sphinx-project.eu / Blog  / SPHINX Use Cases: Part VI

SPHINX Use Cases: Part VI

Continued from the blog entry SPHINX Use Cases: Part V

Through the following classification of use cases, SPHINX aims to better understand how threats, risks and vulnerabilities are manifested, as well as how prevention, recovery and mitigation actions can be improved.

Intrusion in the Clinical Centre’s Wireless Network

Description: As part of its mHealth services policy, a clinical centre provides a WiFi network that allows its clerical and clinical staff to easily access the centre’s IT resources, namely the healthcare information systems and the healthcare databases. The centre’s WiFi network uses WPA2-PSK, which derives a 256-bit encryption key from the passphrase; however, it openly broadcasts its SSID and the passphrase is a single dictionary word (“password”), so the 256-bit key is no stronger than that word. Moreover, the IT department never changed the router’s default administrative credentials (user “admin” and password “admin”).

A guest visiting the centre detects the WiFi network and, using an off-the-shelf WiFi cracking tool and a dictionary file, captures a WPA2 handshake and recovers the passphrase offline. Once on the network, the guest logs into the router’s admin console with the default credentials and changes its configuration. A network scan then reveals several switches that have reached end-of-life, no longer receive patches from the manufacturer and have known vulnerabilities. The attacker also succeeds in connecting to those switches and altering their configuration. As a result, the clinical centre’s wired and WiFi networks are disabled and the centre’s IT resources are no longer accessible to its clerical and clinical staff, seriously compromising healthcare service delivery.

Once the breach is detected, the IT department reconfigures the networking devices, performing a factory reset on the WiFi router, replacing its default administrative credentials and setting stronger passwords, including on all WiFi-connected assets used by the centre’s staff.

Attack Impact: This case directly impacts the clinical centre’s operations, causing the loss of availability of all IT-dependent healthcare services and forcing the centre’s staff to revert to paper-based operations where possible. The attack hinders the healthcare organisation (the clinical centre), affecting its capability to provide healthcare services and seriously threatening the health and wellbeing of its patients. The expected recovery time is estimated at 1 working day, to identify the affected assets and reconfigure the networking devices before re-enabling access to the centre’s databases.

SPHINX Role and Added-value Benefits: SPHINX System is relevant in the identification of vulnerable critical assets (SPHINX vulnerability assessment tool), in the early detection of the attack by performing continuous monitoring of the network’s activity (SPHINX honeypot, anomaly detection and intrusion detection tools), in the isolation of the compromised asset for further inspection (SPHINX sandbox tool), in the prompt alerting of relevant IT staff as soon as the attack is detected (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to proceed to trigger and implement the adequate recovery and mitigation procedures (SPHINX decision support tool).

Hacking Health IT Systems

Description: A rehabilitation care unit has no specialised cyber-security skills in its IT department. In that unit, a young patient who has been receiving intensive treatment for several months develops a good relationship with the care staff. Because the care unit does not provide guest Internet access, the young patient convinces the care staff to share the password of the unit’s private wireless network. Inadvertently, the carer thereby grants the young patient access to the care unit’s IT resources and databases, including the patient records.

The young patient has good cyber-security know-how and sees the access to the care unit’s IT resources as an opportunity to exercise her white-hat hacking skills. Scanning the care unit’s wireless network, the young patient builds a map of the connected devices, extracting detailed information about the operating systems, browsers and network protocols in use.

The white-hat hacker also deploys packet sniffers that collect user credentials, which shows that those credentials travel over the internal network without encryption, and identifies the location of sensitive information, including financial information, contracts, employee personal information and medical data. The young patient’s intent is to draft a detailed report informing the care unit of its IT vulnerabilities. She drafts the report, adding sufficient evidence to support the findings and proposing relevant security measures to improve cyber-security policies and practice in the care unit. The report provides actionable intelligence to the care unit’s management, which decides to upgrade its cyber-security system using the young patient’s skilled advice.

Attack Impact: This case portrays the activity of a white-hat hacker. Should the same situation be exploited by a malicious actor, it would directly impact the care unit’s operations, causing the loss of availability of all IT-dependent healthcare services and forcing the care unit’s staff to revert to paper-based operations where possible. In addition, it would impact the integrity and confidentiality of the patient data hosted in the care unit’s healthcare repositories and databases. Such an attack would affect the healthcare organisation (the care unit), undermining its capability to provide healthcare services and seriously threatening the health and wellbeing of its patients.

SPHINX Added-value and Benefits: SPHINX System is relevant in the identification of vulnerable critical assets (SPHINX vulnerability assessment tool), in the early detection of the attack by performing continuous monitoring of the network’s activity (SPHINX anomaly detection and intrusion detection tools), in the isolation of the compromised asset (SPHINX sandbox tool), in the prompt alerting of relevant IT staff as soon as the attack is detected (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to proceed to trigger and implement the adequate recovery and mitigation procedures (SPHINX decision support tool).

More information about SPHINX Use Cases can be found in Deliverable 2.4, which is publicly available here.