Agenda
• Introduction
• Data Security and Compliancy
• Various Forms of Cyber Threats
• Infiltration Methods
• Ways to Detect Malicious Activity
• Prevention Practices
• The Ability to Recover
• Online Resources and Tools
• Q&A
Introduction
About me
• President, Innovative Business Technologies, Inc.
• Director of Technical Services, McKesson Information Solutions Homecare and Hospice
• Systems Engineer, B.T. Alex. Brown
• Systems Engineer, Millennium Inorganic Chemicals
Introduction
Why is this topic becoming so important?
• Cybercrime is a profitable business
• Security breaches are often intentional criminal acts, not accidents
• Malicious software is becoming more advanced
Data Security and Compliancy
What does a breach cost?
IBM's Data Breach Cost Calculator (https://www.ibm.com/security/data-breach/)
• $11m: average cost of a data breach for a US-based healthcare organization
• Global average cost of a data breach (2017 report) = $3.62 million
  • Healthcare: $8.04 million, roughly 2.2 times the global average
Ponemon Cost of Data Breach Study
• 2016
  • $158 per record
  • $355 per record for healthcare organizations, roughly 2.2 times the all-industry figure
• 2017
  • $141 per record (an 11% decrease from 2016)
  • $316 per record for healthcare, *estimated by applying the same 11% decrease to the 2016 figure
Data Security and Compliancy
Why is this important to healthcare providers?
Based on data from HHS and OCR Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
2017 projection based on first 6 months of data
[Chart: Breaches Reported Affecting 500 or More Individuals, by year 2010-2017 (y-axis 0-400)]
[Chart: Breach Type = Hacking, by year 2010-2017 (y-axis 0-140)]
Data Security and Compliancy
CMS: Emergency Preparedness
• Any event that adversely affects access to, or the ability to deliver, healthcare services
Risk Assessment
• Identify areas that must be monitored
• Develop risk mitigation strategies
• Understand the probabilities of an occurrence
• Business impact
Incident Response
• Policy defined
• Breach response plan
Data Security and Compliancy
Data Vulnerability - A Real World Example
• The field staff laptop with full disk encryption
  • Data at rest
  • To encrypt or not to encrypt?
• Let's use ransomware as an example
  • Is it a breach?
  • What are the OCR guidelines? (The HHS ransomware fact sheet listed in the resources treats ransomware encrypting ePHI as a presumed breach unless a risk assessment shows a low probability that the data was compromised.)
Does Compliancy = Security?
Various Forms of Cyber Threats
Malware
• A general term, short for "malicious software"
• Intentions vary
Spoofing
• Pretending to be something (or someone) it's not
• IP, ARP, DNS, email
Bot
• Software that automates a process
• A network of bots, called a botnet, can be coordinated to issue distributed attacks
[Figure: Bot Traffic Report 2016] Igal Zeifman, Imperva Incapsula; Bot Traffic Report 2016, January 24, 2017, https://www.incapsula.com/blog/bot-traffic-report-2016.html
Various Forms of Cyber Threats
Common types of malware attacks
Computer Virus
• Code that attaches itself to a host file and spreads when that file is run or shared
Worm
• Does not require an infected host file or user interaction to spread
Trojan Horse
• Remember how the Greeks took Troy: looks legitimate, carries a malicious payload
Various Forms of Cyber Threats
Common types of malware attacks – cont.
Rootkits
• Uses elevated access and attempts to run undetected
Zero Day Attack
• Exploit of a software vulnerability before there's a patch
Ransomware
• Encrypts data to prevent access and demands payment for the key to unlock it
Various Forms of Cyber Threats
Network based attacks
Denial of Service (DoS)
• Flood of traffic to disrupt a service or make it inaccessible
• SYN Flood Attack
  • Normal handshake: SYN, SYN-ACK, ACK; the server holds a half-open connection until the final ACK arrives
  • Flood: the attacker sends SYNs (often from spoofed sources) and never completes the handshake, filling the server's connection table so legitimate clients cannot connect
[Figure: Tcp_normal.png] Dake, derivative work: Hazmat2 (talk), derived from Tcp normal.png, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=18126366, https://en.wikipedia.org/wiki/SYN_flood
[Figure: Tcp_synflood.png] CC BY-SA 2.5, https://commons.wikimedia.org/w/index.php?curid=810830, https://en.wikipedia.org/wiki/SYN_flood
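The slides describe the SYN flood; the following is an added example (not part of the presentation) of how a server-side check would recognize one from its own socket table. The input is a constructed sample in the format `ss -tan` prints on Linux, and the thresholds are illustrative:

```python
"""Spot a SYN flood from TCP socket-state records (the shape `ss -tan` prints).

Added example, not from the presentation. A host under a SYN flood accumulates
sockets stuck in SYN-RECV (half-open: SYN seen, SYN-ACK sent, final ACK never
arrives). Counting those per peer address shows both a single noisy source and
the spoofed-source pattern of many addresses with a few half-opens each.
"""
from collections import Counter

# Constructed sample in the format of `ss -tan`; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      10.0.0.5:443        198.51.100.23:50112
ESTAB      0      0      10.0.0.5:443        198.51.100.40:41870
SYN-RECV   0      0      10.0.0.5:443        203.0.113.7:51234
SYN-RECV   0      0      10.0.0.5:443        203.0.113.7:51235
SYN-RECV   0      0      10.0.0.5:443        203.0.113.7:51236
SYN-RECV   0      0      10.0.0.5:443        203.0.113.8:40001
SYN-RECV   0      0      10.0.0.5:443        203.0.113.9:40002
SYN-RECV   0      0      10.0.0.5:443        203.0.113.10:40003
SYN-RECV   0      0      10.0.0.5:443        203.0.113.11:40004
SYN-RECV   0      0      10.0.0.5:443        203.0.113.12:40005
LISTEN     0      128    0.0.0.0:443         0.0.0.0:*
"""


def parse_ss(text):
    """Yield (state, peer_ip) for each socket line; the header row is skipped."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, peer = parts[0], parts[4]
        peer_ip, _port = peer.rsplit(":", 1)   # rsplit keeps IPv6 literals intact
        yield state, peer_ip


def syn_flood_indicators(text, per_source_limit=3, half_open_ratio=2.0):
    """Summarise half-open pressure. `suspected_flood` is set when half-open
    sockets outnumber established ones by `half_open_ratio` (thresholds are
    illustrative; tune them against your own baseline)."""
    half_open = Counter()
    established = 0
    for state, peer_ip in parse_ss(text):
        if state == "SYN-RECV":
            half_open[peer_ip] += 1
        elif state == "ESTAB":
            established += 1
    total_half_open = sum(half_open.values())
    return {
        "total_half_open": total_half_open,
        "established": established,
        # one address holding many half-opens: a single, unspoofed flooder
        "noisy_sources": sorted(ip for ip, n in half_open.items() if n >= per_source_limit),
        # many addresses with a few half-opens each: randomised spoofed sources
        "distinct_sources": len(half_open),
        "suspected_flood": total_half_open >= half_open_ratio * max(established, 1),
    }


if __name__ == "__main__":
    for key, value in syn_flood_indicators(SAMPLE_SS_OUTPUT).items():
        print(f"{key}: {value}")
```

On Linux the usual mitigation is SYN cookies (`net.ipv4.tcp_syncookies = 1`), which lets the kernel stop keeping state for half-open connections once its backlog fills; the check above is still useful to know that it happened.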
Various Forms of Cyber Threats
Network based attacks
Denial of Service (DoS) – cont.
• ICMP (PING) Flood Attack
  • Overload of ICMP echo requests sent without waiting for a reply
  • Smurf Attack: echo requests sent to a broadcast address with the victim's address spoofed as the source, so every host on the segment replies to the victim
  • Ping of Death (PoD): a malformed or oversized ICMP packet that crashes a vulnerable IP stack
Distributed Denial of Service (DDoS)
• The same flood sourced from many compromised hosts (a botnet) at once
Port Scanning
• Probing a host for open ports to find services worth attacking; often the reconnaissance step before an attack
Infiltration Methods
Social Engineering
• Any method that convinces a user to disclose information or take an action on the attacker's behalf
Phishing
• Spoofed email or some type of social engineering scheme
• Credential harvesting
Infiltration Methods
Internet of Things (IoT)
• Not just laptops, but anything that can connect
• October 2016 attack on Dyn, Inc. (DNS provider)
  • DDoS attack carried out by compromised cameras and DVRs
• Bluetooth devices
  • We now have terms like:
    • Bluesnarfing (stealing data from a device over Bluetooth)
    • Bluejacking (sending unsolicited messages to a device)
    • Bluebugging (taking control of a device)
Infiltration Methods
Once malware is within the boundaries of your network...
• It propagates within
• Often calls out to a malicious site (command-and-control), which is what outbound filtering and DNS logging can catch
Vendors
• Unmanaged devices
• Remote connectivity
Device Theft
Ways to Detect Malicious Activity
Look for symptoms
• User complaints
• Unexpected new add-ons within the browser
• Accounts being continuously locked out
• Frequent pop-ups
• Settings have changed unexpectedly
• Degraded computer performance
Ways to Detect Malicious Activity
Establish baselines and trends
• You must know your environment
• Internet bandwidth consumption
• Unexpected increase in disk storage usage
• Internal network performance issues
Ways to Detect Malicious Activity
Detection Systems
• IPS or IDS - What's the difference?
• Intrusion Prevention System (IPS)
  • Inline with the data flow
  • Blocks traffic based on rule sets of known threats
  • Sometimes combined within a firewall
  • UTM (Unified Threat Management) option
Ways to Detect Malicious Activity
Detection Systems – cont.
• Intrusion Detection System (IDS)
  • Sideline (out-of-band) device or software that observes network activity and alerts; unlike an IPS it does not block
• NIDS - network-based intrusion detection system
  • Appliance or dedicated server, typically Linux based
• HIDS - host-based intrusion detection system
  • Locally installed on the host
• Methods
  • Signature-based – matches known patterns
  • Anomaly-based – flags deviations from baseline patterns
  • Quiz – which of the two would be best for detecting a Zero Day attack?
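To make the signature vs. anomaly distinction (and the quiz) concrete, here is an added example that is not part of the presentation. It runs both methods over a few constructed web-server log lines: one line carries a known-bad pattern and a normal response size, another carries no known pattern at all but an abnormally large response. The baseline sizes and the two signatures are constructed for the example:

```python
"""Signature-based vs. anomaly-based detection over the same request log.

Added example, not from the presentation. The signature pass matches known-bad
patterns; the anomaly pass learns a baseline of response sizes and flags
outliers. The constructed log contains one attack each pass can see and the
other cannot.
"""
import re
import statistics

# Constructed web-server access lines: client, request, status, response bytes.
LOG_LINES = [
    '10.0.0.21 "GET /patients/list HTTP/1.1" 200 512',
    '10.0.0.22 "GET /login HTTP/1.1" 200 1201',
    '10.0.0.23 "GET /../../../../etc/passwd HTTP/1.1" 404 210',
    '10.0.0.24 "POST /api/export HTTP/1.1" 200 9480211',
]

# Constructed baseline: response sizes observed during a normal week.
BASELINE_SIZES = [480, 512, 530, 610, 720, 1150, 1201, 1300, 2048, 2500]

# Known-bad patterns; a real IDS ships thousands of these (e.g. Snort rules).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "windows-shell": re.compile(r"cmd\.exe|powershell", re.IGNORECASE),
}


def response_size(line):
    """The last field of the line is the response size in bytes."""
    return int(line.rsplit(" ", 1)[1])


def signature_scan(lines):
    """Return [(rule_name, line)] for lines matching a known pattern."""
    return [(name, line) for line in lines
            for name, rx in SIGNATURES.items() if rx.search(line)]


def anomaly_scan(lines, baseline_sizes, z_threshold=3.0):
    """Return lines whose response size is more than z_threshold standard
    deviations above the baseline mean. Needs no prior knowledge of the attack,
    which is why it can see something a signature set has never heard of."""
    mean = statistics.mean(baseline_sizes)
    stdev = statistics.pstdev(baseline_sizes) or 1.0  # avoid division by zero
    return [line for line in lines if (response_size(line) - mean) / stdev > z_threshold]


def detect(lines=LOG_LINES, baseline=BASELINE_SIZES):
    """Run both passes; each catches what the other misses."""
    return {"signature": signature_scan(lines), "anomaly": anomaly_scan(lines, baseline)}


if __name__ == "__main__":
    for method, hits in detect().items():
        print(method, hits)
```

The traversal attempt is caught only by the signature; the oversized export (a plausible data-exfiltration pattern) is caught only by the baseline. The price of the anomaly method is false positives whenever the baseline shifts legitimately, which is why the slide insists on knowing your environment first.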
Prevention Practices
First question: Who is susceptible?
Network design
• What are you allowing in? And to where? (SMTP, HTTP, HTTPS, FTP)
• What are you allowing out? And to where? (SMTP, NTP, DNS, HTTP, HTTPS, FTP)
• No "Any" rules: a rule with source any, destination any, service any permits everything and makes the rest of the policy meaningless
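As an added example (not part of the presentation), the following audits a firewall policy for the two problems the slide calls out: an "any" rule, and outbound traffic that is not one of the approved services. The rule table is constructed in a vendor-neutral shape; most firewalls export something similar as CSV, and the egress allowlist is the one on the slide:

```python
"""Audit a firewall policy for "any" rules and unapproved egress.

Added example, not from the presentation. The rule table below is constructed
in a vendor-neutral shape; the allowlist of outbound services follows the slide.
"""

# Constructed policy, evaluated top to bottom, first match wins.
RULES = [
    {"id": 1, "dir": "in",  "proto": "tcp", "src": "any",        "dst": "10.0.1.10", "dport": "443",    "action": "allow"},
    {"id": 2, "dir": "in",  "proto": "tcp", "src": "any",        "dst": "10.0.1.20", "dport": "25",     "action": "allow"},
    {"id": 3, "dir": "out", "proto": "udp", "src": "10.0.0.0/8", "dst": "10.0.1.53", "dport": "53",     "action": "allow"},
    {"id": 4, "dir": "out", "proto": "tcp", "src": "10.0.0.0/8", "dst": "any",       "dport": "80,443", "action": "allow"},
    {"id": 5, "dir": "out", "proto": "any", "src": "any",        "dst": "any",       "dport": "any",    "action": "allow"},
    {"id": 6, "dir": "in",  "proto": "any", "src": "any",        "dst": "any",       "dport": "any",    "action": "deny"},
    {"id": 7, "dir": "out", "proto": "tcp", "src": "10.0.0.0/8", "dst": "any",       "dport": "3389",   "action": "allow"},
]

# Services the business has decided may leave the network (per the slide).
ALLOWED_OUTBOUND = {"tcp": {"25", "80", "443", "21"}, "udp": {"53", "123"}}

# The same policy with the two offending rules removed and an explicit outbound default deny.
CLEAN_RULES = [r for r in RULES if r["id"] not in (5, 7)] + [
    {"id": 8, "dir": "out", "proto": "any", "src": "any", "dst": "any", "dport": "any", "action": "deny"},
]


def is_catch_all(rule):
    """True for a rule that matches every protocol, source, destination and port."""
    return rule["proto"] == "any" and all(rule[f] == "any" for f in ("src", "dst", "dport"))


def audit(rules, allowed_outbound=ALLOWED_OUTBOUND):
    """Return [(rule_id, finding)]; rule_id is None for policy-wide findings."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        if is_catch_all(rule):
            findings.append((rule["id"], f"any/any allow on {rule['dir']}bound traffic permits everything"))
            continue
        if rule["dir"] == "out":
            unexpected = set(rule["dport"].split(",")) - allowed_outbound.get(rule["proto"], set())
            if unexpected:
                ports = ",".join(sorted(unexpected))
                findings.append((rule["id"], f"egress to {rule['dst']} on {rule['proto']}/{ports} is not an approved service"))
    # A policy should end with an explicit deny in each direction, not rely on vendor defaults.
    for direction in ("in", "out"):
        if not any(r["dir"] == direction and r["action"] == "deny" and is_catch_all(r) for r in rules):
            findings.append((None, f"no final default-deny rule for {direction}bound traffic"))
    return findings


if __name__ == "__main__":
    for rule_id, text in audit(RULES):
        print(f"rule {rule_id}: {text}")
    print("clean policy findings:", audit(CLEAN_RULES))
```

Rule 7 (outbound RDP to anywhere) is the kind of entry that gets added for one vendor and never removed; it would also be shadowed by rule 5, which is a second reason the catch-all has to go. On iptables the equivalent of the missing default deny is `iptables -P OUTPUT DROP` with explicit accepts above it.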
Prevention Practices
Network design – cont.
• Your traffic cops: perimeter access gateways
  • Firewall
  • Email filter
  • Web filter/proxy server
Whether inbound or outbound, traffic should be very limited as to where it can go.
Prevention Practices
Network design – cont.
• Network shares
  • Open shares or use of weak passwords = vulnerable
  • Access controls
• Process for unmanaged devices
• Wi-Fi networks
  • Isolate guest networks
• Layered security
  • Different vendors/scanning engines
Prevention Practices
Stay Current
• Antivirus software: keep definitions current
• Operating system updates: Windows Updates
  • WannaCry hit in May 2017
  • Microsoft had released the patch (MS17-010) in March 2017; patched systems were not affected
• Most attacks target Windows, but Linux patches should be maintained as well. What about Mac?
Prevention Practices
Stay Current– cont.
• Appliance software maintenance and subscriptions
  • Mail gateways
    • RBLs (Reputation Block Lists)
    • Barracuda is good
    • Spamhaus and SpamCop are good as well; I have seen a few more false positives
  • Firewall
  • UTM
  • Perimeter devices
    • Snort rules (IPS)
• Data transmission methods
  • Windows XP (end of life since April 2014; no more security updates)
• Business operations software – EMR systems
  • Forever-day exploits: end-of-life software that has a known vulnerability, but the software vendor isn't going to patch it
Prevention Practices
User Education!
• Macros
  • Microsoft Office
  • When in doubt, say "NO"
  • Melissa, 1999: estimated cost of more than $1 billion
• Safe website browsing
  • Confirm that the website is authentic
  • Avoid cybersquatting (or typosquatting) domains: look-alike names one typo or character swap away from the real one
  • Look for the lock in the address bar before entering information
    • Even if it's https: no lock, no good (the browser could not validate the site's certificate)
    • The lock only means the connection to the name shown in the address bar is encrypted; a phishing site can have a valid certificate too, so check the name itself
• Bad email tips
  • Misspellings and grammar errors
  • Something just doesn't look right
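"Confirm that the website is authentic" is easier to automate than to teach. As an added example (not part of the presentation), this check classifies a URL's host against a short trusted list and catches the three common look-alike tricks: a trusted name buried as a subdomain of someone else's domain, homoglyph swaps (rn for m, 1 for l), and one- or two-character typos. The trusted list and homoglyph table are constructed, and the registrable-domain logic assumes one-label TLDs (no public-suffix list), which is an assumption of this example:

```python
"""Check whether a URL's host is a trusted site or a look-alike of one.

Added example, not from the presentation. Three tricks are covered: a trusted
name used as a subdomain of someone else's domain (hhs.gov.secure-login.example),
homoglyph swaps (rnicrosoft.com), and single-character typos. The trusted list
and homoglyph table are constructed; registrable() assumes one-label TLDs.
"""
from urllib.parse import urlparse

TRUSTED = {"ibusinesstech.com", "hhs.gov", "microsoft.com"}          # constructed list
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}  # small constructed sample


def registrable(host):
    """Last two labels; assumes simple TLDs (co.uk-style suffixes are not handled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalize(name):
    """Fold common look-alike character sequences to what they imitate."""
    for fake, real in HOMOGLYPHS.items():
        name = name.replace(fake, real)
    return name


def levenshtein(a, b):
    """Edit distance; one or two edits from a trusted name is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(url, trusted=TRUSTED):
    """Return ("trusted" | "lookalike" | "unknown", domain_or_imitated_name)."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable(host)
    if domain in trusted:
        return "trusted", domain
    for real in sorted(trusted):
        if real in host:                    # trusted name used as a subdomain of another domain
            return "lookalike", real
        if normalize(domain) == real or levenshtein(domain, real) <= 2:
            return "lookalike", real
    return "unknown", domain


if __name__ == "__main__":
    for url in ("https://www.hhs.gov/hipaa", "https://www.hhs.gov.secure-login.example/",
                "http://rnicrosoft.com/update", "https://ibusinestech.com", "https://example.org"):
        print(url, "->", assess(url))
```

A web filter or mail gateway can run exactly this logic against every link before the user sees it; for users, the rule of thumb the code encodes is to read the part of the name just before the last dot, not the beginning.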
Prevention Practices
User Education! – cont.
• Provide an easy, structured process for users to report suspicious activity
• One-off "drive-by" training sessions do not work
• Rinse, lather, repeat
  • End-user training must be relevant, current, and repeated
Prevention Practices
Environment TODOs
• Monitoring and alerting tools
  • Syslog server
  • Daily ritual: actually review what was collected
• IP block list
  • Handling packets: drop vs. reject (drop silently discards and the sender waits for a timeout; reject returns a TCP RST or ICMP unreachable, which fails faster for misconfigured internal clients but tells an outside scanner that a filter is there)
• Account management
  • Password policy
  • Multifactor authentication
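Multifactor authentication appears on the slide as a single line; as an added example (not part of the presentation), here is the server side of the most common second factor, a time-based one-time password (RFC 6238): enrolment secret, code generation, and verification with a small clock-skew window and a constant-time compare. The code is checked against the RFC's published reference vector, so nothing here is an assumption except the choice of a 30-second step and one step of tolerance:

```python
"""Time-based one-time passwords (RFC 6238) as the second factor.

Added example, not from the presentation. Shows the server side of TOTP:
enrolment secret, code generation and verification with a small clock-skew
window and a constant-time compare. Values are checked against the RFC 6238
reference vector (ASCII secret "12345678901234567890").
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def new_enrolment_secret(nbytes=20):
    """Random shared secret; the base32 form is what authenticator apps import."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode("ascii")


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time, window=1, step=30, digits=6):
    """Accept the current step and `window` steps either side (clock drift).
    compare_digest keeps the comparison constant-time. A production server must
    also refuse to accept the same code twice (replay) and rate-limit attempts."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), submitted)
        for c in range(counter - window, counter + window + 1)
    )


if __name__ == "__main__":
    raw, b32 = new_enrolment_secret()
    now = int(time.time())
    print("enrol this secret in the app:", b32)
    code = totp(raw, now)
    print("current code:", code, "verifies:", verify_totp(raw, code, now))
```

The shared secret is the whole security of the factor: store it encrypted, never log it, and treat the enrolment QR code like a password.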
Prevention Practices
Environment TODOs – cont.
• Look at your attack surface
  • The more software that is loaded, the more opportunities for vulnerabilities
• Fuzz testing
  • Should be part of a software vendor's development process
• Website design
  • reCAPTCHA key on forms: protect from bots
  • Move from HTTP to HTTPS
• Open source options
  • IDS/IPS
  • DNS sinkhole
    • Prevents calls to known malicious sites by answering their DNS lookups with a harmless internal address, and logs which hosts asked
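The DNS sinkhole bullet is worth seeing at the protocol level. The following added example (not part of the presentation) is a minimal sinkhole decision: parse the question section of a DNS query, match the name or any parent zone against a blocklist, and return a synthetic A answer pointing at an internal address, or None to mean "forward to the upstream resolver". The blocklist and the sinkhole address are constructed; a real deployment would load a threat feed and point blocked names at a host that logs every hit:

```python
"""A minimal DNS sinkhole: answer lookups of known-bad names with an internal address.

Added example, not from the presentation. The blocklist and the sinkhole
address are constructed; a real deployment would load a threat feed of domains
and point them at a host that logs every hit (the log is the detection value).
Only the question section is parsed and only A queries get a synthetic answer;
anything else returns None, meaning "forward to the upstream resolver".
"""
import socket
import struct

BLOCKLIST = {"malware-c2.example", "bad.example.net"}   # constructed feed
SINKHOLE_IP = "10.0.0.250"                               # assumed internal logging host
TYPE_A, CLASS_IN = 1, 1


def build_query(name, tid=0x1234, qtype=TYPE_A):
    """Encode a standard recursive query (used here to produce test input)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", tid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + qname + struct.pack(">HH", qtype, CLASS_IN)


def parse_question(msg):
    """Return (tid, qname, qtype, raw_question_bytes) from a query message."""
    tid, _flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not valid in a query name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack(">HH", msg[pos:pos + 4])
    pos += 4
    return tid, ".".join(labels).lower(), qtype, msg[12:pos]


def is_blocked(name, blocklist=BLOCKLIST):
    """Block the name itself and any subdomain of a listed zone."""
    parts = name.rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def sinkhole_response(query):
    """Return a response pointing a blocked A query at SINKHOLE_IP, or None to forward."""
    tid, name, qtype, question = parse_question(query)
    if not is_blocked(name):
        return None
    answers = []
    if qtype == TYPE_A:
        # name pointer to offset 12 (the question name), TTL 60s, 4-byte RDATA
        answers.append(b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, CLASS_IN, 60, 4)
                       + socket.inet_aton(SINKHOLE_IP))
    flags = 0x8180   # QR=1, RD=1, RA=1, RCODE=0; a blocked AAAA gets an empty NOERROR answer
    header = struct.pack(">HHHHHH", tid, flags, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)


if __name__ == "__main__":
    for host in ("www.malware-c2.example", "www.example.com"):
        resp = sinkhole_response(build_query(host))
        print(host, "->", "sinkholed" if resp else "forward upstream")
```

Wrapping `sinkhole_response` in a UDP socket on port 53 and forwarding the None cases upstream gives a working resolver; in practice the same behaviour comes from a resolver's built-in zone overrides (for example Unbound's `local-zone ... static` or a Pi-hole style blocklist). The sinkhole address should be a host you watch: an internal machine that suddenly resolves a C2 name is the infected one.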
The Ability to Recover
Let's talk about RTO and RPO
Your ability to restore and recover data determines how much damage an attack, ransomware in particular, can actually do to you.
• Recovery Time Objective (RTO)
  • The length of time a system or core application can be down or off-line
• Recovery Point Objective (RPO)
  • The amount of data, measured as a span of time, you can afford to lose
Having a clear understanding of your RTO and RPO business requirements is the primary guide to your data protection strategy.
The Ability to Recover
Backup Methods
• Local
  • The basic first step
  • This should be a well-oiled machine with notifications of success and failures
  • Why successes? If you only alert on failures, a job that never ran looks exactly like one that succeeded
  • Local backups may be susceptible to an internal attack like a worm, or ransomware that reaches the backup share
  • Encrypted backup (at rest)
  • SQL vs. files: databases need a consistent dump or snapshot, not a copy of the live data files
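The "why successes?" point and the RPO definition above go together, so here is one added example (not part of the presentation) covering both: a check over a constructed backup job log that alerts on explicit failures, on jobs whose newest good copy is older than their RPO plus a grace period, and on scheduled jobs that have never reported success at all. The log format, job names and RPO values are constructed for the example:

```python
"""Alert on backup failures and, just as important, on missing successes.

Added example, not from the presentation. Backup software usually mails on
failure, but a job that never started, or an agent that died, produces no
failure at all. This check parses a constructed job log and raises an alert
for (a) explicit failures, (b) jobs with no success inside their RPO plus a
grace period, and (c) jobs that have never reported success.
"""
import shlex
from datetime import datetime, timedelta

# Constructed job log (not from a real backup product).
BACKUP_LOG = """\
2017-06-09 02:04:51 job=sql-prod status=SUCCESS bytes=52428800
2017-06-09 03:10:02 job=fileshare status=SUCCESS bytes=734003200
2017-06-10 02:05:11 job=sql-prod status=FAILURE error="destination unreachable"
2017-06-10 03:09:48 job=fileshare status=SUCCESS bytes=735100928
"""

# Each job's RPO: how old the newest good copy is allowed to be.
JOB_RPO = {
    "sql-prod": timedelta(hours=24),
    "fileshare": timedelta(hours=24),
    "emr-archive": timedelta(hours=24),   # scheduled, but never appears in the log
}

# The moment the check runs in the example (constructed).
EXAMPLE_NOW = datetime(2017, 6, 10, 8, 0)


def parse_backup_log(text):
    """Yield (timestamp, fields) per line; shlex keeps quoted values whole."""
    for line in text.splitlines():
        if not line.strip():
            continue
        when = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        fields = dict(item.split("=", 1) for item in shlex.split(line[20:]))
        yield when, fields


def check_backups(text, now, job_rpo=JOB_RPO, grace=timedelta(hours=2)):
    """Return a list of alert strings; an empty list means every job is healthy."""
    last_success = {}
    alerts = []
    for when, f in parse_backup_log(text):
        if f["status"] == "SUCCESS":
            last_success[f["job"]] = max(when, last_success.get(f["job"], when))
        else:
            alerts.append(f"{f['job']}: {f['status']} at {when:%Y-%m-%d %H:%M} ({f.get('error', 'no detail')})")
    # Silence is not success: every scheduled job must show a recent good copy.
    for job, rpo in job_rpo.items():
        newest = last_success.get(job)
        if newest is None:
            alerts.append(f"{job}: no successful backup on record")
        elif now - newest > rpo + grace:
            alerts.append(f"{job}: newest good copy {newest:%Y-%m-%d %H:%M} is older than RPO {rpo} (silent failure?)")
    return alerts


if __name__ == "__main__":
    for alert in check_backups(BACKUP_LOG, EXAMPLE_NOW):
        print("ALERT", alert)
```

The third alert, for emr-archive, is the one a failure-only notification scheme never produces. Run this from a host other than the backup server itself, so that a dead backup server is what trips the check rather than what silences it.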
The Ability to Recover
Backup Methods – cont.
• Offsite cloud backup
  • Replacing offsite rotation
  • Dependent on internet connectivity
• Offsite rotation of local media
  • Protects from local (data center) isolated events
  • Offsite data is not susceptible to a newly introduced cyber attack, because it is offline
  • Delayed recovery due to the retrieval process
  • Older standard
The Ability to Recover
Failover / Disaster Recovery (DR)
• Hot Site
  • Available and ready within minutes of an event
  • Based on a real-time replication model
• Warm Site
  • Failover system available
  • Not immediately accessible to end-users
  • Requires updated data
• Which one? Depends on your RTO and RPO requirements
The Ability to Recover
Test, Test, Test
Two primary components:
• The failover/recovery system must meet your RTO requirements
  • RTO also deals with accessibility: users have to be able to access the system
  • This is often overlooked
• It must be functional in that the recovered data meets your RPO requirements
Don't wait for a crisis to test your ability to recover data.
Online Resources and Tools
hhs.gov
• FACT SHEET: Ransomware and HIPAA: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
• HIPAA for Professionals: https://www.hhs.gov/hipaa/for-professionals/index.html
• HHS ASPR Technical Resources, Assistance Center, and Information Exchange (TRACIE): https://asprtracie.hhs.gov/
SANS Institute
• Main: http://www.sans.org/
• Internet Storm Center: https://isc.sans.edu/
• Penetration Testing: https://pen-testing.sans.org/
NIST (National Institute of Standards and Technology)
• Computer Security Resource Center (CSRC): http://csrc.nist.gov/
• National Vulnerability Database: https://nvd.nist.gov/home
Computer Emergency Readiness Team (CERT)
• US-CERT: https://www.us-cert.gov/
• Carnegie Mellon University CERT/CC: http://www.cert.org/
Federal Trade Commission (FTC) Complaint Assistant: https://www.ftccomplaintassistant.gov/Information#crnt&panel1-1
Symantec Security Response: https://www.symantec.com/security_response/
Barracuda Reputation Block List (BRBL): http://barracudacentral.org/rbl
Snort - Open Source IPS: https://www.snort.org
No More Ransom Project: https://www.nomoreransom.org/
MS Security Scanner: https://www.microsoft.com/security/scanner/en-us/default.aspx
American Registry for Internet Numbers (ARIN): https://www.arin.net/
SSL Certificate Check: https://www.sslshopper.com/ssl-checker.html
SSL Website Check: https://www.ssllabs.com/ssltest/index.html
Symantec CryptoReport: https://cryptoreport.websecurity.symantec.com/checker/
Ricky Smith • President, Innovative Business Technologies, Inc.
877-402-9349 ext. 111
https://www.linkedin.com/in/ricky-smith-369a4431/
www.ibusinesstech.com
Security and Data Loss Prevention