Security Testing in Healthcare

Guru Shankar Muthu Raj

The healthcare industry is one of the major industries targeted by cyber threats, security breaches, and malicious attacks, and at an alarming rate. Of late, five of the eight largest security breaches have affected the healthcare industry, according to the IBM X-Force Interactive Security Incidents report for the year 2015. All five incidents occurred in early 2015, with nearly 100,000,000 healthcare records compromised.

Anthem Medical Data Breach

As many as 80 million customers of the nation’s second-largest health insurance company, Anthem Inc., have had their account information stolen. The hackers gained access to Anthem’s computer system and obtained information including names, birthdays, medical IDs, Social Security numbers, street addresses, e-mail addresses, and employment information, including income data.


The healthcare industry underspends on cyber security even as the attacks accelerate. Healthcare providers are far behind other industries when it comes to protecting their data, and the number of attacks is only expected to accelerate. Healthcare providers are averaging less than 6% of their information technology budget expenditures on security, according to the survey from HIMSS Analytics, the research arm of the Healthcare Information and Management Systems Society. Meanwhile, the number of healthcare attacks over the past five years has increased by 125% as the industry has become an easy target. Personal health information is 50 times more valuable on the black market than financial information, according to the survey.

Possible attacks on a software application

  • Cross-site scripting (XSS): This exploit occurs when someone tricks a website into accepting malicious code, which is then served to other visitors, thus compromising their security. The term “cross-site” applies to an entire family of attacks in which users are tricked into doing something on a site without their knowledge or consent.

  • SQL injection: In this attack, an attacker tricks a website into running an arbitrary SQL command on the database layer of an application, usually within queries where user input is incorrectly filtered.

  • Denial of Service (DoS): This attack involves someone performing a malicious action to prevent a computer from delivering an intended service. Here, it is most often a concerted effort on the part of multiple people to prevent a site from delivering a vital service. Targets for such attacks often include applications hosted on large web servers (e.g., banks, credit card companies, government services).

  • Content spoofing: Content spoofing is when an attacker tricks an application into believing they are someone (or something) they’re not. For example, a hacker may duplicate an eCommerce site in an effort to get users to enter their credit card and personal information.

  • Buffer overflows: A complex attack to trick an app (desktop, mobile, and occasionally web) into executing malicious code. Bugs like this are hard to discover without code review, mindless automation, or evil geniuses. An overflow occurs when a program allows input to write beyond the end of the allocated buffer. This can result in an attacker gaining control of an entire operating system. Many famous exploits are based on buffer overflows.

  • Social engineering: Simply put, this exploit involves breaking computer security by tricking people, not software. This is one of the easiest ways to compromise security and one of the hardest to prevent. Examples of this breach include fake anti-virus software, which “alerts” users to recently discovered “vulnerabilities.”

  • Brute force attacks: A brute force attack is a method to determine an unknown value by using an automated process to try a large number of possible values. The attack takes advantage of the fact that the entropy of the values is smaller than perceived. For example, while an 8-character alphanumeric password can have 2.8 trillion possible values, many people will select their passwords from a much smaller subset consisting of common words and terms.

  • Remote code execution: This exploit is the ability for an attacker to access someone else’s computing device and make changes, no matter where the device is geographically located.
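The SQL injection case above, written as the kind of QA checkpoint the post argues for. This is an added example, not code from the original post: a patient-record lookup built by string concatenation sits beside the parameterised form, and one test feeds a tautology payload to both. The table, patient values and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample patient table (illustrative data, not from the post).
PATIENTS = [
    (1, "MRN-0001", "Alice Example", "O+"),
    (2, "MRN-0002", "Bob Example", "A-"),
    (3, "MRN-0003", "Carol Example", "B+"),
]


def make_db():
    """Build an in-memory database so the test runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER, mrn TEXT, name TEXT, blood_type TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", PATIENTS)
    return conn


def lookup_vulnerable(conn, mrn):
    # User input is concatenated into the query: the "incorrectly filtered" case.
    sql = "SELECT mrn, name FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, mrn):
    # Parameterised query: the input is bound as data and never parsed as SQL.
    sql = "SELECT mrn, name FROM patients WHERE mrn = ?"
    return conn.execute(sql, (mrn,)).fetchall()


# Classic tautology payload, the same probe SQL injection test tools send.
TAUTOLOGY = "' OR '1'='1"


def security_test(lookup):
    """Release checkpoint: a lookup by one MRN may return at most one record."""
    conn = make_db()
    try:
        rows = lookup(conn, TAUTOLOGY)
    except sqlite3.Error:
        return True  # no data leaked; the resulting 500 is still a bug to log
    return len(rows) <= 1  # more than one row means the payload altered the query


if __name__ == "__main__":
    print("vulnerable lookup passes:", security_test(lookup_vulnerable))  # False
    print("hardened lookup passes:", security_test(lookup_hardened))      # True
```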

Are we doing it right as software testers? Research conducted by Gartner and WhiteHat conveys that more than 75% of mobile applications fail a basic security test and 86% of websites have a serious vulnerability. According to the Open source foundation, over 1000 separate incidents are reported each year in which personally identifiable information is lost. Because the majority of these vulnerabilities are found in the application layer, there is an increased emphasis on application security testing. Security testing is now being rapidly integrated with mainstream quality assurance (QA) activities. It should be adopted as an end-to-end approach across the SDLC and treated as a checkpoint for the application release in order to enhance the customer’s confidence.

Goals of security testing

  • Confidentiality: Does our application keep your private data private?

  • Integrity: Can the data from our application be trusted and verified?

  • Authentication: Does our application check to see if you are who you say you are?

  • Authorization: Does our application properly limit privileges?

  • Availability: Can an attacker take our application offline?

  • Non-repudiation: Does our application keep records of events for later verification?

Types of security test

  • Vulnerability Scanning: This is done through automated software to scan a system against known vulnerability signatures.

  • Security Scanning: This involves identifying network and system weaknesses and then providing solutions for reducing these risks. The scanning can be performed manually or with automated tools.

  • Penetration testing: This kind of testing simulates an attack from a malicious hacker. This testing involves an analysis of a particular system to check for potential vulnerabilities to an external hacking attempt.

  • Risk Assessment: This testing involves an analysis of security risks observed in the organization. Risks are classified as Low, Medium, and High. This testing recommends controls and measures to reduce the risk.

  • Security Auditing: This is the internal inspection of applications and operating systems for security flaws. An audit can also be done via line-by-line inspection of code.

  • Ethical hacking: Hacking an organization’s software systems. Unlike malicious hackers, who steal for their own gain, the intent is to expose security flaws in the system.

  • Posture Assessment: This combines Security scanning, Ethical Hacking, and Risk Assessments to show the overall security posture of an organization.

Security Testing Best Practices:

  1. Forecast the common threats based on the application’s nature and technology, drawing on previous experience.
  2. Threat modeling for identifying vulnerabilities: Threat modeling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an app. Threat modeling is not an approach to reviewing code, but it does complement the security code review process. Including threat modeling in the app lifecycle can ensure that apps are developed with security built in from the start.
  3. Prioritize the threats based on their impact.
  4. Identify the countermeasures and incorporate them in the application.

Security testing tools

  • Wireshark: A comprehensive yet easy-to-use protocol analyzer (sniffer) that will allow you to view, filter, and analyze all network transmissions.

  • Paros: Acts as a proxy that allows the tester to intercept and modify all HTTP/S data between server and client, including cookies and form fields.

  • Burp Suite: Integrated platform for attacking web applications, which contains several interfaces for handling HTTP requests, persistence, authentication, downstream proxies, logging, alerting, and extensibility. Acts as a man-in-the-middle between client and server, thus allowing the tester to intercept and modify all HTTP requests between both parties.

  • OWASP WebScarab Project: Framework for analyzing and modifying all HTTP/S requests and responses between the browser and the server, which uses several plugins.

  • SQL Inject Me: SQL injection vulnerabilities can cause a lot of damage to a web application. A malicious user may be able to view records, delete records, drop tables, or gain access to your server. SQL Inject Me is a Firefox extension used to test for SQL injection vulnerabilities.

  • XSS Me: XSS is a common flaw found in today’s web applications, and XSS flaws can cause serious damage. Detecting XSS vulnerabilities early in the development process helps protect a web application from unnecessary flaws. XSS Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities.

  • Tamper Data: View and modify HTTP/HTTPS headers and POST parameters. It is a similar tool to Burp Suite; however, it offers only basic and limited data tampering capabilities, directly within Firefox.

Benefits of security testing to QA

Customer’s trust: Even a single incident of compromised customer data can be costly, both in negatively affecting sales and in tarnishing an organization’s public image. With customer retention costs higher than ever, no one wants to lose the loyal users they’ve worked hard to earn, and data breaches are likely to turn off new clients. Security testing helps us avoid data incidents that put our organization’s reputation and trustworthiness at stake.


©2020 by Guru Shankar Muthu Raj. 