Date post: 18-Aug-2020
© 2016 HITRUST Alliance.

Page 1: Vulnerability Management and Reporting - HITRUST · 2016. 5. 3. · • Global competition • Climate ... their individual responsibility to monitor and report on events that may

Vulnerability Management and Reporting: A Proposed Code of Conduct
David S. Muntz, CHCIO, FCHIME, LCHIME, FHIMSS
HITRUST - Senior Advisor, Public Policy
April 28, 2016, Breakout Session – Texas 1-3

Page 2: How is This Relevant to Our HIT Environment?

Page 3: Complexity of the Current Environment
• New models of payment
• Mergers/acquisitions/closures
• Shift in care settings
• Care coordination
• Talent shifting
• ICD-10
• ACOs
• SSP ACOs
• Health Insurance Marketplace
• MU 1
• MU 2
• New proposed rules
• Understanding MU 3
• Beyond MU
• Post-ARRA ONC (termination of grants programs)
• Post-ARRA HIT deployment
• HIPAA regulations
• Cybersecurity
• Biodefense
• Payment audits
• Security audits
• Business Continuity
• Patient and Family Engagement
• Patient matching
• Mobile
• Telehealth
• BYOD

Page 4: Complexity of the Current Environment
• All other federal and state regulatory requirements, e.g. SGR, quality reporting
• All other internal HIT initiatives
• Post-implementation optimization
• Safety
• Big (eclectic) Data
• Data (value) Analytics
• Talent shortage
• Focus
• Changing roles
• Genomics
• Proteomics
• Precision Medicine
• Nanotechnologies
• Health literacy
• Global competition
• Climate
• Global financial health
• The Value Proposition
• Accelerating speed of change in
  – Information Technologies
  – The healthcare environment

Page 5: Complexity + Pace of Change

Opportunity

http://www.signingsavvy.com/sign/OPPORTUNITY/1977/1

Page 6: Success = People + Process + Technology

Think Holistically

Page 7: Success = People x Process x Technology

Think Holistically

Page 8: Vulnerabilities Exist

Our Shared Challenge: Re-establishing Trust

Page 9: Definition of Vulnerabilities
• Conditions that might unfavorably impact
  – Development
  – Deployment
  – Nominal operations
  – Products
  – Services
• Vulnerabilities can be
  – Intentional
  – Unintentional
  – Known
  – Unknown
• Elements of products and services that could be affected
  – Security
  – Confidentiality
  – Privacy
  – Integrity
  – Authority
  – Trust
  – Usability
  – Availability

Page 10: Proposal: Create a Code of Conduct

Page 11: Why Should Principles Be Adopted?
• It's the right thing to do.
• Adherence to principles can raise the community standard of care.
• An expected set of behaviors can be inferred or defined explicitly.
• Information gathered should lead to better production, deployment, and usage of HIT products and services.

Page 12: Guiding Principle

My/Our fundamental objective is to maintain and increase the safety of the healthcare continuum in which we provide health information technology (HIT) products and services for the human health experience. As a developer of software and/or a provider of software and services used by Healthcare Providers and Consumers, I/we are committed to the following principles.

Page 13: General Principle

In an effort to deliver safe, defect-free products and services, I/we will employ vulnerability management and reporting practices based on the following principles during the development, deployment, and use of those products and services.

Patient safety is paramount.

Page 14: Community Responsibility

I/We will aspire to make every participant in the delivery of HIT products and services aware of their individual responsibility to monitor and report on events that may adversely affect safety as they occur, for the sake of every member of the community.

As a developer and/or provider of services, I/we must educate our employees and our clients about how to communicate a vulnerability.

As a developer and/or provider of services, I/we recognize that safety can be improved and promoted by communicating vulnerabilities during all phases of HIT, including but not limited to development, testing, deployment, and post-implementation.

As a developer and/or provider of services, I/we recognize that whatever product or service I/we provide is one component of the care continuum, and I/we will think about the impact that our products and services have on others, as well as the impact others may have on us.

Page 15: Blame-free Culture

I/we will treat the discovery of vulnerabilities as an opportunity for improvement. I/we will address the contributing factors in a constructive manner.

Page 16: From the National Patient Safety Foundation

Page 17: Sense of Urgency

As a provider of products and services, I/we have a responsibility to manage the vulnerabilities as quickly as they can be validated after they are discovered. Once discovered, I/we will communicate in clear and concise terms the potential impacts of the vulnerability, and when practical, provide solutions.

Page 18: Audience Participation

Page 19: Role of the Government
• Create a voluntary framework that can and will be adopted by all healthcare sector participants. In the event that private sector participation is weak, a regulatory mandate(s) for participation should be considered. The effectiveness of the activities in the healthcare sector should be judged by an independent body of experts and reported to [governmental oversight body].
• Provide legal protection to ensure that all parties are encouraged to report vulnerabilities as they are identified.

Page 20: Other Questions
• Should a vulnerability management maturity model be developed?
• Should the principles evolve with the industry?
• Does one size fit all? How does size, complexity, or usage impact the principles?
• How do we deal with existing quality and safety reporting processes and organizations not necessarily focused on HIT?
• How does this impact, or how is it impacted by, Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing (EO 9913691)?
• How does this relate to The National Health Information Sharing & Analysis Center (NH-ISAC)?

Page 21: Thank You!

[email protected]

Page 22: External Intelligence: Brand & Supply Chain Monitoring
Nicholas Albright, Vice President, Security - Anomali

Page 23: Agenda
• Overview
• Supply Chain Monitoring
• External Threat Intelligence
  – Suspicious Domains
  – Network Cleanliness
  – Social Media and Dark Web
  – Credential Exposures
• Operationalizing
• Wrap up

Page 24: Overview
• External Intelligence based Breach Analytics
  – i.e. using intelligence about events that may not be observable on your network to detect breaches or other security events
• We apply this beyond your borders to your supply chain
• Types of threat intelligence covered include:
  – Suspicious Domains
  – Network Cleanliness
  – Social Media and Dark Web
  – Credential Exposures

Page 25: Defining Your Supply Chain
• Any vendor, partner, or customer that your organization relies on or trusts, implicitly or explicitly
• Supply chain members are a dependency in your vulnerability graph
• Breaches within your supply chain may impact your organization
• Supply chain examples:
  – Contractors or vendors
  – Software, Third Party Libraries, Remote Access Tools (VPN)
  – Environmental Control
  – Power, Utilities, and Telecomms
  – Computing, Hosting, and ISPs
  – SaaS Services

Page 26: On Premises Controls
• On Premises Controls will only work for supply chain events within your network
  – Code/Library Reviews
  – Network Flow and Account Access Reviews
  – Internal Pivoting
  – Threat Feeds (Your Organization on Blocklists, Bad guys accessing your org)
• They cannot detect events occurring outside your network

Page 27: Zero Premises Controls
• How can you use your Threat Intelligence solution to identify Supply Chain Threats?
• Zero Premises Controls will extend your capabilities deep within your suppliers' infrastructure!
  – Public Credential Exposures (Yourself, Partners, Suppliers)
  – Threat Feeds (External Organizations on Blocklists)
  – Shodan/Censys Reviews
  – Suspicious Domain Registrations (Yourself, Partners, Suppliers)
  – Social Media/Dark Web Monitoring

Page 28: Supply Chain Threat Intelligence
• Document and Research
• Supply chain company's security posture?
  – Network cleanliness? Web footprint? (Services/Capabilities)
• Supply chain company compromised?
  – How recent? Repeated? May put you at risk
• Supply chain company's brand used to phish you?
  – Pay special attention to Service Desk services!
• Supply chain company being targeted?
  – Examples may not be so obvious
  – DNS Registrars hold the keys

Page 29: External Threat Intelligence

Page 30: Suspicious Domain Name Monitoring
• Adversaries register domains mimicking the target's brand
• Techniques:
  – Transforms: Typosquat, Homoglyph, Character omission/insertion/swap, etc.
  – Deceptive domains: vpn-mycompany.com, portal-mycompany.com
• Used to phish you or as C2 domains
• Very effective social engineering tactic
• Inventory Items: internal and external domain names, brand names
• Data Sources: New domain registrations, Passive DNS, VirusTotal Hunting, URLCrazy
• Operations: SIEM integration, Email alerts, IDS Signatures, DNS RPZ
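The following is an added example, not code from the slides or from Anomali: it enumerates the transform classes the slide lists (omission, swap, duplication, homoglyph substitution, deceptive prefixes) for an assumed brand domain and screens a constructed "new domain registration" feed against them, with an edit-distance fallback for variants the generator does not enumerate. The brand domain, homoglyph table, prefix and TLD lists and the sample feed are all assumptions.

```python
# Added example, not from the HITRUST/Anomali slides: lookalike-domain screening.
# Brand inventory, homoglyph table, prefixes, TLDs and the feed below are assumed.
BRAND_DOMAINS = ["mycompany.com"]
HOMOGLYPHS = {"a": ["4", "@"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"],
              "o": ["0"], "s": ["5"], "t": ["7"], "m": ["rn"], "w": ["vv"]}
DECEPTIVE_PREFIXES = ["vpn", "portal", "login", "secure", "mail"]
TLDS = ["com", "net", "org", "co", "us"]

def split_domain(domain):
    """'mycompany.com' -> ('mycompany', 'com')."""
    name, _, tld = domain.rpartition(".")
    return name, tld

def lookalike_variants(domain):
    """Generate the lookalike set for one brand domain (transforms from the slide)."""
    name, _ = split_domain(domain)
    names = {name}
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])          # character omission
        names.add(name[:i] + name[i] + name[i:])     # character duplication
        for sub in HOMOGLYPHS.get(name[i], []):      # homoglyph substitution
            names.add(name[:i] + sub + name[i + 1:])
    for i in range(len(name) - 1):                   # adjacent-character swap
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    result = {f"{n}.{t}" for n in names for t in TLDS}
    for p in DECEPTIVE_PREFIXES:                     # vpn-mycompany.com and the like
        for t in TLDS:
            result.add(f"{p}-{name}.{t}")
            result.add(f"{name}-{p}.{t}")
    result.discard(domain)                           # the genuine domain is never a hit
    return result

def levenshtein(a, b):
    """Edit distance: catches substitutions the generator does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen_registrations(registrations, brand_domains=BRAND_DOMAINS, max_edits=2):
    """Return [(domain, reason)] for feed entries that look like a brand domain."""
    hits = []
    for brand in brand_domains:
        variants = lookalike_variants(brand)
        bname, _ = split_domain(brand)
        for reg in registrations:
            reg = reg.strip().lower()
            if reg == brand:
                continue
            rname, _ = split_domain(reg)
            if reg in variants:
                hits.append((reg, "generated-variant"))
            elif bname in rname:                     # e.g. mycompany-support.io
                hits.append((reg, "brand-substring"))
            elif levenshtein(rname, bname) <= max_edits:
                hits.append((reg, f"edit-distance<={max_edits}"))
    return hits

# Constructed sample "new registration" feed; not real data.
SAMPLE_FEED = ["mycompany.com", "vpn-mycompany.com", "myc0mpany.net",
               "mycompnay.com", "mycompany-portal.co", "example.org",
               "rnycompany.com", "mycompamy.com", "MyCompany-Support.io"]

if __name__ == "__main__":
    for domain, reason in screen_registrations(SAMPLE_FEED):
        print(f"ALERT {domain:28} {reason}")
```

The hit list is what would be pushed to the SIEM or mailed out; the same variant set can seed DNS RPZ or IDS signatures before any registration appears.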

Page 31: Suspicious Domain Examples (lookalikes of threatstream.com)


Page 32: Don't Forget About Dynamic DNS (threatstream.* hostnames under dynamic DNS providers)


Page 33: Case Study: Suspicious Domain Registration
• Abuse isn't always about network compromises
• Major US-based Cable and Telecommunications company
• Fraudulent procurement attempt
• Email sent from ${user}@${company}-us.com, but with the correct letterhead and markings
• Discovered by SIEM scanning incoming email logs, which flagged the messages as suspicious
• Security team prevented the fraudulent transaction; fraud team seized the domain

Page 34: Network Cleanliness Monitoring
• Systems from your IP space or your supply chain's showing up as…
  – Bot IPs
  – Scanning IPs
  – Brute force IPs
  – Spam IPs
• Your web server hosting malicious content?
• Vulnerable or unexpected services running and discoverable?
• Inventory Items: IP address space of organization and key executives (if possible)
• Data Sources: Threat intelligence feeds, honeypot events, botnet sinkhole, Port scan/Web crawl data
• Operations: SIEM integration, Email notifications, passive audits of port scan/web crawl data

Page 35: Case Study: Network Cleanliness
• Large hi-tech firm evaluating an IT staffing company for outsourcing some development and IT services
• IT staffing company would need VPN access and access to our internal IT resources
• Passive vendor audit performed using threat intelligence data and a public port scan repository
• Upon inspection, the IT staffing company had very poor network hygiene
  – tens of IPs regularly checked into malware sinkholes
  – tens of IPs regularly scanned honeypot sensors
  – thousands of compromised credentials
• IT staffing company deemed too risky

Page 36: Social Network and Dark Web Monitoring
• Inventory Items: Brand names, key executive names
• Data Sources: Social media feeds, Crawling Dark Web, analysts monitoring dark web, Google Dorks
• Operations: SIEM integration, Email notifications

Credential Exposure posting from the Hell Darkweb forum

Page 37: Case Study: Social Media/Dark Web Monitoring
• Brand monitoring for a major US-based retailer
• Discovered a custom-built attack tool designed for the sole purpose of brute-forcing a specific part of the retailer's web application
• Provided the sample and a report about what it did, how it worked and who built it to the retailer

Page 38: Credential Exposure Monitoring
• Inventory Items: email domains, email addresses of key executives
• Data sources: Paste sites, Google Dorks, Dark web
• Operations: SIEM integration/orchestration system – notify users/reset passwords, Email alerts

Page 39: Case Study: Credential Exposures
• Brand monitoring for a major Food and Beverage company
• Discovered a leaked credential exposure from an internal IT wiki page that was accidentally exposed
• Company alerted and changed all passwords within 24 hours
• No evidence that these credentials were abused in that time

Page 40: Operationalizing

Page 41: Build an Inventory
• Create an inventory
  – Yourself
  – Critical supply chain partners
• The adversaries do this; you should too
  – Email domain names
  – Internal and External domain names
  – Personal email addresses of key executives
  – Company's IP address space
  – IP address space of key executives' home networks
  – Brand names
  – Names of key executives

Page 42: Data Sources and Integration Points

Suspicious Domains
  Data Sources: New domain registration data (Whois); Passive DNS; VirusTotal Hunting; Repeated reviews of DynDNS
  Integration Points: SIEM integrations; Email-based alerting

Network Cleanliness
  Data Sources: Honeypots/C2 Sinkholes; Open source threat feeds; Spammer feeds; Commercial threat intelligence providers; Port scan/Web crawl data
  Integration Points: Search/Alert on your IP network or your supply chain's network showing up on these lists; SIEM integrations; Email-based alerting; Periodic review of external internet-facing assets

Social Media and Dark Web
  Data Sources: Dark Web/Deep Web forums; Social media sites; Google Dorks
  Integration Points: Search/Alert on your brand or your supply chains'; SIEM integrations

Compromised Credentials
  Data Sources: Paste sites; Dark Web/Deep Web monitoring; Google dorks; Commercial threat intelligence providers
  Integration Points: Search/Alert on your email domains or those of your supply chain; Notify users; Reset passwords as needed
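The following is an added example, not code from the slides or from Anomali, covering the Network Cleanliness and Credential Exposure rows above (and the Build an Inventory slide): it holds an assumed inventory (your CIDR blocks, a supplier's CIDR block, monitored email domains) and matches it against constructed feed records of both kinds, producing the search/alert and notify/reset outputs the table lists. The inventory, the feed line formats and every address, domain and account are assumptions.

```python
# Added example, not from the HITRUST/Anomali slides: inventory-driven screening
# of constructed feed records. Inventory, feed formats and all values are assumed.
import ipaddress
import re

# Assumed inventory: owner -> CIDR blocks (RFC 5737 documentation ranges).
IP_INVENTORY = {"self": ["198.51.100.0/24"], "vendor-it": ["203.0.113.0/25"]}
# Assumed monitored email domains -> owner.
EMAIL_DOMAINS = {"mycompany.example": "self", "vendor-it.example": "vendor-it"}

# Constructed network-cleanliness feed, assumed format "<ip>,<category>,<source>".
NETWORK_FEED = """\
198.51.100.23,sinkhole-checkin,c2-sinkhole
203.0.113.9,honeypot-scan,honeypot
203.0.113.77,spam,spammer-feed
203.0.113.200,bruteforce,honeypot
192.0.2.5,bot,opensource-feed
""".splitlines()

# Constructed paste-site dump, assumed format "<email>:<password>".
PASTE_DUMP = """\
alice@mycompany.example:Winter2016!
bob@unrelated.example:hunter2
ops@vendor-it.example:P@ssw0rd
not an email line
""".splitlines()

EMAIL_RE = re.compile(r"^([^@\s:]+)@([^:\s]+):(.+)$")

def inventory_networks():
    """Flatten the inventory into (owner, ip_network) pairs."""
    return [(owner, ipaddress.ip_network(cidr))
            for owner, cidrs in IP_INVENTORY.items() for cidr in cidrs]

def network_cleanliness_hits(feed_lines):
    """Return (ip, category, owner) for feed IPs inside an inventoried block.
    203.0.113.200 is in the vendor's /24 but not its /25, so it is not a hit."""
    nets = inventory_networks()
    hits = []
    for line in feed_lines:
        try:
            ip_text, category, _source = line.split(",", 2)
            ip = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            continue                     # malformed feed line: skip, do not crash
        for owner, net in nets:
            if ip in net:
                hits.append((str(ip), category.strip(), owner))
    return hits

def credential_exposure_actions(dump_lines):
    """Map exposed accounts in monitored domains to the response actions the
    slides list (notify user, reset password). Passwords are parsed but never
    returned, so the alert itself does not re-expose them."""
    actions = []
    for line in dump_lines:
        match = EMAIL_RE.match(line.strip())
        if not match:
            continue
        user, domain, _password = match.groups()
        owner = EMAIL_DOMAINS.get(domain.lower())
        if owner is None:
            continue                     # not our domain and not a supplier's
        actions.append({"account": f"{user}@{domain}", "owner": owner,
                        "actions": ["notify-user", "reset-password"]})
    return actions

if __name__ == "__main__":
    for ip, category, owner in network_cleanliness_hits(NETWORK_FEED):
        print(f"NETWORK  {owner:10} {ip:16} {category}")
    for item in credential_exposure_actions(PASTE_DUMP):
        print(f"CREDS    {item['owner']:10} {item['account']:26} "
              + ",".join(item["actions"]))
```

Keeping the supplier's blocks in the same inventory is what turns this into the passive vendor audit of the Network Cleanliness case study: hits tagged vendor-it are the supplier's hygiene problems, not yours.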

Page 43: Summary
• Organizations must watch more than themselves and their industry vertical
• High-tech suppliers such as Web and Domain Services, Firewall and Desktop Application vendors are increasingly targeted
• Chatter on social media and Dark Web forums can provide early warning
• Compromised credentials may be used by third-party contractors on your network
• Passive vendor audits should be part of your procurement process

Page 44: Nicholas Albright | VP of Security, Anomali
2317 Broadway, 3rd Floor, Redwood City, CA 94063
Phone: 1-844-THREATS
HTTPS://Anomali.com

