[BreachExchange] 2017: A Year in Review of Cybersecurity Developments: Lessons Learned in Healthcare and Beyond

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 28 19:40:39 EST 2017


http://www.himss.org/news/2017-year-review-cybersecurity-developments-lessons-learned-healthcare-and-beyond

This past year, we witnessed twists, turns, and even chaos in the realm of
cybersecurity. In summary, we are finding that, while the healthcare sector
is improving its cybersecurity practices, as a whole much more needs to be
done. Indeed, the asymmetric threat still exists. Cyber-attackers,
especially those with some level of sophistication, may have superior
technical knowledge and skills compared to many of the defenders out
there. Fortunately, though, both healthcare providers and vendors are
pushing the envelope with innovative solutions, training, processes, mock
exercises and, yes, more penetration testing.

So, here is a rewind of cybersecurity events and developments in 2017
through the lens of our HIMSS healthcare and cross-sector cybersecurity
reports.

January 2017: Many servers, accessible via the internet, are vulnerable to
TLS/SSL attacks such as Drown, Triple Handshake, SMACK, FREAK, Logjam, and
SLOTH (Vol. 8, item no. 8 in Threats, Vulnerabilities, and Mitigation
Information).

While weak or misconfigured TLS/SSL is not a new problem, a great many
websites and other internet-accessible services remain insecure. Many
academics have called for a revamp of internet architecture to ensure
better security. Some researchers have even suggested a new way to map the
internet.

February and March 2017: We saw waves of attacks by cyber weapons such as
Shamoon 2.0 and Stonedrill and increases in malspam attributable to botnets
such as Necurs (Vol. 9, items 1, 2, and 4 in Threats, Vulnerabilities, and
Mitigation Information).

It is likely that we will see the rise of offensive cyber maneuvers,
including the use of cyber weapons (wiper malware and otherwise), by nation
state, non-state, and other actors in 2018 (and beyond). But, one does not
need to be a sophisticated cyber-attacker to access and use such
technology. Indeed, many of these resources are easy to use and hiding in
plain sight.

April 2017: Many entities have been failing to address SMB vulnerabilities
(even instances in which a patch was readily available), thus making things
such as remote code execution a fairly trivial endeavor. On a related note,
research continued to show that the Conficker worm was alive and well after
all of these years. (Vol. 10, item no. 1 in Threats, Vulnerabilities, and
Mitigation Information).

While the state of healthcare cybersecurity is improving, there will
continue to be many entities with machines vulnerable to SMB attacks (yes,
even Conficker).

May 2017: The most significant event this month was WannaCry, which
exploited an SMB vulnerability (CVE-2017-0144) in a global cyberattack
campaign. However, SMB vulnerabilities are not just a Windows problem. We
also took note of SambaCry (CVE-2017-7494), which allows for remote code
execution via a writable SMB share (Vol. 11, item nos. 1 and 2 in Threats,
Vulnerabilities, and Mitigation Information).

June 2017: While WannaCry was still somewhat of a problem in June, NotPetya
surfaced as a new issue and yet another global cyberattack campaign.
Although WannaCry was a ransomworm, NotPetya was characterized as a
destructive wiper malware. (Vol. 12, item no. 1 in Threats,
Vulnerabilities, and Mitigation Information). In addition, NotPetya was
largely attributed to a supply chain software problem.

What we saw in May and June of 2017 was perhaps a “flexing of the muscle”
to observe what happens in the face of a global cyberattack campaign. The
damage to the healthcare sector and other critical infrastructure sectors
could have been much worse in the face of a coordinated attack on our
sectors. While we have improved in regard to information sharing and other
proactive measures, we are nowhere near where we need to be (yet) vis-à-vis
a hypothetical coordinated cyberattack on a global scale against our vital
industries and sectors.

July 2017: Analysts anticipated a rise in malware specifically targeting
specialized types of industrial control systems. One such example is known
as Industroyer (Vol. 13, item no. 3 in Threats, Vulnerabilities, and
Mitigation Information). According to analysts, such malware is designed
with what almost appears to be “insider knowledge” of the exact workings of
these industrial control systems. Yet others state that such malware has
been around for quite a while and is not new. There is general consensus,
however, around the fact that such targeted, specific malware for
pinpointing specific types of industrial control systems will continue to
increase over time.

If you have not taken a look at your supply chain disaster preparedness
response and procedures yet, now may be the time to do so. Just as we all
have taken a closer look at our contingency plans, backup procedures, and
such in the face of ransomware, we also need to take into account the
anticipated problems of supply chain disruption. In other words, we may not
be always able to rely on the “just in time” and “on demand” approach to
getting what we need when we need it.

August 2017: The telnet protocol is not new, nor should it be “news” that
telnet communications are not encrypted and that credentials can be easily
stolen. However, with the rise of the Internet of Things (IoT), we noted
the work of a researcher who had disclosed information about this problem;
thousands of credentials to IoT devices had been uncovered in the course
of that research (Vol. 14, item no. 4 in Threats, Vulnerabilities, and
Mitigation Information).

In the healthcare arena, almost everything is “connected” (even if the
device does not necessarily need to be). If a device is connected to the
internet for ease of administration, then that device could potentially be
open for access to the world. When there is a will, there is a way. So,
perhaps we need to take a step back and scrutinize our inventory and our
procurement processes. Does that light bulb really need to be connected to
the Internet? What is “cool” or “convenient” may not necessarily be good
for you (or your organization) in the long run.

September 2017: Just about every organization has a website, and web
technology is always changing. But, as we have noted previously in this
blog post, website security is not something that everyone has mastered.
Thus, while entities may patch their back-office systems and in-house IT
infrastructure, their websites (and web technology) may be ignored. Web
applications may have significant vulnerabilities such as directory
traversals (Vol. 15, item no. 1 in Threats, Vulnerabilities, and Mitigation
Information), which may result in unauthorized disclosure of potentially
sensitive files. In addition, if you have a back-end database which your
web application can query, you need to keep in mind problems such as, but
not limited to, SQL injection vulnerabilities (Vol. 15, item no. 2 in
Threats, Vulnerabilities, and Mitigation Information).

With vulnerabilities such as directory traversals, a cyber-attacker may be
able to discern the users on a system and potentially even passwords (or
password hashes) on a system as well. It may be possible to execute shell
commands by way of SQL injection, and/or dump the entire database contents,
erase the contents, create privileged users, and more.
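The two web application weaknesses described above, directory traversal and SQL injection, come down to untrusted input reaching a file path or a query string unchecked. The following is an added illustration (not code from the HIMSS article or from any product it mentions) that places a vulnerable routine beside its hardened counterpart for each: a file-serving function that does and does not confine lookups to the document root, and a user lookup that does and does not use parameter binding. Function names such as serve_file_safe and find_user_safe, the throwaway directory tree, and the in-memory user table are all this example's own constructed inventions.

```python
"""Added example: directory traversal and SQL injection, vulnerable vs. hardened.
Everything here (function names, sample files, sample rows) is constructed for
illustration and is not part of the original article."""
import sqlite3
import tempfile
from pathlib import Path

# --- Directory traversal ---------------------------------------------------

def serve_file_unsafe(docroot: str, requested: str) -> bytes:
    """Vulnerable: joins the user-supplied path onto the document root
    without checking that the result stays inside it, so a request of
    '../secret.txt' reads a file outside the web root."""
    return Path(docroot, requested).read_bytes()


def serve_file_safe(docroot: str, requested: str) -> bytes:
    """Hardened: resolve symlinks and '..' components on both sides, then
    refuse anything whose real path is not the root or a descendant of it."""
    root = Path(docroot).resolve()
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes document root: {requested!r}")
    return target.read_bytes()


def traversal_demo() -> dict:
    """Build a throwaway tree (constructed data): one public file inside the
    document root and one 'secret' file one directory above it, then
    exercise both versions against a normal request and a traversal request."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp, "www")
        docroot.mkdir()
        (docroot / "index.html").write_bytes(b"<h1>public</h1>")
        (Path(tmp) / "secret.txt").write_bytes(b"not for the web")
        results = {
            "safe_serves_public":
                serve_file_safe(str(docroot), "index.html") == b"<h1>public</h1>",
            "unsafe_leaks_secret":
                serve_file_unsafe(str(docroot), "../secret.txt") == b"not for the web",
        }
        try:
            serve_file_safe(str(docroot), "../secret.txt")
            results["safe_blocks_traversal"] = False
        except PermissionError:
            results["safe_blocks_traversal"] = True
        return results

# --- SQL injection ---------------------------------------------------------

def _demo_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "clinician"), ("bob", "admin")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: string formatting splices untrusted input into the SQL
    text, so the input can change the query's logic."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: parameter binding keeps the input as data; it can never
    become part of the query grammar."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


def sqli_demo() -> tuple:
    """Run the textbook always-true input through both lookups and return
    (rows from the unsafe version, rows from the safe version)."""
    conn = _demo_db()
    payload = "' OR '1'='1"
    unsafe_rows = find_user_unsafe(conn, payload)  # whole table comes back
    safe_rows = find_user_safe(conn, payload)      # no user has that literal name
    return len(unsafe_rows), len(safe_rows)


if __name__ == "__main__":
    print(traversal_demo())
    print(sqli_demo())
```

The traversal check compares resolved paths rather than inspecting the request string for `..`, which is the mistake that lets encoded or symlinked variants slip through; the SQL fix is the same parameter binding every mainstream database driver offers, so no escaping logic of one's own is needed.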

October 2017: Wireless-connected devices are quite ubiquitous. Yet, many do
not give much thought to the insecurity of such devices. Researchers
disclosed a method for attacking the WPA2 protocol (Vol. 16, item no. 4 in
Threats, Vulnerabilities, and Mitigation Information). In addition,
advanced persistent threat actors continued to target critical
infrastructure sectors with ongoing campaigns (Vol. 16, item no. 1 in
Threats, Vulnerabilities, and Mitigation Information).

As we can see from ongoing research and findings, there is no such thing as
100 percent security. This would mean that we would never ever make a
mistake in configuration, design, installation, implementation, or even
post-implementation activities (such as patches, including patches which
may introduce newly exploitable vulnerabilities).

November 2017: We saw significant vulnerabilities affecting products that
many thought, once upon a time, were far more secure than their
counterparts. Yet we now know that, just like any other technology, there
have been significant flaws in macOS, Linux, and other platforms (Vol. 17,
item nos. 4-6 in Threats, Vulnerabilities, and Mitigation Information).
Furthermore, medical device security remains problematic, with significant
insecurity found in connected infusion pumps and other types of medical
devices (Vol. 17, items 1-3 in Threats, Vulnerabilities, and Mitigation
Information).

When we evaluate products for procurement, we rely, in part, on brand names
and reputations. But, one cannot necessarily make assumptions on good
security (or bad) just based upon this “goodwill” analysis alone. It pays
to do more due diligence and gauge, as well, what the track record is of
the vendor in terms of reported and discovered vulnerabilities, as well as
vulnerabilities which the vendor (hopefully responsibly) has addressed.

December 2017: While the healthcare sector has been in the news in regard
to cyberattacks and reported breaches, some analysts have found that the
healthcare sector is not the worst in terms of sheer numbers of breaches
(Vol. 18, item no. 2 in Reports and Tools). We all find challenges in
cybersecurity, regardless of one’s sector or industry. Indeed, insecure
websites (of all types) are still a problem (Vol. 18, item no. 4 in Reports
and Tools). We also noted the fragility and susceptibility to attack of
undersea cables, which, as reported, support 97 percent of global
communications (Vol. 18, item no. 5 in Reports and Tools).

Many providers focus on incident detection, but not necessarily incident
response and recovery. Fewer still take into account our supply chain
dependencies and the security of our supply chain. Perhaps we need more of
a multi-dimensional approach to how we understand and address cyber risks.
Cybersecurity and healthcare both touch virtually everything—these are
things that we cannot afford to ignore. The clock is ticking.
Summary: While cybersecurity is not for the faint of heart, we all can do
our part by raising awareness and taking action. As I have said over the
course of this year, cybersecurity should be and is for everyone. Whether
as individuals, businesses, or organizations which help save people’s
lives, we all need to do our part. More people in healthcare – and indeed,
the world – are getting more informed about cybersecurity. But, we also
need to educate people about the other side of things – how attacks occur
and what the impact of these attacks can be. Perhaps, then, fewer people
will use passwords such as “123456” and “letmein.”