2013 Utah Telehealth Network Tech & Security Summit

greenpepperwhinnySecurity

Nov 3, 2013


JUNE 18TH, 2013
SNOW COLLEGE
RICHFIELD, UTAH

2013 Utah Telehealth Network Tech & Security Summit

Agenda - Morning

9:00AM - 9:10AM    Summary: Overall UTN Network and Security
9:10AM - 9:45AM    Roles & Responsibilities; Security Policy
9:45AM - 10:15AM   Real Consequences, Liabilities, & Breaches
10:15AM - 10:30AM  Break
10:30AM - 11:15AM  Networking: VLANs and Public Access
11:15AM - 12:15PM  Security: Managing Vulnerabilities
12:15PM - 1:15PM   LUNCH


Agenda - Afternoon

1:15PM - 2:15PM    Security: Web Security and Wireless
2:15PM - 2:30PM    Security: HIPAA, Cloud, & Edge Security
2:30PM - 2:45PM    Break
2:45PM - 3:30PM    Q&A and parking lot topics





Summary: Overall UTN Network and Security

UNIVERSITY OF UTAH
UTAH TELEHEALTH NETWORK
MEMBER SITES

INTERNET FIREWALLS
SITE FIREWALLS
DEVICE SOFTWARE FIREWALLS

WEB SECURITY APPLIANCE
INTRUSION DETECTION & PREVENTION
VULNERABILITY SCANNING

ANTI-VIRUS
ANTI-MALWARE
ANTI-SPYWARE


Roles & Responsibilities; Security Policy

Deb Lamarche, Utah Telehealth Network
Kyle Anderson, Utah Telehealth Network Board Member
Peter Bonsavage, Utah Telehealth Network

Real Consequences, Liabilities, & Breaches

CVS Pays $2.25 Million & Toughens Disposal Practices to Settle HIPAA Privacy Case

In a case that involves the privacy of millions of health care consumers, on January 16, 2009, the U.S. Department of Health & Human Services (HHS) reached agreement with CVS Pharmacy, Inc. to settle potential violations of the HIPAA Privacy Rule. To resolve the Department's investigation of its privacy practices, CVS agreed to pay $2.25 million and implement a detailed Corrective Action Plan to ensure that it will appropriately dispose of protected health information such as labels from prescription bottles and old prescriptions.


Real Consequences, Liabilities, & Breaches

Shasta Regional Medical Center Settles HIPAA Security Case for $275,000 - June 13, 2013
Idaho State University Settles HIPAA Security Case for $400,000 - May 21, 2013
Massachusetts Provider Settles HIPAA Case for $1.5 Million - September 17, 2012
Alaska DHSS Settles HIPAA Security Case for $1,700,000 - June 26, 2012
HHS settles HIPAA case with BCBST for $1.5 million - March 13, 2012


Real Consequences, Liabilities, & Breaches

Utah Dept. of Technology Services CHIP Breach

Gov. Gary Herbert apologized to the 780,000 victims of the health data security breach on Tuesday.

Utah guv fires tech director over health data breach, creates security czar. (Deseret News)

The programs include free credit monitoring and free enrollment in identity theft insurance for coverage up to $1 million for individuals and $2 million for families.

Senate President Michael Waddoups, R-Taylorsville, said Tuesday he expects the response to the data breach to cost between $2 million and $10 million, and more if the state faces federal fines or lawsuits.








Verizon Breach Report

The Verizon Breach Report gives a synopsis of thousands of breaches across industries.

http://www.verizonenterprise.com/resources/reports/rp_dbir-industry-snapshot-healthcare_en_xg.pdf

The Healthcare section is built off 60 confirmed breaches within Healthcare in the last two years.








Verizon Breach Report

For those Healthcare organizations included within the DBIR data set, attacks were almost entirely the work of financially-motivated organized criminal groups acting deliberately and maliciously to steal information. These groups are notorious for knocking over smaller, low-risk targets in droves to nab personal and payment data for various and sundry fraud schemes.







HIPAA

A person or organization that is obliged to follow the Privacy Rule may face a civil fine of up to $25,000, recently raised to a maximum of $50,000. In extreme cases, the U.S. Department of Justice (DOJ) may be called in to conduct a criminal investigation. If the DOJ becomes involved, violators could face a jail term of up to 10 years and a fine of up to $250,000.







Networking: VLANs and Public Access

VLANs: virtual switch or broadcast domain.
Public access: WiFi for the general public.

VLANs

Use to segregate traffic for more security, fewer broadcasts, or logical organization.
Data, VoIP, Video, facilities, Public, Guest, WiFi.
Voice/Video are sensitive to broadcast traffic, so use smaller VLANs.
Smaller VLANs allow for easier security configurations.

VLANs: Access Control Lists (ACLs)

Use ACLs to control traffic within VLANs for security.
ACLs were the first network security.
ACLs on switches and routers are NOT bidirectional: an ACL applied in one direction on an interface filters only that direction, so return traffic must be permitted separately.

Layer 2 (MAC addresses): broadcast domain, non-routable, fast, inexpensive. L2 switches can have multiple VLANs but cannot communicate between them.

Layer 3 (IP addresses): broadcast domain, routable, fast, expensive. L3 switches can have multiple VLANs and route between them.


VLAN Networking: Public Internet

Customers demand access with smartphones and tablets.
How do we provide access within moral and ethical guidelines?
How do we limit RISK and LIABILITY for customers' surfing habits?
Use of Acceptable Use documents.

Public Internet

Segregate with VLANs across infrastructure.
Have users check the Acceptable Use form.
Limit liability and risk by allowing only legal categories.
Possible even to air gap.
Use of infrastructure allows better coverage.
Bandwidth limitations allow for more users on small circuits.

VULNERABILITY DETECTION AND REMEDIATION

Managing Vulnerabilities: Qualys

Scans every week starting Monday at 8am until finished, ~11am Tuesday.
Currently scans 3100 devices within UTN.
Each vulnerability is assigned a CVE or identifier.
Categorized by level 5 to 1:
  5: exploit exists and has the highest CVSS score.
  4: exploit exists but is not easy to use.
  3-1: informational or best practice.

Low hanging fruit / Digging in

SNMP
Password brute force
Excess services, FTP, SQL
Java
SNMP v3
Static systems like Philips that require vendor support
Obsolete OS

Vulns: Where to start

Windows Software Update Service: free with Windows Server OS.

Software Updates: Oracle, Sun Java, Apple, Mozilla, Google.

Use auto updates whenever you can.

Obsolete OS: XP and back

In 2002 Microsoft introduced its Support Lifecycle policy based on customer feedback to have more transparency and predictability of support for Microsoft products. As per this policy, Microsoft Business and Developer products, including Windows and Office products, receive a minimum of 10 years of support (5 years Mainstream Support and 5 years Extended Support), at the supported service pack level.

Thus, Windows XP SP3 and Office 2003 will go out of support on April 8, 2014. If your organization has not started the migration to a modern desktop, you are late. Based on historical customer deployment data, the average enterprise deployment can take 18 to 32 months from business case through full deployment. To ensure you remain on supported versions of Windows and Office, you should begin your planning and application testing immediately to ensure you deploy before end of support.

Resources

Learn how other companies have benefited from migrating to Windows 7 and Windows 8 Enterprise.

Next: What does end of support mean to customers?

http://www.microsoft.com/en-us/windows/endofsupport.aspx


Vulns: Resources

UTN
Member site techs
CVE database - http://cve.mitre.org/cve/
Your vulnerability report
Univ. of Utah Information Security Office
Vendor support sites: www.microsoft.com, etc.



Vulns: UTN overall

Scan Title (Status) : UTN Site Scan
Start Date          : 06/10/2013 at 08:31:23 (GMT-0600)
Duration            : 1 day 01:30:15
Target Groups       : UTN ALL Site networks
Hosts Scanned       : 65270
Active Hosts        : 3448
Option Profile      : Standard Scan
Launched By         : Peter Bonsavage (hscun_pb)
Company             : HSC University of Utah - Health Sciences Center
Launch Type         : Scheduled
Scan Status         : Finished
Next Action         : None
------------------------------------------------------------

Summary of discovered Vulnerabilities (Trend)

Severity 5 "Urgent"   : 927 (-14)
Severity 4 "Critical" : 874 (-2)
Severity 3 "Serious"  : 2963 (-28)
Severity 2 "Medium"   : 5960 (+91)
Severity 1 "Minimal"  : 339 (+7)
Total                 : 11063


Vulns: UTN Devices

Email scan summary by QualysGuard

Scan Title (Status) : UTN Devices
Start Date          : 06/11/2013 at 06:03:08 (GMT-0600)
Duration            : 02:10:29
Target Groups       : No Group
Hosts Scanned       : 1280
Active Hosts        : 228
Option Profile      : Standard Scan
Launched By         : Peter Bonsavage (hscun_pb)
Company             : HSC University of Utah - Health Sciences Center
Launch Type         : Scheduled
Scan Status         : Finished
Next Action         : None
------------------------------------------------------------

Summary of discovered Vulnerabilities (Trend)

Severity 5 "Urgent"   : 2 (=)
Severity 4 "Critical" : 12 (-1)
Severity 3 "Serious"  : 183 (-6)
Severity 2 "Medium"   : 1198 (-12)
Severity 1 "Minimal"  : 7 (=)
Total                 : 1402

Summary of Potential Vulnerabilities
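As an added example (not part of the slides or of QualysGuard itself), a small Python parser for the e-mail scan summary layout shown above: it reads the per-severity counts and (Trend) deltas, checks that the stated Total reconciles with the five severity rows, backs out the previous week's total from the deltas, and reports the level 5 and 4 counts that the slides define as "exploit exists". The sample text is constructed from the UTN Site Scan figures, and the regexes assume the "Severity N "Label" : count (delta)" column layout as printed above.

```python
import re

# Constructed sample in the layout of the QualysGuard e-mail summaries on the
# slides above; the figures are those of the UTN Site Scan (06/10/2013).
SAMPLE_SUMMARY = """\
Scan Title (Status) : UTN Site Scan
Active Hosts        : 3448
Summary of discovered Vulnerabilities (Trend)
Severity 5 "Urgent"   : 927 (-14)
Severity 4 "Critical" : 874 (-2)
Severity 3 "Serious"  : 2963 (-28)
Severity 2 "Medium"   : 5960 (+91)
Severity 1 "Minimal"  : 339 (+7)
Total                 : 11063
"""

SEVERITY_RE = re.compile(r'^Severity\s+([1-5])\s+"[^"]*"\s*:\s*(\d+)\s*\(([+-]\d+|=)\)')
FIELD_RE = re.compile(r"^(Active Hosts|Total)\s*:\s*(\d+)")


def parse_summary(text):
    """Return {'counts': {sev: n}, 'trend': {sev: delta}, 'total': n, 'hosts': n}."""
    out = {"counts": {}, "trend": {}, "total": None, "hosts": None}
    for line in text.splitlines():
        m = SEVERITY_RE.match(line)
        if m:
            sev = int(m.group(1))
            out["counts"][sev] = int(m.group(2))
            # "(=)" means unchanged since the previous weekly scan
            out["trend"][sev] = 0 if m.group(3) == "=" else int(m.group(3))
            continue
        m = FIELD_RE.match(line)
        if m:
            out["total" if m.group(1) == "Total" else "hosts"] = int(m.group(2))
    if len(out["counts"]) != 5 or out["total"] is None or out["hosts"] is None:
        raise ValueError("incomplete scan summary")
    return out

def total_matches(s):
    # The stated Total should equal the sum of the five severity rows.
    return sum(s["counts"].values()) == s["total"]

def previous_total(s):
    # Back out last week's total from the (Trend) deltas.
    return s["total"] - sum(s["trend"].values())

def exploitable(s):
    # Levels 5 and 4: the slide's "exploit exists" categories, the ones to fix first.
    return s["counts"][5] + s["counts"][4]
```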

Vulns: How do you compare?

Your email has your line number.

WHAT WORKS FOR YOU?
WHAT DOESN'T WORK?
COMMENTS AND DISCUSSION

Vulnerabilities: THANKS

LUNCH

Web Security and Wireless: Cisco IronPort, WLAN Configuration

Cisco WSA Demo

Wireless Config

Do!
  WPA2 Enterprise with 802.1X authentication is best.
  WPA2 Personal with passphrase is acceptable.
  Use AES.
  Ok to have public on, but make sure it is at least VLAN separated.

Don't do it!
  WEP
  Passphrase shorter than 10 characters.

Hardening Guide

For all new and current Cisco equipment use this guide. It can apply to ALL vendor devices.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

Security: HIPAA, Cloud, & Edge Security

HOW DO WE DEAL WITH OFFSITE SYSTEMS?
WHAT OFFERING FOR EDGE BASED SECURITY DO YOU USE?

Q&A

WHAT DO YOU WANT TO KNOW?
Topics for more discussion