Securing Your Network: An Overview of Challenges and Suggestions for Mitigation
TRANSCRIPT
Staff from Visualutions
• Primary Presenter: Todd Smith, Director of Technology
• Associate Producer: Greg Benge, Director of Customer Service & Compliance Officer
• Supplemental Producer: Cam Hendricks, Director of Programming
Preface / Disclaimers
• Visualutions:
  – Managed Services Provider (MSP) for medical practices, banks and other industries
  – Cloud Service Provider for several medical practices
• Todd:
  – A technology guy, not a salesman
  – Does not know everything
A little more about Todd
• Started in network support at Baylor University in 1994
• 8 years in enterprise IT support for energy and healthcare verticals
• Came to Visualutions in 2005
• 10 years experience in surviving IT audits by the government ;-)
• Proud member of Infragard
Definitions of Secure
• Merriam-Webster – adjective se·cure \si-ˈkyu̇r\
  : protected from danger or harm
  : providing protection from danger or harm
  : guarded so that no one can enter or leave without approval
  1 a : archaic : unwisely free from fear or distrust : overconfident
    b : easy in mind : confident
    c : assured in opinion or expectation : having no doubt
  2 a : free from danger
    b : free from risk of loss
    c : affording safety <a secure hideaway>
    d : trustworthy, dependable <a secure foundation>
  3 a : assured <a secure victory>
Assumptions from IT & Management staff
  – I’ll save money by using Open Source Solutions
  – IT Services / Solutions can’t really cost that much?!
  – Set it and forget it solutions
  – My current network security is fine (Firewall + Antivirus)
  – These policy templates I bought online will work just fine
And from the Users…
  – Only the “business” needs security
  – As long as I’m a good person/employee, I’m not a vulnerability
Who knows what?
Are 1 or 2 knowledgeable IT staff enough?
  – Desktop guy offering network solutions
  – Network guy offering server solutions
  – Infrastructure guy offering web solutions
Subject matter experts can be worth their weight in gold.
Lingo
• Threat vs Risk vs Vulnerability
• Standard vs Guideline vs Policy
• Penetration Test vs Vulnerability Assessment
The Inside Job
• Employees are a big source of vulnerability
• Sometimes opening the door for baddies due to negligence:
  – Social engineering
  – Failure to do due diligence
• Sometimes malicious employees are the baddies
  – Abuse of rights
  – Impersonation
• How do we keep employees from opening our locked doors?
Inside Job Worries
Source: Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, independently conducted by Ponemon Institute LLC, published May 2015
Inside Job Realities
Source: Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, independently conducted by Ponemon Institute LLC, published May 2015
Phishing
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication – from Wikipedia
Phishing
• Minimal effort
• Imitating a well-known public entity
  – Government agency, UPS / FedEx delivery problems, Amazon account problems, Credit agency
• Huge nets cast far and wide
• Playing the numbers game
• Spoofed website links
Answer:
• They know what you did on vacation
• They know your kids’ names
• They know your actions / activities
• They like you on Facebook, follow you on Twitter, Instagram, etc.
Social Media
• What are you posting?
• What is your company posting?
• What can a malicious actor learn?
It is all fun and games until someone loses PHI!
Spear Phishing
Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success. This technique is, by far, the most successful on the internet today, accounting for 91% of attacks. – from Wikipedia
Spear Phishing
• Greater effort
• Focused attack
• Real associations:
  – Professional – Company, Professional societies, etc.
  – Personal – Religious affiliations, family members, vacation activities
• Greater results
• Spoofed website links
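Both the phishing and spear phishing slides end on "spoofed website links", where the text a user sees names one site while the link goes somewhere else. The following added example (not the presenter's tooling) shows how a mail gateway or awareness tool can flag such links; the e-mail HTML, the hosts and the IP address in it are constructed.

```python
"""Flag <a> links whose visible text names one host while the href points
elsewhere. Added example, not the presenter's tooling; sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
def host_of(url: str) -> str:
    """Lower-case host of a URL or of a bare 'www.example.com/path' string."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_spoofed_links(html: str) -> list:
    """One finding per suspicious link, listing every check it tripped."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        # Treat the visible text as a URL only when it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        actual = host_of(href)
        reasons = []
        if shown and shown != actual and not actual.endswith("." + shown):
            reasons.append("visible host differs from href host")
        if actual.startswith("xn--") or ".xn--" in actual:
            reasons.append("punycode host")  # possible homograph domain
        if actual.replace(".", "").isdigit():
            reasons.append("raw IP address")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

# Constructed sample: a "delivery problem" lure plus one legitimate link.
SAMPLE_EMAIL = ('<a href="http://198.51.100.7/track">www.fedex.com/track</a>'
                '<a href="https://support.example.com">example.com</a>'
                '<a href="http://xn--fedx-abc.test/login">Sign in to your account</a>')
```

Running `find_spoofed_links(SAMPLE_EMAIL)` flags the first and third links and leaves the legitimate subdomain link alone.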
The Con Job
Malicious attackers can be bold enough to convince users to open the door over the phone
Con Job Example
Employee “A” receives a phone call from a marketing firm representative. The rep tells the employee that she needs to go to a website and verify that it is working. The helpful employee complies and, a short time later, calls the help desk because she can no longer open her files. A $1000 ransom payment later, her files were decrypted.
Failure of Due Diligence
The results of not following policies, procedures and common sense:
  – Leaving workstations unlocked
  – Documenting passwords insecurely
  – Installing unauthorized software
  – Failure to harden servers, workstations and network equipment
Goals for the Bad Guys
• Personally Identifiable Information (PII)
  – Account ID / PW
  – Mother’s maiden name
  – Birthdate
  – Social Security Number
  – Etc.
• Malware installation
What to do?
• Todd’s top o’ the list:
  – Familiarize yourself with the security requirements of the various regulations: HIPAA, Meaningful Use, PCI, etc.
  – Education of employees and IT staff
  – Change management
  – Don’t be afraid to upset anyone to protect your network!
Regulatory Familiarity
• Audits will come…
• Surviving an audit requires knowing what is required for compliance
• Use regulations when talking to C-level
• Implement security based on the requirements as a starting point
Staff Education
• Ignorance is no excuse…
• Ensure employees are knowledgeable about security policies and procedures
• Who to call with questions, suspicious activities and to report problems
• Knowledge of why IT is so rigid helps with understanding policies
IT Education
• IT staff are the first line of defense
• Detect and evaluate suspicious activities
• Ensure policies are followed
• Familiar with best practices
• Know how to triage and remediate threats
Change Management
• Changes introduce opportunities for vulnerabilities
• With any change, evaluate risks to productivity and security
• Plan to mitigate risks introduced by the change
• Ensure complete documentation – Auditors like documentation
Fight the Good Fight
• Users do not appreciate inconveniences
• Executive staff do not appreciate the high cost of security
• What is more intimidating?
  – Job loss for one or two
  – Job loss for everyone
Tools to help protect your network
• Firewall – Allow only required traffic in or out
• Intrusion Detection System / Intrusion Prevention System (IDS / IPS) – Actively monitor for and block malicious traffic
• Managed switches – Segregate traffic with VLANs & use port security
• Web filter – Block access to malicious websites and data exfiltration sites like webmail and file sharing
• Drive encryption – Protection against lost / stolen PCs or hard drives when shipping data
• Data encryption
  – Encrypt data at rest to protect against unauthorized on-network access
  – Encrypt data in transit to protect against sniffing and man-in-the-middle attacks
• Minimal necessary rights – Minimize abilities for malicious users or compromised accounts
• Complex user IDs – Make them difficult to guess, esp. for hackers
• Secure passwords – Enable complexity and force regular changes
• Multi-factor authentication – Know, have, are…
• Auditing tools – Monitor who is doing what on the network
• Vulnerability scanners – Find holes before the bad guys do
• Antivirus / antimalware software – Enable active protection and keep up to date
• SPAM filter – Protect against malicious email such as phishing / spear phishing or malware
New Toys
Does it really need to be on the network for the business to operate or to keep patients alive / healthy?
• HVAC – Target Breach anyone?
• Appliances – Refrigerator email?
• Smart TVs
• Personal devices – BYOD
Off-Network Security
Does employee mobility make your business vulnerable?
• Remote staff
• Mobile staff
• Home network
• Coffee shop
• Hotel
Quick Summary
• Know the players
• Know the rules
• Draw the line
• Hold the line
• Ask for help
• It’s not about making friends
• Pay to play or cease to be paid
Supplemental Resources
• Reference documents used in this presentation will be made available on the Customer Portal Document Library under “Security Alerts and Awareness”
• We will also post additional documents over time from various sources
• Documents posted from Infragard are subject to the Traffic Light Protocol (TLP). TLP restrictions will be noted with each document to maintain national protocol. TLP MUST be followed
Traffic Light Protocol
• RED – personal for named recipients only
  – In the context of a meeting, for example, RED information is limited to those present at the meeting. In most circumstances, RED information will be passed verbally or in person.
• AMBER – limited distribution
  – The recipient may share AMBER information with others within their organization, but only on a ‘need-to-know’ basis. The originator may be expected to specify the intended limits of that sharing.
• GREEN – community wide
  – Information in this category can be circulated widely within a particular community. However, the information may not be published or posted publicly on the Internet, nor released outside of the community.
• WHITE – unlimited
  – Subject to standard copyright rules, WHITE information may be distributed freely, without restriction.
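The four tiers above can be written down as a sharing check, so that a document library applies the same answer every time rather than relying on each reader's memory. This is an added example, not Infragard's or Visualutions' tooling; the "need-to-know" judgement is left to the caller as a flag, and the documents, people and organizations are constructed.

```python
"""Policy-as-code for the four TLP tiers listed above. Added example, not
Infragard's or Visualutions' tooling; 'need-to-know' is a caller-supplied flag."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    title: str
    tlp: str                                   # RED, AMBER, GREEN or WHITE
    named_recipients: frozenset = frozenset()  # RED: the only people who may see it
    community: str = ""                        # GREEN: the community it was released to

@dataclass(frozen=True)
class Person:
    name: str
    org: str
    communities: frozenset = frozenset()

def may_share(doc: Document, sharer: Person, to: Person,
              need_to_know: bool = False, public_post: bool = False) -> tuple:
    """Return (allowed, rule) for `sharer` passing `doc` on to `to`."""
    tlp = doc.tlp.upper()
    if tlp == "WHITE":
        return True, "WHITE: unrestricted, subject to standard copyright"
    if public_post:  # every other tier forbids publishing or posting publicly
        return False, f"{tlp}: may not be published or posted publicly"
    if tlp == "RED":
        return to.name in doc.named_recipients, "RED: named recipients only"
    if tlp == "AMBER":
        # Only within the sharer's own organization, and only on a need-to-know basis.
        ok = to.org == sharer.org and need_to_know
        return ok, "AMBER: same organization, need-to-know basis only"
    if tlp == "GREEN":
        ok = doc.community in to.communities
        return ok, f"GREEN: within the {doc.community!r} community only"
    raise ValueError(f"unknown TLP label {doc.tlp!r}")

# Constructed scenario: an AMBER alert received by an MSP analyst.
ALERT = Document("Ransomware campaign notice", "AMBER")
analyst = Person("analyst", "ExampleMSP")
colleague = Person("colleague", "ExampleMSP")
client = Person("client contact", "Example Clinic", frozenset({"healthcare"}))
```

With this scenario the analyst may brief a colleague who needs to know, but not the clinic contact, because AMBER stops at the recipient's own organization even when the client would find the alert useful.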