
Ted Huskey

October 2017
(Rev 1.0 September 2018)
CSOL 510
Module 7: Final Project
Executive Summary
We cannot afford to be lax with our network security. Literally, we cannot financially afford the consequences of a cyber attack. The FSB-sponsored data breach of Yahoo resulted in a $250,000,000 valuation hit in the days leading up to Yahoo’s acquisition by Verizon.1 In less than a week, shipping giant Maersk lost an estimated $300,000,000 in the NotPetya ransomware attack, and it wasn’t even the prime target.2 According to the Journal of Cybersecurity’s 2016 study, the healthcare industry has one of the highest numbers of cyber incidents, second only to finance and insurance.3 Our customers’ ePHI, and associated data, make us a prime target. That’s the scary news; the good news is that we have a top-notch cybersecurity department to defend against these very real and persistent threats.
Our cybersecurity department, properly funded and supported by you all, will employ the proper cryptographic tools and techniques, including encryption, sufficient to meet, defeat or deny the threat while in compliance with relevant laws, regulations and standards.

Introduction
My job, the job of the cybersecurity department, is pretty straightforward – provide a secure distributed network that facilitates and supports business operations and activities while protecting customer electronic Protected Health Information (ePHI) and company data. Succeeding at my job, on the other hand, is significantly more complex. In addition to being a matter of good business, it is our ethical responsibility to safeguard our customers’ ePHI. Building and maintaining a secure network environment is a 24/7/365 Sisyphean task which requires professionalism, a healthy mixture of cryptography, persistence, vigilance, attention to detail, critical thinking, imagination and common sense.
Designing a secure network is more than brick and mortar, more than firewalls, switches and routers. Designing a truly secure and reliable network requires consideration of key network attributes like policies and enforcement, laws, regulations, standards, threats, risks, controls, data protection methods, encryption, cryptography and last, but definitely not least, budget. Figure 1 is an illustration of our network architecture which shows the major users, hardware components and interfaces.
Figure 1

Laws, Policies, Regulations and Standards


Protecting and safeguarding our customers’ ePHI is one of our greatest ethical responsibilities. As a mid-size health care insurance company we must comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which provides data privacy and security provisions for safeguarding medical information, including electronic protected health information (ePHI).4 HIPAA sets the standards for protecting patient data. Noncompliance with HIPAA will result in fines and a hit to our business reputation that translates directly to loss of customers and revenue.
There are three key information security policies vital to achieving information security: confidentiality, integrity and availability. Confidentiality governs access to our information and is roughly equivalent to privacy: access is limited or restricted to authorized users only. Integrity pertains to the trustworthiness of the data, its accuracy and consistency. Integrity can be enforced through the use of access controls and cryptographic checksums. Availability is the third leg of the CIA triad. Availability means the data is guaranteed to be available and accessible to authorized users. Availability enforcement depends on the network hardware being operated and maintained properly.5
Confidentiality
There are many ways to enforce confidentiality, ranging from training employees on the necessity of using strong passwords to simply limiting which users have access. Encryption is the most common method of confidentiality policy enforcement.
Jumping right to encryption selection implies that a considerable number of assumptions have been made and analyses performed: for example, that we are in compliance with all provisions and laws including the Privacy Rule, Security Rule, Enforcement Rule and Omnibus Rule.6,7,8 It also assumes we have conducted a thorough risk analysis, vulnerability assessment and threat analysis of our infrastructure, using all available toolkits. We are in a high-threat environment. Flawed analysis or assumptions will ultimately result in weak security and put customers’ ePHI at risk.
Security is not free; budget plays a significant part in what we ultimately field. Cost is a consideration in all aspects of policy enforcement, but cost will not be a limiting factor. We have seen the damages (fines and penalties) due to underfunded or poorly enforced policies. Please keep that in mind: budget and security are tightly coupled. Although a gold-plated security plan does not guarantee 100% protection, shortchanging our cyber security budget shortchanges our cyber security.
A strong cryptographic key management policy is vital. All cryptographic keys will be tightly controlled in compliance with National Institute of Standards and Technology (NIST) Special Publication 800-111.9 We will use centralized management for our storage encryption, and all keys will be secured and managed properly.10 45 CFR Part 164 requires encryption and decryption of ePHI, and in our case that includes our data storage and remote workers’ laptops.11,12,13 All ePHI will be encrypted at the point of ingestion and will not be transported or moved unencrypted. All encryption keys will be valid for at least 10 years and backup data will be retained for at least 6 years.4 Advanced Encryption Standard (AES) is our preferred symmetric algorithm for our data storage.15 AES is a proven symmetric-key algorithm well suited to our needs. The optimum mode for the User and Provider Data and Corporate Data storage is Galois/Counter Mode (GCM) with a 128-bit key.16 Counter mode (CTR), with its faster speed (due to parallelization), using a 256-bit key is our choice for our Off-site Backup storage. Our confidentiality policy applies to our remote workers’ laptops as well. All remote workers’ laptop hard drives will have full disk encryption (mitigation should they be stolen) and their USB and external drive ports will be disabled.17
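As an added illustration (my example, not part of the original paper or of any product it names), the encrypt-at-ingestion rule above in Go’s standard library: AES-128-GCM with the key id and record id bound as additional authenticated data, so a stored record cannot be altered or relabelled without the tag check failing. The record ids, key id and in-memory key are constructed for the demo; the central key store is assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"io"
)

// Envelope: stored form of one ePHI record (key id, nonce, ciphertext with GCM tag appended).
type Envelope struct {
	KeyID  uint32
	Nonce  []byte
	Sealed []byte
}

// newGCM builds an AES-GCM AEAD; a 16-byte key gives the AES-128 chosen above.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds key id and record id to the ciphertext so a record cannot be relabelled or swapped.
func aad(keyID uint32, recordID string) []byte {
	buf := make([]byte, 4)
	binary.BigEndian.PutUint32(buf, keyID)
	return append(buf, recordID...)
}

// sealRecord encrypts a record at the point of ingestion. keyID names the key
// in the central key store so records can be re-wrapped when a key is retired.
func sealRecord(key []byte, keyID uint32, recordID string, plaintext []byte) (Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh per record; must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	sealed := aead.Seal(nil, nonce, plaintext, aad(keyID, recordID))
	return Envelope{KeyID: keyID, Nonce: nonce, Sealed: sealed}, nil
}

// openRecord decrypts and verifies; any change to ciphertext, tag, nonce or identifiers makes Open fail.
func openRecord(key []byte, recordID string, env Envelope) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Sealed, aad(env.KeyID, recordID))
	if err != nil {
		return nil, fmt.Errorf("record %q failed authentication: %w", recordID, err)
	}
	return pt, nil
}

func main() {
	key := make([]byte, 16) // demo only; production keys come from the central key store
	io.ReadFull(rand.Reader, key)
	env, _ := sealRecord(key, 1, "member-0001", []byte("member 0001: claim 12 approved"))
	env.Sealed[0] ^= 0x01 // one flipped bit in storage
	_, err := openRecord(key, "member-0001", env)
	fmt.Println("tampered record rejected:", err != nil)
}
```

The same seal/open pattern fits the off-site backups; AES-CTR on its own produces no authentication tag, so a backup written in CTR mode needs a separate MAC over the ciphertext.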

Integrity and Authenticity


Data confidentiality is important but alone is not sufficient to secure our network and data. We must also be certain the data we send or receive has not been altered and that the data is from the actual sender: data authenticity.18,19 Simply stated, integrity means what is received is, literally, exactly what was transmitted, and authenticity is the assurance that an entity is who they claim to be and not an impersonator.
Hash functions and message authentication codes (MACs) are critical authenticity and integrity enablers and play key roles in our secure communications. There are two NIST-approved algorithms for generating and verifying message authentication codes, Hash-based Message Authentication Code (HMAC) and KECCAK Message Authentication Code (KMAC).20 Both are suitable, but HMAC is preferred because of its proven performance and sufficiency for our tasks. Also, KMAC is too new an implementation for my comfort level. HMAC is used or considered for all interfaces where data is exchanged, transported or communicated (with the exception of communications inside our firewalls with no external exposure). We use HMAC-SHA3-256, which is fast (enough), supports IPSec, doesn’t have collision issues like MD5 and is not susceptible to length extension attacks.21,22
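An added example (not from the original paper) of the HMAC tag-and-verify flow for an exchange that crosses the firewall, in Go’s standard library: the tag covers a canonical encoding of sender, sequence number, timestamp and body, and verification uses a constant-time compare plus freshness checks. It uses SHA-256 from crypto/sha256 in place of the SHA3-256 the paper selects, since the HMAC construction is identical and only the hash constructor changes; the key, sender name and messages are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Message is one unit exchanged over an interface that crosses the firewall. Seq and
// SentUnix are covered by the tag, so replayed or reordered messages fail like altered ones.
type Message struct {
	Sender   string
	Seq      uint64
	SentUnix int64
	Body     []byte
	Tag      []byte
}

// canonical serialises the tagged fields in a fixed, length-prefixed order so
// that shifting bytes between Sender and Body cannot yield the same MAC input.
func canonical(m Message) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, uint32(len(m.Sender)))
	b.WriteString(m.Sender)
	binary.Write(&b, binary.BigEndian, m.Seq)
	binary.Write(&b, binary.BigEndian, m.SentUnix)
	binary.Write(&b, binary.BigEndian, uint32(len(m.Body)))
	b.Write(m.Body)
	return b.Bytes()
}

// tag computes the HMAC over the canonical encoding with the per-interface key.
func tag(key []byte, m Message) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(canonical(m))
	return mac.Sum(nil)
}

func sign(key []byte, m Message) Message {
	m.Tag = tag(key, m)
	return m
}

// verify checks the tag in constant time (hmac.Equal), then enforces freshness:
// the timestamp must be within skew of now and Seq must exceed the last one seen.
func verify(key []byte, m Message, now time.Time, lastSeq uint64, skew time.Duration) error {
	if !hmac.Equal(m.Tag, tag(key, m)) {
		return errors.New("bad tag: message altered or not from the key holder")
	}
	if d := now.Sub(time.Unix(m.SentUnix, 0)); d > skew || d < -skew {
		return errors.New("stale or future-dated message")
	}
	if m.Seq <= lastSeq {
		return errors.New("replayed or out-of-order message")
	}
	return nil
}

func main() {
	key := []byte("demo key; production keys come from the central key store")
	now := time.Now()
	m := sign(key, Message{Sender: "claims-gw", Seq: 1, SentUnix: now.Unix(), Body: []byte("claim 12 approved")})
	fmt.Println("genuine:", verify(key, m, now, 0, 5*time.Minute))
	m.Body = []byte("claim 12 denied") // altered in transit; the tag no longer matches
	fmt.Println("altered:", verify(key, m, now, 0, 5*time.Minute))
}
```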

Non-cryptographic Controls
A strong security policy, with solid cryptographic controls, is a great start, but they alone are not sufficient.23 Non-cryptographic controls (physical and logical), and non-cryptographic hashes (like MurmurHash and SpookyHash where speed is at a premium), provide or enable the rest, dare I say the lion’s share, of our network security policy. Protecting our network is akin to protecting our house; we need to assess it from the outside looking in as well as from the inside looking out. And like home security, implementing these controls will affect network performance, add complexity and require money to implement.
First order of business is access control, controlling physical access to the network. Access to our main campus and off-site buildings must be controlled by manned security that physically checks each company-issued photo ID. All hardware (printers, scanners, external hard drives and monitors) will be tagged by the IT department and approved prior to connecting. Only company-approved mobile devices will be allowed on company premises. Remote workers will only use company-issued computers (properly tagged and inventoried). All users will have password-protected accounts. Only assigned and actively used ports and network drops will be active. All webcams will be disabled and covered. No outside software will be installed on company computers or network devices without approval by the IT department. The servers, firewalls, router and WAP will be TEMPEST compliant and located in the inner core of the building (no direct access to external walls) in rooms with no windows and solid-core steel doors to prevent leakage.24 The WAP output power will be regulated to reduce the probability that signals can be received outside the desired coverage area. Account generation for new employees, and revocation for former employees, will be managed by the IT department. Employee web access will be role-based and limited to work-specific URLs. The network will have a strong monitoring and Host Based Security System to prevent external attacks and to prevent encrypted information from bypassing content-checking mechanisms. Malicious code and spam detection mechanisms will be used and actively managed. Network administrators will periodically monitor the network to enforce our security policy and will have the ability to expeditiously disconnect or disable remote workers and turn off or disable the wireless network.
Every means should be pursued to increase our security, including confusing potential adversaries. Although it has the potential to complicate our network management, having a diverse network infrastructure, or heterogeneity, reduces the impact of potential exploits. To that end, server virtualization, partitioning and network segmentation will be employed on all applicable devices.

Assured Data Exchange


Another important security aspect is having secure and authenticated data exchange and communication within our network and with our off-site employees, customers and providers (who interact with our network via the Internet). The Internet presents the greatest threat vector to our customer and company data. It provides the opportunity for access and therefore requires the greatest security. We will use HTTPS for communications with our customers and providers. HTTPS provides encryption (SSL), authentication (you are communicating with the server you think you are) and protection against man-in-the-middle attacks.25 HTTPS does a very good job of keeping data safe on the network to its destination; however, it does not protect against database leaks or Cross Site Scripting (XSS).26 For that reason our remote workers connect to the network via our VPN (with IPSec), which extends our secure company network across the Internet to their desktop.27 We have a strong password policy which is enforced and applicable to all users who touch our network. Random password spot checks will be conducted to ensure compliance.
Compared to our other users, our corporate LAN is fairly well protected behind two firewalls, which allows for the use of symmetric-key protocols like Kerberos. Kerberos provides strong authentication for our client/server applications using symmetric-key cryptography. It is a free open standard that provides mutual authentication, supports authentication delegation and is relatively fast. Kerberos, through a series of handshakes and exchanges between the user, the target server and the Key Distribution Center (KDC), which houses the Authentication Service (AS) and the Ticket Granting Service (TGS), enables the user to access multiple services, for a specific time period, using a single sign-on.28 Kerberos provides confidentiality and integrity of information: user passwords are never exchanged unencrypted.
We need Kerberos, and integrating a Kerberos server into our network would be straightforward. Our network runs Windows OS and Kerberos has been the default authentication protocol since Win2K, so it would simply be a matter of configuration and settings.29 The KDC would be implemented as a domain service and use Active Directory as its account database, residing on the Windows Domain Controller.
The KDC stores all user keys, and there would be dire consequences if they were stolen. We would need to beef up security and ensure access to the server is tightly controlled. If we implement Kerberos on our network it needs to be supported throughout, meaning all client and server applications must be Kerberos compliant. We also need to add a backup Domain Controller in the event we lose our primary DC, because we will need to be able to generate new keys.30

PKI
Identity and authorization management (IAM) applications and encryption are generally considered two of the more important enablers of a layered security environment.31 Public Key Infrastructure (PKI) is a powerful tool for providing trusted encrypted communications between two entities. We will leverage PKI to help control access to our network with 802.1X authentication, protect user data with encryption, secure network traffic with IPSec, support two-factor authentication with smart cards, implement secure email and electronic document signatures, and protect traffic to internal websites.32,33
In order to achieve the highest acceptable level of security, we will use both publicly issued and self-issued certificates, with the public issuer being a large established Certificate Authority (CA) like VeriSign.34 Key management is of paramount importance. Our IT department will manage our self-issued keys and will be responsible for their issuance, distribution and revocation. The CA for our publicly issued keys will manage the issuance and renewal of its keys. Keys will be valid for periods no greater than one year. Keys that are no longer required (employee leaves, retires or is fired) will be revoked immediately and posted to the CRL. Protecting keys requires additional controls to restrict their misuse, misconfiguration or compromise.35 Root and sub-root keys will be rigorously protected and stored in secure off-line locations. Adopting PKI is not without its risks; keys may get stolen or compromised and it is susceptible to mathematical attack. Even though implementing and integrating PKI into our architecture is complicated and expensive, in our case, as a health insurance company responsible for our customers’ ePHI, the hassles and expenses are worth it.

Employee Training
We can have the best cryptographic tools running the top encryption algorithms on the best hardware on the market, but that won’t matter a lick if our employees are ignorant of network security or lack proper, and persistent, training. Employees are an easy access point for cyber-attacks, be it malware insertion, phishing or simple intrusion.36 Employees are also our greatest assets. Ethical behavior and professionalism are key tenets of our training program. Our cyber training must be a priority, starting the day an employee comes aboard and continuing all the way through to their exit briefing. The industry is in a state of continuous evolution; yesterday’s security training will not protect us from tomorrow’s threat. Our training has to do better than keep pace. Our employees are our first line of defense and must be armed with the latest information. An adequately funded and prioritized training department is vital to that end.
Conclusion

You should look at our cyber security as health insurance for our network and the required budget as the premium for top-of-the-line coverage. Because the return on investment is not immediately realized, it’s easy not to appreciate it, but to do so puts our company at peril. The cyber world is a highly toxic and contagious environment. We need to ensure we are properly armed and protected to operate in it. An adequate budget is the first step. We are not looking for gold plating but rather sufficiency – slightly better than good enough. We need a budget that will provide the proper cryptographic mechanisms, hardware, tools, encryption, protocols, top-of-the-industry IT staff and a rock-solid training department. That first step is great, but our long-term success and viability as a company that provides excellent service while safeguarding our customers’ data ultimately depends on and requires your support and endorsement. Without your ethical and professional leadership and buy-in, the balance is tipped to favor the attackers. Keeping our network secure and protecting our company and customer data is a 24/7 effort. If we fail to provide that protection we put our customers’ data in peril and our viability as a trusted provider at risk, and we open ourselves to attacks, data loss and erosion of our customers’ confidence in our ability to safeguard their ePHI.
References

1. Volz, D. (2017, 15 March). U.S. Authorities Charge Russian Spies, Hackers in Huge Yahoo
Hack. Retrieved from https://www.reuters.com/article/us-yahoo-hack-indictments-fsb/

2. Thomson, I. (2017, 16 August). NotPetya Ransomware Attack Cost Us $300M – Shipping Giant Maersk. Retrieved from https://www.theregister.co.uk/2017/08/16/

3. Romanosky, S. (2016, 08 August). Examining the costs and causes of cyber incidents. Journal
of Cybersecurity. 2, 2, 121-135, https://doi.org/10.1093/cybsec/tyw001

4. California Department of Health Care Services. (n.d.). Health Insurance Portability and Accountability Act. Retrieved from http://www.dhcs.ca.gov/formsandpubs/laws/hipaa/Pages/1.00WhatisHIPAA.aspx

5. Rouse, M. (n.d.). Confidentiality, Integrity and Availability (CIA Triad). Retrieved from
http://whatis.techtarget.com/definition

6. U.S. Department of Health & Human Services. (n.d.). The HIPAA Security Rule. Retrieved
from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

7. U.S. Department of Health & Human Services. (n.d.). The HIPAA Enforcement Rule.
Retrieved from https://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-
rule/index.html

8. U.S. Department of Health & Human Services. (n.d.). Omnibus HIPAA Rulemaking.
Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-
regulation-text/omnibus-hipaa-rulemaking/index.html

9. Scarfone, K., et al. (n.d.). Guide to Storage Encryption Technologies for End User Devices. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-111.pdf

10. U.S. Department of Health & Human Services. (n.d.). Guidance to Render Unsecured
Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized
Individuals. Retrieved from https://www.hhs.gov/hipaa/for-professionals/breach-
notification/guidance/index.html

11. American Hospital Association. (n.d.). HIPAA Security FAQs. Retrieved from
http://www.aha.org/content/00-10/cmssecurityFAQ81704.pdf

12. Haigh, D. (n.d.). CSOL-510 Project 1 Template. Retrieved from https://ole.sandiego.edu/webapps/blackboard/content/listContent.jsp?course_id=_50264_1&content_id=_1035007_1template
13. U.S. Department of Health & Human Services. (2003, February 20) 45 CFR Parts 160, 162,
and 164 Health Insurance Reform: Security Standards; Final Rule. Retrieved from
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/securityrule
pdf.pdf?language=es

14. HIPAA 164.316. (n.d.). Retrieved from http://www.hipaasurvivalguide.com/hipaa-regulations/164-316.php

15. NIST. (2017, July 11). Update to Current Use and Deprecation of TDEA. Retrieved from https://beta.csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA

16. Dworkin, M., NIST. (2007, November). Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf

17. HIPAA Compliance and Laptops 11 Things You Should Know. (2016, May 24). Retrieved
from http://hipaapoliciesandprocedures.com/blog/entry/hipaa-compliance-and-laptops-11-things-
you-should-know.

18. Adams, C. (2002, November 16). Understanding PKI: Concepts, Standards, and Deployment
Considerations. Macmillan.

19. Cobb, M. (n.d.). How MAC and HMAC use hash function encryption for authentication.
Retrieved from http://searchsecurity.techtarget.com/answer/

20. NIST. (n.d.). Message Authentication Codes. Retrieved from https://csrc.nist.gov/Projects

21. Leyden, J. (2014, November 5). Crypto collision used to hijack Windows Update goes
mainstream. Retrieved from https://www.theregister.co.uk/2014/11/05/

22. NIST, (2015, August 5). NIST Releases SHA-3 Cryptographic Hash Standard. Retrieved
from https://www.nist.gov/news-events/news/2015/08/

23. Howlett, T. (2009, February 23). The Importance of a Cryptographic Controls Policy.
Retrieved from http://windowsitpro.com/security/

24. SANS. (n.d.). An Introduction to TEMPEST. Retrieved from https://www.sans.org/reading-room/whitepapers/privacy

2. Heaton, R. (2014, 27 March). How does HTTPS actually work? Retrieved from https://robertheaton.com/

25. Podjarny, G. (2017, 08 June). XSS Attacks: The Next Wave. Retrieved from https://snyk.io/blog
26. Bradley, T. (2017, 07 September). VPN’s: IPSec vs. SSL. Retrieved from
https://www.lifewire.com/

27. Columbus, L. (2001, 06 August). Kerberos Security in Windows XP. Retrieved from
http://www.informit.com/articles/
28. Walla, M. (2000, May). Kerberos Explained. Retrieved from https://msdn.microsoft.com/en-us/library/

29. Clercq, J. (2007, 25 March). Comparing Windows Kerberos and NTLM Authentication
Protocols. Retrieved from http://windowsitpro.com/security

30. MIT. (n.d.) 7.1 Backing Up the Kerberos Database. Retrieved from
https://web.mit.edu/Kerberos/

31. Lawton, S. (2015, 17 March). Introduction To Public Key Infrastructure (PKI). Retrieved from http://www.tomsitpro.com/articles/

32. Finjan. (2017, 19 June). What is Public Key Infrastructure (PKI) and How is it Used in Cybersecurity. Retrieved from https://blog.finjan.com/

33. Code Solutions. (n.d.). Introduction to PKI. Retrieved from cca.gov.in/cca/?q=gnfc.html

34. Dublin, J. (n.d.). Choosing from the top PKI products and vendors. Retrieved from
http://searchsecurity.techtarget.com

35. Microsoft Corp. (n.d.). Cryptography and Microsoft Public Key Infrastructure. Retrieved
from https://technet.microsoft.com/en-us/library/dd277320.aspx

36. Glover, G. (n.d.). Wireless Access Point Protection: Finding Rogue Wi-Fi Networks. Retrieved from http://blog.securitymetrics.com/2016/03/wireless-access-point-protection.html
