Endpoint Protection – A Few Tips


Properly Configured Endpoint Protection is Still Critical

There are a few big misconceptions that companies have about endpoint security tools.  It starts with a belief by executive leadership that you can buy a product that will plug gaps without significant internal costs.  This of course leads to shoddy product implementations, little to no training on the new product and a lack of resources assigned to the product once it’s in production.

The end result of this philosophy is that IT and security are left with a piece of hardware or software that few know how to effectively use and do not have the staff to truly manage.  It is important to note that poorly managed security tools have led to some of the largest security breaches (Target, Sony, Anthem).

So with all that said, endpoint protection is one of the bread-n-butter components of an effective security defense.  It is also one of the most poorly managed components due to the lack of  new technology “sparkle”, such as the latest IDS/IPS tools.

Here are a few tips to bounce against your (hopefully) current endpoint protection (EP) solutions:

  • Endpoint protection must have appropriately configured policies to be effective.  Lax policies equal far less protection against aggressive malware.  Review your vendor’s best practices guide on this issue.
  • Your Endpoint protection must be monitored from a central server.  Trained security personnel must follow up on suspicious activity reported by the endpoint software.  You would be surprised how often this is not the case.
  • Endpoint protection is not a panacea for poor patching practices on the end user devices.  Devices that lag behind in patching can be easily compromised by malicious software.  There are too many zero-day and known vulnerabilities for antivirus/malware software to effectively protect against.
  • Employees can often subvert enterprise endpoint protection by uninstalling the software or killing processes depending upon what policies are in place.  Also, employees can respond to phishing emails that can bypass endpoint protection by cloaking malicious processes inside legitimate ones.
  • Keeping your A/V signatures updated isn’t the only challenge.  Ensure you are running current code for your scan engine, HIPS, DLP tools etc.  Maybe not the bleeding edge, but no more than two minor revisions behind.
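The last tip, "no more than two minor revisions behind", is easy to state and rarely checked. The following is an added example (not from the original post) that applies that rule to an endpoint inventory: the component names, current release numbers and inventory rows are constructed sample data, and a real run would read the inventory from the EP management console's export.

```python
"""Version-drift check for endpoint protection components.

Added example, not from the original post. It flags any host whose scan
engine, HIPS or DLP build is more than two minor revisions behind the
vendor's current release, is a whole major version behind, or does not
report the component at all. All version strings below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_MINOR_LAG = 2  # the post's rule of thumb

# Constructed: vendor's current release per component (major.minor.patch).
CURRENT_RELEASES: Dict[str, str] = {
    "scan_engine": "14.3.5",
    "hips": "9.7.1",
    "dlp": "11.2.0",
}

# Constructed: inventory rows as a management console might export them.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "fin-lt-01", "scan_engine": "14.3.5", "hips": "9.7.1", "dlp": "11.2.0"},
    {"host": "hr-ws-07", "scan_engine": "14.1.9", "hips": "9.5.0", "dlp": "11.2.0"},
    {"host": "lab-pc-03", "scan_engine": "14.0.2", "hips": "9.7.1", "dlp": "11.2.0"},
    {"host": "mri-ctl-1", "scan_engine": "14.3.5", "hips": "8.9.4"},
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major[.minor[.patch]]' into ints; missing parts default to 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def minor_lag(installed: str, current: str) -> Optional[int]:
    """Minor revisions the installed build lags the current one.

    Returns None when the major versions differ: that gap is not a count
    of minor revisions and is treated as stale regardless of MAX_MINOR_LAG.
    """
    i_major, i_minor, _ = parse_version(installed)
    c_major, c_minor, _ = parse_version(current)
    if i_major != c_major:
        return None
    return max(0, c_minor - i_minor)


@dataclass
class Finding:
    host: str
    component: str
    installed: Optional[str]
    current: str
    reason: str


def check_inventory(inventory: List[Dict[str, str]],
                    current: Dict[str, str] = CURRENT_RELEASES,
                    max_minor_lag: int = MAX_MINOR_LAG) -> List[Finding]:
    """Return one Finding per host/component that breaks the lag rule.

    A component missing from a row is reported too: an endpoint that does
    not report its HIPS or DLP build cannot be assumed current.
    """
    findings: List[Finding] = []
    for row in inventory:
        host = row.get("host", "<unknown>")
        for component, latest in current.items():
            installed = row.get(component)
            if installed is None:
                findings.append(Finding(host, component, None, latest,
                                        "component not reported"))
                continue
            lag = minor_lag(installed, latest)
            if lag is None:
                findings.append(Finding(host, component, installed, latest,
                                        "major version behind"))
            elif lag > max_minor_lag:
                findings.append(Finding(host, component, installed, latest,
                                        f"{lag} minor revisions behind"))
    return findings


if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        print(f"{f.host:<10} {f.component:<12} {f.installed or '-':<8} "
              f"(current {f.current}): {f.reason}")
```

On the sample inventory, hr-ws-07 sits exactly two minor revisions behind on two components and passes, while lab-pc-03 (three behind), and mri-ctl-1 (HIPS a major version back, no DLP reported) are flagged.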

This list was created based on issues I have found when working with my clients on updating their security program.  Drop a comment below if you have more to add or if you have a question.

Medical Device Madness. No Excuses


Manufacturers Cannot Use the “Re-certification” Excuse to Dodge Security Patching Responsibilities.

In my last post, I touched on the issue of cybersecurity vulnerabilities in medical devices and how the healthcare industry struggles to manage this risk.  We also mentioned the June 2013 FDA Safety Memo that outlined what it perceived as the new responsibilities for manufacturers, healthcare entities and the FDA itself regarding the securing of these devices.

Recently I published an online course in collaboration with the Financial Times / ExecSense on this topic.  I covered quite a bit of the problematic history of medical device security as well as some strategies on how to address this issue on the technology and business fronts.  Healthcare leadership push-back on recalcitrant medical device vendors  will be key in addressing this problem.   Painful cultural change will also be necessary.

In the June 2013 safety communication, the FDA broke down the responsibilities of the healthcare organization, the medical device manufacturer and the FDA itself. If you are in the healthcare arena, the document is short and well worth the read (Link Above), but I’ll put up some highlights:

Healthcare Providers
• Monitoring network activity for unauthorized use.
• Making certain appropriate antivirus software and firewalls are up-to-date.
• Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services

Device Manufacturers
• Take steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks. Appropriate security controls may include: user authentication, for example, user ID and password, smartcard or biometric; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
• Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.

FDA
• The FDA released a draft guidance on how manufacturers should address cybersecurity in their pre-market submissions. The FDA also has guidance on how manufacturers should address cybersecurity issues related to products that use off-the-shelf software.

The most interesting sentence in the document, and the most powerful, is “The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.” Of course the inclusion of the word “typically” provides device manufacturers with some significant wiggle room. However, this statement begins to take the air out of the standard vendor re-certification argument when it comes to patching and endpoint protection.

Adding more fuel to the fire is the recent release of the Health and Human Services (HHS) Office of Inspector General (OIG) Fiscal Year 2014 Work Plan, which outlines their intent of focusing on medical device security. The work plan states that OIG “will determine whether hospitals’ security controls over networked medical devices are sufficient to effectively protect associated electronic protected health information – ePHI – and ensure beneficiary safety.” The document then clarifies that “Computerized medical devices … pose a growing threat to the security and privacy of personal health information. Such medical devices use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wired or wireless communications.”

With both the FDA and HHS OIG now in the act, healthcare clinical project managers and security professionals may finally get the ammunition they need to bend the ear of medical device manufacturers. At present it is primarily the healthcare organization that has to contort its requirements and security concerns to ensure they receive vendor support for their devices.

I’d like to hear some feedback from other healthcare PMs and security professionals on this topic. So please feel free to drop me a line in the comments below!

Medical Device Madness. Security Suffering

Critical Risks

Poorly Protected Medical Devices are a Serious Cybersecurity Threat

“We can’t add a virus scanner to our device or we’ll have to get re-certified by the FDA.” If you have any time in the trenches as a healthcare project manager, you have heard those words spoken by a medical device rep. Famous for falling back on the “FDA re-certification” argument, these words have clipped the wings of many a project security and usability requirement. Since many of these devices are sold by a few key players (Philips, GE), healthcare providers have had little choice but to grit their teeth and allow insecure hardware and software to be attached to their network. Then the real challenge begins as the quirky device(s) begin to show unexpected behaviors and generally fail to play well with standardized enterprise systems. If the healthcare organization deploys an operating system patch or places their standard endpoint protection on the device, they run the risk of the vendor halting support during a device issue until the offending patch or software is removed. This can quickly escalate into a patient safety issue, so many times organizations accept the risk and keep their medical devices unpatched and under-protected.

For years medical providers have petitioned the FDA to clarify the rules around cybersecurity and medical devices. Do device manufacturers have to re-certify every time they apply an operating system patch or install endpoint protection? The issue gained more urgency as HIPAA penalties for patient data breaches became more common. Organizations rightly questioned the re-certification argument from vendors since some of the most sensitive protected health information (PHI) is passed through or collected by these devices. How can organizations effectively manage their security risks and protect against breaches if their key devices remain vulnerable to the most common security issues: outdated patches and endpoint protection? So healthcare IT had to get creative about protecting these devices: separate medical VLANs, additional physical security, hamstrung endpoint protection and a lot of reluctant risk acceptance. While these steps help mitigate the risk of a breach, organizations still have to contend with the same issues that led to the recent Target credit card breach: default admin passwords, patching issues and third-party system access.

Clarity on these concerns may finally be on the horizon. While not as strongly worded as some healthcare security and IT practitioners would like, the FDA has recently released (June 2013) a Safety Communication on the topic of medical devices and cybersecurity. It is the first in a series of memos and articles that point toward the FDA beginning to crack down on the issue of medical device security.

In my next post I will summarize the FDA Medical Device Safety memo as well as provide some additional thoughts on how to address this thorny problem.  As always please feel free to leave comments below!

Of Portals and Patient Care: Education and the Healthcare PM

Patient Education, Literacy and Patient Portals are Making Healthcare Inroads

Patient Education and Literacy are among the key topics that are bandied about in the Preventative Medicine discipline and its quest to reduce healthcare costs.  Of course the fact that 42 percent of patients do not understand “empty stomach” guidelines for medication is a cause for concern and a data point for how effective healthcare and wellness education has been to date.

With that in mind, AtTask has published a short piece of mine that covers Patient Education and how it impacts healthcare professionals and the project managers tasked with implementing Patient Education-based projects.

Here’s a bit of the post and then follow the link for the remainder of the article:

I had mentioned in my last post, Hazards on the HIE Road – A Map for Project Managers, that I was going to discuss Patient Education and what projects that PMs were going to be exposed to in this space.

Like most things in healthcare, patient portals and education are linked to HIPAA, Meaningful Use and the Joint Commission. Project Managers must understand the various technological, business and healthcare related drivers that are moving these tools to the fore.

Patient Learning and the tools associated with that discipline have gained considerable traction in the healthcare field. Driven by regulatory, technological, and patient forces, healthcare providers are launching suites of tools that allow patients to access their medical records online, order tests and interact with providers. Medical professionals are relying more on patient portals and other tools to drive better results for their practice and efficiently facilitate patient visits.

Not only do patient learning tools and portals educate the client, they provide risk management and business process management benefits. These tools help coordinate the distribution of clinical, administrative, and financial activities including multi-disciplinary and multi-care settings, plans of care, active care coordination, and the automation of compliance management with a healthcare provider.

– See more at: Of Portals and Patient Care: Education and the Healthcare PM

Hazards on the HIE Road – A Map for Project Managers

Quite a few pitfalls await the Project Manager

Health Information Exchanges are at the forefront of information security and general news these days.  Since HIEs play an important role within the overall state and federal Health Insurance Marketplaces, and the security controls within these marketplaces are looking a bit dubious, the overall discussion of HIEs and how they impact healthcare project managers is a timely topic.

With that in mind my latest AtTask Work Management blog post is up.  I cover the HIE technical, regulatory and process backgrounds and how it impacts healthcare project managers.

Here’s a bit of the post and then follow the link for the remainder of the article:

In my last post, “Healthcare’s Creative Destruction & the Project Manager”, I mentioned that I would outline Health Information Exchanges and what a project manager should know about the current state of these local, state and federal initiatives.  Why is this topic so important?  In the scale of software development and database integration, few projects like the Nationwide Health Information Network (NwHIN) have been so sweeping in scope, no matter the industry.

One facet that defines the scope of this massive effort is the dollars spent.  The Affordable Care Act mandates (Meaningful Use) that healthcare providers shift to Electronic Medical Records (EMR). Without EMRs, a NwHIN would not be possible.  In order to facilitate this, the Federal government has doled out $12.6 billion in subsidies to providers since 2012.  For the first two months of 2013, $425 million has been handed out for EMR meaningful use.  These large numbers do not take into account the vast sums that will be spent on local, state and federal HIE/HIX promotions, setup and operations (currently estimated at $5 billion).

– See more at: Hazards on the HIE Road – A Map for Project Managers

Healthcare’s Creative Destruction and the Project Manager

The Impact of Creative Destruction in Healthcare on the Project Manager

My latest AtTask Work Management blog post is up.  I cover the current creative destruction that is ongoing in healthcare and how this is impacting the project manager and the discipline as a whole.

Here’s a snippet and then follow the link for the remainder of the article:

“It’s already here; the churn of healthcare change.  Small physician practices are being swallowed up by large healthcare organizations. Older practitioners are retiring sooner, rather than slog through the tremendous business process and regulatory changes that are buffeting healthcare. Local, state and the federal government are embarking on a massive data sharing project with Health Information Exchanges.

These issues all lead to a tremendous amount of risk for the healthcare project manager. To combat this, a PM in healthcare will have to have contract, technology, regulatory, and business savvy when piloting an outreach or new clinic project.”

– See more at: Healthcare’s Creative Destruction & the Project Manager

Navigating the Churn of Healthcare Project and Work Management

Work Management Blog from AtTask

Joining AtTask’s Work Management Blog as a Guest Author

I have done some work in the past for AtTask such as Podcasts and Webinars.  They recently invited me to become a guest blogger for their Work Management blog.  I will be writing on the topics of healthcare, project management and cybersecurity.

My first article was recently posted.  Here is a snippet with a link to the remaining piece:

So, back to the healthcare priorities, what are they? Well, that’s part of the problem. There are so many priorities at the moment in the healthcare space, it’s almost impossible to get a clear direction. There is an alphabet soup of healthcare initiatives that are pressing down on the industry (HIPAA, HITECH, ARRA, ACA, HIE, HIX, ICD-10, Meaningful Use) that, like a tsunami, has engulfed all resources available in many organizations. – See more at:  Navigating the Churn of Healthcare

The New Alchemy: Data to Dollars. Now, Protect It.

Sensitive Information or Data is the New Crown Jewels

Data is Money. How Do you Effectively Protect it?

Protection of data.  That’s what security boils down to and it’s what I tell clients when they ask me what they need to protect most.  Competitors, criminals and other players covet your data because it can be converted into money.  Like an alchemist turning lead into gold.

Much of this data you are trying to protect is sensitive or personally identifiable information (PII), like medical or financial records.  So how do you protect PII and what are the ramifications if you don’t?  Well, let’s roll out some common questions I get from clients and address the issues one by one.

What Are the PII Compliance Issues?

The primary compliance issue will involve data protection.  There will be increased litigation of security breaches due to the ever increasing penetration of sensitive electronic information and its impact on consumers if disclosed.

With the “Consumerization” trend pushing the enterprise to integrate consumer devices (iDevices, Androids, Chromebooks, etc.), a tremendous amount of risk opens up regarding the security and storage of sensitive information (PII).  A central IT organization no longer chooses and controls the hardware that is utilized to access critical enterprise information.  Corporate compliance and information security will have to struggle to balance regulatory requirements on one hand with the need to provide access to critical data on the other.

Are There New/Emerging Pieces of Legislation, Including Federal That Touch on PII Protection?

There are many layers of regulatory compliance for organizations who hold sensitive electronic data.   These mandates originate from federal, state and local governments. The legal and regulatory compliance area has increased tremendously over the last decade, with HIPAA, Sarbanes-Oxley, PCI DSS, HITECH and Dodd-Frank impacting almost all industries in the U.S.

On the “new/emerging” legislation front, the FDA has also proposed a new regulatory framework called MDDS or Medical Device Data System.   Basically, any computing device, application, network or storage solution that is attached to a regulated medical device becomes a “medical device” and is thus subject to regulation.  This would include smartphones, iDevices and tablets in general.  These new regulations will create additional complexity for healthcare IT and Security staff who are attempting to gain control of an environment where physicians are attaching their own iDevices to enterprise systems.

Buried on Regulations and Guidelines

A Ton of Regulation Exists that Directly Addresses PII Security and Breach Ramifications

How About More Enforcement of Current Regulations/Mandates That Could Result in Jail/Fines?

With the advent of HIPAA and the HITECH Act, providers are ramping up their efforts to protect electronic and physical medical records.  This is primarily due to the significant fines an organization can face if records are lost or stolen.

With provisions in the HITECH Act mandating a move toward Electronic Healthcare Records (EHR), healthcare providers are adopting EHR solutions as a means to address patient data security.  Most EHR providers offer a hosted or “cloud” solution so physicians do not have to locally host their EHR package, which reduces cost somewhat.

Expect enforcement of HIPAA/HITECH to ramp up significantly in the near future due to the added enforcement policies within HITECH.  As an example, healthcare provider Cignet received the first penalty ($4.3 million) under HIPAA, due to HITECH regulatory enforcement.  HHS OCR has recently levied penalties on other providers to continue this general trend.

Organizations who have complied with government and industry regulations are far more likely to be protected from lawsuits based on “due diligence” clauses built into many industry regulations.  PCI DSS is one example of this with its “get out of jail free” or “Safe Harbor” clause. Safe Harbor is determined to be in effect if the breached organization was deemed compliant with PCI regulations at the time of the breach.

What Security Technologies, Processes or Policies Can Help?

The most significant hurdle to overcome with sensitive data security (PII) is user behavior.  Organizations will have to address where users can store and access sensitive data securely, what devices (iPhones, iPads, Androids, etc.) are allowed on the network and what policies are to be put in to place to enforce these mandates.  Educating the enterprise in the proper way of treating sensitive data in multiple scenarios will be far more challenging than implementing new technology.

Technology Alone is Not Enough to Protect Data

Training is the Most Effective Security Tool. Speeds and Feeds Only Goes So Far.

The best way to modify user behavior is effective training with simple, enforced and monitored security policies.  Unfortunately organizations have cut back training activities significantly during the Great Recession and are only now slowly adding funding back.  Organizational policies are also an issue.  In many cases these policies are lengthy, unread and unenforced tracts that languish in the appendix of the New Employee Handbook.

The complexity of security compliance with mobile devices may be simplified with the acceptance and implementation of Virtual Desktop Infrastructure (VDI) technology in the corporate environment.  This technology has the ability to push a secure remote desktop image to a mobile device.  A user logs into a specific desktop image, the network connection is encrypted and the data is stored remotely on secure corporate storage.  The company gains greater control over mobile devices with the added benefit of providing a secure, standardized image for employees.  This VDI solution also cuts the risk of sensitive data being lost or stolen due to the ephemeral nature of the remote desktop technology.  Once the user logs out, the desktop is gone and the user is presented with the consumer mobile interface again.

I’d like to hear your take on this topic, so sound off in the comments below!

Just Add Water. Cloud Computing Can Enhance Security

3 Top Things IT Experts Won't Tell You About Cloud Computing Security

The Cloud Can Have a Security Silver Lining…Really

Houston-based technology consulting firm, Xvand (IsUtility) graciously offered the opportunity to provide content for their cloud computing blog. I worked closely with firm representative Yehuda Cagen on the topic of how Cloud Computing can actually increase enterprise security if correctly applied.

The article, 3 Top Things IT Experts Won’t Tell You About Cloud Computing Security, covers Managed Security Service Providers (MSSP), Cloud Disaster Recovery strategies and Mobile Device Management (MDM).  These solutions are particularly relevant to those firms who do not have the internal resources available to address the multitude of issues that are currently breaking over the enterprise.

Cloud security is still an immature practice, yet the services mentioned above can cover significant security gaps in your organization, reduce the risk of data loss or allow the effective management of the consumerization trend in the enterprise.

With security and IT teams strapped for resources and time, these services can allow for a more proactive approach to information security and risk management.

Please feel free to sound off in the comments below!

And Now A Word From Your Commonsense

Much of Security is Prevention.

An Ounce of Prevention is Worth a Pound of Cure

As infosec pros debate the finer points of IPv6, Cloud security, IDS/IPS and risk management it behooves us to stop and remember our customers. They really don’t care if your solution is FIPS certified and is SAS 70 compliant. They are only concerned if their identity is stolen and used to open a pickle stand in Zanzibar.

Open Google and search on information security tips and watch it bring back around 124 million hits.  I am about to add +1 to that lengthy hit parade.  Why?  Well, I have been working the New Employee Orientation presentation circuit at one of my clients for a bit and I always get a boatload of questions from the attendees. Since my presentation covers social engineering, identity theft and how a device gets infected with malware, I get a lot of queries pertaining to these topics.

This thread also ties into commentary I provided earlier on endpoint security and social engineering in the Chicago Tribune and Los Angeles Times.  The article was entitled “Security Breaches Highlight Need for Consumer Vigilance”. Just recently, eSecurity Planet also featured my contributions on how malware removal differs in the enterprise and for personal devices in their article “The Best Malware and Antivirus Tool is Prevention”.

So I decided to distill all these questions and tips down and answer them in this article.   First let’s tackle some routine best practices.

When it comes to numerical pass-codes (debit cards, badges, etc.), how should one pick?

Debit card PINs are normally only assigned by a financial institution.  You can request to change them, but they are sent separately from the debit or credit card.  When you receive the PIN via mail, memorize it and then destroy/shred the letter.  Never write your PIN on your card.  Also, when withdrawing cash from an ATM or using your card at a retailer’s terminal, ensure no one is looking over your shoulder or “shoulder surfing”.  Another good tip is to inspect the point of sale terminal or ATM for signs of tampering.  If the keypad is misaligned or the card slot mechanism looks suspicious, do not use the device.  It could be compromised and part of a “skimming” operation.

When it comes to alphabetical and numerical passcodes (such as those used online), how should one pick?

Best practices for online passwords are relatively straightforward.  They should be at least 12 characters in length with a mix of upper and lower case letters, numbers and accepted special characters.  They should not consist of addresses, dates of birth, pet names, spouses or anything easily gleaned from social media or personal data.

It is better to use a “pass phrase”, basically a sentence you can easily remember that can consist of the above recommendations.  These are normally 30 characters long and consist of non-dictionary words.

These recommendations are based on applications that can accept this input.  Many online applications still only require 6 to 8 character passwords and don’t support special character content.

Bad Passwords Brought To You By RockYou Users

If You Have One of These, Change It Now

What are the most common used passwords and why should we avoid using them?

In light of the RockYou password database breach, the most common password was “123456” the next was “12345”.  Other popular passwords were “princess” and “Password”.

These passwords should be avoided at all cost because they are short, lack special characters, are easily guessed and can be cracked with software rapidly.
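The password rules above (12+ characters, mixed case, digits and specials, nothing drawn from personal data, and none of the RockYou favourites) are the kind of thing an application should check at the point a user sets a password. The following is an added example, not code from the original article: it encodes those rules as a checker. The "accepted" special-character set, the personal-data tokens and the sample candidates are constructed, and the common-password list holds only the four passwords the post quotes; a real deployment would load a full breached-password list.

```python
"""Password-policy checker for the guidance in the post above.

Added example, not from the original article. check_password() returns a
list of reasons a candidate fails; an empty list means it passes. The
special-character set and sample data are constructed assumptions.
"""
import re
from datetime import date
from typing import List, Optional, Sequence, Set

MIN_LENGTH = 12         # the post's minimum for an online password
PASSPHRASE_LENGTH = 30  # the post: passphrases are "normally 30 characters"

# Constructed: a typical set of "accepted special characters".
SPECIALS: Set[str] = set("!@#$%^&*()-_=+[]{};:,.?/")

# The four passwords the post quotes from the RockYou breach. A real
# deployment would load a complete breached-password list here instead.
COMMON_PASSWORDS: Set[str] = {"123456", "12345", "princess", "password"}


def personal_tokens(names: Sequence[str], birth: Optional[date]) -> Set[str]:
    """Strings a password must not contain: names (pets, spouses, streets)
    and the user's date of birth in the usual numeric layouts."""
    tokens: Set[str] = set()
    for name in names:
        squashed = re.sub(r"\s+", "", name.lower())
        if len(squashed) >= 4:        # very short names would over-match
            tokens.add(squashed)
    if birth is not None:
        y, m, d = birth.year, birth.month, birth.day
        tokens.update({
            f"{y}", f"{m:02d}{d:02d}", f"{d:02d}{m:02d}",
            f"{y}{m:02d}{d:02d}", f"{m:02d}{d:02d}{y}", f"{d:02d}{m:02d}{y}",
        })
    return tokens


def check_password(candidate: str, names: Sequence[str] = (),
                   birth: Optional[date] = None) -> List[str]:
    """Apply the post's rules and return every reason the candidate fails."""
    problems: List[str] = []
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character")
    # Compare against personal data with case and whitespace removed, so
    # "Dana 2019" and "dana2019" are caught alike.
    squashed = re.sub(r"\s+", "", candidate.lower())
    for token in sorted(personal_tokens(names, birth)):
        if token in squashed:
            problems.append(f"contains personal data {token!r}")
    return problems


def verdict(candidate: str, names: Sequence[str] = (),
            birth: Optional[date] = None) -> str:
    """'reject', 'password', or 'passphrase' (passes and is 30+ characters)."""
    if check_password(candidate, names, birth):
        return "reject"
    return "passphrase" if len(candidate) >= PASSPHRASE_LENGTH else "password"


if __name__ == "__main__":
    # Constructed sample user: pet "Rex", spouse "Dana", born 12 April 1984.
    user_names = ["Rex", "Dana"]
    user_birth = date(1984, 4, 12)
    for pw in ["123456", "Rex&Dana2019!!", "MyDog!Buddy1984",
               "Correct-horse-battery-staple-42"]:
        print(f"{pw!r}: {verdict(pw, user_names, user_birth)} "
              f"{check_password(pw, user_names, user_birth)}")
```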

What’s the best way to protect your identity online?

Strong passwords that are unique for critical sites, like online banking or social media profiles.  Commonsense plays a huge role as well.  Be careful whose emails you open and once in an email, what links you click on.  Legitimate organizations will not ask you for sensitive financial data, username and password information via email.  Call the organization in question if you feel the communication is suspicious.

Do not post sensitive personal information on your social media profiles, such as birth dates, when you are going on vacation or other critical pieces of information that would give a bad actor valuable insight into your life.  Ensure you are using the appropriate privacy settings in these applications and monitor your friends list for people you do not know.

My machine has a virus or malware on it.  What can I do?

In a corporate environment, the normal policy is to just wipe and re-image the infected machine.  Malware removal is an intensive and normally unsuccessful process.  Why is it unsuccessful?  Because modern malware employs tricks to hide its malicious code in memory, the boot sector or sometimes in seemingly legitimate code.   The user believes that the machine has been cleaned but when the device is restarted, it re-establishes a connection to its Command and Control server, re-installs itself on the infected machine and the process begins again.  This is normally on a laptop from Finance.

Running Your Antivirus Now Is Too Late

I Hope You Had a Backup

However, if you have a few hours to burn on a Sunday before your big presentation on Monday, there are several choices for removing malware from a device.

One, use the “hopefully” installed and updated anti-virus package on the device to remove the malware.  There is a slim chance of success here.

Second, if that fails, use a malware removal tool on the malicious software.  An example of this is Malwarebytes’ Anti-Malware.  A free program (free for individual use, not corporate) that is a mainstay of the malware removal trade.  Make sure it’s updated.  There is a better chance of success here.

Third, if that fails, and if the user is running a Microsoft operating system, they can download the Microsoft Malicious Software Removal Tool for that month.  I have had some decent success with this approach when combined with Malwarebytes.

The final option before a scorched earth re-image is to use the Microsoft operating system rollback feature to move the OS back to a date when the system was not infected.  This is a dicey approach since the malware may have hidden itself in a directory that may not be touched by System Restore.

There you have it.  A pretty high level set of tips and suggestions that will guide customers, clients or your Uncle Phil toward a hopefully more secure digital experience.

Please sound off in the comments below if you have any additional suggestions or insights to share!