McAfee Antivirus
Emerging Trends in Healthcare Security: Join @McAfeeBusiness For #SecChat Thursday 2/23
Healthcare demands a degree of confidentiality and privacy that exceeds almost any other industry. As a result, trends such as cloud computing and the consumerization of IT have unique implications for security professionals working in this sphere. With increased integration of electronic records, as well as evolving regulatory pressures and privacy laws, the complexity of managing these systems has grown significantly – underlining the urgency of addressing security risks.
During this month’s #SecChat, we hope to open up a discussion that will provide insight into how healthcare organizations effectively monitor networks, optimize incident response, and assess and mitigate the risk of security incidents, including breaches – particularly in the wake of emerging trends in IT.
Is the healthcare industry ready for cloud adoption? Or is a reluctance to migrate to the cloud justified, given both information security and HIPAA compliance concerns? What are some of the security and compliance implications of growing tablet use among clinicians, and how has your organization reacted to having so much sensitive information outside of the traditional IT infrastructure? Has social media use among healthcare professionals sparked any security issues at your org, and what kind of policies have been set in place to mitigate this risk?
Join us next Thursday, 2/23 at 10am PT by following the #SecChat hashtag and @McAfeeBusiness Twitter feed, and share your opinion on emerging trends in healthcare security – from cloud adoption and mobile applications, to social media, incident response and more.
Logistics: How do I participate in #SecChat?
- Find: Search for the #SecChat hashtag (via TweetChat, TweetDeck, or a Twitter client) and watch the real-time stream.
- Follow: @McAfeeBusiness will get the conversation rolling by posing a few questions to participants.
- Engage! Tweet your reactions, questions and @replies to the chat, making sure to use the #SecChat hashtag.
- #SecChat should last about an hour.
Host Security for SCADA and ICS Systems Part 1
As a part of our ongoing effort to showcase industry thought leaders here in the blog, I was able to sit down with Eric Knapp, Director of Critical Infrastructure Markets in McAfee’s global business development group, for a series of talks on the topic of critical infrastructure. Eric is an expert in cybersecurity for industrial automation and control systems, and is the author of “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA and Other Industrial Control Systems.” You can listen to his full podcast interview at the end of this post.
Today’s discussion will be part one of “Host Security for SCADA and ICS Systems.” Welcome to the show, Eric.
Thank you, Brian. It’s good to be here.
So Eric, give us just a very brief background on what a SCADA device is and what an ICS device is.
Sure. The terms SCADA and ICS are flying around a lot lately, because some of the more prominent attacks have made it into the media. But there is a lot of misunderstanding about what they are. Basically, any company that has an industrial automation component to it – whether that’s manufacturing automobiles, electricity or anything else – there is an automated portion to that environment. Generically, that can be referred to as the control system, or a lot of people use the term SCADA, which actually stands for supervisory control and data acquisition. So it’s the part of that automation facility. It’s very different than what you think of as a traditional IT environment.
Why is host security in control systems such a difficult issue to address?
What we think of as a host in a control system environment is a little different in some cases than what we think of as a host in a corporate, IT or enterprise environment. Yes there will be Windows machines and Linux machines to a certain extent, but there are also a lot of assets within these environments. An asset is sort of the control system term for a host that is doing a lot of specialized functions. So you have device controllers. You have what they call PLC or a programmable logic controller. You have remote access controllers. You have pumps, dials, valves, motors and all sorts of individual controls, and meters, and inputs and outputs and all these crazy things.
Depending on what device you are talking about, it can either be very sophisticated, running a modern operating system like Windows or Linux, or it can be a very specialized device that has an embedded operating system.
So there’s two layers of complexity there, but there’s also a factor that’s completely foreign to the corporate IT environment, and that’s a device lifecycle that can be measured in decades rather than one or two years. A device or an asset that gets deployed in a control system can be operational 24/7 by 365 for 10, 20, 30 or more years.
That gives a whole new definition to the term legacy. When we talk about legacy assets in the IT space, usually it’s something over five years. But here you’re talking decades.
Exactly. So you get this dichotomy where you have these legacy devices and you do have new devices as well. Depending on what you’re looking at, the way you secure those can be completely different and have their own challenges.
Is securing a legacy system just a matter of patching these guys? I’ve got to assume that some of these purpose built devices that are 20 plus years old, might not have the patching capabilities or might not even be supported.
You’re absolutely right. They can, and in some cases they aren’t patchable, because the embedded operating system or software is simply not made anymore. The device manufacturer may be out of business. A lot can happen in 20 or 30 years. But even if they are still maintained, patches are difficult to apply in this environment because again, that same reliability that gives us decade life spans, it’s a system that’s running in real time and needs to be operational absolutely all the time, 24/7 by 365. For example, if you’re generating electricity, you can’t just keep taking things offline to apply patches. So if a patch is made, it can still be very difficult to get that patch applied to the production system.
Final question. I’ve got this legacy device that’s providing a very critical 24/7 by 365 task. I need to secure it. It can’t be patched. What are some of the steps that I can take to keep availability going but at the same time reduce my security risk?
There are a couple of things you can do. In some cases, it may be possible to deploy some sort of a compensating use measure. So you may be able to install some sort of a host security control in these environments – and if not host security, maybe something outside of host security which we can talk about later. But security has its own can of worms you’re going to open. For example, antivirus typically has not been very well received in this environment, because the host security control has its own update and patching requirements. So you’re sort of exacerbating the product.
Luckily, there are new ways to secure a host. Application control or application whitelisting is a very popular solution in these environments, specifically because it’s a sort of “set it and forget it” security. You do all of your configurations up front, and once it’s deployed, it runs in isolation. That allows you to protect the system against exploitations that may target a vulnerability that can’t be fixed by a patch.
For our listeners, please be sure to tune in next week to part two of our discussion on host security for SCADA and ICS systems. Eric, thanks again for your time.
Thanks, Brian.
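The application whitelisting approach Eric describes in the interview above can be illustrated with a small script. This is an added example, not code from the interview or from any McAfee product: it models the "set it and forget it" idea by recording a SHA-256 digest for every executable on the asset once, at commissioning, and afterwards allowing a file to run only if its path and its current digest both match that fixed allowlist. The file names, directory layout and byte contents are constructed placeholders, and the allow/deny decision is returned rather than enforced, so the script runs offline on any machine.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(install_dir: Path) -> dict:
    """Run once when the asset is commissioned: map each installed file's
    absolute path to the digest of its known-good contents. After this the
    list is frozen; nothing new is learned at run time."""
    return {
        str(p.resolve()): sha256_file(p)
        for p in install_dir.rglob("*")
        if p.is_file()
    }


def is_allowed(path: Path, allowlist: dict) -> bool:
    """Decide whether a file may execute. Two ways to be denied:
    the path was never on the list, or the path is known but the
    contents no longer match (tampering, or a binary swapped in by
    an exploit of an unpatchable vulnerability)."""
    expected = allowlist.get(str(path.resolve()))
    if expected is None:
        return False
    return sha256_file(path) == expected


def demo() -> dict:
    """Walk through commissioning and three later events on a constructed
    install directory; returns the allow/deny outcome of each check."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "bin"
        app.mkdir()
        hmi = app / "hmi_display"            # constructed placeholder names
        logger = app / "historian_logger"
        hmi.write_bytes(b"constructed placeholder for the HMI binary\n")
        logger.write_bytes(b"constructed placeholder for the historian\n")

        allowlist = build_allowlist(app)     # the one-time configuration step

        results = {"hmi_original": is_allowed(hmi, allowlist)}

        # Event 1: a new executable appears that was never commissioned.
        dropper = app / "update_helper"
        dropper.write_bytes(b"constructed placeholder for an unexpected file\n")
        results["unknown_binary"] = is_allowed(dropper, allowlist)

        # Event 2: a listed executable is overwritten in place.
        logger.write_bytes(b"constructed placeholder, contents changed\n")
        results["modified_logger"] = is_allowed(logger, allowlist)

        # Event 3: an untouched listed executable still runs as before.
        results["hmi_after_changes"] = is_allowed(hmi, allowlist)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The point of keying the list by both path and digest is that no update or signature feed is needed after deployment, which is what makes the approach fit an asset that must stay online for years; the trade-off is that any legitimate change to the installed software requires rebuilding the list deliberately.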
McAfee Reference Architecture: Protecting Fixed Function Devices
The term “fixed function” conjures images of ATMs and digital displays – things that not only perform a single function, but that are often installations designed to remain in a fixed location. Increasing numbers of enterprise and consumer systems are singular in purpose, but many have been integrated into larger mobile systems.
McAfee’s recent report on automobile security highlights some of the security implications of embedded systems within the automobile industry. There is also a critical need to secure and defend similar fixed function systems that pose a threat to business and infrastructure.
Recently, a customer was describing how a dangerous situation arose when a semi-automated forklift in a large warehouse had its on-board system tampered with by the driver. The mechanisms allowed for laser-directed motion to traverse through the warehouse, while the driver controlled the vertical mechanisms to maneuver the pallets of product. It was a case of an employee wanting to customize his machinery, without understanding how the overall software of the fixed function system interacted with the mechanics of the forklift and warehouse. The end result was a very large mess – no human injuries, but a large loss of productivity until everything was sorted out.
In this case, the cost of security coverage for a dozen semi-automated forklifts would have been a lot less expensive than the overall costs of cleanup and disruption in product delivery that this customer experienced. With a small investment, McAfee can help provide safer environments not only for your fixed function systems and information, but ultimately for the employees who rely on those systems. Take a look at McAfee’s reference architecture for more information on how McAfee can help protect fixed function devices with a cost effective and holistic security framework.
Friday Security Highlights: Car Hacking – A Growing Risk
The modern car is no longer simply a way to get around. It has become a complex network of computerized units, from anti-lock brakes to remote starters, self-parking technology and more. Quite literally, the computers are in control, which could have serious consequences down the line if we don’t think ahead about how to secure these embedded systems.
The security implications of these new technologies are extensive, and just now beginning to come to light. At a car dealer in Texas early last year, a disgruntled former employee was handed felony charges for using another employee’s password to gain access to the firm’s GPS system. With it, the man was able to wreak havoc on the firm’s customers, setting off car alarms and disabling vehicles remotely until he was tracked down.
While this example resulted in minimal damage, researchers are increasingly concerned that if manufacturers don’t address these vulnerabilities now, attacks will only continue to increase. It’s only a matter of time before we see criminals exploiting security weaknesses to remotely open car doors, or track vehicles using RFID tags. Remote access starts to get really scary when you think about it on a larger scale – imagine a terrorist group speeding up cars or locking brakes during your daily commute over the Golden Gate Bridge.
Any electronic system is at risk, and automakers and regulators need to address this threat now before it moves too far away from the hypothetical. Security regulations should be set in place for these embedded devices, with standards that combine both hardware and software solutions. For example, isolating a car’s entertainment system from safety-critical devices, preventing someone from inserting a CD that could send a signal to the brakes.
The future is not as far away as we think, and here at McAfee, we are building secure silicon for embedded solutions in an effort to make sure these systems continue to hold consumer confidence. For more information on this topic, check out my video interview with CBS, and be sure to read our whitepaper on emerging risks in automotive system security. We also update our followers regularly on Twitter at @McAfeeBusiness, where you can find the latest in McAfee news and events.
Global Cybersecurity Is Possible But Unlikely For Now
It’s a sobering experience to read the Security and Defense Agenda’s (SDA) just-released report, Cybersecurity: The Vexed Question of Global Rules. The report, sponsored by McAfee, combines interviews with 80 cyber-security experts in government, business, international organizations, and academia with a survey of 250 senior security practitioners, to get a handle on the cybersecurity challenges nations face today and the measures they must take to protect the Internet and its business, government, and other users tomorrow. The report also rates the cybersecurity preparedness of 21 countries, including the United States. The U.S. comes out very well, though behind Israel, Sweden, and Finland.
The conclusion is best summed up in this sentence, “For the moment, the “bad guys” have the upper hand … because the lack of international agreements allows them to operate swiftly and mostly with impunity.” And, the more you read the report, the more you conclude that “for the moment” really means for the foreseeable future.
Global cooperation and information sharing are the keys to managing this threat, according to the report, yet the parade of new technologies such as mobile devices and the cloud, competing interests, and lack of agreement on what that cooperation should look like are huge challenges that won’t be solved any time soon.
First, according to Patrick Pailloux, Director General of the French Network and Information Security Agency (ANSSI), individual users and much of corporate IT are essentially where doctors were before they started washing their hands and sterilizing equipment when it comes to cybersecurity.
Businesses are reluctant to share information for fear of harming customers and damaging their reputations and stock prices. Individuals are not willing to give up any aspect of Internet freedom. Nations have widely disparate perspectives and interests regarding cybersecurity: North American and European Countries aim to preserve privacy and freedom, while countries like Russia and China see that freedom as a threat to their regime stability. Most countries see cooperation as a potential threat to sovereignty. While regulations and accountability are a necessity, the anonymous nature of the Internet makes it almost impossible to prove who is really accountable for a cyberattack, and the need to encourage cooperation makes it a dicey proposition to punish any of the players if they’re perceived to break the rules.
The report also highlights a clash of interests among generations, with the younger generation feeling much less threatened by the loss of privacy than past generations. And finally, there’s a clash of expertise and comfort between tech-savvy users and IT and less tech-savvy politicians who make the laws and attempt to regulate cyberspace.
Protecting the SCADA systems that run critical infrastructure remains a tremendous challenge with very frightening implications. Even Israel, considered perhaps the most advanced country in terms of cybersecurity, confesses that its SCADA systems are still not protected and that “there is still a lot to do.” Many of those interviewed expressed the opinion that genuine cooperation will probably not happen until a cyber version of 911 occurs.
One gets the feeling that all aspects of this issue will require many more years of evolution. As a start the report recommends global trust building through information sharing bodies such as the Common Assurance Maturity Model (CAMM) and the Cloud Security Alliance (CSA). Perhaps another likely scenario for now is one similar to the shunning of money laundering safe havens by the larger global financial participants several years ago, which reduced the number of places where money could be hidden safely. The more cyber responsible nations may have to make life difficult for the nations perceived to be less responsible, a very risky proposition.
McAfee Reference Architecture: Securing Mobile Devices
Without a doubt, the world has embraced mobile. Everyone’s doing it – from consumer and enterprise, to geography, public, private, and business vertical. In addition to the power and portability of smartphones and tablets, they are in most cases always connected, application-ready, and designed to take advantage of extensive web 2.0 resources and cloud components. From a user perspective, this agility has quickly become an indispensable part of our business and personal lives. From an organizational perspective, mobile devices are also attractive, because employees can now work from anywhere with the same or nearly the same levels of access and capabilities. Still, complications arise when organizations attempt to manage all these extra devices, especially when they allow employees to use their personal machines. From procurement and revocation to network connectivity and sensitive data protection, mobility is the newest variable in the ever-growing equation of security.
The McAfee approach to enterprise mobility is multi-layered. To secure mobile devices, the whole device must be secured along with sensitive data. As the variety of mainstream devices increases, IT departments will require a scalable solution where group and user privileges can be centrally governed across disparate platforms, so policy setting and enforcement can be accomplished easily. Having a separate, dedicated solution for each type of mobile solution is simply too complex and expensive, and it lacks unified security management. By linking the device to the user, and then to a unique identifier, accountability can be associated, network and data access can be controlled, and policy setting and management becomes independent of their endpoint device. IT security can say “yes” to user requests for their own mobile solutions while still maintaining a strong security posture. From enterprise mobility management, network access control, and virtual desktop infrastructures to tracking, backing up, and wiping devices, McAfee provides end-to-end solutions that appeal to the IT department and the end user alike.
Take a look at McAfee’s reference architecture for more information on how McAfee can help protect your mobile devices as well as other aspects of your environment with a cost effective and holistic security framework.
Cyber Insurance and Security
I recently read an article in Computerworld that really got me thinking about servers: what they are, what they do and what they hold. Traditionally, the insurance industry has offered risk protection from tangible events – even if they are unpredictable. Hurricane and earthquake insurance are factored by damages and physical loss; but how would cyber insurance be factored? Although we’ve made great strides, we still cannot predict or easily measure the impact of a future data breach. So the question is, how can companies provide any reasonable cyber insurance?
Cyber insurance can account for the physical aspect of a server being lost or stolen, and guess the value of the data that would be lost during a server compromise. But what if a server is unable to perform its job due to cyber incident or vulnerability? Does the insurance consider the loss in productivity that would occur if a compromise affected server performance or availability? And how does this extend to our partners’ datacenters, cloud services and mobile computing capacity?
The fact is, a strong, strategic security policy and holistic security framework can assist in providing visibility and actionable tasks that will have the most impact against the highest risks. In other industries, taking responsible actions to mitigate risk helps companies reduce their premiums, as well as predict the amount of necessary coverage, so they don’t over-extend. It’s too soon to tell, but it will be interesting to see how cyber insurance and security risk management will continue to mature in the next few years.
For more information on this topic, check out my podcast below, and be sure to visit our website to learn more about how the McAfee Security Connected framework can help your business enable centralized, efficient, and effective risk mitigation.