the avalanche of vulnerabilities - nist...asof 2015‐02‐15 total of 1094 unique cves affected...
TRANSCRIPT
THE AVALANCHE OF VULNERABILITIES A PERSPECTIVE
Mike Ahmadi Global Director of Critical Systems Security, Codenomicon Ltd
@codenomicon
6/17/2015© 2014 All Rights Reserved
UNKNOWN VULNERABILITIES ARE BAD… KNOWN VULNERABILITIES ARE A HUGE PROBLEM
• Hospital central monitoring system with 1683 known vulnerabilities
• 378 of the vulnerabilities are in one (Java) runtime environment, meaning just updating the version will fix 378 vulnerabilities.
• This system is widely used throughout hospitals…including government hospitals
2
6/17/2015© 2014 All Rights Reserved
Brain Wave Monitoring
3
MEDICAL ISSUES ARE WIDESPREAD
Infusion Pump Patient Monitor Brain Wave Monitoring Device (OS) Drug Library
Device: 181 Known Vulnerabilities
182 Missing Exploit Mitigation Techniques
Infusion Pump: Patient Monitor: Drug Library: 55 Known 818 Known 440 Known Vulnerabilities
Vulnerabilities Vulnerabilities 49 Missing Exploit Mitigation Techniques
6/17/2015© 2014 All Rights Reserved
4
LET’S LOOK AT AN INDUSTRIAL CONTROL SYSTEM
• SCADA system with over 20,000 licenses worldwide
• Customer reference list on website (including government customers)
• 702 exact match vulnerabilities in 10 components.
• 374 vulnerabilities in 1 java runtime
• Over 150 NIST CVSS critical in one component
5
SERIOUS NATURE OF SPECIFIC VULNERABILITIES
• Over 150 vulnerabilities in Java scored CRITICAL
• Critical commonly means remotely executable with no authentication
• This means that there are potentially at least 150 fairly trivial ways to exploit the system
© 2014 All Rights Reserved 6/17/2015
6UNIQUE VULNERABILITIES GRAPH OVER TIME
• Huge increase in number of vulnerabilities entering NIST CVE database in the last 3 years
• Massive spike since 2013 for common software components (such as Java,
© 2014 All Rights Reserved OpenSSL)
Vulnerabilities in package combination of increase in discovered vulnerabilities and addition of new
features Version Releases
Over 1000% increase in CVEs between 2012 release and 2014
release
6/17/2015
7INCREASE IN MALWARE ATTACKS ON INDUSTRIAL 3500% CONTROL SYSTEMS 3000%
2500%
2000%
1500%
1000%
500%
0%
100%
704%
2866%
2012 2013 2014
source: Kaspersky Labs © 2014 All Rights Reserved 6/17/2015 7
0
200
400
600
800
1000
1200
3/15/2002 3/15/2003 3/15/2004 3/15/2005 3/15/2006 3/15/2007 3/15/2008 3/15/2009 3/15/2010 3/15/2011 3/15/2012 3/15/2013 3/15/2014
GRAPH OF VULNERABILITIES IN HOSPITAL MONITORING SYSTEM OVER TIME
Newest component on software was compiled in Nov 2012. This indicates
That it was released with at least 509 unique CVEs affecting 24 components
around end of 2012 or early 2013.
As of 2015‐02‐15 total of 1094 unique CVEs Affected this software via now 30 vulnerable
components. That is about 0.8 new CVEs / day .
Oldest compiled component on the software image was from Dec 2001
8
© 2014 All Rights Reserved 6/17/2015
200
100
0
CODE DECAY OVER TIME – ROUTER
300
400
500
600
700
800
Date of the oldest component found in the software (2009‐01‐13)
Product Released / compiled
( 2014‐01‐17)289 new unique
CVEs affecting the product during first
12 months of operations (approx 0.78 new CVEs per day
during first 6 months)
689 unique CVEs as of 2015‐01‐26
Released with total of
400 unique CVEs
48 new unique CVEs affecting the
product 12 months before
release
600% Increase In Unique Vulnerabilities Discovered In Last
Year
2/28
/200
8
4/28
/200
8
6/28
/200
8
8/28
/200
8
10/28/20
08
12/28/20
08
2/28
/200
9
4/30
/200
9
6/30
/200
9
8/31
/200
9
10/31/20
09
12/31/20
09
2/28
/201
0
4/30
/201
0
6/30
/201
0
8/31
/201
0
10/31/20
10
12/31/20
10
2/28
/201
1
4/30
/201
1
6/30
/201
1
8/31
/201
1
10/31/20
11
12/31/20
11
2/29
/201
2
4/30
/201
2
6/30
/201
2
8/31
/201
2
10/31/20
12
12/31/20
12
2/28
/201
3
4/30
/201
3
6/30
/201
3
8/31
/201
3
10/31/20
13
12/31/20
13
2/28
/201
4
4/30
/201
4
6/30
/201
4
8/31
/201
4
10/31/20
14
12/31/20
14
© 2014 All Rights Reserved 6/17/2015
9
10
6/17/2015 © 2014 All Rights Reserved
SMART TV SET
0
100
200
300
400
500
600
700
11/1
/202
2
Nov 2022. End of 100.000 hours average lifespan of LCD TV screen.
Today. March 1, 2015. 584 unique CVEs in 23 components
7 more years of expected operation of the LCD TV
( based on 100,000 hours average lifespan )
2012 Smart TV lineup launched: Nov/Dec 2011
7 years
Last firmware / SW update: Mar 2013 (*Approx. 178 unique CVEs affecting product at the moment of SW EoL)
Nov
2014:
security up
date
topatch curl,
ope
nssl,
flash_
player,
ffmpe
g , libpn
g and freetype
Approx. 0.58 new CVEs / day over the course of 23 months
Estimated 2065 CVEs
affecting Product by Nov 2022 based
on historic 0.58 CWEs per day
(* date may not be fully accurate, as e.g. partial OTA updates may have been delivered after this date as well ( see sec. update on Nov 2014)
One year standard warranty for parts and labor from the date of purchase
One year product cycle
r/Firewall Ro
Cash
INFORMATION WORKFLOW 11
6/17/2015 © 2014 All Rights Reserved
Hospital Bank (HSC)
The CloudFED Database
(420 Known Vulnerabilities) HIE Database
(420 Known Vulnerabilities)
Customer Database (420 Known
Vulnerabilities)
Backup Server (30 Known Vulnerabilities)
Route (689 Known
Vulnerabilities) uter/Firewall (689 Known
Vulnerabilities) Data Analysis System
(231 Known Vulnerabilities)
EHR Database (420 Known Vulnerabilities)
Patient Monitoring System (1580 Known Vulnerabilities)
Patient
Infusion Pump (41 Known Vulnerabilities)
ATTACKER WORKFLOW
MEDJACK – NOW THERE’S A NAME FOR IT • Report issued by security organization TrapX.
• From the article “TrapX found that while many hospitals, for example, maintain solid IT departments with firewalls and other security solutions, these vulnerable medical devices are often left without patching.”
• Attacker uses unpatched devices to get wherever they want to go.
Source:http://www.scmagazine.com/trapx‐profiles‐medjack‐threat/article/418811/
© 2014 All Rights Reserved
12
6/17/2015
13
ROYCE BILL: CYBER SUPPLY CHAIN MANAGEMENT AND TRANSPARENCY ACT – KEY
PROVISIONS • For government agencies, software contracts must include clauses requiring: • a confidentially supplied list, or a bill of materials, of each binary component that is used in the software, firmware, or product;
• the contractor to verify that products do not contain known security vulnerabilities and to notify the purchasing agency of any known vulnerabilities or defects;
• product designs to allow fixes with patches, updates, or replacements; and
• the contractor to provide timely repairs for discovered vulnerabilities.
© 2014 All Rights Reserved 6/17/2015
14OPPOSITION ARGUMENTS • We already do this: The data indicates that if this is already being done no action is being taken to resolve the issue. More likely it is not being done…or being done quite poorly, and leaving us all at risk.
• Sharing a Bill of Materials means giving up proprietary information: FDA already requires an ingredient list. Coca Cola can supply an ingredient list without sharing trade secrets.
• I cannot control my supply chain: You already do in selection of products based on feature requirements.
• This requires too much work: Tools are completely automated and easy to use.
• This bill is being backed by organizations that stand to benefit from such legislation: Actually, we all benefit from better security. The entire software security industry is built on identifying and mitigating security issues.
© 2014 All Rights Reserved 6/17/2015
15
THE INSURANCE INDUSTRY PUSHES BACK
• Cottage Health System gets breached forced to pay class action settlement of $4.125 million ($81 per record)
• Insurer files suit in court for a Declaratory Judgment against Columbia for Cottage’s “Failure to Follow Minimum Required Practices.”
© 2014 All Rights Reserved 6/17/2015
SOME MINIMUM REQUIRED PRACTICES IN DETAIL
• Check for security patches and apply within 30 days
• Replace factory default settings • Re‐assess risk yearly and apply changes • Require 3rd parties to protect information
with safeguards at least as good as your own
• PERFORM DUE DILLIGENCE ON 3RD
PARTIES TO ENSURE THAT THEIR SAFEGUARDS ARE AS GOOD AS YOUR OWN
• AUDIT 3RD PARTIES TO ENSURE THEY CONTINUOSLY SATISFY YOUR STANDARDS FOR SAFEGUARDING SENSITIVE INFORMATION
© 2014 All Rights Reserved 6/17/2015
16
BUILDING A CYBERSECURITY CERTIFICATION LAB • Aligned with
international standards (62443)
• Creating program due to demand
• Creating program due to need
• Active lobbying to promote message
17
© 2014 All Rights Reserved 6/17/2015
6/17/2015© 2014 All Rights Reserved
18
questions
Mike Ahmadi Global Director, Critical Systems
Security
Codenomicon Ltd.
Phone: (925) 413‐4365
Email: [email protected]