monthly cyber threat briefing - american hospital association · 2018-10-03 · kelvin security...
TRANSCRIPT
1
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net | © 2016 HITRUST Alliance. All Rights Reserved.
Monthly Cyber Threat Briefing
February 2016
Presenters
• Majed Oweis: CISCP Analyst, US-CERT
• Srujan Kotikela: Senior Threat Scientist, Armor
• Jon Clay: Sr. Mgr – Global Threat Communications, Trend Micro
• Luis Mendieta: Sr. Threat Researcher, ThreatStream
• Dennis Palmer: Senior Assurance Associate, HITRUST
NCCIC/US-CERT
ARMOR: TOP THREAT ACTORS AND COMMAND AND CONTROL ACTIVITY
Top Vulnerability Exploits for the Last 30 Days

NAME | HITS | RELATED TECHS/MALWARE
CVE-2015-8126 | 126 | Reddit, Bitcoin
CVE-2014-0160 (Heartbleed) | 20 | OpenSSL, Yahoo, Google, Encryption, SSL
Stagefright Vulnerability | 12 | Android, Google, Exploit, Smartphone, Zimperium
CVE-2015-0311 | 8 | Adobe Flash Player, Adobe, Microsoft Control Flow Guard, Windows 8.1, Windows 8
CVE-2015-7830 | 8 | XML
CVE-2015-4000 (Logjam) | 6 | OpenSSL, Diffie-Hellman, Apache HTTP Server, Encryption, TLS Encryption
CVE-2015-1743 | 6 | Microsoft IE, Microsoft, Explorer Elevation, Internet Explorer 7, RCE
CVE-2015-1745 | 6 | Microsoft IE, Microsoft, Adobe, memory corruption, RCE
CVE-2015-6612 | 5 | Bluetooth, Alphabet Inc., Android, Telephony
CVE-2014-3566 (POODLE) | 5 | SSL, Google, Encryption, OpenSSL, IBM Corporation
MS08-067 | 5 | Conficker, Honeypot, Microsoft, DCE/RPC, Connection
CVE-2015-3977 | 5 | Schneider Electric, IMT25, CVSS v2
CVE-2015-5655 | 4 |
CVE-2013-0634 | 4 | Adobe, Adobe Flash Player, Firefox, Microsoft Word, Microsoft Windows
CVE-2015-7645 | 4 | Adobe Flash Player, Adobe, Angler Exploit Kit, Nuclear Pack Exploit Kit, Trend Micro
CVE-2014-9163 | 4 | Adobe, Adobe Flash Player, Flash 15.0.0.242, Microsoft IE, Forbes
Action Item:
1. Follow up related vulnerabilities (attack tree)
2. Identify the patch status of your systems
3. Prioritize your remediation efforts
Top Emerging Malware Entities

NAME | HITS | RELATED TECHS/MALWARE
Cherry Picker | 499 | Abaddon, Point of Sale, Trustwave, Encryption, Radar
Bookworm | 207 | Microsoft, Kaspersky Lab, Palo Alto Networks, Deluxe Corp, PlugX - Korplug - Sogu
b374k web shell | 85 | Unix shell, PDO, Perl, Injection, Java
KillerRat | 9 | njRAT - Bladabindi
Candle Jar | 9 | Positive Energy, ClearBox, Results Hub, Sun Washed Linen, Diluents
Fastoplayer | 5 | Microsoft Windows
BadBarcode | 5 | Internet of Things
TinyLoader | 4 | VAWTRAK, Abaddon, Proofpoint, Fareit, Microsoft Word
Karrot | 4 | Mobile Phone, TalkTalk Telecom Group
GoMovix | 4 | Microsoft IE, Firefox, Mozilla, Google
Action Item:
1. Identify malware entities related to your environment and block them
2. Ensure your network sensors are always up to date and tuned to detect indicators
Hacker Activity

NAME | HITS
Anonymous | 2794
CtrlSec | 378
Cyber Caliphate | 257
Lizard Squad | 75
GhostSec | 18
Anonymous Legion | 16
Anonymous Argentina | 14
Mujahidin Cyber Army | 11
Armada Collective | 6
Anonymous Ireland | 6
Cracka With Attitude | 5
Anonymous Palestine | 2
APT17 Deputy Dog | 2
Anonymous Mexico | 2
Kelvin Security Team | 1
AnonGh0st | 1
Hunter Gujjar | 1
Anonymous Operation Philippines | 1
Guardians of Peace | 1
Al Qassam Cyber Fighters | 1
Anonymous Canada | 1
Action Item:
1. Follow hacker activity that is a threat to your brand
2. Subscribe to threat intelligence feeds for constant updates
Top Suspicious IP Addresses
Action Item:
1. Ensure your security monitoring list is updated with the latest threat IPs
Ransomware Criminals Infect Thousands with Weird WordPress Hack
An unexpectedly large number of WordPress websites have been mysteriously compromised and are delivering the TeslaCrypt ransomware to unwitting end-users. Antivirus is not catching this yet.

Malware researchers from Malwarebytes and other security firms have reported that a massive number of legitimate WordPress sites have been compromised and are silently redirecting visitors to sites hosting the Nuclear Exploit Kit.

It is not yet clear how the WordPress sites are getting infected, but it is highly likely that a new vulnerability is being exploited in either WordPress itself or a very popular WordPress plugin.

The WordPress sites are injected with large blocks of rogue code that perform a silent redirection to domains that appear to be hosting ads.

The compromised WordPress sites had encrypted code appended to the end of all legitimate JavaScript files; the malware tries to infect every accessible .js file.

The attack tries to conceal itself: the code redirects end-users through a series of sites before dropping the ransomware payload. Once a WordPress server is infected, the malware also installs a variety of backdoors on the machine.

Action Item:
1. Patch server operating systems
2. Patch WordPress
3. Get rid of unused WordPress plugins as soon as possible and patch the current ones
4. Update all your WordPress instances at the same time to prevent cross-infections
5. Lock down all WordPress instances with a very strong password and WordPress 2-factor authentication
6. Back up your data and keep daily off-site backups
7. Regularly pentest your websites
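Because this campaign appends encrypted code to the end of every reachable .js file, a file-integrity check against a post-update baseline catches it even before antivirus has a signature. The script below is an added example, not from the briefing or the researchers it cites; the marker list, length threshold and sample files are my assumptions, constructed for the demonstration.

```python
"""Flag .js files in a WordPress tree that drifted from a known-good baseline
or that end in an appended, encoded-looking line. Added example (not from the
briefing); sample paths and contents below are constructed."""
import hashlib
import os
import re
from typing import Dict, List

# Tokens typical of injected redirect code; an assumed list, not from the page.
OBFUSCATION_MARKERS = ("eval(", "String.fromCharCode", "unescape(", "atob(", "document.write(")
# One quoted literal of 200+ base64/hex-looking characters.
LONG_LITERAL = re.compile(r'["\'][A-Za-z0-9+/=\\x%]{200,}["\']')
MIN_TAIL_LEN = 300  # assumed: injected tails are a single very long line


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Snapshot (path -> sha256) taken right after a clean install or update."""
    return {path: sha256_hex(data) for path, data in files.items()}


def suspicious_tail(data: bytes) -> bool:
    """True when the last non-blank line looks like appended, encoded code."""
    lines = [ln for ln in data.decode("utf-8", errors="replace").splitlines() if ln.strip()]
    if not lines or len(lines[-1]) < MIN_TAIL_LEN:
        return False
    tail = lines[-1]
    return any(m in tail for m in OBFUSCATION_MARKERS) or bool(LONG_LITERAL.search(tail))


def scan_tree(files: Dict[str, bytes], baseline: Dict[str, str]) -> List[dict]:
    """Report every .js file that is new, changed, missing, or has a suspicious tail."""
    findings = []
    for path, data in sorted(files.items()):
        if not path.endswith(".js"):
            continue
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        elif baseline[path] != sha256_hex(data):
            reasons.append("hash differs from baseline")
        if suspicious_tail(data):
            reasons.append("appended obfuscated tail")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    for path in sorted(set(baseline) - set(files)):
        findings.append({"path": path, "reasons": ["missing (in baseline, not on disk)"]})
    return findings


def load_tree(root: str) -> Dict[str, bytes]:
    """Read every .js file under a real document root into memory, keyed by relative path."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".js"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


# Constructed sample: a clean file, the same file after an injection, and a stray upload.
CLEAN_JS = b"/*! demo.js */\n(function(){document.title='ok';})();\n"
INJECTED_JS = CLEAN_JS + b"var _0x=\"" + (b"QUJDREVG" * 40) + b"\";eval(atob(_0x));\n"
CLEAN_TREE = {"wp-includes/js/demo.js": CLEAN_JS}
INFECTED_TREE = {"wp-includes/js/demo.js": INJECTED_JS, "wp-content/uploads/x.js": CLEAN_JS}

if __name__ == "__main__":
    for f in scan_tree(INFECTED_TREE, build_baseline(CLEAN_TREE)):
        print(f["path"], "->", ", ".join(f["reasons"]))
```

On a real host, call load_tree() on the document root right after an update to build the baseline, and again on a schedule to scan.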
Healthcare Supply Chain List Posted on Deepweb
Threat Actor: Thanos
TTP: Supply Chain Attacks
On January 19th, 2016, an actor known as 'Thanos' shared some contact information for supply chain providers to Healthcare Organizations.

While all of the information is generally public, the packaging of the information in this format could indicate future supply chain attacks against US and EU based healthcare organizations.

Organizations are advised to pay close attention to interconnections and communication (including email) to and from the listed organizations.
Action Item:
1. Patch Server Operating Systems
Critical Fixes for IE Vulnerabilities and Updates for Flash Player

Microsoft released 13 security bulletins addressing vulnerabilities in Internet Explorer, Microsoft Windows, and Microsoft. Of these bulletins, 6 are tagged as Critical while 7 are marked as Important.

One of the critical bulletins (MS16-009) resolves issues affecting older versions of Internet Explorer (IE 9, 10) as well as IE 11. When exploited successfully, it could lead to remote code execution, compromising the security of the system. Microsoft announced that it will have limited support for older versions of IE, and encouraged users to upgrade to the latest version, which is currently IE 11.

Microsoft Edge also has critical vulnerabilities which can result in remote code execution once successfully exploited.

Another notable security bulletin for this month's cycle is MS16-015, which fixes flaws in Microsoft Office. Attackers can execute arbitrary code when they leverage these vulnerabilities.

Adobe also rolled out several patches for Adobe Connect, Adobe Experience Manager, Adobe Flash Player, and Adobe Photoshop CC and Bridge CC. Several of the bugs found in Flash Player are considered critical vulnerabilities that may lead to attackers compromising the system or taking full control of the affected systems.

Action Item:
Ensure only updated versions of software are running in your environment.
Suspicious Domain Registrations: hitrust (January 2016)

hitrustnow.com (Pattern: hitrust)
  createddate: 17-jan-2016
  expiresdate: 17-jan-2017
  updateddate: 17-jan-2016
  registrarname: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM (registrarianaid: 303)
  nameservers: NS27.ROOKDNS.COM | NS28.ROOKDNS.COM
  registrant_name: DOMAIN MAY BE FOR SALE, CHECK AFTERNIC.COM Domain Admin
  registrant_organization: Whois Foundation
  registrant_city / registrant_country: Panama City, PANAMA
  status: clientTransferProhibited (http://www.icann.org/epp#clientTransferProhibited)
  whoisserver: whois.PublicDomainRegistry.com
  (administrative and technical contacts identical to the registrant; contact e-mail addresses redacted in the source)

hitrustexperts.info (Pattern: hitrust)
  createddate: 2016-01-26T00:44:59Z
  expiresdate: 2017-01-26T00:44:59Z
  registrarname: GoDaddy.com, LLC (registrarianaid: 146)
  nameservers: NS53.DOMAINCONTROL.COM | NS54.DOMAINCONTROL.COM
  registrant_name: Tim Roncevich
  registrant_city / registrant_state / registrant_country: Yorba Linda, California, UNITED STATES
  status: serverTransferProhibited (https://icann.org/epp#serverTransferProhibited) | addPeriod (https://icann.org/epp#addPeriod)
  whoisserver: whois.godaddy.com
  (administrative, billing and technical contacts identical to the registrant; contact e-mail addresses redacted in the source)
Action Item:
1. Educate your employees to check certificate information
TREND MICRO: RANSOMWARE
Motivation: Return per Malware Infection
Spam bot $
Banking Trojan $$
Ransomware $$$
2015 Comparison
Crypto-Ransomware: 83%
Ransomware: 17%
Jan 2016 Regional Ransomware Outbreaks
[Figure: January 2016 calendar (Sat to Fri) with regional ransomware outbreak days marked; the markings did not survive extraction]
Cryptowall: Number of clicks on malicious URLs per hour on day of outbreak - June 2015
Cryptowall: Number of clicks on malicious URLs per hour on day of outbreak - July 2015
Typical Spam Outbreak: Spam Bot -> Spam -> Malware
Cryptowall 4.0 Outbreaks: ISP -> Spam -> Malicious Webservers -> Malware
TorrentLocker Outbreaks: Hosted Spam -> Landing Page (Captcha) -> Malware
Conclusion
• Campaigns with excellent operational execution
– A lot of effort on Evasion
– Using $ to make some of this evasion happen
• Moving from a consumer threat towards business
• Starting to use encryption for system hostage
• No Silver Bullets
– Defense in Depth
Best Practices (IT Managers)
• Turn on Web & Email Reputation
• Turn off macros if not needed
• Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task
• Disable AutoPlay to avoid automatic execution of executable files in removable/network drives
• Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access.
• Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared
• Standard Stuff
– Do end-user education
– Enforce a strong password policy
– Apply security patches for all programs and the Operating Systems
– Backups!!
Best Practices (when compromised)
• When a computer is compromised, isolate it immediately from the network
• During system infection, temporarily restrict write accesses to shared folders
• Contact Law Enforcement
THREATSTREAM: NJRAT TROJAN ALIVE AND KICKING….
Overview:
• njRAT is a remote access trojan designed to capture keystrokes, steal saved browser data and upload/download files.
• Tool of choice due to its ease of use and its wide community support, e.g. “tutorials”.
Who uses njRAT
• Used in cyberespionage operations in the Middle East, and also by hacktivists and the Syrian Electronic Army.
• As of a few months ago there has been a spike in its usage in the Brazilian region.
• Also used by script kiddies
njRAT and the Healthcare industry
• 36% of infections in the healthcare vertical were related to njRAT, according to a FireEye report [1].
[1] https://www.fairwarning.com/wp-content/uploads/2015/08/FireEye-Report-Cyber-Threats-to-Healthcare-and-Pharmaceutical-Companies.pdf
Geographic distribution of njRAT C2s
njRAT Distribution Methods
Picture credit to Phishme Labs.
njRAT Capabilities
• Complete remote system administration capabilities
• Scrapes saved credentials from browser
• Uploads/downloads files
• Command execution
• Key logging
• Webcam control
njRAT weekly build count
njRAT Mitigation
• Have antivirus software with the latest definitions
– May not help if packed
• Application whitelisting
• User education on spearphishing attacks
• Up-to-date Network IDS
njRAT Detection

Yara Rule (rule courtesy of https://malwareconfig.com/yara/):

rule njRat
{
    strings:
        $s1 = {7C 00 27 00 7C 00 27 00 7C} // |'|'|
        $s2 = "netsh firewall add allowedprogram" wide
        $s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
        $s4 = "yyyy-MM-dd" wide
        $s5 = "abcdefghijklmnopqrstuvwxyz" wide
        $v1 = "cmd.exe /k ping 0 & del" wide
        $v2 = "cmd.exe /c ping 127.0.0.1 & del" wide
        $v3 = "cmd.exe /c ping 0 -n 2 & del" wide
    condition:
        all of ($s*) and any of ($v*) and new_file
}

Note: new_file is not a built-in YARA identifier but an external variable from the malwareconfig.com framework, so the rule does not compile as-is; define it when scanning (yara -d new_file=true, or externals={"new_file": True} in yara-python) or drop that term from the condition. The wide modifier matches the UTF-16LE strings of a .NET binary, which is why $s1 is given as raw bytes.
njRAT Detection

Snort rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"njRAT C2 Callout"; flow:from_client,established; content:"|00|lv|7C 27 7C 27 7C|"; fast_pattern; classtype:trojan-activity;)

Note: as shown the rule has no sid or rev options; Snort 2.9 refuses to load a rule without a sid, so assign one from the local range (1000000 and above) and a rev:1 before deploying it.
Thank you!!!! Any questions?
HITRUST
CSF Controls Related to Threats
• CSF Control for njRAT distribution, Suspicious IP addresses, Ransomware (WordPress Ransomware)
– Control Reference: *01.i Policy on the Use of Network Services
• Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.
• Implementation requirement: The organization shall specify the networks and network services to which users are authorized access.
CSF Controls Related to Threats
• CSF Control for Vulnerability Patching
– Control Reference: *10.m Control of technical vulnerabilities
• Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.
• Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within
Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.
CSF Controls Related to Threats
• CSF Control for Top Emerging Malware Entities
– Control Reference: *09.j Controls Against Malicious Code
• Control Text: Detection, prevention, and recovery controls shall be
implemented to protect against malicious code, and appropriate user
awareness procedures on malicious code shall be provided.
• Implementation Requirement: Protection against malicious code
shall be based on malicious code detection and repair software,
security awareness, and appropriate system access and change
management controls.
CSF Controls Related to Threats
• CSF Control for Ransomware (autorun functions)
– Control Reference: *09.o Management of Removable Media
• Control Text: Formal procedures shall be documented and
implemented for the management of removable media.
• Implementation requirement: The organization shall formally
establish and enforce controls for the management of removable
media and laptops including restrictions on the type of media and
usage, and registration of certain types of media including laptops.
(disable autorun, sanitize media before connecting)
CSF Controls Related to Threats
• CSF Control for Ransomware (unauthorized software)
– Control Reference: *10.h Control of operational software
• Control Text: There shall be procedures in place to control
the installation of software on operational systems
• Implementation requirement: The organization shall
maintain information systems according to a current baseline
configuration and configure system security parameters to
prevent misuse.
QUESTIONS?
Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the Content Spotlight