THE HACKER IDENTITY - NCHICA
WHAT THE BOARDS ARE ASKING
“How do we measure the effectiveness of our current cybersecurity program?”
“What are we doing for medical device cybersecurity?”
“How do we know our business associates are safeguarding patient information?”
“Do we have an incident response plan?”
“How does our security program compare to that of its peers?”
BEHAVIORAL THREAT MODELING
• Identification of the potential attack surface of your organization vs. the behavior patterns and intent of an attacker
• Considerations:
- “Where are the high-value assets?”
- “What are the most relevant threats?”
- “Where am I most vulnerable to attack?”
- “Is there an attack vector that might go unnoticed?”
• Can be used to identify Advanced Persistent Threats (APT) to the network
THE INDICATORS
Indicators of Exposure (IOE)
• Zero-day vulnerabilities
• Weaknesses and vulnerabilities in hardware configurations or firmware
• Legacy operating systems and applications
• Medical devices with unknown configurations
Indicators of Compromise (IOC)
• Exfiltration of data in an unusual pattern or destination
• Anomalous activity and movement of admin accounts or those with escalated privileges
• Markers of automated bot attack
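As an added example (not part of the deck), the first two IOCs above turned into detection logic over constructed log records: an admin account logging on to a host outside its baseline set, and an outbound transfer to a destination never seen in the baseline or far above its usual daily volume. The account and host names, the three-day baseline and the 5x volume threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample records: (day, event, account_or_source_host, host_or_destination, bytes)
EVENTS = [
    (1, "logon", "svc_backup", "srv-db01", 0),
    (1, "logon", "svc_backup", "srv-db02", 0),
    (2, "logon", "svc_backup", "srv-db01", 0),
    (2, "xfer", "srv-db01", "backup.example.internal", 50_000_000),
    (3, "logon", "svc_backup", "srv-db01", 0),
    (3, "xfer", "srv-db01", "backup.example.internal", 52_000_000),
    (4, "logon", "svc_backup", "ws-biomed-07", 0),             # admin account on a new host
    (4, "xfer", "ws-biomed-07", "203.0.113.45", 900_000_000),  # unseen destination, large transfer
]
ADMIN_ACCOUNTS = {"svc_backup"}   # assumption: accounts with escalated privileges
BASELINE_DAYS = 3                 # assumption: the first three days are known-good
VOLUME_FACTOR = 5                 # assumption: more than 5x the usual daily volume is anomalous

def build_baseline(events):
    """Learn where admin accounts normally log on and how much normally leaves to each destination."""
    hosts = defaultdict(set)   # admin account -> hosts it logs on to during the baseline
    volume = defaultdict(int)  # destination -> total bytes sent during the baseline
    for day, kind, who, where, nbytes in events:
        if day > BASELINE_DAYS:
            continue
        if kind == "logon" and who in ADMIN_ACCOUNTS:
            hosts[who].add(where)
        elif kind == "xfer":
            volume[where] += nbytes
    avg_per_day = {dest: total / BASELINE_DAYS for dest, total in volume.items()}
    return hosts, avg_per_day

def find_iocs(events):
    """Return (indicator, day, actor, target) tuples for post-baseline events that break the baseline."""
    hosts, avg_per_day = build_baseline(events)
    findings = []
    for day, kind, who, where, nbytes in events:
        if day <= BASELINE_DAYS:
            continue
        if kind == "logon" and who in ADMIN_ACCOUNTS and where not in hosts[who]:
            findings.append(("admin_new_host", day, who, where))
        elif kind == "xfer":
            if where not in avg_per_day:
                findings.append(("exfil_new_destination", day, who, where))
            elif nbytes > VOLUME_FACTOR * avg_per_day[where]:
                findings.append(("exfil_volume_spike", day, who, where))
    return findings

if __name__ == "__main__":
    for finding in find_iocs(EVENTS):
        print(*finding)
```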
NOT JUST LIKELIHOOD AND IMPACT
Low Quantity of Assets
• High Barrier to Entry
- Deeper security controls, such as MFA and encryption
- Hosted on premises
• High Value
- Direct impact on patient safety
- Current black market value
- Subjective risk level of repurposing – email accounts, bank accounts
- Intellectual property
• Higher Reputational Risk
High Quantity of Assets
• Low Barrier to Entry
- Connected web or mobile applications
- Managed by third party
- Public cloud
• Low Value
- No threat to patient safety
- Commodity target
• Lower Reputational Risk
MAPPING THE SURFACE ATTACK AREA: INSIDE
Traditional Valuation of Assets:
- Black Market Value or Fine Potential
- Number of Records in Target Area
+ Patient Safety Mapping of Assets:
- Ecosystem Entry Points
- Biomedical Device
- Risk to Patient Safety
= Relative Risk Rating and Mapping
MAPPING THE SURFACE ATTACK AREA: OUTSIDE
1. Identify the bad actors
• Competition for commodity records – crime syndicates, lone wolves
• Intellectual property – industrial espionage, overseas manufacturing
• Hacktivists
• Terrorists or nation states
2. Assess the external infrastructure and entry points for IOEs:
• Penetration test results from live IPs
• Connectivity to a web or smartphone application
• Shared data at a vendor
• Vendor with remote access privileges
THE SURFACE ATTACK AREA: STAFF & CONTRACTORS
Assess the risk of staff and contractors:
• Number of staff members and/or contractors with access to the highest value targets (dollars and safety)
– The relative risk or ability to either introduce malware or open the door to a bad actor
– The relative risk or ability to affect patient safety
• Determine experience, training levels, and frequency of training
• Assess, if possible, their exposure to social media
• Conduct frequent social engineering exercises
• Profile mobile device and laptop usage; for contractors, profile their remote access
INCIDENT RESPONSE PLANNING & TESTING
• Develop runbooks across multiple potential events and test at least twice a year
• Include variations within the runbook based on threat modeling decision trees
• Consider a two-tiered approach to incident response tabletop exercises:
- IT management and appropriate staff with DR/BCP and security responsibilities
- Executive and C-Suite with one board member participant
• Common topics for IR plans and exercises:
- Unknown exfiltration of data
- Ransomware of the EMR, medical devices, DR sites
- Confirmed IOC of an advanced persistent threat
- Malfunction or critical impairment of device or application not caused by APT
- Denial-of-service attack
RED & BLUE TEAMS
• Emulates actual hacker behaviors and decision trees
• Designed to test the organization’s people, process, and technology, not just the technical systems
• Can include coordinated script for simultaneous phishing, USB drive baiting, and pretexting
• Generally considered successful when the target data is exfiltrated or command and control (C2) is established
TAKEAWAYS: NOT ALL DATA AND SYSTEMS ARE CREATED EQUAL
Identify
• Profile all servers, applications and devices and develop critical application lists with data categorizations and those with access
• Analyze your attack surface area across all data locations: physical, virtual, and cloud
• Develop incident response plans around more than just the EMR
Prioritize
• Don’t rely on complex risk and value calculation models; your adversary is a human, not a robot
• Place an equal or higher effort on securing medical devices vs. the EMR
TAKEAWAYS: NOT ALL DATA IS CREATED EQUAL
Implement
• NIST Framework for raising cybersecurity posture
• Vulnerability management program
• Create compensating controls to address legacy systems
Govern
• Test IR plans via tabletop exercises at least twice yearly
• Engage with the Board, Biomed, and Risk Management & Patient Safety Office as often as with IT
• Stay informed:
- Information sharing: National Health Information Sharing & Analysis Center (NH-ISAC)
- Medical Device Innovation, Safety and Security Consortium (MDISS)