The development of the Critical Security Controls is transforming the way companies measure and monitor the success of their security programs while drastically reducing the cost of security. Fifteen of the twenty controls can be automated, some at limited cost to the organization, and the data is readily available to be presented in conference rooms and board rooms. Upon implementing, hospitals will have the ability to measure compliance, track progress, and know when they’ve reached certain goals. They were developed and agreed upon by a consortium including NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center as well as the top commercial forensics experts and pen testers serving the banking and critical infrastructure communities. Since the US State Department implemented these controls they have demonstrated “more than 80% reduction in ‘measured’ security risk through the rigorous automation and measurement of the Top 20 Controls.”

1. Utilizing the Critical Security Controls to
Secure Healthcare Technology
James Tarala, Enclave Security

2. Healthcare Security in the News
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
http://www.healthcareitnews.com/news/infographic-biggest-healthcare-data-breaches-2012

3. Healthcare Security in the News
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

4. FBI Annual Cyber Crime Complaints
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

5. More Examples from the News
• PrivacyRights.org (updated weekly)
• Here are some that are reported (most are not)
• Just a small sample (organization/records breached):
– Public Broadcasting Service (69,000)
– RxAmerica and Accendo Insurance (175,000)
– Sega (1.29 Million)
– S. California Medical-Legal Consultants (300,000)
– Citibank (360,000)
– Sony Pictures (1 Million)
– Sony Playstation Network (101.6 Million)
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

6. Specific Healthcare Challenges
• Highly mobile & temporary workforce members
• Demands from physicians & other VIPs
• Patient demands for the latest technology
• Vendor applications & data security
• Strategic partnerships & data security
• Confusing / conflicting / vague security standards
• Limited resources for security implementations
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

7. The Current State of Affairs
• Clearly the bad guys seem to be winning the
cybersecurity fight
• While there are bright spots, they are few and far
between
• We seem to be getting better at detecting and
responding to the threat
• We need to be better at preventing the attacks from
occurring in the first place
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

8. But what do we do?
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

9. Information Assurance Frameworks
• There are a number of industry groups also trying to
address the issues
• Numerous frameworks have been established, such
as:
– CoBIT
– IT Assurance Framework (ITAF)
– ISO 27000 Series
– IT Baseline Protection Manual
– Consensus Audit Guidelines / Critical Security Controls
– Many, many others
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

10. Industry Security Regulations
• Presently there are a number of government
information security standards available
• But, there are too many to choose from:
– Individual Corporate / Agency Standards
– NIST 800-53 / 800-53 A
– FISMA / DIACAP
– HIPAA / SOX / GLBA
– PCI / NERC / CIP
– 20 Critical Controls / Consensus Audit Guidelines
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

11. Council on CyberSecurity
• Official home of the Critical Security Controls
• CEO is Jane Lute, former Deputy Secretary of DHS
• Not for Profit group responsible for managing the
Critical Security Controls (CSCs)
• Director of the CSCs is Tony Sager
• Mission is:
“The Council on CyberSecurity is an independent, global
organization committed to an open and secure Internet.”
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

12. Document Contributors (1)
• Blue team members inside the Department of Defense
• Blue team members who provide services for non-DoD
government agencies
• Red & blue teams at the US National Security Agency
• US-CERT and other non-military incident response teams
• DoD Cyber Crime Center (DC3)
• Military investigators who fight cyber crime
• The FBI and other police organizations
• US Department of Energy laboratories
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

13. Document Contributors (2)
• US Department of State
• Army Research Laboratory
• US Department of Homeland Security
• DoD and private forensics experts
• Red team members in DoD
• The SANS Institute
• Civilian penetration testers
• Federal CIOs and CISOs
• Plus over 100 other collaborators
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

14. Project Guiding Principles
• Defenses should focus on addressing the attack activities
occurring today,
• Enterprise must ensure consistent controls across to
effectively negate attacks
• Defenses should be automated where possible
• Specific technical activities should be undertaken to produce a
more consistent defense
• Root cause problems must be fixed in order to ensure the
prevention or timely detection of attacks
• Metrics should be established that facilitate common ground
for measuring the effectiveness of security measures
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

15. Cyber Intrusion Kill Chain
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

16. Critical Security Controls vs Intrusion Kill Chain
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
Critical Security Control
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command&Control
ActionsonObjectives
CSC #1: Inventory of Authorized and
Unauthorized Devices
X X X X X X
CSC #2: Inventory of Authorized and
Unauthorized Software
X X X
CSC #3: Secure Configurations for Hardware
and Software on Mobile Devices, Laptops,
Workstations, and Servers
X X X
CSC #4: Continuous Vulnerability
Assessment and Remediation
X X X

17. Technical Defensive Tools
• Security Content Automation Protocol (SCAP)
compliant vulnerability management solution
• File integrity assessment monitoring and response
system
• Software whitelisting solution
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

18. 2013 Java Data Breaches
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

19. 2013 Java Attacks & Intrusion Kill Chain
1. The attacker discovered a weakness in software
commonly utilized by the victim (reconnaissance)
2. The attacker wrote attack code to exploit the
discovered software weakness (weaponization)
3. The attacker posted the attack code on a “watering
hole” website that would be trusted by the victim
(delivery)
4. The victim was lured into visiting the “watering hole”
website hosting the attack code (exploitation)
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

20. 2013 Java Attacks & Intrusion Kill Chain
5. The victim downloaded and executed the malicious
code (installation)
6. The malicious code compromised the victim’s
computer and connected to the attacker’s command
and control servers to allow the attacker access
(command and control)
7. The attacker performed his or her desired objectives
on the victim’s computers (actions on objectives)
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

21. 2013 Java Attacks - Defenses
• Critical Control #1: Inventory of Authorized and
Unauthorized Devices
• Critical Control #2: Inventory of Authorized and
Unauthorized Software
• Critical Control #3: Secure Configurations for
Hardware and Software on Mobile
Devices, Laptops, Workstations, and Servers
• Critical Control #4:Continuous Vulnerability
Assessment and Remediation
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

22. Business Dashboards
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security
http://www.ncircle.com/index.php?s=solution_reporting

23. Potential Business Metrics
• How many unauthorized / unknown computers are currently
connected to the organization’s network?
• How many unauthorized software packages are running on the
organization’s computers?
• What percentage of the organization’s computers are running
software whitelisting defenses which blocks unauthorized
software programs from running?
• What is percentage of the organization’s computers that have
been configured (operating system and applications) according
to the organization’s documented standards?
• What is the comprehensive Common Vulnerability Scoring
System (CVSS) vulnerability rating for each of the organization’s
systems?
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

24. Actionable Next Steps
1. Business leaders should define their strategy for
how to defend against cyber attacks (document a
charter).
2. Deploy technical tools to implement defensive goals.
3. Gather metrics on a continuous basis to measure
the organization’s progress.
4. Engage business leaders to act based on the metrics
that are gathered.
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security

25. Further Questions
• James Tarala
– E-mail: james.tarala@enclavesecurity.com
– Twitter: @isaudit
– Website: http://www.auditscripts.com
• Resources for further study:
– SANS SEC 440/566: Implementing & Auditing the
Critical Security Controls
– The Council on CyberSecurity
(http://www.counciloncybersecurity.org/)
Utilizing the Critical Security Controls to Secure Healthcare Technology © 2013 Enclave Security