From password management to network segmentation, modern cybersecurity must incorporate many layers, says CDW Information Security Solutions Manager Mark Lachniet.
During a meetup at HIMSS 2018 in Las Vegas on Wednesday, Lachniet shared best security practices and advice for healthcare IT professionals. Among his most important recommendations, Lachniet called on organizations to implement detailed firewall logging.
“I’ve done dozens of incident response plans as a forensic analyst, and I would say that probably 70 percent of the time, when I get a company that has been breached, they do not have the ability to tell me what that workstation talked to on the internet,” he said. “This seems like an obvious thing, but some firewall platforms … do not have logging unless you configure a syslog server and send it somewhere. Other tools may have firewall logging, but it might not be configured to get low-level packet logs, or it might be rolling over.”
Lachniet also encouraged security teams to ensure patch management is part of their strategy. Without formally forcing workstations to update third-party software packages, exposure is almost a certainty, he said.
“Anyone that can email you a file that you can open — for example, a fake UPS shipping label — that’s the way that a lot of people will get in initially, or, as a drive-by attack where maybe [the user is] going to a website that has had something bad installed on it,” Lachniet said.
Patch management alone, he said, can reduce exposures and significantly cut down on the number of security incidents an organization experiences.
Don’t Make Passwords as Easy as 1-2-3
Password discussions are also critical to any cybersecurity strategy, Lachniet said. Many organizations have a local Windows administrator password that is the same across multiple systems.
“Every time you make a new image, chances are pretty good that you have one workstation admin that’s being replicated to 30, 40, 400 different workstations at a time,” he said. “That means if I can get access to one system, I can crack that Windows administrator password and use that other places.”
To that end, Lachniet said, noncomplex passwords or passwords that are complex but easily guessable are a good way for hackers to get a foot in the door.
“One thing from experience that I’ll tell you to look for is season-based passwords,” he said. “Windows, by default, wants you to change your password quarterly, so what we’ve seen a lot of people do is make a password that’s based on the season.”
Segment Networks to Prevent Escalation
Network segmentation is also a good practice to incorporate into a cybersecurity strategy, Lachniet said. Speaking as a seasoned penetration tester, he said one of the main ways he gets and escalates access to systems is by communicating from one workstation to another workstation.
“There is usually, in most environments, absolutely no reason that a workstation needs to talk to another workstation,” he said. “If you allow that access, that lets us do a lot of stuff like password guessing. That lets us do things like, if we can get a credential on one system, we can then walk through all the other systems on that network and see if those credentials work.”
That ability to escalate, Lachniet said, can be the difference between a healthcare organization losing three protected health information files during an attack or 300,000 files.
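The firewall logging and segmentation advice above can be combined into one defensive check: scan firewall logs for allowed workstation-to-workstation flows and flag sources that reach many peers. This is an added example, not part of the original article or Lachniet's talk; the key=value log format, the workstation subnet, the sample lines and the fan-out threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: workstation VLANs for this illustration (not from the article).
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample firewall log lines in an assumed key=value format.
SAMPLE_LOG = """\
2018-03-07T10:00:01 action=allow src=10.20.1.15 dst=10.20.1.44 dport=445 proto=tcp
2018-03-07T10:00:02 action=allow src=10.20.1.15 dst=10.20.1.45 dport=445 proto=tcp
2018-03-07T10:00:03 action=allow src=10.20.1.15 dst=10.20.2.9 dport=3389 proto=tcp
2018-03-07T10:00:04 action=allow src=10.20.1.30 dst=10.10.0.5 dport=445 proto=tcp
2018-03-07T10:00:05 action=deny src=10.20.3.7 dst=10.20.1.15 dport=445 proto=tcp
2018-03-07T10:00:06 action=allow src=10.20.1.30 dst=203.0.113.10 dport=443 proto=tcp
malformed line without fields
"""

def is_workstation(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in WORKSTATION_NETS)

def parse_line(line):
    """Return a dict of key=value fields, or None if required fields are missing."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not {"action", "src", "dst", "dport"} <= fields.keys():
        return None
    return fields

def workstation_to_workstation(log_text):
    """Map each workstation source to the (peer workstation, port) pairs it was allowed to reach."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        try:
            if is_workstation(rec["src"]) and is_workstation(rec["dst"]):
                peers[rec["src"]].add((rec["dst"], int(rec["dport"])))
        except ValueError:
            continue  # skip records with an unparsable address or port
    return dict(peers)

def fan_out(log_text, threshold=3):
    """Sources that reached at least `threshold` distinct workstation peers."""
    return sorted(src for src, p in workstation_to_workstation(log_text).items()
                  if len({dst for dst, _ in p}) >= threshold)

if __name__ == "__main__":
    print(workstation_to_workstation(SAMPLE_LOG), fan_out(SAMPLE_LOG))
```

In a segmented network the first function should return an empty mapping; any entry is either a rule gap or an exception worth documenting.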