
Securing Medical Devices Using Adaptive Testing Methodologies


How to build customized testing process for medical devices using adaptive testing methodology.

Published in: Technology


  1. Title slide: Securing Medical Devices Using Adaptive Testing Methodologies (session ASD-R10). Daniel Miessler, Director of Advisory Services, IOActive, Inc., @danielmiessler
  3. About
     - 18 years in information security
     - Technical testing background (net/web/mobile/IoT)
     - Director of Advisory Services at IOActive
     - Previously a founding member and principal at HPE Fortify on Demand
     - Work on a number of OWASP projects: IoT Security and the OWASP Game Security Framework Project
     - Read, write, podcast, table tennis
  4. Agenda
     - Why do we care?
     - The problem
     - Adaptive Testing Methodology
     - Practical takeaways
  5. Why do we care?
  6. Recent Issues: Johnson & Johnson
     - J&J insulin pump (Animas OneTouch Ping)
     - Jay Radcliffe, diabetic and researcher
     - Unencrypted command traffic
     - Could send unauthorized insulin injections
     (Image: REUTERS / Weigmann)
  7. Recent Issues: St. Jude
     - St. Jude pacemaker
     - Many vulnerabilities found
     - PR + shorting of stock
     - Vulns included a wireless "god key"
     - MedSec found the vulns
     - Muddy Waters shorted the stock
  8. Hospitals being ransomed: US hospitals
     - Hollywood Presbyterian Hospital: tried to get help from authorities, ended up paying $17,000
     - Methodist Hospital: refused to pay, had to shut down part of the hospital
     - Many, many more
  9. Hospitals being ransomed: NHS
     - One NHS area had to transfer patients because they were shut down
     - 34% of Health Trusts in the U.K. hit with ransomware within the last 18 months
     - 60% of Scottish trusts
     - Other countries affected as well, including Germany
  10. Bitcoin Readiness (a depressing state)
     - When ransomware happens the payment is usually in bitcoin
     - Companies getting hacked often don't know anything about bitcoin
     - The time it takes to learn about and acquire bitcoin often costs companies massive amounts of money
     - Many are hiring law firms to acquire and hold bitcoin for them in case they get hacked
     - I like the preparation piece, but it's still quite depressing
  11. A Dangerous Combination
     - Home users
     - Schools
     - Governments
     - Small businesses
  12. A Dangerous Combination: the medical space is extremely vulnerable to these issues.
  13. The problem
  14. Recent Issues: lots of vulnerabilities found
  15. A Disconnect: the attack surface for medical devices is simply larger than the maturity of standardized procedures to test those surface areas.
     (Chart, 0-100 scale: Current Attack Surface, Future Attack Surface, Testing Maturity)
  16. The Attack Surface
     - Hardware physical interfaces
     - Physical networking ports
     - Debug / admin ports
     - WiFi / RF
     - Data transfer and storage
     - Cryptographic implementations
     - HL7 implementations
     - Hardware sensors
     - Input parsing / validation
     - Command / data authentication
  17. Attack Surface vs. Testers
     - How many devices are there already?
     - How many have been tested?
     - How many devices will there be?
     - How many testers will be required to look at them?
  18. Problem: Tester Desensitization
     - Comprehensive testing methodologies are usually massive
     - Testers can usually only read them once or twice
     - They can't use them over time
     - You only get a couple of strikes regarding irrelevant content
  19. The Adaptive Testing Methodology approach
  20. Adaptive Testing Methodology: contextual testing based on attributes of the target or situation
  21. Adaptive Testing Methodology: contextual testing based on attributes of the target or situation. Can apply to web apps, hosts, IoT, medical devices, etc.
  22. Adaptive Testing Methodology: contextual testing based on attributes of the target or situation. Can apply to web apps, hosts, IoT, medical devices, etc.
     Attribute types (potential):
     - Target attack surfaces
     - Time available
     - Tools available
     - Skill level available
  23. (image-only slide)
  24. OWASP IoT: Medical Device Testing
  25. (image-only slide)
  26. Real-world Usage
     - Third-party testing requirements
     - Trying to avoid tester fatigue from vendors
     - Profile a piece of hardware using Adaptive Testing
     - See which surface areas are in play
     - Create a customized testing methodology for that device/ecosystem
     - Reduce the size of a testing methodology by 50-300%
     - Every section is relevant
  27. Lessons learned over the years
     - Visibility is king in security
     - You can't defend what you can't see and don't understand
     - Medical devices have many unseen attack surfaces
     - Because it's an ecosystem, flaws in one can lead to overall weakness
     - With vulnerabilities, 1 + 1 + 1 often equals 7
  28. Takeaways: visibility is problem #1
  29. Takeaways: monolithic testing methodologies can lead to tester fatigue
  30. Takeaways: simple methodology is consumable, and consumable methodology gets used
  32. Takeaways: friends don't let friends ship things without understanding the attack surface
  33. Takeaways: friends don't let friends buy things without understanding the attack surface
  34. Takeaways: friends don't let friends install / implement things without understanding the attack surface
  35. Takeaways: place stress on approachable simplicity for understanding attack surfaces
  36. Takeaways: modularize and streamline your testing methodologies to avoid them being disregarded
  37. Takeaways: focus on breadth before depth when covering attack surfaces
  38. Resources
     - OWASP Internet of Things: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
     - I Am The Cavalry: https://www.iamthecavalry.org
  39. Future work: Medical Security Scenarios Project
  40. Future work: Medical Security Scenarios Project. Each scenario is classified by:
     - Attack surface
     - Vulnerability type
     - Skill level required
     - Life-threatening or not
  41. Thanks
     - Email: daniel.miessler@ioactive.com, daniel@danielmiessler.com
     - Twitter: @danielmiessler
     - Podcast: Unsupervised Learning, danielmiessler.com/ul
     - Reach out any time! Participate. We're always hiring at IOActive!
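The attribute-driven selection described on slides 20-22 and 26 (profile the device, keep only the sections whose surfaces are in play and that fit the available skill, tools and time, fill breadth-first per slide 37), as an added example in Python that is not from the slides or the OWASP IoT project. The master methodology rows, surface names and the device profile are constructed, hypothetical sample data.

```python
"""Adaptive Testing Methodology: derive a device-specific checklist from a
master methodology by matching its sections against the target's attributes.
Sections, surface names and the device profile are constructed sample data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Section:
    name: str         # test section in the master methodology
    surface: str      # attack surface it covers (slide 16 categories)
    depth: int        # 1 = first-pass coverage, 2 = deeper follow-on test
    hours: float      # estimated effort
    skill: int        # minimum tester skill level (1-3)
    tools: frozenset  # tools the section needs

# Constructed master methodology (hypothetical rows, not the OWASP checklist)
MASTER = [
    Section("Enumerate debug/JTAG/UART headers", "debug_ports", 1, 2, 1, frozenset()),
    Section("Dump firmware over UART console", "debug_ports", 2, 4, 2, frozenset({"uart_adapter"})),
    Section("Capture radio command traffic", "wifi_rf", 1, 3, 2, frozenset({"sdr"})),
    Section("Replay/modify captured commands", "wifi_rf", 2, 6, 3, frozenset({"sdr"})),
    Section("Verify command authentication", "command_auth", 1, 2, 1, frozenset()),
    Section("Fuzz HL7 message parser", "hl7", 1, 5, 2, frozenset({"fuzzer"})),
    Section("Check at-rest encryption of stored data", "data_storage", 1, 2, 1, frozenset()),
]

def adapt(master, surfaces, hours, skill, tools):
    """Keep only sections in play for this device (surface present, tester
    skill and tools sufficient), then fill the time budget breadth-first:
    all depth-1 checks before any depth-2 check, so every surface gets seen."""
    eligible = [s for s in master
                if s.surface in surfaces and s.skill <= skill and s.tools <= tools]
    chosen, remaining = [], hours
    for s in sorted(eligible, key=lambda s: (s.depth, s.hours)):
        if s.hours <= remaining:
            chosen.append(s)
            remaining -= s.hours
    return chosen

def reduction(master, chosen):
    """Percentage of the master methodology dropped for this engagement."""
    return round(100 * (1 - len(chosen) / len(master)))

if __name__ == "__main__":
    # Constructed profile: RF-controlled pump with a debug header, 8 tester-hours
    plan = adapt(MASTER, {"wifi_rf", "debug_ports", "command_auth"},
                 hours=8, skill=2, tools=frozenset({"sdr", "uart_adapter"}))
    for s in plan:
        print(f"{s.surface:13} depth {s.depth} {s.hours:>3}h  {s.name}")
    print(f"methodology reduced by {reduction(MASTER, plan)}%")
```

With the sample profile the HL7 and storage sections drop out because those surfaces are not in play, the replay test drops out for lack of skill level 3, and the depth-2 firmware dump is deferred because it no longer fits the 8-hour budget after every in-play surface has its first-pass check.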
