Considerations

• Research vulnerability and known exploits/threats (see links below for a good start).
• Triage the vulnerability (see Vulnerability Triage Process below if you don’t already have a method) to determine the appropriate threat mitigation strategy.
• Communicate the potential risk and plan of attack to management (solicit feedback/approval).
• Test workaround/mitigation strategy before deployment.
• Adjust strategy (if necessary) and execute plan.

Vulnerability Research

Microsoft Technet

PCWorld

Exploit/Threat Research

Symantec Research

Wikipedia: Duqu

Vulnerability Triage Process

Cisco’s Vulnerability Risk Triage Model

Details

Firesheep is a free plugin for the Firefox browser, which allows attackers to monitor wireless hot-spots. Once a person logs in to their account, the attacker is able to steal their browser cookie (a process called “session hijacking” or “sidejacking”) and access the victim’s account with just a few mouse clicks, virtually undetected. Firesheep is almost idiot-proof, and gives even the most inexperienced computer user a tremendous amount of power.

Privacy and Business Implications

The capability that this puts into the hands of an average computer user poses a significant threat to peoples privacy, and the security of hospitals and other businesses as well. Once an account is compromised, an attacker could impersonate the victim and/or monitor all communication to and from the victim. Additionally, marketing and other business professionals that maintain social media sites for organizations can have those accounts compromised.

Detection

Be on the look out and report any suspicious account activity including strange emails/posts and wrong password errors.

Prevention

Hospitals (and all organizations) should take the following steps to evaluate the potential risk (to the organization, patients and employees), and develop risk mitigation strategies:

• Evaluate business processes where privacy or security could be compromised (e.g. use of social media, patient & employee communication, etc.).
• Educate employees and patients and instruct them to report any suspicious activity (see detection above).
• Limit the use of wireless hot spots.
• Ensure the web address you are accessing begins with “https” and has a closed lock indicating a secure connection.

Note: This is a revision to the original post made in October 2010 (when Firesheep was first made available to the public).

In 2010, so far 169 data breaches have been reported, causing nearly 3.5 million people to be affected. Because it is January and most organizations take at least a month or longer to report to the HHS, we expect more notifications to be reported.

Here are some other interesting statistics.

Top 5 Largest Breaches:

1. South Shore Hospital, MA – 800,000 people
2. Puerto Rico Department of Health, PR – 400,000 people
3. Triple-S Salud, Inc., PR – 398,000 people
4. Keystone/AmeriHealth Mercy Health Plans, PA – 285,691 people
5. Emergency Healthcare Physicians, Ltd., IL – 180,111 people

Top 5 Breach Types:

1. Theft – 78
2. Loss - 30
3. Unauthorized Access/Disclosure – 27
4. Improper Disposal – 11
5. Hacking/IT Incident – 7

Theft was overwhelmingly the largest cause of a breach. It would be useful to know whether these are insider thefts or other types (laptops left in cars for instance).

Top 5 Breach Locations:

1. Laptop – 40
2. Paper Records – 38
3. Desktop Computer – 21
4. Portable Electronic Device, Other – 16
5. Network Server – 15

Because the top location of breached data was held on laptops, we can speculate theft was involved. However, desktop computers and network servers lead us to believe either insider attacks or hacking causes a large percentage of breaches.

While the issues we have highlighted are certainly not indicative of all organizations, the breach data can help us learn where others are struggling.  We can ask questions about our own security in reference to the problems others are having.  This may help us discover blind spots, and determine where to focus resources to secure our assets.

As most of us in the information security profession know, managing risk is not a simple or straight forward task. There are many moving parts and

(click on image to enlarge)

dynamics within a security program that must be accounted for and addressed, even within relatively small organizations and organizations with a strong security culture. The never ending technical and human issues require constant attention by people in all areas, and at all levels of the organization.

The HealthGuard Functional Risk Management Model for Information Security (referred to as the Model) is intended to help organizations get a clear understanding of the key interactions and interdependencies that should exist within their information security risk management program. It should be adapted to reflect your organizational structure and terminology. One word of caution: when customizing the model for use in your organization, use care when deleting/eliminating any of the elements, or functional areas. We have taken care not to add any “fluff” or extra pieces to this puzzle. All the pieces you see are real and they belong there.

Multi-Purpose

The Model should be used by multiple levels in your organization as a discussion starter and visual aid that will help get stakeholders on the same page.

Executives and board committee members – the Model provides a governance tool that produces a 30,000 foot view of the interworkings of the organization’s information security risk management program.

CIOs – the Model provides a management tool to help CIOs explain the vision or “big picture” of the risk management program to staff and internal-business partners.

Security Managers – the Model can help drive conversation(s) with senior management and other functional areas in the organization. It can also serve as an assessment/inventory tool to help identify areas that need attention.

Communication

The Model indicates areas where there should be open lines of communication and collaboration between departments and operational areas  (e.g. risk management, information security, IT, compliance, etc). In organizations where departmental “silos” exist, this will likely take time and conscious effort by individuals, as well as continuous “care and feeding” by the organization’s leadership.

Thought Starters

Here are a few questions executives and organizational leaders should consider:

• Do our leaders and managers have adequate visibility into the organization’s information security related risk?
• Do our leaders and managers have the risk related information necessary to make well informed decisions?
• Are our information security policies and related controls aligned with the business requirements, priorities and risk tolerance level?

What the Model is Not

The Model is not intended to replace other risk management methodologies or frameworks that you may be using. It is only intended to provide another perspective for those tools, thereby augmenting them.

Future

In future posts, we will be discussing specific and practical applications of the Model as well as the functional areas and elements within the Model. Until then, feel free to take and use the Model (see license information below) within your organization. I also welcome comments and feedback on the Model, as we will be continuously refining and improving it based on real-world learnings.

Download a PDF version of the diagram here.

HealthGuard Functional Risk Management Model for Information Security by Apolonio R. Garcia III is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License. If you would like permission to modify/customize the model for your organization, email your request to author Apolonio Garcia (agarcia@hgitsecurity.com).

By itself, this exploit is not dangerous as it can only escalate privileges on a local machine, however if paired with another virus it can gain be used to gain kernel level privileges and compromise an entire system.  Currently, this exploit has not been seen in the wild, although it would be simple to implement by an attacker.

External References:

• http://isc.sans.edu/diary.html?storyid=9988&rss
• http://www.prevx.com/blog/160/New-Windows-day-exploit-speaks-chinese.html

These arrests and the possible dismantling of a cybercrime network are encouraging and should be counted as a win. And they are.  However, the Zeus threat has not been erased.  A Zeus development kit is sold on underground forums with a graphical, user-friendly interface which reduces the technical “know-how” required to create a new Zeus Trojan.

Zeus, and variants of it, will likely be around for a while.  What risks, if any, does malware present to a medical facility and from where?  Here are a couple of areas that are sometimes overlooked when reviewing malware mitigation.

VPN Users. When users connect through a VPN, they become part of that network and they have access to resources…and so does their malware.  A hospital should examine their policies, procedures and the controls put in place to govern VPN user access.  For example, the VPN procedures should stipulate the minimum requirements a home PC / laptop must meet before access is granted.  At a minimum, this should include AV with current definitions.  In addition to written procedures, technical safeguards can be put in place to limit exposure, such as the use of a NAC to quarantine, scan and approve the system before it is granted access to network resources.

Vendor Owned Equipment. With strict guidelines placed on medical equipment in departments like Radiology and Pharmacy it’s difficult, if not impossible, to keep these systems updated with AV and security patches.  At times, changes to the systems must follow the change control procedures of an outside vendor or even the FDA.  However, malware can spread like wildfire on these systems and loss of availability could lead to ER departments going into diversion.  Of course, written policy and procedure play a part here, too.  Employees should not be permitted to use these systems for normal business use (email, web browsing, etc.).  As for controls, if possible, we like to see these systems in a separate VLAN limiting the communication between these systems and rest of the network.

For many of us, this is a security common sense review.  But we cannot become complacent when we begin to see that large botnets are being destroyed.  Malware is more like fighing the Hydra…cut off one head and 3 more grow back.

-dsw

I want to discuss the difference between Nessus “risk severities” and our meaning of risk at HealthGuard.  Nessus “risk severities” are based on CVSS, which is a classification system for the exploitability of software vulnerabilities and exposures.  That is, it only provides information on how easily a vulnerability can be exploited by an attacker, given the opportunity, and what the vulnerability allows an attacker to do with the specific system.  This does not provide any measurement for the probability of a successful attack and the associated monetary loss from the attack.  Vulnerability ratings based on a Critical to Low scale are qualitative measurements.  To make clear decisions on true vulnerability risk, we must convert these ratings into quantitative measurements.

This is also not to say the Nessus ratings are useless.  They provide a great indicator of the types of patches missing on specific systems, as well as the services running and other informational items.  This is good from a network visibility standpoint.  It also helps provide a general baseline for how well an organization maintains its individual systems.

As an aside, the problem with the term “risk” is a difference in semantics, but it does highlight a common problem in the IT security industry.  In this case, Nessus speaks of “risk” as a qualitative measurement, while we refer to “risk” as a quantitative measurement.  As an industry, we do not have common and widely accepted definitions for even simple terms like “risk”.  However, many industry leaders are beginning to recognize this and push for a high degree of consistency.

1. Cyber security tips for both technical and non-technical users (you can also subscribe to their free newsletter to get updates in your inbox): http://www.us-cert.gov/cas/tips/
2. Tips on protecting your home and family (tips for everything from securing your home network to recovering from identity theft): http://www.staysafeonline.org/in-the-home
3. Check the security of your web browser (very important, as many attacks target weaknesses in your browser and its plug-ins): https://browsercheck.qualys.com/
4. Free Parental Control software (this helps keep your family from inappropriate web sites): http://www.k9webprotection.com
5. Free Antivirus software (from Microsoft): http://www.microsoft.com/security_essentials/

Here is a late addition to the list…consider it a bonus 6th resource: http://onlinefamily.norton.com. This is another free parental control application that was just released by Norton (Symantec). I suggest you watch the “want to see it in action” video to get an idea of what it can do.

If you have any other free tools or resources that you think would benefit parents and home users, please share them in the comments.

NCSAM is a public campaign aimed at increasing the visibility of cyber initiatives and to open a dialog regarding the importance of personal and shared responsibility.  This year’s theme reinforces cyber safety as more than corporate policies, law enforcement and government regulations.  It is an individual effort that requires diligence with regard to our presence on the Internet.  As technology and innovation continues to develop, our exposure expands.  In order to protect our companies, families, and ourselves, it is important to understand the scope of cyber connections within our environment.

Cyber security is concerned with the following:

• Virus, malware infections
• Passwords and general internet use
• Identify theft (financial, medical, work, legal)
• Corporate private data
• Personal health information
• Cyber-bullying
• Mobile devices security (phones, ipads, DSi, PSP, etc.)
• Online predators
• Social networking

StaySafeOnline.org has provided resources regarding what individuals can do to guard themselves and bring awareness to those around them.

For more information on National Cyber Security Awareness Month and to find out about local events visit www.staysafeonline.org/ncsam.