Page 1:

Information Security Testing: How Do AMCs Ensure Your Networks are Secure

June 22, 2015

Ray Hillen, Dennis Schmidt, Adam Bennett

11th AMC Conference on Securely Connecting Communities for Improved Health


Page 2:

Session Objectives

Participants should gain:

• An understanding of what the vendor must do to adequately prepare for and perform a penetration test: what information is needed, what precautions should be taken, and how to do the test.

• Knowledge of what the AMC customer should expect: AMC concerns, precautions to identify and provide for in order to reach an agreement with the vendor, and the expected results and applicability of the test.

• Practical insight into the steps necessary to optimize the efficiency and effectiveness of the entire process.


Page 3:

Ray Hillen, Director, Security Consulting Practice, Agio

Technical Security Testing: What You Should Know & Ask About the Vendor’s Offering

Page 4:

Vulnerability Scan or Penetration Test?

• Vulnerability scan
  • Identifies vulnerable systems
  • Automated tools
  • Network and application layer
  • Short duration

Page 5:

A Good Penetration Test Should Evaluate the People, Processes, & Technologies That Safeguard e-PHI

• Penetration test
  • Identifies methods to exploit system vulnerabilities, workflows, and user awareness
  • Attempts to gain unauthorized access and/or privilege escalation
  • Automated tools and manual checks
  • Network & application layer
  • Social engineering
    • Phishing
    • USB drive baiting
    • Pretexting
  • Wireless security review
  • Physical security review

Page 6:

Assessor Organization’s Qualifications

• Past experience
  • Years of experience
  • Network layer
  • Application layer
  • Social engineering
  • Assessments similar in size/scope
• Industry experience
• Methodology

Page 7:

Security Assessor’s Qualifications

Certifications
• Global Information Assurance Certification (GIAC) certifications
  • GIAC Certified Penetration Tester (GPEN)
  • GIAC Web Application Penetration Tester (GWAPT)
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
• Certified Ethical Hacker (CEH)
• Offensive Security Certified Professional (OSCP)

Page 8:

Pre-Engagement

• Scoping
• Documentation
  • Network diagrams depicting all segments in scope
  • Key/critical systems
  • Data flows

Page 9:

Rules of Engagement

• Communication during the engagement, e.g., issues, questions, updates
• Define an appropriate time window for testing
• Identify legacy systems that may not respond well to automated tools and determine the best method for evaluating them
• Security devices: evaluate “as is,” “whitelist” the assessor’s addresses, or a hybrid of the two
• Compromised passwords
• Data (incidental e-PHI) discovered; is a BAA in place?
• Identification of previously compromised system(s)
• Third-party-hosted / cloud environments
  • Approval from the provider
• Web-management portals
• Security assessor’s equipment; is it itself a threat to the environment?
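Several of the rules above (in-scope segments, an agreed time window, legacy hosts that must not be scanned, third-party-hosted segments without approval) are the kind of thing a tester should check mechanically before every scan rather than from memory. The following pre-flight check is an added example and not code from the presentation; the CIDRs, the single legacy host and the 22:00 to 04:00 UTC window are constructed placeholders for whatever the signed rules of engagement actually say. Exclusions deliberately win over inclusions, so a hosted segment that sits inside an otherwise in-scope range stays off the target list.

```python
"""Pre-flight scope and timing check for a penetration test target.

Added example, not from the slides. The ranges, host and window below
are constructed placeholders standing in for a real rules-of-engagement
document; substitute the agreed values before use.
"""
import ipaddress
from datetime import datetime, time, timezone

# Constructed rules of engagement (hypothetical values).
ROE = {
    # Segments the customer authorized, per the network diagrams.
    "in_scope": ["10.20.0.0/16", "203.0.113.0/24"],
    # Third-party-hosted segment: no provider approval, so excluded
    # even though it sits inside an in-scope range.
    "out_of_scope": ["10.20.5.0/24"],
    # Legacy device known to fall over under automated scanning:
    # manual checks only.
    "legacy_no_automated": ["10.20.1.7"],
    # Agreed testing window, 22:00-04:00 UTC (crosses midnight).
    "window_utc": (time(22, 0), time(4, 0)),
}


def at_utc(year, month, day, hour, minute=0):
    """Build a timezone-aware UTC datetime (keeps the checks unambiguous)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _in_any(ip, cidrs):
    """True if `ip` falls in any of the given CIDR strings (or single hosts)."""
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def in_window(now, window):
    """True if `now` lies inside the daily UTC window; handles wrap past midnight."""
    start, end = window
    t = now.astimezone(timezone.utc).time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def check_target(target, now, roe=ROE, automated=True):
    """Return (allowed, reason) for one target address.

    Exclusions win over inclusions, and `automated=True` means the caller
    intends to run scanners, which the RoE forbids on legacy hosts.
    """
    ip = ipaddress.ip_address(target)
    if _in_any(ip, roe["out_of_scope"]):
        return False, "explicitly out of scope"
    if not _in_any(ip, roe["in_scope"]):
        return False, "not in any in-scope range"
    if not in_window(now, roe["window_utc"]):
        return False, "outside agreed testing window"
    if automated and _in_any(ip, roe["legacy_no_automated"]):
        return False, "legacy system: manual testing only"
    return True, "ok"


def filter_targets(targets, now, roe=ROE, automated=True):
    """Split candidate targets into an allowed list and a {target: reason} map."""
    allowed, rejected = [], {}
    for target in targets:
        ok, why = check_target(target, now, roe, automated)
        if ok:
            allowed.append(target)
        else:
            rejected[target] = why
    return allowed, rejected


if __name__ == "__main__":
    now = at_utc(2015, 6, 22, 23, 30)
    ok, bad = filter_targets(
        ["10.20.3.4", "10.20.5.9", "10.20.1.7", "198.51.100.1"], now)
    print("scan these:", ok)
    for t, why in bad.items():
        print(f"skip {t}: {why}")
```

Feeding the scanner only the `allowed` list, and logging the `rejected` map alongside the scan output, gives both parties a record that the agreed limits were honoured if a question about a legacy outage or an out-of-window alert comes up later.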

Page 10:

Success Criteria

• Remember the goal: simulate a real-world attack in order to determine how far an attacker could penetrate the environment, but...
• Set the parameters and limits, e.g., access to a root folder, establishing an administrative account on system(s) X, no access gained, etc.
• Establish these prior to testing!!!
• Different for every environment

Page 11:

The Test (Engagement)

• Application layer
• Network layer
• Segmentation
• What to do when e-PHI is encountered
• Post-exploitation
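“What to do when e-PHI is encountered” usually comes down to: prove the exposure, do not copy the data. The following routine is an added example, not code from the presentation. It scans a block of text the tester found (for instance on an open file share), counts matches for a few illustrative identifier patterns (US SSN, an `MRN:` label, a US-format date of birth; the real patterns must come from the customer), and produces a finding record that carries only a redacted excerpt, hit counts and a SHA-256 fingerprint of the original. The sample share path and patient row are constructed and fictitious.

```python
"""Record evidence of exposed e-PHI without copying the e-PHI itself.

Added example, not from the slides. The detection patterns are
illustrative (US SSN, a simple MRN label, a US-format date of birth) and
the sample record is constructed; a real engagement would use the
identifier formats agreed with the customer.
"""
import hashlib
import re

# Illustrative e-PHI patterns; tune to the customer's actual identifier formats.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b"),
    "DOB": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}


def scan_for_phi(text):
    """Return ({pattern: hit count}, redacted text)."""
    counts = {name: len(p.findall(text)) for name, p in PATTERNS.items()}
    redacted = text
    for name, p in PATTERNS.items():
        redacted = p.sub(f"[{name} REDACTED]", redacted)
    return counts, redacted


def evidence_record(location, text, max_excerpt=160):
    """Build the finding entry: where, how much, a fingerprint, and a redacted excerpt.

    The SHA-256 of the original lets the customer confirm on retest that
    the same file was removed or protected, without the report carrying
    the identifiers themselves.
    """
    counts, redacted = scan_for_phi(text)
    return {
        "location": location,
        "contains_phi": any(counts.values()),
        "counts": counts,
        "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
        "excerpt": redacted[:max_excerpt],
    }


# Constructed sample (fictitious patient data) found on a hypothetical open share.
SAMPLE_LOCATION = r"\\fileserver01\clinic\export.csv"
SAMPLE_TEXT = (
    "name,mrn,dob,ssn,diagnosis\n"
    "Jane Sample,MRN:0042311,03/14/1962,123-45-6789,hypertension\n"
)

if __name__ == "__main__":
    rec = evidence_record(SAMPLE_LOCATION, SAMPLE_TEXT)
    for key, value in rec.items():
        print(f"{key}: {value}")
```

The hash is what makes the redaction safe to rely on: the report can state that `export.csv` contained patient identifiers and still let the customer verify, at retest, that the file they cleaned up is the one the tester saw. Whether even a redacted excerpt may leave the customer’s environment is a BAA and rules-of-engagement question, which is why it belongs on the pre-engagement list rather than being decided mid-test.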

Page 12:

Post-Engagement

• Reporting
• Remediation best practices (Adam Bennett will cover this)
• Retesting identified vulnerabilities
• Cleaning up the environment

Page 13:

Penetration Testing from The Customer’s Point of View

Dennis Schmidt, Assistant Dean for Information Technology, HIPAA Security Officer

Page 14:

University of North Carolina

• Nation’s first public university, chartered 1789
• 29,000 students
• 3,600 faculty
• Number of servers: unknown, but it’s a lot!!!
• 5% of campus is protected by firewall
  ‒ Blocks 87 million unwanted connections weekly
• IPS blocks 5.1 million malicious threat events

14 Managing the Integrated Information Environment

Page 15:

UNC School of Medicine

• 1,500+ faculty
• 720 medical students
• 700 graduate students
• 3,000 staff


Page 16:

What Is Our Goal?

• NIST SP 800-42: “security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation…to identify methods of gaining access to a system”.
• Locate weaknesses in our network and systems before the bad guys do.
• Educate our users and our technicians
• Test our social engineering weaknesses
  • Phishing, phone calls, etc.

Page 17:

How do we start?

• Setting up Rules of Engagement
  • Potential impact on systems
  • Hours of operation
  • How much system information to provide to the penetration team
  • How much initial access to give the penetration team
  • What type of attacks will be used
    • Zero Knowledge (Black Box test)
    • Partial Knowledge (Grey Box test)
    • Full Knowledge (White Box test)
• Coordinate with other entities to prevent collateral damage
  • Central IT Security
• What authorizations and legal waivers do we need beforehand?

Page 18:

Concerns during the testing

• How do we know it’s the test and not a real penetration?
  • Correlating testing activity with the SIEM
• Will we cause an unexpected denial of service?
• Will we cause any unexpected reboots?
• What if we find exposed sensitive data?
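The SIEM correlation the first concern calls for is simple to state: an alert is “the test” only if it comes from an address the assessor registered in the rules of engagement and falls inside the agreed window. A familiar signature alone proves nothing, because a real attacker can run the same scanner while the test is on. The triage below is an added example and not code from the presentation; the alert line format, the assessor’s egress range (`203.0.113.0/28`), the window and the five sample alerts are all constructed for illustration. Note the two cases it refuses to wave through: an unregistered source during the window, and the registered source outside it.

```python
"""Tag IDS alerts as authorized test traffic or as something to investigate.

Added example, not from the slides. The log format, the assessor's
source range and the window are constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime, timezone

# From the rules of engagement (hypothetical): the assessor's egress range
# and the agreed window, both in UTC.
TESTER_SOURCES = ["203.0.113.0/28"]
WINDOW = (
    datetime(2015, 6, 22, 22, 0, tzinfo=timezone.utc),
    datetime(2015, 6, 23, 4, 0, tzinfo=timezone.utc),
)

# Constructed alert format: <ISO-8601 UTC> <sensor> alert src=... dst=... sig="..."
ALERT = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ alert '
    r'src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) sig="(?P<sig>[^"]*)"'
)

AUTHORIZED = "authorized-test"
UNKNOWN_SOURCE = "investigate: not an authorized test source"
OUTSIDE_WINDOW = "investigate: tester source outside agreed window"


def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not match."""
    m = ALERT.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": ipaddress.ip_address(m["src"]),
            "dst": m["dst"], "sig": m["sig"]}


def classify(event, sources=TESTER_SOURCES, window=WINDOW):
    """Decide whether an alert is covered by the engagement.

    Only a registered source address AND the agreed window together
    count as the test; the signature is not consulted at all.
    """
    from_tester = any(event["src"] in ipaddress.ip_network(c) for c in sources)
    in_window = window[0] <= event["ts"] < window[1]
    if from_tester and in_window:
        return AUTHORIZED
    if from_tester:
        return OUTSIDE_WINDOW
    return UNKNOWN_SOURCE


def triage(lines, sources=TESTER_SOURCES, window=WINDOW):
    """Group alerts by verdict; unparseable lines are counted, not dropped silently."""
    buckets = {AUTHORIZED: [], OUTSIDE_WINDOW: [], UNKNOWN_SOURCE: []}
    skipped = 0
    for line in lines:
        event = parse_alert(line)
        if event is None:
            skipped += 1
            continue
        verdict = classify(event, sources, window)
        buckets[verdict].append((str(event["src"]), event["dst"], event["sig"]))
    return buckets, skipped


# Constructed sample alerts (not real log data).
SAMPLE_ALERTS = [
    '2015-06-22T23:05:12Z ids1 alert src=203.0.113.5 dst=10.20.3.4 sig="Nmap SYN scan"',
    '2015-06-22T23:07:40Z ids1 alert src=203.0.113.5 dst=10.20.3.4 sig="SQL injection attempt"',
    '2015-06-22T23:09:01Z ids1 alert src=198.51.100.77 dst=10.20.3.4 sig="Nmap SYN scan"',
    '2015-06-23T09:15:33Z ids2 alert src=203.0.113.5 dst=10.20.8.1 sig="SSH brute force"',
    'garbage line that the collector mangled',
]

if __name__ == "__main__":
    buckets, skipped = triage(SAMPLE_ALERTS)
    for verdict, events in buckets.items():
        print(f"{verdict}: {len(events)}")
        for src, dst, sig in events:
            print(f"   {src} -> {dst}  {sig}")
    print(f"unparseable lines: {skipped}")
```

In practice the `AUTHORIZED` bucket is suppressed from paging but still stored, so the tester’s activity can be compared against what the sensors actually caught when the report comes in; the two `investigate` buckets go to the on-call analyst exactly as they would on any other night.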

Page 19:

Non-Electronic Testing (Social Engineering)

• Phishing test
• Lost USB drive test
• Phone calls
  • “Hi, I’m from Microsoft…”
  • “This is your IT support, I need to remotely log into your machine to test…”
• Dumpster diving

Page 20:

Practical Next Steps After a Penetration Test

Adam Bennett, Vice President, Cloudburst Security

Page 21:

Cloudburst Security

• Cloudburst founded by Adam Bennett in 2006

• 100% cybersecurity-focused company

• Federal government (DoD, civilian, homeland security, intelligence) and commercial clients (healthcare, banking/finance, non-profit)

• Have conducted over 400 vulnerability assessments and penetration tests

• Leading provider of managed security monitoring, incident response, malware analysis, forensics, and cyber threat intelligence services


Page 22:

We conducted a pen test, now what?!

Page 23:

Common mistakes, challenges, & trends

• Pen tester didn’t succeed: “we must be totally secure!”
• Pen tester succeeded: “the sky is falling!”
• Security issue “hot potato”
• Lack of organization and remediation planning
• Lack of follow-up & integration with SOC/Incident Response
• Budget & human resource challenges
• Security awareness
• Educating leadership

Page 24:

Tips for Post-Security Testing Success

• Develop a formal remediation plan with milestones
• Display a team attitude, no matter how serious the test results; the common goal is to improve security posture
• Present an executive summary of the remediation plan to management and get their buy-in!
• Form a committee of stakeholders to track remediation progress
• Leverage high-risk findings to “move the ball” on security projects and budget items
• Track organization & team performance metrics annually

Page 25:

Group Discussion