Tesla thwarted a ransomware attack and is making global headlines. We discuss lures and seven ransomware red flags. Henderson Behavioral Health is winning, and UCSF pays more than a million dollars to hackers. Anders Norremo from ThirdPartyTrust chats about his unique platform and Third-party Risk Management.
Here’s the full transcript of this episode.
Olena Heu: Welcome to another edition of the HIPAA Critical Podcast. I’m your host Olena Heu and joining me this week is Marketing Manager of Paubox, Sierra Reed.
Sierra: Hi, Olena. Happy Wednesday.
Olena: Happy Wednesday to you, too.
Now coming up on the show: Tesla. Yes, Tesla is making big news when it comes to ransomware. Find out what exactly is going on.
A behavioral health facility out of Florida is winning this week and we’ll tell you why over a million dollars has been paid out after a ransom demand. Find out which educational institution coughed up that money.
But first, here’s what’s happening in the news right now.
Sierra: Today I’d like to talk about ransomware trends, lures, and red flags to look out for.
Some of you may have heard of the ransomware attack thwarted against Tesla as it made global headlines. It was an insider enabled ransomware attack. Network defenders need to consider the possibility that not just attackers outside the firewall, but malicious employees within it could now be the origin of an attack.
This is especially important to note as ransomware continues to surge due to COVID.
Other ransomware campaigns to look out for are campaigns that lure victims to install malware that steals financial data and other personal information. Additional lures that include information about vaccines, masks, and short supply commodities like hand sanitizer are perfect examples.
Lures that include free downloads for technology solutions that are in high demand are another example. If you’re thinking of a solution like a virtual video and audio conferencing platform, as all in-person events are now virtual, this is an excellent example of this.
Another lure might be an update to collaboration solutions and social media applications.
Olena: What are the red flags also that you can look out for to spot and hopefully stop ransomware attacks?
Sierra: Yes – there are red flags you can look out for, and I’m going to highlight seven of them quickly.
Olena: Great. So guys, have a pen and paper handy. It’d be an excellent time to take some notes, or you can also listen to the podcast again.
Sierra: Good idea. Here we go:
First, the Active Directory will show multiple login failures.
Second, brute force attacks will hit the network.
Third, phishing emails land with strange domains.
Fourth, the network starts making a string of questions about a single machine.
Fifth, security tools are being used in environments where they weren’t assigned to.
Sixth, unusual timestamps appear on VPN connections.
Last but not least, traffic is suddenly redirected to questionable places on the dark web.
Olena: Wow. Well, thank you, Sierra. That’s great.
Now let’s move on. Tell us who’s winning this week?
Sierra: Our winner of the week is Henderson Behavioral Health. They are one of the oldest and most successful providers of behavioral health services in Florida.
Tony Cox, Chief Information Officer, wanted a state of the art email encryption solution and to implement an inbound email security solution specifically to filter out spam, malware, and virus email threats, like we’ve been talking about with Tesla.
Tony ran into a challenge with Office 365 inbound security — Office 365 only filters spam emails.
That is one of the reasons that he sought Paubox out.
Initially, most of Henderson Behavioral Health’s email communications went unencrypted because, like most staff, their staff found it too time-consuming to tailor each email to meet encryption requirements.
So, they enlisted our help and went with Paubox Email Suite Plus.
Olena: What exactly is Paubox Email Suite Plus?
Sierra: Yes, great question Olena.
Paubox Email Suite Plus is a product that provides email security and protects against display name spoofing malware and phishing attempts specifically.
Olena: Excellent. What kind of results could people see just by using Paubox?
Sierra: Well, I do have Henderson Behavioral Health’s data right here.
In the past 12 months, Paubox has encrypted nearly 60,000 emails sent by Henderson Behavioral Health. We’ve blocked 24 emails containing viruses and six phishing attempts. Any one of which could have led to a security breach and a hefty HIPAA fine.
If you want to learn more, Tony Cox is speaking at our September 8 Virtual Executive Roundtable next week, so be sure to tune in.
Now, as we always do, we like to highlight the winners and the failures. It’s time to highlight who’s failing.
Sierra: For the failure, and in sticking with the theme of ransomware, the University of California San Francisco recently paid a 1.14 million ransom demand after NetWalker threat actors infected several servers of its School of Medicine with ransomware.
Now, isn’t this one of the facilities spearheading a good amount of COVID research?
Sierra: Yes, it is. UCSF is leading the COVID-19 response by working with other researchers on antibody testing and clinical trials.
NetWalker first posted the data they stole from UCSF to their dark web blog during the first week of June and included screenshots.
UCSF has been working with a third-party cybersecurity consultant and other outside experts to strengthen its security defenses. The affected servers are expected to be fully restored very, very soon.
Despite the FBI’s advice not to pay, because paying doesn’t guarantee a return of data and it also fuels further attacks, they did pay a 1.14 million ransom demand.
Olena: Wow, that’s crazy. All right. Well, thank you, Sierra. That is great, invaluable information, no doubt.
Now we’re going to move on to our encrypted interview series. Sierra chats this week with Anders Norremo, the CEO and Founder of ThirdPartyTrust. ThirdPartyTrust is a unique platform that automates security questionnaires and collects information and evidence from reports.
Let’s listen to this interview.
Sierra Reed: Let me ask you, what do you see organizations struggling with the most when it comes to assessing third-party risk?
Anders Norremo: Sure, yeah.
I’ll take a step back then.
Again, when I started the business, I looked at a couple of things: “Hey, all right. The problem today as it sits, how big is it? Will it be big or smaller tomorrow or in the future?” There were three key factors that I identified that were going to drive this up.
One was the sheer number of third-parties.
The second one was the breaches due to third-parties. A lot of the examples out there happen to be third-parties that have gotten breached, and their customers, the big enterprises, end up in the news.
The third one is regulation.
We saw regulation early in banking like I mentioned, which then crept into insurance, which went into energy and utilities. That went into privacy into different states; you name it. So regulation is really pushed.
So what that means for companies is a bigger and bigger need. They all face those three same factors. They have more vendors. The risk of a breach keeps going up, and regulation is forcing companies to take action.
Where companies really struggle is, “How do I start and scale a program? What tooling can I use to get through this without having to add bodies to the process?”
Budgets are minimal, and even if you had the budget, how do you find people with expertise that could do this?
Companies are struggling with that to figure out, “How do I find people? What do I do?”
Companies’ natural inclination is to just do it manually with the tools they have: emails and spreadsheets. Well, that doesn’t scale; it’s extremely time-consuming. It’s frustrating for both parts.
Also, it doesn’t get you great results. You get through a process, and you might be gathering data, but the critical thing that we always talk about is what are you doing with that data.
Gathering data for the sense of gathering data is like a rocking chair. It gives you something to do but doesn’t really get you anywhere. So this should be about risk reduction.
What you need to do is quickly be able to get data, then make decisions and push for changes for the better at that third-party and be targeting what you do. Have them change things that will materially change and improve their security posture. That’s how you lower risk.
What companies mostly struggle with, is starting up a process and scaling that process. They might have an approach that scales to let’s say, 20 or 40 vendors a year, but in reality, they need to do 400.
Well, they can’t 10x the resources, that’s impossible. They don’t have the tooling to do this. We try to come in with a platform and a new approach to how this should be done. We’re using data-driven decisions for when you go deeper in your assessment, when you can step back and say “the data that our partners provide to us is good enough, I’ve assessed it”.
The critical thing that we really stress is: don’t use a one size fits all approach.
Every vendor type needs a different approach, like SaaS vendor versus someone developing code for you. That’s two completely different vendors. The controls that you need to worry about are really, really different.
Another one would be law firms.
With law firms, I would say, look at email security. Do they have Paubox or something like that? Something installed that’s really securing their email communication? That’s important for law firms.
For a SaaS company, how are you encrypting data in transit? At rest? What are your development practices? Again, these are entirely different controls that you want to look at and make sure that they have in place.
Companies right now are taking a one size fits all approach. That’s kind of a shooting side of the barn with the shotgun. It doesn’t really do much, you get really widespread but doesn’t do much.
Our focus is always to change your approach and go really deep in the areas that matter. That requires you to be much more agile with your assessment because every vendor or vendor type is different.
Do you have the tooling? Do you have the means to go about ten different assessment types and get to the same kind of outcome? Which is to assess the gaps and drive that remediation quickly.
Sierra: What can third parties do to cut down on the number of requests they get for security questionnaires?
Anders: Great question.
I can mention my sort of business. This was my pain point.
I was a vendor. I was getting inundated with these requests, and it felt like death by 1000 cuts, where it’s just one more, one more, one more event. You just end up dying, right?
The goal of ThirdPartyTrust was always not just to help the enterprise do it more efficiently, but also can we add value? Can we solve the vendor use case? Which is, “I keep providing the same data over and over again.”
The approach that we took with ThirdPartyTrust is the application itself; it’s almost like LinkedIn, but for B2B. The idea being companies have security profiles inside ThirdPartyTrust. Vendors build a profile that has answers to standardized questionnaires. It has SOC reports, HITRUST certification, cyber liability insurance, their pen test, etc. All these different artifacts explain to an outside party what your security posture is.
Of course, all the things I mentioned, all the other rating providers, are part of that package, too.
What we encourage our vendors to do is now that you’ve completed an assessment for one customer, get some mileage out of the work you do.
In ThirdPartyTrust, you can build that profile, and you can start sharing it out with other customers.
So when they send you maybe that one-off Excel spreadsheet that doesn’t pertain, you can say: “ThirdPartyTrust this is great, let me first share what I have built already. It has up-to-date information around our security posture; it’s very detailed, check that out; if there are any questions, let me know.”
What we found is that it works in the majority of cases, not all cases. It’s not a silver bullet, some companies will say, come hell or high water, you better fill out my custom questionnaire, and that’s okay. If that happens, you’re kind of back to where you started.
When companies do accept it, alright, you just saved yourself a tremendous amount of time, and it’s so much more of an efficient way of going about it.
The critical thing that we always talk about too, is that as they build this profile, the vendors can maintain it over time as things change.
They can update it, just like your LinkedIn profile. “I got a job with Paubox!” boom, and you update it, everyone can see it, everyone can give you a thumbs up or congratulations.
Again, the core of what we thought was why we couldn’t take the same concept applied to third-party risk management that will help the vendors. It will help them with the initial onboarding and again, security review, and the ongoing thing that happens typically yearly where you have to update the information and provide it back to your customers.
Sierra: Okay, great.
Outside of assigning the questionnaires and performing on-site audits, what are other services or technology that allow organizations to digest third-party risk?
Anders: Yeah, so I kind of mentioned a few of them.
On sites, I think this will not happen for a very long time because of COVID. I don’t think anyone wants to be liable for sending employees on site. I don’t think the vendors want that liability either having people come in. I think on-sites are mainly in the past, we’ll see.
Then you’re talking about remote assessments. Again, I mentioned this because questionnaires are useful. They’re self-attestations, and they’re not always appropriate. Why? Because a questionnaire can produce a lot of information.
We’d like to take what we preach, this risk-based approach to third-party risk management. The idea being first, measure inherent risk. What that means is how critical this vendor is to us? What if there was a breach? What would the impact be beyond the business?
We always stress that it should be quantified.
You should look at that vendor and say, how much data? What type of data? Is there any regulation around this relationship that we have?
Quantify impact first. Then based on that, make a decision. How deep do I want to go?
If it’s a low impact vendor, use our partners’ data sources to make an assessment. If that information looks good, then maybe that’s enough.
Maybe you take that data and say, “Based on the posture of the impact to this vendor, and what BitSight is telling us, this data is enough. I feel I’ve made an assessment or risk-based decision that I’m not going any deeper based on the impact.”
In another case, maybe the bits of data don’t look that great. Then you send out a questionnaire to go deeper.
No matter what, you want to do that deep dive for your really critical vendors, and you want to understand much more detail around how they’re securing their infrastructure, their processes, and procedures.
Sierra: Anders, I know you mentioned that your platform does remove some of the administrative tasks such as spreadsheeting.
Does your platform help information security teams eliminate administrative tasks associated with third-party risk management?
Anders: A key problem in the industry, or how this happens, is a lot of the data gathering, it’s kind of put on the infosec team.
So infosec teams at enterprises spend a tremendous amount of time just gathering data. Well, data gathering is a very low-value activity. It’s necessary for a proper TPRM process. To run, you need data. Without data, you can’t run the TPRM process. The act itself is a very low value add.
A critical thing that we’ve always thought about is how do we make it easier for vendors to do the deck data gathering? How do we enable vendors to build and maintain these profiles? How do we enable them to bring in the entire team at that vendor site quickly?
A critical thing that we try to do is the low-value activities of gathering data, what needs to live with the vendor anyway.
If you move that away from the enterprise, now all of a sudden, the employees have a lot more time to spend on high-value activities. What we mean by that is reviewing the information in detail, opening, and discussing findings with your third party, then driving those findings to remediation.
That’s really where we want these highly skilled folks to be working on. We don’t want them working on gathering data or sending follow up emails or checking in. All those things can be automated.
Every day what we’re thinking about is taking each of those administrative tasks and building automation around it and intelligence. We know that there’s always a follow-up or people asking, “What’s my due date?”
The platform can do that for you. It can tell the vendor when it’s due; it can remind them. It can provide training on how to use a tool or what’s not needed. The platform can easily do that. You don’t need a person.
So, with a lot of these low-value activities, what we’re looking to do is to say, “How do we take that off the hands of the infosec team?” and “Has the tool automated the task?” or “How do we enable the vendor to do more on their own without being directed by the infosec team at the enterprise company?”
Sierra: Okay, great. Thanks so much for sharing that.
Anders, what sets your platform apart from your competitors?
Nine times out of 10, when we are in the sales cycles, we’re competing with a homegrown solution. We’re competing with manual spreadsheets and emails. All the things I just said, we’re leaps and bounds ahead of anything like that.
When I look at other tools out there, many are the same players that, when I started five years ago, were already there. The big GRC providers: Archer, Rsam/Galvanize, and a few others.
A lot of the same players I saw when I started are still in business, and the main issue with their solution is still there. The number one differentiator that we do is how we approach this whole problem.
A GRC tool like Archer or Galvanize is what we call silo.
A silo means that the enterprise has to gather all this information on their own, put it in the tool for producing value reports, etc.
Well, that’s really difficult. It’s very time consuming, and it’s hard for enterprises to do that.
So with ThirdPartyTrust, our main differentiator is that we are built more like LinkedIn for B2B. It’s a network-based approach to third-party risk management.
Now that we bring on customers, they ask, “how many of my vendors do you have in your network?” In most cases, we already have half of them on the platform. So, data for half of their vendors is readily available using ThirdPartyTrust instead of starting from scratch.
That’s the main difference between what you’ll get with these other tools out there versus what we provide.
Our goal is actually to crowdsource this information in some way across all our enterprise customers. That helps them.
It helps the vendors because they can standardize, maintain a golden source of data they can share with all their customer base. Again, that has all these network effects because now it’s even better for the enterprise, which makes it better for the vendor and so forth.
The network is our primary differentiation.
Other than that, you go to the other secondary things that we look at, making it easy to use. Making it seamless, no training required, anyone should be able to pick it up and start using it.
The other difference would be how we integrate data, how that data drives the process, and helps to speed up and provide intelligence.
In this space, our integrations are the strongest. They’re the most well defined, they’re the deepest, and they’re the easiest to use.
Olena Hue: Thank you so much, Sierra. Big thanks to everyone for tuning in. If you’d like more information, be sure to visit our website Paubox.com and follow us also on social media.
Until next time: like and subscribe. See you!
Sierra: Bye, everyone!