51. Dr. Eric Cole: "It's the same fundamental problem: we're not learning our lessons and keep repeating them over and over again."

Episode 51 of HIPAA Critical includes an interview with Dr. Eric Cole, a former CIA hacker and founder of Secure Anchor.

Rather read?

Dr. Eric Cole: Oh, it's my pleasure. Thank you for having me. 

Dr. Cole: To me, probably the biggest lie is that these adversaries are unstoppable. What we're hearing a lot now is that when you hear the ransomware or the Colonial [Pipeline] or all these different breaches out there, that is this big, bad adversary, and they're super sophisticated, super-advanced, Mission Impossible-style attack vectors that you can't protect against. 

And to me, at least what we're seeing is that is the biggest lie. 

Because right now, if organizations follow two simple rules, any systems accessible from the internet are fully patched and do not contain critical data. I studied this. Of all of the major attacks over the last three years, 93% of them would not have happened. 

So to me, yes, the adversary could do advanced capabilities. But right now we're leaving the front door unlocked, and they're just walking right in. And we're blaming them.

Dr. Cole:  Yes and no. So at a high level, in terms of understanding that it doesn't matter who you are, or what you do, that you are a target and that cybersecurity is your responsibility. I believe that those are the same. 

Now when it comes to individuals, to me, the big thing is, a lot of the applications and components we’re using, from online banking, e-commerce to others, there's a lot of security built-in that we're just not turning on. 

For individuals, if you go into your banking application, turn on two-factor authentication, turn on account notification. So, whenever somebody is logging in or trying to access your account, you get notified. You can take action that's going to go a long way to protect you. 

The problem with most personal individual attacks is they just don't have the visibility. They just don't know what's happening until it's too late. 

When we look at corporations, what a lot of it comes down to is making sure you're putting the critical things at 100%. What we were talking about earlier, I call it the law of 90%. 

If we look at any of these organizations that got breached, we can honestly believe that they have no patching policy, believe they have no data protection, they have no asset inventory, that that would be silly. 

However, what I realized is when you look at these big companies, 90% of their assets they're aware of, 90% of their servers are patched. 90% of their data is protected. Now if we're in school, and we're taking Physics or Calc 3, 90% is good.

But in cybersecurity, if you have 100 servers, and you’re only protecting 90%, that's 10 that are still vulnerable, and 10 that are still exposed. 

With companies, they're not getting the fundamentals correct. The foundational items like asset inventory, configuration management and patching. If they focused on that 100% that starts to solve a lot of those problems.

Dr. Cole: No, it's funny, you bring that out because to me, if you look at Equifax and Target, if we learned those lessons, we wouldn't be having the problems today. 

Solar Winds is Target all over again. The Colonial Pipeline is Equifax. It's the same fundamental problem: we're not learning our lessons and keep repeating them over and over again.

Dr. Cole: Yes. But it goes back to the companies that don't think they're a target. They don't think it's their responsibility. 

If I add a third piece to it: they're not focused on the detection. They think that “oh, we have firewalls and some IPS, and we can prevent all attacks.” When the name of the game of cybersecurity is prevention is ideal. But detection is a must.

Dr. Cole:  To me, the first step today that they should take is to assume they're compromised. 

If you look at all the data, it's scary because the number keeps going up. [It] used to be most companies were compromised for 19 months, before they detected, then it was 23, then it was 27. 

The latest numbers that just came out are 31 months, most companies are compromised. 

So especially after COVID, where companies basically did anything for survivability and ignored security for 6, 9 or 12 months, the probability that you are compromised right now and don't realize it is very, very high. 

So the first thing I would do is you need to do some threat hunting. You need to go in and see what's happening, what's occurring. The next thing I would do is it's all about critical data. If somebody breaks in, and they don't access, steal, or encrypt critical data, then it's pretty much a minor breach. So, understand what is your critical data? Where is it located? 

While a lot of security professionals in the past didn't like the cloud, to me, the lesson is: the cloud is a much safer place than a data center because that's what [the cloud] business is. So really get that data controlled and managed. 

Then the third thing I would say is, look at the endpoint, especially what happened with COVID. But even before that, look at laptops that people are carrying around. The average hard drive is four terabytes and most people have at 95% full. 

Dr. Cole: That's a lot of gold you're keeping in your house without a lot of security in place. I'm always a big fan of minimizing endpoints. The data can be better controlled and managed in a single spot.

Dr. Cole: The key to encryption is making sure that the key that you're encrypting is stored on a separate server. 

What I see in healthcare all the time is these attackers get in and within minutes, steal all the information. I talk to the executives or head doctors and they're like, “but Eric, it was encrypted, how could they have done that.” 

And the only option is the keys are stored with the data. So they basically break in. It's like putting the key under your floor mat. It's not fooling anybody. 

I would also say encryption doesn't work if you don't protect, control and manage the keys. That's where a lot of healthcare organizations fail on the security spectrum.

Dr. Cole: You hit the key spot. It’s important when you're talking about hospitals and healthcare [to remember],  doctors are the kings and queens of their kingdom. A solution, if it's cumbersome if it requires them to do an extra step, it's not getting done. 

That's why I love what you keep saying about it's transparent. It's better. Solutions that work in all areas, but especially healthcare, are transparent solutions that you're not even aware of and keeps you safe. 

That's what we need more of. As opposed to these super cumbersome, really heavy, user-based solutions that nobody's going to follow on. Nobody's gonna do this.

Dr. Cole:  To me, one of the big ones is recognizing that the two most dangerous applications on planet earth are email and web clients. That's pretty much the source if you're looking at ransomware, phishing, all those different attacks. 

My approach to security is, you have to give them solutions that adapt to how they do business. Not telling people not to do things. 

Don't get me wrong. I love awareness. I think awareness is great. But awareness isn't going to get the job done. I've seen it all the time where you tell people don't do it, don't do it. Don't do it. And it's like putting candy in front of a three-year-old.

We put way too much pressure on them. I had one client say “Eric, I don't understand why we get breached all the time. If our users just checked email, didn't click the link, didn't do this, they actually looked at this, they verify.” And I'm like, really? You're expecting [your employees] to do that?

So, that was one of the simple things we do for our clients. 

In my office, because we get targeted all the time, I have my Windows computer that I do my work. I write my reports, I do my analysis. And then I have an iPad that I only use for checking email and surfing the web. So I fired up or weeded them out. 

Now as you know, it's not that Windows is more vulnerable. It's that it's a ‘90% install base’. Most attackers are going after Windows. So, the probability of there being an iPad-based exploit is very, very small. Even if it did, I just reimage my iPad. There's no data, there's no information. I just have those two applications on it. 

To me, it's coming up with those types of technical solutions, where they can get trained to do it, but not expecting them just to analyze and trace back every email address to make sure it came from a legitimate source.

Dr. Cole:  I'll just throw it out there. Unless you wear bell-bottoms and like listening to the Bee Gees give up passwords. We need to give up passwords. Passwords don't work. 

People use the same password all over. Two-factor authentication is built into just about anything. If you're using a personal app or a third-party app, trust me, it's there. You just don't have it turned on. 

To me, the first hygiene factor is you’ve got to make sure that authentication is robust. You have to use two-factor authentication. Get away from passwords, get away from those areas. 

Next is to stay away from free. When you look at your phone, computer, all the free apps and free this and free that most people don't realize free is not free. Free means they're accessing your device. 

If you don't believe me, take any of your devices and go under the security advanced and look at the location tracking, camera, microphone and look at all the apps. I do that weekly. I'm always amazed. This Sunday I did it. And I'm like, “why is this application accessing my camera and my microphone? That's a little weird” 

So I turned it off. That's the other thing; is know what's on your system. My general rule is anything on my devices I pay for if I would rather pay $9.99 and control my data than have a free app that doesn't. So that would be the second piece. 

And then the third piece of good cyber hygiene is just awareness. Like I said, turn on alerts. 

It drives my wife crazy. Like this morning, she uses Venmo, which I don't like. But after 26 years, I realize you can't say no. So she's gonna do it. But, I get an alert that says, “hey, there was a $200 Venmo charge on it.” 

And I checked with her. And she was like, “yep, that was me.” And she was like, “so I’m being spied on?” I'm like, “No, we're checking and protecting.” 

It's a little annoying when you use a credit card or Venmo to get that alert. But here's the question I always have. I said, “Honey, there are two options. One is I texted you to verify and it took us 30 seconds, and it's legit, or it was fraudulent. I assumed it was you. And then our bank account was wiped out.” And she's like, I like option one. I'm like, that's what I thought. So you have to have a little inconvenience, in order to protect, secure and react to these things that are happening.

Dr. Cole:  The only thing I would say is it doesn't matter what business you're in, if it's large or small or individual, you need to recognize it, you're a target. These attacks are happening all the time. 

We didn't really get a lot into the ransomware, but I always find it fascinating where I get on these interviews. They say “Eric, so what's the cause of the increase in recent ransomware?” And I'm like, “What are you talking about?” And they're like, “well, it's only been in the last couple of months that ransomware attacks.” And I'm like no. I said the worry of 2020 small [business] and individuals being hit with ransomware. Now the ransom payment for individuals was $200. And for companies, it was $15,000. But it was still out there.

So I think the media, sometimes only covering the big stories gives individuals or companies this illusion that only the government and billion dollar companies and billionaires are targeted. But in reality, everybody is targeted. 

And in a lot of cases, it's the smaller individual that gets hit a lot more, because it's easier, simple. And they have their guard down. So just always remember, you are a target and cybersecurity is your responsibility.

Dr. Cole:  So if you can't do two-factor, and it's just not an option, you can't do it, then yeah, I'm absolutely a huge fan of a passphrase. The only trick that I do is use a passphrase, but use it to create a random string. So for example, if you say, “my first dog, Fido was born December”, you would go in and pick the first letter of each word and create a phrase. 

So now when you're typing in, it's uppercase m, lowercase F, etc., and it looks like this random string that nobody could guess. But it's very easy and simple for you to remember. Then it's one of those things where now you can have different passwords for each of your different accounts. 

The joke I always had is I used to use my kids, like my first son, my second. I told my wife, I'm like, “Listen, I need more passwords. We have to have more kids” and she was like, “come up with a different ski. Right?” That, that's not gonna happen there. So, it's picking things that are easy to remember but hard for somebody else to guess.

Dr. Cole: It is my pleasure. Thank you for having me.