In their April Cybersecurity Newsletter, Office for Civil Rights (OCR) addressed an emerging threat known as “Man-in-the-Middle” (MITM) attacks. A MITM attack occurs when a third party secretly intercepts and relays the message between two parties who believe they are communicating directly with each other.
There are several forms of MITM:
- Man in the Browser: Malware installed on a computer, used to modify online transactions and has the ability to bypass encryption and antivirus programs.
- Man in the Mobile: Hacker inserts a self-signer certificate which allows them to intercept data from a free mobile app.
- Man in the Cloud: Hacker gains access by intercepting a synchronized token, spying on file sharing and storage.
- Man in the Internet of Things (IoT): Devices that are compatible with Bluetooth or the internet (security cameras or biomedical devices) without default usernames or passwords.
- WiFi Eavesdropping: Hijacking a WiFi connection to spy a user, most likely to occur while using public WiFi.
An MITM attack can be used to achieve various outcomes. Some of these outcomes include: injecting malicious code, intercepting sensitive information like Protected Health Information (PHI), exposing sensitive information or modifying trusted information.
Protection from MITM Attacks
As with all malware and cyber-attacks, being aware of the threats and implementing appropriate safeguards are critical to creating a strong cyber security program and protecting PHI.
Below is a list of safety measures to protect against an MITM attack:
- Implement firewalls that can provide https filtering / deep packet inspection (SSL and TLS)
- Utilize web content filtering anti-spam protection devices or applications
- Avoid using un-encrypted free WiFi hot spots to transmit sensitive data
- Verify that sensitive data is only entered on websites using https
- Discontinue use of websites that provide warning about issues with the certificate
- Maintain your operating system software and verify your hardware is patched and up-to-date
Utilize a 2 factor authentication system whenever possible
- Configure web-filters to deny any “zero-reputation” websites/URLs to reduce chances of compromised banner-ads
Training, it is very vital to constantly train and remind users, at the end of the day WE are the front end, top layer of any security device and without training we are not going to know what to watch for
HTTPS Inspection Products
To offset the threat of a MITM attack, many organizations have implemented end-to-end connection security to internet transactions using Secure Hypertext Transport Protocol, or “HTTPS.” Additionally, some organizations use “HTTPS interception products” to detect malware over an https connection. These products are known as “HTTPS / SSL inspection or deep packet inspection” and are designed to intercept the https network traffic then de-crypt, review and finally, re-encrypt it.
One issue organizations utilizing https interceptions products need to be aware of is the potential vulnerabilities due to an inability to verify web servers’ certificates and validate the security of the end-to-end connection. These products do requires users systems to trust the device vendor self-created certificate so there to facilitate communicating with the device which is decrypting and encrypting the inspected data.
PHI and HIPAA Security
The HIPAA Security Rule specifies that PHI must be encrypted stating “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 Definition of Encryption.) PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals if confidential passwords or keys that enable decryption have been breached. Additionally, encryption processes must meet the standards set by the National Institute of Standards and Technology (NIST) and Federal Information Processing Standards (FIPS).
In a previous blog post we introduced the United States Computer Emergency Readiness Team (US-CERT), a team designed
to respond to cyber security incidents and analyze data from partners about emerging cyber threats. US-CERT has weighed in on MITM attacks and recommends that organizations verify that their https interception product properly validates certificate chains and passes any warnings to the client.
For the latest recommendations from the US-CERT, visit: https://badssl.com/