October 2017
(Rev 1.0 September 2018)
CSOL 510
Module 7: Final Project
Executive Summary
We cannot afford to be lax with our network security. Literally, we cannot financially afford the
consequences of a cyber attack. The FSB-sponsored data breach of Yahoo resulted in a
$250,000,000 valuation hit in the days leading up to Yahoo’s acquisition by Verizon.1 In less
than a week, shipping giant Maersk lost an estimated $300,000,000 in the NotPetya ransomware
attack, and it wasn’t even the prime target.2 According to the Journal of Cybersecurity’s 2016
study, the healthcare industry has one of the highest numbers of cyber incidents, second only to
finance and insurance.3 Our customers’ ePHI, and associated data, make us a prime target. That’s
the scary news; the good news is that we have a top-notch cybersecurity department to defend
against these very real and persistent threats.
Our cyber security department, properly funded and supported by you all, will employ the proper
cryptographic tools and techniques, including encryption, sufficient to meet, defeat or deny the
threat while in compliance with relevant laws, regulations and standards.
Introduction
My job, the job of the cybersecurity department, is pretty straightforward: provide a secure
distributed network that facilitates and supports business operations and activities while
protecting customer electronic Personal Health Information (ePHI) and company data.
Succeeding at my job, on the other hand, is significantly more complex. In addition to being a
matter of good business, it is our ethical responsibility to safeguard our customers’ ePHI. Building
and maintaining a secure network environment is a 24/7/365 Sisyphean task which requires
professionalism, a healthy mixture of cryptography, persistence, vigilance, attention to detail,
critical thinking, imagination and common sense.
Designing a secure network is more than bricks and mortar, more than firewalls, switches and
routers. Designing a truly secure and reliable network requires consideration of key network
attributes like policies and enforcement, laws, regulations, standards, threats, risks, controls, data
protection methods, encryption, cryptography and, last but definitely not least, budget. Figure 1
is an illustration of our network architecture which shows the major users, hardware components
and interfaces.
Figure 1
Non-cryptographic Controls
A strong security policy, with solid cryptographic controls, is a great start, but they alone are not
sufficient.23 Non-cryptographic controls (physical and logical), together with non-cryptographic
hashes (like MurmurHash and SpookyHash, where speed is at a premium), provide the rest, dare I
say the lion’s share, of our network security policy. Protecting our network is akin to protecting
our house; we need to assess it from the outside looking in as well as from the inside looking out.
And like home security, implementing these controls will affect network performance, add
complexity and require money to implement.
First order of business is access control, starting with controlling physical access to the network.
Access to our main campus and off-site buildings must be controlled by manned security that
physically checks each company-issued photo ID. All hardware (printers, scanners, external hard
drives and monitors) will be tagged by the IT department and approved prior to connecting. Only
company-approved mobile devices will be allowed on company premises. Remote workers will
only use company-issued computers (properly tagged and inventoried). All users will have
password-protected accounts. Only assigned and actively used ports and network drops will be
active. All webcams will be disabled and covered. No outside software will be installed on
company computers or network devices without approval by the IT department. The servers,
firewalls, router and WAP will be TEMPEST compliant and located in the inner core of the
building (no direct access to external walls) in rooms with no windows and solid-core steel doors
to prevent leakage.24 The WAP output power will be regulated to reduce the probability that
signals can be received outside the desired coverage area. Account generation for new employees,
and revocation for former employees, will be managed by the IT department. Employee web
access will be role-based and limited to work-specific URLs. The network will have strong
monitoring and a Host Based Security System to prevent external attacks and to keep encrypted
information from bypassing content-checking mechanisms. Malicious code and spam detection
mechanisms will be used and actively managed. Network administrators will periodically monitor
the network to enforce our security policy and will have the ability to expeditiously disconnect or
disable remote workers and turn off/disable the wireless network.
Every means should be pursued to increase our security, including confusing potential
adversaries. Although it has the potential to complicate our network management, a diverse
(heterogeneous) network infrastructure reduces the impact of potential exploits. To that end,
server virtualization, partitioning and network segmentation will be employed on all applicable
devices.
PKI
Identity and authorization management (IAM) applications and encryption are generally
considered two of the more important enablers of a layered security environment.31 Public Key
Infrastructure (PKI) is a powerful tool for providing trusted encrypted communications between
two entities. We will leverage PKI to help control access to our network with 802.1X
authentication, protect user data with encryption, secure network traffic with IPsec, support
two-factor authentication with smart cards, implement secure email and electronic document
signatures, and protect traffic to internal websites.32,33
In order to achieve the highest acceptable level of security, we will use both publicly issued and
self-issued certificates, with the public issuer being a large established Certificate Authority (CA)
like VeriSign.34 Key management is of paramount importance. Our IT department will manage
our self-issued keys and will be responsible for their issuance, distribution and revocation. The
CA for our publicly issued keys will manage the issuance and renewal of its keys. Keys will be
valid for periods no greater than one year. Keys that are no longer required (employee leaves,
retires or is fired) will be revoked immediately and posted to the CRL. Protecting keys requires
additional controls to restrict their misuse, misconfiguration or compromise.35 Root and sub-root
keys will be rigorously protected and stored in secure off-line locations. Adopting PKI is not
without its risks; keys may get stolen or compromised, and it is susceptible to mathematical
attack. Even though implementing/integrating PKI into our architecture is complicated and
expensive, in our case, as a health insurance company responsible for our customers’ ePHI, the
hassles and expenses are worth it.
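The acceptance rules this section lays out (trusted issuers only, key lifetime capped at one year, immediate revocation via the CRL) can be written down as a checker so that the IT department applies them consistently. The following Python is an added example, not the paper’s own code and not any vendor’s PKI implementation: it evaluates certificate metadata against those rules and also fails closed when the issuer’s CRL is missing or past its next-update time, a case the paper does not spell out but that a stale CRL makes dangerous. Issuer names, serial numbers and dates are constructed; a real deployment would take these fields from parsed X.509 certificates and a signed CRL.

```python
"""Added example (not from the paper): the certificate-acceptance policy
described in the PKI section, as a checker over certificate metadata.
All issuer names, serials and dates below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# "Keys will be valid for periods no greater than one year."
MAX_LIFETIME = timedelta(days=365)
# one self-issued CA plus one public CA (constructed names)
TRUSTED_ISSUERS = {"Corp Internal CA", "Example Public CA"}


@dataclass(frozen=True)
class CertInfo:
    serial: str
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


def check_certificate(cert: CertInfo, crls: dict, now: datetime) -> list:
    """Return the list of policy failures; an empty list means accept."""
    problems = []
    if cert.issuer not in TRUSTED_ISSUERS:
        problems.append("untrusted issuer")
    if cert.not_after - cert.not_before > MAX_LIFETIME:
        problems.append("lifetime exceeds one year")
    if not (cert.not_before <= now <= cert.not_after):
        problems.append("outside validity period")
    crl = crls.get(cert.issuer)
    if crl is None:
        # fail closed: without revocation data we cannot honour "revoked immediately"
        problems.append("no CRL available for issuer")
    else:
        if now > crl.next_update:
            # a stale CRL may silently omit a recent revocation
            problems.append("CRL is stale")
        if cert.serial in crl.revoked_serials:
            problems.append("certificate revoked")
    return problems


def demo() -> dict:
    """Constructed records: a current employee, a departed employee whose
    serial is on the CRL, and a server cert issued for two years."""
    now = datetime(2018, 9, 1, tzinfo=timezone.utc)
    crls = {
        "Corp Internal CA": CRL(
            issuer="Corp Internal CA",
            this_update=now - timedelta(days=1),
            next_update=now + timedelta(days=6),
            revoked_serials=frozenset({"1002"}),
        ),
    }
    current = CertInfo("1001", "CN=jdoe", "Corp Internal CA",
                       now - timedelta(days=30), now + timedelta(days=300))
    departed = CertInfo("1002", "CN=former-employee", "Corp Internal CA",
                        now - timedelta(days=200), now + timedelta(days=100))
    too_long = CertInfo("1003", "CN=server1", "Corp Internal CA",
                        now - timedelta(days=1), now + timedelta(days=700))
    return {c.subject: check_certificate(c, crls, now)
            for c in (current, departed, too_long)}


if __name__ == "__main__":
    for subject, problems in demo().items():
        print(subject, "->", "accept" if not problems else problems)
```

The checker returns every failure rather than the first one, so an audit log records why a certificate was refused; the CRL freshness test is what turns "revoked immediately" from a promise into something the relying party can verify.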
Employee Training
We can have the best cryptographic tools running the top encryption algorithms on the best
hardware on the market, but that won’t matter a lick if our employees are ignorant of network
security or lack proper, and persistent, training. Employees are an easy access point for
cyber-attacks, be it malware insertion, phishing or simple intrusion.36 Employees are also our
greatest assets. Ethical behavior and professionalism are key tenets of our training program.
Our cyber training must be a priority, starting the day an employee comes aboard and continuing
all the way through to the exit briefing. The industry is in a state of continuous evolution;
yesterday’s security training will not protect us from tomorrow’s threat. Our training has to do
better than keep pace. Our employees are our first line of defense and must be armed with the
latest information. An adequately funded and prioritized training department is vital to that end.
Conclusion
You should look at our cyber security as health insurance for our network and the required
budget as the premium for top-of-the-line coverage. Because the return on investment is not
immediately realized, it’s easy not to appreciate it, but to do so puts our company at peril. The
cyber world is a highly toxic and contagious environment. We need to ensure we are properly
armed and protected to operate in it. An adequate budget is the first step. We are not looking for
gold plating but rather sufficiency: slightly better than good enough. We need a budget that
will provide the proper cryptographic mechanisms, hardware, tools, encryption, protocols,
top-of-the-industry IT staff and a rock-solid training department. That first step is great, but our
long-term success and viability as a company that provides excellent service while safeguarding
our customers’ data ultimately depends on and requires your support and endorsement. Without
your ethical and professional leadership and buy-in, the balance is tipped to favor the attackers.
Keeping our network secure and protecting our company and customer data is a 24/7 effort. If we
fail to provide that protection we put our customers’ data in peril and our viability as a trusted
provider at risk, and we open ourselves to attacks, data loss and erosion of our customers’
confidence in our ability to safeguard their ePHI.
References
1. Volz, D. (2017, 15 March). U.S. Authorities Charge Russian Spies, Hackers in Huge Yahoo
Hack. Retrieved from https://www.reuters.com/article/us-yahoo-hack-indictments-fsb/
2. Thomson, I. (2017, 16 August). NotPetya Ransomware Attack Cost Us $300M – Shipping Giant
Maersk. Retrieved from https://www.theregister.co.uk/2017/08/16/
3. Romanosky, S. (2016, 08 August). Examining the costs and causes of cyber incidents. Journal
of Cybersecurity. 2, 2, 121-135, https://doi.org/10.1093/cybsec/tyw001
5. Rouse, M. (n.d.). Confidentiality, Integrity and Availability (CIA Triad). Retrieved from
http://whatis.techtarget.com/definition
6. U.S. Department of Health & Human Services. (n.d.). The HIPAA Security Rule. Retrieved
from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
7. U.S. Department of Health & Human Services. (n.d.). The HIPAA Enforcement Rule.
Retrieved from https://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-
rule/index.html
8. U.S. Department of Health & Human Services. (n.d.). Omnibus HIPAA Rulemaking.
Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-
regulation-text/omnibus-hipaa-rulemaking/index.html
9. Scarfone, K, et al. (n.d.). Guide to Storage Encryption Technologies for End User Devices.
Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-111.pdf
10. U.S. Department of Health & Human Services. (n.d.). Guidance to Render Unsecured
Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized
Individuals. Retrieved from https://www.hhs.gov/hipaa/for-professionals/breach-
notification/guidance/index.html
11. American Hospital Association. (n.d.). HIPAA Security FAQs. Retrieved from
http://www.aha.org/content/00-10/cmssecurityFAQ81704.pdf
15. NIST. (2017, July 11). Update to Current Use and Deprecation of TDEA. Retrieved from
https://beta.csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
16. Dworkin, M. NIST. (2007, November). Recommendation for Block Cipher Modes of
Operation: Galois/Counter Mode (GCM) and GMAC. Retrieved from
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
17. HIPAA Compliance and Laptops 11 Things You Should Know. (2016, May 24). Retrieved
from http://hipaapoliciesandprocedures.com/blog/entry/hipaa-compliance-and-laptops-11-things-
you-should-know.
18. Adams, C. (2002, November 16). Understanding PKI: Concepts, Standards, and Deployment
Considerations. Macmillan.
19. Cobb, M. (n.d.). How MAC and HMAC use hash function encryption for authentication.
Retrieved from http://searchsecurity.techtarget.com/answer/
21. Leyden, J. (2014, November 5). Crypto collision used to hijack Windows Update goes
mainstream. Retrieved from https://www.theregister.co.uk/2014/11/05/
22. NIST, (2015, August 5). NIST Releases SHA-3 Cryptographic Hash Standard. Retrieved
from https://www.nist.gov/news-events/news/2015/08/
23. Howlett, T. (2009, February 23). The Importance of a Cryptographic Controls Policy.
Retrieved from http://windowsitpro.com/security/
25. Podjarny, G. (2017, 08 June). XSS Attacks: The Next Wave. Retrieved from
https://snyk.io/blog
26. Bradley, T. (2017, 07 September). VPN’s: IPSec vs. SSL. Retrieved from
https://www.lifewire.com/
27. Columbus, L. (2001, 06 August). Kerberos Security in Windows XP. Retrieved from
http://www.informit.com/articles/
28. Walla, M. (200, May). Kerberos Explained. Retrieved from https://msdn.microsoft.com/en-
us/library/
29. Clercq, J. (2007, 25 March). Comparing Windows Kerberos and NTLM Authentication
Protocols. Retrieved from http://windowsitpro.com/security
30. MIT. (n.d.) 7.1 Backing Up the Kerberos Database. Retrieved from
https://web.mit.edu/Kerberos/
31. Lawton, S. (2015, 17 March). Introduction To Public Key Infrastructure (PKI). Retrieved
from http://www.tomsitpro.com/articles/
32. Finjan. (2017, 19 June). What is Public Key Infrastructure (PKI) and How is it Used in
Cybersecurity. Retrieved from https://blog.finjan.com/
34. Dublin, J. (n.d.). Choosing from the top PKI products and vendors. Retrieved from
http://searchsecurity.techtarget.com
35. Microsoft Corp. (n.d.). Cryptography and Microsoft Public Key Infrastructure. Retrieved
from https://technet.microsoft.com/en-us/library/dd277320.aspx
36. Glover, G. (n.d.). Wireless Access Point Protection: Finding Rogue Wi-Fi Networks.
Retrieved from http://blog.securitymetrics.com/2016/03/wireless-access-point-protection.html