1
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net© 2016 HITRUST Alliance. All Rights Reserved.
Monthly Cyber Threat Briefing
November 2016
Presenters
• US-CERT: Majed Oweis, CISCP Analyst
• Trend Micro: Jon Clay, Global Threat Communications
• Anomali: Matthew Wollenweber, Sr. Security Engineer
• HITRUST: Eric Moriak, Manager – Assurance Services
NCCIC/US-CERT REPORT
Joint Analysis Report (JAR)-16-20223: Threats to Federal, State, and
Local Government Systems Summary
JAR-16-20223 is:
• A TLP: AMBER FOUO report, released on October 14, 2016.
• A summary and collection of indicators of compromise (IOCs) associated with recent compromises and exploit attempts against Federal, state, and local government information systems.
• A summary containing a YARA rule, recommended mitigation measures, and a list of threats associated with the IOCs in the CSV and STIX files.
• A collection of three files: a narrative summary (PDF), a CSV file, and a STIX file of the IOCs.
The JAR-16-20223 PDF, CSV and STIX files are available for download from the CISCP compartment on the US-CERT
Portal:
• JAR-16-20223: https://portal.us-cert.gov/documents/64528/107086/JAR-16-20223/03c48e1e-8e37-4afc-b776-10f72c9259be
• JAR-16-20223 CSV file: https://portal.us-cert.gov/documents/64528/107086/JAR-16-20223.csv/3c03e630-5416-4d83-a17b-03d97161f5e7
• JAR-16-20223 STIX file: https://portal.us-cert.gov/documents/64528/107086/JAR-16-20223stix/30e4ef58-0df6-47b6-ac71-e890bff77e3e
Questions? Comments?
Contact US-CERT at:
• Email: [email protected]
• Phone: 1-888-282-0870
• Website: www.us-cert.gov
Contact CISCP at: [email protected]
TREND MICRO
Security Concerns with Pager Communications within Healthcare
Forward-Looking Threat Research
• Healthcare-related research to discover potential leaks of PII
• Pager communications analyzed globally; the study timeframe was January 25, 2016 to April 25, 2016
• Discovered weaknesses with pagers:
– Pages are sent in clear text
– Sensitive and private data seen
– Easy to spoof
Ways Pagers Are Used in Healthcare
• Nurse/Workflow Management
• Pharmacy
• General Communications
Locations of Research Conducted
Pager Protocols Examined
POCSAG: Post Office Code Standardization Advisory Group
• POCSAG operates at 512, 1200 and 2400 bits per second (bps)
• Standard POCSAG operates at 512 bps
• Super-POCSAG operates at 1200 and 2400 bps
FLEX is a high-speed paging protocol developed by Motorola. It was designed to operate at the same frequencies that POCSAG uses.
• FLEX uses time synchronization instead of always listening for a preamble, to save battery life
• 128 frames in a 4-minute time cycle, 15 cycles per hour
• Increased the number of CAP codes that can be used
Setup to Sniff Pagers
POCSAG and FLEX
• Both can be sniffed with an RTL-SDR DVB-T dongle
– <$20 at Hakshop, Amazon, etc.
Nurse/Workflow Management
• NaviCare®
• Curaspan™
• InQuicker
• EpicSys
Data Analyzed Breakdown
Nurse/Workflow Management
PHI Data Seen
Top Medical Conditions Seen
Top Medical Prescriptions Seen
Examples
Spoofing Pages
https://github.com/unsynchronized/gr-mixalot
Multimon-ng
PDW
Attack Scenarios
• Sending pages to the pharmacy for medication
• Moving patients within facilities
• Declaring an emergency inside facilities
• Intercepting calls from the officiating doctors
• Stealing a dead person's identity
• Spoofing messages
Recommended Solutions
• Stop using pagers
• Move to using encrypted pagers
• Don't leak out personal information if pagers are absolutely required (examples have been observed)
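The third recommendation is the one most sites can act on immediately. As an added illustration (not part of the original briefing or the Trend Micro research), the following check screens outbound page text at the paging gateway for the structured identifiers the research found in clear-text pages, rejecting pages that carry record numbers or dates and redacting the rest. The patterns, labels, and sample pages are this example's own constructions.

```python
import re
from dataclasses import dataclass, field

# Constructed detector set for the structured identifiers seen in clear-text pages.
# The pattern choices and labels are this example's own, not a published standard.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)?\d{2}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,10}\b", re.IGNORECASE),
}
# Identifier classes that reject the page outright; the rest are redacted and sent.
BLOCK_ON = frozenset({"ssn", "mrn", "date"})

@dataclass
class ScreenResult:
    allowed: bool
    redacted: str
    findings: list = field(default_factory=list)  # (label, matched text) pairs

def screen_page(text: str, block_on: frozenset = BLOCK_ON) -> ScreenResult:
    """Check one outbound page before it reaches the paging transmitter.
    Free-text names and diagnoses are not caught by pattern matching, which is
    why the recommendation is to keep them out of pages altogether."""
    findings, redacted = [], text
    for label, pattern in PHI_PATTERNS.items():
        findings.extend((label, m.group(0)) for m in pattern.finditer(text))
        redacted = pattern.sub(f"[{label.upper()} REMOVED]", redacted)
    blocked = any(label in block_on for label, _ in findings)
    return ScreenResult(allowed=not blocked, redacted=redacted, findings=findings)

# Constructed sample pages: one leaking identifiers, one minimal, one with a callback number.
SAMPLE_PAGES = [
    "Pt Jane Doe DOB 04/12/1971 MRN 0012345 ready for transfer, call x4021",
    "Bed 12B ready for transfer, call x4021",
    "Rx callback 555-867-5309 re order 77213",
]

if __name__ == "__main__":
    for page in SAMPLE_PAGES:
        r = screen_page(page)
        print("SEND" if r.allowed else "BLOCK", "|", r.redacted, "|", r.findings)
```

The second sample shows the shape of a page that carries the workflow signal (bed, action, callback extension) without any patient identifier.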
Read the Research Report
Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry
ANOMALI
CTX Trends and Analysis
Overview:
• Leaked Credentials
• CTX Trends and Analysis
• Brand and Domain Monitoring
Leaked Credential Stats
Leaked Credentials by Month
CTX Stats
CTX Analysis
Attacks Reflect General Trends:
• Malicious URLs are the primary attack vector
• Ransomware remains popular
• VBS attachments are common
• Nemucod is the top tagged trojan/ransomware
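The VBS-attachment finding above is one a mail gateway can act on directly. As an added example (not part of the original briefing or the Anomali CTX data), the check below walks each attachment by its final extension, descends into zip archives so a script hidden one or two layers deep is still seen, and reports encrypted members it cannot open. The extension list, depth limit, and sample attachments are this example's own constructions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows hands to the script host on double-click. The slide names VBS
# attachments as common; the list and limits here are this example's own choices.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1"}
ARCHIVE_EXTS = {".zip"}

def script_hits(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return paths of script-host files in an attachment, descending into zips up to
    max_depth levels. Double extensions such as Invoice.pdf.vbs are judged by the last suffix."""
    ext = PurePosixPath(name.lower()).suffix
    if ext in SCRIPT_EXTS:
        return [name]
    if ext not in ARCHIVE_EXTS or depth >= max_depth:
        return []
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:  # password-protected member: cannot inspect
                    hits.append(f"{member} (encrypted, not inspected)")
                    continue
                hits.extend(script_hits(member, zf.read(info), depth + 1, max_depth))
    except zipfile.BadZipFile:
        hits.append(f"{name} (malformed archive)")
    return hits

def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; only used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()

# Constructed sample attachments (placeholder bytes, no real malware).
SAMPLE_ATTACHMENTS = {
    "statement.pdf": b"%PDF-1.4 placeholder",
    "Invoice_4471.zip": make_zip({"Invoice_4471.pdf.vbs": b"' placeholder", "readme.txt": b"hi"}),
    "docs.zip": make_zip({"inner.zip": make_zip({"run.js": b"// placeholder"})}),
}

def screen_attachments(attachments: dict) -> dict:
    """Map each attachment name to its script hits; an empty list means nothing found."""
    return {n: script_hits(n, d) for n, d in attachments.items()}
```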
HITRUST Brand Monitoring
Questions?
For More Information
• Matthew Wollenweber: [email protected]
• Anomali Support/Info Requests: [email protected]
HITRUST
CSF Controls Related to Threats
CSF Controls Related to Threats
CSF Control for Leaked Credentials (Anomali slides)
• Control Reference: 01.d User Password Management
– Control Text: All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user.
– Implementation Requirement: Passwords should be kept confidential, should be changed on any indication of compromise, should not be reused, and should not be shared or provided to anyone.
CSF Controls Related to Threats
CSF Control for Ransomware (Trend Micro)
• Control Reference: *02.e Information Security Awareness, Education, and Training
– Control Text: All employees of the organization and contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant to their job function.
– Implementation Requirement: Ongoing training for these individuals and organizations shall include security and privacy requirements as well as training in the correct use of information assets and facilities (including but not limited to log-on procedures, use of software packages, anti-malware for mobile devices, and information on the disciplinary process).
CSF Controls Related to Threats
CSF Control for Ransomware (Trend Micro)
• Control Reference: 09.j Controls Against Malicious Code
– Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
– Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
CSF Controls Related to Threats
CSF Control for Crypto-Ransomware (Trend Micro)
• Control Reference: 09.l Backup
– Control Text: Back-up copies of information and software shall be taken and tested regularly.
– Implementation Requirement: Back-up copies of information and software shall be made, and tested at appropriate intervals. Complete restoration procedures shall be defined and documented for each system.
CSF Controls Related to Threats
CSF Control for Ransomware (Trend Micro)
• Control Reference: *10.h Control of Operational Software
– Control Text: There shall be procedures in place to control the installation of software on operational systems.
– Implementation Requirement: The organization shall maintain information systems according to a current baseline configuration and configure system security parameters to prevent misuse.
CSF Controls Related to Threats
CSF Control for Pager/Beeper Unsecured Data
• Control Reference: *09.s Information Exchange Policies and Procedures
– Control Text: Formal exchange policies, procedures, and controls shall be in place to protect the exchange of information through the use of all types of communication mediums.
– Implementation Requirement: The organization shall ensure that communications protection requirements, including the security of exchanges of information, are the subject of policy development and compliance audits consistent with relevant legislation.
– When using electronic communication applications or systems for information exchange, the following should be addressed (paraphrased):
• Policies or guidelines shall be defined outlining acceptable use of systems
• Encryption for transmission or wireless communications
• Restrictions on forwarding or transcription of protected information
QUESTIONS?
Visit www.HITRUSTAlliance.net for more information.
To view our latest documents, visit the Content Spotlight.