Page 1

855.HITRUST (855.448.7878) www.HITRUSTAlliance.net
© 2016 HITRUST Alliance. All Rights Reserved.

Monthly Cyber Threat Briefing
November 2016

Page 2

Presenters

• US-CERT: Majed Oweis, CISCP Analyst

• Trend Micro: Jon Clay, Global Threat Communications

• Anomali: Matthew Wollenweber, Sr. Security Engineer

• HITRUST: Eric Moriak, Manager – Assurance Services

Page 3

NCCIC/US-CERT REPORT

Page 4

Joint Analysis Report (JAR)-16-20223: Threats to Federal, State, and Local Government Systems Summary

JAR-16-20223 is:

• A TLP:AMBER, FOUO report released on October 14, 2016.

• A summary and collection of indicators of compromise (IOCs) associated with recent compromises and exploit attempts against Federal, state, and local government information systems.

• A summary containing a YARA rule, recommended mitigation measures, and a list of the threats associated with the IOCs in the CSV and STIX files.

• A collection of three files: a narrative summary (PDF), a CSV file of IOCs, and a STIX file of IOCs.

The JAR-16-20223 PDF, CSV and STIX files are available for download from the CISCP compartment on the US-CERT Portal:

• JAR-16-20223: https://portal.us-cert.gov/documents/64528/107086/JAR-16-20223/03c48e1e-8e37-4afc-b776-10f72c9259be

• JAR-16-20223 CSV file: https://portal.us-cert.gov/documents/64528/107086/JAR-16-20223.csv/3c03e630-5416-4d83-a17b-03d97161f5e7

• JAR-16-20223 STIX file: https://portal.us-cert.gov/documents/64528/107086/JAR-16-20223stix/30e4ef58-0df6-47b6-ac71-e890bff77e3e

Page 5

Questions? Comments?

Contact US-CERT at:

• Email: [email protected]

• Phone: 1-888-282-0870

• Website: www.us-cert.gov

Contact CISCP at: [email protected]

Page 6

TREND MICRO

Security Concerns with Pager Communications within Healthcare

Page 7

Forward-Looking Threat Research

• Healthcare-related research to discover potential leaks of PII

• Pager communications analyzed globally; the study timeframe was January 25, 2016 to April 25, 2016

• Weaknesses discovered with pagers:

– Pages are sent in clear text

– Sensitive and private data was seen

– Pages are easy to spoof

Page 8

Ways Pagers Are Used in Healthcare

•Nurse/Workflow Management

•Pharmacy

•General Communications

Page 9

Locations of Research Conducted

Page 10

Pager Protocols Examined

POCSAG: Post Office Code Standardization Advisory Group

• POCSAG operates at 512, 1200 and 2400 bits per second (bps)

• The original standard operates at 512 bps

• Super-POCSAG operates at 1200 and 2400 bps

FLEX is a high-speed paging protocol developed by Motorola. It was designed to operate on the same frequencies that POCSAG uses.

• FLEX is synchronous: receivers wake at known frame times instead of listening continuously for a preamble, which saves battery life.

• 128 frames in a 4-minute cycle, 15 cycles per hour

• Increased the number of capcodes (pager addresses) that can be used

Neither protocol encrypts or authenticates the message content, which is why pages travel in clear text and can be spoofed by anyone who can transmit on the paging frequency.

Page 11

Setup to Sniff Pagers

POCSAG and FLEX

• Both can be received and decoded with an RTL-SDR DVB-T dongle

– Under $20 at Hakshop, Amazon, etc.

Page 12

Nurse/Workflow Management

NaviCare® Curaspan™

InQuicker EpicSys

Page 13

Data Analyzed Breakdown

Page 14

Nurse/Workflow Management

Page 15

PHI Data Seen

Page 16

Top Medical Conditions Seen

Page 17

Top Medical Prescriptions Seen

Page 18

Examples

Page 19

Spoofing Pages

• gr-mixalot (GNU Radio blocks for generating pager transmissions): https://github.com/unsynchronized/gr-mixalot

• multimon-ng (software decoder for POCSAG and FLEX)

• PDW (Windows pager decoder)
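Pages 10, 11 and 19 describe the protocol, the receiver and the tools. The Python below is an added illustration, not code from the briefing or from Trend Micro's report: it implements POCSAG's framing so the "clear text" and "easy to spoof" findings can be seen at the bit level. A batch is a sync codeword followed by sixteen 32-bit codewords, each protected only by a BCH(31,21) code and a parity bit; there is no encryption and no sender authentication, so the same function that decodes a sniffed page also builds a forged one for any capcode. The capcode (1000000), function code and page text are constructed sample values; the zero-bit fill of the last message codeword and rendering the "spare" numeric symbol as '*' are simplifications, and corrupted codewords are skipped rather than error-corrected.

```python
"""POCSAG batch encoder/decoder: constructed example, not code from the briefing."""
from typing import List, Optional, Tuple

BCH_POLY = 0x769          # x^10+x^9+x^8+x^6+x^5+x^3+1, the POCSAG BCH(31,21) generator
SYNC = 0x7CD215D8         # synchronisation codeword that opens every batch
IDLE = 0x7A89C197         # idle codeword filling unused slots
SLOTS = 16                # 8 frames x 2 codewords per batch
NUMERIC_SYMBOLS = "0123456789*U -]["   # BCD values 0x0..0xF; 0xA is "spare", shown as '*' (assumption)


def bch_remainder(word: int) -> int:
    """Remainder of a <=31-bit polynomial modulo BCH_POLY (long division over GF(2))."""
    for bit in range(30, 9, -1):
        if (word >> bit) & 1:
            word ^= BCH_POLY << (bit - 10)
    return word & 0x3FF


def encode_codeword(data21: int) -> int:
    """21 data bits -> 32-bit codeword: data, 10 BCH parity bits, 1 even-parity bit."""
    word31 = (data21 << 10) | bch_remainder(data21 << 10)
    return (word31 << 1) | (bin(word31).count("1") & 1)


def codeword_is_valid(cw: int) -> bool:
    """Integrity only: zero BCH syndrome and even parity. Says nothing about who sent it."""
    return bch_remainder(cw >> 1) == 0 and bin(cw).count("1") % 2 == 0


def reverse_bits(value: int, width: int) -> int:
    """POCSAG sends characters and BCD digits least-significant bit first."""
    return int(f"{value:0{width}b}"[::-1], 2)


def encode_alpha_page(capcode: int, function: int, text: str) -> List[int]:
    """One batch carrying an alphanumeric page; anyone can build this for any capcode."""
    frame = capcode & 0x7                        # low 3 capcode bits select the frame (0-7)
    address = encode_codeword(((capcode >> 3) << 2) | (function & 0x3))   # flag bit 0
    bits = "".join(f"{reverse_bits(ord(ch) & 0x7F, 7):07b}" for ch in text)
    bits += "0" * (-len(bits) % 20)              # simplified fill of the last 20-bit field
    messages = [encode_codeword((1 << 20) | int(bits[i:i + 20], 2))       # flag bit 1
                for i in range(0, len(bits), 20)]
    payload = [address] + messages
    if 2 * frame + len(payload) > SLOTS:
        raise ValueError("page does not fit in a single batch (example limitation)")
    slots = [IDLE] * SLOTS
    slots[2 * frame:2 * frame + len(payload)] = payload
    return [SYNC] + slots


def decode_batch(words: List[int]) -> List[Tuple[int, int, str]]:
    """Return (capcode, function, message bits) for each page in a batch.

    Everything needed for this is public; the receiver never has to prove identity.
    """
    if len(words) != SLOTS + 1 or words[0] != SYNC:
        raise ValueError("expected a sync codeword followed by 16 codewords")
    pages: List[Tuple[int, int, str]] = []
    current: Optional[Tuple[int, int, str]] = None
    for index, cw in enumerate(words[1:]):
        if not codeword_is_valid(cw):
            continue                             # corrupted slot; real decoders try BCH correction
        if cw == IDLE or (cw >> 31) == 0:        # idle or address codeword ends the current page
            if current is not None:
                pages.append(current)
                current = None
            if cw != IDLE:
                data = (cw >> 11) & 0x1FFFFF
                current = (((data >> 2) << 3) | (index // 2), data & 0x3, "")
        elif current is not None:                # message codeword: append its 20 payload bits
            current = (current[0], current[1], current[2] + f"{(cw >> 11) & 0xFFFFF:020b}")
    if current is not None:
        pages.append(current)
    return pages


def alpha_text(bits: str) -> str:
    """7-bit ASCII, LSB first; trailing zero fill decodes as NUL and is dropped."""
    chars = (chr(reverse_bits(int(bits[i:i + 7], 2), 7)) for i in range(0, len(bits) - 6, 7))
    return "".join(chars).rstrip("\x00")


def numeric_text(bits: str) -> str:
    """4-bit BCD digits, LSB first, using the standard's symbol table."""
    return "".join(NUMERIC_SYMBOLS[reverse_bits(int(bits[i:i + 4], 2), 4)]
                   for i in range(0, len(bits) - 3, 4))


if __name__ == "__main__":
    # Constructed page: a forged transfer order aimed at a ward pager (capcode is made up).
    batch = encode_alpha_page(1000000, 3, "PT 4312 TO ICU STAT")
    for capcode, function, bits in decode_batch(batch):
        print(f"capcode {capcode} fn {function}: {alpha_text(bits)!r}")
    print("tampered codeword accepted:", codeword_is_valid(batch[1] ^ (1 << 20)))
```

With a real receiver the bitstream comes from the SDR: rtl_fm tuned to a paging channel (the US paging band sits around 929 to 932 MHz) piped into multimon-ng with `-a POCSAG512 -a POCSAG1200 -a POCSAG2400` performs the demodulation and the same framing decode as decode_batch, while gr-mixalot covers the transmit side that encode_alpha_page models. The BCH check only detects channel errors; a forged page built with the right capcode passes it exactly like a genuine one. Transmitting on licensed paging frequencies without authorisation is illegal; test against a dummy load or a receiver on the bench.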

Page 20

Attack Scenarios

• Sending pages to the pharmacy for medication

• Moving patients within facilities

• Declaring an emergency inside facilities

• Intercepting calls from attending doctors

• Stealing a deceased person's identity

• Spoofing messages

Page 21

Recommended Solutions

• Stop using pagers

• Move to encrypted pagers

• If pagers are absolutely required, keep personal and patient information out of page text (such leaks were observed in the study)

Page 22

Read the Research Report

Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry

Page 23

ANOMALI

CTX Trends and Analysis

Page 24

Overview:

• Leaked Credentials

• CTX Trends and Analysis

• Brand and Domain Monitoring

Page 25

Leaked Credential Stats

Page 26

Leaked Credentials by Month

Page 27

CTX Stats

Page 28

CTX Analysis

Attacks reflect general trends:

• Malicious URLs are the primary attack vector

• Ransomware remains popular

• VBS attachments are common

• Nemucod is the top tagged trojan/ransomware

Page 29

HITRUST Brand Monitoring

Page 30

Questions?

Page 31

For More Information

• Matthew Wollenweber: [email protected]

• Anomali Support/Info Requests: [email protected]

Page 32

HITRUST

CSF Controls Related to Threats

Page 33

CSF Controls Related to Threats

CSF Control for Leaked Credentials (Anomali slides)

• Control Reference: 01.d User Password Management

– Control Text: All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user.

– Implementation Requirement: Passwords should be confidential, passwords should be changed under indication of compromise, passwords should not be reused, passwords should not be shared or provided to anyone.

Page 34

CSF Controls Related to Threats

CSF Control for Ransomware (Trend Micro)

• Control Reference: *02.e Information Security Awareness, Education, and Training

– Control Text: All employees of the organization and contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant to their job function.

– Implementation Requirement: Ongoing training for these individuals and organizations shall include security and privacy requirements as well as training in the correct use of information assets and facilities (including but not limited to log-on procedures, use of software packages, anti-malware for mobile devices, and information on the disciplinary process).

Page 35

CSF Controls Related to Threats

CSF Control for Ransomware (Trend Micro)

• Control Reference: 09.j Controls Against Malicious Code

– Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.

– Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.

Page 36

CSF Controls Related to Threats

CSF Control for Crypto-Ransomware (Trend Micro)

• Control Reference: 09.l Backup

– Control Text: Back-up copies of information and software shall be taken and tested regularly.

– Implementation Requirement: Back-up copies of information and software shall be made, and tested at appropriate intervals. Complete restoration procedures shall be defined and documented for each system.

Page 37

CSF Controls Related to Threats

CSF Control for Ransomware (Trend Micro)

• Control Reference: *10.h Control of Operational Software

– Control Text: There shall be procedures in place to control the installation of software on operational systems.

– Implementation Requirement: The organization shall maintain information systems according to a current baseline configuration and configure system security parameters to prevent misuse.

Page 38

CSF Controls Related to Threats

CSF Control for Pager/Beeper Unsecured Data

• Control Reference: *09.s Information Exchange Policies and Procedures

– Control Text: Formal exchange policies, procedures, and controls shall be in place to protect the exchange of information through the use of all types of communication mediums.

– Implementation Requirement: The organization shall ensure that communications protection requirements, including the security of exchanges of information, are the subject of policy development and compliance audits consistent with relevant legislation.

– When using electronic communication applications or systems for information exchange, the following should be addressed (paraphrased):

• Policies or guidelines shall be defined outlining acceptable use of systems

• Encryption for transmission or wireless communications

• Restrictions on forwarding or transcription of protected information

Page 39

QUESTIONS?

Page 40

Visit www.HITRUSTAlliance.net for more information

To view our latest documents, visit the Content Spotlight