Limiting the reach, damage of a compromised network
BOSTON — "We're seeing that bad days happen an awful a lot in a network," Craig Shue, associate professor of Worcester Polytechnic Institute's Computer Science Department told the HIMSS Privacy and Security Forum on Wednesday.
"The adversary is getting this asymmetric info and more systems are becoming compromised," Shue said.
The trouble is the traditional server connections allow hackers open access, who get in at the base level – they don't need an administrator's password.
And once they're into the system, they get the information they want from the user level where all of the "good stuff" lives, he said: the patient information entered by the doctor. The information is gathered here, Shue explained, and then the hacker sets its sights on expanding to other machines.
"We have a lack of situational understanding," Shue said. There's a focus on broad issues, when the trouble lies at the ground level with servers and devices that communicate to each other.
"Adversaries get what they want when that happens," he said.
To contain the compromised system at that level, organizations should embrace software-defined networking, said Shue. Here, IT leaders can actually split the roles in a data or control plane. In traditional systems, users had no ability to dictate this function.
Software-defined networking removes control issues and allows users to dictate not only the machines that can talk to one another on the system, but also let IT know the app from which a network request is derived.
"Our goal is for the IT team to be all powerful and know the surrounding context of all data flow to make the right decision," Shue said. "Our approach is going to allow us to take this open low tech and actually apply it to an enterprise."
"We're going to essentially ask permission every time we ask for a network connection," he added. "Every time there's a new network connection, I have to ask the controller to justify the action."
And if a hospital wants to limit the types of programs allowed to communicate on the network, the policy can be written into the system.
Traditional systems don't answer these big security questions, said Shue. "And without the answers, how can we make the right decision when it comes to network security?"
The Privacy & Security Forum took place in Boston, Dec. 5-7, 2016.
⇒ How to beat back hackers and savvy cybercriminals? Delve into the dark web
⇒ A CISO, consultant, and infosec vendor nail down cybersecurity best practices
⇒ Gone' phishin': Mayo Clinic shares tips for fending off attacks
⇒ What's the fundamental problem with cybersecurity? Relying on the Internet