Personal Health Data, the Dark Web, and Protecting Information

Credit: https://www.managedhealthcareexecutive.com

TLDR: Personal health information is a valuable target for the dark web. Organizations must do more to protect it.

During class this week, the topic of the Health Insurance Portability and Accountability Act of 1996, commonly referred to simply as HIPAA, came up. The primary topic of the discussion was about the vulnerabilities to organizations using HIPAA information and the penalties for violating the Act. I have had discussions about HIPAA in previous cybersecurity classes, but I never really delved into the "why factor" surrounding patient records until now. It is quite intriguing to know why an individual's records are so important to a hacker.

In the article, "Research Reveals Why Hacked Patient Records Are So Valuable," by Marianne McGee, she discusses this very topic. This article introduced new terms for me: fullz and identity kits. A fullz, slang in the dark web world, is a term used to describe an individual's full health history. This can be intricate records of health issues and also include such things as the pharmacy a person utilizes. These can be purchased on the dark web for as little as $20 and then turned into identity kits.

Credit: https://www.freepik.com/

An identity kit is a combination of lots of information farmed about an individual off of various venues and then combined with health data. These venues can be from websites, phone calls, and any other method an attacker can use to get information. A key part of completing these kits is social engineering. Perhaps an attacker has your medical data and contact information but needs just a few more details to put everything together. You might start seeing emails or receiving phone calls asking you to verify data that the attacker needs to put the pieces of the puzzle together. Once complete, attackers can then sell the identity kits on the dark web for thousands of dollars to other entities who can then use those kits to still the individual's identity. Scary thought, right?

An even scarier thought is that, according to Carol Amick, 70% of organizations are not compliant with HIPAA. Now, this does not necessarily mean that 70% of organizations are vulnerable to attacks, but that is a large number of organizations handling patient medical information who do not meet compliance to safeguard such information. An even scarier thought: it may only take one organization to cause havoc for millions of people.

In 2014 and 2015, Anthem Health was the target of a spear-fishing campaign. This attack resulted in the compromise of personal information for 80 million individuals. An attack of this magnitude as the result of a spear-fishing campaign shows that organizations, especially those with highly valuable personal information, must do more to combat vulnerabilities. These types of attacks will only get more sophisticated and look more authentic, so organizations must step up their defenses and train employees to be cognizant of organizational policies in place to prevent such compromises.

The Anthem Health case was considered a sophisticated attack. The attackers appeared to have full access to systems they should not have. The likely culprits, in this case, could have been malware or a response to login credentials. They were able to gain access to the organization's databases and run queries from some time in December 2014 until January 29, 2015, when the last noted query was performed. In reality, the Anthem Health breach was not actually a HIPAA violation since no actual medical records were stolen. Rather, full names, birthdates, social security numbers, and employment information, among others, were the target of the attackers; some of the needs for identification kits.

Anthem Health is just one case of an organization being compromised through malicious activities. As we move forward storing and transmitting more and more personal information across the Internet, it is imperative that organizations take stronger initiatives to safeguard this highly valuable data from falling into the hands of dark web constituents. Leadership at all levels of an organization dealing with such information must do everything in its power to protect individuals who have entrusted them to safely handle their personal information. This could be accomplished through stricter adherence to HIPAA standards, revamped training initiative for employees, and, where Anthem failed, encrypting such data to further protect it. Furthermore, IT departments can leverage strict spam and traffic filters to prevent malicious links from entering the organization and, if they do, prevent any damage by highly limiting traffic to suspected websites.

Will we ever eradicate malicious attacks? It is highly unlikely. However, through proper education of employees and strict enforcement of acceptable use policies within organizations, we can certainly make it harder. Organizations that work with highly sensitive information, regardless of who it might affect, must take steps to prevent breaches like the massive Anthem Health example from occurring. They only way they can is to make it harder for employees to unknowingly open the door to attackers and constantly monitor their systems for any sign of malicious activity. Anthem Health went for nearly a month before employees noticed something strange. That was nearly a month too long for something like this to have been occurring.

A Non-Rambling Discussion on Threat Modeling Approaches (CYBR 650, Blog #1)

TLDR: Threat modeling comes in a variety of approaches. Knowing what you are trying to protect can help steer you to a more appropriate method.

Unless you are vehemently against technology, you have used it at some point in your life. Perhaps you have a cell phone, a laptop computer, or, for most of us, have used a debit or credit card. Our lives, the organizations we work for, and the businesses we patronize all thrive on technology. With the explosion of technology to help make life easier for civilization, it is also imperative for us to continually remember there are those out there who want to inflict harm. This is where threat modeling can help an organization protect itself and, to some degree, individuals as well.

In his book, Threat Modeling: Designing for Security, Adam Shostack provides three primary approaches to threat modeling: asset, attacker, and software. Each of these three methods focuses on different areas of threats and how to mitigate, eliminate, transfer, or accept the associated risks. Now, it is certainly not feasible that individuals would perform construct a threat model for each new technology they add to their pocket or household, but some of these things should come to mind. Organizations, on the other hand, must perform threat modeling for each asset and system added to the inventory. While each model has its pros and cons, it may really come down to a mixture of all three approaches. Let’s look at each to see why that might be the case.

Image credit: BizNews

Asset-centric threat modeling means putting emphasis on what you value and then looking at the vulnerabilities associated with those assets. From a personal perspective, this could be looking at what threats you have to accessing your bank account information online. Can your password be stolen and used to long into the banking application? From an organizational perspective, this could be protecting a database full of client records. What threats exists to this data and how can we further protect it? The focus here is on what one values.

Image credit: FitDay

Attacker-centric threat modeling focuses on what an attacker might do. Instead of looking at assets to protect, this approach looks at the various tactics and techniques an attacker might use to attempt to gain access to an asset. If you think like a burglar when looking to protect your home, you might install a second lock on the door or find better ways to secure your windows. On the organizational side, this can include things like focusing on a list of usernames and passwords for critical systems. Perhaps you want to check these credentials to make sure they cannot be easily cracked. Again, the thought here is to consider, “what would an attacker do?”

Image credit: InformationAge

The last threat modeling approach Shostack discusses is that of a software-centric approach. This approach is focused on dealing with software and systems being deployed within an organization. On the personal side, you can think of this as installing software on your laptop or even your smartphone. You certainly do not want to install anything which would let someone have access to your personal information. Likewise, organizations need to use this approach to look for holes which may allow attackers to gain access to their assets. If software is being deployed within the organization, are there concerns which may open up vulnerabilities on the computers or networks critical to the organization’s operations? These are things to consider when using a software-centric approach to threat modeling.

Image credit: DZone

Another threat modeling approach is STRIDE. STRIDE stands for spoofing identity, tampering with data, repudiation, information disclosure, denial of service, and elevation of privilege. This approach really pertains mostly to information systems but can be thought of with other threats as well. Shevchenko points out that this approach was invented in 1999 and adopted by Microsoft in 2002. Knowing that this applies primarily to information systems (IS) helps to see why Microsoft adopted this approach to threat modeling.

Spoofing an identity, in the IS world, concerns the authentication of systems or the authenticity of packets on a network. Someone can steal your credentials, log into a computer system, and pretend to be you while they perform malicious actions. Similarly, a hacker can spoof the identity of a packet, launching a man-in-the-middle attack, and pretend to be the sender or receiver of information. In the physical world, this would be similar to someone posing as a repair person or a delivery driver to gain access to a building.

Tampering with data concerns the integrity of data within a system. This can be data at rest on a computer disk or memory as well as data moving through a network. A student finding their grades stored on the school’s computer network and modifying them to earn an A in all of their classes would be an example of tampering with data at rest. A hacker taking a packet of information, modifying it to change values, and sending it onto the destination is an example of modifying moving data. 

Repudiation pertains to validity of actions. If repudiation is present, one can deny the actions were taken on their part. For instance, if a critical file was modified or deleted, who was responsible for it? The violation of non-repudiation means there is no way to confirm or deny that a specific entity was responsible for accomplishing actions. From a physical standpoint, this would be like a sign-in sheet to a class. If you signed in, it is generally accepted you were there. In the absence of a sign-in sheet, it becomes more difficult to determine if you did or did not attend the class. This is something commonly handled through the use of log files to document all actions and who took those actions.

Information disclosure concerns information getting into the hands of someone it is not supposed to. For an IS, this could include incorrect folder permissions allowing someone to modify financial records in the accounting division when they should not have access to such documents. In the physical world, someone gaining access to an unlocked filing cabinet and pulling personnel records when they do not have a need to know falls into the same category. Information which should be safeguarded is compromised due to a lapse in confidentiality.

When talking about denial of service, this typically means that an IS is unavailable when needed. You have likely heard of DDoS attacks where attackers create an army of zombie computers to bring a web server down. They bombard the server with so many requests that the server cannot keep up and eventually access is denied to users who need to use it. The bombardment of bogus requests causes any relevant requests to be ignored by the system. You could liken this to a need to reach a 911 operator when thousands of pranksters are calling in to keep the phone lines busy. You have a legitimate need but cannot get assistance because all lines are busy.

The last part of STRIDE is elevation of privilege, which concerns someone being able to accomplish a task they are not authorized to perform. With IS systems, an example would be a regular workstation user being able to install software as an administrator. Their permissions should be set to prevent this, but they may be able to gain access and do this. An easy example of elevation of privilege lies in the Linux operating system. Normally, a logged in user should not be able to perform administrative tasks. However, if the user is in the sudoer group, they can issue a command with sudo to elevate their permissions to that of the root user and perform a litany of tasks.

Threat modeling comes in various approaches. Shostack discusses the three primary approaches: asset, attack, and software. He provides good information on when these are best suited for use but ultimately makes the case for a software-centric approach as the best. Additionally, we have the STRIDE approach to threat modeling which appears to be a solid model with which to evaluate IS assets to ensure threats and vulnerabilities are accounted for. Whichever approach you use, it is always wise to think outside of the box to cover all possibilities and determine if the threat should be mitigated, eliminated, transferred, or accepted.