New Year, Same Challenges

If you are reading this blog post, you have survived 2016. By most accounts, it was a rough year with regard to the state of security in healthcare, and cyber attacks were no exception to that assessment. We saw the announcements of some of the biggest breaches in history, the continued proliferation of ransomware, and even the recent reports that Russia was meddling in U.S. politics through attacks on IT security.

Let us, as a collective, decide to do better this year. Most of the atrocious breaches and other IT security-related incidents could have been avoided if we had been smarter about our security hygiene. Security starts with the basics, and that is where we need to return this year.

Back to the Basics

Before we start to spend boatloads of money on new security solutions, like new software and hardware, we should look at what is currently in place and identify how it can be more effectively implemented and/or better protected. For example, I perform penetration testing and security assessments almost every working day. Oftentimes, I find simple mistakes that could easily lead to compromising sensitive data. Most of these issues are directly related to missing patches or, even worse, using end-of-life (EOL) and deprecated software.

Can you answer these questions confidently?

  • When was the last time you did a vulnerability scan on your network?
  • How many findings were there?
  • How many of those would still be there if another scan were run today?

Obviously, the above are rhetorical questions, and I don’t expect a deluge of emails answering them. However, I am curious as to how you might answer these questions.

Furthermore, if you were to conduct a new scan, would that scan have results similar to the previous scan? If so, you are not alone … almost everyone is in that same boat. But why is this? The immediate answer is that it is too easy to put things off, wait for a new system to replace the vulnerable one, or ignore fixes due to lack of time. Unfortunately, this is the pervasive attitude, and it is time for a change.
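One way to put numbers on those three questions is to compare successive scan exports and age every finding that keeps coming back. The following is an added example, not part of the original post; the scan data is constructed, and the host,port,finding CSV layout and the function names are assumptions rather than any scanner's real export format.

```python
import csv
import io
from datetime import date

# Constructed sample data: one export per scan date, in a generic
# host,port,finding CSV layout (an assumption, not a real scanner format).
SCANS = {
    date(2016, 6, 1): """host,port,finding
10.0.0.5,443,TLS 1.0 accepted
10.0.0.5,443,SSLv3 accepted
10.0.0.9,445,Missing OS patch
10.0.0.12,80,EOL web server
""",
    date(2016, 10, 1): """host,port,finding
10.0.0.5,443,TLS 1.0 accepted
10.0.0.9,445,Missing OS patch
10.0.0.12,80,EOL web server
""",
    date(2017, 1, 15): """host,port,finding
10.0.0.5,443,TLS 1.0 accepted
10.0.0.12,80,EOL web server
10.0.0.20,22,Missing OS patch
""",
}

def load(text):
    """Parse one export into a set of (host, port, finding) keys."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["host"], int(r["port"]), r["finding"]) for r in rows}

def scan_delta(scans):
    """Compare the latest scan with its predecessor and age what persists."""
    dates = sorted(scans)
    if len(dates) < 2:
        raise ValueError("need at least two scans to compare")
    sets = [load(scans[d]) for d in dates]
    latest, previous = sets[-1], sets[-2]
    persisting = {}
    for finding in latest & previous:
        i = len(sets) - 1
        # Walk back while the finding was present in each earlier scan.
        while i > 0 and finding in sets[i - 1]:
            i -= 1
        persisting[finding] = (dates[-1] - dates[i]).days  # days left open
    return {"fixed": previous - latest, "new": latest - previous, "persisting": persisting}

if __name__ == "__main__":
    for finding, age in sorted(scan_delta(SCANS)["persisting"].items()):
        print(f"open {age} days: {finding}")
```

Findings that appear in the persisting set with a large age are the ones that were put off, which is the backlog the post argues should be worked before buying anything new.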

How to Adjust

One of the single greatest security improvements that we could make is to address the security concerns that already exist today and make better use of what we already have in place. Before you start blowing the seemingly endless 2017 budget on bigger and better analytics or a rack-mounted box of silicon and aluminum that promises to save the day through security black magic, consider your own house first. How long ago did you intend to have all the EOL systems off the corporate network? Are you still accepting TLS version 1.0, or worse yet, any version of SSL? These are just a few of the examples that I see most often.

I also propose that we set initiatives, and follow through on them, to shore up old systems. For example, what if the firewalls, database, or system is due to be replaced this year? Attackers are not looking for issues to exploit next month or even tomorrow; rather, they are looking for these types of cracks in the perimeter. I am by no means suggesting that you should halt improvements and upgrades. Instead, I am suggesting that a planned replacement should not be used as an excuse to ignore vulnerabilities that reside on the network right now.

What Can We Do?

What we once thought of as a wall around our network is now more of a porous mesh that lets almost anything through. We let users bring in their own mobile phones, connect them to corporate email, and trust they won’t allow their device to be compromised. We have all opened countless ingress and egress points in our once solid walls to allow cloud-based services to be accessed, allow our users to access the web, and allow external devices (BYOD and contractor provided) to access the internal network. This is the new face of security and should not be ignored. Our attack surfaces are growing exponentially every day, and new fixes will not make a difference if we ignore the issues we already know about.

I suggest stepping back to evaluate all the security vulnerabilities that were pushed to the back burner last year and asking how many could be the root cause of an upcoming incident. Then address, reassess, and prioritize the available resources that can help remediate threats. Approach the here and now and plan for the future, but don’t rely on the future as a fix for all the vulnerabilities that are present in this moment. It is also important to remember that business should continue as usual during this process and that CynergisTek has resources that can help you with that assessment.

January 19th, 2017

About the Author:

John Nye is Vice President of Cybersecurity Strategy for CynergisTek and has spent the majority of the last decade working in Information Security, half that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye’s specialties include wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).