Effective cybersecurity strategy starts with developing an adversarial mindset and understanding the likely first and last steps a bad actor will take when entering and exiting a network, according to Intermountain VP/CISO Erik Decker, who made the comments at the 2024 HIMSS Global Conference during a session entitled, “Break the Attack Chain: Understanding Cybercriminals’ Focus on Credentials.”
In response to a question about preventing data exfiltration, Decker said that while doing so was tricky, there are a number of things health systems can implement on the front end to slow bad actors down, one of which is multi-factor authentication.
When it comes to “Internet-facing things, if you are only using a password, you are toast, gone.” Though MFA isn’t perfect – as cybercriminals have found some creative ways around it – it’s still a must-have, he said.
What also troubles Decker is the nature of networks that run on Microsoft and feature its Active Directory. “What Microsoft needs to do is stop producing and delivering Active Directory in this flat environment,” he said.
What Decker prefers – even though transitioning to it is admittedly difficult and expensive – is a network structure that embraces the Bell–LaPadula model (BLP), which has been around since 1973. It’s a principle that calls for tiers of security zones in which lower tiers cannot control higher ones, and higher tiers do not have exposure to those below.
“When you have implemented that in Active Directory, you force management of the highest level of credentials through privileged access workstations (PAWs). You have to completely block any way of managing Active Directory except through that, and every admin who uses it uses their PAW to manage it, and every management system connected to that tier has to be controlled the exact same way.
“If you do that, now you introduced real isolation because you don’t have a flat structure, and you have now put a major friction point into what these bad actors want to do, and so you would have time to check for that data exfiltration – you would see other types of signals that pop up, and your response teams would be constantly looking for those signals.”
Decker spoke on the panel with Zafar Chaudry, MD, SVP, Chief Digital & Information Officer, Seattle Children’s. The session was moderated by Ryan Witt, VP, Industry Solutions, Proofpoint.
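The tiering rules Decker describes can be checked against administrative logon records. The sketch below is an added example, not code from the session or from Intermountain; the host names, account names, tier numbering (0 as the highest tier) and event fields are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory (assumed names). Tier 0 = directory/control plane,
# 1 = servers, 2 = user workstations; a lower number means a higher tier.
HOST_TIER = {"dc01": 0, "paw-t0-01": 0, "app-srv-07": 1, "hr-laptop-22": 2}
ACCOUNT_TIER = {"t0-adm-kim": 0, "t1-adm-lee": 1, "jdoe": 2}
PAWS = {"paw-t0-01"}  # the only approved source for Tier 0 management

@dataclass(frozen=True)
class Logon:
    """One interactive or remote administrative logon (constructed schema)."""
    account: str
    source: str  # host the session came from
    target: str  # host the account logged on to

def tier_violations(event):
    """Return the tiering rules one logon breaks; an empty list means clean."""
    acct = ACCOUNT_TIER.get(event.account)
    src = HOST_TIER.get(event.source)
    dst = HOST_TIER.get(event.target)
    if None in (acct, src, dst):
        return ["unclassified"]  # unknown asset: cannot be placed in a tier
    found = []
    if acct > dst:  # lower tier reaching up to control a higher one
        found.append("lower-tier-controls-higher")
    if acct < dst or acct < src:  # higher-tier credential used on a lower tier
        found.append("higher-tier-credential-exposed-below")
    if dst == 0 and event.source not in PAWS:  # Tier 0 managed without a PAW
        found.append("tier0-managed-outside-paw")
    return found

def review(events):
    """Map each violating logon to the rules it breaks."""
    return {e: v for e in events if (v := tier_violations(e))}

# Constructed sample events, not real log data.
SAMPLE = [
    Logon("t0-adm-kim", "paw-t0-01", "dc01"),     # expected: clean
    Logon("t0-adm-kim", "hr-laptop-22", "dc01"),  # Tier 0 admin from a laptop
    Logon("t0-adm-kim", "paw-t0-01", "app-srv-07"),
    Logon("t1-adm-lee", "app-srv-07", "dc01"),
    Logon("jdoe", "kiosk-99", "hr-laptop-22"),    # kiosk-99 is not in inventory
]

if __name__ == "__main__":
    for event, rules in review(SAMPLE).items():
        print(event, "->", ", ".join(rules))
```

The "unclassified" result matters as much as the explicit violations: a host or account that has not been assigned a tier cannot be shown to respect the boundary.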