
Keith E. Anderson, Sr. - Cryptography Implementation Plan

VERSION 1.1

FEBRUARY 22, 2020

CRYPTOGRAPHY IMPLEMENTATION PLAN…PROTECTING OUR PRIVACY AND ASSETS


Confidential

CRYPTOGRAPHY IMPLEMENTATION PLAN

PLAN OVERVIEW

Name of Plan: Cryptography Implementation Plan

Plan Designer: Keith E. Anderson, Sr.

EXECUTIVE SUMMARY

As we move forward in our efforts to provide the best experience for our customers, providers, and user community, the natural progression toward increasing collaboration and efficiencies throughout the organization has necessitated increasing our digital presence in several spaces, with more reliance on exchanging data over the public Internet being the most prominent.

With this increased exchange of data and resources over the Internet, we’re facing a corresponding need to provide the appropriate level of due diligence and due care in protecting this information for our internal and external stakeholders.

To ensure we’re able to assure the confidentiality, integrity, and authentication of data flowing between our end-user community, customers, providers, and locations across our enterprise, we’ve assembled a comprehensive set of recommendations based on standards and guidelines from the National Institute of Standards and Technology (NIST). When properly implemented, these guidelines, along with second-line-of-defense validation of controls and implemented remediation efforts, will position our organization to provide the assurances of information security and privacy reflective of our accepted level of risk, based on the classification of the data being protected.

WHAT WE ARE PROTECTING

OUR MOST IMPORTANT ASSETS (CROWN JEWELS)

1. People
2. Patient Health Information (PHI)
3. Personally Identifiable Information (PII)
4. Classified organizational information (institutional knowledge)

LAWS/REGULATIONS/COMPLIANCE/CERTIFICATION REQUIREMENTS WITHIN SCOPE

1. Health Insurance Portability and Accountability Act (HIPAA)
2. Health Information Technology for Economic and Clinical Health Act (HITECH)
3. Health Information Trust Alliance (HITRUST) Certification
4. Payment Card Industry – Data Security Standard (PCI-DSS)
5. General Data Protection Regulation (GDPR)
6. California Consumer Protection Act (CCPA)

February 22, 2020 Cryptography Implementation plan 1


INTERNAL INFORMATION SECURITY POLICIES (TO INCLUDE ASSOCIATED STANDARDS) WITHIN SCOPE

1. Asset Identification and Classification
2. Asset Protection
3. Asset Management
4. Acceptable Use
5. Vulnerability Assessment and Management
6. Threat Assessment and Monitoring
7. Security Awareness

WHO ARE OUR ADVERSARIES, HOW CAN WE BE ATTACKED, AND HOW DO WE PROTECT OURSELVES?

INTERNAL THREATS

1. Compromised user(s) (unknowing/unintentional)
2. Disgruntled employee(s) (knowing/intentional)

EXTERNAL THREATS

1. Disgruntled ex-employee(s)
2. State-sponsored/organized crime hackers
3. Lone-wolf hackers and script-kiddies

To effectively deploy a secure cryptography plan, we must account for the entirety of our technology ecosystem and overall attack surface. The Cyber Threat Mitigation Map above represents the existing threat vectors through which bad actors can exploit vulnerabilities in our systems to gain access to our environment, as well as how we currently mitigate those risks with a defense-in-depth approach.


Understanding the tactics, techniques, and procedures (TTPs) of bad actors, as well as the various indicators of compromise (IOCs) they leave behind, can be leveraged to identify and create intelligence-driven computer network defenses that work in tandem with our cryptography system in providing the highest levels of information security assurance possible.

ATTACK METHODS OF CONCERN

1. Password attacks
2. Social engineering (phishing, spear phishing, accessing unlocked consoles, etc.)
3. Denial of Service
4. Man-in-the-middle attacks (we recently saw Microsoft’s cryptographic vulnerability, CVE-2020-0601)
5. Wi-Fi eavesdropping
6. Email hijacking
7. Replay attacks

INTEGRATING CRYPTOGRAPHY

A HOLISTIC APPROACH TOWARD CRYPTOGRAPHY INTEGRATION

The image below is a graphical representation of our extended enterprise network. Throughout the ecosystem, there are significant opportunities for the theft of information residing on assets (data at rest), as well as data moving from one location to another (data in transit).

Based on the classification of this data, the technology in use, and the means of communication, we’ve determined the appropriate measures necessary for sufficient data protection.


CRYPTOGRAPHY OPPORTUNITIES

Below is a table indicating the resources, recommended cryptography, and key length to ensure we’re in alignment with the latest recommendations from NIST:

Resource/Asset | Recommended Cryptography | NIST Guideline
Data at rest (confidentiality) | Cipher algorithm = AES; Block cipher mode = CBC w/Random IV; Key size = 256-bit | NIST 800-111
Data in transit (confidentiality) | Cipher algorithm = AES; Block cipher mode = CBC w/Random IV; Key size = 128-bit | NIST 800-52
Remote workers’ laptops (full-disk encryption: confidentiality/integrity) | Cipher algorithm = AES; Block cipher mode = CBC w/Random IV; Key size = 256-bit | NIST 800-111
Remote workers’ laptops (IPsec tunnel: confidentiality) | Cipher algorithm = AES; Block cipher mode = CBC w/Random IV; Key size = 256-bit | NIST 800-77
Wireless access | Authentication = EAP-TLS (802.11 authentication with an Active Directory-integrated resource); Cipher algorithm = AES; Block cipher mode = CCMP (RSN) with Random IV; Key size = 128-bit | NIST 800-97
Key management | Keys will be centrally stored in a secured location within the network infrastructure | NIST 800-21
Email (confidentiality/authenticity) | Encryption = AES 128-bit; Authentication & Digest = RSA 2048-bit and SHA-256 | NIST 800-45

PUBLIC VS. PRIVATE KEYS

Because of the efficiency and relative strength of a properly built cipher using the AES 256-bit algorithm (a symmetric, i.e. private, key), it is our recommendation that it be used to protect data in transit over a public and/or private medium. To facilitate the proper (and secure) exchange of this newly generated key each time a session is built, we’ll use the guidelines below:

Off-site backup (#4) <-> Corporate LAN (#10)
  o Backups occur over a point-to-point Layer-2 Ethernet Private Line, and since there’s no encryption offered by the provider, we are potentially exposing our data to traffic sniffing and/or wire-tapping. With that said, we will establish a gateway-to-gateway VPN with the following NIST-approved recommendations:


    Key Exchange = Internet Key Exchange (IKE) protocol; Diffie-Hellman (DH) group 2 (1024-bit MODP)
    Cipher algorithm = AES; Block cipher mode = CBC with Random IV; Key size = 128-bit

Remote Workers (#3) <-> VPN Gateway (#7)
  o To protect organizational and remote worker privacy from eavesdropping and replay attacks, we will ensure secured key exchange and session protection by implementing the following NIST-approved recommendations:

    Key Exchange = Internet Key Exchange (IKE) protocol; Diffie-Hellman (DH) group 2 (1024-bit MODP)
    Cipher algorithm = AES; Block cipher mode = CBC with Random IV; Key size = 128-bit

Customers (#1) <-> Web Servers (#6)
  o As part of the TLS 1.2 implementation, we will protect the confidentiality and integrity of the data going between our customers and the web servers with a symmetric key. To protect the key from being stolen and, potentially, exposing our customers to eavesdropping, replay, and/or man-in-the-middle attacks, we will ensure the symmetric key has been delivered and negotiated with the following NIST-approved recommendations:

    Key Exchange = Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
    Asymmetric algorithm for the authentication key = RSA
    Cipher algorithm = AES 256-bit; Block cipher mode = CBC with Random IV

Providers (#2) <-> Web Servers (#6)
  o As part of the TLS 1.2 implementation, we will protect the confidentiality and integrity of the data going between our providers and the web servers with a symmetric key. To protect the key from being stolen and, potentially, exposing our providers to eavesdropping, replay, and/or man-in-the-middle attacks, we will ensure the symmetric key has been delivered and negotiated with the following NIST-approved recommendations:

    Key Exchange = Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
    Asymmetric algorithm for the authentication key = RSA
    Cipher algorithm = AES 256-bit; Block cipher mode = CBC with Random IV
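The suites above, and the rows of the Cryptography Opportunities table, can be checked rather than asserted. The following is an added example, not part of the plan: a stdlib-only Python audit that gives each component its security strength per NIST SP 800-57 Part 1 (Table 2), rates a suite by its weakest component, and flags anything under the 112-bit floor that SP 800-131A sets for new key agreement and signature generation, which catches the 1024-bit MODP group (80-bit strength) proposed for both IPsec tunnels. The SUITES entries are transcribed from the plan; None marks a size the plan does not state (the ECDHE curve and the TLS RSA key length).

```python
"""Added security-strength audit of the cipher suites proposed in the plan.
Component strengths follow NIST SP 800-57 Part 1 (Table 2); a suite is as strong
as its weakest component, and SP 800-131A disallows components below 112 bits
for new key agreement and signature generation."""

MINIMUM_STRENGTH = 112  # bits

# (family, size in bits) per suite, transcribed from the plan; None = size not stated.
SUITES = {
    "Off-site backup <-> Corporate LAN (IKE/IPsec)": [("FFC", 1024), ("AES", 128)],
    "Remote workers <-> VPN gateway (IKE/IPsec)":    [("FFC", 1024), ("AES", 128)],
    "Customers/Providers <-> Web servers (TLS 1.2)": [("ECC", None), ("RSA", None), ("AES", 256)],
    "Email":                                         [("AES", 128), ("RSA", 2048), ("SHA2", 256)],
    "Data at rest / full-disk encryption":           [("AES", 256)],
}
# (minimum parameter size, security strength) rows from SP 800-57 Part 1, Table 2.
FFC_RSA_TABLE = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
ECC_TABLE = [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)]

def component_strength(family, bits):
    """Security strength in bits of one component; None if its size is unspecified."""
    if bits is None:
        return None
    if family == "AES":                 # symmetric cipher: strength equals key size
        return bits
    if family in ("RSA", "FFC"):        # RSA and finite-field (MODP) Diffie-Hellman
        return max((s for size, s in FFC_RSA_TABLE if bits >= size), default=0)
    if family == "ECC":                 # elliptic-curve Diffie-Hellman / ECDSA
        return max((s for size, s in ECC_TABLE if bits >= size), default=0)
    if family == "SHA2":                # collision resistance is half the digest length
        return bits // 2
    raise ValueError(f"unknown algorithm family: {family}")

def evaluate_suite(components):
    """Return (effective_strength, weak_components, unspecified_families)."""
    strengths, weak, unspecified = [], [], []
    for family, bits in components:
        s = component_strength(family, bits)
        if s is None:
            unspecified.append(family)
            continue
        strengths.append(s)
        if s < MINIMUM_STRENGTH:
            weak.append((family, bits, s))
    return (min(strengths) if strengths else None, weak, unspecified)

def audit(suites=SUITES):
    return {name: evaluate_suite(parts) for name, parts in suites.items()}

if __name__ == "__main__":
    for name, (effective, weak, unspecified) in audit().items():
        print(f"{'WEAK' if weak else 'ok':4} {effective}-bit  {name}  unspecified={unspecified}")
        for family, bits, s in weak:
            print(f"     {family} {bits}-bit gives only {s}-bit security")
```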

PUBLIC KEY INFRASTRUCTURE

For those entities relying solely on services behind the corporate firewall, contained within a closed tunnel (e.g. file encryption on a personal or shared resource, VPN), and/or internal Key Management services, we’ll use an internal public key infrastructure (PKI). For those services requiring public validation and assurances of identity (e.g. public-facing web services, email), we’ll leverage a public PKI solution with DigiCert, a root Certificate Authority (CA) that has a strong reputation for quality and can provide assurances to the extent sufficient for the agreements (acknowledgements) with our stakeholders.


All private keys and certificates issued will have a two-year lifecycle, at which point renewal will be required. Distribution will be via email notification to the assigned subject, with corresponding portal pickup.

From an administrative standpoint, keys will be centrally stored in a secured location within the network infrastructure (per NIST 800-21 guidelines, as mentioned earlier). Should an issue arise with a given key/certificate, the owner will notify the team managing the PKI, who will, in turn, revoke and redistribute. Similarly, for entities rolling off, their corresponding certificate(s) will be revoked upon notification.

IDENTIFYING SECURITY CONTROLS COMPLEMENTING CRYPTOGRAPHY

With so many layers of security and complexity existing within our enterprise network, there are many opportunities for penetration by any one of the threat actors mentioned earlier (and others). The challenge for the security team is ensuring all of these (potentially) vulnerable areas are as well defended as their value to the organization would dictate.

The solutions that follow are in place to provide further assurances to our stakeholders of the security of their information, as well as the reliability of the encrypted information passing through our systems:

A Key Distribution Center (Kerberos) implementation exists within the internal network proper and offers authentication and authorization servers for all users of the internal primehealth.org domain.

Identity and Access Management allows for the centralized management of user access, authentication, and authorization for those users external to the corporate domain (i.e. customers and providers). This technical control, in conjunction with the appropriate administrative controls and security policy, will help ensure access is granted and revoked appropriately (and in a timely manner), and that the company follows a policy of providing access with the least privilege necessary.

An email security and archiving solution provides confidentiality (where required, via encryption), integrity (where required, via authentication/authenticity), and availability in the event of a system failure or a failure of the controls protecting the system. In addition, features like malicious link/attachment detection and anti-spoofing provide an added layer of protection to the end user.

The network-based Intrusion Prevention System (IPS) and the Security Information and Event Management (SIEM) system have behavioral analytics and monitoring that complement each other, and work in tandem with host-based intrusion prevention systems (e.g. Symantec, Kaspersky) and our stateful firewalls near the perimeter. The SIEM also serves as a collector of logs from all available devices and is responsible for our event correlation, monitoring, and alerting.

Leveraging our Asset Identification and Classification Policy as the source for prescribing the protection level of data and information, the Data Loss Prevention system ensures the appropriate technical controls are in place to enforce the protection of organizational assets.

The Web Content Filtering solution aligns with our Acceptable Use Policy and ensures users are visiting approved site categories, as well as staying away from known malicious sites.

Our Enterprise Patch Management solution, in alignment with our Vulnerability Assessment and Management Policy, ensures all company assets are kept up to date, protecting systems from known vulnerabilities and attacks.


Our Endpoint Detection and Response system will work in tandem with our SIEM and host-based intrusion prevention system to detect and correlate abnormal behavior on the enterprise network, facilitating quicker and more proactive response to events and incidents, as well as automation of responses to abnormal behavior coming from endpoints in the environment.

The organizational Cyber Resilience program will ensure the organization’s ability to quickly recover from failures of security controls that result in the (potential) loss of confidentiality, integrity, or availability (CIA) of organizational assets related to information security and/or privacy.

CONCLUSION

To effectively mitigate and respond to risks and incidents, in particular, those targeting our most important assets mentioned earlier, we will employ a defense-in-depth security strategy that will facilitate the protection of all areas within our physical, cloud, and perimeter infrastructures (attack surface). These defensive mechanisms will work in concert to enable our Cyber Resilience program and provide our internal and external stakeholders with the appropriate level of information security assurances in protecting their information, while also enabling the growing need for more collaboration and improved process efficiencies.

One of the most important aspects of this holistic approach is the confidentiality, authentication, and integrity provided by the proposed cryptography solutions. With the amount of information now traversing the public Internet, ensuring that the data traversing our enterprise is protected by the highest standards recommended by NIST is not only key from an Information Security standpoint, it’s also key to an enterprise risk management framework focused on reducing overall organizational risk.


References

1. Scarfone, K., Souppaya, M., Sexton, M. (2007). Guide to Storage Encryption Technologies for End User Devices. Retrieved April 29, 2019 from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-111.pdf.

2. Barker, E., Barker, W., Lee, A. (2005). Guideline for Implementing Cryptography in the Federal Government. Retrieved April 29, 2019 from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-21e2.pdf.

3. Barker, E. (2005). Recommendation for Key Management. Retrieved April 29, 2019 from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf.

4. Frankel, S., Kent, K., Lewkowski, R., Orebaugh, A., Ritchey, R., Sharma, S. (2005). Guide to IPsec VPNs. Retrieved April 29, 2019 from https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-77.pdf.

5. Frankel, S., Eydt, B., Owens, L., Scarfone, K. (2007). Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. Retrieved April 29, 2019 from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-97.pdf.

6. McKay, K., Cooper, D. (2018). Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. Retrieved April 29, 2019 from https://csrc.nist.gov/CSRC/media/Publications/sp/800-52/rev-2/draft/documents/sp800-52r2-draft2.pdf.

7. Palmer, M. E., Robinson, C., Patilla, J., Moser, E. P. (2000). META Security Group Information Security Policy Framework: Best Practices for Security Policy in the Internet and e-Commerce Age. Retrieved October 2, 2019 from https://horseproject.wiki/images/1/18/Information-Security-Policy-Framework-Research-Report.pdf.

8. Tracy, M., Jansen, W., Scarfone, K., Butterfield, J. (2007). Guidelines on Electronic Mail Security. Retrieved April 29, 2019 from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-45ver2.pdf.
