I’m Surrounded by Cyber Threats: How Do I Know What to Protect Against and How?
Errol Weiss, Chief Security Officer at Health-ISAC

In recognition of the 19th annual National Cyber Security Awareness Month, The Outcomes Rocket Network has launched a 10-part podcast series to elevate Cyber Security Awareness in Healthcare on our main channel, the Outcomes Rocket Podcast. Partnering with leaders in healthcare cybersecurity in their capacity as members of the Health Sector Coordinating Council, the podcast aims to illuminate advances made in protecting critical healthcare infrastructure and patient safety, and areas that need further focus to put a stop to Cyber Crime.

Let’s watch each other’s backs and learn from our experiences in cyberspace!

In this episode, Saul Marquez sits down to talk with Errol Weiss, Chief Security Officer at Health-ISAC, about today’s cyber threats and what measures we can take to prevent them. Throughout this eye-opening conversation, Errol breaks down the three main reasons why cybercrime is committed and how it can impact any organization, healthcare organizations in particular. He explains what an ISAC is, why ISACs were created, and how your organization can benefit from one by learning what threats and attacks your industry is facing. Additionally, Errol shares some examples of these cybercrimes that will make your jaw drop, so listen closely and learn from them.

Tune in to this episode to learn about cyber threats and how you and your peers can protect each other from them!

About Errol Weiss:

Errol Weiss is Health-ISAC’s Chief Security Officer. He has over 25 years of experience in Information Security, beginning his career with the National Security Agency and conducting penetration tests of classified networks. He created and ran Citigroup’s Cyber Intelligence Center and was a Senior Vice President Executive with Bank of America’s Global Information Security team. Errol has an M.S. in Technical Management from Johns Hopkins University and a B.S. in Computer Engineering from Bucknell University.

 

Outcomes Rocket _ Errol Weiss: Audio automatically transcribed by Sonix

Outcomes Rocket _ Errol Weiss: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Saul Marquez:
Hey everybody! Saul Marquez with the Outcomes Rocket. I want to welcome you to this amazing series for October. Cybersecurity series brought to you by us at Outcomes Rocket and also the Public Health Sector Coordinating Council. We’ve got an amazing lineup of guests and today I am super privileged to be with an incredible person and a leader in this space. His name is Errol Weiss. He’s HEALTH-ISAC’s Chief Security Officer. He has over 25 years of experience in information security, beginning his career with the National Security Agency, conducting penetration tests of classified networks. He created and ran Citigroup Cyber Intelligence Center and was a senior vice president executive with Bank of America’s Global Information Security Team. Errol has an M.S. in Technical Management from Johns Hopkins, and he’s got his BS in computer engineering, but the track record that he has in the industry and security is just unbelievable, and it’s a privilege to have him here on the podcast with us. Errol, thank you so much for being with us.

Errol Weiss:
Saul, thanks for having me. It’s great to be here.

Saul Marquez:
Absolutely, now, before we get into the meat and bones of our discussion, in particular to, I’m surrounded by cyberthreats, how do I know what to protect against and how, talk to us about you, Errol. What is HEALTH-ISAC, and what got you into security now?

Errol Weiss:
What the heck is an ISAC besides the worst acronym on the planet, probably? So, I didn’t pick the name, Saul, but, no, it’s all good, just to really introduce the topic, the idea about an ISAC started in the mid-1990s when the US government realized that most of the critical infrastructure was owned and operated by the private sector and cyber risks were starting to take off at the time, the internet was starting to be a thing at the time, realizing that the critical infrastructure could be impacted remotely. And so, they really encouraged the formation and creation of these Information Sharing and Analysis Centers for each of the critical infrastructures, so finance, water, transportation, health, etc., energy. And the idea was to get the private sector to share information with each other in order to learn and better protect the critical infrastructure from cyber threats. And of course, it’s grown and evolved over the last 20-plus years, but that’s essentially what it is at its core.

Saul Marquez:
Love it, and no, that’s great to know, and glad that the work is being done, Errol. What got you into cybersecurity?

Errol Weiss:
So as you said during the introduction, I did have a chance to start my infosec career at the National Security Agency and learn how to and became quite good at penetration testing. So a lot of fun at the time, it was great. I learned so much, it was challenging. You know, it was almost like solving complex, complex puzzles, and it was really great, interesting work. I thought it was really satisfying, and then I left the government and was doing it for commercial customers like banks and insurance companies for quite a bit of time. But as I say, I used to be fairly technical and I lost all those technical skills. I realized that the day that I had to call tech support to come fix my printer, hung up the phone and I was like, I cannot believe I just made that phone call.

Saul Marquez:
That is too funny. Well, listen, you know, that’s what happens, right? Like, you get into leadership roles, you start kind of working on the big picture strategy things, which are also very important, where is this going? And so, gosh, I mean, we’re dealing with a lot of things. I mean, most recently, Uber got hacked and that made the headlines. Give us an example of the kinds of attacks healthcare organizations are facing.

Errol Weiss:
Yeah, it’s all over the place, that Uber one’s a great example, we should definitely talk about that, too. But, you know, traditionally I try to focus, there’s so many different groups to focus on, but I try to focus on things like cybercrime where the bad guys are literally out to try to steal money or to make money by monetizing stolen information. And then number two would be nation-states, so like China, Russia, North Korea, Iran, you could throw the United States in there for that matter, but the whole idea about motivated nation-states primarily doing things like espionage, you know, to learn about their adversary, maybe to steal company secrets or whatnot but that has been the name of the game for a long time. The other thing that I literally have recently added to the mix, although we’ve been talking about it for ten-plus years, is hacktivism. It’s normally, it’s been out there. I think one of the first examples that I like to talk about is Occupy Wall Street from 2011. But, you know, traditionally more of a, I’d say more of a nuisance sort of a thing where we have social, politically motivated threat actors taking to the net, to do something, normally, exposing people or publishing personal information or personal documents online in order to embarrass their targets. But it’s become popular as of late, again, following the Roe v Wade decision that was overturned a few months ago, and now we have either side of that abortion debate using hacktivist techniques to further their cause as well.

Saul Marquez:
Wow.

Errol Weiss:
So from the health sector standpoint, we have providers who look at hospitals or clinics that are providing those kinds of family services that are being targeted by anti-abortion groups. They’re also targeting even insurance companies that are paying for those services so it’s fairly serious.

Saul Marquez:
Wow, you know, Errol, that, this is the first time I’ve heard of that term, hacktivism. Appreciate you sharing it here. These cyber-attacks are being used in a lot of different ways, and so this is fascinating. And what would you say is the motivation behind a lot of these attacks?

Errol Weiss:
Starting that conversation off again, you know, looking at the cybercrime landscape, the threat actors that we see there are looking to make money and they’ll do everything they can to either steal information or threaten to release private information, so essentially extorting their victims, or using things like ransomware. And again, there’s been a ton of ransomware that has impacted the health sector, it has gotten quite a lot of media attention because of how serious it is. When you start potentially impacting hospitals from delivering patient care and they have trouble delivering that care or ambulances get diverted because they can’t accept any new patients because their electronic health record system is down because of a ransomware incident, those tend to get a lot of media attention, and the payouts have been enormous, right? And so, so what we’ve seen happening in this ransomware ecosystem is the ransoms keep getting higher and higher, people are paying them, and it continues to motivate the attackers just to do more. And so it’s not unusual for us to see multimillion-dollar ransomware payments being made these days, unfortunately. And again, it just fuels the malicious actors to continue to do what they’re doing.

Saul Marquez:
Yeah, that’s incredible. I didn’t know it was that high. Like, literally they’re asking for millions. And how do they ask for the money? Like, do they ask for a wire transfer, or how the heck does that even happen and how do they receive it secretly?

Errol Weiss:
Yeah, so here’s the other side of the coin here, where they are using digital currency, cryptocurrency, things like Bitcoin in order to be paid.

Saul Marquez:
Is that right?

Errol Weiss:
Yeah, and as you can imagine, they’re telling a hospital, hey, send us a million dollars worth of Bitcoin, and the hospital says we don’t have any Bitcoin, we don’t know what that is, how do I do that? And the next thing that shows up is an extensive, beautiful tutorial on how to do that. So they are very good about teaching their victims how to execute those payments. And to your point, Saul, unfortunately, you know, in a lot of ways, once they make that payment, that money is very difficult to track. So the digital currencies, these cryptocurrencies are very good about allowing the cyber criminals to maintain their anonymity and they can get paid through those currencies and have essentially almost no fear of being caught. So it’s one of the downsides of the whole digital ecosystem. And just to give you a little bit more on the numbers, HEALTH-ISAC actually partnered with Microsoft back in April, and we filed a civil lawsuit against one, just one of the ransomware families that’s out there, a delivery system called ZLoader. And they filed a civil lawsuit to essentially obtain the infrastructure that the bad guys were using to deliver that ZLoader botnet. And as part of that lawsuit HEALTH-ISAC, we were there to represent the health sector to talk about the impact that things like Ryuk, which is one of the families of ransomware that ZLoader delivers, what Ryuk impact was on healthcare. And so we were able to track that Ryuk ransomware since 2018 and tracked that back to over 200 hospitals that were impacted by that ransomware. And again, things like ambulances being forced to divert, diverted, disrupted delivery of chemotherapy treatment for cancer patients, caused, it caused delays in reporting of lab results, people’s appointments had to be rescheduled, for example, electronic health record systems down for weeks at a time, patient records that were leaked. 
And so when we aggregate all of those losses, there’s over 100 million dollars worth of revenue losses because of those canceled procedures. And then even worse, there’s over 500 million dollars worth of costs associated responding to those attacks. So everything from ransomware payments to hiring a digital forensic services company to come in to help figure out what happened and pick it, and pick up the pieces, and then also some of the security upgrades that were made after the fact as well. So it’s, and again, that’s just one family of ransomware.

Saul Marquez:
Geez, and the numbers you shared, like that’s just for that family of ransom? Holy smokes, it’s a big problem. And so, you know, there’s so many impacts, and thanks for sharing all of those. What are companies and providers working together to stop and manage some of these threats? You gave us a really good one, right? You guys are doing this with Microsoft, but what else is happening out there?

Errol Weiss:
Yeah, so I think, you know, when you look at again, what we do at the core from the ISAC perspective and HEALTH-ISAC is just one example. I would say that, you know, and I can share some more resources with you, but we can point your listeners to, there’s an ISAC for everybody, depending on what critical infrastructure you’re in or what organization you’re in, there’s an information sharing place for you that you can benefit from things like this. But we have members that are actively sharing incident information, things that they learn from the threat landscape, again, sharing that information with each other. And the whole idea is that you can learn from your peers what the threats are, what kinds of attacks organizations are actively seeing literally right now, and figure out like, hey, have you seen this attack in your own environment? Or if you could replay that attack, essentially, would your infrastructure be vulnerable to those kinds of attacks? And maybe even block that activity specifically from entering your own environment. So the whole idea is to learn by what’s happening from your peers across the industry and use that information to better protect yourself.

Saul Marquez:
That’s fantastic, Errol, and I would love that link from you, will definitely include that in the show notes for today’s podcast and obviously, as part of the entire series. So you know and guidelines here, I mean, you know, people are talking about hey, there’s cybersecurity insurance now and you know, like talk to us about that. You know, what are some things that our listeners that run organizations and businesses could be thinking about as ways to protect themselves from this?

Errol Weiss:
Yeah, I mean, you know, the cybersecurity, I’m sorry, the cyber insurance industry is definitely another complex issue. It’s a way to help mitigate your risks and to have some coverage in case something does happen. It’s not the only thing that you should be doing. But I think as organizations look into this and as they become more aware of the risks that are out there and they work with those insurance providers to understand what their premiums would be, could be, the insurance providers are also asking their customers to do certain things in their own environments. So it’s, I think it’s, you know, it’s a good move. It’s all part of sort of raising the awareness about what those threats and risks are. Again, it’s just mind-boggling when you think about all of these risks that are out there and how I always say about how bad the Internet neighborhood is, that you need to be aware of those things and really be cognizant of what those risks are when you literally connect to the Internet so that you can help protect your environment. And it’s a constant job, I mean, you’re never done, which is just the unfortunate part of it, as there are new vulnerabilities that are discovered every day with the existing software. I mean, I was just reading something literally a day ago about a vulnerability from 2007, so it’s 15 years old now, but still a problem today that people have not patched and the bad guys are still taking advantage of it.

Saul Marquez:
Geez, well, this is totally eye-opening, and your organization specific to health, HEALTH-ISAC, has so many resources. Give us an example of, maybe one or two, that people could take advantage of today by clicking on the ISAC link that we’ll share with them in the show notes.

Errol Weiss:
Yeah, I know one of the ones that we want to share with you is this document called the Information Sharing Best Practices, White Paper, Toolkit, call it what you will, but you’ll see we share it in a word doc format so we don’t put it up and put it in a PDF, for example, and there’s a reason for that, because we want you to take that document and make it your own. We want you to use it as a way to build your own information-sharing set of procedures within your own organization. So what’s the document all about? We were originally going to call it Info Sharing for Dummies, so that, you get the context of really what it is. People, when we talk about info sharing, everyone will agree, hey, that sounds like a great idea, we should all be doing it. But it’s hard to get started, and there’s obstacles. Like people are like, wait a minute, I’m going to share my incident with everybody else out there? That sounds a little scary, it sounds like, not only scary, but it sounds risky. If I’m going to share what happened to me and we had an incident, we may have had a breach, I would do, I really want to share that information publicly, and is there a safe way to do that? So, there’s certainly there’s resistance from leadership. If you go to your legal team internally and you’d say that, hey, I want to share information about incidents, of course, the first thing they’re going to say is, no way, we don’t do that kind of thing. So the document talks about how to approach this topic internally. How do you have that conversation with your boss and with internal counsel about how to begin information sharing? And so it breaks down into the kinds of things that you would want to share. What’s in play here and who may own it internally? And start to provide examples of what that data may look like. 
And when you go to the table to have those conversations with legal counsel, with your boss, and say, okay, I want to share this IP address, for example, that we got an email from that was malicious. When you start looking at it that way, you’re like, oh, okay, that’s not so bad, we could definitely share that. That seems to be pretty useful information to know and won’t cause any harm to us if we share that kind of information. So it really tries to break it down into those kinds of steps. We offer also in there, with the kinds of organizations that you might want to share with, so not only ISACs but maybe other incident response teams, law enforcement, even other government partners, globally as well. So there’s some hints and tips in there about that, too. So it’s really, you know, it’s a primer on really how to get started. And as good as info sharing may be in some circles, people need a lot of help in order to get started, so that was really the intent with that document.

Saul Marquez:
Wow, that’s huge, what a great resource. Folks, I always say this, but it’s worth emphasizing. If something today resonated with you, don’t just stop at listening, take action. And inside of the show notes, the document that Errol is sharing with us, it’s right there for you and your organization to start. You know, it’s kind of like, it’s interesting, right? Because for the longest time, Errol, I think of like, I kept thinking about, like mental health and how it was taboo to talk about mental health. And it still is to a certain extent, although it’s gone away, right? We’ve normalized it more, one in five Americans has mental health challenges, we’ve normalized it. In a way, it’s almost like taboo to talk about if something happened to you, but yet we could learn so much from each other as these things happen, like a neighborhood watch.

Errol Weiss:
That’s exactly right, and I’d say it’s also it’s contagious, too, to a large degree. And we talk about it in the paper about some of the other benefits that might not be so obvious and to put an obvious one out there. Just to reiterate from my own personal experience, you know, when I was in the banking finance sector before I got into healthcare doing this kind of work for large banks back in 2012 and 13, the Iranian government was attacking the banking and finance sector in the US. They were throwing, distributed denial of service attacks at bank after bank after bank because of the sanctions that were going on at the time. Of course, nobody knew that until a little later, but the banks were having a hard time dealing with a lot of this denial of service activity, and it was causing some severe web impacts at the time. And the neat thing about, again, about the ISAC was that we were able to come together and talk about the experiences, talk about the attacks that we were seeing, and provide some real-time tips and tricks on what was working and things to watch out for. And it really helped the other banks from becoming, let’s say, victims of that DDoS attack at the time. And then the other thing I see also was just from a personal standpoint, learning so much. You know, even though I was working at a big bank like Citibank at the time, thinking that we had all the resources in the world available to us, it was not unusual for me to get into some of these info-sharing circles and learn an incredible amount from someone at a bank I’ve never heard of in the middle of nowhere. And so you never know who you’re going to learn from is my point, and it’s just, it’s a great environment to be able to put yourself out there and to be able to learn and absorb information from others. So from a personal standpoint, really, it’s a growing opportunity, these little information-sharing circles. 
And then the last thing I’ll point out is, is even leadership, so, and leadership under fire, I’ll say. So, I saw a lot of people during incident response times exhibiting leadership behavior, exhibiting exemplary behavior while they were under fire, dealing with an incident, and how they conducted themselves. And so I watched that behavior myself and saw like, wow, they’re there, they’re acting cool and they’re under a lot of pressure right now, and this is the way that you want to be able to present yourself when you’re talking to your own leadership and trying to try to deal with an incident that’s complex and certainly very, very stressful.

Saul Marquez:
Yeah, wow, listen, you’re a wealth of knowledge, Errol, and folks, this is just the tip of the iceberg. This month the theme is, see yourself in cyber. That is the theme for October in Cybersecurity Awareness Month. And the whole idea is that is people. People are the part of cybersecurity that can make the most difference, and what Errol is sharing with us could make a huge difference. So thank you, Errol, so much. I really appreciate your, just being with us today and sharing what you know. What call to action would you leave the listeners with? And then finally, the second part to that last question is, where can people follow you and learn more about the work that you’re up to?

Errol Weiss:
Yeah, so I think from the call to action standpoint, the kinds of things that we would say from a security standpoint is, I tell people that, you need to protect yourself online, and ultimately it comes down to when we look at all of these kinds of attacks and we talked briefly about Uber in the beginning, and I just want to use that as an example here.

Saul Marquez:
Yeah, let’s talk about it.

Errol Weiss:
That Uber attack, one of the things that the bad guys did there is they used this new attack technique called MFA exhaustion or, I’m sorry, MFA fatigue. So the idea is, it’s multi-factor authentication fatigue. And so the idea with that is, when you use two-factor authentication or multifactor authentication and the system that you’re logging into will, sometimes it will email, it will send you a text message with a six-digit pin number that you need to enter in, some of the newer apps will send a notification to your cell phone. Hey, did you just try to log in from Jacksonville, Florida? Yes or no? This MFA fatigue attack, the bad guys had this person’s username and password, but they were protected with multifactor authentication. The bad guys just kept logging in and started to text the victim to say, hey, accept the MFA, I’m with IT support, you need to accept the MFA, I’m trying to log in on your behalf. And they did it repeatedly, repeatedly after time. Over the course of an hour, kept sending repeated login attempts to this person until they clicked on the yes, that’s me. And once they did that, the bad guys were in. So we talk about using multifactor authentication as one of the ways to help really protect accounts and keep the bad guys out. Now, the bad guys have figured out a way to get around that essentially and get through. So the thing, the lesson learned out here is, again, is educating the users. Everybody out there listening to this, tell someone at work, tell somebody at home about it. Make sure that they don’t fall for this kind of a scam and protect those accounts. But as I said earlier, the long story of protect your own stuff, protect your email, all your password resets, all your information is going in and out of your email account. Make sure if you use Gmail, Yahoo!, if you’re old enough to have AOL and you’re still using that, whatever, turn on multi-factor authentication. They all support it, right? 
So at least, in lots of ways, you’re making yourself a very hard target compared to everybody else out there. So protect your email, that’s one of the things that I would say to protect yourself and protect your firm eventually, ultimately, the place where you work from potentially becoming a victim because the bad guys are going to figure out where you are, whether they attack you at work or at home, they’re going to leverage all of that to try to get into your work account at some point. So we see that happening all the time, and again here, this Uber example is a classic example where the bad guys were texting the victim on his personal device to let them in. So that’s a big part of it, so, anyway, I’ll give you the link to the HEALTH-ISAC website and people can certainly follow us there, and we publish white papers and we make toolkits like the info-sharing best practices document available there for free as well.

Saul Marquez:
Amazing. Errol, I can’t thank you enough for jumping on with us. This has been insightful and certainly thank you, for all the work that you’re doing with the Council as well as just for the industry in healthcare. We’re grateful for it.

Errol Weiss:
Okay, Thanks, Saul. Appreciated being here.

 

Things You’ll Learn:

  • An ISAC (Information Sharing and Analysis Center) is a place for each of the critical infrastructure industries to share information with each other to learn and better protect themselves from cyber threats.
  • The three main reasons for cyber attacks are money, nation-state espionage activity, and hacktivism.
  • Hacktivism is a social, politically motivated threat. 
  • Normally, hacktivists expose information or documents online to embarrass or shame their targets.
  • Digital currencies allow cyber criminals to maintain their anonymity, which is why they can get paid through those currencies with almost no fear of being caught.
  • Every day new cyber vulnerabilities are discovered.
  • There’s a cyber attack technique called Multi-Factor Authentication Fatigue, where attackers repeatedly trigger MFA prompts until the user gives in and accepts one, letting them in.
  • Protect your email by turning on the Multi-Factor Authentication, as it still makes you a very hard target for attackers.

Resources:

  • Connect with and follow Errol Weiss on LinkedIn.
  • Follow HEALTH-ISAC on LinkedIn.
  • Discover the HEALTH-ISAC Website!
  • Read the Health Industry Cybersecurity Information Sharing Best Practices Document!
  • Visit the Health Sector Coordinating Council’s Website!