What to Do When Hacktivists Target Your Health System

Post on 27-May-2020

Slide Deck: http://goo.gl/4wMk3R

Webex Support 1-866-229-3239

Event #667 827 013

“What to Do When Hacktivists Target Your Health System”

A Complimentary Webinar From healthsystemCIO.com

Sponsored by Proofpoint

Your Line Will Be Silent Until Our Event Begins at 12:00 ET

Thank You!

Housekeeping

• Moderator – Anthony Guerra, editor-in-chief, healthsystemCIO.com

• Ask A Question
  • We will be holding a Q&A session after the formal presentations.
  • You may submit your questions at any time by clicking on the Q&A panel located in the lower right corner of your screen, typing your questions in the text field and hitting send. Please keep the send to default as “All Panelists.”

• Download the Deck
  • Download today's deck at: http://healthsystemcio.com/presentation/hack-webinar.pdf
  • Shortened URL at bottom of all slides

• View the Archive
  • You will receive an email when our archive recording is ready.
  • Separate registration is required.

Agenda — Approximately 45 Minutes

• 30 minutes: Daniel Nigrin, MD, CIO, Boston Children's Hospital

• 5 minutes: A Word From Our Sponsor: Patrick Wheeler, Director, Product Marketing, Proofpoint

• 10 minutes: Q&A w/Daniel Nigrin

“What to Do When Hacktivists Target Your Health System”

Case Study

• What happened?

• How did we respond?

• What did we learn?

• Could it happen again?

A Shot Across Our Bow

• March 20, 2014 – notified by external cyber intelligence group about Twitter/Pastebin posting by Anonymous, threatening attack

• result of highly publicized child custody case

• Anonymous: loose and decentralized group of “hacktivist” individuals

• “d0x” of staff and presiding judge posted

• “Details” of BCH external web site posted

Was This the Real “Anonymous”?

• Not hard to get details they posted

• Not hard to post a video on YouTube

• Should we just discount it then?

Was This the Real “Anonymous”?

Should we just discount it then?

NO!!

• Convened Hospital’s Incident Response Team, began forming contingency plans
  • Especially focused on potential need to “go dark”, cutting ourselves off from Internet if necessary

• Message to entire organization emphasizing vigilance, email security best practices

• Contacted authorities

It Begins

• About 3 weeks later... low volume DDoS attack starts

• Mitigated by network changes

• Cat and mouse – we address attack, they change tactic/increase volume

• 1 week later, Easter/Patriots’ Day weekend (Boston Marathon bombing 1 year anniversary)

• Massive uptick in DDoS volume

• Engaged 3rd party vendor to assist in filtering traffic

Internet Traffic During DDoS Attack

Nigrin, NEJM, July 31, 2014

Not Just DDoS…

• Direct penetration attacks on exposed ports, web sites
  • Proactively took down virtually all externally facing sites: research, philanthropy, patient and provider portals, etc…

• Massive influx of malware laden emails
  • Proactively shut down entire email system for ~24 hrs

• Re-emphasized to staff to not open suspicious mails/attachments

• Ensured no malware made it through filters

It Ends

• About 1 week after high volume DDoS started, it abruptly declined, to a low trickle

• Only gradually brought externally facing sites back online, after extensive 3rd party (re)penetration testing

• Took a deep breath!

Out of all bad things... good things come

What Did We Learn

• DDoS countermeasures are critical!

• Know what systems (or features within systems) depend on Internet access, and have contingency plans for those

• Recognize importance of email, and need for alternate forms of communication

• Need to push through security initiatives – no excuses anymore

• Securing teleconference meetings

• Separating signal from noise

And Most Importantly

As an industry, we’ve got to pay closer attention to these threats, and prioritize our efforts against them, far more than we have done in the past

“What to Do When Hacktivists Target Your Health System”

Patrick Wheeler, Director, Product Marketing, Proofpoint

E-mail is Arguably the #1 Threat Vector

“There is ample evidence that email is the preferred channel to launch advanced targeted attacks.”
- GARTNER, JULY 2013

“Criminals who pursue a career in phishing can reap millions of dollars a year, even if they only manage to snag just a few victims per scam.”
- Brian Krebs, KrebsOnSecurity and investigator who revealed Target breach

“Users WILL be phished, and they WILL eventually click.”
- Verizon 2014 Data Breach Investigations Report

“A BUSINESS’ REPUTATION CAN BE AFFECTED IMMENSELY BY A PHISHING ATTACK ... IRRELEVANT OF A COMPANY’S SIZE, IT CAN TAKE A LONG TIME FOR PEOPLE TO REGAIN CONFIDENCE IN A BUSINESS”
- Rachel Ark, Hacksurfer

The Limits of User Education

• Attackers continually refine and try new phishing templates

The User Challenge

New Threat Landscape, New Requirements

TRADITIONAL ANTI-SPAM

• Traditional Reputation and Signature Systems

• 99% effectiveness good enough

• Black-box

TODAY’S THREATS

• Mass customization and botnets increasingly by-pass

• Every message matters

• Real-time, end-to-end insight and rich policy are critical

Proofpoint Email Security Suite

• Known, Emerging Threats: Proofpoint Enterprise Protection

• Targeted, Previously Unknown Threats: Proofpoint Targeted Attack Protection

• DETECT, BLOCK, RESPOND

Proofpoint (NASDAQ: PFPT)

Security-as-Service Leader

Key Partners

What We Do

• Protect the Most Sensitive Data of the World’s Most Successful Companies

• Comprehensive Data Protection Portfolio

• Scalable Security-as-a-Service platform

• Advanced Threat Protection

Accolades

• Leaders Quadrant: 2012-2013-2014 Magic Quadrant for Secure Email Gateways & Enterprise Information Archive

• Champions Quadrant & Innovation Award, 2012

Select Partners & Customers

Demonstrated Success

• 3 of the 5 largest US Retailers

• 5 of the 5 largest US Banks

• 3 of the 5 largest US Defense Contractors

• 2 of the 5 largest Global Pharmaceuticals Companies

Gartner Positions Proofpoint in the Leaders Quadrant

2014 Magic Quadrant for Secure Email Gateways

• Gartner positions Proofpoint in the Leaders Quadrant

• Evaluation based on Completeness of Vision and Ability to Execute

• Magic Quadrant for Secure Email Gateways by Peter Firstbrook and Brian Lowans, Gartner, Inc., July 1, 2014

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report.

The Gartner report is available from Proofpoint upon request. Read the full report: www.proofpoint.com/magicquadrant

Q&A

Click on the Q&A panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the send to default as “All Panelists.”

Thank You!

• Thanks to our featured speaker: Daniel Nigrin, MD

• Thanks to our sponsor: Proofpoint

• You will receive an email when our archive recording is ready. (Separate registration is required)

• CHIME CHCIO Credits – Attending our Webinars = 1 CEU

• Questions/Comments – Anthony Guerra [email protected]

Go to www.healthsystemCIO.com/webinars to view our upcoming schedule and see the last 12 months of archived events.