Security Tools Meant to Protect You Can Sometimes Inadvertently Weaken Your Security
The client was already conducting routine penetration tests through a third party.
While conducting an advanced external penetration test, the HORNE Cyber red team discovered and exploited a vulnerability in a system designed to securely transport patient data between the organization and its business partners. With access to this system, the team was able to demonstrate access to protected health information (PHI) as defined by HIPAA, and to gather information about the client's staff and IT systems. Using passwords harvested from this system, the team gained access to the facility's internal network from the public Internet.
Security cameras were also identified as being accessible from the external attack surface of the organization. Vulnerabilities discovered in these cameras allowed the HORNE Cyber team to have “eyes on” within the organization, and the ability to blind internal staff monitoring them. Using a hacker’s mentality, the team was able to compromise security devices, originally placed on the network to make it more secure, and use them to expand their access across the network.
Once inside the healthcare provider's network, the internal systems used to monitor the security of that network were themselves compromised. The HORNE Cyber team developed exploits to gain control of the facility's HVAC systems and identified vulnerabilities in network-connected medical devices.
The HORNE Cyber team provided recommendations that improved the healthcare provider's operational security and eliminated the identified exposure of HIPAA-protected data.
Lesson #1: The systems purchased and installed to secure a network often represent an inviting attack surface to criminals. Following best practices and "keeping it simple" are often better strategies than buying another appliance and expanding your attack surface.
Lesson #2: Well-trained and experienced testers with specialty knowledge in software/hardware vulnerability analysis are required to find zero-day vulnerabilities.
Lesson #3: An external attacker needs only one vulnerability or compromised employee to become your next insider threat.