Our Physical Security Awareness Campaign

The CV19 volunteers’ mission is to protect the people who protect our health. The group was formed by three cyber security professionals, who were quickly joined by thousands of other volunteers offering pro bono support to healthcare during the COVID-19 pandemic. I felt privileged to be approached to lead the awareness project, and the Cygenta team quickly and enthusiastically joined me, especially Madeline Howard. We designed and delivered the first awareness campaign, with a focus on phishing, and were delighted to see it receive such a positive response. We’re proud to contribute our efforts to CV19 and to publish our second awareness campaign now.

Why are the cyber volunteers launching a physical security campaign?

While hospitals have been busy responding to the COVID-19 crisis, they are also being targeted by criminals. At CV19, we have received reports of many physical security attacks that are taking advantage of the crisis including thefts of PPE, hand sanitiser and healthcare workers’ identity badges. This is a widespread issue which has been flagged to us by healthcare providers across the UK and Europe. 

Some reports suggest that these physical security issues are becoming more pressing, with hospitals becoming more open as many countries emerge from lockdown.

Physical security is always an issue in hospitals, partly because so many areas of a hospital are open to the public. But as we continue to deal with the COVID-19 pandemic, protecting these hospitals and healthcare staff is more important than ever.

You can see all of the campaign resources and download them here.

Video for the CV19 physical security awareness campaign

Why did you pick this issue for this awareness campaign?

We picked physical security for the awareness campaign based on our experience and consultations with the healthcare organisations that CV19 has been supporting.

At Cygenta, we work with many healthcare institutions and so we understand their security pain points. In a recent social engineering assessment of a hospital (before the pandemic), we were able to access unlocked computers and get our hands on identity badges and scrubs. In a social engineering assessment, we test the security of an organisation or building by attempting to compromise it in much the same way that criminals would. The difference is that we don’t break the law: we have a contract to do it, and we provide a report of recommendations to improve security.

On a social engineering assessment of a hospital, we (Cygenta) were able to get hold of important resources

Through the CV19 group, we have heard of reports that hospitals have been targeted for their PPE, hand sanitiser, medicine and even loo roll during the pandemic. We have also been informed of cases where healthcare workers have had their identity badges stolen, presumably either to access restricted areas of a hospital or to fraudulently exploit goodwill offers made available to healthcare workers in recognition of their incredible efforts in the face of COVID-19. 

What do healthcare providers do about these issues and how can the cyber volunteers help?

It is important to be aware of the issues, first and foremost, and then to act on that awareness. We have highlighted three fundamental behaviours for healthcare workers to focus on when it comes to physical security:

  1. Protect your PPE

Thieves are targeting this precious resource

  2. Wear your ID badges inside, never out

Your colleagues need to know who you are but criminals don’t

  3. Log off your computers

Don’t leave your devices open to anyone else

We have produced this campaign to raise awareness of physical security in healthcare. We would like you to share the campaign, download the resources and use them to spread the word!

You can see all of the resources and download them here.

Poster for the CV19 physical security awareness campaign

About CV19

The Cyber Volunteers 19 (CV19) group was founded to provide pro bono advice, guidance and assistance to healthcare providers across Europe during the pandemic. We can help hospitals with threat intelligence, free awareness materials for staff, advice on current threats and vulnerabilities, and help identifying the risks and vulnerabilities specific to your organisation. If you would like any help or advice, please visit our website for more information and get in touch.

Threat Intel Week 27, 2020

F5 Traffic Management User Interface (TMUI) Remote Code Execution (CVE-2020-5902) & XSS (CVE-2020-5903)

https://support.f5.com/csp/article/K52145254

https://support.f5.com/csp/article/K43638305

A critical vulnerability (CVE-2020-5902) in the Traffic Management User Interface allows remote code execution by an unauthenticated attacker who can reach the interface over the network. The flaw is in the management interface; good practice is to keep such interfaces on a private, restricted network, but we know this is not always the case, as this Shodan search on the BIG-IP login page favicon shows:

https://www.shodan.io/search?query=http.favicon.hash%3A-335242539

Proof-of-concept exploits for this vulnerability are public and being used in the wild, covering the path traversal (which gives unauthenticated file read) through to remote code execution. The Metasploit module and a public write-up of the HTTP requests involved are here:

https://github.com/rapid7/metasploit-framework/pull/13807

https://github.com/jas502n/CVE-2020-5902/
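The public proof-of-concept requests share one tell-tale feature: a `..;` path segment appended to `/tmui/login.jsp`. The Apache httpd in front of TMUI treats that segment as an ordinary directory name, but the Tomcat application server behind it resolves it as a traversal, so an unauthenticated request lands on the workspace JSPs (fileRead.jsp, tmshCmd.jsp, directoryList.jsp and friends). The following is an added example written for this post, not code from F5, CV19 or the linked repositories: it scans web-server access logs for that pattern, decoding percent-encoded variants first so `%2E%2E;` and double-encoded forms are caught too. The log lines are constructed in Apache combined format; adapt the regular expression if your proxy or SIEM stores requests differently.

```python
"""Spot CVE-2020-5902 (F5 BIG-IP TMUI) exploitation attempts in access logs.

Added example for this post; not code from F5, CV19 or the linked PoC repos.
The log lines below are constructed (Apache combined format) to illustrate the
request shapes seen in the public proof-of-concept exploits.
"""
import re
from urllib.parse import unquote

# Constructed sample traffic. Lines 2-4 mirror the public PoC requests; the last
# two show an authenticated administrator using the workspace file editor
# normally, which must not be flagged.
SAMPLE_LOG = r"""
203.0.113.10 - - [03/Jul/2020:10:14:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5320 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Jul/2020:10:14:05 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 2140 "-" "python-requests/2.23.0"
203.0.113.10 - - [03/Jul/2020:10:14:09 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 880 "-" "python-requests/2.23.0"
198.51.100.7 - - [03/Jul/2020:10:15:00 +0000] "GET /tmui/login.jsp/%2E%2E;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/usr/local/www/ HTTP/1.1" 404 0 "-" "curl/7.68.0"
192.0.2.44 - - [03/Jul/2020:10:16:30 +0000] "POST /tmui/login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Jul/2020:10:16:35 +0000] "GET /tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf HTTP/1.1" 200 31000 "-" "Mozilla/5.0"
"""

# Apache combined log prefix: client, identity, user, [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# The traversal marker: a ".." directory followed by a ";" path parameter.
TRAVERSAL_RE = re.compile(r"\.\.;")
# Endpoints the public PoCs reach through the traversal (file read/write,
# tmsh command execution, directory listing, the embedded HSQLDB).
SENSITIVE_TARGETS = ("filesave.jsp", "fileread.jsp", "tmshcmd.jsp", "directorylist.jsp", "hsqldb")


def normalise_path(target: str) -> str:
    """Strip the query string and percent-decode until stable, so that
    %2E%2E; and double-encoded %252E%252E; both collapse to ..; ."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def classify(target: str):
    """Return (severity, reason) for a suspicious /tmui/ request, else None."""
    path = normalise_path(target)
    if not path.startswith("/tmui/"):
        return None
    if TRAVERSAL_RE.search(path):
        hit = next((t for t in SENSITIVE_TARGETS if t in path), None)
        return ("high", f"..; traversal to {hit}" if hit else "..; traversal under /tmui/")
    if ";" in path:
        # Path parameters are not part of normal TMUI browsing; treat as a
        # lower-confidence sign of someone probing for bypass variants.
        return ("medium", "semicolon path parameter under /tmui/")
    return None


def scan(log_text: str) -> list:
    """Parse each line and collect the requests that classify() flags."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m.group("target"))
        if verdict is None:
            continue
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "severity": verdict[0],
            "reason": verdict[1],
            # 200 means the traversal got through; 404 suggests the device was
            # patched or the interim httpd mitigation rejected the request.
            "succeeded": m.group("status") == "200",
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it against the TMUI httpd logs (or the logs of whatever sits in front of the management interface) for the whole period the device was exposed; a flagged request with a 200 response means an attacker read files or ran tmsh commands before you patched, and the device should be treated as compromised rather than merely vulnerable.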

We strongly recommend that management interfaces are not exposed to the internet. Consider:

  • Removing the interface from the internet
  • Using IP whitelisting to restrict traffic flows
  • Using a VPN and/or jump box solution to perform sensitive remote administration tasks
  • Restricting access to a dedicated management traffic interface/route
  • Patching the vulnerable devices to a fixed version listed in F5's advisory (K52145254)

Palo Alto Networks PAN-OS SAML Authentication Bypass (CVE-2020-2021)

https://security.paloaltonetworks.com/CVE-2020-2021

When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

This vulnerability only applies under a specific configuration (one that goes against Palo Alto Networks' own deployment best practice), so whilst it is still rated critical, the right response is a configuration review of every PAN-OS feature that uses SAML authentication (GlobalProtect portals and gateways, Captive Portal and the management web interface), followed by whatever remediation the advisory calls for.
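As an added example for that configuration review (not Palo Alto Networks tooling nor CV19 code), the script below walks an exported PAN-OS XML configuration and reports the SAML IdP server profiles whose certificate validation is disabled, together with the authentication profiles that depend on them. The element names it looks for (`validate-idp-certificate` inside each SAML IdP entry, and `server-profile` under `saml-idp` in an authentication profile's method) are assumptions about the export format; check them against your own configuration before relying on the output. The sample configuration is constructed.

```python
"""Configuration review for CVE-2020-2021: list PAN-OS SAML IdP server profiles
with 'Validate Identity Provider Certificate' disabled, and the authentication
profiles that depend on them.

Added example for this post, not Palo Alto Networks or CV19 code. It parses an
exported PAN-OS XML configuration. ASSUMED (verify against your own export):
the checkbox is stored as <validate-idp-certificate>yes|no</...> inside each
SAML IdP <entry name="...">, and authentication profiles reference the IdP
profile through <method><saml-idp><server-profile>NAME</server-profile>.
The configuration below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """
<config version="9.1.0">
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="corp-idp">
          <entity-id>https://idp.example.org/saml</entity-id>
          <sso-url>https://idp.example.org/sso</sso-url>
          <certificate>idp-signing-cert</certificate>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="partner-idp">
          <entity-id>https://sso.partner.example/saml</entity-id>
          <sso-url>https://sso.partner.example/sso</sso-url>
          <certificate>partner-ca-cert</certificate>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
        <entry name="legacy-idp">
          <entity-id>https://legacy.example.org/saml</entity-id>
          <sso-url>https://legacy.example.org/sso</sso-url>
          <certificate>legacy-cert</certificate>
        </entry>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="gp-saml-auth">
        <method><saml-idp><server-profile>corp-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="admin-saml-auth">
        <method><saml-idp><server-profile>partner-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="local-auth">
        <method><local-database/></method>
      </entry>
    </authentication-profile>
  </shared>
</config>
"""


def _parent_map(root):
    """ElementTree has no parent pointers, so build a child -> parent map."""
    return {child: parent for parent in root.iter() for child in parent}


def _enclosing_entry_name(elem, parents):
    """Walk up to the nearest <entry name="..."> and return its name."""
    while elem is not None:
        if elem.tag == "entry" and elem.get("name"):
            return elem.get("name")
        elem = parents.get(elem)
    return None


def review(xml_text: str) -> dict:
    """Return weak IdP profiles, profiles whose setting is absent from the
    export, and the authentication profiles that use the weak ones."""
    root = ET.fromstring(xml_text.strip())
    parents = _parent_map(root)
    weak, unverified = [], []
    # IdP definitions live as <entry> children of a <saml-idp> container.
    for container in root.iter("saml-idp"):
        for entry in container.findall("entry"):
            flag = entry.find("validate-idp-certificate")  # assumed element name
            if flag is None:
                unverified.append(entry.get("name"))       # do not assume safe
            elif (flag.text or "").strip().lower() != "yes":
                weak.append(entry.get("name"))
    affected = {}
    # Authentication profiles reference an IdP via <saml-idp><server-profile>.
    for ref in root.iter("server-profile"):
        parent = parents.get(ref)
        if parent is None or parent.tag != "saml-idp" or not ref.text:
            continue
        idp = ref.text.strip()
        if idp in weak:
            affected.setdefault(idp, []).append(_enclosing_entry_name(ref, parents))
    return {"weak": sorted(weak), "unverified": sorted(unverified),
            "affected_auth_profiles": affected}


if __name__ == "__main__":
    print(review(SAMPLE_CONFIG))
```

Profiles exported without the element at all are listed as unverified rather than assumed safe; confirm those in the web interface. Enabling validation is only half the fix: the advisory also requires that the IdP's signing certificate can actually be validated, so check what certificate each weak profile references before flipping the option.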

Phishing

Phishing is a constant threat. During the COVID-19 pandemic we have seen lures adapted to the situation, as always leveraging fear, uncertainty and doubt and high-pressure scenarios such as PPE supply and coronavirus testing equipment.

Looking at healthcare organisations from the internet, we generally see:

  • Poor coverage of SPF, DMARC and DKIM deployment
  • Misconfiguration of mail protection records

Whilst we advocate security awareness training for staff, during a time of increased pressure it is just as important (potentially more so) to use technical controls alongside soft controls to reduce the likelihood of a phishing email achieving impact.
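The two bullets above describe the weak spots a sender domain usually has. As an added example (not code from CV19 or any project linked on this page), here is an offline assessment of the SPF and DMARC records an organisation publishes, with a constructed weak deployment beside its corrected form; feed it the TXT records you pull with `dig example.org TXT` and `dig _dmarc.example.org TXT`. DKIM is left out because it can only be checked once you know the selectors the senders use.

```python
"""Assess SPF and DMARC records for the weaknesses that let spoofed mail land.

Added example for this post, not code from CV19 or the projects linked here.
It works on record strings you have already fetched, so it runs offline; the
records below are constructed. DKIM is not assessed (needs selector names).
"""


def spf_lookup_count(terms):
    """Count mechanisms that cost a DNS lookup. RFC 7208 caps these at 10;
    going over is a permerror and receivers ignore the whole record."""
    count = 0
    for term in terms:
        t = term.lstrip("+-~?").lower()
        if t.startswith(("include:", "exists:", "redirect=")):
            count += 1
        elif t in ("a", "mx", "ptr") or t.startswith(("a:", "a/", "mx:", "mx/", "ptr:")):
            count += 1
    return count


def assess_spf(records):
    """records: every TXT record at the domain that starts with v=spf1."""
    findings = []
    if not records:
        return [("high", "no SPF record: receivers cannot reject forged envelope senders")]
    if len(records) > 1:
        findings.append(("high", "multiple SPF records: permerror, receivers ignore SPF"))
    terms = records[0].split()
    if not terms or terms[0].lower() != "v=spf1":
        return findings + [("high", "record does not start with v=spf1")]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if all_term is None and not has_redirect:
        findings.append(("medium", "no 'all' mechanism: unlisted senders get a neutral result"))
    elif all_term is not None:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"   # bare 'all' means +all
        if qualifier == "+":
            findings.append(("high", "+all authorises every host on the internet to send as this domain"))
        elif qualifier == "?":
            findings.append(("medium", "?all is neutral: unlisted senders are neither passed nor failed"))
        elif qualifier == "~":
            findings.append(("low", "~all softfail: only effective when DMARC enforces it"))
    if spf_lookup_count(terms) > 10:
        findings.append(("high", "more than 10 DNS lookups: permerror, receivers ignore SPF"))
    if any(t.lstrip("+-~?").lower().startswith("ptr") for t in terms):
        findings.append(("low", "ptr mechanism is deprecated and slow to evaluate"))
    return findings


def assess_dmarc(record):
    """record: the TXT record at _dmarc.<domain>, or None if absent."""
    if record is None:
        return [("high", "no DMARC record: SPF/DKIM failures are not enforced and spoofing goes unreported")]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return [("high", "record does not start with v=DMARC1")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("medium", "p=none is monitor-only: spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("low", "p=quarantine: spoofed mail lands in junk rather than being rejected"))
    elif policy != "reject":
        findings.append(("high", "missing or invalid p= tag: record is not valid DMARC"))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(("low", f"pct={pct}: policy applied to only part of the mail stream"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address: no aggregate reports, so no visibility of spoofing"))
    return findings


def assess_domain(spf_records, dmarc_record):
    """Combine both checks, worst severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [("SPF",) + f for f in assess_spf(spf_records)]
    findings += [("DMARC",) + f for f in assess_dmarc(dmarc_record)]
    return sorted(findings, key=lambda f: order[f[1]])


# Constructed records: a weak deployment and its corrected form.
WEAK = {"spf": ["v=spf1 a mx include:_spf.example.net +all"], "dmarc": "v=DMARC1; p=none"}
FIXED = {"spf": ["v=spf1 include:_spf.example.net -all"],
         "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org; pct=100"}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("fixed", FIXED)):
        print(label, assess_domain(recs["spf"], recs["dmarc"]))
```

Move from the weak form to the fixed form in stages: tighten SPF to the senders you actually use, start DMARC at p=none with rua= so the reports tell you what would break, then step up to quarantine and reject once the legitimate sources all pass.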

Useful Resources

Phishing and Web Content Filtering

Our friends in the CTI League and the Cyber Threat Coalition both publish independent block lists which can be consumed by mail hygiene and perimeter security solutions (such as firewalls and IDS/IPS systems):

https://github.com/COVID-19-CTI-LEAGUE/PUBLIC_RELEASE

https://blocklist.cyberthreatcoalition.org/vetted/

NCSC Weekly Threat Report

This report includes links to the phishing reporting service recently stood up by NCSC:

https://www.ncsc.gov.uk/information/report-suspicious-emails

https://www.ncsc.gov.uk/report/weekly-threat-report-3rd-july-2020