
We’ve always known the value of partnering with Cisco Meraki. Recently we learned that we were selected by the Meraki team as the September 2023 Ecosystem Partner of the Month. This is a great honor for all of us at Ordr, we’re thrilled by the recognition of our efforts, and believe our deep integration and continued partnership is a Win/Win for our joint customers. 

The Ordr and Cisco Meraki joint solution is giving enterprise security teams what they want from the Cisco Meraki platform – ‘enterprise grade’ networking features, not the least of which includes policy and segmentation. By combining Ordr and Cisco Meraki customers can: 

  • Discover every device via the seamless Ordr and Meraki cloud integration.
  • Gain granular visibility into every single asset in their network including IT, Internet of Things (IoT), Internet of Medical Things (IoMT), and Operational Technologies (OT) devices.
  • Identify their attack surface with insights such as devices with vulnerabilities, outdated operating systems, recalls, weak passwords, anomalous behaviors, and active threats.
  • Simplify and automate policy creation to accelerate incident response and Zero Trust projects.

Our successful partnership is not just about technology but also includes a strong collaboration to keep customer needs at the forefront of everything we do together. Ordr is a Cisco Co-Sell partner focused on finding the best integrated solutions for our customers through our global, shared partner community.


A big shout out to our Cisco Meraki colleagues who make working together fun and rewarding: Alicia Lorenzetti, David Hoysan, Jacky Lo, Matthew D’Angelico, Joe Maestri, Shayna Boudreau, MBA, Anna (Ania) Esipova, Disha Moses, Hope Galley, Stephanie Feliciano, Allison Norfleet, Oren Brigg, Albert Chen, Shweta Palande, Vasundhra Dewangan, Cory Guynn, John M. Kuchta, and Danna Simon.

Watch the live Cisco Meraki Ecosystem Partner of the Month announcement 

And don’t forget to request a demo on the Meraki Marketplace 

Read the announcement on the Meraki Community


Julie Criscenti Heck

Head of Global Partner Ecosystem Marketing


The past two years have been extremely challenging for healthcare providers. The pandemic thrust healthcare providers into an unprecedented period of transformation. It increased the importance of asset management as medical devices were mobilized and rapidly deployed to deal with the surge of patients. This was followed by the hybrid workforce trend and telemedicine adoption that extended the caregiving environment (and devices) beyond traditional hospital walls. At the same time, cyberattacks like ransomware increased in frequency and severity, reverting many hospitals to pen and paper and disrupting patient care.

The modern healthcare environment now must support the proliferation of connected medical devices that are critical to patient care and operations. Healthcare providers monitor these devices continuously and keep them functioning efficiently but must also protect them against cyberattacks.

Addressing Healthcare Provider Challenges

When Ordr and GE HealthCare first began collaborating, we spoke to several Biomedical & Healthcare Technology Management (HTM) and Security teams about the top challenges they were facing.

From these conversations, we learned there is untapped potential in optimizing healthcare networks with real-time data to improve clinical productivity, enable equipment uptime, simplify troubleshooting, and maximize the utilization of clinical assets. With hospital funding challenges and workforce turnover, the more efficient biomedical and HTM teams can be, and the fewer manual processes they have, the happier they will be.

Here are some of the challenges Biomed and Clinical Engineering teams are facing and how we are helping them:

  • Locating devices and understanding utilization: Biomedical engineering and HTM teams can spend more than an hour per person per shift locating devices and patient data modules in the hospital. Often, once they finally locate the devices, they discover that the devices are in use and cannot be serviced, patched or updated. Our new service offering helps eliminate this costly inefficiency by giving biomed and HTM teams access to connectivity details (physical or network) and near real-time utilization details for every device. They can locate specific devices for maintenance or troubleshooting, including GE HealthCare patient data modules and the bedside monitors to which they are connected.
  • Visibility into devices and flows: Manual processes to discover and manage device fleets can be inefficient. With this service, biomed and HTM teams will benefit from automated discovery and classification of devices, visibility into device flows and connectivity, and near real-time, accurate device data that can integrate into their existing CMMS. This reduces the need for biomed and HTM teams to perform the labor-intensive and error-prone task of walking around hospitals trying to identify devices, their serial numbers, and where they are connected. Behavior anomaly alerting on traffic flows can help identify compliance issues such as medical devices moving to the guest VLAN.
  • Monitoring and troubleshooting intermittent outages: Biomed and HTM teams may not be aware of devices impacted by communications or performance issues until it’s too late. When medical devices are impacted by downtime, clinical workflows suffer. Essentially, clinicians’ ability to provide quality care is compromised if they are unable to use these devices or access the information they need to do their jobs and treat their patients. As part of the Ordr and GE HealthCare service offering, we have developed new application and network monitoring functionality for the CARESCAPE network. Healthcare systems can proactively identify issues before they impact clinical care. An early “diagnosis” of potential issues, along with granular insights for troubleshooting, can eliminate major failures, decrease downtime, and lower service costs.
  • Vulnerability management: When new vulnerabilities are published by manufacturers or software providers, it can take a great deal of time for healthcare providers to determine which of their devices are impacted, slowing their response time. Lack of accurate device data (OS, software version, etc.) can make it difficult to assess risk and identify devices with vulnerabilities. Our service offering enables hospital security and biomed/HTM teams to identify and focus on specific vulnerabilities affecting clinical assets under their management, prioritize vulnerabilities with Clinical Risk Scores, and self-manage the remediation process with simplified workflows and custom tags.

Why Ordr and GE HealthCare Collaboration

“Empowering Biomedical Technicians, Clinical Engineers, and Hospital IT with easy-to-use tools aimed at improving self-managed network security, productivity, and equipment uptime is key to enhancing critical patient care,” said Alla K. Woodson, GE Healthcare’s Global GM, Patient Care Solutions – Services & Consumables. “This network performance and security solution brings together the technology and scale of our two organizations to help ensure that our customers have visibility and access to actionable insights.”

“Hospitals and healthcare facilities rely on GE Healthcare’s CARESCAPE networks to host critical patient care devices; it is of the utmost importance that these networks – and everything connected to them – remain secure and operating at peak efficiency,” added Jim Hyman, CEO of Ordr. “The deep integration of the Ordr platform with the GE Healthcare CARESCAPE network will help give healthcare organizations the comprehensive clinical asset visibility, security and performance capabilities they need to optimize and protect their environment of care.”

GE HealthCare’s Service Offering for CARESCAPE patient monitoring networks, which harnesses the power of the Ordr platform, will be available early this year. For more details on the offering, contact info@ordr.net.


It’s a new year, and with so much uncertainty, seven of Ordr’s executives and subject matter experts offer ironclad predictions for what to expect in connected device security in 2023.

Bryan Gillson – Head of Vertical Market Strategy

As a result of the convergence of information technology (IT) and operational technology (OT) and expanding connectivity of once isolated industrial infrastructure, there will be a notable increase in attacks targeting OT. Ransomware, cyberterrorism, and other attacks will be the unfortunate result and critical infrastructure environments will be a primary target.

OT like industrial control systems (ICS), supervisory control and data acquisition (SCADA), and similar equipment was once protected by air-gapping their networks from traditional IT and the internet (the Purdue Enterprise Reference Architecture, or Purdue Method). However, as trends like remote supervision, automation, and digital supply chain management have taken hold, greater levels of connectivity have opened those once isolated environments—including legacy systems running obsolete, unsupported, and insecure equipment—putting them in reach of threat actors who have proven themselves all too willing to take advantage of any vulnerability, and any type of organization.

Jim Hyman – CEO

CISOs and cybersecurity champions inside more organizations will see a sharp increase in support as corporate boards bring in cybersecurity expertise. When the U.S. Federal Trade Commission (FTC) issued guidance last year putting corporate boards on notice that “data security begins with the Board of Directors,” it added fuel to a process that had been slowly gaining momentum in recent years by elevating the issue of cybersecurity within corporate governance. In 2023 that process will translate to meaningful support for security initiatives, including budgets and staffing.

Similarly, in 2023 more organizations will be held to account for their lax security programs and we can expect to see greater attention given to the issue of cybersecurity by federal legislators. Lawmakers are growing impatient with corporate inaction even as threats begin to affect individuals amid attacks on critical infrastructure, including hospitals. As Senator Ron Wyden told MIT Technology Review, “There’s a tendency to hype the capabilities of the hackers responsible for major cybersecurity incidents, practically to the level of a natural disaster or other so-called acts of God. That conveniently absolves the hacked organizations, their leaders, and government agencies of any responsibility.”


Kahil Thomas – Regional Sales Manager, Healthcare

Inventory tools like configuration management databases (CMDBs) and computerized maintenance management systems (CMMSs) will play an increasingly critical role in cybersecurity as the number of connected devices continues to soar and organizations turn to automated solutions to scale security efforts. The importance of these tools, in turn, will prioritize the need to automate the collection of asset details, aggregate data from multiple sources, and ensure accurate, real-time information.

Gartner has identified the expansion of cyber-physical systems, including IoT and other connected devices, as a major risk for organizations that fail to account for all assets across their environment. Human effort alone is not capable of keeping up with the growth of connected devices and that is why automation is essential to all cybersecurity related tools.

Gnanaprakasam Pandian – co-founder and Chief Product Officer

In 2023, organizations will finally have a single, unified asset knowledge base for cybersecurity. This is essential to achieving and maintaining a Zero Trust security posture that spans IT, OT, and IoT. That is because maximizing protection demands there be no blind spots; and gaining a unified view of all connected assets, along with their essential business context, is foundational for cybersecurity today. That capability represents the keys to the cybersecurity kingdom, and it will be available to most organizations in 2023. Many organizations (but not all) will embrace it.

Also, the era of proactive protection using behavioral models will finally displace the era of reactive remediation. This will relieve a tremendous burden from security teams that currently spend an enormous amount of energy on reactive remediation and allow them to apply their skills to other areas of security, like optimization, automation, and forensics. Effective security means knowing what a device does much more than what the device is. Hence, behavioral modeling of devices will form the foundation of threat detection and automated response.


Darrel Kesti – VP of Sales

Healthcare will see an increase in mergers and acquisition activity in 2023 as a result of the financial toll on the industry since early 2020, including effects related to both the pandemic and a sharp increase in costly cyberattacks. Smaller and independent hospitals, clinics, and related service providers that are no longer able to deliver a high quality of care will see some operations shut down while others will be absorbed by larger providers, extending their reach and expanding their market footprint. But because many smaller healthcare organizations have been targeted relentlessly by threat actors, acquiring organizations must be careful to conduct thorough due diligence to determine if any threats exist before merging IT estates.

We will also continue to see an increase in cyber insurance premiums and coverage limitations in 2023 across healthcare and all other industries. As a result of the growing number of claims and increasing scrutiny, cyber insurance providers will demand greater documentation of essential security controls and will refine their audits and reviews to verify adequate security measures are in place, paying close attention to the complete 3PT (People, Process, Policy, and Technology) elements of security programs to reduce their risks.

Bryan Wallace – Head of Partner Sales

Network administration teams will be squeezed between being short-staffed due to a tight labor market and tightening budgets even as security requirements and expectations increase in the coming year. Trends toward network segmentation, Zero Trust implementation, and complete cyber asset attack surface management (CAASM), among other network-centric security priorities, will push organizations toward adopting new tools to simplify the definition and implementation of rigorous security policies (e.g., firewall, NAC, switch ACLs) and that allow teams to do more with less.

Similarly, both security and network teams will require a unified view of inventory and risks across IT, OT, and IoT assets as connectivity between industrial and administrative networks continues to expand. The blending of these environments will increase complexity and risk, while making security and IT operations management impossible without the right (automated) tools.


Paul Davis – VP of Customer Success

Cyberattacks targeting the healthcare industry will continue to increase, driving legislation at the state and federal level in the U.S., and abroad, while also prompting the industry to adopt stricter security standards on its own. In response, healthcare organizations will look for ways to generate efficiencies for security in what are often complex organizations.

With the overlap between traditional IT security teams and biomed/clinical engineering becoming more apparent, there will be pressure to adopt monitoring and security management tools that address requirements across the teams in 2023. The goal of these efforts is to improve visibility of the attack surface and response to threats while providing a more consistent and effective way of communicating security risk across the whole organization.


What a year it has been. Looking back there were plenty of surprises, but much to celebrate, be grateful for, proud of, and to leave us with ample optimism for the year to come. We’ll make our resolutions on January 1st, and have offered our opinions on what might transpire in 2023 elsewhere. But for now, let’s review the last twelve months and take in all that we accomplished as an organization–every member of the Ordr team together with our partners, customers, and advisors.

For starters, despite economic friction remaining from the pandemic and the headwinds of inflation and recession, the Ordr team scored many new customer wins, including many large enterprises representing every industrial sector. The message that organizations need to secure their growing inventory of connected devices is spreading, and Ordr stands head-and-shoulders above all other solutions in meeting that need. Among our many representative new customers earned during 2022 were:

  • Large pharmaceuticals companies;
  • Major children’s hospitals;
  • A multinational financial institution;
  • One of the largest U.S. federal agencies;
  • Global industrial and high tech manufacturers;
  • U.S. and UK universities; and,
  • Many healthcare services providers throughout the U.S., Canada, and Europe.

Wins like these don’t happen without a lot of hard work. And as it has been since our founding, the Ordr team put in a lot of hard work during 2022 to build on past successes and execute against a goal of continuous improvement.

Bringing the Power of Personalization to HTM Teams

In March we launched Clinical Defender to enable Healthcare Technology Management (HTM) teams to manage their connected medical devices more efficiently and accurately in the face of an explosion of IoT and IoMT deployments in healthcare environments. As many as 20% of connected devices operating in healthcare organizations are unaccounted for. Clinical Defender closes that visibility gap while providing focused, actionable, and accurate HTM insights and workflows, so HTM and clinical engineering teams can:

  • Access a dedicated dashboard for simplifying HTM workflows and addressing specific use cases;
  • Automate real-time asset inventory without impacting device operations;
  • Address compliance by identifying missing, newly connected, or misplaced devices;
  • Mitigate risks by identifying devices with vulnerabilities, recalls, and outdated operating systems;
  • Accelerate remediation efforts for devices with clinical risks; and,
  • Save millions of dollars by optimizing device utilization.

Then in August we released Clinical Defender 8.1, adding the Ordr Software Inventory Collector and integration with CrowdStrike and CrowdStrike Humio to enhance the value of the platform by making it easy for Clinical Defender to gather contextual information from connected devices and collaborate with security teams to defend the healthcare enterprise.

Expanding Our Partner Network, Embracing the Technology Ecosystem

In May Ordr announced expanded technology integrations with our long-time partner Cisco, making Ordr available as a hosted application on Cisco Catalyst 9000 series switches. The integration enables Ordr’s seamless visibility, comprehensive insights, and enhanced security for connected devices in every environment using the Catalyst 9000 product family, and extends Ordr integrations with Cisco Meraki, Cisco Identity Services Engine (ISE), Cisco Software-Defined Access (SDA), and Cisco TrustSec.

“Ordr is a great purpose-built product that delivers exactly what they promise it will. It’s easy to work with and easy to maintain.” Network Engineer, healthcare and biotech industry.

Our partner relationships expanded further through new technology integrations with Arista, AWS, BigFix, Cisco Prime, CrowdStrike, Microsoft, Qualys, Rapid7, ServiceNow, and Tenable, as well as support for Osquery, contributing to the list of more than 80 integrations with the Ordr Data Lake. In total, these new integrations deliver stronger “ground to cloud” visibility, device management, and security capabilities for our customers by enabling them to operate with a richer, more contextual understanding of their connected device operations.

And then in November we added Sodexo Healthcare Technology Management to our partner network. The Ordr-Sodexo relationship delivers a people, process, and technology solution combining Sodexo Managed HTM Cybersecurity services with the Ordr platform. By combining the strengths of Ordr’s connected device security platform with Sodexo’s healthcare technology management services expertise, HTM teams can more easily identify threats and mitigate risks to their enterprises by securing all connected healthcare devices.

Enhanced Device Management, Security, and Segmentation

In November we also published our healthcare connected device maturity model entitled A Practical Guide: Implementing Connected Device Security for Healthcare Organizations. The guide outlines five stages of an effective connected device security program and strategies to achieve and maintain a Zero Trust security posture for healthcare organizations beleaguered by a relentless onslaught of cyberattacks. These stages include:

  • Gaining Full Asset Visibility Across Infrastructures;
  • Acquiring Vulnerability and Risk Management Insights;
  • Achieving Reactive Security Capabilities;
  • Evolving to a Proactive Security Posture; and,
  • Maintaining Optimized, Zero Trust Security Operations.

Ultimately our product improvements and partner relationships mean nothing if they don’t translate to greater connected device management and security capabilities for our customers. Our mission to help organizations See, Know, and Secure their entire connected device inventory and maintain a Zero Trust security posture was evinced throughout the year when we stepped up to help our customers identify and protect their devices from new threats like the Log4j and OpenSSL vulnerabilities, rogue device communications to risky foreign locations, malware variants like Maui Ransomware, and other threats to connected devices and the organizations that rely on them.

“Overall, we have a great experience with the Ordr system where our IoT and IoMT devices are well detected and inspected for inventory and vulnerability purposes.” Manager, IT Security and Risk Management, healthcare and biotech

Ordr’s Journey of Growth Continued

Finally, it’s worth noting that every move we make is part of a strategy to grow Ordr into a strong, stand-alone technology leader that our customers know they can trust for years to come. That position as a market leader was reaffirmed during 2022 by respected organizations like KLAS Research, who named Ordr a healthcare IoT security leader for an unprecedented third year in a row, and IDC, who named Ordr a top innovator in healthcare security technology.

Our success and growth to date allowed us to attract another $40 million in new, C-round capital investments in June. Those funds are already at work building our organization through new hires and research and development, including the award of four new patents in October. Those patents are associated with processes for addressing unique challenges to securing connected devices, including the way we profile new devices, as well as innovations that make it easier for organizations to use our technology.

And as we continued to add human capital, among the many new faces Ordr welcomed to its roster was our new CEO, Jim Hyman, who took over the office formerly occupied by Greg Murphy during the last four years of incredible growth and success. Greg remains an integral part of the Ordr family operating as an advisor to the company. His hard work left Jim an organization well-positioned for future growth and success.

New Year, New Opportunities

2022 was a big year for Ordr during which we achieved many important milestones. We look forward to helping even more organizations protect their networks from the increasing threats to their connected devices next year and beyond. After all, we are well-positioned to continue capitalizing on our unparalleled ability to secure the huge and growing number of healthcare and industrial IoT deployments.

“Deployment was easy; once running, we immediately got visibility. Support is great and helpful in tuning the system; upgrades have been painless. Ordr has aided us in identifying unwanted devices and remediation activities; the behavior violation alerts position us to drive investigations based on known good traffic.” Director, IT Security and Risk Management, healthcare and biotech

As always, Ordr is here to make a major difference improving the way security controls are implemented, even as enterprises grow more complex. We are eager to meet whatever challenges 2023 has in store with confidence in our mission and clarity in our vision.


If Ralph Waldo Emerson had been a CISO and not a poet, he might have said, “Like life, Zero Trust is not a destination, but a journey.” And he’d be right, of course. For all the love Zero Trust has gotten from zealous marketers who promise that an investment in their cybersecurity product will deliver Zero Trust, the fact is that enterprises are far too dynamic for any one product to achieve that state. In fact, Zero Trust is not a static state, but an ideal that must be as dynamic as the environment in which it prevails.

Dynamic Environment, Dynamic Tool

When Ordr talks about Zero Trust, it is within the context of the challenges of protecting organizations that are increasingly reliant on connected devices to manage and run their operations. Devices within the domains of the Internet of things (IoT), Internet of medical things (IoMT), and operational technology (OT) are, by their nature, dynamic. They connect to and disconnect from networks often, finding a home where they are needed. They move around and increase an enterprise’s attack surface as they aggregate and grow in number. That kind of changeability and complexity requires a security platform like Ordr that has the speed and intelligence to discover, identify, and secure every device operating in the network.


This is especially important for healthcare organizations that rely on IoT, IoMT, and OT devices to manage their facilities and provide a high level of care to patients. These devices gather data, provide diagnostics and therapeutic functions, and automate activity at all levels. But those devices also expand the attack surface of the organizations that deploy them, and threat actors have been taking advantage. According to the FBI, healthcare was the industry most targeted by ransomware gangs in 2021, affecting more than 550 organizations, compromising the protected health information (PHI) of more than 40 million people, and inflicting financial losses of $6.9 billion.

Wisdom of Old CISOs

Standing up to the threat requires thoughtful investments in security tools that address the specific needs of each organization, backed by a deliberate and strategic plan that maximizes the efficacy of those tools to achieve and maintain a continuous Zero Trust posture. And just as Emerson said Zero Trust is a journey, another famous CISO, the philosopher Lao Tzu, said the journey of a thousand miles to Zero Trust begins with a single step. Fortunately for healthcare organizations looking to protect their IoT, IoMT, and OT assets, that single step is one of five in a connected device security maturity model that Ordr has outlined in a new ebook entitled A Practical Guide: Implementing Connected Device Security for Healthcare Organizations.

Five Easy Pieces

Authored by Gartner veteran and Ordr strategic advisor Brad LaPorte, with close consultation by many of our own subject matter experts, “A Practical Guide” includes recommended actions, technical considerations, and helpful insights that complement each of the five steps of maturity for connected device security, which are:

  • Step One – Asset Visibility: a foundational exercise that must be launched and operationalized to discover and classify every device, and map its flows.
  • Step Two – Vulnerability and Risk Management: used to extend the capabilities of the organization to effectively see and know about all the devices present in the environment.
  • Step Three – Reactive Security: prioritization of necessary activities, such as blocking specific inbound and outbound communications, to mitigate risks.
  • Step Four – Proactive Security: establish automated policies to ensure rapid threat detection and prevention, and begin to implement proactive Zero Trust segmentation policies.
  • Step Five – Optimized Security: use of real-time analysis and micro-segmentation to automate dynamic policy changes, scale protections reflective of an environment’s current state, and enable continuous improvement.

As you can see, each step in the maturity model builds on the previous step in sequence; there are no shortcuts. And the speed with which an organization progresses from Step One to Step Five will differ. It’s also important to recognize that, when starting from a place of no or incomplete connected device visibility, each step of the journey represents a significant improvement toward Zero Trust. And when a connected device security strategy is implemented and fully matured, it can be applied holistically across an entire organization or focused on multiple critical areas, in sequence or in parallel.


If you want to read A Practical Guide: Implementing Connected Device Security for Healthcare Organizations, you can download it here with our compliments. We’ve scheduled a webinar for January 19 to discuss the topic. Or, if you want to talk to one of our healthcare connected device security experts (or an expert in any other industry), get in touch. We’d love to hear from you.


(Updated on November 10th with new Ordr capabilities) 

On October 26th, the OpenSSL Project announced a critical vulnerability affecting OpenSSL 3.0 releases. The version released on November 1st — OpenSSL version 3.0.7 — addresses this vulnerability.

  • CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow that could trigger crashes or lead to remote code execution (RCE).
  • CVE-2022-3786 can be triggered by a malicious email address in a certificate to cause a denial-of-service condition via a buffer overflow.
  • These vulnerabilities were downgraded from critical to high severity (CVSS score 8.8, down from 9.0) on November 1st.

Here is what you need to know about this critical vulnerability:

What is OpenSSL? 

OpenSSL is a widely used open-source cryptography library and toolkit used to secure the web traffic exchanged between a client and a server. It is used to generate public and private keys, install SSL/TLS certificates, verify certificate information, and provide encryption.

Most web servers across the internet and within Intranets use SSL certificates to secure connections and the website being browsed. These certificates are traditionally generated by OpenSSL.

How concerned should we be about this vulnerability? 

Systems running a vulnerable OpenSSL version are exposed. The good news is that this vulnerability affects a very specific set of OpenSSL versions, and patching quickly will address the associated risks.

A flaw in OpenSSL has affected businesses before. In April 2014, the Heartbleed flaw was discovered in OpenSSL; numerous web servers, including those running popular websites like Yahoo, were affected. Security teams rushed to apply updates because the vulnerability was simple to exploit.

How is this OpenSSL vulnerability exploited? 

Both CVE-2022-3602 and CVE-2022-3786 are buffer overflow vulnerabilities; a successful attack could achieve remote code execution (RCE) or expose memory contents such as private keys or proprietary information.

The chances of these vulnerabilities getting abused are low because one of the conditions is a malformed certificate signed by a trusted CA.

The issue lies in the verification process of certificates that OpenSSL performs for certificate-based authentication. The exploitation of the vulnerabilities could allow an attacker to launch a Denial of Service (DoS) or even a Remote Code Execution attack.

Patches for the two weaknesses found in OpenSSL v3.0.0 to v3.0.6 have now been released.

Which OpenSSL versions are vulnerable? 

  • OpenSSL versions 3.0 and above are vulnerable.
  • OpenSSL 3.0.0, the first stable version of OpenSSL 3.0, was released in September 2021, about one year ago. Older OpenSSL releases prior to 3.0.0 are not affected by this vulnerability.
  • OpenSSL versions 3.0.0 to 3.0.6 are affected by this vulnerability.
  • OpenSSL version 3.0.7 includes the fix for the critical vulnerability.

CRITICAL severity (OpenSSL Project definition): This affects common configurations, which are also likely to be exploitable. Among these are significant disclosures of server memory (potentially revealing user information), vulnerabilities that are easily exploitable to compromise server private keys remotely, or situations where remote code execution is possible. The project keeps these issues private and releases a new version of all supported versions as soon as possible.

HIGH severity (OpenSSL Project definition): This includes issues that are of a lower risk than critical, perhaps because they affect fewer common configurations or are less likely to be exploitable. These issues are kept private and trigger a new release of all supported versions. The project aims to keep the time these issues are private to a minimum, no longer than a month where this is under its control.

Is the Ordr platform impacted by the OpenSSL vulnerability?   

Ordr has reviewed our usage of OpenSSL. This vulnerability does not impact Ordr as we do not use the impacted version.

How can Ordr help? 

Ordr has added two new capabilities:

  1. A new scanner that detects vulnerable versions of OpenSSL.
  2. New IPS signatures that detect exploits of this OpenSSL vulnerability.

New Ordr Scanner to Detect Vulnerable Versions of OpenSSL  

  • The Ordr scanner uses the following command-line tools and techniques:
  • Servers typically have an open HTTP port, so a curl command is used to connect to them and read the OpenSSL version from the response headers.
  • Clients usually do not run web services, so the ssh command is used instead.
  • As detection methods, we use HTTPS headers, SSH headers, and credentialed scans to gather the information.
  • Some scanners use only an authenticated approach that requires full credentials; Ordr uses an unauthenticated method to obtain OpenSSL version information.
  • The Ordr scanner also uses tools like Nmap to find open ports as a precursor to determining the OpenSSL version.
  • Example screenshots of the OpenSSL detection built into the Ordr scanner:

Sample SSL command 

Sample SSH command 
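The version-classification step the bullets above describe, as an added example (illustrative code, not the Ordr scanner): one regular expression extracts the OpenSSL version that appears in an HTTP Server header (what curl returns), in ssh -V or openssl version output (the credentialed path), or in an Nmap -sV service line, and the version tuple is compared against the affected range 3.0.0 through 3.0.6. The host names in the probe helpers and the sample banners are constructed, not captured from real systems; the probes are defined but not run by the offline demo.

```python
"""Classify OpenSSL versions seen in service banners against the
CVE-2022-3602 / CVE-2022-3786 affected range (3.0.0 through 3.0.6).
Added example; not the Ordr scanner."""
import http.client
import re
import ssl
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected range from the advisory: 3.0.0 <= version <= 3.0.6; 3.0.7 ships the fix.
FIRST_AFFECTED: Version = (3, 0, 0)
FIXED_IN: Version = (3, 0, 7)

# Matches "OpenSSL/3.0.5" (HTTP Server header, nmap -sV) and
# "OpenSSL 3.0.2 15 Mar 2022" (ssh -V / openssl version). A 1.1.1q-style
# letter suffix is tolerated and ignored.
VERSION_RE = re.compile(r"OpenSSL[ /]v?(\d+)\.(\d+)\.(\d+)[a-z]*", re.IGNORECASE)


def extract_version(banner: str) -> Optional[Version]:
    """Return the (major, minor, patch) tuple advertised in a banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def classify(version: Optional[Version]) -> str:
    """Map a version to one of: unknown, not-affected, vulnerable, fixed."""
    if version is None:
        return "unknown"        # banner hides OpenSSL; fall back to a credentialed check
    if version < FIRST_AFFECTED:
        return "not-affected"   # 1.1.1 and earlier never had the affected code path
    if version < FIXED_IN:
        return "vulnerable"     # 3.0.0 through 3.0.6
    return "fixed"              # 3.0.7 or any later release


def assess(source: str, banner: str) -> dict:
    """One scanner finding: where the banner came from, the parsed version, the verdict."""
    version = extract_version(banner)
    return {"source": source, "banner": banner, "version": version, "status": classify(version)}


# --- live probes (host names are assumptions; the offline demo below never calls these) ---

def probe_https_server_header(host: str, port: int = 443) -> Optional[str]:
    """Unauthenticated check: read the Server header as `curl -sI https://host/` would."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # inventory read only; nothing is trusted from the peer
    conn = http.client.HTTPSConnection(host, port, timeout=5, context=ctx)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


def probe_ssh_credentialed(host: str) -> str:
    """Credentialed check for hosts without web services: run `openssl version` over ssh."""
    out = subprocess.run(["ssh", "-o", "BatchMode=yes", host, "openssl", "version"],
                         capture_output=True, text=True, timeout=15)
    return out.stdout.strip()


# --- constructed sample banners (not captured from real hosts) ---
SAMPLE_BANNERS = [
    ("https:web01", "Apache/2.4.54 (Unix) OpenSSL/3.0.5"),
    ("ssh:app02", "OpenSSL 3.0.2 15 Mar 2022"),
    ("ssh:db03", "OpenSSL 3.0.7 1 Nov 2022"),
    ("https:lb04", "nginx/1.18.0 (Ubuntu)"),
    ("nmap:legacy05", "Host: 10.0.0.5 () Ports: 443/open/tcp//ssl|http//"
                      "Apache httpd 2.4.41 ((Ubuntu) OpenSSL/1.1.1f)/"),
]


def vulnerable_hosts(findings: List[dict]) -> List[str]:
    """Sources whose banner places them inside the affected range."""
    return [f["source"] for f in findings if f["status"] == "vulnerable"]


if __name__ == "__main__":
    findings = [assess(src, banner) for src, banner in SAMPLE_BANNERS]
    for f in findings:
        print(f"{f['source']:14} {str(f['version']):12} {f['status']}")
    print("vulnerable:", vulnerable_hosts(findings))
```

Hosts that come back "unknown" are the ones the bullets above send to the SSH path: a banner that does not mention OpenSSL is not evidence of a safe version, only of a missing header.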

Packet Parser with IDS Signatures to Detect Exploit Attempts 

  • While the Ordr scanner detects all the machines that have this vulnerability, the next step is to see whether any exploits are targeting it.
  • There is a parser on the wire that we need to enhance with rules to extract TLS versions, certificates, and cryptographic details.
  • Ordr has an intrusion detection engine that scans for exploits of this vulnerability using the appropriate signatures. For example, given below is a signature that helps identify exploitation of this vulnerability.
  • CVE-2022-3602 detection: detection of this pattern is done using IDS signatures.
  • A buffer overflow can be triggered by sending an X.509 certificate with a specially crafted email address in the id-on-SmtpUTF8Mailbox field (OID 1.3.6.1.5.5.7.8.9), resulting in a crash (denial of service, DoS) or potentially remote code execution on a vulnerable client or server. Exploitation is possible when a server requests client authentication after a malicious client connects, or when a client connects to a malicious server, which exposes the client.
  • “OpenSSL x509 crafted email address buffer overflow attempt” is detected with the following signature.
  • In the event of malicious activity involving OpenSSL, Ordr has pushed the latest signature to all its customers, and alarms will be raised.
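The certificate feature the bullets above describe (an id-on-SmtpUTF8Mailbox otherName in the SubjectAltName, OID 1.3.6.1.5.5.7.8.9, whose domain part is punycode) can be flagged from the raw DER, which is what a wire parser sees inside a TLS Certificate message. The following is an added example of that detection logic, standard library only; it is not Ordr's IDS signature. The SAN extension it scans is constructed inline with a small DER builder that only handles short-form lengths (an assumption made for the sample), and the mailbox names in it are made up.

```python
"""Flag SubjectAltName otherName entries of type id-on-SmtpUTF8Mailbox
(OID 1.3.6.1.5.5.7.8.9) whose mailbox domain carries punycode labels, the
certificate input described for CVE-2022-3602 / CVE-2022-3786.
Added example with a minimal DER walk; not Ordr's IDS signature."""
from typing import Dict, List, Tuple

# DER TLV for OBJECT IDENTIFIER 1.3.6.1.5.5.7.8.9 (id-on-SmtpUTF8Mailbox)
SMTPUTF8MAILBOX_OID_TLV = bytes.fromhex("06082b06010505070809")


def _read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def find_smtputf8_mailboxes(der: bytes) -> List[str]:
    """Return every SmtpUTF8Mailbox value in a DER blob (whole certificate or SAN extension).

    OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }; for this OID the
    value is a UTF8String, so right after the OID TLV we expect A0 <len> 0C <len> <utf8>.
    """
    found: List[str] = []
    start = 0
    while (idx := der.find(SMTPUTF8MAILBOX_OID_TLV, start)) >= 0:
        pos = idx + len(SMTPUTF8MAILBOX_OID_TLV)
        if pos < len(der) and der[pos] == 0xA0:          # [0] EXPLICIT wrapper
            _, pos = _read_length(der, pos + 1)
            if pos < len(der) and der[pos] == 0x0C:      # UTF8String
                ln, pos = _read_length(der, pos + 1)
                found.append(der[pos:pos + ln].decode("utf-8", errors="replace"))
        start = idx + 1
    return found


def is_punycode_mailbox(mailbox: str) -> bool:
    """True when the domain part has an xn-- label, the input the affected decoder handles."""
    if "@" not in mailbox:
        return False
    domain = mailbox.rsplit("@", 1)[1]
    return any(label.lower().startswith("xn--") for label in domain.split("."))


def scan_der(der: bytes) -> Dict[str, List[str]]:
    """Detection result: all SmtpUTF8Mailbox names, and the subset worth raising an alarm on."""
    boxes = find_smtputf8_mailboxes(der)
    return {"mailboxes": boxes, "suspicious": [b for b in boxes if is_punycode_mailbox(b)]}


# --- constructed sample SAN extension (assumption: every element is < 128 bytes) ---
def _tlv(tag: int, content: bytes) -> bytes:
    assert len(content) < 128, "sample builder only handles short-form DER lengths"
    return bytes([tag, len(content)]) + content


def smtputf8_other_name(mailbox: str) -> bytes:
    """GeneralName otherName is [0] IMPLICIT OtherName, so the outer tag is A0 rather than 30."""
    value = _tlv(0xA0, _tlv(0x0C, mailbox.encode("utf-8")))
    return _tlv(0xA0, SMTPUTF8MAILBOX_OID_TLV + value)


# SubjectAltName ::= SEQUENCE OF GeneralName: two mailboxes plus a dNSName ([2] IMPLICIT).
# Names are made up; xn--e1afmkfd.xn--p1ai is an ordinary IDN domain in punycode form.
SAMPLE_SAN = _tlv(
    0x30,
    smtputf8_other_name("alice@example.com")
    + smtputf8_other_name("bob@xn--e1afmkfd.xn--p1ai")
    + _tlv(0x82, b"example.org"),
)

if __name__ == "__main__":
    print(scan_der(SAMPLE_SAN))
```

A punycode label in an SmtpUTF8Mailbox name is rare in legitimate certificates, so this heuristic is a reasonable alarm condition, but it is a trigger for investigation, not proof of exploitation; the definitive control is the version check and the upgrade to 3.0.7.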