We get this question all of the time: How do they get in? How do the bad guys get in and attack my network? Seems like a simple question, right? Well, there’s not always a clear-cut answer. The first thing you need to understand is that cybersecurity isn’t a problem you solve. It’s a chronic condition that you have to manage.
In this episode:
How Do They Get In? – Ep 358
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
The Privacy and Security Boot Camp
3.5 day In Person Event
Sep 12, 13, 14 and 15
PriSecBootCamp.com
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
HIPAA Say What!?!
[05:42] Employees vs patients. Extra careful clients are a great thing. It means they are on track and constantly asking the question “will this action violate the CIA (confidentiality, integrity, availability) protections of PHI under HIPAA?”
Here’s a recent question: Two staff members of an organization were lost to COVID-19. The organization wanted to do something to honor them, but checked in with us to make sure there would be no HIPAA violations or concerns with the plan they had made. We were very happy to see them ask – prefer that any day over assuming you are correct when you are not!
In this case, employees were not being treated by the organization nor was the organization running their own health plan that could trigger HIPAA. Employees fall under normal state and federal employment law. I do not know all of those, but I am not aware of one that would prevent them from honoring team members they have lost.
We get a lot of requests from random folks on the internet, not necessarily listening to the podcast, but finding us nonetheless and asking us questions. We do appreciate the fact that people are taking the time to research and ask questions about privacy and security.
405(d) Tip of the Week
[10:04] Practice #5: Asset Management
Asset Management is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization. If you don’t know you have them and where to find them, you cannot properly protect your assets, can you?
Asset Management Poster from the 405d website.
We did a full episode on this back in January this year, Why You Need Asset Inventories – Ep 337 – Help Me With HIPAA, and it covers this topic in detail.
For Small Organizations:
- Keep an accurate inventory. A complete and accurate inventory of the IT assets in your organization facilitates the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.
- Procurement processes should be implemented and followed at all levels of your organization. Processes should be part of daily IT operations and encompass the lifecycle of each IT asset.
- Establish policies to appropriately decommission and remove assets. It is critical to properly dispose of retired assets, because these assets may contain sensitive information.
For Medium/Large Organizations you also need to add:
- Provide secure storage for inactive devices. Assets that are not in circulation should be returned to the appropriate IT department to avoid threats.
- Establish integration with network access control procedures. This can mitigate complications when employees use personal devices or devices are donated to your organization.
- Implement Automated Discovery and Maintenance systems. In order to maintain thousands of data elements, Automated Discovery systems provide the ability to maintain all records and track the lifecycle of assets.
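The three practices above all come back to one check: does what is actually on the network match what the inventory says? The script below is an added example, not from the podcast or the 405(d) program, that reconciles a constructed spreadsheet export against a constructed discovery scan and reports unknown devices, "retired" assets still online, and active assets the scan never saw.

```python
"""Reconcile an asset inventory export against a network discovery scan.

Added example; the inventory rows and the discovery results are constructed
sample data, not from any real organization.
"""
import csv
import io
from dataclasses import dataclass

# Constructed inventory export, as a small organization might keep it in a spreadsheet.
INVENTORY_CSV = """asset_id,hostname,mac,owner,status
A-001,front-desk-pc,AA:BB:CC:00:00:01,Reception,active
A-002,billing-laptop,AA:BB:CC:00:00:02,Billing,active
A-003,old-scanner,AA:BB:CC:00:00:03,Records,retired
A-004,lobby-printer,AA:BB:CC:00:00:04,Facilities,active
"""

# Constructed discovery output: (MAC, hostname) pairs a network scan actually observed.
DISCOVERED = [
    ("aa:bb:cc:00:00:01", "front-desk-pc"),
    ("aa:bb:cc:00:00:03", "old-scanner"),    # retired on paper, still answering on the network
    ("aa:bb:cc:00:00:04", "lobby-printer"),
    ("de:ad:be:ef:00:99", "android-7f3a"),   # not in the inventory at all
]


@dataclass(frozen=True)
class Findings:
    unknown: tuple             # seen on the network, absent from the inventory
    retired_but_online: tuple  # inventory says retired, scan says present
    missing: tuple             # inventory says active, scan did not see it


def normalize_mac(mac: str) -> str:
    """Spreadsheets and scanners disagree on case and separators; compare on one form."""
    return mac.strip().lower().replace("-", ":")


def reconcile(inventory_csv: str, discovered) -> Findings:
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    by_mac = {normalize_mac(r["mac"]): r for r in rows}
    seen = {normalize_mac(mac) for mac, _ in discovered}
    unknown = tuple(sorted(host for mac, host in discovered if normalize_mac(mac) not in by_mac))
    retired_online = tuple(sorted(r["hostname"] for mac, r in by_mac.items()
                                  if r["status"] == "retired" and mac in seen))
    missing = tuple(sorted(r["hostname"] for mac, r in by_mac.items()
                           if r["status"] == "active" and mac not in seen))
    return Findings(unknown, retired_online, missing)


if __name__ == "__main__":
    for field, hosts in vars(reconcile(INVENTORY_CSV, DISCOVERED)).items():
        print(f"{field}: {', '.join(hosts) or 'none'}")
```

Each of the three lists is an action item: unknown devices need an owner or removal, retired devices still online need the decommissioning policy applied, and missing active assets need to be located before they are declared lost.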
How Do They Get In?
[15:26] We talk about all the things you should do to prevent the bad actors from getting in, but what about how they actually get in when an attack occurs? We get asked this question all the time. How do they get in? Depending on who is asking and the environment, the answer varies slightly. I know way too much information and this question makes my brain go into overdrive every time. It is so very hard to answer simple questions about complex topics. To help with that question all the cyber groups got together again and said let me tell ya another thing. On 17 May (because everyone else says dates weird like that), another joint advisory was published by the cyber security authorities from the US (CISA, FBI, NSA) plus their counterparts from Canada, New Zealand, the Netherlands and the UK. This time it was: Weak Security Controls and Practices Routinely Exploited for Initial Access
What is really tricky here is the number of ways I have had to deal with attacks starting. One very important thing is almost always, always in the mix: A human failed to follow policy, made a mistake, or fell for a scam of some sort. The only question is which one of these took place to allow attackers in.
There is a lot of that kind of formal language in this advisory, so we thought we’d group several of them together and give you the “how they get in” and some things you can do to fix it.
[20:03] Way in: Remote Desktop Protocol (RDP) is one of the most common infection vectors for ransomware. They steal credentials, use brute force attacks, or exploit security vulnerabilities that get them past the username and password. Once they get in that way, they are able to wander around using other tools and tricks to attack the organization. Every group that tries to protect RDP with a VPN connection needs to make sure the VPN connection is also protected, because they are breaking into the VPN.
Fix: Stop them with MFA on anything that can be accessed from outside your business network. Every single account must have it. Security is not convenient, but leaving these connections open without strictly enforced MFA is asking for trouble. Think of it like having encryption on your laptop but then adding a Post-it note on the bottom of the computer with the key.
[25:41] Way in: Unpatched software with known vulnerabilities (and available fixes) is being used and not otherwise protected, which lets the attackers quickly scan your network and run tools that take advantage of that opening.
Fix: Patch everything on a regular basis. We did a whole episode on this one too: Why Security Patching Matters – Ep 239. That one was long ago, BC, but still applies.
[29:37] Way in: Improper use of password controls, permissions, privileges and/or use of default login information for devices and software. Printers… please worry about the printers. They get exposed to the open internet with default logins plus never being updated. If you give everyone permission to do anything they may ever need to do, then so can the bad guys. It isn’t just the printers; there are plenty of devices that could be sitting there with very little login protection in place.
Fix: Do regular scans for what is open on your network. Do real access control that addresses Donna’s three security rules. They must all be met for proper implementation. Listen to Passwords are a necessary evil – Ep 187. Even back then we knew it and it hasn’t changed.
[34:54] Way in: Cloud services let attackers in, which they then use to drop off things or find information that lets them go further into the services or even the network. Cloud services remove some of the openings, but they also add new ones you need to worry about.
Fix: Risk analysis and security plans should be built before adding new services. If they are already in place, do the analysis and plans now. Build a plan for implementing controls, audit them for effectiveness and efficiency, and monitor them for failures and intrusions.
[40:14] Way in: Configurations allowing devices and software to be exposed to the internet without any, or very little, protection in place. Too often there is an assumption that certain things don’t have to be secured because they aren’t exposed to the internet. Then, they get exposed to the internet.
Fix: Do not assume anything about security other than this: if a flaw is exposed, it will be attacked. Any other assumption on your part will result in what we will just call a series of unfortunate events.
[44:57] Way in: This is my number one answer any time I am asked “how hackers get in” – email. Phishing in its many variations continues to be the source that we track back to for the entry point. That problem is only exacerbated when your endpoints are not set up with layers of security to catch the actions the user initiates in the phishing attack.
Fix: Ongoing phishing tests and training for every single person with an email account. Endpoint protections with more than basic antivirus.
As I like to tell providers: Cybersecurity isn’t a problem you solve. It’s a chronic condition that you have to manage and medicate.
If you don’t understand anything else about cybersecurity, understand this: The problems in cybersecurity do not get solved. They only get managed. And training every single person to be cyber aware and to recognize phishing emails is a great first step in managing cyber risks. You can’t always throw technology at the problem. You have to also address the people and processes.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.