12/10/2014
What Tech Geniuses Should Know About Healthcare Vulnerabilities
A live hack demonstration
Tod Ferran, CISSP, QSA
Hi there!
• Tod Ferran
– 25 years working with IT and physical security
– 3 years PCI and HIPAA security consulting, performing entity compliance audits
• SecurityMetrics
– Assisted >1 million businesses with HIPAA/PCI compliance since 2000
[Chart] HIPAA Reported Breaches - Jan 1, 2013 to Oct 1, 2013. Number of breaches (0 to 35) by location of breached information (Laptop, Paper, Desktop, Server, Other, E-mail, Electronic Medical Record), broken down by breach type: Hacking/IT Incident, Improper Disposal, Loss, Other, Theft, Unauthorized Access, Unknown.
We’ve been breached??? • Lack of:
– Current, updated anti-malware
– Intrusion detection systems
– Data loss prevention systems
– File integrity monitoring systems
– Centralized logging and alerting
– Security-specific training for IT staff
OWASP Top Ten
• Injection
• Broken authentication
• Cross-site scripting
• Insecure direct object reference
• Security misconfiguration
• Sensitive data exposure
• Missing function level access control
• Cross-site request forgery
• Known vulnerabilities
• Invalid redirect/forward
Thanks to the Internet, supreme intelligence isn’t required to be a hacker.
Hacker tools are cheap and available
• Most stand on the shoulders of their hacking world superiors, and use pre-made tools to steal data from vulnerable organizations.
• Data scraping tools
– Point-of-sale (POS) malware
– Workstation/Server
– Tablets & Smart Phones
POS malware and healthcare
• How does POS malware impact healthcare?
• We must learn and protect to survive
POS malware
• A rash of POS malware in 2014
• Reports of over 1,000 merchants affected
• What does POS malware do?
– Steal track data and payment account information from memory (RAM)
– Send it out to be sold on black market sites
• Each strain is similar. Attackers create malware variants from preexisting malware
POS malware history
– 2008: Visa data security alert reported POS RAM scrapers
– 2009: Verizon data breach report addressed it
– 2013: POS intrusions account for 14% of breaches (Verizon)
POS strains
– 2012: Reedum (Target)
– June 2013: BlackPOS
– February 2014: Infostealer.Rawpos (Goodwill)
– June 2014: Soraya
– July 2014: BrutPOS and Backoff (Home Depot)
– August 2014: BlackPOS ver. 2
[Photo] 23-year-old Russian hacker, the original author of BlackPOS Malware
Infostealer.Rawpos timeline
– Creation: ?
– Earliest record of infected systems: Feb 2013
– Discovered: Feb 18, 2014 (1 year later)
– First anti-virus to detect: Sept 5, 2014 (7 months later)
Biggest concerns
• POS malware is not being detected by anti-virus
• It can remain on systems for a long time before being noticed
Merchants affected
• POS malware has affected big names in retail
• Federal law enforcement says 1,000s more
3 public alerts within 2 months
• PCI Security Standards Council merchant guidance on skimming prevention
• Secret Service and Department of Homeland Security
• US-CERT (Computer Emergency Readiness Team)
– It wasn’t until this alert that the attack vector was really addressed
Remote access exploitation
• BrutPOS and BackOFF both exploit:
– RDP
– LogMeIn
– RemotePC
– pcAnywhere
– GoToMyPC
– Other remote access technologies
Why does this attack happen?
• Many POS (and medical device) vendors and implementers recommend remote access technologies to run the daily reports or settlement reports
– Third parties (IT support, billing) use remote access to gain network access
• Implementers don’t recognize the danger of enabling such technologies
Attack types
• Remote access can be used to attack the POS or medical device itself
• Can also be used to attack other systems in the environment and “pivot” to attack a POS/medical device system
Attacking the POS (med-dev) system
The “pivot” attack
The “pivot” attack
Let me show you how it works.
Analysis
• This is a simple attack
– Publicly available tools
• Brute force password cracking tool
– Windows settings
– Windows application
• You cannot rely on anti-virus tools alone to detect it
45 CFR § 164.530(c)(1) “Standard: A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”
How do you avoid attack? Take a multilayer approach to security.
Change the default username
• Change admin to something more difficult to guess
– Fictitious names
• Attacker must correctly guess both username and password at the same time to gain access
Don’t enable guest accounts
• Guest accounts allow anonymous access to your machine
• Disabling guest protects against unauthorized users
Lock out hackers
• Enable user lockouts after a certain number of failed attempts
• Best practice: set lockout to zero to lock account indefinitely
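Added example, not from the original slides: a small simulation of the lockout setting. A constructed six-word guess list is replayed against an account named admin, once with an indefinite lock (the slide's "set lockout to zero") and once with a 15-minute lock, to show why the indefinite lock is the recommended setting.

```python
"""Account-lockout policy simulation for a remote-access login.
Added example, not from the original presentation; account names, the
password and the guess list are constructed."""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int = 5        # consecutive failures before the account locks
    duration: int = 0         # seconds the lock lasts; 0 = indefinite (admin must reset)
    failures: dict = field(default_factory=dict)   # user -> consecutive failures
    locked_at: dict = field(default_factory=dict)  # user -> time the lock began


def attempt_login(policy, accounts, user, password, now):
    """Return 'locked', 'ok' or 'fail' for one login attempt made at time `now`."""
    lock_time = policy.locked_at.get(user)
    if lock_time is not None:
        if policy.duration == 0 or now - lock_time < policy.duration:
            return "locked"           # refused before the password is even checked
        del policy.locked_at[user]    # temporary lock has expired
        policy.failures[user] = 0
    if accounts.get(user) == password:
        policy.failures[user] = 0
        return "ok"
    policy.failures[user] = policy.failures.get(user, 0) + 1
    if policy.failures[user] >= policy.threshold:
        policy.locked_at[user] = now
    return "fail"


def run_brute_force(duration):
    """Replay a constructed dictionary attack against 'admin'; return each outcome."""
    accounts = {"admin": "Iwmsg@n1980!"}               # constructed credential
    policy = LockoutPolicy(threshold=5, duration=duration)
    guesses = ["password", "admin", "123456", "qwerty", "letmein", "Iwmsg@n1980!"]
    results = [attempt_login(policy, accounts, "admin", g, t) for t, g in enumerate(guesses)]
    # The correct password tried once more, well after a 15-minute lock would expire.
    results.append(attempt_login(policy, accounts, "admin", "Iwmsg@n1980!", 1000))
    return results


if __name__ == "__main__":
    print("indefinite lock:", run_brute_force(0))    # attacker stays out
    print("15-minute lock: ", run_brute_force(900))  # attacker gets in after the wait
```

Note that the sixth guess is the correct password and is still refused while the lock is in force; a timed lock only slows the guessing down, an indefinite lock ends it until an administrator looks at the account.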
Implement 2-factor authentication
• Two different forms of authentication are necessary to access an application
• When setting up two-factor authentication, factors must contain two of three aspects:
– Something only the user knows (e.g., a username and password)
– Something only the user has (e.g., a cell phone or RSA token)
– Something the user is (e.g., a fingerprint)
Use a passphrase
• No common passwords
• Complex passwords can be easy to guess
– 123!@#qwe (keyboard patterns)
– Jessica123 (social engineering + common password)
• Best practice: passphrase
– I wear my sunglasses at night → Iwmsg@n1980!
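Added example, not part of the presentation: a small checker that applies the slide's reasoning to the passwords shown on it, using US keyboard rows and a constructed common-word list as its only heuristics.

```python
"""Password-quality check reflecting the slide's guidance.
Added example, not part of the original presentation. COMMON_WORDS is a small
constructed sample; a real deployment would use a large breached-password list."""
import re

MIN_LENGTH = 12
# Straight runs along a US keyboard; reversed runs are checked too.
KEYBOARD_ROWS = ["1234567890", "!@#$%^&*()", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Constructed sample of names and passwords that attackers try first.
COMMON_WORDS = {"password", "jessica", "admin", "welcome", "letmein", "qwerty", "123456"}


def has_keyboard_run(pw, run_len=3):
    """True if any run_len consecutive characters follow a keyboard row either way."""
    low = pw.lower()
    for i in range(len(low) - run_len + 1):
        chunk = low[i:i + run_len]
        for row in KEYBOARD_ROWS:
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def is_common_word_plus_digits(pw):
    """True for patterns such as Jessica123 or password2014."""
    m = re.fullmatch(r"([A-Za-z]+)[\d!@#$%^&*]*", pw)
    return bool(m) and m.group(1).lower() in COMMON_WORDS


def check_password(pw):
    """Return the reasons a password is weak; an empty list means acceptable."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if has_keyboard_run(pw):
        reasons.append("contains a keyboard pattern")
    if is_common_word_plus_digits(pw):
        reasons.append("common word or name followed by digits")
    if pw.lower() in COMMON_WORDS:
        reasons.append("common password")
    return reasons


if __name__ == "__main__":
    for candidate in ["123!@#qwe", "Jessica123", "Iwmsg@n1980!",
                      "I wear my sunglasses at night"]:
        print(repr(candidate), check_password(candidate) or ["ok"])
```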
Firewall rules
• Whitelist – Only allow Fred and Wilma (the receptionist computers) to go to the grocer and the dry cleaners
• Blacklist – Allow Barney and Betty (the physician computers) to go anywhere except to the saloon
• Block – Don’t allow Albert (the EMR server) to leave the premises
• VPN – Only allow Gandhi (the physician at home) to come inside if he shows up from the underground tunnel #12 and has the secret password assigned only to him
Wireless configuration
• WPA2 encryption
• Change default Wi-Fi username/password
• Segment guest and workforce Wi-Fi
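To make the four analogies concrete, here is an added example (not from the presentation) that renders them as iptables commands on a default-deny FORWARD chain and simulates first-match evaluation. Host names follow the slide; the IP addresses (RFC 5737 test ranges) and the vpn0 interface are constructed placeholders.

```python
"""Render the slide's whitelist / blacklist / block rules as iptables commands.
Added example, not from the original presentation; host and destination names
follow the slide's analogy, while the IP addresses (RFC 5737 test ranges) and
the vpn0 interface are constructed placeholders."""

HOSTS = {"fred": "192.0.2.11", "wilma": "192.0.2.12",    # receptionist PCs
         "barney": "192.0.2.21", "betty": "192.0.2.22",  # physician PCs
         "albert": "192.0.2.50"}                         # EMR server
DESTS = {"grocer": "203.0.113.10", "dry_cleaners": "203.0.113.20",
         "saloon": "203.0.113.66"}
# (mode, host, destinations): whitelist names what IS allowed, blacklist what is NOT.
RULES = [
    ("whitelist", "fred",   ["grocer", "dry_cleaners"]),
    ("whitelist", "wilma",  ["grocer", "dry_cleaners"]),
    ("blacklist", "barney", ["saloon"]),
    ("blacklist", "betty",  ["saloon"]),
    ("block",     "albert", []),
]


def render_forward_chain(rules):
    """Return iptables commands for a FORWARD chain whose default policy is DROP."""
    cmds = ["iptables -P FORWARD DROP"]  # anything not matched below is dropped
    for mode, host, dests in rules:
        src = HOSTS[host]
        if mode == "whitelist":          # explicit ACCEPTs; default policy denies the rest
            for d in dests:
                cmds.append(f"iptables -A FORWARD -s {src} -d {DESTS[d]} -j ACCEPT")
        elif mode == "blacklist":        # explicit DROPs first, then allow everything else
            for d in dests:
                cmds.append(f"iptables -A FORWARD -s {src} -d {DESTS[d]} -j DROP")
            cmds.append(f"iptables -A FORWARD -s {src} -j ACCEPT")
        elif mode == "block":            # nothing from this host leaves the premises
            cmds.append(f"iptables -A FORWARD -s {src} -j DROP")
    # VPN: the remote physician enters only on the tunnel interface; the VPN server
    # itself checks his personal credential before it hands out a tunnel address.
    cmds.append("iptables -A FORWARD -i vpn0 -s 10.8.0.0/24 -j ACCEPT")
    return cmds


def would_pass(cmds, src, dst):
    """First-match simulation of the rendered chain for one src -> dst flow."""
    for c in cmds[1:]:
        parts = c.split()
        rule_src = parts[parts.index("-s") + 1] if "-s" in parts else None
        rule_dst = parts[parts.index("-d") + 1] if "-d" in parts else None
        if rule_src not in (None, src) or rule_dst not in (None, dst):
            continue
        return parts[-1] == "ACCEPT"
    return False                         # fell through to the DROP policy
```

The simulation makes the difference visible: a receptionist PC reaching anything off its whitelist, the EMR server reaching anything at all, and an unknown host all fall through to the DROP policy, while the physician PCs are stopped only at the saloon.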
File integrity monitoring software
• Install and monitor file integrity monitoring software on all critical systems.
• Enable logging on critical systems
– Review log alerts
– Employ log alerting software to receive alerts of suspicious activity
Start vulnerability scanning
• The average hacker can scan the entire Internet for potential victims once every 8 hours
• Vulnerability scans are automatic tests that run on software, hardware, and network structures.
– Some can find more than 50,000 unique vulnerabilities
• Important: remediation
– Once a scan completes, fix any vulnerabilities immediately
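An added example (not from the presentation or any product) of the mechanism behind file integrity monitoring: hash a baseline of a critical directory, re-hash it later and report what was added, removed or modified. The directory contents and the tampering in demo() are constructed.

```python
"""Minimal file-integrity monitor: hash a baseline, re-hash later, report drift.
Added example, not from the original presentation; it shows the mechanism the
slide recommends rather than any product. demo() uses constructed files."""
import hashlib
import os
import tempfile

def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = hash_file(full)
    return snapshot

def compare(baseline, current):
    """Return added, removed and modified paths between two snapshots."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in common if baseline[p] != current[p])}

def _write(root, rel, data):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def demo():
    """Baseline a constructed 'critical system' directory, tamper with it, return the drift."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/pos_service.exe", b"original binary")
        _write(root, "config.ini", b"port=5000\n")
        baseline = build_baseline(root)
        # Simulated tampering: binary replaced, config deleted, new DLL dropped.
        _write(root, "bin/pos_service.exe", b"modified binary")
        os.remove(os.path.join(root, "config.ini"))
        _write(root, "bin/unexpected.dll", b"new file")
        return compare(baseline, build_baseline(root))
```

In practice the baseline is stored off the monitored host and the comparison runs on a schedule, with each non-empty result feeding the log alerting described on the slide.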
Get help
• Penetration test (PCI Req. 11.3)
– Live attempt to exploit vulnerabilities
– Try to fake passwords, manipulate code, fool web servers into giving sensitive information
• Consult with a Qualified Security Assessor (QSA)
– Provides best security practices customized to your organization
What motivates decision makers?
• Problem
– Patient health and safety
– Regulation
– Bad press
• Solution
– Accurate and thorough Risk Analysis
– Prioritization
• ROI
– Cost to insurance and hard savings
This is a simple attack.
But…it’s easy to thwart through simple controls.
Questions?
[email protected] www.securitymetrics.com