Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

6/3/2020
10:00 AM
Ori Bach
Ori Bach
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Social Distancing for Healthcare's IoT Devices

Security pros need to double down around prevention of lateral movement by attackers, especially if IoT devices are connected to the network.

Even before the world began shutting down and sheltering in place, attackers had set their sights on medical records and other valuables they could leverage for cash. As early as 2018, top security researchers had identified the vulnerabilities the healthcare industry faces because attackers crave the private data kept at medical facilities.

Now, take that already worn-out security team and provide them with the current crisis, and what we have is a recipe for disaster. Just like everything else in a fight, survival is going to be a team effort. Luckily, the threat intel teams have really brought their A-game. 

Using the Mitre Att&ck framework, we can track the common techniques used by adversaries. From this information, we can get an idea of what weaknesses have already been exploited in these networks that attackers will likely hit. In the end, lateral movement is the tactic that needs to be shut down. With so much business volume going on it will be almost impossible to stop initial access, so any further footholds need to be closed off. Unfortunately, one of the most successful targets for lateral movement are Internet of Things devices that have revolutionized our medical world.

Attackers choose their targets after careful research and commonly use phishing or social engineering to gain initial access. Once they are on the network the next stage of an attack is finding the IoT devices that will grant them unrestricted lateral movement throughout the environment. 

Another issue that complicates this further: Many hospitals do not separate their IoT devices from other resources, such as databases storing patient records. The lack of separation simplifies discovering the prime targets. Attackers will then either steal the information or launch a ransomware attack.  

The first thing we need to do is to take a play from the fight against COVID-19 and start practicing proper device distancing. We know IoT devices are going to be vulnerable, so why have them on the same nets? Create choke points where traffic and endpoints are heavily monitored where the two sectors meet. At least analysts know where to look, and early triage teams know the probabilities of true positives are going to be high.

Many times, IoT devices use protocols that are not encrypted. This is a serious problem that should be rectified immediately, because anyone tapping those communications will learn everything they need to own that environment. Think of encryption like wearing your mask when going grocery shopping. Now let's make sure our devices are wearing their masks too. 

The final step that unfortunately only now many people finally started adopting is proper sanitization. IoT devices are notoriously behind when it comes to the operating systems they are using, and many more are unpatched. In fact, 83% of IoT devices are no longer running supported software. That would be similar to trying to wash your hands without indoor plumbing. 

Another flaw in the response to COVID-19 is a lack of visibility due to no testing in the community at large. Medical devices do not provide proper logging techniques that would allow SOCs to recognize when attacks happen. Due to FDA requirements, the devices are sad black boxes that must not be altered. Other methods to indirectly monitor network activity and traffic analysis need to be implemented. Just like with COVID-19, you need testing to know if the patient is infected. 

These are serious problems, and unfortunately, a lot of them will not be fixed unless we show the willpower the world has only seen with successful social distancing. But what is the point of beating COVID-19 if our hospitals allow our cyber diseases to erase any of those gains?            

Related Content:

 
 
 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register

Bach is a veteran of the fight against fraud and cybercrime, working for leading companies such as IBM Trusteer, NICE–Actimize and government entities such as the Israel Ministry of Justice and the Israel Defense Force (IDF). Prior to joining TrapX, Bach served as a ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...
CVE-2020-8247
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...