Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

6/3/2020
10:00 AM
Ori Bach
Ori Bach
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Social Distancing for Healthcare's IoT Devices

Security pros need to double down around prevention of lateral movement by attackers, especially if IoT devices are connected to the network.

Even before the world began shutting down and sheltering in place, attackers had set their sights on medical records and other valuables they could leverage for cash. As early as 2018, top security researchers had identified the vulnerabilities the healthcare industry faces because attackers crave the private data kept at medical facilities.

Now, take that already worn-out security team and provide them with the current crisis, and what we have is a recipe for disaster. Just like everything else in a fight, survival is going to be a team effort. Luckily, the threat intel teams have really brought their A-game. 

Using the Mitre Att&ck framework, we can track the common techniques used by adversaries. From this information, we can get an idea of what weaknesses have already been exploited in these networks that attackers will likely hit. In the end, lateral movement is the tactic that needs to be shut down. With so much business volume going on it will be almost impossible to stop initial access, so any further footholds need to be closed off. Unfortunately, one of the most successful targets for lateral movement are Internet of Things devices that have revolutionized our medical world.

Attackers choose their targets after careful research and commonly use phishing or social engineering to gain initial access. Once they are on the network the next stage of an attack is finding the IoT devices that will grant them unrestricted lateral movement throughout the environment. 

Another issue that complicates this further: Many hospitals do not separate their IoT devices from other resources, such as databases storing patient records. The lack of separation simplifies discovering the prime targets. Attackers will then either steal the information or launch a ransomware attack.  

The first thing we need to do is to take a play from the fight against COVID-19 and start practicing proper device distancing. We know IoT devices are going to be vulnerable, so why have them on the same nets? Create choke points where traffic and endpoints are heavily monitored where the two sectors meet. At least analysts know where to look, and early triage teams know the probabilities of true positives are going to be high.

Many times, IoT devices use protocols that are not encrypted. This is a serious problem that should be rectified immediately, because anyone tapping those communications will learn everything they need to own that environment. Think of encryption like wearing your mask when going grocery shopping. Now let's make sure our devices are wearing their masks too. 

The final step that unfortunately only now many people finally started adopting is proper sanitization. IoT devices are notoriously behind when it comes to the operating systems they are using, and many more are unpatched. In fact, 83% of IoT devices are no longer running supported software. That would be similar to trying to wash your hands without indoor plumbing. 

Another flaw in the response to COVID-19 is a lack of visibility due to no testing in the community at large. Medical devices do not provide proper logging techniques that would allow SOCs to recognize when attacks happen. Due to FDA requirements, the devices are sad black boxes that must not be altered. Other methods to indirectly monitor network activity and traffic analysis need to be implemented. Just like with COVID-19, you need testing to know if the patient is infected. 

These are serious problems, and unfortunately, a lot of them will not be fixed unless we show the willpower the world has only seen with successful social distancing. But what is the point of beating COVID-19 if our hospitals allow our cyber diseases to erase any of those gains?            

Related Content:

 
 
 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register

Bach is a veteran of the fight against fraud and cybercrime, working for leading companies such as IBM Trusteer, NICE–Actimize and government entities such as the Israel Ministry of Justice and the Israel Defense Force (IDF). Prior to joining TrapX, Bach served as a ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16275
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-16276
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16277
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16278
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-15139
PUBLISHED: 2020-08-10
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Mes...