Part 5 of 6, External Communication Control
Where have you been and where are you going?
At a medical facility, there are so many devices that it's hard to keep track of all the communications within the network, let alone all the traffic going out of the network to the web. Sure, we deploy firewalls to keep the bad folks from getting inside, but how do we keep track of all the traffic leaving the corporate network into the vast unknown? What if it goes to some bad site or, even worse, there are communications between your device and a country on the watch list such as North Korea or Iran? Is there a good way to understand what all your devices are doing at all times? Can we once and for all close the door on the external communications vulnerability?
Opening up the Wormhole
Communicating with the outside world is totally normal, and at a hospital we often see specific holes or access tunnels enabled in the firewall so that manufacturers can diagnose and even patch a device that needs it. Using Remote Desktop Protocol (RDP) over a VPN tunnel, a technician at a large medical device manufacturer uses this opening to control a device from anywhere in the world.
The problem, however, is that hackers can get into this opening if they are quick enough, and they can then gain access to critical systems at a hospital. It gets worse. When we talk to healthcare CISOs, we find that these holes are often left open inadvertently even after the patching or remote control session is completed. To date, keeping track of how many people are coming in and out, and how many sessions are opened and left unclosed, is a manual process.
Looking Like Swiss Cheese
A fortified firewall is one thing, but with so many RDP sessions, many of which are not closed after the work is done, and nobody actively monitoring them, a corporation can be left unprotected and the bad guys can walk in through the front door. There can be hundreds of concurrent RDP sessions at a major healthcare center, and unlike your home, there is no time-delayed automatic garage door closer.
And because there is no automatic “closer” within enterprise networks that cleans up these open ports once jobs are finished, your “fortified” network can be vulnerable. The good news is that we can help by sending an alert to the firewall that a hole has been left open. We track how many sessions are open and record in detail who is coming in and out at all times, like a diligent sentry.
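To make the “diligent sentry” concrete, here is a small stale-session detector. It is an added example written for this post, not Ordr's code; it assumes a constructed firewall event format (timestamp, open/close, src, dst, session id) and an assumed policy that a vendor RDP session should finish within two hours.

```python
"""Stale RDP session detector (added example, not Ordr's code).

Assumes constructed firewall events of the form:
    <ISO timestamp> <open|close> src=<ip> dst=<ip> sid=<session id>
"""
from datetime import datetime, timedelta

# Constructed sample events: three vendor RDP sessions are opened through
# the access hole in the firewall; only one of them is ever closed.
SAMPLE_EVENTS = """\
2024-03-01T08:00:00 open src=203.0.113.10 dst=10.20.5.7 sid=rdp-1001
2024-03-01T08:05:00 open src=203.0.113.11 dst=10.20.5.9 sid=rdp-1002
2024-03-01T09:10:00 close src=203.0.113.10 dst=10.20.5.7 sid=rdp-1001
2024-03-01T09:30:00 open src=198.51.100.4 dst=10.20.7.3 sid=rdp-1003
"""

# Assumed policy: a remote support session should be finished within 2 hours.
MAX_SESSION = timedelta(hours=2)


def parse_events(text):
    """Parse the constructed event lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.fromisoformat(ts), "action": action, **kv})
    return events


def open_sessions(events):
    """Sessions that have an open event and no matching close event."""
    sessions = {}
    for ev in events:
        sid = ev["sid"]
        if ev["action"] == "open":
            sessions[sid] = {"opened": ev["ts"], "src": ev["src"], "dst": ev["dst"]}
        elif ev["action"] == "close":
            sessions.pop(sid, None)  # matching close: the hole was cleaned up
    return sessions


def stale_sessions(events, now, max_age=MAX_SESSION):
    """Sessions still open longer than max_age as of `now`, oldest first."""
    stale = []
    for sid, s in open_sessions(events).items():
        age = now - s["opened"]
        if age > max_age:
            stale.append({"sid": sid, "src": s["src"], "dst": s["dst"],
                          "age_minutes": int(age.total_seconds() // 60)})
    return sorted(stale, key=lambda s: -s["age_minutes"])


def firewall_alerts(stale):
    """One alert line per stale session, ready to hand to the firewall or SOC."""
    return [f"ALERT stale RDP session {s['sid']} {s['src']}->{s['dst']} "
            f"open {s['age_minutes']} min" for s in stale]


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-03-01T12:00:00")
    for line in firewall_alerts(stale_sessions(parse_events(SAMPLE_EVENTS), now)):
        print(line)
```

Run against the sample, session rdp-1001 is dropped because its close event was seen, while rdp-1002 and rdp-1003 are reported as left open. In practice the event source would be the firewall's own session log and `now` would be the wall clock.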
Some Bad Countries
Ever wonder how much of your network traffic is going to a destination outside the U.S.? Or which devices are talking to which country? And wouldn't it help to see whether you have devices communicating with the dark web or with blacklisted countries? If someone clicks a URL and there is traffic flowing to Iran, Syria, or North Korea, there could be trouble brewing, and it's something you need to know about right away. Even within the U.S., a site might look well-intended but be a ruse for a ransomware site. Firewalls know the basics, such as which traffic goes to certain countries, but what is missing is the ability to know which device is going to which country and for what specific reason.
China…It’s a Big Country
With all the news regarding spyware and hacks from China, it's a big red flag if you find out that your devices are sending traffic back and forth to China, right? Actually, no, since many companies have manufacturing and support centers in China. If a GE medical device, for example, opens a communications line to a known site in China, that is actually fine, since this is normal behavior: GE maintains a large help center in China.
Likewise, if a Philips MRI machine is having an active dialogue with a site in the Netherlands, that is perfectly fine as well. However, if that same Philips machine starts talking to China, where there is no physical facility owned by Philips, we know that this is a behavior violation and something is out of character. We ring the alarm. Our system is smart enough to know that certain devices can communicate with certain countries while others cannot. We bring all of these policy protections together and automatically program the firewalls via APIs. Ordr provides the firewall with the required context about the devices that are talking to an external connection. Devices are classified in an orderly fashion by group (manufacturer/make/model), and that grouping is programmed into the firewall. The firewall is then updated with the rules for which group of devices can communicate with which specific websites and countries.
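The GE-to-China and Philips-to-China cases above come down to a per-group country policy applied to each device's flows. The following is an added example of that check, not Ordr's product code: the device inventory, the CIDR-to-country table (a stand-in for a real GeoIP database), the allowed-country policy and the flow records are all constructed, and the rule shape produced by `firewall_rules` is hypothetical rather than any vendor's API.

```python
"""Device-group country policy check (added example, not Ordr's code).

Inventory, geolocation table, policy and flows are all constructed.
"""
import ipaddress

# Constructed inventory: device IP -> manufacturer group.
INVENTORY = {
    "10.20.5.7": "GE",
    "10.20.5.9": "Philips",
    "10.20.7.3": "Philips",
}

# Constructed policy: countries each manufacturer group is expected to talk to.
ALLOWED_COUNTRIES = {
    "GE": {"US", "CN"},       # GE runs a help center in China (per the post)
    "Philips": {"US", "NL"},  # Philips support is in the Netherlands (per the post)
}

# Constructed geolocation table (CIDR -> ISO country code), standing in for GeoIP.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
    (ipaddress.ip_network("198.51.100.0/24"), "NL"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]

# Constructed flow records: (device IP, external destination IP).
FLOWS = [
    ("10.20.5.7", "203.0.113.50"),  # GE device -> China: normal behavior
    ("10.20.5.9", "198.51.100.9"),  # Philips -> Netherlands: normal behavior
    ("10.20.7.3", "203.0.113.77"),  # Philips -> China: behavior violation
    ("10.20.9.1", "192.0.2.1"),     # device not in inventory: cannot be classified
]


def country_of(ip, table=GEO_TABLE):
    """Longest-prefix-free lookup against the constructed table; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in table:
        if addr in net:
            return cc
    return "??"


def check_flows(flows, inventory=INVENTORY, policy=ALLOWED_COUNTRIES):
    """One verdict per flow: ok, violation, or unclassified (device unknown)."""
    verdicts = []
    for src, dst in flows:
        group = inventory.get(src)
        cc = country_of(dst)
        if group is None:
            status = "unclassified"   # no context for the firewall; needs classification first
        elif cc in policy.get(group, set()):
            status = "ok"
        else:
            status = "violation"      # out of character for this group: ring the alarm
        verdicts.append({"src": src, "group": group, "dst": dst,
                         "country": cc, "status": status})
    return verdicts


def countries_per_device(flows):
    """At-a-glance view: the set of destination countries each device talks to."""
    out = {}
    for src, dst in flows:
        out.setdefault(src, set()).add(country_of(dst))
    return out


def firewall_rules(policy=ALLOWED_COUNTRIES):
    """Per-group allow/deny rules in a hypothetical shape for an API push."""
    rules = []
    for group, countries in sorted(policy.items()):
        rules.append({"group": group, "action": "allow", "dst_countries": sorted(countries)})
        rules.append({"group": group, "action": "deny", "dst_countries": "any"})
    return rules


if __name__ == "__main__":
    for v in check_flows(FLOWS):
        print(f"{v['src']:>10} ({v['group']}) -> {v['dst']} [{v['country']}]: {v['status']}")
    print(countries_per_device(FLOWS))
    print(firewall_rules())
```

The unclassified verdict is the practical point: a device that is not yet assigned to a group cannot be checked against any country policy, so classification has to come before enforcement, which is why the post describes grouping devices first and programming the firewall afterwards.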
Go Travel…But Be Proactive
At Ordr, we can tell you exactly what all your devices are doing and inform you if anyone “left the garage door open.” We can see all the traffic, down to the individual session of a medical device talking to a country overseas. At a glance, we can display the number of countries each device is having transactions with.
If device traffic does go overseas and returns only to act unusual or different, we will alert you as well. Proactive protection starts with a comprehensive view of what all your devices are doing and who or what they are talking to. Neither overseas travel nor tracking all the external communications is easy, but with Ordr you are in control.