Utilizing the Critical Security Controls to Secure Healthcare Technology

1,678 views

Published on

The development of the Critical Security Controls is transforming the way companies measure and monitor the success of their security programs while drastically reducing the cost of security. Fifteen of the twenty controls can be automated, some at limited cost to the organization, and the data is readily available to be presented in conference rooms and board rooms. Upon implementing, hospitals will have the ability to measure compliance, track progress, and know when they’ve reached certain goals.

They were developed and agreed upon by a consortium including NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center as well as the top commercial forensics experts and pen testers serving the banking and critical infrastructure communities. Since the US State Department implemented these controls they have demonstrated “more than 80% reduction in ‘measured’ security risk through the rigorous automation and measurement of the Top 20 Controls.”

Published in: Technology, News & Politics
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,678
On SlideShare
0
From Embeds
0
Number of Embeds
307
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • Utilizing the Critical Security Controls to Secure Healthcare Technology The development of the Critical Security Controls is transforming the way companies measure and monitor the success of their security programs while drastically reducing the cost of security. Fifteen of the twenty controls can be automated, some at limited cost to the organization, and the data is readily available to be presented in conference rooms and board rooms. Upon implementing, hospitals will have the ability to measure compliance, track progress, and know when they’ve reached certain goals. They were developed and agreed upon by a consortium including NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center as well as the top commercial forensics experts and pen testers serving the banking and critical infrastructure communities. Since the US State Department implemented these controls they have demonstrated “more than 80% reduction in ‘measured’ security risk through the rigorous automation and measurement of the Top 20 Controls.” (from the SANS website - http://www.sans.org/critical-security-controls/)
  • Utilizing the Critical Security Controls to Secure Healthcare Technology

    1. 1. Utilizing the Critical Security Controls to Secure Healthcare Technology James Tarala, Enclave Security
    2. 2. Healthcare Security in the News Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security http://www.healthcareitnews.com/news/infographic-biggest-healthcare-data-breaches-2012
    3. 3. Healthcare Security in the News Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    4. 4. FBI Annual Cyber Crime Complaints Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    5. 5. More Examples from the News • PrivacyRights.org (updated weekly) • Here are some that are reported (most are not) • Just a small sample (organization/records breached): – Public Broadcasting Service (69,000) – RxAmerica and Accendo Insurance (175,000) – Sega (1.29 Million) – S. California Medical-Legal Consultants (300,000) – Citibank (360,000) – Sony Pictures (1 Million) – Sony Playstation Network (101.6 Million) Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    6. 6. Specific Healthcare Challenges • Highly mobile & temporary workforce members • Demands from physicians & other VIPs • Patient demands for the latest technology • Vendor applications & data security • Strategic partnerships & data security • Confusing / conflicting / vague security standards • Limited resources for security implementations Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    7. 7. The Current State of Affairs • Clearly the bad guys seem to be winning the cybersecurity fight • While there are bright spots, they are few and far between • We seem to be getting better at detecting and responding to the threat • We need to be better at preventing the attacks from occurring in the first place Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    8. 8. But what do we do? Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    9. 9. Information Assurance Frameworks • There are a number of industry groups also trying to address the issues • Numerous frameworks have been established, such as: – CoBIT – IT Assurance Framework (ITAF) – ISO 27000 Series – IT Baseline Protection Manual – Consensus Audit Guidelines / Critical Security Controls – Many, many others Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    10. 10. Industry Security Regulations • Presently there are a number of government information security standards available • But, there are too many to choose from: – Individual Corporate / Agency Standards – NIST 800-53 / 800-53 A – FISMA / DIACAP – HIPAA / SOX / GLBA – PCI / NERC / CIP – 20 Critical Controls / Consensus Audit Guidelines Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    11. 11. Council on CyberSecurity • Official home of the Critical Security Controls • CEO is Jane Lute, former Deputy Secretary of DHS • Not for Profit group responsible for managing the Critical Security Controls (CSCs) • Director of the CSCs is Tony Sager • Mission is: “The Council on CyberSecurity is an independent, global organization committed to an open and secure Internet.” Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    12. 12. Document Contributors (1) • Blue team members inside the Department of Defense • Blue team members who provide services for non-DoD government agencies • Red & blue teams at the US National Security Agency • US-CERT and other non-military incident response teams • DoD Cyber Crime Center (DC3) • Military investigators who fight cyber crime • The FBI and other police organizations • US Department of Energy laboratories Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    13. 13. Document Contributors (2) • US Department of State • Army Research Laboratory • US Department of Homeland Security • DoD and private forensics experts • Red team members in DoD • The SANS Institute • Civilian penetration testers • Federal CIOs and CISOs • Plus over 100 other collaborators Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    14. 14. Project Guiding Principles • Defenses should focus on addressing the attack activities occurring today, • Enterprise must ensure consistent controls across to effectively negate attacks • Defenses should be automated where possible • Specific technical activities should be undertaken to produce a more consistent defense • Root cause problems must be fixed in order to ensure the prevention or timely detection of attacks • Metrics should be established that facilitate common ground for measuring the effectiveness of security measures Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    15. 15. Cyber Intrusion Kill Chain Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    16. 16. Critical Security Controls vs Intrusion Kill Chain Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security Critical Security Control Reconnaissance Weaponization Delivery Exploitation Installation Command&Control ActionsonObjectives CSC #1: Inventory of Authorized and Unauthorized Devices X X X X X X CSC #2: Inventory of Authorized and Unauthorized Software X X X CSC #3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers X X X CSC #4: Continuous Vulnerability Assessment and Remediation X X X
    17. 17. Technical Defensive Tools • Security Content Automation Protocol (SCAP) compliant vulnerability management solution • File integrity assessment monitoring and response system • Software whitelisting solution Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    18. 18. 2013 Java Data Breaches Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    19. 19. 2013 Java Attacks & Intrusion Kill Chain 1. The attacker discovered a weakness in software commonly utilized by the victim (reconnaissance) 2. The attacker wrote attack code to exploit the discovered software weakness (weaponization) 3. The attacker posted the attack code on a “watering hole” website that would be trusted by the victim (delivery) 4. The victim was lured into visiting the “watering hole” website hosting the attack code (exploitation) Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    20. 20. 2013 Java Attacks & Intrusion Kill Chain 5. The victim downloaded and executed the malicious code (installation) 6. The malicious code compromised the victim’s computer and connected to the attacker’s command and control servers to allow the attacker access (command and control) 7. The attacker performed his or her desired objectives on the victim’s computers (actions on objectives) Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    21. 21. 2013 Java Attacks - Defenses • Critical Control #1: Inventory of Authorized and Unauthorized Devices • Critical Control #2: Inventory of Authorized and Unauthorized Software • Critical Control #3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers • Critical Control #4:Continuous Vulnerability Assessment and Remediation Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    22. 22. Business Dashboards Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security http://www.ncircle.com/index.php?s=solution_reporting
    23. 23. Potential Business Metrics • How many unauthorized / unknown computers are currently connected to the organization’s network? • How many unauthorized software packages are running on the organization’s computers? • What percentage of the organization’s computers are running software whitelisting defenses which blocks unauthorized software programs from running? • What is percentage of the organization’s computers that have been configured (operating system and applications) according to the organization’s documented standards? • What is the comprehensive Common Vulnerability Scoring System (CVSS) vulnerability rating for each of the organization’s systems? Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    24. 24. Actionable Next Steps 1. Business leaders should define their strategy for how to defend against cyber attacks (document a charter). 2. Deploy technical tools to implement defensive goals. 3. Gather metrics on a continuous basis to measure the organization’s progress. 4. Engage business leaders to act based on the metrics that are gathered. Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
    25. 25. Further Questions • James Tarala – E-mail: james.tarala@enclavesecurity.com – Twitter: @isaudit – Website: http://www.auditscripts.com • Resources for further study: – SANS SEC 440/566: Implementing & Auditing the Critical Security Controls – The Council on CyberSecurity (http://www.counciloncybersecurity.org/) Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

    ×