Ask Slashdot: Dealing With Unwanted But Official Security Probes?
An anonymous reader writes "I manage a few computers for an independent private medical practice connected to a hospital network. Recently I discovered repeated attempts to access these computers. After adjusting the firewall to drop connections from the attacking computers, I reported the presumed hacker IP to hospital IT. I was told that the activity was conducted by the hospital corporation for security purposes. The activity continues. It has included attempted fuzzing of a web server, buffer overrun attacks, attempts to access a protected database, attempts to get the password file, etc. The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?"
Block them anyway; claim it's part of your normal operations. Hint: they're probably stupid enough to use 1 or 2 IPs.
I want to delete my account but Slashdot doesn't allow it.
He had enough clue to figure out the hospital corporation was attempting to hack his system, and even did something to protect himself. That's more than most 'qualified IT professionals' can handle in their lifetime.
Just because you can boot Windows and hold a Windows Certified Administrator certificate in your hand doesn't make you qualified to do IT anywhere.
Yes - this! Just because they don't want to rock the boat doesn't make it not a federal crime! And if they decide they don't want to follow up on the legal violation, I would tell my boss that the hospital may not be pentesting officially - it could be a corrupt IT (or even non-IT) person testing their clients w/o the hospital management's knowledge. If it's a major hospital (which most seem to be, these days), there are serious repercussions for doing that to the hospital employee. I would probably block the IP at the firewall and if they complain let them know that, per YOUR standard operating policy, the IP was perm-banned due to a large number of attacks coming from an unauthorized source. I do that at my place of business (of course, I'm the CTO and a business partner to boot, so I can make those decisions).
Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.
If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?
Although annoying, it's completely within the company's rights to audit their security however they see fit, and I can see a number of reasons to do surprise, anonymous audits. And as another poster pointed out, complaining about it on /. probably isn't the brightest move.
Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
They're not auditing their security. They're auditing somebody else's security. "Independent private medical practice" means a separate corporation that happens to have a network link. Not "within their rights", and not legal, either.
Seriously. What's the contract between the two firms say? Are they causing you harm? Are you just being uppity about log entries? The obvious answer to your question is that if you want to continue the relationship with the hospital, you will shut the fuck up and be happy they continue to outsource things to your firm.
I wonder if you're the one who needs a clue, since if shit hits the fan because there was a real attack from someone on the hospital network that goes ignored because it's assumed to be an authorized pen test, it's his ass on the line. From the summary:
The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship.
I would assume that if they're even thinking about calling in law enforcement, they've done the obvious and checked if they gave permission somewhere. I think you're giving the hospital far too much benefit of the doubt here; just because corporate IT think they have permission to pen test anything connected to their network doesn't mean that it's been appropriately regulated in the agreement between the private practice and the hospital. Surely they have some form of legal representation. I'd ask:
1) The hospital is doing penetration testing on us. Assuming they should succeed, is it acceptable that they may gain control of our systems or access our practice's data? If no, then take it up with the hospital's compliance officer.
2) Even if this penetration testing is permitted, how can the private practice be sure this is authorized activity and not unauthorized activity? Again, get whatever legal counsel you have to take it up with the compliance officer.
Getting law enforcement involved is only useful if you want to punish someone for what has happened; what you want here is to find a solution going forward. Just because you're both in the health business doesn't make you the same entity. If you can get your lawyer to say that these pen tests could be a HIPAA violation of the private practice, then their IT will listen to their legal telling them to stop. Or they might stonewall and say that if they can't do security testing, you can't be on the network. Either way you're raising the flag and saying if this happens again, we can't just ignore it.
Live today, because you never know what tomorrow brings
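The check the post above argues for (and the per-policy blocking suggested earlier in the thread), written out as an added example that is not from any poster: only traffic matching a written authorization (agreed source range plus agreed time window) is treated as the hospital's test; activity from the same network outside that record is triaged as a real incident and becomes a block candidate. The log format, addresses and authorization record are constructed for the example.

```python
import ipaddress
from datetime import datetime

# Constructed authorization record: what a written agreement between the
# practice and the hospital would state (source ranges and an agreed window).
AUTHORIZED_TESTS = [
    {"id": "HOSP-TEST-001", "sources": ["203.0.113.0/28"],
     "start": "2013-03-04T01:00:00+00:00", "end": "2013-03-04T05:00:00+00:00"},
]

# Constructed firewall log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2013-03-04T02:15:00+00:00 DROP src=203.0.113.5 dst=10.0.5.10 dport=80 msg=uri-fuzz
2013-03-04T09:40:00+00:00 DROP src=203.0.113.5 dst=10.0.5.11 dport=1433 msg=db-login
2013-03-04T02:20:00+00:00 DROP src=198.51.100.7 dst=10.0.5.10 dport=22 msg=passwd-fetch
"""

def parse_line(line):
    """Split one log line into a dict; the timestamp becomes an aware datetime."""
    ts, action, *kv = line.split()
    event = dict(item.split("=", 1) for item in kv)
    event["ts"] = datetime.fromisoformat(ts)
    event["action"] = action
    return event

def classify(event, authorizations=AUTHORIZED_TESTS):
    """Return (status, test_id): 'authorized' only when source AND time match."""
    src = ipaddress.ip_address(event["src"])
    in_scope = []
    for auth in authorizations:
        if not any(src in ipaddress.ip_network(n) for n in auth["sources"]):
            continue
        start = datetime.fromisoformat(auth["start"])
        end = datetime.fromisoformat(auth["end"])
        if start <= event["ts"] <= end:
            return "authorized", auth["id"]   # matches the agreed engagement
        in_scope.append(auth["id"])
    if in_scope:
        # Known tester address but outside the window: treat it as an incident.
        return "out-of-window", in_scope[0]
    return "unauthorized", None

def triage(log_text):
    """Classify every non-empty line; this list is what goes into the IR ticket."""
    return [(e["src"], *classify(e))
            for e in (parse_line(l) for l in log_text.splitlines() if l.strip())]

def block_candidates(log_text):
    """Sources whose activity is not covered by any authorization record."""
    return sorted({src for src, status, _ in triage(log_text) if status != "authorized"})
```

The same tester address shows up as both "authorized" and "out-of-window" in the sample, which is exactly the case where a blanket "it's the hospital, ignore it" rule would hide a real attack.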
It seems to me these "attacks" are being conducted in good faith, as a security test. I think this is good practice and it should be commonplace.
Not unless they've got a contract that says so. Their authority stops at my router unless I've given them permission.
They can ask me to conduct my own testing or they can ask if they can test.
I'm not a clinic but banks have similar laws.
"Almost every wise saying has an opposite one, no less wise, to balance it." - George Santayana