Information Security Strategy Meets Tactical Execution.

Blog

#NOFUD

Over the past couple of weeks, nearly all the conversations I’ve had were related in some way to SolarWinds – except one.  A friend of mine called, and, as in previous conversations I’d had that day, I dove into the impact and potential impact to supply chain, etc.  After a second of silence he said, “What are you talking about?!”  For those within the security and IT fields, across industries, both public and private, it’s been a harrowing couple of weeks. For those on the outside, it has dropped from the news-cycle and life goes on.

Reflecting on those countless discussions, it became clear that fear, uncertainty, and doubt were the drivers.  Why?  We all know that fear isn’t actually a motivator; in fact, it’s the opposite.  It leaves one in a constant state of anxiety, which can easily lead to paralysis.  Unfortunately, we see fear used everywhere in our industry.  Companies use it to express the dangers of clicking on phishing emails or sharing information internally.   Product companies use fear in their marketing and sales pitches to try to get prospects to buy.  Consultants use fear in their reports in an effort to get clients to remediate findings.  Even password requirements rely on fear in their many demands.

Can this latest discovery serve as a wakeup call?  Is there a better way to communicate to those outside our realm, including within our organization? Or is this just confirmation – “See I told you so!”  How can we as an industry do better?  How can we help our organizations by truly understanding what their goals are? How can we help to drive our organizations and stop being just the gatekeepers?

Understanding Goals

Those responsible for security, both strategic and tactical, must make it the core of their job to fully understand and embrace their organization’s strategy, vision, operation, functions, and culture.  Without an in-depth understanding, one cannot create and execute a security strategy; rather, it becomes a checklist of controls.

Be a Leader, Provide Guidance

Leverage that organizational understanding and provide resources.  Instead of only issuing statements of policy, get in the trenches and work alongside the business units: provide real training and skills that help them do their jobs.  Those in security are excellent at problem-solving and at identifying opportunities that are often overlooked, and you will likely learn more about your organization and improve the strategy and tactics within your program.  The modus operandi should be onboarding everyone onto the security team; a focus on building relationships based on mutual understanding is the key.  Regardless of the organization chart, security should be in a position of leadership rather than a forced obstacle.

Remove Obstacles

Does everyone want to work with you and your team?  What is your reputation?  Is fear your driver?  Do you bring more than “No” to the table?  Perception is reality.  If fear is the driver and an authoritarian stance is the posture, should we be surprised when people move away from pain?  Security is a people problem and always will be.  We must be in a position of cooperation, providing solutions.  We must really understand our impact, both day-to-day and long-term.  That doesn’t mean we shy away from making hard or unpopular decisions.  It means we are holistically diligent, partnering for their goals, not ours.

In the end, how can the security function move from the myopic goal of protection to that of an enabler that protects?  Let’s be known for making the needs of the organization happen and support its success through understanding, diligence, communication, and teamwork.  #NOFUD

  

OCTELLIENT - Our mission: simplify information security. With a Business First approach, we want to help you and your organization get to your core priorities and make the most of your infosec investments.  Our goal is to be your side-by-side partner, working together to navigate a tailored infosec strategy and bring expert advice to your toughest challenges.

Ask us about Propulsion, Deepwater, and the 8-point Dossier

info@octellient.com

www.octellient.com

Chris Cathers
Incident Response = Measured Response

What a week it has been! You have seen news related to incidents at FireEye, several Federal entities, and SolarWinds. We have seen some great work come out of FireEye and guidance from the Cybersecurity & Infrastructure Security Agency (CISA); without doubt, there is much more to come.

When we see incidents like this, we immediately look to see what our exposure is; are we possibly affected? But after that, what can we learn? How can we improve?

We are witnessing good communication and coordinated effort among many private organizations and public agencies. In the case of FireEye we have seen the priceless result of a methodical response to a suspected event. They demonstrated how gathering information and conducting an investigation are critical to a successful response. What they may not have expected going in was that their investigation would become the key to a much larger global incident with serious national security impact.

A measured response, one focused on gathering information rather than on panicked containment and eradication, will yield the best results. We need information to understand the full scope of what was lost and how controls were bypassed. With good information we can make good decisions about what to contain and eradicate. Without it, we will have contained only an acute symptom and given ourselves a false sense of success.

Some good examples of what not to rush into during a response were outlined by CISA in September of this year (Alert AA20-245A). Let’s use some of these take-aways to examine our response plans:

• Mitigating the affected systems too soon, allowing the adversary to change tactics, techniques, and procedures (TTPs)

• Touching the adversary’s infrastructure, tipping them off that they have been detected

• Preemptively blocking adversary infrastructure: they can pivot to new infrastructure and you lose visibility

• Preemptive password resets. It is likely the adversary holds multiple credentials and will simply use another one, costing you visibility

• Failure to preserve or collect log data. If logs are not retained for a sufficient length of time, key information can be lost. Retain logs for at least one year.

• Communicating over the same network the adversary is on. Ensure all incident communication is out-of-band

• Only fixing symptoms. Get to the root cause; don’t play whack-a-mole and allow the adversary to change tactics and retain access to the network.

Simply put: Don’t Trample, Preserve! We have all seen some sort of detective mystery in the movies and on TV; none of the investigators wanders aimlessly through the crime scene, and they don’t immediately chase after someone to arrest. They follow a calm, measured methodology and focus on gathering evidence. The same goes for us in security: tread lightly so that you can fully and confidently contain, eradicate, and recover from the incident.
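The “preserve, don’t trample” point above, as an added example that is not part of the original post or of CISA’s alert: a small Python script that hashes log files into a signed-off manifest before anyone touches the host, and later re-verifies them so that any later “clean-up” is detectable. The case identifier, collector name, file names and log lines are constructed for the demo and correspond to no real incident.

```python
"""Added example: preserve log evidence with a hashed manifest before containment.

Illustrative code, not Octellient's or CISA's tooling. The case id, collector,
file names and log lines below are constructed for the demo.
"""
import datetime as dt
import hashlib
import json
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, case_id: str, collector: str) -> dict:
    """Record size, mtime and SHA-256 of each file at collection time.

    Read-only: nothing here modifies the evidence. The mtime is captured
    before hashing so the record reflects the file as it was found.
    """
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "size": st.st_size,
            "mtime_utc": dt.datetime.fromtimestamp(st.st_mtime, dt.timezone.utc).isoformat(),
            "sha256": sha256_file(p),
        })
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": dt.datetime.now(dt.timezone.utc).isoformat(),
        "entries": entries,
    }


def verify_manifest(manifest: dict) -> list:
    """Re-hash every file; return the paths whose content no longer matches."""
    bad = []
    for e in manifest["entries"]:
        if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]:
            bad.append(e["path"])
    return bad


# Constructed sample log lines (assumption: not from any real system).
SAMPLE_LOGS = {
    "auth.log": "Dec 14 02:13:07 host sshd[4412]: Accepted publickey for svc-backup from 10.0.8.21\n",
    "proxy.log": "2020-12-14T02:14:55Z 10.0.8.21 CONNECT updates.example.invalid:443 200\n",
}


def demo() -> tuple:
    """Write the sample logs, build a manifest, then tamper with one file and re-verify.

    Returns (mismatches right after collection, mismatches after tampering):
    expected ([], ["auth.log"]).
    """
    work = tempfile.mkdtemp(prefix="evidence-")
    paths = []
    for name, text in SAMPLE_LOGS.items():
        p = os.path.join(work, name)
        with open(p, "w") as fh:
            fh.write(text)
        paths.append(p)
    manifest = build_manifest(paths, case_id="IR-EXAMPLE-001",
                              collector="analyst@example.invalid")
    with open(os.path.join(work, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)  # store the manifest off-host in practice
    before = verify_manifest(manifest)
    # Simulate someone "cleaning up" the host: a line is appended to auth.log.
    with open(paths[0], "a") as fh:
        fh.write("Dec 14 09:00:00 host sshd[9001]: Server listening on 0.0.0.0 port 22.\n")
    after = [os.path.basename(p) for p in verify_manifest(manifest)]
    return before, after


if __name__ == "__main__":
    print(demo())
```

In practice the manifest (and a copy of the files) would be written to storage the adversary cannot reach, and the manifest itself signed or hashed into the case notes; the point is that hashing happens before any mitigation, so the state of the evidence at discovery is provable later.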

Reference: us-cert.cisa.gov - Alert (AA20-245A) Technical Approaches to Uncovering and Remediating Malicious Activity

Security Starts with a Conversation: Don’t go this alone. Reach out to have a conversation about your incident response policies, processes, and procedures. Remember, every organization has something worth protecting.

Chris Cathers
What Have We Learned?

About nine months ago, nearly overnight, many businesses found themselves with workforces that needed to work entirely remotely.  We saw long-established, phased pandemic response plans give way almost immediately to full economic shutdown.  Those who turned to the business continuity plan on the shelf quickly found that the plan and its supporting technologies were inadequate for the situation at hand.

How to start from here?

We have all lived the near-total disruption we call 2020.  Hopefully we have learned a lot about what works, what doesn’t, what’s needed, and what’s not.  Now is a great time to critically evaluate our Business Impact Analysis (BIA) methodology and results and correct them with our newly learned lessons.  Effective continuity plans start with a thorough and accurate BIA; without this projection of the impact of a disruption, we cannot determine what contingencies are needed.

The Plans

The plan is to keep on keepin’ on in a worst-case scenario.  The good news is that we now have first-hand experience.  No doubt all of us saw our co-workers step up, figure things out, and make things happen.  Let’s reflect on this experience, form a future strategy, and document it.  Update the plans and bring everyone into the process; make it a goal that everyone is more capable in the next event.

Is there more or different technology in use today than nine months ago?  Are these solutions disaster-ready?  We cannot assume that because we are already operating in a disaster scenario, a different disaster can’t or won’t occur.  We are running on what we are running; what happens if another disaster hits?  Can we recover the new technology that has become critical to the operation during this current disaster?  Review the updated BIA, carefully examine the new objectives and new assets, and ask: can we support this from here?  Bring the business in and discuss the need for further investment and actual testing.  We must all accept that much of what we see from where we stand now will remain “normal” and must be recoverable in our more typical disaster scenarios.

The Reality

Let’s look at the restaurant industry.  They have needed to shift gears a number of times.  Many, early in the pandemic, adjusted menus and staffing and moved to a takeout model; others closed for good.  For the ones that remained open, did they have a plan, or at the very least create one on the fly?  Did the ones that closed not have a plan?  Some couldn’t make the pivot on the fly and were unable to make it for one reason or another.  Others seemingly figured out a way to make it work almost overnight.  Still others were ready for the change.  I use this to illustrate that a crisis requires us to think differently.  If we do some of that critical thinking ahead of time, we are more likely to continue in operation.

The reality is that threats to our operation abound, and those threats don’t care if we are dealing with one already. Having a good understanding of our operation, capabilities, and options will make all the difference in a critical situation. Are we convinced that it isn’t about if, but rather when?  Let’s commit to documenting our recent experiences, gain greater input from others, brainstorm on the “that won’t happen”, reserve time to train, and conduct real-life tests.  Let’s build resiliency through alignment -- alignment of team, mission, and capability.

Chris Cathers
Everyone is in Security!

How many people are tasked with security in your organization? Hopefully, you can say “everyone!” Each member of every organization has a part to play. Security needs to be a key objective for everyone involved. It’s the DNA, “the way things are done around here”, “the key to holding our client’s trust”...no matter how you say it, security needs to be baked in, a part of the fabric.

Security is about culture, and culture is built top-down. Most organizations have an Information Security Officer (ISO) under some title, who leads the charge against cyber-this and cyber-that. This person’s mission is to execute a program and lead a team tasked with a massive scope that ranges from protection and detection to recovery and continuity; it is an “always on” and “better be ready” environment of expectation. This demand keeps ISOs and their teams hopping: evaluating new technologies, managing compliance, monitoring identity and access, identifying vulnerabilities, reporting risks, and developing the best strategies to deliver for tomorrow. However, the most important component is executing an effective awareness and training program for the organization. The ISO can’t do it alone.

Culture is about all hands; everyone participates. The ISO should take the lead by being proactive in the C-suite, seeking to build a positive security culture one chief at a time. As the one who is often the “glue” of the entire organization, the COO can be the best place to start. The COO’s perspective and understanding of the interdependent relationships within the organization can be invaluable to weaving security into its fabric. Without key C-level alliances, ISOs will struggle to align their programs with business outcomes, and a culture of security cannot develop. Security is bred from awareness, defined as the state of being conscious of something. More specifically, it is the ability to know and perceive, to feel, or to be cognizant of events. Having advocates for security at the top, driving proactive, persistent and positive interactions, will help shape and change culture.  Focused security leadership brings everyone into the security team!

 

Chris Cathers
You Started a Business During a Global Pandemic?!?

Sun-Tzu said “in the midst of chaos, there is also opportunity.” With all of our lives turned up, down, and all-around, we have come to know it simply as 2020.  With massive change in the way we work, shop, recreate, and associate – why not more change? Some may look at 2020 as only disruption and even destruction. Without question, many have experienced much pain and heartache.  But, is there anything positive that can come from it?  With so much change, embracing the change might just be the way to go. Why not change perspective and control what can be controlled? I decided to adjust my outlook and make change that I wanted to happen – positive change.

Like many of us, I have spent my career implementing other people’s ideas.  Being in sales, you have to make those ideas your own to some extent, but I really wanted to own it.  I wanted the challenge of bringing forth an idea and seeing if I could make it grow – the full cycle: live or die.  I enjoy solving puzzles, taking a problem and changing perspective as a way to move forward, and I enjoy helping people to achieve their goals.  I often reflect on when I played baseball.  I played catcher and I always thought of it as the best position on the field.  As catcher, I could significantly influence game play and outcomes.  The biggest impact wasn’t how well I caught the ball or how alert I was, but the influence I could have on the rest of my team.  The collaboration with the pitcher, the communication with the basemen, the more I engaged my teammates with positivity and confidence, the better we all played.  I loved winning and losing with my team.  I wanted my children to have those same types of experiences – to feel that positive charge, win or lose.  So, I made time to coach and I’m glad I did; being with them by their side as they grew.  They faced challenges and defeat, built relationships, and built confidence – those were the real wins.  I was so happy to have been part of the process – providing guidance and experience – being part of the team with a positive outcome.

Professionally, I was happiest when I was able to be part of my client’s process, on their “team” to bring a positive outcome.  We started Octellient with exactly that mindset.  We want to be part of the team, side-by-side, working together to build positive outcomes.  The world of information security is often chaotic.  It seems at times we are wandering aimlessly, that we are going from one thing to the next without making forward progress.  Business is changing ever faster, demands are increasing, seemingly there is no time to breathe, and the world is on our shoulders.  Perhaps it’s time to take a breath, re-group, and focus on the potential for opportunity.  As my good friend John Gamades recently wrote in a blog post, maybe it’s time for some “imagination”.  Can we imagine forward progression?  Can we imagine a positive outcome from chaos?  I can.  We need to build our confidence by accepting where we are today and taking advantage of the chaos, the definition of resilient.  How can we take the advantage?  We need to employ our imagination to bring a new mindset to the table, a strategy to get from here to there.  Just like when we were down 4-2, it’s time to go to the mound and chat – it’s time to partner and rally.

 

Chris Cathers
The Future of Connected Devices

Without a doubt connected devices have become part of our lives and will only continue to proliferate in the future.  To illustrate, note these predictions:

  • 63 million American homes will qualify as “Smart Homes” by 2022. This includes internet-connected devices such as: thermostats, lightbulbs, security systems, appliances, and the like. –BergInsight

  • The number of connected devices will increase to 125 billion by 2030, meaning every consumer will own around 15 connected devices. – MTA

  • 70% of light-duty vehicles and trucks will be connected to the internet by 2023. – Statista

  • 5G will reach 45% of the world’s population by the end of 2024, enabling instantaneous connectivity for billions of devices. – Ericsson

  • By 2023, an emerging digital infrastructure ecosystem will be the underlying platform for all IT and business automation initiatives anywhere and everywhere. – IDC

As these devices are installed, our behaviors will evolve, and so will those of cyber criminals.  As we become more dependent on these interconnected devices, the type and amount of data we produce will be unimaginable.  It will continue to push against the margins of privacy and security.  Starting now, we must, more than ever, #becybersmart.  This means we need to think about which devices we are connecting and how we are using them.  It means that we all play a part in our privacy and our security.  We have to actively participate in building a culture that is aware and purposeful about how we build and use the technology of tomorrow.  Security starts today.

Chris Cathers
Medical Device Security Risk Management: One size does not fit all

Guest post by William Scandrett

It’s no secret that healthcare organizations have been plagued by the explosion of medical device security issues and have been left wondering how best to protect their organizations and patients while fending off accusations of acting as a barrier to top-quality care. Worse yet, healthcare security teams are expected to protect the organization from 100% of the threats that can affect medical devices without causing any disruption to care (or to the devices themselves), and to scan or patch these devices in a 24/7, always-on medical facility. So what are healthcare security teams to do? How can we balance security risks against the risk of disrupting patient care, or even worse, of patient harm? How can we build repeatable and reliable programs that remediate security vulnerabilities effectively and safely? The approach we’ve taken at Allina Health is that one size may not fit all.

The primary issue as we see it is that certain medical devices have been in use for quite some time. Although there are great medical device manufacturers out there that are security-minded and build devices that can be updated and easily maintained, the simple fact is that many devices in regular use in a care facility have been in service for years and are expensive and disruptive to replace with more easily updatable models. Furthermore, medical devices have a much longer go-to-market timeline than most consumer devices, because clinical requirements and approval processes must be satisfied before a device is qualified for use as a medical product. This poses an additional problem: the technology used in initial development is often out of date by the time a device reaches the sales cycle. So healthcare security teams are left holding a hodgepodge of devices with different security profiles, tasked with keeping everyone safe.

So if we can’t develop a one-size-fits-all program to manage this issue, why not borrow from our friends in risk management?

The construction and nature of any particular device gives it an inherent security profile. It may perform a critical life-saving function or it may only provide a non-invasive diagnostic. It may process and contain loads of PHI or it may only provide real-time monitoring data that is never recorded. Perhaps it is hosted with a cloud-based repository, or perhaps it only holds one record at a time in a “single-use” fashion. Whatever the case may be, we can apply logic to these risk profiles to determine the method of triage we use. In high-risk scenarios, we might fully quarantine devices that are extremely risky and cannot be updated or patched due to archaic construction or contractual warranty issues. For devices that perform critical functions and cannot be scanned for fear of device malfunction or failure, we apply a medium-risk approach and only scan during off-hours or when devices can be pulled out of clinical rotation for general maintenance. Low-risk devices can be scanned at any time, as patient-harm implications are virtually non-existent. And it doesn’t stop there. We can also leverage network-layer controls (whitelisting, strict firewalls, east/west IPS) combined with logging (SIEM, etc.) and behavior analysis to provide a more complete risk picture, especially when patching and vulnerability scanning aren’t possible.
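To make the tiering concrete, here is an added example (not Allina Health’s or Octellient’s code) that encodes the three-tier triage described above as a decision function and attaches the compensating network and monitoring controls the paragraph lists. The device attributes, the exact tier rules and the sample inventory are assumptions chosen for illustration; a real program would derive them from the organization’s own risk assessment.

```python
"""Added example: three-tier triage for medical device vulnerability handling.

Illustrative only. The attributes, tier rules and inventory are assumptions
made for this example, not Allina Health's or any vendor's actual scheme.
"""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    HIGH = "high"      # quarantine; cannot be fixed in place
    MEDIUM = "medium"  # handle only outside clinical rotation
    LOW = "low"        # routine scanning and patching


@dataclass(frozen=True)
class Device:
    name: str
    life_critical: bool   # a malfunction could directly harm a patient
    stores_phi: bool      # retains protected health information
    patchable: bool       # vendor ships updates and the warranty permits them
    scan_safe: bool       # vendor confirmed active scanning will not disturb it


def classify(d: Device) -> Tier:
    """Derive the tier from the device's inherent profile.

    Unpatchable devices that could harm a patient or that hold PHI are HIGH.
    Anything life-critical, or anything that cannot be scanned safely, is
    MEDIUM. Everything else is LOW.
    """
    if not d.patchable and (d.life_critical or d.stores_phi):
        return Tier.HIGH
    if d.life_critical or not d.scan_safe:
        return Tier.MEDIUM
    return Tier.LOW


# Tier -> handling actions (assumed wording; adapt to local policy).
ACTIONS = {
    Tier.HIGH: {
        "scan": "never (passive discovery only)",
        "patch": "vendor-coordinated or replace",
        "network": "quarantine VLAN, whitelisted peers only, east/west IPS",
    },
    Tier.MEDIUM: {
        "scan": "off-hours or when pulled from clinical rotation",
        "patch": "scheduled maintenance window",
        "network": "segmented, strict firewall rules",
    },
    Tier.LOW: {
        "scan": "any time",
        "patch": "normal cycle",
        "network": "standard clinical segment",
    },
}


def policy(d: Device) -> dict:
    """Return the handling policy for one device, with compensating controls."""
    tier = classify(d)
    result = {"device": d.name, "tier": tier.value, **ACTIONS[tier]}
    compensating = ["SIEM logging"]           # every tier feeds the SIEM
    if not d.patchable:
        compensating.append("behavior analysis of device traffic")
    if d.stores_phi:
        compensating.append("whitelist the systems allowed to reach it")
    result["compensating"] = compensating
    return result


def triage(inventory) -> list:
    """Policies for a whole inventory, highest tier first (stable sort)."""
    order = {Tier.HIGH: 0, Tier.MEDIUM: 1, Tier.LOW: 2}
    return sorted((policy(d) for d in inventory),
                  key=lambda p: order[Tier(p["tier"])])


# Constructed sample inventory (assumption: not real devices or assessments).
SAMPLE_INVENTORY = [
    Device("legacy infusion pump", life_critical=True, stores_phi=False, patchable=False, scan_safe=False),
    Device("imaging workstation", life_critical=False, stores_phi=True, patchable=False, scan_safe=True),
    Device("bedside monitor", life_critical=True, stores_phi=False, patchable=True, scan_safe=False),
    Device("smart scale", life_critical=False, stores_phi=False, patchable=True, scan_safe=True),
]


if __name__ == "__main__":
    for p in triage(SAMPLE_INVENTORY):
        print(f"{p['tier']:6} {p['device']:22} scan: {p['scan']}")
```

The value of writing the rules down this way is that the tier is reproducible from recorded attributes rather than from whoever happened to assess the device, and the “cannot scan” and “cannot patch” facts are captured separately, since they lead to different compensating controls.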

At the end of the day, we are stuck in a situation where the medical device industry needs to catch up on secure coding and build practices, and healthcare organizations need to cycle through aging products until we can get to a more manageable baseline. Until then, consider a multi-sized approach to managing medical device security risk with minimal disruption. One size may not fit all… but that’s why we can order stuff in Small, Medium, and Large!

ABOUT THE AUTHOR

William Scandrett is an accomplished information security leader with a proven track record of establishing successful security programs across retail, finance, and healthcare industries. As CISO for Allina Health, William is responsible for the Security Governance, Identity/Access, and Cybersecurity programs as well as Technology Compliance and Risk Management and IT Asset Management.

Prior to Allina Health, William served as CISO for HealthEast, and held the Information Security Director role at Ameriprise Financial where he led the Identity Management and Governance, Risk, & Compliance (GRC) programs. William also led the IT Compliance program at GMAC ResCap and consulted at Best Buy through Accenture to help establish their global technology compliance program and software development methodologies.

William is recognized in the information security community for his knowledge, vision and leadership in the areas of Identity, Compliance, and Risk Management. He is most recently a CSO50 award winner and has been recognized as one of the “Healthcare CISO’s to Watch” in 2019 and 2020.

Chris Cathers
Securing Devices at Home and Work

COVID-19 has blurred the lines between home and work.  We have all had to learn to juggle work while the kids are distance learning.  We have had to learn new software and conferencing systems, not to mention what to do with paper files while at home.  Our home is now our office!  We must follow the security practices that our employer has put in place.  Here are some things you can do to secure your devices at home and at work:

  • Start with the basics – Keep your software up to date.  Use strong, complex passwords and don’t reuse them across accounts.  Use a password vault!

  • Use your work device for work – Using a personal device for work introduces many vulnerabilities; it likely doesn’t have the same security controls and also carries non-essential applications such as games.  Don’t let others use your work device, and be sure to lock it when walking away, just as you would in the office.

  • Secure your home network – Ensure your router is configured for WPA2 or WPA3 encryption with a strong, unique Wi-Fi passphrase, and change the router’s default administrator password.  The FTC’s guidance, “Secure Your Wireless Network”, may help.

  • Keep sensitive paper files secure – There may be times when you need to take sensitive paper files from the office to home.  Keep them out of sight and locked up, just as you would in the office.

  • Shred any sensitive paperwork – Don’t just throw away or recycle sensitive files; shred them!  Paperwork often contains information about customers, the company, or employees, and it can be used by those with less than good intentions.

  • Video conference securely – Use passwords when setting up video conference calls to ensure only those you want in attendance can join.  Close applications and documents that don’t pertain to the current call so that you don’t accidentally share them.

  • Be aware of the rise in phishing – This is especially important during times of fear and curiosity like the current COVID-19 pandemic.  Do not click on links that look suspicious or come from unknown or unexpected senders.  If you have doubts, verify by calling or messaging the sender through a contact method you already know, not one supplied in the message itself.

If you are in charge of security for your company, hopefully you have laid out clear, actionable guidelines for your employees.  Those should include reminders of the security policies as well as which services they should use from home and which are not appropriate.  This is the time to double down on awareness campaigns and send out responses to FAQs.

Chris Cathers
If You Connect It, Protect It

Does this statement seem a bit daunting to you?  Almost everything is connected in our lives today, both personally and professionally.  If you are like me, you have computers, tablets, phones, TVs, gaming consoles, video streaming devices, a thermostat, lights, a coffeepot, a garage door opener, and so on, all connected to your home network with access to the Internet.  And it’s great!  Having these devices connected allows us to do all the things we want to do: watch our favorite TV programs when we want to, connect with friends, auto-adjust settings in our home, manage our finances, and the list goes on.  Most of us are working from home and our kids are attending school at home; our home networks and internet connections have likely never been so heavily used.  With more use and more devices, our connections to and interactions with services and organizations have exploded.

The interconnectivity of our networks, information, devices, and applications is doing wonders for the way we work and play today.  But, what is being exposed?  Are we even aware of the exposure we are creating?  How many times do we reuse passwords? Are data/communications encrypted?

When everything is connected, how can we protect everything?  Some networks and devices are protected, while others are not.  We place a great deal of trust in these networks, applications, and interconnections; however, we must be vigilant to make sure we are doing our part to protect information.  Here are some simple things we can implement at home, at work, and at school:

Think About It

Numerous devices, numerous networks: a mixture that inevitably raises concern about things like exposure of our data to unknown parties, malware that can proliferate and steal data and information, or, worse yet, hold it for ransom.  So, think about what you are accessing, where you are accessing it from, and what you are using to access it.

Patch It

It is important to keep devices, systems, and applications up to date.  Updates often improve functionality and the user experience, but they frequently include security patches that fix vulnerabilities.  So make a point of installing patches, fixes, and updates, and turn on automatic updates where the device offers them.

Save It, Change It

Every system and application you access now requires a password.  Do you use the same password over and over for different applications?  Password vaults like LastPass or 1Password allow you to create and manage long, complex passwords for all your accounts with ease.  So there is no excuse to reuse passwords or set simple passwords because they are easier to remember!  Take the time to create and remember just one long, complex password: the one for the vault.  And protect the vault itself with multi-factor authentication.

Configure It

Most applications today offer some option for additional authentication.  If the application has the option, turn it on!  Passwords alone, no matter how complex, can be phished, leaked in a breach, or reused from another site.  Enabling multi-factor authentication adds another layer to defend your accounts, your information, and maybe your identity.

Install It, Configure It, Run It

Add layers of detection and monitoring to your devices whenever possible.  Anti-malware, firewalls, web filtering, intrusion detection, process monitoring, anti-ransomware, and more are available as all-in-one protection applications or even as native functionality in devices and systems.  The trick is that they have to be installed, configured, and enabled.  For devices where you can’t install additional protection software, review and configure the settings so that services and functionality are limited to only what is needed.  Look for options on your home network to limit network access or to detect malicious activity in traffic patterns.

Watch It

Be aware of your digital surroundings.  Be alert for imposters. Don’t overshare on social media. Look out for phishing emails. Be cautious about the WiFi hotspots you connect to. Take care when disposing of personal information.

When you connect, protect!
