models » An attack surface isn't the full extent of a threat model » Risk & Impact are actually 2 different things » Threats & Attacks are not synonyms » You can't threat model what you don't know – know how your app env works and what components exist
statement of an intention to inflict pain, injury, damage, or other hostile action » Attack /əˈtak/ • aggressive action against (a place or enemy forces) with weapons or armed force
• Performing medically unnecessary services solely for the purpose of generating insurance payments (Source: FDA Reports) • Misrepresenting non-covered treatments as medically necessary covered treatments for purposes of obtaining insurance payments » Clinical Drug Trials Fraud (Unique Cases, News) • Faking 'patients' in order to falsify clinical trial participation numbers
https://hitrustalliance.net/cyber-threat-xchange • Cyber ThreatXchange – Exchange of cyber-related events/incidents affecting healthcare • Free and Fee-Based Subscription (SIEM Integration) • Cyber Discovery Study – Ongoing study of persistent threats in healthcare
detection efforts can be leveraged » Find vulns|weaknesses that support threat claims » Map CVEs (vulns), CWEs (weaknesses) to CAPEC (attacks) » Attack tree now emerges with assets, threats, and vulns on branches
understanding of your healthcare application env -> build your attack surface » Attack Trees help to speak on the viability of attacks and mapping to weaknesses (CWEs)/vulns (CVEs)
around account creation
» Attack existing accounts; social engineering implications
» Attack accounts that have been identified as valid
» Weakness exists in app: brute force attempts are not controlled
» Abuse use cases to see how sessions are created and maintained
» Abuse role creation use cases
» Attack to derive elevated authenticated sessions
» Vuln identified during manual testing around session mgmt
» Seek support response with session in support link
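The CVE/CWE -> CAPEC mapping and the account/session attack tree above, carried through as an added example (this is not code from the deck or from any threat-modeling tool). The tree structure follows the slide's nodes; the findings attached to leaves are constructed stand-ins for manual-test results, the CAPEC and CWE ids are the public catalogue entries for those attack patterns and weakness classes, and no CVE is attached because the deck's evidence came from manual testing rather than published advisories. The point it shows: an attack node only survives on the tree when a vuln or weakness supports it, and an AND branch collapses when any of its required steps is unsupported.

```python
"""Attack tree with CAPEC/CWE/CVE mapping (added example, not from the original deck).

The findings below are hypothetical stand-ins for the scan data and manual-test
results a real exercise would feed in.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Evidence:
    """A weakness (CWE) or vulnerability (CVE) observed in the environment."""
    cwe: str                    # weakness class, e.g. "CWE-307"
    source: str                 # scan result, manual test, threat intel feed
    cve: Optional[str] = None   # filled in when the finding maps to a published vuln


@dataclass
class Node:
    """One tree node: a goal (has children) or a leaf attack (carries a CAPEC id)."""
    name: str
    capec: Optional[str] = None
    gate: str = "OR"            # how children combine: "OR" (any) or "AND" (all)
    children: List["Node"] = field(default_factory=list)
    evidence: List[Evidence] = field(default_factory=list)

    def viable(self) -> bool:
        """A leaf attack is viable only when a vuln/weakness supports it;
        a goal inherits viability from its children through its gate."""
        if not self.children:
            return bool(self.evidence)
        results = [child.viable() for child in self.children]
        return all(results) if self.gate == "AND" else any(results)


def supported_attacks(node: Node) -> List[str]:
    """CAPEC ids of every leaf attack reachable through a viable path."""
    if not node.children:
        return [node.capec] if node.viable() and node.capec else []
    if not node.viable():
        return []   # an unsatisfied AND gate yields nothing, even if one step is supported
    found: List[str] = []
    for child in node.children:
        found.extend(supported_attacks(child))
    return found


def prune(node: Node) -> Optional[Node]:
    """Copy of the tree keeping only branches that can actually be realized."""
    if not node.viable():
        return None
    kept = [p for p in (prune(c) for c in node.children) if p is not None]
    return Node(node.name, node.capec, node.gate, kept, list(node.evidence))


def account_takeover_tree() -> Node:
    """The account/session tree from the deck, with constructed (hypothetical) findings."""
    no_lockout = Evidence("CWE-307", "manual test: 500 login attempts, no lockout")
    fixation = Evidence("CWE-384", "manual test: session id unchanged after login")
    token_in_link = Evidence("CWE-598", "manual test: session id in support-link query string")
    role_create = Evidence("CWE-269", "manual test: self-service role creation accepts 'admin'")
    return Node("Threat: take over patient portal accounts (asset: PHI)", children=[
        Node("Attack existing accounts", children=[
            Node("Brute force accounts known to be valid", capec="CAPEC-49", evidence=[no_lockout]),
            Node("Phish account holders (social engineering)", capec="CAPEC-98"),   # no finding yet
        ]),
        Node("Abuse how sessions are created and maintained", children=[
            Node("Fixate a session before the victim logs in", capec="CAPEC-61", evidence=[fixation]),
            Node("Hijack session via token leaked in support link", capec="CAPEC-593", evidence=[token_in_link]),
        ]),
        Node("Derive an elevated authenticated session", gate="AND", children=[
            Node("Abuse role creation use case", capec="CAPEC-233", evidence=[role_create]),
            Node("Bypass server-side RBAC check on privileged call", capec="CAPEC-122"),   # untested
        ]),
    ])


if __name__ == "__main__":
    tree = account_takeover_tree()
    print("threat viable:", tree.viable())
    print("supported attacks:", supported_attacks(tree))
    print("branches retained:", [c.name for c in prune(tree).children])
```

Running it keeps the brute-force and both session branches and drops the elevation branch: the role-creation weakness is real, but the AND gate also needs the RBAC bypass, which nobody has demonstrated, so the threat claim "elevated session" is not yet supported by the evidence.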
hosts, networks » Leverage existing scan results (< 3 months) » Metadata searches map relationship mappings » Build attack trees that relate to the right targets » Right targets are those where greatest intel and impact exist
healthcare wearables, implantables » Cyber murder threat motive against person of interest » Impact 1: Poor PR. Media attention around death of person of interest, celebrity, politician, etc. » Impact 2: Marketing Costs. Marketing dollars would be needed in order to rebuild product placement. » Impact 3: Sales Loss. Drops in product sales would be an operational impact of a realized attack in the threat model.
enabled devices (Stage I) » Record patient EKG (electrocardiogram) » Validate if patient is having a heart attack by trending EKG levels » Medical device can send SMS to hospitals via patient cell phone » Saves patient & doctor time
» What is the threat motive? » Who are the threat actors? » What threat patterns affect known vulns/weaknesses in the environment? » Good threat intel makes risk-based decisioning a lot easier.
unique threats » Threats against People of Interest (high value targets) » PHI used as intel for more subtle attacks » Bluetooth capabilities for cyber murder » Which of the last slide's HC threats could realize an attack node on this
[Data-flow diagram: web application with trust boundaries, annotated with attack examples, vulnerabilities, controls and impacts]
» Trust boundaries: ...Server Boundary); Internal (Web Server / App & DB Server Boundary); Restricted Network (App & DB Server / Financial Server Boundary)
» Components: Web Server, Application Server, Database Server, Financial Server
» Data flows: Message Call / Message Response; Application Calls / Application Responses; SQL Query Call; Account/Transaction Query Calls; Auth Data; Financial Data; Customer Financial Data; server-to-server links annotated "Encryption + Authentication"
» Attack examples: <SCRIPT>alert("Cookie"+document.cookie)</SCRIPT>; OR '1'='1--; "../../../../etc/passwd %00"; Cmd=%3B+mkdir+hackerDirectory; http://www.abc.com?RoleID
» Vulnerabilities: Injection flaws; XSS; SQL Injection; CSRF; Insecure Direct Object Reference; Insecure Remote File Inclusion; Information Disclosure via errors; Broken Authentication / Impersonation; Connection DB password in clear; Lack of synchronized session logout; Insecure cryptographic storage
» Controls: ESAPI/ISAPI filter; ESAPI filtering; custom errors; prepared statements / parameterized queries; stored procedures; server RBAC; form tokenization; hashed/salted passwords in storage and transit; trusted server-to-server authentication; SSO; trusted authentication; federation; mutual authentication; encrypt confidential PII in storage/transit
» Impacts: phishing, privacy violations, financial loss, identity theft, system compromise, data alteration, destruction
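The diagram pairs each threat with the control that mitigates it and draws the flows that cross trust boundaries. As an added example (not the deck's own tooling), the block below encodes that diagram as data and checks each flow against a small rule set: a threat applies to a flow based on where it starts, ends and what it carries, and the flow is flagged when none of the diagram's mitigating controls is present on it. The zone names, the rule predicates, and the controls assigned to each flow are assumptions chosen to exercise the rules; one flow is deliberately left without parameterized queries so the SQL injection gap shows up.

```python
"""Trust-boundary review of a data-flow diagram (added example, not from the original deck)."""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Trust zones implied by the diagram's boundaries (zone names are assumptions).
# A flow crosses a boundary whenever its endpoints sit in different zones.
ZONE = {
    "Browser": "external",
    "Web Server": "dmz",
    "Application Server": "internal",
    "Database Server": "internal",
    "Financial Server": "restricted",
}

# Flow labels from the diagram that carry data needing protection in transit.
SENSITIVE = {"Auth Data", "Financial Data", "Customer Financial Data"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str               # flow label from the diagram
    controls: frozenset     # controls the design claims on this flow


def crosses_boundary(f: Flow) -> bool:
    return ZONE[f.src] != ZONE[f.dst]


def server_to_server(f: Flow) -> bool:
    return crosses_boundary(f) and "Browser" not in (f.src, f.dst)


# (threat, predicate deciding whether it applies to a flow, controls that mitigate it).
# Threat/control pairings follow the diagram's annotations.
RULES: List[Tuple[str, Callable[[Flow], bool], Set[str]]] = [
    ("XSS", lambda f: f.src == "Browser", {"ESAPI Filtering"}),
    ("CSRF", lambda f: f.src == "Browser", {"Form Tokenization"}),
    ("Information Disclosure via errors", lambda f: f.dst == "Browser", {"Custom errors"}),
    ("SQL Injection", lambda f: f.dst == "Database Server",
     {"Prepared Statements/Parameterized Queries", "Stored Procedures"}),
    ("Broken Authentication/Impersonation", server_to_server,
     {"Mutual Authentication", "Trusted Server-to-Server Authentication", "SSO",
      "Encryption + Authentication"}),
    ("Insecure Crypto (transit)", lambda f: crosses_boundary(f) and f.data in SENSITIVE,
     {"Encryption + Authentication", "Encrypt Confidential PII in Storage/Transit"}),
]


def boundary_crossings(flows: List[Flow]) -> List[Flow]:
    """Flows that cross a trust boundary: the ones a threat model must examine first."""
    return [f for f in flows if crosses_boundary(f)]


def gaps(flows: List[Flow]) -> List[Tuple[str, str]]:
    """(flow, threat) pairs where a rule applies and no mitigating control is present."""
    out: List[Tuple[str, str]] = []
    for f in flows:
        for threat, applies, mitigations in RULES:
            if applies(f) and not (f.controls & mitigations):
                out.append((f"{f.src} -> {f.dst} [{f.data}]", threat))
    return out


# Constructed flows matching the diagram; control assignments are assumptions.
FLOWS = [
    Flow("Browser", "Web Server", "Message Call", frozenset({"ESAPI Filtering"})),
    Flow("Web Server", "Browser", "Message Response", frozenset()),
    Flow("Web Server", "Application Server", "Application Calls",
         frozenset({"Encryption + Authentication"})),
    Flow("Application Server", "Database Server", "SQL Query Call", frozenset()),   # no parameterized queries
    Flow("Application Server", "Financial Server", "Account/Transaction Query Calls",
         frozenset({"Encryption + Authentication", "Mutual Authentication"})),
    Flow("Financial Server", "Application Server", "Customer Financial Data",
         frozenset({"Encryption + Authentication"})),
]

if __name__ == "__main__":
    for f in boundary_crossings(FLOWS):
        print("crosses boundary:", f.src, "->", f.dst, f"[{f.data}]")
    for flow, threat in gaps(FLOWS):
        print("GAP:", flow, "->", threat)
```

Five of the six flows cross a boundary; three gaps come back (no CSRF token on the browser request, no custom error handling on the response, no parameterized queries on the SQL call), which is the list a reviewer would take back to the design before arguing about attack viability.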
or fall victim to FUD -> Strategize security measures based upon a clear threat model » Impact, Threat, and Attack viability are key variables » Encompasses more than just the OSI model; human- and process-based hacks also