The more than 700 CIOs and other senior healthcare IT leaders gathered Sunday morning at the Hyatt Regency Orlando for the CHIME-HIMSS Forum, sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME), in conjunction with the Chicago-based Healthcare Information & Management Systems Society (HIMSS), were “treated” to a live demonstration of the tremendous risks that criminal hackers pose to their patient care organizations. Kevin Mitnick, the famous hacker-turned-white-hat-hacking-consultant, spent nearly an hour demonstrating, live, how easy it is to hack organizations’ information systems, individuals’ computers, and online/web and network connections.
The opening keynote address at the CHIME-HIMSS Forum, entitled “The Art of Deception: How Hackers and Con Artists Manipulate You and What You Can Do About It,” offered a chilling view into the world of hacking.
As described in the event’s brochure, “There is no one like Kevin. Kevin Mitnick is the world’s most famous hacker, bestselling author, and the top cyber security speaker. Once one of the FBI’s Most Wanted because he hacked into 40 major corporations just for the challenge, Kevin is now a trusted security consultant to the Fortune 500 and governments worldwide.”
“Why do hackers do social engineering?” Mitnick asked, near the beginning of his presentation. “Because it’s much easier than executing on technical exploitation.” Among the numerous reasons that hackers are flocking to social engineering-based hacking: “Social engineering evades all the security monitoring tools, and it’s basically free. It’s very low-risk for the attacker; the chances of getting caught are very small. And it’s nearly 100-percent effective. Whenever an organization allows my team to use social engineering to white-hack, the success is almost certain. All it requires is one end-user to let the hackers in,” he said, pointing to the tremendous end-user-based vulnerabilities to which patient care organizations are exposed in U.S. healthcare.
“What’s the real problem? It’s your users. Their actions could cause problems. A few years ago,” he noted, “there was a conference in London called the Info Security UK Conference. They went to Waterloo Station in London, armed with free pens, and asked for their domain name and user password, in exchange for a pen. And nine out of 10 gave them their real user name and password. The next year, they went out to Marks and Spencer armed with Easter eggs, and got seven out of 10.” Mitnick shared a number of other examples as well of easy confidence-based hack jobs.
Kevin Mitnick at the CHIME-HIMSS Forum
Why do hackers want to know the professional titles and positions of people in your organization? Because it tells them whom to target. They can use LinkedIn and SalesForce.com to single out certain positions in the company: network engineers, system administrators, database managers. But more often, they’ll go after people in sales and marketing, because all they need is one “in” to get control.
What about Facebook and Twitter? “Hackers want to obtain the contacts to the circle of trust of individuals within organizations—partners, vendors, etc., because they’ll likely trust them. We could send a text message and make it look like a friend of the person. And you can break in through peer-to-peer online networking.
We will look at the target’s circle of trust and send them messages to infiltrate. I will put a red sticker, marked 'payroll salary history, third quarter 2016,' on a USB drive, and send it in the mail to a target, in a test. And the end-user might format that USB drive, because they don’t trust it. And it will say, 'format complete,' so it will be seen as a 'clean drive.' But it won't be."
Hackers, he asserted, are able to get virtually every American’s Social Security number and mother’s maiden name. Given those pieces of information, most verification questions are easy to answer.
He also demonstrated, live, how he could weaponize an HID office building access card, cloning it by reading it from a short distance, and thereby gaining access to the building involved.
So how do you manage the risk of social engineering? “I believe in attacking users in your organization, first giving them notice that you will be doing so. And it is very easy to spoof company identities. So do a domain spoof test regularly. And get your IT department to not only configure incoming firewall rules, but also outgoing ones,” Mitnick said. “Because you can make it harder for the malware to be connected to your organization. Establish a social engineering incident response program.”
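The “domain spoof test” Mitnick recommends comes down to a question a receiving mail server asks: if someone forges a message from your domain, do your published SPF and DMARC records tell that server to reject it? The script below is an added example written for this article, not Mitnick’s tooling or anything CHIME or HIMSS published. It parses the two TXT records, flags the configurations that leave a forged From: header unrejected (no SPF, a permissive `?all`/`+all`, no DMARC, `p=none`, or a partial `pct`), and runs against three constructed sample zones; the domain names, records and the `lookup_txt` helper (which needs the dnspython package) are assumptions for illustration.

```python
"""Domain spoof test: would a receiving mail server reject mail forged from this
domain?  Added example for this article; not Mitnick's or CHIME's code.  The
sample records are constructed; real ones come from TXT lookups of the domain
and of _dmarc.<domain> (for example `dig txt _dmarc.example.com`)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SpoofReport:
    domain: str
    spf: Optional[str]
    dmarc: Optional[dict]
    findings: list = field(default_factory=list)

    @property
    def spoofable(self) -> bool:
        # Any finding means a forged From: header is not reliably rejected.
        return bool(self.findings)


def parse_spf(txt_records: list) -> Optional[str]:
    """Return the domain's SPF record; exactly one v=spf1 record is valid."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def parse_dmarc(txt_records: list) -> Optional[dict]:
    """Parse the v=DMARC1 record at _dmarc.<domain> into tag/value pairs."""
    for rec in txt_records:
        if rec.upper().startswith("V=DMARC1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess(domain: str, domain_txt: list, dmarc_txt: list) -> SpoofReport:
    report = SpoofReport(domain, parse_spf(domain_txt), parse_dmarc(dmarc_txt))
    if report.spf is None:
        report.findings.append("no single SPF record: receivers cannot check the sending IP")
    else:
        terms = report.spf.split()[1:]
        all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
        if all_term is None:
            report.findings.append("SPF has no 'all' term: unlisted senders get a neutral result")
        elif all_term == "all" or all_term[0] in "+?":
            report.findings.append(f"SPF ends in '{all_term}': any sending IP is accepted")
    # SPF alone covers the envelope sender; only DMARC ties the visible From:
    # header to the SPF/DKIM result and tells receivers what to do on failure.
    if report.dmarc is None:
        report.findings.append("no DMARC record: an SPF fail is advisory, receivers need not reject")
    else:
        policy = report.dmarc.get("p", "none").lower()
        pct = int(report.dmarc.get("pct", "100"))
        if policy == "none":
            report.findings.append("DMARC p=none: failures are only reported, never enforced")
        elif pct < 100:
            report.findings.append(f"DMARC p={policy} applies to only {pct}% of failing mail")
    return report


# Constructed sample zones (hypothetical domains), not real DNS data.
SAMPLE_ZONES = {
    "weak.example": (["v=spf1 include:_spf.mail.example ?all"], []),
    "halfway.example": (["v=spf1 include:_spf.mail.example ~all"],
                        ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@halfway.example"]),
    "hardened.example": (["v=spf1 ip4:203.0.113.0/24 -all"],
                         ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"]),
}


def run_samples() -> dict:
    return {dom: assess(dom, txt, dmarc) for dom, (txt, dmarc) in SAMPLE_ZONES.items()}


def lookup_txt(name: str) -> list:
    """Live TXT lookup via dnspython (optional; `pip install dnspython`)."""
    import dns.resolver
    try:
        return ["".join(s.decode() for s in r.strings) for r in dns.resolver.resolve(name, "TXT")]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        dom = sys.argv[1]
        reports = {dom: assess(dom, lookup_txt(dom), lookup_txt(f"_dmarc.{dom}"))}
    else:
        reports = run_samples()
    for rep in reports.values():
        print(f"{rep.domain}: {'SPOOFABLE' if rep.spoofable else 'enforced'}")
        for finding in rep.findings:
            print("  -", finding)
```

Run it with no arguments to see the three constructed cases, or with a domain name to check a real zone. A clean report is necessary but not sufficient: DMARC only covers the domain in the From: header, so a look-alike domain or a display-name trick still needs the user-side training Mitnick describes.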
One of the key points Mitnick made with regard to end-users was this, in terms of “building the human firewall,” as he called it: “I believe in the ‘keep it simple, stupid’ method. No one wants to read a telephone book-sized manual. You want to create brochures that are simple and entertaining, with lots of pictures. Perform social engineering pen-tests. Discover the weak links. Develop interactive social engineering resistance training, including phone training. Everyone is so afraid to be impolite.”
What’s more, he said, “Whenever possible, try to take away decision-making from your end-users. And don’t forget the periodic dumpster diving.”
Mitnick proceeded to do several demonstrations that should chill every IT executive in healthcare. He showed how easily skilled hackers can penetrate organizational networks of all kinds, as well as individual consumers’ defenses, and how they hack social media accounts, credit card accounts, and other personal spaces, which in turn makes it exceptionally easy to gain access to organizational networks. His live demonstrations, each taking only minutes, showed the audience how readily skilled hackers can penetrate nearly every kind of defense imaginable.
Following his live hacking demos, Mitnick responded to audience questions. The first question asked was, what would the first thing be that he would do if he were hired into a healthcare CIO position? “The first thing I would assess,” Mitnick said, “is that I’d be really concerned about protecting HIPAA data; I’d want to make sure my network was segmented. My skill set is attack and defense, not management,” he emphasized. “Given that, I would look into architecting the network, and making sure the data is properly segmented, that you have good authentication and audit controls on that data, so if it’s accessed, you can quickly detect where. I recently did a pen-test for an organization, and we were quickly able to penetrate their entire network, because there was no segmentation whatsoever. That’s one of the first areas.”
The second audience question: there will always be an exploitable human error, so how do we protect against threats when humans are involved? “Obviously, with regard to any attacks that target the human element, it’s really important to educate the people who are using and operating your systems, about the latest threats,” Mitnick emphasized. And in a lot of cases, a successful hack “requires the victim to do something, like tricking them into installing an update, before the exploit can take place. So I would do a show-and-tell every once in a while, to keep them involved.”
Do you think the federal government should get involved? one audience member wanted to know. “I’m not really a proponent of federal regulation of anything, given my experience” with investigation and incarceration, Mitnick said, to laughter. “I think companies really need to take this into their own hands. You need to take security into your own hands, and manage it properly, and do it well enough that you’re deflecting 80-85 percent of the attacks out there.”
Do you think the use of ransomware or malware has peaked? Or will we see a rise? Another audience member wanted to know. “I definitely am seeing an increase in ransomware, and of new, more sophisticated versions of ransomware. I recently was working with an oil and gas company; and it turned out that during one of our pen-tests, an employee opened a phish that claimed to be a credit card company’s email. The employee installed a Java update that installed ransomware, but fortunately, the company was able to restore quickly, to the backup of the night before.”
And, another audience member asked, should healthcare IT leaders use multi-factor authentication in their organizations? “Absolutely,” Mitnick said. “Will it stop all attacks? No, because hackers can steal session keys and can bypass two-factor authentication. Two-factor authentication usually works very well at the front door. But sophisticated hackers can still get in. But you should absolutely install two-factor authentication.”
Finally, asked the one piece of advice he might leave with the audience, Mitnick responded, “You can always mature your security processes. You can segment your network. You can make sure that people connecting to you use VPN. You can enforce two-factor authentication. You can take the steps necessary to make you a harder target, so that the bad guys can go to another company that doesn’t use rigorous security controls.”
Shortly prior to Mitnick’s opening keynote presentation, CHIME president and CEO Russell P. Branzell referenced a survey on cybersecurity that the association was set to publish on Sunday. Branzell noted one key survey result: that, even now in 2017, fewer than 50 percent of the organizations whose CIOs were surveyed had hired a full-time chief information security officer (CISO).