Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

6/3/2020
10:00 AM
Ori Bach
Ori Bach
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Social Distancing for Healthcare's IoT Devices

Security pros need to double down around prevention of lateral movement by attackers, especially if IoT devices are connected to the network.

Even before the world began shutting down and sheltering in place, attackers had set their sights on medical records and other valuables they could leverage for cash. As early as 2018, top security researchers had identified the vulnerabilities the healthcare industry faces because attackers crave the private data kept at medical facilities.

Now, take that already worn-out security team and provide them with the current crisis, and what we have is a recipe for disaster. Just like everything else in a fight, survival is going to be a team effort. Luckily, the threat intel teams have really brought their A-game. 

Using the Mitre Att&ck framework, we can track the common techniques used by adversaries. From this information, we can get an idea of what weaknesses have already been exploited in these networks that attackers will likely hit. In the end, lateral movement is the tactic that needs to be shut down. With so much business volume going on it will be almost impossible to stop initial access, so any further footholds need to be closed off. Unfortunately, one of the most successful targets for lateral movement are Internet of Things devices that have revolutionized our medical world.

Attackers choose their targets after careful research and commonly use phishing or social engineering to gain initial access. Once they are on the network the next stage of an attack is finding the IoT devices that will grant them unrestricted lateral movement throughout the environment. 

Another issue that complicates this further: Many hospitals do not separate their IoT devices from other resources, such as databases storing patient records. The lack of separation simplifies discovering the prime targets. Attackers will then either steal the information or launch a ransomware attack.  

The first thing we need to do is to take a play from the fight against COVID-19 and start practicing proper device distancing. We know IoT devices are going to be vulnerable, so why have them on the same nets? Create choke points where traffic and endpoints are heavily monitored where the two sectors meet. At least analysts know where to look, and early triage teams know the probabilities of true positives are going to be high.

Many times, IoT devices use protocols that are not encrypted. This is a serious problem that should be rectified immediately, because anyone tapping those communications will learn everything they need to own that environment. Think of encryption like wearing your mask when going grocery shopping. Now let's make sure our devices are wearing their masks too. 

The final step that unfortunately only now many people finally started adopting is proper sanitization. IoT devices are notoriously behind when it comes to the operating systems they are using, and many more are unpatched. In fact, 83% of IoT devices are no longer running supported software. That would be similar to trying to wash your hands without indoor plumbing. 

Another flaw in the response to COVID-19 is a lack of visibility due to no testing in the community at large. Medical devices do not provide proper logging techniques that would allow SOCs to recognize when attacks happen. Due to FDA requirements, the devices are sad black boxes that must not be altered. Other methods to indirectly monitor network activity and traffic analysis need to be implemented. Just like with COVID-19, you need testing to know if the patient is infected. 

These are serious problems, and unfortunately, a lot of them will not be fixed unless we show the willpower the world has only seen with successful social distancing. But what is the point of beating COVID-19 if our hospitals allow our cyber diseases to erase any of those gains?            

Related Content:

 
 
 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register

Bach is a veteran of the fight against fraud and cybercrime, working for leading companies such as IBM Trusteer, NICE–Actimize and government entities such as the Israel Ministry of Justice and the Israel Defense Force (IDF). Prior to joining TrapX, Bach served as a ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
CVE-2021-21246
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...