
Slide 2

Healthcare Threat Modeling Vignettes
Current threats, attack patterns, & risk based countermeasure development for the healthcare industry.

Slide 3

Speaker Bio
» Tony UcedaVélez ("Tony UV")
• CEO, VerSprite – Global Security Consulting Firm
• Chapter Leader – OWASP Atlanta (past 7 years)
• Author, "Risk Centric Threat Modeling – Process for Attack Simulation & Threat Analysis", Wiley June 2015
• HHS, Symantec, Dell-Secureworks, HIPAA Consulting since 2002

Slide 4

Driver for Threat Modeling in HC

Slide 5

What is a Vignette?
» (noun) – a brief evocative description, account or episode

Slide 6

Importance of Risk based Threat Modeling
» Collaborative
» Educational
» Impact led remediation
» Builds Security-In earlier
» Substantive (no FUD)

Slide 7

Threat Modeling Misconceptions
» DFDs are DFDs, not threat models
» An attack surface isn't the full extent of a threat model
» Risk & Impact are actually 2 different things
» Threats & Attacks are not synonyms
» You can't threat model what you don't know – know how your app env works and what components exist

Slide 8

Threat vs. Attacks
» Threat /Thret/
• a statement of an intention to inflict pain, injury, damage, or other hostile action
» Attack /əˈtak/
• aggressive action against (a place or enemy forces) with weapons or armed force

Slide 9

Process for Attack Simulation & Threat Analysis
1. Define Business Objectives
• Revenue
• Compliance (Data Security)
• Market growth
• Operational goals
• Privacy (Data Use, Retention)
2. Technology Enumeration
• List server side tech
• List client side tech
• List 3rd party technology
• List frameworks
• List infrastructure layer tech
3. Application Decomposition
• Map out internal/external APIs
• Identify calls to data repositories
• Identify actors
• Identify data flows
• Enumerate protocols
4. Threat Analysis
• Identify threat actors, motives
• Threat Data
• Threat Intel
• Threat Tabletops
5. Vuln Analysis
• Identify system vulnerabilities
• Identify software/architecture weaknesses
• Identify Process Gaps
6. Attack Modeling
• Identify Abuse Cases
• Build Attack Trees
• Exploit vulnerabilities
• Probabilistic Analysis
7. Residual Risk Analysis
• Correlate tech risk to biz risk
• Identify business impact
• Develop countermeasures

Slide 10

HC Threat Modeling Benefits
» Healthcare Software Makers
• Fosters Building Security In or SDL principles
• Non-intrusive security analysis
• Collaborative exercises (Dev, Architecture, InfoSec)
• Complements various SDLC methodologies

Slide 11

HC Threat Modeling Benefits (cont.)
» Healthcare Entities (HC Systems, Clinics, Private Practice)
• Provides network & architectural security review
• Introspective look at data flow security
• Supports 'living' threat models that continue to evolve
• Provides greater security visibility
• Non-intrusive security analysis

Slide 12

Healthcare Software Maker – Vignette #1
» Mobile CareStream App (iOS)
» Used by Primary Care Physicians
» Convenient patient EMR lookup
» Clinical Trial/Pharmaceutical Integration

Slide 15

Stage 3:

Slide 16

Threat Analysis (Stage IV)
» Enumerate threat scenarios
• Threat Data (internal network | system | app logs)
• Threat Intel (external DBIR, threat feeds, security advisories)

Slide 17

Threat Intel Scenarios
» Claims Fraud (FDA Reports)
• Performing medically unnecessary services solely for the purpose of generating insurance payments (Source: FDA Reports)
• Misrepresenting non-covered treatments as medically necessary covered treatments for purposes of obtaining insurance payments
» Clinical Drug Trials Fraud (Unique Cases, News)
• Faking 'patients' in order to falsify clinical trial participation numbers

Slide 18

Threat Sources for Healthcare
» Threat Intel:
• https://hitrustalliance.net/cyber-threat-xchange
• Cyber ThreatXchange – Exchange of cyber related events/incidents affecting healthcare
• Free and Fee Based Subscription (SIEM Integration)
• Cyber Discovery Study – Ongoing study of persistent threats in healthcare

Slide 19

Generic Threat Sources
» www.us-cert.gov (US-CERT)
» www.dhs.gov/about-national-cybersecurity-communications-integration-center (DHS)
» Multiple commercial options
• Relate threat intel to threat model

Slide 21

TTP Viability (Threat Persistence)
Tactics, techniques, & procedures
Source: https://hitrustalliance.net/content/uploads/2015/09/HITRUST-HHS-MTB-Sept-2015.pdf

Slide 22

Vulnerability & Weakness Analysis (Stage V)
» Existing vulnerability detection efforts can be leveraged
» Find vulns|weaknesses that support threat claims
» Map CVEs (vulns), CWEs (weaknesses) to CAPEC (attacks)
» Attack tree now emerges with assets, threats, and vulns on branches

Slide 23

Stage VI: Attack & Model
» Leveraging Stage II understanding of your healthcare application env -> build your attack surface
» Attack Trees help to speak on the viability of attacks and mapping to weaknesses (CWEs)/vulns (CVEs)

Slide 24

Attack Tree on CareStream Attacks
(tree nodes as read from the slide diagram)
» Sequence & req around account creation
» Attack existing accounts; social eng implications
» Attack accounts that have been identified as valid
» Weakness exists in app to not control brute forces
» Abuse use cases to see how sessions are created and maintained
» Abuse role creation use cases
» Attack to derive/elevate authenticated sessions
» Vuln identified during manual testing around session mgt
» Seek support response with session in support link
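The CareStream tree above, together with the CVE/CWE-to-CAPEC mapping from the Stage V slide, as a small added Python model (my illustration, not material from the deck): each leaf carries a CWE/CAPEC reference and a viability estimate, the OR/AND gates combine them for the stage VI probabilistic analysis, and residual_risk weights the result by business impact (stage VII) before and after countermeasures. The CWE/CAPEC identifiers, the viability numbers and the mitigation fractions are all my assumptions, chosen to fit the slide's node descriptions.

```python
# Added example: attack tree for the CareStream vignette (Slides 22 and 24) with
# PASTA stage VI probabilistic analysis and stage VII residual risk.
from dataclasses import dataclass, field
from math import prod
from typing import Optional

@dataclass
class Node:
    name: str
    gate: str = "LEAF"             # "LEAF", "OR" (any child works) or "AND" (all needed)
    viability: float = 0.0         # leaf only: illustrative chance the step succeeds
    cwe: Optional[str] = None      # weakness the step relies on (CWE id, assumed)
    capec: Optional[str] = None    # attack pattern it instantiates (CAPEC id, assumed)
    children: list = field(default_factory=list)

def viability(node, mitigations=None):
    """Propagate viability up the tree. mitigations maps a CWE id to the fraction
    of that leaf's viability a countermeasure removes (independence is assumed)."""
    mitigations = mitigations or {}
    if node.gate == "LEAF":
        return node.viability * (1 - mitigations.get(node.cwe, 0.0))
    vs = [viability(c, mitigations) for c in node.children]
    return prod(vs) if node.gate == "AND" else 1 - prod(1 - v for v in vs)

def residual_risk(root, impact, mitigations=None):
    """Stage VII: business impact (1..5 scale) weighted by residual attack viability."""
    return round(impact * viability(root, mitigations), 4)

# Constructed tree following the slide's nodes; numbers are illustrative estimates.
brute = Node("Brute force accounts identified as valid", viability=0.6,
             cwe="CWE-307", capec="CAPEC-49")
social = Node("Attack existing accounts via social engineering", viability=0.3,
              capec="CAPEC-98")
enum_valid = Node("Identify valid accounts from account-creation flow", viability=0.8)
takeover = Node("Take over a physician account", "AND", children=[
    enum_valid, Node("Obtain credentials", "OR", children=[brute, social])])
sess_vuln = Node("Derive/elevate authenticated session (manual-test vuln)",
                 viability=0.4, cwe="CWE-384", capec="CAPEC-61")
support = Node("Obtain session from support-link response", viability=0.2, cwe="CWE-200")
hijack = Node("Hijack an authenticated session", "OR", children=[sess_vuln, support])
ROOT = Node("Read patient EMR without authorization", "OR", children=[takeover, hijack])

# Countermeasures assumed for the vignette: account lockout / rate limiting for
# CWE-307, session regeneration on login for CWE-384.
MITIGATIONS = {"CWE-307": 0.9, "CWE-384": 0.8}

if __name__ == "__main__":
    print("viability before:", round(viability(ROOT), 3), "after:",
          round(viability(ROOT, MITIGATIONS), 3))
    print("residual risk at impact 5:", residual_risk(ROOT, 5, MITIGATIONS))
```

Because the root is an OR gate, fixing the brute-force branch alone barely moves the total; the session branch has to be treated as well, which is the "right targets" point of the next slide.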

Slide 25

Build Trees for the Right Surface
» Identify relevant hosts, networks
» Leverage existing scan results (< 3 months)
» Metadata searches map relationship mappings
» Build attack trees that relate to right targets
» Right targets are those where greatest intel and impact exists

Slide 26

Healthcare Product Manufacturer – Vignette #2
» Manufacturer of healthcare wearables, implantables
» Cyber murder threat motive against person of interest
» Impact 1: Poor PR. Media attention around death of person of interest, celebrity, politician, etc.
» Impact 2: Marketing Costs. Marketing dollars would be needed in order to rebuild product placement.
» Impact 3: Sales Loss. Drops in product sales would be an operational impact to a realized attack in the threat model.

Slide 27

Business Objectives of [logo] enabled devices (Stage I)
» Record patient EKG (electrocardiogram)
» Validate if patient is having a heart attack by trending EKG levels
» Medical device can send SMS to hospitals via patient cell phone
» Saves patient & doctor time

Slide 28

Enumeration & Decomposition (Stage II & III)

Slide 29

Threat Analysis is Key to Threat Model (Stage IV)
» What is the threat motive?
» Who are the threat actors?
» What threat patterns affect known vulns/weaknesses in the environment?
» Good threat intel makes risk based decisioning a lot easier.

Slide 30

Threat Motive

Slide 31

How to Consider the Right Threats

Slide 32

Attack Tree for Implantables
» Attacks support unique threats
» Threats against People of Interest (high value targets)
» PHI used as intel for more subtle attacks
» Bluetooth capabilities for cyber murder
» Which of the last slide's HC threats could realize an attack node on this

Slide 33

[Diagram: reference web application architecture annotated with attack examples, weaknesses, countermeasures and business impacts; the labels recoverable from the slide are listed below]

Architecture tiers and trust boundaries:
» Users -> DMZ (User/Web Server Boundary) -> Web Server -> Internal (Web Server/App & DB Server Boundary) -> Application Server and Database Server -> Restricted Network (App & DB Server/Financial Server Boundary) -> Financial Server
» Flows: Requests/Responses, Message Call/Message Response, Account/Transaction Query Calls, Application Calls/Application Responses, SQL Query Call, Customer Financial Data, Financial Data, Authentication Data/Auth Data; Encryption + Authentication on the server-to-server links

Attack examples shown on the diagram:
» alert("Cookie"+document.cookie)</SCRIPT>
» OR '1'='1--
» "../../../../etc/passwd%00"
» Cmd=%3B+mkdir+hackerDirectory
» http://www.abc.com?RoleID

Weaknesses:
» Injection flaws; CSRF; Insecure Direct Obj. Ref; Insecure Remote File Inclusion
» XSS, SQL Injection, Information Disclosure via errors
» Broken Authentication; Connection DB PWD in clear
» Broken Authentication/Impersonation; Lack of Synch Session Logout
» Insecure Crypto Storage

Countermeasures:
» ESAPI/ISAPI Filter; Custom errors
» Prepared Statements/Parameterized Queries; Stored Procedures
» ESAPI Filtering; Server RBAC; Form Tokenization
» Hashed/Salted Pwds in Storage and Transit
» Trusted Server To Server Authentication; SSO
» Trusted Authentication; Federation; Mutual Authentication
» Encrypt Confidential PII in Storage/Transit

Impacts:
» Phishing, Privacy Violations, Financial Loss, Identity Theft, System Compromise, Data Alteration, Destruction

Slide 34

PASTA Risk Take Aways
» Don't boil the ocean or fall victim to FUD -> Strategize security measures based upon a clear threat model
» Impact, Threat, and Attack viability are key variables
» Encompasses more than just the OSI model; human and process based hacks also

Slide 35

Thank you!
@t0nyuv
@versprite