Technology Security Failures Common security parameters neglected. Presented by: Tod Ferran

Transcription

1 Technology Security Failures Common security parameters neglected Presented by: Tod Ferran October 31 st,

2 HALOCK Overview Founded in % focus on information security Privately owned Owned and operated by seasoned security practitioners Consistent growth for the last 12 quarters Over 450 Active Business Clients Geographic coverage US and Canada Industry Focus Healthcare Cloud Providers Insurance Banking Retail Energy Higher Education 2

3 Common Security Parameters Role-based authentication controls (RBAC) Password policy Least privileges Encryption Disk level DB table or field? Wireless WEP vs WPA2 Default configs To broadcast or not to broadcast? Bonus Items Internet access Whitelisting Blacklisting Application whitelisting Risk Assessment Patching 3

4 RBAC Create Roles Job function Applications Internet access Enforcement Password policy Whitelisting Access Control 4

5 Let s dig in 5

6 6

7 Users and Groups 7

8 Account and Local Policies 8

9 Password Policies 9

10 Account Lockout Policies

11 Account Audit Policies 11

12 Security Policies 12

13 Security Policies 13

14 Encryption Disk-level Windows BitLocker Mobile devices Workstations Do not select automatically decrypt (TPM) Do store your recovery key someplace safe Databases HSM (blackbox) DB vs Table vs field 14

15 Wireless WEP vs WPA2 Hack times Selecting a strong passphrase Default user ID/password Change password every quarter Broadcasting SSID 15

16 Internet Access Business Use Restrict by subnet or specific machine White list vs black list 16

17 Patching Automatic vs manual Applications as well as OS Don t forget mobile devices 17

18 DHS Restrict Admin privileges Whitelist applications Patch systems timely 18

19 Whitelisting Applications 19

20 Patch Systems!! 20

21 Risk Assessment What is a real risk assessment? Why?? 21

22 Standards That Courts and FTC Use to Decide Negligence Apply Controls for Reasonable Appropriate Acceptable Risk Apply All Controls Completely 22

23 Why Reasonable Controls? Courts apply this multi-factor balancing test to determine whether someone applied due care when an injury/breach occurred. Data breach civil suits are tried in terms of negligence. 23

24 Why Reasonable Controls? Attorneys and judges are trying to determine whether entities are doing something reasonable to prevent harm to others. 24

25 How Risk Assessments Prepare Entities for the Duty of Care Balance Test Duty of Care Balance Test Did you consider the foreseeability of the harm that this breach caused? Did you consider the impact of the harm that this breach could have caused? What did the public and the injured parties gain by you engaging in the risk? What did you gain by engaging in the risk that led to the breach? What alternative safeguards would have avoided the risk that led to the breach? Would the alternative safeguards have imposed a burden that was unbearable to you? How well would these alternative safeguards have reduced the risk of harm? Risk Assessment Question Likelihood of a threat Impact of a threat What is the mission of the entity? What are the objectives of the entity? What controls will be applied to reduce the risk? What risk to mission and objective would the new controls create? What risk to obligations would the new controls create? 25

26 Why Are These Questions Asked? They ask these same questions whether the case is about Lost PHI (Lost laptop, backup tape, or attacker breaching our systems) Hot coffee spilled on a lap Defective car parts Workplace accidents 26

27 Why Are These Questions Asked? Because, securing information is still a question of a duty of care, and the law sees it that way. 27

28 HIPAA Requires Risk Assessments, Right? Yes, it is the core driver of what controls to implement and the priority of which to do first When we assess risk, we may find a need for stricter controls in some areas and less strict in other areas. We need to expend our limited resources on the highest priorities. Why?! data breach is tried as ordinary negligence! 28

29 Timeline of the Reasonable Person in Data Breach Cases Present 2001 Present Office of Management and Budget enforces new cost/benefit regulatory enforcement with risk assessments. 29

30 Timeline of the Reasonable Person in Data Breach Cases Present 2001 Present Influential case introduces math to determine whether safeguards are too burdensome. 30

31 The Calculus of Negligence Since 1947 B <= P x L Burden Probability Liability of occurrence or cost of treating the risk or the cost of the impact should the risk be realized R = L x I Risk Likelihood Impact of occurrence or the cost of the impact should the risk be realized 31

32 Reducing Liability Over Time 32

33 Comparing Risk to Burden Burden Impact Low Medium High Harm Impact Low Medium High 33

34 Making Impact Calculable Rating Burden Impact Harm Impact Low 1 1 Medium 2 2 High

35 Making Impact Meaningful to an Entity Rating 1=Tolerable 2=Intolerable 3=High Mission and Objectives Impact Patient care must to be efficient and competitive No impact to accurate, efficient purchase or delivery. Significant number of customers go to competitors. Margins miss targets. Permanent loss of clients. Inability to operate profitably. Obligations Impact Protect patient information from breach No unauthorized access to PHI Unauthorized access to few PHI records. Large-scale breach of PHI 35

36 How Do We Calculate the Acceptable Risk Definition? 36

37 Accepting Risk for Vulnerabilities Vulnerability Report Finding Asset Backup Server Owner Infrastructure Vulnerability Unsecure SSH Version Threat Hacker access Risk Scenario Malware or hacker can access configuration, command line or PHI through deprecated SSH service that is needed by vendor Appropriate Contact Impact 3 Likelihood 3 Privacy Impact 4 Risk Score: Max (I) x L 12 Treatment Permit vendor s IP address as sole client of SSH service Appropriate Contact Impact 1 Likelihood 1 Privacy Impact 4 Risk Score: Max (I) x L 4 37

38 Accepting Risk for Security Investments Advanced Malware Tool Architecture Assessment Asset Endpoint deployment? Owner Operations Vulnerability Laptops are only protected in the office. Threat Laptops may obtain malware on the road. Risk Scenario Laptops only allow approved apps, and users have no local admin privileges or CHD. Scanned as they join office network. Appropriate Contact Impact 2 Likelihood 2 Privacy Impact 2 Risk Score: Max (I) x L 4 Treatment Accept the risk. Appropriate Contact Impact 2 Likelihood 2 Privacy Impact 2 Risk Score: Max (I) x L 4 38

39 Unacceptable Controls Vulnerability Management Finding Asset Vulnerability Risk Scenario PHI on Collections System Reports Employees can read all PHI. Owner Threat Collections Manager Accidental or intentional impermissible disclosure of PHI. Staff may take notes, screen snapshots, or voice recordings of hundreds of records per day and sell or use information. Appropriate Contact Impact 3 Likelihood 3 Privacy Impact 4 Risk Score: Max (I) x L 12 Treatment Mask or remove PHI from the collections system report, making it difficult for collectors to verify identity and account. Appropriate Contact Impact 5 Likelihood 5 Privacy Impact 2 Risk Score: Max (I) x L 25 39

40 Vulnerability Management Finding Acceptable Controls Asset Vulnerability Risk Scenario PHI on Collections System Reports Employees can read all PHI. Owner Threat Collections Manager Accidental or intentional impermissible disclosure of PHI. Staff may takes notes, screen snapshots, or voice recordings of hundreds of records per day and sell or use information. Appropriate Contact Impact 3 Likelihood 3 Privacy Impact 4 Risk Score: Max (I) x L 12 Treatment Leave all electronic devices and pads of paper in lockers outside of collections call center. Appropriate Contact Impact 1 Likelihood 2 Privacy Impact 3 Risk Score: Max (I) x L 6 40

41 Guidance Needed for Entities Guidance on how to calculate risk. Guidance on defining likelihood and impact for each entity. Guidance on defining acceptable risk for each entity. 41

42 Questions Tod Ferran, CISSP, QSA Managing Consultant HALOCK Security Labs 42