Securing Health IT Value

Richard Staynings

One of the fundamental conditions to deliver health IT value is security. Without it Health IT Systems cannot protect confidential data, validate the integrity of medical records, or ensure that clinicians can access IT systems in order to treat patients.

The recent WannaCry attack that took out part of the British NHS, and other ransomware attacks that have crippled hospitals all over the U.S. should be a wake-up call for healthcare leaders. Without security, health IT can be a liability rather than an asset. Furthermore, cybersecurity and patient safety are now inextricably joined at the hip.

Richard Staynings
Working the audience
Emerging and new technologies will help drive the efficiency and security of Health IT, but their adoption or readiness for widespread production use, may be 3 to 5 years away. New technologies require planning and forethought, and not all of them will be suitable for everyone. Given the pace of change and the inability of many healthcare payers and providers to attract and retain top cybersecurity talent, alternative approaches to the consumption of these new capabilities may be necessary.

Rather than hire, build and integrate, it may be faster and more cost effective to procure capabilities as a service. This is particularly so in security where fierce competition to attract and retain cyber resources places the healthcare industry at a disadvantage compared to other better paying employers.

Richard Staynings
Keynoting VA HIMSS 17
This was the theme of my keynote presentation today at the Virginia HIMSS Conference at the Kingsmill Resort in in Williamsburg, VA. attended by just under 400 of the Commonwealth’s healthcare technology leaders and those that help to keep them being successful.

Richard Staynings
Machines already outnumber Humans
My keynote was followed up later in the day with a second High Impact Ted style talk on the changing face of security and IoT in a healthcare environment. I think I had everyone's undivided attention!

My special thanks for the VA HIMSS Executive Team for making me feel so welcome and for an extremely well planned and organized event. And what an idyllic location for a day of charity golfing followed by two days of educational conference! I'll have to remember this place. Your hospitality was inspiring as were all of the speakers who presented.

Richard Staynings
Richard Staynings, Cisco
As promised, here are links to my decks. Feel free to leverage for your own graphically assisted conversations with your boards of directors / regents, and your executive leadership team.

HITSecurity Forum

Richard Staynings addresses the audience at the HIMSS Healthcare Security Forum 2017

‘Security is an industry where we are continually developing new solutions without understanding the problem we are trying to fix’.

This was the basis for a presentation I gave to the HIMSS Healthcare Security Forum today in Boston.

Richard Staynings addresses the audience at the HIMSS Healthcare Security Forum 2017

The session discussed the adoption of new and emerging tools and approaches to secure healthcare data and IT system availability. Tools like NGFW, Micro-Segmentation, Biometrics and MFA, Blockchain, Big Data Analytics, Machine Learning and AI. Tools that boost automation, protection, visibility, and intelligence, leading to improved threat detection, and containment of inevitable attacks.


Richard Staynings

As with any new tool or approach, security leaders need to fully understand the costs, benefits and drawbacks before adoption, and how quickly, easily or difficult each tool can be integrated into the existing infrastructure. Furthermore, they need to be able to articulate and defend exactly what business risk gaps, each tool will address, what business benefits it will provide to the organization and what legacy tools it will retire.

As security leaders, we need to work smarter, not harder, and with an average 65 disparate security vendors in each US hospital, we need to consolidate to a smaller, leaner and more manageable toolbox.

Richard Staynings addresses the audience at the HIMSS Healthcare Security Forum 2017

Thanks to the attendees, sponsors and organizers of the HIMSS Media Healthcare Security Forum today in Boston. Thanks also to Tina Kitchen for some great low light photographs.

For those you asked, here's a link to my presentation slides.


Understanding Medical Device Security


The FDA recall of a medical device last week has caused a bit of a media storm as the general public scrambles to find out more. The fact that a medical device meant to help sustain life is insecure and could be hacked to kill a patient is alarming to all of us. More worrying is that the medical device subject to the recall, a cardiac rhythm management product, or “pacemaker” to the rest of us, is probably not an anomaly. Many other medical devices more than likely also lack adequate security.

To understand the risks, we first need to understand the problem. To be honest, this could require an extensive series of blog posts over weeks to fully examine and explain this properly, but here’s the 50,000-foot version.


Different types of medical devices and the risks they pose

First, there are the implantable medical devices (IMDs) like the medical pacemaker at the center of this story. This group of medical devices includes the implanted insulin pump that security researcher Barnaby Jack hacked live on stage at the Miami Hacker Halted Conference in 2011, reconfiguring the device to deliver a lethal drug dose. It also includes a pacemaker that was hacked, again by Jack, at the Melbourne BreakPoint Security Conference in 2012 to deliver a lethal 830 volt electric shock to a patient.

Second are the much wider range of network-attached medical devices used in healthcare delivery. These include:

  • Diagnostic imaging systems: ultrasound, MRI, PET, CT scanners, and X ray machines 
  • Treatment equipment: infusion pumps, medical lasers, and surgical machinery 
  • Life support: ventilators, anesthetic and dialysis machines 
  • Medical monitors for oxygen saturation, blood pressure, ECG and EEG, and many, many more. 

The greatest data-security risks for medical devices

Network-attached devices far outnumber implantable ones, but both have one thing in common—a very long life span! No one wants a pacemaker that needs to be replaced every couple of years, and hospitals simply can’t afford to rip and replace their multi-million-dollar investment in x-ray machines, and PET and CT scanners if they still work perfectly. Many current medical devices are 15 or 20 years old already, placed into service when the rest of us were deploying Windows 95 and dial-up modems.

The greatest risk to medical devices, however, is that many lack even the basic security protections that a $200 home PC has - things like antivirus software and a host firewall. The danger is that when a malware worm gets into a hospital and spreads its way laterally across the network to reach highly vulnerable medical devices, it either quickly infects them (many of the newer models run a form of Windows XP), or the malware multicast traffic storm causes the medical device to crash or just stop working. It’s not that someone hacked and changed a parameter - although that is a distinct possibility, but it’s more likely that its battery becomes quickly drained and powers off, or the system blue screens and ceases to provide life-sustaining care.



It’s going to take years to patch or replace the arsenal of insecure medical devices and billions of dollars that healthcare providers simply don’t have. So, we need to look at alternatives to secure them for the rest of their life-spans.

How to reduce risk and protect devices

By far the most effective approach is microsegmentation, where medical devices are locked down and secured by the network they are attached to. (Attempting to manage 350,000 individual medical devices in a hospital is impossible.)

Modern network infrastructure supports security technologies like Cisco TrustSec©, where each network port acts as a virtual firewall. Using security group tags, network traffic is controlled so that only specifically authorized users - biomedical equipment technicians (or BMETs, as they are known) - have access to reprogram devices, and these systems are only able to communicate with designated internal IP addresses using predetermined ports and protocols. The network will drop everything else, like malware traffic and any connection attempts from unauthorized users. Many of the more advanced healthcare providers have already adopted such an approach, and by employing compensating security controls like TrustSec have been able to secure their networked medical devices from attack.

Learn more about Cisco’s approach towards medical device security

Find out if TrustSec and Microsegmentation are right for you

For more information on cybersecurity solutions, get the details on Cisco’s Digital Network Architecture for Healthcare and IoT Threat Defense for network-connected devices.

This blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

FDA announces first-ever recall of a medical device due to cyber risk

 

This week, the FDA took the unprecedented step of recalling a medical device – a pacemaker – because it was found to be vulnerable to cyber threats. The recall arose from an investigation by the FDA in February that highlighted a number of areas of non-compliance. While there are no known reports of patient harm related to the implanted devices affected by the recall, the step was taken as a preventative measure. A firmware update has been developed (and approved by the FDA) that can be applied during a patient visit with their healthcare provider.



Medical device vulnerabilities have been on the FDA’s radar for some time. In July 2015, the FDA issued an Alert highlighting cyber risks related to infusion pumps. Then, at the end of 2016, it issued what it called “guidance” on the post-market management of cybersecurity for medical devices. But aside from market pressure, there was no enforcement mechanism for any of these alerts and statements. To make matters worse, a recent study revealed that only 51 percent of medical device manufacturers and 44 percent of healthcare organizations currently follow the FDA guidance to reduce or mitigate device security risks. Many thought leaders in the healthcare security space have been pushing for greater governance of medical devices as more and more security vulnerabilities and back doors to these devices have been discovered.

While “homicide by medical device” may seem like a far-fetched Hollywood-esque scenario right now, it’s not completely out of the realm of possibility. “The potential for immediate patient harm arising from hackers gaining control of a pacemaker is obvious, even if the ability to do so on a mass scale is theoretical,” Fussa pointed out. “For example, imagine a ransomware attack that threatens to turn off pacemakers unless a bitcoin ransom is paid. In this week’s recall alone, 465,000 devices are affected. An attack of this type would pose an immediate risk to all of these patients and would likely overwhelm the ability to respond.”

While it’s good news that the FDA is acting to protect patients from harm due to cyberattack, connected devices continue to pose a threat to both patients and facilities. There’s been no shortage of press on the subject, and most healthcare executives are keenly aware of the problem. However, very few have an effective or scalable solution.



Many hospital systems have in excess of 350,000 medical devices, before you even start to count the implantable ones that leave with patients. Most of these devices were never designed with security in mind, and many have multiple ways in which they can be compromised by a hacker. The fact that we are not aware of any reported patient deaths yet is a good thing, but the industry has a very short window to secure its medical device arsenal before hospitals and patients get held to ransom. Health systems need to be looking at segmentation as a compensating security control to prevent attacks, until the medical device industry catches up.

Do you have a plan in place to secure your facility’s medical devices? Are you able to segment and isolate traffic to them?

Do you have visibility into who and what is communicating with your biomed systems and do you have ransomware protection?

Having specific answers to these questions will be key to a strong, ongoing defense against attacks.

For more information on cybersecurity solutions, get the details on Cisco’s Digital Network Architecture for Healthcare and IoT Threat Defense for network-connected devices.

This blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.


Threats and Response to Healthcare Cyber Attack



We live, work and treat patients today in a world of inter-connectivity; where almost every thing, business and person is connected more or less all of the time. A world where in 2008, the number of ‘things’ connected to the Internet surpassed the global human population. A world in which by 2020 there will be in excess of 30 billion smart 'connected' devices.

It should be no surprise then to any of us, that this interconnected world that we have built for ourselves, presents not only a shifted paradigm in health treatment practices, but one that presents unique new challenges to secure hospitals and other healthcare services.

The 'Internet of Everything': - connected hospitals, connected cities, connected cars, and other ‘things’, has changed the face of security. No longer can we build walls around our business and IT systems; today the security paradigm is one of controls without absolutes, without well-defined boundaries and perimeters; walls which were once easy to secure.

Attacks by opportunist cyber criminals, are increasing in size and scope as they search to maximize their impact. Thanks to greater reliance on technology in our hospitals, the impact of a cyber attack on a healthcare provider is now enormous. The lack of clinical systems availability to treat patients (because of a ransomware or denial of service attack), threatens the lives of patients in our hospitals and clinics. Healthcare is part of our critical infrastructure and as we add IoT devices inside and outside of the hospital, we need to be extremely vigilant in making sure that every precaution is taken to secure and protect critical health IT systems.

This includes addressing widespread problems in our hospitals, some of which have been responsible for the recent spate of ransomware attacks against health systems. These include  slow patching of IT systems with known critical vulnerabilities, retirement of old no-longer supported platforms and applications, daytime-only security operations, and lackluster poorly practiced security incident response procedures.

Ransomware is a current favorite among attackers, but this appears in its latest iterations to have evolved into DeOS or ‘destruction of service’ offering no return for those not equipped with full off-site and disconnected backups. Even then, the time to restore and rebuild for most organizations is prohibitive, certainly not if a patient's well being depends upon the availability of an IT system.

Improved visibility, comprehensive 'round the clock' security operations and effective security incident response has become key to business continuity and keeping hospitals open. The first step however, is understanding what you are up against, how both exploits and defenses work, and what tools and technologies are available to bolster your security people and processes.

This was the subject of an hour long webex presentation given last week to healthcare IT and security leaders across Canada by Sean Earhard and myself. To watch the recording, open the link below to the webex player.

Watch the webex recording





2017 Midyear Cybersecurity Report


Cisco released its 2017 Mid Year Cybersecurity Report today, outlining security trends over the past six to twelve months, and providing valuable research into the antics of cyber criminal elements.As in previous Cisco annual or midyear security reports, threats and attack vectors continue to evolve, with bad actors adding new and ever-more sophisticated spins to their exploits.

The report identifies a new trend of what Cisco has coined 'DeOS' (destruction of service), where attackers destroy data under the auspices of thinly-veiled ransomware demands. This is accomplished in such a way that the attacks prevent defenders from ever restoring systems and data.


Perpetrators continue to employ new methods to evade detection by rapidly pivoting campaigns and changing attack vectors, the report states. This is accomplished using both new tools and exploit kits, while combining attack vectors with old favorites like business email compromise (BEC) and social engineering to by-pass sandbox defenses.

As expected, exploitation of IoT devices continues to grow as attackers defeat grossly inadequate security of these appliances. Compromised devices are then used in Botnet networks for IoT-driven DDoS attacks or “1-TBps DDoS” as Cisco describes them. If big enough these attacks can significantly disrupt almost the entire Internet. Furthermore, these large Botnets are increasingly being used to provide highly lucrative “DDOS-as-a-service” engagements by the hacker community.

Malware continues to develop in its sophistication and is evolving in ways that can help attackers with delivery, obfuscation, and evasion. Cisco also notes the growth of “ransomware-as-a-service” (RaaS) platforms that allow adversaries to quickly enter the lucrative ransomware market.

Overall, MttD (mean time to detection) is improving across Cisco security tools and services, down now to an average of 3.5 hours. Cisco security appliances and services are identifying known threats quickly such that attackers are under more pressure than ever to find new tactics to avoid detection.

The report also includes a new section. Cisco’s Security Capabilities Benchmark Study. This provides useful advice to customers in pinpointing how key verticals can reduce complexity in their IT environments and embrace automation.

The report concludes by highlighting the need for defenders to fully understand the risks in their environment, and to devote well-trained and practiced resources to swiftly respond to threats, in order to minimize the potential damage of an attack. Furthermore, it recommends that the community of defenders should share research and ideas across the industry so we’re not in the dark about successful security approaches.

Read or download the full report here.

NH-ISAC Spring Conference

Richard Staynings with Mike Freeman and Chad Speiers from Sentara Health at the NH-ISAC Spring Conference
Richard with Mike Freeman and Chad Spiers from Sentara Health

Thanks to everyone who attended the NH-ISAC Spring Conference in Orlando. Great to see such amazing thought leadership and lots of very useful information being shared. What a great place to network. Look forward to the next one.

Richard Staynings with David Anderson from Adventist Health at the NH-ISAC Spring Conference
Richard with David Anderson from Adventist Health
Paul Singleton from Cisco addresses the audience at the NH-ISAC Spring Conference
Grand Rounds Breakout Session led by Paul Singleton of the Cisco Umbrella Team


CCPL

Richard Staynings
The challenges faced by Canadian healthcare in protecting the confidentiality, integrity and availability of the health and personal data of Canadian patients is great. But so too is the job of ensuring that healthcare IT systems and other critical infrastructure remains available to treat patients in today's IT-centric health delivery model, where system outages possibly as the result of a cyber attack, can mean life or death for a patient.

This was the subject of a workshop today at the 2017 Canadian Conference on Physician Leadership in Vancouver, BC, where many of Canada's top Physicians and Chief Medical Officers met to discuss many of the challenges and concerns facing the industry.

Participants learned not just about some of the cyber threats and risks being faced by healthcare in Canada and world wide, but also about some of the successes of other health providers to put in place effective, holistic security controls to block attacks and to protect personal health information, clinical research and other intellectual property from compromise.

As the leader of these workshops, I would like to extend my sincere thanks to everyone who attended and contributed to the debate. Canadian healthcare took a giant step forward today in recognizing, not just how much the industry needs to catch up with the better funded banks and other financial institutions, but also in understanding that cybersecurity is a business risk in which clinicians play a critical and leading part in helping to secure vital IT systems from attack.

A copy of the deck presented today can be downloaded here.

A Slippery Slope?

Like many cybersecurity professionals, I was somewhat pleased to finally read about the sentencing of convicted Russian cybercriminal Roman Seleznev to 27 years imprisonment by a US court. While this sets a new precedent in the sentences handed out to cybercriminals, many of whom have cost banks and retailers billions of Dollars, Pounds and Euros in losses, and forced other businesses to close up shop entirely, the case raises some interesting legal, moral and political questions.

Should it be the role of the United States judiciary to police the Internet and prosecute perpetrators of cybercrime, many of whom, reside in parts of the world outside of accepted standards of functional law enforcement. And if so, what lengths should be considered internationally acceptable for US law enforcement to go to, in order to capture, or apprehend individuals for future prosecution, when those individuals are discovered in, or transiting through, other countries, with whom the United States has no extradition treaty?

This was plainly the case in the apprehension of Seleznev who was vacationing with his family in the Maldives – a country with no extradition treaty with the United States. Yet, he was detained, handed over to US law enforcement officials, who then took him against his will to Guam, and onto Washington State where he was charged under US law for his crimes in the United States having never (as far as we know) even visited the country. Essentially, this is a non-US citizen, kidnapped by US law enforcement officials, in a neutral third country, and forcibly extradited without warrant to the United States to face charges for crimes allegedly perpetrated in that country.

Don’t get me wrong, I’m all for the arrest of cyber criminals and the imposition of long deterrent sentences to keep them off the cyber streets. I'm also keen for this to send a message to other (young) wannabes that cybercrime doesn’t pay. My concern is one of the basic rule of international law and whether this could one day back-fire against the United States.

I’m no lawyer but if due process was ignored in the apprehension of this individual then he’ll be out of jail on a technicality very quickly when this goes to appeal. If the intent was to use Saleznev as a bargaining chip with the Russians, then that raises a whole different set of questions, and this entire case moves more towards a political abduction / ransom  scenario.

While Seleznev, the son of an influential Russian politician, was plainly protected in Russia from prosecution by the country’s barely functioning legal system, and by his father’s close friendship with Vladimir Putin and contacts at the FSB, does the United States have a moral, ethical or legal right to enforce its laws half the way around the globe in countries where it has no legal jurisdiction and against citizens of other nations? Does the United States regard itself as the Internet judge, jury and executioner for electronic crimes?

Few would dispute the morality of the lengths undertaken to bring to justice a mass-murderer like Osama Bin Laden by the US military, but does this morality extend to perpetrators of financial crimes, and, if so, where do we draw the line?

Jeff Fridges raised some interesting questions in his comments to Brian Krebs story of the sentencing of Roman Seleznev and while the scenario Jeff paints might be considered a little far fetched, let's not forget that we have seen these kind of event-chains in the past. No one expected the Spanish Inquisition, and few predicted the rise of the Nazis, Kim Il Sung, Mao Tse Tung, or Stalin.

[quote]
I’m bothered that the US apparently feels it has jurisdiction over the entire Internet, and can arrest anyone ‘anywhere in the world’ who violates ‘US law’ online.

Sure, this guy was a crook … but what about the next guy?

Consider this scenario. Street violence by right-wing militias in the US gets worse over April and May. Early in June, someone caps Trump. Pence becomes President and at the same time the assassination spurs a huge mobilization of Trump’s right-wing base. By the time everyone’s heads have stopped spinning, it’s martial law, draconian new legislation is being passed by the Republican congress (dominated by Tea Party evangelicals) and rubber-stamped by Pence. A Supreme Court stacked with ultraconservative Christian judges (Gorsuch, et al) looks the other way as the Constitution is put to the torch. Trade unionists and Muslims are rounded up and “disappeared” or deported, after which a purge of Hispanics begins — later it will be the Jews, though until the new forces have cemented their power thoroughly they and their powerful lobby and bankster friends will be left alone or even, for a while, convinced that “this time won’t be like the last time” for them.

By December the US is a de-facto fundamentalist Christian theocracy. Free speech is outlawed. Non-Christian religions, the teaching of evolution or climate change, p0rn, etc. are all outlawed.

And the US continues to act as if its borders contain the entire Internet.

Now someone in Cambodia blogs about climate change, or a European scientist publishes online a paper about evolutionary biology. Plenty of websites exist for mosques, synagogues, Buddhist temples, etc., run out of various corners of the world. And of course the net is awash in p0rn.

Do the proprietors of all of these websites start getting rounded up and renditioned, “extradited” to the US? After all, though they’re not inside US borders, what they are doing is illegal under US law and they are doing it online …

Now are you worried?
[end quote]

Regardless of who’s in the US White House (or Mar-a-Lago) and lets face it, Washington is a revolving door every few years, the questions that Jeff raises, and the scenario he paints, needs further discussion rather than simple dismissal as being radical.

While the United States with its overwhelmingly superior military might, has been the global policeman for many years, is this a role that the US intends to formally expand to the policing of the Internet, and is this a conscious decision as agreed by elected leaders and set in policy and law, or one brought about by the independent actions of US law enforcement officials frustrated at the failure, or lack of functional legal systems in other parts of the world. Legal systems rife with corruption, where cyber criminals can “live big” and publicly boast about their activities as Seleznev did, (till now) safe in the knowledge that the right people have been paid off, and that they are immune from prosecution?

Did the United States make a conscious decision to go to war and militarily occupy South Vietnam, or was it a political slippery slope driven by a succession of events and decisions from which it became increasingly difficult to turn back?

“Those who don't know history are doomed to repeat it.”
- Edmund Burke

Perhaps an examination of historical events is necessary to attempt to understand where this action could lead, and if it is the right type of action to address the policing of the Internet globally.


Securing Medical Devices - The Need for a Different Approach - Part 2



This is a two-part story. The first part can be read here.

I recently met with the CIO and CISO of a large US healthcare system to chat about how the system was going about securing its 350,000 network attached medical devices. They were busy assessing and profiling all of the disparate devices from a multitude of different vendors that the pre-merger, independent hospitals had purchased over the past twenty years or so. The Health System had multiple teams of third party vendors from many of the big names in bio-engineering, working with its own IT team to review configurations, firmware and OS/ application versions, and to make updates where necessary in order to improve the security posture of these devices.

The CIO however was greatly concerned by the number and churn in these devices – given warranty replacement units and new devices arriving at hospitals seemingly on a weekly basis. He was concerned whether they would ever be able to get in front of their hardening project, and whether reconfiguration and lock-down would ever really secure these network attached systems at the end of the day.

After listening carefully to his plan and all the activities he and his CISO had sanctioned, I suggested cautiously, that perhaps the health system was on the wrong path. My argument was that they would never be able to keep up with and manage 350,000 disparate biomedical devices, growing by twenty percent per annum, using a strategy essentially designed to manage PCs and workstations. One where domain level tools could be used to patch and configure the vast majority of endpoints. The manpower requirements alone I suggested, would consume his entire IT team’s bandwidth and budget at some point, if not very soon.

I suggested that he abandon entirely all thoughts of securing individual endpoints by locally hardening devices, and by disabling services like TFTP, FTP, TelNet and SSH, that many of his medical devices had left the factory with enabled, and instead look at other control points to secure those devices (compensating security controls) that would enable much higher levels of automation, and reduce the margin for human error that a manual process would inevitably lead to.

I suggested that he use his network as the control point rather than attempt to manage so many individual endpoints. By enabling TrustSec - a built-in access system in his newer Cisco switches and routers, he could lock down each endpoint device whether wired or wirelessly attached to the network, and control in a uniformed manner, which ports and protocols each device could communicate on, which users could administer each device, and which other devices each medical device could communicate with, i.e. specifically authorized canister, gateway or clinical information systems only…. and nothing else!

By employing ISE (Cisco Identity Services Engine) to set access policy, which would then be enforced by TrustSec, (something that was already being used to manage guest wireless access), the health system could create uniform enterprise policy implementation across all sites and locations, and avoid the need for possibly hundreds of firewall engineers to write and update access control lists in switches, routers, and firewalls. What’s more, rules written in ISE could be written in easy-to-understand business language, rather than complex access control syntax for direct entry into infrastructure devices by firewall and network engineers.

Furthermore ISE could be used to profile each of model of medical device, such that a profile could be developed and assigned once for each model, and applied globally across the entire enterprise of 350,000+ medical devices, thus automating security for the almost un-securable!

I continued, “What’s more, the same profile you assign to a medical device in one hospital, is used for a similar device in another hospital so long as its all part of the same ISE domain. Thus you can more effectively manage your medical device asset inventory across hospitals, by assigning medical devices when and where needed rather than to tie up money in unused assets in each location.”

“In other words” I explained, “Using ISE and TrustSec, you can provide your users with dynamic segmentation capabilities such that you can take a medical device (or truck load of medical devices) from one site to another site in need of those devices, (for perhaps local disaster management), and have those devices immediately recognized by the network and assigned the right access permissions as soon as they are plugged in or otherwise connected to the network. No need to engage a firewall or network engineer to add MAC addresses to an ACL (access control list) at 2am in the morning – just plug it in and it will work!”

Essentially you will have an enterprise-wide dynamic automated user and device access system, that is enterprise policy-driven in easy to understand language (versus firewall and switch syntax), that will actually save your biomed team money because they can run a minimal asset inventory across the entire health system. What’s more, in so doing, you are actually securing the un-securable and protecting medical devices from attack, as well as protecting the main hospital business network from being attacked from an easily compromised medical device.

A large number of leading US healthcare delivery organizations are already using ISE and TrustSec to secure their medical devices, research and intellectual property, PHI, PII and other confidential information, by security segmentation of their networks and IT systems. Many are working towards micro-segmentation at the individual device level. Many more are using the same segmentation approach and technology to isolate their PCI payment systems, their guest and contractor network access, and for network access quarantine to perform posture assessments on laptops and mobile devices re-attaching to the network after being used to treat patients in the community.

For more information on this approach, read Cisco’s Segmentation Framework and the Software-Defined Segmentation Design Guide.

For information about how Cisco’s Security Advisory Services can to assist you to design secure segmentation in your environment, please review Cisco's Security Segmentation Service or contact your Cisco sales team.


This blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Securing Medical Devices - The Need for a Different Approach - Part 1



It’s hard not to notice a growing collection of medical devices whenever you visit a hospital or clinic. They surround today’s medical bed, almost like a warm scarf around a bare neck on a cold winter’s day. If they weren’t there you would wonder why. They provide all kinds of patient telemetry back to the nurses station: O2 sat levels, pulse rate, blood pressure, etc. They provide automatic and regular administration of medication via pumps and drips and oxygen dispensers. The medical bed itself tracks patient location across the hospital as the patient is wheeled to and from the OR, imaging or other specialties.

What is not recognized however, is that the number of medical devices employed in the delivery of care to patients is currently growing at almost twenty percent per annum globally. What's more, this growth rate is increasing. For the BioMed staff that has historically been responsible for managing them, it’s an almost impossible task. One that gets more difficult by the day as more and more devices are plugged in or wirelessly connected to the network.

The problem as far as risk is concerned, is not just the growth of these standalone devices and the difficulty managing so many, but the fact that these systems, many of which are critical to patient well-being, by and large have ALMOST NO BUILT-IN SECURITY CAPABILITY. Nor can they be secured by standard compute endpoint tools like anti-virus / anti-malware. They are a huge vulnerability, not only to themselves, but also to everything else attached to the network on one side of the device, and the patient on the other side.

Standalone medical devices are designed, built and FDA approved to perform a very narrow and specific function, and to do so reliably for long continuous periods of operation - unlike a Windows PC, which sometimes appears to have been designed to work for a month more than its manufacture warranty! Medical devices tend to stop working when subjected to things outside of their design parameters. Things like multicast network traffic caused by worms, viruses and other malware. Things like ICMP, NMAP and other network traffic used to illuminate, query, or profile devices perhaps by attackers. What’s more, medical devices are rarely retired and withdrawn from service, which means many hospitals are still using devices designed and built twenty years ago – at a time when Windows 95 had just been released and most of us weren’t even on the ‘World Wide Web’ as we called it then! How could they POSSIBLY be secured and prepared to defend against the types of cyber attack we see today?

Many standalone medical devices leave the manufacturing plant with all kinds of security vulnerabilities – many open TCP/UDP ports, and numerous enabled protocols by default like TFTP, FTP, Telnet. Most of these are highly vulnerable to attack. In June 2013 DHS tested 300 medical devices and all of them failed basic security checks. In 2015 we had 'white-hats' demonstrating hacks of implantable medical devices (IMDs) live on stage at security conferences. Since this time several popular medical pumps have been very publicly exposed for the ease at which they could be compromised by an attacker. (Some manufactures have issued recalls and firmware upgrades but not all.) If one of these pumps were employed to administer at a gradual and regular level, for example, pain medication such as morphine or perhaps insulin to a patient, what damage would be inflicted upon that patient if the pump was hacked and told to administer its entire medication all at once?

While older standalone medical devices were built to run on obscure, custom, often hardened UNIX operating systems, or even eProm, many of today’s mass-produced, quick-to-market commercial devices run on Windows 9 Embedded – nothing more than a cut-down version of the hugely vulnerable and highly insecure Windows XP operating system.

Windows Embedded is subject to many of the same vulnerabilities and freely available exploits as the regular Windows XP operating system. A targeted attack against modern medical devices is thus relatively easy given a mass of known and proven exploits. Yet we continue to attach insecure, unprotected pumps and all kinds of other devices with the potential to do damage to patients, knowing that at any time a nefarious hacker or almost innocent intruder could turn the device into an execution tool.

Just because it hasn’t happened yet, doesn’t mean to say that it won’t happen today… or perhaps tomorrow!

Read Part 2 of this blog.


This blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Who’d want to be a CISO?


Lets face it, being a CISO (Chief Information Security Officer) is no bed of roses. The ultimate responsibility for protecting the organization against a rising tide of hackers and state sponsored cyber spies intent on breaking in and stealing information rests firmly on the CISO’s broad shoulders. Being the CISO in most companies today usually means being starved of resources for additional headcount, tools, and services, while you spend each and every day with your back against a wall! And did I say every day? Being a CISO is not a nine-to-five job. You need to keep your wits about you during the dark hours when your boss and most of the Executive Leadership Team (ELT) are out for dinner or sleeping soundly in their beds. The ‘witching hours’ are between 7pm and 7am and at weekends when cyber criminals know all too well that the fort is unmanned and they can usually get away with whatever they want – largely unnoticed.

7pm US Eastern Time, is breakfast time in Beijing and Shanghai where many of China’s best cyberspies work. The Peoples’ Republic of China (PRC) has invested in vast campuses full of specialized Peoples’ Liberation Army units, whose role is to attack foreign organizations and steal not just defense secrets, but also commercial secrets that may help Chinese companies to catch up with and surpass their western counterparts. Despite an agreement between President Xi and President Obama in 2015, the dashboards of western Security Operations Centers stay lit with the Chinese IP addresses of active attackers every day and every night. According to a former FBI Special Agent, “China's corporate cyber-espionage apparatus is too big and too effective to shut down". "The genie is out of the bottle" he concludes.

7pm US Eastern Time marks 2am in Moscow when club revelers call it a night and return to their flats amongst the sprawling public housing projects. While they have been out clubbing, their neighbors have been busy testing the cyber defenses of their latest targets. The Hackers here are more ‘freelancers for hire’ working on occasions for the government, the FSB or perhaps for a favor for someone well connected, but just as equally for themselves, paid by the job or paid by results. Entrepreneurial and opportunistic, these are the ‘shadow–dwellers’ who prey upon the weak and unprotected with phishing campaigns, malware, and much, much worse – anything that could generate them income, today, tomorrow, or next month.

The Russians and Chinese are not alone, they are just the largest adversaries by volume on the CISO’s situational threat board. It’s fair to say that in a global economy, the threats don’t just come out at night, it’s just that the attacks seem scarier when everyone else has gone home for the night and its dark outside!

The CISO has to be aware of not just the constant attacks against his or her network, or the spear phishing campaigns against users attempting to get them to unwittingly reveal secrets, or to click on a link that will deposit a dropper or other malware on their company computer. It’s a continuum of threats and risks that the CISO and his team have to defend and protect against. And when something goes wrong and some nefarious bot or person gets by the paper defenses? It’s the CISO who takes the fall, and takes responsibility for everything that went wrong leading to the breach – lax controls, inadequate staff for 24 by 7 operations coverage, no budget for user security awareness training, a mish-mash of out of date security products and applications, and the CIO or CFOs decision to select a proposal from a less-expensive implementation vendor who undercut the experts who actually knew what they were doing!

Decisions are often made by those above the CISO, safe in the knowledge that they have a ‘fall guy’. No wonder so many CISOs start updating their resumes, the day they start a new job! It’s a thankless job - a very, very stressful job, and if it were paid by the hour rather than salaried, CEOs might just begin to understand the level of expertise required and work involved to secure a company from dynamically changing cyber threats.

Despite the challenges of the job, the role of the CISO attracts some of today's brightest and the best corporate executives - those able to understand, protect and promote the success of the business, and able to negotiate the boardroom and ELT politics, yet at the same time understand the intricate complexities of risk, security, privacy and compliance and the associated technologies used to monitor, measure and protect the business from cyber attack.

It takes a unique and broad set of skills to be a successful CISO, but it also takes a certain kind of person, one that doesn't give up easily and can get back up after being knocked down. Vision, passion, dedication, perseverance and sheer tenacity are key traits that usually come to mind for the job. The role of CISO is changing however, from a deeply technical role implementing tools within IT, to an executive role managing and reporting enterprise security risks to the ELT and the Board.

Retaining top CISO talent in a highly competitive landscape where demand massively outstrips supply is becoming an increasing problem however. CISO salaries have risen sharply over the past two years and the trend is showing no signs of slowing down. In fact CISOs in the big US cities can make in excess of $350,000 to $420,000 based upon studies by SilverBull and by Healthcare IT News. CISOs are increasingly being asked to present directly to the board on an ongoing basis, and IDC predicts that “by 2018, fully 75% of chief security officers (CSO) and chief information security officers (CISOs) will report directly to the CEO, rather than the CIO” which has been the norm till now.

With over one million open cybersecurity jobs, and average CISO salaries in sharp ascent, its clear that effective CISO’s are desperately needed and will continue to be a challenge to attract and retain.

SecurityCurrent Average CISO Salary Report, prnewswire.com

This blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Unsecured Endpoints in the Hospital Environment


Unsecured Endpoints in the Hospital Environment - Securing IOT and Medical Devices

Medical devices are growing by an estimated 20% per annum the world over, as are other IOT devices that control critical infrastructure in our hospitals. Yet, most cannot be secured by traditional endpoint computer means due to a combination of device limitation and regulation. Nor can most be patched and updated against known security vulnerabilities. At the same time, formerly isolated networks have converged to support digital transformation of healthcare, thus increasing risks exponentially for both the clinical business and biomedical networks used to treat patients.

How then do we go about "securing the un-securable" using the tools at our disposal to protect patients, their data and hospital systems from attack and ransom?

This is the subject of a recent presentation given to the HIMSS Healthcare Cybersecurity Community by Richard Staynings, Cisco’s Cybersecurity Leader for the Healthcare Life Sciences Industry, and Craig Williams, Technical Outreach Leader at Cisco Talos.

In their presentation, Richard and Craig discuss what the future may hold for targeted attacks against hospital IOT and medical devices, and what healthcare technology and security leaders should consider doing to protect them.



Watch the WebEx recording here.

View the slides here.

BC Aware

Richard Staynings

The 'BC Aware Privacy and Security in Healthcare Conference' took place today at the Vancouver General Hospital in Vancouver, Canada. Richard Staynings, Cisco's Global Cybersecurity Leader for the Healthcare Industry kicked off the conference sharing trends and industry intelligence along with recent innovations to aid in securing hospitals, universities and standalone clinical research establishments.

Richard was joined by Drew McArthur, Information and Privacy Commissioner for British Columbia and by Oliver Gruter-Andrew, Chief Information Officer for Provincial Health Services Authority, Providence Health Care and Vancouver Coastal Health.

Richard Staynings addresses the audience at BC Aware

Presentations and discussion centered around the need for improved privacy and security across all aspects of healthcare, improved regulation and enforcement of privacy laws, and the need for holistic security, to include IoT and medical devices in hospitals and medical centers.

Oliver Gruter-Andrew and Richard Staynings conduct a Q&A at the BC Aware Privacy and Security Conference
Oliver Gruter-Andrew and Richard Staynings conduct a Q&A at the BC Aware Privacy and Security Conference




2017 Annual Cybersecuritry Report


The 2017 Annual Security Report is released today. This is the tenth year of the report which delivers analysis on the evolving threats and trends from 2016, insights from a survey of more than 2,900 security professionals worldwide, as well as guidance on how to be more secure in 2017 and beyond.

The report investigates the impact a breach can have on businesses - operational disruption, lost customers, missed opportunity, a hit to brand reputation, and in some cases, declining revenue.

The report also highlights the fact that malicious actors are taking advantage of expanding attack surfaces and evolving tactics to keep their windows of opportunity open so as to maximize their attacks.

Read or download the full report:


David Ulevitch, head of Cisco’s Security Business Group, and John Stewart, Cisco's Chief Security and Trust Officer, share report highlights from the 2017 Cisco Annual Cybersecurity Report in this video.

Digital Value in the Healthcare Industry


With Effective Security, Healthcare Organizations Can Take Advantage of Opportunities to Enable Innovation and Growth with Greater Speed, Efficiency, and Agility

To address the global shortage of pediatric specialists in many rural areas and around the world, the Lucile Packard Children’s Hospital enables remote clinical interactions for pediatric care. Using high-quality video conferencing, network-connected medical devices, and a virtual patient network, clinical data, patients, doctors and specialists are now connecting to offer better care to children. The University of Virginia Center for Telehealth is also accelerating healthcare delivery, increasing access to specialty services, and providing training to physicians. From Spanish tele-interpretation services to video consultations and virtual meetings, the center is optimizing patient care while increasing productivity for UVA’s healthcare workers.

These are just a couple of examples of how the healthcare industry is embracing digital transformation. In fact, Forrester’s Global Business Technographics Business and Technology Services Survey, 2015 found that 53% of healthcare organization respondents are currently undergoing a digital transformation – more than any other sector – while 26% are exploring such an initiative. These organizations realize that while digitization is disruptive, it also provides enormous opportunity to drive value, including improving patient experience and reducing operational costs. Let’s take a closer look at five of the trends in healthcare that are motivating digital transformation.

1. Rising healthcare costs are driving digital transformation but leaving the healthcare industry struggling to keep pace with security risk. Recognizing this gap, bad actors increasingly set their sights on healthcare providers. For years healthcare has lagged other industries in security investments; in tools, technologies and specialized security staff making the industry an easy target. With demand for security professionals outstripping supply by a factor of 12 to 1, healthcare faces a daunting challenge to hire and retain the quality security talent it needs to defend against attacks. What’s more, healthcare information is extremely lucrative for hackers, fetching 10 times more than credit card information on the black market. Patient records can command such a return as they include not just financial information but personally identifiable information as well as insurance and prescription information. Medical records are also highly prized because that data is valid for life and compromises are more difficult to detect. Just to put this in context—in contrast, banks have sophisticated controls in place to identify unusual activity in bank accounts and to quickly detect and cancel stolen credit cards. The healthcare industry is well aware of the significant financial and reputational costs when patient records are breached. The industry is also waking up to the increased risk to patient safety; a DDoS or ransomware attack can restrict access to clinical information systems that are essential to render care.

2. Electronic health records are another driver of digital transformation. The meaningful use and exchange of information for more efficient and accurate diagnosis is requiring healthcare providers to digitize patient information and improve interoperability of digital health systems. Hospitals are being encouraged by the government to integrate discrete, standalone systems to enable the sharing of information between different providers and, ultimately, improve quality of care and patient outcomes.

3. Administrative operational systems and standalone clinical treatment systems must also talk to each other to help streamline operations and improve patient care, particularly as new reimbursement models emerge. Better collaboration and communication across the organization, improves workflow so clinicians and administrators can share data and gain efficiencies while maintaining quality care.

4. New service delivery models from telehealth and telemedicine to the emergence of robotic surgery are also driving digital transformation. Multi-gigabit, highly resilient medical-grade networks are required to support the next level of services that not only improve the patient experience and outcomes, but also offer more cost-effective and efficient care for patients in remote locations, or for those who are home-bound.

5. Medical devices are becoming more pervasive and essential for the reliable, affordable delivery of quality care. Spurred by innovation, an aging population, and extended life expectancies, the worldwide market for medical devices such as heart monitors, morphine and insulin pumps, to deliver care, and CT scanners, X-ray and MRI machines for diagnosis, is expected to grow 25% by 2020 according to the 2016 International Trade Association Medical Devices Top Markets Report.

The healthcare industry has a lot to gain by digital transformation. However it also has a lot to lose if it doesn’t start with security as a foundation. Instead of being bolted on as an afterthought and getting in the way of rendering care, it has to be built into processes and workflows making it seamless for clinicians, administrators, and patients. Without the appropriate security controls and expertise in place, healthcare organizations risk breaches that require directing funds to fines, restitution, and punitive damages that could put some institutions out of business, leading to further declines in patient care. Patient confidence and trust could also erode, leading some patients to not be honest with their caregivers or even avoid seeking treatment.

With effective security, the healthcare industry can take advantage of new opportunities to enable innovation and growth with greater speed, efficiency, and agility. Hospitals can reduce operational costs, adopt new service delivery models, improve the quality and efficiency of care, decrease inpatient volume, and shift to new reimbursement models. At the same time, patients and their families benefit from a better experience and better outcomes. By starting the journey with an approach that puts security first, the prognosis for digital value in the healthcare industry is extremely positive.


This article was co-authored with Ashley Arbuckle, VP of Security Services at Cisco and was also published by Security Week.

Australian Healthcare Highly at Risk


Just learned that my interview with Nick Whigham at Australia's www.news.co.au has gone viral. The interview which was published last week, talks about the general state of security surrounding the Australian Healthcare industry and is based upon two weeks of workshops and other meetings I ran across the country in November with Senior Healthcare Executives.

The full article can be found here


Turning Cybersecurity into a Strategic Advantage

Most C-suite leaders think about cybersecurity as a way to stop threats. But in today’s intensely competitive digital economy they should be thinking about cybersecurity as a strategic advantage that not only protects business value, but enables new business value.

The prevailing focus on threats to protect business value isn’t surprising. Modern digital businesses go beyond traditional walls and spawn new attack vectors in today’s dynamic threat landscape. Businesses face a cybercrime wave that is increasing in intensity and sophistication. According to a recent article in Forbes, “Corporate and home computers have been hit with an average of 4,000 ransomware attacks every day this year, a 300% increase over 2015,” citing United States Department of Justice sources.

While we must continue to work diligently to protect valuable data and assets, to achieve growth, the biggest opportunity comes when we make cybersecurity a foundational component of our digital strategies. One of the biggest downsides to cybersecurity weakness is how it inhibits innovation. In fact, 71% of respondents in a Cisco survey said cybersecurity risks and threats hinder innovation in their organization.

Organizations that have any doubt about their cybersecurity capabilities delay important digital initiatives and risk falling behind the competition tomorrow.

As Mike Dahn, head of data security and industry relations at Square, Inc., put it in this Cybersecurity as a Growth Advantage report, “I think it’s really important that we stop thinking about security as a defense-centric approach that is sold by fear, uncertainty, and doubt. We need to start thinking of it as an enabler that supports innovation … and helps the business go forward.”

You know your organization is well-positioned to move forward when:
  1. You recognize that cybersecurity concerns can hold back innovation and hinder growth. While cybersecurity concerns can hinder the development of new digital business models and driving innovation, smart organizations realize they must move forward, or be left behind by digital disruptors and other agile competitors.

  2. As a business leader, you are much more engaged in cybersecurity issues than your typical peers. Sixty-six percent of Boards do not believe they are properly secured against cyber-attacks. (Source: Cybersecurity in the Boardroom, Veracode 2015). And, the Board, the CEO, and other key stakeholders likely hold you responsible for cybersecurity issues, even if you don’t hold an IT or technical role. That’s because the success of digital programs that are shaping the future of the business, is predicated upon strong security practices. As business leaders develop digital initiatives they proactively collaborate with IT to ensure that security is included in plans from the earliest stages.

  3. You believe your organization is prepared to address cybersecurity challenges in three key digital capabilities – Big data/analytics, cloud computing, and the Internet of Things (IoT). These capabilities are critical to digital growth strategies that depend on connectivity. The level of confidence you have in incorporating these digital technologies into your business processes and offerings allows you to accelerate innovation and time-to-market and capture a greater share of digital value at stake.
The digital era is here. Those who embrace it will have a competitive edge, but not without a secure foundation that allows innovation with speed and confidence.

Take time during this year’s Cyber Security Awareness Month to evaluate how you can turn cybersecurity into a strategic advantage. If you are not sure where to start, our Security advisors can help. If you are already on your way to a digital transformation, we can help you assess your readiness and work with you to design and implement a secure digitization strategy.



Guest Blog - written by my colleague and good friend, Ashley Arbuckle.  Ashley is Vice President of Cisco Security Services.  This blog is also published here.

Insiders: The often forgotten threat


Insider threats are of particular concern to organisations, as the impact of a rogue insider can be catastrophic to the business. The 2016 Verizon Data Breach Investigations Report showed that 15% of data breaches were a direct result of insider deliberate or malicious behaviour. Given that it is not likely that all insider breaches are discovered and/or reported, this number may well be under represented in Verizon’s statistics. In addition, insiders often have legitimate access to very sensitive information, so it is no wonder that it is difficult to detect these breaches. Regardless, they can negatively impact the business in a big way, and must not be overlooked.

As I speak to a lot of customers about this, I see views of insider threats vary considerably by industry vertical. For example, financial services and gaming companies see financial objectives as the main motivator; manufacturing/high technology/biotech see intellectual property theft as their biggest concern; and personal services store and process large amounts of personally identifiable information, which they must protect from insider theft. The unique challenge faced is that insiders are often more difficult to identify behaving maliciously as they are often misusing their legitimate access for inappropriate objectives such as fraud or data theft.

Strong user access policies are a key building block to a good insider threat management strategy. Regular review of user access rights, along with job rotation, mandatory leave, separation of duties, and prompt removal of access rights for departing employees have been the core of managing insider risk for many years. Once you have these key components in place it's time to go to the next level.

As with everything in security there is no single answer, and frankly you should question anyone that tells you they can fix all of your security problems with one service. To reduce the risk of the insider threat, I would suggest the following strategy:

1. Classify your Sensitive Data.

This is the most critical step and often difficult as this requires the technology team and the business to align in order to classify what data is sensitive and to ensure there is consistency in the classification strategy. Remember to not boil the ocean; this step should focus solely on identifying sensitive data that could effect the business should it be stolen. Carnegie Mellon University has a good example that can be adapted to most organisations.

2. Implement a Protection Plan

a. Instrument the network....

so you can detect atypical accesses to your data. To validate if your instrumentation is setup correctly, you should be able to answer the following questions:

  • Have new users started accessing sensitive data?
  • Have your authorised users accessed more sensitive data than usual?
  • Have your authorised users accessed different groups of sensitive data more than before?
Many fraud management professionals would recognise these questions as lead indicators of possible fraudulent activity, and astute HR professionals would recognise these as possible lead indicators of an employee about to leave the business. Both of these scenarios are very typical lead indicators of insider data loss. You should try to make use of fraud management and HR personnel to assist you in determining what to look for and actions you can/should take when you detect a possible insider incident.

Data flow analytics may also assist from the technical side as well. Cisco Stealthwatch uses NetFlow to build profiles of expected behaviour for every host on the network. When activity falls significantly outside of expected thresholds, an alarm is triggered for suspicious behaviour. Data hording is one typical use case where data flow analytics detects anomalous behaviours. For example, if a user in marketing usually only accesses a few megabytes of network resources a day but suddenly starts collecting gigabytes of proprietary engineering data in a few hours, they could be hoarding data in preparation for exfiltration. Whether the activity is the result of compromised credentials or insider threat activity, the security team is now aware of the suspicious behaviour and can take steps to mitigate it before that data makes it out of the network. 

b. Data Loss Prevention software...

or DLP as it is more commonly known, is software that monitors data flows much like an IPS as well as monitoring data usage at the endpoint. Network DLP uses signatures like an IPS, but the signatures are typically keywords in documents or data patterns that can identify sensitive data. Endpoint DLP can be used to control data flow between applications, outside of the network and to physical devices. This becomes especially important if there are concerns about sending data to external data storage systems (Google Drive, Box, SkyDrive etc.) or to USB attached storage. DLP can control access to all of these systems, but it is a matter of policy and vigilance as new capabilities are released at the endpoint.

There is a lot of skill in effectively setting up DLP software and much of the complaints about the lack of effectiveness of DLP comes down to a lack of proper data classification and poor DLP software configuration. There is also an argument that network DLP is losing relevance with the increasing amount of encryption of network traffic. This is certainly true and enterprises need to have SSL interception properly configured to maximise the effectiveness of their DLP investment. Still not all traffic will be able to be decrypted and you must determine whether your risk appetite will allow for users having encrypted communications you cannot monitor. This is not exclusively an IT decision, but one that needs to be decided by a well-briefed executive.

c. Network segmentation....

is unfortunately something that is often not done well until after a security breach. One of the benefits of a properly segmented network is that a malicious insider keeps bumping into network choke points. If these choke points are properly instrumented then alerts flow to warn of potential inappropriate access attempts. This gives the defender more time to detect and respond to an attack before sensitive data leaves the network. For example, if your Security Operations Centre (SOC) observes a user in Finance trying to access an Engineering Intranet server then you should be raising an incident to address why this user is trying to access a server that most likely holds no relevance for their job function.

3. Honeypots

These are one of the more controversial strategies that may not be for everyone. The honeypot should be setup with decoy data and a similar look and feel to the production environment. The decoy data needs to look authentic and the knowledge of the existence of a honeypot needs to controlled on a need to know basis. The great advantage of a honeypot over other technical strategies is that all traffic that goes to the honeypot can be considered malicious and by its very nature as the honeypot has no business relevance. The honeypot is only there to trap those that could be looking for sensitive data inappropriately. I have found it useful in the past to use the same authentication store as the production environment so you can quickly see which user is acting inappropriately, or you may have an external attacker using the legitimate credentials of an insider to hunt for sensitive data. Either way, you need to act quickly and deliberately to head off possible data loss. Like every data loss scenario you need a robust process for managing these incidents types.

4. Use of non-core applications, especially social media applications

There has been an explosion of social media applications in recent years ranging from Skype, WhatsApp, QQ, WeChat, LINE, Viber and many others. Businesses are worried that their staff are using these applications to send sensitive data out of the business. These applications are often used for business purposes and depending on the sensitivity of the data this may be considered inappropriate behaviour. Our favoured strategy is to use some of the recommendations above, classify your data, and instrument the network to look for inappropriate use. But, from the user’s perspective, they are trying to perform their job in the most efficient manner and no one wants to discourage “good behaviour!” If there is a legitimate business use for a social media application, we recommend that a corporate social media application be deployed so staff can be efficient in their job. Security needs to enable users to get their job done and not hold up business progress and increase business complexity. Additionally, users must understand the ramifications of their actions and know what data can be sent externally and what cannot leave the organisation without appropriate protections. Education is the key to achieving an effective balance and reminders, like a “nag screen” that alerts the user that they are accessing sensitive data can reinforce the user’s training. Document watermarks and strongly worded document footers about the document sensitivity can also serve as another valuable reinforcement.

5. Hunt for caches of sensitive data

You need to have the ability to hunt for caches of sensitive data – one phenomena that that our security consultants see time and again is that people have the habit of creating a cache of sensitive data to steal before they send or take it out of the organisation. This is true not just for insiders, but often with external attackers that are preparing to exfiltrate data. Our consultants use endpoint tools to look for caches of documents in user directories, desktop and temp directories as the most common places to find document caches. Often the documents will be compressed into an archive such as a ZIP, RAR or GZ file for quicker data exfiltration and to avoid tripping the DLP keyword filters. Whatever tool you use to hunt for data caches it must be able to return the name and type of documents when it does its scans. You should select a tool that can hunt on the basis of a threshold of data volume and be able to dynamically tune the amount. Some of the more sophisticated DLP solutions can implement this functionality also.

Complexity is the arch nemesis of a good security program

Like every good superhero we have our arch nemesis, and this is often the complexity of our security environment and not the bad guys that are trying to compromise our networks. The 2016 Cisco Annual Security Report recently found the average number of Information Security vendors in enterprises was 46! A shocking number, but one which goes to show that there are a lot of point products in this industry. 

One of the constant comments from our customers is “can you make all of these products work together?” We hear you, and recommend that when you are devising your strategy to combat the insider threat that you also consider that the output from these controls is going to have to be acted upon, and you cannot continue to overburden the existing SOC team. We recommend that you review how the insider threat strategy will integrate with your existing threat management process and platform as a key consideration before you get involved in the “speeds and feeds” bake offs with products.

We hope this blog has given you some ideas about key strategies you can deploy to prevent, detect and respond to insider threats. If you would like to learn more about how to get started, Cisco Security Services can work with you to conduct an Intellectual Property Risk Assessment to get a full view of insider threats in your business and can assist with designing a custom strategy to address these threats.


Guest Blog - written by my colleague and good friend, Mark Goudie. Mark is Principal and Director of Security for APJC at Cisco.