Cybersecurity: Navigating a Changing Landscape
The Privacy & Security Forum 2015
Breaches (organization: records exposed)
Anthem (BC & BS): 80,000,000
eBay: 145,000,000
Adobe: 152,000,000
AOL: 24,000,000
Sony: 145,000,000
NASDAQ: unknown
SnapChat: 4,700,000
Neiman Marcus: unknown
Macrumors.com: 800,000
LexisNexis: 1,000,000
Korea Credit Bureau: 20,000,000
Target: 70,000,000
WA State Courts: 160,000
Drupal: 1,000,000
Advocate Medical Group: 4,000,000
CHS: 45,000,000
Walgreens: 100,000
Florida Courts: 100,000
Hudson Gas: 110,000
Nintendo: 240,000
South Africa Police: 16,000
Boston Children's: unknown
Touchstone: 300,000
LA County: 350,000
Montana DDHS: 1,300,000
Texas DHHS: 2,000,000
$400 billion: estimated annual cost to the global economy (McAfee/Center for Strategic and International Studies, June 2014)
$60: going rate for medical records on the black market.
"Your medical record is worth more to hackers than your credit card."
Today’s Threats – Global attacks on Intermountain
SANS Health Care Cyberthreat Report
• "This level of compromise and control could easily lead to a wide range of criminal activities that are currently not being detected. For example, hackers can engage in widespread theft of patient information that includes everything from medical conditions to social security numbers to home addresses, and they can even manipulate medical devices used to administer critical care."
• Barbara Filkins, Senior SANS Analyst and Healthcare Specialist
• http://norse-corp.com/HealthcareReport2014.html
…moving from protecting the perimeter to anticipating the attack…
Security Architectures
Old architectures no longer work!
• Can't simply tell customers "no"
• There are no more perimeters to defend
• Can't just throw money and employees at the problem
• Old practices can't keep up with threat levels
• Secure development lifecycle (SDLC)
Emerging threats: Black Hat 2014
• Google Glass password snatching
• Anonymous VDI screen scraping
• AD compromise through Kerberos
• Remote attacks against vehicles
• Memory scraping for credit cards
• USB Controller chips compromised
• Cellular compromise through control code
• Free cloud botnets for malware
• Mobile compromises through MDM flaws
Lose Assets, Not Data
• 1 in 4 houses is burglarized
• B&E occurs every 9 minutes
• > 20,000 laptops left in airports each year
• Typical asset inventories off by 60%
• 138% increase in records exposed in 2013
• 83% increase in large breaches that involve theft
• 6-10% average shrinkage of mobile devices
Sources: Radiate Media, McKinsey Global, Twitter, Cisco, Gartner, EMC, SAS, IBM, MEPTEC, QAS
Trust, but Verify
• ~2/3 of data breaches in 2012 could be attributed to negligence or human error
• > 70% of identity theft and fraud is committed by knowledgeable insiders
• In 2013, medical identity theft increased 20%
• Traditional audit methods and manual auditing are completely inadequate
• Behavior modeling, pattern analysis, and anomaly detection are needed
Sources: Ponemon, Radiate Media, McKinsey Global, Twitter, Cisco, Gartner, EMC, SAS, IBM, MEPTEC, QAS
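One way to act on the last two bullets, shown here as an added example that is not part of the Forum presentation: a small Python script that applies simple behavior modeling and anomaly detection to an EHR access audit trail. The log lines, user names, roles, the permitted-export role set and the thresholds are all constructed for illustration. It flags a user whose count of distinct patients viewed is far above the median for their role (a robust median/MAD baseline with a minimum spread so a tight baseline does not flag everyone), record exports by roles that are not permitted to export, and access outside normal working hours, which are the kinds of insider-misuse patterns a manual audit of individual records does not surface.

```python
"""Behavior-baseline anomaly detection over a constructed EHR audit trail."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records (hypothetical, not from any real system):
# timestamp, user, role, patient_id, action
SAMPLE_AUDIT_LOG = """\
2015-03-02T09:12:00,nurse01,nursing,P1001,VIEW
2015-03-02T09:40:00,nurse01,nursing,P1002,VIEW
2015-03-02T10:05:00,nurse02,nursing,P1003,VIEW
2015-03-02T10:30:00,nurse02,nursing,P1004,VIEW
2015-03-02T11:00:00,nurse03,nursing,P1005,VIEW
2015-03-02T11:20:00,nurse03,nursing,P1006,VIEW
2015-03-02T11:45:00,nurse03,nursing,P1007,VIEW
2015-03-02T13:00:00,nurse04,nursing,P1008,VIEW
2015-03-02T13:10:00,nurse04,nursing,P1009,VIEW
2015-03-02T14:00:00,nurse05,nursing,P1010,VIEW
2015-03-02T14:02:00,nurse05,nursing,P1011,VIEW
2015-03-02T14:04:00,nurse05,nursing,P1012,VIEW
2015-03-02T14:06:00,nurse05,nursing,P1013,VIEW
2015-03-02T14:08:00,nurse05,nursing,P1014,VIEW
2015-03-02T14:10:00,nurse05,nursing,P1015,VIEW
2015-03-02T14:12:00,nurse05,nursing,P1016,VIEW
2015-03-02T14:14:00,nurse05,nursing,P1017,VIEW
2015-03-02T14:16:00,nurse05,nursing,P1018,VIEW
2015-03-02T15:00:00,nurse05,nursing,P1018,EXPORT
2015-03-03T02:15:00,billing01,billing,P1001,VIEW
2015-03-03T09:00:00,him01,him,P1002,EXPORT
"""

EXPORT_ROLES = {"him"}   # assumption: only health information management may export
WORK_HOURS = (7, 19)     # assumption: 07:00-19:00 is the normal access window


def parse_audit_log(text):
    """Parse CSV audit lines into dicts with a real datetime."""
    records = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records


def distinct_patients_per_user(records):
    """Map user -> (role, number of distinct patients touched)."""
    seen, roles = defaultdict(set), {}
    for r in records:
        seen[r["user"]].add(r["patient"])
        roles[r["user"]] = r["role"]
    return {u: (roles[u], len(p)) for u, p in seen.items()}


def role_baseline(per_user):
    """Per role: (median distinct-patient count, median absolute deviation)."""
    by_role = defaultdict(list)
    for role, n in per_user.values():
        by_role[role].append(n)
    baseline = {}
    for role, counts in by_role.items():
        med = median(counts)
        baseline[role] = (med, median(abs(c - med) for c in counts))
    return baseline


def detect_anomalies(records, k=3.0, min_spread=3):
    """Return (user, kind, detail) tuples for volume, export and off-hours anomalies."""
    flags = []
    per_user = distinct_patients_per_user(records)
    baseline = role_baseline(per_user)
    for user, (role, n) in sorted(per_user.items()):
        med, mad = baseline[role]
        # min_spread keeps a zero-MAD baseline from flagging ordinary variation
        if n > med + max(k * mad, min_spread):
            flags.append((user, "VOLUME", f"{n} distinct patients vs role median {med}"))
    for r in records:
        if not (WORK_HOURS[0] <= r["ts"].hour < WORK_HOURS[1]):
            flags.append((r["user"], "OFF_HOURS", r["ts"].isoformat()))
        if r["action"] == "EXPORT" and r["role"] not in EXPORT_ROLES:
            flags.append((r["user"], "EXPORT_BY_ROLE", f"{r['role']} exported {r['patient']}"))
    return flags


if __name__ == "__main__":
    for flag in detect_anomalies(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(flag)
```

Against the constructed log this flags nurse05 twice (nine distinct patients against a nursing median of two, plus an export by a role that may not export) and billing01 once (a 02:15 access). A real deployment would compute the role baseline over weeks of history rather than one day's records, but the shape of the check is the same.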
The Security Challenge
SOCIAL, MOBILE, ANALYTICS, CLOUD, Regulatory Compliance
Sources: Radiate Media, McKinsey Global, Twitter, Cisco, Gartner, EMC, SAS, IBM, MEPTEC, QAS
SOCIAL
Major social networks by user base (network names did not survive extraction): 1.15+ billion users; 500+ million users; 500+ million users; 235+ million users
MOBILE
• 76% of mobile users review email on their phones
• 60% of social media users access these services on their phones
• 54% of mobile phones are smartphones
• 52% of breaches occur on personal devices including desktops, laptops, and portables
Sources: US Dept. Health and Human Services/Radiate Media, McKinsey Global, Twitter, Cisco, Gartner, EMC, SAS, IBM, MEPTEC, QAS
Audit trails: where is the data stored, when is the data moved, who moved the data
Encryption across the lifespan and spectrum
ANALYTICS
• Volume: 43 trillion GB of data by 2020
• Variety: healthcare data ~150 exabytes in 2011
• Veracity: poor data quality costs the U.S. ~$3.1 trillion a year
• Velocity: 18.8 billion network connections by 2016
CLOUD (2015)
• 230% cloud traffic
• 55% users online
• 380% storage needs
• 150% devices
Regulatory Compliance
• HIPAA
• Sarbanes Oxley (SOX)
• Federal Information Security Management Act (FISMA)
Data Protection
• Wearables & Fitness Trackers
• Removable Media
• Connected Medical Devices
• Smart Phones
• Tablets
• Laptops
Embrace Mobility
• Care can be improved through access to the real-time patient data that an increasing number of patients are collecting
• They want to share clinical data, locate one another, update attending doctors on patient conditions, and order and transmit information and images
• Security priority should be on data and device
• Restrict access based on location, and encrypt data in transmission and storage
Securing Mobility
• Enforce and monitor device encryption & passwords
• Detect geo presence of devices
• Force remote wipe after 30 minutes lost
• Screen savers/auto-locking
• Asset inventories and life cycle management from acquisition to disposition
• Enforce a Secure Development Lifecycle (SDLC)
Security Operations Center
24x7 oversight to detect and respond to
• Builds intelligence dynamically
• Aligns processes with Business Operations
• Defines best practices (internally, globally)
• Continuously improves protection and monitoring
• Analyzes business activity, network traffic, and actionable events
• Optimizes playbooks and use cases
Detecting an event is one thing; knowing what to
Strategies
• Develop a risk inventory and mitigation plan
• Develop a mobile/BYOD security strategy
• Develop a set of common security controls
• Develop asset management strategies
• Develop an ePHI inventory
• Develop a Risk Management framework and prioritization guidelines