Healthcare Vulnerabilities

Author: Lorraine Casey
12/10/2014

What Tech Geniuses Should Know About Healthcare Vulnerabilities: A live hack demonstration

Tod Ferran, CISSP, QSA

Hi there!
• Tod Ferran
  – 25 years working with IT and physical security
  – 3 years PCI and HIPAA security consulting, performing entity compliance audits
• SecurityMetrics
  – Assisted >1 million businesses with HIPAA/PCI compliance since 2000

HIPAA Reported Breaches - Jan 1, 2013 to Oct 1, 2013
[Chart: number of reported breaches (0 to 35) by location of the breached information (Laptop, Paper, Desktop, Server, Other, E-mail, Electronic Medical Record), broken down by breach type: Hacking/IT Incident, Improper Disposal, Loss, Other, Theft, Unauthorized Access, Unknown.]

We’ve been breached???
• Lack of:
  – Current, updated anti-malware
  – Intrusion detection systems
  – Data loss prevention systems
  – File integrity monitoring systems
  – Centralized logging and alerting
  – Security-specific training for IT staff

OWASP Top Ten (2013)
• Injection
• Broken authentication and session management
• Cross-site scripting (XSS)
• Insecure direct object references
• Security misconfiguration
• Sensitive data exposure
• Missing function level access control
• Cross-site request forgery (CSRF)
• Using components with known vulnerabilities
• Unvalidated redirects and forwards

Thanks to the Internet, supreme intelligence isn’t required to be a hacker.

Hacker tools are cheap and available
• Most attackers stand on the shoulders of more skilled predecessors and use pre-made tools to steal data from vulnerable organizations.
• Data scraping tools target:
  – Point-of-sale (POS) malware
  – Workstations/servers
  – Tablets & smart phones

POS malware and healthcare
• How does POS malware impact healthcare? Clinics and hospitals take card payments too, and medical devices are often administered through the same remote-access tools that deliver POS malware.
• We must learn and protect to survive

POS malware
• A rash of POS malware in 2014
• Reports of over 1,000 merchants affected
• What does POS malware do?
  – Steals track data and payment account information from memory (RAM)
  – Sends it out to be sold on black-market sites
• Each strain is similar: attackers create variants from pre-existing malware

POS malware history
• 2008: Visa data security alert reported POS RAM scrapers
• 2009: Verizon data breach report addressed it
• 2013: POS intrusions account for 14% of breaches (Verizon)

POS strains
• 2012: Reedum (Target)
• June 2013: BlackPOS
• February 2014: Infostealer.Rawpos (Goodwill)
• June 2014: Soraya
• July 2014: BrutPOS and Backoff (Home Depot)
• August 2014: BlackPOS ver. 2

23-year-old Russian hacker, the original author of BlackPOS Malware

Infostealer.Rawpos timeline
• Creation: unknown (?)
• Earliest record of infected systems: Feb 2013 (gap from creation unknown)
• First anti-virus to detect: Feb 18, 2014 (1 year after the earliest infection)
• Discovered (publicly reported): Sept 5, 2014 (7 months after first AV detection)

Biggest concerns
• POS malware is not being detected by anti-virus
• It can remain on systems for a long time before it is noticed

Merchants affected
• POS malware has affected big names in retail
• Federal law enforcement says thousands more

3 public alerts within 2 months
• PCI Security Standards Council merchant guidance on skimming prevention
• Secret Service and Department of Homeland Security
• US-CERT (Computer Emergency Readiness Team)
  – It wasn’t until this alert that the attack vector (exposed remote access) was really addressed

Remote access exploitation
• BrutPOS and Backoff are both delivered over remote access reached with guessed or weak credentials:
  – RDP
  – LogMeIn
  – RemotePC
  – pcAnywhere
  – GoToMyPC
  – Other remote access technologies

Why does this attack happen?
• Many POS (and medical device) vendors and implementers recommend remote access technologies to run the daily or settlement reports
  – Third parties (IT support, billing) use remote access to gain network access
• Implementers don’t recognize the danger of enabling such technologies

Attack types
• Remote access can be used to attack the POS or medical device itself
• It can also be used to attack other systems in the environment and “pivot” to a POS/medical device system

Attacking the POS (med-dev) system

The “pivot” attack

Let me show you how it works.

Analysis
• This is a simple attack
  – Publicly available tools
    • Brute-force password cracking tool
  – Windows settings
  – Windows application
• You cannot rely on anti-virus tools alone to detect it

45 CFR § 164.530(c)(1) “Standard: A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”

How do you avoid attack? Take a multilayer approach to security.

Change the default username
• Change “admin”/“Administrator” to something harder to guess
  – Fictitious names
• The attacker must then guess both the username and the password, not just the password
  – This raises the cost of blind guessing; it does not replace a strong password or account lockout

Don’t enable guest accounts
• Guest accounts allow anonymous access to your machine
• Disabling guest protects against unauthorized users

Lock out hackers
• Enable account lockout after a set number of failed attempts
• Best practice: set the lockout duration to zero so a locked account stays locked until an administrator unlocks it
  – Caveat: deliberate failed attempts can then lock legitimate users out, so watch for lockout events and make sure an out-of-band way to unlock accounts exists

Implement 2-factor authentication
• Two different forms of authentication are required to access an application
• The two factors must come from two of these three categories:
  – Something only the user knows (e.g., a password or PIN; the username is not a secret)
  – Something only the user has (e.g., a cell phone or RSA token)
  – Something the user is (e.g., a fingerprint)

Use a passphrase
• No common passwords
• “Complex” passwords can still be easy to guess
  – 123!@#qwe (keyboard pattern)
  – Jessica123 (social engineering + common password)
• Best practice: a passphrase
  – I wear my sunglasses at night → Iwmsg@n1980!
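To make the point above checkable rather than anecdotal, here is an added example (not from the original presentation or from SecurityMetrics) of a small Python password checker that catches the two patterns named on the slide: keyboard walks, including shifted-symbol variants such as 123!@#qwe, and a dictionary word padded with digits such as Jessica123. The US keyboard rows, the tiny COMMON_WORDS list and the 12-character floor are assumptions made for the example; a deployment would substitute a breached-password list and its own policy length.

```python
"""Reject passwords that look complex but follow guessable patterns.

Added example for this deck; not the presenter's code. Rows, word list and
length floor below are assumptions for illustration.
"""
import re

# US keyboard rows. Shifted symbols on the number row are mapped back to the
# digits underneath them so "123!@#" is seen as the walk "123123".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SHIFTED_TO_BASE = dict(zip("!@#$%^&*()", "1234567890"))

# Constructed stand-in for a breached-password / common-word list.
COMMON_WORDS = {"password", "jessica", "welcome", "letmein", "summer", "qwerty"}

MIN_LENGTH = 12  # assumed policy floor; the slide's example passphrase is 12 chars


def _normalise(pw):
    """Lowercase and un-shift symbols so patterns survive Shift-key disguises."""
    return "".join(SHIFTED_TO_BASE.get(c, c) for c in pw.lower())


def _adjacent(a, b):
    """True when a and b sit next to each other on the same keyboard row."""
    for row in KEYBOARD_ROWS:
        if a in row and b in row and abs(row.index(a) - row.index(b)) == 1:
            return True
    return False


def keyboard_walk_coverage(pw):
    """Fraction of characters that lie inside a run of 3+ keyboard-adjacent keys."""
    s = _normalise(pw)
    if not s:
        return 0.0
    covered = [False] * len(s)
    start = 0
    for i in range(1, len(s) + 1):
        # A run ends at the string end or where two neighbours are not adjacent keys.
        if i == len(s) or not _adjacent(s[i - 1], s[i]):
            if i - start >= 3:
                for j in range(start, i):
                    covered[j] = True
            start = i
    return sum(covered) / len(s)


def padded_common_word(pw):
    """Return the dictionary word left after stripping leading/trailing digits and symbols, else None."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core if core in COMMON_WORDS else None


def assess(pw):
    """Collect every reason a candidate is weak; an empty list means it passes these checks."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if keyboard_walk_coverage(pw) >= 0.5:
        reasons.append("keyboard pattern")
    if padded_common_word(pw):
        reasons.append("common word with padding")
    return {"password": pw, "reasons": reasons, "verdict": "weak" if reasons else "ok"}


if __name__ == "__main__":
    for candidate in ("123!@#qwe", "Jessica123", "Iwmsg@n1980!"):
        print(assess(candidate))
```

Both slide examples are rejected (123!@#qwe is 100% keyboard walk once the shifted symbols are un-shifted; Jessica123 reduces to "jessica" once the digits are stripped), while the passphrase-derived Iwmsg@n1980! passes: none of its neighbouring characters are adjacent keys and stripping the trailing digits leaves nothing in the word list. Passing these checks is necessary, not sufficient; the word list is the part that matters most in practice.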

Firewall rules
• Whitelist – Only allow Fred and Wilma (the receptionist computers) to go to the grocer and the dry cleaners
• Blacklist – Allow Barney and Betty (the physician computers) to go anywhere except to the saloon
• Block – Don’t allow Albert (the EMR server) to leave the premises
• VPN – Only allow Gandhi (the physician at home) to come inside if he shows up from underground tunnel #12 and has the secret password assigned only to him

Wireless configuration
• WPA2 encryption
• Change the default administrative username/password on the access point
• Segment guest and workforce Wi-Fi

File integrity monitoring software
• Install and monitor file integrity monitoring software on all critical systems
• Enable logging on critical systems
  – Review log alerts
  – Employ log alerting software to receive alerts of suspicious activity
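The lockout slide and the logging slide above name the controls but not what the attack looks like in the logs they produce. The following is an added example, not from the original presentation or from SecurityMetrics: a Python script that reads a constructed CSV export of Windows Security events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP), raises an alert when one source address accumulates failures against any accounts inside a time window, escalates the alert when that same source then logs on successfully, and separately shows which accounts a per-account lockout policy alone would have caught. The log rows, IP addresses, account names and the five-column layout are made up for the example; a real export from Event Viewer or a SIEM carries more fields under different names.

```python
"""Spot RDP brute-force activity in Windows Security event exports.

Added example for this deck; not the presenter's code. Input is a constructed
CSV: timestamp,event_id,logon_type,account,source_ip.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"       # "An account failed to log on"
SUCCESSFUL_LOGON = "4624"   # "An account was successfully logged on"
RDP_LOGON_TYPE = "10"       # RemoteInteractive (Terminal Services / RDP)

# Constructed sample: one external host guessing at three account names over
# RDP and finally getting in, plus one clinician who mistypes once from inside.
SAMPLE_LOG = """\
2014-12-10 02:15:01,4625,10,Administrator,203.0.113.45
2014-12-10 02:15:02,4625,10,Administrator,203.0.113.45
2014-12-10 02:15:02,4625,10,Administrator,203.0.113.45
2014-12-10 02:15:03,4625,10,admin,203.0.113.45
2014-12-10 02:15:03,4625,10,Guest,203.0.113.45
2014-12-10 02:15:04,4625,10,Administrator,203.0.113.45
2014-12-10 02:15:05,4625,10,Administrator,203.0.113.45
2014-12-10 02:15:06,4624,10,Administrator,203.0.113.45
2014-12-10 08:30:00,4625,10,drsmith,10.0.5.22
2014-12-10 08:30:20,4624,10,drsmith,10.0.5.22
"""


def parse_events(text):
    """Parse the constructed CSV rows into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, source = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account.lower(),   # Windows account names are case-insensitive
            "source": source,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """One alert per source IP whose RDP failures reach `threshold` inside `window`.

    Counting per source (not per account) catches a spray across many usernames.
    A later success from the same source escalates the verdict, because that is
    the signature of a guessed password rather than a failed attempt.
    """
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    tried = defaultdict(set)      # source -> account names attempted
    alerts = {}
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        src = e["source"]
        q = recent[src]
        while q and e["time"] - q[0] > window:   # slide the window forward
            q.popleft()
        if e["event_id"] == FAILED_LOGON:
            q.append(e["time"])
            tried[src].add(e["account"])
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {"source": src, "verdict": "brute_force"})
                alert["failures"] = max(alert.get("failures", 0), len(q))
                alert["accounts"] = sorted(tried[src])
        elif e["event_id"] == SUCCESSFUL_LOGON and len(q) >= threshold:
            alert = alerts.setdefault(src, {"source": src})
            alert["failures"] = max(alert.get("failures", 0), len(q))
            alert["accounts"] = sorted(tried[src])
            alert["verdict"] = "success_after_failures"
            alert["compromised_account"] = e["account"]
    return list(alerts.values())


def accounts_at_lockout(events, threshold=5, window=timedelta(minutes=30)):
    """Accounts whose failures inside `window` reach `threshold`, i.e. what a
    Windows lockout policy (threshold + observation window) alone would catch."""
    recent = defaultdict(deque)
    locked = set()
    for e in events:
        if e["event_id"] != FAILED_LOGON:
            continue
        q = recent[e["account"]]
        while q and e["time"] - q[0] > window:
            q.popleft()
        q.append(e["time"])
        if len(q) >= threshold:
            locked.add(e["account"])
    return sorted(locked)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for alert in detect_rdp_bruteforce(evts):
        print(alert)
    print("lockout policy alone would have locked:", accounts_at_lockout(evts))
```

On the constructed data the per-source view produces one alert for 203.0.113.45, escalated to success_after_failures against administrator after seven failures spread over administrator, admin and guest; the per-account view locks only administrator, because the guesses at admin and guest never reached the threshold. That gap is why the deck pairs lockout with logging and alerting: lockout counts per account, so a wide spray across usernames is only visible when failures are also counted per source. One caveat for real logs: on hosts that require Network Level Authentication, failed RDP logons are commonly recorded with logon type 3 rather than 10, so widen the filter before relying on it.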

Start vulnerability scanning
• An attacker with off-the-shelf scanning tools can sweep the entire Internet for potential victims about once every 8 hours
• Vulnerability scans are automated tests run against software, hardware, and network infrastructure
  – Some can check for more than 50,000 unique vulnerabilities
• Important: remediation
  – Once a scan completes, fix the findings promptly, highest severity first

Get help
• Penetration test (PCI DSS Requirement 11.3)
  – Live attempt to exploit vulnerabilities
  – Try to guess passwords, manipulate code, and fool web servers into giving up sensitive information
• Consult with a Qualified Security Assessor (QSA)
  – Provides best security practices customized to your organization

What motivates decision makers?
• Problem
  – Patient health and safety
  – Regulation
  – Bad press
• Solution
  – Accurate and thorough risk analysis
  – Prioritization
• ROI
  – Cost to insurance and hard savings

This is a simple attack.

But…it’s easy to thwart through simple controls.

Questions? [email protected] www.securitymetrics.com
