Cybersecurity for dental office

Hi, HTB newbie here. I work reception/management at a small dental office that has been hacked and had data encrypted once before. I joined HTB a few months ago mainly to gain some experience in penetration testing so that I can hopefully help to prevent further attacks in the future. The office doesn’t host a web server (which seems to be the main attack point for most HTB boxes), so what other services might be common attack vectors for a dental office? I know we used to have a Windows remote web client & TeamViewer but these have since been stopped. Also, if we really need to have a remote desktop connection available, what is the best way to secure it? Thanks in advance

If you need to expose RDP to a third party, you should make it available only via VPN, not directly from the internet. Depending on the router/firewall appliance/VPN service, you might be able to secure it via 2FA/MFA.
Another option would be to use TeamViewer QS on your side. That way, your IT service partner (or medical device manufacturer) can only “dial in”, after they called (or you called them), you actively started the QuickSupport module, and told them the current session id and password.
Other than that, never underestimate “client-side attacks”. A phishing mail is easily crafted, and people “love” to open arbitrary attachments. To reduce the attack surface here, disable macros inside your office suite (Word, Excel, PowerPoint, etc.). Also, change the default application for .js and .vbs files to Notepad.

Back up your data to true offline locations. I’m still a huge fan of tape-based backups: one tape per day, and 5 “rolling” tapes for Fridays. That way, you can restore data for up to one month, and ransomware won’t encrypt it (as compared to some network storage that is available 24/7 for each and every system inside the network).
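The two client-side hardening steps above (macros off, .js/.vbs handed to Notepad), as an added PowerShell example that is not part of any post in the thread. It assumes Office 2016/2019/365 (registry version key 16.0), is run as the affected user for the macro policy, and elevated for the file-association change.

```powershell
# Added example (not from any poster): disable Office macros and make .js/.vbs open in Notepad.
# Assumption: Office 2016/2019/365, whose registry version key is 16.0.
$apps = @('Word', 'Excel', 'PowerPoint')

foreach ($app in $apps) {
    # The Policies\ path is the Group Policy location, so users cannot re-enable
    # macros from the Trust Center. VBAWarnings 4 = "disable all without notification".
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
}

# txtfile is the built-in Notepad file type. Re-pointing the extensions at it means a
# double-clicked attachment opens as text instead of running under wscript.exe.
# Needs an elevated prompt (assoc writes to HKEY_CLASSES_ROOT).
foreach ($ext in @('.js', '.vbs')) {
    cmd /c "assoc $ext=txtfile" | Out-Null
}

# Verify what was set.
foreach ($app in $apps) {
    Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -Name VBAWarnings |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings
}
cmd /c 'assoc .js'
cmd /c 'assoc .vbs'
cmd /c 'ftype txtfile'
```

A per-user “Open with” choice (the UserChoice key under FileExts) can still override the association, so finish by double-clicking a harmless test .js file and confirming Notepad opens it.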

@rama3124 said:

Hi, HTB newbie here. I work reception/management at a small dental office that has been hacked and had data encrypted once before. I joined HTB a few months ago mainly to gain some experience in penetration testing so that I can hopefully help to prevent further attacks in the future. The office doesn’t host a web server (which seems to be the main attack point for most HTB boxes), so what other services might be common attack vectors for a dental office? I know we used to have a Windows remote web client & TeamViewer but these have since been stopped. Also, if we really need to have a remote desktop connection available, what is the best way to secure it? I can’t seem to find a way to attach 2FA to the Windows remote web client or TeamViewer. Thanks in advance

Awesome question but it has a series of fairly complex answers. The real answer is “it depends” (this is nearly always the answer to any cybersecurity question, although it is pretty frustrating to hear).

Ideally, if you know how the last attack happened you can use this as a lessons learned to prevent the next one. It’s not ideal but better than fixing problems which might not exist. Look at running your own “penetration test” or vulnerability assessment to work out what problems exist and fix them as a priority.

You might find getting rid of Teamviewer and remote web access solves 99.99999% of your problems as both are inherently evil.

At a basic level, most ransomware attacks come through one of two paths:

  1. Email
  2. Web activity hitting an exploit kit.
    (there are exceptions for SMB type ransomware but today that is still a minority path)

The single most common attack vector right now is an employee being phished and executing a ransomware payload. The best mitigations for this are ensuring mail is properly sanitised at the gateway and users run with low privileged accounts. If you have users who log on for day to day activity with Admin rights, you need to fix that right now.

Then look at web activity. If you can, run it all through a proxy of some sort. This can be fairly cheap if you have a small environment but it does mean that you have an extra place to scan executables and capture malicious activity.

Ensure an up-to-date AV is running. This is not a silver bullet but if you don’t have it, the attacker’s job is easier.

Lock down file permissions. Don’t let users write to system folders and don’t let users execute files from temporary or download locations. User A should never be able to modify the files belonging to User B etc.

Make sure backups exist and a copy is stored OFFLINE. Versioning is awesome (VSS in Windows works well) but ransomware often disables this. Have your backups stored offline, so an attack can’t corrupt them. If you have all your data on a NAS, ransomware will just see it as another drive to encrypt.

I am not sure about how you implement 2FA on RDP. If it is challenging then at the very least enforce strong passwords - if your users have 18+ character passwords, the chances of a brute force attack diminish quite a bit (especially if you lock the account after 5 tries).

Make sure your firewall is effective. Things like SMB should never be allowed through it and if you aren’t hosting your own website, you probably only want to allow 3389 to the single RDP box, block everything else.

Lastly - this is where it gets hard for a small environment - have some form of monitoring in place. You probably won’t want an IBM hosted QRadar instance but having some way to know if something bad is happening makes sense. If you have the knowledge, putting a tool like SOF-ELK or Security Onion in the environment and forwarding logs to it, is a great way of getting visibility.

I am 100% confident there are other things to consider, but it all boils down to how big your network is, what you want to defend, how you want to defend it and what budget you have.

Like @TazWake says, a lot of it is going to depend on your exact environment and requirements. Honestly I don’t think it’s something you can really get an answer to on the internet just by posting a question like this. I think if you’re serious about it you’d need to get someone to do a security assessment/audit of your network and actually go through things with you.

At the very least though I would say if you need remote desktop access then do it through a VPN like @HomeSen suggested, rather than exposing it to the entire internet.

Thank you all for the input. I found the suggestions thorough and very useful. I plan to remove access to RDP altogether if possible or go through VPN, and will look at upgrading our gateway to make sure emails are properly being sanitized. We have already locked down admin access to only be available to the owner or to IT, so I think we’re good when it comes to user permissions too. Haven’t considered offline backups but I think I’m going to need to suggest this too to the owner. In terms of firewall, does Windows Defender do a good enough job or is it better to invest in something like Malwarebytes too?

The firewalls you’re talking about are on a per-computer basis. What you really need (and I suspect you already have) is a network firewall that separates your entire network from the internet. Presumably you have something like this that was forwarding specific ports on to specific machines for RDP access etc. At home the firewall is usually built into your router, but in business networks it’s often two separate things. Again it’s hard to advise because we can’t see your existing setup.

I agree with @VbScrub (again :smile: ) and just want to add you really need a network firewall and a host based firewall.

Make sure you fully understand the differences between Anti Virus, Host Firewalls / Host IPS (“HIPS” and other names), Network firewalls and Network IPS etc.

Security must be layered - defence in depth - so the more layers of control you can implement the better. Apart from anything else, this means you are under less pressure to make any one-level work perfectly, all the time.

With regards to endpoint AV, Defender is probably good enough for most of your needs, just make sure you configure all the components (for example, the “Windows Defender Firewall with Advanced Security” is pretty effective).

All suggestions are good. Here I am going to add a few. In order to prevent such attacks in future, make a security policy: implement, check, monitor and revise it from time to time. Put all high-priority assets on a risk assessment list, do threat and vulnerability analysis and put controls against them. Most of the controls are available without investment, some need budget, so it’s up to you which approach you will take to mitigate high-risk assets. You need to monitor all activity using a solid and effective monitoring system and alerting mechanism which automates your task and removes attackers before they exploit or penetrate your system. Offline backup is a must: plan well, keep records and do a restore once to know recovery time and fail/success, and document them. Good luck! Think like a hacker so you can put up maximum defense.

First of all, I think it’s great that you are taking the initiative to learn about pentesting/hacking to secure your business! I’d be happy to help via pm if you have any questions that you don’t want to share publicly.

While this thread has a lot of very good suggestions already, I feel like some of them might be slightly overkill for the scenario you’re describing and it might be difficult to decide where to start.
For the beginning these are the parts I personally would focus on.

  • Find out your external IP address(es) and perform port scans on those over the internet. Please double-check that you have permission to do this, e.g. from your boss if applicable. Also, the addresses might change periodically, so be careful that you don’t end up scanning another customer of your ISP. Ideally, there should not be any open ports reachable from the internet.
  • I’m assuming your office can receive e-mail. Are there any protections against malicious attachments? If you use MS office, you should probably try to fully disable macros (no prompt shown to the user) and also inform staff about the dangers of phishing.
  • Create personalized user accounts for all staff and only give administrative privileges to those who really need it. This can help reduce the impact of a potential breach.
  • Ensure that automatic updates are enabled and working properly on all machines.

The next step afterwards should probably be looking for a good backup solution. Ideally the backups should be off-site and set up in a way that an infected network does not also infect your backups. Since you’re protecting medical data, confidentiality should also be a high priority, so simply pushing everything into the cloud might not be a good idea.

Good luck!

@zaicurity I wouldn’t say you should aim to have NO open ports on your public IP. If you have an on-site mail server you’re going to need port 25 open. If you want to be able to connect with a VPN, you’re going to need a port open for that, etc. Yes, the fewer ports open the better really, but if you have a valid reason for needing internet traffic to enter your network on a specific port then that’s not necessarily an evil thing that you need to get rid of (as long as you make sure the service listening on that port is patched and secured etc).

Idk maybe I’m just out of the loop and there’s ways to do everything without open inbound ports these days, but I know a few years ago when I worked in IT admin it was very normal to have a few.

Phishing is very often the main vector.

@VbScrub said:
Idk maybe I’m just out of the loop and there’s ways to do everything without open inbound ports these days, but I know a few years ago when I worked in IT admin it was very normal to have a few.

Well, you can use TeamViewer for that, since it uses a “System in the Middle” that orchestrates the actual connection. But then you are basically routing everything through their systems.
Another option would be to restrict access to ports by source IP addresses, if your IT service partner has a static external IP.

But in general, yes. There is nothing wrong with exposing necessary services to the internet, as long as you secure them appropriately.
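The RDP advice from @TazWake (only 3389 to the single RDP box, lock out after 5 tries) and @HomeSen (restrict by source IP or VPN), as an added PowerShell example for the RDP host itself; it is not code from any poster. It assumes an elevated prompt, that 10.8.0.0/24 is the VPN client subnet and 203.0.113.10 the IT partner’s static address (both placeholders), and a standalone or workgroup machine (on a domain, the lockout policy comes from Group Policy instead).

```powershell
# Added example (not from any poster): limit inbound RDP on a Windows host to trusted
# sources and enable account lockout against password guessing.
# Placeholders: VPN client subnet and the IT partner's static IP. Adjust to your network.
$allowedSources = @('10.8.0.0/24', '203.0.113.10')
$ruleName = 'RDP from VPN or partner only'

# The built-in "Remote Desktop" rule group allows 3389 from any address; disable it so
# the narrower rule below is the only way in.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# Allow rule scoped to the trusted sources. Everything else to 3389 falls through to the
# profile's default inbound action, which must stay "Block" for this to mean anything.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $allowedSources -Action Allow -Profile Any | Out-Null
}

# Confirm the default inbound action is Block on every profile.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# Lock the account for 30 minutes after 5 bad guesses within a 30-minute window.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Review the result.
net accounts
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

This only narrows the host firewall; the perimeter router/firewall still needs to forward 3389 to nothing but this box (or, better, only expose the VPN endpoint).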

@VbScrub said:

@zaicurity I wouldn’t say you should aim to have NO open ports on your public IP. If you have an on-site mail server you’re going to need port 25 open. If you want to be able to connect with a VPN, you’re going to need a port open for that, etc. Yes, the fewer ports open the better really, but if you have a valid reason for needing internet traffic to enter your network on a specific port then that’s not necessarily an evil thing that you need to get rid of (as long as you make sure the service listening on that port is patched and secured etc).

Idk maybe I’m just out of the loop and there’s ways to do everything without open inbound ports these days, but I know a few years ago when I worked in IT admin it was very normal to have a few.

Fair point. I wrote the recommendation since in my mind a dental office probably does not host their own mail server (or any other services for that matter). That said, as long as any exposed services are actually necessary and properly secured they should not be a problem.

Use 2FA for all logins/authentications.

Must really be a pain for small businesses nowadays, to have to be concerned about VPNs and weird stuff you know nothing about, on top of your regular stuff when, as a dentist, as a cake-maker, as a painter, you go back home at night…