Security and Data Loss Prevention - homecaremissouri.org


3/21/2018

1

Ricky Smith • Innovative Business Technologies, Inc.

Security and Data Loss Prevention

Agenda

• Introduction
• Data Security and Compliancy
• Various Forms of Cyber Threats
• Infiltration Methods
• Ways to Detect Malicious Activity
• Prevention Practices
• The Ability to Recover
• Online Resources and Tools
• Q&A

Introduction

About me

• President, Innovative Business Technologies, Inc.
• Director of Technical Services, McKesson Information Solutions Homecare and Hospice
• Systems Engineer, B.T. Alex. Brown
• Systems Engineer, Millennium Inorganic Chemicals


Introduction

Why is this topic becoming so important?

• It’s a profitable business

• Security breaches are often intentional criminal acts

• Malicious software is becoming more advanced


Data Security and Compliancy

What does a breach cost?

IBM's Data Breach Cost Calculator
• $11m - Average cost of a data breach for a US based healthcare organization
• Global average cost of a data breach (2017 report) = $3.62 million
• Up by 55% for healthcare = $8.04 million

Ponemon Cost of Data Breach Study
• 2016
  • $158 per record
  • $355 per record for healthcare organizations
  • 55% more per record
• 2017
  • $141 per record
  • $316 per record, *estimated based on the same 11% decrease

https://www.ibm.com/security/data-breach/

Data Security and Compliancy

Why is this important to healthcare providers?

Based on data from HHS and OCR Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Data updated as of 2.5.2018

[Chart: Breach Type = Hacking, count by year, 2010-2017]

[Chart: Breaches Reported Affecting 500 or more, count by year, 2010-2017]


Data Security and Compliancy

CMS: Emergency Preparedness
• Any event that adversely affects access to, or the ability to deliver, healthcare services

Risk Assessment
• Identify areas that must be monitored
• Develop risk mitigation strategies
• Understand the probabilities of an occurrence
• Business impact

Incident Response
• Policy Defined
• Breach Response Plan

Data Security and Compliancy

Data Vulnerability - A Real World Example

• The field staff laptop with full disk encryption
• Data at Rest
• Let’s use Ransomware as an example
• Is it a breach?
• What are the OCR guidelines?

Does Compliancy = Security?

Various Forms of Cyber Threats

Malware
• A general term short for “malicious software”
• Intentions vary

Spoofing
• Pretending to be something they’re not
• IP, ARP, DNS, Email

Bot
• Software that automates a process
• A network of bots, called a botnet, can be coordinated to issue distributed type attacks


Bot Traffic Report 2016.png: Igal Zeifman, Imperva Incapsula; Bot Traffic Report 2016, January 24, 2017, https://www.incapsula.com/blog/bot-traffic-report-2016.html

Various Forms of Cyber Threats

Common types of malware attacks

Computer Virus
• An infected host file that spreads

Worm
• Does not require an infected host file or user interaction to spread

Trojan Horse
• Remember how the Greeks took Troy

Infiltration Methods

Legitimate or not?


Various Forms of Cyber Threats

Common types of malware attacks – cont.

Rootkits
• Uses elevated access and attempts to run undetected

Zero Day Attack
• Exploit of a software vulnerability before there’s a patch

Ransomware
• Encrypts data to prevent access and demands payment for the key to unlock it

Various Forms of Cyber Threats

Network based attacks

Denial of Service (DoS)
• Flood of traffic to disrupt a service or make it inaccessible
• SYN Flood Attack

Tcp_normal.png: Dake, derivative work: Hazmat2 (talk) - This file was derived from Tcp normal.png, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=18126366, https://en.wikipedia.org/wiki/SYN_flood


Tcp_synflood.png: CC BY-SA 2.5, https://commons.wikimedia.org/w/index.php?curid=810830, https://en.wikipedia.org/wiki/SYN_flood


Various Forms of Cyber Threats

Network based attacks

Denial of Service (DoS) – cont.
• ICMP (PING) Flood Attack
  • Overload of ICMP traffic without waiting on a reply
• Smurf Attack
• Ping of Death (PoD)

Distributed Denial of Service (DDoS)

Port Scanning

Infiltration Methods

Social Engineering
• Any method that convinces a user to disclose information

Phishing
• Spoofed email or some type of social engineering scheme
• Credential Harvesting

Infiltration Methods

Social Media
• Social Phishing

Email
• Attachments
• Links

Website Browsing


Infiltration Methods

Internet of Things (IoT)
• Not just laptops, but anything that can connect
• October 2016 attack on Dyn, Inc. (DNS provider)
  • DDoS attack carried out by cameras and DVR’s
• Bluetooth devices
  • We now have terms like:
    • Bluesnarfing
    • Bluejacking
    • Bluebugging

Infiltration Methods

Once malware is within the boundaries of your network…
• It propagates within
• Often calls out to a malicious site

Vendors
• Unmanaged devices
• Remote connectivity

Device Theft

Ways to Detect Malicious Activity

Look for symptoms

• User complaints
• Unexpected new add-ons within browser
• Accounts being continuously locked out
• Frequent pop-ups
• Settings have changed unexpectedly
• Computer performance


Ways to Detect Malicious Activity

Establish baselines and trends

• Internet bandwidth consumption
• Unexpected increase in disk storage usage
• You must know your environment
• Internal network performance issues

Ways to Detect Malicious Activity

Detection Systems

• IPS or IDS - What's the difference?
• Intrusion Prevention System
  • Inline with the data flow
  • Blocks traffic based on rule sets of known threats
  • Sometimes combined within a firewall
  • UTM (Unified Threat Management) option

Ways to Detect Malicious Activity

Detection Systems – cont.

• Intrusion Detection System
  • Sideline device or software that observes network activity
• NIDS - network-based intrusion detection system
  • Appliance or dedicated server
  • Linux based typically
• HIDS - host-based intrusion detection system
  • Locally installed on the host
• Methods
  • Signature-Based – known patterns
  • Anomaly-Based – based on baseline patterns
  • Quiz – which of the two would be best for detecting a Zero Day attack?
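To make the signature-based versus anomaly-based distinction concrete, together with the earlier point about establishing baselines, here is an added Python example written for this page (not code from the presentation); the host names, baseline figures, request lines and signature patterns are all constructed for the demonstration.

```python
import re
import statistics

# Constructed baseline: kilobytes sent per host in eight past hourly windows (not real data).
BASELINE_KB = {
    "ws-01": [120, 130, 110, 125, 140, 115, 135, 128],
    "ws-02": [80, 95, 90, 85, 100, 88, 92, 87],
}

# Constructed signatures standing in for a vendor ruleset: patterns of already-known threats.
SIGNATURES = {
    "known-bad-user-agent": re.compile(r"User-Agent: EvilBot/1\.0"),
    "known-c2-path": re.compile(r"GET /gate\.php"),
}

# Constructed events: (host, request line seen on the wire, kilobytes sent in that hour).
# The last event is a never-before-seen tool: no signature exists for it, only its volume is off.
SAMPLE_EVENTS = [
    ("ws-01", "GET /index.html User-Agent: Mozilla/5.0", 126),
    ("ws-01", "GET /gate.php User-Agent: Mozilla/5.0", 122),
    ("ws-02", "GET /update User-Agent: EvilBot/1.0", 91),
    ("ws-02", "POST /api/sync User-Agent: Mozilla/5.0", 4000),
]


def signature_match(line):
    """Signature-based: names of the known patterns that fire on one request line."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(line)]


def is_anomalous(host, kb_sent, k=3.0):
    """Anomaly-based: flag a window more than k standard deviations above the host's baseline mean."""
    history = BASELINE_KB[host]
    mean = statistics.mean(history)
    sd = statistics.pstdev(history) or 1.0  # guard: a perfectly flat baseline would give sd == 0
    return kb_sent > mean + k * sd


def evaluate(events=SAMPLE_EVENTS):
    """Run both methods over the events and record which method caught each one."""
    return [
        {"host": host, "signature": signature_match(line), "anomaly": is_anomalous(host, kb_sent)}
        for host, line, kb_sent in events
    ]


if __name__ == "__main__":
    for verdict in evaluate():
        print(verdict)
```

The last event is the quiz case: nothing in the signature set knows the tool, so only the baseline comparison catches it, while the two signature hits sit comfortably inside their hosts' normal volume.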


Prevention Practices

First question: Who is susceptible?

Network design
• What are you allowing in? And to where?
  • SMTP, HTTP, HTTPS, FTP
• What are you allowing out? And to where?
  • SMTP, NTP, DNS, HTTP, HTTPS, FTP
• No “Any” rules

Prevention Practices

Network design – cont.

• Your traffic cops
  • Perimeter access gateways
  • Firewall
  • Email Filter
  • Web Filter/Proxy Server

Whether inbound or outbound, traffic should be very limited as to where it can go.

Bad Inbound Design (diagram labels): 80/443 http/https to Web services; 25 SMTP (email)


Good Inbound Design (diagram labels): 80/443 http/https to Web services; 25 SMTP (email) through the Email Filter

Bad Outbound Design (diagram label): ANY

Good Outbound Design (diagram labels): 80/443 http/https to Web services through the Web Filter


Prevention Practices

Network design – cont.

• Network shares
  • Open shares or use of weak passwords = vulnerable
• Access controls
• Process for unmanaged devices
• Wi-Fi Networks
  • Isolate guest networks
• Layered security
  • Different vendors/scanning engines

Prevention Practices

Stay Current

• Antivirus software
  • Definitions
• Operating System Updates
  • Windows Updates
  • WannaCry - hit in May
  • Microsoft had released the patch in March
  • Most attacks target Windows OS, but Linux patches should be maintained as well. What about Mac?

Prevention Practices

Stay Current – cont.

• Appliance Software maintenance and subscriptions
  • Mail gateways
    • RBL's (Reputation Block List)
    • Barracuda is good
    • Spamhaus and SpamCop are good as well; I have seen slightly more false positives
  • Firewall
    • UTM
  • Perimeter devices
    • Snort rules (IPS)
• Data transmission methods
  • Windows XP
• Business operations software – EMR systems
  • Forever Day Exploits
    • End of life software that has a known vulnerability, but the software vendor isn’t going to patch it


Prevention Practices

User Education!

• Macros
  • Microsoft Office
  • When in doubt, say “NO”
  • Melissa, 1999
    • Estimated cost of more than $1 billion
• Safe website browsing
  • Confirm that the website is authentic
  • Avoid Cybersquatting (or typosquatting)
  • Look for the lock in the toolbar before entering information
  • Even if it’s https – no lock, no good
• Bad email tips
  • Misspellings and grammar errors
  • Something just doesn’t look right

Prevention Practices

User Education! – cont.

• Provide an easy structured process for users to report suspicious activity
• Drive-by’s do not work
• Rinse, lather, repeat
• End-user training must be relevant, current, and repeated

Prevention Practices

Be Proactive with Vendors

National Vulnerability Database
https://nvd.nist.gov/vuln/full-listing

• Common Vulnerabilities and Exposures (CVE's)
  • 2016 ≈ 543
  • 2017 ≈ 1510
  • January 2018 = 1716
• What to ask your vendors:
  • How do I get notified about vulnerabilities?
  • How are security patches delivered?

[Chart: Average Number of CVE Entries Per Month, by year, 2010-2017]


Prevention Practices

Environment TODOs

• Monitor and Alerting tools
  • Syslog server
  • Daily ritual
• IP block list
  • Handling packets: drop vs. reject
• Account Management
  • Password policy
  • Multifactor authentication

Prevention Practices

Environment TODOs – cont.

• Look at your attack surface
  • The more software that is loaded, the more opportunities for vulnerabilities
• Fuzz Testing
  • Should be part of a software vendor's development process
• Website design
  • reCAPTCHA key on forms
    • protect from bots
  • http to https
• Open Source options
  • IDS/IPS
  • DNS Sinkhole
    • Prevents calls to known malicious sites
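The DNS sinkhole listed above, as an added Python example written for this page rather than taken from the presentation or any named product: a resolver stand-in that answers blocked names with a sinkhole address and records which client asked, so the call-out from the "once malware is within your network" slide becomes an alert instead of a connection. The blocklist, upstream answers, client addresses and sinkhole IP are all assumptions constructed for the demonstration.

```python
from collections import defaultdict

# Assumption: an internal address that accepts the connection and logs it instead of serving it.
SINKHOLE_IP = "10.255.255.1"

# Constructed blocklist of known-bad domains (illustrative names, not real indicators).
BLOCKLIST = {"c2-example.test", "malicious-example.test"}

# Constructed stand-in for the upstream resolver a real sinkhole forwards clean queries to.
UPSTREAM = {"intranet.example.test": "192.0.2.50", "www.example.test": "192.0.2.80"}


def normalize(name):
    """Lower-case and drop the trailing dot so 'WWW.Example.test.' equals 'www.example.test'."""
    return name.lower().rstrip(".")


class Sinkhole:
    def __init__(self, blocklist, sinkhole_ip=SINKHOLE_IP, upstream=None):
        self.blocklist = {normalize(d) for d in blocklist}
        self.sinkhole_ip = sinkhole_ip
        self.upstream = upstream if upstream is not None else {}
        self.hits = defaultdict(list)  # blocked name -> client IPs that asked for it

    def is_blocked(self, qname):
        """Block the name and every subdomain: 'cdn.c2-example.test' is caught by 'c2-example.test'."""
        labels = normalize(qname).split(".")
        return any(".".join(labels[i:]) in self.blocklist for i in range(len(labels)))

    def resolve(self, client_ip, qname):
        """Sinkhole address for blocked names; upstream answer (or NXDOMAIN) for everything else."""
        name = normalize(qname)
        if self.is_blocked(name):
            self.hits[name].append(client_ip)  # the call-out becomes evidence of an infected host
            return self.sinkhole_ip
        return self.upstream.get(name, "NXDOMAIN")

    def hosts_to_investigate(self):
        """Clients that tried to reach a blocked domain: first stop in the daily review."""
        return sorted({client for clients in self.hits.values() for client in clients})


def demo():
    """Constructed query stream: two clients, one of which tries to call out to a blocked domain."""
    sink = Sinkhole(BLOCKLIST, upstream=UPSTREAM)
    answers = [
        sink.resolve("192.0.2.10", "www.example.test"),
        sink.resolve("192.0.2.10", "cdn.c2-example.test."),
        sink.resolve("192.0.2.11", "intranet.example.test"),
        sink.resolve("192.0.2.11", "unknown.example.test"),
    ]
    return answers, sink.hosts_to_investigate()
```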

The Ability to Recover

Your ability to restore and recover data directly corresponds to how susceptible you are to an attack.

• Recovery Time Objective (RTO)
  • The length of time a system or core application can be down or off-line
• Recovery Point Objective (RPO)
  • The amount of data you can afford to lose

Having a clear understanding of your RTO and RPO business requirements is the primary guide to your data protection strategy.

Let's talk about RTO and RPO


The Ability to Recover

Backup Methods

• Local
  • The basic first step
  • This should be a well-oiled machine with notifications of success and failures
    • Why successes?
  • May be susceptible to an internal attack like a worm
  • Encrypted backup (at rest)
  • SQL vs. Files

The Ability to Recover

Backup Methods – cont.

• Offsite Cloud Backup
  • Replacing offsite rotation
  • Dependent on internet connectivity
• Offsite Rotation of Local Media
  • Protect from local (data center) isolated events
  • Offsite data is not susceptible to a newly introduced cyber attack
  • Delayed recovery due to the retrieval process
  • Older standard

The Ability to Recover

Failover / Disaster Recovery (DR)

• Hot Site
  • Available and ready within minutes of an event
  • Based on a real-time replication model
• Warm Site
  • Failover system available
  • Not immediately accessible to end-users
  • Requires updated data
• Which one?
  • Depends on your RTO and RPO requirements


The Ability to Recover

Test, Test, Test

Two primary components:

• The failover/recovery system must meet your RTO requirements
  • RTO also deals with accessibility
  • Users have to be able to access the system
  • This is often over-looked
• It must be functional in that the recoverable data meets your RPO requirements

Don’t wait for a crisis to test your ability to recover data.
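An added Python example (written for this page, not the presenter's material) that ties the RTO/RPO definitions and the "notifications of success and failures" point from the backup slide to this test: it reads a constructed backup job log and checks a recovery drill against RTO and RPO, counting only successful runs toward the recovery point. The log lines, job name, incident time and the 4 h / 8 h objectives are all constructed.

```python
from datetime import datetime, timedelta

# Constructed backup job log, one line per scheduled run (not from a real backup product).
# The two failed runs are the point: only a successful run moves the recovery point forward.
BACKUP_LOG = """\
2018-03-20 00:00 job=nightly-sql status=success
2018-03-20 06:00 job=nightly-sql status=success
2018-03-20 12:00 job=nightly-sql status=failure
2018-03-20 18:00 job=nightly-sql status=failure
"""


def parse_log(text):
    """Return (run_time, status) pairs from the constructed log format."""
    runs = []
    for line in text.splitlines():
        date, clock, _job, status = line.split()
        runs.append((datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M"), status.split("=", 1)[1]))
    return runs


def last_run_before(runs, incident, successful_only):
    """Latest run at or before the incident; with successful_only, failed runs are ignored."""
    ok = [t for t, status in runs if t <= incident and (status == "success" or not successful_only)]
    return max(ok) if ok else None


def assess(runs, incident, users_restored, rto, rpo):
    """Compare real data loss and downtime with the RPO and RTO business requirements.
    users_restored is when end-users could work again, not when the restore job ended (RTO covers access)."""
    last_good = last_run_before(runs, incident, successful_only=True)
    last_any = last_run_before(runs, incident, successful_only=False)
    data_loss = incident - last_good if last_good else None
    downtime = users_restored - incident
    return {
        "data_loss": data_loss,
        # what you would believe by trusting the schedule instead of the job status
        "naive_data_loss": incident - last_any if last_any else None,
        "rpo_met": data_loss is not None and data_loss <= rpo,
        "downtime": downtime,
        "rto_met": downtime <= rto,
    }


def demo():
    """Constructed drill: incident at 20:30, users working again at 23:00, RTO 4 h, RPO 8 h."""
    incident, back = datetime(2018, 3, 20, 20, 30), datetime(2018, 3, 20, 23, 0)
    return assess(parse_log(BACKUP_LOG), incident, back, rto=timedelta(hours=4), rpo=timedelta(hours=8))
```

In the drill the restore itself is fast enough for the RTO, but the two silently failed jobs push the real recovery point back to 06:00, so the RPO is missed by a wide margin even though the schedule alone would suggest only 2.5 hours of loss.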

Online Resources and Tools

hhs.gov
• FACT SHEET: Ransomware and HIPAA: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
• HIPAA for Professionals: https://www.hhs.gov/hipaa/for-professionals/index.html
• HHS ASPR, the Technical Resources, Assistance Center, and Information Exchange (TRACIE): https://asprtracie.hhs.gov/

SANS Institute
• Main - http://www.sans.org/
• Internet Storm Center: https://isc.sans.edu/
• Penetration Testing: https://pen-testing.sans.org/

NIST (National Institute of Standards and Technology)
• Computer Security Resource Center (CSRC): http://csrc.nist.gov/
• National Vulnerability Database: https://nvd.nist.gov/home

Computer Emergency Readiness Team (CERT)
• US-CERT: https://www.us-cert.gov/
• Carnegie Mellon University: http://www.cert.org/

Federal Trade Commission (FTC) Complaint Assistant: https://www.ftccomplaintassistant.gov/Information#crnt&panel1-1
Symantec Security Response: https://www.symantec.com/security_response/
Barracuda Reputation Block List (BRBL): http://barracudacentral.org/rbl
Snort - Open Source IPS: https://www.snort.org
No More Ransom Project: https://www.nomoreransom.org/
MS Security Scanner: https://www.microsoft.com/security/scanner/en-us/default.aspx
American Registry for Internet Numbers (ARIN): https://www.arin.net/
SSL Certificate Check: https://www.sslshopper.com/ssl-checker.html
SSL Website Check: https://www.ssllabs.com/ssltest/index.html
Symantec CryptoReport: https://cryptoreport.websecurity.symantec.com/checker/

Q&A

Ok, that was a lot of information!

Thank you very much.



Ricky Smith • President, Innovative Business Technologies, Inc.

[email protected]

877-402-9349 ext. 111

https://www.linkedin.com/in/ricky-smith-369a4431/

www.ibusinesstech.com

Security and Data Loss Prevention
