System Hardening and Vulnerability Management Programs
3 hours 42 minutes
so welcome to the implementing a hip of compliance program for leadership. And this is less than 2.7 system hardening and vulnerability management programs to very necessary and require programs. If you want to get that auditor out of your office and get back to your desk so you can unbox your new laptop. So then when you powered up, well, you only need, like,
19 days of updates to the operating system before you can plug it in
and then be reminded that you need to update the auto update tool, which is gonna update all your other applications and your security settings so that you can finally meet security policy and then get on the network and, you know, do more updates. So good times the fun stuff. So if you're ready, let's get that patching party started, man. I'm just exhausted talking about it.
So welcome back, you cyber boxers and cage fighters in the blue corner weighing in too many pounds. According to the published body mass index guidelines. Well, it's me, fatty boy, The instructor and in the red corner are HIPPA compliant network. Well, it would be compliant if we didn't have 372 instances of Windows desktops,
the new software patching and oops! Well, we still have seven instances of Windows XP running around our office, wreaking havoc for the auditor because the operating system hasn't been supported since Elvis was a movie star.
Have you seen an Elvis movie? Yeah, let's move on. In today's lecture, we're gonna learn all about maintaining a HIPPA compliance system and vulnerability and systems hardening management programs. We're gonna review the key elements of what a vulnerability management program looks like. And we're gonna learn how to test the program ahead of our friendly auditor who wants to knock us out of the ring because he doesn't like the color of our boxing trunks.
So what's wrong with pink trunks with blue stripes? I ask.
So in our information technology systems, there are four types of security vulnerabilities. Network vulnerabilities, operating system vulnerabilities, human vulnerabilities and process vulnerabilities. Thes can be breaking down into a few more categories like software vulnerabilities, hardware vulnerabilities and properly configured devices. Human errors such as utilizing weak passwords, misplaced trust,
trusting your environment team without performing the due diligence and adequate testing like penetration, testing
and devices that are already compromised. According to IBM, it takes companies an average of 197 days to identify a security breach and 69 days to contain a breach. And IBM tells us that companies that can contain a breach in less than 30 days will save more than $1 million in comparison to those who take longer. Pretty scary stuff in a great reason to identify our vulnerabilities,
remediate them, reduce risk
and help protect the privacy and security of electronic health records and our patient health information.
So, almost in every vulnerability assessment I've ever been part of, it's been identified that the organization being tested has hundreds, even thousands, of software vulnerabilities that need to be remediated or what the industry calls patched. The problem is, is that software patching for many organizations due to the size of the organization and the quantities of server and desktop systems they manage well,
it's a full time job.
A desktop and server admin can spend three months patching all the company's systems just to turn around and have to pass them again. You see, the problem is that at some point, a software developer has to quit its agile software development and its testing sprints and published its code and release the product.
But you can't test every operating system on every type of device. It's just too much. And new devices and new hardware come out every month, and new versions of operating systems and browsers
come out frequently as well. At some point, you have to publish as I record this lecture. There are currently over 4000 known software vulnerabilities in the top four shipping Internet browsers that on our end, users are accessing their applications with and surfing the Internet with very daunting indeed. And that's just the Internet browser category of software.
When you think about all the software running in our network,
you can see what software patching is. It's a truly daunting task.
So in 2019, the network industry realized that a tiny microprocessor, the until Adam C. 2000 ship that was installed in networking devices like routers and firewalls would, after performing for approximately 18 months, begin to fail, and the likelihood of failure would increase over the time of the device remaining in the production network. The clock signal component issue
would cause products to stop functioning
and they would not reboot, and the failure would be unrecoverable. So this is an extreme case of, ah, hardware vulnerability but a good example of what might happen to an organization, for example, if their firewall were to fail. That is a complete network down until you recover from the firewall service or steer around it and for a while, leave the network unprotected.
Hardware vulnerabilities can come in all forms, but the biggest is the device has gotten old, and it's reached its manufacturer. End of support threshold
and no vulnerability update. Your firmware patches are going to be available from the manufacturer. Your device hasn't died and won't likely die anytime soon. But leaving the device in place and relying on it well, it's a huge organizational risk.
So when we're talking about vulnerability management, really talking about two different programs that we need to have in our hip organization, we need a vulnerability management program and the device hardening program. And although these programs are similar and symbiotic in their relationships, their very different. We have learned that different categories of vulnerabilities, but now we need to identify and remediate them in our network. But how do we find them?
The most successful and fastest way is through technical scanning of our network,
its contents of devices and use their entities using a vulnerability scanner. And there are hundreds of vulnerability scanners out there. One of the difference, in fact, when companies compare different consulting firms for their assessments and technical scans, is to evaluate what scanning tools the firms use. Your Big Five consulting firms in the U. S. A. Use tools that cost millions of dollars smaller consulting firms
where you will You scanning tools that cost tens of thousands
regardless of the tools used. The vulnerability scanners will scan the network using read, write networking protocols, and the network and its contents will announce themselves to the scanner until the scanner all about them. Hi, I'm a Dell laptop. I run this operating system. I have this much memory, my processor memory utilization, or X and Y etcetera, and the scanning tool will compare this information
with all the various published common vulnerability and exploits known
and then kick out a report. This report is then evaluated by the security consulting team and put into categories based on risk and criticality fix this first because it will cost you a whole bunch of a threat is realized the smaller priority stuff on the list. Well, it can wait until you get to it. You then schedule and apply your remediation, which could be a software patching update and changing device design,
use or configuration. Perhaps even swap out the device for a new one
because of age and lack of manufacturers support. And then we're gonna work on device hardening and optimization, which we're gonna talk about next. The bottom line, though, is that when you you always need to be diligent and that vulnerability management never ends. It is truly a foundation to network operations and the life of i t.
Our network devices have three planes or dimensions of operation, the data playing the control plane and the management plane. The data plane is responsible for handling the data packets and applying actions to them. Based on rules that are programmed into the software of the device, The control plane is tasked with calculating and programming actions for the data plane. This is where fording decisions were made.
The management plain is where we configure monitor our networking device.
So it's the management plane that we program and turn on and off the features of our device. Thes three planes have weaknesses, some of the weaknesses or software related, and some are hardware related vulnerable code or bad memory ships that's causing memory leaks. But most of the time we're talking just about human error.
So for either not fully utilizing the features or functionality written in the devices software
or because of mis configuration, either by missing configuration elements or incorrectly configured elements well, the people that program this thing well, the devices vulnerable example. We have configured the devices administration level passwords that air at Mons can log into the device and make programming changes. But we left the devices. Password is default
or we didn't enable encryption. So our management functions on Lee occur clear text and are susceptible to eavesdroppers. Wire captures packet sniffers, etcetera.
We need to harden our device from any and all vulnerabilities and threats, and then we need to optimize our devices, turn on the rest of those features that optimize them and harden them and drive efficiencies and business outcomes for our health care organization.
Every program we managed to be baseline improved through our remediation efforts and by being ever vigilant by performing ongoing technical scanning and testing. As our network is never static, change is the only network constant, and our program will reach a point where our policies, procedures and methodologies have proven to work.
And we become more efficient because our procedures and methodologies a repeatable and verifiable
and our program, which is a point where we become leaders in program management leaders in our space, from our compliance to privacy and security of our patients. Information. Our program actually become so good we share with our community and our partners how they can improve their program. Now we're cooking at the speed of mature model T Ford.
Maximum speed. 45 MPH. So really cooking, with all 177 cubic inches roaring at a full 20 horsepower
quarter mile, breaking stuff,
right hook uppercut and down for the count. 123 And now for our quiz. For what are some of the key differences between their healthcare organizations, vulnerability management programs and hardening management programs? Well hit pause.
Stand up, shake it off,
Put your mouth guard back in because we've got to protect those teeth. And when you're ready, let's review our answers together. So really vulnerability. Management is about managing and remediating the vulnerabilities caused by software and in our hardware. And we do this thing called patching where we're putting on new firmware new software, and we're getting those vulnerabilities corrected.
Hardening is about correcting incorrect or missing configuration caused by our users. Or we need to harden and optimize the devices so that we're
turning on our features and turning on best practices and optimizing our configuration to deliver the business outcomes to our health care organizations. Both programs are ongoing and never ending, and in fact are required by hip. So we better figure that out so that we can always be improving and maturing our policies, procedures and methodologies, using vulnerability management
and system hardening programs. So if you're ready,
let's take a glass job years into the doctor because you know what? You're a mess.
So in this lesson, we learned about the importance of maintaining system vulnerability and system hardening programs, and we reviewed patching and vulnerability remediation work compared to the device hardening techniques of turning on a device is missing features or correcting a poorly configured device, leaving loopholes so that threat agents might hijack the device and take over it. Not good.
And we learned that sharing what we learned about vulnerabilities with our partners and ecosystem.
That's how it become leaders in the security industry. We've become so good we can now help other agencies repeat our steps and in our next lecture will review. The principles are program needs about maintaining its documentation through change management procedures and strong documentation handling policies.
So that's it for our vulnerability and system hardening cage match. If you're still conscious and aren't missing too many teeth, well, we'll see you in our next lecture. Everyone's favorite topic hip. A comprehensive documentation management. So until then, well, I tell you what. It's been so much fun. It's almost been like ringside tickets at the heavyweight championship fight. It's just been a blast.
Well, maybe not that much fun.
Okay, until then, next time on behalf of all of us a sigh Berry. Thank you. Take care and pleasant journeys