One of the world's largest pharmaceutical companies had recently migrated its chatbots from private AWS servers to a managed solution and wanted to ensure there weren’t additional security risks in doing so. The company also wished to assess the security posture of internally hosted machine learning applications maintained by it.
As a long-time technology partner for the company, Modus Create led a security assessment and created an action plan to remediate the most critical of 127 security findings uncovered.
Our Work Involved
- Source code review across hundreds of Git repositories
- Machine learning assessment for ML-based applications
- Threat modeling and risk assessment
- Infrastructure deep-dive reviews
- Due diligence review of all engineering documentation
- Escalating, triaging, and assisting with remediation
Impact
- 8 critical findings identified, triaged, and mitigated
- Action plan to mitigate 127 vulnerabilities
- New master document for security best practices
13 Petabytes of Data Protected
127 Vulnerabilities Uncovered
Organizations with sensitive data are at a high risk of cyberattacks, even more so when they are in the limelight. This made a global pharmaceutical organization a prime target for malicious actors online.
Additionally, the company's infrastructure relied on several third-party providers. Fortunately, the company has a strong culture of conducting frequent security audits to evaluate their risk exposure and maintain an efficient QA and CI/CD process. They reached out to us to help them get a complete picture of risks and a plan to remediate them.
Understanding the Risk
The company used over 50 different chatbots across multiple platforms worldwide. Driven by integrations with most engagement platforms, these bots functioned to accelerate the timeliness and accuracy of information provided to customers and health care professionals. The integrations included: Facebook, Google Voice, IVR, and various mobile and web-based integrations within websites.
The company also leveraged several machine learning model-based applications and data pipelines to support various sensitive activities.
Intelligent applications such as chatbots and ML applications process a large amount of data. As a pharma company, the client was extremely careful about how it used data and ensured that it was being protected in line with regional legislation.
The company had recently moved its chatbots to a third-party application called Kore.io, a commercial platform with support for multilingual content. Kore.ai simplified the organization's ability to adapt, support hundreds of languages, all while integrating DevOps best practices.
Their previous chatbots had separate portals, middleware, and hosting. Kore consolidated the process, ensuring that even junior developers could build powerful chatbot interactions.
The company knew that such a massive migration could create additional risks for cyberattacks. So, they reached out to their long-time technology partner, Modus Create, for a security assessment. Our team of six cybersecurity experts embarked on a comprehensive security audit to identify any risks and deliver an action plan to address the vulnerabilities.
Organized Crime and Financial Fraud
The FBI informed health care and public health sector partners in June 2021 of fraudulent prescription coupon card billing schemes, whereby criminal actors had obtained reimbursements from pharmaceutical manufacturers while teaching the scheme to other individuals.
Fraudulent billing and supply chain manipulation based on high reimbursement and specialty medications is often a focus of criminal actors seeking to implement “shortage schemes'' and primarily targets insurance systems and government subsidies for fraud. These and similar threats by nation-state actors were clearly outlined and communicated in our recommendations to help the pharmaceutical company understand the types of commodity supply chain attacks they are likely to face.
Examples included the notable supply chain compromise by the REvil group which led to the ransoming of several thousand downstream supported customers and clients who had IT providers utilizing Kaseya software.
White Box Security Audit
The team included experts in specific areas of the assessment: red teaming, code review, machine learning, and DevOps. The rationale was to evaluate the security posture from each relevant perspective.
As this was a white box assessment, the team worked closely with the company's engineering and security teams to understand the architecture, logic, infrastructure, compliance rules, and data regulations. This approach ensured that the team had access to relevant information to prepare a complete assessment.
Over a two-month period, the assessment covered over hundreds of applications, integrations, and services, from source code contained in git to sage maker deployments hosted within AWS:
- Static Application Security Testing (SAST) as the first level of source code triage
- Manual source code review by a development team for best practices and logic
- Dynamic Application Security Testing validating vulnerabilities in the deployment of application
- An OWASP Top 10 Risk Analysis
- Network Topology Analysis focusing on what services are exposed to what network segments
- Account management, role-based access control, and identity and access management analysis
Apart from threat modeling and DevOps/infrastructure resiliency check, the assessment also included consolidating engineering documents as part of a due diligence review to create a comprehensive view of the current application landscape.
Impact of the Assessment
The team discovered that passwords in the repository were open to anyone with GitHub access and not encrypted. There weren't enough checks in place to restrict information from malicious actors if they gained access to the client network.
Modus Create provided actionable suggestions to fix vulnerabilities and upgrade their overall security posture: on both the process and tooling front. The assessment enabled the pharmaceutical company to make a series of improvements in strategic areas such as application design, lifecycle management, QA, rights management, network segmentation, and resilience implementation.
A proactive mindset has positioned the client to successfully deal with future cybersecurity threats. They have reinforced strong measures to not just protect proprietary manufacturing information, but also personal patient information by maintaining complete HIPAA (Health Insurance Portability and Accountability Act) compliance.
Vital Stats
Security vulnerabilities discovered
of data protected
Critical threats uncovered
involved in code review
If you need help with leveling up your cybersecurity posture, talk to Modus. Our experts have helped both the Fortune 500 organizations and emerging startups mitigate the risk of devastating cyber attacks.