
New Goal: Cyber Resilience – Ep 373

September 16, 2022

By Donna Grindle

cyber resilience

The ongoing, rapidly changing cyber war has created a need for us to change our viewpoint on cybersecurity. Yes, we need to worry about cyber hygiene and continue working on ways to secure our systems, networks and data. However, there is also a need to take the “plan for the worst but hope for the best” approach and start focusing on cyber resilience.


In this episode:

New Goal: Cyber Resilience – Ep 373

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.

The Privacy and Security Boot Camp

3.5 day In Person Event

Mar 12, 13, 14 and 15, 2023

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side, you can click them to go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Say What!?!

[08:26] Hackers have laid siege to U.S. health care and a tiny HHS office is buckling under the pressure – POLITICO

Due to its shoestring budget, the Office for Civil Rights has fewer investigators than many local police departments, and its investigators have to deal with more than a hundred cases at a time.
There are other ways the government could help health care organizations improve their cybersecurity. Advocates for the industry point to two key areas: cash for better defense systems and funding for workforce development.

John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association, has called for federal support in training workers and grants to help organizations boost their security efforts. And in testimony to Congress, Erik Decker, chief information security officer at hospital chain Intermountain Healthcare, called for the Centers for Medicare & Medicaid Services to look into developing payment models to “directly fund” cyber programs.

In contrast to King and Gallagher, many in the industry said they are encouraged by progress on information sharing. HHS’ Health Sector Cybersecurity Coordination Center has helped, they said, and the public-private 405(d) Program and Task Group has received high marks for its work to develop guidelines to help health care organizations defend themselves. Congress called for the collaboration in section 405(d) of a 2015 law.

New Goal: Cyber Resilience

[18:48] We’ve had the term cyber resilience bouncing around for a while now. Based on the things we keep hearing and seeing it is time to change our viewpoints and think beyond cybersecurity and focus on cyber resilience.

First, what the what!?! There is a difference between them. The cybersecurity we all are used to hearing and discussing isn’t changing. Yes, we need to worry about cyber hygiene and continue working on ways to secure our systems, networks and data. However, there is also the “plan for the worst but hope for the best” approach in play. That’s what we should really focus on achieving these days.

NIST gives us specific definitions of the terms.

Cybersecurity: The process of protecting information by preventing, detecting, and responding to attacks. (NIST Glossary)

Cyber resilience: The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. (NIST Glossary)

Security is doing everything you can to protect things while understanding that you need to be prepared for all your plans to go out the window. Resilience is the next level beyond security: assume an attack will be successful no matter the level of security you have in place. We accept that fact and create a plan to withstand attacks without allowing the organization to completely collapse.

[25:53] If we focus on resilience instead of just security, we will all be better off because things are not improving out in the cyber sphere. Let’s cover a few of the articles we have reviewed recently.

First, a threat alert about the latest iteration of a ransomware gang that is actively targeting the HPH sector.

The Karakurt Threat Profile from HC3 researchers reports the group’s first emergence in late 2021. This notice was published Aug 24. HC3 has noted at least four attacks affecting the US Healthcare and Public Health Sector since June 2022.

The observed attacks have affected an assisted living facility, a dental firm, a healthcare provider, and a hospital.

A survey of cybersecurity leaders around the world makes it clear that things are not going to get better any time soon. When we saw this article and the associated study, it only reiterated that we need to change the way we think about cybersecurity. It should not be focused primarily on just keeping them out. We need to just assume they are in our networks and focus on limiting the damage, or what some call the blast radius, of the intrusions.

The survey was done in July 2022 asking the opinions of 1,101 security decision makers across the United States, United Kingdom, France, Germany, Benelux (Belgium, Netherlands, Luxembourg) and Australia.

77% of security leaders fear we’re in perpetual cyberwar • The Register

Earlier this week Lloyd’s of London announced it would no longer recompense policy holders for certain nation-state attacks.

We have been talking about being in a cyberwar for years.

NotPetya, Windows, and Ransomware – Ep 112

5 Laws of HIPAA Cybersecurity – Ep 153

We are #CyberAware – Ep 176

The survey, organized by Venafi, is written up in: The (nation) state of cyber: 64% of businesses suspect they’ve been targeted or impacted by nation-state attacks | Venafi

Notes from the survey:

  • 77% believe we’re in a perpetual state of cyberwar
  • 63% doubt they’d ever know if their organization was hacked by a nation-state

In the survey write up, Venafi states:

“Cyberwar is here. It doesn’t look like the way some people may have imagined but security professionals understand that any business can be damaged by nation-states,” said Kevin Bocek, vice president, security strategy and threat intelligence at Venafi.

“Everyone is a target and, unlike a kinetic warfare attack, only you can defend your business against nation-state cyberattacks. There is no cyber-Iron Dome or cyber-NORAD. Every CEO and board must recognize that cybersecurity is one of the top three business risks for everyone, regardless of industry,” Bocek said.

[36:57] To top it all off, LastPass, a tool we have used for years, was hit, along with the identity management tools Twilio and Okta.

LastPass Source Code Stolen in Breach

Notice of Recent Security Incident – The LastPass Blog

We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.

About the same time, we get this: Okta one-time MFA passcodes exposed in Twilio cyberattack

“We assess that the threat actor used credentials (usernames and passwords) previously stolen in phishing campaigns to trigger SMS-based MFA challenges, and used access to Twilio systems to search for One Time Passwords sent in those challenges” – Okta

[42:08] While you let those stats and cases sink in, let’s throw some more at the wall.

An interview with initial access broker Wazawaka: ‘There is no such money anywhere as there is in ransomware’ – The Record by Recorded Future

DS: How often do people from different affiliate programs compete in the same network to extort victims? Have you had such situations?

MM: This happens often. Especially when several people own the exploit, or pour logs from the same traffic market if we are talking about extracting initial access credentials with a stealer. I took some source codes, so-called proof-of-concept, from GitHub and modified them. If you remember, there was a well-known CVE for the Fortinet VPN. We found it with one programmer from the forum. Based on the list of IP addresses, we got approximately 48,000 entry points. I was very surprised then, really shocked. But we did not even work out 3% of this list. Not enough time.

And when others — well, let’s say our competitors — began to use this vulnerability, there were intersections across networks. I often went into the networks already locked by someone and didn’t touch them, because it’s not my job to encrypt for the second time, but some guys overlocked networks. They come in and see that it is encrypted and so that nobody gets it they encrypted it again. There were cases when the guys and I just crossed paths on the network during development, exchanged contacts, and somehow discussed what to do next. We basically always agreed.

And it even happened that we then jointly did some other projects. In the summer of 2022, this happens all the time, because everyone is hungry for the material. How can we get to the initial access? Actually, there aren’t many options. There are vulnerabilities, such as RCE in various products of VPN devices, everything that can give access to the network. Or a network access login from stealers. But basically, everyone is now flooded from traffic exchanges and there is little unique traffic. And those who have it, they pour just for themselves or are already working in some teams, so it’s absolutely normal that there is a conflict of interest on the networks and now it will be even more.

Will ransomware die?

If it dies, it dies. You need to come up with something new. But ransomware is worse than heroin. I haven’t tried it, but I’ve seen people who are on it, and I’ll tell you this: ransomware is worse than drug addiction. There is no such money anywhere as there is in ransomware. I even compared it to drug dealers from hydra [the world’s largest dark net marketplace, which was shut down this year]. They earn less than us.

But at the moment, ransomware remains the leader in monetization. There are no other schemes on the internet that would carry more monetization. Or I don’t know about them yet.

DS: How has the war in Ukraine affected the ransomware scene and cybercrime in general?

MM: I will not call it a war in Ukraine, I will call it a special military operation. I hope you understand. It had a huge impact. I had many friends from Ukraine. From my entire contact list of residents from Ukraine only one or two people at the moment communicate with me. The rest are all gone. They call me an occupant.

It is terrifying, the industry has reorganized. I don’t know if a special operation would have begun, but as far as we all know, Russia began to quietly come into cooperation with the USA regarding cybercrime. I crapped myself and then I was very afraid, I was drinking a lot. I re-read our Constitution and understood that they’ll leave me, damn well, in Russia, but it was scary [editor’s note: Russia does not have an extradition treaty with the U.S.]. I had already forgotten about the money, and then the special operation had begun. I was [redacted] happy. Although you know it’s dumb to talk about it because my interview will also be read by the citizens of Ukraine, and someone’s father could have died, or their child. I started to rejoice, you know, with impunity. But, if it weren’t for the special operation, I wouldn’t have behaved the way I’m behaving now — I’m even a little ashamed of it.

DS: Tell me a secret. Between the FSB and the FBI, who scares you the most?

MM: What worries me the most? If these two structures start cooperating with each other — then I’ll get [redacted] up, with at least three life sentences.

Don’t think you can keep putting it off and it’ll get better. The threat landscape is going to keep getting more complex and sophisticated. So, let’s start talking about cyber resilience, not cybersecurity. Cyber resilience is something I think that organization boards and owners will respond better to than cybersecurity. If we’re working on resilience, not security, can we withstand?

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
