
Capstone – Ricardo Nevarez

Ricardo Nevarez
CSOL-510, Applied Cryptography
University of San Diego
2017

Executive Summary

No two organizations' network security postures are identical, because each network is built around its company's particular needs, and no network can be made 100% secure against internal and external attacks on its hardware and software (MacInnes, 2011). This is simply the nature of computer networks. Securing a system properly requires trained information security personnel. What we as information security professionals can do is make it harder for attackers to reach the targeted data. This involves many methodologies, including but not limited to: 1) understanding the overall network security gaps, 2) implementing network security appliances, 3) updating and maintaining security policy, 4) implementing proper access controls, 5) implementing cryptography and a public key infrastructure (PKI), 6) implementing end-to-end cryptography, and 7) implementing security monitoring. As Chief Information Security Officer (CISO), improving the network security posture of the health insurance company is the essence of this paper, which discusses how the company's security posture can be improved in the following areas: 1) relevant healthcare laws, protection requirements and current regulations, 2) policies, 3) the healthcare threat environment, and 4) how cryptography can enforce security policy. With the support of the senior technical management panel this is achievable.

Data is the lifeblood of any company, and it is critical that the security used to protect this data is done correctly. The healthcare industry continues to move to electronic health records (EHR) (Blumenthal, 2010). As patients' EHRs are handled and shared among health insurance companies, healthcare providers and the patients themselves, the privacy and security of those records are more exposed today than ever. It is important that the confidentiality, integrity and availability of these records are not compromised. Stakeholders, patients and everyone involved in maintaining patient information expect no less than the best security protecting this data. Fortunately the healthcare industry has recognized bodies and regulations that provide thorough guidance for security professionals protecting the privacy and security of patients' healthcare information; one example is the Health Insurance Portability and Accountability Act (HIPAA), administered by the HHS Office for Civil Rights, which I discuss later.

The healthcare sector, which includes health insurance companies, is required to ensure the confidentiality, integrity and availability of all patients' electronic health records that it creates, receives, maintains or transmits (OCR, 2013). It must also identify and protect against reasonably anticipated threats to the security or integrity of those records. There are tools at our disposal to achieve this. One such tool for securing patients' EHRs is a public key infrastructure (PKI), woven into the existing network. The details of this implementation include block ciphers, hash functions, controls over the PKI, key distribution, and a dedicated physical Kerberos server hosting the key parts of this infrastructure. Laws, regulations and standards must also be implemented where applicable within the network. The remaining pieces of this cryptographic security puzzle are enforcing policy, understanding the threat environment, and finally understanding the cryptographic mechanisms that enforce policy. We can have all the mechanisms and procedures in place, but if policy is not enforced the security will fail. This is true for any organization.

Once implemented, the PKI is to secure data communication between the customers, providers and remote workers and this company. Cryptography correctly applied to data in transit and at rest is the mark of a trustworthy network. As mentioned, recognized bodies in healthcare, and regulations such as HIPAA, provide us security professionals with guidelines for achieving these goals. Threats to our patients' electronic data will come through insecure web browsers and insecure communication links from our customers and providers, and from our remote workers, who connect over VPN to our outer and inner firewalls. Following the suggested guidelines will help mitigate these threats.

As mentioned, this company operates within the healthcare sector and must be in lock step with the Health Insurance Portability and Accountability Act (HIPAA). By applying encryption and cryptography we follow HIPAA guidance and limit the impact of a data breach; under the HIPAA Breach Notification Rule, protected health information that was properly encrypted when lost or stolen is not treated as "unsecured" and does not trigger a reportable breach. HIPAA guidance also suggests the following to mitigate data breaches: 1) data encryption, 2) secure messaging, 3) compliant cloud storage, 4) scrutiny of business associates, 5) staff training, 6) software updates, virus and malware control, and secure disposal (Kelleher, 2017).

To recap, the goal is to understand the overall network security gaps, implement network security appliances, update and maintain security policy, implement proper access controls, implement cryptography where needed (including end to end), and implement security monitoring. Security monitoring helps detect malicious and abnormal network behavior. IT will follow up with applications that go through the security logs, operating system logs and application logs. Per NIST (2006), IT will review logs from the following categories of systems: host-based protection software, intrusion detection and prevention systems (IDS/IPS), VPN, web proxy servers, vulnerability management software, authentication servers, routers, layer 3 switches that apply access control lists (ACLs), and firewalls.

Up to this point I have covered securing communication from the customers, providers and remote workers to the company's outer firewall. I have also mentioned the Kerberos server, which must be properly secured within the network because it is the keeper of the realm's cryptographic keys. Which inbound connections are trusted and accepted into the network will depend on authentication, and on whether the correct cryptographic mechanisms are properly applied.

We understand that we have little control over the security our customers and providers implement on their end, but we can control what they are required to use when connecting to our network. For example, to secure communication in transit, our outer firewall will only accept inbound connections from customers, providers and remote workers that use AES in CBC mode with a 128-bit key, and remote workers connecting over VPN will use 128- or 256-bit keys. These inbound connections will be authenticated with HMAC using SHA-256 (a hash built on 32-bit words), and remote workers will use HMAC with SHA-256 or SHA-512 (32-bit and 64-bit words respectively). CBC mode provides no integrity on its own, so the HMAC must be computed over the IV and the ciphertext and verified before anything is decrypted. To further mitigate the threat, inbound connections will be audited, all unused ports will be closed at the outer firewall, and physical access will be limited (Latham, 1998). To gain access past the outer firewall, this group will authenticate using a 2048-bit RSA key exchange (asymmetric encryption) with SHA-256, with the session then protected by AES-256. The cost of implementing these settings is minimal to the company, but done correctly they enable stronger cryptographic controls and communication and bring big returns in the form of a secure and trustworthy network. Most of these settings are well-known industry best practices, are publicly documented, and can be implemented over a short period of time.

As I have shown, these implementations are what is needed to secure the confidentiality, integrity and availability of the network's data (SANS, 2013). For the cryptographic implementation to work, the Kerberos server must sit inside the network behind the inner firewall, and not in the outer DMZ alongside where the web server is currently located. This placement gives the Kerberos server High Trust: before any customer, provider, remote worker or internal LAN user gains access to data, they must first be authenticated here (Obregon, 2015). The High Trust comes from ensuring proper implementation of the following within the Kerberos server:

1) Authentication Service (AS) – verifies the initial authentication and issues the ticket-granting ticket (TGT)

2) Ticket-Granting Server (TGS) – accepts a TGT and issues tickets for individual services

3) Kerberos database – stores the shared secret keys of all entities within its realm

(Santos, Muniz, & Crescenzo, 2017)

Together the AS, TGS and database form the Key Distribution Center (KDC). This security approach will mitigate external and internal attacks. At all costs the KDC must remain secure, because it is the custodian of the shared keys of every computer, service and application within this Kerberos realm, and anyone holding those keys can impersonate any principal. Note that the KDC's keys are symmetric and are separate from the signing keys of the PKI's certificate authority, so both trust anchors need protection. Accountability for maintaining this High Trust will fall on policies. When the company embraces its policies on network usage, the network is that much stronger against attacks.
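The three KDC roles above can be illustrated as a protocol exchange. The following Go program is an added example written for this page; it is not code from the paper or from any Kerberos implementation. It is a deliberately minimal model of the AS, TGS and AP exchanges using AES-256-GCM as the ticket encryption, with constructed principal names ("alice", "claims-db") and a 10-hour ticket lifetime chosen for illustration. Real Kerberos (RFC 4120) adds ASN.1 encoding, pre-authentication, replay caches, clock-skew checks and cross-realm trust, none of which is modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"time"
)

// Ticket binds a fresh session key to a client/service pair. It is sealed
// under the long-term key of the service it names ("krbtgt" for a TGT), so
// the client that carries it can neither read nor alter it.
type Ticket struct {
	Client, Service string
	SessionKey      []byte
	Expires         int64
}

// Authenticator proves the sender holds the session key inside a ticket.
type Authenticator struct {
	Client string
	Time   int64
}

// KDC is the Kerberos database plus the AS and TGS roles. Whoever can read
// this map can forge a ticket for any principal in the realm.
type KDC struct{ keys map[string][]byte }

func newKey() []byte { // fresh AES-256 key
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil { panic(err) }
	return k
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal JSON-encodes v and encrypts it with AES-256-GCM as nonce || ciphertext.
func seal(key []byte, v interface{}) ([]byte, error) {
	pt, err := json.Marshal(v)
	if err != nil { return nil, err }
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, pt, nil), nil
}

// open reverses seal; a wrong key or a modified blob fails authentication.
func open(key, blob []byte, v interface{}) error {
	gcm, err := gcmFor(key)
	if err != nil { return err }
	if len(blob) < gcm.NonceSize() { return errors.New("blob too short") }
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil { return errors.New("wrong key or tampered message") }
	return json.Unmarshal(pt, v)
}

// ASExchange (Authentication Service) issues the TGT. The TGT is sealed under
// the krbtgt key; the TGS session key is sealed under the client's own key, so
// only a client holding that key (derived from its password) can continue.
// No password crosses the wire.
func (k *KDC) ASExchange(client string) (tgt, encSession []byte, err error) {
	clientKey, ok := k.keys[client]
	if !ok { return nil, nil, errors.New("unknown principal") }
	t := Ticket{Client: client, Service: "krbtgt", SessionKey: newKey(),
		Expires: time.Now().Add(10 * time.Hour).Unix()}
	if tgt, err = seal(k.keys["krbtgt"], t); err != nil { return nil, nil, err }
	encSession, err = seal(clientKey, t.SessionKey)
	return tgt, encSession, err
}

// TGSExchange (Ticket-Granting Server) validates the TGT plus an authenticator
// encrypted under the TGS session key, then issues a ticket for service,
// sealed under that service's long-term key.
func (k *KDC) TGSExchange(tgt, auth []byte, service string) (ticket, encSession []byte, err error) {
	var t Ticket
	var a Authenticator
	if err = open(k.keys["krbtgt"], tgt, &t); err != nil { return nil, nil, err }
	if err = open(t.SessionKey, auth, &a); err != nil { return nil, nil, err }
	if a.Client != t.Client || t.Service != "krbtgt" || time.Now().Unix() > t.Expires {
		return nil, nil, errors.New("authenticator does not match a valid TGT")
	}
	serviceKey, ok := k.keys[service]
	if !ok { return nil, nil, errors.New("unknown service") }
	st := Ticket{Client: t.Client, Service: service, SessionKey: newKey(), Expires: t.Expires}
	if ticket, err = seal(serviceKey, st); err != nil { return nil, nil, err }
	encSession, err = seal(t.SessionKey, st.SessionKey)
	return ticket, encSession, err
}

// ServiceAccept (AP exchange): the service opens the ticket with its own key
// and never contacts the KDC. Returns the authenticated client name.
func ServiceAccept(serviceKey, ticket, auth []byte) (string, error) {
	var t Ticket
	var a Authenticator
	if err := open(serviceKey, ticket, &t); err != nil { return "", err }
	if err := open(t.SessionKey, auth, &a); err != nil || a.Client != t.Client {
		return "", errors.New("authenticator does not match ticket")
	}
	return t.Client, nil
}

// Login runs the client side of all three exchanges. clientKey is derived
// from the user's password; a wrong key fails at the first open.
func Login(kdc *KDC, client string, clientKey []byte, service string, serviceKey []byte) (string, error) {
	tgt, encSess, err := kdc.ASExchange(client)
	if err != nil { return "", err }
	var tgsKey, svcKey []byte
	if err = open(clientKey, encSess, &tgsKey); err != nil { return "", err }
	auth, _ := seal(tgsKey, Authenticator{Client: client, Time: time.Now().Unix()})
	ticket, encSvc, err := kdc.TGSExchange(tgt, auth, service)
	if err != nil { return "", err }
	if err = open(tgsKey, encSvc, &svcKey); err != nil { return "", err }
	auth, _ = seal(svcKey, Authenticator{Client: client, Time: time.Now().Unix()})
	return ServiceAccept(serviceKey, ticket, auth)
}

func main() {
	alice, claimsDB := newKey(), newKey()
	kdc := &KDC{keys: map[string][]byte{"alice": alice, "claims-db": claimsDB, "krbtgt": newKey()}}
	who, err := Login(kdc, "alice", alice, "claims-db", claimsDB)
	fmt.Println("right key:", who, err)
	_, err = Login(kdc, "alice", newKey(), "claims-db", claimsDB)
	fmt.Println("wrong key:", err)
}
```

What the model makes concrete: the AS, not the TGS, issues the TGT; the client proves knowledge of its password only by being able to open the AS reply; a service validates tickets with its own key and never talks to the KDC; and because every key in the realm lives in the KDC map, that map is exactly what the High Trust placement of the server has to protect.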

The National Institute of Standards and Technology (NIST, 2016) provides the cybersecurity community with sound principles, processes and procedures for developing cryptographic standards and guidelines, which can be applied to our case. The security requirement families laid out in NIST SP 800-171 (Ross, Viscuso, Guissanie, Dempsey, & Riddle, 2015) cover the following areas:

Access Control
Audit and Accountability
Awareness and Training
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Physical Protection
Personnel Security
Risk Assessment
System and Communications Protection
System and Information Integrity

All this is only possible by enforcing policy in the following areas (OCR, 2013):

Acceptable Use Policy
Backup Policy
Incident Response Policy
Email Policy
VPN Policy
Data Classification Policy
Wireless Policy
Password Policy
Retention Policy
Network Security Policy
Network Access Policy
Physical Security Policy
Confidential Data Policy
Remote Access Policy
Kerberos Server Policy
Outsourcing Policy
Encryption Policy
Firewall Policy

Enforcing these policies should be straightforward. Any employee not in compliance should have a one-on-one conversation with their supervisor, review and acknowledge the Company Security Compliance Standards, and sign a physical acknowledgment. This approach is reasonable and should encourage active participation by all employees. Implementing these policies ensures that controls are put in place to secure the network. Another aspect of improving this company's security is to ensure non-cryptographic controls are in place at the outer and inner firewalls (CISCO, 2009). These controls include packet filtering at the network layer, stateful inspection that tracks each connection's state across the network and transport layers, application-layer filtering (proxies), and circuit-level gateways at the session layer. These non-cryptographic modes also carry costs. Packet filtering is low cost and uses little CPU, and the circuit-level gateway is also low cost, as are the other firewall modes (CISCO, 2009), with application-layer inspection the most CPU-intensive of them because it has to parse protocol content.

This health insurance company will also be recommended to use a key distribution system that implements both public-key and secret-key cryptography together with key management (Barker & Dang, 2015). Combined with encryption within our network, this will preserve data integrity and ensure High Trust. Throughout the network, public keys will be used to verify signatures, and will be used by customers, providers and remote users to encrypt their respective messages. The benefit of an AES shared secret key is that it is fast at encrypting and decrypting and places little load on the hardware. The downside of a shared secret key is the lack of authenticity: because both parties hold the same key, the key alone cannot prove which party produced a message, and anyone who obtains it can impersonate either party. It is therefore important for the keeper of the symmetric keys to lock them away and keep them safe; if they are found, the attacker can impersonate. The off-site backup will use RSA public key exchange (asymmetric encryption) with SSL/TLS. I do not feel that speed or the load placed on the hardware is an issue here, hence my decision to go with asymmetric cryptography. The VPN will use a 2048-bit RSA public key exchange (asymmetric encryption) with SHA-256 to establish the symmetric key for communication between the remote workers and the VPN server (Pfleeger & Pfleeger, 2003). This provides authentication of the packet data stream entering the internal network, and SSL/TLS within the browser ensures that the data stream is not tampered with in any way during transit. A little more about SSL/TLS is discussed later.
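As an added illustration of using an RSA key exchange to establish the symmetric key (example code written for this page, not from the paper or from any VPN product), the Go program below has a remote worker wrap a fresh AES-256 session key with RSA-OAEP under the VPN server's 2048-bit public key and sign the wrapped key with RSA-PSS, both over SHA-256; the server verifies the signature against the worker's enrolled public key before unwrapping. The key pairs, the OAEP label and the message layout are assumptions made for the example. One caveat a practitioner should weigh: static RSA key transport has no forward secrecy, since a later compromise of the server's private key exposes every past session key, which is why TLS 1.3 removed it and why IKEv2-based VPNs use Diffie-Hellman for key agreement and RSA or ECDSA only for authentication.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyTransport is what the remote worker sends to the VPN server: the AES
// session key wrapped under the server's public key, and the worker's
// signature over that wrapped key so the server knows who chose it.
type KeyTransport struct {
	WrappedKey []byte
	Signature  []byte
}

// oaepLabel binds the wrapped key to this one purpose (assumed value).
var oaepLabel = []byte("vpn-session-key-v1")

// NewIdentity generates a 2048-bit RSA key pair, the minimum size NIST
// SP 800-57 accepts for new RSA keys (112-bit security strength).
func NewIdentity() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SendKey (client side): pick a fresh 256-bit AES key, wrap it with RSA-OAEP
// (SHA-256) under the server's public key, then sign the wrapped key with
// RSA-PSS (SHA-256). Returns the session key to keep and the message to send.
func SendKey(worker *rsa.PrivateKey, server *rsa.PublicKey) ([]byte, *KeyTransport, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, server, sessionKey, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(wrapped)
	sig, err := rsa.SignPSS(rand.Reader, worker, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, nil, err
	}
	return sessionKey, &KeyTransport{WrappedKey: wrapped, Signature: sig}, nil
}

// ReceiveKey (server side): check the signature against the worker's enrolled
// public key first, then unwrap. An unsigned or impostor-signed key is
// rejected before the server's private key is ever used.
func ReceiveKey(server *rsa.PrivateKey, worker *rsa.PublicKey, msg *KeyTransport) ([]byte, error) {
	digest := sha256.Sum256(msg.WrappedKey)
	if err := rsa.VerifyPSS(worker, crypto.SHA256, digest[:], msg.Signature, nil); err != nil {
		return nil, errors.New("signature invalid: sender not authenticated")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, server, msg.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("unwrap failed: wrapped key altered or wrong server key")
	}
	return key, nil
}

func main() {
	server, _ := NewIdentity()
	worker, _ := NewIdentity()
	sessionKey, msg, _ := SendKey(worker, &server.PublicKey)
	got, err := ReceiveKey(server, &worker.PublicKey, msg)
	fmt.Println("server recovered the same key:", err == nil && bytes.Equal(got, sessionKey))
	impostor, _ := NewIdentity() // a key pair the server never enrolled
	_, forged, _ := SendKey(impostor, &server.PublicKey)
	_, err = ReceiveKey(server, &worker.PublicKey, forged)
	fmt.Println("impostor rejected:", err)
}
```

The order inside ReceiveKey matters: verifying the signature first means the server's private key only ever operates on input that an enrolled worker produced, which keeps unauthenticated parties from feeding chosen ciphertexts to the decryption routine.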

For example, all components and their interfaces will use the Advanced Encryption Standard (AES) with key sizes of 128, 192 or 256 bits, a 128-bit block size, and 10, 12 or 14 rounds respectively (Barker, 2016). To put this strength into perspective, if an attacker attempted to brute-force a message from one of our customers to one of our employees encrypted under a 128-bit key, it would take roughly a billion billion years (Arora, 2012). Bruce Schneier has likewise suggested there is no need for AES-256, since AES-128 provides more than enough security margin for the foreseeable future. The AES keys used here are symmetric keys, and I would nonetheless use 256-bit keys, because today's computers easily handle the extra processing. As mentioned, all computers connecting to the outer firewall will use HTTPS (SSL/TLS) within the browser. At the outer firewall we know the threat is real and attackers will take advantage of any vulnerability. These firewalls also identify users who present digital signatures and public/private key pairs, and authorize our remote workers coming in through the VPN. For the block cipher applied to the off-site backup, data at rest will be encrypted with AES-256 in cipher block chaining (CBC) mode or AES-256 in counter (CTR) mode; CTR mode must never reuse a counter block under the same key, since that would expose the XOR of two plaintexts. For redundancy, should AES fail, the Triple Data Encryption Algorithm (TDEA) block cipher can be used (NIST, 2017), although its 64-bit block limits how much data one key may protect and NIST has been restricting its use, so it should remain a fallback only. The off-site backup will also support ONLY HMAC-SHA-256 and HMAC-SHA-512 (32-bit and 64-bit word sizes respectively) and SHA-3 (OWASP, 2017), to ensure the integrity of file transfers over the untrusted network. SHA-3 offers the same output lengths as SHA-2 (224, 256, 384 and 512 bits) but is built on a different internal construction (the Keccak sponge), so it provides an independent alternative should a weakness appear in SHA-2. NIST approved SHA-3 in 2015 alongside SHA-2 and does not currently recommend replacing SHA-2 with it (NIST, 2015); SHA-3 is slower than SHA-2 in software on general-purpose CPUs but fast in hardware such as ASIC implementations. The wireless access point (WAP) will likewise use HMAC-SHA-256 (OWASP, 2017) with IEEE 802.1X authentication using PEAP (MS-CHAPv2 inside a TLS tunnel). The VPN will use X.509 certificates for authentication and for establishing its session keys.

Earlier I mentioned SSL/TLS, which provides protection at the transport layer. This is the layer used to carry data between the client and the web server, and on to the web application within the corporate LAN. The version applied here is the current standard, TLS 1.2; older SSL versions and TLS 1.0/1.1 should be disabled on the servers. This mitigates the threat of intruders tampering with communication between browsers and web servers, and of passive eavesdropping (OWASP, Transport Layer Protection Cheat Sheet, 2017). There is some cost from the asymmetric computations in the handshake, but it is negligible because today's hardware handles them easily. With everything mentioned here, and with digital certificates that clients actually validate (a chain to a trusted root and a matching host name), man-in-the-middle attacks can be mitigated. In other words, it is not one or two pieces that mitigate the threat, but all the pieces together, with support from management down to the ground troops.

Conclusion

This network will only be resilient against this hostile threat environment when everyone participates and plays their part in following and enforcing company security policy, and in adhering to established federal, state and local laws on the handling of patients' electronic health records. This means that we as a health insurance company must follow the Health Insurance Portability and Accountability Act (HIPAA). By supporting, managing and maintaining cryptographic methodologies, the viable solutions described here will enforce security policy and ensure the confidentiality, integrity and availability of our company's most valuable asset: our patients' electronic health data.

References

Arora, M. (2012, May 7). How secure is AES against brute force attacks? Retrieved October 22, 2017, from EE Times: https://www.eetimes.com/document.asp?doc_id=1279619

Barker, E. (2016, January). Recommendation for Key Management, Part 1: General (NIST SP 800-57 Part 1 Rev. 4). Retrieved October 24, 2017, from NIST: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf

Barker, E., & Dang, Q. (2015, January). Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance (NIST SP 800-57 Part 3 Rev. 1). Retrieved October 24, 2017, from NIST: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt3r1.pdf

Blumenthal, D. (2010, July 13). The Future of Health Care and Electronic Records. Retrieved October 21, 2017, from HealthIT.gov: https://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/the-future-of-health-care-and-electronic-records/

CISCO. (2009, June 8). Firewall and Types. Retrieved October 24, 2017, from Cisco Support Community: https://supportforums.cisco.com/t5/security-documents/firewall-and-types/ta-p/3112038

FTC. (2011, September). Laptop Security. Retrieved October 24, 2017, from Federal Trade Commission: https://www.consumer.ftc.gov/articles/0015-laptop-security

Kelleher, A. (2017). HIPAA Compliance Guide. Retrieved September 15, 2017, from HIPAA Journal: https://www.hipaajournal.com/wp-content/uploads/2015/05/HIPAAJournal-com-HIPAA-Compliance-Guide.pdf

Latham, D. C. (1998, October 8). Department of Defense Trusted Computer System Evaluation Criteria (DoD 5200.28-STD). Retrieved September 25, 2017, from NIST: https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/dod85.pdf

MacInnes, B. (2011, May). No system is 100% secure says Sony chief. And he should know. Retrieved October 21, 2017, from Computer Weekly: http://www.computerweekly.com/microscope/opinion/No-system-is-100-secure-says-Sony-chief-And-he-should-know

NIST. (2015, August 5). Hash Functions: NIST Policy on Hash Functions. Retrieved October 24, 2017, from NIST Computer Security Resource Center: https://csrc.nist.gov/projects/hash-functions/nist-policy-on-hash-functions

NIST. (2016, March). NIST Cryptographic Standards and Guidelines Development Process (NISTIR 7977). Retrieved October 23, 2017, from NIST: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7977.pdf

NIST. (2017, July 20). Block Cipher Techniques. Retrieved October 22, 2017, from NIST Computer Security Resource Center: https://csrc.nist.gov/Projects/Block-Cipher-Techniques

Obregon, L. (2015, December 2). Infrastructure Security Architecture for Effective Security Monitoring. Retrieved October 24, 2017, from SANS: https://www.sans.org/reading-room/whitepapers/bestprac/infrastructure-security-architecture-effective-security-monitoring-36512

Office for Civil Rights (OCR). (2013, July 26). Summary of the HIPAA Security Rule. Retrieved October 21, 2017, from U.S. Department of Health & Human Services: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

Office for Civil Rights (OCR). (2017, May 12). The Security Rule. Retrieved October 22, 2017, from U.S. Department of Health & Human Services: https://www.hhs.gov/hipaa/for-professionals/security/index.html

OWASP. (2017, September 11). Cryptographic Storage Cheat Sheet. Retrieved October 24, 2017, from OWASP: https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet

OWASP. (2017, September 15). Transport Layer Protection Cheat Sheet. Retrieved October 24, 2017, from OWASP: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

Pfleeger, C. P., & Pfleeger, S. L. (2003). Security in Computing (3rd ed.). Prentice Hall PTR.

Ross, R., Viscuso, P., Guissanie, G., Dempsey, K., & Riddle, M. (2015, June). Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST SP 800-171). Retrieved October 22, 2017, from NIST: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf

SANS. (2013). SANS Security Essentials. Bethesda, MD: SANS Institute.

Santos, O., Muniz, J., & Crescenzo, S. D. (2017). CCNA Cyber Ops SECFND 210-250 (M. Taub, Ed.). Indianapolis: Cisco Press.
