Cybercriminals are coming for your healthcare data. Here’s how you can fight fire with fire.
There’s not much about John Nye that would lead you to believe he’s been hacking into computer systems since he was 12 years old. Nye isn’t really a tech wizard, and he’s lukewarm on video games. He has no desire to dole out digital damage to his enemies and—surprise—he doesn’t live or work in some dank, spooky basement.
“I live on the fourth floor, actually,” he said during a presentation at HIMSS 2018 in Las Vegas.
Though he identifies as “Head Hacker” in his Twitter bio, Nye is far from the stereotypical data thief you’d find in movies like Hackers or Firewall (which miss the mark, he said. The real thing is much closer to Mr. Robot or Sneakers). On the contrary, he is the very public vice president of cybersecurity strategy at Cynergistek, an information technology (IT) management consulting firm located just north of Austin, Texas. His job, and the firm’s mission, is to serve and protect what is perhaps the most complex IT industry of all: healthcare.
It’s also an industry infamous for its lagging cybersecurity, and one where would-be hackers stand to make the most cash. Compared with credit card information, which usually goes for a buck or two, medical records can fetch upward of $300 to $400 on the dark web, Nye said. It’s no surprise, then, that in the first 60 days of 2018, data from 300,000 patient records had already been compromised.
With such low barriers to entry and such high payoffs, hackers aren’t likely to stop mining data from health systems any time soon. So what can healthcare’s C-suites do if they can’t beat the hackers? According to Nye, they should join them.
Many industry executives start and end their cybersecurity efforts with a vulnerability scan. For Nye, a so-called “vuln scan” is a great first step. But the fact that it requires little effort up front doesn’t mean it makes any difference without plenty of follow-through. Knowing your vulnerabilities is one thing; determining which ones are most likely to be exploited, and identifying ways to patch them up, is another.
The best way to figure that out? Penetration testing. It’s a method that the most secure businesses leverage to ensure they’re on the cutting edge of cybersecurity, and one that health systems haven’t made sufficient use of. “You’d much rather I find your vulnerabilities than one of the bad guys,” Nye said.
Companies that occupy the cybersecurity vanguard, like Google and Apple, have security systems so sophisticated they can crowdsource their penetration testing in a process called Bug Bountying. It centers on a company’s readiness and willingness to offer up cash rewards to hackers who can identify and exploit vulnerabilities in their systems, and is akin to “painting a target on your back,” Nye explained. Other organizations have in-house penetration testers, whose primary duties are to test and patch up potential inroads that hackers might use to break into their data stores.
For those with less sophisticated data security operations (this includes most hospitals and health systems, according to Duke Medicine’s chief information security officer (CISO), Chuck Kesler), the best option is often hiring a third-party penetration tester.
“If you pick the right expert, you’ll get a true unbiased third-party view of what’s happening in your network. They can bring the perspective of how vulnerabilities can be used within your environment, so that you can choose to focus on fixing the ones that matter most,” Kesler said alongside Nye during HIMSS.
Third-party penetration tests vary depending on the unique needs of each business. Executives can decide to have testing teams perform “blind” tests, to determine how their staff would react to a real-world security threat, or “informed” tests, which give in-house security teams the opportunity to put their best foot forward. They can “time-box” the penetration tests, to specify how long attacks will occur, and they can “scope” the tests, gearing them specifically toward a particular application or computer network, for example.
In most cases, third-party penetration tests involve what Kesler called a “war game,” where a so-called red team (a third-party team of hackers pulling out all the stops to make their way into your system) faces off against a blue team (your in-house security experts, who do their best to thwart all advances, and learn in the process).
Nye often plays the role of Red Team captain. His attack descends from all angles. He’ll strut right through your front door, often without prior warning to the building’s staff and physical security officials. “I’ve never walked into a facility and not walked out with something—anything—like a laptop,” Nye said. “It’s pretty easy. Hospitals are surprisingly easy to walk around.”
Physical security is only a tertiary aspect of the penetration test. While Nye creeps through a hospital, he’s also remotely controlling a gang of hackers who flood the hospital’s network with phishing emails and probe its phone lines for employees who are willing to divulge proprietary information. It’s the social engineering aspect of hacking—the penetration strategies that require little or no technical skill but often turn out to be the most effective.
“It’s hard to trick someone into doing something that you know is going to get them in trouble,” Nye said. But “I’d much rather make a phone call than try to hack your system.”
Besides phishing emails, probing phone calls, and physical theft, Nye and his team also run their own versions of vulnerability scans. Then they pool results and meet with executives to determine the most pressing security concerns and how they can be patched. The full-scale turnaround time is usually pretty quick compared with other types of tests, Nye said.
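The article makes the same point twice: a scan tells you what is vulnerable, but the useful step is pooling results from every source and deciding which findings are most likely to be exploited so they get fixed first. The script below is an added illustration of that triage step; it is not code from the article, from Nye, or from Cynergistek. The hosts, findings and scoring weights are all constructed assumptions chosen to show the idea, not a standard or a real scan.

```python
"""
Triage pooled assessment findings by likelihood of exploitation.

Added example, not from the article: merges findings from several sources
(a scanner, a red-team report) and ranks them so that remediation starts with
the issue most likely to be exploited rather than simply the highest CVSS.
All hosts, issues and weights below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    cvss: float            # base severity on the 0.0-10.0 CVSS scale
    internet_facing: bool  # reachable from outside the network?
    exploit_public: bool   # is a working exploit publicly available?
    asset_tier: int        # 1 = clinical/patient-facing, 3 = low-value asset


# Constructed sample output from an automated scan (not real hosts or results).
SCANNER_FINDINGS = [
    Finding("ehr-web-01", "Outdated TLS library", 7.5, True, True, 1),
    Finding("hr-intranet", "Directory listing enabled", 5.3, False, False, 3),
    Finding("print-srv", "SMBv1 enabled", 8.1, False, True, 3),
    Finding("patient-portal", "Reflected XSS", 6.1, True, False, 1),
]

# Constructed sample findings from a manual red-team exercise. The first entry
# duplicates a scanner finding so the pooling step has something to dedupe.
REDTEAM_FINDINGS = [
    Finding("ehr-web-01", "Outdated TLS library", 7.5, True, True, 1),
    Finding("infusion-gw-02", "Default admin credentials", 9.8, False, True, 1),
]

# Assumed weights: how much each asset tier matters relative to tier 1.
TIER_WEIGHT = {1: 1.0, 2: 0.8, 3: 0.6}


def pool_results(*sources):
    """Merge findings from several sources, dropping duplicates by (host, issue)."""
    seen = {}
    for source in sources:
        for f in source:
            seen.setdefault((f.host, f.issue), f)
    return list(seen.values())


def priority(f: Finding) -> float:
    """Exploitation-weighted score; higher means fix sooner.

    Starts from CVSS, then raises the score when a public exploit exists and
    when the host is reachable from the internet, and lowers it for
    low-value assets. The multipliers are assumptions for this example.
    """
    score = f.cvss
    if f.exploit_public:
        score *= 1.5
    if f.internet_facing:
        score *= 1.3
    return score * TIER_WEIGHT[f.asset_tier]


def remediation_order(findings):
    """Return findings sorted so the most pressing concern comes first."""
    return sorted(findings, key=priority, reverse=True)


def top_hosts(findings, n=3):
    """Hosts of the n highest-priority findings, in order."""
    return [f.host for f in remediation_order(findings)[:n]]


if __name__ == "__main__":
    pooled = pool_results(SCANNER_FINDINGS, REDTEAM_FINDINGS)
    for f in remediation_order(pooled):
        print(f"{priority(f):6.2f}  {f.host:16} {f.issue}")
```

Note that the print server carries a higher CVSS than the patient portal, yet ranks below it once exposure and asset value are weighed in; that is the difference between a raw scan report and the prioritised list an executive can actually act on.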
As effective as they can be, third-party penetration tests fall short of in-house testing teams and bug bounties, because they are boxed within a finite window of time, and sometimes miss evolving threats as a result. Moreover, Nye said that not all third-party penetration tests should be considered equal. “You get what you pay for,” he said, and the cheap ones are often no better than a simple vulnerability scan that any company could run free of charge.
Digital data theft is a booming business, especially in the medical world. As Nye put it, “The records we hold in healthcare are significantly more valuable than the records in a bank,” but significantly less secure. Even so, many health systems continue to have IT departments run by non-IT professionals. On top of that, the number of devices entering the healthcare environment, from hospital to home, grows every day, compounding the potential for data breaches and inroads for malicious hacking.
“We don’t have the appropriate controls in place to vet [our data, devices and people] to ensure they’re secured,” Kesler said. “If I stack that up against what I saw in [my previous experience] in financial services, it’s safe to say healthcare is the most complicated IT environment we’ve ever seen.”
Finding a solution means staying proactive, and getting to know your enemy. Nye’s advice? If you can’t beat the hackers, you can always hire them.