Ask Slashdot: Dealing With Unwanted But Official Security Probes?
An anonymous reader writes "I manage a few computers for an independent private medical practice connected to a hospital network. Recently I discovered repeated attempts to access these computers. After adjusting the firewall to drop connections from the attacking computers, I reported the presumed hacker IP to hospital IT. I was told that the activity was conducted by the hospital corporation for security purposes. The activity continues. It has included attempted fuzzing of a web server, buffer overrun attacks, attempts to access a protected database, attempts to get the password file, etc. The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?"
They do know about HIPAA penalties for leaking data, right?
You can always run denyhosts, block any IP that attacks you, but it sounds like these guys are on your side, doing penetration testing.
If they are not, block the addresses. If they are local staff, call the IT dept. and talk to them, don't post to /.
Unless you are incompetent, you have nothing to worry about. Just ignore them.
Speak with someone at the managerial level and go find the agreement/piece of paper that states said hospital corporation has the right to perform security audits against your customer's network. Until that does or does not materialize, take no action past what you're already doing in the name of good security.
Have a lawyer write a letter to the hospital director, explaining how it's against the law in the US to attempt to hack into another company's network, saying, "Of course you'd want to know about this to avoid civil or criminal action."
...and trace their IP address.
What you seem to be dealing with is someone who's incompetent, because the attacks are not only totally ineffective but high profile as well. I suggest you trace back the IP address, do some digging, and come up with a name.
And then do something innocent like editing that person's host file so all his attacks and scans are redirected to 127.0.0.1. I have found when dealing with corporate stupidity that going through official channels will get you nowhere. You need to make a statement, but it needs to be about as harmful as dropping a dummy bomb 50 miles from the border of an upstart country that thinks it's being cool. I'm sure you can come up with other things to do to this person to get the message across that your systems need to be left alone.
Find out the official procedure of the hospital involving IT matters, your country's laws surrounding medical data (doctors as well as patients).
Build up a social network with the hospital IT staff.
etc....
Really?
Put up an interactive honeypot and see.
These sorts of probes occur on the Internet by less-than-friendly attackers all the time, and there's usually nothing that the legal system can do about it. If your machines are vulnerable, sooner or later, you'll get hacked anyway. You might as well treat this as a free security audit.
Unless there are contractual terms which allow the hospital to pentest the independent medical practice, the hospital IT staff are probably violating the law. Get your legal counsel involved ASAP and let the lawyer deal with it.
Seriously.
What does the contract between the two firms say? Are they causing you harm? Are you just being uppity about log entries?
The obvious answer to your question is that if you want to continue the relationship with the hospital, you will shut the fuck up and be happy they continue to outsource things to your firm.
It's possible that they are doing something 'wrong', for various definitions of wrong, but the fact that you asked the question here, the way you phrased the question, and the information (or lack of) that you provided lets me know that you don't actually know if what they are doing is even wrong.
I would advise the doctors to seek outside counsel from a qualified IT professional who can manage their network appropriately for the needs of medical facilities. Hell, you haven't even clarified if what they are doing is testing your HIPAA data security requirements or something other, which means you probably haven't even considered how HIPAA plays into this.
Just because you can run a Linux box and configure iptables doesn't make you qualified to do IT everywhere.
So far you appear to have passed the tests. Upgrade your vigilance; your doctors' association with the hospital may hinge on your network security. Do not complain, they are looking for something you have overlooked that could open up to the exposure of confidential records. Ask your doctors for increased funding and a pay raise.
You've told them that they don't have authorization to access your computers, and are (or would be) in violation of the law if they succeed?
You've asked for a meeting with their security people so that you can jointly plan to do whatever is needed?
You're reasonably comfortable that you indeed run a tight ship?
You've configured your firewall to drop their packets?
Unless this is over a WAN link, you are smoking way better dope than me if you think a crime is being committed here. If your clients are connecting to the internet through the hospital's LAN and utilizing their infrastructure, they can do whatever they want on a network they administer. Solution: have your clients order their own circuit from a carrier and throw up their own routers/switches.
In the meantime, you want to talk to the crew that's doing the intrusion testing and make sure that they'll be keeping anything they find confidential, and that you'll get the results of the work that they're doing. What they're doing is annoying, but it's better to have it done by friendlies than to have someone truly hostile find some day-0s that they can use against you (presuming that you're willing to close any holes that they find).
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Sounds like you need to demand more information from them. Even if they have commissioned an intrusion test, what if their commissioned team hadn't even started yet? You have no proof it is them.
Also, you may have a relationship with them, but it seems you/your company/your IT heads did not sanction pen testing of your network. They are breaking the law, you not reporting it is being kind, but they need to offer you far more information so you can be assured it's not actually a black hat operation in disguise.
If your computers are directly attached to the hospital's property/network then they can do as they wish. There is no place for law enforcement in the matter and it is probable that your company signed an agreement that authorized this prior to you attaching to the network. If you don't like it, and politely asking them to stop has not worked, then you can remove your equipment from their property or STFU.
That being said, having a firewall and configuring it as you have claimed should have completely eliminated their ability to reach your computers at all. If they are still probing your ports, you have failed to do your job properly. The same would be true if you were outside the hospital and had the entire global internet probing your ports.
Speculation: The scanning is probably an automated system that constantly tests all hospital network resources. From the sound of it, they're running Nessus or something very much like it. Presuming that they report to you any found weaknesses, they're doing you a favor by providing a penetration testing service and saving you lots of money.
This speculation should be confirmed rather than simply assuming that they will act in your interest.
I've been on both sides of such security probes, professionally. A legitimate organization will be willing to identify itself and name the most obvious penetration test vectors, because they will show up in the logs of someone competent. It's also especially interesting to conduct a penetration a month _before_ any announced test, and a month or two _after_, to see what has actually been changed.
But as the target of a penetration test, you should be _encouraged_ to report the attempts to the upstream provider or administration, and you should be notified of the test results. You don't indicate if you've spoken to anyone in hospital IT who has any actual authority or responsibility: a simple letter, _preferably on real paper with a real name of someone who can verify the letter_, identifying that such tests occur and where you can report them, can help protect you, and the hospital, from liability for other attacks that go unnoticed while the penetration test occurs.
I also urge you to review the regulations or laws on confidentiality of patient data. Penetration against secure data where the recovered data is not handled safely can be illegal, and a careful talk with the hospital's legal counsel can help set some guidelines. And this is just the situation where a paper trail, _on paper and kept offsite_, can protect you and your group from lawsuit or from a manager who tries to shift blame. This is especially true when the penetration succeeds, and a mid level manager uses it as ammunition to replace IT staff with a different "big vision" of how security works, even when the IT staff were prohibited by that manager from taking effective steps against the very vulnerabilities used by the penetration test. (I've seen this several times.)
You say that you are "connected to" the network but you don't say what this relationship actually is. If you are hosted by the hospital (i.e. actually part of their network), then they may have an information security department who is checking all the hosts that are on their network. This may or may not be part of the contract, either as a service provided or something that is required by the contract or hosting arrangement.
If you are not actually part of their network or hosted by them, there may still be something in the contracts that says that they can do this sort of penetration testing with partner companies. It isn't the best idea to accept this as a contract term, but I have seen it requested before and it may have been in there with nobody to notice it.
I would say that whoever handles the arrangement with the hospital should probably talk with their counterpart on the hospital's side about this and learn more about why it is happening and what is done with the information.
With respect to the various posts that have/will happen about HIPAA, I would say that it's totally possible (and desirable) to have a proactive information security policy that can still comply with regulations. Proactive penetration testing is not prohibited.
Is it actively causing trouble? Or do you just notice it?
If it's not DOSing you, I'd just ignore it.
Hideki!
It appears you're unfamiliar with a common practice: regularly scanning and auditing computers on your internal network to catch compromised hosts.
Since they are doing part of your job for you, send them a nice Thank You card for helping you out.
The funny thing is that when law makers create a sack of new laws they never consider the effects. We have had people nailed to the cross for rather innocent computer activity. So why not make a point. Any laws that apply to individuals should also apply to large organizations. Sue them into the weeds. If your employer will not, then try suing them yourself. They are making your life a living hell as you are forced to keep ahead of their hacking to keep your job. What suits the goose should certainly suit the gander. With a bit of luck you might be able to retire from the proceeds of the suits. Make no mistake. They would have you for lunch if you hacked them.
"The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?"
Drop the issue, and secure their network, so the hospital, or anyone else outside their practice's internal LAN is not capable of probing or making unapproved connections; insert an IDS, and ensure offending IP addresses are blocked from access.
I read a lot of comments from people that may not understand what could occur. Make a lot of noise and use that noise to cover actual penetration. Start looking in the logs for something not related to that noise.
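As an added example of the triage this comment describes (not code from any poster in this thread): a small Python script that tags each log line by source address, separates the declared scanner range from everything else, and counts the remaining sources so unrelated events stand out. The log lines, the scanner range (203.0.113.0/28, a TEST-NET range) and the two field formats are constructed for illustration.

```python
"""Separate the 'noise' of a declared security scan from everything else.

Idea from the thread: once the hospital tells you which addresses it scans
from, filter those out and read what is left, because an announced test is
exactly the cover an unrelated intruder would want.
"""
import ipaddress
import re
from collections import Counter

# Addresses the tester has (hypothetically) declared as its scanning hosts.
# Constructed value; replace with the range hospital IT actually gives you.
DECLARED_SCANNERS = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed syslog-style sample: netfilter DROP lines plus sshd lines.
SAMPLE_LOG = """\
Mar 11 02:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.20 PROTO=TCP DPT=443
Mar 11 02:14:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.20 PROTO=TCP DPT=1433
Mar 11 02:14:05 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.21 PROTO=TCP DPT=22
Mar 11 02:15:30 db sshd[811]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar 11 02:15:33 db sshd[811]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar 11 02:16:10 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.20 PROTO=TCP DPT=8080
Mar 11 02:17:42 web sshd[902]: Accepted publickey for backup from 10.0.0.5 port 40110 ssh2
"""

# Two ways a source address shows up: netfilter's SRC= field, sshd's "from <ip> port".
SRC_RE = re.compile(r"SRC=(\S+)")
FROM_RE = re.compile(r" from (\S+) port \d+")


def source_ip(line):
    """Return the source address string of a log line, or None if none is found."""
    m = SRC_RE.search(line) or FROM_RE.search(line)
    return m.group(1) if m else None


def is_declared_scanner(ip_str, scanners=DECLARED_SCANNERS):
    """True if ip_str falls inside one of the declared scanner networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in scanners)


def triage(log_text, scanners=DECLARED_SCANNERS):
    """Split log lines into three buckets and count the non-scanner sources.

    'declared' - from addresses the tester told us about (expected noise)
    'other'    - from anything else; this is the part that still needs reading
    'unparsed' - lines where no source address could be extracted
    Returns (buckets, Counter of source addresses in the 'other' bucket).
    """
    buckets = {"declared": [], "other": [], "unparsed": []}
    for line in log_text.splitlines():
        ip = source_ip(line)
        if ip is None:
            buckets["unparsed"].append(line)
        elif is_declared_scanner(ip, scanners):
            buckets["declared"].append(line)
        else:
            buckets["other"].append(line)
    others = Counter(source_ip(line) for line in buckets["other"])
    return buckets, others


if __name__ == "__main__":
    buckets, others = triage(SAMPLE_LOG)
    print(f"{len(buckets['declared'])} lines from declared scanners (expected noise)")
    print(f"{len(buckets['other'])} lines from other sources, by address:")
    for ip, n in others.most_common():
        print(f"  {ip}: {n} event(s)")
    if buckets["unparsed"]:
        print(f"{len(buckets['unparsed'])} lines with no recognisable source field")
```

On the sample, the four DROP lines from the declared range fall away and the repeated failed root logins from 198.51.100.23 are what is left to investigate.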
Our ITers are doing the same thing; they claim HIPAA regulations require them to. Although I suspect they're a bit overzealous, it's really not worth getting into trouble with them over this. The same thing probably goes for you; they can argue your presence on their network automatically makes you subject to the same checks (which I believe is actually true). The only thing you can do is make sure that all your services are secure and up-to-date and that everyone with access to your computers has taken basic security training (how to create and maintain safe passwords, how to identify phishing e-mails,...). That and installing fail2ban (or something like that) and blacklisting the IP address(es) they use for scanning. Although the latter could be interpreted as bypassing "necessary" safety checks, you can just claim ignorance: "oh, I thought that was a compromised machine, and knowing how important security is, I dutifully blacklisted it." If the attacking machine is on the hospital network, don't forget to drily report it as "probably compromised" at the time of blacklisting, else pleading ignorance does not sound realistic. They'll probably answer "don't worry, we're testing", but that doesn't mean "lower your shields, we're testing"; the latter would be pretty weird. It's up to them to change IP address if they want to play cat-and-mouse.
Here's hoping our ITers aren't reading this ;)
In principle, penetration testing is a useful service. However, they need to keep you informed, because if they don't, you can't distinguish an actual attack from their penetration testing. There also need to be clear procedures spelled out for what they do if they succeed and what the consequences are.
If there is no contractual basis for them to do this, they are likely breaking the law.
He had enough clue to figure out the hospital corporation was attempting to hack his system, and even did something to protect himself. That's more than most 'qualified IT professionals' can handle in their lifetime.
Just because you can boot Windows and hold a Windows Certified Administrator certificate in your hand doesn't make you qualified to do IT anywhere.
Handle it just as you would a real external attack. If the "attack" continues, ramp up the defenses. Report everything to the hospital's IT Security people, just like you would, presumably, in the case of a real situation.
Consider this: if they can access your data, theoretically anyone can. However, if they can access your data, you're also liable for HIPAA law violations. This is akin to having legal guns pointed at you already. Also, consider that white hat penetration testers _do_ use black hat tools such as Metasploit.
I would highly suggest covering your ass while allowing them to do their job. Consider a legal agreement where penetration testing itself is allowed (especially to prevent future problems), but patient data copying is NOT allowed, with the same caliber of penalties as HIPAA law. Due to the fact that the stakes are high, and you know who the attacker is, it's also due diligence to make sure that audits (for both security hole disclosure and patient data) are done on them. Yes, this is ahead of the government law, but it's the Right Thing to do, and the law will catch up with technology. If possible, incentivize the proper disclosure of findings.
Also, to further cover your ass, consider a limited disclosure agreement of findings. This would allow the penetration testers to say "we found X problem in Y% of these computers, and Z% have been addressed" - which is good for the penetration testers. Word it such that you want to promote openness of the process - not opaqueness, with a high regard for security.
I am not a Lawyer. Patient records are Intellectual Property. I would suggest you get the counsel of an Intellectual Property lawyer (or team of lawyers). Criteria for this include:
Familiarity with the hospital, the hospital HR policies, and the data sharing process used by the hospital.
Familiarity with Intellectual Property sharing agreements, including auditing and enforcement.
Yes, this costs a little bit of money to do. No, it doesn't have to be sunk cost, especially if you can convince the lawyer that it's pretty much an open market here. If this is the lawyer's first time with this issue, the experience gained in doing this pro bono is more important than the time.
If your clients are connecting to the hospital network they most probably agreed to this as part of those terms of service. Blocking the attacking IP's most probably violates those terms as well.
Even if it's not baked into the TOS, HIPPA pretty much requires this sort of thing; 164.312 covers a lot of it. The specific policy is up to the hospital, pretty much letting hospital policy override other local laws if they conflict.
Have fun calling the cops; it will probably get them laughed at and their contracts terminated, as they do not understand and thus are not following HIPPA requirements. Your best next step is to get a HIPPA auditor to go over their setup, as the only way they do not fall under HIPPA is if they are on the other side of the firewall and never access any patient data, which is pretty doubtful if they do more than play minesweeper on them.
No sir, I don't like it.
Do what you can to put yourself in charge of the situation by scheduling them, and collecting, reacting to and reporting the results of the scans. Regular penetration testing is a good thing, and you're getting it for free. And like someone else said, try getting acquainted with the Hospital Corp. IT folks who are doing this. They probably have a schedule and a strategy with what they test, and you can too.
Make hay.
Put up a honeypot. Wait a while, then laugh.
First, as far as the network goes, treat it the same way you would treat any attack. Block IPs, add filters, whatever you normally do. If they are simulating an attack, you should simulate a defense.
Second, the human response. Make sure that this is actually an authorized security test. Tell them that if you cannot get confirmation that this is an authorized attack, you will have to treat it as an unauthorized one, which means contacting law enforcement, as per standard protocols for dealing with health information. This is "cover your ass" stuff here - if it actually isn't authorized, and you get hacked, you're likely to take the blame for it. And if it is authorized, well, you look like you're doing your job by detecting and responding to the threat.
Unless they have written permission, they are violating the law by probing these systems. Not only that, but they are actively trying to do something that might crash vital infrastructure and possibly injure or kill patients. Probing equipment inside a hospital without very specific knowledge of what is what and very explicit permissions and waivers is asking for very expensive lawsuits and (insurance) claims. Tell them to stop scanning your life support systems since they crash all the time when they do so. Maybe then they'll figure out that scanning every IP they can reach might not be a very smart idea....
I was promised a flying car. Where is my flying car?
However you feel about the OP, let's all agree that the people quoting HIPPA regulations in the replies are idiots. It's HIPAA. Not HIPPA or HIPA or HIPPO. In a field where a single letter makes one hell of a difference (SMP or SNMP? DNS or DSN? NTP or NNTP), if you're going to give legal advice, you could at least cite the NAME OF THE FUCKING LAW correctly.
Legally they should have informed you of their intention and gained permission before they started conducting testing...
Aside from that, they are wanting to ensure that those they do business with are doing their due diligence and not doing anything stupid that would leak their data out to the world. So long as your systems are appropriately configured the attacks will amount to nothing, and it's likely you receive similar attacks from random hosts on a daily basis anyway.
About 10 years ago I worked in IT for a University; we had many PCs in research rooms connected to a hospital network. It was pretty common knowledge that the Hospital network was filthy and poorly maintained.
And do what it tells you; if it does not, talk to your manager.
There seems to be a divide in how to interpret this article.
1) A third of the responses seem to conclude that these are friends and any and all attacks are simply a standard IT security test.
2) The other third seem to interpret this article as, these are separate, but connected, companies. Where one is actually trying to hack into some small time competition.
3) Then there's the few others that inexplicably seem to be saying "So What".
4) Hack them back.
The article clearly points out that these are separate companies. Even if these are just security tests it is highly illegal and if they are ever successful even more so (and letting their patient data be compromised opens up the hacked company to legal issues as well). Since when has it taken an incompetent IT manager to allow hacking to be successful? Any system can be compromised, and not caring about the security of the data that you were hired to protect is insane.
So I really don't understand where #1 is coming from at all. As for #3, these people should not be allowed on /.
As for #4, I hope you are all joking. This is, theoretically, a legal law abiding institution and no IT person should be engaging in illegal activities on the job, using the company's equipment, if he values his job.
Troll is not a replacement for I disagree.
Do I get this right? You are working for company A, but company B, with whom you have some kind of relationship, but are not a part of, tests your security?
First, make sure you have EVERYTHING in writing. At the very least as emails, but paper would be better. Make sure that everything you inform your IT superiors of is documented, and make sure every order you get from them is documented as well. Else selective amnesia might set in when the shit hits the fan. Tell your doctors to get in touch with the hospital CIO/CISO (or whoever is directing the tests), and make sure that they inform them that they want to cooperate to make sure the test makes sense. Else, what would you logically do? Right. Block the offending IP(s) until the storm is over. That's not really in the interest of the auditor either, since it's trivial to make something "secure" when I don't allow access to it by default and have every kind of access die at the front door (even though others might be allowed further in).
Personally I think it's highly unusual to conduct a pen test "against" a cooperating company. At the very least you should be informed that this has to happen (likely due to HIPAA or similar regulations), else the auditors are on VERY thin (juridical) ice. Essentially, they are conducting a hostile attack.
Tell your docs what the auditors do here is pretty much like performing an operation without the patient's consent; they'll immediately get that. It may be in the patient's interest, but cutting him open without immediate lethal danger and without consent is STILL a big no-no.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Then send them to this link: http://www.youtube.com/watch?feature=player_detailpage&v=Tj-KS2kfIr0
You need to make a statement, but it needs to be about as harmful as dropping a dummy bomb 50 miles from the border of an upstart country that thinks its being cool. I'm sure you can come up with other things to do to this person to get the message across that your systems need to be left alone.
Well that certainly leaves out redirects to Goatse.cx.
If this is official, then it's official. If you don't like it, change jobs (or change jobs and report it if illegal).
If it's official and you don't like it, then grow up and learn to communicate with people. The organisation is bigger than your personal view point.
Set up a honeypot. If you see crap coming from that IP send it against a server that has a front that looks like yours but has nothing in it and nothing to do. That way they might tie up some bandwidth but they will waste the capacity of one useless server. You could probably set up the server on some old pile of junk seeing that nobody will actually care about its performance or reliability.
Also put the server in a bit of a DMZ so that if they do compromise it they can't get any further. If you want to keep it extra interesting set up a few VMs on the machine with different OSs: one Linux, one BSD, one MS server, and if you are looking for a laugh something like QNX. The best part is if they ever cobble together some kind of report about how insecure you are you can point out that the "BSD" system they found is for the sole benefit of crappy hackers. For that purpose your honeypot should not be the same OS as your real servers; that way if their report makes no mention of your real OS you can say "I am 100% sure you didn't penetrate a real machine as we use OS X which you don't list in your report."
Keep in mind you won't be judged by technical people but by non-technical people. So if these security types ever make an accusation making them look like simpletons is a great defense.
If Hospital IT speak the truth then you have a game on your hands. Win it.
I can't believe no one else here has mentioned this. Clarify if the medical practice you are working for is subject to the IT policies of the hospital they are affiliated with. If your computers are on the hospital's network, chances are you are subject to their policies since they own the network and are responsible for its security.
If you are not subject to their IT policies, then just block them at your firewall and be done with it.
No need to go full retard and involve law enforcement or the hospital's upper management.
You might want to check the small print in whatever contract the independent practice has with the hospital. There's a chance hospital IT has hired a security firm to do a security assessment of their network, and that would include you in the scope as well.
Even if you aren't necessarily *in* the scope of the assessment, you are an attack vector into the hospital's own network and as such you will probably be probed and poked at.
Step 1 would be to ask hospital IT for the paperwork on the security assessment and see what's in scope and what's not, and if you aren't in scope, a firm statement to the effect of "get the f*ck out of my machines" would hopefully do the trick.
Following it up with some better agreements on who notifies who when things like this go down would also be a good step.
If hospital IT stays unresponsive involve law enforcement.
Same place as 3rd party vendors in medical places. Lots of them are on their own but they need to be on the hospital network, or they may just be stand alone systems that mainly do not go online but may have been hooked up to the network by someone.
Also some of them can't even run AV or use Windows updates and at times are stuck on XP and/or IE6.
It may be an IT contracting firm running the place and they may be scanning for holes.
Also it may be: scan, find a hole, and then cut off the systems they find and say that to get on the network you must let us take over your systems and pay our rates for it.
The key term here is this " connected to a hospital network." If you are connected to the network which is conducting the scans they have every right to police their network as they see fit. Their network; their rules.
I don't think they have their house in order. What if they knock something over? They are testing your live environment without first notifying you? Sure, I guess there may be reasons for that, but I'm a betting man and I'm betting clowns.
As mentioned above, seek out the agreement saying they can do this testing. If your IT manager hasn't seen it then these people are a shambles riding roughshod. The agreement is the basis of all your responses. If it's there, work with them and make sure they don't break anything.
Then bust into their office to see the two of them frantically typing on the same keyboard. At some point their boss will walk in and unplug their monitor, disabling your attack, but at least you'll have a good laugh about it!
Well done for (as you hope) keeping out 'the bad guys'. Now exactly who are these 'bad guys'? If they wear a badge saying 'security' does that make them good guys? No of course not. You NEED to see the chain of authorisation up to a board-level signature. (Not for your own security but theirs.) OK, so some security work is done unannounced, but if it's all unannounced that sounds suspicious. If the attackers really are properly authorised good guys then get a 'certificate' from them that shows you 'passed'. This might be important evidence if things went pear-shaped later and is a nice thing to have on your CV.
You know, there was some security firm that told them there was no good UPS, and if someone turned this switch **CLICK**
Their main IT was down for 2 days... and that firm was fired and got held responsible for the damages (I don't know if it stuck). Damaging someone's systems is never a good test, and will result in costs that someone has to pay.
Analogy police alert.... If someone cuts your fences to prove the security after that is not tight, they will have to pay for the repair of the fence. Not for the higher wall, but they will have to cough up the effort it takes to repair the old one.
And make friends. Tell them what you are seeing and express your concern for live confidential data being exposed and ask if they are seeing similar probes on their side. See what they say. Maybe they say "oh, that is just us" and you have one response. Or maybe they say "we are seeing that too, but we have been told it is some contractor we hired to do penetration testing." Then you have another response. Or maybe they don't know a thing, in which case you report what you are seeing up your channels and across to their senior IT guys.
But first start by making friends.
If they want to hire someone to attack their own systems who the fuck are you to whine about it? It seems to me if I were paying someone to pen test my shit the last person I would tell about it is the IT dept... it might actually cause them to do their job for a change instead of fucking off on slashdot.
There is no reason they can't give you a list of any IP addresses used to pen test your network. As long as you don't block those addresses, that would make absolutely no difference in their security audits, PLUS you would know who it was and avoid panic.
In my opinion, their failure to do so was rather unprofessional.
Is the hospital allowed to access records without a release based on HIPPA regulations since it is an independent practice? If not, then report them to the police. Apologize to the hospital, but explain, you have NO CHOICE. HIPPA is not something to mess with, and it doesn't matter who is trying to access the records, it IS a crime if accessing this data is not permitted. Remember the guys that got sent away for accessing the public data for AT&T? Yea... That but worse. Based on the fact that they were sentenced, even if they gained no data, the attempt itself was the crime. Failure to report a crime is a crime itself: http://www.law.cornell.edu/uscode/search/display.html?terms=misprision&url=/uscode/html/uscode18/usc_sec_18_00000004----000-.html. Report it. If they gain access to records, and then data from it leaks out, say because someone notable was a patient, then it will be on YOU. If the local police decide not to follow up, it is NOT on you.
I work in IT in a hospital. The day I "just decided" to do things like that to somewhere else would be the one before the day when I started trying to find out about unemployment benefits.
This will not be actual workers doing this by choice. It will be caused by someone whose job activities do not actually include IT. Their main job functions will be attending planning meetings and wearing a suit.
The thing to do would be to meet up with the people who actually do the work there. You should be doing this on occasion anyway. The first meeting will doubtless have the boss there as well, but as soon as you start talking about IT, they will lose interest and find reasons not to be at future meetings. They don't like their underlings being reminded that the boss knows less about IT than the average 12 year old.
They will probably have to continue with some sort of "tests" because that is what the arts major at the top has decreed. You should be able to find out what is going on though. You never know, you might even find ways to make your systems more secure!
I'll see your Constitution and raise you a Queen.
It seems to me these "attacks" are being conducted in good faith, as a security test. I think this is good practice and it should be commonplace.
They are authorized to do those attempts.
Law enforcement CAN'T do anything about it.
Having said that: I do think it would have been more professional to at least have informed them that security audits would be carried out, and not to worry about apparent attacks coming from IP addresses X, Y, and Z. As long as they did not pre-block those addresses, that would not affect any of the security audits in the slightest, and would ease any anxiety on the part of these people.
The testing/auditing is not necessarily only to evaluate the network, evaluating the admin/security team may also be part of the plan. In other words part of the test may be to verify that these folks get worried in a reasonably short amount of time and take appropriate actions.
Policies and Procedures exist for a reason. I support this and will always try to work within 'the system', whatever that may be. If you find 'the system' isn't working. Take the steps necessary to improve it, and carry on. Wash rinse repeat.
To that end, my recommendation is to have the doctors get involved. Absolutely, beef up their security, have good intrusion detection, prevention and reporting. Get security to advise the doctors ahead of time about the planned 'attack', and report back the findings. Be the blue team defending, let them be the red team. Make sure you've done your job right.
I would consider this to be no different than regularly restoring your backup data. You do that right?
If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?
You shouldn't know,and you're supposed to treat them like the bad guys.
How do you know that their machines haven't been hacked, and that ALL of the penetration attempts are actually tests?
If you talked to them on a phone rather than face-to-face at THEIR office (or even then), how do you know the person you talked to is actually a security guy or I.T. administrator at the hospital and not a freelance cracker, identity thief, spy, or even an assassin going after a patient? If somebody cracked, say, a VoIP phone system, they could intercept your complaints and tell you it was standard operating procedure and to ignore such attacks.
Even if they are what they claim to be and ALL the attacks are from them, by telling you it's just a test and that you should ignore it, and by continuing to "test" you, they've just TOLD YOU TO IGNORE ATTACKS. If you do, you FAIL.
IMHO (IANAL) you MUST attempt to halt the attacks and treat them as real or you are in violation of HIPAA.
This!
+10!
You are serious? A memo to their CIO, Security Officer and HIPAA officer stating what you have seen, and continue to see, and asking them if they are aware, and authorized that traffic.
I once worked on a team doing such internal audits. After a YEAR we finally had our network looking pretty tight from the disaster it had been - this was a very large network. One day someone asked me to take a look at a WEB app they had created to demonstrate something for me - I couldn't reach the address. Neither could anyone else on my team. I asked friends via IM elsewhere on the network if they could reach the IP and they could. Suspicious, I told my boss about it and he confirmed the blockage by attempting access via RDP from a machine we kept remotely on the network - he was able to access it. Suspicions confirmed, he twiddled a few things and moved our DHCP IP range to a completely different set of addresses and instructed our team to go to work. We found quite a bit wrong with the network space behind that router! When the network team responsible for that router was drilled they claimed no knowledge of the filtering rule that had been blocking our IP space, and no documentation of its creation existed despite strict rules about such things.
What you're advocating is akin to stripping off street signs and house numbers so that the fire and police depts can't find your home when soliciting for donations. This has the additional side effect of also making sure they cannot find your home should a fire or robbery occur and is stupidity to say the least!
Yes, security scans like this can be bothersome. They can even crash machines and applications that aren't coded properly, and if you've not locked all your doors and sealed the windows someone might crawl in. My all-time favorite was a NAS that would corrupt multi-TB worth of data every time we scanned it - the vendor's response was to tell us to stop scanning it. Ours was to replace the fucking vendor! Stopping these scans by something as stupid as blocking the traffic is simply going to waste the company's money spent hiring these people and come home to roost when someone else crawls in and steals your shit. The difference between this and thieves or vandals is that if THESE guys get in they will let you know what they found and hopefully help you fix it. Which would you rather have? The fact that they have even been spotted is a plus; most of the folks I went up against never noticed us and the stupidity we uncovered was amazing.
Sadly, much as I'd like to NOT post this AC, I'm going to have to, but trust me, simply blocking these guys is a really BIG mistake.
There are three or four likely possibilities for what's going on here:
* The hospital's lawyers and administration know what the IT guy is doing, and are ok with it. Therefore they'll be ok with you and your doctors' group lawyers talking to them about it, though you're going to have to have a long conversation about why this is not a good idea.
* The hospital's lawyers and administration don't know what the IT department is doing, but the IT department thinks they're doing something officially useful, and need to get told it's inappropriate.
* The hospital's IT department is doing this stuff on his own, for evil reasons, and needs to be caught and stopped.
* Some outsider is masquerading as the hospital's IT department, and the email you contacted to tell them to stop doing stuff is really redirected to the bad guys. In that case, the hospital's in a real mess and needs to know about it.
Either way, you've got a responsibility to your doctors and your patients, and you need to go to the top since going to the working-level people didn't get you taken seriously.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
They either have a contractual right to perform reasonable security audits from an external source, or they don't, and if you wish to pursue some remedy this is the only thing that matters.
That being said, if someone told you they were performing a security audit, it wouldn't be much of one. The whole *point* is that it shouldn't matter to you whether the test was authorized or not - a real attacker doesn't care about authorization. Complaining about a pentest to slashdot is not really useful - this is a legal matter. As a technical matter if you care about a pentest which likely isn't causing any kind of denial of service, you've got problems with your outlook on security.
Dude, it's probably an automated scan run by the hospital. That's normal in all large networks as part of ensuring the safety and vulnerability level of unmanaged and managed machines alike. I would talk to the hospital's "infosec" group, not the normal IT dept., if you want more detail. If you are on their network, there is nothing illegal about this -- you are a tenant here.
This entire thread is nothing but unwarranted speculation. Unless you know it is actual security testing, you should not assume that it is. Contact management in person and tell them what is happening, and if they say ok then you have done your due diligence and it will not reflect on you, even if it becomes a HIPAA violation. The reason to contact management in person is that bad guys can redirect calls (with a lot of difficulty) and email (quite easily), but can never redirect actual human interaction.
activity was conducted by the hospital corporation for security purposes.
yeah, yeah...
Me, I work for The Corporation so please ignore any probes you see on your systems guys. That would be too easy wouldn't it?
Seriously, he should be allowed to cut them off in order to run a simulation of what would happen in real life. Also, I wonder if he should have been told who was running the tests in the first place.
It's like; OK I am going to attack you but you have to keep your shields down. Counter-measures are part of a good security strategy.
Everything I write is lies, read between the lines.
A key point of confusion in this thread seems to be that some here are viewing the hospital as simply an ISP, while I and others deem that unlikely.
To help clarify the situation in order to provide a meaningful response, can you outline the access your network has to the hospital's network? Are you on their internal network at all? Are you a truly separate entity that has no more access than any other place on the internet, or do you have access to certain machines/sites/web services/etc... that would be otherwise unavailable? Does your email go through their email servers at any point?
The more detail you can provide here the better people will be able to judge what is appropriate.
Where I used to work, the security guys used to do the same thing. It is a good thing. They are doing their job by making sure everything is secure. Expose weaknesses before the real thing happens.
Now, do your jobs and make sure your systems are secure and don't allow anything through.
Seriously, you are asking the wrong question on the wrong forum. Your legal department or your lawyer should handle this.
The issue is not technical. The question is which laws and contracts bind you and the other side, and which of these regulate their activities towards you.
For example, their security tests could be a part of their HIPAA or SOX implementation, and your contract states that you are included. Or there might be a separate clause in the contract, SLA or other document.
Find out or better - let someone who is a professional in this field find out - where this is written down and what it does and doesn't allow. You might find out that you are already breaking your contract by blocking their probes. Or you might find out that they aren't allowed to probe and are thus in breach of several cybercrime laws. But you won't know until someone who knows the legalese has checked.
Disclaimer:
I used to be the Senior Manager IT Compliance for a mid-sized corporation. I now run my own company.
Assorted stuff I do sometimes: Lemuria.org
I suggest you turn your head and cough. Security for medical records, files, servers, networks is one of the last semi-vestiges of privacy in a world full of cameras, microphones, obfuscated disclosure agreements, and corruption. Barring court orders and three letter agencies that do whatever they want, this information is expected to stay as safe as military property.
So when the bad ol' security tester puts his cold thingy in your tight little socket and starts to probe, just look at the picture on the wall and pretend you are somewhere else until that Vicodin kicks in. Do it for the children...
Kisses, Dr. Gregory House M.D.
Quit.
This is not a job that gives a shit about you, so why should you stick around?
How do you know if seeing them in person is authentic? They could be clones or evil twins! :P
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Two things:
1. They aren't really trying to break into your system, but just testing it for readiness against real attacks (that's the premise that you mention). So, they will just be running some standard attacks out of a security testing tool against you, not custom-crafted evil attacks. If your system can't even withstand these standard checks, it's good to take your system down until it's ready for the real world.
2. If your system is overloaded because of these tests, you can measure the extra load that it introduces in quantifiable terms and report it back to them, and ask them to stop doing it (maybe it's opening up a thousand sessions when the system is really built for a few tens of them; maybe it uploads/downloads tons of data that fill up your disk, whatever.) Denial of Service is not an attack to be tested out on a production environment on a routine basis.
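The two practical points raised in this thread, that a declared list of scanner addresses should be recognised and logged rather than blocked, and that any extra load the tests impose should be measured in quantifiable terms before being reported back, can be combined in a small triage script. This is an added example and not code from any poster; the log line format, the declared scanner ranges, the sample log lines and the session capacity figure are all constructed assumptions.

```python
"""Triage inbound connection attempts: separate declared scanner sources
from unknown ones and quantify the load each source generates.

Added example for this thread. The log format, the scanner address list and
the sample log are constructed assumptions, not real data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumption: address ranges the hospital's security group has put in writing
# as their scanners. Anything outside these ranges is treated as unknown.
DECLARED_SCANNERS = [ip_network("10.20.30.0/29"), ip_network("10.20.31.7/32")]

# Constructed log format: "<epoch> <src_ip> <dst_ip>:<dst_port> <bytes>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+):(\d+) (\d+)$")


@dataclass
class SourceStats:
    sessions: int = 0
    bytes_in: int = 0
    ports: set = field(default_factory=set)
    first_seen: int = 0
    last_seen: int = 0


def is_declared(src: str) -> bool:
    """True if src falls inside one of the declared scanner ranges."""
    addr = ip_address(src)
    return any(addr in net for net in DECLARED_SCANNERS)


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, nbytes = m.groups()
    return int(ts), src, dst, int(port), int(nbytes)


def summarize(lines):
    """Aggregate sessions, bytes, distinct ports and time span per source."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the report
        ts, src, _dst, port, nbytes = rec
        s = stats[src]
        if s.sessions == 0:
            s.first_seen = ts
        s.sessions += 1
        s.bytes_in += nbytes
        s.ports.add(port)
        s.last_seen = ts
    return dict(stats)


def classify(stats, session_capacity: int):
    """Per-source verdict: declared or unknown, plus whether the session
    count exceeded the capacity the system is actually built for."""
    report = {}
    for src, s in stats.items():
        duration = max(1, s.last_seen - s.first_seen)
        report[src] = {
            "declared": is_declared(src),
            "sessions": s.sessions,
            "ports": len(s.ports),
            "bytes": s.bytes_in,
            "sessions_per_sec": s.sessions / duration,
            "exceeds_capacity": s.sessions > session_capacity,
        }
    return report


def recommended_action(verdict) -> str:
    """Defender's handling: keep declared scanners visible (log, do not block)
    and hand them the measured load; treat unknown sources as real attacks."""
    if not verdict["declared"]:
        return "unknown source: alert and block pending verification"
    if verdict["exceeds_capacity"]:
        return "declared scanner: allow, report measured load, ask to throttle"
    return "declared scanner: allow and log"


# Constructed sample: a declared scanner sweeping 150 ports in 150 seconds,
# an unknown host trying port 22 three times, and one malformed line.
SAMPLE_LOG = [f"{1000 + i} 10.20.30.2 192.0.2.10:{1 + i} 120" for i in range(150)]
SAMPLE_LOG += [f"{2000 + i} 198.51.100.9 192.0.2.10:22 300" for i in range(3)]
SAMPLE_LOG += ["garbage line"]

if __name__ == "__main__":
    # Assumption: the web server is sized for about 100 concurrent sessions.
    for src, v in classify(summarize(SAMPLE_LOG), session_capacity=100).items():
        print(f"{src}: {v['sessions']} sessions over {v['ports']} ports, "
              f"{v['bytes']} bytes -> {recommended_action(v)}")
```

The numbers the script produces (sessions, distinct ports, bytes, sessions per second) are exactly the "quantifiable terms" the comment asks for when going back to the hospital; the declared list is the written one the earlier posts say should have been provided, and it only changes how a source is handled after the fact, so nothing in the scan itself is pre-blocked.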
I was on contract at a major telecom company, when the OpenVMS systems in our group started flagging all kinds of alerts (OpenVMS has some built-in break-in detection/avoidance). I null-routed the offending subnet, and had folks contact someone higher up in corporate security. The corporate security group was running something like SATAN on the network for similar reasons as OP. Oddly, we appeared to be the only group to detect, proactively block the attack, and report it.
I've also run a PCI compliant site, and many of the PCI Certification companies also run tests like this (of course, you agree to this as part of them certifying your site). In fact, I had to pre-approve the test run via a web site, and it generally would run within a few minutes of request (so I could time it during off hours to avoid site problems).
1st - It's good that you are getting tested, and hopefully, surviving the test without any data exposure/etc.
2nd - Unless this is part of your agreement with them, this could be a big problem for the hospital. That they do these tests should be clearly documented, and times should in general be scheduled so that both parties can monitor them, and also ensure they do not cause any disruption to normal operation of the physician's practice.
If you're relying on policy instead of proper network segmentation with access control to protect critical data, you're doing it wrong.
Full unencrypted medical/billing records one jump away from your gateway? Great idea!
Get something documented from within the hospital's internal IT staff. If they say "We're pen testing" make sure that they send an email to that effect, forward it to your boss so that at least two people have a copy of it. You should recognize the name of the person sending the email or at least the names on the CC, unless the hospital is a gargantuan place.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
If your contract with the hospital is contingent upon regular security checks, then formalize this agreement. Suddenly, instead of a breach of your network, they are just another contractor (like yourself) running security tests on the doctors' network. Directly or indirectly, the hospital has to pony up the costs of you filtering their disruptive network actions from their standard ones...
The decision as to whether the activity is permissible belongs to the network and systems owner. Ask them.
And if you don't know who that is and nobody claims ownership, you have bigger problems to face (but in that case, just block it and wait for somebody to complain).