Compromising Remote Access: A Live Hack Demonstration
Gary Glover, Sr. Director of Security Assessments

About SecurityMetrics
Helping organizations comply with mandates, avoid security breaches, and prevent data theft since 2000.
About Me
Gary Glover, CISSP, CISA, QSA, PA-QSA
10+ years of security experience

Healthcare Under Attack
- Medical identity theft incidents increased 21.7% since 2014 (Ponemon Institute)
- 29.3 million records stolen since 2009 (HHS)
- 90% of all healthcare organizations had a compromise within the last 2 years (Ponemon Institute)
Data Breaches Affect Everyone

Insecure Remote Access
- #1 compromise pathway of today's hackers
- Used to access PHI from home and on the go
- Common applications: RDP, LogMeIn, RemotePC, pcAnywhere, GoToMyPC, VPN
Remote Access
- Integrated solutions
- Ports used: 3389, 5631, 5632, 443, 80, 5900
- Over 90,000 estimated with port 3389* open (using Remote Desktop Connection software)
- Hackers simply need credentials
* 4% of SecurityMetrics unique targets in 2013/2014 had 3389 open. 4% times 7M US merchants = 94,400 merchants

Case Study: Target
- Hacker gained access via an HVAC vendor's remote access account
- Leapfrogged to other systems inside the network
- Result? Theft of 40 million cards; over 70 million cards affected
Sample Attack
1. Scan the Internet for open remote access ports
2. Brute force credentials with an online password list
3. Test remote access credentials
4. If they're successful, gain access to the system
5. Download malware onto the system
6. Capture patient information

Stolen Credentials
Pivot Attacks
EHR

Malware
Malware: Unauthorized Software
- 156 million phishing emails
- 16 million make it past firewalls and filters
- 8 million opened
- 800,000 embedded links opened
- 80,000 fall for the scam and share sensitive info
- This repeats every day (Sophos)
- Phishing: common point of malware introduction

Example Malware: Infostealer.Rawpos
- Creation? Earliest record of infected systems: Feb 2013
- Discovered: Feb 18, 2014
- First anti-virus to detect: Sept 5, 2014? That is a gap of 1 year 7 months
- Antivirus alone will not protect your system sufficiently!
POS Malware Installation: Attack Vectors
- Inside job (USB)
- Phishing/social engineering
- Vulnerability exploitation
- Weakly configured remote access

Biggest Concerns
- Malware is not being detected by anti-virus
- It can remain on systems for a long time before being noticed
- It's being customized for attacks
Live Hack: Attack Fundamentals
- Scan for port 3389 to identify potential targets
- Dictionary/brute force 3389 on potential targets
- Test access (where credentials validated)
- Go exploring
- Install malware
HIPAA Security Rule
- Protect ePHI created, received, used, or maintained by a covered entity
- Appropriate administrative, technical and physical safeguards to ensure the confidentiality, integrity and security of ePHI
Risk Analysis
- Annual review of vulnerabilities, threats, and risks
- Scope analysis
- Data collection
- Vulnerability/threat identification
- Assessment of current security measures
- Likelihood of threat occurrence
- Potential impact of threat
- Risk level
- Periodic review/update as needed

Defining Scope is Critical
Risk Management Plan
- Evidence of good-faith compliance
- Be sure to include: action items, milestones, completion dates, daily/weekly progress

Take a Multilayered Approach to Security
Get Business Associates on Board
- ~30% of patient records breached from 2009 to 2014 have involved a business associate (HHS)
- Be a professional skeptic about third parties
- Most don't realize they're subject to HIPAA regulations
Get Employees on Board
- Your weakest link: employees
- "Workforce member negligence will continue to be the leading cause of security incidents in the next year." (Experian)
- 15-minute meetings every month are better than 3-hour trainings every year

Controlling Employee Access
- Role-based access: all staff should have separate user accounts
- 85% of recent breaches could have been prevented by reducing admin/access privileges, whitelisting applications, and system patching (DHS)
Employee Training
- Physical security
- Phishing
- Passwords
- Policies
- Personal email
- HIPAA Security Rule

Change Default Username
- Change "admin" to something more difficult to guess (e.g., DrBrown, Officeadmin)
- The attacker must then correctly guess both the username and the password at the same time to gain access
Set Lockout Limits (Login Attempts)
- Enable user lockouts after a certain number of failed attempts
- Best practice: set the lockout duration to zero so the account stays locked until an administrator unlocks it

Implement 2-Factor Authentication
- Two different forms of authentication necessary to access an application
- Must use two of the following: something the user knows (e.g., a username and password), something the user has (e.g., a cell phone or RSA token), something the user is (e.g., a fingerprint)
Use a Passphrase
- No common passwords
- Complex-looking passwords can still be easy to guess: 123!@#qwe (keyboard pattern), Jessica123 (social engineering + common password)
- Best practice: a passphrase, e.g. "I wear my sunglasses at night" becomes Iwmsg@n1980!

Start Vulnerability Scanning
- Vulnerability scans: automatic tests that run against software, hardware, and network structures
- Some can find more than 50,000 unique vulnerabilities
- Important: remediation. Once a scan completes, fix any vulnerabilities immediately
File Integrity Monitoring Software
- Install and monitor file integrity monitoring software on all critical systems
- Enable logging on critical systems
- Review log alerts
- Employ log-alerting software to receive alerts of suspicious activity

Anti-Virus
- Antivirus alone will not protect your system sufficiently
- Keep it up to date
- Run it regularly
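File integrity monitoring is what catches the "install malware" step when antivirus does not: a baseline of hashes for critical paths, periodically re-hashed and diffed. This added example (not from the presentation or any product) implements that core loop in Python and runs it against a constructed directory tree in which an executable is dropped, a config file is edited, and a log file is deleted.

```python
import hashlib
import os
import tempfile

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = file_sha256(full)
    return result

def compare(baseline, current):
    """Diff two snapshots into the three alert classes a FIM tool reports."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }

def write(root, rel, data, mode="w"):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a small tree, apply three unauthorized
    changes, and return what the monitor would alert on."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "app/config.ini", "audit_logging=on\n")
        write(root, "app/service.exe", b"MZ original build", "wb")
        write(root, "logs/access.log", "baseline entry\n")
        baseline = snapshot(root)  # in practice, store this off-host and signed
        write(root, "app/config.ini", "audit_logging=off\n")    # modified
        write(root, "app/dropper.exe", b"MZ unexpected file", "wb")  # added
        os.remove(os.path.join(root, "logs", "access.log"))      # removed
        return compare(baseline, snapshot(root))
```

The baseline must be rebuilt after every approved change, otherwise legitimate patches generate the same alerts as tampering.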
Get Help
- Consult with a security expert
- Provides best security practices customized to your organization
- HIPAA experts are IT experts, security experts, and HIPAA experts

This hack demo was a simple attack, but it is easy to thwart through simple controls.
Questions?
gglover@securitymetrics.com
www.securitymetrics.com