Paubox SECURE @ Home 2020 Virtual Healthcare Cybersecurity & Innovation Conference October 21 - 22, 2020 https://www.paubox.com/blog/jeremiah-grossman-confirmed-to-speak-at-paubox-secure/ https://try.paubox.com/paubox-secure-2020

1. THE
ATTACK SURFACE
OF THE
HEALTHCARE
INDUSTRY
OCTOBER 21, 2020
BIT
DISCOVERY

2. •CEO, Bit Discovery
•20 years in Information Security
•Founder of WhiteHat Security
•Black Belt in Brazilian Jiu-Jitsu
JEREMIAH
GROSSMAN

3. Coalition serves over 25,000 small
and midsize organizations across
every sector of the US and Canada.
Report covers not just “breaches,” but
breaches resulting in material harm.

7. IMPORTANCE
ASSET INVENTORY

8. Bit Discovery 2020
FEDERAL TRADE
COMMISSION,
Plaintiff, v. EQUIFAX
INC., Defendant.

9. Bit Discovery 2020
USE-CASES
ASSET INVENTORY
• Vulnerability & Patch Management
• Third-Party Risk Management
• Mergers & Acquisition
• Cyber-Insurance
• Policy & Compliance
• Security Ratings
• Incident Response
• Sales & Marketing Enablement
• Investments

10. BIT
DISCOVERY
THE DATA
ABOUT

11. Bit Discovery 2020
INTERNET
“COPY” OF THE
• Generated by Bit Discovery + 400 data sources.
• WHOIS databases, domain names, ASN, ports,
service banners, technology stack, website index
page(s), full TLS certificate info, email addresses,
password dumps, etc.
• Each asset has potentially 115 unique data points.
• Each data point updated daily-to-monthly.
• Hundreds of snapshots collected over 5 years.
Largest Data-Set
Of It’s Kind
*missing ~30% of the Internet*
4.5 Billion DNS Entries
200+
INTERNET
SNAPSHOTS
515
DATA SOURCES
115
DATA COLUMNS
150
YEARS OF
CPU TIME

12. INVENTORY
ANALYSIS
BIT
DISCOVERY

13. Bit Discovery 2020
INSIGHTS
What do you want to know?
• How many websites, VPNs, mail servers, DNS
servers, SSH servers, etc.?
• How many of what assets are “in the cloud”
or use a particular CDN?
• How many assets have expired or soon-to-be
expired TLS certificates?
• What asset are using or NOT using PHP,
Drupal, Citrix, F5, Wordpress, etc.?
• In what countries are assets located?
• What assets or services should probably not
be externally exposed (RDP, MySQL, Dev/
Staging)?
By Organization
By Industry
Your Inventory

14. Bit Discovery 2020
ASSET
as·set | ˈaset |
noun
a domain name, subdomain, or IP
addresses and/or combination
thereof of a device connected to
the Internet or internal network.
• (an asset) may include, but not
limited to, web servers, name
servers, IoT devices, or network
printers.

15. Total Assets (hospitals & health)
The total number of Internet-connected assets globally.
HCA
Ascension
Tenet
Trinity
Vibra
Community Health
Atrium
CommonSpirit
LifePoint
Providence
MEDIAN
0 30,000 60,000 90,000 120,000
1,897
1,883
183
10,594
749
10,594
356
3,506
788
1,910
104,605

16. Total Assets (Healthcare)
The total number of Internet-connected assets globally.
Cardinal
Kaiser
McKesson
Anthem
CVS
Cigna
Humana
UnitedHealth
MEDIAN
0 30,000 60,000 90,000 120,000
21,360
108,759
18,645
6,360
43,153
19,900
22,819
70,645
10,020

17. Domain Names
The total number of registered domain names.
HCA
Ascension
Tenet
Trinity
Vibra
Community Health
Atrium
CommonSpirit
LifePoint
Providence
MEDIAN
0 1,500 3,000 4,500 6,000
107
90
3
1,286
50
1,286
36
307
38
123
5,264 Cardinal
Kaiser
McKesson
Anthem
CVS
Cigna
Humana
UnitedHealth
MEDIAN
0 1,500 3,000 4,500 6,000
808
5,615
204
404
953
1,434
1,086
663
523
Hospitals & Health Healthcare

18. Cloud Assets
The percentage of Internet-accessible and cloud-hosted assets. Cloud providers
include Amazon Web Services, Microsoft Azure, Google App Engine, and others.
HCA
Ascension
Tenet
Trinity
Vibra
Community Health
Atrium
CommonSpirit
LifePoint
Providence
MEDIAN
0 0 0 0 1
15.40%
16.78%
24.59%
15.40%
7.88%
15.40%
14.04%
32.94%
0.63%
5.18%
53.70% Cardinal
Kaiser
McKesson
Anthem
CVS
Cigna
Humana
UnitedHealth
MEDIAN
0 0 0 1 1
8.54%
6.26%
83.91%
15.30%
1.17%
10.82%
5.01%
2.83%
44.26%
Hospitals & Health Healthcare

19. CDN Assets
The percentage of Internet-accessible assets being served by a well-known
Content Delivery Network. CDNs include Akamai, Cloudflare, Fastly, and others.
HCA
Ascension
Tenet
Trinity
Vibra
Community Health
Atrium
CommonSpirit
LifePoint
Providence
MEDIAN
0 0 0 0 0
1.05%
0.74%
0.00%
8.14%
0.27%
8.14%
0.00%
1.23%
4.06%
1.36%
0.19% Cardinal
Kaiser
McKesson
Anthem
CVS
Cigna
Humana
UnitedHealth
MEDIAN
0 0 0 0 0
1.59%
3.38%
0.19%
1.45%
0.33%
0.02%
10.54%
0.59%
2.94%
Hospitals & Health Healthcare

20. Certificate Authorities
The number of unique Certificate Authorities seen across the Internet-accessible assets.
HCA
Ascension
Tenet
Trinity
Vibra
Community Health
Atrium
CommonSpirit
LifePoint
Providence
MEDIAN
0 13 25 38 50
22
19
4
27
7
27
5
25
9
27
46 Cardinal
Kaiser
McKesson
Anthem
CVS
Cigna
Humana
UnitedHealth
MEDIAN
0 28 55 83 110
47
106
24
37
42
45
60
48
50
Hospitals & Health Healthcare

21. Expired TLS Certs
The number of expired TLS Certificates seen across the Internet-accessible assets.
HCA
Ascension
Tenet
Trinity
Vibra
Community Health
Atrium
CommonSpirit
LifePoint
Providence
MEDIAN
0 30 60 90 120
59
55
5
103
10
103
1
81
17
63
97 Cardinal
Kaiser
McKesson
Anthem
CVS
Cigna
Humana
UnitedHealth
MEDIAN
0 175 350 525 700
243
433
14
556
107
88
614
221
264
Hospitals & Health Healthcare

22. Countries Hosting
The number of countries hosting Internet-accessible assets.
HCA
Ascension
Tenet
Trinity
Vibra
Community Health
Atrium
CommonSpirit
LifePoint
Providence
MEDIAN
0 4 8 12 16
6
3
4
9
2
9
3
8
4
8
16 Cardinal
Kaiser
McKesson
Anthem
CVS
Cigna
Humana
UnitedHealth
MEDIAN
0 6 12 18 24
16
20
10
23
15
13
17
11
18
Hospitals & Health Healthcare

23. Private IP-Space
The number of Internet-connected assets where the hostname
resolves to non-route-able RFC-1918 internal IP-addresses.
HCA
Ascension
Tenet
Trinity
Vibra
Community Health
Atrium
CommonSpirit
LifePoint
Providence
MEDIAN
0 8 15 23 30
4
3
0
5
2
5
0
1
25
8
30 Cardinal
Kaiser
McKesson
Anthem
CVS
Cigna
Humana
UnitedHealth
MEDIAN
0 175 350 525 700
42
408
3
9
98
8
691
15
68
Hospitals & Health Healthcare

24. Wordpress (Healthcare)
Extremely popular free and open-source content management
system. Wordpress assets scanned with WPScan, which includes
vulnerabilities in WordPress plug-ins.
Total (Median)
WordPress
Websites
Total (Median)
WordPress
Vulnerabilities
Total (Median)
WordPress
Websites with
at least 1
vulnerability
Median # of
Vulnerabilities
per Wordpress
website
Hospitals &
Health
17 0 0 0
Healthcare 70 106 5 16

25. GUIDANCE

26. Every
security
program
must begin
with an asset
inventory.
Jeremiah Grossman
CEO, Bit Discovery
• Asset Inventory (Attack Surface Map)
• Multi-factor Authentication
• Email Security
• Routine Backups
• Wire Transfer Verification
• Password Management

27. BIT
DISCOVERY

28. Bit Discovery 2020
CAVEATS
Data Collection:
• Our Internet scanners sometimes use ANY type lookups
and not all service providers support ANY type DNS
lookups (i.e. Cloudflare)
• Round Robin DNS sometimes finds a lot of assets,
sometimes a little, and changes frequently.
• DNS servers and resolvers sometimes experience outages.
• DNS responses may exceed TTL.
• DNS servers may selectively block requests.
Issues with Organization Asset Inventory:
• Assets with subdomains within the ownership of a third-
party domain (e.g. <company>.wpengine.com,
<company>.salesforce.com, etc.) may cause issues.
• Assets not listed on certificate transparency and/or doesn’t
have a public DNS entry (e.g. they'll use internal DNS and
a self-signed cert).
• DNS errors falling outside the RFC standard,
"example_site.com" (~1%)
• Wildcard (*) DNS entries.
• DNS providers respond with erroneous information due to
breach.
• WHOIS redaction due to GDPR.