Ask Slashdot: Dealing With Unwanted But Official Security Probes?
An anonymous reader writes "I manage a few computers for an independent private medical practice connected to a hospital network. Recently I discovered repeated attempts to access these computers. After adjusting the firewall to drop connections from the attacking computers, I reported the presumed hacker IP to hospital IT. I was told that the activity was conducted by the hospital corporation for security purposes. The activity continues. It has included attempted fuzzing of a web server, buffer overrun attacks, attempts to access a protected database, attempts to get the password file, etc. The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?"
They do know about HIPAA penalties for leaking data, right?
You can always run denyhosts, block any IP that attacks you, but it sounds like these guys are on your side, doing penetration testing.
If they are not, block the addresses. If they are local staff, call the IT dept. and talk to them, don't post to /.
Speak with someone at the managerial level and go find the agreement/piece of paper that states said hospital corporation has the right to perform security audits against your customer's network. Until that does or does not materialize, take no action past what you're already doing in the name of good security.
Have a lawyer write a letter to the hospital director, explaining how it's against the law in the US to attempt to hack into another company's network, saying, "Of course you'd want to know about this to avoid civil or criminal action."
Unless there are contractual terms which allow the hospital to pentest the independent medical practice, the hospital IT staff are probably violating the law. Get your legal counsel involved ASAP and let the lawyer deal with it.
You've told them that they don't have authorization to access your computers, and are (or would be) in violation of the law if they succeed?
You've asked for a meeting with their security people so that you can jointly plan to do whatever is needed?
You're reasonably comfortable that you indeed run a tight ship?
You've configured your firewall to drop their packets?
That would be responding to a company whose only fault is having a bad policy and poor training, by committing a serious crime!
In the meantime, you want to talk to the crew that's doing the intrusion testing and make sure that they'll be keeping anything they find confidential, and that you'll get the results of the work that they're doing. What they're doing is annoying, but it's better to have it done by friendlies than to have someone truly hostile find some day-0s that they can use against you (presuming that you're willing to close any holes that they find).
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
I've been on both sides of such security probes, professionally. A legitimate organization will be willing to identify itself and name the most obvious penetration test vectors, because they will show up in the logs of someone competent. It's also especially interesting to conduct a penetration a month _before_ any announced test, and a month or two _after_, to see what has actually been changed.
But as the target of a penetration test, you should be _encouraged_ to report the attempts to the upstream provider or administration, and you should be notified of the test results. You don't indicate if you've spoken to anyone in hospital IT who has any actual authority or responsibility: a simple letter, _preferably on real paper with a real name of someone who can verify the letter_, identifying that such tests occur and where you can report them, can help protect you, and the hospital, from liability for other attacks that go unnoticed while the penetration test occurs.
I also urge you to review the regulations or laws on confidentiality of patient data. Penetration against secure data where the recovered data is not handled safely can be illegal, and a careful talk with the hospital's legal counsel can help set some guidelines. And this is just the situation where a paper trail, _on paper and kept offsite_, can protect you and your group from lawsuit or from a manager who tries to shift blame. This is especially true when the penetration succeeds, and a mid-level manager uses it as ammunition to replace IT staff with a different "big vision" of how security works, even when the IT staff were prohibited by that manager from taking effective steps against the very vulnerabilities used by the penetration test. (I've seen this several times.)
Tar pit their IP addresses.
Each time they connect, disallow connections for x*2 seconds, where x is the amount of time their connections were disallowed the last time.
When you're dead, you don't know you're dead. It only affects the people around you. Same thing when you're stupid.
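The doubling tar pit described in the post above, as an added example that is not from the thread. The page describes only the doubling; the cap (`max_seconds`) and the quiet-time reset (`reset_after`) are my additions so that a mis-tuned block cannot grow without bound.

```python
class EscalatingBlocker:
    """Per-source tar pit: each attempt blocks the source for twice the previous duration.

    The post only describes the doubling; the cap and the quiet-time reset are
    additions so a noisy source is not locked out forever by accident.
    """

    def __init__(self, base_seconds=1.0, max_seconds=3600.0, reset_after=86400.0):
        self.base = base_seconds
        self.max = max_seconds
        self.reset_after = reset_after
        self._state = {}  # src -> {"until": float, "last": float, "seen": float}

    def attempt(self, src, now):
        """Record a connection attempt from src at time `now` (seconds).

        Returns (allowed, block_seconds): whether this attempt gets through and
        how long the source is blocked from `now` on. An attempt made while the
        source is already blocked is refused and doubles the block again.
        """
        st = self._state.get(src)
        if st is not None and now - st["seen"] > self.reset_after:
            st = None  # long quiet period: forget the history, start from base again
        if st is None:
            duration = self.base
            allowed = True
        else:
            duration = min(st["last"] * 2, self.max)
            allowed = now >= st["until"]
        self._state[src] = {"until": now + duration, "last": duration, "seen": now}
        return allowed, duration

    def is_blocked(self, src, now):
        """True while the source's current block has not expired."""
        st = self._state.get(src)
        return st is not None and now < st["until"]


if __name__ == "__main__":
    # Constructed sequence of attempts from one source, times in seconds.
    b = EscalatingBlocker(base_seconds=1, max_seconds=8, reset_after=600)
    for t in (0, 0.5, 1.0, 10, 11, 1000):
        print(t, b.attempt("198.51.100.7", now=t))
```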
It appears you're unfamiliar with a common practice: regularly scanning and auditing computers on your internal network to catch compromised hosts.
Since they are doing part of your job for you, send them a nice Thank You card for helping you out.
"The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?"
Drop the issue, and secure their network, so the hospital, or anyone else outside their practice's internal LAN is not capable of probing or making unapproved connections; insert an IDS, and ensure offending IP addresses are blocked from access.
The hospital may also be committing a serious crime. But you're right that responding in kind would be a very bad idea.
He had enough clue to figure out the hospital corporation was attempting to hack his system, and even did something to protect himself. That's more than most 'qualified IT professionals' can handle in their lifetime.
Just because you can boot Windows and hold a Windows Certified Administrator certificate in your hand doesn't make you qualified to do IT anywhere.
Are they causing you harm? Are you just being uppity about log entries?
Flooding the logs with false positives does cause harm, in that he may miss real attacks in the flood of "test" ones.
Not to mention, who bears the liability if this testing actually manages to get in and cause data loss? The FP poster specifically mentions fuzzing inputs to the web server - That works great in a test environment; if it succeeds on a production system, god only knows what effects it will have.
My recommendation? Aggressively block this shit until your actual boss (not some random schmuck from "corporate") directly orders you to let it get through; and if ordered to let it continue, get it in writing (email would suffice).
The hospital may also be committing a serious crime.
That was my point :-) There is a double standard where these companies get a slap on the wrist in a civil court, while if this guy did exactly the same thing back, he would get criminal charges. But as you say, even without this double standard it would not make any sense to respond by hacking the hospital.
First, as far as the network goes, treat it the same way you would treat any attack. Block IPs, add filters, whatever you normally do. If they are simulating an attack, you should simulate a defense.
Second, the human response. Make sure that this is actually an authorized security test. Tell them that if you cannot get confirmation that this is an authorized attack, you will have to treat it as an unauthorized one, which means contacting law enforcement, as per standard protocols for dealing with health information. This is "cover your ass" stuff here - if it actually isn't authorized, and you get hacked, you're likely to take the blame for it. And if it is authorized, well, you look like you're doing your job by detecting and responding to the threat.
...said by someone who doesn't have to specifically allow probes from the scanning hosts, and has to deal with the DoSing when the port scans cause a couple of the services to go haywire. (lock up, start sucking down all available memory on the machine)
We put in new checks to watch for these things, but who knows what new tests they're going to run on the next scan.
The memory one was particularly nasty, as machines w/ lots of memory available didn't start showing problems 'til up to 2 days later. (and everyone loves getting alerts at 2am)
This is a terrible idea. You can go to jail for doing this. Don't do it.
As horrible as it sounds, this is something that a lawyer can help with. I'm sure the medical practice can afford to hire a couple of hours of legal assistance to draft a "very friendly" letter to the hospital administration warning them that their actions may be a violation of HIPAA in addition to other computer security regulations.
Do I get this right? You are working for company A, but company B, with whom you have some kind of relationship, but are not a part of, tests your security?
First, make sure you have EVERYTHING in writing. At the very least as emails, but paper would be better. Make sure that everything you inform your IT superiors of is documented, and make sure every order you get from them is documented as well. Else selective amnesia might set in when the shit hits the fan. Tell your doctors to get in touch with the hospital CIO/CISO (or whoever is directing the tests), and make sure that they inform them that they want to cooperate to make sure the test makes sense. Else, what would you logically do? Right. Block the offending IP(s) until the storm is over. That's not really in the interest of the auditor either, since it's trivial to make something "secure" when I don't allow access to it by default and have every kind of access die at the front door (even though others might be allowed further in).
Personally I think it's highly unusual to conduct a pen test "against" a cooperating company. At the very least you should be informed that this has to happen (likely due to HIPAA or similar regulations), else the auditors are on VERY thin (juridical) ice. Essentially, they are conducting a hostile attack.
Tell your docs what the auditors do here is pretty much like performing an operation without the patient's consent; they'll immediately get that. It may be in the patient's interest, but cutting him open without immediate lethal danger and without consent is STILL a big no-no.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Fuzzing should not cause a crash - a crash would be an indication that there may be a vulnerability since something isn't validating input properly. A non-production system would be worthless since there's no guarantee it would mirror the production setup. Any Internet accessible server should be able to handle any security threat that comes in. Especially a server with medical data. So long as they aren't pushing enough traffic to be a DOS attack there shouldn't be a problem with the server if it's properly programmed and configured.
career suicide to make a political point? how about noooo
Snowden and Manning are heroes.
The article clearly points out that these are separate companies. Even if these are just security tests it is highly illegal and if they are ever successful even more so (and letting their patient data be compromised opens up the hacked company to legal issues as well).
I work information assurance for the government. To my mind the description screamed 'subcontractors'. IE while not direct employees of the hospital in question, they'd be in serious financial trouble if they lost their association with the hospital. Not necessarily friends, but they DO need to keep a good working relationship.
Now, I can't say what the exact details of the connections, agreements, and such are, I do know that in order to hook up to one of MY networks you have to agree to meet all the requirements and be subject to all the tests as a government owned machine needs to meet. If you are unable/unwilling to meet this standard, you're free to not hook anything up to said networks, order your own internet service, etc...
One of my duties is to perform the mentioned scanning/hacking attempts. There are separate teams that attempt to do more detailed hacking, up to and including coming on location and attempting to access unlocked unattended computers and doing social engineering attacks. They usually win, the question is normally how easily they win.
Anyways, many here seem to think that the penetration testing company is going to be doing something more than generate a report. It's theoretically possible they'll do more, but if the hospital has hired a legitimate company, it's unlikely. Thus all the suggestions to 'set up a honeypot' will do nothing more than generate a dirty report with false vulnerabilities and give the hospital in question cause for enough alarm to possibly cut off the doctor's connections to their network.
I'd say his best option is to get involved with the scanning. Ask to sit in on any meetings. A copy of the scan reports. IP addresses that they're coming from so you can filter them out of your logs when looking for real hacking attempts. Find out what they're going to do with said reports, etc...
In addition, lawyers are expensive and can make things complicated, I'd try to avoid involving them unless you hit a barrier you can't work around otherwise, or there's no better option. A smile and a friendly question can get you a lot more for a lot less than a lawyer.
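The log-filtering idea from the post above (know the scanner addresses so authorized test traffic can be set aside when looking for real attacks), as an added example that is not from the thread. The log format, the scanner range `10.20.30.0/24` and the test window are constructed assumptions; note that a source inside the confirmed range but outside the agreed window is still put in the "investigate" bucket, since the thread also warns that the scanners' own machines could be compromised.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample firewall log lines (not from the original thread).
SAMPLE_LOG = """\
2013-08-02T01:12:03 DROP SRC=10.20.30.41 DST=192.0.2.10 PROTO=TCP DPT=80
2013-08-02T01:12:04 DROP SRC=10.20.30.41 DST=192.0.2.10 PROTO=TCP DPT=443
2013-08-02T01:15:55 DROP SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP DPT=22
2013-08-02T01:16:10 DROP SRC=10.20.30.42 DST=192.0.2.11 PROTO=TCP DPT=1433
2013-08-02T01:17:02 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
2013-08-05T03:00:00 DROP SRC=10.20.30.41 DST=192.0.2.10 PROTO=TCP DPT=22
this line is corrupt and will not parse
"""

# Hypothetical values: the scanner source range and the test window that hospital
# IT confirmed in writing. Traffic from that range outside the window is NOT trusted.
AUTHORIZED_SCANNERS = [ipaddress.ip_network("10.20.30.0/24")]
TEST_WINDOW = (datetime(2013, 8, 1), datetime(2013, 8, 3))

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>DROP|ACCEPT)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    try:
        ts = datetime.fromisoformat(m.group("ts"))
        src = ipaddress.ip_address(fields["SRC"])
    except (KeyError, ValueError):
        return None
    return {"ts": ts, "action": m.group("action"), "src": src, "dpt": fields.get("DPT")}


def classify(event):
    """'authorized-test' only for confirmed scanner sources inside the agreed window."""
    in_range = any(event["src"] in net for net in AUTHORIZED_SCANNERS)
    start, end = TEST_WINDOW
    if in_range and start <= event["ts"] < end:
        return "authorized-test"
    return "investigate"


def triage(log_text):
    """Split the log into the two buckets and count lines that could not be parsed."""
    buckets = {"authorized-test": [], "investigate": []}
    unparsed = 0
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            unparsed += 1  # never silently drop a line you could not read
            continue
        buckets[classify(event)].append(event)
    return buckets, unparsed


def summary(log_text):
    """Counts a defender acts on: how much to set aside, and which sources to look at."""
    buckets, unparsed = triage(log_text)
    return {
        "authorized_test": len(buckets["authorized-test"]),
        "investigate": Counter(str(e["src"]) for e in buckets["investigate"]),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    print(summary(SAMPLE_LOG))
```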
I don't read AC A human right
Seriously. What's the contract between the two firms say? Are they causing you harm? Are you just being uppity about log entries? The obvious answer to your question is that if you want to continue the relationship with the hospital, you will shut the fuck up and be happy they continue to outsource things to your firm.
I wonder if you're the one who needs a clue since if shit hits the fan because there was a real attack from someone on the hospital network that goes ignored because it's assumed to be an authorized pen test it's his ass on the line. From the summary:
The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship.
I would assume that if they're even thinking about calling in law enforcement, they've done the obvious and checked if they gave permission somewhere. I think you're giving the hospital far too much benefit of the doubt here; just because corporate IT think they have permission to pen test anything connected to their network doesn't mean that it's been appropriately regulated in the agreement between the private practice and the hospital. Surely they have some form of legal representation. I'd ask:
1) The hospital is doing penetration testing on us. Assuming they should succeed, is it acceptable that they may gain control of our systems or access our practice's data? If no, then take it up with the hospital's compliance officer.
2) Even if this penetration testing is permitted, how can the private practice be sure this is authorized activity and not unauthorized activity? Again, get whatever legal counsel you have to take it up with the compliance officer.
Getting law enforcement involved is only useful if you want to punish someone for what has happened; what you want here is to find a solution going forward. Just because you're both in the health business doesn't make you the same entity. If you can get your lawyer to say that these pen tests could be a HIPAA violation of the private practice, then their IT will listen to their legal telling them to stop. Or they might stonewall and say that if they can't do security testing, you can't be on the network. Either way you're raising the flag and saying if this happens again, we can't just ignore it.
Live today, because you never know what tomorrow brings
and make friends. Tell them what you are seeing and express your concern for live confidential data being exposed and ask if they are seeing similar probes on their side. See what they say. Maybe they say "oh, that is just us" and you have one response. Or maybe they say "we are seeing that too" but we have been told it is some contractor we hired to do penetration testing. Then you have another response. Or maybe they don't know a thing in which case you report what you are seeing up your channels and across to their senior IT guys.
But first start by making friends.
Is the hospital allowed to access records without a release based on HIPAA regulations since it is an independent practice? If not, then report them to the police. Apologize to the hospital, but explain, you have NO CHOICE. HIPAA is not something to mess with, and it doesn't matter who is trying to access the records, it IS a crime if accessing this data is not permitted. Remember the guys that got sent away for accessing the public data for AT&T? Yea... That but worse. Based on the fact that they were sentenced, even if they gained no data, the attempt itself was the crime. Failure to report a crime is a crime itself: http://www.law.cornell.edu/uscode/search/display.html?terms=misprision&url=/uscode/html/uscode18/usc_sec_18_00000004----000-.html. Report it. If they gain access to records, and then data from it leaks out, say because someone notable was a patient, then it will be on YOU. If the local police decide not to follow up, it is NOT on you.
It seems to me these "attacks" are being conducted in good faith, as a security test. I think this is good practice and it should be commonplace.
Having said that: I do think it would have been more professional to at least have informed them that security audits would be carried out, and not to worry about apparent attacks coming from IP addresses X, Y, and Z. As long as they did not pre-block those addresses, that would not affect any of the security audits in the slightest, and would ease any anxiety on the part of these people.
The testing/auditing is not necessarily only to evaluate the network, evaluating the admin/security team may also be part of the plan. In other words part of the test may be to verify that these folks get worried in a reasonably short amount of time and take appropriate actions.
If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?
You shouldn't know, and you're supposed to treat them like the bad guys.
How do you know that their machines haven't been hacked, and that ALL of the penetration attempts are actually tests?
If you talked to them on a phone rather than face-to-face at THEIR office (or even then), how do you know the person you talked to is actually a security guy or I.T. administrator at the hospital and not a freelance cracker, identity thief, spy, or even an assassin going after a patient? If somebody cracked, say, a VoIP phone system, they could intercept your complaints and tell you it was standard operating procedure and to ignore such attacks.
Even if they are what they claim to be and ALL the attacks are from them, by telling you it's just a test, you should ignore it, and continuing to "test" you, they've just TOLD YOU TO IGNORE ATTACKS. If you do, you FAIL.
IMHO (IANAL) you MUST attempt to halt the attacks and treat them as real or you are in violation of HIPAA.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I once worked on a team doing such internal audits. After a YEAR we finally had our network looking pretty tight from the disaster it had been; this was a very large network. One day someone asked me to take a look at a WEB app they had created to demonstrate something for me, and I couldn't reach the address. Neither could anyone else on my team. I asked friends via IM elsewhere on the network if they could reach the IP and they could. Suspicious, I told my boss about it and he confirmed the blockage by attempting access via RDP from a machine we kept remotely on the network; he was able to access it. Suspicions confirmed, he twiddled a few things and moved our DHCP IP range to a completely different set of addresses and instructed our team to go to work. We found quite a bit wrong with the network space behind that router! When the network team responsible for that router was drilled they claimed no knowledge of the filtering rule that had been blocking our IP space, and no documentation of its creation existed despite strict rules about such things.
What you're advocating is akin to stripping off street signs and house numbers so that the fire and police depts can't find your home when soliciting for donations. This has the additional side effect of also making sure they cannot find your home should a fire or robbery occur and is stupidity to say the least!
Yes, security scans like this can be bothersome. They can even crash machines and applications that aren't coded properly, and if you've not locked all your doors and sealed the windows someone might crawl in. My all-time favorite was a NAS that would corrupt multi-TB worth of data every time we scanned it; the vendor's response was to tell us to stop scanning it. Ours was to replace the fucking vendor! Stopping these scans by something as stupid as blocking the traffic is simply going to waste the company's money spent hiring these people and come home to roost when someone else crawls in and steals your shit. The difference between this and thieves or vandals is that if THESE guys get in they will let you know what they found and hopefully help you fix it. Which would you rather have? The fact that they have even been spotted is a plus; most of the folks I went up against never noticed us and the stupidity we uncovered was amazing.
Sadly, much as I'd like to NOT post this AC I'm going to have to but trust me simply blocking these guys is a really BIG mistake.
There are three or four likely possibilities for what's going on here:
* The hospital's lawyers and administration know what the IT guy is doing, and are ok with it. Therefore they'll be ok with you and your doctors' group lawyers talking to them about it, though you're going to have to have a long conversation about why this is not a good idea.
* The hospital's lawyers and administration don't know what the IT department is doing, but the IT department thinks they're doing something officially useful, and need to get told it's inappropriate.
* The hospital's IT department is doing this stuff on its own, for evil reasons, and needs to be caught and stopped.
* Some outsider is masquerading as the hospital's IT department, and the email you contacted to tell them to stop doing stuff is really redirected to the bad guys. In that case, the hospital's in a real mess and needs to know about it.
Either way, you've got a responsibility to your doctors and your patients, and you need to go to the top since going to the working-level people didn't get you taken seriously.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Seriously, you are asking the wrong question on the wrong forum. Your legal department or your lawyer should handle this.
The issue is not technical. The question is which laws and contracts bind you and the other side, and which of these regulate their activities towards you.
For example, their security tests could be a part of their HIPAA or SOX implementation, and your contract states that you are included. Or there might be a separate clause in the contract, SLA or other document.
Find out or better - let someone who is a professional in this field find out - where this is written down and what it does and doesn't allow. You might find out that you are already breaking your contract by blocking their probes. Or you might find out that they aren't allowed to probe and are thus in breach of several cybercrime laws. But you won't know until someone who knows the legalese has checked.
Disclaimer:
I used to be the Senior Manager IT Compliance for a mid-sized corporation. I now run my own company.
Assorted stuff I do sometimes: Lemuria.org
How do you know if seeing them in person is authentic? They could be clones or evil twins! :P
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).