Vulnerability Management and Reporting - HITRUST

Post on 18-Aug-2020



© 2016 HITRUST Alliance.

Vulnerability Management and Reporting: A Proposed Code of Conduct
David S. Muntz, CHCIO, FCHIME, LCHIME, FHIMSS
HITRUST - Senior Advisor, Public Policy
April 28, 2016, Breakout Session – Texas 1-3


How is This Relevant to Our HIT Environment?


Complexity of the Current Environment
•  New models of payment
•  Mergers/acquisitions/closures
•  Shift in care settings
•  Care coordination
•  Talent shifting
•  ICD-10
•  ACOs
•  SSP ACOs
•  Health Insurance Marketplace
•  MU 1
•  MU 2
•  New proposed rules
•  Understanding MU 3
•  Beyond MU
•  Post-ARRA ONC (termination of grants programs)
•  Post-ARRA HIT deployment
•  HIPAA regulations
•  Cybersecurity
•  Biodefense
•  Payment audits
•  Security audits
•  Business Continuity
•  Patient and Family Engagement
•  Patient matching
•  Mobile
•  Telehealth
•  BYOD


Complexity of the Current Environment
•  All other federal and state regulatory requirements, e.g. SGR, quality reporting
•  All other internal HIT initiatives
•  Post-implementation optimization
•  Safety
•  Big (eclectic) Data
•  Data (value) Analytics
•  Talent shortage
•  Focus
•  Changing roles
•  Genomics
•  Proteomics
•  Precision Medicine
•  Nanotechnologies
•  Health literacy
•  Global competition
•  Climate
•  Global financial health
•  The Value Proposition
•  Accelerating speed of change in
   –  Information Technologies
   –  The healthcare environment


Complexity + Pace of Change

Opportunity

http://www.signingsavvy.com/sign/OPPORTUNITY/1977/1


Success = People + Process + Technology

Think Holistically


Success = People × Process × Technology

Think Holistically


Vulnerabilities Exist

Our Shared Challenge: Re-establishing Trust


Definition of Vulnerabilities
•  Conditions that might unfavorably impact
   –  Development
   –  Deployment
   –  Nominal operations
   –  Products
   –  Services
•  Vulnerabilities can be
   –  Intentional
   –  Unintentional
   –  Known
   –  Unknown
•  Elements of products and services that could be affected
   –  Security
   –  Confidentiality
   –  Privacy
   –  Integrity
   –  Authority
   –  Trust
   –  Usability
   –  Availability


Proposal: Create a Code of Conduct


Why Should Principles Be Adopted?
•  It's the right thing to do.
•  Adherence to principles can raise the community standard of care
•  An expected set of behaviors can be inferred or defined explicitly
•  Information gathered should lead to better production, deployment, and usage of HIT products and services


Guiding Principle

My/Our fundamental objective is to maintain and increase the safety of the healthcare continuum in which we provide health information technology (HIT) products and services for the human health experience. As a developer of software and/or a provider of software and services used by Healthcare Providers and Consumers, I/we are committed to the following principles.


General Principle

In an effort to deliver safe, defect-free products and services, I/we will employ vulnerability management and reporting practices based on the following principles during the development, deployment, and use of those products and services.

Patient safety is paramount.


Community Responsibility

I/We will aspire to make every participant in the delivery of HIT products and services aware of their individual responsibility to monitor and report on events that may adversely affect safety as they occur, for the sake of every member of the community. As a developer and/or provider of services, I/we must educate our employees and our clients about how to communicate a vulnerability. As a developer and/or provider of services, I/we recognize that safety can be improved and promoted by communicating vulnerabilities during all phases of HIT, including but not limited to development, testing, deployment, and post-implementation. As a developer and/or provider of services, I/we recognize that whatever product or service I/we provide is one component of the care continuum, and I/we will think about the impact that our products and services have on others, as well as the impact others may have on us.


Blame-free Culture

I/we will treat the discovery of vulnerabilities as an opportunity for improvement. I/we will address the contributing factors in a constructive manner.


From the National Patient Safety Foundation


Sense of Urgency

As a provider of products and services, I/we have a responsibility to manage the vulnerabilities as quickly as they can be validated after they are discovered. Once discovered, I/we will communicate in clear and concise terms the potential impacts of the vulnerability, and when practical, provide solutions.


Audience Participation


Role of the Government
•  Create a voluntary framework that can and will be adopted by all healthcare sector participants. In the event that private sector participation is weak, a regulatory mandate(s) for participation should be considered. The effectiveness of the activities in the healthcare sector should be judged by an independent body of experts and reported to [governmental oversight body].
•  Provide legal protection to ensure that all parties are encouraged to report vulnerabilities as they are identified.


Other Questions
•  Should a vulnerability management maturity model be developed?
•  Should the principles evolve with the industry?
•  Does one size fit all? How does size, complexity, or usage impact the principles?
•  How do we deal with existing quality and safety reporting processes and organizations not necessarily focused on HIT?
•  How does this impact or how is it impacted by Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing (EO 9913691)?
•  How does this relate to The National Health Information Sharing & Analysis Center (NH-ISAC)?


Thank You!

David.Muntz@HITRUSTalliance.org


External Intelligence: Brand & Supply Chain Monitoring
Nicholas Albright, Vice President, Security - Anomali


Agenda
•  Overview
•  Supply Chain Monitoring
•  External Threat Intelligence
   •  Suspicious Domains
   •  Network Cleanliness
   •  Social Media and Dark Web
   •  Credential Exposures
•  Operationalizing
•  Wrap up


Overview
•  External Intelligence based Breach Analytics
   •  i.e. using intelligence about events that may not be observable on your network to detect breaches or other security events
•  We apply this beyond your borders to your supply chain
•  Types of threat intelligence covered include:
   •  Suspicious Domains
   •  Network Cleanliness
   •  Social Media and Dark Web
   •  Credential Exposures


Defining Your Supply Chain
•  Any vendor, partner, or customer that your organization relies on or trusts, implicitly or explicitly
•  Supply chain members are a dependency in your vulnerability graph
•  Breaches within your supply chain may impact your organization
•  Supply chain examples:
   •  Contractors or vendors
   •  Software, Third Party Libraries, Remote Access Tools (VPN)
   •  Environmental Control
   •  Power, Utilities, and Telecomms
   •  Computing, Hosting, and ISPs
   •  SaaS Services


On Premises Controls
•  On Premises Controls will only work for supply chain events within your network
   •  Code/Library Reviews
   •  Network Flow and Account Access Reviews
   •  Internal Pivoting
   •  Threat Feeds (Your Organization on Blocklists, Bad guys accessing your org)
•  They cannot detect events occurring outside your network


Zero Premises Controls
•  How can you use Your Threat Intelligence solution to identify Supply Chain Threats?
•  Zero Premises Controls will extend your capabilities deep within your suppliers' infrastructure!
   •  Public Credential Exposures (Yourself, Partners, Suppliers)
   •  Threat Feeds (External Organizations on Blocklists)
   •  Shodan/Censys Reviews
   •  Suspicious Domain Registrations (Yourself, Partners, Suppliers)
   •  Social Media/Dark Web Monitoring


Supply Chain Threat Intelligence
•  Document and Research
•  Supply chain company's security posture?
   •  Network cleanliness? Web footprint? (Services/Capabilities)
•  Supply chain company compromised?
   •  How Recent? Repeated? May put you at risk
•  Supply chain company's brand used to phish you?
   •  Pay Special Attention to Service Desk Services!
•  Supply chain company being targeted?
   •  Examples may not be so obvious
   •  DNS Registrars hold the keys


External Threat Intelligence


Suspicious Domain Name Monitoring
•  Adversaries register domains mimicking the target's brand
•  Techniques:
   •  Transforms: Typosquat, Homoglyph, Character Omission/insertion/swap, etc.
   •  Deceptive domains: vpn-mycompany.com, portal-mycompany.com
•  Used to phish you or as C2 domains
•  Very effective social engineering tactic
•  Inventory Items: internal and external domain names, brand names
•  Data Sources: New Domain registrations, Passive DNS, Virustotal Hunting, URLCrazy
•  Operations: SIEM integration, Email alerts, IDS Signatures, DNS RPZ


Suspicious Domain Examples



Don't Forget About Dynamic DNS

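An added example (not from the Anomali deck) of the inventory-driven check that the transform techniques and the dynamic DNS point above describe: it generates one-edit lookalikes of an inventoried brand domain and classifies a feed of newly seen names, including the brand used as a subdomain of someone else's zone. The inventory, the homoglyph table and the feed names are assumed, constructed sample values.

```python
import string

# Constructed inventory (assumed): registrable domains the organization owns.
INVENTORY = {"threatstream.com"}
# Assumed small homoglyph table; production lists (e.g. URLCrazy's) are larger.
HOMOGLYPHS = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}

def transforms(label):
    """All one-edit lookalikes of a label: omission, adjacent swap, homoglyph, insertion."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                        # omission
        if i + 1 < len(label):                                    # adjacent swap
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        if label[i] in HOMOGLYPHS:                                # homoglyph
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
    for i in range(len(label) + 1):
        for c in string.ascii_lowercase + "-":                    # insertion
            out.add(label[:i] + c + label[i:])
    out.discard(label)
    return out

def classify(candidate):
    """Reason a newly registered or resolved name resembles an inventory item, or None."""
    candidate = candidate.lower()
    label = candidate.rpartition(".")[0]           # everything left of the TLD
    for owned in INVENTORY:
        olabel = owned.rpartition(".")[0]
        if candidate == owned:
            continue                                # our own name, not a lookalike
        if label == olabel:
            return f"same label, different TLD ({owned})"
        if label in transforms(olabel):
            return f"one-edit lookalike of {owned}"
        if candidate.split(".")[0] == olabel:       # dynamic DNS style
            return f"brand as subdomain of another zone ({owned})"
        if olabel in label:
            return f"brand embedded with prefix/suffix ({owned})"
    return None

# Constructed sample feed (assumed): new registrations and passive DNS names.
NEW_NAMES = ["threatstream.com", "thr3atstream.com", "threatstreams.com", "threatstream.se",
             "threatstream.gnway.net", "vpn-threatstream.com", "example.com"]

def scan(names):
    """Map each flagged name to its reason (input for SIEM alerts or a DNS RPZ)."""
    return {n: r for n in names if (r := classify(n))}
```

Two-edit variants (the th2eatdtream.com style) need a second transform pass or a distance metric; this block deliberately stops at one edit to keep the candidate set small.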


Case Study: Suspicious Domain Registration
•  Abuse isn't always about network compromises
•  Major US Based Cable and Telecommunications company
•  Fraudulent procurement attempt
•  Email sent from ${user}@${company}-us.com, but with the correct letterhead and markings
•  Discovered by SIEM scanning incoming email logs, which flagged messages as suspicious
•  Security team prevented fraudulent transaction, fraud team seized domain


Network Cleanliness Monitoring
•  Systems from your IP space or your supply chain's showing up as…
   •  Bot IPs
   •  Scanning IPs
   •  Brute force IPs
   •  Spam IPs
•  Your web server hosting malicious content?
•  Vulnerable or unexpected services running and discoverable?
•  Inventory Items: IP Address Space of organization and key executives (if possible)
•  Data Sources: Threat intelligence feeds, honeypot events, botnet sinkhole, Port scan/Web crawl data
•  Operations: SIEM integration, Email notifications, passive audits of port scan/web crawl data


Case Study: Network Cleanliness
•  Large Hi-tech firm evaluating IT staffing company for outsourcing some development and IT services
•  IT Staffing company would need VPN access and access to our internal IT resources
•  Passive vendor audit performed using threat intelligence data and public port scan repository
•  Upon inspection, IT staffing company had very poor network hygiene
   •  tens of IPs regularly checked into malware sinkholes
   •  tens of IPs regularly scanned honeypot sensors
   •  thousands of compromised credentials
•  IT staffing company deemed too risky
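An added example, not from the deck, of the passive vendor audit and network cleanliness alerting described above: inventoried CIDR blocks for yourself and a supplier are matched against a threat feed, counted per list within a time window, and IPs that keep reappearing (the "How Recent? Repeated?" question) are flagged. The organization names, CIDRs (RFC 5737 documentation ranges) and feed events are assumed, constructed sample values.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory (assumed): IP space for yourself and key supply chain partners.
INVENTORY = {
    "ourselves": ["203.0.113.0/24"],
    "it-staffing-vendor": ["198.51.100.0/25", "192.0.2.64/26"],
}
NETWORKS = {org: [ipaddress.ip_network(c) for c in cidrs]
            for org, cidrs in INVENTORY.items()}

# Constructed feed events (assumed format): (ISO timestamp, source IP, list name).
FEED = [
    ("2016-01-01T00:00:00", "203.0.113.9", "bot"),            # too old for the window
    ("2016-04-01T08:00:00", "198.51.100.17", "sinkhole"),
    ("2016-04-03T09:30:00", "198.51.100.17", "sinkhole"),
    ("2016-04-05T11:00:00", "198.51.100.17", "sinkhole"),
    ("2016-04-05T12:00:00", "192.0.2.70", "honeypot-scan"),
    ("2016-04-06T12:00:00", "203.0.113.9", "spam"),
    ("2016-04-07T12:00:00", "198.51.100.200", "sinkhole"),    # outside the /25, not inventoried
]

def owner(ip):
    """Return the inventoried organization whose space contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for org, nets in NETWORKS.items():
        if any(addr in net for net in nets):
            return org
    return None

def summarize(feed, now, window_days=30, repeat_threshold=2):
    """Per organization: hits by list within the window, and IPs that keep reappearing."""
    cutoff = now - timedelta(days=window_days)
    hits = defaultdict(lambda: defaultdict(int))     # org -> list name -> count
    per_ip = defaultdict(lambda: defaultdict(int))   # org -> ip -> count
    for ts, ip, list_name in feed:
        org = owner(ip)
        if org is None or datetime.fromisoformat(ts) < cutoff:
            continue
        hits[org][list_name] += 1
        per_ip[org][ip] += 1
    return {org: {"hits": dict(hits[org]),
                  "repeated_ips": sorted(ip for ip, n in per_ip[org].items()
                                         if n >= repeat_threshold)}
            for org in hits}

def vendor_verdict(report, org, max_repeated=0):
    """Passive audit outcome: any IP that keeps reappearing on threat lists is disqualifying."""
    entry = report.get(org, {"hits": {}, "repeated_ips": []})
    return "too risky" if len(entry["repeated_ips"]) > max_repeated else "acceptable"
```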


Social Network and Darkweb Monitoring
•  Inventory Items: Brand names, key executive names
•  Data Sources: Social media feeds, Crawling Dark Web, analysts monitoring dark web, Google Dorks
•  Operations: SIEM integration, Email notifications

[Image: credential exposure posting from the Hell darkweb forum]


Case Study: Social Media/Darkweb Monitoring
•  Brand monitoring for Major US Based Retailer
•  Discovered a custom built attack tool designed for the sole purpose of brute forcing a specific part of the retailer's web application
•  Provided the sample and a report about what it did, how it worked and who built it to the retailer


Credential Exposure Monitoring
•  Inventory Items: email domains, email addresses of key executives
•  Data sources: Paste sites, Google Dorks, Dark web
•  Operations: SIEM integration/orchestration system – notify users/reset passwords, Email alerts


Case Study: Credential Exposures
•  Brand monitoring for a Major Food and Beverage Company
•  Discovered leaked credential exposure from an internal IT wiki page that was accidentally exposed
•  Company alerted and changed all passwords within 24 hours
•  No evidence that these credentials were abused in that time


Operationalizing


Build an Inventory
•  Create an inventory
   •  Yourself
   •  Critical supply chain partners
•  The adversaries do this, you should too
   •  Email domain names
   •  Internal and External domain names
   •  Personal email addresses of key executives
   •  Company's IP address space
   •  IP address space of key executives' home networks
   •  Brand names
   •  Names of key executives


Data Sources and Integration Points

Suspicious Domains
   Data Sources:
   •   New domain registration data (Whois)
   •   Passive DNS
   •   Virustotal Hunting
   •   Repeated reviews of DynDNS
   Integration Points:
   •   SIEM integrations
   •   Email based alerting

Network Cleanliness
   Data Sources:
   •   Honeypots/C2 Sinkholes
   •   Open source threat feeds
   •   Spammer feeds
   •   Commercial Threat intelligence providers
   •   Port scan/Web crawl data
   Integration Points:
   •   Search/Alert on your IP network or your supply chain's network showing up on these lists.
   •   SIEM integrations
   •   Email based alerting
   •   Periodic review of external internet facing assets

Social Media and Dark Web
   Data Sources:
   •   Dark Web/Deep Web Forums
   •   Social Media Sites
   •   Google Dorks
   Integration Points:
   •   Search/Alert on your brand or your supply chains'
   •   SIEM integrations

Compromised Credentials
   Data Sources:
   •   Paste sites
   •   Dark Web/Deep Web monitoring
   •   Google dorks
   •   Commercial Threat intelligence providers
   Integration Points:
   •   Search/Alert on your email domains or those of your supply chain
   •   Notify users
   •   Reset passwords as needed


Summary
•  Organizations must watch more than themselves and their industry vertical
•  High Tech Suppliers such as Web and Domain Services, Firewall and Desktop Application vendors are increasingly targeted
•  Chatter on social media and Dark Web forums can provide early warning
•  Compromised Credentials may be used by third party contractors on your network
•  Passive vendor audits should be part of your procurement process


Nicholas Albright | VP of Security, Anomali
2317 Broadway, 3rd Floor, Redwood City, CA 94063
Phone: 1–844–THREATS
HTTPS://Anomali.com