
Computer Science Case Study: Ethical Hacking

CyberHealth Security & MedTechPro Hospital (MTPH)

Scenario

  • CyberHealth Security is hired to review cybersecurity systems at MedTechPro Hospital (MTPH).

  • MTPH relies heavily on electronic health records (EHRs), internal communications, and IoT medical devices.

  • The team must conduct penetration testing to uncover vulnerabilities using the Penetration Testing Execution Standard (PTES).

Penetration Testing Execution Standard (PTES)

  • A structured approach to penetration testing and reporting results.

  • Consists of seven phases:

    1. Pre-engagement interactions

    2. Intelligence gathering

    3. Threat modelling

    4. Vulnerability analysis

    5. Exploitation

    6. Post-exploitation

    7. Reporting

Phase 1: Pre-engagement Interactions

  • Collaboration between CyberHealth Security and MTPH to define:

    • Goals

    • Scope

    • Rules of engagement

    • Logistics

    • Testing approaches

    • Timeline

  • Ensures alignment with hospital operations, security concerns, and ethical standards.

Goal Setting and Target Identification

  • Establish clear test objectives based on MTPH's key concerns:

    • Patient data integrity

    • Uninterrupted service delivery

    • Compliance with health sector regulations

  • Identify specific targets within the hospital’s network:

    • Patient record databases

    • IoT-enabled medical devices

Defining Scope and Rules of Engagement

  • Confirm test boundaries to avoid disruption to critical operations.

  • Agree on rules of engagement to ensure mutual understanding of testing methods and extent.
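An agreed scope and rules of engagement only protect the hospital if every test action is checked against them. The following is an added example (not part of the case study) of such a check: the network ranges, the excluded critical-device VLAN, the overnight window and the authorization record are constructed placeholder values, not MTPH's real agreement.

```python
import ipaddress
from datetime import datetime, time

# Constructed rules of engagement for the engagement (hypothetical values, not MTPH's real ranges).
RULES_OF_ENGAGEMENT = {
    "in_scope": ["10.20.0.0/16", "203.0.113.0/24"],   # records-database segment and public web range
    "excluded": ["10.20.5.0/24"],                       # life-support / infusion-pump VLAN: never tested
    "window": (time(22, 0), time(6, 0)),                # overnight, to avoid disrupting clinical work
    "authorized_by": "MTPH CISO, signed authorization on file",
}

def in_window(now: datetime, window) -> bool:
    """True if the local time falls inside the agreed window (which may wrap past midnight)."""
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end   # e.g. 22:00-06:00 wraps midnight

def check_target(target_ip: str, when: str, roe=RULES_OF_ENGAGEMENT) -> tuple:
    """Return (allowed, reason) for testing target_ip at ISO-8601 local time `when`.
    Exclusions are checked first so a critical device is refused even if its subnet is in scope."""
    ip = ipaddress.ip_address(target_ip)
    now = datetime.fromisoformat(when)
    if any(ip in ipaddress.ip_network(net) for net in roe["excluded"]):
        return False, "target is on the excluded critical-device network"
    if not any(ip in ipaddress.ip_network(net) for net in roe["in_scope"]):
        return False, "target is outside the agreed scope"
    if not in_window(now, roe["window"]):
        return False, "outside the agreed testing window"
    return True, "authorized: " + roe["authorized_by"]

def filter_targets(targets, when: str):
    """Split a proposed target list into (allowed, refused_with_reason) for the tester's log."""
    allowed, refused = [], []
    for ip in targets:
        ok, reason = check_target(ip, when)
        (allowed if ok else refused).append(ip if ok else (ip, reason))
    return allowed, refused
```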

Testing Approaches

  • Consider implications of:

    • Black box testing

    • White box testing

    • Grey box testing

Black Box Testing

  • Simulates an attack from an uninformed external hacker.

  • Considers immediately apparent vulnerabilities.

White Box Testing

  • In-depth analysis with full knowledge of the hospital’s IT infrastructure.

  • Requires access to network diagrams, system configurations, and known vulnerabilities.

Grey Box Testing

  • Mixture of black box and white box testing.

  • Uses partial knowledge of the hospital’s systems.

  • Simulates an insider threat or external hacker with partial inside information.

Phase 2: Intelligence Gathering

  • Collect publicly available information on MTPH to identify potential vulnerabilities.

  • Employ Open-Source Intelligence (OSINT) techniques using:

    • Search engines

    • Social media

    • Forums

    • Internet-facing resources

  • Create a map of the hospital’s external presence.

Examples of Information Gathered Using OSINT:

  • Employee details: Analysis of staff's social media presence (especially IT and admin).

  • Technology usage: Insights into software and hardware solutions from public sources.

  • Security policies: Examination of publicly available security policies and procedures.

Reconnaissance Techniques:

  • Gathering targeted information: Using search engine dorking to find exposed sensitive files or login portals.

  • Network scanning and mapping: Identifying network topologies, including internal/external servers and firewalls. Key activities include:

    • Port scanning

    • OS detection

    • Network topology mapping

    • Cataloguing the IP addresses of all devices

  • Social engineering reconnaissance: Using vishing (voice phishing) or pretexting to gather information from employees.
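From MTPH's side, the port scanning and network mapping described above leave a footprint in firewall logs, and the incident-detection part of the response plan should pick it up. The following is an added example (not from the case study) of a simple detector: the log lines are constructed in a syslog-like format, one source probing several ports on one server and another sweeping port 104 (the DICOM imaging port) across the device VLAN; the field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not real MTPH data).
LOG_LINES = """\
2024-03-01T23:40:01 DENY src=198.51.100.7 dst=10.20.3.10 dport=21 proto=TCP
2024-03-01T23:40:01 DENY src=198.51.100.7 dst=10.20.3.10 dport=22 proto=TCP
2024-03-01T23:40:02 DENY src=198.51.100.7 dst=10.20.3.10 dport=23 proto=TCP
2024-03-01T23:40:03 DENY src=198.51.100.7 dst=10.20.3.10 dport=3389 proto=TCP
2024-03-01T23:41:10 ALLOW src=10.20.7.15 dst=10.20.3.10 dport=443 proto=TCP
2024-03-01T23:45:00 DENY src=10.20.9.9 dst=10.20.5.1 dport=104 proto=TCP
2024-03-01T23:45:01 DENY src=10.20.9.9 dst=10.20.5.2 dport=104 proto=TCP
2024-03-01T23:45:01 DENY src=10.20.9.9 dst=10.20.5.3 dport=104 proto=TCP
2024-03-01T23:45:02 DENY src=10.20.9.9 dst=10.20.5.4 dport=104 proto=TCP
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?:ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse(text):
    """Return (timestamp, src, dst, dport) tuples for every line matching the assumed log format."""
    out = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        out.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return out

def detect_scans(events, window=timedelta(seconds=60), threshold=4):
    """Flag a source that hits >= threshold distinct ports on one host (vertical scan) or
    >= threshold distinct hosts on one port (horizontal sweep) inside any sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))
    alerts = {}   # (kind, src, target) -> largest count seen in any window
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for ts, dst, dport in evs[i:]:
                if ts - t0 > window:
                    break            # events are sorted, so the window has closed
                ports_per_host[dst].add(dport)
                hosts_per_port[dport].add(dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= threshold:
                    key = ("vertical_scan", src, dst)
                    alerts[key] = max(alerts.get(key, 0), len(ports))
            for dport, hosts in hosts_per_port.items():
                if len(hosts) >= threshold:
                    key = ("horizontal_sweep", src, dport)
                    alerts[key] = max(alerts.get(key, 0), len(hosts))
    return sorted(key + (n,) for key, n in alerts.items())
```

The ordinary ALLOW entry from a staff workstation never crosses the threshold, which is the point of counting distinct ports and hosts per source rather than raw hits.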

Phase 3: Threat Modelling

  • Conduct a detailed threat analysis of MTPH's cybersecurity, which involves:

    1. Identifying potential adversaries: Cybercriminals seeking patient data or insiders.

    2. Assessing hacker capabilities and intentions: Analysing what adversaries can do and how they might use accessed data.

    3. Methods of exploitation: Documenting how adversaries might exploit vulnerabilities (malware, social engineering, network attacks).

    4. Valuable asset evaluation: Determining critical assets like EHRs and impact of their compromise.

    5. Prioritization of security efforts: Focusing penetration testing on the most valuable and vulnerable areas.

Phase 4: Vulnerability Analysis

  • Employ automated tools and manual techniques for a thorough vulnerability analysis.

    1. Scanning for vulnerabilities: Using automated tools to identify known vulnerabilities.

    2. Manual examination: Combining automated scans with manual checks for subtle or complex vulnerabilities.

    3. Assessment of weaknesses: Evaluating the potential impact of identified vulnerabilities.

    4. Prioritization: Determining critical vulnerabilities based on ease of exploitation and potential damage.
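The asset valuation of Phase 3 and the prioritization step of Phase 4 (ease of exploitation against potential damage) can be made explicit as a scoring model. The following is an added example, not part of the case study: the asset inventory, findings, scores and exposure weights are constructed illustrative values, and the scoring formula itself is an assumption chosen for the exercise rather than a standard.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int   # 1-5: harm if the data is disclosed (patient privacy, regulation)
    availability: int      # 1-5: harm if the service stops (patient safety)
    exposure: str          # "internet", "internal" or "isolated"

@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    ease: int              # 1-5: ease of exploitation (5 = trivial, no authentication needed)
    grants: str            # what success yields: "data", "control" or "dos"

# Constructed threat-model inventory and scan findings for MTPH (illustrative, not real data).
ASSETS = {
    "ehr-db":         Asset("ehr-db", 5, 4, "internal"),
    "patient-portal": Asset("patient-portal", 5, 3, "internet"),
    "infusion-pump":  Asset("infusion-pump", 2, 5, "isolated"),
    "staff-wiki":     Asset("staff-wiki", 2, 1, "internal"),
}
FINDINGS = [
    Finding("patient-portal", "SQL injection in appointment search", 5, "data"),
    Finding("infusion-pump", "Unauthenticated firmware update service", 3, "control"),
    Finding("ehr-db", "Weak service-account password", 3, "data"),
    Finding("staff-wiki", "Reflected XSS in search", 4, "control"),
]
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.7, "isolated": 0.4}   # assumed reachability

def risk_score(f: Finding, assets=ASSETS) -> float:
    """Likelihood (ease x reachability) times the impact dimension the finding actually affects."""
    a = assets[f.asset]
    impact = {"data": a.confidentiality, "dos": a.availability,
              "control": max(a.confidentiality, a.availability)}[f.grants]
    return round(f.ease * EXPOSURE_WEIGHT[a.exposure] * impact, 1)

def prioritize(findings=FINDINGS, assets=ASSETS):
    """Return (score, asset, title) from most to least urgent, the order testing effort follows."""
    scored = [(risk_score(f, assets), f.asset, f.title) for f in findings]
    return sorted(scored, key=lambda row: -row[0])
```

Note how the isolated infusion pump ranks below the internally reachable records database despite its patient-safety weight; the exposure weight is doing that, and it is exactly the kind of modelling choice the team should document and challenge.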

Phase 5: Exploitation

  • Initiate the exploitation phase once vulnerabilities have been identified.

    • Targeted breaching attempts: Using specific techniques to exploit identified vulnerabilities.

    • Exploit development: Crafting custom scripts or tools tailored to specific vulnerabilities.

    • Employing various techniques: Including SQL injection, cross-site scripting (XSS), buffer overflow attacks, and password cracking tools.

    • Assessing the impact: Seeking to understand potential damage or access achieved through successful exploitation.
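SQL injection against a patient-record lookup is the technique most directly tied to MTPH's patient databases, so the following added example (not from the case study) shows why the vulnerable pattern fails and what the hardened form looks like. It uses an in-memory SQLite table with constructed rows as a stand-in for the records database; the record-number format `MRN-nnnn` is an assumption.

```python
import re
import sqlite3

def build_db():
    """In-memory stand-in for the patient-records database, seeded with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, mrn TEXT, name TEXT, diagnosis TEXT)")
    db.executemany("INSERT INTO patients (mrn, name, diagnosis) VALUES (?, ?, ?)", [
        ("MRN-1001", "A. Example", "constructed"),
        ("MRN-1002", "B. Example", "constructed"),
        ("MRN-1003", "C. Example", "constructed"),
    ])
    return db

def lookup_vulnerable(db, mrn):
    """Vulnerable: the caller's input is pasted into the SQL text, so a quote in the input
    changes the query's structure and a tautology such as ' OR '1'='1 returns every row."""
    sql = f"SELECT mrn, name FROM patients WHERE mrn = '{mrn}'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, mrn):
    """Fixed: the driver binds the input as a value, never as SQL, so the same
    input simply fails to match any record number."""
    return db.execute("SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)).fetchall()

def lookup_validated(db, mrn):
    """Defence in depth: reject anything that is not a well-formed record number before
    the query runs, which also gives the application a clear event to log and alert on."""
    if not re.fullmatch(r"MRN-\d{4}", mrn):
        raise ValueError("invalid medical record number")
    return lookup_parameterized(db, mrn)
```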

Phase 6: Post-exploitation

  • Assess the consequences of exploited vulnerabilities.

    • Data access and analysis: Investigating types of sensitive data accessible post-breach.

    • Privilege escalation: Examining the extent to which access can be increased.

    • Establishing persistence: Evaluating methods to maintain long-term access.

    • Operational impact assessment: Assessing the potential impact on hospital services and patient safety.

    • System forensics and malware analysis: Analysing traces left by exploitation. Examining system logs, detecting malware, or identifying system configuration changes.

Phase 7: Reporting

  • Compile a comprehensive report of the penetration testing.

    • Vulnerability and exploitation details: Overview of vulnerabilities, methods used, and potential impact.

    • Actionable recommendations: Prioritized suggestions for mitigating security risks.

    • Security posture assessment: Holistic analysis of cybersecurity strengths and weaknesses.

  • Enable the IT team at MTPH to develop a response plan: Incident detection, response strategies, and recovery processes.

Ethical Considerations

  • Address ethical considerations before any penetration testing.

    • Proper authorization

    • Data confidentiality and integrity

    • Non-disruption of services

    • Reporting and responsiveness

Challenges Faced

  • Evaluating black box, white box, and grey box penetration testing approaches.

  • Explaining how to maintain operational continuity and protect data during vulnerability testing.

  • Investigating how network scanning, network mapping, and OSINT tools can be used.

  • Developing a response plan (incident detection, response, recovery).

  • Discussing the ethical implications of penetration testing at MTPH.

Additional Terminology

  • Buffer overflow attacks: An anomaly where a program writes data beyond the allocated buffer, potentially causing a crash or allowing malicious code execution.

  • Cross-site scripting (XSS): A type of web security vulnerability where malicious scripts are injected into websites, allowing attackers to execute code in the browsers of unsuspecting users.

  • Exploit development: The process of creating or modifying exploit code to take advantage of software or system vulnerabilities.

  • Hacker: An individual who seeks to breach and exploit computer systems or networks.

  • IP address: A numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.

  • Malware: Malicious software intended to cause damage to, or perform unauthorized actions on, computer systems.

  • Network mapping: The process of discovering and documenting the structure of a network, including devices, connections, and configurations.

  • Network scanning: The process of scanning a network to identify active hosts, services, and open ports.

  • Network topology: The arrangement of a network, including nodes and connecting lines, describing how devices are connected.

  • Open-source intelligence (OSINT): Techniques used to collect and analyze information from publicly available sources to gather intelligence.

  • OS detection: Techniques used to determine the operating system and version running on a target computer or network device.

  • Password cracking tool: A tool or technique used to recover passwords from stored or transmitted data.

  • Penetration testing: A method of evaluating the security of a computer system or network by simulating an attack to identify vulnerabilities.

  • Port scanning: The process of scanning a network to identify open ports and services running on them.

  • Pretexting: The act of creating a fabricated scenario to persuade someone to divulge information.

  • Response plan: A structured plan that outlines procedures for identifying, responding to, and recovering from security incidents.

  • Search engine dorking: Using advanced search engine techniques to locate specific information or vulnerabilities.

  • Security posture assessment: A comprehensive evaluation of an organization's security measures, including policies, procedures, and technical controls.

  • Social engineering attacks: The use of psychological manipulation to trick individuals into divulging confidential information or performing actions.

  • SQL injection: A type of security exploit where