In this episode of the HIPAA Vault Show, hosts Adam Zeineddine and Gil Vidals delve into the year’s most pressing cyber threats and the defenses against them: Two-Factor Authentication (2FA), Phishing, and Ransomware. Discover why 2FA is essential for security, learn to recognize and combat sophisticated phishing techniques, and understand the latest in ransomware defense strategies. This episode is a treasure trove of insights for anyone keen to bolster their digital defenses in 2024. Tune in for an engaging and informative discussion, and stay updated with the latest in cybersecurity and HIPAA compliance. Subscribe now for more expert advice and tips from the HIPAA Vault Show – your frontline defense in the digital world.


Transcript:


Adam
Hello and welcome to the HIPAA Vault Show, where we discuss all things HIPAA compliance and the cloud. My name is Adam Zeineddine, and I’m joined by the ever-knowledgeable Gil Vidals, CTO of HIPAA Vault. Hey, Gil.


Gil
Hey, Adam. Happy new year to you, if I didn’t wish you that already. 


Adam
Yeah, well, happy new year. Never too late to wish someone a happy new year. 


Gil
Yeah, that’s right. Even if it’s summertime. I like that there. 


Adam
Yeah. So today we are going to be talking about the top three cyber attack vectors of 2024 and how to defend against them. So let’s dive in. First up, we have two-factor authentication, commonly known as 2FA. It’s become a little bit of a buzzword, but it’s a crucial layer of security. Gil, can you break down why 2FA is more relevant than ever in 2024? And I’ve got a little bit of recent, not to be too current, but the recent SEC debacle with Twitter.


Gil
Yeah, I heard about that. Very interesting that the SEC approved the spot bitcoin ETF. And you’re right, it had a big impact because the Twitter account didn’t have two-factor authentication. And we should pause there and describe what authentication is. So when you log in, you know, you put in your username and password to get in. Well, now there’s an extra code. Most of the audience would know about that because the banks have it and most financial institutions have a second code. They send it either to your phone through text messaging or they send it to you via email. It’s usually six digits. You just type them in. So it’s like having two passwords. Right.


Gil
So what happened was Gary Gensler, the chairman of the Securities and Exchange Commission, he didn’t have his account secured with two-factor, and someone took over his account and they said, hey, guess what? The SEC has approved the spot ETF, first time in history, and then bitcoin shot. Yeah.


Adam
Here’s the update from Twitter’s safety account. “We can confirm that the account SECGov was compromised and we’ve completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number.” And it looks like it’s cut off there. But, yeah, that’s the gist of it, I think. To follow on from that, I think they also confirmed they didn’t have 2FA enabled.


Gil
Yeah. You say, well, what impact did that have? It’s just information. This cost people millions of dollars. I’ll tell you why. When the price soared on this fake news, the price went up. And then some people had their call and put options or whatever they were doing based on the price level. When the price went up to a certain level, it triggered one of their contracts, open interest contracts, either put or call options, and it liquidated probably $100 million. So, I mean, this is huge, right? And of course that’s in that case. Now we’re here to talk about health care, not bitcoin and financial stuff, but same thing. Let’s say you’re a healthcare provider or you’re a healthcare medical practitioner and you don’t enable two-factor authentication, then it’s easier to gain access to the application and you don’t want that.


Gil
So it’s low-hanging fruit. Right. I thought at one point we were going to call this podcast, what are the three things that most healthcare apps are missing in terms of security? And if we did name it that, this would be one of the top ones I would select. It’s low-hanging fruit. It’s not that hard. You don’t have to be a technical genius to figure out how to do it. We encourage everyone to enable that two-factor authentication. You’d be surprised how many haven’t.


Adam
I was going to say the exact same thing. How many websites that have a lot of important information, other than healthcare, financial information, don’t even require it.


Gil
Yeah. So that’s one of the top things that should be done. I agree. 


Adam
So would you recommend that the application enforce it for the users? Yeah, I guess if it doesn’t enforce it, then who’s going to do it, right? At a user level?


Gil
Yeah. Now keep in mind, Adam, that there’s probably three groups of application developers we see. There’s one where they hand-code, you know. They have their own code, they wrote everything from scratch and that’s their custom application. There are others that use WordPress to host their application. And then the third one is you have other CMSes that are also not as popular as WordPress, for example, Drupal or some other CMS editor. And so all three of those, whether you’re custom coding or WordPress, it’s easy. There’s a plugin for two-factor authentication. So you just enable the plugin, pay for it. You want to pay for these plugins and enable it. So it’s not that hard to do. And that’s just something. Now, again, I always emphasize, in every one of these podcasts, I always emphasize, these podcasts are for the managers too.


Gil
This isn’t a technical one like, oh, I don’t understand this, I leave that up to my tech team. As a manager, you shouldn’t take that position. It’s a mistake to take the position, well, I have this great tech team, I let them take care of it. You as the manager, all the crap flows up to you. If something great happens, it goes to you. Credit to the CEO. Something terrible happens, it goes to the CEO. So you’re obligated to check in with your tech team and say, hey, I logged in the other day, I got a guest login, I logged in, and there’s no two-factor, guys. So you don’t have to be a technologist to just go to your own website and say, hey, let me just go in as a new customer.


Gil
I’ll just make up Joe Blow, log in, and if I don’t get two-factor, it’s time to talk to your developer. Yeah.


Adam
Next up we have phishing, and we can go into what phishing is, but I thought I’d bring up a recent event that was highlighted on Patchstack. They describe it pretty well in this instance. So, fake CVE phishing campaign tricks WordPress users into installing malware. This goes on to say, for the past couple of days, the Patchstack team has been monitoring a mass-scale phishing campaign with multiple variants of phishing emails going around that are notifying users about a supposed security vulnerability in their WordPress website. They claim it’s a remote code execution (RCE) vulnerability and you’re asked to immediately use a patch created by the WordPress team to patch the vulnerability with the identifier CVE 2002 345124. It’ll get the user to install malware on the WordPress site, right?


Gil
That’s right. 


Adam
So phishing in 2024, it just doesn’t seem to go away. And things seem to get even more intricate and elaborate when it comes to how legit these things look. So this is what the email looks like?


Gil
Yeah, I think it’s gotten more sophisticated. By sophisticated we mean that the camouflage is even better. So in the old days you would get a phishing attack that says, hey, log into your bank. And of course if you do try to log into the bank, they’re just capturing your credentials. You’re not really logging into the bank. But now they’ve stepped it up a notch where instead of just some bank or something like that, sometimes it could be your own company. Like it might be a logo of your own company saying, hey, I’m Frederick, the new employee here on the fourth floor, you know. Nice to meet you, Sam. And you’re like, oh, it’s a new employee. What a nice guy, you know, saying hi, and you’re fooled because you see your own company logo. So it’s called spear phishing. It’s much more accurate, more refined.


Gil
So that’s really quite devious and ingenious at the same time on the part of the bad actor. And the rule of thumb to prevent these things is to do phishing simulation testing within your organization. It doesn’t matter if you only have two employees or you have 2,000, it doesn’t really matter how many. You should employ phishing simulation where you randomly send employees a simulated phishing attack. And if they do click on it, then you as the manager would find out. You say, oh, my employee Bob or Sue, she clicked on it, and they’ll tell you exactly what she clicked on and what time, what simulation test. And then it’s not about reprimand, like, oh, you’re going to go over and get mad at them. It’s about training and it’s about logging the incident and it’s about offering them a training module.


Gil
And some of these phishing, not experiments, simulations, they actually offer a module. So if the person does fall for it and if they do click on it, then it’ll say, hey, you need to take this learning module. So right there on the spot it says, oh, here’s your learning module. And then now they’re retrained. So that’s something important. So for phishing, I think the training and testing is important.


Adam
It’s part of what we always talk about, like the arms race between the good guys and the bad guys, the good actors and the bad actors. 


Gil
Right? 


Adam
Everyone needs to keep tooling up because the other side is always going to be improving and getting more sophisticated. As you said, I’d like to encourage our listeners to reach out to us at hipaavault.com. Fill out one of our contact forms and you’ll get access to our regular newsletter. And in this edition of the newsletter, we dive into some key tips, ways to see and analyze phishing emails. A lot of them are common sense, but there’s probably going to be, I guarantee there’s going to be a couple there that you hadn’t thought of. So do check out that newsletter. It’s packed full of information, not just about HIPAA Vault and the products and services we offer, but also useful tips for security. And the final tip is regarding ransomware. So rounding out the top three is ransomware.


Adam
Gil, this has been a persistent threat for years. What’s new or what should we be looking out for on the ransomware front in 2024 and beyond? 


Gil
I would just want to give two points. The first point is that ransomware is extremely powerful because the bad actors, they encrypt the information on your systems and they won’t give you the decryption passphrase until you pay them a fee. And so you’re stuck. You’re like, oh, my gosh, I lose my whole business, or I pay these guys the amount they’re asking for. Technically speaking, there have been many cases of these ransomware attacks being successful because the company they attacked had some kind of remote software running. By remote software running, I mean, like pcAnywhere. These other applications where anyone can log into your systems, maybe you have that installed so that a vendor can come in and help you troubleshoot something on your computer. So instead of the vendor getting in the car and driving over to your office, you have this.


Gil
Yeah, there’s lots of them out there, right? So what happens is a lot of these tools, they’re just left running all the time. And these tools are meant for remote people to access your system. So imagine, they’re already built for that. And then here comes the bad guy, and he knows how to exploit the vulnerability, and he’s using this tool to log in, not to help you resolve a tech issue, but to install ransomware. So if you do use something like that, a remote viewing software, make sure you have it very tight. Only enable it when you need it, turn it off, or better yet, don’t use it, don’t have that. And then the second factor that’s important is ransomware is happening all the time, every week. And you have to check your insurance.


Gil
Check your cybersecurity insurance, which is also called errors and omissions, E&O insurance. Check that insurance. Make sure you have it, a, and then b, make sure that you’ve read through enough of it, you understand what they would cover, because they don’t cover every single scenario. And you could always talk to your broker, like, if you don’t have time to dig into it, just call your broker and say, hey, I bought this insurance from you last year on the cybersecurity stuff, but I want to review it. It’s worth your time to understand what you bought and what you’re paying for to make sure it fits what you need. So those would be my comments on ransomware.


Adam
Fantastic. Thanks, Gil, for those insights. So there you have it, ladies and gentlemen. The three cyber attack vectors to look out for in 2024, and hopefully we provided you with some tips on how to prevent them: two-factor authentication, phishing and ransomware. If you haven’t already, drop us a like on the video and hit subscribe. And if you would like more information, or have any questions, reach out to us at podcast@hipaavault.com or visit our website. There’s a bunch of information at hipaavault.com. Stay safe out there, and remember, knowledge is the best defense in the digital world. Until next time, thanks for stopping by.