Security Assessment Report (SAE) of Hospital Windows Operating System

 Security Assessment Report

1. Purpose 

This Security Assessment Report (SAR) is in response to a recent breach of Bluebird Hospital’s Windows operating system (OS). An employee’s email was infected with a malware virus known to infect users via phishing emails containing malicious links. Over 1,000 patients PHI was compromised in the breach. Bluebird is operating on an outdated version of Windows XP that was released in 2001. Operating on outdated system makes Bluebird an easy target for attackers that exploit known software vulnerabilities in older systems. This security assessment report will document the results that will show the necessary measures that are needed to successfully achieve compliance with the organizational security requirements.

2. Scope

This SAR will examine the Windows and Linux operating systems. Windows OS, developed by Microsoft, allows users to navigate through several programs and open numerous windows simultaneously. Linux is an open-source operational system that has easily available program codes for software developers. Linux is considered one of the most tested operational systems in the world and is used by thousands of programming developers (Elson, 2000).

3. OS Overview

• Operating system (OS). A set of programs that manage the communication between the software and hardware on a computer network. The entirety of the computer environment makes up the operating system (Elson, 2000).
• Information system (IS). A distribution of information that is made of multiples pieces of equipment such as hardware, software, computer system connections, and information system users.

4. OS Vulnerabilities

An OS vulnerability is a weakness in the information system that can be exposed by a threat actors. This can result in a detrimental impact in the protection of the CIA of Bluebird’s information system. A vulnerability in a network can be due to a flaw in a design or error that can lead to a malicious attack from local or remote users. Vulnerabilities can appear in all areas of your system if not protected (Chen, Mao, Wang, Zhou, Zeldovich, Kaashoek, and Csail, 2016). The following outlines some vulnerabilities in Bluebird’s current operating systems:

1. Windows vulnerabilities. Windows based operating systems have more known vulnerabilities than any other platform. One known vulnerability is the 0-day privilege escalation. This is a buffer overflow in kernel that allows potential attackers to invade user access controls in Windows systems (Zdrnja, 2016).
2. Linux vulnerabilities. Linux is one of the most tested operating systems in the world which makes vulnerabilities easier to discover. Two newly discovered vulnerabilities are discussed in detail below.

1. Missing pointer checks lead to memory corruption by the kernel, allowing bugs authorization to read and write random kernel memory locations.
2. Missing permission checks allows the kernel to perform privileged operation without checking whether the calling process has the privilege to do so (Chen, Mao, Wang, Zhou, Zeldovich, Kaashoek, and Csail, 2016). 

3. Mac OS vulnerabilities.
   1. Allows local users to perform attacks impersonating something unidentified through unspecified injection.
4. Vulnerabilities of medical devices. Many of Bluebird’s medical devices are supported on outdated operating systems. The lab machines used by Bluebird employees has several versions of Windows that are out of date. More than 97% of medical devices cannot have antimalware software added to them because the manufacturer has not validated it in accordance with FDA guidelines (Brost, 2014). Most of the medical devices used by Bluebird hospital does not have data encryption supported data encryption capabilities. This makes the equipment highly susceptible to cyber-attacks.

5. Motives and methods for intrusion of the Microsoft and Linux operating systems.

Healthcare data such as Bluebird’s is tremendously valuable to cyber-attackers. Health insurance credentials have a value perhaps of 10 times to 20 times that of a credit card. Cyber-attackers know that healthcare networks are quite vulnerable and offer considerable reward .Understanding the motives behind Bluebird’s targeted attack of Windows and Linux is important because it can help our software developers understand what cyber attackers are after. Understanding and knowing the motives can help our organization protect the system from future attacks on our system. We can also get an insight on what the attackers are capable of. Our Bluebird’s confidential information records are one of the top targets for cyber criminals. The information can range from customer information, business critical information, or intellectual property.

In order for Bluebirds organization to protect its system from intrusion we must first identify the types of intrusions we are exposed to without protection.

1. SQL injection (Structured Query Language). Commands that can read or modify data from a database. Attackers used advanced variations of SQL to write random files to the server. This is used to follow out operational commands that can completely override the system and cause denial of service and data loss.
2. Xml injection (Extensible Markup Language). An attacker inserts malicious data into XML which resides on the server. The impact it has on OS Ability to modify or remove data that should not be accessed.

Bluebird needs to protect its system from future attacks. Security awareness technologies are needed such as intrusion detection systems in order for this to happen. Intrusion detection is the attempt to monitor and possibly prevent attackers from intruding into your system and network resources. Intrusion Detection systems for Windows fall into two broad categories network based systems and hot bases systems (Elson, 2000).

1. Network based systems. This type of network is positioned near the system to keep track of network traffic to determine what is acceptable.
2. Host based systems. These systems are mostly installed in systems that are susceptible to attacks. They collect data on the on the system they are installed on to gather information (Bace, 2005).

The two main kernel intrusion detection systems for Linux systems are OpenWall and LIDS. These two intrusion detection systems prevent buffer overflows, increase file system protection, block signals, and make it difficult for attackers to override an information system (Elson, 2000).

6. Vulnerability Assessment
   1. Plan and Methodology

With understanding the types of attacks and damage Bluebird hospital has been exposed to a plan has been developed to identify vulnerabilities using tools such as MBSA (Microsoft Baseline Security Analyzer) and OpenVas (Open Vulnerability Assessment System). MBSA looks for missing security patches and security misconfigurations to find out the potential security issues the system will be faced with. MBSA identifies issues within operational system as well as Microsoft services and applications such as the SQL server (Chauhan, 2012).

1. MBSA. An MBSA scan can decrease possible threats to a computer system. MBSA vulnerability tool can help secure Bluebird’s network or it can be used by potential attackers to identify weaknesses in our system. That same attack can be used by Bluebird to identify weaknesses before the attackers find them first. (Chauhan, 2012).

When running MBSA reports several indicators appear to inform you of system vulnerabilities such as employees who have expired passwords or if their computer system needs to be updated shown in Figure 1.

Vulnerability Check	Meaning
	This vulnerability check is used when a major check has failed
	This vulnerability check appears when something that is less major occurs in your system.
	This check appears when nothing has failed
	This check is used to determine if everything is properly updated
	This check is used to give information on what is being examined

Figure 1. Interpreting scan MBSA scan indicators (Chauhan, 2012).

ii. OpenVas. A framework that scans your system and reports any vulnerabilities. OpenVAS then provides a detail description of what security issues are within your system. It offers details on what the problem entails and solution on how to fix it.

V. Recommendations

From performing an in depth analysis on Bluebird’s system when running the MBSA and OpenVas it was found that our system had several vulnerabilities. The list of recognized vulnerabilities identified and recommendations are listed by priority.

1. Finding 1. It was found that firewall connections were off. This could make our system highly vulnerable to cyber attackers. Firewall connection needs to be on at all times. Information systems can be comprised due to no protection.
2. Finding 2. MBSA identified that 19 out of 20 employees have non expiring passwords. A recommendation is that passwords should be renewed every 30 days.
3. Finding 3. 1 out of 20 employees have blank or simple passwords.  A recommendation would be that each employee should be at least 10 characters long consisting of uppercase letters, lowercase letters, special characters, and numbers. No passwords should consist of the employees name or important dates.
4. Finding 4. OpenVAS has identified that there are several weak encryption algorithms. This could make it easy for hackers to break in to our system because we are not properly protected.
5. Finding 5. MBSA identified that the computer was under 5 administrator accounts. No computer should be connected to more than one administrator. According to Bluebird security policy all computers are open to one administrator at a time. This could lead to someone breaching in to the system due to them having access.

Being exposed to these risks can be mitigated by enforcing all recommendations in company policy. If the recommendations are enforced Bluebird’s system can be exposed to intruders who can exploit the password weaknesses and break into the system.

7. Conclusion

Bluebird’s information system suffered vulnerabilities that were exposed using MSBA and OpenVas. Upper management has to take in consideration the risks Bluebird will be exposed if the recommendations given to them in this report is not executed. Management should update policies to enforce staff of all Bluebirds system infrastructure.

 

References

• Bace, R. (2005). Use offense to inform defense. Find flaws before the bad guys do. Found at: https://cyber-defense.sans.org/resources/papers/gsec/host-vs-network-based-intrusion-detection-systems-102574
• Brost, D. (2014). Beware these nine medical device vulnerabilities. Found at: http://eds.a.ebscohost.com.ezproxy.umuc.edu/eds/pdfviewer/pdfviewer?vid=5&sid=25c04772-0fc9-443f-bae7-f3a052055a91%40sessionmgr4007
• Chen, H., Mao, Y., Wang, X., Zhou, D., Zeldovich, N., Kaashoek, M, and Csail, M., (2016). Linux kernel vulnerabilities: State-of-the-art defenses and open problems. Found at:  https://content.umuc.edu/file/6aa8bfb8-7053-4fed-94f6-2547e454c501/1/web/viewer.html?file=https://content.umuc.edu/file/1ee4d6fa-2bf2-48dd-8a57-25bc15b6a0f1/1/LinuxKernelVulnerabilitiesStateoftheArtDefensesandOpenProblems.pdf
• Elson, D. (2000). Intrusion detection, theory, and practice. Found at: https://www.symantec.com/connect/articles/intrusion-detection-theory-and-practice
• Zdrnja, B. (2016) Privilege escalation 0-day in almost all windows versions. Found at: https://content.umuc.edu/file/6aa8bfb8-7053-4fed-94f6-2547e454c501/1/web/viewer.html?file=https://content.umuc.edu/file/66753910-c294-42b0-9ad0-b355c36b835c/1/PrivilegeEscalation.pdf