Secure Digital Solutions, LLC
29 Jun 2017

Trends in Data Breach

June 29, 2017
Ed Snodgrass, CISO, Secure Digital Solutions

On Friday, June 23, Anthem Healthcare agreed to settle a series of lawsuits related to the company’s 2015 data breach, which impacted 78.8 million individuals. The settlement includes a payment of $115 million and three years of additional security protections. This is the largest amount thus far in a steadily growing list of big-dollar settlements for security incidents.

On the surface, this trend looks like growing regulatory intolerance backed up by similarly increasing penalties. But there’s more to this story than meets the eye.

Every major data breach case has been settled without a single admission of liability. Settlements are negotiated between the respective legal teams, and various payments between the parties are agreed to.

The results of these cases, with no admission of liability, leave us wondering where the accountability lies, and why such breaches, and the settlements that follow, continue to happen even though security is now viewed as a critical component of doing business. The accountability question is complex and likely a topic for another day. This post focuses on some of the reasons breaches continue to occur.

Secure Digital Solutions has been privileged to be involved in some of the largest data breach cases of the last decade. This challenging and sensitive work gives us a unique perspective on the process, the causes and the results. While I’m not able to talk specifics, I can provide the following insights into the high-level, recurring patterns that we see in almost every case related to these breach incidents:

  • Lack of visibility – The identified critical, core systems are known and generally well-protected. Other systems that are known, but have not been assessed and designated as critical, are not well-protected. Those are the systems an intruder uses to reach the protected ones.
  • Lack of ownership – Taking direct responsibility for company-owned and managed systems isn’t enough. Identifying and owning the connectivity into those systems (vendors and suppliers, for example) is mandatory as well. Reliance on third-party attestation doesn’t cut it.
  • Having it but not doing it – It’s one thing to have policies and standards written and communicated. They’re nothing but ‘shelf-ware’ unless they’re monitored and enforced.
  • Lack of basic blocking and tackling – The technical requirements of a solid, secure enterprise are known, as are the processes to support them. Implementing those requirements is hard, but it must be done.

The key takeaway is that nothing on the above list is new or unforeseen. No undiscovered symptom leads to compromise, and no silver bullet prevents it. Knowing your enterprise and getting back to security basics (objectives, requirements, process and appropriate supporting technology) is the most effective means of preventing a significant incident. And when an incident does occur, having the above components in place allows rapid and effective detection, containment and response, which should shorten the long and complex process that follows a breach.

30 Mar 2016

Five Takeaways to save your Healthcare Organization $1.5M

By Chad Boeckmann, Secure Digital Solutions
March 29th, 2016

The recent outcome at North Memorial Healthcare in Minneapolis, MN should be a stark reminder to all companies of the importance of secure and practical endpoint provisioning processes.

Let’s take a look at what just occurred in the North Memorial Healthcare case [1]. North Memorial Healthcare was recently fined $1.5M because a third-party consultant lost a laptop, provisioned by North Memorial, that contained Protected Health Information (PHI) on an unencrypted hard drive. So what went wrong?

Lessons Learned from North Memorial Healthcare

There are five best practices we can take away from this million-dollar lesson.

  1. Ensure all third parties accessing any electronic system have a Business Associate Agreement in place. According to federal regulators, no such agreement existed between North Memorial Healthcare and Accretive, the third party that lost the assigned laptop. A Business Associate Agreement is a requirement under the HIPAA Final Rule.
  2. Only redistribute endpoint devices to others after first wiping the hard disk of any existing or residual data. In many organizations, healthcare in particular, IT teams are short-staffed, have not been trained, and have not taken the time to assess all the processes supporting asset distribution and asset management. To ensure HIPAA compliance and the security of PHI, it is an industry best practice to wipe every endpoint device before provisioning it to another person or entity.
  3. Encrypt the hard drive. After so many data breaches it seems as though everyone understands the importance of encryption, yet there is still a disconnect between principle and practice. Full-disk encryption is the one control on this list that turns a lost or stolen laptop into a non-event: PHI encrypted in line with HHS guidance is not “unsecured” PHI, so its loss does not trigger breach notification.
  4. Restrict PHI from leaving the protected network. This includes any endpoint that can leave the building. Sound unreasonable? If so, assess the current processes that allow PHI to be saved to hard drives, mobile devices and the like. Keeping PHI off devices that leave the protected environment reduces the opportunity for data theft and compromise, and thus substantially decreases the risk of a data loss event.
  5. Assess third-party risk today. Vendor risk assessments are an increasing trend, and something few organizations even considered performing five years ago. The pressure to adopt electronic medical record systems introduces a higher-than-normal acceptance of risk during this season of change, as new processes are created and new users are trained, and a major component of these changes is engaging third parties at a rate far above historical levels in healthcare. Every vendor added to the mix changes the risk landscape. How many U.S. data breaches of the past five years have resulted from third-party relationships? Too many. Reduce risk and be vigilant with third-party risk assessments.


Combatting Data Loss

Over the last several years, and as a result of the Affordable Care Act, healthcare has been under immense change. These changes have primarily taken the form of reduced margins (competitive pricing models) and large investments in new technology (Electronic Medical Record systems). The pressure to change, or adapt, introduces a higher-than-normal acceptance of risk during this season of change. In addition, PHI now lives in electronic format and everyone wants to pursue the golden arrow of the perfect report: new business intelligence built from multiple database queries that harvest information about the patient community and produce trending reports for the Chief Medical Officer. Wait; did anyone consider security or privacy (access control, encryption of data in transit and at rest, storage of PHI reports on endpoints, etc.) as an integral design requirement of this new business intelligence capability? I’m simply raising challenges that those of you in the healthcare space know all too well and are constantly chasing as a result of EMR’s introduction. I’ll return to my simple rule: prevent PHI from leaving the premises (your controlled environment) to truly manage the security and privacy of the data. Many solutions are available to implement this type of control and monitoring. Other healthcare organizations have taken exactly this approach and so far have been successful at keeping their names off the front page of the latest news post.


Summary

Two key items to note about this example given to us by North Memorial Healthcare. If the laptop had employed full-disk encryption, this incident would not have become a data loss event. And if the laptop had not contained PHI in the first place, its loss would not have made a headline in the Business Journal or prompted this post.

Learn more about assessing current IT and business processes and the security of those processes by reading about the MAPP methodology here.


[1] http://www.bizjournals.com/twincities/morning_roundup/2016/03/lost-laptop-costs-north-memorial-health-care-1-5.html?ana=RSS&s=article_search


14 Mar 2016

Incident Response – Minimize Damage from Ransomware

By: Corey Tower, Information Security Consultant, CISM, CPPM

Malware is like fashion: almost everything you are dealing with today, or whatever seems popular, was likely “popular” only a short time ago. Humans have very short memories regarding malware, much as they have short memories of fashion.

Ransomware is what Vogue or GQ would call “currently in style” or “Winter 2016’s Hot New Look!” Both old and new ransomware families such as CryptoWall and Locky (named for the .locky extension it gives the files it encrypts) are very dangerous malware that you absolutely do not want to deal with. What is interesting about most of these families is that they arrive as nothing more than a phishing email carrying a document with an embedded malicious macro. Talk about revolutionary stuff here, no? Yet most companies still struggle against these attacks.

Less than 10% of malware is detected by signature-based defenses. Monitoring and awareness have become more and more critical to stopping criminals from succeeding. But there is a psychological aspect you just can’t plan for.

Jane from accounting is tired. It’s 7:45 am, her newborn was up all night, the coffee hasn’t kicked in, invoices are late and she really doesn’t want to be there in the first place. An email finally arrives with the invoice she has been expecting and: “wait, what’s going on? What’s encrypted??? Who did this email come from? Oh no….”

Prepare a response and recovery plan.

The Clock Starts

A client of mine recently experienced something similar to Jane’s morning, as did many more people around the globe with the recent wave of the Locky ransomware. Here is how we kept a bad day from turning catastrophic.

  1. Awareness. The individual who was hit with Locky had the presence of mind to report it immediately. For anyone who isn’t familiar with Locky, it can spread through any network share the infected account is authorized to write to, even if the share is not mapped to a drive letter. The key word is any. A share does not need to be mapped on the host for Locky to encrypt it, so if your defense is “ah, they don’t even know they have access!!”, think twice.
  2. Containment. Because the incident was reported quickly, tech-ops was able to contain it before it spread to five additional network drives. Five! Cleaning ransomware off one desktop is usually a small task, especially if the data is backed up. Losing five network drives that may not be backed up would be catastrophic.
  3. Communicate. It is critical to notify your workforce of a present, real attack on the company. It can be the difference between dealing with one case of Locky and dealing with six or ten. Awareness is always your most affordable, practical and effective control for your weakest link: humans.
  4. Ensure. Locky encrypts fast and reaches everything the infected account can write to. Once the malware is discovered and contained, search the network for further damage or any other sign of the malware, including encrypted files on shares nobody has reported yet. Depending on the situation, you may want a forensics expert to confirm the extent of the damage and that nothing else was left behind.
  5. De-escalate. Take yourself off Red Alert. Inform your team and outside audience that the situation is contained. Take a walk, enjoy a break, take lunch and, most importantly, tell those who deserve it “Good job”.
  6. Lessons learned. The next day, talk about how you got into the mess, how you got out, and how it could have been prevented in the first place. Establish policy and procedure to prevent it from happening again. People should be rewarded for preventing problems first, solving problems second. Again, malware is like fashion: make sure that the next time ransomware is in style you have made the proper adjustments to prevent another incident.
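As an added example, not code from the original post or from Secure Digital Solutions, the following Python script shows the kind of non-signature check that backs the Awareness and Ensure steps above: it reads file-server write audit records, groups writes of files carrying the .locky extension by account, lists every share root that account touched (including shares that were never mapped to a drive letter on the workstation), and flags a burst of such writes inside a short window. The CSV layout, server and share names, accounts and timestamps are all constructed for the example; real file-server audit events (Windows object-access auditing, NAS audit logs) carry the same fields under different names.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-server audit records in a simplified CSV form
# (timestamp, account, client workstation, UNC path written, operation).
# Hosts, accounts, shares and times are made up for this example; the
# ".locky" extension is the indicator described in the post above.
SAMPLE_AUDIT_LOG = r"""timestamp,account,client,path,operation
2016-02-17T07:45:58,CORP\bob,WS-ENG-12,\\FS01\Engineering\specs\pump.docx,write
2016-02-17T07:46:02,CORP\jane,WS-ACCT-07,\\FS01\Finance\Invoices\Q1\inv-1001.xlsx,write
2016-02-17T07:46:03,CORP\jane,WS-ACCT-07,\\FS01\Finance\Invoices\Q1\7A1B2C3D9E8F4A5B.locky,write
2016-02-17T07:46:03,CORP\jane,WS-ACCT-07,\\FS01\Finance\Invoices\Q1\7A1B2C3D9E8F4A5C.locky,write
2016-02-17T07:46:04,CORP\jane,WS-ACCT-07,\\FS01\Finance\Invoices\Q1\7A1B2C3D9E8F4A5D.locky,write
2016-02-17T07:46:09,CORP\jane,WS-ACCT-07,\\FS01\HR\Onboarding\7A1B2C3D9E8F4A5E.locky,write
2016-02-17T07:46:10,CORP\jane,WS-ACCT-07,\\FS01\HR\Onboarding\7A1B2C3D9E8F4A5F.locky,write
2016-02-17T07:46:15,CORP\bob,WS-ENG-12,\\FS01\Engineering\specs\valve.docx,write
2016-02-17T07:46:21,CORP\jane,WS-ACCT-07,\\FS02\Scans\2016\7A1B2C3D9E8F4A60.locky,write
2016-02-17T07:46:22,CORP\jane,WS-ACCT-07,\\FS02\Scans\2016\7A1B2C3D9E8F4A61.locky,write
2016-02-17T07:51:40,CORP\bob,WS-ENG-12,\\FS01\Engineering\archive\old.locky,write
"""

# Lower-case extensions that ransomware gives to the files it has encrypted.
RANSOMWARE_EXTENSIONS = (".locky",)


def parse_events(text):
    """Parse the CSV audit text into dicts, converting the timestamp column."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def share_of(unc_path):
    r"""Reduce a UNC path to its share root: \\FS01\HR\Onboarding\x -> \\FS01\HR."""
    parts = unc_path.lstrip("\\").split("\\")
    if len(parts) < 2:
        raise ValueError("not a UNC path: %r" % unc_path)
    return "\\\\" + parts[0] + "\\" + parts[1]


def has_burst(timestamps, window, threshold):
    """True if at least `threshold` timestamps fall inside some span of `window`."""
    ts = sorted(timestamps)
    start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def find_ransomware_activity(events, extensions=RANSOMWARE_EXTENSIONS,
                             window_seconds=60, threshold=5):
    """Summarise writes of ransomware-named files per account.

    Returns {account: {"files", "shares", "clients", "first_seen", "last_seen",
    "burst"}}. "shares" lists every share root the account wrote encrypted
    files to, whether or not the workstation had it mapped; "burst" is True
    when `threshold` such writes landed inside `window_seconds`.
    """
    hits = defaultdict(list)
    for ev in events:
        if ev["operation"] not in ("write", "rename"):
            continue
        if ev["path"].lower().endswith(tuple(extensions)):
            hits[ev["account"]].append(ev)
    window = timedelta(seconds=window_seconds)
    report = {}
    for account, evs in hits.items():
        times = [e["timestamp"] for e in evs]
        report[account] = {
            "files": len(evs),
            "shares": sorted({share_of(e["path"]) for e in evs}),
            "clients": sorted({e["client"] for e in evs}),
            "first_seen": min(times),
            "last_seen": max(times),
            "burst": has_burst(times, window, threshold),
        }
    return report


if __name__ == "__main__":
    for account, summary in find_ransomware_activity(parse_events(SAMPLE_AUDIT_LOG)).items():
        flag = "BURST" if summary["burst"] else "single"
        print(account, flag, summary["files"], "files on", ", ".join(summary["shares"]))
```

The share list is the containment list: disconnect the client, disable the account, and check every share named, not only the ones mapped on the workstation. A single stray file below the threshold is reported but not flagged as a burst, which keeps one odd filename from paging the on-call. In a real deployment the embedded CSV is replaced by the file server's audit stream and the window and threshold are tuned against the normal save rate of the busiest users.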


Questions to Ask Today

Are your shared network drives designed around least privilege?

Can anyone open a document with macros?

What non-signature based detections have you enabled?

Is your workforce aware not to open just any attachment?

Is your workforce aware that a sender can be spoofed to pose as a legitimate source?

Would a workforce member know who to contact and feel safe reporting an incident?
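To the question “Can anyone open a document with macros?”, the mail gateway is the cheapest place to answer no before the endpoint policy ever has to. As an added example, not code from the original post or from Secure Digital Solutions, this Python routine screens attachments by content rather than by file name: an OOXML package (docm, xlsm, pptm, or a docx renamed to look harmless) that carries a vbaProject.bin part is blocked, and a legacy OLE2 binary document (the old .doc/.xls/.ppt container, which can also hold VBA) is held for deeper inspection. The sample attachments are built in memory for the example, and the verdict names and the `screen_attachments` helper are this example’s own.

```python
import io
import zipfile

# Magic number of the legacy OLE2 compound document (binary .doc/.xls/.ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Every OOXML package that carries VBA stores it in a part named vbaProject.bin
# under the application's directory (word/, xl/ or ppt/).
VBA_PART_NAME = "vbaproject.bin"


def classify_attachment(name, data):
    """Decide by content, not by extension, whether an attachment may carry macros.

    Returns (verdict, reason) where verdict is "block", "review" or "allow".
    """
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: VBA lives in OLE streams, not in a zip part.
        # Parsing those streams needs olefile/oletools, so hold it for review.
        return "review", "legacy OLE2 document %s may contain VBA; inspect with oletools" % name
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as package:
                for member in package.namelist():
                    if member.lower().endswith("/" + VBA_PART_NAME):
                        return "block", "%s contains a VBA project part (%s)" % (name, member)
        except zipfile.BadZipFile:
            return "review", "%s has a zip header but is not a valid package" % name
        return "allow", "%s is an OOXML/zip package without a VBA project" % name
    return "allow", "%s is not an Office container" % name


def screen_attachments(attachments):
    """Map attachment name -> verdict for a dict of {name: bytes}."""
    return {name: classify_attachment(name, data)[0] for name, data in attachments.items()}


def _build_ooxml(app_dir, with_vba):
    """Construct a minimal OOXML-shaped zip in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr(app_dir + "/document.xml", "<document/>")
        if with_vba:
            package.writestr(app_dir + "/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


# Constructed sample attachments: a macro-enabled invoice, the same invoice
# renamed to .docx to look harmless, a clean document, a legacy binary
# document and a plain text file.
SAMPLE_ATTACHMENTS = {
    "invoice_1001.docm": _build_ooxml("word", True),
    "invoice_1001.docx": _build_ooxml("word", True),
    "agenda.docx": _build_ooxml("word", False),
    "invoice_2015.doc": OLE2_MAGIC + b"\x00" * 64,
    "notes.txt": b"plain text, nothing to see here",
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        verdict, reason = classify_attachment(name, data)
        print("%-18s %-7s %s" % (name, verdict, reason))
```

This is the mail-side complement to the endpoint control: Office’s macro settings (Trust Center or Group Policy) decide whether a macro that does reach Jane can run, while the gateway check decides whether the document reaches her at all. The renamed-.docx case is why the check looks inside the package instead of trusting the extension.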


Conducting Tabletop Exercises

If your team has not yet conducted an incident response tabletop exercise, I highly suggest coordinating one. At Secure Digital Solutions we work with teams to kickstart these exercises, from an endpoint compromise scenario to full data breach response activities. The amount of knowledge team members take away can be astounding; new knowledge about how the business operates is often uncovered for individuals who are not normally involved in various aspects of the business processes. To learn more visit our tabletop exercise page at Incident Response Tabletop Exercise Services


15 Sep 2014

Cyber-Risk Handbook Issued for Boards

Breaches Are Enterprise-Wide Risk Issue

By Chad Boeckmann, CEO, Secure Digital Solutions

This summer (2014), the National Association of Corporate Directors (NACD) acknowledged something we have long contended at Secure Digital Solutions: Company boards—not just IT departments—share responsibility for preventing cyber-attacks.

Prompted by a rash of high-profile breaches, which now includes Target, Michael’s, Super Valu and Home Depot, the largest association for corporate board members has acted. NACD teamed up with insurance giant AIG and the Internet Security Alliance to develop and publish security oversight guidelines for executives at the very top of American corporations.

The resulting Cyber-Risk Oversight Handbook spells out five excellent principles for boards to follow:
1. Directors need to understand and approach cyber-security as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber-risks as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cyber-security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.
5. Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance as well as specific plans associated with each approach.

The question of “where the buck stops” is finally getting the buzz it deserves. Even the Department of Homeland Security has endorsed the guidelines. Too often, IT and security have been viewed as cost centers rather than partners of the C-suite. Now that boards are advised to forge a better alliance with IT security, how will the two communicate on an issue that can be densely technical, and work together to build corporate cultures of security?

Our advice is to focus on the last two guidelines, where the rubber meets the road: companies need to set up a healthy information security program, then systematically develop a plan to address identified risks. These are the first steps we counsel in every client engagement at Secure Digital Solutions.

The best program starts with a healthy Information Security Council with defined roles, membership, and a definition of scope. Because security is a technical, cultural, and communications issue, it’s vital that a company-wide team representing finance, human resources, marketing, and operations co-develop an information security plan and share accountability for its success.

The second priority for boards is to commission an unbiased information security program assessment—one everyone understands, including the board and the Information Security Council. Too many audit reports today are laundry lists that paralyze decision-makers. At Secure Digital Solutions, we translate assessments into a concise, one-page Information Security Dashboard that ranks priorities red, yellow or green based on their level of threat to the bottom line. With our dashboard, clients can convey the big security picture to upper-level management in a form that clarifies and motivates investment.

We applaud the Cyber-Risk Oversight Handbook. It’s a big step by the National Association of Corporate Directors. Information security professionals everywhere are grateful for leadership on a topic where corporate governance has too long been silent or shifted blame. Let’s put an end to silos and work together to protect consumers and the companies they trust.