Nonprofit Under Attack: A Cyber Defense Case Study

Planned Parenthood has sustained an unrelenting onslaught of cyberattacks over the past two years, but the organization has a comprehensive blueprint to defend its infrastructure and safeguard sensitive information with a cloud-first, mobile-optimized makeover. Here’s a look at how an SMB nonprofit is coping with problems that would challenge the largest enterprise.

Call it extreme resilience under heavy fire. Amidst a steady stream of cyberattacks and attempted breaches for nearly two years by skilled hackers determined to shut it down, Planned Parenthood Federation of America is mounting a vigorous initiative to defend itself with limited resources. While no cyberattack or breach is ordinary if your business is interrupted, the nimble Planned Parenthood IT team faces an extraordinary set of hurdles to defend itself as outsized external forces escalate daily. Even more noteworthy is the extent to which its team is seeking help in the form of deep partnerships with leading and emerging IT and security providers, steeped in the conviction that what those partners learn from the attacks targeted at Planned Parenthood could advance the state of threat detection and remediation.

It started out as a seemingly routine case of a decentralized organization planning to protect highly sensitive information by modernizing its IT operations and ensuring a secure and compliant environment. Just after sharing that plan, the nationwide provider of women's health care services abruptly found itself in the eye of an ongoing storm. It's not clear when or if it will let up and what damage will be left in its wake. In the midst of rolling out a multiyear plan to build out a mature and comprehensive information security stance, Planned Parenthood's IT team finds itself adjusting but undeterred by the sudden risk of losing a substantial portion of its source of funding.

While efforts to defund Planned Parenthood have been in the public eye since the beginning of last year’s presidential campaign, the ongoing cyberattacks during that time have remained largely under the radar. Not only are the attacks unrelenting, some are sophisticated and very much as formidable as some of the worst nation-state attacks, according to Planned Parenthood CTO Franklin Rosado. "We are targets of multifaceted attack attempts that are blended," Rosado explains. Asked whether the attacks stemmed from the political debate and those opposed to Planned Parenthood, Rosado pauses and offers: "I think I can say it’s fairly obvious that they are targeting us because of who we are."

"We are targets of multifaceted attack attempts that are blended."

Franklin Rosado, CTO, Planned Parenthood

Challenging Risk Factors
Planned Parenthood, which last year celebrated its 100th anniversary, provides what many call critical social services, but what others say shouldn’t exist in their current form. Regardless, Planned Parenthood shares many of the same security concerns that face any large health care provider, where it must secure private patient information and comply with HIPAA regulations. Millions of women, mostly those with low incomes, rely on the health care services provided by Planned Parenthood’s 650 clinics throughout the United States, including cancer screenings, prenatal planning and birth control. But because some of its clinics also provide abortions, opponents say the government should stop subsidizing Planned Parenthood. How that will play out over time remains to be seen.

Against that backdrop, the threat of reduced funding has historically weighed on Planned Parenthood and, likewise, is the basis of non-trivial physical and IT security risks. Moreover, Rosado and his team can’t overlook the outlying risk that a data breach or system compromise could bring physical harm to a patient, physician, or other medical and support personnel. Rosado believes this is a challenge from which any information security and systems professional and supplier could learn. That’s why Rosado and IT leaders at a couple of Planned Parenthood affiliates, through a series of interviews over the past two years, have candidly shared the problems they’ve faced and how they’re addressing them, such as:

  • A unique coordinated threat vector and attack types targeted at Planned Parenthood
  • Difficulty finding and retaining skilled infosec professionals
  • Creation of a Center of Excellence (COE) blueprint based on National Institute of Standards and Technology (NIST) and SANS Institute best practices
  • Evaluating and developing deep partnerships with the right suppliers
  • Finding suitable, extensible and secure collaboration tools and an enterprise mobility and management (EMM) platform
  • Engaging with Microsoft to potentially deploy Office 365 and its Enterprise Mobility + Security (EMS) service

Deploying Single Sign-On
The attacks experienced by Planned Parenthood unfolded just after our first meeting two years ago, when Rosado outlined Planned Parenthood’s cloud modernization effort. Rosado’s initial invitation to that meeting was for the explicit purpose of explaining how and why Planned Parenthood was reducing its reliance on Microsoft Active Directory by migrating its user accounts to a third-party, cloud-based single sign-on service from Okta Inc. for authentication to all of its networks and resources.

Okta’s willingness to build those specialized connectors was critical, he recalls, because it provided single sign-on to systems and services used by many practitioners and employees (see "Cloud Identity Authentication Battle for the Enterprise Heats Up").

Providing a modern identity and access management framework created the foundation of Planned Parenthood’s emerging multiyear plan to move the applications running in its datacenters to the cloud and build a mature information security posture. At the time of that first meeting during the summer of 2015, Rosado described the migration to Okta as 50 percent complete, and said he’d be glad to follow up on his progress. Clearly, he did, but in retrospect, that first meeting was the calm before the storm for Planned Parenthood.

Cyberattacks and Their Aftermath
The release of a video implying that a Planned Parenthood clinic was profiting by selling tissue of aborted fetuses put the organization in the spotlight during the early stage of the presidential campaign, with several Republican candidates condemning the reported activity during the widely viewed debates. The accusations raised in the tightly edited videos, which were shared on social media, were ultimately discredited, but the campaign against Planned Parenthood by its opponents remained in full force.

Around that time in July 2015, a group of hackers breached database records that included names and e-mail addresses of 300 employees. The hackers, who said they were opposed to Planned Parenthood, claimed they were able to steal the information because of bad coding practices. Days later, a targeted distributed denial of service (DDoS) attack shut down the Planned Parenthood Web site. Planned Parenthood and its affiliates have since experienced ongoing attacks and phishing attempts and have detected all sorts of probes attempting malicious activity, according to Rosado and IT officials with several Planned Parenthood affiliates.

"I think Planned Parenthood is a very interesting organization due to the politics that are involved within the organization and what they have to deal with on a daily basis," says Ibrahim (Abe) Baggili, an assistant dean and assistant professor at the University of New Haven, Conn. Baggili, an expert in digital forensics, is quite knowledgeable about Planned Parenthood’s saga. He was among a number of outside speakers who addressed its IT and physical security readiness experts at a conference held by Planned Parenthood in Denver last fall.

"Planned Parenthood has been attacked where their Web site was defaced," Baggili says. "But more importantly, the amount of information that can be spread about them over social media that is incorrect could cause people to think things about them in a way that’s not true. To me, besides being able to get into their networks and steal their customer data, that’s a threat that’s within the cyber domain."

Scope of Attacks
Arizona State University professor Kim Jones, who last year was named director of its New College of Interdisciplinary Arts and Sciences Cybersecurity Education Consortium, also spoke at the Planned Parenthood security conference. After Planned Parenthood gave Jones a deep dive on the attacks it has sustained over the past two years, Jones admits they were much more sophisticated and alarming than he initially had presumed.

"I’ve worked for defense contractors and financial institutions and having researched the attacks Planned Parenthood is undergoing, they have a very, very motivated and diligent set of threat actors."

Kim Jones, Professor, Arizona State University

"I’ve worked for defense contractors and financial institutions and having researched the attacks Planned Parenthood is undergoing, they have a very, very motivated and diligent set of threat actors, who over an extended amount of time have remained motivated and diligent regarding disrupting their operations," Jones says.

Vince Crisler, CEO and co-founder of Dark Cubed, who has worked in the White House, the Pentagon and the Department of Homeland Security, has seen all kinds of attacks. Crisler is working closely with Planned Parenthood, which is testing the Dark Cubed Cyber Security Platform, an appliance that prioritizes threats and provides real-time visibility into them. In a typical deployment, the appliances will find hundreds of thousands of IP addresses and domains, and in larger ones millions, he says, of which 5 percent to 8 percent are considered higher-risk threats. Some of those are automated scanning bots and botnets that target all types of devices, including DVRs and IP cameras, scanning these networks from the outside in.

Deployed at a number of Planned Parenthood affiliates, the Dark Cubed appliances receive feeds from the Planned Parenthood CloudFlare infrastructure monitoring service, which are then scored by Dark Cubed. "There are a significant number scanning them or hitting them or trying to engage them, and at that point we hand it off," Crisler says. "Once threats are observed, how do you jump in and see if it has done something malicious or not? That’s the second part of the chain. First is awareness and blocking, and then the second piece is, if you want to dig into it, you can also feed a Splunk deployment or other logging infrastructure to be able to do more advanced analytics."

Enterprise-Grade Attacks
As noted earlier, these attacks have remained under the radar, and certainly don’t sound as spectacular as some higher-profile breaches happening at the same time. Consider last year’s higher-profile attacks alone: the e-mails leaked from the Democratic National Committee; a spate of cyber-heists by criminals who breached the SWIFT global payment network and stole hundreds of millions of dollars from several international banks; and the massive DDoS attack in which hackers unleashed the Mirai botnet on DNS provider Dyn, bringing down Amazon, Box, GitHub, Heroku, Netflix, Okta, Reddit, Spotify and Twitter.
