Cybersecurity Threats to Healthcare – the Attacker’s Perspective with Etay Maor, Senior Director of Security Strategy at Cato Networks: Audio automatically transcribed by Sonix

Cybersecurity Threats to Healthcare – the Attacker’s Perspective with Etay Maor, Senior Director of Security Strategy at Cato Networks: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Saul Marquez:
Hey everybody, Saul Marquez here. And welcome back to the Outcomes Rocket. Today, I have the privilege of hosting Etay Maor. He is the Senior Director of Security Strategy at Cato Networks and an industry-recognized cybersecurity researcher and keynote speaker. Previously, Etay was the Chief Security Officer for IntSights where he led Strategic Cybersecurity Research and Security Services. Before that, Etay held numerous leadership positions in research and execution at IBM. And he also wears a hat as an Adjunct Professor at Boston College. So I’m really excited to have him on the podcast today. You guys are gonna get your minds blown by what cybercriminals are doing up there and things that we need to be careful of when we are running our businesses, organizations, and even our personal computer stuff. So it’s such a pleasure to have you here, my friend.

Etay Maor:
Thank you for having me on.

Saul Marquez:
Absolutely. So today is about security. And obviously, we are a health care base of community here that you’re speaking to. But what inspires your work in security?

Etay Maor:
So I actually got into security when I was young. The history of it is I actually hacked my school’s database to change my grades. People sometimes ask, how do you become a hacker? And I think most hackers would say it comes with necessity. So I had to change my grades, but ever since it evolved, I really got into how computers work and how things operate. And today, I’m just glad to have the opportunity to help companies and help people secure their devices, their environment, and their business because unfortunately, they’re well, we have a lot of good minds on the defending side. There are a lot of very good minds on the attacker side as well.

Saul Marquez:
Yeah. So did you actually change your grades?

Etay Maor:
Yeah, I did. I wasn’t very smart about it because I was a very bad student in Arabic and I changed my grades from a failed to an A+, which I’m thinking about. It probably wasn’t the smartest move. Now my dad, who was Department of Defense back in Israel where I live thought it was really funny. But my mom was a teacher at that school. She didn’t find it funny at all and I got punished. But, you know, it got me thinking about it. It wasn’t called cybersecurity that time. It got me thinking because I thought, well, wait a minute, if I would have broken into the school and changed my grades on a piece of paper and got caught, I would have a police record. And all I got here will this little slap on the wrist. This seems interesting. Let’s think.

Saul Marquez:
It is interesting. Very funny, By the way. I mean, and the dichotomy at home with your mom and dad. Bu your love for this stuff started there. And so talk to us a little bit about how you and the work that you do is adding value in the security space.

Etay Maor:
So I think today most organizations understand that they can be a victim of an attack. You know, if you talked several years ago, many organizations would say, well, we don’t have any information or anything interesting for attackers. Most of them go after financial institutions because as the old saying goes, that’s where the money is at. So that’s what the attack. But it has significantly changed over the past, I would say seven to eight years. Very different discussions from what we had when I started in security in the early 2000s because any organization can be a target today. When you think about threats like ransomware attacks, the target, everybody. They started by target, if you recall, way back in the day. They started by attacking individuals at home. But then very fast, the attackers realized they can make a lot more than ransoming somebody’s PC for five hundred dollars if they can ransom a hospital in California for half a million dollars. And it just grew and grew and grew. So there’s that hat side of things. There’s also the side of things of all the nation-state attacks and the value of data. So it’s not just about money anymore. There’s a lot of ways that criminals threaten actors, nation-state attacks can monetize or use data that they steal or get a hold of. So that’s kind of been my passion throughout these past years. And what we do is we help organizations, first of all, understand where they may be vulnerable, understand what they’re currently doing wrong and how they can make things better. Now, don’t get me wrong, not every threat can be stopped. You know, if you think about a nation-state attack, I can’t think of a single person to say, yeah, I can stop any nation-state actor out there. I’d be worried if I heard that from somebody. But we need to do a better job of early detection and mitigation and yes, in some cases prevention of these attacks. It’s important for us to be aware and it starts with awareness.

Saul Marquez:
You know, I had a chance to chat with you the day before our podcast, and just like, wow, the amount of things that could happen are just mind-blowing. And so I was excited to get him on here for all of us to learn and listen to what some of these things are. So why don’t we start off with the kind of showing us some of the things that are happening, talk to us about those things and then talk to us about what people could be doing that’s different or better than what the average is doing.

Etay Maor:
And you know what? Let’s talk about people. You know, every time I go to a cybersecurity conference, I’m also part of the CFP committees for different events, we always talk about people, processes, and technology, but we really focus on technology, zero-days, and the cool systems, and artificial intelligence and blockchain or whatever. But if you look at it, at the end of the date, the attackers, most of the breaches start with targeting the people, not the technology. So let’s start with talking about the people. And I think it’s especially important during this day and age because most of us have started working from home. We’ve been forced into this really fast. And I don’t think we did a really good job of securing our home environment, which is actually our work environment now. And one thing that I think we should definitely discuss is the initial portions of an attack. How do the attackers even start their breaches? What is the initial point of access, which is usually a person. And what I don’t think a lot of people realize today is how much information is available out there about you, not because it was stolen. Well, yeah, you could find some stolen databases on the deep web or the dark web. But just stuff that you put out there by yourself and people tend to think of some of these attacks as super sophisticated and indeed they can be really sophisticated. But in many cases, they start by very simple, what we call open-source intelligence, just scanning social networks for, you know, breadcrumbs and information about your victim. Because if somebody is out there and they’re saying, this is my hobby, this is what I like to do, this is where I like to travel, this is all kinds of information that can be gathered by a threat and put together as the first stage of an attack, something to do with social engineering. So somebody who really likes dogs, for example, advertises that take all that information and attack. It could potentially send him an email saying, hey, we’re a new dog shop in your area. Here’s a coupon. We know you love dogs. Here’s a coupon for your first visit, 50 percent off and they get a piece of malware in it. And that’s not a new type of attack, actually. You know, we’ve seen these in the past against large organizations as well, where somebody’s not necessarily the CEO or the CFO received an email that was embedded with a piece of malware, and that’s how they got in.

Saul Marquez:
So what is the malware doing? What does it do?

Etay Maor:
What malware does, it can do, depends on what it was programmed to do. A lot of these pieces of malware, there are many categories that can do everything from keylogging to collecting information and sending them outside. And ransomware is a form of malware so it can encrypt your computer. There is malware that RATS that stands for remote access tool. So they actually take control over your device.

Saul Marquez:
Get out of here.

Etay Maor:
So yeah. So yeah, there’s a lot of different options. And one of the things that really changed in the last decade is this has become a lot more accessible and easy to obtain and operate. It’s not like when I started as a kid in order to learn these things and understand how they work, I used modems and BBSes bulletin board systems. If anybody remembers those Friday nights, I would say nobody picks up the phone, I’m on the computer. So that’s how I got that information today. You can go into these forums on the web and you can buy these products. And in some cases, you don’t need to buy these products.

Saul Marquez:
So there’s a marketplace for malware, too.

Etay Maor:
Oh, yeah. Yeah. There’s a lot of forums and shops on the Web, on the deep Web, and on the dark web. Well, here’s something even more interesting. In some cases, you don’t even need to buy the products. Some of them are sold. So there’s a service we call fraud as a service. So you can hire somebody who will help you do this. So almost with zero knowledge on the technology side, you provide the attacker. Here’s my victim. Here’s what I know about them. And they’ll provide you with malware or a phishing attack or an email or something that will help you attack.

Saul Marquez:
Wow, that’s terrible. But it’s good to know it. All right. So, you know, so we’re all thinking here. Oh, my gosh. So if all this stuff is possible, how can I protect my business? How can I protect myself? Talk to us about that.

Etay Maor:
I think one of the important things here is, first of all, not to be the lower hanging fruit, because like I said before, you can’t stop a nation-state attacker. An attacker With unlimited resources, unlimited time, and a goal is hard to stop. On the other hand, you can’t stop and prevent some of the other types of attacks. And interestingly enough, Just as I said that some of these attacks are very simple, some of the very simple ways to stop them is doing what I think everybody should be doing anyway, which is Petrof systems. Keep everything up to date. Don’t use easy-to-use passwords. Update your passwords on your hardware as well. I mean, people start working from home, right? Have you updated your router’s password or your home camera or password? Because those are ways for attackers to get in.

Saul Marquez:
I got to update those. Yeah, I wasn’t thinking about those,

Etay Maor:
But it’s so easy for attackers to get to scan the Internet for devices, which are other printers, routers, whatever they are. And they use default passwords and brute force attacks to attack them. So very simple stuff that we can do and at least not be the lower hanging. Now, that’s for people at home, organizations can do other things as well. I mean, they have to protect their employees, their infrastructure as well. And I think we’ve now moved to the cloud. It’s actually that’s one of the biggest changes we’ve seen ever think because most of the solutions that we have today are what we call on-premise solutions. Everything is on a server or on a computer in your organization’s immediate vicinity. With a move to the cloud, we actually have an opportunity to do much better security, much better security, and much better networking. So I think there’s an opportunity here and it’s something we should take advantage of this convergence of networking and security. Now, I do have to say it’s really easy for me as a security person to say, hey, patch all your systems and I get it. It’s not that easy if we’re especially if we’re talking about hospitals or critical infrastructure. It’s easy for me to say. But, you know, patching the system may cause some systems not to work. What about systems that life depends on? Or what about systems that control, I don’t know, an oil refinery. So it’s not as easy as it sounds. So I just wanted to put that kind of put that little remark out there. It’s easy for me to say. It’s harder to do. But I do think we have an opportunity now with, like I said, with the move o the cloud. Yeah.

Saul Marquez:
Now for sure. And I appreciate you highlighting those things. So talk to us about some of the things that you guys have done to protect organizations and help them overcome some of these issues that are becoming all too common.

Etay Maor:
Sure. So Cato Networks is in the SAS space, secure access services, which is actually the convergence of networking and security. And what we’ve done is we’ve actually helped customers not only have better networking for their devices, for their users or their data centers wherever they are, because, again, I mentioned before, we’re the age of working from home. Now, if you have, say, a physician working from home, shouldn’t he get the same level of security as if he was in the office today? The answer is they’re not getting it. Maybe they’re using a VPN, but they definitely don’t have all the protective mechanisms they would have if they’re in the office. So providing everybody, whatever devices they’re use, wherever they are, the same level of security and networking is something that is top of mind for us. But when you look into the security side of things, the fact that we can see our customers’ network and security means that we can identify different threats even before we understand their threats, which sounds kind of weird. So I’ll explain in one second. In a short sentence, we can look at different attributes and say we said we mentioned malware before. Somebody has malware on their device. We can say, well, we see this stuff going on the network and we see a computer going to a domain we’ve never seen before communicating. That by itself may not be too suspicious, but then we see that it communicates every week, once a week, and the same type of packets, exactly the same communication that looks a little bit more suspicious. And now that we see that it’s trying to morph and change its signature, well, these by themselves are not good enough. But when you combine this holistic view, you can say, OK, this plus this, plus this. I don’t know what it is, but it’s bad. And so we can help our customers identify these types of threats before they even start. And that’s just a small example. I can talk about what I mentioned before, securing everybody wherever they are, whether they’re working from home, from the office, from the data center, or whatever it is, things like identifying threats, making sure the threats don’t jump between locations. A lot of times we look at what we call northsouth traffic and not eastwest, but with ransomware, lateral movement, All of that, the traffic goes between different sites. And so I think these things are extremely important.

Etay Maor:
I think it’s also important to bust some cybersecurity myths that we see out there today.

Saul Marquez:
I love myth-busting.

Etay Maor:
I have several, but I’ll just mention one by the one that’s going to make a lot of security folks angry at me. But I have to say it. A lot of times when you go to security talks, you hear people say, you know, the attackers have to be right just once. The defenders have to be right all the time. I even used to say that a couple of years ago, but I actually now think it’s exactly the opposite. If you look at the attack lifecycle against any organizations, even the ones that targeted health care organizations, you’ll see that the attacker has to be right so many times before they get to the crown jewels. Think about what the attacker needs to do in order to put a ransom on a hospital’s data center. They need to persuade somebody to click on a link and then they need to get access into the network. Then they need to jump between different servers to find where these crown jewels are. And they need to have a staging server and they need to encrypt the server. There’s just many stages. So actually the attackers have to write a lot of times and us the defenders we have a lot of opportunities to catch them. And I think one of the things that we fail in today is that we have a lot of siloed solutions. We have a lot of point solutions. We have an antivirus, but it doesn’t communicate with whatever other systems are there with our firewall, with our sim, whatever it is, and the attackers are taking advantage of the siloed view that the defenders have, and so this notion of the attackers need to be right just once is incorrect. It’s actually the opposite. And we have a lot of opportunities today to actually stop or at least detect and mitigate these threats.

Saul Marquez:
Yeah, I love the perspective here. So thank you so much for that. So what would you say you’ve done to improve results and security and make business better?

Etay Maor:
So aside from what I do in my jobs, what I try to do is kind of shape the minds of the future. I teach in Boston College. I teach actually a course called designing offensive and defensive capabilities. So I tried to educate my students about how attackers think about, things to think out of the box. We do this through different types of simulations, games and then actual proof of concept. And what’s really interesting is at the end of the course that I teach the final project is I split the class into teams and I let them choose a company, whatever they want, and they have to have an attack planned on them. So based on information they find about them defending their systems legally, everything should be done. Legal, of course.

Etay Maor:
Yes, yes.

Saul Marquez:
Open source intelligence about the executives, whatever it is, they have to come up with a plan. If they were attackers, how they would launch an attack against this company. And now that you mention it, what’s really interesting is last year’s class, we had four teams, all four chose pharmaceutical or health care related companies. I didn’t tell them to do it. Yeah, they just saw them as the most high reward, low risk, I’m sorry to say, types of attacks for attackers. And they showed me how they collected information against several companies, actually. One is the COVID-19 vaccine manufacturer. They collected information about their servers and where they would be vulnerable. They collected information about executives, where they live, their kid’s names, license plates. They even went into the deeds registry, the local registry, and obtained copies of some of their mortgages, which is I have no idea why, but it’s public information. But now they have the signature, the physical signature of VPs of COVID-19 manufacturing company. They showed me, for example, attacks against an executive that they were running an executive in a local hospital and how they were able to obtain her personal information, design a social engineering attack directly towards her. And I mean, these things are just what my students with one course under their belt can do. But if you go into the deep and dark web, you can find stuff that’s being sold there. I mean, I’ve seen a physician’s home computer that they infected with a remote access tool. We were talking to the criminal interrogating him and he said he has access to a physician’s computer. And we said, you know what? We don’t believe you. So he sent us a screenshot of their desktop with all the folders. And you can see patient name and you can see is the credit card reader. And you could see directories called x rays and all kinds of information. And I can’t really blame him. You know, this person is trying to work from home. If we don’t provide him with everything he needs to be secure and to do his work effectively, as I mentioned before, necessity is the mother of hack. Yeah, this person needed to work, probably downloaded information to his or her computer. Well, it’s his computer. I know who that is, to his computer and tried to do the best Ting for his patients. But unfortunately, an attacker was able to put a remote access to his computer and now has all that information. So we’re talking about hit-by issues and PCI compliance issues because there’s a card reader, there’s a credit card reader. There is so much information. So going back to your original question, I’m trying to educate the future generation with what an attacker would do to think out of the box, to try to think what they would do to attack the organizations, because you can’t really defend unless you know how to attack a man.

Saul Marquez:
That’s so cool, Etay. I love that you’re doing this. And I mean, it’s so practical what you’re teaching these kids to do. And if you are thinking in the shoes of the attacker, you can protect yourself better. So something for all of us to think about. And man, I mean, I just have all these questions running through my head, like, how about stored passwords and how about stolen credit cards? Oftentimes we use browsers to store these items. Do you recommend for or against? Protective ways to do it?

Etay Maor:
So before I answer that, let me just say that I don’t even like to talk about what we do as security. At the end of the day, it’s risk management. On the one side of the pendulum, you have completely secure our system. On the other hand, you have the easiest system to use. Now, where do you want to put it? And that’s something that I talk with organizations. We don’t make it as simplistic, but where do you see yourself? What is your risk tolerance? And that applies to people at home as well, because I, for example, try to not use the autosave of passwords and I don’t like to save my credit card in the browser. These systems are relatively secure, but if somebody gets a hold of my computer with remote access tool. It doesn’t matter because they just opened the browser and all the information is in there, but that’s me and I have to keep in mind that it doesn’t make my life easier, because it’s much easier to just click and everything works. So where do you want to go between security and usability? And that’s something that everybody needs to decide for themselves. Having said that, definitely, definitely not using the same password everywhere.

Saul Marquez:
Oh, yeah, for sure.

Etay Maor:
Well, you know, it’s a common mistake.

Saul Marquez:
And I made a mistake for a long time. And now all my passwords are crazy different for every single thing. And there are those auto-generated ones that I’m like, how in the world could anybody guess this?

Etay Maor:
And that’s great. But it’s still fun and especially for systems. I don’t want to tell you just how many times I run into systems and also medical systems where the default usernames and passwords are admin. I mean, finding some of the manuals for these devices online is very easy. And then you can see the default password that nobody changed because who would hack into whatever it is, a CT scanner? Unfortunately, it’s I did some checks on this. I did look into CTI scanners and what is called the ICOM, I think was one of them. And these are easy to find on the Web as well. So these are basic things that I think we can use. And then it’s up to you regarding your tolerance for security versus usability. I would like to mention that I’ve recently seen an interview with a Russian ransomware group, and I also saw I have some screenshots from negotiations with the ransomware group. In both cases, they actually gave at the end of the interview and at the end of the negotiations some tips on how to avoid being targeted by them. And a lot of these tips are the basic security things that everybody should be doing. They say don’t use default passwords. Make sure you don’t have administrative privileges for those who don’t need it. Closed different sessions. Make sure that you don’t use knowledge-based authentication to authenticate people. So don’t ask questions like what’s your mother’s maiden name or which car did you drive in? Eighty five. These are crazy easy for attackers to overcome. So it’s the basic things that can really help us at least mitigate or detect some of these attacks.

Saul Marquez:
Yeah. Thank you, Etay. Very useful. Thank you. And so what would you say is one of the biggest setbacks you’ve experienced and what was the key learning.

Etay Maor:
Setbacks? Well, you know, at the beginning of this COVID-19 Situation, the whole move To remote work wasn’t shocking, but it came faster than than we thought. I mean, we knew that remote work was going to happen in the next five years. It just happened right now. And so I think it wasn’t really a setback. But for me, it was, you know, here’s a learning moment. And it really pushed me back to something that happened to me about seven or eight years ago. I was running a simulation with a bank. We were doing breach preparedness. And at one point I decided, when you do breach preparedness, everybody is in the hustle. OK, which team talks to who? How do we handle the situation? We always try to have what we call the mike in the room that just throws problems. And I started out of the blue to say, you know what, all your systems are down now due o ransomware. And immediately one of the managers stood up and said, you know what, you can’t do that. That will never happen. And I, I give full kudos to the CISO, the Chief Information Security Officer company of that bank that said, no, don’t say that. We don’t know what’s going to happen. This might actually happen in the future. That was before ransomware became really big. And so I think it threw me back to that because I think we need to be. How would I say this? I don’t want to say prepared for the unknown, but with every plan, we always have a business recovery plan, disaster recovery, or disaster recovery plan. We have plans for all kinds of physical situations in our environment, whether it’s a fire or something happening or something happening to the business. The cybersecurity plan needs to be there for any event that might come up. We need to have this as part of it. I think a lot of companies are now having this as a board-level discussion. What do we do in case of and not have anything off the table because we don’t really know what what’s really up and coming. And so it connects to what I mentioned before. One of the opportunities that we have here is this whole move to the cloud that allows us to be a little bit more flexible and prepared for some of the unknown because we don’t really know. We might have in the next five to six years a new type of device or communication that we want to implement into our network. How do we use it? How do we secure it? How do we approach it? We just need to Have these unknowns to be thought of, but be prepared for the unknown, if that makes sense.

Saul Marquez:
Yeah, it makes a lot of sense. Thank you for That. And so what would you say you’re most excited about?

Etay Maor:
Well, first of all, I’m really excited about everybody coming back to face-to-face meetings pretty soon.

Saul Marquez:
It will be nice. I’m looking forward to that too.

Etay Maor:
Yeah, but, you know, we’re not going to move. It’s not going to go back. We’re not going to be working from our offices as we were before. I don’t think it’s ever going to be back as directly as it was. And so I think this is really an interesting time for us because we’ve never experienced something like this before. With changes in our security architecture, with changes with how people work and how they operate. I think we have we honestly do have an opportunity here to do better security to help organizations and people in how they secure their personal environments, their work environments. We’re also coming to very, very fast to talk about 5G and Iot Internet of things. We’re going to have so many new devices starting to be connected. That’s going to create a lot of challenges for us as defenders, but I think a lot of opportunities as well for detection and securing people. I think one of the things that really I’m grateful that is happening is the move away actually from passwords. You mentioned passwords before. I hate passwords. I hate passwords because even the complex ones are complex for humans. But they’re not they’re complex and complex for machines. So moving away from it, using all these different sensors, not that we have around us to authenticate us, whether it’s how we move our mouse where we are currently versus where we claim to be somebody is logging into of health care account. But we know based on a phone that is driving. So how can that happen? All kinds of sensors and devices around us that will allow us to better secure ourselves and hopefully even up the fight with the attackers.

Saul Marquez:
Yeah, well, we’re using voice. We’re using facial recognition. I mean.

Etay Maor:
Oh, no, you got you. Thank you. But I just did an interview not too long ago, a webinar with a deep space expert, and he showed me how easy it is to alter the voice and to synthesized voice and faces. He got me worried. He was showing me I think we’re getting close to the age where we can are able to create deep breaks in real-time so you can join a meeting and look like somebody else and like somebody else.

Saul Marquez:
Oh, my gosh.

Etay Maor:
Yeah, some of these things are crazy. Interesting. And they’re going to come they’re going to make it. It’s going to be an interesting world to live in. I remember my discussions with him, Raymond. He’s a great guy. We talked about how deep face are going to be used for fraud and for different types of attacks. But also another element of it is what he referred to as as the liar’s dividend. You could potentially in the future say, hey, that wasn’t me on the phone call. That was somebody who did fake my voice. I didn’t do it. Or that’s not me. That video with that person, but somebody else, it’s all fake. So now what is reality? But that’s a whole other discussion.

Saul Marquez:
That’s troubling. You can also basically stay in your house and not leave your office ever if you worry about everything. And it’s that balance, like you mentioned earlier, that ease of work versus security. And we all have to make the decision. But the key of today’s podcast was awareness, making all of us aware that these threats are out there and that solutions are also available as just a matter of how we want to approach it. So Etay, thank you so much for this. This has been a real treat. Why don’t you give us a closing thought and then the best place the listeners could get in touch with you if they want to continue the conversation. Sure.

Etay Maor:
So I think you said it nicely. It’s all about awareness and being aware that what we do online digital information never goes away. And so it may be used by attackers for different types of attacks. I’m not saying don’t use social media and social networks. I’m just saying be aware of what you shared. And then if somebody sends you something that’s related to that doesn’t mean you should automatically trust them. So it’s the notion of being aware of what’s out there and what is your risk tolerance. I can tell you I do these practices for myself, for my family, for what my daughter installs on her Ipad and so on. So we have to keep on living. I love personally enjoying all the technology that’s around me and I have to consider what do I give and take for that. To reach me, we have our website, Cato Networks. I also have a master class of these topics where I talk about open source intelligence, ransomware attacks, supply-chain attacks, and I’m trying to train you similar to what I do at Boston College about these aspects and how an attacker would think. So if you want to see that, I welcome you to join that.

Saul Marquez:
And where’s that available?

Etay Maor:
On Catonetworks.com.

Saul Marquez:
Ok, it’s on catonetwork.com. Folks, check that out. If this seemed interesting to you, is just the tip of the iceberg. It goes deeper. Cato Networks, that comes to look out for that masterclass. And I thank you so much, Etay. This has been really valuable and I hope you have an amazing rest of the day today.

Etay Maor:
Thank you. Thank you very much.

Sonix is the world’s most advanced automated transcription, translation, and subtitling platform. Fast, accurate, and affordable.

Automatically convert your mp3 files to text (txt file), Microsoft Word (docx file), and SubRip Subtitle (srt file) in minutes.

Sonix has many features that you’d love including transcribe multiple languages, advanced search, enterprise-grade admin tools, world-class support, and easily transcribe your Zoom meetings. Try Sonix for free today.