Building an endpoint security arsenal: A multi-layered approach to network security is required to reduce the risk imposed by the proliferation of removable storage devices.

Like any CIO, I always keep security top-of-mind, especially when it comes to protecting sensitive patient information and complying with HIPAA regulations. In recent years, we've seen the influx of inexpensive storage media, from MP3 players and PDAs to USB thumb drives and external hard drives, facilitating the dissemination of information further and further away from the enterprise core. What's more, attackers are writing increasingly complex, customized malicious code designed to compromise a company's proprietary information. These threats are very real, and the recent spate of data thefts and security breaches has created the potential for a huge amount of personal and sensitive data to become compromised. For example, McDonald's Japan was forced to recall more than 10,000 promotional MP3 players after discovering that the devices carried a spyware Trojan. Apple unknowingly shipped video iPods that were loaded with a Windows virus capable of compromising a computer. TomTom revealed that many of the GPS units it shipped in the fourth quarter of 2006 were infected with a virus that could infect a computer if the TomTom unit was connected to the machine. Empire Blue Cross and Blue Shield of New York lost an unencrypted compact disc that contained personal information on 75,000 people. These recent instances of data loss and malware infiltrations pushed my staff to look long and hard at the potentially large number of holes in our existing security nets. Many studies reveal that the most significant security breaches come from insiders--both from malicious and seemingly benign activities. As part of our ongoing efforts to protect against all potential threats, we decided we needed to proactively seek a solution to enforce our policies regarding the use of removable storage media on company PCs, laptops and servers.

Caught Between a Device and a Hard Place

At John C. Lincoln Health Network (JCL), we consider ourselves to be at the forefront of computer security in the healthcare environment.
JCL is a not-for-profit organization based in Phoenix that includes two hospitals, thirteen physician practices and a number of outreach programs. We employ more than 3,000 staff and 1,400 physicians, all of whom are dedicated to providing the highest-quality patient care possible. As the CIO, my role in ensuring quality care also includes maintaining a secure environment for patient data. Yet, in early 2005, we struggled with ways to enforce our IT security policies. While JCL had extensive documentation on proper security usage with regard to removable storage media, my IT staff was unable to effectively enforce these policies. One policy stated that users are not allowed to save anything to a hard drive, but some employee activity stood in direct violation. In one instance, an employee inserted a floppy disk and inadvertently exposed JCL to the Slammer virus--the pandemic worm that used a known buffer overflow in Microsoft's SQL Server database to generate massive amounts of network packets, overloading servers and routers and slowing down network traffic.
While the organization recovered from this incident, portable media continued to cause problems. We were continually performing reactive maintenance. This, combined with frequent news reports of compromised data, forced us to look for methods that would put some weight behind the written word. One of our prime concerns was allowing people to continue to do their jobs in an effective manner while providing the proper security balance. For many years, capital investments at JCL were directed toward ways to improve overall computer operational efficiency and security. Several technologies, including Computrace, e-mail encryption
This manifested itself in the problems we were experiencing with people downloading or uploading from thumb drives, CD-ROMs, burners and floppy disks. Employees were also adding peripheral devices, such as modems, without our knowledge. The modems were bypassing our firewalls and connecting to programs like AOL. We were not sure what was being uploaded or downloaded. We had people loading games, bringing in term papers and using our machines for other non-work related activities. One of the most serious risks we considered was data leakage. Employees can easily lift data from a company's database by using an iPod or a Blackberry. Once the data is on the device, it's vulnerable to data leakage if lost or stolen. However, data leakage is not the only risk. Equally worrying is the idea of "mobile malware"--inadvertently introducing viruses, spyware, Trojans or other forms of malware from a device that spends most of its time hooked up to a far less secure home PC. These concerns made us realize that building a truly effective endpoint security arsenal starts by understanding that the "endpoint" has shifted from the PC to removable storage media. The number of ways users can access sensitive corporate data is continuously increasing, especially with the proliferation of handheld devices. We had to establish defenses accordingly. One of my greatest challenges was not being able to individually inspect the 2,000 machines across our 15 locations.
I could not simply ignore unknown threats to the network that could potentially put the organization at risk of noncompliance with HIPAA privacy laws, which mandate the protection of confidentiality and security of health data through setting and enforcing standards. I began a search for an effective, yet flexible, device management solution to prevent unauthorized user activity. We wanted a process that would allow us to take better control of our peripherals without making it impossible for the people who needed devices to do their jobs, since there are some instances in which some devices are appropriate and add business value. In the same vein, we also wanted to take control of our hard drives.

Creating Sanctuary for Mobile Device Use

JCL considered several options in our investigation of endpoint security methods. The easiest and cheapest solution would have been to disable peripheral and USB access at the BIOS level. This was a clean, straightforward approach, but it would not have achieved our goal of allowing authorized users to accomplish their job. At JCL, as in most facilities, a large number of users may access numerous machines throughout a standard work day. By forcing all machines into the same strict configuration, we would be severely limiting the ability of staff to effectively do their jobs.
In addition, it is not practical to perform a large number of moves and general repairs while trying to keep a specific set of systems open. What we needed was an automated system that could be configured based on an individual's role, not location, and that had a manageable administrator interface to allow easy changes, adds and deletes. After looking at several products, we chose Sanctuary, SecureWave's endpoint security solution, to simplify the device management process and proactively secure our organization from data leakage, malware and other threats posed by the use of removable storage media. We chose Sanctuary for many different reasons. The ability to manage users in a role-based scenario was one of our core requirements, and this product was one of few that allowed that function. By rolling out Sanctuary to all of our desktops, we were able to set policies based on either a user's role or identity. For example, a user could have full thumb drive access, just keyboard access, or access to read from a thumb drive or CD-ROM but not the ability to save anything to the machine from the peripheral. Another key benefit of the SecureWave software is the ability to quickly and easily change a user's configuration and peripheral levels on the fly. With continued growth at our facilities, we were hiring numerous new staff throughout the organization, as well as redefining some existing roles. Sanctuary allows us to use Lightweight Directory Access Protocol (LDAP) as a method to quickly and efficiently add or remove permissions for a unique user, without having to make a technician available to go out and physically touch a machine. In an environment where construction changes were making us move or add users and workstations with very little notice, this was a key success factor in our ability to continue to protect our security levels while maintaining a high level of customer service. Sanctuary also allows us to control the use of approved devices. We require all JCL employees to fill out a "device approval" form if they want to plug any device into their work machines. If anyone tries to use media that has not been sanctioned by the IT staff, the device will be automatically blocked by Sanctuary. If employees can justify a need to use an application or connect a device such as a USB stick to the IT network, I can easily use Sanctuary to grant access rights. Sanctuary allows us to enable access rights at a high level or all the way down to device class, specific device or application, for users, user groups, a particular computer and many more granular parameters. Sanctuary provides us with the control we need while giving users the flexibility to access applications and devices that are required to effectively do their job. Permission settings include read/write, scheduled access, temporary access, online/offline, specific busses, HDD/non-HDD devices and more.
Equally important is Sanctuary's encryption functionality, which encrypts removable media so that it can be safely used and transported, ensuring that sensitive data is not inadvertently exposed to those without authorized access. It seems like every day we hear about another stolen hard drive, laptop or PC that contained sensitive patient data. With Sanctuary, we can enforce policies so that if an authorized piece of removable media with sensitive information is lost or stolen, the data is encrypted. In addition to putting an enforcement technology behind our written policies, the Sanctuary implementation also gave us a much-needed ease of rollout. Though we looked at many products that claimed to offer plug-and-play capabilities, in most instances it was more often plug-and-pray. Numerous registry issues with demo installs and poor technical support in the prepurchase decision phase made us leery of many of the other players in this market. We tested Sanctuary on workstations and laptops with Windows 2000 and XP Professional, as well as on cube thin clients, with no issues, and completed a 2,000-seat deployment without a single hitch. We found an immediate fix to the glaring problem of unauthorized device use, as the entire sales and deployment process wrapped up within two weeks from the first on-site meeting and demonstration.
Only one staff member was required to install and deploy Sanctuary, which installed the first time, and the support was and is to this day top-notch. The install of the client was easily delivered by our software delivery program, and worked with a wide range of O/S and patch levels on our varied systems throughout our network.

Whitelisting: Security's White Knight

Sanctuary operates on a default-deny or "whitelisting" concept. This involves setting a predefined list of devices that are allowed to work on corporate machines while blocking all others by default. The whitelisting concept shelters administrators from the laborious task of maintaining blacklists of all the devices which are to be banned on corporate PCs, laptops and servers. The beauty of the whitelisting approach is that it places control of corporate policy squarely in the hands of the IT administration staff. Only devices authorized as having a viable business use will work on corporate endpoints. This supports company policy, because it gives the IT staff the means to enforce its written list of allowed devices. For example, if a policy excluded iPods from use on company computers, the IT administrator would simply exclude iPods from the whitelist and they would not work on corporate endpoints. There is also minimal administrative overhead associated with Sanctuary and whitelisting. We spent minimal time creating the list of authorized devices and even less time updating it. Sanctuary provides a prepopulated whitelist that identifies every type of removable media, so there is not much custom definition that needs to be done.
In turn, I have the guarantee that virus-laden iPods or other devices will not impair the organization because they will never succeed in connecting to the network if plugged in to any of our 2,000 workstations. On average, we save about 10 hours each week due to a substantial decrease in the number of work orders for troubleshooting related to device dilemmas. Because the whitelisting approach is so effective for enforcing device-use policy, we elected to purchase additional components. Sanctuary Application Control allows us to add a layer of protection that prevents people from installing software without IT involvement. This reduces the risk of software conflicts and assists with software license compliance. Additionally, Sanctuary is an exceptional first line of defense to battle viruses, Trojans, spyware and all other forms of malware. It allows us to create a whitelist of allowed executables, and all others are denied by default--including all unauthorized programs, unwanted software and all forms of malicious code. Whitelisting applications is far more efficient than the traditional blacklisting approach used by anti-virus, antispyware and similar solutions. These types of technologies require the constant updating of a blacklist of known threats that should remain barricaded outside the network. Many companies take the same approach to device use, denying access to unauthorized devices. However, the problem is that malicious code today is so complex and targeted that maintaining an accurate blacklist is next to impossible.
Sanctuary's unified console allows JCL to centrally manage and monitor both device and application control across the organization. Sanctuary provides a single, seamless view of everything accessing or attempting to access the network through corporate endpoints from a device and application perspective, providing a level of visibility into the network that was not previously possible.

A Layered Approach to IT Security

In order to complement Sanctuary, JCL also has undergone many initiatives to increase our overall security stance. One of the larger deployments involved replacing traditional workstations, primarily in clinical areas, with PC blade technology. This architecture enabled JCL's IT staff to give the user the same GUI experience, while reducing the possibility of confidential data inadvertently being stored on a hard drive that was accessible to anyone with access to the PC. By having a thin client device connect back via Remote Desktop Protocol (RDP) to a secure PC blade located in JCL's server room, not only are we able to reduce the threat of data being stored locally, we dramatically reduce overall downtime for our 24/7 clinical areas. By removing elements such as heating, cooling and power spikes, users are no longer forced to wait for repair when their PCs crash. Now, with a simple mouse click, we can redirect any end user to a new blade so they can continue working with minimal downtime. We also installed several Darknet systems to increase the physical and electronic security of JCL's systems. With the number of phishing attacks that occur on a daily basis increasing, our three Darknet systems not only protect us from outside incursions, but also have the added ability of tracking an infected PC back to the desktop location. They have proven invaluable in black-holing numerous bogus sites, including financial institutions that have sent messages to our end user population asking for verification of one confidential detail or another. Again, though policies exist and education is conducted on these types of corrupt sites, the ability to add automation to a written policy has saved our network from numerous attempts at malicious penetration.

The Winning Combination: User Education and Policy Enforcement

The systems and guidelines for JCL are always changing in an effort to stay one step ahead of the bad guys. With an ever-increasing drive to establish electronic systems for everything from A to Z, the reliance on these systems to provide accurate, safe and secure information grows exponentially.
With ever-increasing pressure to make exceptions to the rule for one person or program, it becomes harder and harder to protect our electronic boundaries and information. A CIO must always balance good security procedures with the needs of a particular organization. However, as more data is forced into the electronic age, at what point does convenience have to be overshadowed by security? As such, we strive to make IT as invisible to our employees as possible. This dilemma revealed itself when we rolled out the SecureWave software. We were surprised at just how many devices were out there. We found devices we did not even know about. Organizations often have hundreds of IT policies, and many times employees unintentionally violate them, so we need Sanctuary to audit the network and evaluate all device activity. Sanctuary's bi-directional I/O shadowing tracks information as it is read from or written to a floppy, CD/DVD or removable device, and provides a comprehensive audit log of every event, whether allowed or merely attempted, including those by unauthorized code, and of all writes to removable media and specific ports. Optionally, a full copy of the data written to or from a device can be captured and retained as well. As incidents of mobile malware and device theft make headlines in growing numbers, JCL will continue to utilize Sanctuary to proactively enforce its device usage policies. We will also regulate application use with Sanctuary and thus proactively avoid problems of malware, spyware, key-loggers, Trojans, rootkits, worms and viruses. Not only is the audit log invaluable in measuring and enforcing policy compliance, it also bundles the information we need as proof of HIPAA compliance. Any organization without policy enforcement in place is treading on thin ice.
If you assume policies and procedures are enough, there are going to be a lot of "I told you so" moments. Policies are important, but if you have a choice between a policy and a technology such as Sanctuary that enforces a policy, the safe bet is to go with the technology, because people are human and will make mistakes. With Sanctuary, we do not have to worry about patient data being exposed. As long as end users know what the IT department is doing and why, they are usually more than willing to help out. While it should be the duty of every user to protect the company's assets, the CIO and their IT departments ultimately will be held responsible for any breach of confidentiality or data. By proactively taking steps to address device and application control, organizations can ensure that they are protected from data leakage while still enabling employees to use the gadgets and programs they need to perform their regular job functions. The most effective approaches to addressing these challenges involve multiple steps that help companies thoroughly understand what applications and removable storage media are needed and by whom.

Robert L. Israel is chief information officer for John C. Lincoln Health Network in Phoenix. Contact him at Rob.Israel@jcl.com.