Showing posts with label Mobile Application Security.

Tuesday, 9 April 2019

Penetration Testing and Compliance

Security & Compliance - An Overview

There is a systemic issue within the cybersecurity industry regarding compliance. While not universal, one attitude towards compliance is incredibly pervasive: it is all too often treated as an exercise in finding the minimum effective dose, that is, how to ‘tick the compliance box’ in the most expedient, lowest-cost way, rather than in the manner most likely to produce real improvements in overall security.

Looking locally, institutions like the Australian Signals Directorate (ASD) are providing resources and frameworks to lift the collective cybersecurity posture within Australia, across both the private and public sectors. The Information Security Manual (ISM) is not compliance-focused by design (it is more a risk-guidance framework), but there are certainly compliance implications worth examining in it and in similar contemporary attempts to codify an approach to security.

In this article, we want to understand how compliance can be used not just as a yardstick for the minimum acceptable level of security, but as a basis for security excellence: an opportunity to periodically put areas of security under the microscope and consider practical measures that raise the security stance of each organisation individually, and hence of everyone collectively.

The Importance of Data Security

The most vital asset for most organisations is trust. Without it, government, health, and financial institutions, to take the prime examples, suffer tremendously. In the digital era, trust is most commonly tied to the handling of Personally Identifiable Information (PII), which will be the primary example used throughout this article.

Regular (at least annual) penetration testing is now mandated by many industry and government bodies, most notably in the financial and healthcare sectors. Failure to secure your client data can result in penalties from the Office of the Australian Information Commissioner (OAIC), which enforces the Notifiable Data Breaches scheme that came into effect on 22 February 2018. Because this is mandatory legislation, organisations need to continuously audit, monitor, and detect any potential for data exfiltration. That keeps security posture heightened and front of mind across all sectors, which is the optimal outcome for any compliance measure. Users benefit through improved security, and as an ancillary benefit, such measures minimise the brand damage that follows when a compromise becomes public.

So security teams are now required to continually update their internal policies so that the governance of data security stays aligned with legislation. Everything is linked: any internal deployment intended to prevent attacks and maintain the company’s security posture needs to be understood in its entirety, because a change in one place can have a knock-on effect elsewhere.

Everything is connected and can have a knock-on effect.

Practical Compliance

As background, ‘compliance’ in the context we want to examine refers to legal or regulatory requirements against which a target organisation is measured. There are compliance standards common within security, like PCI DSS, ISO 27001, HIPAA, HITRUST, and countless others, and they must, where applicable to your organisation, be met. Historically, because cybersecurity has only really matured over the past decade in particular, there has been a pronounced lag in the validity of most compliance measures. The issue stems from governing bodies having to write standards that cover a myriad of organisations across a myriad of industries. That lack of specificity translates directly into many measures being irrelevant to a given organisation and merely a roadblock to productivity. This has given rise to the tick-in-the-box approach we have already alluded to, where organisations are compliant even in the absence of any real desire or need to be secure.

Security and compliance overlap, but are not the same

As the focus on security has increased, so too has the complexity of industry standards and the vehemence with which adherence is demanded. Moreover, as we have seen recently, both legislators and users have raised their expectations of privacy and of transparent controls over PII. Rest assured, this will lead directly to more stringent and more frequent auditing against regimes like the General Data Protection Regulation (GDPR) in the EU and the Privacy Act in Australia.

Compliance is one of the most significant matters an organisation needs to address, as any failing can have enormous implications. Not only do government-mandated regulations and industry standards bodies typically demand compliance in order for organisations to obtain or retain certification, but commercially, client organisations may insist on verifiable compliance as a condition of doing business. Unfortunately this has led to a pass/fail approach in many areas of security, with excellence falling victim to expediency. Penetration tests in particular are often wrongly treated as tick-in-the-box exercises to meet expectations. Conducted expertly, however, a penetration test is a genuine opportunity to improve security posture.

Identify Gaps Within an Organisation

In much the same way as it is easier to submerge a tyre to find a leak than to examine every square centimetre of it, the astute way to understand where your vulnerabilities are is to perform a thorough penetration test and let the leaks show themselves.

Finding the holes requires the right processes

For clarity, this does not mean a mere Vulnerability Assessment (VA) using Nmap, Nessus or the like. Those tools perform automated scans that find ‘low-hanging fruit’, and they are typically not enough to establish the true scope of vulnerabilities that exist within your organisation. They are useful in that their automation covers the breadth of potential vectors an organisation may expose, but it takes a human to genuinely explore the potential for compromise: chaining lower-severity findings, abusing business logic, and pivoting from one system to the next are things a scanner does not do. The complication is that a VA may be sufficient to achieve compliance for some use cases under some standards. Until relatively recently, with PCI DSS 3.0 tightening the penetration testing requirement (11.3), a VA was in practice enough for PCI DSS. So the problem is that meeting compliance often does not unearth the deeper security issues; there is potentially a chasm between best practice and mere compliance.

A Risk Management Approach

All companies want to reduce unnecessary risk. Performing regular penetration tests surfaces risks within the organisation sooner. Regular risk management meetings with system owners then help evaluate and prioritise those risks in context. One result of penetration testing is that business units outside security become aware of the potential vulnerabilities within their own unit. Security risk managers can then communicate those challenges in a lexicon that resonates with each team, helping them understand their risk profile, mitigate the risks they can, and make a conscious decision about the risks they choose to accept or reject. Moreover, internal functions alone are not sufficient to satisfy the requirements of partners wishing to connect, so an external audit is typically mandated.

Partners and clients insist on external audit penetration testing.

Accurately outlining every vulnerability in a pentest report, with the correct technical terminology, is critical for technology teams. When the same report is communicated to a different audience, however, the language needs to change so that those teams understand what they need to do to remediate the risks. The fundamental element of successful security-risk awareness is therefore to strip technical jargon from the communication. This keeps the topic relevant and prevents the meaning being lost in translation, and it results in a unified approach where the security team works alongside a business unit towards the best security posture for the company. The best way to distil this for most business units is a standard risk matrix, with the critical issues and the steps towards remediation bullet-pointed in a supplemental document supplied by the internal technology teams.

A simple Risk Matrix can provide clarity

Avoid Conflicts of Interest

If the entity that implemented a technical solution (whether internal staff or an external service provider) is called upon to audit that very solution, the findings are very likely to be overwhelmingly positive. Since few compliance requirements mandate an independent external audit function, a company can meet a compliance standard using internal testing or, more likely, the same external service provider that was responsible for the work being evaluated. Further, even when an independent external firm conducts a penetration test, it makes no sense from an audit point of view for that same firm to also be involved in deploying, say, the security infrastructure or the policy framework. That would create a conflict of interest analogous to school children marking their own homework and awarding themselves 100%.

Avoid Conflict of Interest.

There are also (relatively) new standards and certifications being imposed on the security industry, claiming to raise the bar in terms of the technical expertise required to perform penetration tests. The reality, however, is that some of the organisations normalising this requirement are governed (at least in part) by senior members of the certifying body, a textbook conflict of interest.

Core Sentinel’s response is to recommend using a different, thoroughly independent firm every time you perform a security auditing function, including penetration tests. This not only avoids such conflicts, but also brings a different approach and therefore the potential to identify security issues that would otherwise be overlooked. In terms of due diligence when selecting a firm to conduct pentests, Core Sentinel recommends looking for qualifications such as OSCP (Offensive Security Certified Professional), OSCE (Offensive Security Certified Expert), and CISA (Certified Information Systems Auditor). These require demonstrable technical knowledge and ability, as well as demonstrable communication skills, to produce the kind of report you need: one containing actionable intelligence to reduce risk and to demonstrate an acceptable level of security to third parties.

Optimum App Security by Following OWASP Guidelines

The OWASP (Open Web Application Security Project) Top 10 is a regularly updated awareness document that outlines the ten most critical web application security risks. Companies performing web application penetration tests look to OWASP to assist in identifying and classifying those risks, and use it as a guideline when testing. Although necessarily somewhat general, the OWASP Top 10 is still the gold standard for approaching web application security. Note that it is a list of risk categories rather than a testing methodology; OWASP’s Testing Guide and Application Security Verification Standard (ASVS) cover the actual test cases, and a report that simply checks off the ten categories is a sign of the tick-in-the-box approach discussed above.


Summary

Compliance does not (always) equate to best practice, especially in security. Though the terms are often used interchangeably, there are fundamental and important differences between them, with implications well beyond the purely technical.

When undertaking any security compliance measure, implementing controls that go beyond the minimum will not only make you more secure now, but also set up an environment that fosters and values true security over lip-service. Instead of playing catch-up, you will be focused on setting the standard, and a reputation for security excellence will be appreciated internally, by clients, and by your end-users.

Our Founder's full interview covering pentesting on KBTV.

If you'd like to understand more about how Core Sentinel can help you best address the gap between "compliant" and "secure" please get in contact.

We will be exploring a case study of a 'Conflict of Interest' in depth in our next article.

Hack-proof Your Systems.


Wednesday, 27 February 2019

Healthcare Cybersecurity - An Industry In The Crosshairs

By their very nature, healthcare institutions are the bastions of the weak and vulnerable, and unlike most other institutions they have matters of literal life and death constantly hanging over them. That pressure, coupled with the operational importance of IT systems, means any threat actor can tip the balance, or threaten to, with potentially calamitous results. This gives a would-be attacker enormous leverage in matters of coercion, because it forces an immediate response. So what needs to be considered when looking at healthcare penetration testing?
First, we need to understand what medical systems can be potentially compromised?
“Anything. Anything technical can be. And it should be tested. You can never understand just how far an attacker can get without seeing it play-out in the real world, on your real systems.”
- Steve McLaughlin, Director & Principal at Core Sentinel

Anything Can be Tested (and should be!) - A Clip from Core Sentinel on KBTV
  • One of the most evident attacks, due to its sheer scale, was the 2017 compromise of the UK’s NHS (National Health Service) by WannaCry. Over 60,000 pieces of hospital equipment were affected, and the total bill is estimated at nearly USD$100m.
  • In 2018 we learned of the Singaporean government health records hack. This single compromise saw the records of roughly 25% of the population, including those of the Prime Minister, exfiltrated.
  • Australia’s ‘My Health Record’ initiative, delivered by Accenture, has been a debacle. Beyond the mismanagement and miscommunication of the entire program to the public, the Australian Digital Health Agency (ADHA) annual report recorded 42 reported data breaches. While most were seemingly not serious, the number is indicative of systemic problems in the approach to security.
  • In the private sector, the health records company Allscripts (the irony of the name is not lost on us) was hit by SamSam in January 2018, severely limiting many of its clients’ access to health records for nearly a week. SamSam saw numerous health institutions succumb to the extortion and pay the ransom: at least 233 organisations paid nearly USD$6m in total, and extrapolating from that, we estimate over USD$2m was paid by the healthcare industry in this one ransomware campaign.
  • As recently as February 2019, cardiac specialists at Cabrini Hospital were held hostage by ransomware that reportedly encrypted the records of some 15,000 patients.
Despite the enormous resources available to healthcare platforms, and the very visible culpability they carry in both the private and public sector, fundamental issues have led to this recent spate of compromises and have eroded public trust. Furthermore, the sheer volume of attacks, including the unsuccessful ones, shows just how deliberately the healthcare industry is being targeted, given the resources an attacker must commit for those numbers to exist at all.

Unique Attack Vectors for Healthcare Security

New ways mean new vectors...

Moving to The Cloud

Cloud adoption provides rapid, ubiquitous access to current data such as patient records and imaging, a huge benefit in expediting access to accurate information in an industry where split seconds and access to data are often critical. This access is a double-edged sword. The increased amenity comes at a cost to healthcare providers and consumers alike: converging vast amounts of health records on central platforms, and moving that data in flight, makes the target far more attractive and hence raises the risk.
Looking at the individual components as discrete parts is a mistake. Modern IT ecosystems work as an implicitly connected nexus, even more so with the adoption of the cloud. Securing 99 of 100 systems against infiltration still leaves the entire network open to compromise through the one system the others implicitly trust.

Customer Number 17

The commoditisation of malware, and the marketplaces that have formed around it, provide a very low-friction path for attackers to execute sophisticated attacks. With relatively little technical maturity, an attacker can run off-the-shelf ransomware to compromise and lock out administrative, and even critical operational, machines in a healthcare facility by encrypting local files or compromising connected equipment. In most industries this is a serious inconvenience. In healthcare it can be fatal, and that demands a more resolute weighting and a more diligent approach than perhaps in other sectors.

IoT Adoption and Increasing Attack Surface

The Good

The benefits of Internet of Things (IoT) devices, those that push and pull data between themselves without human agency, are manifold: sharing records such as imaging, valuable insights from remote specialists, continuous and remote monitoring of patients, and more specifically the interweaving of all this data to develop insights from subtle fluctuations that would otherwise have gone unseen.

The Risk

An always-on device connected to a network on which a patient may be depending to stay alive poses obvious risks. Even the compromise of a non-critical IoT device like a thermometer could cause tremendous harm through a knock-on effect, pulling focus and resources away from more critical activities. And that is before considering critical elements like pacemakers or dialysis machines.

The Reality

Generally speaking, engineers building these devices are not thinking “security first”, which means security measures are usually bolted on before going to market rather than built in through ‘security-by-design’ principles during development. These engineers are unlikely to come from IT; they are more often medical electronics specialists, further removed from a security-first mentality. Their hearts may be in the right place, but their frameworks (likely) are not.

Patching

A mature patching program is difficult enough in any industry, even with commodity systems, but the healthcare sector has a particular problem with it because many devices have non-standard interfaces or, in many cases, no practical way to be patched at all. The 24/7/365 nature of operations also means the windows in which patching is possible are infrequent at best.
In 2017 WannaCry infected specific medical hardware running on a Windows kernel. That device, from Bayer, was joined by alerts from Medtronic and Johnson & Johnson about their own devices, acknowledging potential issues the manufacturers were, at least in part, expecting.
The lifecycle of most medical devices is long. Because of the bureaucratic nature of FDA approval in the US and Therapeutic Goods Administration (TGA) approval in Australia, and the overall expense of procuring devices, the period of use often extends well past the end of updates and support from the manufacturer, at which point vulnerabilities are simply no longer addressed.

People

Exhaustion is commonplace within the industry, and it is a tall order to expect employees to recall the two hours of security awareness training they did three years ago, even when well rested.
Phishing is the most prolific attack vector regardless of industry. In healthcare, however, it is particularly pronounced: the simplicity of execution, the urgency with which organisations must respond to ransomware, and their demonstrated historical willingness to pay make it very attractive to threat actors. Staff lists are also readily available through online rosters and public profiles.
Healthcare professionals, like many industries, will also petition for BYOD within the organisation. Under the ‘rental’ model, where many healthcare professionals, even within hospitals, are essentially tenants, it can be exceptionally hard to enforce the strict policies that keep institutions secure. Further, while most professionals understand to some level the risk of viruses and other threats to desktop and laptop computers, the threats posed by mobile devices, now the bulk of BYOD endpoints, are less well understood.

Not All Dire News

While the rate of attacks is still increasing, it is increasing at a decreasing rate compared to 2016, 2017 and 2018. More sophisticated approaches to tackling cybersecurity challenges within healthcare have been adopted since early 2017, when the US Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force described the industry’s security posture as ‘critical’. Since then, we have seen determined efforts that amount to something of a swing back of the pendulum, or at least a loss of momentum on the attackers’ side. While maturing approaches in some areas and organisations are having an effect, education is still the weakest link, with social engineering and phishing the primary vectors.
“We at Core Sentinel are seeing Security Awareness improving. It’s taken a long time to permeate into the public consciousness within healthcare, but I think we’ve seen a tipping point corresponding to the often very public coverage of incidence. Individuals may not know the specifics of how to respond, but they’re now starting to understand the gravity of some of these threats.”
- Steve McLaughlin, Director & Principal at Core Sentinel

Some Things are Improving - A Clip from Core Sentinel on KBTV
It is not a cheap exercise, but the risk reduction and the flow-on effects for cyber insurance, PR, and ICT clean-up can make security risk assessment and penetration testing of medical equipment and healthcare environments invaluable.
While far from perfect, the healthcare industry is faring better than most in embracing encryption for communications. Anecdotally, we are seeing some institutions take a proactive approach to encrypting data at rest, but adoption there still lags well behind encryption in transit. In many cases this is relatively low-hanging fruit for healthcare organisations looking to improve their security.
Healthcare organisations are constantly under pressure from attackers, and constantly chasing their collective tails. One approach that has stood out is that of the UAE government. It has vocally and demonstrably understood the need for ongoing evolution, and sees the part machine learning can play in its overall strategy, both for healthcare itself and for the security options it may provide in this context. This stems from its willingness to act on aspects of its Fourth Industrial Revolution (4IR) strategy established in 2018, and it could well prove a proving ground for significant breakthroughs in healthcare and its security.

Immediate Steps - Healthcare Penetration Testing

Industry specialism is of paramount importance in security engagements such as penetration testing. Understanding the nuances of an industry’s requirements often makes a huge difference to the ultimate outcome, and nowhere more so than in health.
“Anything. Anything technical can be tested and should be tested. You can never understand just how far an attacker can get without seeing it in the real world.” said Steve McLaughlin of Core Sentinel. “Conduct a penetration test at least once a year, and from someone outside your IT providers, and an organisation that specialises in penetration testing for health care” he went on to say.

Use an External Auditor - A Clip from Core Sentinel on KBTV
The low-hanging fruit for healthcare organisations typically falls into only a handful of bins. As with most things, the fundamentals are almost always what decide success or failure:
  • Vulnerability management processes integrated with intelligent patching.
  • Proper network segmentation as part of the overall design, so that a compromised workstation or legacy device cannot reach clinical systems directly.
  • Up-to-date, offsite backups, which are a universal catch-all for recovering from several of the ransomware incidents we have seen.
  • A penetration test prior to any go-live deployment, and after any significant change.
  • Documented build standards aligned to industry hardening standards and frameworks such as those published by OWASP.
  • Network- and host-based malware/antivirus detection and prevention.
  • Network firewalls and web application firewalls (WAF).
  • Security review integrated into change management.
  • Documented security processes, procedures, standards, and guidelines that staff are trained to follow.
  • User awareness training.
Recovery from ransomware, while historically difficult and unlikely, can often now be achieved. The industry has responded, tools to identify and in many cases remediate infections are available from many vendors, and they are constantly evolving. More importantly, a simple, well-implemented enterprise backup and recovery program for critical data allows recovery from a ransomware outbreak with minimal data loss. New variants of the original ransomware families continue to be released that cannot be remediated by decryption, which is exactly why tested backups matter more than any decryption tool. A specialist like Core Sentinel can help you understand your risks and where best to focus your attention. Our security testing identifies security weaknesses, vulnerabilities, and architectural weaknesses across the board, so you can prioritise remediation based on a risk assessment targeted at your specific business and technology environment.
Whether the system in question is a blood gas analyser or a Siemens MRI, these devices are generally not addressed by an organisation’s IT team. That leaves them unpatched and, increasingly, connected to the internet. Core Sentinel addresses these areas, which need a focused engagement and unique testing, to help healthcare institutions stay secure.
After all, as the medical industry is well aware, prevention is always better than a cure.
Call one of our consultants today to see how we can assist you.

