THE AVALANCHE OF VULNERABILITIES - NIST

Page 1: THE AVALANCHE OF VULNERABILITIES: A PERSPECTIVE

Mike Ahmadi, Global Director of Critical Systems Security, Codenomicon Ltd

@codenomicon

Page 2

6/17/2015 © 2014 All Rights Reserved

UNKNOWN VULNERABILITIES ARE BAD… KNOWN VULNERABILITIES ARE A HUGE PROBLEM

• Hospital central monitoring system with 1683 known vulnerabilities

• 378 of those vulnerabilities are in a single component (a Java runtime environment), meaning that updating just that one component to a current version would fix 378 vulnerabilities.

• This system is widely used throughout hospitals…including government hospitals

Page 3

MEDICAL ISSUES ARE WIDESPREAD

• Brain Wave Monitoring Device (OS): 181 known vulnerabilities, 182 missing exploit mitigation techniques

• Infusion Pump: 55 known vulnerabilities

• Patient Monitor: 818 known vulnerabilities

• Drug Library: 440 known vulnerabilities, 49 missing exploit mitigation techniques

Page 4

LET’S LOOK AT AN INDUSTRIAL CONTROL SYSTEM

• SCADA system with over 20,000 licenses worldwide

• Customer reference list on website (including government customers)

• 702 exact match vulnerabilities in 10 components.

• 374 vulnerabilities in one Java runtime

• Over 150 vulnerabilities rated critical under NIST CVSS in one component

Page 5

SERIOUS NATURE OF SPECIFIC VULNERABILITIES

• Over 150 vulnerabilities in Java scored CRITICAL

• Critical commonly means remotely exploitable with no authentication required

• This means there are potentially at least 150 fairly trivial ways to exploit the system

Page 6

UNIQUE VULNERABILITIES GRAPH OVER TIME

• Huge increase in the number of vulnerabilities entering the NIST CVE database in the last 3 years

• Massive spike since 2013 for common software components (such as Java, OpenSSL)

[Chart: vulnerabilities in package, by version release. Annotation: a combination of the increase in discovered vulnerabilities and the addition of new features. Over 1000% increase in CVEs between the 2012 release and the 2014 release.]

Page 7

INCREASE IN MALWARE ATTACKS ON INDUSTRIAL CONTROL SYSTEMS

[Chart, relative to 2012: 2012 = 100%, 2013 = 704%, 2014 = 2866%; y-axis 0% to 3500%]

Source: Kaspersky Labs

Page 8

GRAPH OF VULNERABILITIES IN HOSPITAL MONITORING SYSTEM OVER TIME

[Chart: cumulative unique CVEs affecting the system, 3/15/2002 through 3/15/2014; y-axis 0 to 1200]

• Oldest compiled component on the software image was from Dec 2001.

• Newest component on the software was compiled in Nov 2012. This indicates that it was released around the end of 2012 or early 2013, with at least 509 unique CVEs affecting 24 components.

• As of 2015-02-15, a total of 1094 unique CVEs affected this software via (now) 30 vulnerable components. That is about 0.8 new CVEs per day.

Page 9

CODE DECAY OVER TIME – ROUTER

[Chart: cumulative unique CVEs affecting the product, 2/28/2008 through 12/31/2014; y-axis 0 to 800]

• Date of the oldest component found in the software: 2009-01-13

• 48 new unique CVEs affecting the product in the 12 months before release

• Product released / compiled 2014-01-17, with a total of 400 unique CVEs

• 289 new unique CVEs affecting the product during the first 12 months of operation (approx. 0.78 new CVEs per day during the first 6 months)

• 689 unique CVEs as of 2015-01-26

• 600% increase in unique vulnerabilities discovered in the last year

Page 10

SMART TV SET

[Chart: cumulative unique CVEs affecting the product, from launch projected through 11/1/2022; y-axis 0 to 700]

• 2012 Smart TV lineup launched: Nov/Dec 2011

• One year product cycle; one year standard warranty for parts and labor from the date of purchase

• Last firmware / SW update: Mar 2013 (approx. 178 unique CVEs affecting the product at the moment of SW EoL)*

• Nov 2014: security update to patch curl, openssl, flash_player, ffmpeg, libpng and freetype

• Today, March 1, 2015: 584 unique CVEs in 23 components

• Approx. 0.58 new CVEs / day over the course of 23 months

• 7 more years of expected operation of the LCD TV, to Nov 2022 (based on a 100,000 hours average lifespan of an LCD TV screen)

• Estimated 2065 CVEs affecting the product by Nov 2022, based on the historic rate of 0.58 CVEs per day

* Date may not be fully accurate, as partial OTA updates may have been delivered after this date as well (see the security update of Nov 2014).
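The exact-match counts on page 4 and the code-decay figures on pages 8 to 10 (CVEs known at release, new CVEs per day in service, projection to end of life) come out of one procedure: inventory the binary components of an image, match each against the CVE feed by product and version, then bucket the matched CVEs by publication date. The following Python is an added worked example of that procedure, not Codenomicon's tool or any code from the deck. The components, CVE records, scores and dates are constructed, the identifiers are placeholders rather than real CVE numbers, and the 9.0 CVSS threshold for "critical" is an assumption.

```python
"""Added example (not from the deck): match a bill of materials of binary
components against a CVE feed by exact product/version, then derive the
code-decay figures the slides report. All data is constructed; the CVE
identifiers are placeholders, not real CVE numbers."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    compiled: date      # build timestamp recovered from the binary

@dataclass(frozen=True)
class Cve:
    id: str
    product: str
    version: str        # the exact affected version (exact-match model)
    cvss: float
    published: date

# Constructed inventory of a fictional firmware image.
SBOM = [
    Component("openssl", "1.0.1e", date(2013, 2, 11)),
    Component("libpng", "1.2.49", date(2012, 3, 29)),
    Component("curl", "7.29.0", date(2013, 2, 6)),
]

# Constructed CVE feed with placeholder IDs. EX-0006 (other curl version)
# and EX-0008 (product not in the image) must not match.
CVE_FEED = [
    Cve("EX-0001", "openssl", "1.0.1e", 5.0, date(2013, 6, 1)),
    Cve("EX-0002", "openssl", "1.0.1e", 9.8, date(2014, 4, 7)),
    Cve("EX-0003", "libpng", "1.2.49", 7.5, date(2013, 11, 20)),
    Cve("EX-0004", "curl", "7.29.0", 4.3, date(2014, 8, 15)),
    Cve("EX-0005", "curl", "7.29.0", 10.0, date(2014, 12, 31)),
    Cve("EX-0006", "curl", "7.40.0", 9.0, date(2014, 12, 1)),
    Cve("EX-0007", "openssl", "1.0.1e", 6.5, date(2015, 3, 1)),
    Cve("EX-0008", "zlib", "1.2.8", 7.5, date(2014, 5, 5)),
]

RELEASE = date(2014, 1, 1)   # assumed release / compile date of the product
AS_OF = date(2015, 1, 1)     # assumed assessment date
EOL = date(2016, 1, 1)       # assumed end of expected operation

def estimate_release(sbom):
    """Newest build timestamp in the image: the product cannot have shipped
    before its newest component, which is how the slides date a release."""
    return max(c.compiled for c in sbom)

def match_exact(sbom, feed):
    """Map each component to the CVEs whose product and version match it
    exactly (the slides' 'exact match vulnerabilities')."""
    by_key = {(c.name, c.version): c for c in sbom}
    hits = {}
    for cve in feed:
        comp = by_key.get((cve.product, cve.version))
        if comp is not None:
            hits.setdefault(comp, []).append(cve)
    return hits

def unique_cves(hits, as_of=None):
    """Unique matched CVEs, optionally only those published by as_of;
    a CVE starts counting against a product on its publication date."""
    seen = {}
    for cves in hits.values():
        for cve in cves:
            if as_of is None or cve.published <= as_of:
                seen[cve.id] = cve
    return sorted(seen.values(), key=lambda c: c.published)

def count_critical(cves, threshold=9.0):
    """CVEs at or above a CVSS score; 9.0 is an assumed 'critical' cut."""
    return sum(1 for c in cves if c.cvss >= threshold)

def decay_metrics(cves, release, as_of):
    """Split the CVEs known by as_of into 'shipped with' and 'found since',
    and express the latter as a daily rate over the time in service."""
    known = [c for c in cves if c.published <= as_of]
    at_release = sum(1 for c in known if c.published <= release)
    new = len(known) - at_release
    days = (as_of - release).days
    return {"known_at_release": at_release, "new_since_release": new,
            "per_day": new / days if days > 0 else 0.0, "total": len(known)}

def project_total(metrics, as_of, eol):
    """Linear projection at the historic daily rate, the method behind the
    smart TV slide's end-of-life estimate."""
    return metrics["total"] + metrics["per_day"] * (eol - as_of).days

if __name__ == "__main__":
    hits = match_exact(SBOM, CVE_FEED)
    m = decay_metrics(unique_cves(hits), RELEASE, AS_OF)
    print(estimate_release(SBOM), m,
          count_critical(unique_cves(hits, AS_OF)),
          round(project_total(m, AS_OF, EOL), 1))
```

Exact version matching is deliberately conservative in both directions: a vendor that backports a fix without changing the version string still shows as vulnerable, and a component whose version cannot be recovered from the binary does not show at all, so the counts are a floor that a human still has to confirm rather than a verdict. The projection is a straight line at the historic rate, which is how the smart TV slide reaches its 2022 figure; a slide like page 6 (a spike after 2013) is the reason to treat such a projection as a lower bound.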

Page 11

INFORMATION WORKFLOW / ATTACKER WORKFLOW

[Diagram: information workflow and attacker workflow drawn over the same hospital network; each system is labelled with its count of known vulnerabilities]

• Hospital, Bank (HSC), Cash

• The Cloud: FED Database (420 known vulnerabilities), HIE Database (420 known vulnerabilities)

• Customer Database (420 known vulnerabilities)

• Backup Server (30 known vulnerabilities)

• Router/Firewall (689 known vulnerabilities), Router/Firewall (689 known vulnerabilities)

• Data Analysis System (231 known vulnerabilities)

• EHR Database (420 known vulnerabilities)

• Patient Monitoring System (1580 known vulnerabilities)

• Infusion Pump (41 known vulnerabilities)

• Patient

Page 12

MEDJACK – NOW THERE’S A NAME FOR IT

• Report issued by security organization TrapX.

• From the article: “TrapX found that while many hospitals, for example, maintain solid IT departments with firewalls and other security solutions, these vulnerable medical devices are often left without patching.”

• Attacker uses unpatched devices to get wherever they want to go.

Source: http://www.scmagazine.com/trapx-profiles-medjack-threat/article/418811/

Page 13

ROYCE BILL: CYBER SUPPLY CHAIN MANAGEMENT AND TRANSPARENCY ACT – KEY PROVISIONS

• For government agencies, software contracts must include clauses requiring:

  • a confidentially supplied list, or a bill of materials, of each binary component that is used in the software, firmware, or product;

  • the contractor to verify that products do not contain known security vulnerabilities and to notify the purchasing agency of any known vulnerabilities or defects;

  • product designs to allow fixes with patches, updates, or replacements; and

  • the contractor to provide timely repairs for discovered vulnerabilities.

Page 14

OPPOSITION ARGUMENTS

• We already do this: The data indicates that if this is already being done, no action is being taken to resolve the issue. More likely it is not being done…or is being done quite poorly, leaving us all at risk.

• Sharing a Bill of Materials means giving up proprietary information: The FDA already requires an ingredient list. Coca-Cola can supply an ingredient list without sharing trade secrets.

• I cannot control my supply chain: You already do, in your selection of products based on feature requirements.

• This requires too much work: Tools are completely automated and easy to use.

• This bill is being backed by organizations that stand to benefit from such legislation: Actually, we all benefit from better security. The entire software security industry is built on identifying and mitigating security issues.

Page 15

THE INSURANCE INDUSTRY PUSHES BACK

• Cottage Health System is breached and forced to pay a class action settlement of $4.125 million ($81 per record)

• Its insurer, Columbia Casualty, files suit for a declaratory judgment against Cottage, citing Cottage’s “Failure to Follow Minimum Required Practices.”

Page 16

SOME MINIMUM REQUIRED PRACTICES IN DETAIL

• Check for security patches and apply within 30 days

• Replace factory default settings

• Re-assess risk yearly and apply changes

• Require 3rd parties to protect information with safeguards at least as good as your own

• PERFORM DUE DILIGENCE ON 3RD PARTIES TO ENSURE THAT THEIR SAFEGUARDS ARE AS GOOD AS YOUR OWN

• AUDIT 3RD PARTIES TO ENSURE THEY CONTINUOUSLY SATISFY YOUR STANDARDS FOR SAFEGUARDING SENSITIVE INFORMATION

Page 17

BUILDING A CYBERSECURITY CERTIFICATION LAB

• Aligned with international standards (IEC 62443)

• Creating program due to demand

• Creating program due to need

• Active lobbying to promote message

Page 18

QUESTIONS

Mike Ahmadi, Global Director, Critical Systems Security

Codenomicon Ltd.

Phone: (925) 413-4365

Email: [email protected]