From Plans to Pen Testing - Dealing with The Unexpected
Session #CS3, February 19, 2017
Ron Mehring, CISO, Texas Health Resources

Speaker Introduction
Ron Mehring, VP, Technology & Security, Texas Health Resources

Conflict of Interest
Ron Mehring has no real or apparent conflicts of interest to report.

Agenda
• Healthcare Threat Landscape
• Security Plans, Continuous Monitoring and Penetration Testing
• Incident Management

Learning Objectives
• Explain the current threat and vulnerability landscape facing healthcare organizations.
• Illustrate how to plan and test your plan: practical information and perspectives on how to design and test your privacy and security plans to fit the needs of your organization.
• Describe how to test your plan with best case, worst case and "what if" scenarios.
• Explain current attacks and compromises, and the hallmarks of sophisticated vs. unsophisticated attackers.
• Explain how to recognize a significant security incident and what to do when a major breach does occur.

An Introduction of How Benefits Were Realized for the Value of Health IT
• Satisfaction: improve patient satisfaction and build trust by helping to improve security and reduce breaches and ransomware
• Electronic Secure Data: improve security of sensitive patient information
  – Highlight gaps; enable information sharing to improve security
• Savings: reduce breaches and ransomware and the associated business impacts and costs

The Healthcare Threat Landscape

Healthcare and the integrated cyber future
• Optimization of healthcare operations is driving the adoption of new and innovative technology platforms.
• Mergers and acquisitions are occurring at an increasing rate.
• Tighter technology integration is occurring across multiple platform types.
• The end user and the patient are driving new and innovative technology use cases.

What are some of the more significant threats?
• 3.7 million credit card breach via a malware attack on point-of-sale systems.
  https://www.bannerhealth.com/news/2016/08/banner-health-identifies-cyber-attack
• EHR shut down for 6 days due to a cyberattack.
  http://www.healthcareitnews.com/news/cyberattackappalachian-regional-healthcare-keeping-ehr-down-after-six-days
• Massive Internet of Things attack.
  http://fortune.com/2016/10/23/internet-attack-perpetrator/
• Over half of the Locky ransomware in August was aimed at hospitals.
  http://www.zdnet.com/article/a-massive-locky-ransomware-campaign-is-targeting-hospitals/

Protecting health care delivery networks is becoming more complex every day.

Sophisticated vs. Unsophisticated Threats
• Advanced threats are characterized by the motivation and persistence of the attacker and by the attacker's ability to evade traditional cybersecurity hygiene controls.
• Commodity, everyday threats can be prevented through the application of good cybersecurity hygiene.

  Sophisticated                                              Unsophisticated
  – Nation state attacks                                     – Physical theft
  – Knowledgeable malicious insider with high-level access   – Insider unauthorized access or misuse
  – Targeted phishing attacks                                – Broad-based phishing scams
  – Environmentally tailored malware and exploits            – Known malware and exploits
  – Well designed, stealthy command and control              – Noisy, smash and grab

Security Plan, Continuous Monitoring and Penetration Testing

Building an organizationally tuned penetration testing assessment program
• Penetration testing is an assessment approach in which security controls are purposely evaded.
• The assessment program should be aligned with the business risk profile and leadership expectations.
• Third-party independent (penetration) assessment services should be employed when possible.
• All assessment and audit plans should be pulled into a single monitoring plan.
• Program constraints: cost, prioritization, resources.
(Diagram: the Security Plan drives a Continuous Monitoring Plan, which combines Audit, Monitoring and Internal Assessments with a 3rd Party Penetration Testing Plan.)

The Security Plan
• The security plan is based on the risk appetite of the organization.
• Control thresholds formalize security posture expectations.
• Audit, monitoring and assessment plans should be aligned with the control thresholds.
(Diagram: Regulatory Requirements, Business Requirements, the Control Catalog and Emerging/Recognized Threats feed the Control Thresholds.)

The Continuous Monitoring Plan
• Documents all audit, assessment and monitoring requirements.
• Documents the specific tests required for each control area.
• Sets an integrated audit, monitoring and assessment schedule.
• Establishes stakeholder ownership for each control being assessed.

Setting the assessment schedule and robustness objectives
• Determine the most significant weaknesses.
• Determine which controls are most important.
• Determine how often they need to be tested.
Assessment types:
• 3rd Party – Penetration Assessments
  o Red teaming context
• Incorporation of controls-based exercises
  o Purple teaming context
• Phishing testing
• Vulnerability exposure assessments

Continuous Improvement, Data Driven Assessments and Exercises
• Improving incident response performance and baselining control effectiveness requires continuous assessment, exercising and testing.
• A quarterly independent assessment cycle ensures regular testing of control effectiveness.
• Adding risk exposure and threat data to the assessments helps ensure the assessment cycle is focused on testing weaknesses in compensating controls.
• Data feeds the continuous improvement cycle and reinforces high reliability principles.
(Diagram: a cycle alternating External Assessment and Internal Assessment each quarter, with Continuous Phishing Exercises running throughout.)
Penetration testing design based on scenario / "what if" approaches
Scenario chain: Phishing Email → Workstation Compromise → Access Compromise → Attacker Elevates Privileges
Testing requirements for the controls at each step:
• Phishing Email: end user susceptibility; email filtering; detection - monitoring; response plan
• Workstation Compromise: malware prevention; workstation hardening; detection - monitoring; response plan
• Access Compromise: user monitoring; detection - monitoring; response plan
• Attacker Elevates Privileges: system admin controls; detection - monitoring; response plan

The Security Plan, Risk and Operational Considerations
• Ensure assessment/audit operational performance data is fed back into the risk program.
• Apply techniques such as Kanban and the Theory of Constraints; these techniques can help improve performance.
• Use risk scenarios (threat models) as a bridge between risk management and operations.
• Recognize that security risk decisions are tradeoffs.
• Best practices still must have a risk analysis performed. Not all best practices are appropriate for every environment.
• Be cautious of using "cybersecurity dogma" as a basis for risk prioritization.
(Diagram: Risk and Operations in a loop; Risk sets Appetite - Requirements for Operations, and Operations returns Performance - Outcomes to Risk.)

Incident Management

Detecting, Classifying and Managing Incidents
(Diagram: lifecycle phases Preparation, Operations, Follow Through and Continuous Improvement, with the elements Risk Scenarios - Exposure, Incident Response Plan, Workflow Development, Security Architecture, Cyber Insurance, Incident Criteria, Operational Rhythm, Incident Playbooks, Control Analysis, Incident Resolution, and Benchmarking - Trend - Reporting.)

Incident Response Performance
• Create a feedback loop of indicators and risk thresholds that flow into operations and continuous improvement processes.
• Data-driven workflows allow the measurement of control performance and effectiveness.
  Indicators: Incidents; Events; Risk Scenarios; Exposure Data
  Outputs: Time to Detection; Time to Respond; Time to Remediate; Control Analysis; Threat Events Managed

How do you know when an incident is occurring?
• Establish analytics and log management platforms.
• Measuring where your most significant exposure is located will provide the best opportunity to detect an incident.
• A daily monitoring rhythm ensures that there is a regular routine evaluating threat events.
• Use information sharing and threat intelligence services.
(Diagram: Incident at the center, surrounded by Risk Management, Analytics, Rhythm, Threats/Exposure and Information Sharing.)

Using modeling and bounding approaches helps in setting and maintaining analytics
• Establishing a model for the monitoring and analytics system can be very helpful for tuning, playbooks and response actions.
(Diagram: model dimensions Time, Identity, Entitlement, Location, Sensitivity, Asset, Data, Quantity, Size.)

How do you know when an incident is occurring? Example log sources, analytics and playbooks

  Playbook               Log Data Sources                                Analytics
  Privileged Misuse      Active Directory; Database                      Newly accessed system; Access time abnormal
  Anomalous Log In       Active Directory; VPN                           Access time abnormal; Location
  Data Loss/Compromise   EHR; Data Loss Prevention; File Directory Log   Abnormal transaction activity; Sensitive data access activity; Sensitive data transmission activity

When a major breach occurs, what do you do?
• Playbooks: playbooks should direct staff how to coordinate and escalate the incident.
• Use escalation levels that help guide staff with response time expectations and communication:
  – Level 1 – Routine Incident
  – Level 2 – Potential Breach
  – Level 3 – Active Major Breach
• At Level 2, have a plan to engage incident response and forensic services and cybersecurity insurance.
• At Level 3, have a plan to engage legal, law enforcement, remediation and crisis management services, and public affairs.
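The log-source/analytics table and the escalation levels above, as an added example that is not part of the original deck: a small Python pass over constructed log events that applies the listed analytics (abnormal access time, location outside baseline, newly accessed system, abnormal EHR transaction volume, sensitive data transmission), tags each finding with the matching playbook, and maps the findings onto the three escalation levels. The per-user baselines, thresholds, event format and the Level 1/2/3 criteria are all assumptions made for illustration, not the speaker's organization's rules.

```python
from datetime import datetime

# Constructed per-user baselines (assumed; a real deployment derives them
# from login history and entitlement data, i.e. the model dimensions above).
BASELINES = {
    "jsmith":  {"hours": range(7, 19), "countries": {"US"}, "systems": {"EHR-APP1"}},
    "dbadmin": {"hours": range(8, 18), "countries": {"US"}, "systems": {"DB-PROD1"}},
}
EHR_RECORDS_PER_HOUR = 200            # assumed abnormal-transaction threshold
SENSITIVE_EGRESS_BYTES = 50 * 2**20   # assumed DLP transmission threshold (50 MiB)

# Constructed sample events; "source" values follow the log data sources in the table.
EVENTS = [
    {"source": "vpn", "user": "jsmith", "ts": "2017-02-19T03:12:00", "country": "RO"},
    {"source": "ehr", "user": "jsmith", "ts": "2017-02-19T03:15:00", "records": 900},
    {"source": "dlp", "user": "jsmith", "ts": "2017-02-19T03:20:00",
     "sensitive": True, "bytes": 80 * 2**20, "dest": "external"},
    {"source": "vpn", "user": "jsmith", "ts": "2017-02-19T09:05:00", "country": "US"},
    {"source": "database", "user": "dbadmin", "ts": "2017-02-19T22:40:00", "system": "DB-HR2"},
    {"source": "database", "user": "dbadmin", "ts": "2017-02-19T10:00:00", "system": "DB-PROD1"},
]


def detect(events, baselines):
    """Return one finding {user, playbook, reason} per event that breaks a baseline."""
    findings = []
    for ev in events:
        base = baselines.get(ev["user"])
        if base is None:              # no baseline: nothing to compare against
            continue
        off_hours = datetime.fromisoformat(ev["ts"]).hour not in base["hours"]
        reasons, playbook = [], None
        if ev["source"] in ("active_directory", "vpn"):
            playbook = "Anomalous Log In"
            if off_hours:
                reasons.append("access time abnormal")
            if ev.get("country") and ev["country"] not in base["countries"]:
                reasons.append("location %s outside baseline" % ev["country"])
        elif ev["source"] == "database":
            playbook = "Privileged Misuse"
            if ev.get("system") not in base["systems"]:
                reasons.append("newly accessed system %s" % ev["system"])
            if off_hours:
                reasons.append("access time abnormal")
        elif ev["source"] == "ehr":
            playbook = "Data Loss/Compromise"
            if ev.get("records", 0) > EHR_RECORDS_PER_HOUR:
                reasons.append("abnormal transaction activity (%d records)" % ev["records"])
        elif ev["source"] in ("dlp", "file_directory"):
            playbook = "Data Loss/Compromise"
            if (ev.get("sensitive") and ev.get("dest") == "external"
                    and ev.get("bytes", 0) >= SENSITIVE_EGRESS_BYTES):
                reasons.append("sensitive data transmission (%d MiB external)"
                               % (ev["bytes"] // 2**20))
        if reasons:
            findings.append({"user": ev["user"], "playbook": playbook,
                             "reason": "; ".join(reasons)})
    return findings


def escalation_level(findings):
    """Map findings to the deck's escalation levels. The criteria are assumed:
    any finding is Level 1 (routine); a Data Loss/Compromise finding is Level 2
    (potential breach); Data Loss/Compromise plus an anomalous login or privileged
    misuse on the same user is Level 3 (active major breach). 0 means no finding."""
    if not findings:
        return 0
    playbooks_by_user = {}
    for f in findings:
        playbooks_by_user.setdefault(f["user"], set()).add(f["playbook"])
    level = 1
    for playbooks in playbooks_by_user.values():
        if "Data Loss/Compromise" in playbooks:
            level = max(level, 2)
            if playbooks & {"Anomalous Log In", "Privileged Misuse"}:
                level = 3
    return level


if __name__ == "__main__":
    found = detect(EVENTS, BASELINES)
    for f in found:
        print("%-20s %-8s %s" % (f["playbook"], f["user"], f["reason"]))
    print("escalation level:", escalation_level(found))
```

On the constructed events this yields four findings (an off-hours foreign-country VPN login, abnormal EHR record volume and a large external sensitive transfer for the same user, and an off-hours privileged database login to a new system) and escalates to Level 3 because one identity shows both anomalous access and data loss indicators; the same logic over only the normal-hours US login yields nothing.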
A Summary of How Benefits Were Realized for the Value of Health IT
• Satisfaction: improve patient satisfaction and build trust by helping to improve security and reduce breaches and ransomware
  – Benchmarks, information sharing, collaboration
• Electronic Secure Data: improve security of sensitive patient information
  – Highlight maturity (8 priorities, 42 capabilities) and gaps, to enable information sharing in order to improve security
• Savings: reduce breaches and ransomware and the associated business impacts and costs
  – Frequency of occurrence, business impact

Questions?
• [email protected]
• linkedin.com/in/ron-mehring
• twitter.com/mehringrc