MEDICAL DEVICE THREAT MODELING WITH … · MEDICAL DEVICE THREAT MODELING WITH TEMPLATES. ......

Preview:

Click to see full reader

Citation preview

SESSION ID:

#RSAC

Valery Berestetsky

MEDICAL DEVICE THREAT MODELINGWITH TEMPLATES

MBS-W12

Principal Product Security LeaderGE Healthcare

Jonathan Schaaf

Staff Product Security AnalystGE Healthcare

# R S A C

Threat Modeling: What Could Possibly Go Wrong?

2

Murphy’s law is not a curse, it’s a design approach

# R S A C

Threat Modeling: Life Cycle

3

Model

Identify Threats

Mitigate

Validate

Vision

# R S A C

Vision: Software Applications vs Medical Devices

4

How is your product different?

# R S A C

Model: What’s Different?

5

How is your product different?

# R S A C

Model: What’s Different?

6

Medical Environment

How is your product different?

Web Application

Device Control Process

Sensor

Radiation Source

Image Repository

# R S A C

Identify Threats: Are We Covered with STRIDE?

7

Spoofing

Tampering

Repudiation

Information Disclosure

Denial of Service

Elevation of Privilege

Abuse

Patient Safety

# R S A C

There are tools for this!

8

# R S A C

Demo Time – Our Template

9

# R S A C

Summary

10

Threat modeling answers “What can possibly go wrong?” questionIf nothing else, threat model. Use STRIDE (or another framework)Tooling isn’t essential, but can make life a lot easier

# R S A C

11

Anything can be threat modeled. Ask “What can possibly go wrong?”

jonathan.p.schaaf@ge.comvalery.berestetsky@ge.com

# R S A C

Apply What You Have Learned Today

12

3 weeks: Familiarize yourself with threat modeling; consider reading a book, downloading a tool and make yourself familiar with it6 weeks: get a customized template and build a threat model with it3 months: create your own template and submit to the community!

# R S A C

Bibliography, References, and Suggested Reading

13

“Whatever can go wrong, will go wrong,” by Nick T. Spark, ISBN 978-1411684690

“Threat Modeling: Designing for Security,” by Adam Shostack, ISBN 978-1118809990

Microsoft Threat Modeling Github: https://github.com/Microsoft/threat-modeling-templates

Existing NCC Group Automotive Threat Modeling Templatehttps://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/july/the-automotive-threat-modeling-template/

Image attributions:XKCD number 319, https://xkcd.com/319/ Creative Commons BY-NC version 2.5

Microsoft Threat Modeling Tool2016 Release: https://www.microsoft.com/en-us/download/details.aspx?id=49168Preview Release https://aka.ms/tmtpreview, includes Microsoft Azure template

https://github.com/Microsoft/threat-modeling-templates
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/july/the-automotive-threat-modeling-template/
https://xkcd.com/319/
https://www.microsoft.com/en-us/download/details.aspx?id=49168
https://aka.ms/tmtpreview

Recommended

Managing a Bomb Threat Drill and a Real Event a Bomb Threat Drill ... Vice President of Emergency Services. Wyckoff Heights Medical Center. Jack Finkelstein, MPA, ... Exercises and
Documents
Idol Threat: Not an Idle Threat
Environment
Xkcd. Cryogenics Tyler Brewer Overview History of cryogenics Uses Methods of Cooling Materials Considerations Vibration Issues
Documents
Electronic Discovery and Electronic Medical Records: Does ......Electronic Discovery and Electronic Medical Records: Does the Threat of Litigation affect Firm Decisions to Adopt Technology?
Documents
Cheap GPS (From xkcd)
Documents
Threat Assessment in the School Setting Nancy Rappaport, MD Harvard Medical School
Documents
Medical Health Threat briefing - Generic Health... · 11 03.06 MEDICAL REQUIREMENTS • In-theater –Receiving this post-deployment medical threat briefing –Completing the Post-Deployment
Documents
Non-medical use of benzodiazepines: a growing threat to ...€¦ · Non-medical use of benzodiazepines: a growing threat to ... were among the 10 drugs most fre-quently involved in
Documents
DFA Emergency Procedures Severe Weather Fire Evacuation Medical Emergency Earthquake Intruder Alert Bomb Threat
Documents
Serious Scientific Answers to Absurd Hypothetical Questions what if? by Randall Munroe xkcd
Documents
xkcd characters · xkcd is a fantastic webcomic founded by ex-NASA roboticist Randall Munroe in September 2005. To date, Munroe has published over 1400 xkcd comics (at a rate of about
Documents
xkcd/773 Hat tip to Nick Silkey for bringing this one to my attention
Documents
Threat Protection for Medical Devices - Intel · Layered Security on Mainstream IT Platforms Brings Better threat protection • Implement a series of different ... Figure 1: Virtualization
Documents
Counter Threat Unit™ Threat Intelligence
Documents
CS-5630 / CS-6630 Visualization Views · CS-5630 / CS-6630 Visualization Views Alexander Lex alex@sci.utah.edu [xkcd]
Documents
Cybercrimes Pose Growing Threat to Medical Devicess3.amazonaws.com/.../HT_Cybersecurity/2011JF_CyberCrimes.pdf28 January/February 2011 SPECIAL REPORT Cybercrimes Pose Growing Threat
Documents
“priorities” by xkcd
Documents
Artificial intelligence in medical imaging: threat or
Documents
CYBER THREAT INTELLIGENCE ESTIMATE 2017€¦ · 2017 THREAT LANDSCAPE REPORT Cyber Threat Intelligence 7 8. THREAT ACTORS When security professionals talk about threat actors, they
Documents
XKCD: Visualized
Education