october 28–30, 2019 | minneapolis convention center · vulnerability exploited:...
TRANSCRIPT
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
Medical Device Attack Scenario
Sarah Jopp, BS, MBA, CISSPSenior Analyst, Clinical Information Security – ResiliencyMayo Clinic
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
Challenges to Securing Medical
Devices
(re-)approval takes long
time
zero downtime
24/7
clinical workflow
issues “behind-the-perimeter-
firewall” mentality
AV, anti-malware limitations
lack of Software Development
Lifecycle
limitations on adding
security software
patient safety requires special
handling
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
Common Types of Vulnerabilities
Hardcoded Credentials
Default Passwords
Unsupported Operating
System
Lack of Patch Management
no/weak/custom encryption
Web app injectionsInsecure
configuration
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
Series of vulnerabilities an attacker will exploit to gain complete access to a critical asset -starting from zero access (not to be confused with the cyber kill chain)
Attack Chain
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
Example Scenario: Gain Unauthorized Access to MRI scanner1. Gain access to intranet by exploiting user ignorance
(phishing) and weak email filtering2. Install and maintain backdoor access to victim’s system
by exploiting weak perimeter and endpoint security3. Pivot to medical device server by exploiting web
application default password 4. Elevate privileges by exploiting unpatched server OS5. Gain access to medical device by exploiting trust
between server and device
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
Vulnerability Exploited:Network perimeter devices have insufficient email filtering
Hacking Tools: exe packers, custom payloads
Attacker sends malicious email attachment
Bob
Step 1: Gain access to intranet
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
Vulnerability Exploited:User ignorance
Hacking Tools: social engineering, patience
Bob
Bob is duped into opening the malicious attachment
Step 1: Gain access to intranet
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
Vulnerability Exploited:Insufficient Endpoint ProtectionWeak perimeter firewall / IDS
Hacking Tools: reverse shell (msfvenom)
Bob
Attacker’s malware is installed on Bob’s machine and calls back to attacker’s machine
Step 1: Gain access to intranet
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
Vulnerability Exploited:Lack of Network Segmentation
Hacking Tools: Nmap, nikto, web browser
BobAttacker pivots to attack the web server managing the MRI
web server
Step 2: Gain access to web server
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
Vulnerability Exploited:Weak Password Policy Lack of Brute-force ProtectionDefault Passwords
Hacking Tools: Ncrack
Bob
web server
Attacker gains access to the web application managing the MRI by: Brute-force, guessing or consulting the device manual
Step 2: Gain access to web server
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
Vulnerability Exploited:Web server running with excessive privileges Unpatched web application
Hacking Tools: web browser, metasploit
Bob
web server
Attacker gains shell on server by exploiting web app and running remote code as a web application user (elevated privileges).
Step 3: Elevate privileges on web server
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
Vulnerability Exploited:Unsupported/Outdated OSInsecure Firewall Configuration
Hacking Tools: metasploit
Bob
web server
Attacker gains Administrator access to the MRI by exploiting known vulnerabilities (i.e. MS17-010)
Step 4: Gain access to MRI scanner
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
Hardcoded Credentials
DefaultPasswords
Unsupported OS
Lack of Patch Mgmt.
no/weak/custom
encryption
Web app injections
Insecure config.
Manual web applicationassessments
Assessment of cryptographicaspects of application
Reverse engineeringof binary executable files
Analysis of custom protocols
Testing Methods for Common Vulnerabilities
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
Hardcoded Credentials
DefaultPasswords
Unsupported OS
Lack of Patch Mgmt.
no/weak/custom
encryption
Web app injections
Insecure config.
Manual host Configuration reviews
Interview vendor staff
Remote scan of servicesfor vulnerabilities
Testing Methods for Common Vulnerabilities
October 28–30, 2019 | Minneapolis Convention Centercybersecuritysummit.org | #cybersummitmn
Questions