Palo Alto Networks 2015 Predictions: Healthcare

As 2014 comes to a close, our subject matter experts check in on what they see as major topics and trends for the new year. (You can read all of our 2015 predictions content here.)

2015 will be a year of transition for security in healthcare where providers and organizations in the ecosystem catch up with other industries regarding the state of their cybersecurity.

In many ways, healthcare is in technology and information overload, with no clear standardization on architecture, delivery or design. When evaluating healthcare security, it’s also important to look at the entire ecosystem: small to large hospitals, healthcare insurers, healthcare application providers, medical equipment manufacturers and, to some extent, pharmaceutical and bio companies. Why? They all carry information related to patient medical data, and intellectual property tied to healthcare innovation.

With that in mind, here are some 2015 trends to track:

1. Going Back to Basics

You will see healthcare organizations put more emphasis on visibility and network segmentation, in terms of:

  • Knowing what’s on the network at all times
  • Making informed decisions on where to invest in security first
  • Rapidly identifying the areas that are high risk
  • Methodically and logically starting to remove traffic that does not belong to the business of healthcare
  • Implementing a better and more systematic approach to patching

2. Driving Better Awareness

We’re starting to see an evolution in the employee culture and decision-making power within healthcare organizations. Security awareness among key stakeholder groups – administrative employees, medical staff, patients and visitors, and others – will continue to grow.

Culturally speaking, healthcare organizations will hopefully adopt more of a prevention mindset and foster greater collaboration within the broader ecosystem of healthcare providers, payers, pharmaceutical companies and medical device companies.

3. Security Automation

Security automation will become table stakes for security in healthcare because of the high volume of information and the flow of data.


Speaking of healthcare security, Palo Alto Networks will be at the Healthcare Cyber Security Summit next week, December 3 and 4, in San Francisco, and I will be participating in a Breakfast Panel from 8:00-9:00 am PT on December 4, “Even More Future-Proofing: Continuing the Conversation on Healthcare Security Solutions.” Register today with the code HCPA20 and get a 20% discount.

Security in healthcare is among many focus topics at Ignite 2015, where you will tackle your toughest security challenges, get your hands dirty in one of our workshops, and expand your threat IQ. Register now to join us March 30-April 1, 2015 in Las Vegas — the best security conference you’ll attend all year.

[Palo Alto Networks Blog]


Seven Ways to Tighten The Security of Passwords

Passwords can actually represent one of the greatest security risks to an organization due to the combination of constant attacks and human weaknesses. In addition, as IT has become universally accessible, more users are adept at circumventing this basic security tool. Here are 7 tips to help organizations manage their password policy and reduce security risk.


1. Know the attacks

Methods of attack on passwords can be categorized into 5 types:

  • Dictionary attack: tries every word of a dictionary file as a candidate password.
  • Brute force attack: tests every combination of characters until the password is broken.
  • Hybrid attack: works like a dictionary attack but adds some numbers and special characters to each word.
  • Syllable attack: combines both brute force and dictionary attack.
  • Social engineering attack: uses ruses to convince people to reveal their password.

2. Define the purpose

Before developing a password security policy, the password life cycle should be defined and used as a baseline to identify needs. The life cycle should comprise all phases from creation until end of life and take into account the criticality of the resource the password is assigned to protect. Phases of management may include, but are not limited to: create, send, store, utilize, recover (locked account), renew and dispose.

3. Understand vulnerabilities at all levels

According to the type of account used to access resources, passwords can be classified into four types:

  • User
  • Administrator
  • System
  • Service

Even though each type of account carries its own level of importance according to its rights and resources, the level of security risk is the same for all of them, because attackers can use privilege escalation to gain more rights on the same resource or on a more sensitive one (e.g., admin rights).

4. Ensure password management strategy exists

The strategy for password management should be defined by 2 key factors:

  • Size of the information system, in terms of resources to access and users who access them. The greater the number of resources, the more complex the management is.
  • Ability of the organization to implement this strategy, in terms of infrastructure and skills.

Generally, there are two strategies for managing passwords, centralized and decentralized, each with its own advantages and disadvantages. Once a management strategy is adopted, access to resources should be well compartmentalized according to good security practices (e.g., least privilege, segregation of duties, need to know, and continuing user education on security risks related to passwords).

5. Do not make it easy

When talking about password complexity, people think only of length. But it is not the only element. Other aspects, such as character types, guessing probability and ease of memorization, also affect complexity. Character types include lowercase and uppercase letters, non-alphanumeric characters, and base 10 digits (0-9). The more complex the password is, the harder it is to remember. As a result, users tend to write their passwords down. Users must be educated and trained on how to create and use stronger passwords.

6. Test the security

Password testing checks whether existing passwords comply with the security policy. While it is advisable to reject weak passwords at creation, regularly testing the strength of existing passwords is crucial. Several tools exist for online or offline tests.

7. Protect the password

Regardless of the type of password, once it is created, it can be transmitted, stored, or recovered. For each of these operations, it is essential to protect its confidentiality and integrity by making sure it is always encrypted using approved security mechanisms. Honey Encryption is one method to add a level of protection to passwords.

Passwords must not be stored or transmitted in plain text, because an attacker could use a sniffing tool to obtain them. During the password recovery or reset procedure (manual or automatic), care must be taken to preserve the security of the password.
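To make tips 5, 6 and 7 concrete, here is an added Python example (it is not part of the original article): a policy check that rejects short, single-class and dictionary-plus-digits candidates, a salted PBKDF2-HMAC-SHA256 record with constant-time verification as the approved mechanism for keeping stored passwords out of plain text, and an offline audit of stored records against a constructed guess list. The wordlist, minimum length, iteration count and sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import string

# Constructed stand-in for the dictionary file used by dictionary/hybrid attacks (assumption).
WORDLIST = {"password", "welcome", "hospital", "summer"}
MIN_LENGTH = 12            # assumed policy minimum
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def policy_violations(password: str) -> list:
    """Return the policy rules a candidate fails (empty list means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    if sum(any(c in cls for c in password) for cls in classes) < 3:
        problems.append("fewer than 3 character classes")
    # Hybrid-attack check: strip leading/trailing digits and symbols, then look up the core word.
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()
    if core in WORDLIST:
        problems.append("dictionary word with digits/symbols appended")
    return problems


def hash_password(password: str, salt=None) -> dict:
    """Store only a random salt and the PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "digest": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def audit_records(records: dict, guesses: list) -> list:
    """Offline policy test (tip 6): list the accounts whose stored password is in the guess list."""
    return [user for user, rec in records.items() if any(verify_password(g, rec) for g in guesses)]
```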

Elie Mabo, CISA, CISSP, CEH, CCNA Sec, Security+, Information Security Consultant at CGI in Canada.

[ISACA]

When Panic Leads to Poor Decisions

We’ve all been there before. Something unforeseen happens that triggers a panic response. More often than not we look back at that response and wish we could have done things differently.

What we’ve all learned along the way is that panic triggers a response that often leads to potentially catastrophic mistakes. Those mistakes come as we grasp for short-term fixes that give us a stronger sense of control, but don’t take long term consequences into account.

On October 14th, Microsoft’s “Patch Tuesday” took on a new sense of urgency as we learned of three new vulnerabilities that were actively being exploited in targeted attack campaigns. Microsoft released 24 patches in total. Oracle also released patches for 154 newly discovered vulnerabilities. Adobe issued security updates for Flash and ColdFusion. For many this triggered an immediate response to begin the tedious process of applying security patches and signature updates. Some simply don’t have the resources and will get to the updates as soon as they possibly can.

Assuming you weren’t one of the unlucky attack targets, the upgrades should resolve any concerns…this time around. But how many security alerts are you dealing with on a weekly, monthly basis?

For many, patch management has become a sore topic, as it’s virtually impossible to stay on top of. But security efficacy takes on many shapes and sizes across the organization, and despite its pain, patching remains a crucial process in any security operation. Or does it?

If you examine the recent exploits that utilized either an unknown zero-day vulnerability or a vulnerability that was known but had not yet been patched, you’ll see that these exploits share a common set of traits. In order to execute, they must follow a very well defined and finite set of exploit techniques to compromise the system. In fact, at latest count there are only 24 techniques at an attacker’s disposal. And in most cases attackers have to employ three to four of these techniques in succession to exploit a system.

So conventional wisdom says, “If I can figure out a way to disrupt or prevent just one of those steps from being used, the attack itself could be blocked.” And a couple of innovative companies are now bringing this approach to market, not only for exploits but also for malware-driven attacks.

With the news of a fresh round of breaches at Dairy Queen and Kmart, on top of a busy week of security patches, many organizations are falling into the dangerous path of making potentially catastrophic strategy shifts. This is partly due to coercion by an industry that’s pushing a very clear agenda around detection and remediation. Backed by alarming statistics on attack dwell times and the increasing costs of breaches, they’re painting a picture in which prevention is futile and organizations should shift resources to a new fallback position. Ridiculous!

I’m certainly not going to stand here and say detection isn’t important. But shifting valuable resources away from prevention so that you can more quickly detect and remediate the attack that’s most likely already achieved its objectives is an ill-conceived response that will ultimately lead to catastrophic results.

Prevention isn’t futile; remediation is. Because those companies who come in and charge $20,000 a day over an average of 31 days to clean up and remediate your systems do nothing to get back what was stolen. There’s no Navy Seal team who infiltrates the Russian organized crime team to re-take your stolen credit cards, medical records, or design documents. That’s remediation. Hold your line. Know that prevention isn’t futile.

Take this opportunity to rethink your overall security architecture. Are you utilizing the next-generation security platforms that now exist, ones that combine network, cloud and endpoint security? The technology exists to truly prevent these attacks from ever achieving their objectives.

Step back; don’t panic. Take the time to architect a top-down approach that reduces your attack surface by safely enabling your applications, users and devices. Implement automation to protect against both known and unknown threats, eliminating the ‘man in the middle’. The capability exists; it’s just a matter of taking a breath and collecting the courage to drive real change across your organization.

Scott Gainey is the VP of Product Marketing and Programs at Palo Alto Networks. He is responsible for formulating the vision, definition and delivery of programs aimed at driving Palo Alto Networks’ growth in security, and cultivating opportunities in new and existing markets. Gainey has over 18 years of experience in security, cloud computing, storage systems, and enterprise networking. Prior to joining Palo Alto Networks, Scott held leadership positions at Cisco, Xsigo Systems (bought by Oracle), NetApp, VERITAS Software (bought by Symantec), and Sun Microsystems.

[SecurityWeek]
