CISA reports on healthcare risk and vulnerability assessment, offers cybersecurity recommendations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released on Friday a report on the findings of a risk and vulnerability assessment conducted for a healthcare and public health (HPH) sector organization. The report outlines the activities and key findings of the assessment team, providing valuable recommendations for network defenders and software manufacturers to enhance their organizations’ and customers’ cybersecurity. The assessment was conducted in response to a request from the HPH sector organization in January, to identify vulnerabilities and areas for improvement.

Titled ‘Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment,’ the cybersecurity advisory calls upon critical infrastructure organizations as well as software manufacturers to review the advisory and apply its recommendations. The recommendations detail how organizations can harden networks to improve cyber resilience and reduce the likelihood of domain compromise.

“Adversaries and criminals will continue to target organizations seen as target-rich, cyber poor,” Nitin Natarajan, CISA deputy director, said in a media statement. “To reduce the burden of cybersecurity on customers, manufacturers of HPH technology products should implement the recommended actions in the advisory that are aligned to our Principles and Approaches for Secure by Design Software white paper. Also, we strongly encourage healthcare entities and all organizations to review this advisory, implement the mitigations, and enroll in our vulnerability scanning service which can further help reduce cyber risk.”

An RVA is a two-week penetration test of an entire organization, with one week spent on external testing and one week spent assessing the internal network. As part of the RVA, the CISA assessment team conducted web application, phishing, penetration, database, and wireless assessments. The assessed organization was a large organization deploying on-premises software. 

During the one-week external assessment, CISA disclosed that the assessment team did not identify any significant or exploitable conditions in externally available systems that may allow a malicious actor to easily obtain initial access to the organization’s network. Furthermore, the assessment team was unable to gain initial access to the assessed organization through phishing. However, during internal penetration testing, the team exploited misconfigurations, weak passwords, and other issues through multiple attack paths to compromise the organization’s domain. 

The advisory detailed that the assessment team offers five services, including web application assessment, phishing assessment, penetration testing, database assessment, and wireless assessment. 

When it comes to web application assessment, the assessment team uses commercial and open-source tools to identify vulnerabilities in public-facing and internal web applications, demonstrating how they could be exploited. For phishing assessment, the team tests the susceptibility of staff and infrastructure to phishing attacks and determines what impact a phished user workstation could have on the internal network. The RVA team crafts compelling email pretexts and generates payloads, similar to ones used by threat actors, to provide a realistic threat perspective to the organization.

On penetration testing, the assessment team tests the security of an environment by simulating scenarios an advanced cyber actor may attempt. The team’s goals are to establish a foothold, escalate privileges, and compromise the domain. The RVA team leverages both open-source and commercial tools for host discovery, port and service mapping, vulnerability discovery and analysis, and vulnerability exploitation.

When it comes to database assessment, the assessment team uses commercial database tools to review databases for misconfigurations and missing patches. Lastly, in the case of wireless assessment, the assessment team uses specialized wireless hardware to assess wireless access points, connected endpoints, and user awareness for vulnerabilities.

CISA said that external assessment covered publicly available HPH-organization endpoints discovered during scanning. It included penetration testing, phishing assessment, and web application assessment. On the other hand, internal assessment dealt with internally available HPH-organization endpoints discovered during scanning. It used database assessment, penetration testing, web application assessment, and wireless assessment. 

The CISA team did not identify any significant or exploitable conditions from penetration or web application testing that may allow a malicious actor to easily obtain initial access to the organization’s network. The team’s phishing assessment included both user and systems testing. It was unsuccessful because the organization’s defensive tools blocked the execution of the team’s payloads: most of the payloads were stopped by host-based protections through a combination of browser, policy, and antivirus software.

“Since none of the payloads successfully connected to the assessment team’s C2 server, the team conducted a credential harvesting phishing campaign,” the advisory disclosed. “Users were prompted to follow a malicious link within a phishing email under the pretext of verifying tax information and were then taken to a fake login form. While twelve unique users from the organization submitted credentials through the malicious form, the CISA team was unable to leverage the credentials because they had limited access to external-facing resources. Additionally, the organization had multi-factor authentication (MFA) implemented for cloud accounts,” it added.

Moving to the internal assessment, the advisory covers database, web application, and wireless testing. The team did not identify any significant or exploitable conditions from database or wireless testing that may allow a malicious actor to compromise the confidentiality, integrity, and availability of the tested environment. It did identify default credentials for multiple web interfaces during web application testing, and it used default printer credentials during penetration testing.

Looking into penetration testing, the advisory said that the assessment team starts internal penetration testing with a connection to the organization’s network but without a valid domain account. The team’s goal is to compromise the domain by gaining domain admin or enterprise administrator-level permissions. 

Generally, the team first attempts to gain domain user access and then escalates privileges until the domain is compromised, the advisory said. “This process is called the ‘attack path’—acquiring initial access to an organization and escalating privileges until the domain is compromised and/or vital assets for the organization are accessed. The attack path requires specialized expertise and is realistic to what adversaries may do in an environment,” it added.

The CISA assessment team identified several findings as potentially exploitable vulnerabilities that could compromise the confidentiality, integrity, and availability of the tested environment. It found four high-severity vulnerabilities and one medium-severity vulnerability during penetration testing that contributed to the team’s ability to compromise the domain. Furthermore, the team detected three high- and seven medium-severity findings. These vulnerabilities and misconfigurations may allow a malicious actor to compromise the confidentiality, integrity, and availability of the tested environment.

CISA advises the HPH sector and other critical infrastructure organizations to promptly implement the necessary mitigations to address these issues. These mitigations align with the cross-sector cybersecurity performance goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures.

Additionally, CISA recommends that HPH sector organizations implement and maintain an asset management policy to reduce the risk of exposing vulnerabilities, devices, or services that could be exploited by threat actors to gain unauthorized access, steal sensitive data, or disrupt critical services. 

CISA also suggests that entities secure their devices and digital accounts and manage their online access to protect sensitive data and PII/PHI from compromise. The focus areas for this mitigation strategy include email security, phishing prevention, access management, password policies, data protection and loss prevention, and device logs and monitoring solutions.

Lastly, CISA recommends that entities mitigate known vulnerabilities and establish secure configuration baselines to reduce the likelihood of hackers exploiting known vulnerabilities to breach organizational networks. 

Recognizing that insecure software is the root cause of the majority of these flaws and that the responsibility should not fall on the end user, CISA urges software manufacturers to reduce the prevalence of misconfigurations, weak passwords, and other weaknesses identified and exploited by the assessment team. Measures suggested include embedding security into product architecture throughout the entire software development lifecycle (SDLC), eliminating default passwords, and creating secure configuration templates.

The agency also recommends designing products so that the compromise of a single security control does not result in the compromise of the entire system, mandating MFA, ideally phishing-resistant MFA, for privileged users and making MFA a default, rather than an opt-in, feature.

CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure-by-design tactics. By using secure-by-design tactics, software manufacturers can make their product lines secure ‘out of the box’ without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.
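To make the secure-by-design recommendations above concrete, here is an added illustration (not code from CISA or the advisory) of a product-side startup check: a weak shipped configuration template with opt-in MFA and vendor default passwords sits beside a hardened one, and an audit function refuses either a default or empty password or a privileged account without MFA. The account names, roles, and default-password list are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed list of well-known default or placeholder passwords (example
# values for this demonstration, not data taken from the advisory).
DEFAULT_PASSWORDS = {"", "admin", "password", "changeme", "12345678"}
PRIVILEGED_ROLES = {"admin", "domain_admin", "enterprise_admin"}

@dataclass
class Account:
    name: str
    role: str
    password: str
    mfa_enabled: Optional[bool] = None  # None: inherit the product-wide default

@dataclass
class Config:
    mfa_default: bool = True  # MFA is on unless an operator explicitly opts out
    accounts: List[Account] = field(default_factory=list)

def mfa_effective(cfg: Config, acct: Account) -> bool:
    """Resolve an account's MFA setting against the product-wide default."""
    return cfg.mfa_default if acct.mfa_enabled is None else acct.mfa_enabled

def audit(cfg: Config) -> List[str]:
    """Findings that should block startup; an empty list means the config passes."""
    findings = []
    for acct in cfg.accounts:
        if acct.password.lower() in DEFAULT_PASSWORDS:
            findings.append(f"{acct.name}: default or empty password")
        if acct.role in PRIVILEGED_ROLES and not mfa_effective(cfg, acct):
            findings.append(f"{acct.name}: privileged account without MFA")
    return findings

def insecure_template() -> Config:
    """Weak shipped template: opt-in MFA and vendor default passwords."""
    return Config(mfa_default=False, accounts=[
        Account("admin", "admin", "admin"),
        Account("printer-svc", "service", "changeme"),
    ])

def hardened_template() -> Config:
    """Hardened template: MFA on by default and a unique random initial
    password per account (forcing rotation at first login is not shown)."""
    return Config(mfa_default=True, accounts=[
        Account("admin", "admin", secrets.token_urlsafe(24)),
        Account("printer-svc", "service", secrets.token_urlsafe(24)),
    ])
```

The weak template produces three blocking findings, the hardened one none; an operator who later switches MFA off for the admin account gets a finding again, which is what "default rather than opt-in" means in practice.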
