Healthcare Threat Modeling Vignettes

VerSprite, Inc
September 28, 2015

Application threat modeling with risk-centric approaches for the healthcare industry.

ISC2/ASIS International 2015 Security Conference - Anaheim, CA
Monday, September 28, 2015

Transcript

  1. Healthcare Threat Modeling Vignettes
     Current threats, attack patterns, & risk based countermeasure development for the healthcare industry.
  2. Speaker Bio
     » Tony UcedaVélez ("Tony UV")
       • CEO, VerSprite – Global Security Consulting Firm
       • Chapter Leader – OWASP Atlanta (past 7 years)
       • Author, "Risk Centric Threat Modeling – Process for Attack Simulation & Threat Analysis", Wiley June 2015
       • HHS, Symantec, Dell-Secureworks, HIPAA Consulting since 2002
  3. What is a Vignette?
     » (noun) – a brief evocative description, account or episode
  4. Importance of Risk based Threat Modeling
     » Collaborative
     » Educational
     » Impact led remediation
     » Builds Security-In earlier
     » Substantive (no FUD)
  5. Threat Modeling Misconceptions
     » DFDs are DFDs, not threat models
     » An attack surface isn't the full extent of a threat model
     » Risk & Impact are actually 2 different things
     » Threats & Attacks are not synonyms
     » You can't threat model what you don't know – know how your app env works and what components exist
  6. Threat vs. Attacks
     » Threat /Thret/
       • a statement of an intention to inflict pain, injury, damage, or other hostile action
     » Attack /əˈtak/
       • aggressive action against (a place or enemy forces) with weapons or armed force
  7. Process for Attack Simulation & Threat Analysis
     1. Define Business Objectives – Revenue; Compliance (Data Security); Market growth; Operational goals; Privacy (Data Use, Retention)
     2. Technology Enumeration – List server side tech; List client side tech; List 3rd party technology; List frameworks; List infrastructure layer tech
     3. Application Decomposition – Map out internal/external APIs; Identify calls to data repositories; Identify actors; Identify data flows; Enumerate protocols
     4. Threat Analysis – Identify threat actors, motives; Threat Data; Threat Intel; Threat Tabletops
     5. Vuln Analysis – Identify system vulnerabilities; Identify software/architecture weaknesses; Identify Process Gaps
     6. Attack Modeling – Identify Abuse Cases; Build Attack Trees; Exploit vulnerabilities; Probabilistic Analysis
     7. Residual Risk Analysis – Correlate tech risk to biz risk; Identify business impact; Develop countermeasures
  8. HC Threat Modeling Benefits
     » Healthcare Software Makers
       • Fosters Building Security In or SDL principles
       • Non-intrusive security analysis
       • Collaborative exercises (Dev, Architecture, InfoSec)
       • Complements various SDLC methodologies
  9. HC Threat Modeling Benefits (cont.)
     » Healthcare Entities (HC Systems, Clinics, Private Practice)
       • Provides network & architectural security review
       • Introspective look at data flow security
       • Supports 'living' threat models that continue to evolve
       • Provides greater security visibility
       • Non-intrusive security analysis
  10. Healthcare Software Maker – Vignette #1
     » Mobile CareStream App (iOS)
     » Used by Primary Care Physicians
     » Convenient patient EMR lookup
     » Clinical Trial/Pharmaceutical Integration
  11. Threat Analysis (Stage IV)
     » Enumerate threat scenarios
       • Threat Data (internal network | system | app logs)
       • Threat Intel (external DBIR, threat feeds, security advisories)
  12. Threat Intel Scenarios
     » Claims Fraud (FDA Reports)
       • Performing medically unnecessary services solely for the purpose of generating insurance payments (Source: FDA Reports)
       • Misrepresenting non-covered treatments as medically necessary covered treatments for purposes of obtaining insurance payments
     » Clinical Drug Trials Fraud (Unique Cases, News)
       • Faking 'patients' in order to falsify clinical trial participation numbers
  13. Threat Sources for Healthcare
     » Threat Intel:
       • https://hitrustalliance.net/cyber-threat-xchange
       • Cyber ThreatXchange – Exchange of cyber related events/incidents affecting healthcare
       • Free and Fee Based Subscription (SIEM Integration)
       • Cyber Discovery Study – Ongoing study of persistence threats in healthcare
  14. Generic Threat Sources
     » www.us-cert.gov US-CERT
     » www.dhs.gov/about-national-cybersecurity-communications-integration-center DHS
     » Multiple commercial options
       • Relate threat intel to threat model
  15. Vulnerability & Weakness Analysis (Stage V)
     » Existing vulnerability detection efforts can be leveraged
     » Find vulns|weaknesses that support threat claims
     » Map CVEs (vulns), CWEs (weaknesses) to CAPEC (attacks)
     » Attack tree now emerges with assets, threats, and vulns on branches
  16. Stage VI: Attack & Model
     » Leveraging Stage II understanding of your healthcare application env -> build your attack surface
     » Attack Trees help to speak on the viability of attacks and mapping to weaknesses (CWEs)/vulns (CVEs)
  17. Attack Tree on CareStream Attacks (tree nodes as shown on the slide)
     • Sequence & req around account creation
     • Attack existing accounts; social eng implications
     • Attack accounts that have been identified as valid
     • Weakness exists in app to not control brute forces
     • Abuse use cases to see how sessions are created and maintained
     • Abuse role creation use cases
     • Attack to derive/elevate authenticated sessions
     • Vuln identified during manual testing around session mgt
     • Seek support response with session in support link
  18. Build Trees for the Right Surface
     • Identify relevant hosts, networks
     • Leverage existing scan results (< 3 months)
     • Metadata searches map relationships
     • Build attack trees that relate to right targets
     • Right targets are those where greatest intel and impact exists
  19. Healthcare Product Manufacturer – Vignette #2
     » Manufacturer of healthcare wearables, implantables
     » Cyber murder threat motive against person of interest
     » Impact 1: Poor PR. Media attention around death of person of interest, celebrity, politician, etc.
     » Impact 2: Marketing Costs. Marketing dollars would be needed in order to rebuild product placement.
     » Impact 3: Sales Loss. Drops in product sales would be an operational impact to a realized attack in the threat model.
  20. Business Objectives of … enabled devices (Stage I)
     » Record patient EKG (electrocardiogram)
     » Validate if patient is having a heart attack by trending EKG levels
     » Medical device can send SMS to hospitals via patient cell phone
     » Saves patient & doctor time
  21. Threat Analysis is Key to Threat Model (Stage IV)
     » What is the threat motive?
     » Who are the threat actors?
     » What threat patterns affect known vulns/weaknesses in the environment?
     » Good threat intel makes risk based decisioning a lot easier.
  22. Attack Tree for Implantables
     • Attacks support unique threats
     • Threats against People of Interest (high value targets)
     • PHI used as intel for more subtle attacks
     • Bluetooth capabilities for cyber murder
     • Which of the last slide's HC threats could realize an attack node on this
  23. [Diagram: sample application data flow – Users -> DMZ (User/Web Server boundary) -> Internal (Web Server/App & DB Server boundary) -> Restricted Network (App & DB Server/Financial Server boundary), with web server, application server, database server and financial server. The diagram annotates each hop with attack examples, weaknesses and countermeasures:]
     • Injection flaws, XSS, SQL Injection, Information Disclosure via errors – ESAPI/ISAPI filter, custom errors, prepared statements/parameterized queries, stored procedures
     • CSRF, Insecure Direct Object Ref, Insecure Remote File Inclusion – ESAPI filtering, server RBAC, form tokenization
     • Broken Authentication, connection DB password in clear – hashed/salted passwords in storage and transit; trusted server-to-server authentication, SSO; trusted authentication, federation, mutual authentication
     • Broken Authentication/Impersonation, lack of synch session logout – encrypt confidential PII in storage/transit
     • Insecure Crypto Storage
     • Impacts: Phishing, Privacy Violations, Financial Loss, Identity Theft, System Compromise, Data Alteration, Destruction
  24. PASTA Risk Take Aways
     » Don't boil the ocean or fall victim to FUD -> Strategize security measures based upon a clear threat model
     » Impact, Threat, and Attack viability are key variables
     » Encompasses more than just the OSI model; human and process based hacks also
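Slides 15 through 17 describe attack trees whose branches carry assets, threats and vulns mapped to CWE/CAPEC entries, with probabilistic analysis (Stage VI) feeding countermeasure development (Stage VII). The following Python is an added example, not part of the deck or of VerSprite's tooling: it encodes a constructed version of the CareStream tree with AND/OR gates, computes attack viability, and ranks which leaf weakness to fix first. The gates, leaf likelihoods and the CWE/CAPEC labels are illustrative assumptions, not values from the slides.

```python
import math
from dataclasses import dataclass, field

# Constructed attack tree for the CareStream vignette (PASTA Stage VI). Node wording
# follows the slide; gates, leaf likelihoods and CWE/CAPEC labels are illustrative assumptions.

@dataclass
class Node:
    name: str
    gate: str = "OR"     # "OR": any child realises the node; "AND": all children needed
    p: float = 0.0       # leaf likelihood the step succeeds (assumed, 0..1)
    weakness: str = ""   # CWE/CAPEC the branch rests on; "" = gap to fill in Stage V
    children: list = field(default_factory=list)

def viability(n: Node) -> float:
    """Probability the node's goal is reached, treating child steps as independent."""
    if not n.children:
        return n.p
    ps = [viability(c) for c in n.children]
    if n.gate == "AND":                  # every step must succeed
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - x for x in ps)   # OR: fails only if every branch fails

def leaves(n: Node) -> list:
    return [n] if not n.children else [l for c in n.children for l in leaves(c)]

def mitigation_gain(root: Node) -> list:
    """Stage VII input: drop in root viability if each leaf weakness is fixed (p -> 0)."""
    base = viability(root)
    gains = []
    for leaf in leaves(root):
        saved, leaf.p = leaf.p, 0.0
        gains.append((round(base - viability(root), 4), leaf.name))
        leaf.p = saved                   # restore the model
    return sorted(gains, reverse=True)

CARESTREAM = Node("Physician EMR session hijacked", "OR", children=[
    Node("Attack existing accounts", "AND", children=[
        Node("Attack accounts identified as valid", p=0.6, weakness="CAPEC-49"),
        Node("App does not control brute forces", p=0.5, weakness="CWE-307"),
    ]),
    Node("Elevate an authenticated session", "OR", children=[
        Node("Abuse role creation use cases", p=0.2, weakness="CWE-269"),
        Node("Session mgmt vuln from manual testing", p=0.3, weakness="CWE-384"),
        Node("Session leaked in support response link", p=0.1),
    ]),
])
```

`viability(CARESTREAM)` gives the root likelihood and `mitigation_gain(CARESTREAM)` lists the leaves in the order fixing them reduces it; leaves on an AND branch, and the brute-force control in particular, rank highest because closing one step closes the whole branch.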