Heartless Hackers: Thwarting Cyber Attacks During a Pandemic

Subscribe on your favorite platform:

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Malicious attacks were the listed as the dominant threat vector and source of healthcare breaches this year according to IBM’s 2020 Data Breach Report [1]. Top sources of compromises from these malicious attacks included compromised access credentials, cloud misconfigurations, and vulnerabilities in third-party software.

Opportunistic cyber attackers have seized the moment of a pandemic to target vulnerable healthcare entities and their remote workforces for their own personal gain. Attacks have leveraged COVID-19 themes for social engineering assaults, phishing campaigns, ransomware entry, and more. Healthcare organizations are on their heels trying to thwart unprecedented viruses, both physical and virtual alike.

In this CyberPHIx episode, we speak with Kevin Sacco, who leads the Ethical Hacking and Penetration Testing practice for Meditology Services. With almost 20 years in the field, Kevin talks about his experiences hacking healthcare organizations, including recent pandemic-era attacks. Highlights of the discussion include:

  • Heartless hackers: the bad guys and their motives
  • Common healthcare security vulnerabilities and cybersecurity weak spots identified in penetration testing assessments
  • The impact of the pandemic on attack methods, remote workforce targeting, and protection mechanisms
  • Recommendations for the most cost-effective and impactful security controls to mitigate attacks
  • War stories from decades of hacking healthcare entities

The average breach costs healthcare organizations $7.13m. Organizations that conduct routine penetration testing save an average of $243k per breach.

Healthcare is likely to remain in the cross hairs of attackers for some years to come. Kevin provides practical and cost-effective recommendations for thwarting these damaging attacks on our critical healthcare infrastructure.



Brian Selfridge: [00:00:00] Hello, this is Brian Selfridge, host of the CyberPHIx, the leading podcast for information security, privacy and compliance, specifically for the health care industry. I would like to welcome my guest, Kevin Sacco.

Brian Selfridge: [00:00:10] Kevin is a storied and talented career ethical hacker who has specialized in hacking the health care industry and has served almost 20 years in the field. Kevin leads Meditology Penetration Testing and Ethical Hacking Services line and has a long history of successful virtual breaking and entering into health care environments. Prior to Meditology, Kevin held security and compliance roles with prominent organizations including PricewaterhouseCoopers and Citrix, and is also an expert in PCI card payment security. Kevin has obtained more technical security and compliance certifications and I can name in one sitting, so I'm not going to bother. I'm very honored and excited to have the opportunity to speak with Kevin today about his experiences hacking the health care entities over the years. And we're going to do our best to distill those war stories and lessons learned into a single short podcast episode so that Kevin can get back to pillaging, plundering and hopefully rescuing many of the health care entities that he serves. So, Kevin, welcome to the CyberPHIx and thank you so much for taking the time to be here with us today.

Kevin Sacco: [00:01:06] Thanks, Brian. Looking forward to it and excited to be here.

Brian Selfridge: [00:01:09] So first off, Kevin, tell us a little bit about who are these bad guys? Who are these heartless people? Maybe they're not all guys. I don't know, I shouldn't assume, that are attacking health care entities during a pandemic. What are they after? Why why target health care and particularly during a time of crisis?

Kevin Sacco: [00:01:25] Yeah. So a few questions there.

Kevin Sacco: [00:01:27] Hackers are opportunistic types of folks. What we're seeing with the pandemic, I think it's the same actors that have been acting all along and there's different ones. You know, you have the nation states that's coming from China, Russia, Ukraine and other areas of the world that are targeting. You know, you have folks that are just doing it for economic advantage. You have hacker groups out there. So there's a lot of hackers that are out there. I think,with the pandemic, like I mentioned, that hackers are opportunistic is that they see that there is something that's happening in the world, a big event, and looking for opportunities in that to hack into an organization. Some of the big things that we're seeing is an increase in phishing and social engineering activity, especially around COVID. We've even done it with some of our our phishing and social engineering using COVID and doing those type of things. You're seeing an increase in remote workers that are out there. So that's another target that that I'm seeing that the hackers are targeting. Health care, I think right now is overwhelmed with coping with the situation that is happening, and that can be another opportunity when organizations get overwhelmed, that can lead to insecure practices.

Kevin Sacco: [00:02:48] Additionally, the switch to remote working and in dealing with that whole thing and the dynamics of having to stand up new infrastructure and having people work remotely, it just creates more opportunities for the hackers to target these individuals, especially through phishing and social engineering attacks or VPN attacks, external attacks.

Brian Selfridge: [00:03:11] We keep having all these ransomware attacks in health care. Is that is that because the bad guys are going after health care entities specifically for all the reasons you just mentioned? Or are we just really have really weak security controls and we are sort of getting lit up more than other industries. Why do we seem to be having bearing the brunt of these these ransomware attacks?

Kevin Sacco: [00:03:31] Yeah, I think with the ransomware thing, you have a couple of things happening there. One, that the data the health care holds to what health care is doing in serving people, causing a ransomware attack at a health care organization, it can be very detrimental, could stop them in their tracks and just locking up patient data, not being able to help patients anymore is more enticing for attackers to exploit the health organization's inability to recover from that quickly. And I think pay a ransom. The other thing that you have out there is health care overall. And I think we'll get into this maybe in a little bit is just there is an overall weak target, just just a lot of places that a hacker can target and get into a health care network. So they're going to target them over somebody else that may be really mature in their security practices and have a lot of controls and really lock down environment. If there's a health care entity that is out there and has some weak security controls that they can get in and also not get detected, that's just going to lead to them getting hacked.

Brian Selfridge: [00:04:37] You mentioned health care being a relatively weak target. Can you elaborate on that a little bit? What are what are some of the more common security weaknesses that you see as you are "breaking and entering" ethically.

Brian Selfridge: [00:04:47] What are some of the most common exploits that you use or areas of weaknesses that you see for health care entities?

Kevin Sacco: [00:04:55] Yeah, I think overall what we see is speaking first externally. We still see a lot of organizations, they don't have multifactor authentication in place, so that's a big one. And then know organizations that we've seen put multifactor authentication in place. We've seen some misconfigurations in that. And one of the big ones is self self enrollment still configured. So if, say they have multifactor authentication out there and they enroll all their doctors in it and only half of them enroll to get a security token, we can take advantage of that self enrollment process and enroll ourselves in our device into it if we know their username and password. And that's a big issue and kind of and some other issues around multifactor authentication that we've been able to get around. I would say probably in the past, just year alone, the health care providers that we targeted probably about more than half the time we've found ways around their multifactor authentication. The other big issue that we see out there is password management. So we're seeing a lot of weak passwords. And I'll probably talk about that throughout this podcast because it's a big sticking point for me in a big area. I see that that is really weak, especially in health care. We're seeing a lot of password policies that still allow passwords such as Summer2020. So it meets your password policy, has capital letter, has some numbers in it. It's it's fairly long at 10, 11, 12 characters.  So it's password policy. And you see a lot of users do that. And then their passwords are up for that 90 day rotation in the fall and it turns into Fall2020.

Kevin Sacco: [00:06:31] This still meets the password policy and passes fine. So every organization that we target that doesn't isn't doing more advanced type of password management, things like password filtering and bad password list and those type of things. We see a whole handful of accounts that have that some of the biggest areas we see externally, some of the other things that we see, some legacy protocols. These protocol could have multifactor authentication on your email system, but we can access your your email that way and start pulling things down the global address system and start looking through emails for other ways into the network and passwords that may be in email and data so that there's some of the biggest, you know, that we see from an external standpoint, the other kind of going more into the internal side of the house. One thing that we really like to take advantage of is and we see quite a bit of is default clinical vendor accounts out there. There is just a whole bunch of them out there. And, you know, sometimes we've seen the VPN allow those accounts in and then usually that gives us quick access to a clinical server and we can escalate our access up to domain and other issues that we see out there.

Kevin Sacco: [00:08:02] You know, just some basic patching type of stuff that's out there. We still see quite a quite a bit of EternalBlue's that's out there. And it's very easily to exploit with exploit code. We're seeing a lot of still low hanging fruit. It's gotten better through the years, but we still do come across things like open authentication and see we find a lot of open shares. We're seeing scripts out there that have passwords and even domain admin passwords and service account passwords hard coded in clear text and, you know, a batch filer VBS script or PowerShell scripts. So we're still seeing those quite a bit that I think a lot of organizations overlook. One other thing that we take advantage of a lot, too, is we see from Kerberoasting a lot on our networks and that type of attack. If we get a user account, we're able to interact with the customer service and get those tickets that are hashed with an encrypted hash and then we're able to crack those. And really, the only way to prevent that type of attack is really having really good, strong passwords on your service accounts. And I'm talking about twenty five character type passwords. So a lot of times we get in, we get a user account, we do that type of Kerberos attack and we gather a whole bunch of hashes for service accounts and then we're able to crack those and have a domain admin account pretty quickly as well. So they're probably the biggest areas behind that that I really see kind of that we constantly are taking advantage of.

Brian Selfridge: [00:09:32] So in a nutshell, Kevin, can you walk us through how a typical hack plays out for health care entities? So how do you go from having absolutely no access and sort of approaching a target to getting to a place where you do and can obtain some sensitive information or maybe elevated access to the network? And just a quick disclaimer for our listeners here, for those that might think as we describe these processes, that we're sort of giving away state secrets and those types of things. These are the same types of attacks that the bad guys are doing. Every day we look at the breach reports, we look at the ransomware attacks, the targeted attacks, they're using the same techniques. So so before you send us nasty emails about that, we hopefully, by and illuminating some of these scenarios, we can give you a better understanding of how you need to protect your own environment. So that's my disclaimer.

Kevin Sacco: [00:10:18] Sure. So starting with with conducting tests from that black box, external testing perspective, one of the first activities that we're doing is that open source intelligence gathering out there. So we're really trying to gather any information that we could use to attack the health care entity and looking for things like user names and email addresses. So first thing we're going to do is target a user repository. So one will be for a health care entity. And a lot of times you go on the website and the whole doctor's directory is published. So we're going to pull that down and create some user names. With that, we're going to go on to social media, especially LinkedIn, and find that organization and pull all of what we can from LinkedIn. We're going to look at some of the breach databases out there. So some of the big databases like the LinkedIn hacks, the Yahoo hacks and stuff like that, and search some of those for any of the email addresses of the health care entity. From that standpoint, the next thing that we are targeting is looking for log on portals that are out there. So identifying what is out there on their external perimeter. So we're starting to do kind of some discovery and probing, looking for services, looking for postings out there, looking for those log on portals that are out there. Some from there, once we kind of know what the username structure is, we're able to validate that we have a healthy list of usernames.

Kevin Sacco: [00:11:44] Then we'll usually start a password spraying attack on one of the portals that we identify. And this is using some various different tools. Sometimes we use proxy, sometimes we're using different scanners and different things. But typically they're automated type of tools, essentially doing a password spring saying, hey, this username, do you have this password and looking for any any success that we have with those. And we'll keep doing that practice. And we're doing it usually once or twice a day, most because we want to we don't want to lock out accounts. We don't want to cause any issues in health care. And and we don't want to also alert that if an organization is seeing a bunch of locked out accounts, then they might get alerted and be like, oh, somebody is doing something, you know, and what's happening? And we can we kind of get alerted. So that's typically the way that we would start to we'll find kind of a valid username and password. And once we have a few of those valid usernames and passwords, the next step is really kind of identifying can we gain access with those credentials that we have? You know, like I said, a good amount of the health care organizations that we run across now have implemented multifactor authentication on their VPN or their remote access portals. So a lot of times we're up against that. But again, like I spoke about earlier, what we'll find different ways around that multifactor authentication into another one that we've had success with is, you know, is the push notification.

Kevin Sacco: [00:13:04] And this is really kind of interesting because, you know, a lot of times we see it more of a behavior type of issue. So the way to push notification is you log log in and then you push kind of the authentication to the smartphone that's registered for that multifactor authentication. So we have a handful of accounts. We'll go through them and start pushing to those people's phones. And, you know, I think it's a lot to do with kind of we're getting so much stuff sent to our phones. I think that's one of the things. And so some people are just kind of clicking things, you know, just kind of out of habit. Oh, I'm just doing that. And then the other the other reason is to is, you know, they may be logged already in to their VPN or email, especially during COVID, because they're working remotely. Right. And they're accessing the VPN. So they may just think, oh, I'm getting another notification that I need to authenticate it. And so they're just getting pushed and make sense. You know, one things we might do is like, OK, they start work at eight a.m. will trigger all those around 8:00 a.m. because we know they're starting to log in for the day. Right. So it's an interesting thing, but we've had a lot of success with with the push notification as well, getting around the multifactorial indication.

Kevin Sacco: [00:14:12] So that being said, you know, see, we were able to get know we got some credentials. We're able to get around the multifactor authentication that they had in place. You know, the next step is what do we have access to? So if we have access to VPN or web portal.

Kevin Sacco: [00:15:24] Recently, I've set up my own videoconferencing session with my PC and the PC on there because that was what they allowed, didn't allow any other types of file sharing apps or anything like that. And I couldn't copy and paste. I couldn't get access that way. So I set up a videoconferencing reading session and then it has a file upload and file download functionality. And I use that and start uploading my tools that I need. So that's another way I kind of feel about it. Like I said, with the clinical default to say, I would say that's probably a pretty common way that we we get in. So I kind of go with that route right now and say we got identified a few servers out there that are clinical servers that have some the default credentials. Now we've got local admin on a server. Once we got local admin on the server, then it kind of really it's just about escalating now that level access up to a domain admin type of level of access.

Brian Selfridge: [00:16:34] So, Kevin, I saw also in the in the recent Ponemon IBM report that dwell time for an attacker for a bad guy in a health care environment is 329 days. Gosh, that's almost a year that the bad guys are in the environment doing bad things before they are detected and hopefully kicked out.

Brian Selfridge: [00:16:52] And a forensics analysis is put in place and all kinds of recovery is done. But why do you think it takes that long for health care entities to detect the bad guys once they're inside doing these things?

Kevin Sacco: [00:17:05] Kind of speaking from my own experience.

Kevin Sacco: [00:17:06] First, I would say the majority of time that we get in, especially kind of from that what I just kind of walk through from an external to to an internal level of access and you're going to look at that and see that, OK, you know, we found some accounts with some weak passwords and we found some, you know, issues with the multifactor authentication. A lot of that stuff is is fairly hard to detect. And I don't think a lot of health care entities are detecting that stuff. It's pretty rare that we get detected on the outside from a health care entity. And you got to remember, we're doing these assessments in one to two weeks. So we don't have the luxury to kind of slow down and kind of spread it out over a three month period where a bad guy may, you know, they may have can really, really take their time if they want, and really be kind of the slow type of kind of roll with it and and not cause any type of alert.

Kevin Sacco: [00:18:00] The whole hacking and testing world is there's so many tools out there nowadays where there used to be maybe a good 30 to 50 tools out there. Now there's thousands of tools that are that are out there. And a lot of them are really good. A lot of them are evading or utilizing different kind of data methods that the operating system and things that are just kind of hard to detect unless you're really kind of utilizing some good detection controls and some good tools out there. So I think that's another thing is just kind of around being able to do that kind of initial detection, having kind of the tools and the processes in place to to get those detections. And then just kind of the security vulnerabilities that I talked about that are kind of taking advantage of, you know, typical user behavior of logging into a VPN and accessing a web portal, even accessing a default vendor account. Like that's a legit account that's out there that somebody is accessing. And it's you know, they're seeing a log on attempt that successful kind of hard to detect that type of stuff.

Kevin Sacco: [00:19:04] So identifying these issues is half the battle. What are the attacks? How are they doing and how are they getting in?

Brian Selfridge: [00:19:10] But we know health care entities need to make some really tough choices around where to spend their budget and their time to achieve optimal protection without taking away critical resources from the rest of the business or patient care if their if their provider or a delivery organization. What are some of the top two or three places that you recommend health care entities invest to get the maximum return on being able to either prevent, detect or mitigate attacks?

Kevin Sacco: [00:19:37] Yeah, I think the first thing I'm going to talk about with is people and processes type of thing before kind of getting into more practical tools and things they can do. The organizations that I've seen do security well, and this is health care that's coming from a very limited budget that a lot of times when we have two or three security staff members and resources. They don't have the luxury of being in another industry that has a huge budget, that has a huge amount of resources at their disposal for security. What I've seen work well is a good partnership between security I.T. application teams and across departments and really putting some processes in place and training some of the IT folks and some of the applications of some of the people in the party as essentially security liaisons. So, for example, you know, you have DBAs, you have network admins, you have admins getting those folks sharp on their security and really responsible for the systems that they're owning and managing for the security of that. So getting them trained, whether that's the security team training them or them getting some outside, some good training in place around that and really taking ownership of those type of things and being kind of the the security resource for those type of things. You know, where there is kind of a partnership between security and and application teams, where they're working together and they're all in it together in a way of securing the environment.

Kevin Sacco: [00:21:10] Another good thing may be also looking at for departmental liaisons where there's a person that has a little more above kind of the typical user technical knowledge and understanding and may be able to help with the security team of kind of being that point person for that department and helping kind of look for things and have some process and have some operational type of processes in place to kind of be the eyes and ears for that particular department. You know, another big thing I think is really getting an understanding of your threats and your threat vectors. One area that might be really helpful is getting those different teams together, security and I.T. and different folks in your organization, and then also bringing in some bring in some all kinds of security people from the outside that are that are doing offensive security and understand it, getting some some people to have some great experience and have partner with those to come in and and help kind of work with those and identify those threat vectors and threat models and really understand kind of where they're at and addressing those and prioritizing those and then really addressing from there, breaking that down into controls and understanding what controls you have in place to prevent those threats and then testing around it.

Kevin Sacco: [00:22:22] If you're not testing, you're just going to be guessing. So you really have to have to do the testing around it. And whether that's penetration testing, whether that you have somebody that has the technical chops and house to kind of be looking for that low hanging fruit and learning how to do that type of stuff, and then also looking at specific areas. Right. So passion management will take, for example, one of the things that it's you know, there's plenty of free tools out there you can do password cracking with. Or if you have the funds, you can hire information that that does it all the time and try to crack your passwords out there. So, you know, putting the controls in place. So having the password policy, maybe putting password filters in place, putting bad password. Listen, the next step is doing some periodic audits because there's going to be gaps. And I think what happens is a lot of times we put the controls in place and then we don't realize that there can be gaps, that somebody created that password or a vendor came in and created that password or somebody a doctor was having trouble with their account. And it helped us change their password to something easy for the time being and took off the password expire flag or there's some legacy accounts sitting around and kind of we get this warm and fuzzy that we have a password policy and it's all good and we think everything's good with it, but has actually been tested.

Kevin Sacco: [00:23:39] Same thing with endpoint controls. Do we really know that they work? Well, do we know that your antivirus is can it be invaded? Can it can it stop? What can it do? What it's what does it keep its capabilities? Not everybody can afford the greatest latest next generation type of stuff. But what can you do around that? Was there some issues around active directory controls, issues around permissions in the organization? So all of that type of stuff getting a good handle on it and really addressing kind of those low hanging fruit to begin with and then really kind of deep diving into the certain areas that from a prioritization of those threat vectors and really addressing those controls through looking at it and thorough testing. And then, you kind of can build out a program from there that that's what I see. And Brian, I am interested in your experience, being a former CISO and living in that kind of operational world, you know, maybe what have you seen works?

Brian Selfridge: [00:24:38] Well, I'm always fascinated about the different types of security leaders out there. And I put them into buckets sometimes. And I and I've worn different hats in various stages of my career. So I'm not throwing stones at anybody.

Brian Selfridge: [00:24:49] There are some security officers that are very tool-centric and will sort of gravitate toward a comfortable, IT focused place to solve some of these problems, so they'll want the latest intrusion detection stuff or data loss prevention tools or, you know, monitoring software or the list goes on to rattle off all the tools. There's a million different capabilities that you can automate in the security realm these days, and that becomes its own challenge of figuring out which ones to use. So there's sort of the tool-centric view. Then there's others that will be more process oriented, which I think you've alluded to, that really focus on audits, controls, assessments and being able to sort of drive and validate controls that way and then just close up the gaps.

Brian Selfridge: [00:25:38] If we've assessed and we validate and we see that there's gaps here, there and the other, then looking at what tools or processes do we need to put in place and prioritize. So for me, I've leaned more often toward a process view, and that might just be how I was raised professionally in large professional services organizations and then and the like, where I like to start with process and to look at where our actual exposures before I throw money at anything. I mean, there's some fundamental capabilities you have to have, right? I've always understood that there's anti malware and basic "bread and butter" controls like password policies and things that, OK, we've got to have those in place, I mean, to audit those. But when it comes to the next level of where do I spend on that discretionary spend, for me it's a lot about process and it's a lot about putting the right technology in the right spots and and really investing in the people side of things, whether it's awareness and training or my own security team and the like. So that's how I view it. I think it's a philosophical thing and everybody's a little bit different. But I do know that at some point the budget runs out and there's only so much you can do. And I'll ask you about that, Kevin.

Brian Selfridge: [00:26:44] Are there places where you've seen organizations under spend and fail to invest in maybe one or two areas that you think are are no brainers?

Kevin Sacco: [00:26:56] There's a few things that come to mind, Brian. You know, one thing is, you know, I think the external perimeter, you have to have that tightened up as much as possible.

Kevin Sacco: [00:27:05] And I think the way to do that is, is testing. And I think that kind of dovetails into password management, vulnerability management, authentication, multifactor authentication. You got to remember the external parameters. You open up to the whole wide world. That is a huge risk to me. And if somebody can get through your perimeter and get into your network from anywhere in the world, that is a big kind of risk and probably the most riskiest type of thing that's out there when I kind of get it down a little further. Right. What does that mean? And I talked about password management a lot. And I think this is definitely an area that is not focused on enough. We see it over and over and over again, bad passwords. And I mean, we see some organizations. We walk in, you know, three or four hundred accounts with a password of "password". It's surprising and concerning. I think when the whole recent NIST password standard came out to there was a lot of cherry picking around that. And you can really dive into it. You know, they're talking about doing password filters, using bad password lists, not using passwords that have been in breach databases, because they're all of the things that we're taking advantage of. We're understanding kind of the, you know, the philosophy of how users are creating passwords,how they get around just the password policy. If you're not blocking the specific type of passwords, passwords with the organizational name, passwords, password and passwords with the seasons or the sports team, like those type of things that that we know we have knowledge of.

Kevin Sacco: [00:28:39] Same thing kind of when you get into the authentication thing is multifactor authentication. It's deployed and then everybody's happy and like, OK, we deployed multifactor authentication. It works great. But what we're seeing out there and we're constantly seeing is just that there's ways around it, whether it's the whole self enrollment process, whether it's a push notification, which seems like it would work great. But kind of there can be some behavioral stuff around that or some legacy type of services out there. So I would say they are kind of the biggest areas, you know, and then kind of the other area I think that is concerning is there's some organizations that have hired for us for test. I just think they're they're overwhelmed and they're not addressing root causes sometimes.

Kevin Sacco: [00:29:56] So we see we come in. We do a test one year and we come back the next year and we find the same thing. Take, for example, users and passwords issue where we might identify 20 accounts with a weak password that we identified from the external. And we give them a list of those accounts. They change the passwords and then check off the box that it's remediated. We're really recommending that you need to address it from a root cause level, like I was talking about the password filters, the bad password as those type of levels doing password auditing. They make sure that it's cleaned up and keep auditing until you've got it really solid and strong. And that's not you know, they're not huge spends. You know, there's a lot of things that you can do that are built in. There's tools out there that are not that expensive around password filters. Password cracking is pretty much free besides the resources and time or if you hire a third party to help you with that. So I just kind of see that those areas really need to be addressed. The other area I would say that we see on the inside is a lot of default accounts out there and web apps, you know, a lot of those vendor default accounts that you need to get with the vendor and start changing those that are out there.

Kevin Sacco: [00:31:09] And then vulnerability management. We're still seeing like a good handful of systems out there that are still haven't been patched and have 10, 15 year old missing Microsoft patches or a lot of EternalBlue type of big kind of vulnerabilities that ransomware and a lot of public exploit code out there that can take advantage of them.

Kevin Sacco: [00:31:31] So I think the vulnerability management side of the things can really be better. And a lot of it, if it's a tool thing, there's some free tools like openvas. But I think the big thing is kind of getting that operationalized and getting that process really nailed down where you're you're patching systems and you're also patching the systems that attempt to work. What's happening is that we're patching just the systems that are on in Active Directory. And, you know, don't worry about those systems the vendor put in, and they're sitting on the network and they're they're an entry point. They're a point of entry. And we're going to target the weakest thing that we find out there. So so those areas getting a handle on the vendor management, the medical devices and the clinical aspects that just are not well managed. I can't tell you the number of times we've identified a whole whole bunch of systems out there and the security. I've had no idea that they were out there on the network and some vendors come in and plug them in and hook them up. And sometimes we even find them joined in domain and they're just being overlooked. So really kind of doing that good discovery and understanding of what what is out there on your network and does it have the security controls and can we put security controls on it? If not, how do we compensate that? How do we segment it? How do we keep it untrusted?

Brian Selfridge: [00:32:57] Kevin, I really appreciate these insights and I know our listeners do, too, in the interest of time and letting them get back to their lives, as I'm sure they'd like to. I know hackers in general tend to have some very interesting war stories along the way. Do you have any any more interesting, strange or surprising things that you've identified in health care environments or situations you run into that you might be willing to share with us without naming any naming any names?

Kevin Sacco: [00:33:28] Yeah, I mean, there's there's a lot of stories that come up, you know. You know, I think some of the biggest things are kind of like the "wow's" that I see from a security side.

Kevin Sacco: [00:33:40] There's been clients where we've connected to their guest wireless network and we find it's completely not segmented from the internal network, things like that or like another client from the wireless side of the house. Again, they had a self registration process, but before you self registered, you were actually connected to the internal network. And then once you self registered, you got dumped into a security VLAN that the guest was on. So those type of things are kind of like, well, eye opening. I mean, there's definitely a lot of the fun stories, you know, I could talk about from social engineering and fishing. You know, one of one of the big things that we're seeing from a social engineering perspective, especially with with covid know we've been taking advantage of it is videoconferencing. So we've been finding a personnel on LinkedIn. That's part of the IT team. IT service does great help desk team. And then we'll find some employees that we're pretty sure that are probably working remotely right now. We'll target them, give them a phone call, and instead of essentially a videoconferencing session with them where we're giving them a scenario, hey, you know, we know your remote, your systems, not reporting back to our management console. We're not sure if you're getting the latest security patches.

Kevin Sacco: [00:34:58] There was a security update released, we need to make sure that your update, you know, can we check your system to make sure that it's update or can we have you run some commands for us? So we so we'll give them a set up a videoconferencing session with them and we'll put the logo of the organization that we targeted and spoof the person like it's really easy to steal somebody's identity session because you can just make up whatever you want and spoof it. And once we're on there, we're like, oh, let me take control of your computer. And then we access their computer. And a lot of times we've had them walk away like, oh, I got to get lunch anyway, so go ahead and just fix it, OK? So we got a good hour on a computer that's connected to the VPN, to their network and can you have that as target? And if we want to set up a back door or do whatever we want, same thing with videoconferencing. We can upload a file if we want and launch a script or launch an attack. So it's kind of this it's an interesting kind of scenario that we're in with a lot more remote workers where, you know, this this this scenario has been really I'd have to say we've had quite a bit of success with it.

Kevin Sacco: [00:36:02] With the phishing side of things, too, is like we've been using COVID as well as sending, updated guidelines on COVID coming down and sending it out. And please open this, this office document that has macros enabled and it will tell them you have to enable this to be able to do this and things like that. So really kind of taking advantage of those type of things has been interesting. And like I spoke about, I think in the beginning of this call is that hackers are opportunistic and we're doing the same thing. Right. We're simulating that type of thing of, OK, we got a situation and what's happening, what's changing and how can we take advantage of of that. Right. And utilize that to our advantage where there's a security issue around that.

Brian Selfridge: [00:36:50] I think, Kevin, your points around the social side of things and the messaging around the awareness and education that needs to happen in organizations is really a great way to close things out here, because I think there's some misconceptions that hacking and penetration testing in the bad guys are just these people with sophisticated tools that are picking locks, virtual locks and getting in and stealing things, which is true.

Brian Selfridge: [00:37:15] There's some of that. But so much of it either starts or is enabled or perpetuated by actions by regular people and in the workforce. And I think that's a great place to just remind everybody where to put our energies in addition to the technical capabilities. So there's a lot to do.

Brian Selfridge: [00:37:33] The attacks seem to be continuing and we really appreciate the work that you and others do to help us test and identify these these weaknesses before the bad guys do and and give us awareness into what they're the tactics they're using so we can be lot smarter but have more visibility into ways to protect ourselves that are actually going to work with with real world attacks. So with that, I would like to thank my guests, Kevin Sacco. Kevin leads Meditology's Penetration Testing and ethical hacking services specifically for health care entities. Kevin, thank you so much. This has been a fantastic conversation. We really appreciate your time today.

Kevin Sacco: [00:38:07] Thanks, Brian. Thanks for having me on.

Brian Selfridge: [00:38:19] Again, I would like to thank my guest, Kevin Sacco, for a fascinating discussion about real world health care, hacking attacks and protection approaches. I've been a pen tester myself in health care for quite a while, and I still always learn something new from Kevin. Great stuff and great insights to take back for your own security programs. As always, we'd like to have your feedback and hear from you listeners. Feel free to drop us a note about what topic you'd like to hear about or thought leader you'd like to hear from. Our email address is [email protected]. Thanks again for joining us for this episode of CyberPHIx. And we look forward to having you join us for another session coming up soon.