The IT Security Professional | Barlowtek
Helping Organizations Understand IT Security & Best Practices
Vulnerability v. Insecurity

When you look at conducting a pen test, you want to make sure that you are using a reputable firm such as @Trustwave or @Rapid7. These firms will provide your organization the most robust testing available, using an automated vulnerability-scanning engine and then following it up with hands-on penetration testing professionals who will try to exploit the vulnerabilities it finds.

Not Just a Vulnerability

The testing should not only focus on the vulnerabilities that an automated scanner has picked up; it should also look for the ways a motivated attacker would exploit them. Not having a human in the loop leaves out an important factor in the testing: the human factor. (The ability of a potential attacker to think outside the box can't be underestimated.) Having a living, breathing person behind the keyboard will ensure that the test looks more like an actual attack on your network: not just a vulnerability, but the deeper question of how to manipulate it in order to get access to those secured systems. Being able to take advantage of multiple vulnerabilities at the same time, or to string together various types of threats, keeps the testing realistic. Testing with an automated system can give you a quick look at all of the areas you will have to address during the remediation efforts, but it is not what you should prepare your resources against in order to thwart an attack. Having a person as part of that equation will allow you to face the unpredictable behaviors that are inherent to having a person in the loop.

Need for Testing

An organization will have several reasons that it may want to conduct a pen test of its networked environment. The biggest will be compliance with a regulatory requirement such as HIPAA or PCI DSS. While these regulations may be the initial drivers, they should not be the only reason that a company wants to conduct the testing, whether the business is providing services or other specialized data processing or storage of information. The need for pen-testing services is growing because the threats to our businesses are growing as well. Attackers are becoming more blatant and daring in the types and scopes of the attacks that they are willing to carry out. Whatever the reason for an attack on a network, it is important to remember that you can take steps to prevent attackers from gaining access to it. You are not going to deter everyone, and if a motivated attacker wants in, they will find a way to get in.

Testing Time

Setting up the testing is one of the most frustrating aspects of the whole process, in that you may have to decide what days or times work best for your organization, whether you are testing at night with teams that are located overseas or with ones located in your home country. It is important that you communicate the following to them:
Test Results

Communicating the test results may be one of the most important aspects of the whole process. The results must be communicated effectively and in a manner that your team and stakeholders will understand. Your results may vary from one testing firm to another, but they should contain most, if not all, of the following information:
Follow-up Testing

Follow-up testing may happen after the remediation efforts have been completed. This testing is to make sure that the patches or updates have been deployed properly. There may be times where the patch or vulnerability solution opens up additional vulnerabilities that were not discovered during the initial testing time frame. Risks abound in the field of IT Security, and they take on many forms. Whether it is a vulnerability or a known threat, the pen testing conducted against your network will be able to find those issues and provide you a way to address them. Conducting additional testing will allow you to determine the effectiveness of your remediation efforts. In order to address a possible threat, patches or updates should be deployed and installed properly; failure to do so will expose you to the very same risk that was identified during the testing.

Summary

While some organizations will look at the employment of a penetration testing team as a fruitless endeavor or a waste of time and money, this has proven to be far from the case when it comes to protecting our networks. The idea of what would happen to the organization if an attacker were to compromise the network should drive you to look for a competent testing team. How much would a potential breach cost your company? How much is your reputation worth? If you are like most businesses, this is what you are relying on when it comes to building your business. Additionally, organizations are coming under more and more scrutiny and compliance requirements. These requirements are increasingly looking for ways to ensure that business networks are more secure than they have been in the recent past. That requires more enforcement and greater controls that address the potential for threats against a computer network.
Protecting your backdoor

When it comes to IT Security and developing a plan to secure your organization, don't forget to look at the companies or groups that you rely on for their services. Whom do I mean? I mean your vendors and the people they hire to service your accounts. These people will have access to your business in ways that not many others in your company may.

Vendor Selection

Selecting a vendor is the most important thing you can do for your organization. With that in mind, if you want to have a secure business, you need to make sure the vendor has security in mind when hiring their personnel as well. Vendor selection is not just about the job the business will do for you, but also about the people they hire to carry it out. Below are some questions that should be asked when looking for a vendor:
Compliance Requirements

If you are looking for compliance requirements, look no further than ISO 27001, which requires a background check not only of vendors but also of employees. Compliance with these requirements means that a comprehensive background check has been done on them, that any discrepancies found are addressed, and that personnel who don't meet the hiring criteria are not placed into roles for which they would not be approved.

Granting Access

Whether you are looking for a vendor that will service your soda machine or someone that does your shredding, it is important that you understand your vendor's hiring practices. After you pick a vendor, granting them physical access to your business will be the next step if they are servicing your physical infrastructure or systems. Computer system access is another area that should be addressed. Whether access is granted, and what type, should be based on the type of work the vendor will be providing your organization. This is where Role Based Access Controls (RBAC) are implemented and enforced. The access should be limited in scope and permission level. Control over these areas will allow the IT Security Professional to make sure that the vendor is not accessing systems they are not permitted to access, or the information that may be stored on them.

Note: Firefighter accounts (accounts that have expanded permissions; Global Admins are an example of this type of role, although specific permissions may vary depending on your organizational policies) and their permissions and roles should be created and enabled only when needed. After the need is no longer there, they should be disabled or deleted, then reset and ready for the next time they might be needed.

Monitoring Accounts
Monitoring user accounts and user permissions is one of the key roles within the IT Security domain of responsibilities. This may be part of the auditing process or of a periodic review of accounts. Administrative accounts in particular should be monitored and should have additional restrictions that normal accounts may not have. Some of these restrictions are:
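The monitoring described here, together with the firefighter-account rule in the note above, can be automated. What follows is an added example, not code from the original post: it diffs a passwd-style account snapshot taken before a vendor engagement against one taken afterwards, flags new accounts that were not agreed in the contract or that are privileged (uid 0 or membership of an administrative group), cross-checks them against the "new user" entries that shadow-utils useradd writes to the auth log, and lists firefighter accounts that are still enabled past their approved window. The snapshots, log lines, firefighter register, approved-account set, admin group names and review time are all constructed for the example.

```python
"""Privileged-account review for a vendor engagement (added example).

All snapshots, log lines and the register below are constructed. Formats
follow the Linux passwd/group layouts and the 'new user' line useradd logs.
"""
import re
from datetime import datetime

# Constructed passwd-style snapshots: before the engagement and after it.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
vendor_svc:x:1001:1001:Vendor service:/home/vendor_svc:/bin/bash
support:x:0:1002:Support:/home/support:/bin/bash
maint:x:1003:1003:Maintenance:/home/maint:/bin/bash
"""
# Constructed group-style snapshot taken together with CURRENT_PASSWD.
CURRENT_GROUP = """\
root:x:0:
wheel:x:10:
sudo:x:27:alice,vendor_svc
"""
# Constructed auth log extract covering the vendor's access window.
AUTH_LOG = """\
Mar  3 09:12:01 host useradd[2211]: new user: name=vendor_svc, UID=1001, GID=1001, home=/home/vendor_svc, shell=/bin/bash
Mar  3 09:12:05 host sshd[2230]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Mar  3 23:41:17 host useradd[4410]: new user: name=support, UID=0, GID=1002, home=/home/support, shell=/bin/bash
"""
APPROVED_NEW_ACCOUNTS = {"vendor_svc"}      # assumption: the accounts the contract allowed
ADMIN_GROUPS = {"root", "wheel", "sudo"}     # assumption: groups that count as administrative
# Constructed firefighter register: enabled flag plus end of the approved window (ISO 8601).
FIREFIGHTER_REGISTER = [
    {"name": "ff_dba", "enabled": True, "window_end": "2023-01-10T18:00:00+00:00"},
    {"name": "ff_netops", "enabled": False, "window_end": "2023-01-05T12:00:00+00:00"},
    {"name": "ff_cloud", "enabled": True, "window_end": "2023-01-20T18:00:00+00:00"},
]

USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")


def parse_passwd(text):
    """Map username -> numeric uid from passwd-style text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = int(fields[2])
    return users


def parse_groups(text):
    """Map group name -> set of member usernames from group-style text."""
    groups = {}
    for line in text.splitlines():
        if line:
            fields = line.split(":")
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def parse_useradd_events(log_text):
    """Return [(username, uid)] for every 'new user' line useradd logged; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        match = USERADD_RE.search(line)
        if match:
            events.append((match.group("name"), int(match.group("uid"))))
    return events


def is_privileged(name, uid, groups):
    """uid 0 or membership in an administrative group counts as privileged."""
    return uid == 0 or any(name in groups.get(g, set()) for g in ADMIN_GROUPS)


def review_new_accounts(baseline_text, current_text, group_text, log_text, approved):
    """Map each account that appeared since the baseline -> reasons it needs a look."""
    baseline = parse_passwd(baseline_text)
    current = parse_passwd(current_text)
    groups = parse_groups(group_text)
    logged = {name for name, _ in parse_useradd_events(log_text)}
    findings = {}
    for name in sorted(set(current) - set(baseline)):
        reasons = []
        if name not in approved:
            reasons.append("not agreed in contract")
        if is_privileged(name, current[name], groups):
            reasons.append("privileged (uid 0 or admin group)")
        if name not in logged:  # exists in passwd but useradd never logged it
            reasons.append("no useradd log entry")
        if reasons:
            findings[name] = reasons
    return findings


def stale_firefighter_accounts(register, now_iso):
    """Names of elevated accounts still enabled after their approved window ended."""
    now = datetime.fromisoformat(now_iso)
    return [e["name"] for e in register
            if e["enabled"] and datetime.fromisoformat(e["window_end"]) < now]


if __name__ == "__main__":
    findings = review_new_accounts(BASELINE_PASSWD, CURRENT_PASSWD, CURRENT_GROUP,
                                   AUTH_LOG, APPROVED_NEW_ACCOUNTS)
    for name, reasons in findings.items():
        print(f"{name}: {'; '.join(reasons)}")
    # Constructed review time, a few days after ff_dba's window closed.
    print("firefighter accounts to disable:",
          stale_firefighter_accounts(FIREFIGHTER_REGISTER, "2023-01-15T09:00:00+00:00"))
```

In practice the baseline is captured before access is granted, the current snapshot after the engagement (or on a schedule during it), and the approved set comes from the contract. The "no useradd log entry" reason is worth chasing in its own right: an account that exists in passwd without a matching log line was either added by editing the file directly or the log has gaps, and either case deserves an explanation from the vendor.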
Locking Backdoors

When you contract with a vendor, you are taking a chance that they are taking the right steps in employing the right personnel to do the work for your company. Sometimes this is not the case, and you end up with someone who has malicious intentions and may want to harm your organization. This is where the IT Security Professional will be required to monitor actively (not passively, after something has happened). Locking the backdoor means making sure that no administrative accounts have been created during the time the vendor had access to specific systems. Whether they are working on Windows or UNIX systems, these should be monitored for additional account creation. If an account has to be created for whatever reason and has not been expressly discussed or outlined in the contractual agreement beforehand.

Summary

With vendors, it is important to keep in mind that they are there to help you and your business. Nevertheless, it is important to keep in mind that they can be a detriment as well as a benefit to your organization. Taking some preventive steps and having a clear delineation of their specific responsibilities will ensure that you are protecting your business and assets.

Connected devices changing lives

Walk into any hospital or healthcare clinic these days and you will run into a connected computer network with lots of devices attached to it. This is a version of the Internet of Things (IoT) that has provided new capabilities to an industry that looks for new ways to provide better services for its customers. These new devices not only connect to the Internet, but they also help to provide critical care to the patient. Without the proper security measures in place, these devices can be compromised. This will not only put the organization at risk, but it may cost someone's life, depending on the type of attack that is carried out against the device hardware.
Connected Devices

Smart devices have become ubiquitous in the healthcare industry these days. Some of the wireless smart devices that you can see in a hospital or clinic are:
These devices will transmit the data they collect to a centralized location where the information can be monitored by the staff. This allows for more coordinated care of the individual patient while also being the most cost-effective option for the hospital.

Benefits of IoT

The benefits of adopting IoT devices within the healthcare industry can have dramatic effects on the care that patients receive from their providers, from the increased effectiveness of the providers to the ability to diagnose and prevent possible complications before they happen. Additional sensors can be leveraged to track data points that might otherwise be left out of the diagnosis process. Having the ability to monitor a patient on many levels within a facility, or even remotely, enables a healthcare organization to provide better care for its patients. Unique devices can be created or developed that accomplish a specific task or multiple tasks, depending on the need of the organization. Some devices are for specific niche applications, while others serve a broader range of uses. Connecting smart devices to the network and creating an enhanced service to offer potential patients may be the driving force for the adoption of IoT devices, but the security of the devices should be considered as well, especially when someone's life may depend on it.

Internet of Vulnerabilities
The Internet of Things (IoT) continues to grow in size and capacity within the networked healthcare infrastructure. The key to the use of new smart technologies is to secure (harden) the network and the access to the devices that are connected to it. Instead of playing music, like Amazon's Alexa, these devices are integrated into the healthcare service provided by the caregivers. Because they are integrated into the care and monitoring of patients, their security becomes a matter of life or death. Networked IoT devices don't have the security that one might think. They were made to connect to a network with very little interaction with the IT staff or the IT Security Professional. In the healthcare industry, we need to make sure that this is different: security should be at the forefront of the development process. With the increased usage of IoT devices, security still needs to be a forethought, not an afterthought, in the development of these devices. The vulnerabilities that currently plague healthcare IoT networks and devices are:
Solutions Needed

In order to address the vulnerabilities that continue to plague healthcare IoT devices, developers and users need to demand that they are addressed, whether through additional software or application support for the complicated functions that enhance device security. Eliminating bad security practices will go a long way toward creating more secure IoT devices. While there is still a lot of novelty behind the use of smart devices within the healthcare setting, we should realize that we are dealing with patients' health and that these devices could have the potential to affect their very lives. If we look the other way and don't find a solution for these insecure devices, we are not helping our organizations be more secure. In fact, we are putting them in a position of greater potential liability due to improper use of IT Security controls. Nobody wants a patient's death on their hands, but when you employ IoT devices within a hospital and leave gaping holes in their security configuration, that could be a potential outcome.

Summary

While there are still many security concerns with the adoption of new technologies, the healthcare industry is moving forward with the quick adoption of technologies that help to save the lives of its patients. Nevertheless, it is not just about the patient; it is also about the security of the devices and the possibility of their being compromised over the network. While some of the networked device makers will address these issues, others are slow to adapt, which leaves the whole industry at risk of providing a needed service whose security patients will question. As a potential patient of these providers, I would want them to address the security vulnerabilities and make sure that the devices they employ in my health care have been secured in a manner that makes them safe for me, and also for the others who may use them.

It should be all about the protection of the patient and their health. After all, isn't that the reason why you are in healthcare in the first place?
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.

Archives: January 2023