Ask Slashdot: Dealing With Unwanted But Official Security Probes?

An anonymous reader writes "I manage a few computers for an independent private medical practice connected to a hospital network. Recently I discovered repeated attempts to access these computers. After adjusting the firewall to drop connections from the attacking computers, I reported the presumed hacker IP to hospital IT. I was told that the activity was conducted by the hospital corporation for security purposes. The activity continues. It has included attempted fuzzing of a web server, buffer overrun attacks, attempts to access a protected database, attempts to get the password file, etc. The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?"

Is this not your local net police?

[Dr.+Tom]

You can always run denyhosts, block any IP that attacks you, but it sounds like these guys are on your side, doing penetration testing.
If they are not, block the addresses. If they are local staff, call the IT dept. and talk to them, don't post to /.

Re:Is this not your local net police?

[Hizonner]

Yes, the practice's security affects the hospital's. Your security affects mine, too, and in fact the security of everybody on the Internet affects the security of everybody else.

Nonetheless, it is not legal, ethical, or appropriate to go around attacking somebody else's systems without their explicit permission. It doesn't matter if you provide them with network service. It doesn't matter if you have (perhaps unwisely) given them access that makes them a potential threat to you. It doesn't matter if you're the "big" network, or if you have more to lose than they do. It doesn't matter if you feel you're "responsible for the whole network". It doesn't matter if they're completely incompetent and overrun with malware.

If you don't have advance permission, and you attack somebody else's system. you're in CFAA violation territory. And if you didn't get that permission in writing, you're an incompetent idiot.

This isn't the wild, wild west. Your motives do not matter. The effect on your own security does not matter. End of story.

Key words for me: independent practice

Unless there are contractual terms which allow the hospital to pentest the independent medical practice, the hospital IT staff are probably violating the law. Get your legal counsel involved ASAP and let the lawyer deal with it.

Re:Have you tried all these?

[Dan+Dankleton]

You've asked for a meeting with their security people so that you can jointly plan to do whatever is needed?

I never have mod points when there's something I want to moderate! This is the thing to do. Get in touch with the hospital's security people. If the scans are causing any problems with IT operations then arrange with them to schedule the scans differently. Otherwise, explain that you've picked up the scans and blocked them per procedure. Ask if they want you to unblock their specific scan so that they can find any issues which would reveal weaknesses you could defend against in more depth.

All this may be unwelcome but it doesn't sound like there's much you can do about it, so treat it as an opportunity.

Two things

[gman003]

First, as far as the network goes, treat it the same way you would treat any attack. Block IPs, add filters, whatever you normally do. If they are simulating an attack, you should simulate a defense.

Second, the human response. Make sure that this is actually an authorized security test. Tell them that if you cannot get confirmation that this is an authorized attack, you will have to treat it as an unauthorized one, which means contacting law enforcement, as per standard protocols for dealing with health information. This is "cover your ass" stuff here - if it actually isn't authorized, and you get hacked, you're likely to take the blame for it. And if it is authorized, well, you look like you're doing your job by detecting and responding to the threat.

Escalate to their legal contacts now.

[billstewart]

There are three or four likely possibilities for what's going on here

* The hospital's lawyers and administration know what the IT guy is doing, and are ok with it. Therefore they'll be ok with you and your doctors' group lawyers talking to them about it, though you're going to have to have a long conversation about why this is not a good idea. * The hospital's lawyers and administration don't know what the IT department is doing, but the IT department thinks they're doing something officially useful, and need to get told it's inappropriate. * The hospital's IT department is doing this stuff on his own, for evil reasons, and needs to be caught and stopped. * Some outsider is masquerading as the hospital's IT department, and the email you contacted to tell them to stop doing stuff is really redirected to the bad guys. In that case, the hospital's in a real mess and needs to know about it.

. Either way, you've got a responsibility to your doctors and your patients, and you need to go to the top since going to the working-level people didn't get you taken seriously.