CRYPTOGEDDON: HEALTH CARE COMPROMISE. Todd Dow, CISA, PMP Founder,

Transcription

1

2 CRYPTOGEDDON: HEALTH CARE COMPROMISE Todd Dow, CISA, PMP Founder,

3 WHAT IS CRYPTOGEDDON? An online scavenger hunt using hacker tools Use infosec tools to solve technology puzzles

4 Cryptogeddon s author Who is Todd Dow? Senior Digital Specialist at Postmedia Major projects and operational optimizations Specialist in: Information security Risk management IT operations CISA & PMP certified

5 DISCLAIMER I have worked in health care in the past. Therefore, it is important for me to include this text: This is a work of fiction. All of the characters, companies and incidents mentioned in this scenario are fictitious. Any resemblance to actual persons living or dead, or actual events, is purely coincidental.

6 THE SCENARIO GetWellSoon Hospital has hired you to: 1.perform a penetration test 2.Identify vulnerabilities 3.Recommend corrective actions

7 What you ll take away An understanding of key information security concepts A healthier respect for how vulnerable data has become Key tips and techniques to safeguard data

8 GETWELLSOON HOSPITAL OVERVIEW GWSH consists of: 1 site in the GTA Emergency, in-patient & out-patient services Numerous clinics, ORs & treatment facilities Pharmacy services on site

9 Gwsh overview con t IT infrastructure includes: 250+ desktop nodes & 500+ BYOD mobile devices (ios, Android, Blackberry, Windows Phone) On-site server room Microsoft Active Directory & Exchange Windows & UNIX based app servers Remote access is permitted via VPN Multiple external connections for data exchange

10 GWSH PEN TEST SCOPE The scope of this engagement is to identify any internal or external vulnerabilities and to ensure that all data and services retain: Confidentiality Availability Integrity

11 HOW DO WE PROCEED? What steps should we follow in this engagement? 1.Surveillance 2.Vulnerability scanning 3.Exploit target(s) and extract data

12 1. SURVEILLANCE a) Physical network inventory: What can you find out by walking around? Location of server room(s) Machine OS version, hardware & software installed Locked, unlocked and shared computing resources

13 1. SURVEILLANCE b) Internet inventory: What can you find out on the Internet: Google, WHOIS lookup, Vulnerability databases

14 1. SURVEILLANCE c) HumInt inventory: What can you find out on Google & social media?

15 2. VULNERABILITY SCANNING a) Physical access tests What can I get access to? Can I plug into network drops? Can I access wireless networks?

16 2. VULNERABILITY SCANNING b) Network inventory and port scans: What can I find out by plugging in and/or accessing wireless network? Open or restricted network Inventory of machines Network scanning tools can include: nmap, Nessus, Fing

17 2. VULNERABILITY SCANNING c) Application vulnerability scans: Automated scans can identify potential vulnerabilities based on: OS Software version Open ports etc.

18 2. VULNERABILITY SCANNING d) Target employees: Social engineering Phishing attacks Freely available tools can quickly and easily create automated phishing campaigns. Metasploit s Phishing Attack Tools: 1.Spoofed landing pages 2.Redirect pages 3.Phishing s 4.Web server 5. server 6.Reporting

19 2. VULNERABILITY SCANNING e) Data interception: Data can be read as it is transmitted (both within a LAN and also across the Internet)

20 3. EXPLOIT TARGET AND EXTRACT DATA a) Prioritize exploits: 1.List all of the vulnerabilities 2.Decide which vulnerabilities to exploit

21 3. EXPLOIT TARGET AND EXTRACT DATA b) Perform exploits: 1.Social engineering 2.System compromise 3.Data interception and decryption

22 3. EXPLOIT TARGET AND EXTRACT DATA c) Keep the door open 1.Insert appropriate long term vulnerabilities 2.Cover your tracks and retreat

23 EXPLOIT RECAP Step 1: Surveillance Step 2: Vulnerability scanning Step 3: Exploit target & extract data

24 TIPS & TECHNIQUES TO SAFEGUARD DATA a) Use established standards: Source: COBIT 5, figure ISACA All rights reserved.

25 TIPS & TECHNIQUES TO SAFEGUARD DATA b) Inventory management Know which resources are in your organization Things Places Things

26 TIPS & TECHNIQUES TO SAFEGUARD DATA c) Perimeter defenses: Firewalls Malware protection & detection Continuous scanning

27 TIPS & TECHNIQUES TO SAFEGUARD DATA d) Computer and application maintenance: Keep software current Apply service packs and maintenance releases Patch Tuesday

28 TIPS & TECHNIQUES TO SAFEGUARD DATA e) Staff training: Risk awareness Password policies Access management Phishing attacks Social engineering Safe surfing File & device handling

29 TIPS & TECHNIQUES TO SAFEGUARD DATA f) Regular audits: Automate what you can Alert on noncompliance Manual audits on a regular basis

30 TIPS & TECHNIQUES RECAP a) Use established standards b) Inventory management c) Perimeter defenses d) Computer and application maintenance e) Staff training f) Regular audits

31 ADDITIONAL INFORMATION Great resources: ISACA, (ISC) 2 Google Online Security Microsoft Security OWASP Symantec SOTI sectools.org

32 QUESTIONS? Todd Dow, CISA, PMP Founder,