## 2013/01/26

### Security: Computer Security for Business Continuity in Healthcare

If you run a Healthcare-realted Business, things changed in the last 6 months...
Ransomware is set to boom [0] and cyber-security is now part of our National Security Plan.
Businesses now have to secure their computers and data just as they secure their premises and goods.

It's not optional, fail to do so and you will go out of business, just when is the question.
Ask yourself this: "If my computers were destroyed, how long could I continue the business? At reduced capacity or at all?", then act accordingly.
i.e. Does anyone around the world see you as a high-value, exploitable target?
Especially those in low-income countries with employment problems: poverty corrupts, not just power or the love of money.

The Internet is defined by its explosive growth: A few For-Profit hackers have noticed Business Ransomware is an ideal way to monetise remote computer attacks & exploits.
The numbers of these attacks will now double every few months as word gets around, new "toolkits" are sold to them and they ramp up their activities.

Every business that can raise $5,000 and relies on its systems and data for daily operations is now in their sights. These people have no morals, ethics or compassion in their work: they want your money and don't care about the damage they cause or the impact of their actions. Appeals to them will fall on deaf ears. Neither believe that a single ransom payment will be the last you'll hear of them. Why would you trust the word of criminals who've already broken in and callously damaged your systems? If you haven't taken adequate steps to protect your computer systems and data, your general insurance company may refuse claims of damage now. General Insurers definitely won't be paying in the near future if you can't demonstrate "strong locks, doors and security grills". Expect Data Insurance and Computer Security Assessment businesses to come knocking on your door looking to sign you up. They'll promise "golden bullets" to solve all problems, but you, as the owner of the business, have ultimately responsibility for opening the doors and trading, they don't, even with the best will in the world. Your business, not theirs, is on the line: act accordingly. The Prime Minister has released a new Security Policy and cyber security, for both Government and Private sectors, is seen as a crucial on-going activity. [1] [2][3] At least 70% of the cyber intrusions the Defence Signals Directorate [DSD, responsible for Govt. cyber-security standards & some operations] responded to in 2012 could have been prevented if organisations had implemented the top four of the mitigation strategies (listed below), up from 70% in 2009 [4]. The government also neatly divides cyber-attackers into four categorises, each with very different agendas, funding and desired outcomes. [5] Some want to be invisible, others seek media attention. If you read and apply DSD's "top 35 mitigation strategies", noting nothing is 100% safe from all attacks, there are still some things you need to be doing. Good Security is never "static" but active, you have to be doing more than put in place "protection". • Your Business is Your Data. • Don't just do backups, practice restores and actively check your data is complete, correct and consistent. You have to store the data is in another, safe location - consider backing up over a network. • Hardware is Cheap. • Have some laptops pre-built as replacements for all operational systems. Slow service is far, far better than no service. • Not Everything should be connected to the Internet. • For-Profit hackers won't bother trying to get past "air-gaps" onto isolated networks. Traffic segregation and Network segmentation are cheap, powerful security techniques. These same contingencies will also address Business Continuity issues from: • Equipment failure • Fire • Theft • Physical Damage, accidental or malicious, and • Electrical Damage from lightning and power surges. The Gold Coast medical practice that lost its records had been compromised two weeks before their files were encrypted and a ransom demanded. The hackers turned off the daily backups and nobody noticed. Otherwise, they were a model business. They had just upgraded their firewall, ran separate servers, had security experts setup and administer their systems and religiously did backups. They definitely would've complied with the "top 4" DSD recommendations, probably all in the "top 35". Nobody had thought to tell them that "whilst backups are done, only restores are ever requested". They, like most businesses, didn't actively check their precious data, just assumed "it worked once, so what could possibly go wrong?". Here is a simple strategy for small businesses, especially Healthcare-related high-value targets: • Add another layer to you backups, never rely on just one method or copy of your data: • store critical data on a network device with automatic, continuous or periodic backups (or "snaphots") to an off-site device. • For extra-credit, provide a dedicated link and very restrictive firewall for just this purpose at both ends. • Find someone that cares about the business and integrate checking backup data into their daily schedule. Checks can never be "make work", they have to be real, useful tasks. • Nobody cares more about a business than an owner. • Nor can risk be delegated or outsourced. • Print or view from the backup daily summary reports of all accounting and line-of-business transactions (sales, consults, patients, work dispatched). • Look for and investigate small errors, they are meaningful. Computers don't "just make mistakes", one of the best documented international hacking/espionage cases came from a diligent administrator looking into a minor discrepancy. [6] • Practice your Business Continuity procedures regularly and completely in Drills. • Safely turn-off or disconnect all your regular systems and equipment, then try to restore normal operations. • For many people, stopping and restarting normal operational systems is a challenge in itself. • You need to time how long individual things take. • You need a meticulous, independent "note taker" in every main area of activity, because later on you'll construct an exact timeline as part of your Post Drill Review. • You have to assume "9/11" conditions: • assume "the experts" along with all the equipment are unavailable. • only ordinary staff run the Data Drill and only from the written instructions. • Phone support is allowed, just not to "the I.T. expert". • After you're back on-line, collect all notes and hold for the Review. • Perform regular Post Drill Reviews to Refine your Process and Documents [7]: • Owners need to be present, but not necessarily for the whole exercise. • The outcome of the review is for the benefit of the Owners. • If the Owners aren't committed to the process and willing to personally pursue the changes needed, the Drills and Reviews should be skipped. • Review leaders have to be independent and skilled to encourage full and frank disclosure. • Staff must be able to speak openly, critically and without fear of consequences. • Even the best Employer-Employee relationship has "no go" areas that you need to find a way around to discover important information. • After the first one or two Reviews, you might run them yourself, only having paid Consultants back every year or two to keep you on-track and refresh your process. • What worked? • What didn't work? • Use the classic Ishikawa categories to help. • People, Management, Method, Machines, Materials, Maintenance, Measurement and Environment. [8] You can make this a heavyweight, expensive and laborious process or design a lightweight, simple and quick process. The key is: never let someone else sell or install a process you don't follow or can't competently manage by yourself. A friend whom I convinced to run his practice on an isolated computer did his backups to a rotating set of USB Flash drives. When one failed, he replaced the set. The only extra step he needed was to have his partner, not himself, restore a backup onto a spare laptop and check totals and summaries. With his low turnover, weekly or monthly would've sufficed. I looked for storage appliances that supported encrypted "snapshots" and secure access for him, so he and a business peer could be off-site backups for one another, but at the time none were available. He was interested and willing if I could find him something in the$500 bracket.

But wait, there's more...

Having done all this you will have a reasonably secure systems and very robust Business Continuity processes to take Internet exploits in your stride.

There are three other important strategic areas of Security you need to consider and address.

• Monocultures [9]
• It wasn't a virus that caused the 5-year long Irish Potato famine in the mid-1800's, but the lack of diversity. Only one variety of potato was planted, when an infection arose, it spread everywhere, quickly.
• Most PC's and servers in small business are Microsoft based. Because they're popular, this is what hackers target. If you arrange to run your software on other systems, even as Virtual Machines, you will immediately reduce your desirability for attackers and increase the tools at your disposal for Intrusion Prevention and Detection.
• Pharmacies and Medical Practices in Australia overwhelming run the same practice software. Practices that choose other software immediately greatly reduce their chances of being compromised: For-profit attackers make sensible commercial decisions on where to use their resources and what/whom to target.
• Insider Attacks
• Attacks from the Internet are a rising threat and not to be ignored, but far from the only threat.
• The highest impact and value attacks come from people within the system, doing what they are trained and authorised to do.
• Sometimes these people may not be on-site or even work for you: the staff of consultants, supplier, database suppliers and vendors may all potentially defraud you.
• It could be as subtle as a common database of claimable items and values being manipulated.
• Proof of this is the all too frequent media reports of Bank employees being detected and charged with significant fraud/theft, often going back many years.
• What we never hear of are those thieves the Banks detect but don't charge.
• There is extensive anecdotal evidence that large institutions prefer to learn from successful exploits and theft: perpetrators can be given indemnity if they teach the full exploit to the corporation, along with how to detect and prevent it.
• In the mid-70's, their were rumours that operations/administration staff who discovered and exploited security flaws would move from Bank to Bank running the same exploit. Because corporations aren't required to release or share Security information, even anonymised and historical, this attack is entirely plausible and hence has to be assumed effective and done.
• There is no defence against this sort of attack, only vigilance and good systems that will detect it sooner rather than later. This is why Accounting does Audits and normal practice is to require two independent people be needed for payments and authorisations.
• Vendor Compromise: if attackers plant "backdoors" in your software [10]
• Done well, you and they might never know, or at least only find out on "Zero Day" when everyone has their bank accounts drained at once and hard disks wiped.
• Vendors with dominance in any market segment are prime targets for these attacks.
• Why would a For-Profit attacker attempt to compromise 3500 Medical Practices individually when they can just take over one Vendor and own everyone else.
• This isn't a theoretical risk. In 2005 Sony released a new feature on CD-ROM drives to automatically delete pirated music. Unfortunately, they'd let a virus, a rootkit, get into their software, presumably undetected. [11]
• While all attacks can't be defeated, Vendors need to take extraordinary measures to prevent and detect backdoors being silently inserted into their code.
• In the current environment, I'd expect all Healthcare and related Software Vendors to supply statements by Independent Security Testers and Auditors on their Policies, Procedures and Practices.
• And proof of some sort of Indemnity Insurance against Contingent Liability claims from all clients.
• If your working Bank Account is drained
• and you're off the air for a week or two,
• and you've had to pay for teams of consultants to recover and clean your systems,
• that's a lot of money per individual claim.
• If they have 3-4000 clients each demanding $1-5M are they insured for that and can the Insurer cover the full amount? • Now is a good time to ask all your Software Vendors if they are covered for Contingent Liabilities caused by their negligence or inadequacy in releasing compromised software. Don't be alarmed by these views nor dismiss them as fanciful or irrelevant. There are very simple and completely effective actions you can take to recover your Business Operations quickly: pre-built, pre-positioned hardware, good backups, regular Drills + Reviews, Daily summary checks from backups by an owner. If your current I.T. support doesn't agree or can't supply those services, you need to be seeking a second opinion. After all, what have you to lose but your entire livelihood and investment? [0] My previous piece on Healthcare-related businesses as "soft" targets. [http://stevej-on-it.blogspot.com.au/2013/01/security-healthcare-systems-are-soft.html] [1] Strong and Secure: A Strategy for Australia's National Security [http://www.dpmc.gov.au/national_security/national-security-strategy.cfm] PDF 3.44MB: Strong and Secure: A Strategy for Australia's National Security [2] Australian Cyber Security Centre. January, 2013. [http://www.pm.gov.au/press-office/australian-cyber-security-centre] A new Australian Cyber Security Centre will be established in Canberra to boost the country’s ability to protect against cyber-attacks. Already around 73 per cent of Australians use the internet more than once a day. Australians’ use ;of cyberspace is estimated to be worth$50 billion to our economy, with the rollout of the NBN only expected to accelerate these changes.

Yet Australia’s cyberspace is subject to threats:
• In 2011-12, there were more than 400 cyber incidents against government systems requiring a significant response by the Cyber Security Operations Centre.
• In 2012, 5.4 million Australians fell victim to cyber crime with an estimated cost to the economy of \$1.65 billion.
Securing and protecting our networks, and ensuring confidence in the online environment, is pivotal to Australia’s economy.
[3] Gillard vows to fight 'malicious' cyber attacks
[http://www.abc.net.au/news/2013-01-23/gillard-national-security-strategy/4480448]
• 2011-12 saw a 27 per cent increase in the number of 'cyber incidents requiring a significant response'.
• The Federal Government spent 80 million on cyber security in 2011-12.
[4] DSD: Strategies to Mitigate Targeted Cyber Intrusions
[http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm]
PDF: 700KB http://www.dsd.gov.au/publications/Top_35_Mitigations_2012.pdf
At least 85% of the targeted cyber intrusions that Defence Signals Directorate (DSD) responds to could be prevented by following the first four mitigation strategies listed in our Strategies to Mitigate Targeted Cyber Intrusions:
• use application whitelisting to help prevent malicious software and other unapproved programs from running
• patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers
• patch operating system vulnerabilities
• minimise the number of users with administrative privileges.
[5] Speech by Director Defence Signals Directorate, 26 February 2010
[http://www.dsd.gov.au/speeches/20100226_nsa_ddsd.pdf]
We judge that the cyber threat comes from a wide range of sources, representing a broad range of skills and varying levels of sophistication. They include:
• individuals working alone;
• issue­-motivated groups;
• organised criminal syndicates, as well as
• state-­based foreign intelligence services.
[6] The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage , by Clifford Stoll.
[http://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1416507787]

Summary of "The Cuckoo's Egg" on Wikipedia. Broad strokes only. The book is well-written and very readable, if a little idiosyncratic as you might expect from an Academic Astromoner-turned-Administrator.
[http://en.wikipedia.org/wiki/The_Cuckoo's_Egg]

[7] Project Retrospectives: A Handbook for Team Reviews, by Norman L. Kerth
[http://www.dorsethouse.com/books/pr.html]
This is the definitive guide to running the many types of "Reviews" and makes a case as to why what happens after a Project (or Event/Drill) is more important than anything: you get to learn and develop a corporate memory.

Many might first think this approach is too "touchy-feely".
Quality Improvement and its twins, Performance and Cost/Efficiency Improvement, are solely based on People Learning and Changing what's done. If People are involved, then at some point Change will require "touchy-feely" work, something many people find confronting or uncomfortable.
[8] Wikipedia has a very basic overview of Ishikawa "Fishbone" diagrams. They may or may not be useful, but his Quality Improvement questions are as good as it gets.

[9] The Dangers of a Software Monoculture, By Bruce Schneier. November 2010
[http://www.schneier.com/essay-331.html]
In 2003, a group of security experts -- myself included -- published a paper saying that 1) software monocultures are dangerous and 2) Microsoft, being the largest creator of monocultures out there, is the most dangerous. Marcus Ranum responded with an essay that basically said we were full of it. Now, eight years later, Marcus and I thought it would be interesting to revisit the debate.
The basic problem with a monoculture is that it's all vulnerable to the same attack. The Irish Potato Famine of 1845--9 is perhaps the most famous monoculture-related disaster. The Irish planted only one variety of potato, and the genetically identical potatoes succumbed to a rot caused by Phytophthora infestans. Compare that with the diversity of potatoes traditionally grown in South America, each one adapted to the particular soil and climate of its home, and you can see the security value in heterogeneity.

[10] Reflections on Trusting Trust, Ken Thompson. You can't trust code that you did not totally create yourself.
[http://cm.bell-labs.com/who/ken/trust.html]
This wasn't a piece of speculative writing, but a research report on what works in practice.

[11]Wikipedia on the Sony BNG copy protection rootkit scandal
[http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal]