{"id":247,"date":"2017-05-26T14:08:02","date_gmt":"2017-05-26T14:08:02","guid":{"rendered":"http:\/\/securitycurve.com\/?p=247"},"modified":"2017-05-26T14:08:02","modified_gmt":"2017-05-26T14:08:02","slug":"omg-why-does-it-always-take-the-worst-case-scenario","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=247","title":{"rendered":"OMG. Why does it always take the worst case scenario?"},"content":{"rendered":"

\"\"<\/a>Here’s an article about how medical device manufacturers continue<\/a> to not get it done securing what they produce. \u00a0It references a few data points, including one from a\u00a0Ponemon survey<\/a>\u00a0outlining how people are concerned about it, but yet action taken is relatively low. \u00a0I’ve been writing about this for years: not only the near-continuous stream of research highlighting issues in\u00a0implantable biomed (pacemakers, pumps, defibrillators, etc.) which this article focuses on, but likewise biomed that you see in institutional care settings (pharmaceutical dispenser systems, patient monitors, imaging systems, etc.) \u00a0Security on these devices is terrible. \u00a0Like, when I can routinely bring down an HL7 interface engine by port-scanning it, that’s a problem — when your MRI machine uses default passwords for the OS on which it runs, that’s a problem too.<\/p>\n

I’m not usually a “doom and gloom” person. \u00a0In fact, those of you who know me know that I explicitly hate that — FUD generally causes more problems than it helps solve. But on the other hand, I get frustrated with the interplay between human nature and certain types of risk. \u00a0Specifically, people seem to generally tend toward ignoring a threat – or, if that seems unfair, let’s say “downplaying it” –\u00a0until such time as some actual problem occurs. \u00a0And then, when it does, it’s “hair on fire” time: everyone runs around trying to react, people demand action, everybody and their brother wants to make statements to the press, and there’s generally a big brouhaha. This happens until people lose interest and everyone can go back to safely ignoring the issue again.<\/p>\n

Don’t believe me? \u00a0See WannaCry. \u00a0A CVSS 9.3 issue in SMB is discovered and publicly disclosed? \u00a0Let’s hit the “sleep” button on that. \u00a0Patch is published by Microsoft, marked as critical? \u00a0Pipe that one to \/dev\/null. \u00a0But then some malware gets released that actually leverages that situation to do some nastiness? Panic-button time. \u00a0Then, when WannaCry ends, we go back to status quo until some variant emerges to start up the panic cycle once again.<\/p>\n

WannaCry was an issue, but what really gets my dander up about the biomed thing is that the consequences are human lives – or at least human health. \u00a0I prophesy (and I hope I’m wrong) that this issue is going to eventually lead to loss of life on some scale. \u00a0It’ll probably be a small scale, but could be larger depending on what’s exploited and how (see Therac-25<\/a>)…\u00a0 or at least to\u00a0making sick people worse. \u00a0I predicted back in 2006 that all it takes is a motivated attacker using the right biomedical device as an attack vector and they could assassinate someone under the right conditions. \u00a0It’s still true now. \u00a0In fact, it’s arguably worse.<\/p>\n

Why does it have to be the worst case before people address this stuff? \u00a0\/RANT<\/p>\n","protected":false},"excerpt":{"rendered":"

Here’s an article about how medical device manufacturers continue to not get it done securing what they produce. \u00a0It references a few data points, including one from a\u00a0Ponemon survey\u00a0outlining how people are concerned about it, but yet action taken is relatively low. \u00a0I’ve been writing about this for years: not only the near-continuous stream of […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[68,81],"class_list":["post-247","post","type-post","status-publish","format-standard","hentry","category-security","tag-human-nature","tag-medical-devices"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=247"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/247\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}