DRF 27: Healthcare Cyberwar: Keeping our patients and our research safe

(upbeat music) – Great, thank you everybody for joining us today. We’re very fortunate to have Dr. Jeff Ferranti today speaking on Healthcare Cyberwar: Keeping Our Patients and our Research Safe from Hacktivists, Nation States, and Cyber Terrorists. Obviously a very timely topic with all of the issues around hacking and data security that are going on. So Dr. Ferranti is the Chief Information Officer and Vice President for Medical Informatics at Duke Health. He is a Professor of Pediatrics and Informatics and is responsible for the vision, strategic planning and adoption of technology and information solutions within the health system. And he develops overarching informatics strategy in support of the Duke Health mission. He was the leader of Duke’s enterprise-wide Epic installation with four hospitals and over 300 ambulatory clinics, and through all this, he maintains an active practice in neonatal critical care at the university hospital. Thanks a lot for joining us today, Dr. Ferranti.

– It’s great to be here. And thanks for your
attention about a topic that I think impacts our life every day. Five years ago, when we were putting Epic in around Duke, I never in a million years thought I would spend 40% of my time actively battling hackers and cyber terrorists, but that’s where we do spend a lot of our time. And you read about it every day in the newspaper. You read about Yahoo and three billion patient records being stolen, you read about Equifax, 150 million people had their data stolen. And people ask me, what does that really mean? Did they steal my email address? Think about it, Equifax knows every single thing that you buy of any significance; it’s in your Equifax accounts, as well as your social security number and lots of sensitive data. So a question that I often get is, why are we seeing so much more of this? Why are we seeing elections hacked, massive cyber breaches of major companies, foreign nation states, leaks of information happening, what seems like near daily in my world. Probably weekly for people who are just reading the newspaper.

I think the reason is because we are living in what Thomas Friedman calls the age of acceleration. And have any of you all heard of Moore’s law? So Moore’s law basically says that compute power doubles every 18 months to two years for about the same price. And so year over year over year since the advent of computers, the amount of compute power that we have has been doubling on a biannual basis. And that’s a hard concept sort of to understand in your mind. And so Thomas Friedman, this is a great book if you haven’t read it, Thank You for Being Late. He gives this example of the mathematician who created chess. And the king at the time said chess is a fantastic game. I want to reward you for creating this. What would you like? And the mathematician said, I just want rice to feed my family. Nothing too fancy, just rice to feed my family. And the king said, “No problem, how much rice do you want?” And he said, “Well since you like my chess game so much, why don’t we start with one grain of rice on the first square of the chessboard, and then double it for each subsequent square?” That’s effectively what Moore’s law is. And so you could see, you have one grain of rice, then two grains of rice, four grains of rice, eight grains of rice, 16 grains of rice. Seems pretty manageable. Well about halfway through the chess board, I think the king realized he had a major problem on his hands, because the numbers accelerate and get bigger, bigger, and bigger over time, so much so that by the time he gets to the end of the chess board, all 64 squares, it’s 15 quintillion grains of rice. That’s enough rice that if you put them end to end to end it would go from here to Alpha Centauri, which is our nearest star, and back. And that’s the power of acceleration. That’s the power of exponential growth. And that’s what’s happening in our world and in informatics. So in 2010, we entered
into the second half of the chess board in compute power. So we are not doubling small numbers like two or four or eight, we are doubling huge numbers. Which means the amount of change in compute power between 2018 and 2020 is unthinkable right now. And we are living in that age and that’s what they call the age of acceleration. What happens with exponential acceleration is that as the advent of computing in any real way, and you’re kind of just sort of teetering along, somewhere around 2007, a whole bunch of really big things started happening. We got iPhones, we got Facebook, we got eBay, we got Amazon, that all happened in 2007 as compute power really started picking up, and since then we’ve gone into basically this vertical stage of acceleration, where the number of transistors per CPU is growing exponentially. Every year folks say there is no way Moore’s law is gonna hold for another two years, and it holds and it holds and it holds year over year over year. And this is the environment in which we’re seeing this uptick in cyber security events. On the good side, you folks in DCRI are able to do more with data science, more with advanced computing. We have GPUs that can do amazing things. We have our Forge Group that’s doing amazing things. Some people are using it for good. Some people are using it for bad.

Another way to understand this exponential Moore’s law is to understand that not everything follows Moore’s law. So computers do. But not everything does. I’d ask you to consider in your head a 1974 Volkswagen Beetle. And it looks something like this. We all know what it looks like. Now, it’s probably not a shock to anyone, but Volkswagen Beetles do not follow Moore’s law, but if they did, that 1974 Volkswagen Beetle today would go 300,000 miles an hour, (audience laughing) would cost four cents, and you think about the fact that that would double in the next two years. So it would go 600,000 miles an hour and cost two cents. And so that sort of growth is what we’re talking about, and that’s the sort of compute power that our cyber enemies are applying to attack us at Duke. This is not hyperbole. This is not fear, uncertainty, and doubt. This is a very real thing that we see in very real ways nearly every day at Duke. Someone with a pulse on the other side of a screen actively trying to steal your research data or trying to steal our corporate information or trying to hack into our patient data, and us actively trying to prevent that.

So when you think about cyber security, we’ve gone through a lot
of different phases kind of in the history of cyber security. Back in 2009 to 2010, we were dealing with things like laptops get stolen or left in an airport, a memory key gets dropped. It was really about lost or stolen devices. And so we tormented everybody and we said your laptops need to be encrypted. Everybody screamed my laptop is gonna be slow when you encrypt it. Now the compute power is so fast, it doesn’t really even matter, you don’t even notice that your laptops are encrypted. But that’s what we were dealing with back then. 2014, 2015, we started dealing with big hacking events. Anthem Blue Cross Blue Shield lost 80 million patients. They just settled a couple of months ago. 300 million dollars for that one breach. Premera Blue Cross Blue Shield lost 11 million patients. These were hacking events, hackers hacked into the network, stole data, and then there are the CMS fines. There’s credit monitoring for all of your patients, et cetera. And now more worrisome is this advent of ransomware. Where basically hackers come in with a destructive mindset, but also this entrepreneurial spirit that they want to make money from these things, and what they basically do is encrypt all your machines, so you can’t do any work. And if you want to get into those machines ever again, you pay ransom in bitcoin to the hackers. Otherwise, you lose all of your data. And so we’ve gone through this evolution. You can imagine that encrypting an entire health system is a really bad thing and that’s exactly what happened in the UK with the WannaCry attack, which we’ll talk about, where basically 25 or 30% of the UK health service was totally shut down. Couldn’t order labs, couldn’t order blood, couldn’t do surgeries, couldn’t do x-rays, EHR down, totally down, and they were diverting patients to other hospitals because of a ransomware attack.

Who are these people that hack? There’s a bunch of different
sort of personas of hackers. At the macro level, in the IT security world, is what we call white hat hackers and black hat hackers. So white hat hackers are cyber security experts, the sort of people we hire here at Duke. They’re people who are on our team helping us understand new techniques that hackers are doing to break into our environment, but they’re generally for the good. They’re generally employed by academic organizations, the FBI, et cetera. Black hat hackers are hackers for the bad. They are cyber terrorists, they’re extortionists, they are folks who are trying to either steal value or wreak general mayhem in an environment. Then you have gray hat hackers, who sit in the middle. Maybe they’re like a cyber security guy by day, but at night they dabble in the dark side a little bit, and so we call them gray hat hackers. They can be nation state actors and we are seeing this more and more and more. When you hear about Yahoo being hacked, or UCLA being hacked, or the Democratic National Convention being hacked, those are generally nation state actors. North Korea, Russia, China, organizations within those countries that are hacking organizations. They can be criminal syndicates, foreign corporations, security researchers, what we call script kiddies. So this is like a 14-year-old in Raleigh who goes and downloads a hacking version of Linux, and tries to break into stuff. And then more and more hacktivists. And hacktivist organizations are becoming really common. Have you all heard of Anonymous? Anonymous is probably the most notorious of the hacktivist organizations. They use these Guy Fawkes masks. Their slogan is “We are Anonymous. We are Legion. We don’t forgive. We don’t forget. Expect us.” That is pretty menacing, right? And last year, they started what’s called Project WestWind, which is a hacktivist campaign against academic institutions and academic health institutions. Where they are actively targeting those sorts of places in sort of this distributed network of hacktivists, who have a political statement to make. In this particular case, they’re concerned about the rising cost of education, traditional education, and medical education, and wanna show organizations that they’re not above being hacked and embarrassed publicly, and so they have a group of folks who are trying to hack those organizations.

What do they want? Lots of different things. We traditionally have talked
about electronic health records and people say why do you want an electronic health record? Well it’s because if you steal a credit card number, I can replace your credit card number. If you steal an electronic health record, you can’t replace your health history. And hackers can do a lot of bad stuff with that. They can do false insurance claims. They can write false prescriptions, all sorts of things to maximize that, and it’s something that will never really go away. More and more they’re interested in research methods and results, and so there are entire nation states and subgroups within nation states that we call advanced persistent threat organizations that are out there to steal research results. They don’t want to put the time into doing the research themselves, so they’d rather steal it from us and then use that to forward their research mission. They wanna steal passwords, financial information, cyber sabotage, so just break stuff or bring things down. And then just cause general mayhem as was the case in the WannaCry attack. Why do they do this? It might be for financial gain. It could be for strategic advantage and we are seeing a lot more of that. Generally people who attack places like Duke are looking for some research data or some proprietary information that’s going on in our labs to give them a strategic advantage in whatever their research interests are. And different people have different research interests, and that’s who they tend to go after in the organization. Disruption of your IT services, damage to your brand, so we often will have websites hacked and then defaced for some purpose. Notoriety, and then some people just do it for fun.

Now where do these folks hack? So you all probably hopefully
live in that top part of the internet, the part above the water, public websites, your CNN, your Google, YouTube, Facebook, that’s 2-4% of the entire internet. And that’s about eight billion web pages; that is where you spend most of your time. When you go below the surface, you get into what’s called the deep web, and that’s where indexed sites are, password protected sites, some sites that live on the fringe of the up and up internet and the rest of it. That’s things like µTorrent and Bitcoin that are becoming more and more popular. But they’re not really a big part of the mainstream internet. You have places like The Pirate Bay, where you can download hacked software, hacked movies, hacked music. And as you go further down into what’s called the dark web, there are parts of the internet that’s just not indexed at all. And the only way you can get to the dark web is using a special browser called Tor. These sites don’t end in .com or .edu. They end in .onion and you have to use a Tor browser, where you know the URL to actually go to those sites. This is where drug trafficking, illegal information, contraband sales, you can hire hitmen on the dark web, organ trafficking. This site called Silk Road, which has since been shut down, was basically eBay for controlled substances. You can go on the dark web, you can buy your heroin with bitcoin, have it shipped to your front door. That’s all happening down here. Then this thing here called The Hidden Wiki is kind of the directory for the dark web, because sites aren’t indexed, there’s no Google down there, and so you have to use something to know where they are. So The Hidden Wiki is something that you can use through a Tor browser to find your way on the dark web. This is where 98% of the internet is. It’s 550 times the size of the public web that we all use every day. 7.9 zettabytes, and one zettabyte is a trillion gigabytes. There’s paywalled sites and databases and things that are there, and that’s where hacking secrets are traded as well. That’s where social security numbers are sold, credit card numbers are sold, and medical histories are exchanged on the dark web.

What I’m gonna do today
is take you through four critical risks, four types of hacks that we need to deal with today, and we have experienced all four of these at Duke in the last year or so. We’re gonna start with phishing. So people at Duke are our biggest asset, but they’re also our weakest link. We talk about exponential computer power growth. We talk about Moore’s law. There’s a vision in everyone’s head that these hackers are using super sophisticated techniques to find things out, and while that’s true sometimes, one of our biggest vulnerabilities is just our people. Just giving away secrets through phishing style attacks. Systems can be defended more easily than our people. Phishing is the number one delivery mechanism for ransomware. When you look at how WannaCry started, took down 25% of the NHS, it was a phishing email. Someone clicked on it, and it caused this malware to propagate across networks of insecure machines. Now this statistic, 30% of all phishing emails are clicked on. I mean if I were to ask you all, who here clicks on phishing emails, probably no hands would go up. So we studied it, we looked at it here at Duke. 32% will click on a phishing email at Duke. Now they’re taking it into voice calls, vishing. So how many of you all have gotten weird phone calls on your cellphone? Maybe someone says they’re Microsoft, they’re from a vendor, they’re from somewhere. And you usually end up hanging up. We are getting more and more of those. I get them all the time. SMSishing, sometimes you get weird texts on your cellphone. Someone will ask for some information. These are all intended in many cases to just gather little bits of information that are put together, that will ultimately result in some vulnerability that can be exploited.

Now a lot of folks say, well DHTS people just block this stuff out, filter out the malware, it’s your job to protect us, and you’re right. But what a lot of people don’t realize is this is a typical month at Duke. 231 emails flow through our
shop, get delivered to y’all. Of those 231 million emails, 176 million of them never make it into your inbox, because we filter them out because they’re malware, phishing, attackware, things that are gonna somehow compromise your system. What actually sneaks through is 55 million emails, which are the things that we think are good emails and actually let through to you. When you get one that’s actually a phishing email, it’s part of that 55 million, and often what happens is that gets presented back to us, or reported to us, sometimes after you click on it, and then we try to block that at the firewall, but that is sort of the exception to the rule. That is the one that snuck past the other safeguards that we have. Those are the sorts of odds that we are dealing with. 176 million to 55 million. Those are tough odds to protect the organization from. So we use tools like Proofpoint. Proofpoint says when an email ends up in a Duke Outlook mailbox, if there’s a hyperlink in there, and you click on it, it doesn’t go direct to the website. It goes to the Proofpoint server. Proofpoint has threat intelligence from the whole country. It decides if it’s a safe link or not. If it is, it takes you to the website; if it’s not, it blocks it right there. Problem is, and we have people at Duke who forward their email to Gmail. Forward their email to Yahoo, forward their email to Hotmail. Use other email services here on campus. Proofpoint doesn’t protect those. Proofpoint is only protecting our Outlook, our enterprise email. There are lots of ways that if you’re using tools outside of the standard tools, that you can inadvertently click on something and break something here. We had an incident in the cath lab probably nine months ago, where someone was using Gmail. They forwarded their Duke email to Gmail. Link came through, clicked on it, encrypted 100 machines in the cath lab. And they needed to be reimaged. They didn’t have any PHI or anything on them. But they were the machines that were used to take care of patients. They were the machines that our echo machines are connected to, and so we had to reimage all those machines overnight so that we could actually do business the next day. So clicking on nefarious emails is a dangerous thing to do.

But again what happens with phishing, or what we call more broadly social engineering, is not glamorous stuff. Have any of you heard of Kevin Mitnick? If you’re interested in this stuff, these are interesting books to
read, but Kevin Mitnick was one of the most wanted hackers in the world, cost his victims over 300 million dollars. And his technique was dumpster diving. So he would basically go to your house or your business, steal your trash and then look through your trash to try to get clues on what your passwords might be, what your secrets might be, and then use those in order to compromise systems. Kevin lived in Raleigh, got arrested by the FBI in Raleigh and then went to federal prison, got released, and then started this thing called Global Ghost Team consulting, where basically he is now a white hat hacker, trying to tell companies what their vulnerabilities are. As a company, you can hire him and he will try to hack into you. And he has a 100% success rate. He has never had a company that he couldn’t hack into. Most recently he hacked what’s called an airgap system, where it’s kind of like Mission Impossible. You have a big white room with a computer in the middle of the room, it’s not connected to anything. All your secret stuff is on that. There’s like air vaults and doors between that. And to get any data off of it, you have to go in the room with a memory key, physically take it off; he hacked one of those. And so using a hack that’s called Brutal Kangaroo, if any of you are interested in reading about it. He has had a 100% success rate using very simple techniques for the most part. His role is CHO, Chief Hacking Officer, which is kind of a cool title to have.

On the phishing side, be
aware of suspicious emails. Be aware of suspicious texts and suspicious phone calls. A lot of people don’t realize this, but I have a team of folks who monitor this email address. So people send me stuff all the time. Jeff, this email looks really, really bad. They send it to my inbox. (audience laughing) The first thing I do is forward it to [email protected], which you all can do. We don’t care if we have a really high false negative rate for these things. We want to make sure that we’re catching these things. Just you get an email, you’re not quite sure about it, don’t click on it, just forward it to [email protected]. You’ll hear back from our folks and they’ll tell you whether or not it’s something you need to be concerned about. The good news is, if it is a bad email, we’ll block it at our firewall so other people can’t click on it. We know who clicks on these things. And so often times what we’ll do is, we get a bad email like this, we’ll block it, then we’ll go back and look at who clicked on it. Then I got to hunt down these 10 people in order to make sure that they didn’t have some compromise on their machine. So the sooner we can get the email, the sooner we can block it, the fewer people will click on it and we can do more to prevent things. Don’t forward your Duke email outside of Duke. I know people do it, just don’t do it. Outlook is not that bad. I have friends at other institutions that use Gmail. They wish they had Outlook, and then we have folks who use Outlook here who wish they were using Gmail. It’s our institutional email; when you’re here at work, just use Outlook. It protects the place. If you click something by accident and you have that oh crap moment, where the skull and crossbones comes up or something, (audience laughing) don’t just close the computer and run away. (audience laughing) Let us know about that because we really do wanna prevent these things from propagating. And then be aware that Word documents, PDF files can also be infected. One of the worst, where we actually went above the 30% click rate, was an email that came out, and I don’t know who in the room may have gotten it, but it went out to like leadership, managers, directors, and it basically said there’s a major security incident going on at Duke. Details are found in this PDF. Everybody clicked on that. It was an infected PDF file. Those sorts of things can happen as well. When you get that thing in Word or Excel that says do you want to enable macros, the answer is almost always no. Because that’s how they execute code in Word and Excel documents.

Okay, moving on. Ransomware. Ransomware is bad stuff. This is an example of what one looks like. So you click on a bad link. Next thing you know you get
a black menacing looking screen like this, and it basically says you are the victim of ransomware. Your private files are being encrypted. Transfer 47 bitcoins to us. Or we’re gonna destroy all of your stuff. That’s basically what it says. Now bitcoin, everyone who’s been following these things, they used to be worth next to nothing, and then they jumped up to like 20,000 dollars a bitcoin a couple of months ago. They’ve settled in around $8,000 a bitcoin. But typical ransomware for one computer might be 40 or 50 bitcoins. That’s like $400,000. So health systems across the country have had to work with cyber insurance carriers who have ways to procure bitcoins in case you ever get in a situation. And so these insurance carriers now have bitcoin accounts, because you can imagine that depending on the price, bitcoin could cost a whole lot to get some bitcoins if you really needed them. So that’s a service that almost all the cyber insurance carriers have. Now whether or not you pay the bitcoin is a matter of institutional policy and I think those vary from institution to institution. But these guys are pretty sophisticated. Often they will have a link in here that says, “Hey, if you have trouble getting bitcoins, just have your CFO call our help desk, we’ll help you get them, and then you can pay our ransom.” And my favorite is when they have a link that says, “Join our affiliate program. Just put a little USB key into the machine, we’ll put our ransomware on there, and then anything that you, in fact, whatever we collect from that, we’ll give you 30%.” It’s sort of like spreading the ransomware goodness.

This is the WannaCry attack. So this is what our colleagues in the UK saw. This one I like ’cause it had this menacing timer here. So basically same deal. We encrypted everything. It basically just says the ransom amount is gonna be raised in two days 23 hours, and we’re gonna blow up all your files in six days 23 hours. And so you can get it on like the early bird deal, if you pay it early on, otherwise they raise the ransom, and if you don’t pay it, then they just destroy all your data. And they give you the link. That’s how you pay. If anyone’s ever used bitcoin, they give you their bitcoin public key and then you would transfer the money to that public key and theoretically, they would give you a decryption key, which in many cases they don’t. They just take your money and let your files be destroyed. That’s why a lot of sites would say don’t pay the ransom, because your chances of getting a real key are pretty limited.

So the National Health
Services, this is from the New England Journal of Medicine. What they did was not report
on how WannaCry happened or technically what WannaCry was. They focused on what did this
mean for boots on the ground doctors in the NHS when
they were all encrypted? So NHS entered the weekend,
countless elective operations were canceled, ambulances were diverted, patients were urged to stay away. However much they pretend
patient safety is unaffected it’s not true said a
junior doctor in London. At one of the capital’s biggest hospitals, automated refrigerators
used for dispensing blood were shut down. We couldn’t do surgery safely. Another hospital was
shut down trauma, stroke, heart attack Centers. So it was a very real
impact when this happened. They also published in this
article something that I’m sure the prime minister loved. The British press discovered that the National Health Service IT systems were particularly
vulnerable because they were using Windows XP. The IT folks had put
together a proposal for the prime minister, it’s gonna
cost seven million pounds, 5.5 million pounds, seven million dollars, to do ongoing support for
the outdated Windows XP operating system and they
chose not to pay that. Not to protect the systems, which is what made them
vulnerable and why some of this happened. But why it really happened is because your federal government,
and the NSA and the CIA Information Operations
Center learned about a whole bunch of vulnerabilities in a whole bunch of operating systems. Vulnerabilities in Apple,
vulnerabilities in Microsoft. Vulnerabilities in mobile
devices, Samsung TVs etcetera. Rather than reporting these
to the vendors to close those vulnerabilities, we held
onto those vulnerabilities to use against our enemies. But they got leaked. And Julian Assange
published those NSA secrets on something called WikiLeaks. You all know what WikiLeaks is? So there is thing on WikiLeaks,
which you all can go look at today, Brutal Kangaroo is on there, and they published these on
to WikiLeaks and it’s this thing called Vault 7. Vault 7 are the CIA hacking tools. They’re all categorized and directorized. And they’re available
for anyone to download. So WannaCry happened
because some, we believe, North Korean hackers called the Shadow Brokers downloaded a CIA created hack called EternalBlue, and then used it to infect all these machines in the UK. They continue to post new stuff to the Vault 7 hacks. It was like 10% of the hacks that they actually have are posted for the public. And so every couple of weeks they throw some stuff out there just to make life interesting for me and others who do what we do. So Shadow Brokers stole the EternalBlue hack and then used the EternalBlue hack to shut down the UK. The way it works is, this vulnerability, it’s something called SMB servers. SMB is the way that you do file sharing in Windows. And it uses a particular port, I think it’s like 445. So EternalBlue opens up this port and makes it available to a hacker. Then they install some malware into that open port called DoublePulsar, which gives the hackers command and control of that box. Then they run a malicious payload using DoublePulsar, which encrypts the machine with WannaCry. And that’s what happened in the UK. And it spread to hundreds of thousands of machines in no time. Spread across the globe in 24 hours, ’cause it was jumping machine to machine to machine through these vulnerable ports.

WannaCry is doing its thing and just encrypting like a virus, but there is this like 20-year-old security researcher, who when he was looking at the WannaCry code, saw a line in there that basically said there is a website called like WannaCrystop.com. Not quite that simple, but like that. It keeps looking for that website, but that website doesn’t exist. This security investigator just went to something like a GoDaddy analog and set up a blank website called WannaCrystop.com. When he did it, all the WannaCry stopped. So there was a kill switch built into the virus that basically said if this website exists, stop the spread, and if it doesn’t exist, just keep propagating and spread to everyone. And most security researchers think that this would’ve been billions of machines if it had kept on going and this thing wasn’t stumbled upon and they actually spun up that website. That gives you an idea of the spread of this. This started in the Ukraine and in Europe. And 24 hours later, that’s the spread of WannaCry.

This may seem like an overseas distant, not Duke kind of deal. But in actuality, this
actually just happened to FirstHealth Carolinas, so if you go out to Pinehurst Moore Regional Hospital, 600 bed hospital, a couple of months ago, the entire thing was encrypted. All 500 of their beds, 100 plus ambulatory clinics, with the same virus in our state. Here at Duke, we had 400 plus attempted infections that our Symantec Antivirus blocked. We had 96% of our computers had already been patched and weren’t using outdated operating systems. We increased that to 99% within a week. We had a problem with biomedical devices. And this is one of the reasons why folks think I’m giving them a hard time when they wanna bring a new biomedical device in from the outside, but we really wanna standardize on some vendors. So that when something like this happens we can call the President of Philips and say you got to patch your devices. That’s harder to do when you have a ton of different device manufacturers out there. Some of whom don’t have the ability to patch these things that quickly. This is just the news article about FirstHealth Carolinas. This just happened in the November or December timeframe of this past year. So if you see unusual emails with links or attachments, if you see inaccessible files on your computer, weird error messages popping up, countdowns going, crossbones sort of stuff, just know that once it runs on your machine, it can spread laterally to other machines. And that’s why we want to know about them quickly. And again any concerns, email [email protected]. If you can’t get into your computer, do it on your iPhone.

Okay, Advanced Persistent Threats. This is what keeps me up most at night. Advanced Persistent Threats
are sophisticated adversaries, they’re usually nation state
actors, North Korea, China, Russia are the three
that we see most often but it could be any number
of other nation state actors. They’re persistent. These are not folks who
come in guns blazing and try to steal something. These are folks who kind of
creep in in the dead of night, get a couple of footholds,
then go dormant for months, then pop back up, try to
get a little bit more data. Then go dormant for a couple of months and they’re very hard to detect and you have to be
actively looking for them. And they’re trying to
gain strategic advantage by stealing sensitive data,
specifically research data. Lots of Advanced Persistent
Threats in the news. Equifax, Yahoo, Penn State
shut down its entire internet in the engineering department,
School of Engineering for adversaries that were
on their network for years, they didn’t know about
until the FBI called them and told them we’re seeing
traffic that’s suggestive of these guys being on your network. Anthem, Premera, Excellus. The Office for Personnel Management. This is the US Government,
21 million employee and contractor records. So you’re seeing many of
these in the news now. One of the most notorious
ones is something called APT1. And Mandiant which is
a cyber security firm wrote a white paper on APT1 back in 2013 because they were so concerned about this, they felt they had to share
this beyond just their kind of corporate intellectual property. It’s based in Shanghai. That’s their office building in Shanghai. Staffed by hundreds, probably
thousands of military employed hackers. They’ve attacked 141
companies in 20 industries over seven years. The typical duration of
the attack is 356 days. So nearly a year that they’re
spending trying to get into a site. The maximum duration reported
in the Mandiant report is four years 10 months, although we know now
that some of them last even longer than that. Then we’ve identified at least
20 probably more like 30 now other APT groups in other
countries around the world who fit a similar sort of profile. This is a military run
operation PLA Unit 61398. And it’s a 9 to 5 job. These folks come in, sit
down, hack for eight hours and then go home to their families. So the hacks generally happen, it’s a 12 hour time difference from here. So it’s not convenient for us because this is a five pm
to five am sort of deal. But that’s when they are most active. They’re highly skilled professionals. They have unique tools and techniques. They have lots of compute power. And you think about the things
that we think keep us safe. So we did an exercise here. We have an 8-character password at Duke. We change it every six months. It requires capital letters,
special character, number and an alphanumeric character. Today with John the Ripper
which you can download off the internet, you could
probably hack that password in less than five minutes. You start throwing farms
of GPUs at these things in a military run operation. You can probably create
rainbow tables for 14 character passwords, then it’s just a
matter of looking up the hash and figuring out what the password is. So that’s why things like
multi-factor authentication and these kinds of things are so important because passwords will not keep you safe. And I always encourage
people on your Gmail account activate your multi-factor authentication. I do it for everything. I do it for my kid’s Xbox account. For everything because
passwords are not gonna keep you safe in this sort
of compute environment. This is how APT
organizations typically run. They compromise the organization. They might do it through phishing. Maybe you click on a bad email, but in this case,
nothing horrible happens. A window pops up, it’s blank,
you don’t make much of it. You close it and delete the email. But now they’ve a foothold
in the organization. They try to establish command and control. And they use something called a RAT, Remote Access Trojan,
which is a trigger point that they can connect with in
the future and get command and control command line
abilities in your organization. They escalate privileges. So maybe they have a single user account. Now they’re looking for
an administrator account. Then they scan the network. They look for vulnerable
hosts on the network. And again we might have
99% of our systems patched, but when you run a network scan, it pretty quickly tells you
which ones are not patched. And those are the ones they go after. So you got to be perfect,
’cause if you’re not perfect, they’re gonna find it and that’s
what they’re gonna exploit. They compromise more systems. They maintain a presence. They drop a few more
RATs in different places. So that if you find that
RAT, they have another one they can pop into after
they wait for six months and do nothing. Use this to sort of perpetuate
until they’re actually able to conduct whatever
mission they have, steal whatever data they wanna steal. And then exfiltrate it. By the way, when they exfiltrate it, they just don’t like upload
a terabyte of data overnight back to wherever the home base is. They kind of trickle it
out over months and months and months so you really
don’t notice that it’s leaving the organization. Then Internet of Things. This is the last one
we’re gonna talk about. But I’m sure you’ve noticed this now. Internet connectivity is
not just reserved to laptops and iPhones anymore. It’s scales and FitBits
and I have light bulbs that will change color with my iPhone. They’re all connecting to your network. And I can guarantee you that a light bulb does not have the same amount
of security built into it as your laptop or your iPhone. So IoT devices are becoming a huge thing numbers are expected to grow
to as many as 30 billion of these devices by 2020. And that doesn’t include
computers, tablets, or smartphones. So we’re gonna have 30 billion
things from small little companies connected to our networks. It could be the digital
scale that you use. It could be your blood pressure cuff. It could be your light bulb in your house. Connected to your network
and I guarantee you those light bulbs are not being patched. And we’re gonna have 30
billion of them on our network, on your home networks, on
our institutional networks. One of these was hacked
a couple of years ago. There were these Phillips smart bulbs. You may have seen them in Home Depot. These hackers just to make a point flew a drone up to an office building, that was supposed to be the
office building of the future and had every light bulb
in the building blink SOS, until people figured out what it was and what had actually happened. And they did that through a
vulnerability in the light bulb. But we deal with much
higher stakes things. We deal with biomedical
devices in DCRI, DHTS, Duke Health, we’re always
looking for the next cool insulin pump, the next cool
implantable defibrillator that we can use on our patients. These things are also hackable. What you hear from the
manufacturers of these devices is, “don’t worry about it CIO. “These are propietary interfaces. “Like no one could figure this out.” They could figure them out. And they do figure them out. They also say, “well applying
any patches to our implantable “biomedical devices is
gonna mess up all of our “FDA validation, so we
can’t touch these things. “But don’t worry, they’re proprietary. “You don’t need to worry about them.” Both of those things are false. So proprietary doesn’t mean safe. And there is no FDA
regulation that says that vendors of biomedical devices
should not be patching those devices on a regular cadence. And those are the kinds of things that we worry about before we bring
things into the environment because we don’t want to have devices that are coming from
vendors, who maybe don’t have the ability to patch
those on a regular basis. So this guy Barnaby Jack, any of you ever heard of Barnaby Jack? Barnaby Jack is a hacker. He says a hacker for the good, who has done several things, but most recently he was gonna go to the Black Hat Convention which
is a big convention Las Vegas every year where they show
security vulnerabilities, and show a vulnerability in pacemakers where he could effectively
deliver an 830 volt deadly shock remotely to
an implantable pacemaker from a laptop 50 feet away. The prior year he was able to
give lethal doses of insulin to patients with insulin
pumps from 300 feet away. There is an interesting
story that came out about Barnaby Jack,
because the night before he was supposed to give
this presentation at the Black Hat Convention, he was
found dead in his hotel room. There’s lots of conspiracy
theories on the internet about why and when that happened, but he was a guy who was trying
to make device manufacturers aware of the harm that could
come from their devices if they don’t security seriously. So this is a little news
clip about Barnaby Jack, right after he died. (electronic music) – The hacker community is
mourning the loss of one of its brightest, Barnaby
Jack, died Thursday morning at the age of 36. The San Francisco
Medical Examiner’s Office did not provide details
on the circumstances surrounding his death. Barnaby was known for
hacking into small devices and exposing their
security vulnerabilities. He was beloved by many
in the hacking community. Barnaby claimed international
fame during a hacking conference dubbed the
Black Hat Convention, where in a presentation he hacked an ATM forcing it to continuously spit out bills. He called this attack jackpot and at this year’s Black Hat
Convention just a week away Jack was prepared to give
another monumental presentation, this time about the security
of wireless medical devices. The Guardian reports last
year Jack had exposed a security flaw in insulin
pumps that could be made to dispense a fatal dose by
a hacker 300 feet away. This year’s presentation
was slated to discuss a new vulnerability in wireless pacemakers and defibrillators. Jack reported both
flaws to the FDA pushing some medical companies
to review the security of their devices. In an interview with BBC, Jack talked about his work
with medical devices saying my purpose was not to allow
anyone to be harmed by this. Hopefully it will promote
some change in these companies and get some meaningful
security in these devices. News of Jack’s death has spread throughout the Twittersphere with friends
of his expressing their love. Jack’s wife expressed her
gratitude for all the well wishes saying, “so humbled by the social
media flood of people that “loved Barnaby Jack. “Thank you all so much for your kind words.” The Black Hat Convention
will not replace Jack’s presentation, but will
instead leave the time open to commemorate his life and work. For Newsy I’m Jamal Andress. Multiple sources, a broader view. – These sort of network
enabled devices are something of concern and I just want
to make you aware of them because that’s something
that we are dealing with on a regular basis now. So I think the takeaway here
is that Internet of Things devices are becoming more and more common. We often don’t think twice
before we connect one of these to our home network
or our work network. And we have to consider
the patient safety aspects of these things and Duke is
trying to leverage its position to really work with
vendors to make sure these get patched appropriately,
before we put them in our environment. But it sometimes means
that we are not as quick and as nimble as we’d like to be when doing new and innovative things. So lots of things going
on in our information security program. I’m not gonna spend a lot of time on it, but I do want to mention
that you should all be on our mobile device manager platform now. This is what we call
AirWatch on your iPhones. And AirWatch has been a long
and challenging practice, program to get live
across the organization. But we have it up and running now. And basically if you want
to use Duke resources on your iPhone, you
need to be on Airwatch. If you’re not on Airwatch,
over time you’re gonna see access to things go away. You won’t able to access
email through your native client. You won’t be able to
connect to our network the way you do today. You won’t be able to access Maestro Care or any of the Maestro Care
iPhone apps and on and on. So the general idea is we
need to have some controls in place to understand
what’s on our network, so that if one of them gets compromised we can see it and filter
it off the network before it impacts other devices. This is just sort of a grid to tell you if you need AirWatch or not,
but I think the bottom line is if you have a Duke owned
device, you need AirWatch. If its personal, you ask
yourself these questions. Do I need to connect to the network? Do I need Duke Health
apps like Haiku, Canto, VPN for the library, Jabber and then do you want to
use your device’s native email client? If you say yes to any
of these, you need to be on AirWatch or else your
access is gonna be interrupted. And then more recently we’re
initiating something called network access control. So today it’s pretty
easy to go to Best Buy or to the Apple Store,
buy a computer connect it to our network. In the future, you won’t
be able to do that. What you’re gonna need to
do is have some baseline security software on your laptop that will probably be
something like BigFix, which inventories laptops for us and some antivirus software
like the CrowdStrike Agent that would need to be on the laptop. So when you try to connect
that to the network, what’s gonna happen once we turn this on, is it’ll say do you have
antivirus software BigFix on your laptop? If it’s yes, we’ll let you on the network. If it’s no, we kick you
on to a guest network, where you wouldn’t have
access to the resources on the rest of it. I wish we didn’t have to do these things. This is a huge headache
to have to roll out there, but I hope after this
talk today, you understand we live in a world where we
can’t ignore these sorts of things anymore and MDM
and network access control are two areas, where
we are probably behind other academic institutions. And so we need to catch up in those areas. Lot of other areas where
I think we’re ahead but MDM for example was out
there. Stanford, Harvard, Hopkins, all have MDM, Duke did not, so there was a real push
to move towards that. Network access control is less pervasive but certainly something that
we need to do relatively quickly, so in the next
year we will be turning that on as well. So I think the key
takeaway from today is that hacking is ubiquitous. You need to be aware
of social engineering. You need to be aware of
drive-by downloads on websites. We actually had a ransomware
attack in one of the basic science labs. Where someone went to the
website for Crabtree Valley Mall clicked on a link on the website and it encrypted all the
microscopes in the lab. So things you click on, even
through your internet browser if your browser’s not patched, can also be a delivery mechanism for these. Hacked web servers
continue to be a challenge. I know people wanna be
able to spin up web servers on their own machine, wanna be able to use
whatever cloud based provider they want, want to host
it in Amazon or LiquidWeb or any of these sort of things. It’s not safe to do that. And we have to have some
controls to make sure we’re patching these sorts of things so that they’re not vulnerable. I think we all need to work
to make Duke more secure. You should think before clicking on stuff. Use good passwords. The more complex, the longer they are, the better off you are. Shorter ones are imminently crackable. I try to encourage people
to use pass phrases. Think of a little sentence
with spaces and capitals and punctuation and
make that your password. Use multi-factor authentication. Always encrypt your
laptop and your storage, apply patches whenever they’re available. Adhere to the security standards. Report anything, anything
you’re worried about to [email protected] And help us make other folks
aware of some of the things. Hopefully we will take
one or two things out of what we talked about today
and help others understand why we’re talking about this
and why this is so important. That’s all I have for today,
but I have a couple of minutes left, if there’s any questions. Stunned silence. – First of all excellent presentation. You talked a lot about external threats and that’s obviously a huge part of this. I was curious whether
you have, along with the exponential increase in external threats, have you seen a corresponding
increase in internal vulnerabilities, because
obviously a big part of the security is also securing
things from the inside. As you said, the biggest threat is people. Have you seen any corresponding
uptick in internal threats and if so, what’s being done about it? – Well, so I think internal
espionage and internal threats are always something that
we try to pay attention to. It’s hard to say if
there is an uptick or not and the reason why is
we weren’t looking at a per device level before. We would look for network
anomalies, traffic anomalies, access logs, these kinds of things. But we weren’t looking
at a per device level. We are now. So if you have a device
connected to our network, we’re looking, and so what we will see is hey this guy over in,
I’ll pick on DCRI is, connecting his laptop to the dark web. We can see that. Or you know a Tor exit node
just popped up in this area. We can see that. Or ransomware just ran on
this machine, we can see that. We are definitely seeing
more in the way of internal vulnerabilities and threats. But we are also looking in
a way that we never looked before, so I don’t have
a good baseline to know whether it’s going up or not. It’s significant. Other questions? All right, thanks everyone. (audience applauding)