HIGH LEVEL COMPARATIVE ANALYSIS
-HGA AND KNC HEALTH CARE-
HARIPRIYA VENKATACHALAPATHY
for Security Risk Management and Assessment- IA 5200
December 10, 2018
INTRODUCTION
HYPOTHETICAL GOVERNMENT AGENCY (HGA)
Payroll processing | 1,000 employees | USA
KNC HEALTH CARE
Healthcare | 360 employees | Florida, USA
HGA NETWORK TOPOLOGY
KNC HEALTH CARE NETWORK TOPOLOGY
CRITICAL ASSETS FOR HGA (Critical Assets in $)
Financial Resources       $8,000,000   49%
Personnel Information     $5,000,000   30%
Contract Documents        $2,000,000   12%
Business Documents        $1,500,000    9%
Total                    $16,500,000

CRITICAL ASSETS FOR KNC HEALTH CARE (Critical Assets in $)
Medical Equipment             $10,000,000   42%
Protected Health Information   $8,000,000   33%
Financial Resources            $5,000,000   21%
Contract Documents             $1,000,000    4%
Total                         $24,000,000
THREAT AGENTS
State-sponsored threat agents, terrorists, cyber criminals, disgruntled employees, natural disasters, hackers, competitors.

VULNERABILITIES
HGA:
• Unauthorized access
• Inadequate virus prevention
• Accidental corruption and loss of data
• Network-related attacks
KNC Health Care:
• Unauthorized access
• Exposure to phishing attacks
• Misconfigured access points
• SQL injection
• Unsecured log files

EXPLOITATION PROBABILITIES (Exploitation Probability in %)
HGA: 15%
KNC Health Care: 10%
ATTACK TREES
• Understand the attacker's goals.
• Identify the different attack methods that reach each goal.
• Help to budget: they show which attack path a control must make more expensive.
• The root node is the goal.
• The leaf nodes are the attacks; each leaf is a different attack method.
HGA
Goal: Disclose financial resources information
  Modify payroll data
    Erroneous modification
      Erroneous processing of payroll data
      Improper review of data before commit
      System error
    Malicious intent
      Disgruntled employee
      Malicious attacker
  Network attacks
    Denial of Service
      Service interruption
    Sniffing
      Eavesdropping
      Man-in-the-middle attacks
    Unauthorized access

KNC HEALTH CARE
Goal: Leak sensitive data
  Unauthorized access
    Unauthorized device usage
      Staff PDAs
      Guest wireless devices
    Using misconfigured access points
      Set up rogue access points
      Data sniffing
  Phishing attacks
    Spear phishing
    Whaling
    Business email compromise
    Clone phishing
  Compromise legacy systems
  Network based attacks
    Denial of Service
    Eavesdropping
    Data sniffing
    Man-in-the-middle
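The "helps to budget" claim above, worked through as an added Python example that is not part of the original deck. It evaluates the KNC Health Care tree just listed: OR nodes take the cheapest child, AND nodes sum their children, and a control is modelled by raising the attacker's cost of a leaf. The per-attack dollar costs and the AND gate on the rogue-access-point branch are assumptions made for this example; the deck supplies only the node labels. Re-running the evaluation after a control is applied shows whether that budget line actually moves the attacker's cheapest path or merely shifts the attacker to the next option.

```python
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    """One node of an attack tree.

    The root is the attacker's goal. Interior nodes are sub-goals whose children
    are combined with an OR gate (any one child achieves the parent) or an AND
    gate (every child is required). Leaves are concrete attack steps and carry
    the attacker's estimated cost in dollars.
    """
    name: str
    gate: str = "OR"                        # "OR" or "AND"; ignored on leaves
    cost: Optional[float] = None            # leaves only
    children: List["Node"] = field(default_factory=list)

    def is_leaf(self) -> bool:
        return not self.children


def leaf(name: str, cost: float) -> Node:
    return Node(name, cost=cost)


def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Cheapest way to achieve `node`: OR picks the cheapest child, AND sums them.

    Returns (attacker cost, leaf attacks on that path). Ties resolve to the
    first child listed, so the returned path is deterministic.
    """
    if node.is_leaf():
        if node.cost is None:
            raise ValueError(f"leaf {node.name!r} has no cost estimate")
        return node.cost, [node.name]
    results = [cheapest_attack(child) for child in node.children]
    if node.gate == "AND":
        return (sum(cost for cost, _ in results),
                [step for _, steps in results for step in steps])
    if node.gate != "OR":
        raise ValueError(f"unknown gate {node.gate!r} on {node.name!r}")
    return min(results, key=lambda result: result[0])


def with_controls(root: Node, added_cost: Dict[str, float]) -> Node:
    """Copy the tree, raising the attacker's cost of each named leaf.

    `added_cost` maps leaf name -> dollars a control adds to that attack. A leaf
    name that appears on several branches (e.g. "Data sniffing") is raised
    everywhere, since the same control blocks the same technique.
    """
    new_root = copy.deepcopy(root)
    matched = set()

    def walk(node: Node) -> None:
        if node.is_leaf():
            if node.name in added_cost:
                node.cost += added_cost[node.name]
                matched.add(node.name)
        else:
            for child in node.children:
                walk(child)

    walk(new_root)
    missing = set(added_cost) - matched
    if missing:
        raise KeyError(f"no such leaf attack(s): {sorted(missing)}")
    return new_root


# KNC Health Care tree as drawn in the deck. The dollar costs are constructed
# for this example; the deck gives no per-attack cost estimates.
KNC_TREE = Node("Leak sensitive data", "OR", children=[
    Node("Unauthorized access", "OR", children=[
        Node("Unauthorized device usage", "OR", children=[
            leaf("Staff PDAs", 2_000),
            leaf("Guest wireless devices", 500),
        ]),
        # Modelled as AND (an assumption): a rogue access point only leaks
        # data once traffic is actually sniffed through it.
        Node("Using misconfigured access points", "AND", children=[
            leaf("Set up rogue access points", 1_500),
            leaf("Data sniffing", 800),
        ]),
    ]),
    Node("Phishing attacks", "OR", children=[
        leaf("Spear phishing", 1_000),
        leaf("Whaling", 3_000),
        leaf("Business email compromise", 5_000),
        leaf("Clone phishing", 1_200),
    ]),
    leaf("Compromise legacy systems", 4_000),
    Node("Network based attacks", "OR", children=[
        leaf("Denial of Service", 2_500),
        leaf("Eavesdropping", 1_800),
        leaf("Data sniffing", 1_800),
        leaf("Man-in-the-middle", 2_200),
    ]),
])


if __name__ == "__main__":
    print("baseline:", cheapest_attack(KNC_TREE))
    # Isolating the guest network raises the cost of the guest-device path;
    # the cheapest path then moves to phishing, which is where SETA spend goes.
    hardened = with_controls(KNC_TREE, {"Guest wireless devices": 5_000})
    print("guest network isolated:", cheapest_attack(hardened))
```

With the constructed costs the cheapest path is a guest wireless device; isolating the guest network moves it to spear phishing, and only once the phishing leaves are also made expensive does the attacker fall back to network eavesdropping. That ordering is the budgeting argument of the slide: spend first on the control that raises the current cheapest path.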
ATTACK AND VULNERABILITY RISKS (Asset and Vulnerability Risks in $)
                   Asset Risk    Vulnerability Risk
HGA                $5,161,286    $5,322,290
KNC Health Care    $7,545,000    $11,990,000
SECURITY BUDGET
HGA (Total Budget- Approx. $4,000,000; line items sum to $3,963,500)
Administrative- $50,000
OTPs & Digital Signatures- $75,000
SETA- $1,000,000 (25%)
MOU- $500,000
PC Protection- $50,000
Life Cycle Planning- $25,000
Incident Response- $1,000,000 (25%)
Audit Trail- $750,000 (19%)
VPN and DMZ- $13,500
Overall Operational Costs- $500,000

KNC HEALTH CARE (Total Budget- Approx. $8,000,000; line items below sum to $8,400,000)
Administrative- $500,000
Technical Controls- $1,150,000 (14%)
SETA- $1,500,000 (19%)
Legacy Systems Protection- $2,000,000 (25%)
Incident Response- $1,000,000
Audit Trail- $1,000,000
Lifecycle Management- $750,000
Overall Operational Costs- $500,000
SECURITY BUDGET ANALYSIS
Security Budget Per Category
                          HGA        KNC Health Care
Per $ Revenue             0.07927    0.05333
Per $ Critical Assets     0.24021    0.33333

Value in $                HGA            KNC Health Care
Security Budget           $3,963,500     $8,000,000
Revenue                   $50,000,000    $150,000,000
Cost of Critical Assets   $16,500,000    $24,000,000

Security Budget per Employee
• HGA- $3,963.50
• KNC Health Care- $22,222

Benefit Analysis
Security Risk Improvement (expected benefit)
• HGA- $91,363,714
• KNC Health Care- $12,500,000
ROI (benefit divided by security budget)
• HGA- 23 (approx.)
• KNC Health Care- 1.56
Cost Benefit Ratio (security budget divided by benefit)
• HGA- 0.043
• KNC Health Care- 0.64
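The ratios on this slide, worked through as an added Python example rather than code from the deck. The figures are the deck's own; the function names, and the split of ROI into gross (benefit divided by budget, which is what reproduces the deck's 23 and 1.56) and net (benefit minus budget, divided by budget), are this example's. Keeping both conventions explicit avoids the usual confusion when a risk-management ROI figure is compared with a finance-department one.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Org:
    name: str
    security_budget: float
    revenue: float
    critical_assets: float
    employees: int
    risk_improvement: float   # expected benefit: $ of risk removed by the controls


def budget_metrics(org: Org) -> Dict[str, float]:
    """Ratios behind the budget-analysis slide, with both ROI conventions.

    The deck's "ROI" is benefit divided by budget (gross); conventional net ROI
    subtracts the budget first. Both are returned so a figure such as "23" can
    be traced to the formula that produced it.
    """
    budget = org.security_budget
    if budget <= 0:
        raise ValueError("security budget must be positive")
    return {
        "per_dollar_revenue": budget / org.revenue,
        "per_dollar_critical_assets": budget / org.critical_assets,
        "per_employee": budget / org.employees,
        "cost_benefit_ratio": budget / org.risk_improvement,   # < 1: benefit exceeds cost
        "gross_roi": org.risk_improvement / budget,            # the deck's "ROI"
        "net_roi": (org.risk_improvement - budget) / budget,
    }


def ratio(a: Org, b: Org, metric: str) -> float:
    """How many times larger `a` is than `b` on one metric (e.g. spend per employee)."""
    return budget_metrics(a)[metric] / budget_metrics(b)[metric]


# Figures as stated in the deck.
HGA = Org("HGA", 3_963_500, 50_000_000, 16_500_000, 1_000, 91_363_714)
KNC = Org("KNC Health Care", 8_000_000, 150_000_000, 24_000_000, 360, 12_500_000)


if __name__ == "__main__":
    for org in (HGA, KNC):
        print(org.name)
        for key, value in budget_metrics(org).items():
            print(f"  {key:28s} {value:14,.4f}")
    print(f"KNC spend per employee is {ratio(KNC, HGA, 'per_employee'):.1f}x HGA's")
```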
CYBERSECURITY WORKFORCE RECOMMENDATIONS FOR HGA
• Extend job role tasks:
  • Verify encryption.
  • Virus scanning programs.
  • Customer service and a dedicated help desk.
  • Documentation.
• New security assessor:
  • Oversee procedures.
• New audit compliance regulator:
  • Periodic review.

CYBERSECURITY WORKFORCE RECOMMENDATIONS FOR KNC HEALTH CARE
• Extend job role tasks:
  • DBA and team.
  • Third-party software testing.
• New SETA:
  • For all employees.
• Consider a visitor management program and its responsibilities:
  • Possibly new roles.
SUMMARY
• HGA:
  • Budget is 4% of the expected benefit.
  • More focus needed on data integrity, lifecycle management and the audit trail mechanism.
• KNC Health Care:
  • More valuable critical assets.
  • Spends more, in total and per employee.
  • Less favourable cost benefit ratio than HGA (0.64 against 0.043).
THANK YOU

Editor's Notes

  1. High-level comparative analysis of the HGA and KNC Health Care networks, taking into account the difference in industries and the nature of the work done.
  2. HGA mission: transfer US government funds to individuals as paychecks. KNC Health Care mission: provide healthcare to patients in the area of Florida, USA. Note the difference in organization size in terms of employees.
  3. Image source: An Introduction to Computer Security: The NIST Handbook, Barbara Guttman and Edward A. Roback. Network topology of HGA: a mix of components owned and operated by HGA and by other organizations. System architecture:
   • PCs for all or most personnel, connected to a LAN.
   • LAN server.
   • Printer pool.
   • Router to connect to the internet for communication with outside agencies.
   • Modem pool, enabled to allow only e-mail.
   • Special console restricted ONLY to administrators.
   • WAN to connect to other agencies, owned and operated by a third-party telecommunications company under government contract.
   • Mainframes, controlled by a federal agency that acts as service provider to HGA under an MOU.
   Important: modem pool, console, WAN.
  4. KNC Health Care network topology: generated using Visio, with input from KNC Health Care. Main areas to identify:
   • Outside access.
   • Database holding sensitive data.
   • Wireless devices: staff tablets and other PDAs.
   • Medical equipment: mostly legacy systems, including diagnostic and surgical equipment. All controls are based on securing these.
   Controls in place: at network level, NIDS, VPN and a secure VLAN for administrators; database security through DB roles and groups, with no explicit application security controls; wireless security through a wireless router inside the internal network with MAC address whitelisting.
  5. Different critical assets for the two organizations; total cost and top assets listed for both.
   HGA: Financial Resources- $8,000,000; Personnel Information- $5,000,000; Contract Documents- $2,000,000; Business Documents- $1,500,000.
   KNC Health Care: Medical Equipment- $10,000,000; Protected Health Information- $8,000,000; Financial Resources- $5,000,000; Contract Documents- $1,000,000.
  6. Extensive but not all-inclusive list of threat agents for HGA and KNC Health Care. Vulnerabilities vary between the two:
   HGA: unauthorized access; virus prevention; accidental corruption and loss of data; vulnerabilities related to network-based attacks.
   KNC Health Care: unauthorized access; exposure to phishing attacks; misconfigured access points; SQL injection; unsecured log files.
   Considering all the critical assets, the various threats and agents, and the vulnerabilities present in each system, exploitation probabilities are estimated: HGA 15%, KNC Health Care 10%. Even though KNC HC has more expensive assets and faces a greater loss, its exposure to external networks is limited (access only through the VPN, with no other connections), so its exploitation probability is lower than HGA's.
  7. Attack trees: find the various attack goals, think from the attacker's perspective, and detail all possible attack methods. The root is the goal; the leaves are the individual attack methods. Attack trees are listed for both HGA and KNC HC. HGA: focus on network-based methods. KNC: phishing and network-based methods, because of the high proportion of non-technical staff, who are not aware of security concerns and can be easily fooled.
  8. KNC faces a greater loss in both the asset and the vulnerability risk calculations, due to the presence of legacy systems that are difficult to update and patch.
  9. Budget calculations. HGA: the total budget to cover the new CISO controls, implement the missing MOT controls, replace the modem pool with a VPN and zone the HGA's network to account for a DMZ is approximately $4m. Security training and awareness, incident response planning and implementing audit trail mechanisms take up about 70% of the total budget, which shows how important these controls are to the HGA and that their implementation is essential for a holistic risk management plan. Breakdown of the cost to implement the VPN and DMZ:
   • VPN server- $500
   • Dedicated server to implement the DMZ- $3,000
   • Overall implementation cost within HGA- $10,000
   • Total- $13,500
   KNC Health Care: focus on new technical controls for legacy systems, SETA for ALL employees, and protection of legacy systems. Total budget is approximately $8m.
  10. KNC spends more on security to cover controls for its more expensive vulnerabilities and systems: about 9 cents more per dollar of critical assets than HGA (0.333 against 0.240) and roughly 5.6 times as much per employee ($22,222 against $3,963.50). It sees a far lower return: benefit per dollar spent is about 15 times lower (1.56 against 23), and its cost benefit ratio is 0.64 against HGA's 0.043. Put another way, HGA's budget is 4% of its expected benefit (96% net benefit), while KNC's is 64% (36% net benefit).
  11. New recommendations for both: important new roles, or extended existing job roles.
  12. Cybersecurity Workforce Recommendations.
  Hypothetical Government Agency (HGA):
   • Extend job role responsibilities to include full encryption of all communication channels, internal and external: every channel serving as a point of interaction within the HGA, between its departments, and between the HGA and the interconnected agencies must be encrypted with sufficiently strong modes of encryption to prevent password sniffing and other attacks based on monitoring plaintext traffic.
   • Appoint a separate security assessor to oversee security procedures and controls for portable systems: a separate action plan has to be drawn up for the security controls needed for portable systems, in addition to the systems at the HGA. These procedures must produce a preemptive security plan covering:
    • How mobile devices must be sanitized or encrypted before being used with HGA systems.
    • Data transfer between portable systems and HGA systems.
    • Quarantine upon possible security incidents.
    • Disposal of HGA-related data present on these devices.
   • Add virus scanning, and the implementation and oversight of virus detection and removal programs, to the roles of the network specialists: the departments under the HGA should direct all administrators responsible for system security within their departments to install an automated virus scanning, detection and removal program that operates solely under the administrator's control and cannot be overridden or modified by end users.
   • Reinforce customer service roles to staff and manage a dedicated help desk: the HGA should have a separate help desk that helps users troubleshoot day-to-day errors, and a dedicated incident management team that monitors and reviews incidents submitted by users through an incident-reporting interface. This incident management team will respond first to any security breach.
   • Make software developers also responsible for creating and maintaining end-user documents and user manuals: every user should be supplied with a proper user manual following extensive training, to clarify the hardware and/or software controls later on. These manuals should be concise and clear and serve as the primary troubleshooting guide before users approach the help desk.
   • Hire an audit compliance regulator to conduct periodic review and accreditation: the HGA should periodically assess the controls and procedures in place to:
    • Re-evaluate the risk in light of new threats and vulnerabilities.
    • Fully integrate new systems into the HGA after a series of tests on those systems.
    • Keep the risk management plan current and effective.
    • Keep the risk management plan integrated between the HGA and the interconnected organizations.
    • Follow a holistic life cycle methodology to implement an effective risk management plan.
  KNC Health Care:
   • All database administrators and the employees on their teams implement the new policies in addition to their existing job roles and tasks:
    • Anonymize data wherever possible.
    • Encrypt all data in all states.
    • Ensure secure review of all data before it is entered into the database by streamlining data entry, followed by supervision by an appointed Database Supervisor (a new role).
   • Ensure secure software is developed by all third-party software developers by testing in any of the following ways:
    • Offsite testing at the developer's site before completing the implementation and deploying to the production environment.
    • Onsite supervised testing and review in the presence of the software development team and its members.
    • Onsite testing and review by the IT team at KNC Health Care.
   • Update the existing network security policies to include an end-to-end provision where data is protected in all of the following scenarios: data creation, transmission, processing, storage and deletion. Ensure this is implemented across all onsite databases and cloud database provisions. Include policies regarding:
    • Penalties for violations and non-compliance, such as denial of access and even termination.
    • Updates following breaches and/or incidents of non-compliance.
   • Implement a strong, universal security awareness and training program for ALL employees at KNC Health Care, not just those joining the IT and Networking department or team: all employees must undergo 2 weeks of training by authorized network and information security professionals. Following the training they must complete and pass an exam testing their information security understanding, scoring a minimum of 80% to complete the program successfully. This training must be repeated:
    • Once every 12 months.
    • When and if KNC Health Care system components are updated.
    • Following a security incident or breach.
   • Implement a visitor management program that goes beyond isolating guest networks and includes policies that cover physical and environmental controls as well.