Insider Threats to the Healthcare Industry

Transcription

1 Insider Threats to the Healthcare Industry George J. Silowash Carnegie Mellon University Software Engineering Institute Pittsburgh, PA October 24, Carnegie Mellon University

2 Notices 2013 Carnegie Mellon University Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at This material was created in the performance of Federal Government Contract Number FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR and DFAR Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide. Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding. THE MATERIAL IS PROVIDED ON AN AS IS BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT). CERT is a registered mark owned by Carnegie Mellon University. 2

3 CERT Organizational Overview Carnegie Mellon University Operates a DoD FFRDC called the Software Engineering Institute CERT is a Technical Division within SEI The Original Computer Emergency Response Team; Est.1988 Research and development targeting DoD Challenge Problems Largest of the 3 technical programs (~250 employees) 3

4 What is the CERT Insider Threat Center? Center of insider threat expertise Began working in this area in 2001 with the U.S. Secret Service Our mission: The CERT Insider Threat Center conducts empirical research and analysis to develop & transition socio-technical solutions to combat insider cyber threats. 4

5 Goal for an Insider Threat Program Opportunities for prevention, detection, and response for an insider incident 5

6 What is Insider Threat? 6

7 Insider Threat Issue Insiders pose a substantial threat by virtue of their knowledge of, and access to, their employers systems and/or databases. Insiders can bypass existing physical and electronic security measures through legitimate measures. 7

8 The Insider Threat There is not one type of insider threat Threat is to an organization s critical assets People Information Technology Facilities Based on the motive(s) of the insider Impact is to Confidentiality, Availability, Integrity There is not one solution for addressing the insider threat Technology alone may not be the most effective way to prevent and/or detect an incident perpetrated by a trusted insider 8

9 What is a Malicious Insider Threat? Current or former employee, contractor, or other business partner who has or had authorized access to an organization s network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization s information or information systems. 9

10 Separate the Target from the Impact from the Actor Target Critical Assets People Technology Information Facilities Impact Confidentiality Availability Integrity Actor(s) Employees Current Former Contractors Subcontractors Suppliers Trusted Business Partners WHAT HOW WHO 10

11 Types of Insider Crimes Insider IT sabotage An insider s use of IT to direct specific harm at an organization or an individual. Insider theft of intellectual property (IP) An insider s use of IT to steal intellectual property from the organization. This category includes industrial espionage involving insiders. Insider fraud An insider s use of IT for the unauthorized modification, addition, or deletion of an organization's data (not programs or systems) for personal gain, or theft of information which leads to fraud (identity theft, credit card fraud). 11

12 CERT s Insider Threat Case Database 12

13 Critical Infrastructure Sectors ** This does not include espionage cases involving classified information 13

14 How Bad Is the Insider Threat? 14

15 2013 US State of Cybercrime Survey -1 CSO Magazine, USSS, CERT & Price Waterhouse Cooper 501 respondents Percentage of Participants Who Experienced an Insider Incident 34% of organizations have more than 5000 employees % of organizations 60 have less than employees % 39% 55% 49% 51% 43% 53% 53% Source: 2013 US State of Cybercrime Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Price Waterhouse Cooper, June

16 2013 US State of Cybercrime Survey % of respondents Damage caused by insider attacks more damaging than outsider attacks Most common insider cyber incident Unintentional exposure of private or sensitive data (34%) Theft of intellectual property (IP) (34%) Unauthorized access to/ use of information, systems or networks Theft of other (proprietary) info including customer records, financial records, etc (30%) (31%) Source: 2013 US State of Cybercrime Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Price Waterhouse Cooper, June

17 2013 US State of Cybercrime Survey -3 How Insider Intrusions Are Handled 9% 7% 3% 82% Internally (without legal action or law enforcement) Internally (with legal action) Externally (notifying law enforcement) Externally (filing a civil action) Reason(s) CyberCrimes were not referred for legal action Damage level insufficient to warrant prosecution Lack of evidence/not enough information to prosecute Could not identify the individual/ individuals responsible for committing the ecrime % 40% 36% 34% 32% 37% Concerns about negative publicity 9% 14% Concerns about liability 7% 9% Concerns that competitors would use incident to their advantage Prior negative response from law enforcement 6% 7% 5% 6% Unaware that we could report these crimes 5% 4% L.E. suggested incident was national security related 4% 4% Other 12% 11% Don't know 28% 20% Source: 2013 US State of Cybercrime Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Price Waterhouse Cooper, June

18 Insider Crime Profiles 18

19 IT Sabotage 19

20 TRUE STORY A security guard at a U.S. hospital, after submitting resignation notice Misused his badge to obtain access to sensitive areas. Installed malicious code on an HVAC system Controlled operating room pumps, chillers, etc. Uninstalled anti-virus software Had access to patient records 20

21 TRUE STORY An insider at a non-profit specializing in organ donation was terminated. Remotely accessed systems and deleted donation databases, accounting files, backups, and applications. Used a former co-worker s administrator account 21

22 Mitigation Strategies Restrict Access to removable media Audit Physical Security event logs for anomalous behavior. Badge accesses Monitor critical systems for changes. Have a trusted baseline image. Compare systems to the trusted baseline. Disable accounts on separation. Alert on account usage anomalies VPN account name vs. network login name 22

23 Other Cases of IT Sabotage Financial Institution customers lose all access to their money from Friday night through Monday Fired system administrator sabotages systems on his way out A logic bomb sits undetected for 6 months before finally wreaking havoc on a telecommunications firm SCADA systems for an oil-exploration company is temporarily disabled A contractor, who s request for permanent employment was rejected, planted malicious code following termination System administrator at a manufacturing plant, passed over for promotion, deployed logic bomb prior to resigning, deleting critical software required to run operation Financial damage $10M; Forced to lay off 80 employees 23

24 Stressors / Sanctions Observed in Cases Termination gross insubordination violation of company rules poor performance not being a team player close to Christmas false information on background check discussion about termination of employment Passed over for promotion Demotion due to poor performance due to project completion Sanctions reprimands for work-related issues reprimands for aggressive and malicious behavior suspension for excessive absenteeism Transfer between departments Supervisor new supervisor hired disagreement with supervisor Access changed Financial disagreement over salary & compensation bonuses lower than expected failure of offering of severance package Death in family Divorce Explosive disagreement with colleagues Termination of subcontractor contract Termination of partnership because of money Co-workers overriding decisions Responsibilities removed from projects Outsourcing of project Suspension of Internet access 24

25 Summary of Insider Threats Current or former employee? Type of position Gender Target IT Sabotage Former Technical (e.g. sys admins, programmers, or DBAs) Male Network, systems, or data Fraud Current Non-technical (e.g. data entry, customer service) or their managers Fairly equally split between male and female PII or Customer Information Theft of Intellectual Property Current (within 30 days of resignation) Technical (e.g. scientists, programmers, engineers) or sales Male IP (trade secrets) or customer Info Access used Unauthorized Authorized Authorized When Outside normal working hours During normal working hours During normal working hours Where Remote access At work At work 25

26 How do you handle privileged technical employees and contractors who are on the HR radar? 26

27 Fraud 27

28 TRUE STORY An insider within a radiology department of a hospital accessed patient records for the purposes of committing credit card fraud. Used fellow employee s unlocked workstations to look up information when they stepped away. Colluded with a former employee to apply for credit cards in patient names. 28

29 TRUE STORY A front desk coordinator at a medical clinic stole PII of more than 1000 patients which contributed to over $2.8 million in fraudulent Medicare claims. Colluded with outsider who operated a medical claims service. Printed out over a 1000 records Had controls to limit number of records that could be viewed. Failed to notice the limit was exceeded regularly. 29

30 Mitigation Strategies Train employees on the dangers of leaving a workstation unlocked. Set workstations to lock after a set time period. Monitor and/or restrict print jobs. Review logs regularly to identify anomalies. 30

31 Other Cases of Fraud An accounts payable clerk, over a period of 3 years, issued 127 unauthorized checks to herself an others... Checks totaled over $875,000 A database administrator at major US Insurance Co. downloaded 60,000 employee records onto removable media and solicited bids for sale over the Internet An office manager for a trucking firm fraudulently puts her husband on the payroll for weekly payouts, and erases records of payments Over almost a year loss of over $100K 31

32 Summary of Insider Threats Current or former employee? Type of position Gender Target IT Sabotage Former Technical (e.g. sys admins, programmers, or DBAs) Male Network, systems, or data Fraud Current Non-technical (e.g. data entry, customer service) or their managers Fairly equally split between male and female PII or Customer Information Theft of Intellectual Property Current (within 30 days of resignation) Technical (e.g. scientists, programmers, engineers) or sales Male IP (trade secrets) or customer Info Access used Unauthorized Authorized Authorized When Outside normal working hours During normal working hours During normal working hours Where Remote access At work At work 32

33 Have you seriously considered how your employees could misuse your systems for financial gain? 33

34 Recent Fraud Study 34

35 Theft of Intellectual Property 35

36 TRUE STORY A foreign national employed as a technical operations associate at a pharmaceutical company steals 45GB of information, including confidential and proprietary information. ed IP to foreign investors in hopes of starting a new company Used external storage The organization spent over $500 million to develop one drug that was disclosed 36

37 TRUE STORY The Director of Operations at a in-home infusion services firm steals intellectual property, such as policies, patient databases, employee lists, and contracts to start a new business. Worked with an outsider Had 13,000 files on home computer, presumably IP 37

38 Other Cases of Theft of IP Simulation software for the reactor control room in a US nuclear power plant was being run from outside the US A former software engineer born in that country took it with him when he left the company. 38

39 Mitigation Strategies Recognize anomalies in your environment Know your assets. Does your organization do business in foreign countries? Large volumes of data transfer Monitor and limit the use of removable media Understand where all exit points of your enclave exist USB, mobile devices, wireless, tethered devices, VPNs, connections to partners, etc. 39

40 Do you check for stolen information when employees, contractors, and other trusted business partners with access to critical information leave? 40

41 Summary of Insider Threats Current or former employee? Type of position Gender Target IT Sabotage Former Technical (e.g. sys admins, programmers, or DBAs) Male Network, systems, or data Fraud Current Non-technical (e.g. data entry, customer service) or their managers Fairly equally split between male and female PII or Customer Information Theft of Intellectual Property Current (within 30 days of resignation) Technical (e.g. scientists, programmers, engineers) or sales Male IP (trade secrets) or customer Info Access used Unauthorized Authorized Authorized When Outside normal working hours During normal working hours During normal working hours Where Remote access At work At work 41

42 Our Suggestion Continuous Logging Targeted Monitoring Real-time Alerting 42

43 Common Sense Guide to Mitigating Insider Threats 43

44 Best Practices for Insider Threat Mitigation Consider threats from insiders and business partners in enterprise-wide risk assessments. Clearly document and consistently enforce policies and controls. Incorporate insider threat awareness into periodic security training for all employees. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior. Anticipate and manage negative issues in the work environment. Know your assets. Implement strict password and account management policies and practices. Enforce separation of duties and least privilege. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities. Institute stringent access controls and monitoring policies on privileged users. Institutionalize system change controls. Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions. Monitor and control remote access from all end points, including mobile devices. Develop a comprehensive employee termination procedure. Implement secure backup and recovery processes. Develop a formalized insider threat program. Establish a baseline of normal network device behavior. Be especially vigilant regarding social media. Close the doors to unauthorized data exfiltration. 44

45 The CERT Top 10 List for Winning the Battle Against Insider Threats 45

46 CERT s Insider Threat Services 46

47 Insider Threat Assessment (ITA) Objective: To measure an organization s level of preparedness to address insider threats to their organization. Method: Document Review, Process Observation, and Onsite interviews using insider threat assessment workbooks based on all insider threat cases in the CERT case library. Outcome: Confidential report of findings with findings and recommendations. Areas of Focus: Information Technology/Security; Software Engineering; Data Owners; Human Resources; Physical Security; Legal / Contracting; Trusted Business Partners. 47

48 CERT Insider Threat Workshops Goal: participants leave with actionable steps they can take to better manage the risk of insider threat in their organization ½ day, One day, Two days - Presentations and interactive exercises Addresses technical, organizational, personnel, security, and process issues Exercises Address portions of the insider threat assessment Purpose: assist participants in assessing their own organization's vulnerability to insider threat in specific areas of concern 48

49 Building an Insider Threat Program Goal: CERT staff work with senior executives from across the organization to develop a strategic action plan, based on actual cases of insider threats at the participating organization and research by CERT staff, to address and mitigate the risk of insider threat at the organization. Key differences from standard workshop Tailored course material based on actual insider incidents at the organization. Cases are provided in advance by the organization, and treated with strict confidentiality. Workshop is preceded by a 3-day onsite by CERT staff to work with the organization s staff to familiarize themselves with the provided case material. Second day of workshop CERT staff and executives work together to create the Organization s strategic plan for preventing, detecting and responding to insider threats. 49

50 CERT Resources Insider Threat Center website ( Common Sense Guide to Mitigating Insider Threats, 4th Ed. ( The Insider Threat and Employee Privacy: An Overview of Recent Case Law, Computer Law and Security Review, Volume 29, Issue 4, August 2013 by Carly L. Huth Insider threat workshops Insider threat assessments New controls from CERT Insider Threat Lab Insider threat exercises The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (SEI Series in Software Engineering) by Dawn M. Cappelli, Andrew P. Moore and Randall F. Trzeciak 50

51 Discussion 51

52 Point of Contact George J. Silowash Cyber Security Threat & Incident Analyst CERT Program Software Engineering Institute Carnegie Mellon University 4500 Fifth Avenue Pittsburgh, PA Phone 52