Securing Your Network An overview of challenges and suggestions for mitigation

Upload: brendan-booth

Post on 12-Jan-2016


TRANSCRIPT

Securing Your Network

An overview of challenges and suggestions for mitigation

Staff from Visualutions

• Primary Presenter – Todd Smith, Director of Technology

• Associate Producer – Greg Benge, Director of Customer Service & Compliance Officer

• Supplemental Producer – Cam Hendricks, Director of Programming

Preface / Disclaimers

• Visualutions:

– Managed Services Provider (MSP) for medical practices, banks and other industries

– Cloud Service Provider for several medical practices

• Todd:

– A technology guy, not a salesman

– Does not know everything

A little more about Todd

• Started in network support at Baylor University in 1994

• 8 years in enterprise IT support for energy and healthcare verticals

• Came to Visualutions in 2005

• 10 years experience in surviving IT audits by the government ;-)

• Proud member of Infragard

Security

What does this mean to you?

Definitions of Secure

• Merriam-Webster – adjective se·cure \si-ˈkyu̇r\

: protected from danger or harm

: providing protection from danger or harm

: guarded so that no one can enter or leave without approval

1 a : archaic : unwisely free from fear or distrust : overconfident

b : easy in mind : confident

c : assured in opinion or expectation : having no doubt

2 a : free from danger

b : free from risk of loss

c : affording safety <a secure hideaway>

d : trustworthy, dependable <a secure foundation>

3 a : assured <a secure victory>

The Human Factor

Assumptions from IT & Management staff

– I’ll save money by using Open Source Solutions

– IT Services / Solutions can’t really cost that much?!

– Set it and forget it solutions

– My current network security is fine (Firewall + Antivirus)

– These policy templates I bought online will work just fine

And from the Users…

– Only the “business” needs security

– As long as I’m a good person/employee, I’m not a vulnerability

Who knows what?

Are 1 or 2 knowledgeable IT staff enough?

– Desktop guy offering network solutions

– Network guy offering server solutions

– Infrastructure guy offering web solutions

Subject matter experts can be worth their weight in gold.

Lingo

• Threat vs Risk vs Vulnerability

• Standard vs Guideline vs Policy

• Penetration Test vs Vulnerability Assessment

The Inside Job

• Employees are a big source of vulnerability

• Sometimes opening the door for baddies due to negligence:

– Social engineering

– Failure to do due diligence

• Sometimes malicious employees are the baddies

– Abuse of rights

– Impersonation

• How do we keep employees from opening our locked doors?

Inside Job Worries

Source: Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data -Independently conducted by Ponemon Institute LLC - Publication Date: May 2015

Inside Job Realities

Source: Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data -Independently conducted by Ponemon Institute LLC - Publication Date: May 2015

Phishing

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication – from Wikipedia

Phishing

• Minimal effort

• Imitating a well known public entity

– Government agency, UPS / FedEx delivery problems, Amazon account problems, Credit agency

• Huge nets cast far and wide

• Playing the numbers game

• Spoofed website links

Example of Phishing

Question…

What do your friends, family, colleagues and international hackers have in common?

Answer:

• They know what you did on vacation

• They know your kids' names

• They know your actions / activities

• They like you on Facebook, follow you on Twitter, Instagram, etc.

Social Media

• What are you posting?

• What is your company posting?

• What can a malicious actor learn?

It is all fun and games until someone loses PHI!

Spear Phishing

Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success. This technique is, by far, the most successful on the internet today, accounting for 91% of attacks. – from Wikipedia

Spear Phishing

• Greater effort

• Focused attack

• Real associations:

– Professional – Company, professional societies, etc.

– Personal – Religious affiliations, family members, vacation activities

• Greater results

• Spoofed website links
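A defender-side check for the spoofed website links named on the Phishing and Spear Phishing slides, added here as an example and not part of the original presentation: it parses an HTML email body and flags every anchor whose visible text names one host while the href actually points at another. The sample message and the example-lure.net domains are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the "UPS delivery problem" lure from the
# slides; the example-lure.net hosts are hypothetical.
SAMPLE_EMAIL_HTML = """
<p>Your package could not be delivered.</p>
<p>Track it here: <a href="http://ups-tracking.example-lure.net/x">https://www.ups.com/track</a></p>
<p>Questions? <a href="https://www.ups.com/help">Contact us</a></p>
<p>Or visit <a href="https://login.example-lure.net">www.ups.com</a></p>
"""

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host_of(text):
    """Host named by the visible text if it looks like a URL or domain, else None."""
    candidate = text if "://" in text else "http://" + text
    host = (urlparse(candidate).hostname or "").lower()
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else None

def find_spoofed_links(html):
    """Return (href, shown_text) pairs whose shown text names a different host than the href."""
    parser = _AnchorCollector()
    parser.feed(html)
    spoofed = []
    for href, shown in parser.anchors:
        shown_host = _host_of(shown)
        if shown_host is None:
            continue  # plain words such as "Contact us" cannot mismatch a host
        real_host = (urlparse(href).hostname or "").lower()
        # A subdomain of the shown host (track.ups.com vs ups.com) is not a spoof
        if shown_host != real_host and not real_host.endswith("." + shown_host):
            spoofed.append((href, shown))
    return spoofed
```

Run over a quarantined message body, the two flagged anchors are exactly the ones whose displayed ups.com text hides an example-lure.net destination; the genuine "Contact us" link is left alone.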

The Con Job

Malicious attackers can be bold enough to convince users to open the door over the phone

Con Job Example

Employee “A” receives a phone call from a marketing firm representative. The rep tells the employee that she needs to go to a website and verify that it is working. The helpful employee complies and a short time later calls the help desk because she can no longer open her files. One $1000 ransom payment later, her files were decrypted.

Failure of Due Diligence

The results of not following policies, procedures and common sense

– Leaving workstations unlocked

– Documenting passwords insecurely

– Installing unauthorized software

– Failure to harden servers, workstations and network equipment

Goals for the Bad Guys

• Personally Identifiable Information (PII)

– Account ID / PW

– Mother’s maiden name

– Birthdate

– Social Security Number

– Etc.

• Malware installation

What to do?

• Todd’s top o’ the list:

– Familiarize yourself with the security requirements of the various regulations (HIPAA, Meaningful Use, PCI, etc.)

– Education of employees and IT staff

– Change management

– Don’t be afraid to upset anyone to protect your network!

Regulatory Familiarity

• Audits will come…

• Surviving an audit requires knowing what is required for compliance

• Use regulations when talking to C-level

• Implement security based on the requirements as a starting point

Staff Education

• Ignorance is no excuse…

• Ensure employees are knowledgeable about security policies and procedures

• Who to call with questions, suspect activities and to report problems

• Knowledge of why IT is so rigid helps with understanding policies

IT Education

• IT staff are the first line of defense

• Detect and evaluate suspicious activities

• Ensure policies are followed

• Familiar with best practices

• Know how to triage and remediate threats

Change Management

• Changes introduce opportunities for vulnerabilities

• With any change, evaluate risks to productivity and security

• Plan to mitigate risks introduced by the change

• Ensure complete documentation – Auditors like documentation

Fight the Good Fight

• Users do not appreciate inconveniences

• Executive staff do not appreciate the high cost of security

• What is more intimidating?

– Job loss for one or two

– Job loss for everyone

The Technology Factor

Hardware / Software

Tools to help protect your network

• Firewall – Allow only required traffic in or out

• Intrusion Detection System / Intrusion Prevention System (IDS / IPS) – Actively monitor for and block malicious traffic

• Managed switches – Segregate traffic with VLANs & use port security

Tools cont’d.

• Web filter – Block access to malicious websites and data exfiltration sites like webmail and file sharing

• Drive encryption – Protection against lost / stolen PCs or hard drives when shipping data

• Data encryption

– Encrypt data at rest to protect against unauthorized on-network access

Tools cont’d.

– Encrypt data in transit to protect against sniffing and man in the middle attacks

• Minimal necessary rights – Minimize abilities for malicious users or compromised accounts

• Complex user IDs – Make them difficult to guess, esp. for hackers

Tools cont’d.

• Secure passwords – Enable complexity and force regular changes

• Multi-factor authentication – Know, have, are…

• Auditing tools – Monitor who is doing what on the network

• Vulnerability scanners – Find holes before the bad guys do

Tools cont’d.

• Antivirus / antimalware software – Enable active protection and keep up to date

• SPAM filter – Protect against malicious email such as phishing / spear phishing or malware

New Toys

Does it really need to be on the network for the business to operate or to keep patients alive / healthy?

• HVAC – Target Breach anyone?

• Appliances – Refrigerator email?

• Smart TVs

• Personal devices – BYOD

Off-Network Security

Does employee mobility make your business vulnerable?

• Remote staff

• Mobile staff

• Home network

• Coffee shop

• Hotel

Quick Summary

• Know the players

• Know the rules

• Draw the line

• Hold the line

• Ask for help

• It’s not about making friends

• Pay to play or cease to be paid

Supplemental Resources

• Reference documents used in this presentation will be made available on the Customer Portal Document Library under “Security Alerts and Awareness”

• We will also post additional documents over time from various sources

• Documents posted from Infragard are subject to the Traffic Light Protocol (TLP). TLP restrictions will be noted with each document to maintain national protocol. TLP MUST be followed

Traffic Light Protocol

• RED – personal for named recipients only

– In the context of a meeting, for example, RED information is limited to those present at the meeting. In most circumstances, RED information will be passed verbally or in person.

• AMBER – limited distribution

– The recipient may share AMBER information with others within their organization, but only on a ‘need-to-know’ basis. The originator may be expected to specify the intended limits of that sharing.

• GREEN – community wide

– Information in this category can be circulated widely within a particular community. However, the information may not be published or posted publicly on the Internet, nor released outside of the community.

• WHITE – unlimited

– Subject to standard copyright rules, WHITE information may be distributed freely, without restriction.

Security Alerts & Awareness

• Visualutions Customer Portal

Download all conference presentations at

visualutions.com/ug15conference

Join our newsletter and stay up to date! visualutions.com/newsletters

Thank you.