The more than 700 CIOs and other senior healthcare IT leaders gathered Sunday morning at the Hyatt Regency Orlando for the CHIME-HIMSS Forum, sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME), in conjunction with the Chicago-based Healthcare Information & Management Systems Society (HIMSS), were “treated” to a live demonstration of the tremendous risks that criminal hackers pose to their patient care organizations. Kevin Mitnick, the famous hacker-turned-white-hat-hacking-consultant, spent nearly an hour demonstrating, live, how easy it is to hack organizations’ information systems, individuals’ computers, and online/web and network connections.
The opening keynote address at the CHIME-HIMSS Forum, entitled “The Art of Deception: How Hackers and Con Artists Manipulate You and What You Can Do About It,” offered a chilling view into the world of hacking.
As described in the event’s brochure, “There is no one like Kevin. Kevin Mitnick is the world’s most famous hacker, bestselling author, and the top cyber security speaker. Once one of the FBI’s Most Wanted because he hacked into 40 major corporations just for the challenge, Kevin is now a trusted security consultant to the Fortune 500 and governments worldwide.”
“Why do hackers do social engineering?” Mitnick asked, near the beginning of his presentation. “Because it’s much easier than executing on technical exploitation.” Among the numerous reasons that hackers are flocking to social engineering-based hacking: “Social engineering evades all the security monitoring tools, and it’s basically free. It’s very low-risk for the attack; the chances of getting caught are very small. And it’s nearly 100-percent effective. Whenever an organization allows my team to use social engineering to white-hack, the success is almost certain. All it requires is one end-user to let the hackers in,” he said, pointing to the tremendous end-user-based vulnerabilities to which patient care organizations are exposed in U.S. healthcare.
“What’s the real problem? It’s your users. Their actions could cause problems. A few years ago,” he noted, “there was a conference in London called the Info Security UK Conference. They went to Waterloo Station in London, armed with free pens, and asked for their domain name and user password, in exchange for a pen. And nine out of 10 gave them their real user name and password. The next year, they went out to Marks and Spencer armed with Easter eggs, and got seven out of 10.” Mitnick shared a number of other examples as well of easy confidence-based hack jobs.
Kevin Mitnick at the CHIME-HIMSS Forum
Why do hackers want to know the professional titles/positions of people in your organization? It gives them information. They can use LinkedIn and SalesForce.com and target certain positions in the company. Target network engineers, system administrators, database managers. But more often, they’ll go after people in sales and marketing, because all they need is one “in” to get control.
What about Facebook and Twitter? “Hackers want to obtain the contacts to the circle of trust of individuals within organizations—partners, vendors, etc., because they’ll likely trust them. We could send a text message and make it look like a friend of the person. And you can break in through peer-to-peer online networking.
We will look at the target’s circle of trust and send them messages to infiltrate. I will put a red sticker, marked ‘payroll salary history, third quarter 2016,’ on a USB drive, and send it in the mail to a target, in a test. And the end-user might format that USB drive, because they don’t trust it. And it will say, ‘format complete,’ so it will be seen as a ‘clean drive.’ But it won’t be.”
Hackers, he asserted, are able to get virtually every American’s Social Security number and mother’s maiden name. Given those pieces of information, most verification questions are easy to answer.
He also demonstrated, live, how he could weaponize an HID-provided office building access card, duplicating it through physical proximity alone, and thereby gaining access to the building involved.
So how do you manage the risk of social engineering? “I believe in attacking users in your organization, first giving them notice that you will be doing so. And it is very easy to spoof company identities. So do a domain spoof test regularly. And get your IT department to not only configure incoming firewall rules, but also outgoing ones,” Mitnick said. “Because you can make it harder for the malware to be connected to your organization. Establish a social engineering incident response program.”
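The “domain spoof test” Mitnick recommends asks whether mail forged from your own domain would be delivered; the SPF and DMARC records a domain publishes largely decide that. As an added example (not from the talk or this article), here is a small offline checker that reads those records and lists the weaknesses a forger could exploit; the domain names and TXT record strings are constructed sample data, not real records.

```python
"""Offline check of a domain's published email-authentication policy: does it let a
forged "From: someone@your-domain" message through? Added example, not from the
article. SAMPLE_TXT is constructed sample data standing in for real DNS TXT lookups."""
import re

# Constructed sample TXT records, keyed by the DNS name they would be published under.
SAMPLE_TXT = {
    "example-hospital.test": ["v=spf1 include:_spf.mail-provider.test ~all"],
    "_dmarc.example-hospital.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-hospital.test"],
    "hardened.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.hardened.test": ["v=DMARC1; p=reject; pct=100"],
}


def spf_policy(txt_records):
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?', '+') or None if no SPF record."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec)
            if m:
                return m.group(1) or "+"  # a bare 'all' means '+all' (pass everything)
    return None


def dmarc_policy(txt_records):
    """Return the DMARC p= value ('none', 'quarantine', 'reject') or None if no DMARC record."""
    for rec in txt_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
            return tags.get("p", "").strip().lower() or None
    return None


def spoof_findings(domain, lookup=SAMPLE_TXT.get):
    """List the policy gaps that let a forged sender address from `domain` be delivered.
    `lookup(name, default)` stands in for a DNS TXT query; the sample dict is used by default."""
    findings = []
    spf = spf_policy(lookup(domain, []))
    if spf is None:
        findings.append("no SPF record: any host may send as this domain")
    elif spf != "-":
        findings.append(f"SPF ends in '{spf}all': forged mail is not hard-failed")
    p = dmarc_policy(lookup("_dmarc." + domain, []))
    if p is None:
        findings.append("no DMARC record: receivers are told nothing about forgeries")
    elif p == "none":
        findings.append("DMARC p=none: forgeries are reported but still delivered")
    return findings
```

Pointing `lookup` at a real resolver turns this into the periodic spoof test the talk describes; an empty findings list means forged mail from that domain should be rejected by receivers that honor SPF and DMARC.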
One of the key points Mitnick made with regard to end-users was this, in terms of “building the human firewall,” as he called it: “I believe in the ‘keep it simple, stupid’ method. No one wants to read a telephone book-sized manual. You want to create brochures that are simple and entertaining, with lots of pictures. Perform social engineering pen-tests. Discover the weak links. Develop interactive social engineering resistance training, including phone training. Everyone is so afraid to be impolite.”
What’s more, he said, “Whenever possible, try to take away decision-making from your end-users. And don’t forget the periodic dumpster diving.”