The following is a computer systems security and maintenance self-assessment that organizations of all sizes can use to test their overall security strategy. Most of this list is also applicable to residential scenarios. Special items related to HIPPA or PCI environments are notated.
This is not an exhaustive list to verify HIPPA or PCI compliance, but is intended to be an overview in terms that most business decision makers will understand.
The QPC website has many articles where you can find solutions to any strategy deficiencies revealed to you through use of this assessment. Review the Podcasts area or use the search bar to find articles and podcasts pertinent to the subjects you are interested in learning more about.
Perimeter Security Appliances / Firewall: hardware
The paradigm of stateful packet inspection firewalls at the perimeter is a dead paradigm due to its complete lack of effectiveness at defending against modern threats.
The only affordable yet effective paradigm in contemporary scenarios starts with a rigorously featured, programmed, and maintained perimeter security appliance. That device will often be the core router in the small to medium enterprise space allowing for security and logging to the subnet layer.
If the organization is required to comply with HIPPA or PCI, then DLP protections may be required at the network layer. It is typical to implement DLP controls at the following layers:
Typically, organizations will want services such as Trend Micro's Cloud App Security to protect their cloud assets and email from advanced persistent threats such as ransomware and other malware. Often, quality security products provide an abundance of security protections for the same price when properly implemented.
When architecting strategies for protecting against breaches, one must be very cognizant over what technology has visibility into the breach mechanism vector in what scenario. A perimeter security appliance can only protect what it has visibility into. As a result, organizations may opt to buy a bundle-pack of Trend Micro Smart Protection Complete which would allow for the optional enhanced security agent on their systems even when the systems are not at the workplace.
Security appliances can provide excellent protection to remote devices as long as the user of that device consistently establishes a force tunnel SSL VPN session to the network protected by the security appliance.
The goal is to block malicious content BEFORE it gets to the endpoint (computer, server, mobile device). Reactive strategies are no longer viable.
While a quality host-based security product will usually block and stop propagation of malware, the malware can still do damage in the milliseconds of time between execution and blocking. This has been seen many times starting in 2016.
Therefore, perimeter security appliances are essential even in residential settings to defend against current threats.
A host-based security product travels with the device. If a laptop has Trend Worry-Free Business Security client installed, then that client goes wherever that laptop goes. This offers sophisticated protection even when the laptop is not behind a secure hardware-based perimeter security appliance.
Security agents must be installed on all servers. Technicians who claim that security agents should not be installed on servers are ignorant of the techniques employed to enable the security agent to protect the system while still allowing special applications such as SQL to perform as expected.
A good host-based security product offers these features:
Remember that the goal is to block malicious content BEFORE it gets to the endpoint (computer, server, mobile device). Reactive strategies such as attempting to clean up the system after a breach are no longer viable. The only clean up approaches that are effective are full system restores from prior system images, or full rebuilds from scratch where partitions were wiped and possibly firmware on hard drives was reflashed.
Web content filtering
Web content filtering should be comprised of three layers on any secure network.
All patches for software on computers should be installed within 48 hours of the security patch being released to the public.
An organization or individual needs to have in place:
QPC provides patch management and proactive maintenance services to clients under systems management contract.
Hard drive monitoring and maintenance
Hard drive maintenance can normally be achieved by running "defrag c: -v" from a command line on Windows systems. Optimization requires Diskeeper.
Monitoring requires the use of S.M.A.R.T.
Endpoint security practices
Block known sources of malware using multiple methods
Advertisements are attractive targets for hackers to use to distribute their malware. Inappropriate, free games, or criminal content websites are also frequently hacked to serve up malware. Therefore, a good strategy is to use multiple methods to block these sources of malware.
Because advertising content is injected in all kinds of websites, you cannot simply decide to not receive the content. You need to have an active blocking mechanism in place that will filter out bad content.
Organizations that wish to prevent their data from being compromised or leaked should use role-based access control, adequate backups, all the other security measures listed in this article, endpoint encryption, and DRM (digital rights management).
DRM and endpoint encryption rules ensure that when data is on a mobile device is encrypted and not able to be copied, moved, or stolen. It is security without hampering employee productivity.
DRM rules prevent data from being copied or exported to non-approved locations by employees regardless of their intention. DRM also enables selective wipe of organization data from mobile devices in a BYOD environment without otherwise damaging the employee-owned device.
|Role-based access control - RBAC|
Role-based access control is always used in combination with the concept of least-rights privilege. This concept is codified in the NIST SP-800 standard and is a requirement for HIPPA and PCI. RBAC and least rights has actually been a concept used since the beginning of secure computing and is just common sense for all scenarios.
In RBAC, an organization defines roles, assigns individuals to those roles, and then defines the access that the role itself has. Individuals are not assigned to resources, only roles are. In that way, as an employee changes roles, their role membership is changed easily and quickly. When this method is not used, employees perpetually accumulate rights that virtually no one is courageous enough to remove from that employee's access rights for fear of breaking something.
With the relationship between a role and access to a set of resources defined, RBAC removes anything personal from the decision of removing access from an individual user. The question of access simply goes to the manager of the employee asking what roles does that employee have? Access is then granted based upon role membership. Management would have already made decisions about what resources people with those roles should have access to.
|Encryption at rest and in transit|
HIPPA and PCI clearly define that data must be protected by encryption at rest and in transit. Types of data are defined. It is often prudent to just encrypt everything that can be encrypted.
Organizations must realize that means their copiers also. A copier has a hard drive that keeps a copy of the last several thousand items that it has print, scanned, or copied. Therefore, the hard drive must be encrypted. A typical encryption module in a copier is a one-time $400 expense, so it is not cost-prohibitive whatsoever.
For HIPPA, and PII or PHI being transmitted via email must be encrypted in transit. There are many mechanisms to accomplish that, but an organization should use a system that enforces encryption automatically based upon industry standard rules and not based upon employees putting the string "#encrypt#" someplace in the email. If an organization assumes that employees will 100% of the time remember to do that correctly, they are bound to have many HIPPA violations.
The biggest need for encrypted email is in healthcare is where it is common to use email for medical offices to share information like treatment records, etc. with referring medical offices. Hospitals generally have medical information sharing systems on dedicated network links already setup. Those are very expensive and practical only for large organizations like hospitals, so smaller medical offices must rely upon encrypted email.
|Mobile device security|
Trend Micro Worry-Free Business Security Services edition provides a moderate featured client for Android and iOS. When an organization buys WFBiz Sec, they automatically get mobile device licenses.
Trend Micro offers many other tools that can offer even more advanced protections for mobile devices. Usually, an organization will invest in Smart Protection Complete, and then decide what components they will implement. One of those components provides an always on VPN for mobile devices that provides them with complete protection against internet-borne threats. When that is combined with Office 365 Enterprise Mobility Suite, an incredibly feature rich protection level can be achieved.
|Devices that cannot be secured|
Many organizations are faced with the challenges of being HIPPA or PCI compliant, but their own software vendors make that extremely difficult. We see these challenges primarily in healthcare systems and POS systems.
It is best to understand these problems by example.
Many practice management applications are poorly written using old security models where the only way the software vendor will guarantee that the application works is by enabling full administrator privileges for the user accounts using the software.
Allowing users that can browse the internet and do email to have administrator access to their system is a 100% guaranteed way to be in violation of HIPPA or PCI. Therefore, this is a completely non-viable answer. Practitioners are put in a very difficult spot where their software vendor will not correct the deficiencies in their poorly programmed software, so the practitioner must accept the full liability knowing that they are in breach of the compliance regulations.
One way to deal with this is to literally block internet access from those systems and require staff to use RDP/RDS to do things like email and internet. We have yet to see a scenario where anyone other than highly skilled IT personnel can make this model work though. Putting the practice management application in something like RDS is typically not viable due to the heavy integration that it must have with the local subnet (again deficiencies in how the software is programmed) as well as devices locally connected to systems (x-ray and other sensors).
In the case of a computer that is connected to a CT scanner and is supposed to be dedicated to that purpose, find out from the hardware/software vendor what applications and websites that machine needs to get to. Write a security appliance policy that specifies that the CT scanner computer can access the LAN, but not the internet except for the minimal destinations required to allow the CT scanner software support personnel to remote control and manage that device.
|Understand the cyber-security kill chain|
Resources to help you understand the cyber security kill chain and how its use protects the organization's assets.
PII - personally identifiable information
PHI - protected health information
SME - small to medium enterprise
POS - point of sale