THE ATTACK SURFACE OF THE HEALTHCARE INDUSTRY
OCTOBER 21, 2020
BIT DISCOVERY
JEREMIAH GROSSMAN
• CEO, Bit Discovery
• 20 years in Information Security
• Founder of WhiteHat Security
• Black Belt in Brazilian Jiu-Jitsu
Coalition serves over 25,000 small
and midsize organizations across
every sector of the US and Canada.
Report covers not just “breaches,” but
breaches resulting in material harm.
ASSET INVENTORY: IMPORTANCE
Bit Discovery 2020
FEDERAL TRADE COMMISSION, Plaintiff, v. EQUIFAX INC., Defendant.
ASSET INVENTORY: USE-CASES
• Vulnerability & Patch Management
• Third-Party Risk Management
• Mergers & Acquisition
• Cyber-Insurance
• Policy & Compliance
• Security Ratings
• Incident Response
• Sales & Marketing Enablement
• Investments
ABOUT THE DATA
“COPY” OF THE INTERNET
• Generated by Bit Discovery + 400 data sources.
• WHOIS databases, domain names, ASN, ports,
service banners, technology stack, website index
page(s), full TLS certificate info, email addresses,
password dumps, etc.
• Each asset has potentially 115 unique data points.
• Each data point updated daily-to-monthly.
• Hundreds of snapshots collected over 5 years.
Largest data-set of its kind (*missing ~30% of the Internet*)
• 4.5 billion DNS entries
• 200+ Internet snapshots
• 515 data sources
• 115 data columns
• 150 years of CPU time
INVENTORY ANALYSIS
INSIGHTS
What do you want to know?
• How many websites, VPNs, mail servers, DNS
servers, SSH servers, etc.?
• How many of what assets are “in the cloud”
or use a particular CDN?
• How many assets have expired or soon-to-be
expired TLS certificates?
• What assets are using or NOT using PHP,
Drupal, Citrix, F5, WordPress, etc.?
• In what countries are assets located?
• What assets or services should probably not
be externally exposed (RDP, MySQL, Dev/Staging)?
By Organization
By Industry
Your Inventory
ASSET
as·set | ˈaset |
noun
a domain name, subdomain, or IP address, and/or a combination
thereof, of a device connected to the Internet or an internal network.
• (an asset) may include, but is not limited to, web servers, name
servers, IoT devices, or network printers.
Total Assets (Hospitals & Health)
The total number of Internet-connected assets globally.
HCA                 104,605
Ascension             1,910
Tenet                   788
Trinity               3,506
Vibra                   356
Community Health     10,594
Atrium                  749
CommonSpirit         10,594
LifePoint               183
Providence            1,883
MEDIAN                1,897
Total Assets (Healthcare)
The total number of Internet-connected assets globally.
Cardinal             10,020
Kaiser               70,645
McKesson             22,819
Anthem               19,900
CVS                  43,153
Cigna                 6,360
Humana               18,645
UnitedHealth        108,759
MEDIAN               21,360
Domain Names
The total number of registered domain names.
Hospitals & Health:
HCA                   5,264
Ascension               123
Tenet                    38
Trinity                 307
Vibra                    36
Community Health      1,286
Atrium                   50
CommonSpirit          1,286
LifePoint                 3
Providence               90
MEDIAN                  107
Healthcare:
Cardinal                523
Kaiser                  663
McKesson              1,086
Anthem                1,434
CVS                     953
Cigna                   404
Humana                  204
UnitedHealth          5,615
MEDIAN                  808
Cloud Assets
The percentage of Internet-accessible and cloud-hosted assets. Cloud providers
include Amazon Web Services, Microsoft Azure, Google App Engine, and others.
Hospitals & Health:
HCA                  53.70%
Ascension             5.18%
Tenet                 0.63%
Trinity              32.94%
Vibra                14.04%
Community Health     15.40%
Atrium                7.88%
CommonSpirit         15.40%
LifePoint            24.59%
Providence           16.78%
MEDIAN               15.40%
Healthcare:
Cardinal             44.26%
Kaiser                2.83%
McKesson              5.01%
Anthem               10.82%
CVS                   1.17%
Cigna                15.30%
Humana               83.91%
UnitedHealth          6.26%
MEDIAN                8.54%
CDN Assets
The percentage of Internet-accessible assets being served by a well-known
Content Delivery Network. CDNs include Akamai, Cloudflare, Fastly, and others.
Hospitals & Health:
HCA                   0.19%
Ascension             1.36%
Tenet                 4.06%
Trinity               1.23%
Vibra                 0.00%
Community Health      8.14%
Atrium                0.27%
CommonSpirit          8.14%
LifePoint             0.00%
Providence            0.74%
MEDIAN                1.05%
Healthcare:
Cardinal              2.94%
Kaiser                0.59%
McKesson             10.54%
Anthem                0.02%
CVS                   0.33%
Cigna                 1.45%
Humana                0.19%
UnitedHealth          3.38%
MEDIAN                1.59%
Certificate Authorities
The number of unique Certificate Authorities seen across the Internet-accessible assets.
Hospitals & Health:
HCA                      46
Ascension                27
Tenet                     9
Trinity                  25
Vibra                     5
Community Health         27
Atrium                    7
CommonSpirit             27
LifePoint                 4
Providence               19
MEDIAN                   22
Healthcare:
Cardinal                 50
Kaiser                   48
McKesson                 60
Anthem                   45
CVS                      42
Cigna                    37
Humana                   24
UnitedHealth            106
MEDIAN                   47
Expired TLS Certs
The number of expired TLS certificates seen across the Internet-accessible assets.
Hospitals & Health:
HCA                      97
Ascension                63
Tenet                    17
Trinity                  81
Vibra                     1
Community Health        103
Atrium                   10
CommonSpirit            103
LifePoint                 5
Providence               55
MEDIAN                   59
Healthcare:
Cardinal                264
Kaiser                  221
McKesson                614
Anthem                   88
CVS                     107
Cigna                   556
Humana                   14
UnitedHealth            433
MEDIAN                  243
Countries Hosting
The number of countries hosting Internet-accessible assets.
Hospitals & Health:
HCA                      16
Ascension                 8
Tenet                     4
Trinity                   8
Vibra                     3
Community Health          9
Atrium                    2
CommonSpirit              9
LifePoint                 4
Providence                3
MEDIAN                    6
Healthcare:
Cardinal                 18
Kaiser                   11
McKesson                 17
Anthem                   13
CVS                      15
Cigna                    23
Humana                   10
UnitedHealth             20
MEDIAN                   16
Private IP-Space
The number of Internet-connected assets where the hostname
resolves to non-routable RFC 1918 internal IP addresses.
Hospitals & Health:
HCA                      30
Ascension                 8
Tenet                    25
Trinity                   1
Vibra                     0
Community Health          5
Atrium                    2
CommonSpirit              5
LifePoint                 0
Providence                3
MEDIAN                    4
Healthcare:
Cardinal                 68
Kaiser                   15
McKesson                691
Anthem                    8
CVS                      98
Cigna                     9
Humana                    3
UnitedHealth            408
MEDIAN                   42
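As an added example (not from the deck or from Bit Discovery's tooling), the following Python computes, over a constructed inventory, the per-organization metrics the preceding charts define: total assets, cloud and CDN share, unique certificate authorities, expired TLS certificates, hosting countries and hostnames resolving into RFC 1918 space, plus the cross-organization MEDIAN row. The provider tags, the fictional organizations and their assets are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from statistics import median
AS_OF = date(2020, 10, 21)  # "expired" is judged against the deck's date
# RFC 1918 only; ipaddress's is_private would also match loopback, link-local, etc.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLOUD_TAGS, CDN_TAGS = {"aws", "azure", "gcp"}, {"akamai", "cloudflare", "fastly"}  # hypothetical
@dataclass
class Asset:
    hostname: str
    ip: str          # resolved address
    provider: str    # hosting/CDN tag from fingerprinting, "" if unknown
    country: str
    issuer: str      # TLS certificate issuer CA, "" if no certificate
    not_after: date  # certificate expiry, None if no certificate

def org_metrics(assets):
    """One organization's value for each of the deck's inventory charts."""
    n = len(assets)
    pct = lambda k: round(100.0 * k / n, 2) if n else 0.0
    return {
        "total_assets": n,
        "cloud_pct": pct(sum(a.provider in CLOUD_TAGS for a in assets)),
        "cdn_pct": pct(sum(a.provider in CDN_TAGS for a in assets)),
        "certificate_authorities": len({a.issuer for a in assets if a.issuer}),
        "expired_tls": sum(1 for a in assets if a.not_after and a.not_after < AS_OF),
        "countries": len({a.country for a in assets}),
        "private_ip_space": sum(any(ip_address(a.ip) in r for r in RFC1918) for a in assets),
    }
# Constructed inventory for two fictional organizations (not real data).
SAMPLE = {
    "org-a": [
        Asset("www.org-a.example", "203.0.113.10", "akamai", "US", "DigiCert", date(2021, 3, 1)),
        Asset("vpn.org-a.example", "198.51.100.5", "", "US", "Let's Encrypt", date(2020, 9, 30)),
        Asset("intranet.org-a.example", "10.20.30.40", "", "US", "", None),
        Asset("api.org-a.example", "203.0.113.11", "aws", "DE", "Amazon", date(2021, 6, 1)),
    ],
    "org-b": [
        Asset("portal.org-b.example", "192.0.2.7", "azure", "US", "DigiCert", date(2020, 1, 15)),
        Asset("dev.org-b.example", "172.16.8.9", "", "CA", "", None),
    ],
}
def industry_report(inventory=SAMPLE):
    # Per-organization rows plus the cross-organization MEDIAN row, as in the charts.
    rows = {org: org_metrics(assets) for org, assets in inventory.items()}
    keys = list(next(iter(rows.values())))
    rows["MEDIAN"] = {k: median(r[k] for r in rows.values()) for k in keys}
    return rows
```

The intranet and dev hosts show the Private IP-Space finding in miniature: a public DNS name that answers with an internal address leaks network layout even though nothing is reachable.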
WordPress (Healthcare)
Extremely popular free and open-source content management
system. WordPress assets were scanned with WPScan, which includes
vulnerabilities in WordPress plug-ins.
                     Total (Median)   Total (Median)   Total (Median) WordPress     Median # of vulnerabilities
                     WordPress        WordPress        websites with at least       per WordPress website
                     websites         vulnerabilities  1 vulnerability
Hospitals & Health   17               0                0                            0
Healthcare           70               106              5                            16
GUIDANCE
“Every security program must begin with an asset inventory.”
Jeremiah Grossman, CEO, Bit Discovery
• Asset Inventory (Attack Surface Map)
• Multi-factor Authentication
• Email Security
• Routine Backups
• Wire Transfer Verification
• Password Management
CAVEATS
Data Collection:
• Our Internet scanners sometimes use ANY type lookups, and not all
service providers support ANY type DNS lookups (e.g. Cloudflare).
• Round Robin DNS sometimes finds a lot of assets, sometimes a
little, and changes frequently.
• DNS servers and resolvers sometimes experience outages.
• DNS responses may exceed TTL.
• DNS servers may selectively block requests.
Issues with Organization Asset Inventory:
• Assets with subdomains within the ownership of a third-party
domain (e.g. <company>.wpengine.com, <company>.salesforce.com,
etc.) may cause issues.
• Assets not listed in certificate transparency logs and/or without
a public DNS entry (e.g. they use internal DNS and a self-signed cert).
• DNS names falling outside the RFC standard, e.g. "example_site.com" (~1%).
• Wildcard (*) DNS entries.
• DNS providers respond with erroneous information due to breach.
• WHOIS redaction due to GDPR.
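As an added example (not part of the deck), a small triage pass that buckets discovered hostnames by three of the inventory caveats above: wildcard entries, subdomains that belong to a third-party platform rather than the organization, and names outside RFC hostname syntax such as "example_site.com". The third-party suffix list and the sample hostnames are assumptions.

```python
import re

# RFC 1123 host label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Hypothetical platforms whose subdomains belong to the platform, not the customer.
THIRD_PARTY = ("wpengine.com", "salesforce.com")

def classify(hostname):
    h = hostname.strip().lower().rstrip(".")
    if h.startswith("*."):
        return "wildcard"      # one record stands in for unlimited names
    if any(h == s or h.endswith("." + s) for s in THIRD_PARTY):
        return "third-party"   # the organization uses it but does not own the domain
    if not h or not all(LABEL.match(label) for label in h.split(".")):
        return "non-rfc"       # e.g. underscores; resolvers and scanners may reject these
    return "ok"

def triage(hostnames):
    """Bucket a discovered hostname list by the caveats above."""
    buckets = {"ok": [], "wildcard": [], "third-party": [], "non-rfc": []}
    for h in hostnames:
        buckets[classify(h)].append(h)
    return buckets

# Constructed discovery output for a fictional organization.
DISCOVERED = [
    "www.acme.example",
    "*.acme.example",
    "acme.wpengine.com",
    "example_site.com",
    "mail.acme.example.",
]
```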
