Reducing the Attack Surface: Healthcare Industry Perspective
Slides: 18
Slide 1: Healthcare Industry Perspective: Reducing the Attack Surface
Jim Routh, Chair, NH-ISAC
NH-ISAC Spring Summit 2018
Presenter: Jim Routh

Slide 2: Methods for Shrinking the Attack Surface
From Wikipedia: "The attack surface of a software environment is the sum of the different points (the 'attack vectors') where an unauthorized user (the 'attacker') can try to enter data to or extract data from an environment. [1][2] Keeping the attack surface as small as possible is a basic security measure. [3]"
"Go BIG or go home!"
• Reduce the number of instances using SSNs for authentication and identification
• Reduce the use of passwords as credentials for your customers and employees
• Reduce the attack surface for your third-party products and services
• Reduce the attack surface for phishing by implementing controls for the four types of attacks
A smaller attack surface enables an enterprise to focus scarce resources on more concentrated areas of risk for the enterprise.

Slide 3: SSNs as authenticators and unique identifiers
SSN as an Authenticator
• Using the last 4 digits to confirm identity for password reset
• Account registration requiring SSN
• Log-in requirement for user ID or SSN
SSN as a Unique Identifier
• Using SSN to identify patient data with third parties
• Adding SSN to multiple databases of claims history to identify members
• Asking patients under care for SSN to confirm their identity
Sources cited on the slide (dates shown: June 2017, Oct 2017, June 2017, May 18, 2018):
• GAO Report to the Chairman, Subcommittee on Social Security, Ways and Means
• Rob Joyce: "I feel very strongly that the Social Security number has outlived its usefulness."
• The Centers for Medicare & Medicaid Services (CMS) recently announced it is preparing to issue Medicare cards that will use new unique numbers in place of cardholder SSNs.
• Better Identity Coalition testimony to the House Ways & Means Committee

Slide 4: Techniques to Consider: SSN alternatives
SSN as an Authenticator
1. Replace the use of SSN as an authenticator with behavioral attributes
2. Consider evolution to continuous behavioral-based authentication
SSN as a Unique Identifier
1. Use a member/patient ID number to identify patient files
2. Revise the data classification policy
3. Apply a higher level of controls (encryption, PUM, multi-factor authentication) to any database storing SSNs
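One way to carry out items 1 and 3 for "SSN as a Unique Identifier" (issue a member ID and keep SSNs out of every downstream table) is a keyed blind index: the registry stores HMAC(key, SSN) for intake lookups and hands claims systems and third parties only the member ID. The code below is an added example, not the presenter's or any vendor's code; `MemberRegistry`, the placeholder `INDEX_KEY`, the claim-row shape and the partner-export guard are assumptions, and it uses only the Python standard library. If a raw SSN must be retained at all, it belongs in a separately encrypted vault with privileged-access controls, which this example does not implement.

```python
"""Member IDs plus a keyed blind index in place of raw SSNs as the cross-system identifier.

Added example (not from the presentation). MemberRegistry, INDEX_KEY and the row
shapes are assumptions; only the standard library is used.
"""
import hashlib
import hmac
import re
import secrets

# Assumption: the index key lives in a KMS/HSM and is never stored beside the data.
# A fixed placeholder is used only so the example runs offline.
INDEX_KEY = bytes.fromhex("00" * 32)


def normalize_ssn(ssn):
    """Strip separators so '123-45-6789' and '123456789' index identically."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("an SSN has exactly 9 digits")
    return digits


def blind_index(ssn, key=INDEX_KEY):
    """Keyed HMAC-SHA256 of the SSN.

    A plain hash of a 9-digit value (1e9 candidates) is trivially reversible by
    brute force; the keyed index is not, so it can sit in an ordinary table.
    """
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


class MemberRegistry:
    """Issues member IDs; downstream systems (claims, third parties) carry only the ID."""

    def __init__(self, key=INDEX_KEY):
        self._key = key
        self._id_by_index = {}   # blind index -> member ID
        self._members = {}       # member ID -> record without any SSN field

    def enroll(self, name, ssn):
        idx = blind_index(ssn, self._key)
        if idx in self._id_by_index:          # re-enrolment maps to the same member
            return self._id_by_index[idx]
        member_id = "MBR-" + secrets.token_hex(5).upper()   # non-sequential, non-derivable
        self._id_by_index[idx] = member_id
        self._members[member_id] = {"name": name}
        return member_id

    def find_by_ssn(self, ssn):
        """Intake lookup: the only place an SSN is handled, and only transiently."""
        return self._id_by_index.get(blind_index(ssn, self._key))

    def record(self, member_id):
        return dict(self._members[member_id])


def claim_record(member_id, claim_no, amount_cents):
    """Shape of a claims-history row: keyed by member ID, no SSN column at all."""
    return {"member_id": member_id, "claim_no": claim_no, "amount_cents": amount_cents}


def export_for_partner(rows):
    """Guard for third-party feeds: refuse any row that smuggles an SSN-like field."""
    forbidden = {"ssn", "social_security_number", "ssn_last4"}
    for row in rows:
        if forbidden & {k.lower() for k in row}:
            raise ValueError("row for %s contains an SSN field" % row.get("member_id"))
    return [dict(row) for row in rows]


if __name__ == "__main__":
    reg = MemberRegistry()
    mid = reg.enroll("A. Patient", "123-45-6789")
    print(mid, reg.find_by_ssn("123456789") == mid)
    print(export_for_partner([claim_record(mid, "C-1", 12500)]))
```

The index key is what makes this different from "hash the SSN": without it the 10^9 possible values can be enumerated in seconds, so rotate it through the same process as any other data-protection key.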

Slide 5: Reduce password use
"If I were a criminal…" (https://www.youtube.com/watch?v=Z8AbGDOv2dc): I would use Sentry MBA for credential stuffing. I'd take log-in credentials and try them on different domains. I'd get a 2% hit, meaning 2% of the credentials I use will give me control of the account.
• Most people use fewer than 5 passwords for all accounts
• 50% of those haven't changed their password in the last 5 years
Sources: https://sentry.mba/ ; https://krebsonsecurity.com/tag/sentry-mba/ ; https://blog.shapesecurity.com/2016/03/09/a-look-at-sentry-mba/
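The 2% hit rate is also what makes credential stuffing visible in a login log: one source tries many different usernames, one or two attempts each, and almost all of them fail (brute force looks the opposite: one username, many attempts). The detector below is an added example, not the presenter's tooling; the log format, the thresholds and the IP addresses are assumptions, and the log lines are constructed rather than captured.

```python
"""Flagging credential stuffing in a web login log.

Added example (not from the presentation). Log format, thresholds and addresses
are assumptions; SAMPLE_LOG is constructed, not real traffic.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, one event per line: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.9 runs a stuffing list: 50 usernames, one attempt each, 2% succeed.
# 198.51.100.7 is an ordinary user who mistyped a password once.
SAMPLE_LOG = "\n".join(
    ["2018-05-18T10:00:%02d 203.0.113.9 user%02d %s" % (i, i, "OK" if i == 7 else "FAIL")
     for i in range(50)]
    + ["2018-05-18T10:00:05 198.51.100.7 alice FAIL",
       "2018-05-18T10:00:09 198.51.100.7 alice OK"]
)


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=20,
                    max_success_rate=0.10, max_attempts_per_user=3.0):
    """Per source IP, slide a time window over its attempts and flag the IP once it
    has tried at least `min_users` distinct usernames inside the window with a low
    success rate and few attempts per user. Returns {ip: stats of the widest window}."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        recent, users, successes = deque(), Counter(), 0
        for ts, user, ok in events:
            recent.append((ts, user, ok))
            users[user] += 1
            successes += int(ok)
            while recent and ts - recent[0][0] > window:   # expire events outside the window
                _, old_user, old_ok = recent.popleft()
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
                successes -= int(old_ok)
            attempts, distinct = len(recent), len(users)
            if distinct < min_users:
                continue
            if (successes / attempts <= max_success_rate
                    and attempts / distinct <= max_attempts_per_user):
                stats = {"distinct_users": distinct, "attempts": attempts, "successes": successes}
                if ip not in flagged or distinct > flagged[ip]["distinct_users"]:
                    flagged[ip] = stats
    return flagged


def accounts_to_reset(log_text, flagged):
    """Usernames that logged in successfully from a flagged source: the 2% that
    now need a forced credential reset (and ideally a second factor)."""
    hits = set()
    for line in log_text.strip().splitlines():
        _, ip, user, ok = parse_line(line)
        if ok and ip in flagged:
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    found = detect_stuffing(SAMPLE_LOG)
    print(found)
    print("reset:", accounts_to_reset(SAMPLE_LOG, found))
```

Real stuffing tools rotate source IPs through proxies, so in production the same counters are usually keyed on a device or TLS fingerprint as well as on the address; the per-user attempt ratio is the signal that survives that rotation.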

Slide 6: 3rd Party: Evolution to event-driven risk management
From: Annual static assessment → To: Continuous assessment. How: use a continuous assessment tool and share your vendor list with security intelligence services.
From: One set of controls → To: Specific control requirements for each portfolio. How: design specific controls for each 3rd-party portfolio.
From: On-premise site visits → To: Cloud-specific instrumentation controls. How: use cloud services monitoring tools and deploy controls in cloud services.

Slide 7: 3rd Party: Evolution to event-driven risk management
Diagram: your enterprise with three 3rd-party portfolios (Software Providers, Hosting Providers, Service Providers), each carrying a risk score. Scores shown on the diagram: 1.21, 3.24, 2.11, 2.13, 2.39, 1.79 (Service Providers: 1.79).

Slide 8: 3rd Party: Evolution to event-driven risk management (key controls per portfolio)
Software Providers / Hosting Providers (two control sets shown):
• Key Controls: 1. Asset management 2. Configuration management 3. Vulnerability management 4. Authentication 5. Network monitoring 6. Event logging 7. Incident response 8. Software security (Risk Score = 3.24)
• Key Controls: 1. Software security 2. Incident response
Your enterprise: Risk Score = 2.39 (a further score of 2.13 is shown beside it)
Service Providers: Key Controls: 1. Background check 2. Cell phone ring fence 3. VDI & VPN (Risk Score = 1.79)

Slide 9: 3rd Party Community
Your community: Hosting Providers, Software Providers, Service Providers
1. Invite 3rd parties into your community
2. Invite them into the NH-ISAC community
3. Share information with them: intelligence, control requirements, techniques, tools, incident response

Slide 10: Trusted Email: Shrinking the attack surface for phishing
Impostor sender types and the control shown for each:
1. Spoof: DMARC
2. Look-alike domain: sinkhole newly registered domains
3. Display name deception: apply domain attributes to inbound filters
4. Compromised account: identity mapping model
Authentic: the account owner

Slide 11: Trusted Email: Four tactics for phishing email
Impostor sender:
1. Spoof
2. Look-alike domain
3. Display name deception
4. Compromised account
Authentic: the account owner

Slide 12: Type 3/4 Phishing Attack Sample
Screenshot of a message identified as a type 3: it passes DMARC and looks legitimate.
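The sample on this slide is the point of the four-type model: DMARC only closes type 1, so a message can authenticate cleanly and still be an impostor. The classifier below is an added example, not the presenter's or any vendor's gateway logic; it sorts a message into the four types of slides 10 and 11 using the header From, the DMARC result, domain age and an anomaly flag from the identity mapping model, and names the control each type maps to. `TRUSTED_DOMAINS`, `PROTECTED_IDENTITIES`, `NEW_DOMAIN_DAYS` and the sample messages are constructed assumptions.

```python
"""Sorting an inbound message into the four impostor-sender types and the control
each maps to: 1 spoof -> DMARC, 2 look-alike domain -> sinkhole new/look-alike
domains, 3 display name deception -> domain attributes on inbound filters,
4 compromised account -> identity mapping model.

Added example, not from the presentation. The trusted domains, protected
identities, domain-age threshold and samples are constructed assumptions; a real
gateway takes the DMARC result from Authentication-Results and the domain age
from registration data.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-health.org", "partner-pharma.example"}
# Identity map: display names attackers impersonate -> the one real address for them.
PROTECTED_IDENTITIES = {"jane doe": "jane.doe@example-health.org"}
NEW_DOMAIN_DAYS = 30
LABELS = {1: "spoof", 2: "look-alike domain", 3: "display name deception",
          4: "compromised account"}
CONTROLS = {1: "DMARC", 2: "sinkhole newly registered domains",
            3: "apply domain attributes to inbound filters", 4: "identity mapping model"}


def _skeleton(label):
    """Collapse common substitutions so 'examp1e-hea1th' matches 'example-health'."""
    s = label.lower()
    for a, b in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        s = s.replace(a, b)
    return "".join(ch for ch in s if ch.isalnum())


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True for domains imitating a trusted one: typo, confusable, added words, other TLD.
    Assumes single-label registrable names (no co.uk-style suffixes) in the samples."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return False
    label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t = trusted.split(".")[0]
        if (_skeleton(label) == _skeleton(t) or _edit_distance(label, t) <= 2
                or (t in label and label != t)):
            return True
    return False


def classify(msg):
    """msg: {"from": header value, "dmarc": "pass"|"fail"|"none",
             "domain_age_days": int|None, "behavior_anomalies": [str]}"""
    display, addr = parseaddr(msg["from"])
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    dmarc_pass = msg.get("dmarc") == "pass"
    age = msg.get("domain_age_days")
    name = display.strip().lower()

    if domain in TRUSTED_DOMAINS and not dmarc_pass:
        t = 1   # claims our domain but fails authentication
    elif is_lookalike(domain) or (age is not None and age < NEW_DOMAIN_DAYS):
        t = 2   # attacker-owned domain that resembles ours, or was registered days ago
    elif name in PROTECTED_IDENTITIES and addr != PROTECTED_IDENTITIES[name]:
        t = 3   # real name, wrong address: DMARC passes for the attacker's own domain
    elif domain in TRUSTED_DOMAINS and dmarc_pass and msg.get("behavior_anomalies"):
        t = 4   # authenticated real account behaving unlike its baseline
    else:
        return {"type": 0, "label": "authentic (account owner)", "control": None}
    return {"type": t, "label": LABELS[t], "control": CONTROLS[t]}


# Constructed samples, one per type plus an authentic message.
SAMPLES = {
    "spoof": {"from": "Jane Doe <jane.doe@example-health.org>", "dmarc": "fail"},
    "lookalike": {"from": "Billing <billing@examp1e-health.org>", "dmarc": "pass",
                  "domain_age_days": 400},
    "display_name": {"from": "Jane Doe <jane.doe.cfo@freemail.example>", "dmarc": "pass",
                     "domain_age_days": 3000},
    "compromised": {"from": "Jane Doe <jane.doe@example-health.org>", "dmarc": "pass",
                    "behavior_anomalies": ["origin", "chronology"]},
    "authentic": {"from": "Jane Doe <jane.doe@example-health.org>", "dmarc": "pass"},
}

if __name__ == "__main__":
    for kind, sample in SAMPLES.items():
        print(kind, classify(sample))
```

The `display_name` sample is the slide's case: a free-mail domain with a valid DMARC pass, caught only because the display name belongs to a protected identity whose real address is known.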

Slide 13: Type 4 Identity Mapping Algorithms
• Identity Mapping: Which identity is perceived to be sending this message?
• Behavioral Analytics: Does this message match the expected behavior for that identity?
• Trust Modeling: How is the perceived identity related to the recipient?

Slide 14: Type 4 control will become a reality (stamped "Coming Soon!")
• Origin: Where are messages typically sent from? Servers/IPs; 3rd-party services; device
• Destination: Whom are messages typically sent to? Number and breadth of recipients; types of recipients; frequency of sending to specific recipients
• Artifact: What are the typical elements of the content? Attachment/URL types and characteristics; signature and structure of messages
• Chronology: When are messages typically sent? Regularity/frequency-domain signals; time of day, day of week/month/year
• Transmission: How are messages transmitted? Usage of mailing lists and forwarders; number of servers in the delivery path
• Identification: Which identity markers are used? Which email addresses/services are used? Which variants of display name, signature, etc.?
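A minimal version of the behavioral analytics step from slides 13 and 14, as an added example rather than the presenter's or any vendor's model: build a per-identity baseline from an identity's authenticated sending history across the six dimensions listed above, then count how many dimensions a new message violates. The message fields, the constructed history (a CFO's account mailing the finance team from the corporate MX on weekday business hours) and the hold threshold are assumptions; a production model learns these distributions from message logs rather than from sets and maxima.

```python
"""Per-identity sending baseline over origin, destination, artifact, chronology,
transmission and identification, plus a deviation score for a new message.

Added example (not from the presentation). Message fields, the history and the
thresholds are constructed assumptions.
"""
from datetime import datetime


def _msg(sent, server, to, attachments, display_name, hops):
    return {"sent": sent, "server": server, "to": to, "attachments": attachments,
            "display_name": display_name, "hops": hops}


# Constructed history: weekdays of 1-18 May 2018 (1 May 2018 was a Tuesday).
WEEKDAYS_MAY_2018 = [1, 2, 3, 4, 7, 8, 9, 10, 11, 14, 15, 16, 17, 18]
HISTORY = [
    _msg("2018-05-%02dT%02d:15:00" % (day, 9 + i % 8), "mx1.example-health.org",
         ["ap@example-health.org", "controller@example-health.org"][:1 + i % 2],
         ["pdf"] if i % 3 == 0 else [], "Jane Doe", 1)
    for i, day in enumerate(WEEKDAYS_MAY_2018)
]


def build_baseline(history):
    """Summarise what 'normal' looks like for one identity along the six dimensions."""
    stamps = [datetime.fromisoformat(m["sent"]) for m in history]
    return {
        "origin": {m["server"] for m in history},
        "destination": {r for m in history for r in m["to"]},
        "max_recipients": max(len(m["to"]) for m in history),
        "artifact": {a for m in history for a in m["attachments"]},
        "hours": {s.hour for s in stamps},
        "weekdays": {s.weekday() for s in stamps},
        "max_hops": max(m["hops"] for m in history),
        "identification": {m["display_name"] for m in history},
    }


def score(msg, baseline):
    """Return (number of deviating dimensions, human-readable reasons)."""
    reasons = []
    sent = datetime.fromisoformat(msg["sent"])
    if msg["server"] not in baseline["origin"]:
        reasons.append("origin: never sent from " + msg["server"])
    unseen = set(msg["to"]) - baseline["destination"]
    if unseen or len(msg["to"]) > baseline["max_recipients"]:
        reasons.append("destination: %d unseen recipients of %d" % (len(unseen), len(msg["to"])))
    new_types = set(msg["attachments"]) - baseline["artifact"]
    if new_types:
        reasons.append("artifact: unseen attachment types " + ",".join(sorted(new_types)))
    if sent.hour not in baseline["hours"] or sent.weekday() not in baseline["weekdays"]:
        reasons.append("chronology: sent %s, outside the usual pattern" % sent.strftime("%a %H:%M"))
    if msg["hops"] > baseline["max_hops"]:
        reasons.append("transmission: %d servers in the delivery path" % msg["hops"])
    if msg["display_name"] not in baseline["identification"]:
        reasons.append("identification: display name variant %r" % msg["display_name"])
    return len(reasons), reasons


def verdict(msg, baseline, hold_at=3):
    """Hold for review once enough dimensions deviate; one deviation alone is noise."""
    n, reasons = score(msg, baseline)
    return ("hold for review" if n >= hold_at else "deliver"), reasons


# Constructed test messages: a routine one and a takeover-style one
# (Sunday 03:12, webmail, new external recipient, zip, altered display name, 4 hops).
NORMAL = _msg("2018-05-21T10:15:00", "mx1.example-health.org",
              ["ap@example-health.org"], [], "Jane Doe", 1)
SUSPECT = _msg("2018-05-20T03:12:00", "webmail.freemail.example",
               ["ap@example-health.org", "wire-desk@bank.example"], ["zip"],
               "Jane Doe (CFO)", 4)

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(verdict(NORMAL, base))
    print(verdict(SUSPECT, base))
```

Because the suspect message comes from the real, authenticated account, DMARC and the display-name check both pass it; only the comparison against the identity's own history (the type 4 control) separates it from the account owner's routine mail.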

Slide 15: Trusted Email: Healthcare Challenge 2018
Migrate all consumer-facing healthcare companies to the use of Domain-based Message Authentication, Reporting and Conformance (DMARC) by year-end.
The "Doers": 23andMe, 3M Health Systems, Ascension Health, BC/BS of Rhode Island, Children's Hospital of Los Angeles, Henry Ford Health, Merck, Roswell Park Cancer Institute, Torrance Memorial Medical Center, Zocdoc
The Others: 62% of top healthcare entities with no DMARC policy in place; 208 NH-ISAC members with no DMARC policy in place
The September Letter
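"No DMARC policy in place" covers more than a missing record: a record with `p=none` only reports, and `pct` below 100 enforces on a fraction of mail. The checker below is an added example, not the presenter's survey method; it parses a `_dmarc.<domain>` TXT record per RFC 7489 and grades how much of the spoofing surface it closes. The records are constructed, and a real survey would fetch them with a DNS resolver.

```python
"""Parsing a DMARC TXT record and grading how much spoofing surface it closes:
missing < monitor (p=none) < partial (pct<100) < quarantine < reject.

Added example (not from the presentation). SAMPLE_RECORDS is constructed; a real
check fetches the TXT record at _dmarc.<domain>.
"""
from collections import Counter


def parse_dmarc(txt):
    """Tag dict for a DMARC record, or None if the text is not one.
    RFC 7489 requires 'v=DMARC1' as the first tag; unknown tags are ignored."""
    if not txt:
        return None
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {"v": "DMARC1"}
    for part in parts[1:]:
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def policy_level(txt):
    """Grade the organisational-domain policy."""
    rec = parse_dmarc(txt)
    if rec is None:
        return "missing"
    p = rec.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        # RFC 7489 6.6.3: absent/invalid p with an rua tag is treated as p=none
        return "monitor" if "rua" in rec else "missing"
    if p == "none":
        return "monitor"
    pct = rec.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    return "partial" if pct < 100 else p


def subdomain_policy(txt):
    """Policy applied to mail from subdomains: the sp tag, else p (a common gap:
    p=reject with sp=none leaves every subdomain spoofable)."""
    rec = parse_dmarc(txt)
    if rec is None:
        return "missing"
    return rec.get("sp", rec.get("p", "none")).lower()


def summarize(records):
    """records: {domain: txt or None}. Counts per level and the share with no
    enforcing policy (missing or monitor-only), the figure the slide tracks."""
    levels = {d: policy_level(t) for d, t in records.items()}
    unprotected = sum(1 for lvl in levels.values() if lvl in ("missing", "monitor"))
    return {"levels": levels, "counts": dict(Counter(levels.values())),
            "unprotected_share": unprotected / len(records)}


# Constructed records covering each outcome.
SAMPLE_RECORDS = {
    "doer-one.example": "v=DMARC1; p=reject; rua=mailto:dmarc@doer-one.example",
    "doer-two.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@doer-two.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "broken.example": "v=DMARC1; rua=mailto:dmarc@broken.example",   # no p tag
    "spf-only.example": "v=spf1 include:_spf.example -all",           # not DMARC at all
    "none.example": None,                                              # no TXT record
}

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```

A domain at "monitor" is where many organisations stall: the aggregate reports arrive, but mail that fails still reaches inboxes, so for the attack-surface count it belongs with the domains that have no record at all.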

Slide 16: Models drive front-line security controls
Diagram: a neural network with Input, Hidden and Output layers. Caption: Mathematical formulation of observed events.

Slide 17: Models drive front-line security controls (image only; no text on the slide)

Slide 18: Adjust your Talent Management Approach
Data Scientist; Security Professional