Advice Is Based on Agency’s 2-Week Security Assessment of a Large Entity
The U.S. Cybersecurity and Infrastructure Security Agency is urging healthcare sector entities to take critical steps in fortifying their environments based on findings from a two-week risk and vulnerability assessment performed by the federal agency on a medical organization earlier this year.
In a Friday advisory, CISA said it had performed the assessment in January at the request of a “large organization deploying on-premise software” that the agency did not identify.
The risk and vulnerability assessment is a two-week penetration test of an entire organization. The first week is spent on external testing, and the second week focuses on assessing the internal network. The CISA team identified default credentials on multiple web interfaces and used default printer credentials during the penetration test. Other internal assessment testing found several other weaknesses.
Based on its findings, the agency recommends that healthcare and public health sector organizations take measures such as hardening their internal environments to limit follow-on activity after initial access, using phishing-resistant multifactor authentication for all administrative access, and segregating networks. It also recommends verifying that those hardening measures have actually been implemented, including changing, removing or deactivating all default credentials.
CISA said its recommendations can apply to all critical infrastructure organizations as well as to software manufacturers.
The agency said that as part of its assessment, its team had conducted web application, phishing, penetration, database and wireless assessments.
The assessments resulted in positive and negative findings. In its one-week external assessment of the organization, the CISA team did not identify any significant or exploitable conditions in externally available systems that could allow a malicious actor to easily obtain initial access to the organization’s network.
The assessment team also was unable to gain initial access to the assessed organization through phishing.
But during internal penetration testing, the CISA team exploited misconfigurations, weak passwords and other issues through multiple attack paths to compromise the organization’s domain.
CISA used the MITRE ATT&CK for Enterprise framework, version 14, to map its findings, which are detailed in the agency's report.