NEO Medical Checkup - Hospital


The greatest risk to the medical industry lies in Advanced Persistent Threat (APT) attacks carried out by well-funded and well-equipped adversaries seeking the most valuable data: healthcare records. The medical industry accounted for 43% of data breaches in 2014 (Identity Theft Resource Center), and medical identity theft has left 1.84 million Americans victims of identity fraud (Ponemon Institute). A stolen medical record, also called protected health information (PHI), gives an attacker a complete identity to impersonate, whereas a stolen credit card can be deactivated very quickly. Banks and other financial institutions have greatly improved their reaction time in detecting fraudulent activity on debit and credit cards. Healthcare breaches are much harder to contain because stolen PHI may not be used until much later to establish a fraudulent identity.

In this case study Neo was deployed to help a large medical facility assess its level of network security. Two IT administrators placed the unit on the network without the knowledge of the remaining IT staff, to see how the incident response and network monitoring personnel would react to the threat Neo posed to the network systems. Almost immediately after Neo was installed, the personnel monitoring network traffic logs began receiving notifications that an unknown device was attempting to penetrate various network servers. Because that report was exactly what was expected, the client had demonstrated that its monitoring and incident response teams were prepared for this type of threat.

One of the key design features of Neo is that it relentlessly attempts to penetrate the network, every day, to ensure that all access points remain secure. A crucial test that Neo performs targets the weaknesses that make an organization "low-hanging fruit": are there attacks a hacker could perform that would be both easy and fast?
Of course, the attack(s) would have to succeed: the hacker would need to actually break in. Automatically performing these tests and reporting the results to the user is the entire essence of Neo. Through the remainder of the day Neo performed its various levels of penetration tests on the hospital network, and within 24 hours of installation it successfully logged in to a network device through an insecure File Transfer Protocol (FTP) server. The following lines are taken directly from the client's security logs (the device writes its newest entries first; the IP addresses are masked for security):

04/09/2015 20:34:23 System: FTP user 'apc' logged in from xx.xx.xx.xxx.
04/09/2015 20:34:22 System: FTP user 'apc' logged out from xx.xx.xxx.xxx.
04/09/2015 20:33:43 System: Detected an unauthorized user attempting to access the Control Console interface from xx.xx.xx.xxx.

Read oldest-first (bottom to top), the lines say the following. At 20:33:43 the device raised its own alert that an unauthorized user was attempting to reach its Control Console interface from the masked address (line 3). Forty seconds later, at 20:34:23, the FTP user 'apc' logged in from that same address (line 1): Neo had obtained a working login on the device. The logout at 20:34:22 (line 2) is recorded one second before that login and from a differently masked address, so it appears to close a separate, earlier session rather than the one Neo opened. The logs do not show how the 'apc' account was authenticated; APC network management cards ship with a well-known factory-default password for that account, so the first thing to check on such a device is whether the default was ever changed.
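The triage a monitoring team would apply to lines like these, written here as an added example (it is not code from the Neo case study or from the device vendor): it parses the three quoted lines, reorders them oldest-first because the card prints newest-first, and flags any FTP login from a host outside an assumed allow-list of management stations, escalating the finding when the same source tripped the Control Console alert shortly before. The allow-list, the 120-second correlation window and the use of the quoted lines as input are assumptions for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample input: the three lines quoted in the case study, in the
# newest-first order in which the device printed them. IPs are masked as there.
SAMPLE_LOG = [
    "04/09/2015 20:34:23 System: FTP user 'apc' logged in from xx.xx.xx.xxx.",
    "04/09/2015 20:34:22 System: FTP user 'apc' logged out from xx.xx.xxx.xxx.",
    "04/09/2015 20:33:43 System: Detected an unauthorized user attempting to "
    "access the Control Console interface from xx.xx.xx.xxx.",
]

# Assumption: hosts from which FTP logins to the management card are expected.
MANAGEMENT_HOSTS = {"10.0.0.5"}

LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\w+): (.*)$")
FTP_RE = re.compile(r"FTP user '([^']+)' logged (in|out) from (\S+?)\.?$")
CONSOLE_RE = re.compile(
    r"unauthorized user attempting to access the Control Console interface "
    r"from (\S+?)\.?$"
)


@dataclass
class Event:
    ts: datetime
    kind: str  # "ftp_login", "ftp_logout", "console_attempt" or "other"
    ip: Optional[str]
    user: Optional[str]
    raw: str


def parse_line(line: str) -> Event:
    """Turn one 'MM/DD/YYYY HH:MM:SS Source: message' line into an Event."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
    msg = m.group(3)
    f = FTP_RE.search(msg)
    if f:
        kind = "ftp_login" if f.group(2) == "in" else "ftp_logout"
        return Event(ts, kind, f.group(3), f.group(1), line)
    c = CONSOLE_RE.search(msg)
    if c:
        return Event(ts, "console_attempt", c.group(1), None, line)
    return Event(ts, "other", None, None, line)


def parse_log(lines):
    """Parse all lines and return them oldest-first for chronological review."""
    return sorted((parse_line(l) for l in lines), key=lambda e: e.ts)


def triage(lines, allowed_ips=MANAGEMENT_HOSTS, window=timedelta(seconds=120)):
    """Report FTP logins from non-management hosts.

    Severity is HIGH when the same source address also tripped the device's
    Control Console alert within `window` before the login, i.e. a host that
    probed the console and then found credentials that worked.
    """
    events = parse_log(lines)
    findings = []
    for i, e in enumerate(events):
        if e.kind != "ftp_login" or e.ip in allowed_ips:
            continue
        prior_probe = any(
            p.kind == "console_attempt" and p.ip == e.ip and e.ts - p.ts <= window
            for p in events[:i]
        )
        findings.append({
            "time": e.ts.isoformat(),
            "user": e.user,
            "ip": e.ip,
            "severity": "HIGH" if prior_probe else "MEDIUM",
            "reason": ("console probe then FTP login from same host"
                       if prior_probe else "FTP login from non-management host"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the quoted lines this yields a single HIGH finding for the 'apc' login at 20:34:23, because the console alert forty seconds earlier came from the same masked address; the logout line is ignored, since a logout on its own is not an access event. Replace MANAGEMENT_HOSTS with the real management stations and feed the card's syslog export to get the same verdict over a full day's log.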


From a hacker's perspective, having access to an internal network file storage system is ideal. Such a server can host valuable information, lets the hacker stash illegally accessed files, and can serve as a pivot point for attacking other devices within the network. In the pivot scenario the IT logs would show the FTP server itself attacking the other device, hiding the real source. Another, darker scenario is that a hacker could use this particular FTP server to alter firmware images for APC devices: the FTP service on an APC management card is also the channel through which new firmware is loaded onto it, so write access to that service is the ability to replace what the device runs. This is a critical situation because, in the hands of a skilled adversary, a firmware image is a delivery vehicle for malicious code.

As described above, APT attacks are subtle and often carried out over an extended period. Hypothetical APT attackers against our client hospital could alter the device firmware image to give themselves ongoing access to every network device the firmware is installed on, which in turn could leave a hardcoded backdoor in the device, or even program it to launch ongoing attacks against other devices on the network.

After analyzing the results, it is clear that our client has a security weakness that needs to be strengthened. For a fraction of the cost of a conventional penetration testing firm, Neo quickly showed the IT staff where the vulnerability was and gave them the information they needed to formulate an action plan to secure this particular device on their network. Neo is an automated ethical penetration-testing device that goes beyond typical network security devices and the engagements third-party security firms offer. Neo performs security tests of a network daily, helping ensure the highest level of security possible.

Justin Farmer, CEO
April 13, 2015
GIAC ISO 27001, CEH, CHFI, CDRP, CWSP, Network+