
Healthcare Industry Perspective: Reducing the Attack Surface

Presenter: Jim Routh, Chair, NH-ISAC.





Presentation Transcript


  1. Reducing the Attack Surface. Healthcare Industry Perspective: Reducing the Attack Surface. Jim Routh, Chair, NH-ISAC. Spring Summit 2018. Presenter: Jim Routh

  2. Methods for Shrinking the Attack Surface
     From Wikipedia: "The attack surface of a software environment is the sum of the different points (the 'attack vectors') where an unauthorized user (the 'attacker') can try to enter data to or extract data from an environment.[1][2] Keeping the attack surface as small as possible is a basic security measure.[3]"
     "Go BIG or go home!"
     • Reduce the number of instances using SSNs for authentication and identification
     • Reduce the use of passwords as credentials for your customers and employees
     • Reduce the attack surface for your third-party products and services
     • Reduce the attack surface for phishing by implementing controls for the four types of attacks
     A smaller attack surface enables an enterprise to focus scarce resources on more concentrated areas of risk for the enterprise.

  3. SSNs as authenticators and unique identifiers
     SSN as an Authenticator
     • Using the last 4 digits to confirm identity for password reset
     • Account registration requiring SSN
     • Log-in requirement for user id or SSN
     SSN as a Unique Identifier
     • Using SSN to identify patient data with third parties
     • Adding SSN to multiple databases of claims history to identify members
     • Asking patients under care for SSN to confirm their identity
     • June 2017: GAO Report to the Chairman, Subcommittee on Social Security, Committee on Ways and Means.
     • October 2017: Rob Joyce: "I feel very strongly that the Social Security number has outlived its usefulness."
     • June 2017: The Centers for Medicare & Medicaid Services (CMS) announced it is preparing to issue Medicare cards that will use new unique numbers in place of cardholder SSNs.
     • May 18, 2018: Better Identity Coalition testimony to the House Ways & Means Committee.

  4. Techniques to Consider: SSN alternatives
     SSN as an Authenticator
     • Replace the use of SSN as an authenticator with behavioral attributes
     • Consider evolution to continuous behavior-based authentication
     SSN as a Unique Identifier
     • Use the member/patient id number to identify patient files
     • Revise the data classification policy
     • Apply a higher level of controls (encryption, PUM, multi-factor auth.) to any database storing SSNs

  5. Reduce password use
     "If I were a criminal..." (https://www.youtube.com/watch?v=Z8AbGDOv2dc): "I would use Sentry MBA for credential stuffing. I'd take log-in credentials and try them on different domains. I'd get a 2% hit, meaning 2% of the credentials I use will give me control of the account."
     • Most people use fewer than 5 passwords for all accounts
     • 50% of those haven't changed their password in the last 5 years
     References: https://sentry.mba/ ; https://krebsonsecurity.com/tag/sentry-mba/ ; https://blog.shapesecurity.com/2016/03/09/a-look-at-sentry-mba/

  6. 3rd Party: Evolution to event-driven risk management
     From: Annual static assessment → To: Continuous assessment (use a continuous assessment tool and share your vendor list with security intelligence services)
     From: One set of controls → To: Specific control requirements for each portfolio (design specific controls for each 3rd-party portfolio)
     From: On-premise site visits → To: Cloud-specific instrumentation controls (use cloud services monitoring tools and deploy controls in cloud services)

  7. 3rd Party: Evolution to event-driven risk management
     (Diagram: Your enterprise surrounded by three 3rd-party portfolios, Hosting Providers, Software Providers and Service Providers, each annotated with a risk score; values shown: 2.11, 3.24, 1.21, 2.13, 2.39, 1.79, 3.24.)

  8. 3rd Party: Evolution to event-driven risk management
     Software Providers, Key Controls: Software security; Incident response
     Hosting Providers, Key Controls: Asset management; Configuration management; Vulnerability management; Authentication; Network monitoring; Event logging; Incident response; Software security
     Service Providers, Key Controls: Background check; Cell phone ring fence; VDI & VPN
     (Diagram: risk scores shown per portfolio around Your enterprise: 2.13, 2.39, 1.79, 3.24.)

  9. 3rd Party Community
     • Invite 3rd parties into your community
     • Invite them into the NH-ISAC Community
     • Share information with them: intelligence; control requirements; techniques; tools; incident response
     (Diagram: Hosting Providers, Software Providers and Service Providers around Your Community.)

  10. Trusted Email: Shrinking the attack surface for Phishing
      Four phishing tactics, numbered 1 to 4 on the slide: Display Name Deception; Look-Alike Domain; Compromised Account; Spoof (grouped as Impostor vs. Authentic Sender / Account Owner)
      • DMARC
      • Sinkhole newly registered domains
      • Apply domain attributes to inbound filters
      • Identity Mapping Model

  11. Trusted Email: Four tactics for Phishing email
      Numbered 1 to 4 on the slide: Display Name Deception; Look-Alike Domain; Compromised Account; Spoof (grouped as Impostor vs. Authentic Sender / Account Owner)
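The "apply domain attributes to inbound filters" and "sinkhole newly registered domains" controls from slide 10, applied to the impostor tactics of slides 10 and 11, as an added example that is not part of the deck: it triages one inbound From: header against look-alike domains, domain age and protected display names. The protected domain, the VIP name, the registration dates and the threshold are all constructed assumptions.

```python
"""Inbound-filter triage for the impostor tactics on slides 10 and 11: look-alike
domains, newly registered domains and display-name deception. Added example, not
from the deck; every domain, name and registration date below is constructed."""
from datetime import date

PROTECTED_DOMAINS = {"example-health.org"}        # assumed: our own domains
VIP_DISPLAY_NAMES = {"jane doe"}                   # assumed: often-impersonated people
DOMAIN_REGISTERED = {"examp1e-health.org": date(2018, 5, 1),   # assumed feed of
                     "partner-labs.net": date(2009, 3, 12)}    # registration dates
NEW_DOMAIN_DAYS = 30                 # quarantine threshold for newly registered domains
HOMOGLYPHS = str.maketrans("015", "ols")   # fold digit-for-letter substitutions

def edit_distance(a, b):
    """Levenshtein distance, used to spot domains that imitate a protected one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_look_alike(domain):
    """True when a non-protected domain is within two edits of a protected one."""
    if domain in PROTECTED_DOMAINS:
        return False
    folded = domain.translate(HOMOGLYPHS)
    return any(edit_distance(folded, p.translate(HOMOGLYPHS)) <= 2
               for p in PROTECTED_DOMAINS)

def domain_age_days(domain, today):
    registered = DOMAIN_REGISTERED.get(domain)   # None when unknown to the feed
    return None if registered is None else (today - registered).days

def triage(display_name, from_addr, today=date(2018, 5, 18)):
    """Return (verdict, reasons) for one inbound From: header. Mail from our own
    domains is left to DMARC; everything else is checked on domain attributes."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain in PROTECTED_DOMAINS:
        return "internal", []
    reasons = []
    if is_look_alike(domain):
        reasons.append("look-alike domain")
    age = domain_age_days(domain, today)
    if age is not None and age < NEW_DOMAIN_DAYS:
        reasons.append("newly registered domain")
    if display_name.strip().lower() in VIP_DISPLAY_NAMES:
        reasons.append("display name matches a protected identity")
    return ("quarantine" if reasons else "deliver"), reasons
```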

  12. Type 3/4 Phishing Attack Sample
      (Screenshot of a sample message.) Identified as a type 3; passes DMARC; looks legitimate.

  13. Type 4: Identity Mapping Algorithms
      • Identity Mapping: Which identity is perceived to be sending this message?
      • Behavioral Analytics: Does this message match the expected behavior for that identity?
      • Trust Modeling: How is the perceived identity related to the recipient?

  14. Type 4 Control will become a reality (Coming Soon!)
      • Origin: Where are messages typically sent from? Servers/IPs; 3rd-party services; device
      • Destination: Whom are messages typically sent to? Number and breadth of recipients; types of recipients; frequency of sending to specific recipients
      • Artifact: What are the typical elements of the content? Attachment/URL types and characteristics; signature and structure of messages
      • Chronology: When are messages typically sent? Regularity/frequency-domain signals; time of day, day of week/month/year
      • Transmission: How are messages transmitted? Usage of mailing lists and forwarders; number of servers in the delivery path
      • Identification: Which identity markers are used? Which email addresses/services are used? Which variants of display name, signature, etc.?
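The behavioral-analytics question of slide 13 worked through over the six dimensions of slide 14, as an added example that is not part of the deck: a baseline is learned from an identity's sent-message history and a new message is flagged on each dimension where it falls outside that baseline. The identity, mail hosts, recipients and message records are constructed, and the per-dimension rules are one simple choice, not the vendor's algorithm.

```python
"""Behavioural baseline for the type-4 control on slides 13 and 14: learn what is
normal for one identity from its sent-message history, then flag a new message on
each dimension the slide lists. Added example, not from the deck; the identity,
hosts and messages are constructed."""
from collections import Counter

def msg(server, recipients, attachment, hour, hops,
        sender="jane.doe@example-health.org", display="Jane Doe"):
    """One message as the analytics layer would see it (constructed fields)."""
    return dict(server=server, recipients=recipients, attachment=attachment,
                hour=hour, hops=hops, sender=sender, display=display)

# Constructed history of messages sent by one identity over a few weeks.
HISTORY = [
    msg("mx1.example-health.org", ["ann@example-health.org"], "pdf", 9, 2),
    msg("mx1.example-health.org", ["ann@example-health.org",
                                   "bob@example-health.org"], None, 10, 2),
    msg("mx2.example-health.org", ["bob@example-health.org"], "docx", 14, 2),
    msg("mx1.example-health.org", ["ann@example-health.org"], "pdf", 16, 3),
]

def build_baseline(history):
    """Count every observed value per attribute; the counters act as
    'seen before' sets when scoring."""
    b = {k: Counter() for k in ("server", "recipient", "fanout", "attachment",
                                "hour", "hops", "sender", "display")}
    for m in history:
        b["server"][m["server"]] += 1
        b["recipient"].update(m["recipients"])
        b["fanout"][len(m["recipients"])] += 1
        for k in ("attachment", "hour", "hops", "sender", "display"):
            b[k][m[k]] += 1
    return b

def score(m, b):
    """Flag each of the slide's six dimensions where the message falls outside
    the identity's baseline; return (count of flags, flags). The higher the
    count, the less the message matches the behaviour expected for the
    perceived identity (slide 13's behavioral-analytics question)."""
    flags = {
        "origin": m["server"] not in b["server"],
        "destination": any(r not in b["recipient"] for r in m["recipients"])
                       or len(m["recipients"]) > max(b["fanout"]),
        "artifact": m["attachment"] not in b["attachment"],
        "chronology": not any(abs(m["hour"] - h) <= 1 for h in b["hour"]),
        "transmission": m["hops"] > max(b["hops"]),
        "identification": m["sender"] not in b["sender"]
                          or m["display"] not in b["display"],
    }
    return sum(flags.values()), flags
```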

  15. Trusted Email Healthcare Challenge 2018
      Migrate all consumer-facing healthcare companies to the use of Domain-based Message Authentication, Reporting and Conformance (DMARC) by year-end.
      62% of top healthcare entities have no DMARC policy in place.
      The "Doers": 23andMe; 3M Health Systems; Ascension Health; BC/BS of Rhode Island; Children's Hospital of Los Angeles; Henry Ford Health; Merck; Roswell Park Cancer Institute; Torrance Memorial Medical Center; Zocdoc
      The Others: 208 NH-ISAC members with no DMARC policy in place. The September Letter.

  16. Models drive front-line security controls
      (Diagram: a layered model with Input, Hidden and Output layers and a function 𝜁(s); caption: Mathematical formulation of observed events.)

  17. Models drive front-line security controls (figure only)

  18. Adjust your Talent Management Approach: Security Professional; Data Scientist
