Gaining Support for Infosec BudgetsDemonstrating Real Vulnerabilities Can Be Effective
"The best way to gain support for security funding is to represent what a true risk would be," Kennedy says.
A penetration test involves demonstrating how an organization's security controls can be bypassed to gain access to systems, pinpointing vulnerabilities.
The Healthcare Information Security Today survey, conducted by HealthcareInfoSecurity, shows that only 42 percent of healthcare organizations have a defined information security budget. Providing evidence of potential risks can help win support for a budget, Kennedy says in an interview about the survey results (transcript below). Diebold was one of the survey's sponsors.
In the interview, Kennedy:
- Emphasizes the role that comprehensive information security training can play in mitigating risks;
- Describes why risk assessments must address all aspects of security, including regulatory compliance, physical security, wireless network vulnerabilities and more; and
- Outlines how a centralized approach to audit log management can simplify security, making it easier to detect unauthorized access to patient data. The survey found that audit logs/log management topped the list of information security technology investments for the year ahead.
Kennedy is chief security officer at Diebold, Incorporated, heading a team dedicated to protecting the company's infrastructure in 77 countries. The team addresses information security, loss prevention, customer compliance, electronic discovery and physical security. Kennedy is the author of the book "Metasploit: The Penetration Testers Guide." He's a co-author of the Penetration Testing Execution Standard.
Complete survey results are now available.
Addressing Staff Mistakes
HOWARD ANDERSON: Survey participants perceived mistakes by staff members to be the single biggest security threat they face, followed by insider threats and business associates taking inadequate security precautions. What are some of the best ways to address each of these threats?
DAVID KENNEDY: If you look at how information security is structured right now and how information security is set up, the problem that we face are the different threat landscapes that we have out there, as far as social engineering or malicious websites. ... Generally, staff members aren't equipped enough to see different types of attacks that might be out there, or may not be able to understand a malicious web page that might be out there, or something to that effect. If you look at educational awareness around security, we are at a pretty immature state when it comes to the healthcare industry. [IT users] are having a tough time identifying any type of threats that might be out there and actually may give information out to a specific attacker or might actually click on a link ... that ultimately compromises him.
If you look at RSA for example, [the company] experienced a data breach specifically because of an employee opening up a PDF document that happened to be a zero-day, and from there it further compromised the network. If you look at ... how to protect our associates or the users, it really goes around coupling it with user and education awareness, around the latest security threats that are out there and really trying to put some granularity around user controls so that the users are actually protected as they are going out and browsing the Internet.
Improving Security Training
ANDERSON: The survey found that about 43 percent grade the effectiveness of their security training and awareness activities as poor, failing or in need of improvement. What are the essential components of an effective training effort?
KENNEDY: ...You have to look at what resonates with the users. I think most training programs kind of go the online CBT [computer-based training] route, where it's really driven off of what are the latest attacks out there. But it really doesn't resonate with the users. It tends to become cumbersome and boring for them. [Instead, it's important to try] to resonate with the associates on what the different types of attacks are and how it actually impacts them. What we've seen is companies put on a security education awareness week for their organization, talking about the latest threats, but also trying to hit them at home as well. How do you protect [your] home infrastructure or home wireless networks or things of that effect? Just by teaching them little bits of information here and there, you expand your security program out to every associate vs. just how many people you have dedicated to security.
That, coupled with trying to help them understand and relating to them through education awareness-type training, you really get a maximum effectiveness of how you can actually train them. If you look at the maturity models in most organizations, they are really focused on compliance aspects around education awareness, so making sure that we have something that they've signed that is our acceptable use policy and maybe has some training that goes along with it. It's very rare to find a company that actually invests in education and awareness around security. We've seen companies that have screensavers [with] security-related [information] just to remind them to make sure that they don't share their passwords or [to look] for suspicious activity.
We've also seen companies that have posters around the different environments that really show them what is happening as far as security goes. A lot of times it happens to also go to the individual groups and what their responsibilities are, really trying to train them on ensuring that they have a security-conscious effort when they are working with any type of data.
ANDERSON: The survey also showed that 26 percent of organizations have yet to conduct a risk assessment as mandated by HIPAA, and of those that have conducted an assessment only 46 percent update it at least annually. Can you offer some insights on how to conduct an effective risk assessment and how often it should be updated?
KENNEDY: If you look at what risk assessments were designed to do, it's to identify different risks that you have within your organization. Taking that into the context of security, risk assessments really are a current state of your overall information security program, or what you are doing as far as security is concerned. With risk assessments it really needs to be widened; it has to cover all aspects of your security program. Generally, leveraging NSA's IAM methodologies, leveraging the ISO standards are perfectly acceptable risk assessment methodologies. But when you start to look at what you actually want to accomplish out of a risk assessment, what you want to do is find out what your current state of security is and then further leverage a maturity model to get your company to a posture that they are acceptable with.
Every company is different. Not every company wants "Fort Knox" security, but if you look at what the risk assessments are actually accomplishing, it's really to try to build your information security program up to actually elevate it to a posture that is acceptable to the organization as far as what level of security you have. You want to cover things like physical security, wireless security, regulatory and compliance aspects, modems and networking-type attacks, really just looking at your entire security program as a whole and where you might have deficiencies or gaps in that, and actually build upon that. When you do it annually or you continue to do it over a period of time, you should be able to see a maturity model of your organization starting to get to that point of where you want it to be, and those risk assessments are really the validation to prove that those are actually legitimate.
ANDERSON: Audit logs and log management top the list of information security technology investments for the year ahead. Why do you think that is the case, and what is the most effective way to monitor who is accessing patient information stored in multiple information systems?
KENNEDY: If you look at how complex technology has gotten, we have different systems for literally everything that we do. Specifically in the healthcare industry there is no real centralization of applications. Every application that is built is built independently. In order to effectively monitor those, you really have to have some sort of centralized management solution that will be able to take all of that information at once and try to correlate that into something that is intelligible that you can actually monitor.
If you look at the audit log and log management solutions out there today, they're really designed to try and centralize and correlate information into one central repository that you can then start to tackle and understand what type of information is going through it. And for a security program, the common term SIEMS, or Security Information Event Monitoring Solution, it's really aimed at detecting different types of attacks that might be happening in an organization and start to tie-in multiple systems, networking devices, firewalls, databases, applications; everything kind of ties into a central repository to where they can start to monitor that from one central location vs. having to have an independent window for one application vs. your firewall vs. your switches and routers vs. your operating systems. It's really a way to try to oversimplify security so that all the information is readily available to you, and basically what you do from there on out is what you define as your security program as far as detection and trying to prevent different types of attacks.
Winning Funding for Info Security
ANDERSON: Finally, the survey found that only 60 percent of organizations report that they have a documented information security strategy in place. Only about 42 percent have a defined information security budget. What's the best way to win support and funding for a comprehensive information security strategy?
KENNEDY: This is probably one of my favorite topics as far as information security goes, because it is something that every organization struggles with and no organization has really been a leader in defining what that is. If you look at what we're trying to protect against, we're trying to protect our information; we're trying to protect our intellectual property; we're trying to protect, specifically in healthcare, our patient information; we are trying to protect the overall organization itself.
The best way to gain support within the organization for funding is to represent what a true risk would be. I'm a big advocate on penetration testing, which is essentially mimicking an attacker or an adversary, trying to attack the organization as a hacker would. Essentially, they would try to bypass security controls and gain unauthorized access to systems, and from there further penetrating to the network to identify what type of impact you can have to the organization. Why that's important is [because] penetration testing is a fundamental philosophy of assimilating what a hacker does, but it [also] identifies what your true exposures are to the organization and what an actual attacker could do to circumvent those controls, and where your deficient security programs are at.
When you are looking for funding, being able to walk into a meeting with the CFO or the CIO and basically state that you were able to completely cripple the organization if you wanted to, had access to everybody's healthcare information, were able to change the temperature of an operating room, all of those are things that can resonate with the organization so that they can actually start to give funding to a more strategic security program.
There are penetration tests that I've been on and we would do a combination of trying to attack the organization from a physical perspective. We would go in and impersonate being a doctor, or we would go in and impersonate a janitor or someone helping out. In one case we were doing a penetration test for a hospital and we broke into the drug dispensing units. ... So the doctor will go in and punch in a certain number or whatever and it spits out a certain amount of pharmaceutical drugs and we were able to get that to dispense whatever we wanted to.
There are different attacks that you can do toward an organization to represent what they need to protect against, and ultimately any company's goal is to continue to generate revenue and also try to protect its information. Penetration testing emphasizes what deficient programs you have in there and how you build upon it.