Episode 3: National Cyber Security Awareness Month (NCSAM) 2021 – Podcast Transcript
Abby Rose: Welcome to the MediSked Podcast! October is National Cyber Security Awareness Month, so we are pleased to welcome three panelists from MediSked’s cybersecurity team to the podcast today. Let’s have them introduce themselves before we get started.
Shayne: Hello, my name is Shayne Champion, I’m the Chief Information Security Officer at MediSked.
Sara: My name is Sara Sofia, I’m a Security Engineer.
Luke: And I’m Luke Franzelas, I’m a Cyber Security Network Engineer.
Abby Rose: Awesome, and I am Abby Rose Esposito, Marketing Specialist here at MediSked, and I will be the moderator today! So we can get started – first, what are some cybersecurity attacks you’ve witnessed in your careers? Does anyone have one they want to start with?
Shayne: I’ll start off with a few interesting ones. I worked for several years with a company that did incident response across the country. We had some very interesting ones and what surprised me the most, doing those on a fairly consistent basis, was the number of attacks that were very simple things that everyone should really know better than to do – leaving commonly used ports, like remote desktop services, open to the internet; not patching devices; a bunch of silly things. But we also did penetration testing, which is where you hire an organization to attempt to break into your network, and sometimes that would be electronically or physically trying to break into the building. And it’s really amazing how much we allow just because we trust people sort of inherently, and that trust is something that the bad guys can always use to expose your organization or your network.
Sara: My favorite was at the last company I worked with, we actually hired penetration testers like Shayne used to do in his past life, and the penetration tester went to one of our satellite offices and fumbled with his fake badge outside the door until somebody felt bad for him and just let him in, didn’t check his badge, didn’t verify that he even worked at the company. And then he just stated that he was new to the company, and they brought him and said ‘oh, here’s a cubicle for you,’ and helped him setup his laptop and connect to our network. At that point, he sent out a phishing email to our executive team, one of which was a domain admin, from spoofing our network engineer who was actually on vacation for her wedding, and everybody knew she was out of the office so nobody should’ve responded to this email. And he sent the phishing email that said ‘hey, we need you to reset your password for this, click this link and reset your password,’ in which one of the domain admins – which, domain admin is basically credentials that are keys to the kingdom – and that person handed their credentials over to the penetration tester, who then just basically had a field day because they could do anything they wanted. Another one that actually happened at that company that was actually a real attack was one of the finance people received a phishing email that was an invoice and when they clicked it, it installed ransomware on our system – which, ransomware is an attack where they basically go through and start encrypting your files and then you have to pay them in order to get the decryption key. And it started going through our local network share and just going folder through folder. Now we got really lucky on that one because we caught it in action and we were able to stop it in its tracks when it was only on like file system letter C, and then we were able to restore backups so we didn’t actually have to pay anything, but there was a lot of fun confusion and panic for that attack.
Abby Rose: That is wild.
Luke: I experienced a situation where I’d been hired to install firewalls between two entities that were once one entity and they were splitting up, part of it was purchased. And there was a lot of pushback to get firewall setup in place with the, only the things that needed to communicated across the firewall for what business relationships they still had limited to. During that time, the environment was wide open and I was doing package sniffing to determine what rules needed to be created as I wasn’t getting any assistance from anybody in the environment to limit that. And during that time, while it was wide open, somebody from the entity that we were leaving had an individual on their network that found a device that was responsible for lots of storage for our customers and it still had default usernames and passwords set up. He figured those out, got into that device, and filled the storage that was supposed to handle several years of data in about a week with information for his own personal web service. Needless to say, I got a lot more support getting that firewall setup after that incident.
Shayne: Sara brought up the ransomware episode that she experienced – there was one client I’ll never forget who had been hacked by a foreign entity, they were a world-leading manufacturing organization. And obviously the bad guys were using Google Translate to communicate with us over a encrypted email account. And because the organization didn’t have sufficient backups, they ended up having to pay them three ransom payments to get some of their data back. And it’s not as simple as it seems it should be, just to get data back from the bad guys, but the organization was having some problem restoring that, and I’ll never forget the bad guys emailed back and said ‘well if you’re having problem, if you’ll give us admin access, we’ll be happy to go in and fix it for you.’ And I thought, ‘wow, that really is some true bravado there to hack our information and attempt to be helpful after.’
Sara: Sounds very kind of them, I mean you paid them at this point, they were providing good customer service.
Abby Rose: Right.
Shayne: I’ll never forget that one.
Sara: But, I mean, also, if you look around in the news lately, ransomware is huge, it’s everywhere. Like Kaseya is a company that provides remote IT support, and it took down grocery stores all throughout Europe. And so it really goes to show how these small attacks can, like, go from just being something that happens on the internet to impacting people in their daily lives. And there was also one that, what was it, a Florida utility company? And there’s all kinds of fun ones in the news lately, happening constantly, because they make a lot of money doing it. The only reason you don’t hear about smaller companies or the average person in the news is because nobody cares about something that small scale, where I think they’re more common.
Abby Rose: Right, yeah, and they’re scarier because they feel like when you hear something happening to a big company, it’s like ‘yeah well I don’t work for a big company, that’s not going to happen to me.’ Whereas if you are hearing examples of places like this, it’s more scary.
Shayne: And attacks really have jumped up during the COVID era. The bad guys are really taking advantage of organizations being more distributed, people being more open to trying to help people with COVID, and using all those to exploit. And it’s really, it’s jumped up the frequency of ransomware attacks on a astronomical level.
Sara: Unfortunately, once you start kind of watching, you do start to notice that it is impacting normal users more than you think. Like in my blog post I added a photo from one day I was shopping at Home Depot and I was checking out and there was a sign at the register that said, ‘You know, the IRS doesn’t take gift cards from Home Depot, please talk to a manager.’ And it’s very interesting that one of our line of defense against vishing and phishing emails now has become a Home Depot cashier saying, ‘hey the IRS and your utility company don’t accept Home Depot gift cards as payment,’ like stop, think, don’t fall for these things. So it is really impacting regular users except they just don’t know where to go to report it – most people, when they get these kinds of attacks, like the IRS is coming to you and saying ‘you didn’t pay your taxes, you’re a bad person,’ and then they’re embarrassed, they don’t want to tell their friends and relatives and they’ll just do anything to get out of the situation before it gets more embarrassing. So that has led to cashiers being our front line.
Abby Rose: Yeah I wonder how many people that’s helped and I wish they would do it everywhere. My grandfather actually had someone call him and he claimed to be my brother, so he claimed to be my grandpa’s grandson, and he said he sounded different because someone broke his nose, and he needed – he like gave some excuse for a reason that he couldn’t send him money, he needed someone to send him these gift cards, and my grandfather went to Target and bought on all of the, like, I think it was Amazon gift cards that he could find, and it’s just so sad.
Sara: You see people on Facebook with their accounts getting hacked and then you get that random messenger popup from someone you know being like, ‘I’m somewhere in the world in jail, send me bail money’ and something weird like that. So it is happening to the regular person in the world, we’re just used to it, we’re desensitized.
Abby Rose: Yeah. What about HIPAA? What kinds of HIPAA violations have you witnessed?
Luke: I worked for a healthcare system for a little while as a security analyst and I was actually demoing a product that sat online on our egress point of the network, so all of the traffic that people were sending to the internet would go through this device and it would take that information and recompile it into images and whatnot and digitally sign it if there was anything we needed to take to court. And this is just what I was demonstrating. And I had that machine on the network for about five minutes before I found so many incidents of what I would consider violations – and this is a company that has regular training for all their personnel, and they were still happening. And the one big one was somebody sent an Excel spreadsheet with about 3,000 patients’ medical record numbers, their social security numbers, to their personal email so that they could do work from home. That’s a pretty big deal.
Abby Rose: Yikes.
Sara: I worked at an insurance company and one of the call center people was just trying to be helpful and emailed a mother her son’s healthcare information. Now it didn’t end in anything catastrophic but she wasn’t allowed to receive it.
Abby Rose: So like our MediSked Portal, individuals can decide what they want to share with their people in their circles of support, and I know there are a lot of people who don’t want their mom, for instance, knowing about their personal information because – yeah, they’re close with their mom, but there are some things you don’t want your mom to know.
Shayne: I had a pretty bad one, I worked for a large, national health insurance company that may or may not be blue, and we were moving our corporate headquarters from thirty separate buildings throughout the city to a new campus that we had created, and we had one that was our call center that was in the middle of an older mall and we had a small data center right in the middle of that to support all of the equipment we needed for the folks who did the customer support. So we’re a fairly good ways through the process and our physical security department decided that we had moved enough stuff out, the data center was closed, so they turned off the badge proximity reader system and that night a janitor came in to clean, found the door open, so he went in to start cleaning and finds a box of a bunch of hard drives sitting on the floor, and he thought he could take them and pawn them and make some extra money for beer. $14.5 million dollars later… the way HIPAA works is because he happened to steal drives from the machine that did recordings of the voice and video from the desktops of our call service agents, and because it could have been any of a wide number of customers, we had to assume all of those customers were implicated, but we had backups of everything. So we had a staff of almost 100 people working for three and a half months, day and night, 24 about 7, listening to every second of audio and watching every second of video to determine who may have been compromised in the breach. And fortunately, the organization had just bought cybersecurity insurance like two months before it happened, it was fairly new at the time. But it was a massive breach. The interesting thing, though, is that, while it was huge news at the time – this was in the late 2000s – about 1.5 million records were compromised, that wouldn’t even make the top 500 now. The level of attacks has increased at such a degree, it wouldn’t even be a huge newsworthy event anymore.
Sara: It’s also a lesson on why you encrypt your hard drives.
Shayne: They were encrypted.
Sara: Oh, well, still encrypt your hard drives!
Shayne: The problem was it was a proprietary encryption that that particular vendor had and not a NIST-140-2 encryption, so it didn’t count for safe harbor.
Sara: And encrypt your hard drives the right way.
Shayne: True that.
Abby Rose: What are some other vulnerabilities that people in the HCBS industry need to look out for?
Sara: Internet of Things devices, medical devices, monitoring systems – like video cameras or even like Ring doorbells that show video of who’s at the door – any extra device that you’re adding to your network adds risk. So, as I normally tell my friends and family as they’re about to add one of these devices, I’m like, the minute it’s on the web, it’s available to the world. And I think that’s one of the interesting things with people, and even the people who create these devices – everyone’s thinking of the benefits of how quickly, like, ‘ooh, I can get this lightbulb that I can get to turn different colors at different times throughout the day,’ but they’re not thinking about the risk that they’re taking on. And I’m not saying don’t use these devices, I’m just saying that there are steps you need to go through to get it on your network and secure it. Like make sure your network’s up to date, watch what devices are on your network, change the default password if there is one. I mean, one of the stories I always found interesting was there was a casino in Las Vegas that was hacked through the thermometer in the lobby fish tank and they were able to escalate privileges from the thermometer in the fish tank and get onto the casino’s network, and we all know that, like, casinos have some of the best security on the planet. And they were able to go through the network and get through their list of, like, whales, all of the very rich people, essentially, and get all of their information. And so they were able to steal all of that data because they got in through a thermometer in a fish tank in the lobby. So yes the device, like there, nobody had to sit there and take the temperature of the fish tank every day, but then they exposed themselves. So just secure it if you’re gonna use it.
Shayne: And everybody remembers when Target was hacked in 2013 and they got such a bad rap about their security but it wasn’t actually the Target network that got hacked, it was actually the air conditioning system which had an external sensor that allowed the organization to set that for the entire facility remotely, and that’s how the bad guys got into the network. And once they were in the network, they found the point of sale system and compromised that. But getting back to talking about individual things for assistive technologies, as Sara said, there are a lot of those monitoring technologies, and the core problem is that these organizations, they say, ‘we’re developing webcams so we can monitor those people,’ or ‘we’re developing a new doorbell system’ or whatever, but they think about themselves as providing that instead of providing security first. Security tends to be an afterthought. There was actually a story that came out just this month where a webcam company called Dahua, their webcams turn out to be very susceptible to an unauthenticated remote access attack, which means people can basically flood the network and anybody can get access to the video feed directly from that camera system. And that has huge HIPAA violations, depending on where that camera is. So it’s those sort of things that get us in trouble. And as Sara was talking about, there are a lot of things you can do to protect those systems, but one of the other things we need to do, as we learned from the Target attack, is any of those systems that you have, whether they’re in your home or they’re in the workplace or they’re in a care facility – they need to be on their own independent network. Any Internet of Things device, any internet-connected device, doesn’t need to be on the network with your data and the rest of your systems.
Sara: One of the other things is also thinking about what other ways that device could be susceptible. For instance, a certain coworker came to my home and as we debated something he yelled out, ‘Hey Alexa,’ and I like, was bewildered, ‘cause I was like, ‘how dare you?’ First off, I don’t have Alexa in my house so that didn’t work, and when that didn’t work, he yelled out, ‘Hey Google,’ and I was like ‘Hey!’ Like what? You’re literally a regular person trying to take advantage of what you’re hoping is in my network. And there’s been stories too where like certain TV shows like Pranksters and stuff will say things that will trigger people’s Google and Alexa like through the TV. So maybe just considering the placement of those items, and how much do you really need to tell Alexa to order that Tide detergent from every point in your house? Do you really need it everywhere or do you just need it in certain locations? Think about like, for instance, I’m in my office and we work in an environment with PHI [Protected Health Information], so this is not an environment where I want devices listening in. So smart placement I think is also something to consider when you’re setting up things like this.
Shayne: You know, there’s actually a really good test I was taught once to determine if you really have those risks in your environment, and it goes like this: OK Google, Alexa, Siri, rice cooker bomb. Welcome to the NSA Watch List. If you just had a certain fear and tightening in your chest where you were worried, then you haven’t paid enough attention to your security.
Abby Rose: That was too funny.
Sara: Shayne is also not invited to my house now.
Abby Rose: My Google will be moved after this conversation.
Shayne: Our work is done here.
Sara: Well also one of the things we had talked about is even – going back to the Internet of Things devices and how they’re created really for the customer experience, which is great – but Amazon came out with something called Amazon Sidewalk, and what that is intended to do is it takes a portion of your network – which me, personally, I already don’t like, like who are you to take a portion of my network, Amazon? – but then it opens it up to any other Amazon device. And the goal of it is, it’s a noble goal, the goal is to make sure that these devices have the best internet connectivity that there is for all users. So if my next door neighbor has Amazon devices and I have Amazon devices and something with my network goes down, it can jump over to their network. But I don’t particularly enjoy the idea of devices that I didn’t invite on my network taking a portion, or even Amazon deciding what to do with my network. And they turned it on for everybody by default because their goal is to make sure all of their devices can connect, whereas I have strong opinions about not liking that. Some people don’t care as much. I care, but I think they should’ve at least given people the option to make sure they knew what it was and make the appropriate decision.
Shayne: And if you’re worried about that being enabled on your device, which a lot of Amazon devices enable it by default, all you have to do is open the Alexa app and go to More > Settings > Account Settings, which is an odd place, and then select Amazon Sidewalk and turn it off.
Sara: Can’t you just say ‘Alexa, turn off Amazon Sidewalk’? See, I don’t have Alexa. I don’t have these devices because I’m like, why are you doing that? You can’t be on my network, we’re not friends!
Abby Rose: Yeah. Before I started learning about all of this stuff, I really had no problem with, you know how your phone is listening to you and then you’ll see an ad about what you were just talking about? I used to say, like, ‘that doesn’t bother me at all, I have nothing to hide.’ But ever since I’ve started learning more about this from you guys, I have learned that not being protective about – even though I don’t think any of the things that I’m talking about are what anyone cares about, they can be used for security questions and all these different ways to get at my identity. What are other ways? Why is that risky for someone that doesn’t really care about if people know about their life, why is it still a concern?
Sara: Do you care about your bank account?
Abby Rose: Yes, I care about my money!
Sara: Well then someone else cares about it, too. You have something. I mean, I don’t think you’re going to meet many security people who aren’t actually privacy advocates, and it’s not because we’re sitting here with something to hide. It’s because it’s something we believe is a right and we know what could happen with that information. But one of the things that I would tell people to stop doing, first and foremost, is stop taking those Facebook quizzes that say like what street you were born on and what’s your favorite color. First off, no one cares. They’re just trying to get your security passwords. I know they’re fun for you to fill out – stop it. Just don’t fill those out.
Luke: Well and a real-life example – my mother’s email account was hacked this year and as a result, they got banking information, they got credit card information, and she’s actually sick right now in hospice and also now having to deal with cleaning up her credit, trying to recover thousands of dollars. So it’s kind of important and it’s something that everybody could care about because she doesn’t have the resources of a big company behind her to help clean up the mess that has giant cybersecurity insurance. She’s at the mercy of the people that were attacking her and whatever coverage her bank and credit card companies have, and having to deal with all that bureaucracy. She did get it cleaned up but she did not eliminate that email account or even change the password and a month later somebody hacked her Facebook account, changed all her security questions, and she couldn’t get back into it. And she’s been posting all these pictures to share with the family and stuff like that, and now all that stuff, she has no access to that anymore. So even if it’s not a financial thing, there’s things of sentimental value that you could lose by not being careful with that stuff.
Shayne: I have a couple of other fairly good examples of that but to start with, most people don’t realize that when you go and use Google, you’re getting that for free, right? But you’re not. Google makes about $182 per year off of each user. That’s what they’re selling your information for. Facebook? $158. Twitter $81. LinkedIn $69. That’s what they’re making per user per year for selling your information to other organizations, and this can get used in ways that you don’t intend. One of my favorite stories, this is from several years ago, but there was a dad who was in Target with his daughter and they went and checked out and she bought some things and used her credit card to pay and you know how they put coupons on the back of the receipt? Well when she returned her receipt over there were coupons for newborn baby diapers and baby formula, and the dad goes nuts because this is his 15 year old daughter and they’re making implications about her, right? And he literally goes a little postal and ends up going to Target corporate headquarters and complaining about what they were assuming about his daughter. Turns out she really was pregnant – her dad just didn’t know about it yet. But they know from your buying habits than we do in a lot of situations, and that causes some real problems. Another way that our data is used less tangentially is if you think about the things we post when we go on vacation, we post things on Facebook and we post things on Twitter and on Instagram to show everybody what a great time we’re having. They’re actually a website called PleaseRobMe.com that information security professionals put up just to show us how dumb we’re being about social media. So let’s say somebody puts something up on Twitter that says ‘hey I’m so excited about my new two-week vacation, can’t wait to go get some off time’ and then they post a picture on Facebook of being in the Bahamas, it can triangulate that information along with your home address and say, ‘Bob Smith, 123 North Street, gone for two weeks to the Bahamas from this date to this date.’ And we’re really giving that kind of information to the bigger world, we’re just not aware of how it’s being used.
Sara: I used to post like, ‘so excited to be going on vacation here! Thanks to x and yz person for watching my house with their 100-pound German shepherd,’ then everyone would be like ‘no one’s watching your house.’ But you can wait until you get back from your vacation to post your photos – there’s no reason to check in at the airport. That’s fine, you don’t need to do that. Once again, one of those things people like to post but no one actually cares, don’t post it.
Shayne: No one cares that you tweet because you’re out at the restaurant, all you’re doing is letting everybody else know you’re not at home.
Sara: Ok but I still like to send pictures of my food sometimes, I’m that person, deal with it. I guess my #1 tip is, I always tell everybody like, ‘hey, do you know who that phone call’s from? Don’t answer it then. Do you know who’s at the door? No? Then why are you answering it? Do you know who that email’s from? Then why are you clicking the link?’ I know there’s the curiosity but just don’t. Just get used to saying no. Be a hermit. Don’t talk to other people. *laughs* But really, why would you open the door if you hear the doorbell ringing? I live in the city so I think anyone who lives in any urban environment knows that, if somebody’s ringing the doorbell and you don’t know who it is, it’s someone who wants you to sign some petition, sell you on some religion, or get you to sign some political thing, so I’m like, that’s ok. Or – I’m sorry boy scouts, but you really need to find something better than that popcorn. Girl scouts, I’ll open the door for, I’m about the cookies. I’m not opening the door for the boy scout. That popcorn’s awful and I don’t want it. Sorry if the boy scouts hear this but I think someone needs to tell them.
Abby Rose: Do you guys have any final tips or parting words now that you’ve adequately scared us about cybercrime?
Sara: I don’t think we even scared you that bad! We could’ve done far worse.
Abby Rose: That’s true. It could’ve been worse.
Luke: We were gentle. From a real easy, low-hanging fruit kind of standpoint, any time that you have accounts that are out there in the cloud, the internet – like Gmail, Netflix, your bank account – use strong passwords and most of those places have the capability to add a second form of authentication, so not only do you have to type in your password but you get a ping on your phone and have to type in a number or hit approve and do a face ID or fingerprint ID on your phone in order to get access. This has stopped quite a bit of the people getting into accounts that you don’t want them to get into that are out on the internet. Not saying it’s 100% but it makes you a harder target.
Sara: One of the areas that I’ve actually realized that I don’t think people pay enough attention to is actually their cellphone security, considering it’s the computer they carry with them daily. One of the things I read is that one of the best security mechanisms to stop a hack from happening on your phone is restart it once in a while, and I do it once a day ever since reading that and I don’t know many people who even do ever restart it, and that’s one of the quick ways that, if there ever is any connection to your phone, you’re cutting it off right there instead of leaving it on there for weeks on end.
Abby Rose: Interesting, yeah I definitely don’t remember the last time I reset mine.
Sara: Restart your computer, too. That’s for IT people everywhere.
Shayne: I think most people are blissfully ignorant on just how big cybercrime is. It is literally a multi-billion-dollar industry. I read a report last year that said if you took all the major cybercrime organizations in the world and put them in the same geographic spot, they would represent the fifth largest GDP in the world. I mean, they are making ungodly amounts of money, and they’re making it off of us because we do the same senseless things over and over. And they’re a lot of simple things that we’ve talked about today – passwords, using multi-factor authentication, making sure your devices are patched and updated, even rebooting your phone, but I think the biggest tip to leave everybody is that our core weakness is that we trust. Human beings are generally trustful by nature, and we think that we can trust our phone and we can trust Google and we can trust information that we store just on our computer or just on our Dropbox account. But every single hack I’ve ever seen – whether it’s a pen test hack, a vulnerability, even the physical pen testing stuff – they’re all a violation of trust. Most people want to be nice. Most people want to be helpful. And the bad guys wantonly abuse that. I saw a great video one time where this guy is taking these huge servers out of a federal data center in Virginia, and they’re big and he can barely carry them, so people are opening the door, one guy even helps him take two of them to his car. The guy stole five servers from a federal data center in broad daylight, and people helped him. And that’s the problem – that’s what social engineering is, is hacking people instead of hacking computers. And ultimately, people are even easier to hack than computers, and when you put the two together, it creates a real vulnerability that we all need to be aware of. So I’m not telling you not to trust anybody, but as Ronald Reagan stole from the soviets, trust but verify. You have to be on your guard, and the internet is a big place and lots of people don’t have the same intentions that you do and we can’t assume that they do.
Luke: And don’t hold the door for people carrying heavy servers.
Sara: And don’t be afraid to get yelled at by people if you ask them to comply. For instance, when we were in the office, a UPS delivery guy, as I was standing next to a side door that was badge-only and employee-only, he’s like ‘can you open that door for me?’ and I said no. And then he looked at me and goes, ‘do you have a badge?’ and I said ‘yeah,’ and he’s like, ‘well then open the door for me.’ I’m like ‘the door’s around front, you have to sign in,’ and he like started yelling at me and I’m like, ‘go to the front door. I don’t know you, go to the front door.’ And it’s not you being mean – it’s actually them asking you to do something that’s inappropriate, and it’s OK to say no to those things. Don’t get bullied.
Abby Rose: That’s a good reminder. These are all good reminders! Thank you guys so much. If you want to hear more, we have more resources that these guys are putting out all month long, so you can go to our website and find more information about how to say safe. So stay cyber smart out there! Thanks guys.