Slashdot Mirror


Ask Slashdot: Dealing With Unwanted But Official Security Probes?

An anonymous reader writes "I manage a few computers for an independent private medical practice connected to a hospital network. Recently I discovered repeated attempts to access these computers. After adjusting the firewall to drop connections from the attacking computers, I reported the presumed hacker IP to hospital IT. I was told that the activity was conducted by the hospital corporation for security purposes. The activity continues. It has included attempted fuzzing of a web server, buffer overrun attacks, attempts to access a protected database, attempts to get the password file, etc. The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?"

12 of 238 comments

  1. Is this not your local net police? by Dr. Tom · · Score: 5, Insightful

    You can always run denyhosts, block any IP that attacks you, but it sounds like these guys are on your side, doing penetration testing.
    If they are not, block the addresses. If they are local staff, call the IT dept. and talk to them, don't post to /.

    1. Re:Is this not your local net police? by Gothmolly · · Score: 5, Interesting

      Block them anyway; claim it's part of your normal operations. Hint: they're probably stupid enough to use 1 or 2 IPs.

      --
      I want to delete my account but Slashdot doesn't allow it.
    2. Re:Is this not your local net police? by PolygamousRanchKid · · Score: 5, Informative

      My company's "good guys" run security tests once a week. They send me a report afterwards, listing any "findings". And, most importantly, I was informed by them beforehand, that they would be doing these tests.

      If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    3. Re:Is this not your local net police? by Hizonner · · Score: 5, Interesting

      They're not auditing their security. They're auditing somebody else's security. "Independent private medical practice" means a separate corporation that happens to have a network link. Not "within their rights", and not legal, either.

    4. Re:Is this not your local net police? by ColdWetDog · · Score: 5, Funny

      Just make it look official and let everybody know you're using all the most modern coding tools. For example, your mythical patient could suffer from a burn due to water skis being on fire (ICD 10 code V91.07XA). Or he could have been attacked by a turtle (W5921XA).

      Real codes, but it would be rather unlikely to find such traumatic incidents in actual medical practice.

      --
      Faster! Faster! Faster would be better!
    5. Re:Is this not your local net police? by Hizonner · · Score: 5, Insightful

      Yes, the practice's security affects the hospital's. Your security affects mine, too, and in fact the security of everybody on the Internet affects the security of everybody else.

      Nonetheless, it is not legal, ethical, or appropriate to go around attacking somebody else's systems without their explicit permission. It doesn't matter if you provide them with network service. It doesn't matter if you have (perhaps unwisely) given them access that makes them a potential threat to you. It doesn't matter if you're the "big" network, or if you have more to lose than they do. It doesn't matter if you feel you're "responsible for the whole network". It doesn't matter if they're completely incompetent and overrun with malware.

      If you don't have advance permission, and you attack somebody else's system, you're in CFAA violation territory. And if you didn't get that permission in writing, you're an incompetent idiot.

      This isn't the wild, wild west. Your motives do not matter. The effect on your own security does not matter. End of story.

  2. Establish authorization first by Anonymous Coward · · Score: 5, Informative

    Speak with someone at the managerial level and go find the agreement/piece of paper that states said hospital corporation has the right to perform security audits against your customer's network. Until that does or does not materialize, take no action past what you're already doing in the name of good security.

  3. Key words for me: independent practice by Anonymous Coward · · Score: 5, Insightful

    Unless there are contractual terms which allow the hospital to pentest the independent medical practice, the hospital IT staff are probably violating the law. Get your legal counsel involved ASAP and let the lawyer deal with it.

  4. Have you tried all these? by Anonymous Coward · · Score: 5, Informative

    You've told them that they don't have authorization to access your computers, and are (or would be) in violation of the law if they succeed?
    You've asked for a meeting with their security people so that you can jointly plan to do whatever is needed?
    You're reasonably comfortable that you indeed run a tight ship?
    You've configured your firewall to drop their packets?

    1. Re:Have you tried all these? by Dan Dankleton · · Score: 5, Insightful

      You've asked for a meeting with their security people so that you can jointly plan to do whatever is needed?

      I never have mod points when there's something I want to moderate! This is the thing to do. Get in touch with the hospital's security people. If the scans are causing any problems with IT operations then arrange with them to schedule the scans differently. Otherwise, explain that you've picked up the scans and blocked them per procedure. Ask if they want you to unblock their specific scan so that they can find any issues which would reveal weaknesses you could defend against in more depth.

      All this may be unwelcome but it doesn't sound like there's much you can do about it, so treat it as an opportunity.

  5. Two things by gman003 · · Score: 5, Insightful

    First, as far as the network goes, treat it the same way you would treat any attack. Block IPs, add filters, whatever you normally do. If they are simulating an attack, you should simulate a defense.

    Second, the human response. Make sure that this is actually an authorized security test. Tell them that if you cannot get confirmation that this is an authorized attack, you will have to treat it as an unauthorized one, which means contacting law enforcement, as per standard protocols for dealing with health information. This is "cover your ass" stuff here - if it actually isn't authorized, and you get hacked, you're likely to take the blame for it. And if it is authorized, well, you look like you're doing your job by detecting and responding to the threat.
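The two comments above (block scanning sources as you would any attacker, but get written confirmation and, where authorized, schedule and allowlist the scanner) describe a triage rule that is easy to automate. The following is an added example and not code from the thread or from any commenter: it parses constructed firewall DROP log lines, treats any source that touches many distinct ports as a scan, and only exempts it from blocking when the source range and the time window match an authorization record. The log format, IP addresses, threshold and the `AUTHORIZED_SCANS` record (including its `PLACEHOLDER-AGREEMENT-ID` reference) are all assumptions made for the example; the iptables rules are rendered as text and never executed.

```python
"""Triage firewall DROP records: noise, authorized scan, or block.

Added example, not from the Slashdot thread. All log lines, addresses,
thresholds and the authorization record below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed syslog-like DROP line: "<iso-ts> DROP SRC=<ip> DST=<ip> PROTO=<p> DPT=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>\S+) DST=\S+ PROTO=\S+ DPT=(?P<dpt>\d+)$"
)

# A single source hitting this many distinct destination ports is treated as a scan.
DISTINCT_PORT_THRESHOLD = 5

# What a written, signed-off scan agreement boils down to operationally:
# who may scan, from where, and when. Hypothetical values.
AUTHORIZED_SCANS = [
    {
        "source": ip_network("10.20.30.0/24"),
        "start": datetime(2019, 3, 4, 2, 0, tzinfo=timezone.utc),
        "end": datetime(2019, 3, 4, 4, 0, tzinfo=timezone.utc),
        "reference": "PLACEHOLDER-AGREEMENT-ID",
    },
]


def _lines(ts_prefix, src, ports):
    """Build constructed DROP records, one per port, a second apart."""
    return [f"{ts_prefix}:{i:02d}Z DROP SRC={src} DST=192.0.2.10 PROTO=TCP DPT={p}"
            for i, p in enumerate(ports)]


# Constructed sample log: an authorized in-window scan, an in-range but
# out-of-window scan, an unknown scanner, a single stray hit, and junk.
SAMPLE_LOG = "\n".join(
    _lines("2019-03-04T02:10", "10.20.30.7", [80, 443, 1433, 3306, 22, 8080])
    + _lines("2019-03-04T23:05", "10.20.30.9", [80, 443, 22, 3389, 445])
    + _lines("2019-03-04T14:00", "10.20.31.50", [21, 22, 23, 25, 80, 443])
    + _lines("2019-03-04T09:15", "198.51.100.4", [445])
    + ["this line is not a DROP record and is ignored"]
)


def parse_line(line):
    """Return (timestamp, source address, destination port) or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, ip_address(m["src"]), int(m["dpt"])


def summarize(log_text):
    """Per source: first and last timestamp seen plus the set of ports touched."""
    seen = defaultdict(lambda: {"first": None, "last": None, "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # anything that is not a DROP record is skipped
        ts, src, dpt = rec
        s = seen[src]
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
        s["ports"].add(dpt)
    return seen


def authorization_for(src, first, last):
    """Match only if the source is in an allowed range AND the whole activity
    window sits inside the scheduled slot; a scan that starts in range but
    runs outside the agreed hours is not covered."""
    for entry in AUTHORIZED_SCANS:
        if src in entry["source"] and entry["start"] <= first and last <= entry["end"]:
            return entry
    return None


def triage(log_text):
    """Classify each source as 'noise', 'authorized_scan' or 'block'."""
    decisions = {}
    for src, s in summarize(log_text).items():
        if len(s["ports"]) < DISTINCT_PORT_THRESHOLD:
            decisions[str(src)] = "noise"
            continue
        auth = authorization_for(src, s["first"], s["last"])
        decisions[str(src)] = "authorized_scan" if auth else "block"
    return decisions


def block_rules(decisions):
    """Render iptables rules for sources to block (text only, nothing executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip, verdict in sorted(decisions.items()) if verdict == "block"]


if __name__ == "__main__":
    verdicts = triage(SAMPLE_LOG)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:15} {verdict}")
    print("\n".join(block_rules(verdicts)))
```

The point of `authorization_for` is that authorization is checked on both axes: an address inside the agreed range that probes outside the agreed hours is still blocked and reported, which is exactly the evidence you want in hand when you ask the hospital to confirm what is and is not sanctioned.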

  6. Escalate to their legal contacts now. by billstewart · · Score: 5, Insightful

    There are three or four likely possibilities for what's going on here:

    * The hospital's lawyers and administration know what the IT guy is doing, and are ok with it. Therefore they'll be ok with you and your doctors' group lawyers talking to them about it, though you're going to have to have a long conversation about why this is not a good idea.
    * The hospital's lawyers and administration don't know what the IT department is doing, but the IT department thinks they're doing something officially useful, and need to get told it's inappropriate.
    * The hospital's IT department is doing this stuff on his own, for evil reasons, and needs to be caught and stopped.
    * Some outsider is masquerading as the hospital's IT department, and the email you contacted to tell them to stop doing stuff is really redirected to the bad guys. In that case, the hospital's in a real mess and needs to know about it.

    Either way, you've got a responsibility to your doctors and your patients, and you need to go to the top since going to the working-level people didn't get you taken seriously.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks