Inherent threats – Are you protected?
It is always going to be a daunting task for the healthcare industry and OT operators to uncover built-in vulnerabilities such as Urgent/11, which affect everything from medical devices to industrial control systems. Many of these devices date back 10-20 years, to a time when security was never a priority. These vulnerabilities often remain latent and go undetected for multiple reasons, from technology mergers to corporate acquisitions, increasing the risk for the business owners of these assets.
Risk is a function of threat, vulnerability, and consequence. It can be interpreted as follows:
Risk = Threat x Vulnerability x Consequence
A threat can also be represented as a function of capability, opportunity, and intent. It is often defined as:
Threat = Capability + Opportunity + Intent
Since Threat is a sum of capability, opportunity, and intent, it is not surprising that in the healthcare industry, where insider threats often outnumber external threats, access to systems with high vulnerabilities can often translate into immediate compromise.
Let us define another attribute that impacts the organization's risk - Consequence.
Consequence primarily implies the severity in terms of business damage, financial impact or lives lost.
In the context of the Urgent/11 vulnerability, the overall risk is very high for a healthcare delivery organization owning these vulnerable assets, due to the high CVSS score, the higher probability of threat from an insider, and the disastrous consequence when compromised.
Therefore, the question is: can prevailing IT systems implement countermeasures that protect these assets from compromise with the least business disruption?
One recommendation from a device vendor impacted by this vulnerability is to block the TCP port on those devices.
Though it sounds like a straightforward workflow to implement, it often turns out to be challenging because of manual procedures that must be repeated on hundreds of firewalls and executed in a live production environment. For example, blocking TCP port 3613 on a centralized firewall without knowing the source IP may impact other systems that use this port.
Moreover, segmentation using VLANs and other centralized tools often offers little help if the adversary is an insider with full access and the capability to do damage. Lack of automation and cumbersome end-to-end integration between disparate systems further add to the intricacy of implementing immediate defense mechanisms.
Therefore, it is vital to have a differentiated security strategy that takes into consideration overall organization risk at the individual critical asset level.
Let us revisit the three attributes namely Threat, Vulnerability and Consequence.
Threats are non-deterministic and hence difficult to measure. Vulnerability and Consequence, on the other hand, can be predicted more easily.
Hmatix recommends the following steps to manage the organizational risk posed by exposures like Urgent/11: gauge vulnerability and consequence more accurately, and use those attributes to estimate the perceived threat:
1. Inventory and classify legacy assets as highly vulnerable even if no imminent vulnerabilities exist; it is only a matter of time before a new vulnerability is discovered.
2. If systems have pre-existing vulnerabilities with a moderate to high CVSS score and are difficult to patch, classify them as highly vulnerable.
3. Perform a critical impact analysis to determine the consequence in the event of a compromise.
4. Legacy devices with over 10 years of service, a history of multiple users with varying levels of access (employees, vendors, and contractors), and widely available information on the web can also be assigned a high threat level.
5. Re-classify devices using the inputs from (1), (2), (3) and (4), weighing their vulnerability status, consequence, and perceived threat level to determine the organizational risk.
6. Administer differentiated security based on the overall risk score at the individual asset level. For instance, assets with relatively high risk scores would benefit greatly from nano-segmentation that combines automation, behavioral learning, and whitelisting. This further augments the security mechanisms already in place.
7. Reduce the detection deficit in the event of a compromise. The ability to enforce a network-wide patch on impacted systems in seconds using a centralized rule template is often critical.
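As an added illustration (not Hmatix's own tooling or scoring model), the Python below turns the steps above into a simple asset-ranking routine: the 1/2/3 ordinal scale, the thresholds, the Asset fields and the sample inventory are all assumptions of this example.

```python
from dataclasses import dataclass

# Ordinal scale for threat, vulnerability and consequence. The post gives no
# numeric scale, so this 1/2/3 (low/moderate/high) mapping is an assumption.
LOW, MODERATE, HIGH = 1, 2, 3

@dataclass
class Asset:
    name: str
    years_in_service: int
    max_cvss: float            # highest CVSS score among known unpatched flaws; 0.0 if none
    hard_to_patch: bool
    consequence: int           # LOW/MODERATE/HIGH from the impact analysis (step 3)
    access_groups: int         # distinct user populations: employees, vendors, contractors
    publicly_documented: bool  # device details widely available on the web

def vulnerability_level(a: Asset) -> int:
    # Steps 1-2: legacy assets count as highly vulnerable even with no known
    # flaw; so do hard-to-patch assets with a moderate-or-higher CVSS score.
    if a.years_in_service >= 10 or (a.max_cvss >= 4.0 and a.hard_to_patch):
        return HIGH
    return MODERATE if a.max_cvss >= 4.0 else LOW

def threat_level(a: Asset) -> int:
    # Step 4: long service, a broad access history and public documentation each
    # raise the perceived threat; all three together mean a high threat level.
    signals = sum([a.years_in_service >= 10, a.access_groups >= 3, a.publicly_documented])
    return HIGH if signals == 3 else MODERATE if signals == 2 else LOW

def risk_score(a: Asset) -> int:
    # Step 5: Risk = Threat x Vulnerability x Consequence, giving a 1..27 score.
    return threat_level(a) * vulnerability_level(a) * a.consequence

def rank_by_risk(assets: list) -> list:
    # Step 6: highest-risk assets first, so differentiated controls such as
    # nano-segmentation are applied where they matter most.
    return sorted(assets, key=risk_score, reverse=True)

# Constructed sample inventory (not real devices or real CVSS values).
SAMPLE_ASSETS = [
    Asset("infusion-pump-07", 15, 9.0, True, HIGH, 3, True),
    Asset("nurse-station-pc", 2, 5.0, False, MODERATE, 1, False),
]

if __name__ == "__main__":
    for asset in rank_by_risk(SAMPLE_ASSETS):
        print(f"{asset.name}: T={threat_level(asset)} V={vulnerability_level(asset)} "
              f"C={asset.consequence} risk={risk_score(asset)}")
```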
For more information or a demo of how Hmatix can provide immediate relief to HDOs and other organizations from inherent risks such as Urgent/11, contact us at firstname.lastname@example.org.
Hmatix recommends that its existing customers upgrade to 22.214.171.124 for a fix for this vulnerability.