On-Demand Webinar

Ransomware Attacks on Healthcare Organizations

Request a Demo

Complete the form below to request a personalized demo of SecureAuth’s IAM solution

Transcription

0:00:03.5 Michelle: Alright. I know some folks are still joining here, but I do wanna keep track of our time, so why don’t we go ahead and get started, and we’ll let the other folks join in the next few minutes on their own. So, let’s see. Okay. So, thank you to everyone for joining us today. We’re super excited to have this group on board with us to have a nice discussion regarding healthcare and what’s been going on there. Our speakers today include some fantastic folks. We’ve got a healthcare customer of SecureAuth and Palo Alto Networks, Pete Rucys from Tampa General Hospital, and then we’ve also got the CISO of Palo Alto Networks, Paul Calatayud. I’m sorry if I messed up anyone’s names. And the CISO of SecureAuth, Bil Harmer. So just a couple housekeeping notes before we get going. If you could rename yourselves in Zoom to include your company name, that would be super helpful, just so we can see where everybody’s coming from today. And then also we will be having a discussion after Pete is done with his slides. And so what I’d love for everybody to do is turn their camera on, so that we could sort of mimic that feeling of being in the same room together, since we’re not able to do so right now. That would be really cool if everybody could put on their cameras.

0:01:36.1 Michelle: Also, if you’re not speaking, if you could please stay on mute to avoid any sort of background noise, any dogs or kids running around, that would be fantastic. If you do have a question, since this is a Zoom meeting and not a webinar, please go ahead and just use the chat function in Zoom, and then we’ll get to your question that way. We’ll call on you and then you can go ahead and unmute yourselves. If we can’t get to a question just in the interest of time, we’ll definitely follow up with you post event, so don’t worry. And I think that’s pretty much it for housekeeping, just a few quick things here. So let me go ahead and pass it over to Pete who’s going to kick us off today.

Show More

0:02:21.0 Pete Rucys: Hello everyone. My name is Pete Rucys and I’m the CISO for Tampa General Hospital. I’m here to talk about some of the minor, well, major challenges that we had recently this year with COVID, remote workforce, telehealth, telemedicine, and overall securities, especially the security at Tampa General. We can go to the next slide, Bil. So, I hope that everybody can relate to what I’m about to talk about, to reaffirm that if you had any questions that you are indeed doing the right thing or you have had a better path down the right way to accommodate a sudden demand for remote access. My situation was rather favorable when it regarded the surge of remote access of requests, due to the fact that most of our IT workforce was remote in some capacity, regardless of COVID, or the current situation in the world we’re facing right now. Our challenge was with the non-IT, non-clinical staff that had never worked remote before for the organization. That is where our challenge came. The licensing costs were our greatest hurdle. Examining how many licenses we actually needed to allow these folks to connect our Citrix workspace. GlobalProtect is our primary avenue for VPN, which we all know it is not based on a case by case basis.

0:04:12.1 PR: Once we increased the provision for remote access to the folks that never had it before, we began to see a number of problems with the agents running our endpoints and normal regular IT computing issues. We did not have any issues with our security staff, for a fact that our endpoints are all baselines. They must have certain security applications installed before they come on, before they even join the domain. So again, our issue mainly was discovering how many licenses we actually needed to accommodate our remote workforce. The next problem that soon, I mean rapidly followed the remote access problem was telehealth and telemedicine. The network folks were quite confident that a 10 gigabyte type would accommodate all telehealth as it was arriving. It was arriving, a little one-offs here and there. Then there was a waterfall of telehealth, telemedicine due to the fact that providers were limiting their face-to-face interactions and trying to curtail triaging calls and flus, keeping people out of the office. We saw that it was almost like a switch was flipped.

0:05:41.1 PR: And again, the main issue was with our firewalls. We were quite confident in the bandwidth that we had already pretty established, but we did discover rules and policies that were bottlenecking traffic, quality of service not implemented properly, but we spent a great, great deal of time policing our firewalls to accommodate the increased bandwidth due to telehealth. And then lastly, the email threats arrived. They arrived almost in coordination, in cadence with remote access, telehealth, and then the threats arrived. I think it took the bad guys a little bit, maybe they collectively joined their heads together to figure out the best way to attack healthcare at that time. What we saw were probing attacks via network scans, perimeter scans, immediately followed by a wave of mass phishing threats that for the most part, we’re not crafted very well. They were very obvious. But as the days went by, the complexity and the cunningness of these phishing emails, they became more complex. Whereas the flow, massive surge of email phishing threats kind of morphed into specific spear phishing attacks towards our staff.

0:07:21.3 PR: Go ahead, Bil, to the next slide, please. So our problems began in mid-March. We began to see a lot of personal protection equipment, ventilator offers, gowns, masks, gloves, you name it. It became flowing in almost like Niagara Falls into our environment. A lot of that information was beneficial. I do believe part of the clinical staff did take advantage of an offer that arrived via email and they turned out tremendous cost savings. It was beneficial to our organisation, but the most of them were noise. Then they also morphed into more specific malicious threats, whereas we receive the traditional fake Office 365 landing pages. We even had a phishing attack that mimic our Tampa General branded Office 365 landing page. So they began to become very, very sophisticated, and it lasted for a constantly 30-40 days of relentless phishing, spear phishing. It was quite a challenging time, and I didn’t even see light at the tunnel at the beginning of it. It was pretty bad, and I’m just curious to see how other organisations such as my own faced during that time period of March into April.

0:08:55.2 PR: Then again, we saw a direct correlation was with network perimeter scans and then soon following a spear phishing emails following thereafter. After some time of playing Whack-a-mole with phishing, a decision was made to close our email threat surface and bottleneck of that as well, by only allowing our own organisational email domain to communicate on the production network. This in itself may see Simple and perhaps that other organisations had already followed this policy. But, in my situation, our organisation is created by many community doctors that have their own practices, and they all come together essentially to make Tampa General what it is. With that, you can imagine, they’re using their proprietary email systems to communicate while at visiting Tampa General or connected to the Tampa General network either remotely or on-site. Cutting all of this off did have a somewhat of a business impact, which we had to weigh the benefits and the risk of allowing this continue or decreasing our threat surface by shutting off all non-business or non-TGH owned email. We opted with shutting off all non-TGH administered email platforms and we continue to do so up to this day.

0:10:40.5 PR: It did kinda curtail our threat surface. Our phishing did decrease somewhat, not all the way, not as much as I would have liked it to, but with that extra boost of confidence knowing that we don’t have to worry about personal email any longer, our staff was able to therefore really triage and examine the phishing emails and spear phishing emails that were arriving. Go ahead Bill, next slide, please. Okay, as months go by, summer time goes by, the phishing starts to, not take a back burner, but it definitely did let up a little bit. It’s still persistent to this day. But before Halloween, which was rather recent, we were notified by the FBI that Tampa General was under a direct imminent threat of attack by an actor that was discovered chattering on the darknet of selling 400 healthcare organisation’s information what was essentially for sale. The chatter did include a back and forth about pulling the trigger, When do you want me to do this? They gave me some good detail on what they saw and therefore warranted the notification to me.

0:12:11.2 PR: With that information, they provided 10 Tampa General accounts that they gleaned off of this chatter that were being passed around per se for an attack. Luckily, eight of those accounts no longer existed, but two of them were active accounts. They wouldn’t provide to me where these accounts came from, how they were able to obtain the username and the other demographical information associated to the two users. They were quiet mom about that and I’ll still follow up on that later. But out of 10, two of them were of concerning, so we took some precautions with the two active ones, as everyone could imagine, to sit back and see what happens or take proactive action to prevent something from happening. And we decided on the latter by completely disabling the two active accounts, and recreating their email and putting them on a watch list with our EDR tool, and also watching their traffic on our firewalls.

0:13:22.5 PR: In addition to this immediate threat, because we all know that a lot of us are more reactionary at times in the security world rather than proactive as we should be. I took advantage of this threat to expand the deployment of SecureAuth to our external-facing applications and systems. Now, mind you again, I mentioned that the hospital is made up of many community doctors that come together that has created Tampa General, so I’m faced with providers that have Tampa General credentials or they do not have Tampa General credentials, so a decision was made some time ago to protect our sensitive applications with two factor. Well, this threat over Halloween knocked that barrier off and we wound up, expanding out our SecureAuth to all non-sensitive and sensitive externally facing applications, just to add, get that added security in place in the event of credential compromise.

0:14:32.6 PR: We also pivoted to our Palo Alto firewalls, we were running the DNS license on one of our colocation firewalls, and I took advantage of the situation to expand the DNS license out to our Palo Alto staff. What that did for us was, it was able to save us, and several spear phishing events, whereas the domain name that was stood up for the attacks was quickly noticed by the Palo Alto team, which therefore added the domain to the DNS list, which therefore saved us from someone clicking on a link. It happened once, it happened twice, and three times and I’m sold. We also re-examined our Palo Alto firewall rules. And we became more specific with the new workforce, the new remote workforce that we were faced with in March. We were able to categorise these individuals based on their roles and create specific role-based rules to allow access to only specific systems on the production network and disallow access to everything else. And in some instances, we’ve created just a rule which only allows access to our internal network with no internet, and no external connection. So we’ve siloed off our workforce that’s remote, and really added some good technology to protect them. And also to recover if a mistake is made, such as, clicking on a link. Okay, Bil?

0:16:22.9 Bil Harmer: So Pete, thank you very much for that. I can only imagine what it must have been like having to go through this. And Paul, I’m sure you heard as well, back in the early days of COVID there was sort of an unwritten rule that maybe the threat actors would not go after the hospitals. But I think that’s out of the window as it stands. So what I wanna do is I wanna talk about some of the things that I heard in that in that presentation from Pete, and we can have a discussion about it. And the first one that really comes through right there is that remote access. So Paul, maybe to you first, “How do you think in the future remote access is gonna be handled?” We historically have used this as specialised skills, the administrators or somebody had specialised access but this looks like it’s gonna be everybody. What’s your thought on that? What are you seeing in Palo?

0:17:13.6 Paul Calatayud: Yeah, we’re definitely seeing entire organisation close up their corporate facilities, in some cases, indefinitely, right? They’re paying out… Buying out their leases and essentially closing up shop. Those are obviously extremes, but anywhere in between where we’ve had customers approach us and they’re like, we have 80,000 employees who have never accessed remote access and we need to activate them tomorrow, as a reaction to shutting down those offices, whether it was temporary or indefinite. So if I look at that across the entire industry, I would say, there’s no industry that hasn’t taken a hard and fast look at how they wanna manage productivity and their employee base, and as long as we all have good bandwidth and good collaboration products, I think that’s going to be the new norm moving forward. So that means every employee, every type of use case is going to be a remote access use case for most organisations.

0:18:23.0 BH: Yeah, I couldn’t agree with you more, and it’s interesting because I think it’s also redefining some of the terminology that we use for how this is being done. Pete’s environment, to me, is now a data center, right? It’s gonna be treated more like that data center, all the crown jewels are hidden in there and we have to defend that enclave from what is coming and going, what is inside and what is outside data centers, I was always happy with because nobody got into them, physically. Occasionally, you might have somebody wander in to do a cable change or something like that. But with a hospital you’ve got almost literally public access into a secure enclave and you have to start figuring out, “How do we manage that?” Pete, what are you saying? Are you guys looking at the world of remote access is now part of the tool bag for everybody?

0:19:12.7 PR: It’s funny that you mentioned that, I was gonna chime in as soon as Paul stopped speaking. We’re actually re-evaluating our corporate center. It’s where IT and finance are based outside of the grounds of the hospital, the main hospital building. We’re actually looking at selling it, we’re looking at also selling the other properties where our other non-clinical staff are located and co-habit other buildings scattered around downtown Tampa. We’re seriously considering selling all of our real estate, all of our property, and switching to a 100% non-clinical remote workforce.

0:19:56.8 BH: It makes total sense. Some of the studies I’ve been looking at, as I’ve been going through this and seeing what are the effects of COVID on the general workforce, the one study that I came across showed that the average workday is now 48 minutes longer, right? So there is not an executive team in the world that’s not going to take 48 extra, in their minds, free minutes of productivity by allowing somebody to work from home and maybe work in their sweat pants or their shorts versus putting on a suit and driving into the office. The cost of downtown New York real estate for the date for the stock exchange traders, etcetera, versus highly reliable dual fibre into their homes, I think is going to change. And small things, things that a lot of people never think about: Power, lighting, air conditioning, coffee, I’m drinking my own coffee at home, that’s not an expense that I have to deal with at the corporate office, so I think… My opinion, this is the new normal, we need to plan for it and understand it, because this is a threat, every one of these networks that connects into our world is a hostile network, and the internet is now definitely the new corporate network.

0:21:17.9 BH: So well, phishing. [chuckle] Based on what I saw with you guys, it’s back, it’s prevalent. I kinda hope that there is a way to get past this. Paul, I’m gonna throw this one to you first, simply because you probably see millions, if not hundreds of millions in the world of Palo. Is this going to be part of our lives forever? Or is there a way to maybe not eliminate it, but effectively eliminate, maybe make it the rare cases? What do you think?

0:21:52.9 PC: Yeah, I mean it is never going to go away because it is so… From an ROI perspective, if I’m an adversary, the cost of a phishing campaign is frankly fully automated, so there’s no… The cost of essentially conducting a successful phishing campaign, which results in data loss, usually becomes just too attractive to ignore. So that creates a constant reality which is, phishing attack is always, always there, and the human element of hacking is going to continue to increase, which correlates with phishing attacks, because now data and people are distributed, networks are becoming more distributed, information’s becoming more distributed, so credentials are continuously becoming more and more valuable. So that’s kind of the situation, but the result as far as strategies, to answer the other part of the question is, absolutely, phishing can be achieved as far as mitigating from a technical vulnerability point of view, meaning, I don’t think we’ll ever stop phishing attacks from occurring as far as humans clicking on or accidentally clicking on links.

0:23:18.8 PC: But the extent of their success as far as pivoting and use of that credential can be greatly diminished with the right type of strategy, whether it’s looking at the credential and protecting that in a different way kinda brings up zero trust or different approaches, or whether it’s looking at, ultimately, what a phishing attack’s goal is, which is to compromise the endpoint in order to get that credential, and so protecting that endpoint better becomes part of it. So some of our customers, obviously using our solutions are not seeing successful phishing attacks, when I think about their credential being stolen and the lateral movement, people are still clicking on the links, but those links are essentially now rendered benign.

0:24:07.8 BH: Right. So it’s sort of the accepting, users will do stuff, we all make mistakes. So how do we minimize the damage that… Pete is that the direction you guys are going as well, are you looking at, “I accept this is gonna continue. How do I minimize the damage?”

0:24:23.9 PR: Yes, certainly. The ease of starting up and administering a phishing campaign, it’s relatively easy, I mean it could be done out of the box relatively quickly with very little cost, so it’s very cost-effective as Paul stated. It’s a very cost-effective technique to obtain access to a network that isn’t yours, rather than doing the traditional perimeter hack scan or taking advantage of a vulnerability, phishing is by far easier. I guess it’s going to be with us for as long as email exists.

0:25:01.8 BH: Well, okay, so there’s an interesting point. I wasn’t sure if we were gonna go here unless somebody said it, but they did. Slack was in the news by being bought by Salesforce, and all the ultimate communication methodologies. I once did an internal plan for what they called escalated communication. You’d start with the text, the text would move to a voice, voice would move to video, video would move to walking in, or something like that. And now there’s just this… I feel that in some ways, there’s no workflow to communication methodologies, there’s just a “shotgun spray and pray way” of communicating nowadays, right? Some are Slack, some are Signal, some are WhatsApp, some are blah, blah, blah, blah, blah. Have we just taken the email problem and sprayed it across the world on a whole bunch of different levels? Because if we ever do get rid of emails somehow and we’ve tried, it doesn’t work. I don’t know where we’ll ever… Why… I don’t know the panacea that will get rid of email in the future, but if we did, are we gonna have all these problems in all the other channels? Pete, what do you think?

0:26:17.0 PR: Yeah, I think there’s always gonna be someone that will try to assume the identity of another individual in order to obtain what that individual has, no matter what the medium is. We saw it before email was predominantly used in business, it was the network scan, the network hack, the traditional one is what I’m referring to, and then it evolved, and hey, emails, you’re getting into a… You can obtain someone’s credentials really easy by just tricking them and it’s fast too, it works rapidly rather than attempting to hack into an externally facing system. So whatever media is being used to communicate between individuals and organisations, there’s always gonna be someone sliding in between the conversation to assume someone else’s identity for various purposes.

0:27:12.6 BH: Yeah, no, absolutely, I totally agree. And I think it is that identity that’s gonna be one of the things that we have to start looking harder at or closer at. I guess it’s no surprise, that’s why I’m at, an identity company, because… So, that’s what I saw when I was looking over the last four or five years, I just saw this… Paul said zero trust, which I firmly believe in it. I think we’ve said it in different ways over the years, the trust but verify, the always monitor, the different ways of putting it, and now it’s down to the… Well, I think you mentioned in your presentation that you found users who were using corporate email addresses for Spotify, right?

0:27:55.2 PR: Oh, yes.

0:27:55.3 BH: And it’s such a natural thing to do because a lot of people are… There’s still a lot of people out there that are not technical, and I think that’s sometimes we in the tech industry go, “Huh, non-technical? What do you mean, everybody does all this stuff?” And a lot of them don’t. And they go, “Hey, the Spotify thing is new, I’m gonna sign up. Well, I only have one email address, it’s my work email address, I’ve worked at this company for 20 years, I don’t need another email address,” so they use it. And then of course, users use what? One of three passwords, super secret for the bank, secret for work or the throw away for Zappos or something, so they’re gonna use the secret one for Spotify, ’cause they have to put a credit card in, and all of a sudden you have a corporate asset, the email address with a password that may be a variant of what they use at work, out in a world where you can’t control it. You don’t even know if it’s gonna affect you when they get compromised for some reason, and that bleed over, I think it’s what is hitting us on that side.

0:28:52.4 PR: In that situation, what I discovered is that some of our systems were not obtaining policy correctly, whereas someone in Edge or Chrome and they were signing up for a third-party service, and the field that says, “Enter your email,” Well, the Tampa General email would automatically populate because the endpoint didn’t get the right policies to prevent that from happening, so that is… When I walked backwards and look at what’s going on here? That’s basically what I was told, and our end users were doing this without, not thinking they’re doing anything wrong, it’s just, it automatically populated in the field and they hit submit and shrug their shoulders.

0:29:36.6 BH: Our systems help them into that. The need to make things simpler and easier. We have to look very closely at what we’re making simpler and easier and then the possible use cases.

0:29:50.6 PR: Correct.

0:29:50.7 BH: So cyber security team training then, and you talked about half of your cyber security team had to deal with phishing for a while.

0:30:00.0 PR: Yes.

0:30:02.5 BH: Were they trained for this?

0:30:05.2 PR: Yeah.

0:30:05.3 BH: I like to call myself a cybersecurity professional, but if you said, “Hey, Bil, I need you to go deal with phishing emails,” I’d have to pause and maybe do a couple of Wiki searches or something on what I was doing.

0:30:16.7 PR: I didn’t wanna whirl your head around thinking like, “Well, how am I gonna combat this? How am I gonna… It’s a huge subject. And how am I gonna attack it, right? How am I gonna prevent it from happening?” I feel you, I know exactly what you’re talking about. So unfortunately, we’ve been phished for quite some time, it’s been going on for years, but I have to emphasize, not at the level that I saw over the past few months, nowhere close to it. So what I have done in the past, and I will continue to do so, is I leverage phishing in our tabletop exercises. I also created a phishing playbook that’s very specific to our organisation and very specific to the systems and techniques that the security engineers and analysts should use when they’re triaging a phishing attack.

0:31:15.6 BH: Right.

0:31:15.7 PR: But we’ve gone through unfortunately, real world exercises related to phishing playbooks over and over again, almost on a weekly basis.

0:31:26.8 BH: No, I guess you’re gonna have to… And I’m sure, Paul, you’ve got a fairly broad background, having worked in the health industry as well, but now on the vendor side, the quality of training, are we training the cybersecurity professionals on our teams broadly enough, or we may be focusing them too much, what do you see?

0:31:52.2 PC: Yeah, I’ve been in retail, healthcare, aerospace, defense, military, it’s not a very checkered past as far as being a CISO and being a cybersecurity professional, and I will tell you that humans are humans, regardless of the vertical, so that I just wanted to start with, leading with the idea that depending on your business and the empathy employees have around the importance of the information is really… I haven’t seen one industry, aside from maybe financial services or a bank, when you ask a bank teller for money, they understand the value of that level of currency, but digital information, and quite frankly, the value of that, is not really well-understood by humans, employees ourselves. So I think that becomes a big challenge. My frank response is, I do train, I think it’s important. It’s good hygiene. Do we do enough of it? I think that question then becomes a little bit more of a personal opinion. For me, I don’t spend a lot of time training my employees because I’ve just seen too many scenarios where… And I may be a little bit jaded at this point in my career, but I’ve just seen too many successful phishing attacks, and of course, if you’re proactive, your team’s doing the fishing attacks, as well, to assess employees, and we get 100% success on our… We’ll call them audits of our employees, time and time again, right?

0:33:31.6 PC: So for me, I like training employees to understand the policies, so that they don’t obviously plead ignorant when they need to be penalized for misuse, but the reality of using employee awareness as a control, meaning I’m going to be more protected because of my training strategy, is a flawed strategy, in my opinion.

0:33:57.5 BH: I couldn’t agree more. I couldn’t agree more. The idea of… And not just my cybersecurity team, but my employees as a whole. This constant, “I have to train them. I have to train them. I have to train them.” I liken it to today’s society, right? I shouldn’t say I haven’t, because I have a little bit, but most people haven’t had formal law enforcement training, yet they still know how to make good decisions when it comes to not walking down the alley at two o’clock in the morning, right? And I sort of think of it more that way. This has to become almost self-evident in what appears wrong versus what appears right, and then deal with those exceptions as they come off.

0:34:43.5 PC: I agree.

0:34:48.0 BH: So the perimeter scans, I found that one interesting because when I was reading, I was trying to make a correlation between perimeter scans that are phishing email. Do you think they were looking for a way and not finding it, then going to phishing, or were they looking for something that they could use in the phishing?

0:35:06.8 PC: Well, I think both. Now, I should have added, and we missed that book. The perimeter scans and the phishing and how I correlated that they went hand-in-hand was due to the warning that we received from the SEC…

0:35:21.7 BH: Okay, from the FBI.

0:35:25.4 PC: And what they saw, and they were giving us that heads-up, was literally an organisation down the road, out-of-state, or up the road, same vertical faced day a perimeter scan, and then the next day their environmental systems and HVAC went haywire due to an externally exposed admin portal that was discovered and it was exploited. I was also warned that the fake deal, the perimeter scans followed were a precursor to phishing for looking for exploitable weaknesses in the perimeter. Using the traditional hacking methods of ‘look for a chink in the armor and then exploit it, and they were adding the phishing on top of it, I guess that’s extra insurance on how to get in. Or third, the third theory is they were throwing… Just walking down the line, throwing the kitchen sink at their targets, and then ascertaining the data coming back at a later date.

0:36:27.0 BH: Gotcha, gotcha, so Paul, that’s an interesting one. In the industry, are you seeing anything where there’s correlation between preemptive scans and email phishing? I mean, I know we look at what’s being scanned events, what we’re doing, and we try to build rules and have some automated response to that. But systems that are widely disparate, network scan and email, is there anything in the industry, or are people working on something that correlates those types of things to say, “We saw this scan, we have this open, now we’re seeing this phishing, now that might be something?”

0:37:05.0 PC: I think that’s a great question. I don’t think there’s anything out there that’s really directly going after that, we’ll say behavioral indicator from an adversarial technique.

0:37:15.2 BH: Is this a public forum where I can claim patent at this point, then?

[laughter]

0:37:18.8 PC: I would encourage you to. I think part of the challenge and maybe the opportunity at the same time is the level of signal-to-noise it’s very hard to create meaningful… We’ll say normalization or actionable correlation against what you’re seeing. The cost of being on the internet is very taxing as far as scams and threat. But to answer your other question, yeah, it’s absolutely part of an adversarial methodology, if you will, which is on the targeted sphere phishing attacks, the adversaries are [chuckle], in some degree they understand more about most of their targeted networks than the people in charge of those networks as far as administrating it. They understand assets, they understand the vulnerabilities. They’re constantly doing recon, and it is used as an element of launching targeted phishing attacks. They’re looking at job postings, they’re looking at everything when it comes to intelligence gathering, and it all gets used as an element of making those clicks, probability of success, as high as possible.

0:38:27.3 PC: For example, one that I saw recently that I thought was a little bit tricky, or at least successful in its intent was, a company had just launched a couple of acquisitions. There were some newer acquisitions that were coming down the pipe, and so they targeted, or people within the organisation that were in charge of corporate due diligence, M and A, etcetera, and they were saying, “There’s a new company we need you to evaluate,” and it was essentially from a law firm that they actually did business with, and they’re like clicking on it, of course, because it’s part of their daily tasks as an employee of the said company, right?

0:39:12.9 BH: Right, right.

0:39:13.1 PC: So successful phishing attacks do not look abnormal, they look like and are treated, and so if there’s any sense of urgency that is occurring within that business, whether it’s an outage or whether it’s a Black Friday or whether it’s a merger and acquisition or diversification, that is where they really hit their stride and success because even the most well-trained employee who’s doing their job in a pressure situation just doesn’t have the filters that maybe they normally do, and so I think that’s where… To get to your point around reconnaissance and scanning, that’s where those things are absolutely important to the adversary because they are trying to determine what the current business is, both on the assets, the vulnerability, and ultimately the transactional behavior of the organisation, because that creates the urgency that they’re looking for that ultimately lets us employees drop our guard, if you will.

0:40:10.6 BH: Yeah, and there was absolutely no hiding the urgency that Pete’s organization would have been under at the beginning, looking for PPT, looking for solutions out there, it was in the news, everybody knew it, every hospital was trying to find this stuff. So that was like a game for them, right? They’d be able to just flood with whatever they could, people were buying from suppliers that were not normal, that were way out of background checks or usual procurement methodologies. I’m just looking at the time, we’ve got about four or five minutes left. I wanted to see if maybe we could open this up for questions, so if anybody in the audience had questions for Paul, Pete or myself. Michelle, is there anybody out there with questions? I know there’s people out there. [chuckle]

0:40:57.9 Michelle: I don’t see anybody in the chat, but if you have a question, feel free to take yourselves off mute to ask.

0:41:08.5 BH: Or is this gonna be a classic IT security, “there are no questions, ’cause we did such a great job.” [chuckle]

0:41:15.6 PR: Well, what I’m not hearing about is insider threats, and yet a lot of my customers come to me with that question, so I’m curious, would you think about that relative to what we just discussed, which is the outside threat.

0:41:27.0 BH: So insider threats, and let me give you my opinion on what I think an insider threat is because it’s now fairly… I think very… There’s intentional and unintentional, and a lot of what we’re talking about from an external threat is to turn internal person into an internal unintentional internal threat where the device is now moved inside, the user is inside, we’re using inside credentials. And then there’s the intentional insider threat. So just out of curiosity, which one would you like to talk about?

0:42:00.9 PR: I think it’s the unintentional insider threat.

0:42:02.6 BH: Okay. And so, that’s the spear phishing, that’s the, “How do I compromise the machine?” That’s the, “Did they use their corporate credentials in a third-party system where I don’t know, maybe they’re on GoDaddy or LinkedIn or Facebook or one of the ones that’s been compromised in the past?” And now they’ve got a long period of just brute forcing those passwords and then coming back for that password reuse. I think that when you start to think about internal threats, if you separate them into that intentional, unintentional, the unintentional falls into the broader spectrum, the bigger picture of what we’re trying to deal with in general. Paul, Pete, what do you guys think?

0:42:42.8 PC: I love the question because I’ve been probably, for a year or more, I have similar to Bil, we all talk as peers, but I’ve kind of started to build up this internal CISO blind spots or just the things that aren’t really being looked at often, that end up being the issues that cause us all to panic, whether it’s quantum computing and just the implications of that. And the other one that I often pontificate on is what I would call inside threat. So Bil, how I use that term, and I deliberately remove the R because it’s an inside threat, it is my way of trying to help businesses think about the idea that you have someone that’s inside your network that’s a threat, they may be an insider, like an employee, or they may just be an external adversary who is now inside your network. So that’s how I try to define both, and I’m gonna pick on both because I think my view is a successful cybersecurity program should be able to handle both equally.

0:43:52.6 PC: Now, the probability of an insider going rogue is very low, but the impact is very high, right? So let’s just say one out of 100, but it’s 100 magnitude, so it’s 100. Or on the vice versa, an accidental insider threat, because of what we were talking about today, higher frequency may be lower impact. So when I look at the empirical data from breaches that have had both, whether it’s like an Edward Snowden or whether it’s an accidental like in the situation of the Anthem breach, the impact is equal. So me as a CISO, my job is to look at those risks equally, and I think if you look at the ability to protect your credential from being accidentally compromised, the same strategy should be used for both because… In other words, if I have an employee who decides to go rogue, they might accidentally click on things… Let’s just say we have an employee who clicks on something, well, was it accidental or was it intentional? It’s very hard to determine that, so I need to create a program that ultimately allows for both scenarios to be detected, blocked, prevented, mitigated.

0:45:10.3 PC: And when you look at the situation at Tesla, so Tesla had the FBI involved, which allowed us as practitioners to look in on a situation that occurred recently, and that was an adversary, targeting some employee and asking for their credential and willing to pay $1 million, right? So the value of a Tesla credential to the black market is about $1 million, so now find an employee. Then the question becomes, how loyal, how happy am I? And if I would take the situation of COVID, the reality is, everyone is remote, which is a good thing, but morale and loyalty might go down, the ability to really manage employees, engagement is harder for HR. It’s very hard to detect an insider who’s disgruntled before they become disgruntled. And if an organisation is willing to give me a million dollars, the question becomes, “Okay, how do you want me to give you that credential? Do you wanna go ahead and send me a phishing email and I’ll click away at it and hope there’s a paycheck at the end of it?” So again, the scenarios start to get very converged as far as the reality of both, and organisations really try to debate the probability and impact and whether or not we’re ever gonna see it, and I think a better approach is to assume a credential is stolen, whether or not the employees stole it themselves, and it’s just misusing it or whether an outsider looked at it. So that’s kind of my approach.

0:46:38.9 BH: I like this.

0:46:40.1 PC: Yeah, so we can talk a whole 30 minutes just on that topic, so I’ll just pause there.

0:46:46.5 BH: Quite probably, quite probably. I see we’re running out of time. Pete, I’ll give you a minute there, if there’s anything you wanted to add on?

0:46:51.2 PR: Yeah, insider threats are treated exactly as Paul, the risk is low, but the impact is tremendous to a fact that it cannot be ignored. We were burnt years ago by an insider threat. It wasn’t even a technology or a cybersecurity system would not have prevented someone from breaking into a shred box and stealing documents from that physically, so when that happened years and years and years ago, insider threat is taken quite seriously at TGH.

0:47:27.4 BH: No, that makes sense. And then there’s another topic where we could probably talk hours on, and that’s the physical, the world where you find CISOs that I’ve heard them say it, “I don’t own the physical security of… ” My opinion is you don’t own security then because give me physical access to something, I’m gonna own you sooner or later, and it’s probably sooner.

0:47:48.0 PR: Right, right. As Paul stated, I could talk for a lot, quite a bit about insider threat mitigation and what our concern is about the insider threat, but it is prevalent. It is a recognized threat. And actually, this is one area that we’re not being reactive and we’re being proactive then.

0:48:09.9 BH: Interesting, interesting, that’s good. So maybe a quick poll, if people out there that are listening want to hear more on insider threat and how to proactively deal with it, throw a comment in or maybe let Michelle know, we can always set up another one of these and go through it. And I’m sure it’s always nice to talk about these subjects ’cause we don’t have the conferences, we don’t have the hallway conversations, we don’t get to do that stuff. So what I’d like to do is, as we’re at the top of the hour coming up, and I wanna be respectful of everyone’s time, I would like to say thank you very much, Pete, for the case study and for showing us what you went through. I think it is incredibly important for us as professionals to share our experiences, because the theory is great, but the actual practice really is… That’s when we’re really truly tested. And Paul, I wanna thank you as well, with a background like yours, and the access to the customers and the people you have in the industry, I know that whatever you’re saying is coming from real world experience, you’ve seen it somewhere or had to deal with it, and I think those that are joining us today as well, truly appreciate it.

0:49:20.1 BH: Michelle, thank you for organising this, and I wanna thank everybody for showing up and taking time out of your days to join us, and if there’s a question that you have, or you’re looking for answers on something, whether it’s on Palo or on SecureAuth or in the health industry, please feel free to reach out to us, we can get those answers to you afterwards, and with that, I’ll say thank you. Let everybody go back to their day and get on with what’s happening, be safe out there, and if you have questions, please let us know.

0:49:48.8 PC: Thank you.

0:49:49.2 Michelle: Thank you all.