From Plans to Pen Testing - Dealing with The Unexpected · 2017-02-18 · From Plans to Pen Testing...
From Plans to Pen Testing - Dealing with The Unexpected
Session #CS3, February 19, 2017
Ron Mehring, CISO, Texas Health Resources
Speakers Introduction
Ron Mehring, VP, Technology & Security, Texas Health Resources
Conflict of Interest
Ron Mehring
Has no real or apparent conflicts of interest to report.
Agenda
• Healthcare Threat Landscape
• Security Plans, Continuous Monitoring and Penetration Testing
• Incident Management
Learning Objectives
• Explain the current threat and vulnerability landscape facing healthcare organizations.
• Illustrate how to plan and test your plan: practical information and perspectives on how to design and test your privacy and security plans to fit the needs of your organization.
• Describe how to test your plan with best case and worst case and “what if” scenarios.
• Explain current attacks and compromises and hallmarks of sophisticated vs. unsophisticated attackers.
• Explain how to recognize a significant security incident and what to do when a major breach does occur.
An Introduction of How Benefits Were Realized for the Value of Health IT
• Satisfaction: improve patient satisfaction and build trust by helping to improve security and reduce breaches and ransomware
• Electronic Secure Data: improve security of sensitive patient information
– Highlight gaps, enable information sharing to improve security
• Savings: reduce breaches and ransomware and associated business impacts and costs
The Healthcare Threat Landscape
Healthcare and the integrated cyber future
• Optimization of healthcare operations is driving the adoption of new and innovative technology platforms.
• Merger and acquisition is occurring at an increasing rate.
• Tighter technology integration is occurring across multiple platform types.
• The end user and the patient are driving new and innovative technology use cases.
What are some of the more significant threats
• EHR shut down for 6 days due to cyberattack. http://www.healthcareitnews.com/news/cyberattack-appalachian-regional-healthcare-keeping-ehr-down-after-six-days
• 3.7 million credit card breach via malware attack on point of sale. https://www.bannerhealth.com/news/2016/08/banner-health-identifies-cyber-attack
• Massive Internet of Things attack. http://fortune.com/2016/10/23/internet-attack-perpetrator/
• Over half of the Locky ransomware in August was focused at hospitals. http://www.zdnet.com/article/a-massive-locky-ransomware-campaign-is-targeting-hospitals/
Protecting health care delivery networks is becoming more complex every day.
Sophisticated vs Unsophisticated Threats
• Advanced threats are characterized by the motivation and persistence of the attacker and the attacker's ability to evade traditional cybersecurity hygiene controls.
– Nation state attacks
– Knowledgeable malicious Insider threat with high level access
– Targeted phishing attacks
– Environmentally tailored malware and exploits
– Well designed, stealthy, command and control
• Commodity everyday threats that can be prevented through the application of good cybersecurity hygiene.
– Physical Theft
– Insider unauthorized access or misuse
– Broad based phishing scams
– Known malware and exploits
– Noisy, smash and grab
Security Plan, Continuous Monitoring and Penetration Testing
Building an organizationally tuned penetration testing assessment program
Diagram labels: Security Plan; Continuous Monitoring Plan; 3rd Party Penetration Testing Plan; Audit, Monitoring and Internal Assessments; Cost; Prioritization; Resources
• Penetration testing is an assessment approach where security controls are purposely evaded.
• The assessment program should be aligned with the business risk profile and leadership expectations.
• 3rd party independent (penetration) assessment services should be employed when possible.
• All assessment and audit plans should be pulled into a single monitoring plan.
The Security Plan
Diagram labels: Regulatory Requirements; Business Requirements; Control Catalog; Control Thresholds; Emerging – Recognized Threats
• The security plan is based on the risk appetite of the organization.
• Control thresholds formalize security posture expectations.
• Audit, monitoring and assessment plans should be aligned with control thresholds.
The Continuous Monitoring Plan
• Documents all audit, assessment and monitoring requirements.
• Documents the specific tests required for each controls area.
• Sets an integrated audit, monitoring and assessment schedule.
• Establishes stakeholder ownership for each control being assessed.
Setting the assessment schedule and robustness objectives
• Determine the most significant weaknesses
• Determine what controls are most important
• Determine how often they need to be tested
• 3rd Party – Penetration Assessments
  o Red teaming context
• Incorporation of controls-based exercises
  o Purple teaming context
• Phishing testing
• Vulnerability Exposure Assessments
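The three slides above describe a security plan with control thresholds, a continuous monitoring plan that records the test, owner and frequency for each control area, and a schedule that decides how often each control is tested. The following is an added example, not code from the presentation or from Texas Health Resources: it encodes a small monitoring plan as data and reports which tests are overdue against their schedule and which measured values breach their control threshold. The control areas, thresholds, owners and results are constructed sample values.

```python
"""Evaluate a continuous monitoring plan against control thresholds.

Added example (not from the presentation): plan entries, thresholds and
results are constructed sample data, not any real organization's plan.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional


@dataclass(frozen=True)
class ControlTest:
    control: str                      # control area from the control catalog
    test: str                         # the specific test required for this control
    owner: str                        # stakeholder who owns the control
    every_days: int                   # assessment frequency from the schedule
    threshold: Callable[[float], bool]  # posture expectation as a predicate on the measurement
    threshold_text: str               # human-readable form of the threshold for the report


@dataclass(frozen=True)
class Result:
    test: str
    measured_on: date
    value: float


# Constructed plan: a few control areas with explicit thresholds and owners.
PLAN = [
    ControlTest("Email filtering", "phishing click rate", "Security Ops", 30,
                lambda v: v <= 5.0, "click rate <= 5%"),
    ControlTest("Workstation hardening", "endpoints with current EDR", "Desktop Eng", 30,
                lambda v: v >= 98.0, ">= 98% coverage"),
    ControlTest("Vulnerability exposure", "critical vulns fixed within 30 days", "Infra", 90,
                lambda v: v >= 95.0, ">= 95% within SLA"),
    ControlTest("Detection - Monitoring", "red team actions detected", "SOC", 90,
                lambda v: v >= 70.0, ">= 70% of actions detected"),
]

# Constructed results: latest measurement per test (the red team test has none yet).
RESULTS = [
    Result("phishing click rate", date(2017, 1, 20), 7.5),
    Result("endpoints with current EDR", date(2017, 2, 1), 99.1),
    Result("critical vulns fixed within 30 days", date(2016, 10, 1), 96.0),
]


def latest_result(test: str, results) -> Optional[Result]:
    """Most recent measurement for a test, or None if it was never run."""
    matches = [r for r in results if r.test == test]
    return max(matches, key=lambda r: r.measured_on) if matches else None


def evaluate_plan(plan, results, today: date) -> dict:
    """Return overdue tests and threshold breaches, each with the owner to notify.

    A test is overdue when it has never been run or its last run is older than
    its scheduled interval; a result is a breach when the threshold predicate fails.
    """
    overdue, breached, passing = [], [], []
    for ct in plan:
        r = latest_result(ct.test, results)
        if r is None or (today - r.measured_on) > timedelta(days=ct.every_days):
            overdue.append((ct.test, ct.owner))
        if r is not None:
            bucket = passing if ct.threshold(r.value) else breached
            bucket.append((ct.test, r.value, ct.threshold_text, ct.owner))
    return {"overdue": overdue, "breached": breached, "passing": passing}


def report(today_iso: str) -> dict:
    """Convenience wrapper: evaluate the constructed plan as of an ISO date."""
    return evaluate_plan(PLAN, RESULTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for section, rows in report("2017-02-19").items():
        print(section)
        for row in rows:
            print("  ", row)
```

The point of the structure is that every control area carries its own owner, cadence and threshold, so the same report tells the stakeholder both "your test is late" and "your control is below the posture the plan committed to"; a threshold expressed as a predicate also lets "lower is better" and "higher is better" controls live in the same plan.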
Continuous Improvement, Data Driven Assessments and Exercises
• Improving incident response performance and baselining control effectiveness requires continuous assessments, exercising and testing.
• A quarterly driven independent assessment cycle ensures regular testing of control effectiveness.
• Adding risk exposure and threat data into the assessment helps ensure the assessment cycle is focused on testing weaknesses in compensating controls.
• Data helps feed the continuous improvement cycle and reinforces high reliability principles.
Diagram: quarterly cycle of External Assessment, Internal Assessment, External Assessment, Internal Assessment; Continuous Phishing Exercises
Penetration testing design based on scenario – what if approaches
Phishing Email – Controls – Testing Requirement Scenarios:
• End user susceptibility
• Email filtering
• Detection - Monitoring
• Response Plan
Workstation Compromise – Controls – Testing Requirement Scenarios:
• Malware prevention
• Workstation hardening
• Detection - Monitoring
• Response Plan
Access Compromise – Controls – Testing Requirement Scenarios:
• User Monitoring
• Detection - Monitoring
• Response Plan
Attacker Elevates Privileges – Controls – Testing Requirement Scenarios:
• System Admin controls
• Detection - Monitoring
• Response Plan
The Security Plan, Risk and Operational Considerations
• Ensure assessment/audit operational performance data is fed back into the risk program.
• Apply techniques such as Kanban and Theory of Constraints. These techniques can help improve performance.
• Use risk scenarios (threat models) as a bridge between risk management and operations.
• Recognize that security risk decisions are tradeoffs.
• Best practices still must have a risk analysis performed. Not all best practices are appropriate for every environment.
• Be cautious of using “cybersecurity dogma” as a basis for risk prioritization.
Diagram labels: Appetite - Requirements; Performance - Outcomes; Operations; Risk
Incident Management
Detecting, Classifying and Managing Incidents
Diagram labels:
Preparation: Incident Response Plan
Operations: Workflow Development
Follow Through: Continuous Improvement; Benchmarking – Trend - Reporting
Other labels: Risk Scenarios - Exposure; Incident Playbooks; Control Analysis; Incident Resolution; Operational Rhythm; Security Architecture; Cyber Insurance; Incident Criteria
Incident Response Performance
• Create a feedback loop of indicators and risk thresholds that flow into operations and continuous improvement processes.
• Data driven workflows allow for the measuring of control performance – effectiveness.
Diagram labels: Time to Detection; Time to Respond; Time to Remediate; Control Analysis; Risk Management; Threat Events Managed; Risk Scenarios; Incidents; Events; Indicator Output; Exposure Data
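The slide above names three indicators (Time to Detection, Time to Respond, Time to Remediate) and asks for a feedback loop in which those indicators are compared with risk thresholds. The following is an added example, not code from the presentation: it computes the three indicators per incident from milestone timestamps, summarizes them per escalation level using the deck's Level 1-3 scheme, and flags medians that exceed a threshold. The incident records, the threshold values, and the choice to measure response and remediation from the detection timestamp are constructed assumptions.

```python
"""Compute Time to Detection / Respond / Remediate indicators from incident records.

Added example, not from the presentation. Incident records and thresholds are
constructed sample data; milestones are ISO-8601 timestamps.
"""
from datetime import datetime
from statistics import median

# Constructed incident records. "remediated" is None for an incident still open.
INCIDENTS = [
    {"id": "INC-1", "level": 1, "occurred": "2017-01-03T08:00", "detected": "2017-01-03T09:30",
     "responded": "2017-01-03T10:00", "remediated": "2017-01-03T14:00"},
    {"id": "INC-2", "level": 2, "occurred": "2017-01-10T22:00", "detected": "2017-01-12T07:15",
     "responded": "2017-01-12T08:00", "remediated": "2017-01-15T17:00"},
    {"id": "INC-3", "level": 1, "occurred": "2017-01-20T11:00", "detected": "2017-01-20T11:05",
     "responded": "2017-01-20T12:00", "remediated": None},
    {"id": "INC-4", "level": 3, "occurred": "2017-02-01T03:00", "detected": "2017-02-03T09:00",
     "responded": "2017-02-03T09:30", "remediated": "2017-02-10T18:00"},
]

# Constructed risk thresholds: maximum acceptable median, in hours, per indicator.
DEFAULT_THRESHOLDS = {"ttd": 24.0, "ttr": 1.0, "ttm": 72.0}


def _hours(start, end):
    """Elapsed hours between two ISO-8601 timestamps, or None if the end is unset."""
    if end is None:
        return None
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def incident_times(inc):
    """Per-incident indicators in hours.

    Assumption (not from the deck): time to detection runs from occurrence to
    detection; time to respond and time to remediate both run from detection.
    """
    return {
        "id": inc["id"],
        "level": inc["level"],
        "ttd": _hours(inc["occurred"], inc["detected"]),
        "ttr": _hours(inc["detected"], inc["responded"]),
        "ttm": _hours(inc["detected"], inc["remediated"]),
    }


def summarize(incidents, thresholds=DEFAULT_THRESHOLDS):
    """Median indicator per escalation level, with threshold breaches flagged.

    Open incidents (no remediation yet) are excluded from the remediation
    median but counted under "open" so they are not silently dropped.
    """
    by_level = {}
    for inc in incidents:
        t = incident_times(inc)
        bucket = by_level.setdefault(t["level"], {"ttd": [], "ttr": [], "ttm": [], "open": 0})
        bucket["ttd"].append(t["ttd"])
        bucket["ttr"].append(t["ttr"])
        if t["ttm"] is None:
            bucket["open"] += 1
        else:
            bucket["ttm"].append(t["ttm"])
    summary = {}
    for level, b in sorted(by_level.items()):
        row = {"open": b["open"]}
        for name in ("ttd", "ttr", "ttm"):
            value = median(b[name]) if b[name] else None
            row[name] = value
            row[name + "_breached"] = value is not None and value > thresholds[name]
        summary[level] = row
    return summary


if __name__ == "__main__":
    for level, row in summarize(INCIDENTS).items():
        print("Level", level, row)
```

Medians rather than means keep one slow incident from hiding an otherwise healthy quarter, and splitting by escalation level matters because a Level 3 breach is expected to take longer to remediate than a routine Level 1 incident; the thresholds should therefore be set per level in a real plan, which is a one-line change to the `thresholds` argument.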
How do you know when an incident is occurring
• Establishing analytics and log management platforms.
• Measuring where your most significant exposure is located will provide the best opportunity to detect an incident.
• Having a daily monitoring rhythm ensures that there is a regular routine for evaluating threat events.
• Information sharing and threat intelligence services.
Diagram labels: Incident; Analytics; Information Sharing; Rhythm; Threats/Exposure
Using modeling – bounding approaches helps in setting and maintaining analytics
Diagram labels: Time; Location; Sensitivity; Quantity; Size; Identity; Asset; Data; Entitlement
Establishing a model for the monitoring and analytics system can be very helpful for tuning, playbook and response actions.
How do you know when an incident is occurring
Playbooks: Anomalous Log In; Privileged Misuse; Data Loss/Compromise
Log Data Sources: Active Directory; VPN; Database; EHR; Data Loss Prevention; File Directory Log
Analytics: Newly accessed system; Access time abnormal; Location; Abnormal transaction activity; Sensitive data access activity; Sensitive data transmission activity
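The two slides above describe bounding a model along dimensions such as time, location, identity and asset, and then running analytics such as "newly accessed system" and "access time abnormal" over Active Directory and VPN logs to drive the Anomalous Log In playbook. The following is an added example, not code from the presentation: it learns per-identity bounds (systems, locations, hour-of-day window) from a baseline period of constructed login events and reports later events that fall outside those bounds, labelled with the analytic that fired. The event records, the baseline cutoff date, and the one-hour slack are constructed assumptions.

```python
"""Baseline-and-bound detection for an 'Anomalous Log In' playbook.

Added example, not from the presentation. Login events are constructed
sample Active Directory / VPN records; the bounds follow the deck's model
dimensions (identity, asset, location, time).
"""
from collections import defaultdict
from datetime import datetime

# Constructed events: (source, user, timestamp, system, location)
EVENTS = [
    # baseline period
    ("AD",  "jdoe",   "2017-01-02T08:05", "EHR-APP-01",  "Dallas"),
    ("AD",  "jdoe",   "2017-01-03T08:40", "EHR-APP-01",  "Dallas"),
    ("AD",  "jdoe",   "2017-01-04T09:10", "FILE-SRV-02", "Dallas"),
    ("VPN", "jdoe",   "2017-01-05T17:30", "VPN-GW",      "Dallas"),
    ("AD",  "asmith", "2017-01-02T22:10", "DB-PROD-01",  "Fort Worth"),
    ("AD",  "asmith", "2017-01-03T23:05", "DB-PROD-01",  "Fort Worth"),
    ("AD",  "asmith", "2017-01-04T21:50", "DB-PROD-01",  "Fort Worth"),
    # evaluation period
    ("AD",  "jdoe",   "2017-02-18T02:15", "DB-PROD-01",  "Dallas"),      # new system, odd hour
    ("VPN", "jdoe",   "2017-02-18T12:00", "VPN-GW",      "London"),      # new location
    ("AD",  "asmith", "2017-02-18T22:30", "DB-PROD-01",  "Fort Worth"),  # within bounds
]

BASELINE_END = "2017-02-01T00:00"   # events before this instant define "normal" (assumption)
HOUR_SLACK = 1                      # hours of tolerance around the observed window (assumption)


def _parse(ts):
    return datetime.fromisoformat(ts)


def build_baseline(events, baseline_end):
    """Per-identity bounds: systems, locations and hours seen during the baseline."""
    cutoff = _parse(baseline_end)
    bounds = defaultdict(lambda: {"systems": set(), "locations": set(), "hours": []})
    for _src, user, ts, system, loc in events:
        t = _parse(ts)
        if t >= cutoff:
            continue
        b = bounds[user]
        b["systems"].add(system)
        b["locations"].add(loc)
        b["hours"].append(t.hour)
    return bounds


def _hour_in_window(hour, hours, slack):
    """True if hour lies within [min-slack, max+slack] of the baseline hours.

    Limitation: a baseline that straddles midnight yields an over-wide window;
    a circular (modulo-24) window would be needed for night-shift identities.
    """
    lo, hi = min(hours) - slack, max(hours) + slack
    return lo <= hour <= hi


def detect(events, baseline_end=BASELINE_END, slack=HOUR_SLACK):
    """Findings for post-baseline events outside the identity's bounds.

    Returns (user, timestamp, reasons) tuples; reasons name the analytic that
    fired so the finding can be routed to the matching playbook step.
    """
    bounds = build_baseline(events, baseline_end)
    cutoff = _parse(baseline_end)
    findings = []
    for _src, user, ts, system, loc in events:
        t = _parse(ts)
        if t < cutoff:
            continue
        b = bounds.get(user)
        if b is None:
            findings.append((user, ts, "identity has no baseline"))
            continue
        reasons = []
        if system not in b["systems"]:
            reasons.append("newly accessed system")
        if not _hour_in_window(t.hour, b["hours"], slack):
            reasons.append("access time abnormal")
        if loc not in b["locations"]:
            reasons.append("location abnormal")
        if reasons:
            findings.append((user, ts, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

Each bound corresponds to one of the deck's model dimensions, which is what makes the rule tunable: widening `HOUR_SLACK` or adding a location to a user's baseline is a playbook decision rather than a code change, and a finding carries the analytic name so the response action can differ for "newly accessed system" versus "location abnormal".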
When a major breach occurs what do you do?
• Playbooks: Playbooks should direct staff how to coordinate and escalate the incident.
• Use escalation levels that can help guide staff with response time expectations and communication
  – Level 1 – Routine Incident
  – Level 2 – Potential Breach
  – Level 3 – Active Major Breach
• At level 2 have a plan to engage incident response - forensic services and cybersecurity insurance.
• At level 3 have a plan to engage legal, law enforcement, remediation - crisis management services, and public affairs.
A Summary of How Benefits Were Realized for the Value of Health IT
• Satisfaction: improve patient satisfaction and build trust by helping to improve security and reduce breaches and ransomware
– Benchmarks, information sharing, collaboration
• Electronic Secure Data: improve security of sensitive patient information
– Highlight maturity, 8 priorities, 42 capabilities, gaps, to enable information sharing in order to improve security
• Savings: reduce breaches and ransomware and associated business impacts and costs
– Frequency of occurrence, business impact