From Plans to Pen Testing - Dealing with The Unexpected · 2017-02-18


From Plans to Pen Testing - Dealing with The Unexpected

Session #CS3, February 19, 2017

Ron Mehring, CISO, Texas Health Resources


Speaker Introduction

Ron Mehring, VP, Technology & Security, Texas Health Resources


Conflict of Interest

Ron Mehring

Has no real or apparent conflicts of interest to report.


Agenda

• Healthcare Threat Landscape

• Security Plans, Continuous Monitoring and Penetration Testing

• Incident Management


Learning Objectives

• Explain the current threat and vulnerability landscape facing healthcare organizations.

• Illustrate how to plan and test your plan: practical information and perspectives on how to design and test your privacy and security plans to fit the needs of your organization.

• Describe how to test your plan with best case and worst case and “what if” scenarios.

• Explain current attacks and compromises and hallmarks of sophisticated vs. unsophisticated attackers.

• Explain how to recognize a significant security incident and what to do when a major breach does occur.


An Introduction of How Benefits Were Realized for the Value of Health IT

• Satisfaction: improve patient satisfaction and build trust by helping to improve security and reduce breaches and ransomware

• Electronic Secure Data: improve security of sensitive patient information

– Highlight gaps, enable information sharing to improve security

• Savings: reduce breaches and ransomware and associated business impacts and costs


The Healthcare Threat Landscape


Healthcare and the integrated cyber future

• Optimization of healthcare operations is driving the adoption of new and innovative technology platforms.

• Mergers and acquisitions are occurring at an increasing rate.

• Tighter technology integration is occurring across multiple platform types.

• The end user and the patient are driving new and innovative technology use cases.


What are some of the more significant threats?

• EHR shut down for 6 days due to a cyberattack. http://www.healthcareitnews.com/news/cyberattack-appalachian-regional-healthcare-keeping-ehr-down-after-six-days

• 3.7 million credit card breach via a malware attack on point-of-sale systems. https://www.bannerhealth.com/news/2016/08/banner-health-identifies-cyber-attack

• Massive Internet of Things attack. http://fortune.com/2016/10/23/internet-attack-perpetrator/

• Over half of the Locky ransomware in August was focused on hospitals. http://www.zdnet.com/article/a-massive-locky-ransomware-campaign-is-targeting-hospitals/


Protecting health care delivery networks is becoming more complex every day.


Sophisticated vs Unsophisticated Threats

• Advanced threats are characterized by the attacker's motivation, the attacker's persistence, and the attacker's ability to evade traditional cybersecurity hygiene controls.

– Nation state attacks

– Knowledgeable malicious insider threat with high-level access

– Targeted phishing attacks

– Environmentally tailored malware and exploits

– Well-designed, stealthy command and control

• Commodity everyday threats that can be prevented through the application of good cybersecurity hygiene.

– Physical theft

– Insider unauthorized access or misuse

– Broad-based phishing scams

– Known malware and exploits

– Noisy, smash-and-grab


Security Plan, Continuous Monitoring and Penetration Testing


Building an organizationally tuned penetration testing assessment program

[Diagram labels: Security Plan; Continuous Monitoring Plan; 3rd Party Penetration Testing Plan; Audit, Monitoring and Internal Assessments; Cost; Prioritization; Resources]

• Penetration testing is an assessment approach where security controls are purposely evaded.

• The assessment program should be aligned with the business risk profile and leadership expectations.

• 3rd party independent (penetration) assessment services should be employed when possible.

• All assessment and audit plans should be pulled into a single monitoring plan.


The Security Plan

[Diagram labels: Regulatory Requirements; Business Requirements; Emerging – Recognized Threats; Control Catalog; Control Thresholds]

• The security plan is based on the risk appetite of the organization.

• Control thresholds formalize security posture expectations.

• Audit, monitoring and assessment plans should be aligned with control thresholds.


The Continuous Monitoring Plan

• Documents all audit, assessment and monitoring requirements.

• Documents the specific tests required for each control area.

• Sets an integrated audit, monitoring and assessment schedule.

• Establishes stakeholder ownership for each control being assessed.


Setting the assessment schedule and robustness objectives

• Determine the most significant weaknesses

• Determine which controls are most important

• How often do they need to be tested?

• 3rd Party – Penetration Assessments

o Red teaming context

• Incorporation of controls based exercises

o Purple teaming context

• Phishing testing

• Vulnerability Exposure Assessments


Continuous Improvement, Data Driven Assessments and Exercises

• Improving incident response performance and baselining control effectiveness requires continuous assessments, exercising and testing.

• A quarterly driven independent assessment cycle ensures regular testing of control effectiveness.

• Adding risk exposure and threat data into assessments helps ensure the assessment cycle is focused on testing weaknesses in compensating controls.

• Data helps feed the continuous improvement cycle and reinforces high reliability principles.

[Timeline diagram: External Assessment, Internal Assessment, External Assessment, Internal Assessment; Continuous Phishing Exercises]


Penetration testing design based on scenario ("what if") approaches

Scenario chain: Phishing Email → Workstation Compromise → Access Compromise → Attacker Elevates Privileges. For each scenario, the controls listed form the testing requirement.

Phishing Email

• End user susceptibility

• Email filtering

• Detection - Monitoring

• Response Plan

Workstation Compromise

• Malware prevention

• Workstation hardening

• Detection - Monitoring

• Response Plan

Access Compromise

• User Monitoring

• Detection - Monitoring

• Response Plan

Attacker Elevates Privileges

• System Admin controls

• Detection - Monitoring

• Response Plan


The Security Plan, Risk and Operational Considerations

• Ensure assessment/audit operational performance data is fed back into the risk program.

• Apply techniques such as Kanban and Theory of Constraints; these techniques can help improve performance.

• Use risk scenarios (threat models) as a bridge between risk management and operations.

• Recognize that security risk decisions are tradeoffs.

• Best practices still must have a risk analysis performed. Not all best practices are appropriate for every environment.

• Be cautious of using “cybersecurity dogma” as a basis for risk prioritization.

[Diagram labels: Appetite - Requirements; Performance - Outcomes; Operations; Risk]


Incident Management


Detecting, Classifying and Managing Incidents

[Diagram: phases Preparation, Operations and Follow Through, with elements Risk Scenarios - Exposure; Incident Playbooks; Control Analysis; Incident Resolution; Operational Rhythm; Incident Response Plan; Workflow Development; Continuous Improvement; Benchmarking – Trend - Reporting; Security Architecture; Cyber Insurance; Incident Criteria]


Incident Response Performance

• Create a feedback loop of indicators and risk thresholds that flow into operations and continuous improvement processes.

• Data-driven workflows allow control performance and effectiveness to be measured.

Measures:

• Time to Detection

• Time to Respond

• Time to Remediate

[Diagram: feedback loop between Control Analysis and Risk Management, linking Threat Events Managed, Risk Scenarios, Incidents, Events, Indicator Output and Exposure Data]


How do you know when an incident is occurring?

• Establish analytics and log management platforms.

• Measuring where your most significant exposure is located will provide the best opportunity to detect an incident.

• Having a daily monitoring rhythm ensures that there is a regular routine for evaluating threat events.

• Use information sharing and threat intelligence services.

[Diagram labels: Incident; Analytics; Information Sharing; Rhythm; Threats/Exposure]


Using modeling and bounding approaches helps in setting and maintaining analytics

Bounding dimensions: Time, Location, Sensitivity, Quantity, Size, Identity, Asset, Data, Entitlement.

Establishing a model for the monitoring and analytics system can be very helpful for tuning, playbook and response actions.


How do you know when an incident is occurring?

Playbook               Log Data Sources                           Analytics
Anomalous Log In       Active Directory; VPN                      Access time abnormal; Location
Privileged Misuse      Active Directory; Database; EHR            Newly accessed system; Access time abnormal; Abnormal transaction activity
Data Loss/Compromise   Data Loss Prevention; File Directory Log   Sensitive data access activity; Sensitive data transmission activity
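The Anomalous Log In and Privileged Misuse rows of the table above, worked as an added example that is not part of the original deck: a few constructed Active Directory and VPN logon events are scored against a per-user baseline for the Access time abnormal, Location and Newly accessed system analytics, and each hit is routed to its playbook. The user, hosts, locations and the 1-hour tolerance are assumptions.

```python
# Added example (not from the slide deck). Users, hosts, locations and the
# 1-hour tolerance are hypothetical; a real system would age its baseline.
from collections import defaultdict
from datetime import datetime
# Constructed sample events: (timestamp, user, log source, location, system)
EVENTS = [
    ("2017-02-01T08:05:00", "jdoe", "Active Directory", "Dallas", "EHR-APP01"),
    ("2017-02-02T09:01:00", "jdoe", "VPN", "Dallas", "EHR-APP01"),
    ("2017-02-03T02:47:00", "jdoe", "VPN", "Remote-X", "EHR-APP01"),  # odd hour, unseen location
    ("2017-02-03T10:15:00", "jdoe", "Active Directory", "Dallas", "DB-PROD02"),  # unseen system
]
PLAYBOOK = {"Access time abnormal": "Anomalous Log In", "Location": "Anomalous Log In",
            "Newly accessed system": "Privileged Misuse"}  # routing per the slide's table

def hour_distance(h1, h2):
    d = abs(h1 - h2) % 24  # circular, so 23:00 and 01:00 are 2 apart, not 22
    return min(d, 24 - d)

def build_baseline(events):
    """Per-user sets of logon hours, locations and systems seen in the window."""
    base = defaultdict(lambda: {"hours": set(), "locations": set(), "systems": set()})
    for ts, user, _src, loc, system in events:
        base[user]["hours"].add(datetime.fromisoformat(ts).hour)
        base[user]["locations"].add(loc)
        base[user]["systems"].add(system)
    return base

def analyze(event, baseline, tolerance=1):
    """Analytics that fire for one event; a user with no baseline fires nothing."""
    ts, user, _src, loc, system = event
    hour, b, hits = datetime.fromisoformat(ts).hour, baseline[user], []
    if b["hours"] and all(hour_distance(hour, h) > tolerance for h in b["hours"]):
        hits.append("Access time abnormal")
    if b["locations"] and loc not in b["locations"]:
        hits.append("Location")
    if b["systems"] and system not in b["systems"]:
        hits.append("Newly accessed system")
    return hits

def detect(events, learn=2):
    """Baseline on the first `learn` events, score the rest -> {ts: {playbook: [hits]}}."""
    baseline, alerts = build_baseline(events[:learn]), {}
    for ev in events[learn:]:
        routed = defaultdict(list)
        for hit in analyze(ev, baseline):
            routed[PLAYBOOK[hit]].append(hit)
        if routed:
            alerts[ev[0]] = dict(routed)
    return alerts
```

The 10:15 logon stays quiet because it is within the tolerance of the 09:01 baseline hour, while the 02:47 logon from an unseen location raises both Anomalous Log In analytics.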


When a major breach occurs what do you do?

• Playbooks: playbooks should direct staff how to coordinate and escalate the incident.

• Use escalation levels that can help guide staff with response time expectations and communication:

– Level 1 – Routine Incident

– Level 2 – Potential Breach

– Level 3 – Active Major Breach

• At level 2 have a plan to engage incident response - forensic services and cybersecurity insurance.

• At level 3 have a plan to engage legal, law enforcement, remediation - crisis management services, and public affairs.


A Summary of How Benefits Were Realized for the Value of Health IT

• Satisfaction: improve patient satisfaction and build trust by helping to improve security and reduce breaches and ransomware

– Benchmarks, information sharing, collaboration

• Electronic Secure Data: improve security of sensitive patient information

– Highlight maturity, 8 priorities, 42 capabilities, gaps, to enable information sharing in order to improve security

• Savings: reduce breaches and ransomware and associated business impacts and costs

– Frequency of occurrence, business impact


Questions?

• [email protected]

• twitter.com/mehringrc

• linkedin.com/in/ron-mehring