From Plans to Pen Testing - Dealing with The Unexpected · 2017-02-18 · From Plans to Pen Testing...
1
From Plans to Pen Testing - Dealing with The Unexpected
Session #CS3, February 19, 2017
Ron Mehring, CISO, Texas Health Resources
2
Speakers Introduction
Ron Mehring, VP, Technology & Security, Texas Health Resources
3
Conflict of Interest
Ron Mehring
Has no real or apparent conflicts of interest to report.
4
Agenda
• Healthcare Threat Landscape
• Security Plans, Continuous Monitoring and Penetration Testing
• Incident Management
5
Learning Objectives
• Explain the current threat and vulnerability landscape facing healthcare organizations.
• Illustrate how to plan and test your plan: practical information and perspectives on how to design and test your privacy and security plans to fit the needs of your organization.
• Describe how to test your plan with best case and worst case and “what if” scenarios.
• Explain current attacks and compromises and hallmarks of sophisticated vs. unsophisticated attackers.
• Explain how to recognize a significant security incident and what to do when a major breach does occur.
6
An Introduction of How Benefits Were Realized for the Value of Health IT
• Satisfaction: improve patient satisfaction and build trust by helping to improve security and reduce breaches and ransomware
• Electronic Secure Data: improve security of sensitive patient information
– Highlight gaps, enable information sharing to improve security
• Savings: reduce breaches and ransomware and associated business impacts and costs
7
The Healthcare Threat Landscape
8
Healthcare and the integrated cyber future
• Optimization of healthcare operations is driving the adoption of new and innovative technology platforms.
• Mergers and acquisitions are occurring at an increasing rate.
• Tighter technology integration is occurring across multiple platform types.
• The end user and the patient are driving new and innovative technology use cases.
9
What are some of the more significant threats?
• EHR shut down for 6 days due to cyberattack. http://www.healthcareitnews.com/news/cyberattack-appalachian-regional-healthcare-keeping-ehr-down-after-six-days
• 3.7 million credit card breach via malware attack on point of sale. https://www.bannerhealth.com/news/2016/08/banner-health-identifies-cyber-attack
• Massive Internet of Things attack. http://fortune.com/2016/10/23/internet-attack-perpetrator/
• Over half of the Locky ransomware in August was focused at hospitals. http://www.zdnet.com/article/a-massive-locky-ransomware-campaign-is-targeting-hospitals/
10
Protecting health care delivery networks is becoming more complex every day.
11
Sophisticated vs Unsophisticated Threats
• Advanced threats are characterized by the motivation and persistence of the attacker and by the attacker's ability to evade traditional cybersecurity hygiene controls.
– Nation state attacks
– Knowledgeable malicious Insider threat with high level access
– Targeted phishing attacks
– Environmentally tailored malware and exploits
– Well designed, stealthy, command and control
• Commodity everyday threats that can be prevented through the application of good cybersecurity hygiene.
– Physical Theft
– Insider unauthorized access or misuse
– Broad based phishing scams
– Known malware and exploits
– Noisy, smash and grab
12
Security Plan, Continuous Monitoring and Penetration Testing
13
Building an organizationally tuned penetration testing assessment program
Security Plan
Continuous Monitoring Plan
3rd Party Penetration Testing Plan
Audit, Monitoring and Internal Assessments
• Penetration testing is an assessment approach where security controls are purposely evaded.
• The assessment program should be aligned with the business risk profile and leadership expectations.
• 3rd party independent (penetration) assessment services should be employed when possible.
• All assessment and audit plans should be pulled into a single monitoring plan.
• Cost
• Prioritization
• Resources
14
The Security Plan
Regulatory Requirements
Business Requirements
Control Catalog
Control Thresholds
• The security plan is based on the risk appetite of the organization.
• Control thresholds formalize security posture expectations.
• Audit, monitoring and assessment plans should be aligned with control thresholds.
Emerging – Recognized Threats
15
The Continuous Monitoring Plan
• Documents all audit, assessment and monitoring requirements.
• Documents the specific tests required for each control area.
• Sets the integrated audit, monitoring and assessment schedule.
• Establishes stakeholder ownership for each control being assessed.
16
Setting the assessment schedule and robustness objectives
• Determine the most significant weaknesses
• Determine which controls are most important
• How often do they need to be tested?
• 3rd Party – Penetration Assessments
– Red teaming context
• Incorporation of controls based exercises
– Purple teaming context
• Phishing testing
• Vulnerability Exposure Assessments
17
Continuous Improvement, Data Driven Assessments and Exercises
• Improving incident response performance and baselining control effectiveness requires continuous assessments, exercising and testing.
• A quarterly driven independent assessment cycle ensures regular testing of control effectiveness.
• The addition of risk exposure and threat data into assessments helps ensure the assessment cycle is focused on testing weaknesses in compensating controls.
• Data helps feed the continuous improvement cycle and reinforces high reliability principles.
Assessment cycle: External Assessment – Internal Assessment – External Assessment – Internal Assessment
Continuous Phishing Exercises
18
Penetration testing design based on scenario – what if approaches
Scenarios, with the controls and testing requirements at each stage:
Phishing Email – Controls / Testing Requirement
• End user susceptibility
• Email filtering
• Detection - Monitoring
• Response Plan
Workstation Compromise – Controls / Testing Requirement
• Malware prevention
• Workstation hardening
• Detection - Monitoring
• Response Plan
Access Compromise – Controls / Testing Requirement
• User Monitoring
• Detection - Monitoring
• Response Plan
Attacker Elevates Privileges – Controls / Testing Requirement
• System Admin controls
• Detection - Monitoring
• Response Plan
19
The Security Plan, Risk and Operational Considerations
• Ensure assessment/audit operational performance data is fed back into the risk program.
• Apply techniques such as Kanban and Theory of Constraints. These techniques can help improve performance.
• Use risk scenarios (threat models) as a bridge between risk management and operations.
• Recognize that security risk decisions are tradeoffs.
• Best practices still must have a risk analysis performed. Not all best practices are appropriate for every environment.
• Be cautious of using “cybersecurity dogma” as a basis for risk prioritization.
Appetite - Requirements
Performance - Outcomes
Operations
Risk
20
Incident Management
21
Detecting, Classifying and Managing Incidents
Risk Scenarios – Exposure
Incident Playbooks
Control Analysis
Incident Resolution
Operational Rhythm
Preparation: Incident Response Plan
Operations: Workflow Development
Follow Through: Continuous Improvement; Benchmarking – Trend – Reporting
Security Architecture
Cyber Insurance
Incident Criteria
22
Incident Response Performance
• Create a feedback loop of indicators and risk thresholds that flow into operations and continuous improvement processes.
• Data driven workflows allow for the measuring of control performance – effectiveness.
Time to Detection
Time to Respond
Time to Remediate
Control Analysis
Risk Management
Threat Events Managed
Risk Scenarios
Incidents
Events
Indicator Output
Exposure Data
23
How do you know when an incident is occurring
• Establishing analytics and log management platforms.
• Measuring where your most significant exposure is located will provide the best opportunity to detect an incident.
• Having a daily monitoring rhythm ensures that a regular routine is in place for evaluating threat events.
• Information sharing and threat intelligence services.
Incident
Analytics
Information Sharing
Rhythm
Threats/Exposure
24
Using modeling – bounding approaches helps in setting and maintaining analytics
Time
Location
Sensitivity
Quantity
Size
Identity
Asset
Data
Entitlement
Establishing a model for the monitoring and analytics system can be very helpful for tuning, playbook and response actions.
25
How do you know when an incident is occurring
Log Data Sources and Analytics, by scenario:
Anomalous Log In
– Log Data Sources: Active Directory, VPN
– Analytics: Newly accessed system, Access time abnormal, Location
Privileged Misuse
– Log Data Sources: Database, Active Directory
– Analytics: Access time abnormal, Abnormal transaction activity
Data Loss/Compromise
– Log Data Sources: EHR, Data Loss Prevention, File Directory Log
– Analytics: Sensitive data access activity, Sensitive data transmission activity
Playbooks
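As an added illustration (not material from the talk), the three Anomalous Log In analytics above implemented with the bounding approach from the previous slide: per-identity bounds on asset, time and location are learned from a history window and new login records are scored against them. The CSV record layout, the identities and the sample values are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login records (not from the talk), CSV-style:
# timestamp,identity,log source,location,asset
HISTORY = [  # learning window used to build the per-identity bounds
    "2017-02-01T08:05:00,jdoe,AD,Dallas,EHR-APP01",
    "2017-02-02T08:10:00,jdoe,AD,Dallas,EHR-APP01",
    "2017-02-03T17:55:00,jdoe,VPN,Dallas,EHR-APP01",
    "2017-02-04T09:00:00,jdoe,AD,Dallas,FILE-SRV02",
    "2017-02-06T08:15:00,asmith,AD,Fort Worth,EHR-APP01",
]
NEW_EVENTS = [  # records to evaluate against the bounds
    "2017-02-10T02:30:00,jdoe,VPN,Kiev,DB-PRD01",
    "2017-02-10T08:40:00,asmith,AD,Fort Worth,EHR-APP01",
    "2017-02-10T10:00:00,contractor7,VPN,Dallas,EHR-APP01",
]

def parse(line):
    ts, identity, source, location, asset = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "identity": identity, "source": source, "location": location, "asset": asset}

def build_baseline(lines):
    """Per-identity bounds: assets and locations seen, and the hours of day at which logins occurred."""
    baseline = defaultdict(lambda: {"assets": set(), "locations": set(), "hours": set()})
    for e in map(parse, lines):
        b = baseline[e["identity"]]
        b["assets"].add(e["asset"])
        b["locations"].add(e["location"])
        b["hours"].add(e["ts"].hour)
    return baseline

def hour_distance(a, b):
    d = abs(a - b) % 24  # circular distance, so 23:00 and 01:00 are 2 hours apart, not 22
    return min(d, 24 - d)

def score_login(line, baseline, window=2):
    """Return the Anomalous Log In analytics this record triggers, in slide order."""
    e = parse(line)
    b = baseline.get(e["identity"])
    if b is None:
        return ["No baseline for identity"]  # an identity never seen before cannot be bounded
    findings = []
    if e["asset"] not in b["assets"]:
        findings.append("Newly accessed system")
    if all(hour_distance(e["ts"].hour, h) > window for h in b["hours"]):
        findings.append("Access time abnormal")
    if e["location"] not in b["locations"]:
        findings.append("Location")
    return findings
```

An empty list means the login sits within the identity's learned bounds; an identity with no history is surfaced separately so that a playbook can decide whether to enrol it or escalate.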
26
When a major breach occurs what do you do?
• Playbooks: Playbooks should direct staff how to coordinate and escalate the incident.
• Use escalation levels that can help guide staff with response time expectations and communication
– Level 1 – Routine Incident
– Level 2 – Potential Breach
– Level 3 – Active Major Breach
• At level 2 have a plan to engage in incident response - forensic services and cybersecurity insurance.
• At level 3 have a plan to engage legal, law enforcement, remediation - crisis management services, and public affairs.
27
A Summary of How Benefits Were Realized for the Value of Health IT
• Satisfaction: improve patient satisfaction and build trust by helping to improve security and reduce breaches and ransomware
– Benchmarks, information sharing, collaboration
• Electronic Secure Data: improve security of sensitive patient information
– Highlight maturity, 8 priorities, 42 capabilities, gaps, to enable information sharing in order to improve security
• Savings: reduce breaches and ransomware and associated business impacts and costs
– Frequency of occurrence, business impact