DICOM Security 102: Diving into Files

The 101 covered what happens on the wire: A-ASSOCIATE handshakes, AE Title “authentication,” vendor fingerprinting. This one covers what’s inside the files. DICOM’s Part 10 file format was designed for interoperability and absolutely nothing else. No integrity by default. No authentication. No validation. That makes it a file format worth understanding if you’re testing or defending imaging systems.

Threat Models and Whitewater River Paddling

Threat models and risk assessments are universal. If you have the mentality, you can consistently apply it in all aspects. I spend a lot of time thinking about medical device security, but I also spend a lot of time on rivers doing whitewater rafting and kayaking. The crossover between the two is striking.

Medical Device Security: The IT vs OT Security Debate

Medical device product security doesn’t fit cleanly into a strict IT or OT security categorization — but if you had to pick, these devices lean OT in how they must be secured, while being built from IT assets. Let’s break down why, and where either analogy breaks.

DICOM Security 101: Network Security with Nmap

Most people don’t know that Nmap — the port scanning tool everyone and their grandma has used — supports DICOM. And not in a half-baked way: there are Nmap scripts revealing network protocol-level insights. So this post attempts to: give you some basic protocol fluency, review existing Nmap DICOM support, review my Nmap DICOM PR on fingerprinting DICOM systems, touch briefly on my Scapy DICOM PR, and cover overall network attack surface analysis.

Threat Modeling Generation Taxonomy

All threat modeling methods define abstractions of reality; what differs is the entry point.

The Security Mindset: A Field Guide for Junior Engineers

I keep finding myself repeating the same advice to junior engineers. None of it is about tools. None of it is about certifications. All of it is about how you think.

Beyond Threat Model Templates

My viewpoint on threat modeling has matured since my last post on templates. Recently, I have been combining template threat modeling with process and user-needs threat modeling, with some GenAI sprinkled in to help out. If you’re not familiar with template threat modeling, check out my other post.

PASTA, Attack Trees, Did We Do a Good Job, and the Infrastructure Nobody Built

I’ve been kicking around some ideas on threat modeling lately – scoring timing, PASTA’s problem, where to start, and some project ideas that keep nagging at me. None of this is groundbreaking. Most of it is stuff the community has been circling for years.