SlideShare a Scribd company logo

Securing Medical Devices Using Adaptive Testing Methodologies

Daniel Miessler, profile picture
Daniel Miessler

Daniel Miessler presented on using an adaptive testing methodology to secure medical devices. He discussed that the growing attack surface of medical devices outpaces the maturity of testing procedures. An adaptive methodology tests devices based on their attributes and context to create customized and consumable test plans that reduce tester fatigue. Key takeaways included that visibility of attack surfaces is critical, testing plans should be approachable and modular to avoid being disregarded, and understanding surfaces should occur before buying, installing, or implementing devices.

Technology
Related topics:
Internet of Things Information Security medical-devices
1 of 41
Downloaded 18 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
SESSION ID:SESSION ID: #RSAC Daniel Miessler Securing Medical Devices Using Adaptive Testing Methodologies ASD-R10 Director of Advisory Services IOActive, Inc. @danielmiessler
SESSION ID:SESSION ID: #RSAC Daniel Miessler Securing Medical Devices Using Adaptive Testing Methodologies ASD-R10 Director of Advisory Services IOActive, Inc. @danielmiessler
#RSAC About 3 18 years in information security Technical testing background (net/web/mobile/IoT) Director of Advisory Services at IOActive Previously a founding member and principal at HPE Fortify on Demand Work on a number of OWASP projects: IoT Security, and OWASP Game Security Framework Project Read, write, podcast, table tennis
#RSAC Agenda 4 Why we care? The problem Adaptive Testing Methodology Practical takeaways
#RSAC Why do we care?
#RSAC 6 - J&J insulin pump (Animus OneTouch Ping) - Jay Radcliffe, diabetic and researcher - Unencrypted command traffic - Could send unauthorized insulin injections Recent Issues: Johnson & Johnson Image: REUTERS / Weigmann
#RSAC 7 - St. Jude pacemaker - Many vulnerabilities found - PR + Shorting of stock - Vulns included wireless god key - MedSec found the vulns - Muddy Waters shorted stock Recent Issues: St. Jude
#RSAC 8 Hospitals being ransomed: US Hospitals Hollywood Presbyterian Hospital Tried to get help from authorities, ended up paying $17,000 Methodist Hospital Refused to pay, had to shut down part of the hospital Many, many more
#RSAC 9 Hospitals being ransomed: NHS One NHS area had to transfer patients because they were shut down 34% of Health Trusts in the U.K. hit with ransomware within the last 18 months 60% of Scottish trusts Other countries affected as well, including Germany
#RSAC 10 Bitcoin Readiness (a depressing state) When ransomware happens the payment is usually in bitcoin Companies getting hacked often don’t know anything about bitcoin The time it takes to learn about and acquire bitcoin often costs companies massive amounts of money Many are hiring law firms to acquire and hold bitcoin for them in case they get hacked I like the preparation piece, but it’s still quite depressing
#RSAC 11 A Dangerous Combination - Home users - Schools - Governments - Small businesses
#RSAC 12 A Dangerous Combination - The medical space is extremely vulnerable to these issues.
#RSAC The problem
#RSAC Recent Issues 14 - Lots of vulnerabilities found
#RSAC A Disconnect 15 The attack surface for medical devices is simply larger than the maturity of standardized procedures to test those surface areas. 0 25 50 75 100 Current A/ack Surface Future A/ack Surface Tes8ng Maturity
#RSAC The Attack Surface 16 - Hardware physical interfaces - Physical networking ports - Debug / admin ports - WiFi / RF - Data transfer and storage - Cryptographic implementations - HL7 implementations - Hardware sensors - Input parsing / validation - Command / data authentication
#RSAC Attack Surface vs. Testers 17 - How many devices are there already? - How many have been tested? - How many devices will there be? - How many testers will be required to look at them?
#RSAC Problem: Tester Desensitization 18 - Comprehensive testing methodologies are usually massive - Testers can usually only read them once or twice - They can’t use them over time - You only get a couple of strikes regarding irrelevant content
#RSAC The Adaptive Testing Methodology approach
#RSAC Adaptive Testing Methodology 20 Contextual testing based on attributes of the target or situation
#RSAC Adaptive Testing Methodology 21 Contextual testing based on attributes of the target or situation Can apply to web apps, hosts, IoT, medical devices, etc.
#RSAC Adaptive Testing Methodology 22 Contextual testing based on attributes of the target or situation Can apply to web apps, hosts, IoT, medical devices, etc. Attribute types (potential) Target attack surfaces Time available Tools available Skill level available
#RSAC 23
#RSAC 24 OWASP IoT: Medical Device Testing
#RSAC 25
#RSAC Real-world Usage 26 Third-party testing requirements Trying to avoid tester fatigue from vendors Profile a piece of hardware using Adaptive Testing See which surface areas are in play Create a customized testing methodology for that device/ecosystem Reduce the size of a testing methodology by 50-300% Every section is relevant
#RSAC Lessons learned over the years 27 Visibility is king in security You can’t defend what you can’t see and don’t understand Medical devices have many unseen attack surfaces Because it’s an ecosystem, flaws in one can lead to overall weakness With vulnerabilities, 1 + 1 + 1 often equals 7
#RSAC Takeaways 28 Visibility is problem #1
#RSAC 29 Monolithic testing methodologies can lead to tester fatigue Takeaways
#RSAC 30 Simple methodology is consumable, and consumable methodology gets used Takeaways
#RSAC 31 Simple methodology is consumable, and consumable methodology gets used Takeaways
#RSAC 32 Friends don’t let friends ship things without understanding the attack surface Takeaways
#RSAC 33 Friends don’t let friends buy things without understanding the attack surface Takeaways
#RSAC 34 Friends don’t let friends install / implement things without understanding the attack surface Takeaways
#RSAC 35 Place stress on approachable simplicity for understanding attack surfaces Takeaways
#RSAC 36 Modularize and streamline your testing methodologies to avoid them being disregarded. Takeaways
#RSAC 37 Focus on breadth before depth when covering attack surfaces. Takeaways
#RSAC Resources 38 OWASP Internet of Things
 https://www.owasp.org/index.php/ OWASP_Internet_of_Things_Project I Am The Cavalry
 https://www.iamthecavalry.org
#RSAC Future work: Medical Security Scenarios Project 39 Medical Security Scenarios Project
#RSAC Future work: Medical Security Scenarios Project 40 Medical Security Scenarios Project Attack surface Vulnerability type Skill-level required Life-threatening or not
#RSAC Thanks 41 Email: daniel.miessler@ioactive.com 
 daniel@danielmiessler.com Twitter: @danielmiessler Podcast: Unsupervised Learning
 danielmiessler.com/ul Reach out any time! Participate. We’re always hiring at IOActive!

More Related Content

PDF
The Art and Science of Alert Triage
Sqrrl
 
PDF
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
PDF
How to transform developers into security people
Priyanka Aash
 
PDF
Yaksas CSC - Vulnerability Assessment & Penetration Testing
Uday Mittal
 
PDF
A worldwide journey to build a secure development environment
Priyanka Aash
 
PDF
Collaborative security : Securing open source software
Priyanka Aash
 
PDF
Securing 100 products - How hard can it be?
Priyanka Aash
 
PPTX
Splunk for Enterprise Security featuring UBA
Splunk
 
The Art and Science of Alert Triage
Sqrrl
 
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
How to transform developers into security people
Priyanka Aash
 
Yaksas CSC - Vulnerability Assessment & Penetration Testing
Uday Mittal
 
A worldwide journey to build a secure development environment
Priyanka Aash
 
Collaborative security : Securing open source software
Priyanka Aash
 
Securing 100 products - How hard can it be?
Priyanka Aash
 
Splunk for Enterprise Security featuring UBA
Splunk
 

What's hot (20)

PPTX
Seen at InfoSec Europe 2015: Spot your Snowden!
John Wallix
 
PPTX
ATAGTR2017 Security Testing for Healthcare applications
Agile Testing Alliance
 
PDF
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
Priyanka Aash
 
PPTX
NTXISSACSC2 - Software Assurance (SwA) by John Whited
North Texas Chapter of the ISSA
 
PPTX
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together
Sqrrl
 
PPTX
Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Harry McLaren
 
PDF
Application Security by Ethical Hackers
Entersoft
 
PDF
Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In
TechWell
 
PDF
Defending Healthcare Networks with NetFlow
Lancope, Inc.
 
PDF
SplunkLive! London 2016 Operational Security Intelligence
Splunk
 
PPT
Security Outsourcing - Couples Counseling - Atif Ghauri
Atif Ghauri
 
PDF
BGA SOME/SOC Etkinliği - Kurumsal SOME’ler için SOC Modeli Nasıl Olmalı?
BGA Cyber Security
 
PDF
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bugcrowd
 
PPTX
Cloud Storage and Security: Solving Compliance Challenges
Eric Vanderburg
 
PPTX
Survival of the Fittest: How to Build a Cyber Resilient Organization
Tripwire
 
PPTX
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk
 
PDF
Post IPv6 Implementation and Security: Now What?
Zivaro Inc
 
PDF
Security at Scale - Lessons from Six Months at Yahoo
Alex Stamos
 
PDF
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
centralohioissa
 
PPTX
Splunk for Enterprise Security Featuring UBA
Splunk
 
Seen at InfoSec Europe 2015: Spot your Snowden!
John Wallix
 
ATAGTR2017 Security Testing for Healthcare applications
Agile Testing Alliance
 
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
Priyanka Aash
 
NTXISSACSC2 - Software Assurance (SwA) by John Whited
North Texas Chapter of the ISSA
 
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together
Sqrrl
 
Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Harry McLaren
 
Application Security by Ethical Hackers
Entersoft
 
Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In
TechWell
 
Defending Healthcare Networks with NetFlow
Lancope, Inc.
 
SplunkLive! London 2016 Operational Security Intelligence
Splunk
 
Security Outsourcing - Couples Counseling - Atif Ghauri
Atif Ghauri
 
BGA SOME/SOC Etkinliği - Kurumsal SOME’ler için SOC Modeli Nasıl Olmalı?
BGA Cyber Security
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bugcrowd
 
Cloud Storage and Security: Solving Compliance Challenges
Eric Vanderburg
 
Survival of the Fittest: How to Build a Cyber Resilient Organization
Tripwire
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk
 
Post IPv6 Implementation and Security: Now What?
Zivaro Inc
 
Security at Scale - Lessons from Six Months at Yahoo
Alex Stamos
 
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
centralohioissa
 
Splunk for Enterprise Security Featuring UBA
Splunk
 
Ad

Viewers also liked (20)

PDF
Implementing Inexpensive Honeytrap Techniques
Daniel Miessler
 
PDF
Evolution of The Application
Daniel Miessler
 
PPTX
Adaptive Testing Methodology [ ATM ]
Daniel Miessler
 
PDF
Gdz ridna mova_pentuluk_2006
Lucky Alex
 
DOCX
Configuracion,estilos,secciones
DAYCIQUISHPE
 
PDF
Gdz angliskiy kalinina_2014
Lucky Alex
 
DOCX
Citas y organizaciones
DAYCIQUISHPE
 
DOCX
Capturas wwe (3)
Isaacklilop
 
PPTX
El desarrollo sustentable y los procesos en la informatica
Adalif Mora
 
PDF
Contributing to open source
Devin Abbott
 
PPTX
Promoting a Fit and Active Future
Logan Profetto
 
PPTX
Your Family is not obese yet
Tomas Kennedy
 
PDF
PGH-UP College of Medicine Social Media Policy DRAFT
Iris Thiele Isip-Tan
 
PDF
Social Media & Healthcare
Iris Thiele Isip-Tan
 
PDF
NANOTECHNOLOGY APPLICATIONS AND EMERGING OPPORTUNITIES FOR CLEAN WATER #scich...
selcancinar
 
PDF
Health Literacy for Young Scientists
Iris Thiele Isip-Tan
 
PDF
RTI against Supreme Court of India dated 05.01.2017
Om Prakash Poddar
 
PDF
強化学習その2
nishio
 
PPTX
全脳アーキテクチャ若手の会 強化学習
kwp_george
 
PDF
対話破綻検出チャレンジ2016: NCMを用いた対話と破綻の同時学習
Takahiro Kubo
 
Implementing Inexpensive Honeytrap Techniques
Daniel Miessler
 
Evolution of The Application
Daniel Miessler
 
Adaptive Testing Methodology [ ATM ]
Daniel Miessler
 
Gdz ridna mova_pentuluk_2006
Lucky Alex
 
Configuracion,estilos,secciones
DAYCIQUISHPE
 
Gdz angliskiy kalinina_2014
Lucky Alex
 
Citas y organizaciones
DAYCIQUISHPE
 
Capturas wwe (3)
Isaacklilop
 
El desarrollo sustentable y los procesos en la informatica
Adalif Mora
 
Contributing to open source
Devin Abbott
 
Promoting a Fit and Active Future
Logan Profetto
 
Your Family is not obese yet
Tomas Kennedy
 
PGH-UP College of Medicine Social Media Policy DRAFT
Iris Thiele Isip-Tan
 
Social Media & Healthcare
Iris Thiele Isip-Tan
 
NANOTECHNOLOGY APPLICATIONS AND EMERGING OPPORTUNITIES FOR CLEAN WATER #scich...
selcancinar
 
Health Literacy for Young Scientists
Iris Thiele Isip-Tan
 
RTI against Supreme Court of India dated 05.01.2017
Om Prakash Poddar
 
強化学習その2
nishio
 
全脳アーキテクチャ若手の会 強化学習
kwp_george
 
対話破綻検出チャレンジ2016: NCMを用いた対話と破綻の同時学習
Takahiro Kubo
 
Ad

Similar to Securing Medical Devices Using Adaptive Testing Methodologies (20)

PDF
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
Health IT Conference – iHT2
 
PPTX
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
Andris Soroka
 
DOCX
Past and Future Speaking Engagements
Matthew J McMahon
 
PPTX
Fle f04 mishra-v0.9
Minatee Mishra
 
PPTX
Understanding Risk Management & Cyber security Principles in Medical Devices
Keerthi Gunasekaran
 
PDF
10 best cybersecurity companies in healthcare for 2021
insightscare
 
PDF
Cybersecurity Risk Assessments for Healthcare Facilities
sharmakunal995566
 
PPTX
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
shawn_merdinger
 
PPTX
Network Connected Medical Devices - A Case Study
SophiaPalmira
 
PPTX
Secure Software Development Best Practices
Joe Orlando
 
PDF
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
Levi Shapiro
 
PDF
Cybersecurity in smart medical devices
Stefan Weiss
 
PDF
8 Mandatory Security Control Categories for Successful Submissions
ICS
 
PDF
Cybersecurity in Healthcare - Looking at the security issues that impact the ...
sara182573
 
PDF
Cybersecurity in Healthcare - Looking at the security issues that impact the ...
sara182573
 
PDF
Critical hygiene for preventing major breaches
Priyanka Aash
 
PDF
CISO Application presentation - Babylon health security
Dinis Cruz
 
PPTX
The challenge of building a secure and safe digital environment in healthcare
DefCamp
 
PDF
Bearing solutions healthcare security ver 0.1
Lennart Bredberg
 
PDF
Healthcare Security by Senior Security Consultant Lennart Bredberg
Lennart Bredberg
 
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
Health IT Conference – iHT2
 
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
Andris Soroka
 
Past and Future Speaking Engagements
Matthew J McMahon
 
Fle f04 mishra-v0.9
Minatee Mishra
 
Understanding Risk Management & Cyber security Principles in Medical Devices
Keerthi Gunasekaran
 
10 best cybersecurity companies in healthcare for 2021
insightscare
 
Cybersecurity Risk Assessments for Healthcare Facilities
sharmakunal995566
 
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
shawn_merdinger
 
Network Connected Medical Devices - A Case Study
SophiaPalmira
 
Secure Software Development Best Practices
Joe Orlando
 
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
Levi Shapiro
 
Cybersecurity in smart medical devices
Stefan Weiss
 
8 Mandatory Security Control Categories for Successful Submissions
ICS
 
Cybersecurity in Healthcare - Looking at the security issues that impact the ...
sara182573
 
Cybersecurity in Healthcare - Looking at the security issues that impact the ...
sara182573
 
Critical hygiene for preventing major breaches
Priyanka Aash
 
CISO Application presentation - Babylon health security
Dinis Cruz
 
The challenge of building a secure and safe digital environment in healthcare
DefCamp
 
Bearing solutions healthcare security ver 0.1
Lennart Bredberg
 
Healthcare Security by Senior Security Consultant Lennart Bredberg
Lennart Bredberg
 

More from Daniel Miessler (10)

PPTX
The OWASP Game Security Framework
Daniel Miessler
 
PPTX
Practical IoT Security in the Enterprise
Daniel Miessler
 
PDF
The IoT Attack Surface
Daniel Miessler
 
PDF
The Game Security Framework
Daniel Miessler
 
PPTX
Peak Prevention: Moving from Prevention to Resilience
Daniel Miessler
 
PDF
IoT Attack Surfaces -- DEFCON 2015
Daniel Miessler
 
PDF
SecLists @ BlackHat Arsenal 2015
Daniel Miessler
 
PDF
RSA2015: Securing the Internet of Things
Daniel Miessler
 
PDF
The Real Internet of Things: How Universal Daemonization Will Change Everything
Daniel Miessler
 
PPTX
Understanding Cross-site Request Forgery
Daniel Miessler
 
The OWASP Game Security Framework
Daniel Miessler
 
Practical IoT Security in the Enterprise
Daniel Miessler
 
The IoT Attack Surface
Daniel Miessler
 
The Game Security Framework
Daniel Miessler
 
Peak Prevention: Moving from Prevention to Resilience
Daniel Miessler
 
IoT Attack Surfaces -- DEFCON 2015
Daniel Miessler
 
SecLists @ BlackHat Arsenal 2015
Daniel Miessler
 
RSA2015: Securing the Internet of Things
Daniel Miessler
 
The Real Internet of Things: How Universal Daemonization Will Change Everything
Daniel Miessler
 
Understanding Cross-site Request Forgery
Daniel Miessler
 

Recently uploaded (20)

PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Encapsulation theory and applications.pdf
gurumoop
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 

Securing Medical Devices Using Adaptive Testing Methodologies