SlideShare a Scribd company logo

How to Determine Your Attack Surface in the Healthcare Sector

Jeremiah Grossman
Jeremiah Grossman

This document provides an analysis of the attack surface for 19 major healthcare organizations based on data collected by Bit Discovery from public sources on the internet. It includes statistics on each organization's total assets, domain names, cloud assets, use of content delivery networks, certificate authorities, expired certificates, geographic distribution, private IP addresses, WordPress vulnerabilities, and recommendations for building a security program around mapping the attack surface.

1 of 25
Download to read offline
HOW TO DETERMINE YOUR ATTACK SURFACE IN THE HEALTHCARE SECTOR JANUARY 14, 2021 BIT DISCOVERY
BIT DISCOVERY Attack Surface Management that discovers, learns, and (finally) lets you secure everything. Secure everything.
•CEO, Bit Discovery •20 years in Information Security •Founder of WhiteHat Security •Black Belt in Brazilian Jiu-Jitsu JEREMIAH GROSSMAN
ASSET ATTACK SURFACE From the network perspective of an adversary, the complete asset inventory of an organization including all actively listening services (open ports) on each asset. • a domain name, subdomain, or IP addresses and/or combination thereof, for a device connected to the Internet or internal network. • (an asset) may include, but not limited to, web servers, name servers, IoT devices, or network printers.
•Shadow Asset: The specific asset, as defined by a hostname/IP-address, that’s unknown or uncontrolled by the organization. •Shadow Service: Unknown or uncontrolled services (i.e., open ports) that are actively listening on an asset. •Shadow Software: Unknown or uncontrolled software stack information (i.e., list of installed software and versions) of a listening service on an asset. SHADOWS WITHIN SHADOW-IT
IMPORTANCE ATTACK SURFACE MANAGEMENT BIT DISCOVERY
Bit Discovery 2020 FEDERAL TRADE COMMISSION, Plaintiff, v. EQUIFAX INC., Defendant.
Bit Discovery 2020 USE-CASES ATTACK SURFACE MANAGEMENT • Vulnerability & Patch Management • Third-Party Risk Management • Mergers & Acquisition • Cyber-Insurance • Policy & Compliance • Security Ratings • Incident Response • Sales & Marketing Enablement • Investments
YOU CAN ONLY SECURE WHAT YOU KNOW YOU OWN. BIT DISCOVERY
•Collect a list all registered IP-ranges and domain names: Most organizations will not have a ready up-to-date list. •Find and scan all subdomains: Assets located on-premise, in the cloud, hosted applications, labelled under of subsidiaries, physically located across distributed data centers, and across non-contiguous IP-ranges. •Collect all meta-data for every asset: software stack, version info, TLS cert info, programming language, open ports, IP geo-location, hosting provider, CDN, etc. •Maintain an up-to-date attack surface map: The asset data for most organizations change between 1-5% monthly. THE ATTACK SURFACE
ABOUT BIT DISCOVERY BIT DISCOVERY’S DATA
Bit Discovery 2020 INTERNET “COPY” OF THE • Generated by Bit Discovery and 400 data sources. • WHOIS databases, domain names, ASN, ports, service banners, technology stack, website index page(s), full TLS certificate info, email addresses, password dumps, etc. • Each asset has potentially 115 unique data points. • Each data point updated daily-to-monthly. • Hundreds of snapshots collected over 5 years. Largest Data-Set Of It’s Kind *missing ~30% of the Internet* 4.5 BILLION DNS ENTRIES 200+ INTERNET SNAPSHOTS 515 DATA SOURCES 115 DATA COLUMNS 150 YEARS OF CPU TIME
BIT DISCOVERY HOSPITALS & HEALTH ATTACK SURFACE MAP ANALYSIS
The total number of Internet-connected assets. TOTAL ASSETS SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 10,000 20,000 30,000 40,000 2,839 237 39,956 38 1,752 18 36,639 479 25 22 44 5,293 77 80 22,972 1,010 2,271 795 172
The total number of registered domain names. DOMAIN NAMES SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 350 700 1,050 1,400 93 3 1,400 2 53 1 444 44 1 2 3 312 5 2 8 37 128 30 6
The percentage of cloud-hosted assets including Amazon Web Services, Microsoft Azure, Google App Engine, and others. CLOUD ASSETS SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 13 25 38 50 14.76 19.41 26.66 7.89 5.31 11.11 20.70 11.69 0.00 0.00 0.00 46.91 0.00 0.00 0.06 1.19 6.16 3.52 1.74
The percentage of Internet-accessible assets served by a well-known Content Delivery Network including Akamai, Cloudflare, and Fastly. CDN ASSETS SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 8 15 23 30 0 0 3 24 0 0 0 0 24 0 0 0 0 0 0 4 1 0 0
The number of unique Certificate Authorities seen across the Internet- accessible assets. CERTIFICATE AUTHORITIES SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 10 20 30 40 22 4 39 3 18 2 26 12 1 2 2 37 3 6 5 10 29 9 5
The number of expired TLS Certificates seen across the Internet- accessible assets. EXPIRED TLS CERTS SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 50 100 150 200 77 3 110 0 16 0 110 2 0 0 0 196 0 0 0 21 90 9 5
The number of countries hosting Internet-accessible assets. COUNTRIES SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 4 7 11 14 4 6 14 1 5 1 12 6 2 1 1 8 1 1 3 4 9 3 2
The number of Internet-connected assets where the hostname resolves to non-route-able RFC-1918 internal IP-addresses. PRIVATE IP-SPACE SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 8 15 23 30 10 0 8 0 2 0 1 0 0 0 0 1 0 0 0 27 8 0 0
Extremely popular free and open-source CMS. Wordpress assets scanned with WPScan, which includes vulnerabilities in plug-ins. WORDPRESS VULNS SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 45 90 135 180 21 0 172 0 0 0 65 0 0 0 57 0 0 0 0 1 0 0 0
2021 SECURITY GUIDANCE
Every security program must begin with an attack surface map. Jeremiah Grossman CEO, Bit Discovery • Attack Surface Map • Multi-factor Authentication • Email Security • Routine Backups • Wire Transfer Verification • Password Management
BIT DISCOVERY

More Related Content

How to Determine Your Attack Surface in the Healthcare Sector

  • 1. HOW TO DETERMINE YOUR ATTACK SURFACE IN THE HEALTHCARE SECTOR JANUARY 14, 2021 BIT DISCOVERY
  • 2. BIT DISCOVERY Attack Surface Management that discovers, learns, and (finally) lets you secure everything. Secure everything.
  • 3. •CEO, Bit Discovery •20 years in Information Security •Founder of WhiteHat Security •Black Belt in Brazilian Jiu-Jitsu JEREMIAH GROSSMAN
  • 4. ASSET ATTACK SURFACE From the network perspective of an adversary, the complete asset inventory of an organization including all actively listening services (open ports) on each asset. • a domain name, subdomain, or IP addresses and/or combination thereof, for a device connected to the Internet or internal network. • (an asset) may include, but not limited to, web servers, name servers, IoT devices, or network printers.
  • 5. •Shadow Asset: The specific asset, as defined by a hostname/IP-address, that’s unknown or uncontrolled by the organization. •Shadow Service: Unknown or uncontrolled services (i.e., open ports) that are actively listening on an asset. •Shadow Software: Unknown or uncontrolled software stack information (i.e., list of installed software and versions) of a listening service on an asset. SHADOWS WITHIN SHADOW-IT
  • 7. Bit Discovery 2020 FEDERAL TRADE COMMISSION, Plaintiff, v. EQUIFAX INC., Defendant.
  • 8. Bit Discovery 2020 USE-CASES ATTACK SURFACE MANAGEMENT • Vulnerability & Patch Management • Third-Party Risk Management • Mergers & Acquisition • Cyber-Insurance • Policy & Compliance • Security Ratings • Incident Response • Sales & Marketing Enablement • Investments
  • 9. YOU CAN ONLY SECURE WHAT YOU KNOW YOU OWN. BIT DISCOVERY
  • 10. •Collect a list all registered IP-ranges and domain names: Most organizations will not have a ready up-to-date list. •Find and scan all subdomains: Assets located on-premise, in the cloud, hosted applications, labelled under of subsidiaries, physically located across distributed data centers, and across non-contiguous IP-ranges. •Collect all meta-data for every asset: software stack, version info, TLS cert info, programming language, open ports, IP geo-location, hosting provider, CDN, etc. •Maintain an up-to-date attack surface map: The asset data for most organizations change between 1-5% monthly. THE ATTACK SURFACE
  • 12. Bit Discovery 2020 INTERNET “COPY” OF THE • Generated by Bit Discovery and 400 data sources. • WHOIS databases, domain names, ASN, ports, service banners, technology stack, website index page(s), full TLS certificate info, email addresses, password dumps, etc. • Each asset has potentially 115 unique data points. • Each data point updated daily-to-monthly. • Hundreds of snapshots collected over 5 years. Largest Data-Set Of It’s Kind *missing ~30% of the Internet* 4.5 BILLION DNS ENTRIES 200+ INTERNET SNAPSHOTS 515 DATA SOURCES 115 DATA COLUMNS 150 YEARS OF CPU TIME
  • 14. The total number of Internet-connected assets. TOTAL ASSETS SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 10,000 20,000 30,000 40,000 2,839 237 39,956 38 1,752 18 36,639 479 25 22 44 5,293 77 80 22,972 1,010 2,271 795 172
  • 15. The total number of registered domain names. DOMAIN NAMES SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 350 700 1,050 1,400 93 3 1,400 2 53 1 444 44 1 2 3 312 5 2 8 37 128 30 6
  • 16. The percentage of cloud-hosted assets including Amazon Web Services, Microsoft Azure, Google App Engine, and others. CLOUD ASSETS SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 13 25 38 50 14.76 19.41 26.66 7.89 5.31 11.11 20.70 11.69 0.00 0.00 0.00 46.91 0.00 0.00 0.06 1.19 6.16 3.52 1.74
  • 17. The percentage of Internet-accessible assets served by a well-known Content Delivery Network including Akamai, Cloudflare, and Fastly. CDN ASSETS SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 8 15 23 30 0 0 3 24 0 0 0 0 24 0 0 0 0 0 0 4 1 0 0
  • 18. The number of unique Certificate Authorities seen across the Internet- accessible assets. CERTIFICATE AUTHORITIES SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 10 20 30 40 22 4 39 3 18 2 26 12 1 2 2 37 3 6 5 10 29 9 5
  • 19. The number of expired TLS Certificates seen across the Internet- accessible assets. EXPIRED TLS CERTS SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 50 100 150 200 77 3 110 0 16 0 110 2 0 0 0 196 0 0 0 21 90 9 5
  • 20. The number of countries hosting Internet-accessible assets. COUNTRIES SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 4 7 11 14 4 6 14 1 5 1 12 6 2 1 1 8 1 1 3 4 9 3 2
  • 21. The number of Internet-connected assets where the hostname resolves to non-route-able RFC-1918 internal IP-addresses. PRIVATE IP-SPACE SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 8 15 23 30 10 0 8 0 2 0 1 0 0 0 0 1 0 0 0 27 8 0 0
  • 22. Extremely popular free and open-source CMS. Wordpress assets scanned with WPScan, which includes vulnerabilities in plug-ins. WORDPRESS VULNS SolutionHealth Parkland Health Fairmont Behavioral Ascension Health Tenet Healthcare Children's Hospital Colorado Tahoe Forest Effingham Health Trinity Health SBH Health Tulsa Bone and Joint Vibra Healthcare Community Health Granville Health Atrium Health Call 4 Health CommonSpirit Health LifePoint health Providence Health 0 45 90 135 180 21 0 172 0 0 0 65 0 0 0 57 0 0 0 0 1 0 0 0
  • 24. Every security program must begin with an attack surface map. Jeremiah Grossman CEO, Bit Discovery • Attack Surface Map • Multi-factor Authentication • Email Security • Routine Backups • Wire Transfer Verification • Password Management