10/17/2014
What’s up with all the security breaches in the news?
(and what should we be doing about it!!??)
October 24, 2014
HCCA Mountain Regional Conference
Denver, CO
Speaking Today
• Drew Labbo
• MBA, CISSP
• Children’s Hospital Colorado
• Information Security Officer & Director Information Security
• RMHG LLC – Rocky Mountain HIPAA Guru
• Principal
Sample Information Security Requirements for new Software Acquisition and Implementation
• Secure Data Center (SSAE 16 Type 2, SOC2 Audit)
• Server operating system hardening security review
• NIST 800-53A application controls assessment
• Web Application penetration testing
• Recording of vendor remote access sessions
• Anti-virus software and patching plan on servers that run the application
• Minimum necessary ports and services enabled on site-to-site VPN connection for data transfer
Does this sound overly vigilant and risk averse?
Breaches on the rise
Ineffective to blame Third Party
Why All the Hacking and Breaches These Days!!??
• IT started as a house in the middle of nowhere
• Isolated, undetected, and away from crime
• Securing the house was not a priority
Urban Sprawl Surrounded The House
Internet access, hackers, criminals
Evolution of the Hacking World
Hacking for Sport
Criminals
Hacktivism
Hacker for Hire
Government Cyberwarfare
IT Developers Usually Don’t Inherently Understand Security Risks
Securing the House
Locks on Doors
Locks on Windows
Locks on sky lights
Locks on Garage
Burglar Alarm Security System
Securing IT Systems
• Data Center Security (SSAE 16 Type 2, SOC2)
• Server OS security (hardening)
• Web software security (OWASP)
• Software security (NIST 800-53A)
• Security intrusion detection/prevention (Anti-virus, encryption, IDS/IPS, log monitoring, secure remote connections)
Securing IT Systems
• Data Center Security (SSAE 16 Type 2, SOC2)
• Server OS security (hardening)
• Web software security (OWASP)
• Software security (NIST 800-53A)
• Security intrusion detection/prevention (Anti-virus, encryption, IDS/IPS, log monitoring, patching, secure remote connections)
Does this sound overly vigilant and risk averse?
What Are Other Healthcare Orgs Doing?
• Lack of sophistication and understanding
• Vendors: “Well [insert hospital name here] didn’t request all this extra security stuff”
• [insert hospital name here]: “Oh my, we didn’t consider this when we evaluated security of this vendor’s software!”
Government Audits (KPMG Contracted)
KPMG Findings
Would you buy a house without locks on the doors and windows?
• Data Center Security (SSAE 16 Type 2/SOC2)
• Server OS security (hardening)
• Web application security (OWASP)
• Application security (NIST 800-53A)
• Security intrusion detection/prevention (Anti-virus, encryption, IDS/IPS, log monitoring, secure remote connections)
Questions?
• www.rmhguru.com