Security challenges in medical research intensify need to redefine zero trust

Article By : Lou Covey


Massive reports on attempts to steal and even damage research on COVID-19 coronavirus countermeasures by governments and private medical organizations in the United States of America (US) and United Kingdom (UK) since the beginning of 2019 have raised concerns about the adequacy of security. These attacks, which according to reports allegedly originate from Russia, China, Iran, and North Korea, are said to use a method known as “password spraying.” This has turned the spotlight on why zero-trust design is crucial for digital systems and their updates.

According to an annual survey by the Healthcare Information Management Systems Society (HIMSS), in 2019 more than 80 percent of hospitals and almost two-thirds of research organizations reported a brute-force attack on their systems. The rest did not know whether they had been attacked, much less compromised. The 2020 survey will probably show a significant uptick in those numbers, because outdated network equipment and poor cybersecurity practices are common in these organizations, making them particularly vulnerable to this type of attack.

Brute-force cyberattacks are so well known that they are a common plot device in television and movies. All that is needed is a program that can attempt to log on to an account with as many common passwords as possible before security is alerted to the attempt. This single point of attack is easily thwarted by locking out the account after three or four tries. However, password spraying gets around that barrier by targeting as many accounts in a network as possible, trying one password at a time across all of them until one succeeds. The odds of finding one account with a weak password this way are in the attacker’s favor.


This type of attack is most effective against single sign-on (SSO) and cloud-based applications using federated authentication protocols, allowing the malicious actor to compromise the authentication mechanism. Once inside, the attacker moves laterally, capitalizing on internal network vulnerabilities to gain access to critical applications and sensitive data.
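As an added illustration, not taken from the article or from any company it quotes, the following detection logic separates the two patterns described above when run over a few constructed authentication log lines: a brute-force attempt fails repeatedly against one account, while a spray fails once across many accounts from the same source and therefore never trips a per-account lockout counter. The log format, the thresholds and the addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of an authentication log (assumed format, not any product's output):
# timestamp, OK/FAIL, user, source address.
SAMPLE_LOG = """\
2020-05-14T09:00:01Z FAIL user=alice src=203.0.113.7
2020-05-14T09:00:03Z FAIL user=bob src=203.0.113.7
2020-05-14T09:00:05Z FAIL user=carol src=203.0.113.7
2020-05-14T09:00:07Z FAIL user=dave src=203.0.113.7
2020-05-14T09:00:09Z OK   user=erin src=203.0.113.7
2020-05-14T09:00:11Z FAIL user=frank src=203.0.113.7
2020-05-14T09:01:00Z FAIL user=grace src=198.51.100.2
2020-05-14T09:01:02Z FAIL user=grace src=198.51.100.2
2020-05-14T09:01:04Z FAIL user=grace src=198.51.100.2
2020-05-14T09:01:06Z FAIL user=grace src=198.51.100.2
2020-05-14T09:30:00Z FAIL user=heidi src=192.0.2.9
2020-05-14T09:30:30Z OK   user=heidi src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Yield (timestamp, result, user, src) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["result"], m["user"], m["src"]


def classify_sources(text, window_seconds=600, spray_min_users=5, brute_min_fails=3):
    """Label each source address by the worst pattern seen in any time window.

    password_spray: failures against at least spray_min_users distinct accounts
                    (each account fails only once or twice, so a per-account lockout never fires)
    brute_force:    at least brute_min_fails failures against a single account
    normal:         neither threshold reached
    """
    windows = defaultdict(lambda: {"fails": defaultdict(int), "successes": []})
    for ts, result, user, src in parse_auth_log(text):
        bucket = int(ts.timestamp()) // window_seconds  # fixed time buckets per source
        w = windows[(src, bucket)]
        if result == "FAIL":
            w["fails"][user] += 1
        else:
            w["successes"].append(user)

    summary = {}
    for (src, _bucket), w in windows.items():
        distinct = len(w["fails"])
        peak = max(w["fails"].values(), default=0)
        if distinct >= spray_min_users:
            label = "password_spray"
        elif peak >= brute_min_fails:
            label = "brute_force"
        else:
            label = "normal"
        finding = {
            "label": label,
            "distinct_failed_users": distinct,
            "max_fails_one_user": peak,
            # a success from a source that was spraying marks the account to isolate first
            "successes": list(w["successes"]),
        }
        if src not in summary or (summary[src]["label"] == "normal" and label != "normal"):
            summary[src] = finding
    return summary


if __name__ == "__main__":
    for src, finding in classify_sources(SAMPLE_LOG).items():
        print(src, finding)
```

The per-account counter (`max_fails_one_user`) is what a classic lockout sees, and it stays at one for the spraying source; only the per-source count of distinct failed users exposes the spray, which is why the two views have to be correlated.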

Zero trust is the first line of defense in this situation; it is simply defined as not trusting anyone in the system. A basic step that IT managers can take is to require password resets every few months. The Social Security Administration requires users to change their passwords every 6 months, which is still generous. Network members should be required to use strong passwords: the longer the better, so they are neither easily guessed nor too common, with a mix of upper- and lower-case letters, numbers, and symbols, no ties to personal information, and no dictionary words. Regular security awareness training also helps. Next, multi-factor authentication (MFA) is an excruciating pain, but it reduces the attacker’s chances far more than changing passwords alone. “Any decent security logging system must lock out login attempts after three failed attempts, and the time to wait to retry must go up drastically after every three failed attempts,” according to Axiado Chief Technical Officer (CTO) Axel Kloth.
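The lockout rule Kloth describes, written out as an added example that is not from the article or from Axiado: an account is locked after every three consecutive failures, each lock lasts ten times longer than the previous one (the 60-second base and the factor of 10 are assumed values), and a correct password submitted during a lock is still refused. The helper at the end shows how much waiting the policy imposes on a run of wrong guesses against one account. The counter is deliberately per account, which is exactly the blind spot that spraying one password across many accounts exploits, so it belongs alongside a per-source view rather than on its own.

```python
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0           # consecutive failed attempts since the last success
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


class LoginThrottle:
    """Per-account lockout: lock after every `threshold` consecutive failures and
    multiply the lock duration by `growth` for each further lock.
    The threshold of three follows the quoted rule; base_wait and growth are assumptions."""

    def __init__(self, threshold=3, base_wait=60.0, growth=10.0):
        self.threshold = threshold
        self.base_wait = base_wait
        self.growth = growth
        self._accounts = {}

    def attempt(self, account, credentials_valid, now):
        """Return (status, wait_seconds). `now` is passed in so the policy is testable."""
        st = self._accounts.setdefault(account, AccountState())
        # Check the lock before looking at credentials: a correct password during a
        # lockout must not succeed, or the lockout would be trivially bypassed.
        if now < st.locked_until:
            return "locked", st.locked_until - now
        if credentials_valid:
            st.failures = 0
            st.locked_until = 0.0
            return "ok", 0.0
        st.failures += 1
        if st.failures % self.threshold == 0:
            lock_number = st.failures // self.threshold      # 1st lock, 2nd lock, ...
            wait = self.base_wait * (self.growth ** (lock_number - 1))
            st.locked_until = now + wait
            return "locked", wait
        return "fail", 0.0


def delay_to_exhaust(throttle, account, n_failures):
    """Total seconds spent waiting to make n consecutive wrong guesses against one
    account, assuming each retry comes the instant the current lock expires."""
    now = 0.0
    for _ in range(n_failures):
        status, wait = throttle.attempt(account, False, now)
        if status == "locked":
            now += wait
    return now


if __name__ == "__main__":
    for n in (3, 6, 9, 12):
        cost = delay_to_exhaust(LoginThrottle(), "demo", n)
        print(f"{n} wrong guesses cost {cost:.0f} s of waiting")
```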

If an organization has 100 accounts on its network and 99 percent of the members follow the rules of zero trust, that organization has achieved some measure of success in its security. That would be great, except that several studies going back a decade consistently show that 75 percent of the members on any network do not stick to these rules. The problem is that the hacker needs only one account to get in, especially that of a member who is using a weak password or recycling a string of weak passwords across multiple accounts.

“Every network has different levels of security,” said Gopi Sirineni, Chief Executive Officer (CEO) of Axiado Corporation. “You have individual credentials and then device security in the form of virtual private networks (VPNs) and mobile device management. But if one person uses a weak password, the security systems are at risk.”

These measures, however, are considered extremely time-consuming and expensive, which undermines their effectiveness. The weakness is human fallibility and laziness, which supports the argument for removing human responsibility for security and enforcing it through automation.

Authentication can be automated and monitored directly at the device level with firmware and services from companies like Keyfactor and Intrinsic ID. However, only 500 companies are in Keyfactor’s customer base worldwide, and Intrinsic ID is found only in financial transaction devices like ATM cards. A user cannot simply assume that their device uses these technologies and can be considered safe. The good news for the medical research world is that it is Keyfactor’s primary customer base. However, even if that approach were universal, it would still leave the server at the core of the network vulnerable.

There have been multiple stories in the past three years about security vulnerabilities in x86 and ARM cores, and new holes seem to pop up every few months. All it takes for a hacker to access those servers is to bribe a janitor to carry an infected Universal Serial Bus (USB) stick into a server room and plug it into the network, Sirineni pointed out. The malware can then steal credentials and infect the entire network for months before it is detected.

Finding that intrusion on its own is a major problem, since the standard microprocessors used in servers have many hiding places, including those designed as security features. Because these features are considered proprietary, the chipmakers do not want just anyone prying into the design for any reason. That is what makes the forensics of finding malware so difficult. It is also a big selling point of the open-source RISC-V platform: anyone can see what is in the chip firmware at any time.

Dany Nativel, General Manager (GM) for platform security at SiFive’s French subsidiary, pointed out that a 15-year-old architecture has a hard time with security, as patches and updates make the code more and more complex. As the complexity grows, so does the attack surface available to hackers for inserting malware. He said it is imperative that legacy systems be eliminated from networks and replaced with truly zero-trust systems, with a clear root of trust that is easily auditable. RISC-V, according to him, offers a clean slate with simplified, reduced, and more secure code running on the system on chip (SoC).

“With the exponential number of connected devices, having a clear and clean root of trust is a must-have,” he emphasized. “There have been a number of companies offering third-party patches to improve RISC-V security, but none addressed system-level security and, more importantly, the patches were not open as RISC-V is.”

Nativel said RISC-V already includes physical memory protection (PMP), which protects the core and all applications running inside it, but he admitted that it does not scale very well across multiple cores, because the same PMP configuration has to be enforced on each of the different cores.

“There is no simple way to protect your individual tasks from each other,” he said. “You need to allocate a PMP region in the core to protect each peripheral, and there are just not that many regions in the core. The key to solving these issues is the adoption of open hardware and software security solutions, so we can have a shared security scheme.”
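An added example modelling the constraint Nativel describes in the two paragraphs above; this is illustrative code, not SiFive’s or the RISC-V project’s own. A PMP unit holds a fixed number of entries, each encoded here as a NAPOT-mode pmpaddr/pmpcfg pair, so giving every peripheral its own region exhausts the table quickly, and a second core enforces the same policy only if it is provisioned with an identical table. The entry count of 8, the peripheral map and the addresses are constructed assumptions; the bit layout and NAPOT encoding follow the RISC-V privileged specification.

```python
# Bit layout of a pmpcfg byte (RISC-V privileged spec): R, W, X, A[1:0], L.
PMP_R, PMP_W, PMP_X = 1 << 0, 1 << 1, 1 << 2
PMP_A_NAPOT = 3 << 3          # address-matching mode: naturally aligned power-of-two
PMP_L = 1 << 7                # lock bit: entry also binds M-mode and cannot be changed


class PmpExhausted(Exception):
    """Raised when a region is requested but every PMP entry is already in use."""


def napot_addr(base, size):
    """Encode a NAPOT region as a pmpaddr value: (base >> 2) with log2(size) - 3 low bits set."""
    if size < 8 or size & (size - 1):
        raise ValueError("NAPOT size must be a power of two of at least 8 bytes")
    if base % size:
        raise ValueError("NAPOT base must be aligned to its size")
    return (base >> 2) | ((size >> 3) - 1)


def napot_decode(pmpaddr):
    """Recover (base, size) from a NAPOT-encoded pmpaddr value."""
    k = 0
    while (pmpaddr >> k) & 1:   # count trailing one bits
        k += 1
    size = 1 << (k + 3)
    base = (pmpaddr >> k) << (k + 2)
    return base, size


class PmpUnit:
    """One core's PMP table: a fixed number of (pmpaddr, pmpcfg) entries."""

    def __init__(self, num_entries=8):   # 8 entries is an assumed value for this model
        self.num_entries = num_entries
        self.entries = []

    def add_region(self, base, size, perms, lock=False):
        if len(self.entries) >= self.num_entries:
            raise PmpExhausted(f"all {self.num_entries} PMP entries are in use")
        cfg = perms | PMP_A_NAPOT | (PMP_L if lock else 0)
        self.entries.append((napot_addr(base, size), cfg))

    def allows(self, addr, perm):
        """Check a U/S-mode access: the lowest-numbered matching entry decides,
        and an access that matches no entry is denied."""
        for pmpaddr, cfg in self.entries:
            base, size = napot_decode(pmpaddr)
            if base <= addr < base + size:
                return bool(cfg & perm)
        return False


def provision(num_entries, peripherals):
    """Give every peripheral its own region, the one-region-per-peripheral scheme Nativel describes."""
    unit = PmpUnit(num_entries)
    for _name, base, size, perms in peripherals:
        unit.add_region(base, size, perms)
    return unit


def fits(num_entries, peripherals):
    try:
        provision(num_entries, peripherals)
    except PmpExhausted:
        return False
    return True


def same_policy(core_a, core_b):
    """Two cores enforce the same policy only if their tables are identical, entry for entry."""
    return core_a.entries == core_b.entries


# Constructed peripheral map: ten 4 KiB MMIO blocks, each needing its own region.
PERIPHERALS = [(f"periph{i}", 0x1000_0000 + i * 0x1000, 0x1000, PMP_R | PMP_W)
               for i in range(10)]

if __name__ == "__main__":
    core0 = provision(8, PERIPHERALS[:8])
    print("periph0 readable:", core0.allows(0x1000_0004, PMP_R))
    print("periph0 executable:", core0.allows(0x1000_0004, PMP_X))
    print("ten peripherals fit in 8 entries:", fits(8, PERIPHERALS))
```

Running it shows the two points in the text side by side: the ninth peripheral has nowhere to go once the eight entries are used, and a second core provisioned with even one entry fewer no longer enforces the same policy.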

Axiado agrees with Nativel, basing its approach on the holistic RISC-V platform. Rather than focus on a single point of protection, e.g., a device or a server, Axiado wants to place its protection at the edge of the cloud, between the device and the server, so that it isolates one infected device from the rest of the network and prevents other points from being infected as well.

To address forensics, Sirineni said the company is developing a “golden boot” for defense, and artificial intelligence that can detect an attack before it enters the network, as well as evaluate members’ usage. “For example, if the system detects a member suddenly increases the number of emails sent in a given period, it can isolate the account to determine if it has been hacked.” Sirineni calls this “redefining zero trust.”

The term “zero trust” was coined in 2010 by John Kindervag, then an analyst at Forrester Research Inc. and currently field Chief Technical Officer (CTO) at Palo Alto Networks. Google was the first company to adopt the term, saying it had implemented it throughout its network, and we all know how well that is working out. It is an industry buzzword, and my own pet peeve every time it is rolled out in a presentation is that we are nowhere near being able to implement it anywhere. Security functions across the internet are too easy for users and hackers to circumvent.

Nativel said SiFive’s IoT customers are getting closer to demanding security-hardened devices and systems no matter what it does to performance, but still, the problem of legacy systems with access to most networks is almost insurmountable, especially in the medical industry. It is hoped that companies like Axiado can enforce security without an international move to eliminate the legacy systems.

This article originally appeared at sister publication EEWeb.
