In a recent episode of Agent of Influence, I talked with Sean Curran, Senior Director in West Monroe Partners’ Technology Practice in Chicago. Curran specializes in cybersecurity and has over 20 years of business consulting and large-scale infrastructure experience across a range of industries and IT domains. He has been in the consulting space since 2004 and has provided risk management and strategic advice to many top-tier clients. Prior to consulting, Curran held multiple roles with National Australia Bank.
I wanted to share some of his insights in a blog post, but you can also listen to our interview here, on Spotify, Apple Music or wherever you listen to podcasts.
Cybersecurity Challenges of COVID-19
From Curran’s perspective, the COVID-19 pandemic has created a lot of challenges for organizations, many of which weren’t prepared for this situation. For example, some organizations primarily used desktop computers and now their employees are being asked to work from home without laptops, which is particularly hard at a time when hardware is difficult to source.
In addition, many companies had processes in place that they never tested – or their processes were too localized. While many companies are prepared to withstand a disaster in one location – for example, Florida in case of a hurricane – COVID-19 has affected the entire world, and organizations weren’t prepared to withstand that. The widespread global impact is why most companies’ disaster recovery and business continuity plans are failing.
The same thing goes for cyberattacks – they aren’t localized to a particular building or region, which is a challenge when most companies are only set up to lose a single building or a single data center.
As during other similar situations, we have seen an increase in cyberattacks during the COVID-19 pandemic, meaning organizations are not only having to implement their business continuity plans on a very broad scale, but also ensure cybersecurity during a heightened period of attacks.
What Makes an Organization Prone to a Security Breach?
People. Budget. And more. Sometimes it’s just that the organization is focused on the wrong things. Or they still believe that security is the security team’s responsibility – but it’s everyone’s responsibility.
Curran has seen organizations with a small number of employees and low budgets do some really amazing things, showing it comes down to the capability of the individuals involved and how interested they are in security.
Organizations also need to strike a balance of protecting themselves from old attack methods while thinking about what the next attack method might be. Attackers are very good at figuring out what security teams are looking at, ignoring it, and moving on to the next delivery mechanism. At the same time, ignoring an old attack method isn’t necessarily the right approach either because we do see attackers re-using old schemes when people have moved on and forgotten about it – or combining several old attack methods into a new one.
Key Steps After a Breach
It’s critical to first understand the point at which your employee fell victim to the virus. The day the antivirus program alerts you that you have a virus isn’t necessarily the day you got the virus.
Then you need to understand what the virus did when someone clicked on a link. Was it credential stealing or malware dropping?
To understand this, you can use toolboxes, which allow you to drop an email, an application or point to a website, and the toolbox will tell you what the virus did. Curran uses a tool called Joe’s Sandbox.
Once you understand what the virus did, you can determine next steps. For example, if it was credential stealing, you need to think about what those user credentials have access to. It’s critical to think holistically here – if the user gave away internal credentials, are they re-using those for personal banking platforms or a Human Resources Information System (HRIS)? People tend to think myopically around active directory, but Curran argues that we need to start thinking beyond that, especially as we start using cloud services.
Curran pointed out that social communication is happening on almost every platform, including Salesforce, Slack, and more. Everything has a social component to it, meaning also that there’s a new delivery mechanism that attackers could start to use.
It’s critical for organizations to start thinking more holistically about how they prepare for and respond to a security breach. For many organizations, the COVID-19 pandemic has created a perfect storm of trying to implement business continuity plans that weren’t tested or up to the task, while also ensuring security during a heightened time of cyberattacks.
To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.
Developing the CISO Role at the CIA
When I started as CISO of the CIA, no one really understood the role or what to do with the CISO. The government had mandated that every government agency had to have one, but as the second CISO of the CIA, it was evident when I took the role that there weren’t clear guidelines around my responsibilities in the organization. While we were an element in the overall security program with the agency, there was the classic argument about if I reported to the CIO or the Chief of Security. Therefore, initially, I was responsible for defining what the CISO role would be and how I could have the greatest influence and impact on the agency.
Over time, the organization grew, and individuals started to see areas where they could rely on the CISO. For example, as we started to use the Internet more broadly and began to consider taking on perhaps more risky technology or operational choices, people in the organization were asking, “Who do we go to, to find out what the risk is?” And that’s when they started to proactively turn to me as the CISO and get me involved.
As CISO, my primary responsibility was defining standards, policies, requirements, and responsibilities, and communicating those throughout the agency. Governance is the not so sexy part of cyber, but it was our primary responsibility to make sure every system we developed and operated met very high levels of security. This included all aspects, from planning, integration, testing, approval, and the standard way you would deliver systems.
The things we were super serious about were critical because we couldn’t make a mistake, so that was the easy part. The hard part was that the risks were high. If you made a mistake – and mistakes were made in judgment, in operations, in support, and in the use of certain technologies – you had to be able to recover from, understand them, learn from them and move on. No one’s perfect and none of our IT systems are perfect, so we had to deal with that issue.
Every system delivered and deployed was a collection of technology, so a lot of planning and thinking about how best to use technology and what things we needed to do to lower our profile and risks went into each project. In large part, I was trying to help senior managers understand what the risks were and make coaching decisions about cyber risk.
I experienced an interesting evolution of involvement in our own IT life (administrative IT and analytical IT) to also becoming more involved in operational use of IT technologies in the whole agency. Later, I also got more involved in strategic planning – looking into the future and what types of cybersecurity skills people would need and what technology we were going to be using.
Biggest Challenges of Being a CISO Today
1. Most Organizations Don’t Do IT Well
The problem in private industries that I see that make a CISO’s life most challenging is that they don’t do IT very well. If an organization doesn’t do IT well, they’re not going to do IT security well. I’ve never seen an organization do IT poorly but do IT security well.
What I mean by “not doing IT well,” is they have no central planning, no central governance, no focus, and no strategy. Everyone in the business is out building their own thing, making their own deals, going to the wrong cloud providers, building their own systems, and making connections with their own vendors. It’s a free-for-all and the poor CISOs are trying to keep track, keep management, and keep control from a security perspective of all this constant noise and constant change in the environment, which they say has to work at the pace of the business because they’re always looking for opportunities to grow the bottom line.
This posture forces CISOs away from good planning and good strategy towards running after the next big opportunity. The business is going to build the application, they’re going to deploy the application, or they’re going to make the deal with the third-party vendor whether the CISO is with them or not because there’s no penalty for not having the CISO with them.
2. The Bulk of a CISO’s Time is Spent on Reactive Projects
A second big problem for most CISOs is that they spend 80 percent of their time on reactive projects versus 20 percent on proactive projects. Even in organizations that are better or more centrally managed where there’s an IT portfolio of known projects and processes, you still have shadow or ghost IT where there’s a risk because of the way most businesses conduct themselves with their IT. The cloud hasn’t helped either. Most of these companies have three, four, five different cloud projects going at the same time across their company, making life very difficult for the CISO and forcing them to spend the bulk of their time being reactive.
Keys to Being a Successful CISO
1. Instill a Sense of Responsibility in Your IT Organization for Cybersecurity
CISOs should instill some sense of responsibility in their IT organization for cybersecurity.
I was working with a company recently where we finally got an agreement with all the senior IT managers of innovation, digital innovation, application development, and systems deployment that each one of them in their performance appraisal, would now have a rating on how well they implement cybersecurity policy and support the cybersecurity program – and the CISO will write that review. We did that because of the way the organization was continually disregarding cybersecurity policy standards. Many knew what they were supposed to do but were disregarding it, so we knew we had to fix that problem first.
You must make cybersecurity part of IT governance.
2. Don’t Focus on Compliance
This is hard, especially for financial services organizations that must comply with various regulations. But when you’re chasing the compliance checklist, you’re usually not focusing on the sophisticated APT (advanced persistent threat) groups. Too often when I go into organizations and find out what they’re doing, they’re working on a variety of cybersecurity projects, mostly because an author came down to their office with that direction and then the next month, came with different direction, and so on. And soon, the organization is working on an odd collection of projects.
But, most importantly, what they’re not focusing on is the real risk and the real risk is sitting in Russia coming up with better attack payloads and techniques. This is what organizations need to be focusing on, much more so than they are today.
On May 13, 2020, NetSPI President and COO Aaron Shilts was featured in Dark Reading.
Aaron Shilts, president and chief operating officer at security testing firm NetSPI, says faster software development life cycles and inefficiencies in manual deep-dive penetration testing programs are driving interest in PTaaS.
Organizations are overloaded with traditional pen-test PDF deliverables, many of which can contain a mountain of findings, he says. This has made it difficult for organizations to prioritize, correlate, and drive remediation activities.
“PTaaS is essentially an enriched delivery model, making it easier for customers to consume testing services, from initial scoping to reporting,” he says. “It ultimately helps to accelerate the remediation process.”
Read the full article here.
On May 13, 2020, NetSPI Managing Director Nabil Hannan was featured in Credit Union Journal.
As COVID-19 stay-at-home orders begin to lift, people who have the capability to do business from home are being encouraged to do so – and credit unions are no exception.
Throughout the pandemic, organizations have had to put business disaster recovery (BDR) and business continuity plans (BCP) to the test – and in tandem, we’ve seen an increased emphasis on cybersecurity resiliency.
Cybersecurity concerns have risen over the past couple of months as attackers continue to take advantage of the situation. Notably, the Zeus Sphinx banking trojan has returned, phishing attacks are up 350%, and the growing remote workforce has increased the use of potentially vulnerable technologies.
Read the full article here.
Back in the mid-1960s, computer experts warned of the inevitability of bad actors trying to access information across computer lines. In fact, InfoSec Institute cites that “at the 1967 annual Joint Computer Conference…more than 15,000 computer security experts, government and business analysts discussed concerns that computer communication lines could be penetrated, coining the term [penetration testing or white hat testing] and identifying what has become perhaps the major challenge in computer communications today.”
Fast forward to 2020 and businesses will find that the pentesting industry is made up of a lot of providers offering vulnerability management services. But does that mean all penetration testing services offer the same results? Simply stated, the answer is no. To help organizations choose the right team for their pentesting and vulnerability management (VM) programs, consider the following four paradoxical attributes that should help CISOs and CIOs select a top penetration testing partner.
Pentesting Should be Agile, Yet Consistent Over Time
It’s important to hire a talented penetration testing team – one that’s able to look at the environment through the eyes of an attacker and bring their insights of technical risk to the table as the environment and technology become more complex over time. The pentesting team needs to be agile to continuously improve and evolve to meet the ever-changing and elevated risk and complexities that your business may face.
While evaluating agility, it’s important to also look at consistency. Does your potential pentesting partner have a team orientation versus just an individual, or outsourced consultant, who owns the knowledge? What if that individual moves on to “greener pastures?” It’s my recommendation that you shouldn’t consider a white hat tester who acts alone. Rather, choose a pentesting team built around a consistent delivery of quality, service, and results, that can be an extension of your internal team and will bring you the foundational support you need in your vulnerability management program.
The Pentesting Process Should be Custom Yet Standard
With 640 terabytes of data tripping around the globe every minute, is it possible to put standards around your vulnerability management program? In my opinion, it’s not only possible, it’s a necessity.
Who you get doesn’t have to be what you get, as people so often think. From project management workflows and practitioner guides to standardized pentest checklists and testing playbooks, at NetSPI we have formalized quality assurance and oversight so we can deliver consistent results, no matter who your assigned NetSPI security consultant is. With these standardized processes in place, when new vulnerabilities are identified, we are able to quickly mobilize and study the attack scenario, and if appropriate, we add that specific vulnerability to our pentest checklists for future assessments.
Having said that, every situation has its nuances. While understanding that no organization is the same, there may be some commonalities between industries, like similar regulatory bodies to comply with, for example. This allows pentesters to put some standardization into their process while allowing for customization and flexibility that is unique to the client environment from a business or technical perspective.
Technology/IT Should be Automated to Increase Manual Pentesting
Automated scanning is foundational to any penetration testing program. It’s how an organization handles the thousands of results from those scans that is crucial as there will be duplicates, false positives, and many, many data points, oftentimes delivered in spreadsheets or PDFs. Your internal security/IT team is then tasked with sifting through, sorting, and evaluating that data. Is that administrative work the best use of their time?
In my opinion, your internal team should focus on finding solutions for effective and fast vulnerability remediation, rather than spending their time heads down in administrative tasks. It’s up to your pentesting team to identify and communicate the priority vulnerabilities, not hand you a document and wish you luck. Look for a penetration testing provider who has tools in place to automate pentest reporting functions and deliver results that can be easily sorted and acted upon so that the majority of human capital investment is focused on finding and fixing vulnerabilities. A favorite quote of mine from NetSPI product manager Jake Reynolds exemplifies the mindset of those individuals working to solve the technical complexities of vulnerability management (VM), “I want to hack and secure the largest companies in the world…I participate in solving real world problems that affect companies and people across the globe.”
A Focus on Internal R&D Will Strengthen the Entire Security Community
Being able to collaborate with a team is critical in our client relationships. We instill that collaborative mindset through an intense and immersive training program, NetSPI University, for entry-level security testing talent. Why dedicate so much time to continued education and mentorship? At NetSPI, we are consistently asked to see around corners and penetration test more and more complex environments. So, training and collaboration are key to helping us grow and scale pentesting talent to meet our industry’s evolving needs.
Training and collaboration can’t, and isn’t, just a NetSPI initiative. Collaboration and innovation are key to evolving as an enterprise and as an industry. As I wrote in this blog post, pentesters are intensely creative and have highly curious technical minds, and our team strongly believes that the effort we place in research and development with our colleagues should be shared with the broader security community. Case in point? The NetSPI blog is a treasure trove of information for the pentesting community at large, along with the content on our open source portal.
Final words on this subject: Penetration testing services are the same by definition, but none are created equal. When hiring a penetration testing service provider to test your applications, cloud, network, or perform a red teaming exercise, think beyond whether they can simply identify vulnerabilities. Consider pentesting talent, processes, technology, and culture to ensure you’re getting the most value out of your partnership.
In a recent episode of Agent of Influence, I talked with Anubhav Kaul, Chief Medical Officer at Mattapan Community Health Center near Boston about not only some of the medical challenges they are facing during COVID-19, but also some of the software and security challenges. I wanted to share some of his insights in a blog post, but you can also listen to our interview here, on Spotify, Apple Music, or wherever you listen to podcasts.
COVID-19 Impacts on Telemedicine
Telemedicine has been available and used for multiple years and takes many different forms. For example, your doctor calling you on the phone and updating you on your results is telemedicine, receiving results through an electronic portal is telemedicine, or receiving feedback from your provider over a text message platform is telemedicine.
However, COVID-19 has drastically changed many doctors’ reliance on telemedicine to be the primary platform for how they provide care to their patients. According to Kaul, 90 percent of care being delivered by Mattapan is currently being delivered via telemedicine, including treatment of chronic conditions and urgent concerns. This has been made possible largely because the payers, both public and private, recognized the essential need of working in the current climate and have been able to help Mattapan receive reimbursement for providing telemedicine-based care.
The challenges Mattapan is currently experiencing are mostly around adoption of video and phone technology enabling remote treatment, since many clinicians have never had training on how to conduct effective telemedicine appointments.
In addition, while there is a tremendous amount of care that can be provided to patients without physically seeing them, the ability to be in the presence of patients and evaluate them in person is sometimes irreplaceable. In part to combat this challenge, Mattapan is leveraging medical devices to help manage certain conditions by patients from home, many of which automatically send data directly to doctors as it’s collected, including devices to measure blood pressure, glucose, weight, and more.
Kaul has also noticed that doctor-patient relationships, like so many relationships, are struggling with the lack of social connection, one of the most gratifying parts of providing care in person. With new technological developments, people are in general more distracted by their technology from the person right in front of them, including doctors when seeing patients. This may even be exacerbated as doctors leverage telemedicine to provide treatment and try to connect with patients over video and phone.
Staying Secure While Providing Remote Treatment
Providers have always had to focus on ensuring their communications with patients are secure and HIPAA compliant. Many clinicians want to provide the best care to their patients, which may sometimes mean giving out their cell phone numbers to patients or texting their patients to allow for accessibility of care. While they have every intention of doing the right thing for the patient, these are not necessarily considered safe modes of communicating with patients. They may be easy and accessible, but there is a level of risk when it comes to using unofficial platforms.
Using encrypted emails and online patient portals to send text messages are more secure options, even if they may not be as convenient for clinicians and patients.
Even outside of a pandemic situation, doctors and clinics will always face this security challenge that sometimes stands in conflict: trying to protect the patient’s information and trying to protect the patient’s health by providing accessible care. And at the same time, not putting themselves or their clinic at risk when using unsecure modes of communication.
Mattapan uses Epic, an Electronic Medical Record (EMR) system that is integrated with Zoom technology to provide telemedicine via video and which allows patients to send pictures that are then uploaded into their patient portal and medical record. However, most visits will continue to be phone-based, primarily because of accessibility. While getting people to adopt new technology is always a challenge, Mattapan is working to increase video adoption to give all their patients the full functionality that that medium provides.
As Mattapan and clinics around the world leverage new technology and medical devices to treat patients remotely, they don’t necessarily know the security threats these technology solutions pose because they’ve never used them before, especially to this extent. While hospital IT and security teams are working to quickly test and set up these systems, there are risks associated.
As a clinician, Kaul is not necessarily constantly thinking about security risks, but more about the most accessible way to provide care to Mattapan’s patients. He sees this time as presenting an opportunity in the market for telemedicine software solutions and medical devices, so that doctors can continue to treat patients remotely – and even offer broader and improved treatments.
I’ve completed a fair number of security assessments for electronic medical devices and organizations that build hardware leveraged by doctors, and in my experience, doctors hate security because it interferes with their ability to conduct the job at hand. And in certain cases, the job at hand takes significantly higher priority than the potential security risks. For example, I don’t think any doctor wants to have to enter a password before they can use a surgical device, because sometimes every second matters when it comes to the life of a patient.
Increasing Challenges of Patient Authentication
Another challenge when it comes to treating patients remotely is that of patient authentication. For example, you may be trying to monitor the blood pressure of your patient and you send them home with a device that’s continually sending data back, but how do you know that data is for your patient and not their child, sibling or someone else? Kaul acknowledges that there’s no easy way to authenticate this and it’s very easy for patients to cheat the system if they want to. These are challenges that need more focus and attention, of which they’re probably not getting right now because usability is taking a much higher priority than security.
Mattapan is focused on making sure any patient interactions they’re having are as reliable as possible, especially during this time. However, there are unique challenges. For example, sometimes they rely on talking with family members of people who can’t speak English, but maybe that family member doesn’t have full jurisdiction about their health care information and making decisions about their health care. These types of scenarios are opportunities for software and medical device companies to fill, but they may not be given the highest priority at this time.
Prescribing Prescriptions Virtually
Doctors have long been able to electronically prescribe most medications, but during the COVID-19 pandemic, they are also allowed to prescribe other medications that previously required a paper prescription, including controlled substance pain medications, certain psychiatric medications, and medications meant to treat addictions.
Being able to prescribe controlled substances electronically has made the process more accessible, especially in these current times, but it has also added security challenges. These challenges include making sure that the patient is properly identified, and they are receiving the prescriptions in a secure manner from the pharmacy. This level of accessibility is great for the patient and for the provider, but certain guidelines have been adopted to make sure this is done in a standardized fashion and to make sure that doctors are still connecting with these patients over the phone or video to see how their care is going, whether it’s for pain management or treating them for addiction-based disorders.
During these uncertain times, doctors and hospitals are working to increase accessibility of care, but with accessibility comes the responsibility of making sure that parameters of appropriately treating patients are in place – along with the appropriate security measures.
To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.