Securing Medical Devices Using Adaptive Testing Methodologies
|
|
- Jodie Parsons
- 6 years ago
- Views:
Transcription
1 SESSION ID: ASD-R10 Securing Medical Devices Using Adaptive Testing Methodologies Daniel Miessler Director of Advisory Services IOActive,
2 SESSION ID: ASD-R10 Securing Medical Devices Using Adaptive Testing Methodologies Daniel Miessler Director of Advisory Services IOActive,
3 About 18 years in information security Technical testing background (net/web/mobile/iot) Director of Advisory Services at IOActive Previously a founding member and principal at HPE Fortify on Demand Work on a number of OWASP projects: IoT Security, and OWASP Game Security Framework Project Read, write, podcast, table tennis 3
4 Agenda Why we care? The problem Adaptive Testing Methodology Practical takeaways 4
5 Why do we care?
6 Recent Issues: Johnson & Johnson - J&J insulin pump (Animus OneTouch Ping) - Jay Radcliffe, diabetic and researcher - Unencrypted command traffic - Could send unauthorized insulin injections Image: REUTERS / Weigmann 6
7 Recent Issues: St. Jude - St. Jude pacemaker - Many vulnerabilities found - PR + Shorting of stock - Vulns included wireless god key - MedSec found the vulns - Muddy Waters shorted stock 7
8 Hospitals being ransomed: US Hospitals Hollywood Presbyterian Hospital Tried to get help from authorities, ended up paying $17,000 Methodist Hospital Refused to pay, had to shut down part of the hospital Many, many more 8
9 Hospitals being ransomed: NHS One NHS area had to transfer patients because they were shut down 34% of Health Trusts in the U.K. hit with ransomware within the last 18 months 60% of Scottish trusts Other countries affected as well, including Germany 9
10 Bitcoin Readiness (a depressing state) When ransomware happens the payment is usually in bitcoin Companies getting hacked often don t know anything about bitcoin The time it takes to learn about and acquire bitcoin often costs companies massive amounts of money Many are hiring law firms to acquire and hold bitcoin for them in case they get hacked I like the preparation piece, but it s still quite depressing 10
11 A Dangerous Combination - Home users - Schools - Governments - Small businesses 11
12 A Dangerous Combination - The medical space is extremely vulnerable to these issues. 12
13 The problem
14 Recent Issues - Lots of vulnerabilities found 14
15 A Disconnect Current Attack Surface Future Attack Surface Testing Maturity The attack surface for medical devices is simply larger than the maturity of standardized procedures to test those surface areas. 15
16 The Attack Surface - Hardware physical interfaces Physical networking ports Debug / admin ports WiFi / RF Data transfer and storage Cryptographic implementations HL7 implementations Hardware sensors Input parsing / validation Command / data authentication 16
17 Attack Surface vs. Testers - How many devices are there already? How many have been tested? How many devices will there be? How many testers will be required to look at them? 17
18 Problem: Tester Desensitization - Comprehensive testing methodologies are usually massive - Testers can usually only read them once or twice - They can t use them over time - You only get a couple of strikes regarding irrelevant content 18
19 The Adaptive Testing Methodology approach
20 Adaptive Testing Methodology Contextual testing based on attributes of the target or situation 20
21 Adaptive Testing Methodology Contextual testing based on attributes of the target or situation Can apply to web apps, hosts, IoT, medical devices, etc. 21
22 Adaptive Testing Methodology Contextual testing based on attributes of the target or situation Can apply to web apps, hosts, IoT, medical devices, etc. Attribute types (potential) Target attack surfaces Time available Tools available Skill level available 22
23 23
24 OWASP IoT: Medical Device Testing 24
25 25
26 Real-world Usage Third-party testing requirements Trying to avoid tester fatigue from vendors Profile a piece of hardware using Adaptive Testing See which surface areas are in play Create a customized testing methodology for that device/ecosystem Reduce the size of a testing methodology by % Every section is relevant 26
27 Lessons learned over the years Visibility is king in security You can t defend what you can t see and don t understand Medical devices have many unseen attack surfaces Because it s an ecosystem, flaws in one can lead to overall weakness With vulnerabilities, often equals 7 27
28 Takeaways Visibility is problem #1 28
29 Takeaways Monolithic testing methodologies can lead to tester fatigue 29
30 Takeaways Simple methodology is consumable, and consumable methodology gets used 30
31 Takeaways Simple methodology is consumable, and consumable methodology gets used 31
32 Takeaways Friends don t let friends ship things without understanding the attack surface 32
33 Takeaways Friends don t let friends buy things without understanding the attack surface 33
34 Takeaways Friends don t let friends install / implement things without understanding the attack surface 34
35 Takeaways Place stress on approachable simplicity for understanding attack surfaces 35
36 Takeaways Modularize and streamline your testing methodologies to avoid them being disregarded. 36
37 Takeaways Focus on breadth before depth when covering attack surfaces. 37
38 Resources OWASP Internet of Things ect I Am The Cavalry 38
39 Future work: Medical Security Scenarios Project Medical Security Scenarios Project 39
40 Future work: Medical Security Scenarios Project Medical Security Scenarios Project Attack surface Vulnerability type Skill-level required Life-threatening or not 40
41 Thanks Podcast: Unsupervised Learning danielmiessler.com/ul Reach out any time! Participate. We re always hiring at IOActive! 41
What someone said about junk hacking
What someone said about junk hacking Yes, we get it. Cars, boats, buses, and those singing fish plaques are all hackable and have no security. Most conferences these days have a! whole track called "Junk
More informationMEDICAL DEVICE SECURITY. A Focus on Patient Safety February, 2018
MEDICAL DEVICE SECURITY A Focus on Patient Safety February, 2018 WHO I AM Adam Brand I Am The Cavalry Director Privacy and Security, Protiviti Focus on Medical Device Healthcare Security Custom EEG Manufacturing,
More informationDesignated Cyber Security Protection Solution for Medical Devices
Designated Cyber Security Protection Solution for Medical s The Challenge Types of Cyber Attacks Against In recent years, cyber threats have become Medical s increasingly sophisticated in terms of attack
More informationSURVIVING THE CYBERPOCALYPSE. Craig Felty Vice President, Patient Care Services Hancock Regional Hospital
SURVIVING THE CYBERPOCALYPSE Craig Felty Vice President, Patient Care Services Hancock Regional Hospital Independent health system, $150M annual revenue, 1,200 employees, 150 active medical staff members,
More informationWHITE PAPER Medical Device Security ADDRESSING THE EVOLVING THREAT LANDSCAPE OF MEDICAL DEVICE CYBERATTACKS
WHITE PAPER ADDRESSING THE EVOLVING THREAT LANDSCAPE OF MEDICAL DEVICE CYBERATTACKS TABLE OF CONTENTS CONNECTED MEDICAL DEVICES... 3 GROWING VULNERABILITY... 3 Medjacking: Beyond data to physical harm...
More informationCyberFence Protection for DNP3
CyberFence Protection for DNP3 August 2015 Ultra Electronics, 3eTI 2015 DNP3 Issues and Vulnerabilities DNP3 is one of the most widely used communications protocols within the utility space for the purpose
More informationINTERNET OF THINGS. Presented By Erin Bosman & Julie Park, Morrison & Foerster LLP ACC 14th ANNUAL GC ROUNDTABLE AND ALL DAY MCLE
Friday, January 27 th, 2017 INTERNET OF THINGS Presented By Erin Bosman & Julie Park, Morrison & Foerster LLP ACC 14th ANNUAL GC ROUNDTABLE AND ALL DAY MCLE This Talk s Objectives What is the Internet
More informationMobile-as-a-Medical-Device (Security) David Kleidermacher Chief Security Officer, BlackBerry
Mobile-as-a-Medical-Device (Security) David Kleidermacher Chief Security Officer, BlackBerry dave.kleidermacher@gmail.com Mobile Devices in Medical Cardiology Pacemakers Defibrillators Oncology Drug delivery
More informationWireless Sensors for IOT s
Track 4 - Session 8 - Wireless Sensors Wireless Sensors for IOT s Jeff Johnson Naval District Washington CIO August [XX], 2017 Tampa Convention Center Tampa, Florida Advantages of Wireless Communication
More informationConsolidated Edition. 5th Annual State of Application Security Report Perception vs. Reality
Consolidated Edition 5th Annual State of Application Security Report Perception vs. Reality January 2016 State of Application Security Report Consolidated Edition 2 Table of Contents Executive Summary...
More informationPULSE TAKING THE PHYSICIAN S
TAKING THE PHYSICIAN S PULSE TACKLING CYBER THREATS IN HEALTHCARE Accenture and the American Medical Association (AMA) surveyed U.S. physicians regarding their experiences and attitudes toward cybersecurity.
More informationInternet of Things (IoT) Attacks. The Internet of Things (IoT) is based off a larger concept; the Internet of Things came
Victoria Ellsworth Dr. Ping Li ICTN 4040 04/11/17 Internet of Things (IoT) Attacks The Internet of Things (IoT) is based off a larger concept; the Internet of Things came from idea of the Internet of Everything.
More informationUPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA
UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA ljohnson@ffalaw.com INTRODUCTION Cyber attacks increasing Liability/actions resulting
More informationR E P O R T. Cybersecurity in healthcare: The diagnosis. 1 Report Security in Healthcare: The diagnosis
R E P O R T Cybersecurity in healthcare: The diagnosis 1 Report Security in Healthcare: The diagnosis Foreword from Infoblox s Rob Bolton, Director of Western Europe The healthcare industry is facing major
More informationIncident Response Table Tops
Incident Response Table Tops Agenda Introductions SecureState overview Need for improved incident response capability https://pollev.com/securestate Overview of the exercise: Sample incident response table
More informationClinical and ICT Cybersecurity Overview and Cases A242-3
Clinical and ICT Cybersecurity Overview and Cases A242-3 Elliot B. Sloane, PhD, CCE - Elected Fellow of ACCE, AIMBE, and HIMSS President and Founder Center for Healthcare Information Research and Policy,
More informationForging a Stronger Approach for the Cybersecurity Challenge. Session 34, February 12, 2019 Tom Stafford, VP & CIO, Halifax Health
Forging a Stronger Approach for the Cybersecurity Challenge Session 34, February 12, 2019 Tom Stafford, VP & CIO, Halifax Health 1 Speaker Introduction Tom Stafford, Vice President & CIO Education: Bachelors
More informationDNA Assurance. Predict Network Failures Before They Become Issues
PSOEWN-4360 DNA Assurance Predict Network Failures Before They Become Issues Damodar Banodkar, Product Manager, Enterprise Group Bill Rubino, Product Marketing, Enterprise Group Manuel Ortiz, Senior Wireless
More informationSecurity and Smartness for Medical Sensor Networks in Personalized Mobile Health Systems
Security and Smartness for Medical Sensor Networks in Personalized Mobile Health Systems I. Nikolaevskiy, D. Korzun, Andrei Gurtov Aalto University 23.04.2014 FRUCT 15 Motivation for Medical ICT Population
More informationA Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface
A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface ORGANIZATION SNAPSHOT The level of visibility Tenable.io provides is phenomenal, something we just
More informationInternet of Medical Things (IoMT)
Internet of Medical Things (IoMT) RiskSense Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018 RiskSense, Inc. IoMT Is Here and the Risks Are Real It s always
More informationElectronic Communication of Personal Health Information
Electronic Communication of Personal Health Information A presentation to the Porcupine Health Unit (Timmins, Ontario) May 11 th, 2017 Nicole Minutti, Health Policy Analyst Agenda 1. Protecting Privacy
More informationToo Little Too Late: Top Reasons Why You Got Hacked
TUESDAY MAY 23,2017 2:00-3:15 PM Too Little Too Late: Top Reasons Why You Got Hacked MODERATOR SPEAKERS John Gross Director of Financial Management, City of Long Beach, CA Chad Alvarado Supervisory Special
More informationConnected Medical Devices
Connected Medical Devices How to Reduce Risks Inherent in an Internet of Things that Can Help or Harm Laura Clark Fey, Esq., Principal, Fey LLC Agenda Overview of the Internet of Things for Healthcare
More informationWhat Ails Our Healthcare Systems?
SESSION ID: FLE-F04 What Ails Our Healthcare Systems? Minatee Mishra Sr. Group Leader Product Security, Philips HealthTech @minatee_mishra Jiggyasu Sharma Technical Specialist Product Security, Philips
More informationExecutive Summary. (The Abridged Version of The White Paper) BLOCKCHAIN OF THINGS, INC. A Delaware Corporation
2017 Executive Summary (The Abridged Version of The White Paper) BLOCKCHAIN OF THINGS, INC. A Delaware Corporation www.blockchainofthings.com Abstract The Internet of Things (IoT) is not secure and we
More informationMulti-vector DDOS Attacks
Multi-vector DDOS Attacks Detection and Mitigation Paul Mazzucco Chief Security Officer August 2015 Key Reasons for Cyber Attacks Money and more money Large number of groups From unskilled to advanced
More informationSecurity and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
More informationSecurity Course. WebGoat Lab sessions
Security Course WebGoat Lab sessions WebGoat Lab sessions overview Initial Setup Tamper Data Web Goat Lab Session 4 Access Control, session information stealing Lab Session 2 HTTP Basics Sniffing Parameter
More informationAnnual European ehealth Survey
Results, 3 rd Quarter 2017 Annual European ehealth Survey www.himss.eu/analytics 1 TABLE OF CONTENT Survey methodology page 3 Survey overview page 4 Results Key Findings page 5 Current ehealth priorities
More informationYou ve Been Hacked Now What? Incident Response Tabletop Exercise
You ve Been Hacked Now What? Incident Response Tabletop Exercise Date or subtitle Jeff Olejnik, Director Cybersecurity Services 1 Agenda Incident Response Planning Mock Tabletop Exercise Exercise Tips
More informationTHE REAL TRUTH BEHIND RANSOMWARE EDDY WILLEMS SECURITY EVANGELIST
THE REAL TRUTH BEHIND RANSOMWARE EDDY WILLEMS SECURITY EVANGELIST TWITTER: @EDDYWILLEMS 1 OFFERING SECURITY SOLUTIONS WORLDWIDE Founded in Bochum, Germany in 1985 First AV solution in 1987 Global head
More informationMaking Security Agile
Making Security Agile 2017 - INVITING SECURITY INTO DEVOPS SURVEY 1 CEOs are caught between a rock and a hard place. On one hand, there is tremendous pressure to digitally transform their companies. As
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationAddressing Cybersecurity in Infusion Devices
Addressing Cybersecurity in Infusion Devices Authored by GEORGE W. GRAY Chief Technology Officer / Vice President of Research & Development Ivenix, Inc. INTRODUCTION Cybersecurity has become an increasing
More informationHybrid 2.0 In search of the holy grail
Hybrid 2.0 In search of the holy grail A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify Software Inc 2008 All Right Reserved Fortify Software Inc. 2 Before we Begin: Expectations Objectives
More informationData Retrieval Firm Boosts Productivity while Protecting Customer Data
Data Retrieval Firm Boosts Productivity while Protecting Customer Data With HEIT Consulting, DriveSavers deployed a Cisco Self-Defending Network to better protect network assets, employee endpoints, and
More informationThe Next Frontier in Medical Device Security
The Next Frontier in Medical Device Security Session #76, February 21, 2017 Denise Anderson, President, NH-ISAC Dr. Dale Nordenberg, Executive Director, MDISS 1 Speaker Introduction Denise Anderson, MBA
More informationTHE DAILY NEWS THE WORLD S FAVORITE NEWSPAPER - Since 1879
THE DAILY NEWS Cyber Security: United We Stand! Sussex County Today & Tomorrow Conference The Power of Partnerships October 25, 2017 Michael J. Maksymow, Jr., CHCIO, FCHIME, FHIMSS Vice President & Chief
More informationStop Ransomware In Its Tracks. Chris Chaves Channel Sales Engineer
Stop Ransomware In Its Tracks Chris Chaves Channel Sales Engineer Agenda Ransomware A Brief Introduction Why Are Ransomware Attacks so Successful? How Does a Ransomware Attack Happen? How to Stop Ransomware
More informationDevelopment*Process*for*Secure* So2ware
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationNARRATOR: Welcome to the RSA Conference 2016 StoryCorps. podcasts. Please enjoy this discussion between fellow
StoryCorps @ RSAC Podcast Transcript Episode 1: I Might Die Because of a Software Bug JOSHUA CORMAN & MARIE MOE, APRIL 8, 2016 NARRATOR: Welcome to the RSA Conference 2016 StoryCorps podcasts. Please enjoy
More informationCyber Risk and Networked Medical Devices
Cyber Risk and Networked Medical Devices Hot Topics Deloitte & Touche LLP February 2016 Copyright Scottsdale Institute 2016. All Rights Reserved. No part of this document may be reproduced or shared with
More informationCybersecurity for Service Providers
Cybersecurity for Service Providers Alexandro Fernandez, CISSP, CISA, CISM, CEH, ECSA, ISO 27001LA, ISO 27001 LI, ITILv3, COBIT5 Security Advanced Services February 2018 There are two types of companies:
More informationCybersecurity. You have been breached; What Happens Next THE CHALLENGE FOR THE FINANCIAL SERVICES INDUSTRY
Cybersecurity THE CHALLENGE FOR THE FINANCIAL SERVICES INDUSTRY Gary Meshell World Wide Leader Financial Services Industry IBM Security March 21 2019 You have been breached; What Happens Next 2 IBM Security
More informationOWASP Broken Web Application Project. When Bad Web Apps are Good
OWASP Broken Web Application Project When Bad Web Apps are Good About Me Mordecai (Mo) Kraushar Director of Audit, CipherTechs OWASP Project Lead, Vicnum OWASP New York City chapter member Assessing the
More informationMedical Devices Cybersecurity? Introduction to the Cybersecurity Landscape in Healthcare
May 5 & 6, 2017 Medical Devices Cybersecurity? Introduction to the Cybersecurity Landscape in Healthcare Marc Schlessinger, RRT, MBA, FACHE Senior Associate Applied Solutions Group Evolution of the Connected
More informationCompTIA Exam CAS-002 CompTIA Advanced Security Practitioner (CASP) Version: 6.0 [ Total Questions: 532 ]
s@lm@n CompTIA Exam CAS-002 CompTIA Advanced Security Practitioner (CASP) Version: 6.0 [ Total Questions: 532 ] Topic break down Topic No. of Questions Topic 1: Volume A 117 Topic 2: Volume B 122 Topic
More informationGETTING STARTED FOR MYTENTOWN PREMIUM PACKAGE. The parent sign in gives you access to your administration area as well as the printable resources.
FOR MYTENTOWN PREMIUM PACKAGE Overview to signing in When you sign into Ten Town you have two options: Parent sign in The parent sign in gives you access to your administration area as well as the printable
More informationApplication Security Approach
Technical Approach Page 1 CONTENTS Section Page No. 1. Introduction 3 2. What is Application Security 7 3. Typical Approaches 9 4. Methodology 11 Page 2 1. INTRODUCTION Page 3 It is a Unsafe Cyber world..
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationTop Ten IT Security Risks CHRISTOPHER S. ELLINGWOOD SENIOR MANAGER, IT ASSURANCE SERVICES
Top Ten IT Security Risks - 2017 CHRISTOPHER S. ELLINGWOOD SENIOR MANAGER, IT ASSURANCE SERVICES INTRODUCTION IT S ALL CONNECTED IN 2017. All of our Top 10 risks impact both us as consumers and as professionals
More informationEndpoint Protection : Last line of defense?
Endpoint Protection : Last line of defense? First TC Noumea, New Caledonia 10 Sept 2018 Independent Information Security Advisor OVERVIEW UNDERSTANDING ENDPOINT SECURITY AND THE BIG PICTURE Rapid development
More informationBuilding a Resilient Security Posture for Effective Breach Prevention
SESSION ID: GPS-F03B Building a Resilient Security Posture for Effective Breach Prevention Avinash Prasad Head Managed Security Services, Tata Communications Agenda for discussion 1. Security Posture 2.
More informationFuture Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group
Future Challenges and Changes in Industrial Cybersecurity Sid Snitkin VP Cybersecurity Services ARC Advisory Group Srsnitkin@ARCweb.com Agenda Industrial Cybersecurity Today Scope, Assumptions and Strategies
More informationAdaptive & Unified Approach to Risk Management and Compliance via CCF
SESSION ID: SOP-W08 Adaptive & Unified Approach to Risk Management and Compliance via CCF Vishal Kalro Manager, Risk Advisory & Assurance Services (RAAS) Adobe @awish11 Disclaimer All the views presented
More informationWhat to do if your business is the victim of a data or security breach?
What to do if your business is the victim of a data or security breach? Introduction The following information is intended to help you decide how to start preparing for and some of the steps you will want
More informationAddressing HIPAA privacy compliance on hospital wireless network
E-Guide Addressing HIPAA privacy compliance on hospital wireless network Medical devices, tablets, smartphones and RFID are forcing hospital wireless networks open. HIPAA privacy compliance is harder than
More informationMobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing
Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to
More informationTrain as you Fight: Are you ready for the Red Team?
Train as you Fight: Are you ready for the Red Team? An inside look at Red Teaming Yves Morvan Twitter: @morvan_yves Email: Yves@securenorth.ca Agenda Introduction What is Red Teaming? VA s vs. Penetration
More informationTrustwave Managed Security Testing
Trustwave Managed Security Testing SOLUTION OVERVIEW Trustwave Managed Security Testing (MST) gives you visibility and insight into vulnerabilities and security weaknesses that need to be addressed to
More informationMedical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.
Medical Devices and Cyber Issues JANUARY 23, 2018 AHA and Cybersecurity Policy Approaches Role of the FDA FDA Guidance and Roles Pre-market Post-market Assistance during attack Recent AHA Recommendations
More informationSecuring Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software
Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational
More informationCyber Insurance: What is your bank doing to manage risk? presented by
Cyber Insurance: What is your bank doing to manage risk? David Kitchen presented by Lisa Micciche Today s Agenda Claims Statistics Common Types of Cyber Attacks Typical Costs Incurred to Respond to an
More informationData Breach Preparedness & Response
Data Breach Preparedness & Response April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH 2015 Armstrong Teasdale 6 Stages of a Data Breach Response Preparation Identification Containment Eradication
More informationData Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH
Data Breach Preparedness & Response April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH 2015 Armstrong Teasdale 6 Stages of a Data Breach Response Preparation Identification Containment Eradication
More information2015 HFMA What Healthcare Can Learn from the Banking Industry
2015 HFMA What Healthcare Can Learn from the Banking Industry Agenda Introduction- Background and Experience Healthcare vs. Banking The Results OCR Audit Results Healthcare vs. Banking The Theories Practical
More informationProfessional Services Overview
Professional Services Overview Internet of Things (IoT) Security Assessment and Advisory Services IOT APPLICATION MOBILE CLOUD NETWORK Company Overview HISTORY HISTORY Founded in 2010 Headquartered in
More informationSeth & Ken s Excellent Adventures in Secure Code Review. Training Course 17th & 18th of October. Table of Contents
Seth & Ken s Excellent Adventures in Secure Code Review Training Course 17th & 18th of October Table of Contents Seth & Ken s Excellent Adventures in Secure Code Review 1 Course Abstract 2 What attendees
More informationINSIGHTS FROM NSA S CYBERSECURITY THREAT OPERATIONS CENTER
SESSION ID: AIR-T08 INSIGHTS FROM NSA S CYBERSECURITY THREAT OPERATIONS CENTER Dave Hogue Technical Director National Security Agency s Cybersecurity Threat Operations Center NSA CYBERSECURITY MISSION
More informationInternet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin
Internet of Things Internet of Everything Presented By: Louis McNeil Tom Costin Agenda Session Topics What is the IoT (Internet of Things) Key characteristics & components of the IoT Top 10 IoT Risks OWASP
More informationSurprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS
Surprisingly Successful: What Really Works in Cyber Defense John Pescatore, SANS 1 Largest Breach Ever 2 The Business Impact Equation All CEOs know stuff happens in business and in security The goal is
More informationUsing Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach
Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach 2016 Presented by James Tarala (@isaudit) Principal Consultant Enclave Security 2 Historic Threat Hunting German
More informationIFEA Risk Management and Cybercrime
IFEA Risk Management and Cybercrime Digital information technology is becoming ever more deeply and rapidly entrenched in our society. It won t be long before everyone is permanently connected to each
More informationThe Journey to Mobility. Session NI5, March 5, 2018 Victoria L. Tiase, MSN, RN-BC Director of Research Science, NewYork-Presbyterian Hospital
The Journey to Mobility Session NI5, March 5, 2018 Victoria L. Tiase, MSN, RN-BC Director of Research Science, NewYork-Presbyterian Hospital 1 Conflict of Interest Victoria L. Tiase, MSN, RN-BC Has no
More informationASSURANCE PENETRATION TESTING
ASSURANCE PENETRATION TESTING Datasheet 1:300 1 Assurance testing February 2017 WHAT IS PENETRATION TESTING? Penetration testing goes beyond that which is covered within a vulnerability assessment. Vulnerability
More information12. Mobile Devices and the Internet of Things. Blase Ur, May 3 rd, 2017 CMSC / 33210
12. Mobile Devices and the Internet of Things Blase Ur, May 3 rd, 2017 CMSC 23210 / 33210 1 Today s class Security and privacy for: mobile devices the IoT safety-critical devices Discuss midterm 2 Mobile
More informationRetail Security in a World of Digital Touchpoint Complexity
Retail Security in a World of Digital Touchpoint Complexity Author Greg Buzek, President of IHL Services Sponsored by Cisco Systems Inc. Featuring industry research by Previously in part 1 and part 2 of
More informationEXPLOITING CLOUD SYNCHRONIZATION TO HACK IOTS
SESSION ID: SBX1-R1 EXPLOITING CLOUD SYNCHRONIZATION TO HACK IOTS Alex Jay Balan Chief Security Researcher Bitdefender @jaymzu 2 IoT = hardware + OS + app (+ Cloud) wu-ftpd IIS5.0 RDP Joomla app 3 EDIMAX
More informationMission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS
Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS Stephanie Poe, DNP, RN-BC CNIO, The Johns Hopkins Hospital and Health System Discussion Topics The Age of Acceleration Cyber
More informationInstitute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11
AUDITING ROBOTICS AND THE INTERNET OF THINGS (IOT) APRIL 9, 2018 PRESENTERS Kara Nagel Manager, Information Security Accenture Ryan Hopkins Assistant Director, Internal Audit Services Packaging Corp. of
More informationSecurity Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE
Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE Cyber Security Services Security Testing - a requirement for a secure business ISACA DAY in SOFIA Agenda No Agenda Some minimum theory More real
More informationHealthcare IT s Top 3 Pain Points
Healthcare IT s Top 3 Pain Points & How to Fix Them Survey Results Introduction It seems Healthcare IT grows more complex by the hour, and most organizations ragtag mixture of legacy tools and high-tech
More informationOWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock
OWASP Top 10 2017 David Johansson Principal Consultant, Synopsys Presentation material contributed by Andrew van der Stock David Johansson Security consultant with 10 years in AppSec Helping clients design
More informationJourney to HIMSS18: Privacy, Security and Cybersecurity
Journey to HIMSS18: Privacy, Security and Cybersecurity Thompson H. Boyd, III, M.D., FHIMSS, FACHE, FABQAURP, CPHIMS, CHCQM Medical Director of Informatics Hahnemann University Hospital Today s Speaker
More informationDetecting breach. There are only two types of organisations in the world... Terry Greer-King Director, Cyber security, UK & Africa May 2017
Feeling lucky? Detecting breach There are only two types of organisations in the world... Terry Greer-King Director, Cyber security, UK & Africa May 2017 Industry average is 100 days to detect a breach,
More informationProtecting your Data in the Cloud. Cyber Security Awareness Month Seminar Series
Protecting your Data in the Cloud Cyber Security Awareness Month Seminar Series October 24, 2012 Agenda Introduction What is the Cloud Types of Clouds Anatomy of a cloud Why we love the cloud Consumer
More informationSecurity!Maturity Oc O t c o t b o er r 20 2, 0,
October 20, 2010 Security!Maturity About me - Joshua Jabra Abraham Security Consultant/Researcher at Rapid7 LLC. Past speaking engagements BlackHat, DefCon, ShmooCon, Infosec World, CSI, OWASP Conferences,
More informationEFFECTIVE, SCALABLE, #FULLSTACK VULNERABILITY MANAGEMENT
EFFECTIVE, SCALABLE, #FULLSTACK VULNERABILITY MANAGEMENT edgescan Portal ABOUT EDGESCAN SaaS: edgescan is a Security-as-a-Service (SaaS) vulnerability management service which detects vulnerabilities in
More informationSecurity Solutions. Overview. Business Needs
Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.
More informationCYBER SECURITY AND MITIGATING RISKS
CYBER SECURITY AND MITIGATING RISKS 01 WHO Tom Stewart Associate Director Technology Consulting Chicago Technical Security Leader Protiviti Slides PRESENTATION AGENDA 3 START HACKING DEFINITION BRIEF HISTORY
More informationWhat is Cybersecurity?
What is Cybersecurity? Protection against unauthorized access to or use of assets via electronic means Not limited to what we think of as Hacking : Fraud Prevention Misuse of Appropriate Access Important
More informationAttack Trees Red Teaming
Attack Trees Red Teaming who am i Matteo Beccaro Twitter: @_bughardy_ Chief Technology Officer at @_opposingforce. Conference speaker & trainer. Messing around with networks and protocols. Often flying
More informationAttackers Process. Compromise the Root of the Domain Network: Active Directory
Attackers Process Compromise the Root of the Domain Network: Active Directory BACKDOORS STEAL CREDENTIALS MOVE LATERALLY MAINTAIN PRESENCE PREVENTION SOLUTIONS INITIAL RECON INITIAL COMPROMISE ESTABLISH
More informationNIST Cybersecurity Framework Protect / Maintenance and Protective Technology
NIST Cybersecurity Framework Protect / Maintenance and Protective Technology Presenter Charles Ritchie CISSP, CISA, CISM, GSEC, GCED, GSNA, +6 Information Security Officer IT experience spanning two centuries
More informationTaking Control of Your Application Security
EDUCAUSE Wednesday, May 3 rd Taking Control of Your Application Security 2017 SANS Institute All Rights Reserved INTRODUCTION Eric Johnson, CISSP, GSSP-Java, GSSP-.NET, GWAPT Application Security Curriculum
More informationRegulators & Manufacturers (Ken) Hackers & Security Officers (Jon) Providers & Patients (Angel)
Regulators & Manufacturers (Ken) Hackers & Security Officers (Jon) Providers & Patients (Angel) Medical Device Safety and Security (MeDSS) AMC Security Conference Deloitte & Touche LLP June 2016 Introductions
More informationW e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s
W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications
More informationSam Pickles, F5 Networks A DAY IN THE LIFE OF A WAF
Sam Pickles, F5 Networks A DAY IN THE LIFE OF A WAF Who am I? Sam Pickles Senior Engineer for F5 Networks WAF Specialist and general security type Why am I here? We get to see the pointy end of a lot of
More informationThe Crossed Swords wargame: Catching NATO red teams with cyber deception
The Crossed Swords wargame: Catching NATO red teams with cyber deception 2015-2018 Cymmetria Inc. All rights reserved. 2 BACKSTORY Once a year, the pentesters* and red teams of the countries of NATO descend
More information