Tony UcedaVélez: Extortion, readiness and supply side considerations

Tony UcedaVélez: Now, understanding a little bit about the landscape of where we are today, one thing that’s paying off a lot and that’s really risen in really been a kind of a gasoline Meads, you know, in a really an existing fire is extortion, and then the pandemic, the pandemic provides a new context, a new excuse, if you will, for cyber criminals to leverage and that, that aspect of life to introduce, you know, false false claims or false pieces of information, all for the purposes of trying to inform trying to protect, but they’re really perpetrating a valid entity, there’s a lot of entities that are trying to perpetrate the CDC as an example, or maybe the World Health Organization, or NIH, or, you know, different even local hospitals, and health care providers, that might have some role within, you know, the current pandemic that we have, there might be a hospital that’s issuing vaccines, it would be trivial for a cyber criminal to be able to enumerate what are all the different hospitals where vaccines might be given, and then maybe create a false propaganda on this. So this really adds to an opportunity for extortion.

And so the challenges that we have extortion in general, you know, especially with a remote workforce is that you know, you can’t really protect as much when you have BYOD, you know, so you have, if you have BYOD, have everyone kind of bringing their own device, and they’re working for an organization. And then on top of that, you have wholly owned and managed assets that are pertaining to an entity, but they’re remote.

And there, it’s difficult to really govern, you know, what, how they’re being patched how they’re being configured, that makes it a challenge, and they could be susceptible to being compromised through some sort of ransomware. Now ransomware, the Clemson the kids that are operating them, there’s a lot of money with ransomware, the payouts are getting higher and higher and higher. So there’s a lot of humans are becoming increasingly involved in operating these types of this, this flavor of malware that can be delivered, you know, through multiple different mediums, not just email, not just drive, drive through download, but also through other types of nontraditional devices like ivrs, and VR use and things like that.

So one thing to note related to the business of extortion is that the cost of recovery and the resulting downtime is oftentimes, actually more than the actual cost of paying the ransom. So we’ll get into mitigations. Because obviously, ransomware is at the top of many that are in healthcare. And so I want to make sure that we have adequate time on that. But kind of foreshadowing to some of the mitigation strategies. Let’s take a look at this slide.

So the question is, are you ready? and to what degree are you ready across these four different types of capabilities, which, honestly have been proven to be quite effective. So as we look at this, you know, infographic here that we got from, you know, being a part of the gardener family, we basically see four different types of efforts here. So if you as an organization and healthcare are investing in some level of ransomware, readiness, and that level of effort is high, you’re lowering your risk for an overall you know, ransomware, you know, event.

Now, if we look at, for example, phishing, click through rates, if you have if you’re doing security awareness training, and or maybe you actually aren’t doing any training, but you’re going through and some real-life phishing exercises, courtesy of, you know, any sort of hacker or you know, fraudster out there, then if you have higher click-through rates, then you have a higher chance for being susceptible to ransomware. A higher level of backup and restore readiness, which encompasses governance, planning, testing, defining proper scope, etc, is going to equate to you being ready for restoration in the event that you have a ransomware event. So the higher the level of effort, the lower amount of risk for that, on the flip side, on the business continuity readiness, if you’re not doing much in that area, if you’re not planning if you’re not testing. If you’re not doing much in this area, then guess what you’re going to be, you know, probably more susceptible to ransomware payouts that are pretty substantial.

Now, what this slide this presentation here is really about trends. One trend that’s really should be on everyone’s mindset should be on the mindset of encompassing supply, supply-side attacks are increasing. We’ve seen a number of different supply-side or supply chain attacks, and the premise is pretty much the same. You know, if I’m a hacker group, I’m looking to perpetrate trusted software, trusted devices that are going into, you know, insert entity name or industry entity, I will looking to get individuals to have this implicit trust on a device on an appliance on a network, you know, resource or maybe a software that’s going into my infrastructure, and that’s neighboring to where I might have PHI.

So perpetration, and then is what the threat motive is, and supply-side attacks, they want to perpetrate trusted entities that get introduced into these environments. They’re hoping that through the integration, that there is an implicit trust with these types of components, software, hardware, whatever, so that they can then you know, spread out and do recon on the environment, find out where the data is finding out where the weak points are, find out where there might be exfiltration opportunities, maybe even disseminate, you know, some malware. Establishing persistence is a goal.

You know, there’s nothing like you know, just basically latching on like a parasite as a cybercriminal. And then not doing your full payout with one fell swoop. But just going ahead, just establishing residency, if you will illicitly into a compromised healthcare entity, and then staying there for a while, you know, doing your homework, blue, casing the place, you know, logically speaking, as it were. But some key things to consider here is that, you know, as we are all familiar with HIPAA and high trust, in terms of evaluating, you know, how we ourselves as covered entities or as a business associate might be performing, it’s important to understand that these are just the minimal thresholds for security, and especially as relates to vendor security or your vendor security, it’s important that you make sure that you categorize your vendors adequately enough so that they are, you know, the HIPAA high trust levels are going to be your bare minimum, you want to be able to think about what’s at stake with that relationship with that supplier.

And making sure that that, you know, they’ve been asked the tough questions, so that if you’re depending on them for a service, that they have the necessary security mechanisms in place to respond favorably in the event of an attack or a threat. You know, from a legal standpoint, you know, the legal communities are supporting the healthcare entities need to make sure that there’s adequate legal protection, that the risks are not entirely sustained and burdened by the business associate, or the covered entity that might be liaising with a third party vendor yet another business associate supply-side SAS vendors, they’re also in scope.

You know, a lot of these you know, EMR, you know, players out there are definitely pushing for more SAS-related services to their customers. And so it’s important to understand there are a couple of different security considerations like authentication authorization models, your our back model, your logging and monitoring what’s going on there, how they’re applying crypto, things like that. So most importantly, don’t forget that your security solutions and vendors are also on the supply side. So make sure that you kick their tires just because they’re waving the security flag doesn’t mean that they go through and they might actually be the biggest offenders of lack of security. So make sure that you place the scrutiny on them.

Watch every minute of Tony UcedaVélez's session here.

Learn more about Paubox Spring Summit, Secure Communication During a Pandemic.

Read a full recap of Paubox Spring Summit.

Learn more about Tony UcedaVélez.