Hacker's Perspective on Healthcare
State of Illinois
Central Management Services
Purpose and Scope
To present a hacker’s perspective on healthcare
To emphasize the importance of protecting HIPAA, PCI and other personal information
To learn how to secure this confidential data and even how to protect your personal information
Juggling Security & Healthcare
Quick Access To Data
HIPAA
Cyber Attacks
Passwords
Not Secure / Too Secure
Statistics
Predicted job losses in the US: 1.5 million
Attacks from insider breaches: 18%
Yearly losses due to organized crime, hackers and inside jobs: $1 trillion
Percentage of data breaches from simple ignorance of staff: 88%
Amount of overall cybercrimes reported: 10%
Of the cybercrimes reported, the percent that end with a conviction: 2%
What is Cybercrime?
Cybercrime: Criminal activity that utilizes an element of a computer or computer network
Examples include:
Identity theft
Cyber-extortion
Information theft
Fraud
Exploitation of children
Intellectual property theft
Phishing and Vishing
Healthcare Breach Causes
1. Cybercrime: 89% of surveyed health care orgs breached in last two years; cybercrime top cause
2. Third-party partner: 41%
3. Stolen computing devices: 39%
http://www.scmagazine.com/ponemon-89-of-surveyed-health-care-orgs-breached-in-last-two-years-cybercrime-top-cause/article/496530/
What needs to be protected?
Laptop = $1000
SSN numbers - $2 each
Breach notification - $18 - $209 per identity
Bot herders can make $50k per month
Copper - $3.20 /lb
Ransomware - $300 - $1000 to unlock your data
Myths
I’m not a big enough target
They can have my data, I don’t care
We’ve never been hacked
Nobody would target me
My firewall protects us
My password is strong
Porn Tricks
Porn codecs
Phony multimedia player downloads or updates
Porn Blackmail
Identity Theft
Who??
Traditional scam artists
Large organized criminal elements
Why??
Low risk, high reward crime
It is all about money
Directly to use your accounts or identity
To resell your accounts or identity on the black market
Average “take” from Identity Theft is almost 10 times greater than from armed robbery
Preventing Identity Theft
Do not give private information over the phone to unknown callers
Do not send private information through e-mail to unknown recipients
Shred sensitive documents and junk mail
Check your credit report at least once a year
Only use secure internet sites for e-commerce
Do not open spam
Example (Free AV software)
Spam is Hostile
Spam can be dangerous
Never click on the opt-out link!
Tells spammers they found a working address
What should you do?
Filter it out whenever possible
Just delete the email
Google Dork: “Radiology”
IamTheCalvary.com/medical
Focused on issues where computer security intersects public safety and human life.
Other SCADA Vulnerabilities
Dial-ups still being used with new equipment
Use of wireless modems, Bluetooth, web services, Telnet, SNMP, DCOM, ActiveX, and other vulnerable applications in new equipment
Infusion Pump Example
Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System
Remotely control infusion volume
FDA Memo
Disconnect from network
Change Default password
Block default ports
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm
http://www.computerworld.com/article/2932371/cybercrime-hacking/medjack-hackers-hijacking-medical-devices-to-create-backdoors-in-hospital-networks.html
Twitter Password Crack
Used dictionary attack against Twitter
admin = Crystal
Many accounts compromised: President-Elect Barack Obama's, and Fox News
Prevention
Complex passwords
Account lockout after 5 bad attempts
Limit admin tools to administrators
password = happyiness
Ransomware
How does it get in?
Tainted email attachment or infected advertising from a website
What does it do?
Encrypts most documents on local and shared drives
Ransomware - Example
2/5/2016 Hollywood Presbyterian Medical Center had their system encrypted with Ransomware ($3.6 Million)
Affected
CT scans
EMR (electronic medical record system)
Documentation
Lab Work
Pharmacy
2/15/2016 paid $17k Ransom
Client-Side Exploitation Example
Step 0: Attacker Places Content on Trusted Site
Step 1: Client-Side Exploitation
Step 2: Establish Reverse Shell Backdoor Using HTTPS
Step 3 & 4: Dump Hashes and Use Pass-the-Hash Attack to Pivot
Step 5: Pass the Hash to Compromise Domain Controller
www.sans.org/top-cyber-security-risks/#summary
Default Medical Passwords
If any of these look familiar, change them
24 most-used passwords
1. 123456 9. iloveyou 17. monkey
2. password 10. adobe123 18. shadow
3. 12345678 11. 123123 19. sunshine
4. qwerty 12. admin 20. 12345
5. abc123 13. 1234567890 21. password1
6. 123456789 14. letmein 22. princess
7. 111111 15. photoshop 23. azerty
8. 1234567 16. 1234 24. trustno1
Passwords
Password Cracking
Identify weak or default passwords
Verify the use of complex passwords
Characters (complex)    Estimated time to crack
7                       6 minutes
8                       2.34 hours
14                      9 hours
15                      209 days
Pick The Best Password
password
Summer13
P@swordCompl3x
juggle13 google
Passwords
A strong password is:
8 or more characters
Uppercase and lowercase
Alpha-numeric
Odd character(s)
Non-dictionary
Non-pronounceable
15 or more characters for admin passwords (recommended)
Passwords
Prevention
Set minimum length and complexity through group policies
Disable LM hashing
Don’t store passwords in plain text
Password Safe (recommended)
Don’t let the browser save your password
Educate the users
Change defaults
Example (Router and password)
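The strong-password criteria and the 24 most-used passwords from the slides above, combined into one checker and run over the "Pick The Best Password" candidates. This is an added example, not part of the original presentation; the function name check_password and the substring match against the list are assumptions, and the "non-pronounceable" criterion is not checked.

```python
import string

# The 24 most-used passwords listed on the slide above.
COMMON = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
}


def check_password(pw, admin=False):
    """Return the slide criteria that pw fails; an empty list means it passes."""
    min_len = 15 if admin else 8  # 15 or more is the slide's admin recommendation
    failures = []
    if len(pw) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("needs uppercase and lowercase")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        failures.append("needs letters and digits")
    if not any(c in string.punctuation for c in pw):
        failures.append("needs an odd character")
    # Assumption: "non-dictionary" is approximated by rejecting any password
    # that contains one of the 24 most-used passwords, ignoring case.
    lowered = pw.lower()
    if any(word in lowered for word in COMMON):
        failures.append("contains a most-used password")
    return failures


if __name__ == "__main__":
    # Candidates taken from the "Pick The Best Password" slide.
    for candidate in ["password", "Summer13", "P@swordCompl3x", "juggle13"]:
        result = check_password(candidate)
        print(f"{candidate:16} {'OK' if not result else '; '.join(result)}")
    # The same password judged against the admin length recommendation.
    print("admin:", check_password("P@swordCompl3x", admin=True))
```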
HaveIBeenPwned.com
Techniques
Social engineering
Social networking
Lock by-passing
Thumb drive sprinkle
Dumpster diving
Tailgating
Out of office message
Black box
Once I’m In
Unlocked PCs & cabinets
Unused network jacks
Keyloggers
Physical Security
Locks keep honest people honest
(720 ILCS 5/19-2) (from Ch. 38, par. 19-2)
If You Remember Nothing Else …
Promptly apply patches
Run anti-virus software configured to update daily, use on-access/on-demand scanning, and perform a full scan at least weekly
Use a firewall (either software or hardware) and configure for the most restrictive setting that still allows you to do required work
Select good, strong passwords and use them everywhere
Think BEFORE you click!!
Security Awareness Material
www.illinois.gov/bccs/services/catalog/security/assessments/Pages/awareness.aspx