Issue link: https://beckershealthcare.uberflip.com/i/1336426
PRACTICE MANAGEMENT THOUGHT LEADERSHIP

The SolarWinds breach — What do CIOs need to know?

By Mitch Parker, Chief Information Security Officer of Indiana University Health

SolarWinds, a major supplier of network management and monitoring software to governments, private industry and industry titans like FireEye and Microsoft, was found to have been compromised. Network management software that controls, manages and monitors the cores of multiple critical networks has been breached. The effects of this cannot be overstated. The compromise strikes at the core of networks and enabled sophisticated follow-on attacks, including the FireEye breach disclosed in December. It bypassed some of the best security we had, and it did so through compromised software updates that carried the vendor's own digital signature, so patching systems trusted them.

While there are any number of pundits and explanations available in the media, we want to get information to CIOs that they can use to protect the patients who visit our facilities and the networks that facilitate their care. This attack puts us all at increased risk.

Contracting

When we contract for software, hardware and services with third parties, we need to ensure that they have a commitment to securing their own environments. One of the factors Reuters identified was that access to SolarWinds' computers had been offered for sale on underground forums. Contracts with third-party vendors need to include language on securing the vendor's environment, using third-party static code analysis, and regularly scanning local and cloud-based environments for vulnerabilities. They also need to require the use of current encryption and authentication technologies. Many application vendors in healthcare require less secure authentication methods, such as legacy NTLM authentication or Kerberos with the RC4 cipher, to remain enabled. This means that when a malicious third party gets access to the network, they can very easily acquire credentials across the whole domain, not just those on a small part of the network, because of these weaknesses. As Microsoft notes, weak ciphers reduce security: a Kerberos service ticket encrypted with RC4 is far cheaper to crack offline, and so to recover the service account's password from, than one encrypted with AES.
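The legacy authentication methods and weak ciphers that vendors ask for are visible in the directory itself, and the same check is what you would run after the Active Directory hardening steps under Locking Down Internal Networks below. The following is an added worked example, not from the article or from SolarWinds, that audits exported Active Directory service-account attributes for the weaknesses this article calls out: legacy Kerberos encryption types on accounts with service principal names, stale passwords on hand-managed service accounts, accounts that should be Group Managed Service Accounts, and service accounts sitting in admin groups. The input format (a list of attribute dicts with pwdLastSet already converted from FILETIME to an ISO date), the sample account names and values, the admin group list and the one-year rotation threshold are all constructed for the example.

```python
"""Audit exported Active Directory service-account attributes for the
weaknesses discussed in the text: legacy Kerberos ciphers (DES/RC4), stale
passwords on hand-managed service accounts, accounts that should be Group
Managed Service Accounts (gMSA), and service accounts in admin groups.

Added example, not the article's or SolarWinds' code. Input format is an
assumption: a list of dicts shaped like the attributes returned by
`Get-ADObject -Properties ...` or an LDAP search, with pwdLastSet already
converted from FILETIME to an ISO-8601 date.
"""
from datetime import datetime, timedelta

# Bit flags of msDS-SupportedEncryptionTypes as defined by Microsoft.
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1 = 0x08
AES256_CTS_HMAC_SHA1 = 0x10
ETYPE_NAMES = [
    (DES_CBC_CRC, "DES_CBC_CRC"), (DES_CBC_MD5, "DES_CBC_MD5"),
    (RC4_HMAC, "RC4_HMAC"), (AES128_CTS_HMAC_SHA1, "AES128"),
    (AES256_CTS_HMAC_SHA1, "AES256"),
]
LEGACY_ETYPES = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC

GMSA_CLASS = "msDS-GroupManagedServiceAccount"
# Assumption: extend this set with the privileged groups in your own domain.
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_PASSWORD_AGE = timedelta(days=365)  # assumption: rotate at least yearly


def decode_etypes(value):
    """Names of the Kerberos encryption types an account will accept.
    An unset (or zero) attribute means 'domain default', which on a
    default domain still includes RC4, so it is treated as legacy."""
    if not value:
        return {"RC4_HMAC (domain default)"}
    return {name for bit, name in ETYPE_NAMES if value & bit}


def allows_legacy_etype(value):
    """True when DES or RC4 tickets can be issued for the account."""
    return not value or bool(value & LEGACY_ETYPES)


def audit_service_accounts(accounts, now):
    """Return (account, issue, detail) findings for a list of accounts."""
    findings = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        is_gmsa = GMSA_CLASS in acct.get("objectClass", [])
        has_spn = bool(acct.get("servicePrincipalName"))
        etypes = acct.get("msDS-SupportedEncryptionTypes", 0)

        # An account with an SPN is Kerberoastable; if it still accepts
        # RC4/DES, the tickets it hands out are cheap to crack offline.
        if has_spn and allows_legacy_etype(etypes):
            findings.append((name, "legacy-kerberos-etype",
                             sorted(decode_etypes(etypes))))

        # A gMSA rotates its own long random password (every 30 days by
        # default); anything else relies on a human-chosen, human-rotated one.
        if not is_gmsa:
            findings.append((name, "not-gmsa", "hand-managed password"))
            age = now - datetime.fromisoformat(acct["pwdLastSet"])
            if age > MAX_PASSWORD_AGE:
                findings.append((name, "stale-password",
                                 f"{age.days} days since last change"))

        # Service accounts rarely need domain-wide admin rights.
        admin = ADMIN_GROUPS & set(acct.get("memberOf", []))
        if admin:
            findings.append((name, "admin-rights", sorted(admin)))
    return findings


# Constructed sample export; names, dates and values are invented.
NOW = datetime(2021, 1, 15)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_orion", "objectClass": ["user"],
     "servicePrincipalName": ["HTTP/orion.example.local"],
     "pwdLastSet": "2017-03-01", "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_backup", "objectClass": ["user"],
     "servicePrincipalName": ["backup/bk01.example.local"],
     "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": "2020-11-15",
     "memberOf": ["Backup Operators"]},
    {"sAMAccountName": "gmsa_sql$",
     "objectClass": ["user", "computer", GMSA_CLASS],
     "servicePrincipalName": ["MSSQLSvc/sql01.example.local:1433"],
     "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": "2021-01-10"},
    {"sAMAccountName": "svc_legacyapp", "objectClass": ["user"],
     "servicePrincipalName": ["HOST/app01.example.local"],
     "msDS-SupportedEncryptionTypes": RC4_HMAC, "pwdLastSet": "2018-06-01",
     "memberOf": ["Domain Users"]},
]

if __name__ == "__main__":
    for account, issue, detail in audit_service_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"{account:15} {issue:22} {detail}")
```

On the constructed data the only clean account is the gMSA; the Orion-style account is flagged four times (default RC4, hand-managed password, not changed since 2017, Domain Admins). Note that the directory cannot tell you a password's length, so the 25-character requirement has to be enforced at reset time; the audit can only show you which passwords have not been reset.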
Having these items in contracts gives organizations leverage to enforce security terms and conditions and do a better job of protecting patients.

Dark Web Monitoring/Threat Intelligence

The Reuters article above mentioned that access to SolarWinds computers was for sale on underground hacking forums. Many people share the same passwords across multiple work and home accounts. That makes credential stuffing, in which attackers replay passwords taken from earlier breaches, and password spraying, in which a small set of commonly used passwords is tried against a large number of accounts, highly effective. The Dark Web monitoring that companies offer is targeted toward individual users. There are multiple great companies that can provide excellent Dark Web monitoring for you and notify you if assets or team member accounts are for sale or available on underground forums. This helps address issues before they become persistent problems.

Two-factor Authentication/Login Location Checking

Two things you can do to protect your networks are to require app-based two-factor authentication and to check where people log in from. App-based two-factor authentication, such as Cisco Duo, Imprivata or Microsoft Authenticator, requires a second factor besides a password to access resources from outside the network. Checking where users are logging in from, and immediately flagging logins from outside your home country or area, can also help address the use of breached credentials; a flagged login is either a traveller you can confirm with a phone call or a stolen credential in use. According to Microsoft's presentation at the 2020 RSA Conference, more than 99.9 percent of Microsoft enterprise accounts that were taken over by attackers did not use multi-factor authentication, and only 11 percent of accounts overall had it enabled. This move will further reduce risk.

Locking Down Internal Networks

As discussed above, many application vendors rely upon less secure methods to authenticate. This also extends to permissions.
The reason the SolarWinds attack is so dangerous is the high level of network access the Orion software had: it is typically configured with privileged credentials for the servers and network devices it monitors, so whoever controls Orion controls them too. Inventory your software and critical applications. Work with your vendors to determine the minimum access each needs and configure applications to use only that. Don't give accounts administrative permissions because it's easy; it's much harder to clean up after a data breach. Filter and disallow Internet access from devices that don't need it, especially Internet of Things or medical devices running older operating systems.

If you have a vulnerable version of Orion, then according to CISA you need to disable legacy encryption methods (DES and RC4 for Kerberos) in your Active Directory environment, reset any credentials used by the Orion software, rebuild any hosts or devices monitored by it using trusted software, reset the passwords used by service accounts to at least 25 characters, and start using Group Managed Service Accounts, which rotate their own long random passwords automatically, instead of user accounts. You also need to reset the password of the krbtgt account, which protects every Kerberos Ticket Granting Ticket in the domain and is better known as the keys to the kingdom. Reset it twice, allowing replication to complete between the two resets, so that tickets forged with the old key stop being accepted. If that password is compromised, then you are no longer in control of your own network.

If you don't have a vulnerable version, you still need to disable legacy encryption methods and start using Group Managed Service Accounts wherever possible. If you have service accounts using simple passwords, reset those too. There are vendors in the healthcare space who have asked for passwords not to be changed. They need to be changed. If we can Google it, and we have before, then it's not a secure password and you're putting patient data at risk.

EDR instead of Anti-Virus

One of the items SolarWinds recommended was to disable anti-virus scanning of its directories. A cached document from its support site gave a list of directories to exclude from scanning. That means malware placed in those directories would not be detected, and the backdoored Orion component was installed in exactly that kind of excluded directory. Our recommendation is to enable scanning on these directories.
If you have legacy anti-virus, get an Endpoint Detection and Response product such as Microsoft Defender Advanced Threat Protection, BlackBerry Cylance, VMware Carbon Black, CrowdStrike or Cybereason instead. These products detect malware by its behaviour on the endpoint rather than by signature alone, so they do a better job of detecting malware than legacy products, and a better job of protecting patient data.

Operational Management Procedures

We need to develop runbooks and operational management procedures for applications and network services to check for and report on anomalies. These include invalid logins, connections to outside sites, accounts that look up an unusual number of records, and attempts at probing other resources. Linking systems to a Security Information and Event Management (SIEM) platform managed by a Managed Security Services Provider (MSSP) and/or a clinical engineering device management company can help you automate these processes. Also, make sure that your teams are performing periodic maintenance, including patches, application reliability checks and database checks.

Mass Password Change Procedures

Organizations need to make sure that they have good procedures in place for when a significant event occurs. Today it was SolarWinds Orion being compromised. Tomorrow will bring other similar events. System administrators have been walked out, credentials have been compromised and many other issues have happened in the IT space, like ransomware. It is never too late to prepare to have to change all credentials, and to have a process to do so.

Conclusion

The SolarWinds event is going to be history like the Morris Worm or Stuxnet. It will be relentlessly studied and examined. This doesn't mean we throw up our hands and say that security doesn't work. It means that we study and learn from it, and implement techniques that make ourselves more resilient. There are many people, especially now, who depend on us. We owe it to them to do better.
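The login-location check from the Two-factor Authentication/Login Location Checking section, and the anomaly reporting the runbooks under Operational Management Procedures call for (invalid logins, accounts that look up numerous records), come down to a few queries over sign-in and access logs. The following is an added worked example, not from the article, that runs those checks over constructed, already-geolocated sign-in rows and a constructed record-access log. The log formats, field names, home country, the 30-minute spraying window, the five-account threshold and the 200-record daily limit are all assumptions; in practice the thresholds are tuned to your own baseline.

```python
"""Detection logic for the checks the article recommends: flag successful
sign-ins from outside the home country, detect password spraying (one
source failing against many different accounts in a short window, plus
any account that then succeeds from that source), and report accounts
that look up an unusual number of patient records.

Added example, not the article's code. Log formats are constructed:
sign-ins as 'timestamp user source_ip country SUCCESS|FAILURE' and record
access as 'date user record_id', the kind of normalised rows a SIEM holds
after geolocating the source address.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY = "US"                    # assumption
SPRAY_WINDOW = timedelta(minutes=30)   # assumption
SPRAY_MIN_ACCOUNTS = 5                 # distinct accounts per source; assumption
RECORD_LOOKUP_LIMIT = 200              # records per user per day; assumption


def parse_signins(lines):
    """Parse constructed sign-in rows into dicts, oldest first."""
    events = []
    for line in lines:
        ts, user, ip, country, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "country": country,
                       "ok": result == "SUCCESS"})
    return sorted(events, key=lambda e: e["ts"])


def foreign_logins(events, home=HOME_COUNTRY):
    """Successful sign-ins from outside the home country: each one is a
    traveller to confirm or a breached credential in use."""
    return [e for e in events if e["ok"] and e["country"] != home]


def password_spray_sources(events, window=SPRAY_WINDOW,
                           min_accounts=SPRAY_MIN_ACCOUNTS):
    """Per source IP, slide a window over its failures; report the source
    when it fails against >= min_accounts distinct users inside the
    window, together with any account that succeeded from it afterwards."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e)
    report = {}
    for ip, fails in failures.items():
        for i, first in enumerate(fails):
            users = {f["user"] for f in fails[i:]
                     if f["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                succeeded = sorted({e["user"] for e in events
                                    if e["ip"] == ip and e["ok"]
                                    and e["ts"] >= first["ts"]})
                report[ip] = {"accounts_tried": len(users),
                              "succeeded": succeeded}
                break
    return report


def bulk_record_access(lines, limit=RECORD_LOOKUP_LIMIT):
    """Distinct records touched per user per day, for users over the limit."""
    seen = defaultdict(set)
    for line in lines:
        day, user, record = line.split()
        seen[(day, user)].add(record)
    return {key: len(recs) for key, recs in seen.items() if len(recs) > limit}


# Constructed sample logs; users, addresses (private and RFC 5737 test
# ranges) and record numbers are invented.
SIGNIN_LOG = """\
2021-01-14T08:02:11 asmith 10.20.1.15 US SUCCESS
2021-01-14T08:05:40 bjones 10.20.1.22 US SUCCESS
2021-01-14T09:10:03 cwhite 203.0.113.45 RU SUCCESS
2021-01-14T22:00:01 asmith 198.51.100.9 US FAILURE
2021-01-14T22:00:05 bjones 198.51.100.9 US FAILURE
2021-01-14T22:00:09 cwhite 198.51.100.9 US FAILURE
2021-01-14T22:00:14 dgreen 198.51.100.9 US FAILURE
2021-01-14T22:00:18 ebrown 198.51.100.9 US FAILURE
2021-01-14T22:00:23 fblack 198.51.100.9 US FAILURE
2021-01-14T22:03:00 dgreen 198.51.100.9 US SUCCESS
2021-01-14T23:15:00 bjones 10.20.1.22 US FAILURE
2021-01-14T23:15:30 bjones 10.20.1.22 US FAILURE
2021-01-14T23:16:00 bjones 10.20.1.22 US SUCCESS
""".splitlines()

ACCESS_LOG = ([f"2021-01-14 asmith MRN{n:05d}" for n in range(40)]
              + [f"2021-01-14 jdoe MRN{n:05d}" for n in range(350)])

if __name__ == "__main__":
    events = parse_signins(SIGNIN_LOG)
    print("foreign:", [(e["user"], e["country"]) for e in foreign_logins(events)])
    print("spray:", password_spray_sources(events))
    print("bulk:", bulk_record_access(ACCESS_LOG))
```

On the constructed data the one sign-in from outside the home country is flagged, the source that failed against six accounts in under a minute is reported along with the account it subsequently got into, the user who mistyped their own password twice is not, and the user who pulled 350 records in a day is listed for review. The spraying check keys on one source and many accounts, so a user's own repeated failures never trip it; the record-lookup check needs a per-role baseline in practice, since a billing clerk and a nurse touch very different numbers of records.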