Utilizing the Critical Security Controls to Secure Healthcare Technology

Utilizing the Critical Security Controls to
Secure Healthcare Technology
James Tarala, Enclave Security

Healthcare Security in the News
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
http://www.healthcareitnews.com/news/infographic-biggest-healthcare-data-breaches-2012

Healthcare Security in the News

FBI Annual Cyber Crime Complaints

More Examples from the News
• PrivacyRights.org (updated weekly)
• Here are some that are reported (most are not)
• Just a small sample (organization/records breached):
– Public Broadcasting Service (69,000)
– RxAmerica and Accendo Insurance (175,000)
– Sega (1.29 Million)
– S. California Medical-Legal Consultants (300,000)
– Citibank (360,000)
– Sony Pictures (1 Million)
– Sony Playstation Network (101.6 Million)

Specific Healthcare Challenges
• Highly mobile & temporary workforce members
• Demands from physicians & other VIPs
• Patient demands for the latest technology
• Vendor applications & data security
• Strategic partnerships & data security
• Confusing / conflicting / vague security standards
• Limited resources for security implementations

The Current State of Affairs
• Clearly the bad guys seem to be winning the
cybersecurity fight
• While there are bright spots, they are few and far
between
• We seem to be getting better at detecting and
responding to the threat
• We need to be better at preventing the attacks from
occurring in the first place

But what do we do?

Information Assurance Frameworks
• There are a number of industry groups also trying to
address the issues
• Numerous frameworks have been established, such
as:
– CoBIT
– IT Assurance Framework (ITAF)
– ISO 27000 Series
– IT Baseline Protection Manual
– Consensus Audit Guidelines / Critical Security Controls
– Many, many others

Industry Security Regulations
• Presently there are a number of government
information security standards available
• But, there are too many to choose from:
– Individual Corporate / Agency Standards
– NIST 800-53 / 800-53 A
– FISMA / DIACAP
– HIPAA / SOX / GLBA
– PCI / NERC / CIP
– 20 Critical Controls / Consensus Audit Guidelines

Council on CyberSecurity
• Official home of the Critical Security Controls
• CEO is Jane Lute, former Deputy Secretary of DHS
• Not for Profit group responsible for managing the
Critical Security Controls (CSCs)
• Director of the CSCs is Tony Sager
• Mission is:
“The Council on CyberSecurity is an independent, global
organization committed to an open and secure Internet.”

Document Contributors (1)
• Blue team members inside the Department of Defense
• Blue team members who provide services for non-DoD
government agencies
• Red & blue teams at the US National Security Agency
• US-CERT and other non-military incident response teams
• DoD Cyber Crime Center (DC3)
• Military investigators who fight cyber crime
• The FBI and other police organizations
• US Department of Energy laboratories

Document Contributors (2)
• US Department of State
• Army Research Laboratory
• US Department of Homeland Security
• DoD and private forensics experts
• Red team members in DoD
• The SANS Institute
• Civilian penetration testers
• Federal CIOs and CISOs
• Plus over 100 other collaborators

Project Guiding Principles
• Defenses should focus on addressing the attack activities
occurring today,
• Enterprise must ensure consistent controls across to
effectively negate attacks
• Defenses should be automated where possible
• Specific technical activities should be undertaken to produce a
more consistent defense
• Root cause problems must be fixed in order to ensure the
prevention or timely detection of attacks
• Metrics should be established that facilitate common ground
for measuring the effectiveness of security measures

Cyber Intrusion Kill Chain

Critical Security Controls vs Intrusion Kill Chain
Critical Security Control
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command&Control
ActionsonObjectives
CSC #1: Inventory of Authorized and
Unauthorized Devices
X X X X X X
CSC #2: Inventory of Authorized and
Unauthorized Software
X X X
CSC #3: Secure Configurations for Hardware
and Software on Mobile Devices, Laptops,
Workstations, and Servers
X X X
CSC #4: Continuous Vulnerability
Assessment and Remediation
X X X

Technical Defensive Tools
• Security Content Automation Protocol (SCAP)
compliant vulnerability management solution
• File integrity assessment monitoring and response
system
• Software whitelisting solution

2013 Java Data Breaches

2013 Java Attacks & Intrusion Kill Chain
1. The attacker discovered a weakness in software
commonly utilized by the victim (reconnaissance)
2. The attacker wrote attack code to exploit the
discovered software weakness (weaponization)
3. The attacker posted the attack code on a “watering
hole” website that would be trusted by the victim
(delivery)
4. The victim was lured into visiting the “watering hole”
website hosting the attack code (exploitation)

2013 Java Attacks & Intrusion Kill Chain
5. The victim downloaded and executed the malicious
code (installation)
6. The malicious code compromised the victim’s
computer and connected to the attacker’s command
and control servers to allow the attacker access
(command and control)
7. The attacker performed his or her desired objectives
on the victim’s computers (actions on objectives)

2013 Java Attacks - Defenses
• Critical Control #1: Inventory of Authorized and
Unauthorized Devices
• Critical Control #2: Inventory of Authorized and
Unauthorized Software
• Critical Control #3: Secure Configurations for
Hardware and Software on Mobile
Devices, Laptops, Workstations, and Servers
• Critical Control #4:Continuous Vulnerability
Assessment and Remediation

Business Dashboards
http://www.ncircle.com/index.php?s=solution_reporting

Potential Business Metrics
• How many unauthorized / unknown computers are currently
connected to the organization’s network?
• How many unauthorized software packages are running on the
organization’s computers?
• What percentage of the organization’s computers are running
software whitelisting defenses which blocks unauthorized
software programs from running?
• What is percentage of the organization’s computers that have
been configured (operating system and applications) according
to the organization’s documented standards?
• What is the comprehensive Common Vulnerability Scoring
System (CVSS) vulnerability rating for each of the organization’s
systems?

Actionable Next Steps
1. Business leaders should define their strategy for
how to defend against cyber attacks (document a
charter).
2. Deploy technical tools to implement defensive goals.
3. Gather metrics on a continuous basis to measure
the organization’s progress.
4. Engage business leaders to act based on the metrics
that are gathered.

Further Questions
• James Tarala
– E-mail: james.tarala@enclavesecurity.com
– Twitter: @isaudit
– Website: http://www.auditscripts.com
• Resources for further study:
– SANS SEC 440/566: Implementing & Auditing the
Critical Security Controls
– The Council on CyberSecurity
(http://www.counciloncybersecurity.org/)

Utilizing the Critical Security Controls to Secure Healthcare Technology

More Related Content

What's hot (20)

Similar to Utilizing the Critical Security Controls to Secure Healthcare Technology (20)

More from EnclaveSecurity (10)

Recently uploaded (20)

Utilizing the Critical Security Controls to Secure Healthcare Technology

Editor's Notes