The Cyber Threat Landscape Evolution: How the Pandemic Changed the Attack Surface in Healthcare: Evolution of Attacks
Tony UcedaVélez is the Founder and CEO of security consulting firm VerSprite, based in Atlanta. He founded VerSprite after working in the IT and information security space for nearly a quarter of a decade.
Tony UcedaVélez: Okay, now comes the fun part. I told you how the world’s on fire. Now comes the part where: how do we actually contain the fire and mitigate some of these risks?
So your first officers dive in awareness. It’s a broken record, I know, you know: train your employees, teach them about security, teach them how they can get hacked, blah, blah, blah. Yeah, I know, the record is a classic. It’s like one of those annoying, you know, pop songs that you just keep hearing all the time on the radio, you just want it to get out. But the reality is that awareness has a lot of benefits, right? It’s just a matter of execution. It’s not necessarily about just a binary “Oh, we did awareness,” you know.
So let’s talk about some things not to do. That first bullet point there is, you know, classic: the leave-it-and-forget-it LMS. You know, the entity is like, “Oh, yeah, they have a great funny cartoon-like learning management system, we can just basically pay for this, we got, you know, 200 seats, we got 100 seats, let me just license this and then go ahead and roll it out,” checkbox. Happens a lot with large organizations that are, again, just looking to check a box and cross off a security strategy, as if it’s basically a project management task.
And that is the large problem with just, you know, healthcare execution, especially when we’re trying to respond to remote workforce challenges: it is the execution. The other major football is that there’s a generic flavor of a security awareness training or investment that just doesn’t even fit. The culture doesn’t even fit, the workflow doesn’t even fit the technology that is being used. So the users, when they take a look at it, it doesn’t really reconcile to their job function.
Another one: too lengthy. You know, they feel like they’re watching an episode of C-SPAN, and so they’re bored out of their minds, and they definitely hate security now. So it’s not really good preparation. In fact, they might have a very bad disdain for security, we’re in this year, two years.
Again, this disjointedness between the company tools and governance is a major part there. What I mean by governance here is that oftentimes you roll out training, and it doesn’t even reconcile to the policies that you might actually be asking your employees to abide by. So the ROI in terms of both the policy side and the tool side goes down the water.
So what you want to do is you want to exercise your employees’ minds. You want to basically, your end goal is to change the culture, the mindset of security. It’s not this sort of, like, lame paranoia, you know, the thing that’s just kind of, you know, Chicken Little, the whole entire organization, to a level of fearmongering. What you want to do is you want to make it fun, but you want to make it informative, make it relevant, contextual to their operations. You know, for example, if you’re an orthopedic surgeon, if you have an orthopedic practice, what are the types of information that you have that are different from, like, you know, a dental practice, right?
And I make the short contrasts on purpose because there’s different equipment, different software, different data, obviously different, you know, information in that data, I should say. Yeah, there are images. Yeah, there’s protected health information. Absolutely.
But when it comes to mitigating the threat of phishing, and the context of someone leveraging that information, they’re going to make things very contextual. So make sure that you make your awareness contextual as well: gamify it, make it more frequent, and make the threat patterns that you use when you’re exercising your team, you know, something that’s relevant to what’s going on in your specific industry or sub-industry. So the goal is to change the culture and the way that it integrates within your culture, within your workflows.
Now, let’s talk about Endpoint Protection. You got to be done with EP if we’re going to basically really mitigate the new frontier of the remote workforce, which is not going to go away anytime soon. So really quick, for Endpoint Protection, you know, there’s a lot of different ones that are out there. Endpoint protection is looking to look at your laptop, see what’s going on, inspect it, and then flag something that looks like it’s an anomaly.
There might be a process or a memorable event that kicks off that just doesn’t jive with what normally happens on that endpoint. And so it’s important to get providers and partners that know that they’re looking to evolve that technology, look at trends that are happening, so they can bake that technology into the endpoint so they can improve their anomaly detection.
Ideally, you want to be able to rope in an EP solution that encompasses services, so that if something were to hit the fan, you pick up the phone and you call the service provider, they can get boots on the ground, or you can ship out compromised endpoints and they could run forensics on it, and then ship in a new, pristine endpoint that can hopefully be imaged with the systems and software that your users need. You want to evaluate different solutions way ahead of contract renewals. So basically, you want to make sure you do your homework when you’re trying out different EP solutions; make sure that you find the things that are most important to you.
Ease of management, you know, technological accuracy, you definitely don’t want a lot of false positives. So you want to know those things well ahead of time, before the contract renewal hits. Consider supplemental managed services. You know, there might be things that, you know, again, a lot of the solutions with software that goes onto infrastructure endpoints, these configurations. And oftentimes, companies, again, they buy, they install, but they’re just using the basic flavor, without all the juicy nectar of security configuration that comes along with a security solution. So whether it be an email, online solution or an endpoint solution, it’s important that you make sure that you lean on the service providers that can actually help you do a better job there.
And then last, but not least, you know, you want to make sure that you develop the proper policies around, you know, MPP solutions, so that there’s an awareness and, hopefully, you can get some level of compromise with BYOD owners, Bring Your Own Device owners, so that they can actually run some of the software and improve the security of their own device, without thinking that it’s a Big Brother agent running on their laptop. Alright, so business email compromise, super hot issue. There’s usually a couple of these a week that we see on an ongoing basis.
But email is a right vector. What we want to focus on here is how do we actually validate the authenticity of the sender? How do we basically reduce the opportunity for impersonation? So you got to check out different types of solutions that are out there that help evaluate the accuracy of the sender, the accuracy of the context of the information. A lot of providers today are using artificial intelligence to understand normal behaviors and patterns in email, so that they can evaluate and determine whether there is an anomaly in terms of requests, in terms of language use, in terms of a lot of different things. It’s not just about “don’t click links” and “don’t open up the email.” It’s also about being able to not call the phone number or simply respond to an email that has nothing but text.
So it’s important that you team up with the right product or security provider that can, you know, bake in threat intel and some level of AI and advanced threat detection defense into their solution, either at a gateway level, or through API integration levels, and things like that. One thing I wanted to harp on here is, look at this last point here: integrate email events into a broader, you know, SIEM strategy where you’re basically correlating a lot of security events, security incidents into a larger pool of security events. That’s really important.
We don’t see a lot of organizations do that. It’s really important that you take those online logs and you funnel them into there, so that there’s a separate set of security eyes through those technologies, SIEM and SOAR technology, that can look at those logs and see if there’s a problem. Okay, so now, one consideration here, there are two more slides on countermeasures really quick: you can either get better or you can outsource, right? You got to focus on your core capabilities, especially as it relates to backup, threat intel, and managing a SIEM. For backup and recovery, you know, it’s more than just doing a data backup. You know, anyone can right-click in a lot of different things and different types of server environments or management software, and just enable backup to happen.
You know, there needs to be a lot of activities that go in, in order that you can mitigate against threats that are happening right now in a remote workforce, like, you know, ransomware. And part of those activities include scheduling proper backups, doing the right types of, you know, configuration on incremental backups versus full, making sure that you have access controls on those backups, you know, and making sure that you have encryption applied, you know, the frequency of doing the backups and also the testing, making sure that, you know, the backups actually work and actually support restoration in the event that you do get extorted. Threat intel: making sure that you are aware of the threats that are happening.
You know, today I kind of started this whole presentation with a little snippet of very, very recent threat campaigns that are happening now that are leveraging, you know, the Exchange vulnerabilities and the perpetration of different vaccine campaigns. So make sure that you have a robust threat intel capability, either internally or outsourced, so that your collective group can be aware of how to better configure the tools that you are leveraging today. Last but not least, it’s important that you make sure that you have an effective SIEM, the security incident event monitoring solution, where you’re aggregating the full stack of your attack surface, you know, in the cloud, on-prem, you know, system logs, Ed, you know, EMR record logs, anything that basically is going to be obviously of importance related to a possible breach scenario, possible security violation. You want to make sure that you calibrate those SIEMs so that you can evaluate how well they are aggregating log events, security events.
And then don’t forget the SaaS, don’t forget the SaaS logs. A lot of your, again, the proliferation of cloud services, especially with SaaS, in healthcare in this post-pandemic timeframe, is staggering. So there’s a lot of online SaaS solutions out there that are enabling web-related technologies. All that infrastructure has logs, and some of those providers should and can provide you, tenants, I’m sorry, you as a respective tenant, log information that can help you to see if you actually have a problem with the data that you’re managing, with the accounts that you’re hosting within your respective tenancy in that cloud solution. All right, now other candidates before we do closing thoughts. Other candidates or considerations for countermeasures: MFA everything, multi-factor everything, SaaS solutions, your domain accounts, multi-factor everything.
It’s just a good habit to have at a personal level, and something to definitely reinforce in your training. DLP considerations.
My biggest takeaway here is make sure that you don’t just simply do passive mode, or what I call zero-ROI mode. I’ve worked with Fortune 15 companies that have bought a lot of these sorts of DLP solutions, and they put it in passive mode, and they kind of check the box for auditors, but it does nothing in terms of actual mitigation, because there’s maybe no one looking at those passive alerts. You want to be able to get it, you got to be able to evaluate your organization. This is where you determine: do we build or do we outsource? So maybe outsource the alerting or the monitoring aspect of the alerts if you’re gonna go passive mode. Because if you’re just going to put something in passive mode, and they’re just gonna say, “You have a DLP problem, DLP problem, but let me go ahead and let this email go through,” then you’re really not stopping anything.
And you know, a year later or a lawsuit later, you might actually find out that you implemented something that you didn’t really use to the full extent. Endpoint considerations as well, really important: take the EP solutions and make sure that you can apply a DLP solution locally so that you can see if there are abuses on sensitive files and information. And there’s a lot of different solutions out there that have matured quite well in that area. Encrypt the world, encryption is cheap. And I know there’s some debate always in terms of, like, you know, especially for high-traffic transaction-based applications, encrypt/decrypt can place a toll. But, you know, where possible, make sure that you can encrypt the data. It’s cheap and effective to implement. The real part that is not cheap is property management.
And that is underscored, oftentimes, by making sure that you have the right key management routines. Where are you keeping your keys, your asymmetric keys or symmetric keys? Where are they? Where are they being secured in terms of a key store? How are they being maintained in terms of expiration, in terms of revocation, in terms of key wrapping, and things like that?
Last but not least, consider building an organizational threat model. An organizational threat model is basically a model of threats for your organization. I mean, the name is self-explanatory, but what it does is it helps to build a simulation on how to attack your organization: maybe throw in simulations on email vectors, maybe some SMS vectors, maybe some in-person vectors, or maybe some, you know, wireless vectors. And you can do some sampling in remote workforce environments, where, you know, a lot of companies want a sample size of how secure the wireless installations are at a sample size of some of their employees.
Of course, in this case, from a legal standpoint, they typically have to get some level of consent. But the point is that, you know, there’s a lot of ways to do an organizational threat model in this very remote workforce type of environment that we’re in. Conducting, you know, Red Team exercises that use phishing, targeted phishing attacks, is a great way to start that can funnel into awareness training. And that can reconcile also to governance requirements that you have for employees on security policies.
And so last but not least, you want to make sure that you reconcile your organizational security controls to a threat model that you develop. You’re going through a threat model, you find out things that you’ve actually weakened. The good thing about a threat model is that it can define the roadmap, like, where do you need to focus on? Do you need to focus on NPP or maybe business email protection? Do you need to focus on awareness? Or do you need to focus on your backup strategy? So it’s a great way to kind of, if you’re wondering, like, “Where do we go? Well, you know, what is that comprehensive assessment that I need to do?” then you might want to check that out. So, in closing thoughts here, just a couple of six key takeaways.
Number one, old habits die hard. And so make sure that you’re training your staff, and train often. And it doesn’t have to be very laborious or very kind of ceremonious; to training, quick, effective, relevant and fun goes a long way. And that’s email security. That goes without saying: business email compromise is at an all-time high. Spear phishing, you know, used to be like a flavor of phishing; now it’s almost the de facto. Make sure that you harden your email configuration, enable MFA to enforce email security and security training.
Don’t forget about your DNS. Definitely, hackers are looking to compromise your domains, your subdomains, in an effort to perpetuate your customers, perpetrate your employees, maybe perpetrated. I’m sorry, not perpetrated, but try to, you know, trick your employees, trick your vendors, trick your customers, and things like that.
So don’t forget about DNS and make sure that you take appropriate measures for protecting that. Defend the endpoint. So, new battleground, remote workforce: you have an endpoint that might not see the time of day in a centralized corporate environment for a long, long, long time. And so making sure that you have the right software that is up to date, that is doing more than just anti-virus; this is way more than just antivirus.
Anti-virus is a small sense of security. You want to do something that’s looking at anomaly detection, heuristic analysis, understanding patterns at the endpoint, so that it can respond and react in a remote workforce setting. Security of your SaaS: we talked about it at the very beginning; in a remote workforce, there’s a lot of dependency on the cloud and web technologies.
So those web technologies have configuration panels, and it is really the responsibility of the security team in IT to really go in and harden those configurations, making sure that the most stringent level of security implementation can be applied and implemented and integrated with those SaaS services that you’re depending on as a healthcare organization.
Last but not least, don’t forget the supply side. You’re buying a lot of software, you’re buying things that are going into components that are trusted, maybe into your cloud infrastructure that you might be hosting in Amazon or AWS or Google Cloud, or Azure, I’m sorry, in Microsoft Azure. So it’s important to understand what is going into these establishments and making sure that you pick the appropriate tires, because cybercriminals are in fact using the supply chain as a conduit to broader compromise and threat campaigns that they’re looking to fulfill.
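The point made in the session about funneling email-gateway events into a broader SIEM strategy, so that a second set of eyes can correlate them with what happens on the endpoint, can be illustrated with a small correlation rule. The following is an added example, not code from the talk, from VerSprite or from Paubox; the event fields, user names, process names and timestamps are all constructed for illustration, and the rule logic (a delivered-but-flagged message followed within a window by a script host spawned from the recipient's mail client) is one reasonable rule among many, not a vendor's detection.

```python
"""Added example: a SIEM-style correlation between email-gateway verdicts and
endpoint (EDR) process events. All events below are constructed sample data."""
from datetime import datetime, timedelta

# Constructed email-gateway events. Note the first one: the gateway judged the
# message suspicious but still delivered it, which is exactly the case the
# endpoint telemetry has to catch.
EMAIL_EVENTS = [
    {"ts": "2021-04-01T09:02:00", "recipient": "jdoe", "verdict": "suspicious",
     "action": "delivered", "subject": "Vaccine appointment update"},
    {"ts": "2021-04-01T09:05:00", "recipient": "asmith", "verdict": "malicious",
     "action": "quarantined", "subject": "Invoice overdue"},
    {"ts": "2021-04-01T10:40:00", "recipient": "bkim", "verdict": "clean",
     "action": "delivered", "subject": "Staff meeting notes"},
]

# Constructed endpoint events: parent process -> child process per user.
ENDPOINT_EVENTS = [
    # script host launched by the mail client 13 minutes after the flagged mail
    {"ts": "2021-04-01T09:15:00", "user": "jdoe", "parent": "OUTLOOK.EXE",
     "process": "powershell.exe"},
    # same user and pattern, but hours later: outside the default window
    {"ts": "2021-04-01T13:00:00", "user": "jdoe", "parent": "OUTLOOK.EXE",
     "process": "wscript.exe"},
    # benign: a document opened from Explorer, not from the mail client
    {"ts": "2021-04-01T09:20:00", "user": "bkim", "parent": "explorer.exe",
     "process": "WINWORD.EXE"},
]

# Hypothetical allow-lists for this rule; a real deployment would tune these.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}


def _ts(event):
    """Parse the ISO-8601 timestamp carried by every event."""
    return datetime.fromisoformat(event["ts"])


def correlate(email_events, endpoint_events, window=timedelta(minutes=30)):
    """Return one alert per delivered, non-clean email that is followed within
    `window` by a script host spawned from a mail client on the recipient's
    endpoint. Quarantined or clean mail never produces an alert on its own."""
    alerts = []
    for mail in email_events:
        if mail["action"] != "delivered" or mail["verdict"] == "clean":
            continue
        delivered_at = _ts(mail)
        for ep in endpoint_events:
            if ep["user"] != mail["recipient"]:
                continue
            if (ep["parent"].lower() not in MAIL_CLIENTS
                    or ep["process"].lower() not in SCRIPT_HOSTS):
                continue
            delta = _ts(ep) - delivered_at
            # Only endpoint activity after delivery and inside the window counts.
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": mail["recipient"],
                    "subject": mail["subject"],
                    "process": ep["process"],
                    "minutes_after_delivery": int(delta.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EMAIL_EVENTS, ENDPOINT_EVENTS):
        print(alert)
```

With the sample data, only jdoe's 09:15 PowerShell launch is raised; the quarantined message to asmith and the clean message to bkim produce nothing, and jdoe's 13:00 event is ignored unless the window is widened. The value of the rule is that neither log alone is alarming (gateways deliver suspicious mail all day, and users launch scripts from Outlook for legitimate reasons), while the two together within a short window are worth an analyst's time.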
Watch every minute of Tony UcedaVélez's session here. Learn more about Paubox Spring Summit, Secure Communication During a Pandemic.