© 2016 HITRUST Alliance.
Vulnerability Management and Reporting: A Proposed Code of Conduct
David S. Muntz, CHCIO, FCHIME, LCHIME, FHIMSS, HITRUST Senior Advisor, Public Policy
April 28, 2016, Breakout Session – Texas 1-3
How is This Relevant to Our HIT Environment?
Complexity of the Current Environment
• New models of payment
• Mergers/acquisitions/closures
• Shift in care settings
• Care coordination
• Talent shifting
• ICD-10
• ACOs
• SSP ACOs
• Health Insurance Marketplace
• MU 1
• MU 2
• New proposed rules
• Understanding MU 3
• Beyond MU
• Post-ARRA ONC (termination of grants programs)
• Post-ARRA HIT deployment
• HIPAA regulations
• Cybersecurity
• Biodefense
• Payment audits
• Security audits
• Business Continuity
• Patient and Family Engagement
• Patient matching
• Mobile
• Telehealth
• BYOD
Complexity of the Current Environment
• All other federal and state regulatory requirements, e.g. SGR, quality reporting
• All other internal HIT initiatives
• Post-implementation optimization
• Safety
• Big (eclectic) Data
• Data (value) Analytics
• Talent shortage
• Focus
• Changing roles
• Genomics
• Proteomics
• Precision Medicine
• Nanotechnologies
• Health literacy
• Global competition
• Climate
• Global financial health
• The Value Proposition
• Accelerating speed of change in
  – Information Technologies
  – The healthcare environment
Complexity + Pace of Change
Opportunity
http://www.signingsavvy.com/sign/OPPORTUNITY/1977/1
Success = People + Process + Technology
Think Holistically
Success = People × Process × Technology
Think Holistically
Vulnerabilities Exist
Our Shared Challenge: Re-establishing Trust
Definition of Vulnerabilities
• Conditions that might unfavorably impact
  – Development
  – Deployment
  – Nominal operations
  – Products
  – Services
• Vulnerabilities can be
  – Intentional
  – Unintentional
  – Known
  – Unknown
• Elements of products and services that could be affected
  – Security
  – Confidentiality
  – Privacy
  – Integrity
  – Authority
  – Trust
  – Usability
  – Availability
Proposal: Create a Code of Conduct
Why Should Principles Be Adopted?
• It's the right thing to do.
• Adherence to principles can raise the community standard of care.
• An expected set of behaviors can be inferred or defined explicitly.
• Information gathered should lead to better production, deployment, and usage of HIT products and services.
Guiding Principle
My/Our fundamental objective is to maintain and increase the safety of the healthcare continuum in which we provide health information technology (HIT) products and services for the human health experience. As a developer of software and/or a provider of software and services used by Healthcare Providers and Consumers, I/we are committed to the following principles.
General Principle
In an effort to deliver safe, defect-free products and services, I/we will employ vulnerability management and reporting practices based on the following principles during the development, deployment, and use of those products and services.
Patient safety is paramount.
Community Responsibility
I/We will aspire to make every participant in the delivery of HIT products and services aware of their individual responsibility to monitor and report on events that may adversely affect safety as they occur, for the sake of every member of the community.
As a developer and/or provider of services, I/we must educate our employees and our clients about how to communicate a vulnerability.
As a developer and/or provider of services, I/we recognize that safety can be improved and promoted by communicating vulnerabilities during all phases of HIT, including but not limited to development, testing, deployment, and post-implementation.
As a developer and/or provider of services, I/we recognize that whatever product or service I/we provide is one component of the care continuum, and I/we will think about the impact that our products and services have on others, as well as the impact others may have on us.
Blame-free Culture
I/we will treat the discovery of vulnerabilities as an opportunity for improvement. I/we will address the contributing factors in a constructive manner.
From the National Patient Safety Foundation
Sense of Urgency
As a provider of products and services, I/we have a responsibility to manage the vulnerabilities as quickly as they can be validated after they are discovered. Once discovered, I/we will communicate in clear and concise terms the potential impacts of the vulnerability, and when practical, provide solutions.
Audience Participation
Role of the Government
• Create a voluntary framework that can and will be adopted by all healthcare sector participants. In the event that private sector participation is weak, a regulatory mandate(s) for participation should be considered. The effectiveness of the activities in the healthcare sector should be judged by an independent body of experts and reported to [governmental oversight body].
• Provide legal protection to ensure that all parties are encouraged to report vulnerabilities as they are identified.
Other Questions
• Should a vulnerability management maturity model be developed?
• Should the principles evolve with the industry?
• Does one size fit all? How does size, complexity, or usage impact the principles?
• How do we deal with existing quality and safety reporting processes and organizations not necessarily focused on HIT?
• How does this impact, or how is it impacted by, Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing (EO 9913691)?
• How does this relate to the National Health Information Sharing & Analysis Center (NH-ISAC)?
External Intelligence: Brand & Supply Chain Monitoring
Nicholas Albright, Vice President, Security, Anomali
Agenda
• Overview
• Supply Chain Monitoring
• External Threat Intelligence
  • Suspicious Domains
  • Network Cleanliness
  • Social Media and Dark Web
  • Credential Exposures
• Operationalizing
• Wrap up
Overview
• External Intelligence based Breach Analytics, i.e. using intelligence about events that may not be observable on your network to detect breaches or other security events
• We apply this beyond your borders to your supply chain
• Types of threat intelligence covered include:
  • Suspicious Domains
  • Network Cleanliness
  • Social Media and Dark Web
  • Credential Exposures
Defining Your Supply Chain
• Any vendor, partner, or customer that your organization relies on or trusts, implicitly or explicitly
• Supply chain members are a dependency in your vulnerability graph
• Breaches within your supply chain may impact your organization
• Supply chain examples:
  • Contractors or vendors
  • Software, third-party libraries, remote access tools (VPN)
  • Environmental control
  • Power, utilities, and telecomms
  • Computing, hosting, and ISPs
  • SaaS services
On Premises Controls
• On premises controls will only work for supply chain events within your network
  • Code/library reviews
  • Network flow and account access reviews
  • Internal pivoting
  • Threat feeds (your organization on blocklists, bad guys accessing your org)
• They cannot detect events occurring outside your network
Zero Premises Controls
• How can you use your threat intelligence solution to identify supply chain threats?
• Zero premises controls will extend your capabilities deep within your suppliers' infrastructure!
  • Public credential exposures (yourself, partners, suppliers)
  • Threat feeds (external organizations on blocklists)
  • Shodan/Censys reviews
  • Suspicious domain registrations (yourself, partners, suppliers)
  • Social media / dark web monitoring
Supply Chain Threat Intelligence
• Document and research
• Supply chain company's security posture?
  • Network cleanliness? Web footprint? (Services/capabilities)
• Supply chain company compromised?
  • How recent? Repeated? May put you at risk
• Supply chain company's brand used to phish you?
  • Pay special attention to service desk services!
• Supply chain company being targeted?
  • Examples may not be so obvious
  • DNS registrars hold the keys
External Threat Intelligence
Suspicious Domain Name Monitoring
• Adversaries register domains mimicking the target's brand
• Techniques:
  • Transforms: typosquat, homoglyph, character omission/insertion/swap, etc.
  • Deceptive domains: vpn-mycompany.com, portal-mycompany.com
• Used to phish you or as C2 domains
• Very effective social engineering tactic
• Inventory items: internal and external domain names, brand names
• Data sources: new domain registrations, passive DNS, VirusTotal Hunting, URLCrazy
• Operations: SIEM integration, email alerts, IDS signatures, DNS RPZ
Suspicious Domain Examples
Don't Forget About Dynamic DNS
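The Suspicious Domain Name Monitoring and Dynamic DNS slides describe the transforms to watch for (typosquat, homoglyph, character omission, deceptive prefix/suffix, brand used as a hostname under someone else's zone). The detector below is an added example, not Anomali's code or any tool named on the slides; the brand inventory, the HOMOGLYPHS table and the sample feed are constructed, and public-suffix handling is simplified to a single TLD label.

```python
import re

# Constructed inventory (not from the slides): brands and registered domains to watch,
# for the organisation itself and its critical supply-chain partners.
INVENTORY_BRANDS = ["mycompany", "threatstream"]
INVENTORY_DOMAINS = {"mycompany.com", "threatstream.com"}

# Constructed look-alike substitutions to fold back before comparing labels.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s"}


def edit_distance(a, b):
    """Levenshtein distance: omission, insertion and substitution each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(label):
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def classify(fqdn):
    """Return (verdict, brand) for one observed name. Assumes a single-label public
    suffix such as .com or .net, so the registrable label is the second-last one."""
    labels = fqdn.lower().strip(".").split(".")
    if ".".join(labels) in INVENTORY_DOMAINS:
        return ("own", None)
    label = labels[-2] if len(labels) > 1 else labels[0]
    for brand in INVENTORY_BRANDS:
        if brand in labels[:-2]:             # brand as a hostname under a dynamic-DNS zone
            return ("dynamic-dns", brand)
        if label == brand:                   # same brand registered under another TLD
            return ("tld-variant", brand)
        if re.fullmatch(rf"[a-z0-9]*-?{brand}-?[a-z0-9]*", label):  # vpn-brand, brand-portal
            return ("deceptive", brand)
        if fold_homoglyphs(label) == brand:  # rnycompany -> mycompany
            return ("homoglyph", brand)
        if edit_distance(label, brand) <= 2: # omission, insertion, swap
            return ("typosquat", brand)
    return ("unrelated", None)


def scan(feed):
    """Run a feed of newly seen names through classify() and keep only the alerts."""
    return [(d, *classify(d)) for d in feed if classify(d)[0] not in ("own", "unrelated")]


# Constructed sample of newly registered / passive-DNS names (not real observations).
SAMPLE_FEED = ["mycompany.com", "mycompamy.com", "rnycompany.com", "mycompny.com",
               "vpn-mycompany.com", "threatstream.gnway.net", "example.org"]

if __name__ == "__main__":
    for domain, verdict, brand in scan(SAMPLE_FEED):
        print(f"ALERT {verdict:<12} {domain} (mimics {brand})")
```

Each alert is a candidate for the operations listed on the slide (SIEM event, email alert, IDS signature or DNS RPZ entry), after an analyst confirms it is not a legitimate partner domain.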
Case Study: Suspicious Domain Registration
• Abuse isn't always about network compromises
• Major US-based cable and telecommunications company
• Fraudulent procurement attempt
• Email sent from ${user}@${company}-us.com, but with the correct letterhead and markings
• Discovered by SIEM scanning incoming email logs, which flagged the messages as suspicious
• Security team prevented the fraudulent transaction; fraud team seized the domain
Network Cleanliness Monitoring
• Systems from your IP space or your supply chain's showing up as…
  • Bot IPs
  • Scanning IPs
  • Brute force IPs
  • Spam IPs
• Your web server hosting malicious content?
• Vulnerable or unexpected services running and discoverable?
• Inventory items: IP address space of organization and key executives (if possible)
• Data sources: threat intelligence feeds, honeypot events, botnet sinkhole, port scan / web crawl data
• Operations: SIEM integration, email notifications, passive audits of port scan / web crawl data
Case Study: Network Cleanliness
• Large hi-tech firm evaluating an IT staffing company for outsourcing some development and IT services
• IT staffing company would need VPN access and access to our internal IT resources
• Passive vendor audit performed using threat intelligence data and a public port scan repository
• Upon inspection, the IT staffing company had very poor network hygiene
  • tens of IPs regularly checked into malware sinkholes
  • tens of IPs regularly scanned honeypot sensors
  • thousands of compromised credentials
• IT staffing company deemed too risky
Social Network and Dark Web Monitoring
• Inventory items: brand names, key executive names
• Data sources: social media feeds, crawling the dark web, analysts monitoring the dark web, Google Dorks
• Operations: SIEM integration, email notifications
Credential exposure: posting from the Hell dark web forum
Case Study: Social Media / Dark Web Monitoring
• Brand monitoring for a major US-based retailer
• Discovered a custom-built attack tool designed for the sole purpose of brute forcing a specific part of the retailer's web application
• Provided the sample and a report about what it did, how it worked and who built it to the retailer
Credential Exposure Monitoring
• Inventory items: email domains, email addresses of key executives
• Data sources: paste sites, Google Dorks, dark web
• Operations: SIEM integration / orchestration system (notify users, reset passwords), email alerts
Case Study: Credential Exposures
• Brand monitoring for a major food and beverage company
• Discovered a leaked credential exposure from an internal IT wiki page that was accidentally exposed
• Company alerted and changed all passwords within 24 hours
• No evidence that these credentials were abused in that time
Operationalizing
Build an Inventory
• Create an inventory
  • Yourself
  • Critical supply chain partners
• The adversaries do this, you should too
  • Email domain names
  • Internal and external domain names
  • Personal email addresses of key executives
  • Company's IP address space
  • IP address space of key executives' home networks
  • Brand names
  • Names of key executives
Data Sources and Integration Points

Suspicious Domains
• Data sources: new domain registration data (Whois); passive DNS; VirusTotal Hunting; repeated reviews of DynDNS
• Integration points: SIEM integrations; email-based alerting

Network Cleanliness
• Data sources: honeypots / C2 sinkholes; open source threat feeds; spammer feeds; commercial threat intelligence providers; port scan / web crawl data
• Integration points: search/alert on your IP network or your supply chain's network showing up on these lists; SIEM integrations; email-based alerting; periodic review of external internet-facing assets

Social Media and Dark Web
• Data sources: dark web / deep web forums; social media sites; Google Dorks
• Integration points: search/alert on your brand or your supply chains'; SIEM integrations

Compromised Credentials
• Data sources: paste sites; dark web / deep web monitoring; Google Dorks; commercial threat intelligence providers
• Integration points: search/alert on your email domains or those of your supply chain; notify users; reset passwords as needed
Summary
• Organizations must watch more than themselves and their industry vertical
• High-tech suppliers such as web and domain services, firewall and desktop application vendors are increasingly targeted
• Chatter on social media and dark web forums can provide early warning
• Compromised credentials may be used by third-party contractors on your network
• Passive vendor audits should be part of your procurement process
Nicholas Albright | VP of Security, Anomali
2317 Broadway, 3rd Floor, Redwood City, CA 94063
Phone: 1-844-THREATS
https://Anomali.com