As we all now know, a pandemic creates escalating waves of uncertainty, causes policy and politics to collide, and forces hasty decisions during emergency response. But what can we learn from the global pandemic response that will inform our planning for a large-scale cybersecurity incident? This keynote discusses your readiness for operating with resilience during a large-scale cybersecurity event.
CTEK SUMMIT 2020
How a Pandemic Can Inform Our Response to a Major Cyber Security Incident
Situation Report: Healthcare Continues to Be in the Crosshairs

Sophisticated & Faster Attackers
o 59% of attacks in healthcare come from the inside
o 260% increase in ransomware attacks (1H2020)
o In 2020, 58% of victims paid the ransom, with the average demand up 47%
o 12.6% of Americans had their healthcare records breached last year
o Average cost of a data breach is up 10.5% year over year to $7.13M, nearly double other verticals
o Since 2009, 70% of the US population has been impacted by a healthcare data breach

Rapidly Changing Environment
o Remote work increases the attack surface
o Telemedicine accelerates 5-10 years, but with consumer-grade tools
o Rapid influx of unmanaged devices to address the COVID-19 response
o Regulatory issues (CCPA, GDPR, CMS)
o Significant industry consolidation
o Increased connectivity and data sharing, information blocking (cloud, APIs, etc.)

Next Normal
o The healthcare threat landscape has grown as attackers have moved from other targets such as airlines, hotels and retail, which are less lucrative during COVID-19
o The attack surface has changed and grown dramatically with remote workers and telemedicine
o Boards are asking: do our security investments actually work?
o Ransomware is having a kinetic impact
What about the Internet?
Is the Internet a global public resource?
Is it a domestic resource?
Should it be protected? To what end?
Who is in charge?
“The pandemic has laid bare the limitations and interdependence of both the private sector and the government authorities, highlighting that any successful management of a crisis – cyber or otherwise – will require a coordinated, well planned and shared response.” - Cyberspace Solarium Commission, May 2020 Report
What Laws Apply to Cyber Conflict?
Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations: https://www.amazon.com/Tallinn-Manual-International-Applicable-Operations/dp/1316630374
Put together by twenty renowned international law experts, it addresses such topics as sovereignty, state responsibility, human rights, and the law of air, space, and the sea. Tallinn Manual 2.0 identifies 154 'black letter' rules governing cyber operations and provides extensive commentary on each rule.
Where are the heroes?
Cyber Incident
- 507,000 open US jobs (Cyberseek.org)
- Concentration of skills in the private sector
- Critical skills and companies outside of the US
Pandemic
- Doctors, nurses, healthcare workers
- Educators
- Grocery workers
Can we prevent this? A math problem.
• Only 44% of healthcare institutions meet national standards on cybersecurity
• 12.6% of healthcare records were stolen in 2019 (HHS Office for Civil Rights)
• The average cost of a stolen healthcare record is in the hundreds of dollars ($429, IBM/Ponemon). Let's use $300 as a conservative estimate.
Example:
You have 200,000 patient records under management and your security posture is average for the industry. What financial risk are you carrying?
RISK = LIKELIHOOD x IMPACT
= 12.6% x 200,000 records x $300/record
= $7.56M, call it $7.6M
Note that this is an expected (average) annual loss, not a worst case: a single incident exposing all 200,000 records at $300 each would cost $60M.
So What Action Can We Take?
Being prepared is a whole-of-government, whole-of-society challenge.
Evaluate Critical Infrastructure – what is YOUR critical infrastructure? Re-evaluate your supply chain and understand both the security and the resiliency of your vendors.
Build Runbooks for Cyber – play out your worst day. Who is in charge? How do you communicate? How do you gather information and make decisions?
Identify the Relationships That Are Critical During a Crisis – ensure the relationships are in place and that you jointly have a plan for resiliency; think about peers, customers, suppliers, and government at all levels.
Control the Message – build holding documents for crisis communications, ensure you can control multiple channels of communication both internally and externally, and be ready to debunk misinformation and disinformation.
Look for Signs of Lateral Movement – use compromise assessments, access logs and Endpoint Detection and Response (EDR) to find and limit malicious lateral movement.
Identify and Retain the Heroes – think about your cybersecurity skills (on staff or contractor) not in terms of open projects but in terms of access to surge skills when you need them.
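One concrete way to look for signs of lateral movement in access logs, as an added example that is not part of the original talk and not CynergisTek tooling: the script below parses a handful of constructed network-logon records (the key=value line format, host names, user names and addresses are all assumptions made for this example) and flags any account that authenticates from one source address to an unusual number of distinct hosts within a short window, the "one foothold, many destinations" pattern that EDR telemetry and compromise assessments hunt for.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not from any real environment). Each line is a
# successful logon as recorded by the destination host; type=3 is a network
# logon (SMB, WMI, remote admin tools), type=2 is a local console logon.
# The key=value format is an assumption made for this example.
SAMPLE_LOG = """\
# logon audit export, 2020-09-14 (constructed sample)
2020-09-14T02:14:07Z host=WS-104 event=logon type=3 user=jsmith src=10.0.5.23
2020-09-14T02:14:31Z host=WS-117 event=logon type=3 user=jsmith src=10.0.5.23
2020-09-14T02:15:02Z host=FS-01 event=logon type=3 user=jsmith src=10.0.5.23
2020-09-14T02:15:40Z host=DB-02 event=logon type=3 user=jsmith src=10.0.5.23
2020-09-14T02:16:12Z host=WS-121 event=logon type=3 user=jsmith src=10.0.5.23
2020-09-14T02:14:09Z host=WS-104 event=logon type=2 user=svc_backup src=127.0.0.1
2020-09-14T09:01:00Z host=FS-01 event=logon type=3 user=alee src=10.0.7.88
2020-09-14T11:30:00Z host=WS-104 event=logon type=3 user=alee src=10.0.7.88
2020-09-14T14:05:00Z host=FS-01 event=logon type=3 user=alee src=10.0.7.88
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"type=(?P<type>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Logon:
    ts: datetime
    host: str
    logon_type: int
    user: str
    src: str


def parse_line(line: str):
    """Return a Logon for a well-formed record, or None for comments/garbage."""
    m = LINE_RE.match(line.strip())
    if not m or m["event"] != "logon":
        return None
    return Logon(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        host=m["host"],
        logon_type=int(m["type"]),
        user=m["user"],
        src=m["src"],
    )


def find_lateral_movement(log_text: str, window=timedelta(minutes=10), min_hosts=4):
    """Flag (user, src) pairs that reach >= min_hosts distinct hosts within `window`.

    Only network logons (type 3) count: a console logon on one box is not
    movement. Returns one finding per (user, src) pair, reporting the first
    window in which the threshold was crossed.
    """
    events = [e for e in map(parse_line, log_text.splitlines())
              if e is not None and e.logon_type == 3]
    events.sort(key=lambda e: e.ts)

    by_pivot = defaultdict(list)          # (user, src) -> logons from that foothold
    for e in events:
        by_pivot[(e.user, e.src)].append(e)

    findings = []
    for (user, src), evs in by_pivot.items():
        for i, start in enumerate(evs):    # slide a window over this pivot's logons
            hosts = set()
            for e in evs[i:]:
                if e.ts - start.ts > window:
                    break
                hosts.add(e.host)
            if len(hosts) >= min_hosts:
                findings.append({
                    "user": user,
                    "src": src,
                    "window_start": start.ts,
                    "hosts": hosts,
                })
                break                      # one alert per pivot is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_lateral_movement(SAMPLE_LOG):
        print(f"{f['user']} from {f['src']} reached {len(f['hosts'])} hosts "
              f"within 10 min of {f['window_start']:%H:%M:%S}: {sorted(f['hosts'])}")
```

Tune `window` and `min_hosts` against a baseline from your own environment: backup and vulnerability-scanning service accounts legitimately fan out to many hosts and need an allow-list, and a patient adversary will spread moves over hours, so pair this check with the other evidence the slide lists (EDR telemetry, compromise assessments) rather than relying on a time window alone.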
THANK YOU
Caleb Barlow
President & CEO – CynergisTek
@calebbarlow
caleb.barlow@cynergistek.com
linkedin.com/in/calebbarlow
www.ted.com/speakers/caleb_barlow
Editor's Notes
Good morning everyone. I really appreciate how many of you have decided to join us online for this year's Summit. Stepping into this role just over a year ago, many of you mentioned to me how helpful the Summit was for you last year, both in what you learned and in the opportunity to network with your peers. For me, this is my first Summit, and it's certainly a bummer that we cannot be doing this face-to-face. I had an opportunity to meet some of you before everything got locked down, and I am really looking forward to meeting all of you in person when we get to the other side of this. But realizing that may be a while, we wanted to move forward with the Summit virtually. We have a packed day for you, and our goal is to bring forward expertise that you cannot hear anywhere else. So with that, settle in, grab some munchies and let's start a conversation.
So what is our baseline? As we look at this from a healthcare perspective, where do we sit? What is our security posture, and what has changed because of COVID?
http://cyber-edge.com/cdr/#infographic
Home routers, home networks and shared workstations are now part of the corporate concern.
https://www.privacyaffairs.com/healthcare-data-breach-statistics/#10
So that's us… but let's flip the whole dialog upside-down and backwards. What impact did COVID-19 have on the adversary? Remember there is a person on the other side of this, and that cybercrime is estimated to be a $1.5 trillion industry (for perspective, the GDP of Ireland is only $382B). But has it shut down? Has it been impacted?
Oh yes it has… remember that travel, entertainment, retail and education were all major targets for adversarial activity, both nation state and organized crime, but they were all shut down. It's not like a closed retailer is going to pay a ransom if their systems get locked up. Also remember that this pandemic is global in nature, and they have likely been quarantined along with the rest of us and are moving to a work-from-home environment. Just like the rest of us, getting set up with a home office is not trivial. Hacking from home requires several steps… not only do you need a quiet place to work and concentrate away from the family, but you also need to ensure that your equipment and your internet connection are untraceable, and that is not a trivial setup to do right.
I see these impacts on the adversary in two ways. First, who are you going to target, what is often referred to as the threat landscape. Historically the most likely to be attacked industries were financial services, manufacturing and travel. Travel had relatively recently accelerated to the top of the pack as nation state actors realized that understanding the travel patterns of individuals could reveal a lot about their habits, employment, religion and the like. But this threat landscape has changed. What we mean by this is that the actor, their campaign and their motivation have changed. Remember that the adversary is a HUMAN. Some of their past targets are now less lucrative. For example, there is no point in targeting airlines, travel or hotels, as no one is traveling right now. Retail targets, again, are less interesting unless you want to target an online retailer. Targeting education does not make a lot of sense if no one is in school… granted, kids are heading back and education is now back in the crosshairs, as evidenced by schools in Connecticut that had to delay opening due to ransomware. So remember, just like the economy has changed for all of us, it has also changed for the adversary. They are making money in new places and new industries. Healthcare and industries involved in the COVID-19 response are much more likely targets, and we see this in the growth of reconnaissance, phishing and attempted attacks in these industries. The point being, just like any business, the business of cyber criminals has pivoted to a new normal.
The second likely impact is more of a theory which will be difficult to prove but I still think it is worth mentioning. I call this the rise of the hobbyist hacker. There are professionals and hobbyists in this industry just like any other. The hobbyist typically had a full time job and only broke into things on the side for extra money or more likely for fun or as they call it the lulz.
Let's say they lose their primary job due to the COVID slowdown, and all of a sudden the hobby becomes the career. Now you have a lesser-skilled individual in the same dark web forums, buying the same tools and executing the same types of attacks as the professional, but without the same level of experience.
This can be problematic for the hacker ecosystem, as it introduces new “actors” into the mix that are not necessarily following the same rules of engagement. Part of what makes this industry work is the unwritten “norms” of how bad guys engage. If, for example, bad guys did not unlock systems when people paid a ransom, it would quickly kill that industry.
Having more “hobbyists” in the mix can also drive up the cost of commodity tools and services that bad guys need, such as phishing kits. It's a classic case of supply and demand: the more demand from hobbyist hackers, the more costly some of the tools are going to be.
The other concern, if you are a bad guy in the ecosystem is staying clear of law enforcement and intelligence agencies. With more non-professionals in the mix the likelihood that someone accidentally burns a forum, exposes tools or gets into trouble only goes up and that causes issues for the entire ecosystem.
So my point here is the bad guys have been disrupted just like the rest of us.
One of the first things we have to ask ourselves when thinking about a large-scale cybersecurity incident, like a pandemic, is what capabilities and resources we need to respond. What systems and infrastructure are so critical that they must remain resilient even when faced with a devastating attack? What you see here are the 16 critical infrastructure sectors as defined by the US Government. Notice that healthcare is on there, along with other industries you would expect, like energy, water and communications.
But let's remember what happened in the early days of COVID-19. What did we need? It was a whole lot more than masks, gowns and ventilators. We needed a new way to work, a new way to educate our children, a new way to communicate, as this quickly became more than just a public health crisis; it was also a financial and economic crisis. So I do not want to say in any way that these 16 sectors are not important, but I do believe this is a bit of a WW2 mentality about what systems our economy really relies upon.
Zoom: Zoom is now a classroom for educating our kids, the place we all go to work, and even substitutes as a bar where we can engage with friends and have a drink. Would you be at work right now without conferencing? Would your kids be at school? Is this critical infrastructure? Well, the bad guys certainly think so. Half a million Zoom passwords were up for sale in April. Disrupting Zoom calls has become such a thing that it has its own word: Zoombombing.
Amazon/Walmart: How different would our lives have been since March without these two companies? We look at food and agriculture as critical infrastructure, but do we consider the distribution mechanism as critical? Let's face it, how else were you going to secure 47 rolls of toilet paper?
Garmin: Admittedly this is a bit of a different one, but worth mentioning. Most people think of Garmin as making fitness devices, but they also make navigation equipment for the maritime and aviation industries. When their cloud services went down due to ransomware, it impacted some of their navigation systems. The question in this example is not really one about disruption: what if someone had modified data?
Twitter: A 17-year-old kid gets access, via vishing, to the accounts of two presidential candidates, a former president, celebrities and other influencers. It could have been a lot worse. Remember that in 2013 the AP News Twitter account was hacked to claim there had been an attack on the White House, and the stock market lost $136B in market cap almost immediately. Imagine if the attacker had fostered a conversation between world leaders.
Trust: it's one thing not to agree with what our leaders say; it's a whole other thing to question the authenticity of a message. If Twitter is now the preferred communication mechanism of the President of the United States, do we need to think about it differently?
So here’s the simple question – with what you know now coming out of the pandemic, what in your supply chain is critical infrastructure that must be resilient even during a large scale cyber event? My guess is your answers have probably changed in the last six months.
If we learned anything in this pandemic, it is our reliance on the Internet. A working, robust Internet drives our economy, and under quarantine it became the lifeblood of our day-to-day lives. As social distancing and quarantines were enacted, the Internet became the method by which we procure supplies, educate our children and go to work. The Internet is a public resource, the critical infrastructure to top all critical infrastructures, and we probably need to protect it at any cost.
But this has also become a political issue; authoritarian governments have been attempting to control the Internet for some time. As a free society we probably see these barriers as a problem impeding free speech and the ability to protest. But let's ask a different question. One of the things we learned during the coronavirus is that barriers can stop the spread of an infection. Just look at what they have been able to do in New Zealand, which is essentially an island nation. I am not advocating for a great firewall, but it does cause one to ask the question: is it important that someone has the ability to filter what travels on the Internet? Is it important that we have the ability to isolate systems, companies or entire populations? It is a very slippery slope, but if we learned anything from COVID-19, it is that a completely open society is much more susceptible to viral spread. Is the same true for a self-propagating cyber virus?
Ok, so let's say the cyber Armageddon comes and it is time to respond. It's big: a NotPetya-level attack with no kill switch, and it is propagating like crazy.
- Who is in charge if the event is global in nature?
- Example of a dam overflowing: the fire chief is in charge
- Example of a worm leveraging an operating system: it's Microsoft
- What if attribution comes into play and it was targeted by a foreign nation? What if that attribution is wrong?
- Who develops the “cure” for a cyber event?
- What if it has kinetic impact, like a dam or power grid?
We must build the plans and connective tissue together before a crisis occurs, and recognize there may be competition, just like we see competition right now between nations over how to position their response and any potential vaccine. We also need to anticipate that the US security community will be in competition for a cure: every firewall, IPS and SIEM vendor will be claiming their solution can solve the problem.
Government needs a way to engage the private sector.
Communication, coordination and command need to be figured out ahead of time; we cannot be communicating via the press.
This is a great read if you have a chance.
Ok, so let's say it gets really ugly. We have nations blaming each other for the cause, attribution is not completely clear, and the cure is going to take months. And let's also pretend for a moment that the lawyers come into the mix. What are the laws that govern cyber? Well… it's ugly, and here's a great read.
I think one of the other things we learned from the coronavirus is that we must have a way of combating misinformation and disinformation, and this is not something in anyone's runbooks. How would we do this? What happens if your company is drawn into the mix? Do you have crisis communications plans in place? Do you know how to communicate at scale? Do you have trusted outlets you can work with that will ensure your message gets out?
Examples of pandemic misinformation:
- Pharmaceutical prevention
- Race to a vaccine
- Source of the virus
- Efficacy of wearing a mask
Speed at which information spreads… particularly when there is no information, and the difficulty in getting the right message through. How do we do this when trusted sources are down?
Look at how quickly the pandemic became political.
With this connected world we also learned that responses (even inappropriate knee-jerk reactions) travel across the globe with lightning speed. How many of us responded to shortages of toilet paper, as an example? Shortages, misinformation and unexpected reactions can be global in nature, and this means that our response to an attack of global significance must work across borders. Although some nations are trying, it is nearly impossible to segment off or shut down portions of the Internet. What happens in one country happens everywhere, and it happens instantly.
Let's talk skills… another lesson learned from the coronavirus. Who are the heroes?
But let's also talk about supply chain and supplies. IT tools and resources are the equivalent of masks and gowns. Remember the Saudi Aramco Shamoon breach:
- 35,000 systems impacted in a matter of hours, wiped or destroyed, unable to be rebuilt without a low-level format of the drive, and that was a risk.
- “The corporate giant also flexed its muscle. It flew representatives directly to computer factory floors in Southeast Asia to purchase every computer hard drive currently on the manufacturing line. In one fell swoop, it bought 50,000 hard drives. Kubecka said the company paid higher prices to cut in line ahead of every computer company in the world -- temporarily halting hard drive supplies to everyone else.”
- Recovery capacity needs to be built in; we need the skills.
- Keep a cache of your old computers.
But one of the other things we learned is that pandemics are ultimately preventable. It's all about preparation.
We all now understand the cost of downtime in entirely new ways. We all just got to feel what downtime is like and the associated impact.