The presidential and defense websites slipped offline, Internet communications were down, and major media were inaccessible. While the Georgian government tried to cope with the country falling into darkness, Russia launched a physical assault with soldiers and tanks.

One of the main weapons of choice in the 2008 cyberwar was a botnet—a network of infected computers sometimes referred to as “zombie armies,” which work as slaves to a master computer. The main attack from a botnet can take websites offline by overloading them, known as a distributed denial of service (DDoS) attack.

There was something unique about this particular botnet though. “When Russia rolled into Georgia they hired a botnet to shut down the country,” Matthew Jonkman, president of the Open Information Security Foundation, said in a phone interview.

“That was years ago and they’ve gotten even better,” Jonkman said.

The hacker underground has grown since the 2008 attacks. Hackers can now be hired through underground forums using anonymous payment methods like Bitcoin, botnets can be rented for as little as $5 an hour, and nearly any target can be taken offline or compromised for the right price.

“Cyber attacks designed to knock Web sites off line happen every day, yet shopping for a virtual hit man to launch one of these assaults has traditionally been a dicey affair,” states Brian Krebs on his popular cybersecurity blog, Krebs on Security.

“That’s starting to change: Hackers are openly competing to offer services that can take out a rival online business or to settle a score,” Krebs states.

Hackers for Hire

The Russia-Georgia cyberwar, like the Estonia-Russia cyber conflict of 2007, is often referenced as an example of what cyberwar is capable of. Although the attacks on Estonia—one of the world’s most wired countries—did not involve physical attack, virtually the whole country came to a standstill as banks, communications, and government fell victim to cyberattacks.

Even in 2007, however, much of the world was still ignorant of the devastating potential of cyberwar. The risks only came to the forefront after hacker group Anonymous Operations began its “Operation Payback” attacks on companies including Mastercard and PayPal in 2010, retaliating against government actions on information-leaking website WikiLeaks.

Their attacks, and the highly publicized attacks from hacker group LulzSec that came later, highlighted the rise of a new kind of threat. With that, the eyes of the world opened to the flimsy foundation that much of the Internet is built on—one riddled with holes, and one that can be knocked out on little more than a whim.

Among the terrible truths of the attacks by Anonymous and LulzSec is that neither group is necessarily skilled when compared to the hacker elite. The majority of them use software or pre-written scripts to launch their attacks—hackers refer to them as “script kiddies,” unworthy of being called hackers. Thus the companies that fell victim to their attacks often fell to some of the most basic attacks there are—highlighting again the dismal state of digital security.

While these groups have garnered the most attention, the real concern is about the groups that are lesser known—terrorist organizations, state-affiliated hacker groups like the Chinese Honker Union and the Russian Business Network, and the underground elite (“leet”) of the hacker world.

In September, Secretary of the Department of Homeland Security (DHS) Janet Napolitano stated “The U.S. has become ‘categorically safer’ since 9/11, but cyber-terrorism now tops the list of security concerns.”

Cyber jihadists are already springing up around the Web, while many, like the Tariq bin Ziyad digital terrorist organization, even offer to train new members who know little or nothing about hacking.

The added threat, however, is that these groups could pull from the same resources as Russia did during their attack on Georgia—weaponizing a botnet, or going to the hired guns on the digital front. “Just as organized crime groups have hired hackers, it is possible that nation states could hire or distantly support jihad networks and launch cyber-attacks through them,” states an April 17 report from Project Cyber Dawn, part of The Cyber Security Forum Initiative.

Meanwhile, concern over groups like Anonymous, and over lesser-skilled yet active groups like the Iranian Cyber Army, is less about where they are now and much more about what they could become.

The DHS posted a bulletin on Oct. 17 warning that Anonymous may be planning attacks on critical infrastructure, including energy companies and industrial control systems. It adds that while the group seems to lack the ability to hit such targets currently, they may develop the skill.

But the poor state of today’s cybersecurity leaves major gaps. “What we have is in a very fragile state, so anybody who does get organized and goes after it could cause serious damage,” Jonkman said.

He added that a lot of groups, like the Iranian Cyber Army, launch many of their attacks for bragging rights—maybe defacing someone’s website with their logo and a statement. The concern, though, is that the lesser-skilled groups could also pull from the more elite guns-for-hire.

“The ones we should worry about are the ones we don’t know about, and the state-sponsored stuff. Now, these groups can make a lot of noise or be hired by an organization or country to do something,” Jonkman said.

“It could pose a very significant threat, more than the overall threat in general,” he said.

With an increased focus on better patient outcomes and reduced costs, the healthcare industry is slowly but surely moving towards digitisation, and healthcare organisations today are increasingly using IT for diagnosis and care. The availability and use of sophisticated diagnosis techniques like teleradiology (where the attending physician remotely interprets the patient’s condition using biomedical devices) means that paperlessness is becoming the order of the day. The growth of concepts like Telemedicine and Telehealth (including m-health, which uses mobile technology for diagnosis and care) indicates that the boundary of the hospital is expanding and the number of points of care is increasing rapidly.

Ironically though, while enabling medical practitioners to reach out to their patients in much better ways, technology has made the delivery of healthcare more complex. As patients and doctors become increasingly mobile, healthcare stakeholders need to follow the right process, provide information where and when needed, and collate data from and to a variety of devices. All of this increases the likelihood of security breaches and loss of patient health data. Therefore, healthcare organisations today are under intense pressure and scrutiny for security, privacy and compliance.

According to a Healthcare Information Management Systems Society (HIMSS) 2009 survey, the top three security concerns for healthcare CIOs are internal breaches, regulatory compliance, and inadequate deployment of technology. Solutions that help meet regulatory requirements, mitigate security threats and manage risks are increasingly being sought after.

Being compliant helps healthcare organisations reduce patient risk and increases patient confidence. It prevents damage to the reputation of the organisation and costly fines/penalties for the organisation and its executives. Compliance prevents loss of revenue and reduces the likelihood of professional damage to healthcare workers. It also enables doctors to work easily with any hospital in any geography using standards-based tools for diagnosis and care.

In emergency situations, the use of standards-based tools ensures, for example, that an ambulance on the road can easily interface with any nearby hospital. Standardised tools also provide alarms and warnings, such as for temperature changes within a lab or chemical spills, and increase patient safety within a hospital. On a larger scale, they help the government in disease surveillance.

Becoming Compliant

As governments across the world and the general public insist that healthcare organisations take appropriate steps to ensure the proper use and protection of personal information, leaders in healthcare, business, technology, and information security need to collaborate and adopt standards that help reduce the inconsistencies, inefficiencies and high costs associated with the exchange of health information.

The process of gaining compliance calls for IT functions to come together in the areas of data confidentiality, integrity, availability, and auditability. Compliance can be obtained through standards mandated by bodies like the National Accreditation Board for Hospitals & Healthcare Providers (NABH) or by legislation like the Health Insurance Portability and Accountability Act (HIPAA).

Helping ensure regulatory compliance, however, poses a great challenge for IT managers. Most regulations do not specifically state what they require from an IT perspective, and often several different regulations apply to a given organisation, making it difficult for IT managers to know what they must do to meet their compliance goals.

Although some vital differences exist among the various regulations, there is a substantial amount of overlap because they all deal with the fundamental issues of data security and privacy. An optimal way to address regulations is to first understand the potential threats and vulnerabilities of the data and network, and then create an effective and secure technology solution built on a well-designed infrastructure. This helps to easily deal with any new regulation that becomes law.

Categorising Vulnerabilities

By grouping protection techniques and vulnerabilities under the categories of confidentiality, integrity, availability and auditability, IT managers can create a common baseline for establishing guidelines that help achieve compliance. This process scales with the evolving threat landscape, and new security measures can be incorporated easily.

Maintaining the confidentiality of healthcare data, which is continually exchanged between people and across networks, is critical. In the event of interception, it is important to make sure that data cannot be read or used by unauthorised parties. Data protection rests on authentication through unique user IDs and strong authentication processes; access control, wherein access privileges are granted strictly on a need-to-know basis; and privacy, which relies on strong encryption of data in transit and at rest.

Firewalls, VPNs, intrusion prevention systems (IPSs), authentication, authorisation, and endpoint protection along with encryption are important for ensuring confidentiality of data in transit across the internet, wireless networks and hotspots, unsecured network areas, and areas providing guest access to the network.

In addition to confidentiality, it is also important to protect data against improper alteration or destruction and ensure its integrity, i.e., ensure that data and information are accurate, complete and inviolably preserved. Specific threats to data integrity include data theft, copying, saving, modification, deletion and unauthorised access. To protect from these threats it is best to use a firewall and IPS in the network and on the endpoints.

Within the realm of regulatory compliance it is critical to ensure that authorised users have access to regulated data at all times while unauthorised users never access data. Compliance also means that an organisation addresses availability within the context of business continuity and disaster recovery. Availability is a critical function of security control because it ensures that no legitimate users are barred from accessing the data they need. Some specific, active threats to availability include viruses and worms and denial-of-service (DoS) attacks besides natural disasters, power outages, and a variety of emergency situations.

A broad range of options is available for healthcare organisations to implement strategies that strengthen business continuity controls, improve network and application resilience and reduce operating expenses. For starters, mission-critical applications can be identified and classified and a minimum amount of bandwidth established for them. They can then be policy-routed and marked for preferential treatment. Non-critical applications can similarly be classified, policed, or blocked, as required.

Auditability is critical from a compliance perspective because it provides proof, in the form of an audit trail, that a healthcare company is following the steps necessary to satisfy specific regulations and secure sensitive information. When each security action that a company takes is tracked and audited, it is possible to demonstrate compliance and allow incident investigation.

Network and Automation

While seeking regulatory compliance, network operators must understand how the network is behaving, including its response to changes. Using solutions for security, monitoring, analysis and response helps provide intelligence to the network infrastructure, receive alerts and notifications from firewalls, IPSs and wireless applications, identify the threat, determine where it is occurring, to effectively stop it and protect data. By logging all the information and actions, it is possible to prepare incident response reports and compliance audits.

Because it touches every aspect of the extended organisation and connects all business processes, the network plays a fundamental role in regulatory compliance. With the inclusion of remote workers, healthcare organisations today need an end-to-end, system-based approach that is integrated and adaptive to manage their network security risks and addresses compliance requirements. Deploying or migrating to new technology platforms can help companies achieve regulatory compliance, lower costs and reduce overall security risks. Healthcare organisations also need to adopt best practices and technologies that have proven successful in other industries to enforce security.

Healthcare organisations that use IT resources to continuously track everything on the network must invest in solutions that automatically maintain a real-time inventory of these assets and of how they are changing, because new assets, new applications, and configuration changes can introduce vulnerabilities that attackers look to exploit. Automation is the key to implementing and maintaining effective security and complying with regulatory requirements.

With threats to the network becoming faster, smarter, more prevalent, and more elusive than ever before, people cannot be as vigilant as they need to be to watch for policy violations or to flag abnormal network behaviours. Therefore healthcare organisations should adopt solutions that reduce their effort not only to install and configure the technology, but also to monitor and enforce organisational network security policies automatically, including compliance rules and lists. Smart technologies that can provide automation in the areas of tuning, alert routing, policy enforcement, and remediation are critical. When evaluating security products, healthcare organisations should focus their efforts on identifying technology that offers more than a single feature, because such solutions are cost-effective and require fewer IT security staff resources to maintain on an ongoing basis.
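The two paragraphs above argue for an automatically maintained asset inventory and for automated policy checks over it. As an added illustration (example code written for this page, not the article's or any vendor's product), the script below compares two inventory snapshots, flags new, removed and changed assets and listening services, and then checks the current snapshot against a small policy. The hostnames, services and attributes in BASELINE, CURRENT and REQUIRED are constructed sample data, and the policy rules are assumptions for the example.

```python
# Constructed sample snapshots: hostname -> asset record. A real inventory
# would be fed by discovery scans, DHCP/NAC logs or a CMDB export.
BASELINE = {
    "pacs-01":   {"owner": "radiology",   "services": {443},  "disk_encrypted": True,  "guest_vlan": False},
    "ehr-db-01": {"owner": "clinical-it", "services": {5432}, "disk_encrypted": True,  "guest_vlan": False},
    "kiosk-07":  {"owner": "facilities",  "services": {80},   "disk_encrypted": False, "guest_vlan": True},
}
CURRENT = {
    "pacs-01":   {"owner": "radiology",   "services": {443, 22}, "disk_encrypted": True,  "guest_vlan": False},
    "ehr-db-01": {"owner": "clinical-it", "services": {5432},    "disk_encrypted": False, "guest_vlan": False},
    "infusion-pump-12": {"owner": None,   "services": {80, 23},  "disk_encrypted": False, "guest_vlan": True},
}

# Assumed policy: attribute values every asset must hold.
REQUIRED = {"disk_encrypted": True}


def diff_inventory(baseline, current):
    """Return a sorted list of (host, kind, detail) findings describing drift
    between two snapshots: assets appearing or disappearing, services starting
    or stopping, and any other attribute that changed value."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        old, new = baseline.get(host), current.get(host)
        if old is None:
            findings.append((host, "new_asset", f"services={sorted(new['services'])}"))
            continue
        if new is None:
            findings.append((host, "removed_asset", "no longer seen on the network"))
            continue
        for port in sorted(new["services"] - old["services"]):
            findings.append((host, "new_service", f"port {port} now listening"))
        for port in sorted(old["services"] - new["services"]):
            findings.append((host, "removed_service", f"port {port} no longer listening"))
        for attr in sorted(set(old) | set(new)):
            if attr != "services" and old.get(attr) != new.get(attr):
                findings.append((host, "attribute_changed",
                                 f"{attr}: {old.get(attr)} -> {new.get(attr)}"))
    return findings


def policy_violations(inventory, required=REQUIRED):
    """Return (host, kind, detail) findings for assets that contradict the
    required attribute values or have no accountable owner recorded."""
    out = []
    for host in sorted(inventory):
        asset = inventory[host]
        if not asset.get("owner"):
            out.append((host, "unowned", "no accountable owner recorded"))
        for attr, want in required.items():
            if asset.get(attr) != want:
                out.append((host, "policy", f"{attr} must be {want}, found {asset.get(attr)}"))
    return out


if __name__ == "__main__":
    print("Inventory drift since baseline:")
    for host, kind, detail in diff_inventory(BASELINE, CURRENT):
        print(f"  {host:18} {kind:18} {detail}")
    print("Policy violations in current snapshot:")
    for host, kind, detail in policy_violations(CURRENT):
        print(f"  {host:18} {kind:18} {detail}")
```

Each finding is a tuple rather than free text so that a scheduler can route it (new unowned assets to the asset owner process, encryption regressions to the compliance queue) and so that the same run can be logged as evidence for an audit trail.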

In addition to the above, the use of standardised nomenclatures and code sets to describe clinical problems, procedures, medications, allergies, clinical summaries, prescriptions, etc., helps to establish a common, predictable, secure communication protocol between systems and meet regulatory compliance within a healthcare setup. Authentication, access control, and transmission security standards that relate to, and span across, all of the other types of standards add to the benefit.

Adopting Standards

Network-based applications have transformed virtually every industry, and healthcare is no exception. Solutions that allow access to Electronic Health Records (EHRs), medical management systems, imaging, biomedical information, material management, patient accounting, admitting information, and online claims submissions are becoming commonplace in wireless, wired, and mobile scenarios. Since all data on patients need to be kept secure and private, both wired and wireless security is a significant part of the overall security strategy of any healthcare facility.

Generally, a combination of wired and wireless security standards should be considered to meet regulatory requirements. As regulatory audits become more frequent, there is an increased need to enforce data security, and organisations handling electronic health data need to implement measures for controlling access to confidential medical information and protecting it against compromise and misuse.

Healthcare organisations must establish a policy for how the institution manages risk on the network so that the key properties are maintained. They must put in place a process for applying risk management throughout the life cycle of the network. They need to assign people who can execute the risk management process, provide the necessary resources, specify the criteria by which risk is determined to be acceptable and approve the results of the risk management process. In order to meet regulatory requirements, healthcare organisations that maintain and operate networks with medical devices are urged to consult and implement regulatory recommendations to minimise the risk involved in operating such networks.

Deploying, for example, the Cisco Medical-Grade Network (MGN) architecture can be a good option for obtaining compliance because it is not just a set of firewalls at the perimeter of the network, nor does the protection end when the information is written to disk or sent to an offsite vault. The architecture applies industry best practices to the entire healthcare environment and gives care providers and vendors the ability to interact seamlessly with the network and its related clinical systems. Wireless, virtual private network (VPN), and collaborative technologies extend the benefit further. The network provides fundamental mechanisms and services for interaction in a highly secure manner and enables compliance with regulatory guidelines and best practices.

Conclusion

Architectural attributes that respond to the changing clinical requirements help the rapid deployment and secure use of various systems for efficient healthcare delivery while also responding to new security demands, maintaining uptime, serviceability, and adherence to regulatory changes. Robustly designed architectures which are scalable add to the benefit.

Healthcare organisations that approach compliance using a solid security foundation coupled with comprehensive technology solutions that use proven IT control frameworks, best practices, and threat modeling processes will have a defensible position when their networks are subjected to compliance reviews. They will be able to ready themselves for compliance challenges not only of the present but the future as well.


Last year, we discussed whether or not things like Operation Payback by Anonymous (DDoSing sites of organizations they didn’t like) was really the equivalent of a modern-day sit-in protest, rather than a criminal hacking, as law enforcement (and victims) wanted to allege. It appears that this may be a question that courts are going to need to answer. Nick points us to the news that the lawyer for a homeless guy accused of setting up a DDoS on the City of Santa Cruz (he was pissed about a law) is claiming that DDoS attacks are legal and protected speech in the form of a protest:

“There’s no such thing as a DDoS ‘attack’,” Leiderman said. “A DDoS is a protest, it’s a digital sit in. It is no different than physically occupying a space. It’s not a crime, it’s speech.”

Leiderman said the crimes shouldn’t be prosecuted at all. “Nothing was malicious, there was no malware, no Trojans. This was merely a digital sit in. It is no different from occupying the Woolworth’s lunch counter in the civil rights era.”

This case has nothing to do with Anonymous, LulzSec or any of those high-profile groups, but they might want to pay attention to it. It seems that some of those already arrested in various sweeps against Anonymous and LulzSec have indicated that they’re considering the same defense strategy. In that last one, involving Mercedes Haefer, who was charged with being a part of Anonymous, her lawyer is pointing out that President Obama has asked supporters to overload the switchboards of Congress — and that’s a form of a denial of service attack:

“I think this is a political persecution, end of story,” Cohen said. “This administration wants to send a message to those who would register their opposition: ‘you come after us, we’re going to come after you.’ That’s what has happened in the Eric Holder Department of Justice.”

“When Obama orders supporters to inundate the switchboards of Congress, that’s good politics, when a bunch of kids decide to send a political message with roots going back to the civil rights movement and the revolution, it’s something else,” Cohen told TPM, stipulating that he was not indicating that his client was even involved. “Barack Obama urged people to shutdown the switchboard, he’s not indicted.”

Not surprisingly, I’m sympathetic to this argument, though I do wonder how well it’ll play in court. In both of these cases, I think a decent case can be made that the actions are a form of speech, in that they were both designed to protest certain actions. The question is whether or not the courts will recognize them as legitimate and protected protests. And that may very well come down to the judges in the cases.

In 2007, a Google engineer, Michal Zalewski, published a memo detailing a potential vulnerability of both Apache and IIS Web Servers after investigating the HTTP/1.1 “Range” header implementation. He reported then:

it is my impression that a lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator. Whoops?

A proof of concept for the Apache DDoS tool was published as a Perl script on August 19 on the “Full Disclosure” security mailing list. On August 24, the Apache Security Team published a memo explaining:

It most commonly manifests itself when static content is made available with compression on the fly through mod_deflate – but other modules which buffer and/or generate content in-memory are likely to be affected as well. This is a very common (the default right!?) configuration.

The attack can be done remotely and with a modest number of requests leads to very significant memory and CPU usage.

Active use of this tools has been observed in the wild.

There is currently no patch/new version of apache which fixes this vulnerability. This advisory will be updated when a long term fix is available. A fix is expected in the next 96 hours.

On Friday, Apache published a second advisory in which they explain how Apache httpd and its so-called internal ‘bucket brigades’ deal with a request to return multiple (overlapping) ranges, in the order requested. A single request can ask for a very large range (e.g. from byte 0 to the end) hundreds of times. Currently this kind of request internally explodes into hundreds of large fetches, all of which are kept in memory in an inefficient way.

This is being addressed in two ways: by making things more efficient, and by weeding out or simplifying requests deemed too unwieldy. There are several immediate options to mitigate this issue until a full fix is available.

Apache’s mitigation strategies ranged from completely disallowing the Range header, to limiting the size of requests, to deploying a custom Range-counting module. Lori MacVittie detailed how the mitigation strategies could be implemented with BIG-IP.
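As an added illustration of the last of those mitigations, the checker below does what a Range-counting module or a front-end proxy would do before httpd expands the ranges: it parses the header, drops malformed or unsatisfiable specs the way HTTP/1.1 allows, and refuses requests that ask for too many ranges or for overlapping ones, which is exactly the shape of request the advisory describes exploding into many in-memory copies. This is example code written for this page, not Apache's patch or the BIG-IP configuration MacVittie described; the limit of five ranges and the overlap rule are assumed policy choices, not numbers from the advisory.

```python
import re

# Assumed policy limit for this example; the Apache advisory prescribes no number.
MAX_RANGES = 5


def parse_byte_ranges(header, resource_len):
    """Parse an HTTP/1.1 Range header value (e.g. 'bytes=0-99,-50') into a
    list of inclusive (start, end) pairs clipped to the resource length.
    Returns None when the header is malformed. Ranges that start beyond the
    end of the resource are unsatisfiable and are dropped."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+)", header)
    if not m:
        return None
    ranges = []
    for spec in m.group(1).split(","):
        sm = re.fullmatch(r"(\d*)-(\d*)", spec.strip())
        if not sm:
            return None
        first, last = sm.groups()
        if first == "" and last == "":
            return None
        if first == "":
            # Suffix range '-N': the last N bytes of the resource.
            n = int(last)
            if n == 0:
                return None
            start, end = max(0, resource_len - n), resource_len - 1
        else:
            start = int(first)
            if last != "" and int(last) < start:
                return None  # first-byte-pos after last-byte-pos: syntactically invalid
            if start >= resource_len:
                continue  # unsatisfiable range; ignore it
            end = resource_len - 1 if last == "" else min(int(last), resource_len - 1)
        ranges.append((start, end))
    return ranges


def evaluate_range_header(header, resource_len, max_ranges=MAX_RANGES):
    """Decide what to do with a Range header before the server expands it.

    Returns (decision, detail) where decision is:
      'serve'  - honour the ranges as a multipart/byteranges response
      'ignore' - behave as if no Range header were sent, which HTTP/1.1
                 permits for malformed or unsatisfiable range sets
      'reject' - refuse the request: too many ranges, or overlapping ranges,
                 the pattern that made httpd build many in-memory copies
    """
    ranges = parse_byte_ranges(header, resource_len)
    if ranges is None:
        return "ignore", "malformed Range header"
    if not ranges:
        return "ignore", "no satisfiable ranges"
    if len(ranges) > max_ranges:
        return "reject", f"{len(ranges)} ranges exceeds limit of {max_ranges}"
    # Repeated or overlapping ranges each cost the server another copy of the
    # same bytes, so sort and check neighbours for overlap.
    ordered = sorted(ranges)
    for (s1, e1), (s2, e2) in zip(ordered, ordered[1:]):
        if s2 <= e1:
            return "reject", f"overlapping ranges {s1}-{e1} and {s2}-{e2}"
    total = sum(e - s + 1 for s, e in ranges)
    return "serve", f"{len(ranges)} ranges, {total} bytes"


if __name__ == "__main__":
    # Constructed sample headers evaluated against a 1000-byte resource.
    for hdr in ("bytes=0-99", "bytes=0-9,20-29,10-19", "bytes=-100",
                "bytes=0-,1-,2-", "bytes=0-,0-,0-,0-,0-,0-",
                "bytes=2000-3000", "items=0-5"):
        print(f"{hdr!r:30} -> {evaluate_range_header(hdr, 1000)}")
```

The overlap check matters as much as the count: three ranges that each run from a different offset to the end of the file stay under the limit yet still make the server copy almost the whole resource three times, so a counting module that only looks at the number of commas would let that request through.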