This document discusses cyber security risks in the financial and healthcare industries and their impact on homeland security. It covers three parts: examples of information disclosure vulnerabilities in access points; connecting these vulnerabilities to critical infrastructure protection and homeland security; and arguing that an asset-centric rather than product-centric approach is needed to address industry-specific security challenges.
1. From Your Pocket, to Your Heart, and Back
Cyber Security in the Financial and Healthcare Industries, and How They Affect Homeland Security!
Ian Amit, Director of Services
17. The RAP Console is unauthenticated and displays information about the access point. Figure 1
shows a screenshot of the RAP Console home page.
Figure 1: Unauthenticated RAP Console
On the Diagnostics tab it is possible to view the conn_log, sapd_debug, dmseg, and rapper
debug logs. The rapper debug log will log the PAP Username:
setup_tunnel
Initialized Timers
IKE_init: completed after (0.0) (pid:16341) time:1999-12-31 16:37:53 seconds.
Before getting PSK
PSK:****** User:xiaobo1 Pass:******
A more serious information disclosure is the “Generate & save support file” option available on
the home page of the RAP Console. The support.tgz file contained 73 files, including the ikepsk,
pappasswd, and papuser files, as shown in Figure 2.
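One way to audit a support archive like this before it is handed to anyone, as an added example (not code from the original slides or from the vendor). The three credential file names and the log line shape come from the slide; the archive layout, the log file name rapper_debug.log and the sample username are constructed assumptions.

```python
import io
import re
import tarfile

# File names the slide lists as present in support.tgz.
SENSITIVE_NAMES = {"ikepsk", "pappasswd", "papuser"}
# Line shape taken from the rapper debug log excerpt: PSK:... User:... Pass:...
CRED_LINE = re.compile(rb"PSK:\S+\s+User:(\S+)\s+Pass:\S+")


def audit_support_bundle(data: bytes) -> dict:
    """Return credential-bearing members and usernames exposed in logs."""
    findings = {"sensitive_files": [], "usernames_in_logs": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue  # skip dirs, links, devices; nothing is written to disk
            base = member.name.rsplit("/", 1)[-1]
            if base in SENSITIVE_NAMES:
                findings["sensitive_files"].append(member.name)
                continue  # flag by name only, do not read the secret itself
            body = tar.extractfile(member).read(1 << 20)  # cap each read at 1 MiB
            for match in CRED_LINE.finditer(body):
                findings["usernames_in_logs"].append(
                    (member.name, match.group(1).decode(errors="replace")))
    findings["sensitive_files"].sort()
    return findings


def build_sample_bundle() -> bytes:
    """Constructed sample archive; all contents are placeholders."""
    files = {
        "support/ikepsk": b"<placeholder>\n",
        "support/papuser": b"<placeholder>\n",
        "support/pappasswd": b"<placeholder>\n",
        "support/rapper_debug.log":
            b"Before getting PSK\nPSK:****** User:sampleuser Pass:******\n",
        "support/conn_log": b"link up\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_support_bundle(build_sample_bundle()))
```

Any hit in either list means the archive should be treated as a credential store: restrict who can generate it, and rotate the PSK and PAP credentials if it has already left the device.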
30. Fairly unique to healthcare, right?!
Need to provide people access to medical facilities…
Kind’a like a financial institution needs to provide
customers access to facilities, and their money…
60. Let that last one sit there for a second…
Product Centric | Threat/Asset Centric
Product | Risk
Zero lateral knowledge transfer | Peer knowledge transfer
Zero self learning (experience) | Improves with practice
Based on lab threats | Based on real (relevant) threats
“Industry Best Practice” | Tailored for YOUR practice