The ongoing, rapidly changing cyber war has created a need for us to change our viewpoint on cybersecurity. Yes, we need to worry about cyber hygiene and continue working on ways to secure our systems, networks and data. However, there is also a need to take the “plan for the worst but hope for the best” approach and start focusing on cyber resilience.
In this episode:
New Goal: Cyber Resilience – Ep 373
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcasts. Share us on social media. Rate us wherever you find the opportunity.
The Privacy and Security Boot Camp
3.5 day In Person Event
Mar 12, 13, 14 and 15, 2023
PriSecBootCamp.com
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a timestamp in brackets on the left side of a note, you can click it to go directly to that part of the audio. Get the best of both worlds: from the show notes to the audio and back!
HIPAA Say What!?!
[08:26] Hackers have laid siege to U.S. health care and a tiny HHS office is buckling under the pressure – POLITICO
From the article: John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association, has called for federal support in training workers and grants to help organizations boost their security efforts. And in testimony to Congress, Erik Decker, chief information security officer at hospital chain Intermountain Healthcare, called for the Centers for Medicare & Medicaid Services to look into developing payment models to “directly fund” cyber programs.
In contrast to King and Gallagher, many in the industry said they are encouraged by progress on information sharing. HHS’ Health Sector Cybersecurity Coordination Center has helped, they said, and the public-private 405(d) Program and Task Group has received high marks for its work to develop guidelines to help health care organizations defend themselves. Congress called for the collaboration in section 405(d) of a 2015 law.
New Goal: Cyber Resilience
[18:48] We’ve had the term cyber resilience bouncing around for a while now. Based on what we keep hearing and seeing, it is time to change our viewpoint and think beyond cybersecurity to focus on cyber resilience.
First, what the what!?! There is a difference between the two. The cybersecurity we are all used to hearing about and discussing isn’t changing. Yes, we need to worry about cyber hygiene and keep working on ways to secure our systems, networks and data. However, there is also the “plan for the worst but hope for the best” approach, and that is what we should really focus on achieving these days.
NIST gives us specific definitions of the terms. NIST SP 800-160 Vol. 2 defines cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
Security is doing everything you can to protect your systems, networks and data, while understanding that you need to be prepared for all of those plans to go out the window. Resilience is the next level beyond security: assume an attack will succeed no matter the level of security you have in place. We accept that fact up front and build a plan to withstand the attack, keep operating, and recover without allowing the organization to completely collapse.
[25:53] If we focus on resilience instead of just security, we will all be better off, because things are not improving out in the cyber sphere. Let’s cover a few of the articles we have reviewed recently.
First, a threat alert about the latest iteration of a ransomware gang that is actively targeting the HPH (Healthcare and Public Health) sector.
Karakurt Threat Profile from HC3. HC3 researchers report that the group first emerged in late 2021. The notice was published Aug 24, 2022, and HC3 has noted at least four attacks affecting the US Healthcare and Public Health Sector since June 2022.
A survey of cybersecurity leaders around the world makes it clear that things are not going to get better any time soon. When we saw this article and the associated study, it only reiterated that we need to change the way we think about cybersecurity. It should not be focused primarily on keeping attackers out. We need to assume they are already in our networks and focus on limiting the damage, or what some call the blast radius, of an intrusion.
The survey was conducted in July 2022 and asked the opinions of 1,101 security decision makers across the United States, United Kingdom, France, Germany, Benelux (Belgium, Netherlands, Luxembourg) and Australia.
77% of security leaders fear we’re in perpetual cyberwar • The Register
We have been talking about being in a cyberwar for years.
NotPetya, Windows, and Ransomware – Ep 112
5 Laws of HIPAA Cybersecurity – Ep 153
The survey, organized by Venafi, is written up here: The (nation) state of cyber: 64% of businesses suspect they’ve been targeted or impacted by nation-state attacks | Venafi
Notes from the survey:
- 77% believe we’re in a perpetual state of cyberwar
- 63% doubt they’d ever know if their organization was hacked by a nation-state
In the survey write-up, Venafi states:
LastPass Source Code Stolen in Breach
Notice of Recent Security Incident – The LastPass Blog
About the same time, we get this: Okta one-time MFA passcodes exposed in Twilio cyberattack
MM: This happens often. Especially when several people own the exploit, or pour logs from the same traffic market if we are talking about extracting initial access credentials with a stealer. I took some source codes, so-called proof-of-concept, from GitHub and modified them. If you remember, there was a well-known CVE for the Fortinet VPN. We found it with one programmer from the forum. Based on the list of IP addresses, we got approximately 48,000 entry points. I was very surprised then, really shocked. But we did not even work out 3% of this list. Not enough time.
And when others — well, let’s say our competitors — began to use this vulnerability, there were intersections across networks. I often went into the networks already locked by someone and didn’t touch them, because it’s not my job to encrypt for the second time, but some guys overlocked networks. They come in and see that it is encrypted and so that nobody gets it they encrypted it again. There were cases when the guys and I just crossed paths on the network during development, exchanged contacts, and somehow discussed what to do next. We basically always agreed.
And it even happened that we then jointly did some other projects. In the summer of 2022, this happens all the time, because everyone is hungry for the material. How can we get to the initial access? Actually, there aren’t many options. There are vulnerabilities, such as RCE in various products of VPN devices, everything that can give access to the network. Or a network access login from stealers. But basically, everyone is now flooded from traffic exchanges and there is little unique traffic. And those who have it, they pour just for themselves or are already working in some teams, so it’s absolutely normal that there is a conflict of interest on the networks and now it will be even more.
Will ransomware die?
But at the moment, ransomware remains the leader in monetization. There are no other schemes on the internet that would carry more monetization. Or I don’t know about them yet.
MM: I will not call it a war in Ukraine, I will call it a special military operation. I hope you understand. It had a huge impact. I had many friends from Ukraine. From my entire contact list of residents from Ukraine only one or two people at the moment communicate with me. The rest are all gone. They call me an occupant.
It is terrifying, the industry has reorganized. I don’t know if a special operation would have begun, but as far as we all know, Russia began to quietly come into cooperation with the USA regarding cybercrime. I crapped myself and then I was very afraid, I was drinking a lot. I re-read our Constitution and understood that they’ll leave me, damn well, in Russia, but it was scary [editor’s note: Russia does not have an extradition treaty with the U.S.]. I had already forgotten about the money, and then the special operation had begun. I was [redacted] happy. Although you know it’s dumb to talk about it because my interview will also be read by the citizens of Ukraine, and someone’s father could have died, or their child. I started to rejoice, you know, with impunity. But, if it weren’t for the special operation, I wouldn’t have behaved the way I’m behaving now — I’m even a little ashamed of it.
MM: What worries me the most? If these two structures start cooperating with each other — then I’ll get [redacted] up, with at least three life sentences.
Don’t think you can keep putting it off and it’ll get better. The threat landscape is going to keep getting more complex and sophisticated. So, let’s start talking about cyber resilience, not just cybersecurity. Cyber resilience is something I think organization boards and owners will respond to better than cybersecurity. If we’re working on resilience, not only security, the question becomes: when an attack succeeds, can we withstand it and keep operating?
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.