#RSAC
Daniel Miessler
Securing Medical Devices Using Adaptive Testing Methodologies
ASD-R10
Director of Advisory Services, IOActive, Inc.
@danielmiessler
About
- 18 years in information security
- Technical testing background (net/web/mobile/IoT)
- Director of Advisory Services at IOActive
- Previously a founding member and principal at HPE Fortify on Demand
- Work on a number of OWASP projects: IoT Security, and OWASP Game Security Framework Project
- Read, write, podcast, table tennis
Agenda
- Why we care?
- The problem
- Adaptive Testing Methodology
- Practical takeaways
Why do we care?
Recent Issues: Johnson & Johnson
- J&J insulin pump (Animas OneTouch Ping)
- Jay Radcliffe, diabetic and researcher
- Unencrypted command traffic
- Could send unauthorized insulin injections
Image: REUTERS/Weigmann
Recent Issues: St. Jude
- St. Jude pacemaker
- Many vulnerabilities found
- PR + shorting of stock
- Vulns included wireless god key
- MedSec found the vulns
- Muddy Waters shorted stock
Hospitals being ransomed: US Hospitals
- Hollywood Presbyterian Hospital: tried to get help from authorities, ended up paying $17,000
- Methodist Hospital: refused to pay, had to shut down part of the hospital
- Many, many more
Hospitals being ransomed: NHS
- One NHS area had to transfer patients because they were shut down
- 34% of Health Trusts in the U.K. hit with ransomware within the last 18 months
- 60% of Scottish trusts
- Other countries affected as well, including Germany
Bitcoin Readiness (a depressing state)
- When ransomware happens the payment is usually in bitcoin
- Companies getting hacked often don't know anything about bitcoin
- The time it takes to learn about and acquire bitcoin often costs companies massive amounts of money
- Many are hiring law firms to acquire and hold bitcoin for them in case they get hacked
- I like the preparation piece, but it's still quite depressing
A Dangerous Combination
- Home users
- Schools
- Governments
- Small businesses
- The medical space is extremely vulnerable to these issues.
The problem
Recent Issues
- Lots of vulnerabilities found
A Disconnect
The attack surface for medical devices is simply larger than the maturity of standardized procedures to test those surface areas.
Chart: Current Attack Surface vs. Future Attack Surface vs. Testing Maturity (scale 0-100)
The Attack Surface
- Hardware physical interfaces
- Physical networking ports
- Debug/admin ports
- WiFi/RF
- Data transfer and storage
- Cryptographic implementations
- HL7 implementations
- Hardware sensors
- Input parsing/validation
- Command/data authentication
Attack Surface vs. Testers
- How many devices are there already?
- How many have been tested?
- How many devices will there be?
- How many testers will be required to look at them?
Problem: Tester Desensitization
- Comprehensive testing methodologies are usually massive
- Testers can usually only read them once or twice
- They can't use them over time
- You only get a couple of strikes regarding irrelevant content
The Adaptive Testing Methodology approach
Adaptive Testing Methodology
- Contextual testing based on attributes of the target or situation
- Can apply to web apps, hosts, IoT, medical devices, etc.
- Attribute types (potential):
  - Target attack surfaces
  - Time available
  - Tools available
  - Skill level available
OWASP IoT: Medical Device Testing
Real-worldUsage
26
Third-partytestingrequirements
Tryingtoavoidtesterfatiguefromvendors
ProfileapieceofhardwareusingAdaptiveTesting
Seewhichsurfaceareasareinplay
Createacustomizedtestingmethodologyforthatdevice/ecosystem
Reducethesizeofatestingmethodologyby50-300%
Everysectionisrelevant
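As an added example (not from the talk, and not OWASP's or IOActive's code), the profile-then-customize loop above and the attribute types listed earlier (attack surfaces, time, tools, skill) expressed in Python: a master methodology whose sections are tagged with those attributes is reduced to the sections that apply to one device profile, ordered breadth-first across surfaces. The Section and Profile types, the section names and all tag values are constructed for illustration.

```python
from dataclasses import dataclass

SKILL = {"junior": 1, "mid": 2, "senior": 3}

@dataclass(frozen=True)
class Section:
    name: str         # test section from the master methodology
    surface: str      # attack surface it exercises
    min_skill: str    # minimum tester skill level
    tools: frozenset  # tools the section needs
    hours: float      # estimated effort

@dataclass
class Profile:
    surfaces: set   # surfaces found to be in play when profiling the device
    hours: float    # time available
    tools: set      # tools available
    skill: str      # skill level available

# Constructed master methodology (hypothetical section names, not OWASP's).
MASTER = [
    Section("Enumerate debug/admin ports", "debug", "junior", frozenset({"multimeter"}), 2),
    Section("Dump firmware over JTAG", "debug", "senior", frozenset({"jtag"}), 6),
    Section("Sniff RF command traffic", "rf", "mid", frozenset({"sdr"}), 4),
    Section("Check command authentication", "rf", "mid", frozenset({"sdr"}), 3),
    Section("Review HL7 message parsing", "hl7", "mid", frozenset(), 4),
    Section("Test Wi-Fi association/encryption", "wifi", "junior", frozenset({"wifi-adapter"}), 2),
]

def select(master, profile):
    """Return the customized methodology for one device profile."""
    # Keep only sections whose surface is in play and that the team can run.
    feasible = [s for s in master
                if s.surface in profile.surfaces
                and SKILL[s.min_skill] <= SKILL[profile.skill]
                and s.tools <= profile.tools]
    # Breadth before depth: round-robin across surfaces, cheapest first, so
    # every in-play surface gets one pass before any surface gets a second.
    queues = {}
    for s in sorted(feasible, key=lambda s: s.hours):
        queues.setdefault(s.surface, []).append(s)
    plan, budget = [], profile.hours
    while any(queues.values()):
        for surface in queues:
            if queues[surface]:
                s = queues[surface].pop(0)
                if s.hours <= budget:  # skip what no longer fits the time available
                    plan.append(s)
                    budget -= s.hours
    return plan
```

For a mid-skill tester with an SDR and a multimeter, eight hours, and only the debug and RF surfaces in play, the plan keeps two of the six sections; a senior tester with a JTAG adapter and more time gets five.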
Lessons learned over the years
- Visibility is king in security
- You can't defend what you can't see and don't understand
- Medical devices have many unseen attack surfaces
- Because it's an ecosystem, flaws in one can lead to overall weakness
- With vulnerabilities, 1+1+1 often equals 7
Takeaways
- Visibility is problem #1
- Monolithic testing methodologies can lead to tester fatigue
- Simple methodology is consumable, and consumable methodology gets used
- Friends don't let friends ship things without understanding the attack surface
- Friends don't let friends buy things without understanding the attack surface
- Friends don't let friends install/implement things without understanding the attack surface
- Place stress on approachable simplicity for understanding attack surfaces
- Modularize and streamline your testing methodologies to avoid them being disregarded.
- Focus on breadth before depth when covering attack surfaces.
Resources
- OWASP Internet of Things: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
- I Am The Cavalry: https://www.iamthecavalry.org
Future work: Medical Security Scenarios Project
Medical Security Scenarios Project
- Attack surface
- Vulnerability type
- Skill level required
- Life-threatening or not
Thanks
Email: [email protected] [email protected]
Twitter: @danielmiessler
Podcast: Unsupervised Learning, danielmiessler.com/ul
Reach out anytime! Participate.
We're always hiring at IOActive!