Process-based cyber incident response Mr Jorge Silveira Executive - - PowerPoint PPT Presentation

@HISA_HIC #HIC18

Mr Jorge Silveira

Executive Director of Information Management & Chief Information Officer

Code Yellow - Cybersecurity Process-based cyber incident response

Northeast Health Wangaratta

@HISA_HIC #HIC18

Introduction – about

• Executive Director of Information Management / CIO
• Involved in industry groups
• HISA Cybersecurity Community of Practice (CoP)
• Chair of the Hume Region Cybersecurity Working Group (Vic)
• DHHS VHCIO Cybersecurity Working Group (Vic)
• DHHS VHCIO ICT Ops and Assurance Working Group (Vic)
• DHHS Healthdirect Advisory Group (Vic)

@HISA_HIC #HIC18

Introduction - about Northeast Health Wangaratta

• Located in regional Victoria (North East) 2.5h from Melbourne – Central Hume Region
• 222 bed hospital, 24/7 Emergency Department
• Covering a population of 90,000 people
• Over 70 specialists
• Key site for trauma referrals
• 24/7 Telehealth service - sponsor for the Hume region
• 24/7 digital ECG remote reading and reporting service – sponsor for the Hume region
• Largest employer in the region
• 83% self-sufficient

@HISA_HIC #HIC18

Cybersecurity Code Yellow

• Key focus areas:
• Assessment of a POSSIBLE incident
• Incident assessment process
• The key question before calling CODE YELLOW
• Is incident FULLY contained?
• Evidence preservation
• A key decision earlier in the game
• Medical Devices
• Possible activation of CODE BLUE to respond to patient health deterioration
• Business Management Systems / Facilities
• Information Assets (i.e patient, employee, supplier data, etc)
• Criminal Activity

@HISA_HIC #HIC18

Test / Validation Cybersecurity Code Yellow

As part of the Emergency Management Policy, specific emergencies shall be allocated codes and procedures, code yellow refers to Internal Emergency. There are many ways to test / validate CODE YELLOW processes and procedures:

1. Desktop exercises a) Internal validation and review b) External validation and review c) Sector validation and review 2. Actual incident

@HISA_HIC #HIC18

The real test / validation Cybersecurity Code Yellow

Have completed various desktop exercises to prepare for the day of a cyber incident …. but never had an actual cyber incident situation… until

@HISA_HIC #HIC18

Cybersecurity Incident

Friday 13th, 2018

Are you back Jason?

@HISA_HIC #HIC18

Cybersecurity Incident (cont.)

8:41am – Detection Take #1

• A Service Desk ticket was raised by a staff member reporting a

possible SPAM campaign

• Staff advised to delete message, no further action taken

@HISA_HIC #HIC18

Cybersecurity Incident (cont.)

9:45am – Detection Take #2

• CIO approached by another member of the Executive team and showed suspicious SPAM

message

• Analysis of message indicated sender of SPAM messages was one of our employees

and messages were originating from our mail servers

• Email server logs shows over 7,525 Messages being sent out in the last few hours
• That was the confirmation we were dealing with an incident

@HISA_HIC #HIC18

Cybersecurity Incident (cont.)

09:55 am

The following immediate containment actions took place:

• Request by CIO to disable account to contain affected / compromised account
• Block placed on firewall to prevent users accessing malicious link/website contained within SPAM message
• Review of mail server logs to determine if other accounts were compromised

By 10:03 am

• User contacted and discussed incident – attempting to identify root-cause of incident

10:05 am

The following actions were added to the containment plan:

• Review of Outlook Web Access (OWA) logs
• Review of Remote Desktop Services (RDS) access logs
• Review of logs, logs, and more logs for all internet facing systems and internal systems the compromised account had access to

@HISA_HIC #HIC18

Cybersecurity Incident (cont.)

11:41 am

Good progress reviewing logs, but the combination of the following:

1. Confirmed Cybersecurity Incident 2. Root-cause analysis in progress 3. Clear understanding of incident impact (which was still in progress)

Prompted the CIO to call “Code Yellow – Information Technology” until certainty and assurance of no further damage and containment was provided.

12:00 pm

• All department heads briefed with information available at the time

12:30 pm

• User laptop retrieved from locked office for analysis and evidence preservation
• Partner agencies notified, incident under control, no additional accounts compromised
• Reviewed containment plan with Incident Response Team (IRT) and external partners, containment plan adequate

@HISA_HIC #HIC18

Cybersecurity Incident (cont.)

05:07 pm

• Incident review completed, no evidence of access to any other network resource apart from

the OWA public interface and a single compromised account

• IP addresses used by unauthorized parties identified and blocked (Nigeria and Australian)
• External access to OWA disabled until an organization-wide password reset took place as a

precautionary measure

• Incident contained
• Stand down code yellow was called
• Staff briefed and reminded to complete the online Cybersecurity training

@HISA_HIC #HIC18

The Incident Handling Process

1. How did I feel when realizing one of the systems I am trusted to protect may have been compromised?

A: Not good really… but I knew it will one day, will happen to all of us... Not a matter of IF, but WHEN…

• 2. How to keep calm in situations like this?

A: Have structure that will guide you through: a) A cybersecurity code yellow process b) An Incident Response Plan (IRP) c) An Incident Response Team (IRT) d) Access to cybersecurity professionals e) Cybersecurity insurance f) Communication templates ready (write them before an incident)

Let’s have a look on the A4 piece of paper that made the entire situation a little better.

@HISA_HIC #HIC18

@HISA_HIC #HIC18

Some Additional Details

1. How did the account got compromised? A: Weak password via OWA, password set to never expire 2. Summary of root-cause analysis:

• Weak password and password set to never expiry
• Never expiry flag was put in place temporarily during a system migration that got

delayed, but not removed – staff responsible for coordinating the removal of flag was no longer working for the organization

@HISA_HIC #HIC18

Some Additional Details (cont.)

1. Other opportunities for improvement:

a) Email filtering did not detect the avalanche of emails being sent (service provided by 3rd party) b) There was no formal procedure to assess SPAM messages when reported to service desk

• 2. Lesson’s learned:
• Request third-party providers to provide DETAILS of services provide, what is included, what is not
• Document formal procedures for common signs of compromise as ICT staff will have different skill

levels

• Review password policy and establish a robust monitoring program, preferably by rotating this

responsibility between various staff members

@HISA_HIC #HIC18

Final Comments

• Technology would certainly have helped to prevent and stop SPAM emails being sent out, but

people and process also have their contribution to a cyber safe environment

• A number of improvements in internal processes were implemented following the incident and

conversations with third-party providers ongoing to acquire details of services provided and better understand risk

• Cybersecurity is not a product that one can buy, but active risk management
• If you do not have an established cybersecurity code yellow process, it is strongly encouraged

that you establish one

@HISA_HIC #HIC18

Thank you