
Dos and Don'ts of Risk-based Security Management in a Compliance-driven Culture
Security and Regulatory Compliance aren't the same thing, but they're often confused
Shahid N. Shah, CEO

NETSPECTIVE

Who is Shahid?
20+ years of architecture, design, software engineering, and information assurance (security) in embedded, desktop, and enterprise environments such as:
  FISMA-regulated government systems
  HIPAA-regulated health IT systems
  FDA-regulated medical devices and systems
Have held positions as CTO, Chief Architect, or Senior Engineer in a variety of regulated environments
www.netspective.com

Compliance vs. Security

Compliance vs. Security is like...
[Figure: two images captioned "Compliance" and "Security"]

[Figure: "Human Resources"]
Law: Compliance
Order: Security

Knowledge
Compliance knowledge bases: FISMA, HIPAA, FDA, PCI DSS, ONC, SOX
Security knowledge areas: Firewalls, Encryption, Access Control, Pen Testing, Continuous Monitoring, Packet Analysis

States
Compliance: usually binary
Security: continuous risk management

Reality
You can be compliant and not secure, secure but not compliant, or both
[Venn diagram: "Compliant" and "Secure", with the overlap labelled "Both"]

An example of compliant insecurity
It's easy to check off compliance boxes and still be insecure

Compliance requirement: Encrypt all data at FIPS 140 level

Insecure but compliant:
  Full disk encryption, with the encryption keys stored on the same disk
  SSL encryption, with no TLS negotiation and no man-in-the-middle monitoring

Secure and compliant:
  Full disk encryption, with disk-independent key management
  TLS encryption: force SSL → TLS and monitor for MITM threats
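The SSL/TLS row above is about how the encryption is configured, not whether it exists. This added example (not from the deck) builds both client configurations with Python's standard `ssl` module and runs a small audit over each; it assumes that "no TLS negotiation or man-in-the-middle monitoring" means, in code, no certificate verification, no hostname check and no protocol floor.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """'Compliant' on paper: traffic is encrypted. But the client accepts any
    certificate, never checks the hostname and sets no protocol floor, so an
    interposed party can terminate the session or force a legacy version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                               # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE                          # any certificate, self-signed included
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever the library still speaks
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Secure and compliant: verified peer, hostname checked, TLS 1.2 floor."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the findings a reviewer would raise against a client context.
    An empty list means the context clears all three checks."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED or floor < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor too low ({floor.name}); require TLS 1.2 or newer")
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_tls_context(ctx) or ["no findings"])
```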

Why does compliant insecurity occur?
Compliance is focused on:
  Regulations
  Meetings & discussions
  Documentation
  Artifact-completion checklists
instead of:
  Risk management: probability of attacks, impact of successful attacks
  Threat models: attack surfaces, attack vectors

Recommendations

Forget compliance
Get your security operations in proper order before concentrating on compliance.
Start sounding like a broken record: ask "is this about security or compliance?" often.

Consider costs while planning security
100% security is impossible, so compliance-driven environments must be slowed by cost drivers
Source: Olovsson 1992, A structured approach to computer security

Don't rely on perimeter defense
Firewalls and encryption aren't enough

Classify data and assets
NIST 800-60 can help you, or you can use your own system (e.g. Microsoft's)

Confidentiality: protecting personal privacy and proprietary information
  Low impact: limited adverse effect from disclosure
  Moderate impact: serious adverse effect from disclosure
  High impact: catastrophic effect from disclosure

Integrity: guarding against improper information modification or destruction, including ensuring nonrepudiation
  Low impact: limited adverse effect from unauthorized modification
  Moderate impact: serious adverse effect from unauthorized modification
  High impact: catastrophic effect from unauthorized modification

Availability: ensuring timely and reliable access to and use of information
  Low impact: limited adverse effect from service disruption
  Moderate impact: serious adverse effect from service disruption
  High impact: catastrophic effect from service disruption

Clearly express business impacts
Only evidence-driven, business-focused impacts should be considered real threats

Create risk and threat models
"He will win who, prepared himself, waits to take the enemy unprepared." (Sun Tzu)

Define threats. Create minimal documentation that you will keep up to date.

Capability, for example:
  Access to the system (how much privilege escalation must occur prior to actualization?)
  Able to reverse engineer binaries
  Able to sniff the network

Skill level, for example:
  Experienced hacker
  Script kiddie
  Insiders

Resources and tools, for example:
  Simple manual execution
  Distributed bot army
  Well-funded organization
  Access to private information

Motivation + skills and capabilities tells you what you're up against and begins to set the tone for defenses.
Source: OWASP.org, Microsoft

Visualize attacks / vulnerabilities

Create an Attack Library
Password Brute Force
Buffer Overflow
Canonicalization
Cross-Site Scripting
Cryptanalysis Attack
Denial of Service
Forceful Browsing
Format-String Attacks
HTTP Replay Attacks
Integer Overflows
LDAP Injection
Man-in-the-Middle
Network Eavesdropping
One-Click/Session Riding/CSRF
Repudiation Attack
Response Splitting
Server-Side Code Injection
Session Hijacking
SQL Injection
XML Injection
Source: Microsoft

Collect attack causes and mitigations
Define the relationship between the exploit, the cause, and the fix. For example:

Exploit: SQL Injection
Cause: Use of dynamic SQL
  Fix: Use parameterized SQL
  Fix: Use stored procedures with no dynamic SQL
Cause: Ineffective or missing input validation
  Fix: Validate input
Source: Microsoft
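The SQL Injection example above names two causes and three fixes. As an added example (not the deck's or Microsoft's code), the block below puts the dynamic-SQL cause beside the parameterized-SQL and input-validation fixes, using Python's built-in sqlite3 on a constructed three-row user table; SQLite has no stored procedures, so that third fix is not shown.

```python
import re
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed three-row user table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "analyst"), ("carol", "auditor")])
    return conn


def lookup_dynamic_sql(conn: sqlite3.Connection, username: str) -> list:
    """The cause from the slide: input is spliced into the statement text, so
    the database cannot tell data from SQL."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Fix 1: parameterized SQL. The value is bound separately from the
    statement and is only ever compared, never parsed."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def is_valid_username(username: str) -> bool:
    """Fix 2: allow-list input validation. Rejects anything outside the
    expected shape before it gets near the database."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_defended(conn: sqlite3.Connection, username: str) -> list:
    """Both fixes layered: validate first, then query with parameters."""
    if not is_valid_username(username):
        raise ValueError("username rejected by input validation")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = build_sample_db()
    probe = "x' OR '1'='1"  # constructed input that turns the WHERE clause into a tautology
    print("dynamic SQL   ->", len(lookup_dynamic_sql(db, probe)), "rows")    # all 3 users
    print("parameterized ->", len(lookup_parameterized(db, probe)), "rows")  # 0 rows
    print("validated     ->", is_valid_username(probe))                      # False
```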

How you know you're secure
  Value of assets to be protected is understood
  Known threats, their occurrence, and how they will impact the business are cataloged
  Kinds of attacks and vulnerabilities have been identified along with estimated costs
  Countermeasures associated with attacks and vulnerabilities, along with the cost of mitigation, are understood
  Real risk-based analysis drives decisions, not security theater
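The cost slide and this checklist both come down to comparing what a threat is expected to cost against what a countermeasure costs. This added example (not from the deck) does that comparison with the annualized loss expectancy method, which the slides do not name; every dollar figure and rate is constructed, and the two encryption options reuse the key-management contrast from the compliant-insecurity slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # value of the asset at risk, in dollars
    exposure_factor: float  # fraction of that value lost per successful attack
    annual_rate: float      # expected successful attacks per year (ARO)

    def single_loss(self) -> float:
        return self.asset_value * self.exposure_factor   # SLE

    def annual_loss(self) -> float:
        return self.single_loss() * self.annual_rate     # ALE


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float    # dollars per year to run the control
    residual_rate: float  # ARO that remains once the control is in place


def net_benefit(threat: Threat, control: Countermeasure) -> float:
    """ALE avoided minus the control's cost; negative means the control costs
    more than the risk it removes (security theater, in cost terms)."""
    residual_ale = threat.single_loss() * control.residual_rate
    return threat.annual_loss() - residual_ale - control.annual_cost


def rank_controls(threat: Threat, options: list[Countermeasure]) -> list[tuple[str, float]]:
    """Controls worth funding against this threat, best first."""
    scored = [(c.name, net_benefit(threat, c)) for c in options]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


# Constructed figures, not measurements: a patient-records database whose
# disk could be stolen or imaged.
STOLEN_DISK = Threat("database disk stolen or imaged", asset_value=2_000_000,
                     exposure_factor=0.3, annual_rate=0.5)
OPTIONS = [
    Countermeasure("full-disk encryption, key on the same disk", annual_cost=5_000, residual_rate=0.45),
    Countermeasure("full-disk encryption, disk-independent key management", annual_cost=40_000, residual_rate=0.05),
    Countermeasure("documentation-only control, no technical change", annual_cost=25_000, residual_rate=0.5),
]

if __name__ == "__main__":
    print(f"ALE without controls: ${STOLEN_DISK.annual_loss():,.0f}")
    for name, benefit in rank_controls(STOLEN_DISK, OPTIONS):
        print(f"{benefit:>12,.0f}  {name}")
```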

Review security body of knowledge

Everyone:
  FIPS Publication 199 (Security Categorization)
  FIPS Publication 200 (Minimum Security Requirements)
  NIST Special Publication 800-60 (Security Category Mapping)

Security ops and developers:
  NIST Special Publication 800-53 (Recommended Security Controls)
  Microsoft Patterns & Practices, Security Engineering
  OWASP

Executives and security ops:
  NIST Special Publication 800-18 (Security Planning)
  NIST Special Publication 800-30 (Risk Management)

Auditors:
  NIST Special Publication 800-53 (Recommended Security Controls)
  NIST Special Publication 800-53A Rev 1 (Security Control Assessment)
  NIST Special Publication 800-37 (Certification & Accreditation)

Key Takeaway
If you have good security operations in place, then meeting compliance requirements is easier and more straightforward.
Even if you have a great compliance track record, it doesn't mean that you have real security.

Visit
http://www.netspective.com
http://www.healthcareguy.com
E-mail shahid.shah@netspective.com
Follow @ShahidNShah
Call 202-713-5409

Thank You
