THE NEW BATTLEGROUND: RANSOMWARE AND OTHER ADVANCED THREATS

Session 198, February 22, 2017

LYNNE A. DUNBRACK: RESEARCH VP, IDC HEALTH INSIGHTS

JOSH KINSLER: SECURITY ENGINEERING MGR, COMMUNITY HEALTH NETWORK


Page 2

SPEAKER INTRODUCTION

LYNNE A. DUNBRACK

RESEARCH VICE PRESIDENT: IDC Health Insights

JOSH KINSLER

SECURITY ENGINEERING MANAGER: Community Health Network

Page 3

CONFLICT OF INTEREST

LYNNE A. DUNBRACK JOSH KINSLER

NO REAL or APPARENT CONFLICTS of INTEREST to report.

Page 4

AGENDA

THE SECURITY IMPERATIVE IN HEALTHCARE

LESSONS LEARNED FROM COMMUNITY HEALTH NETWORK

Q & A

Page 5

LEARNING OBJECTIVES

RECOGNIZE TOP THREATS STALKING healthcare environments, medical devices, virtual infrastructures, and other medical technologies

ASSESS HOW HACKERS AND CYBER-EXTORTIONISTS are able to rapidly build up automated systems and tools to probe healthcare networks for exploitable vulnerabilities

IDENTIFY A PRAGMATIC PLAN with technology considerations, mitigation strategies, and impactful countermeasures across all attack vectors

Page 6

REALIZING THE VALUE OF HEALTH IT WITH OUTSIDE-IN AND INSIDE-OUT PROTECTION

Health IT creates five kinds of value of benefit to patients, healthcare providers and communities

S SATISFACTION

T TREATMENT/CLINICAL

S SAVINGS

E ELECTRONIC SECURE DATA

P PATIENT ENGAGEMENT & POPULATION MANAGEMENT

SECURITY across a highly distributed health system without compromising access to critical information

IMPROVED SECURITY PERFORMANCE and uptime equates to man-hours saved and a reallocation of resources to other IT priorities

RENEWED confidence in the security infrastructure and security awareness training

Page 7

HEALTHCARE TRENDS WITH SECURITY IMPLICATIONS

Source: Providing Outside In and Inside Out Protection against Ransomware and Other Intensifying Cyberthreats, An IDC Health Insights White Paper sponsored by Fortinet

Page 8

CYBERSECURITY THREATS INTENSIFY

1000s OF THREATS ON A DAILY BASIS

100s OF THREATS POTENTIALLY DANGEROUS

10 ARE SO SEVERE, THE CISO SHOULD CALL LAW ENFORCEMENT

Page 9

SHIFT FROM LOST & STOLEN DEVICES TO HACKING AND MALICIOUS IT INCIDENTS

[Chart: years 2009 to 2016, scale 0 to 120,000,000, by breach type: Unknown, Unauthorized Access/Disclosure, Theft, Other, Loss, Improper Disposal, Hacking/IT Incident]

112 million individuals affected due to a hacking/IT incident reported in 2015 up from 1.8 million in 2014

744K individuals affected due to loss and theft reported in 2015

84.4% of breached records in 2016 were the result of hacking or IT incidents

Source: U.S. Department of Health and Human Services Office for Civil Rights https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Page 10

IDC HEALTH: IDC PREDICTION #2

By 2018, there will be a doubling of ransomware attacks on healthcare organizations

IT IMPACT

Already overburdened IT staff further taxed

IT systems held hostage for exorbitant ransom payments

Mission-critical clinical systems are not available

GUIDANCE

Educate users that security is everyone’s responsibility

Design incident response procedures for cyber attacks

Be hyper vigilant about patches and SW updates

Page 11

INTERNET OF THREATS: EXPANDING ATTACK SURFACES ARE INCREASINGLY BORDERLESS

“HOW DO YOU MAKE THESE DEVICES, THAT YOU DON'T OWN OR CONTROL, SECURE FOR YOUR ENVIRONMENT?”

– Josh Kinsler, Security Engineering Manager, Community Health Network

Source: Providing Outside In and Inside Out Protection against Ransomware and Other Intensifying Cyberthreats, An IDC Health Insights White Paper sponsored by Fortinet

Page 12

MEDJACKING: EXPLOITING VULNERABLE INTERCONNECTED MEDICAL DEVICE ENDPOINTS

9.6% OF HEALTHCARE ORGANIZATIONS HAVE NETWORKED MEDICAL DEVICES INTEGRATED INTO THEIR ENTERPRISE SECURITY ARCHITECTURE

10.6% HAVE NOT BEGUN!

Page 13

BREAKING THE KILL CHAIN WITH ADVANCED NETWORK SECURITY LINES OF DEFENSE

Page 14

PLANNED SECURITY INVESTMENT: 46% OF PROVIDERS WILL INCREASE IT SECURITY SPEND

[Bar chart, axis 0% to 50%. Categories as listed: DATA CENTER SECURITY; MOBILE DEVICE SECURITY; INTRUSION/BREACH DETECTION; PHYSICAL SECURITY; SHADOW IT; IMPROVING SECURITY REQS FOR CLOUD SERVICE PROVIDERS; USER EDUCATION/ANTI-PHISHING STRATEGIES; MU COMPLIANCE; COMPLIANCE/HIPAA; DISASTER RECOVERY; VIRUS AND MALWARE DETECTION; BUSINESS CONTINUITY; DUAL FACTOR AUTHENTICATION. Values as listed, not matched to categories in this transcript: 45%, 37%, 34%, 33%, 33%, 30%, 25%, 23%, 23%, 17%, 14%, 13%, 9%]

Source: IDC Health Insights, Healthcare Provider Technology Spend Survey

Page 15

PROTECTION FROM THE OUTSIDE IN: BENEFITS OF ADVANCED THREAT PROTECTION

THREAT INTELLIGENCE FROM MILLIONS OF SENSORS AND THREAT INFORMATION SHARING

PROTECTION AGAINST KNOWN AND UNKNOWN THREATS

SHARED CYBERTHREAT INTELLIGENCE AMONG HEALTHCARE ORGANIZATIONS

Page 16

PROTECTION FROM THE INSIDE OUT

A New Class of Firewall: Internal Segmentation Firewalls

SEGMENT THE NETWORK WITH ISFWS STRATEGICALLY PLACED IN FRONT OF VALUABLE IT ASSETS

OPERATE AT MULTI-GIGABIT SPEED TO ENSURE OPTIMAL NETWORK PERFORMANCE

PREVENT UNFETTERED ACCESS TO THE NETWORK IF A THREAT GETS THROUGH THE FIRST LINES OF DEFENSE AT THE PERIMETER

COMPLEMENT NEXT GENERATION FIREWALLS AND UNIFIED THREAT MANAGEMENT SECURITY

Page 17

SECURITY BEST PRACTICES

1. INCLUDE ALL DEVICES AND DEVICE TYPES IN THE CYBERTHREAT ASSESSMENT

2. SEGREGATE MEDICAL DEVICES AND OTHER VALUABLE IT ASSETS

3. DEPLOY A BALANCED COMBINATION OF ADVANCED THREAT PROTECTION TECHNOLOGIES

4. BE HYPER VIGILANT ABOUT INSTALLING SECURITY PATCHES

5. PERFORM AND TEST REGULAR BACKUPS OF KEY SYSTEMS

6. USE SECURITY PRODUCTS BASED ON EXTENSIVE SECURITY INTELLIGENCE

Page 18

HEALTHCARE HAS CHANGED

TOP 4 ATTACKS: DDoS, RANSOMWARE, MALWARE, PHISHING

[Graphic: “Sorry We’re CLOSED” sign]

90% ORGANIZATIONS USE AT LEAST ONE TYPE OF MOBILE DEVICE TO ENGAGE PATIENTS

646 MILLION IoT DEVICES TO BE USED IN HEALTHCARE

80% PROVIDER ORGANIZATIONS ADMITTED A RECENT “SIGNIFICANT SECURITY INCIDENT”

HEALTHCARE CLOUD COMPUTING MARKET IS EXPECTED TO REACH $9.5 BILLION

Page 19

MEDICAL DEVICES

X-RAY and PACS

TARGETED MALWARE

PACEMAKERS, INSULIN PUMPS

NOTORIETY

Hacktivism / Assassination

Medicine Dispensers

High $$$ value on the street

Other Vulnerable Systems

Shared Workstations

IoT DEVICES – Badge readers, Alarm Systems, IP Cameras, Heart Monitors

PAGER SYSTEMS

Page 20

TODAY’S BORDERLESS ATTACK SURFACE…

WITH MORE WAYS IN…

AND MORE WAYS OUT…

[Diagram labels: Hospital (four sites), Remote Clinic (four sites), Primary Data Center, Backup Data Center, Mobile, Medical Devices]

Page 21

IOT HACKS on the RISE

600M Taiwan

ASUS UDP Command Execution

9 Million Hits (September 2016)

10’s of MILLIONS of IP’s

Page 22

OUR PHILOSOPHY

AWARENESS

EDUCATE USERS TO REDUCE DANGEROUS BEHAVIOR

EMAIL/Phishing Awareness Campaign/Continuing Education

PREVENTION

BLOCK THREATS BEFORE THEY ENTER OUR NETWORK

NEXT GEN FIREWALL, SANDBOXING, MAIL GATEWAYS, DNS FIREWALLING

RESPONSE

RESPONSE TO THE THREATS WE’VE DETECTED AS QUICKLY AS POSSIBLE

SIEM/IR

DETECTION

DETECT THE THREATS THAT WEREN’T BLOCKED

IDS/SIEM, MACHINE LEARNING

Page 23

Question 1

Which do you feel your company does the best currently?

1. Awareness

2. Prevention

3. Response

4. Detection

Page 25

How Does Ransomware Get In

MALICIOUS INFRASTRUCTURE

MALICIOUS CODE LAUNCHES

USER CLICKS A LINK OR MALVERTISING

RANSOMWARE PAYLOAD

OR

USER DOWNLOADS MALICIOUS EMAIL ATTACHMENT

RANSOMWARE PAYLOAD

Page 26

PHISHING ATTACK DNS QUERY

[Diagram labels: END USER, DNS SERVER, COMPANY B, FIREWALL, INTERNET, PUBLIC DNS, COMPANY WEBSITE, MALICE WEBSITE]

The END USER gets an email with a link that looks like it is for COMPANY A WEBSITE but is missing a “Y” in the URL. The end user CLICKS ON THE LINK, which does a DNS query for www.compana.com

Page 27

PHISHING DNS RESPONSE

[Diagram labels: END USER, DNS SERVER, COMPANY B, FIREWALL, INTERNET, PUBLIC DNS, COMPANY WEBSITE, MALICE WEBSITE]

DNS RESPONSE to query is 2.2.2.2

Page 28

OH NO!!! RANSOMWARE

[Diagram labels: END USER, DNS SERVER, COMPANY B, FIREWALL, INTERNET, PUBLIC DNS, COMPANY WEBSITE, MALICE WEBSITE]

COMPANY B END USER starts a TCP session with MALICE WEBSITE.

Page 29

YOUR FILES ARE ENCRYPTED!

Page 30

ONE BAND-AID: DNS SINKHOLE

WHAT IS A DNS SINKHOLE/FIREWALL?

USING STANDARD DNS REQUESTS THAT SHOULD GO TO ONE SITE AND REDIRECTING THEM TO ANOTHER.

Page 31

DNS SINKHOLE WITH PHISHING ATTACK

[Diagram labels: END USER, DNS SERVER, COMPANY B, FIREWALL, INTERNET, PUBLIC DNS, COMPANY A WEBSITE, MALICE WEBSITE, DNS Query]

The END USER gets an email with a link that looks like it is for COMPANY A WEBSITE but is missing a “Y” in the URL. The end user CLICKS ON THE LINK, which does a DNS query for www.compana.com

Page 32

DNS SINKHOLE RESPONSE

[Diagram labels: END USER, DNS SERVER, COMPANY B, FIREWALL, INTERNET, PUBLIC DNS, COMPANY A WEBSITE, MALICE WEBSITE]

The FIREWALL sees that it is a DNS request for a MALICIOUS WEBSITE and forges a response with the IP that you set up as a non-routable IP, or with the IP of your own site that lets the end user know that their PC just tried to visit a MALICIOUS WEBSITE.

DNS RESPONSE 10.10.10.10

Page 33

DNS SINKHOLE

[Diagram labels: END USER, DNS SERVER, COMPANY B, FIREWALL, INTERNET, PUBLIC DNS, COMPANY A WEBSITE, MALICE WEBSITE]

When the END USER now tries to get to the site, the traffic goes to a NON-ROUTABLE IP ADDRESS that doesn’t go off the firewall. You now get logs showing that the end user is getting SINK-HOLED and can start to investigate why.
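
The sinkhole behaviour walked through on the slides above, as an added example that is not part of the original presentation: a resolver policy that forges the 10.10.10.10 answer for a blocklisted name and keeps the log used to decide which hosts to investigate. The blocklist entry, client addresses, upstream table and function names are constructed for illustration.

```python
from collections import Counter

SINKHOLE_IP = "10.10.10.10"      # sinkhole answer shown on the slides
BLOCKLIST = {"compana.com"}      # constructed entry: the slides' look-alike domain
# Constructed stand-in for PUBLIC DNS; 2.2.2.2 is the slides' MALICE WEBSITE answer.
UPSTREAM = {"www.compana.com": "2.2.2.2", "www.companya.com": "198.51.100.10"}


def normalize(qname):
    """Lower-case a query name and drop the trailing root dot."""
    return qname.rstrip(".").lower()


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if the name or any parent domain is on the blocklist."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(client_ip, qname, log, blocklist=BLOCKLIST):
    """Answer one query the way the firewall on the slides does.

    A blocklisted name gets a forged answer pointing at the sinkhole and a
    log record; any other name is answered from the simulated upstream.
    """
    name = normalize(qname)
    if is_blocked(name, blocklist):
        log.append({"client": client_ip, "qname": name, "action": "sinkhole"})
        return SINKHOLE_IP
    return UPSTREAM.get(name)


def clients_to_investigate(log, min_hits=1):
    """Rank internal hosts by how many of their lookups were sinkholed."""
    hits = Counter(e["client"] for e in log if e["action"] == "sinkhole")
    return [(c, n) for c, n in hits.most_common() if n >= min_hits]


if __name__ == "__main__":
    log = []
    sample_queries = [               # constructed traffic
        ("10.1.4.23", "www.compana.com"),
        ("10.1.4.23", "WWW.COMPANA.COM."),
        ("10.1.7.80", "www.companya.com"),
        ("10.1.9.12", "login.compana.com"),
    ]
    for client, qname in sample_queries:
        print(client, qname, "->", resolve(client, qname, log))
    print("investigate:", clients_to_investigate(log))
```

Calling `resolve` with `blocklist=set()` reproduces the unprotected case from the earlier slides, where the same query is answered with 2.2.2.2.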

Page 34

Question 2

What causes the biggest risk in your organization?

1. End Users

2. Company Owned Devices

3. Vendor/Partner PC’s and Medical Devices

4. Food Truck sitting in the Parking Lot

Page 36

WHO HAS HEARD THIS MYTH?

“WE CAN’T CHANGE ANYTHING ON IT BECAUSE IT IS AN FDA APPROVED DEVICE.”

Page 37

CURRENT NETWORK

[Network diagram labels: Data Center, SDN Orchestration, DCFW, Cloud, Branch Office, PoS, IoT, NGFW, Campus, Mobile, Endpoint, UTM, External, Internal, Medical Devices]

Page 38

NETWORK SEGMENTATION

[Network diagram labels: Data Center, SDN Orchestration, DCFW, Branch Office, PoS, IoT, Campus, Endpoint, External, Mobile, Cloud, Medical Devices, Internal Segmentation, with the NGFW and UTM labels each repeated several times]

Page 39

REALIZING THE VALUE OF HEALTH IT

A Summary of How Benefits Were Realized for the Value of Health IT

Health IT creates five kinds of value of benefit to patients, healthcare providers and communities

S SATISFACTION

T TREATMENT/CLINICAL

S SAVINGS

E ELECTRONIC SECURE DATA

P PATIENT ENGAGEMENT & POPULATION MANAGEMENT

30% INCREASED VIEW/SECURITY ALERTS INTO THE INFRASTRUCTURE

5% FINANCIAL SAVINGS BY REDUCING MAN HOURS FOCUSED ON SECURITY FROM OTHER IT GROUPS

78% END USERS SUCCESSFULLY COMPLETING PHISHING CAMPAIGNS

22% TRUE SECURITY EVENTS COMPARED TO 58% FALSE POSITIVES

Page 40

QUESTIONS

LYNNE A. DUNBRACK

www.linkedin.com/in/lynne-dunbrack-8002b2

@ldunbrack

JOSH KINSLER

www.linkedin.com/in/josh-kinsler-806a874

@secjokin