
When Ransomware Hits During a Health Emergency

When Ransomware Hits During a Health Emergency with Jeffrey Vinson

Jeffrey Vinson, Senior VP and CISO at Harris Health System, has held leadership positions for much of his life, from military to federal to state government. It was a natural progression for him to move from IT to what he calls a “Pure Cyber Guy.” Vinson joins Brian and John on the show today to answer the question, “What makes up your special forces in cyber?”
 
In healthcare, it’s about saving lives, and cybersecurity is a patient safety issue. Vinson talks about the balancing act between patient safety and data privacy, HIPAA compliance, and legislation.

Breaches are on the rise year over year, so clearly work needs to be done. Where does the buck stop on where confidential information lives? IoT devices, including cameras and printers and medical equipment, are providing inroads for attackers, but the industry has concerns over device downtime. 

John Vecchi:

Well, hello everybody. You’re listening to the IoT Security Podcast live on Phosphorus Radio. I’m John Vecchi.

Brian Contos:

And I’m Brian Contos. We have a really, really special guest today. Joining us is the ayatollah of rock and rolla himself, the master of disaster, Jeffrey Vinson. Welcome to the show, Jeffrey.

Jeffrey Vinson:

Thank you. Thank you, Brian. Thank you for that intro.

Brian Contos:

So Jeffrey, we’ve known each other now for many years and you’ve had leadership positions really throughout your life, but maybe you could give us a little bit of background on how you came up and got into cybersecurity and what it is you do now.

Jeffrey Vinson:

Well, yeah, like you said, Brian, I’ve been in this industry for over 25 years doing this and all across the spectrum from military, federal government, local state government. I came up through the way of initially being in IT, working there, of course military, signal officer as I was doing it in the ’90s, was a transition over to more of, what I call the server side. So natural progression for me to go from doing IT things to securing those networks from a Cisco perspective, IDS perspective. And again, naturally now I call myself a pure cyber guy. I look at what I do as the special forces of technology.

So pure cyber. Still have those hardcore IT skills, but a cyber guy that looks at how to defend an organization against these cyber threats out here.

Brian Contos:

Yeah, that’s always interesting. We meet so many people in the industry that do come from that military background. I’m wondering if not only the leadership skills, I’m certain they port, but just operationally how you approach problems and view risk mitigation. Does that port well from the military life to what you’re doing now as a civilian?

Jeffrey Vinson:

Yeah, it certainly does. In my military days, I was an officer. I just so happened to be in doing the global war on terrorism. So I traveled across the pond to help defend against what was happening after 9/11. So when you look at leadership, you lead from the front and you have a lot of terms from the military tip of the spear, all of those things. So when you look at that, and you bring that down to the cyber perspective, it’s a natural fit. It’s a natural fit. If you look at defending sometimes and being out there looking at reconnaissance, what’s coming towards us and how do we get into a defensive posture to protect against those threats.

But then there are times where you have to take the fight to the enemy and certainly we have to do that sometimes in cyber as well where we start going out there and not just blocking and tackling but taking certain organizations down, infiltrating those organizations and sending things back their way that they’re bringing towards us. So it’s a great fit.

John Vecchi:

Jeffrey, I love that, the kind of thought of the special forces of IT and IT security. If you think in terms of the special forces themselves, they’re trained in certain areas very specifically. When you think in terms of cyber and what are some of the areas you consider that make up your special forces and cyber, some of the key areas? Is there some that just trickle to the top that you can talk about?

Jeffrey Vinson:

Yeah, some of the key areas when you look at it from an IT perspective, the common goal is availability in IT. Is the blinking light on? Am I passing data? But when you look at it from a cyber perspective, I need to know more than that light is blinking. I need to know and understand how it’s working. The bits and bytes down on a level that typically you don’t get to see from an IT perspective.

So when I look at the skillset from cyber, I certainly translate a lot of the things I learned from the military into my civilian life in cyber by saying, “First and foremost, I need you to be certified.” You cannot say you are a sniper without going to sniper school in the military. Right?

John Vecchi:

Yep.

Jeffrey Vinson:

You can’t say you’re special forces without going through all the training. So one of the things I do on my teams is I make sure that they have all of the cyber training and certifications. Everybody on my team has to have a cyber certification. Even my chief of staff has to have some cyber experience because we have to understand what the goal is, where we’re moving towards, and they also need to understand if they need something, who to go to.

So everybody on my team is certified in some shape or form, whether that’s on risk, whether that’s on a tool, even getting down to specifics on vendor tools. But everybody has to know how things work because we not only need to understand how to protect these things, but in an advisory role, much like in a special forces sometimes, we have to go and advise certain people what to do.

So all of my people can advise the business on what they need to do to protect EPHI, the patient information and protect the organization from cyber attack. And we do it very well.

Brian Contos:

Let’s double click on that. You were talking a little bit about what it’s like working on the healthcare side, you talk with your peers, CISOs in a vast number of organizations, financial services and public sector, so on and so forth. And then I know you have your healthcare ISACs and the folks that you work with in your area that are leaders within healthcare providers, maybe payers, sciences, so on and so forth. What are maybe some of the chief concerns that you see in healthcare that are maybe concerns above and beyond or different from other verticals like financial services or manufacturing?

Jeffrey Vinson:

Well, that’s a great question. So healthcare is different from all of the other industries because at the end of the day, it’s really about saving lives, patient safety, positive patient outcomes. Financial services, it’s about the numbers. Am I protecting your financial investments? Depends on what you are. Are the investors happy? Are the stocks moving? But in healthcare it’s about protecting patients and saving lives.

So it’s a very daunting task. And you have to have a very delicate balancing act when it comes to cybersecurity and patient safety. We’ve been doing this, I’ll say at my organization, I’ve been there nine years and the industry is slow to catch up with us as well as if you look at the actual HIPAA compliance. It came about in 1996. We had some evolution in 2001 then of course 2009, 2013.

But historically in overall healthcare has not changed a lot of the HIPAA and security rules for years. If it’s not keeping up with what’s going on, how can you ever protect it? So you look at what’s going on in financial services, the SEC. They’re starting to mandate. You need to have some cyber expertise on the board.

Healthcare doesn’t have that, right? Healthcare doesn’t have that. Yet, it’s the number one attacked industry. So I’m hoping that we’ll see some things from, say, a legislative standpoint here very soon. I know this current administration has been trying their best to bring about a lot of change as far as the critical infrastructure, 72-hour window to report an incident, maybe 48 hours if you got hit with ransomware. There’s a lot of movement that’s happening in healthcare.

But again, the other industries, most certainly they get attacked, but the challenge in healthcare is they will not, I’ll say focus on all the things you need to do to secure the enterprise because at the end of the day, the patients are at risk. But at the same time, cybersecurity is certainly a patient safety issue. So it’s kind of a catch-22, but it’s a very difficult challenge at the same time.

John Vecchi:

Jeffrey, you were talking about the fact that healthcare in one sense is a little bit maybe behind or just thinks about it differently than, say, financial services, but yet they’re an attack target in many ways. Why is that? What are some of the attack methods that you’re seeing in healthcare that might be different than some other industries out there?

Jeffrey Vinson:

I’ll just give you some data points. So in healthcare we have something that’s called a wall of shame. The Office of Civil Rights requires that any organization covered entity, business associate, that they have to report a breach of 500 records or more. Right?

John Vecchi:

Mm-hmm.

Jeffrey Vinson:

And this came about, I believe in maybe 2008, 2009. So last year during the same time period, there were about 280 breaches reported. Now fast forward a year later we have 580 or so.

John Vecchi:

Wow.

Jeffrey Vinson:

So clearly the numbers indicate that there’s still a challenge in healthcare. Some of those challenges are, again, you look at what’s at stake, the patient safety. So you have the infusion pumps. You have Pyxis machines. You have all types of things that are internet of medical things, IoT devices for medical purposes that need to be protected, but no one really wants to do that in a fashion where it might interrupt and influence a negative patient outcome.

But on that same note, everybody is fully aware that healthcare is the number one attacked industry. The other industries, of course, again, they don’t have the same risk as far as life safety issues. So for an example, if your credit card gets compromised, you might know within seconds because they’ll shut off your credit card. They’ll tell you, “We have some suspicious activity. Cancel that card and reissue you another one.” In healthcare, once your medical record is compromised, you can’t get a new medical record.

If you’re on that table and a ransomware event happens in real time, what are you going to do other than fall back on your downtime procedures? So it’s very difficult and it’s alarming with those numbers I just gave you of what’s happening. Clearly things did not slow down during COVID. We’re three years into COVID. And again, those numbers I just gave you indicate there’s no slowing down.

So they’re just coming and coming. And if you look at healthcare versus some of the other industries, everyone knows that it’s the wild, wild west. Right? Everybody is challenged right now for resources. What you see is healthcare, at the end of the day, when I keep talking about the patient safety, if you get hit with a cyber attack or ransomware, the healthcare organization is more than likely going to pay because they cannot operate and people cannot sustain working in the downtime procedures for weeks.

People just don’t practice that. And there have been some major ones in the news here recently and you hear about them, but you don’t get the gory details on truly the impact because they will downplay it and say, “Well, we were still able to treat patients.” It may be true, but there are indicators that because your systems are down, you don’t know how to administer the medicines properly. You may have to transfer them to another facility. And when you are on diversion, it may be a few miles away or it may be a hundred miles away. So it’s a very challenging industry and it really needs some true, I’ll say evolution to really combat the issues that are happening.

Brian Contos:

Jeffrey, in healthcare, it’s pretty clear that every dollar you spend on cybersecurity is a dollar you can’t put into a patient’s care. Hiring doctors and nurses, buying MRI machines and things of that nature. There’s always going to be a trade-off. But given the wall of shame, knowing that you’re the most attacked business vertical out there, the growing volume even across COVID, the high profile events. You’ve been doing this for a while with a healthcare provider.

I’m not talking about security leadership, just leadership overall ’cause I know you’ve been in a thousand of these meetings, is it something that it’s one of the key concerns that they understand that cybersecurity and patient care go hand in hand or is this still a matter of education and awareness?

Jeffrey Vinson:

I’d like to say they do get it, but at the same time they don’t. There’s been some movement of the needle with a lot of the profile, high profile breaches. But as you stated there, once you invest in cyber, you can’t do some other things. What we’ve been trying to do at my organization is rebrand it. So we used things, as I said before, cybersecurity is patient safety. We just had national cybersecurity awareness month. Last month, so we came up with this cyber care is patient care.

But overall, when you look at the industry, certainly they still don’t get it. That direct correlation, for some reason is not being able to be hardwired into the clinicians and the organization. It has to be hardwired. They really do not get that the cybersecurity aspects truly doesn’t impact those positive patient outcomes and quality of care.

I believe as I talked about the other industries, SEC, financial services, how they’re mandating cyber expertise on those boards. There needs to be some mandates in healthcare because they’re not doing what they need to do to change. And again, it really goes back to the question is do they really understand? They do and they don’t at the same time because most organizations still see cyber as a technical piece, but it’s not. It’s a business enabler, business protector, protecting this patient care.

Once they change it from that IT talk, IT security, which is a term with my teams we don’t use where the information security or the cyber team, you have to put it on that business lens. Just like you look at business continuity and resiliency. If they do that and if it’s mandated down to these CEOs or the organizations, I’m certain they will get it, but by and large they don’t. As you hear and see in the news, they just for some reason have not been able to get that direct and hardwired correlation between cyber care and patient care. And that’s part of my mission to make sure they understand that.

John Vecchi:

Let’s talk a little bit Jeffrey zero in a little bit on, this is a podcast about what we call the extended internet of things or XIoT and that’s pretty broad, right? It covers all the enterprise IoT devices you might think of, things like printers, cameras, VoIP phones and things. In your case is medical, healthcare internet of things, medical devices and all those kinds of things. All the kind of network devices. Right? It could be a layer two switch or a wireless access point or router, a network-attached storage or something like that.

And then you’ve got kind of what we call the OT kind of industrial control, SCADA side of things. And all of that is what we call the extended internet of things. And the question’s a little bit twofold. I imagine it’s challenging because of the broad area of those devices in a healthcare environment because you may have kind of typical IOT devices combined with medical devices and very critical care devices, as you said, that life and death.

Many of those perhaps, maybe you can tell us, might not even be managed by you. Maybe there’s an outside third party that kind of manages some of those devices. How do you think of all that? How do you approach all of that and how do you view it from your perspective as part of your attack surface?

Jeffrey Vinson:

Well, great question again, John. And as you said, it’s very complex with all those devices. Clearly everything has an operating system. It has internet capability, networking capability. And to your point, largely my team is not aware. We try to get our arms around these things because we are at least in tune enough to know that these are risk exposures to the organization. But as you indicated, attack vectors as well. So when we look at those medical devices, IoT, IoMT, it’s very challenging, very concerning, especially when some things can fit into your pocket. There are devices that people can bring in and they can perform ultrasound capabilities and you not even know it’s going out. It’s a blip on a wire. Right?

John Vecchi:

Mm-hmm.

Jeffrey Vinson:

And if you allow certain ports open like 443, the secure port, which you want it to transmit securely, it’s a beauty and a curse at the same time because it is transmitting securely but you can’t see anything. So it’s very challenging. It’s a hard problem to solve. But I certainly know you guys are working your way in there to be able to do that and give that insight and that forward looking to do that. But again, as you indicated, very complex, a never ending, what I’ll say threat and risk exposure to the organizations, but they keep coming and coming.

And as you look at COVID and you look at the work from home initiative and how these organizations just move to the cloud so people can continue to provide services not just in healthcare, but all the other verticals, they move without a plan. A lot of people applaud themselves because it works. But also I think there’s a direct correlation between those numbers I gave you earlier, 280 last year to about over 580 a year later to the adoption of these fast, and what we call innovative solutions without security in mind and plans in mind and being able to monitor these things.

Brian Contos:

You know what, what’s interesting, so we spoke a little while ago to somebody that works for another healthcare provider and this particular healthcare provider deals with a lot of well-known individuals, whether they’re celebrities or business executives, what have you. And I’m sure every healthcare provider has some set of this, but this one in particular gets a pretty uneven share of that.

One of the things that they were concerned about were people attacking their healthcare devices not to encrypt them and lock them up for ransomware and not to use them for just general access to sensitive data that might be on the network, but specifically to target information that might be related to those high net worth individuals in order to blackmail him after the fact.

You don’t really think of that necessarily into financial services or retail or manufacturing, but like you said earlier, you get your credit card stolen, you deal with it. It’s kind of a pain, but at the end of the day it’s probably going to be taken care of and you’ll get free credit monitoring services for a year, which at this point probably people have that times 50 years.

But if you get your healthcare information stolen, hey, you just had an MRI and they found this. Maybe you’re an athlete and there was an x-ray and it shows there’s a problem. I mean, these can be career limiting or career destroying type events and embarrassing things like that. One of their biggest concerns was, “We’re continually printing and scanning stuff and information’s there. There’s security cameras everywhere. If somebody was to tap into that and spy on us, if they get access to these critical systems…” I mean there’s a lot of sensitive patient information that’s not stored in just a database or just a file server.

It was a really interesting perspective because unless you’re in the business of providing healthcare, you don’t necessarily think about that. Is that type of thing saying where do we have all of our sensitive patient data sitting and maybe it’s on some of these XIoT devices. Is that a concern that people like you and your team are thinking about right now?

Jeffrey Vinson:

Yeah, absolutely. We’re all about protecting electronic patient health information. Protecting those records. Our EMR is supposed to maintain all of the key information. However, as you alluded to, there are fax machines that have patient information in there. There’s the MRI machines may have patient information in there and you name it. So how do you know it’s there? How do you monitor those things for ingress and egress?

I mean, how do you do that? And to your point, once that medical record is compromised, it also may cover your mental health. Someone may not want to know that they have mental health issues because that changes the lens of how people are viewed as well. So protecting that privacy is key. So when you look at the security and privacy of the information, that’s paramount to doing a great job.

Right now, the industry is just under attack. I mean, we have the top two we always hear about, China and Russia, but Iran is emerging very rapidly. They are being very aggressive to the US as well, those nation state attacks. And they’re very savvy. At the end of the day, they’re compromising these networks and people don’t really know what they’re after. But again, it’s not just a financial standpoint either, it’s what we call those recons.

Critical infrastructure, and I think a lot of folks in my business forget that healthcare truly is critical infrastructure. Those 16 critical infrastructure designations that are out there, healthcare is a big one. As you saw earlier during the year, February, the Ukraine-Russia conflict, that is still ongoing, all of these CISA alerts, the alerts from the FBI about the out of date and obsolete medical devices, you look at the groups that just compromised the large organization out in Chicago, CommonSpirit. You look at what happened there.

I mean that organization is posture, 21 states. A lot of impact just from there from a ransomware event. Let’s not forget when we talk about last year, last December with UKG, the Kronos in the cloud. How many organizations were impacted by that? So when you look at what’s happening, no one really goes and tells you exactly what was the source of the ransomware. But again, IoT is big.

All they need is one entry point and that’s how it starts. But that’s what we’re not seeing. We do know that clearly as we’ve been talking about, there are so many points of entry that you need to protect and there is only so much that you can do and that’s why you need to look at getting some solutions in here that can help monitor these systems that may not be conventional systems because most of them are not.

John Vecchi:

It’s always interesting, I think for us, Jeffrey and our listeners too, to just hear a little bit about your actual team and how it’s comprised. How do you build your team? Where are specialty areas? Can you talk just a little bit about how you structure your team and those people and their specific focus to do all the things that you’re talking about you have to do every day?

Jeffrey Vinson:

I talk a lot about my military foundation. So you look at everybody, no matter what branch you’re in, you have to go through what we call the conventional forces, conventional training. Everybody goes through it, so you can have a baseline and then you get into your specialty areas. So I do the same thing for my teams. I like to look for people who have a core understanding of tech, but I also like some folks with some softer skills.

So the way my team is set up currently, we have a team that does all of the monitoring and protection and response and all of those things. Those are my hardcore techies. People who’ve been down range. They have all the certifications, the ethical hackers, pen testing, IDS. They know all the technology and blocking, tackling. They’ve been doing it for quite some time.

Then I have my team that looks at risk. Even my risk people are certified in that arena. They understand the tech, but if they don’t understand that, they partner with the folks on the side that do all of my security operations piece. So when I look at that, it’s people who have a passion for it who need to be very attentive to detail. And what we try to ensure is people realize that we are not just technology, we are the business enablers.

We provide that strategic lens to the business so they can make informed decisions all the way up to the board level. We’re lucky at my organization that we have the attention from the CEO. So we get an opportunity to brief our CEO every month on what we see are the threats to the organization, what’s happening in healthcare, and then we bubble out to what’s happening across the industry.

So he pays very much close attention to what’s happening. And then in those briefings, we’re also able to show what we’re doing to make sure these things are not happening at our organization. So again, the build out of my team, it’s pretty much those hardcore cyber professionals, people that understand the technology and they cannot be afraid again to advise the IT folks and the rest of the business on how we need to do things and why we need to do them.

Now, of course at the end of the day it’s about patient safety. So there are some times where we always say, “We will bend but we will not break.” So the key is to give them what they need. We are not the operational shop that talks about no. You hear that all the time in cyber. People always saying no. Well, we’ve never just said no.

Even if there’s a situation where we don’t advise, we do just that. We advise you that this is not the approach. However, from a business perspective, if you need to do it, here’s how we could do it to minimize the risk. So again, my folks understand the business because you have to be more than just a cyber professional. You have to understand the business that you’re in, what’s at stake, what those outcomes are.

And again, we’re a healthcare organization. We want to have positive patient outcomes, the quality of care. We want it to be the best. And we’re a teaching institution. So we feel like our organization is building those key leaders for the future and we want to make sure that cyber is a part of that.

So as we look at the goals that we have, we’re certainly in those goals. We show our organization, our CEO, and each goal that he has, we can show him how cyber aligns and helps those goals to be achieved. Because at the end of the day, as we look at it and we try to educate and advise, if there is a cyber event, here are the possible negative outcomes and we can show you proof from these other organizations who’ve had these things happen and what happened with them.

So we take a lot on the lessons learned. And again, going back to those military training and in those days is you look at the previous wars and you learn what not to do and how you need to sometimes adapt and overcome to make sure that your organization is fully protected and aware of what’s happening. Because, again, as the old saying used to be, and I still use it, situational awareness is key. Knowing is half the battle. We pride ourselves in my organization, our cyber team of being aware of everything that’s happening out there.

A lot of times people may send us something. We’ll get it today and we’re like, “We don’t tell them.” We’ll say thanks, but we’re like, “We knew that a week ago.” We’ve already briefed on that. So we’ve already briefed internally. We know about it. We know it’s coming. So again, being at that tip of the spear is very important for how I lead my team. And again, I have some very sharp people on the team and they’re growing that they’re adapting. But again, at the end of the day, it’s about those positive patient outcomes and we make sure that we have that happening.

Brian Contos:

Well, clearly you’ve built an amazing team because it’s hard for me to find a day when I go on LinkedIn where you’re not getting an award or someone is asking you to be their spokesperson. I don’t know. You’re there all the time. It’s like LinkedIn is Jeffrey Vinson.

Jeffrey Vinson:

Well, you said, I attribute that to my team. I tell them all the time, I’m just a handsome face out there, but it’s really their work that’s getting that recognition, so thank you for that. Grateful to you.

Brian Contos:

Well, I’m wondering, Jeffrey, you’re on this frontline and you’ve been on these front lines for so long. Are there any interesting war stories or use cases that you can anonymize and maybe share with us?

Jeffrey Vinson:

Well, there’s several that come to mind. I tell people cyber is a bit of the internet police when you come to organizations and sometimes that wide net… So one thing I can share and I can… Let me try to clean it up a bit, is when we see all of this interesting traffic here. So Houston, fourth largest city in the nation. The Texas Medical Center is the largest in the world. So there are always people operating here, the nation states that are probing, prodding, attempting to get inside of oil and gas, hospitals, you name it. So we’re operating, we’re doing our thing, and as I said, we have very strong attention to detail.

One of the things that we’ve been doing very well for years are internal phishing campaigns. We started doing internal phishing campaigns back in 2013, November of 2013. So what’s that? How many years is that? Let me do my math. Nine years. Right? So we’ve honed our skills. We sharpened our blade at that, but we also know how to detect that type of, I’ll say attack that’s coming. So probably about a year ago we’re looking at interesting traffic that is coming in.

Of course, everybody gets phished, but we start looking at things that look like they were possibly targeted for us. These weren’t just drive-bys, right? Because sometimes if people are just spraying, I’m like, “We’re trying to figure out who will click and fall for the bait.” But these were starting to look like, “Man, these are just for us.” And as you work your tentacles throughout the community, you start asking, “Hey, are you seeing these types of phishing emails coming in?” They were not.

So as we dug down a bit more and start looking at these interesting toolkits, we found something that was like, “Okay, this person seems to have this kit.” And we dug down a little bit more, found out the GitHub name and all those things. We come to find out the guy was actually on a list from authorities to be looked at.

So again, those are success stories of just attention to detail and looking at how cyber can, again, be an enabler, but also help the rest of the community because as we always talk about now, the big buzzword is cyber is a team sport and it certainly is a team sport. So it’s like share one, help one. And as you know, Brian, years ago, 2015, my organization received the first ever cyber threat information sharing grant for the entire healthcare public health.

So we pride ourselves on being able to help and talk to other organizations. But that was an interesting story to know that we found a phishing kit out there that was being utilized by someone who was on the radar from the law enforcement, federal law enforcement. So very interesting.

John Vecchi:

That’s very cool. So Jeffrey, we’re in the midst of the holiday season approaching the end of the year. How could we not ask you if you gaze into your crystal ball, you look ahead in 2023 and you were to ask your risk team what’s on the horizon? What do you anticipate? Anything you think is coming in 2023? What do you think? What’s on up ahead that our listeners might be interested in hearing?

Jeffrey Vinson:

Well, I tell you, I hate to sound like the gloom and doom guy. I was recently down in Miami speaking at an event, and of course that’s how I was labeled, the gloom and doom guy. And I just don’t see a lot of positivity coming out. I think it’s going to be more of the same until… Again, we start holding people accountable. I think in this industry, a lot of the leadership, they’re not being held accountable for what’s happening. Clearly, there’s not enough talent to go around, but sometimes the blinders are on. People don’t want to hear the truth. And as Brian was asking before, “Does the leadership fully understand?” I believe they do and they don’t at the same time.

So I think we need more accountability. The federal government cannot save us because they can’t even save themselves. Let’s just be honest. These federal agencies get breached all the time. People target them. So if they can’t save themselves, how are they going to save us? But I think there does need to be some incentives out there that can help. Just like some of the federal dollars were given in the midst of COVID, and then you look at when we had the economic downturn for the automotive industry. I believe there could be some federal assistance with being able to purchase tools that can help these organizations monitor better.

Because as we look at, again, moving to the cloud, we have these managed security providers. When the hackers know that if I attack this place, I got a thousand people over there, guess what they’re going to do? They’re going to attack over there and get a thousand companies all at once. We talk about what happened a couple years ago with SolarWinds with what we call the tainted software update.

There’s all types of ways. So unfortunately, I don’t see a lot of positivity from a cyber perspective on stopping the breaches unless, again, we get some assistance. We have some great products in there that can look at IoT, monitoring of these things that for years have been kind of unconventional, if you will. You have your video cameras out there. They’re everywhere. How do you know whether they have the default passwords on them?

How do you know whether they have those vulnerabilities out there? There just needs to be more accountability. In healthcare, at least they’re trying to get more accountability from the medical device manufacturers. They’re trying to do that. But until those things happen, I just don’t see a lot of improvement. Now, that’s good for us cyber professionals because we always have a job. Right?

John Vecchi:

Mm-hmm.

Jeffrey Vinson:

I like to say there’s always a war to fight, but at some point you’re going to get tired of fighting those wars because it’s a never ending battle. You do want at least a little break in between. So I’m hoping that we can get more accountability; that would be my desire across all of the industries. I just saw something recently. City of New York is going to start mandating certain things for their board members. Once again, cyber expertise, anything from a pen test the CEO and CISO have to sign off on, you name it. Clearly it’s not perfect, but it’s a great start. Also, recommending threat briefings to the CEO of these boards.

At least once a year. I’m like, “Oh man, that’s pretty stale. Once a year of threat briefing?” When things change on a daily basis. So I think it’s more of the same, but again, we just need better monitoring tools to look at those things that are what I would call not conventional.

Brian Contos:

One of the things that you mentioned earlier that I thought really kind of hit home were these targeted phishing attacks. For example, when we talk about XIoT, most of the time, I would say it’s hard to give a percentage, but I would say the grand majority of the time, most attacks get in through traditional IT means. So a phishing attack that came through email or messaging or social media, whatever. Ultimately somebody clicked on something and got infected. When these attackers, whether they’re cyber criminals or they’re nation states or just some type of rogue nefarious user, they get in, what we’re finding now is their first step is to look for an XIoT device to compromise.

So look for that printer, look for that camera, look for that voice over IP phone, because at the end of the day, they’re just Linux operating systems. It’s Linux or Android, maybe BSD. On the SCADA side, things like VxWorks. But they look for these devices because, one, there’s usually about three to five per employee. So 10,000 people in your organization, about 30 to 50,000. So there’s a lot. Half of them don’t have a password or if they do, it’s a default password. All of them have vulnerabilities. And they all have extraneous services and bad certs. So they’ll get there.

So they can maintain persistence and evade detection because they know nobody’s looking, and they’ll use those then to attack all those IT devices and then potentially siphon out sensitive data or conduct ransomware attacks, spying through cameras, so on and so forth. But it’s a great sort of hide, if you will, back to your sniper analogy earlier. What a great place for a nefarious actor to hide than an XIoT device, because everyone’s so sort of laser focused on the traditional IT assets, not, to use your words, those unconventional devices that they have out there.

So from my perspective, if I look into my crystal ball, if I’m a nation state or if I’m a cybercrime organization, man, that’s what I’m going to start targeting now, because why bang my head against firewalls and IPS and intrusion detection solutions and encryption and app security and everything else when I can, “Oh, I can just get in through this KVM switch or this UPS or this load balancer,” what have you. Do you feel that that’s going to be the new, new?

Jeffrey Vinson:

Well, that’s already occurring, to your point. Excellent point you just made. Those unconventional ways of getting in. We look at the hardening of the network, the perimeters, but now the soft spot is the end user. So all those devices you named. People don’t really care about those a lot. They use them, right? The video cameras, they use them, but nobody cares that it has a default password on it. Right?

They really don’t look at those things. They’re not really being monitored. As we look at traditional monitoring, most cyber teams don’t monitor those devices you just named. Right? So again, it’s already being utilized. And I go back to understanding these large breaches that we’re seeing in the news. We know they got hit with ransomware, but no one really indicates how it was compromised, right? Ransomware can take on many forms. The easiest is phishing, but to your point, we don’t know.

But all those other devices are threat vectors and ways to access, and they expose your organization to risk. So excellent point you made. I certainly agree with you. It is happening right now. They are exploiting those things and they will continue to exploit those things until people start expanding their focus and their lens to say, “Hey, these things really do matter. It is not just about tech, it’s about protecting our brand, protecting our enterprise, and also that financial reputation.” Because if you’re in a regulated industry, there are fines that are going to be administered if you have a breach. So it’s far and wide and it’s far reaching, and it’s really about protecting the business.

John Vecchi:

Again, we look at this and see oftentimes 30% of the attack surface can be made up of XIoT devices. It’s really a lot. And to your point, no one’s looking at this stuff, even adding on some of what we’re seeing: the average age of the firmware is six, seven years old. These things haven’t been patched and updated for forever. As you look ahead, Jeffrey, I mean you seem pretty well aware of these. You’re already seeing it. Do you think the awareness of these unconventional devices, these connected XIoT devices, do you think the awareness will get higher as we move into the next year? Do you think it’s going to stay the same? And if it’s going to stay the same, why?

Jeffrey Vinson:

Well, I believe more awareness will come about. As I mentioned earlier about that situational awareness, knowing is half the battle. So I believe more awareness will come about. CIS is doing some really great things there in collaboration with the FBI, and sometimes the NSA, putting out those alerts. And I think as they try to alert the community, those 16 critical infrastructures out there, I believe again, more awareness will certainly be happening.

Will we take action on those? I can’t be for certain that’s going to happen based upon the numbers that I’m seeing in healthcare alone. And you look at the biggest breaches thus far. It’s going to be interesting to see at the end of the year and once we pull all the numbers together, how many records overall were breached across all of the sectors, not just in healthcare.

Last check, I think maybe a week or so ago, we were up to about 43 million records so far that have been compromised in healthcare alone. Let’s see what happens overall in the states. Again, this is a business for them. Right?

John Vecchi:

Mm-hmm.

Jeffrey Vinson:

So all those devices that Brian named, all those devices are opportunities for financial gain for them. Right?

John Vecchi:

Mm-hmm.

Jeffrey Vinson:

This is no longer about the script kiddies. As you alluded to, Brian, nation states, cyber criminals. They are making money in this industry, and people need to realize that it is not just about the technology. This is about these businesses being enabled, being informed and being able to protect one another, is where I see this going and where it needs to go. But certainly more awareness will come about.

Brian Contos:

Awesome. Well, Jeffrey, this has been amazing. As always, you’re such an eloquent speaker, and I’ll just ask you one last question to leave with our listeners here. What words of advice, from somebody like you that’s been through the trenches, would you give to some of our listeners that are working in cybersecurity? Maybe they’ve been there a short time, maybe a long time, but just you’ve got the battle scars to prove it. What’s some advice that you would leave with them?

Jeffrey Vinson:

Well, some advice would be that awareness is key. You need to look out there every single day. I like to use this term: the only secure day was yesterday. Each day is a new challenge for you, so you need to read and be aware. You cannot just be a nine to fiver in cyber and think you’re going to be excellent. There are so many things in cyber that you need to be aware of, policies, procedures, risk, and also understand the business that you’re in, for these up and coming folks out there, even the other CISOs.

Understand your business. As I said earlier, there are some times where you are going to have to bend to the business. Bend, but don’t break. Advise them. At the end of the day, we’re advisors to the organizations. We give our expertise. But in order to be the expert, they must trust you, which means you must understand the business.

You have to be a business leader that understands cyber, right? So that’s what you have to be. So study hard, know what’s out there, understand the threats that are in your industry, but most importantly, understand your organization. Understand the business outcomes that they want to achieve and show how cyber can align and make them and allow them to achieve those objectives at the same time. But also be aware of the dangers. Be aware of the organizations out there that can help you on your journey to protecting your enterprise.

When we talk about IoT, look at what organizations are out there that are blazing the trail on looking at how to protect and monitor IoT devices. Okay? That’s what you really need to do because, again, we have the network stuff down. Of course phishing is still a concern, but there’s so much technology out there that can help you with the phishing detection.

On that same note, make sure you educate your users. A lot of times this is about educating your users as well as the leadership. They must be advocates for your program. They must be advocates for themselves to make sure their business is protected. Because without the advocacy, you’re going to be spinning your wheels and you’ll have all these battle scars that I have right now.

But again, we do things a little differently. We have the lens and the ear of our board and CEO, and it’s about a culture change. I would leave that with you as well. Change the culture. You have to make culture a big key and cyber should be part of the fabric of your culture. That makes your life much easier. And then you will be seen as an equal participant in the business discussions with your organization.

John Vecchi:

Wow, Jeffrey, amazing discussion and tremendous insights. And speaking of awareness, thanks for giving this podcast and our listeners all the awareness of your wisdom and all the great, incredible stories and advice you provided today. So it was really just fantastic discussion. Thanks again, Brian, our co-host, and thanks so much again, Jeffrey Vinson for joining us today.

Jeffrey Vinson:

Thank you guys for the opportunity. See you down the road soon. Brian, let’s link up.

John Vecchi:

Fantastic. And remember everybody, the IoT Security Podcast is brought to you by Phosphorus, the leading provider of proactive, full scope security for the extended internet of things. And until we meet again on the next podcast, I’m John Vecchi.

Brian Contos:

And I’m Brian Contos.

John Vecchi:

We’ll see you next time on Phosphorus Radio.

Author

Phosphorus Cybersecurity

Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.