
Enterprise Cybersecurity Best Practices
Part Number MAN-00363 Revision 006
April 2013

Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory, NT, 2000, XP and Windows are registered trademarks of Microsoft Corporation. Any other product and company names mentioned herein are the trademarks or registered trademarks of their respective owners.

Table of Contents
1.0 Overview ... 2
2.0 Introduction ... 2
3.0 Audience ... 2
4.0 Remarks ... 3
5.0 Definitions, Terms and Abbreviations ... 3
6.0 Defense in Depth Strategy ... 3
7.0 Windows Domain & Active Directory ... 4
8.0 Network Security ... 4
8.1 IP Address Assignment ... 4
8.2 Segmentation ... 4
8.3 Firewall ... 4
8.4 Intrusion Detection Systems (IDS) ... 5
9.0 Anti-virus ... 5
10.0 Physical Security ... 5
10.1 Medical device security ... 5

MAN-00363 Revision 006 Page 1

1.0 Overview

Hologic is a leading developer, manufacturer and supplier of premium diagnostics, medical imaging systems and surgical products dedicated to serving the healthcare needs of women. Ensuring the integrity of our systems and the business continuity of our customers is a top concern for Hologic.

This document is a best practices guide to assist IT staff in securing the general network infrastructure in which Hologic medical products are in use. The recommendations are intended to raise the overall security posture of the environment where Hologic medical products are installed and operated. Following them reduces the overall risk from cybersecurity threats to your computer-based assets by reducing the number of exploitable avenues.

2.0 Introduction

Hologic regularly monitors the information security industry to assess new cybersecurity vulnerabilities and offers solutions for increased product security. Hologic performs a risk analysis to determine the potential consequences of each vulnerability and may offer a solution such as a software patch, a design change, or a compensating control external to the product (for example, configuring a network firewall to block the malicious traffic). Hologic validates every product change that mitigates a software vulnerability or exposure so that patient care and the continued operation of our products are not affected.

Hologic also runs an ongoing security maintenance program for the entire life cycle of our products. The program consists of:
- Regular software and OS vulnerability assessments
- Laboratory evaluation of anti-virus software and other products that may improve the security of our products
- Laboratory evaluation of OS security patches
- Ongoing monitoring of the industry for new vulnerabilities and exploits

Hologic is committed to this cybersecurity maintenance program for our products. In this document we put forward some general cybersecurity best practices to assist our customers. We believe that customers who adopt these industry best practices increase the overall security posture of their organization.

3.0 Audience

The intended audience is the systems administrator, network administrator, and/or security personnel. These practices are meant to aid in securing the network infrastructure and network environments where Hologic products are deployed.

4.0 Remarks

At Hologic, we strive to make every Hologic medical system that we sell as secure and user friendly as possible before it leaves our factory. However, these devices are built for medical purposes and are not security devices by design.

We regularly validate OS security patches and publish the results as a product report. To the best of our knowledge, based on our testing, any patch listed in the cybersecurity product report is safe to install on our systems. Because new software vulnerabilities appear continuously and each patch must be validated before it is applied to a medical device, patching every vulnerability immediately is not practical. We therefore expect our customers to take a vigilant approach to security in their day-to-day operations, and to maintain a resilient network environment whose security architecture incorporates proactive security mechanisms that address emerging zero-day vulnerabilities and exploits.

A successful organizational IT security strategy consists of a comprehensive security plan, policies, and best practices that combine effective physical, administrative, and technical controls. A good security plan considers the following:
- Defense in Depth strategy that incorporates layered defenses
- Timed access control
- Centralized logging and auditing
- Disaster Recovery Plans / Business Continuity Plans
- Data backup and recovery strategy
- Authentication and password security
- Perimeter security (such as firewalls, IDS/IPS, proxy servers, anti-virus gateway)
- Internal security (such as network monitoring, intrusion and extrusion detection, a log review process, and network scanning)
- Physical security (such as biometrics, locks, cameras)
- User security awareness training focusing on safe computing practices
- Technical network defense design and control

5.0 Definitions, Terms, and Abbreviations

DHCP: Dynamic Host Configuration Protocol
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
Malware: Malicious software such as computer viruses, worms, rootkits, Trojans, data-stealing programs, or any other software with malicious intent
OS: Operating system
VLAN: Virtual Local Area Network

6.0 Defense in Depth Strategy

Defense in Depth is an Information Assurance strategy in which several layers of defense are placed around a computing resource such as an information system. It is designed to address security weaknesses in personnel, technology, and operations for the duration of the system life cycle. The idea behind this layered defense is to defend a system against any particular attack using several different methods, so that the failure of one control does not by itself expose the system. It is a layering tactic promoted by the National Security Agency (NSA) as a comprehensive approach to information and electronic security. The NSA provides a guide to Defense in Depth here: http://www.nsa.gov/ia/_files/support/defenseindepth.pdf.

7.0 Windows Domain & Active Directory

Many organizations have migrated to Windows Active Directory for the ease of centralized administration of their network resources. Some Hologic products support Active Directory functionality. For more details, refer to the product specific support information available.

8.0 Network Security

8.1 IP Address Assignment

Like most vendors, Hologic recommends that the IP addresses of Hologic devices be assigned statically rather than dynamically via a DHCP server. This practice keeps the IP address records maintained by our service technicians accurate, and it also prevents certain forms of denial of service: a device with a static address keeps working if the DHCP service fails or is attacked. When possible, do not assign a publicly routable IP address to Hologic devices. Instead, assign addresses from the private IP address space defined in RFC 1918. Do not allow open Internet access without strong technical safeguards in place.

8.2 Segmentation

Separating medical devices from the rest of your general network increases the security of these devices. It protects the medical devices if a user on the general network accidentally downloads malware such as viruses, worms, or Trojans from the web or an email attachment. For security and privacy, provide a separate physical network for the medical devices that does not connect directly or indirectly to the Internet. If a separate physical network is not feasible, implement a logical or virtual separation using a VLAN, a firewall, or a router. A medical network, whether partitioned physically or logically, should not connect to the Internet without proper security protection to block malicious traffic.

8.3 Firewall

A firewall plays an integral role in any successful security architecture. A properly configured firewall provides protection from external threats originating from the Internet, as well as from internal threats such as viruses, worms, and malicious users. Hologic recommends hardware-based network firewalls rather than the Windows host-based firewall on the device, which can interfere with product operation.
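The checks in sections 8.1 to 8.3 can be turned into a small audit: does every device hold a statically assigned RFC 1918 address inside the medical VLAN, and does the firewall policy, evaluated top-down with first match winning, let the medical VLAN reach only the internal services it needs? The Python below is an added example, not Hologic code or a Hologic tool; the VLAN, the inventory, the DICOM archive and domain controller addresses, and both rule sets are constructed for illustration. It also shows why a weak policy fails: a broad allow placed above the deny makes the deny unreachable.

```python
"""Segmentation audit for a medical-device network (sections 8.1 to 8.3).

Added example, not Hologic code. All subnets, hostnames, addresses and
firewall rules below are constructed for illustration.
"""
import ipaddress

# The three RFC 1918 private ranges. ipaddress.is_private is deliberately not used:
# it also matches loopback, link-local and the 100.64.0.0/10 shared range.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: the VLAN that holds only imaging devices.
MEDICAL_VLAN = ipaddress.ip_network("10.20.30.0/24")

# Constructed inventory: (hostname, address, how the address was assigned).
INVENTORY = [
    ("mammo-01", "10.20.30.11", "static"),
    ("mammo-02", "10.20.30.12", "dhcp"),     # breaks the static-assignment rule
    ("review-ws", "10.20.40.5", "static"),   # private, but not in the medical VLAN
    ("kiosk", "203.0.113.7", "static"),      # publicly routable (TEST-NET-3)
]


def is_rfc1918(address):
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in RFC1918)


def audit_inventory(inventory, vlan=MEDICAL_VLAN):
    """Return (hostname, finding) pairs for every device that breaks a rule in 8.1 or 8.2."""
    findings = []
    for host, address, assignment in inventory:
        if assignment != "static":
            findings.append((host, "address not statically assigned"))
        if not is_rfc1918(address):
            findings.append((host, "publicly routable address"))
        elif ipaddress.ip_address(address) not in vlan:
            findings.append((host, "outside the medical VLAN"))
    return findings


# A rule is (source network, destination network, destination port or None, action).
# Rules are evaluated top-down, first match wins, and an unmatched packet is denied.
def first_match(rules, src, dst, port):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, rule_port, action in rules:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "deny"


# Weak policy: the broad allow sits above the deny, so the deny never matches.
WEAK_RULES = [
    ("10.20.30.0/24", "0.0.0.0/0", None, "allow"),
    ("10.20.30.0/24", "0.0.0.0/0", None, "deny"),
]

# Hardened policy: only the named internal services, then an explicit deny.
HARDENED_RULES = [
    ("10.20.30.0/24", "10.20.40.10/32", 104, "allow"),  # DICOM to the image archive
    ("10.20.30.0/24", "10.20.50.5/32", 389, "allow"),   # LDAP to the domain controller
    ("10.20.30.0/24", "0.0.0.0/0", None, "deny"),
]


def medical_vlan_can_reach_internet(rules, probe_dst="198.51.100.20", port=443):
    """True if a device in the medical VLAN would be allowed out to a constructed Internet host."""
    return first_match(rules, "10.20.30.11", probe_dst, port) == "allow"


if __name__ == "__main__":
    for host, finding in audit_inventory(INVENTORY):
        print(f"{host}: {finding}")
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name} policy lets medical VLAN reach the Internet: "
              f"{medical_vlan_can_reach_internet(rules)}")
```

The audit reports the DHCP-assigned device, the workstation that sits outside the medical VLAN, and the publicly addressed kiosk, and shows that only the hardened rule set denies the probe to an Internet host while still allowing the DICOM and LDAP flows. Replace the constructed inventory and rule sets with exports from your own asset register and firewall to use it against a real environment.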

8.4 Intrusion Detection Systems (IDS)

Installing a host-based intrusion detection system on a Hologic medical device is not recommended, because it can adversely affect the functionality and performance of the device. Network-based IDS may be supported. For more details, refer to the product specific support information available.

9.0 Anti-virus

Running anti-virus software on endpoint devices such as workstations has become a necessity in most organizations to combat threats from malicious software. To support our customers, Hologic has validated several anti-virus products from Symantec, McAfee, Sophos, and Trend Micro with our products. For information on specific products, visit our product support website.

10.0 Physical Security

Good physical security is the foundation of any sound security plan, because technical controls can be bypassed by anyone with physical access to the equipment. Sound physical security helps prevent:
- Theft, tampering, or destruction of equipment
- Theft, modification, or destruction of sensitive and confidential data
- Installation of a backdoor access program used to compromise other, possibly more valuable, devices on the network

10.1 Medical device security

An easy way to protect your devices is to have a robust enterprise password policy. NIST provides a comprehensive guide (draft SP 800-118, Guide to Enterprise Password Management) here: http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf. When setting policies for password length and complexity, consider both the maximum key space the policy allows and the key space users are likely to draw from in practice. Since users are expected to memorize passwords, set policies that make passwords easier to remember, such as favoring longer passwords over more complex ones. Another important consideration for length and complexity policies is the rate at which password cracking attacks can be performed against the stored or transmitted credential. Organizations must also consider how effectively their password strength requirements are enforced. Some Hologic products have limitations on the password policy that they can support. For more details, refer to the product specific support information available.
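The three quantities section 10.1 asks you to weigh, maximum key space, likely actual key space, and cracking rate, can be put side by side in a few lines. The Python below is an added example, not Hologic code and not taken from the NIST guide; the 10^10 guesses per second rate, the candidate policies, the 14-character minimum and the tiny blocklist are constructed assumptions (real rates depend on the hash algorithm, salting or iteration, and the attacker's hardware). It shows why a longer password from a small alphabet can have a far larger maximum key space than a short password from a large one, and why a blocklist is needed to keep the likely actual key space from collapsing.

```python
"""Password-policy arithmetic from section 10.1.

Added example, not Hologic code. The guess rate and the small blocklist are
constructed assumptions; real cracking rates depend on the hash algorithm,
any salting or iteration, and the attacker's hardware.
"""


def keyspace(alphabet_size, length):
    """Maximum number of distinct passwords of exactly this length from this alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(size, guesses_per_second):
    """Worst-case time to try every candidate in a key space of the given size."""
    return size / guesses_per_second


def describe(seconds):
    """Render a duration in the largest convenient unit, to one decimal place."""
    for name, span in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


# Constructed attack rate used for the comparison.
GUESSES_PER_SECOND = 10 ** 10

# Candidate policies as (alphabet size, minimum length); 95 is printable ASCII including space.
POLICIES = {
    "8 chars, 95-symbol alphabet": (95, 8),
    "12 chars, letters and digits": (62, 12),
    "16 chars, lowercase only": (26, 16),
    "20-char passphrase, lowercase plus space": (27, 20),
}


def compare_policies(policies=POLICIES, rate=GUESSES_PER_SECOND):
    """Return {policy: (maximum key space, worst-case seconds)} ordered from weakest to strongest."""
    rows = {}
    for name, (alphabet, length) in policies.items():
        size = keyspace(alphabet, length)
        rows[name] = (size, seconds_to_exhaust(size, rate))
    return dict(sorted(rows.items(), key=lambda item: item[1][0]))


# Constructed stand-in for a real list of common or previously breached passwords.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "mammo2013"}


def check_password(candidate, min_length=14, blocklist=COMMON_PASSWORDS):
    """Return the list of policy failures; an empty list means the password is accepted.

    The policy favours length over forced complexity, as the text suggests, and uses a
    blocklist because the key space users actually draw from is far smaller than the
    maximum unless obvious choices are rejected.
    """
    failures = []
    if len(candidate) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if candidate.lower() in blocklist:
        failures.append("appears in the blocklist")
    if len(set(candidate)) < 4:
        failures.append("fewer than 4 distinct characters")
    return failures


if __name__ == "__main__":
    for name, (size, secs) in compare_policies().items():
        print(f"{name:42} {size:.2e} candidates  exhaustive search: {describe(secs)}")
    for pw in ("mammo2013", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

At the assumed rate the 8-character, 95-symbol policy is exhausted in under eight days, while the 16-character lowercase policy has a key space more than a million times larger. The enforcement check is where the "likely actual key space" is defended: a long minimum is worth little if "password1" style choices are still accepted, so any real deployment should swap the constructed blocklist for a current list of breached passwords.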