ORLANDO – Kevin Johnson, white-hat hacker and CEO of the Secure Ideas consultancy, had a statement and a couple of questions for the infosec professionals in the audience Monday afternoon at HIMSS22.
“I think that most people don’t understand what they’re actually protecting against,” said Johnson. “I’m going to ask for a show of hands.”
He asked: “How many people here – and we will assume with permission – have dumped credit card data, Social Security data, health records, whatever, from a system they should not have been able to dump that data from? OK, I’ve got like three hands that I can see, other than my own, maybe four.”
Another question: “How many of you have injected code into a web application that ran in somebody else’s browser? OK, a couple more.”
Johnson cut to the chase.
“Here’s what I worry about: They want me to act like the real bad guys do,” he said, referring to the clients, such as banks and healthcare organizations, who hire him to “break in and steal stuff.” (“We always give it back.”)
“But here’s the thing that concerns me,” he told the audience of healthcare IT leaders. “You’re making decisions on what security controls you’re going to implement, either as an individual for yourself or for your organization – yet the vast majority of you have never seen a hack pulled off.”
All day long at the HIMSS22 Healthcare Cybersecurity Forum, ransomware, unsurprisingly, was a constant topic of discussion.
But ransomware “is probably the least of your concerns if you want to truly assess risk,” said Johnson.
“Ransomware is bad, don’t get me wrong. But in most cases with ransomware – most, not all – you’ve lost no data to the attacker. You may have lost data because of [lack of] backups and things like that. But what’s a bigger concern for me – and really should be a bigger concern for you, in my opinion – is the loss of data that impacts patient care. The loss of data that impacts your ability to help patients.”
A good defense must understand how an offense is constructed, said Johnson.
“In football, they’re trying to get that weirdly-shaped ball from one end of the field to the other end, and there’s a couple of ways they can do it. But if the defense doesn’t know those couple of ways they can do it, how are they going to defend against it?”
Even worse, some healthcare organizations are embracing the wrong approaches.
The answer, said Johnson, is not to compel employees to attend “yet another stupid damn user-awareness training!”
“The number of times that I see people get an email that they click on to go to a training that tells them not to click on links in email is asinine,” he said.
“Let me be very clear,” he added: “I took complete control of a hospital organization by sending out a user-awareness email. The guy who hired me clicked the link and logged in!”
Here’s how it works.
“You hire me. I say, ‘OK, we signed a contract.’ I come up with a ruse. I send it to you for your approval because I want to make sure that I’m not doing something that’s going to cause you problems. And I want to let you know what the ruse is, so when you start getting the questions, you know what’s going on. So, I sent the email back. And he said, ‘Yes, that looks good.’ Five minutes after him approving the email, he clicked the link and logged in.
“It took us half an hour to get domain admin credentials,” said Johnson. “When we were doing our debrief that evening, I said to the guy, ‘Hey, dude, you didn’t need to test that email. We tested it before we sent it to you.’ And the guy let out an obscenity I’m not repeating here. And that’s when I realized he hadn’t tested it. He was an enterprise admin on the Windows network and gave us his credentials. Oh, and they didn’t have multifactor authentication.
“One of the attacks I do quite regularly is I will send an email to you that tells you it’s time to change your password,” he explained. “And there’ll be a link for you to change your password. I hate to break it to you, but that link doesn’t go to your system. It comes to mine. And we get to play.
“The reality is, and this is the bad news, I do not care what you do. I will break in. And I want to be clear. I’m not saying that like, ‘Man, I’m a badass hacker and I’m getting in.’ I’m not even that smart. I’m telling you, I’m going to get in because I’m going to keep trying until I do.”
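The password-change lure Johnson describes works because the link’s real destination is a host the attacker controls, not the organization’s own sign-in page. The check below is an added example, not code from the talk or from Secure Ideas: it pulls every link out of an email body and flags the ones that point outside the organization, that imitate its name, or whose visible text shows a different host than the one actually linked. The organization domain example-hospital.org and the sample email are constructed for the example.

```python
"""Flag credential-harvesting links in a "change your password" email.

Added example (not from the talk). Assumes a hypothetical organization that
owns example-hospital.org; the sample email below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical: domains the organization actually owns.
ORG_DOMAINS = {"example-hospital.org"}

# Constructed sample: one look-alike host, one mismatched display text, one legitimate link.
SAMPLE_EMAIL = """<html><body>
<p>Your password expires today. Please
<a href="https://portal.example-hospital.org.reset-now.net/login">change your password</a> now.</p>
<p>Or visit <a href="https://sso.example-hospitai.org/">https://sso.example-hospital.org/</a></p>
<p>Questions? <a href="https://helpdesk.example-hospital.org/kb">Help desk</a></p>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def in_org(host, org_domains=ORG_DOMAINS):
    """True only if host is an org domain or a subdomain of one (suffix match on a label boundary)."""
    return any(host == d or host.endswith("." + d) for d in org_domains)


def classify_link(href, text, org_domains=ORG_DOMAINS):
    """Return the reasons a link looks like a harvesting lure; an empty list means it passed."""
    reasons = []
    host = host_of(href)
    if not host:
        return [f"link has no web host: {href!r}"]
    if not in_org(host, org_domains):
        reasons.append(f"host {host!r} is outside the organization")
        # A foreign host that embeds the org's name is a look-alike, not a coincidence.
        for d in org_domains:
            if d.split(".")[0] in host:
                reasons.append(f"host {host!r} imitates {d!r}")
    # Visible text that shows a URL must show the same host the link actually goes to.
    shown = re.search(r"https?://([^\s/]+)", text)
    if shown and shown.group(1).lower().rstrip(".") != host:
        reasons.append(f"displayed host {shown.group(1)!r} differs from actual host {host!r}")
    if urlsplit(href).scheme.lower() == "http":
        reasons.append("link is plain http")
    return reasons


def scan_email(html, org_domains=ORG_DOMAINS):
    """Map each suspicious href in the email body to the reasons it was flagged."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = classify_link(href, text, org_domains)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for r in reasons:
            print("   -", r)
```

The suffix match in `in_org` is deliberate: `portal.example-hospital.org.reset-now.net` contains the organization’s name but its registrable domain is `reset-now.net`, which is exactly the shape of host an attacker registers for this lure. A check that only looks for the org name somewhere in the URL would pass it.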