Ask Slashdot: Dealing With Unwanted But Official Security Probes?

An anonymous reader writes "I manage a few computers for an independent private medical practice connected to a hospital network. Recently I discovered repeated attempts to access these computers. After adjusting the firewall to drop connections from the attacking computers, I reported the presumed hacker IP to hospital IT. I was told that the activity was conducted by the hospital corporation for security purposes. The activity continues. It has included attempted fuzzing of a web server, buffer overrun attacks, attempts to access a protected database, attempts to get the password file, etc. The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?"
  • by Anonymous Coward on Saturday April 06, 2013 @04:22PM (#43380507)

    Speak with someone at the managerial level and go find the agreement/piece of paper that states said hospital corporation has the right to perform security audits against your customer's network. Until that does or does not materialize, take no action past what you're already doing in the name of good security.

  • by Anonymous Coward on Saturday April 06, 2013 @04:22PM (#43380509)

    Have a lawyer write a letter to the hospital director, explaining how it's against the law in the US to attempt to hack into another company's network, saying, "Of course you'd want to know about this to avoid civil or criminal action."

  • by Anonymous Coward on Saturday April 06, 2013 @04:26PM (#43380547)

    You've told them that they don't have authorization to access your computers, and are (or would be) in violation of the law if they succeed?
    You've asked for a meeting with their security people so that you can jointly plan to do whatever is needed?
    You're reasonably comfortable that you indeed run a tight ship?
    You've configured your firewall to drop their packets?

  • Get it in writing (Score:5, Informative)

    by Antique Geekmeister ( 740220 ) on Saturday April 06, 2013 @04:31PM (#43380585)

    I've been on both sides of such security probes, professionally. A legitimate organization will be willing to identify itself and name the most obvious penetration test vectors, because they will show up in the logs of someone competent. It's also especially interesting to conduct a penetration a month _before_ any announced test, and a month or two _after_, to see what has actually been changed.

    But as the target of a penetration test, you should be _encouraged_ to report the attempts to the upstream provider or administration, and you should be notified of the test results. You don't indicate if you've spoken to anyone in hospital IT who has any actual authority or responsibility: a simple letter, _preferably on real paper with a real name of someone who can verify the letter_, identifying that such tests occur and where you can report them, can help protect you, and the hospital, from liability for other attacks that go unnoticed while the penetration test occurs.

    I also urge you to review the regulations or laws on confidentiality of patient data. Penetration against secure data where the recovered data is not handled safely can be illegal, and a careful talk with the hospital's legal counsel can help set some guidelines. And this is just the situation where a paper trail, _on paper and kept offsite_, can protect you and your group from lawsuit or from a manager who tries to shift blame. This is especially true when the penetration succeeds, and a mid level manager uses it as ammunition to replace IT staff with a different "big vision" of how security works, even when the IT staff were prohibited by that manager from taking effective steps against the very vulnerabilities used by the penetration test. (I've seen this several times.)

  • by PolygamousRanchKid ( 1290638 ) on Saturday April 06, 2013 @04:33PM (#43380601)

    My company's "good guys" run security tests once a week. They send me a report afterwards, listing any "findings". And, most importantly, I was informed by them beforehand, that they would be doing these tests.

    If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?

  • by Anonymous Coward on Saturday April 06, 2013 @05:02PM (#43380739)

    ...said by someone who doesn't have to specifically allow probes from the scanning hosts, and has to deal with the DoSing when the port scans cause a couple of the services to go haywire. (lock up, start sucking down all available memory on the machine)

    We put in new checks to watch for these things, but who knows what new tests they're going to run on the next scan.

    The memory one was particularly nasty, as machines w/ lots of memory available didn't start showing problems 'til up to 2 days later. (and everyone loves getting alerts at 2am)

  • by Old97 ( 1341297 ) on Saturday April 06, 2013 @05:51PM (#43380991)

    I work for a health insurance company. HIPAA fines are not unusual. It's strictly enforced. Our potential liability for a breach due to gross negligence or willful conduct can run tens of millions of dollars.

  • by AK Marc ( 707885 ) on Saturday April 06, 2013 @05:56PM (#43381027)

    Not under HIPAA. Anyone without a medical need who accesses a medical record is breaking the law (and billing is considered a medical need). If they succeed in accessing a system during a pen test, it's a crime, even if the lease gives them "ownership" of the system, they still have no right to access anyone's medical records.

  • The only answer. (Score:5, Informative)

    by ebrandsberg ( 75344 ) on Saturday April 06, 2013 @07:27PM (#43381415)

    Is the hospital allowed to access records without a release based on HIPAA regulations since it is an independent practice? If not, then report them to the police. Apologize to the hospital, but explain, you have NO CHOICE. HIPAA is not something to mess with, and it doesn't matter who is trying to access the records, it IS a crime if accessing this data is not permitted. Remember the guys that got sent away for accessing the public data for AT&T? Yeah... That but worse. Based on the fact that they were sentenced, even if they gained no data, the attempt itself was the crime. Failure to report a crime is a crime itself: http://www.law.cornell.edu/uscode/search/display.html?terms=misprision&url=/uscode/html/uscode18/usc_sec_18_00000004----000-.html. Report it. If they gain access to records, and then data from it leaks out, say because someone notable was a patient, then it will be on YOU. If the local police decide not to follow up, it is NOT on you.

  • by antdude ( 79039 ) on Sunday April 07, 2013 @10:24AM (#43383939) Homepage Journal

    How do you know if seeing them in person is authentic? They could be clones or evil twins! :P

  • by Anonymous Coward on Sunday April 07, 2013 @10:58AM (#43384109)

    Having done network security for the feds in a previous job, I will tell you that we got legal permission before the plane tickets were bought. Generally, the permission specified the time period and scope of the testing. No permission = no testing.

    Sometimes we simply wanted to see their response. That would run the gamut from regular user to admin/root users and network managers.

    So what would your response to a real attack be? That is your answer. If they did not want you to go that route then you would have been notified that they were conducting this testing.

    If you want to include in your response that this could be some testing from another associated entity then by all means include that. But make it clear that you have not been officially notified of this and that you are proceeding as if this is a real attack as your procedures for responding are also being tested.
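The advice above comes down to checking observed probes against the written authorization (named sources, a time window, a target scope) and handling everything else under the normal real-attack procedure. As an added example, not code from the post or any commenter, the Python below triages constructed firewall drop-log lines against a hypothetical authorization record; the log format, field names and addresses are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample firewall drop log (not real traffic). Assumed format:
# "<ISO timestamp> DROP src=<ip> dst=<ip> dport=<port>"
LOG_LINES = """
2013-04-06T02:10:05 DROP src=10.20.30.5 dst=192.168.1.10 dport=80
2013-04-06T02:10:06 DROP src=10.20.30.5 dst=192.168.1.10 dport=443
2013-04-06T02:11:40 DROP src=10.20.30.5 dst=192.168.1.12 dport=1433
2013-04-06T14:00:01 DROP src=10.20.30.5 dst=192.168.1.10 dport=80
2013-04-06T14:00:09 DROP src=203.0.113.77 dst=192.168.1.10 dport=22
2013-04-06T14:00:10 DROP src=203.0.113.77 dst=192.168.1.10 dport=80
""".strip().splitlines()

# Hypothetical written authorization: who may test, when, and against what.
AUTHORIZATION = {
    "sources": [ip_network("10.20.30.0/24")],
    "window": (datetime(2013, 4, 6, 1, 0), datetime(2013, 4, 6, 4, 0)),
    "targets": [ip_network("192.168.1.10/32")],
}

def parse_line(line):
    """Split one drop-log line into (timestamp, src, dst, dport)."""
    ts, _action, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return (datetime.fromisoformat(ts), ip_address(kv["src"]),
            ip_address(kv["dst"]), int(kv["dport"]))

def is_authorized(ts, src, dst, auth):
    """True only if source, time and target all fall inside the authorization."""
    start, end = auth["window"]
    return (start <= ts <= end
            and any(src in net for net in auth["sources"])
            and any(dst in net for net in auth["targets"]))

def triage(lines, auth):
    """Per source IP, count events inside vs. outside the authorized scope."""
    result = {}
    for line in lines:
        ts, src, dst, _dport = parse_line(line)
        bucket = result.setdefault(str(src), Counter())
        bucket["authorized" if is_authorized(ts, src, dst, auth) else "unauthorized"] += 1
    return result

def hostile_sources(result):
    """Any source with out-of-scope activity gets the real-attack procedure."""
    return sorted(src for src, counts in result.items() if counts["unauthorized"])
```

Note that the authorized range still produces two out-of-scope events (one target not in scope, one outside the window), which is exactly the case the commenter says to treat as a real attack until the hospital puts the scope in writing.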
