October 23, 2024: Founder and CTO at Tausight, David Ting, joins Bill for a deep dive into one of healthcare’s most significant vulnerabilities—attack surfaces. With up to 75% of staff holding dangerous admin privileges, health systems may be more exposed than they realize. Ting reveals eye-opening strategies to secure systems by limiting access, but at what cost? Can healthcare strike the right balance between security and efficiency? Tune in to uncover the trade-offs that could make or break an organization’s defenses.
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Newsday: Attack Surface Reduction and Mac Vulnerabilities with David Ting
This episode is brought to you by Tausight. Tausight uses patented AI and advanced machine learning technology to discover both structured and unstructured PHI, going beyond DLP solutions to safeguard patient data from breaches. Their experienced team is dedicated to mitigating the financial losses and reputational challenges healthcare organizations face, allowing providers to focus on delivering quality care.
Trust the experts, trust Tausight. Check them out at thisweekhealth.com/Tausight.
Bill Russell: Today on Newsday.
David Ting: So attack surface reduction controls are designed to say, hey, let's take those master keys and really secure them away so that the majority of your people don't have them. And then the attacker slash intruder can't easily steal them.
Bill Russell: My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, where we are dedicated to transforming healthcare, one connection at a time. Newsday discusses the breaking news in healthcare with industry experts.
Bill Russell: Now, let's jump right in.
All right, it is Newsday and today I am joined by David Ting, Chief Innovation, Chief Technology Officer for Tausight. Essentially, the mad scientist who comes up with the products and builds things. Is that the wrong terminology? Mad scientist?
David Ting: That would be way too much for me.
Bill Russell: I'm just a humble programmer.
David Ting: I am a humble engineer that happens to love doing what I do. But Bill, it's good to see you. Hope you're staying well with all the
Bill Russell: Yeah, we're actually recording this on Wednesday. Wednesday Storm Week. We'll call it Storm Week.
I am still in Naples, Florida. The storm is heading in our direction, but it's more heading towards Tampa, and here we are. I'm actually looking at the, right here on my desk, I have the portable radio, the crank radio that you can listen to. Yep. I've got all that stuff going. I don't think we have enough water, but we have a wine fridge.
I'm not making light of this, but if the water's out for 30 days, we're not going to be here. Like, we will get in a car and drive somewhere, but we are nowhere near the path. We're in zone D, which is not evacuated nor considered even remotely an evacuation area. Last major hurricane that hit here, let me get this straight.
So our house will be surrounded by water. I will walk out into my yard and I will be ankle deep in water. But that's fairly normal. The thing about Florida that people have to remember is, it's built on sand. It's all sand. It's designed for tons of water. It sinks into the ground. If you come back here in a week, you won't be able to tell that it rained that much.
But what happened in North Carolina is it rained 14 inches on the top of a mountain. It doesn't sink into the mountain. It runs down the mountain and it takes the mud and anything that's not attached with it, and that becomes catastrophic. And so that's why when you have these kinds of storms in California, you end up with mudslides and terrible things, but when you have them here, it's just part of the ecosystem.
The wind is damaging. Right now we're under tornado threat, and I didn't know that when I moved here. When a hurricane hits, it generates a whole bunch of little tornadoes, and those do an awful lot of damage.
David Ting: I still think it's crazy to see that much energy being built up from the warm water.
That funnel effect of hot air, hot moisture can generate that much energy.
Bill Russell: Yeah, I now know more about weather than I ever wanted to, and I appreciate, we have a news station down here, Wink News, W I N K News, and they have two phenomenal, we call them weathermen, but they're really meteorologists. They study the weather.
And I used to joke that to be the weather person in Southern California is the easiest job in the world. You just point and say, 82 today, 81 tomorrow, 80, whatever. But down here, it's a real thing. These people study it; they impart their knowledge to us. It's really interesting. So I hope everyone, they will be hearing this after the fact because we're going to record this and release it probably on Wednesday. And I hope everyone is safe. Clearly the last hurricane that hit us last week was pretty devastating. And so, I mean, we can talk about the hurricane.
What I want to talk to you about though is, we can stay on this topic, because you and I a lot of times talk about security in healthcare. And let's see, if I looked at the news headlines, there's a major event going on in Lubbock, Texas, University Medical Center.
David Ting: Yeah, Becker has just reported that, I think I just read, the OCR fines a Levi at Providence Medical out in California. It is a pretty telling story if you read actually what the OCR found, and the federal government just said, hey, these double extortion attacks are focused on healthcare.
Duh. I think every CIO already knows that, but to hear it again, and for them to reiterate the dangers that it poses for healthcare. Lubbock has seen that, where they, the ransomware, they're turning away ambulances selectively, closing down. This has just become rampant.
Bill Russell: Since this is Storm Week, let's talk about it in those terms.
When I moved down here we got hurricane windows, we got a generator, we did a bunch of things to the house to prepare it for a hurricane. And what's crazy to me is it's a 25-year-old house and the people who lived here before had none of that, had no hurricane windows, no generator, no whatever.
But, my IT background, and, okay, let's minimize the potential damage that could happen. In healthcare, I want to talk to you about minimizing the potential impact or the potential for vulnerability at these health systems. What are you seeing? What are people doing? What's the current thinking and approach to really reducing the threat of exposure?
David Ting: I think your analogy there is perfect. It is like securing it from potential flood and wind damage and debris damage. You fortified your house; it's going to see a lot of impact from wind, rain, and then water. Water seeps in everywhere, and I think that's how you always have to think about how you secure stuff.
So you have perimeter security, you have probably built your house on stuff that will give you some elevation in case water starts to creep up. You've got storm wind, hurricane windows. You've got defenses layered in around the house. But then at the inside, you have things that are critical to you.
Your critical documents, your things that you want to keep. The picture of Einstein, all the stuff that you value. At some point, you're going to say, hey, there are tiers of layers of importance to me. And then the most secure stuff, all your personal documents, whatever your things that you say, hey, in the worst case, if water rises to eight feet, what am I going to do?
I should offload them. I should digitize them, store them offline, take them to a place that's high and secure. That's the strategy. So the thinking these days is really, hey, we have layered defenses, but really what you want to do is to reduce the attack surface. Attack Surface Reduction, or ASRs, as they're commonly known, are ways that organizations take to say, how do we reduce specific gaps?
How do I put sandbags around the most vulnerable entrance into my place? How do I create defenses that make it harder for things to come in? With the assumption that eventually all these defenses, your attackers, once they become intruders in your house, they'll ransack, they'll spend time, they'll find all the defenses, and one by one, depending on how vigilant you are, they'll take them apart.
I read enough of these attack vectors to say, these attackers spend as much time as they possibly have to get through each of your layers. Now, most attack surface reductions are aimed at things like, gee, how is your operating system protected from rogue software? How have you taken layers to make sure that they don't get in, phishing attacks that come in?
How have you tiered the privileges that your users have so that they don't easily get admin rights? Even if they had admin rights, how do you limit what the admin rights will give an attacker slash intruder? Because they will get in. That's how common extortionware and ransomware works. They get some credentials.
They elevate and they find your trove of admin rights, credentials, and boom, they walk all through your system. It's like they found the master keys to your house or your apartment and they go through everything. And so if you don't have tiered levels, you are going to get attacked. So what we're looking at these days is how can we help organizations reduce that exposure to having too much privileges, even for your admins.
That's actually your target. If you're an attacker or becoming an intruder, find that account that will give you access and then spend as much time going through your files in your system, creating havoc, steal your data, and then drop the bomb, encrypt everything. Now, the critical thing is, it's the set of privileges that your admins walk around with that gives them that right.
And it's been built into the Windows operating system since Windows operating system 3.1 became relevant, which is the ability to do backup and restore, to open up any file. Once you have those privileges, you basically have the master key. You can go around opening every door, every cabinet, because it's the master key.
And it was designed just for the operator group, but we find that a lot of organizations' administrators walk around with those anyway, because they're easily, nobody took it away from them. So that creates an easy attack surface, as an example, for attackers to take advantage of. So they come in, they steal an account.
The admin account has these Backup and Restore enabled and they go, Hooray! I can go and open any file, and all the controls you placed, it doesn't matter. I can just open it with the backup privilege, and with the restore, I can overwrite it. And that's how they get away with this broad blanket.
I can steal every file. I don't have to go to every individual account. So attack surface reduction controls are designed to say, hey, let's take those master keys and really secure them away so that the majority of your people don't have them. And then the attacker slash intruder can't easily steal them.
And we find that is such a common attack.
Bill Russell: appropriate amount? I was talking to a CIO. And a firm came in and said, Hey, you need to reduce the number of people that have that kind of access down to three people. And they're like,
David Ting: I would go down and say, even those three people, it should be a fractional percent of all your employees.
So what's the scary part? Numbers. How many people do you think some of these organizations walk around with? And our data, based on real time telemetry, will indicate that some places have 75 percent of their employees walking around with those.
Bill Russell: No! 75 percent of their staff? 75 percent of their staff.
That's insane.
David Ting: It's insane. I go, whoa, this can't be right. And then we look at some really tightly controlled IT shops. They're down in the 2 percent, and I go, 2 percent is okay, but it's still hundreds of people because of large teams. I have large groups that have 20 percent. I'm going, come on, people.
This is not rocket science. You need to reduce those privileges. And so it's a fear of, gee, how do I control it? Who's really using it? Now, the truth is, there are two things, so we can really get into the nuts and bolts of it, but I'm just telling you, the stats are frightening when it comes to how many users walk around with way too many, quote, admin level privileges, much less administrators.
Now, even with the administrators, there's a uniformity between, gee, once I have admin group rights, I have all these privileges anyway, because nobody segmented the backup and restore high privilege level users to a subset. Fraction, it would be a fractional percentage. If we did that, we can substantially reduce the risk that we are seeing, the exposure.
So attack surface reduction is all about saying, hey, I've got this huge place. It's got doors everywhere. How do I reduce the chances that an attacker walking in gets in and goes, hey, under the doormat, look what I found?
Bill Russell: So that happens either because people don't recognize it as a serious issue.
Correct. Or there's no visibility into it.
David Ting: I didn't know about it too. Do I really need it? And three, what's the exposure if I do have, if my users walk around with this? A really easy thing for you to say, I gave, right, all my users that because now they won't complain that they can't do something.
But you can do that with, there's, there are 65 privileges. There's a handful of what are known as dangerous privileges. So
Bill Russell: You're talking about Windows devices. Does that same issue reside on the, in the Linux world?
David Ting: Linux world is far better from protection. Because they never had that concept of blanket access control.
Where you could take a magic key and say, Look, every door opens unless you become root. You can have root privileges, but root privileges are way better managed in a Unix environment, way better.
Bill Russell: It's interesting because I was talking to somebody, a CIO at a health system.
And they are actually, it was Alistair Erskine, who's the CIO at Emory. And they're actually going to take a hospital and they're going to put it all on Mac computers for the endpoints. And I was like, oh, okay. First of all, the natural things pop up like, oh my gosh, are your devices gonna work?
Is Epic gonna work? Is whatever. And so he worked through all those issues to put 'em out there. But I asked him why, and he gave me eight reasons. And one of 'em is, he goes, look, the lifecycle on a Mac versus a PC is like double.
And he goes, the security on the Mac is just far better than a Windows PC. It's just, it's designed on a Unix platform and it's just better.
David Ting: The PC was designed to be a personal computer, which meant you could basically hook into everything and you had an API that gave you access to almost anything you want, which is great if you were a personal computer device. Layered on top of that is the NT operating system, which had the controls that were derived to be more enterprise-like, built jointly with the OS/2 team that started to segment the concept of, gee, users should be isolated from each other, and the notion of privileges.
They designed it really well, and it's used by the government, and it has all the C3 kinds of controls that need. It's very easy to screw up. It's very easy to say, gee, I have one control that I enabled, and I forgot to turn it off, or I was overly generous with these rights.
And all of a sudden, you have thousands of users that have those privileges.
Bill Russell: Talk about visibility. Is this something Tausight provides, just out of curiosity?
David Ting: Yes, we do. We check, gee, when you launch onto your machine, what does Bill use for privileges? And what are his token rights associated with the apps that he launches?
And are those considered privileges? And the way you want to reduce exposure is basically to say, I have taken away the pathways that can be exploited. The other half of it is liability reduction. You have valuables in your house that you haven't used and you haven't looked at and you go, gee, maybe we should put those things into waterproof bags.
Bill Russell: Case in point, I'm in the process of doing something with my car, and the lean to my car is sitting right here on my desk as the hurricane and thing goes through. So what essentially you're saying is the valuables should be put away.
David Ting: The things that you don't need to look at every day. And here's another stat that we found in looking at people's sensitive data. The majority of sensitive data is online. Not obsolete, but hoarded, right? Doctors and, look at an active window just like we do. But we have this propensity to say, hey, I might need that data, so let me hold onto it.
They hold onto it for years.
Bill Russell: Google taught us not to throw anything away. One of the reasons I use Gmail, and I hate to give people, hey, what does Bill use? We're on the Google workplace environment, but part of the reason I do that is, I've never deleted an email for, I don't know, it's been five years.
David Ting: Oh, that's not bad. I have people on Outlook that kept their entire work history because, hey, look, I can, just in case I may need to bring up that client again, I have it in my email. And emails become hoarding places. Documents you generated, they get hoarded.
Bill Russell: Researchers are known for this.
David Ting: I do that. I have test code or sample code that I wrote 15 years ago that I have in my directory. I know how to do that. Let me just pull that up and use it as a starting point. So we're great hoarders, and when I run out of storage, I go buy another storage device and I put it on the network.
We are great at hoarding.
Bill Russell: Attack surface reduction, ASR.
David Ting: ASR is the way you want to systematically think about everything in your organization as a risk point. Think of a balloon. The larger the balloon, the more likely you can puncture it. The smaller the attack surface, the harder it is for somebody to come in and penetrate that.
And for every attack surface, you need to understand what's the pathway to getting to a valuable thing that you have on your system. So an attack surface would be, A, I have really relaxed privileges. What is that going to do for an attacker to get access to my sensitive data? It allows them to walk through and bypass all the access controls that you painfully layered in for role-based access, or you have predefined and say, hey, business users shouldn't be able to access clinical data.
Legal documents should be isolated. If I have those handful of privileges, none of those controls matter. I can just as easily open a business document as I can a legal document or a clinical note. Gone. Rights are gone. That's the heart of the problem we have today, really.
Bill Russell: Interesting, because that concept, we adhere to that concept in the EHR itself. Like, we know it, we understand it, and we segment it so specifically that if you're like an intern who's just coming in, you're just going to get access to your stuff. And if you're a nurse, you get access to just your patients.
David Ting: Inside the EMR, you have that control layer.
Outside of it, you have the Windows layer. And so all your unstructured content that sits outside is secured by your Windows control layer. The Windows control layer has the known vulnerabilities that, if you don't secure the controls correctly, allow an attacker to easily gain it. It's not through the three people that should have those controls; it's really much, much broader. And that's the scary part about what we see. And we keep going and say, please do us a favor, because you don't want to be on that end where an attacker gets in through any of the credential dumping, credential hacking mechanisms that can occur. And there's a pathway, right?
That surface reduction would say, hey, I get access to Bill's Windows machine, and if the admin had logged in prior to you, I can get an app that will track that local security database where the credentials are cached, pass-the-hash attack, and you're an administrator on Bill's machine. And if I find a program that's got the, or an administrator that has those privileges, you're toast.
Bill Russell: David, I love, I love these conversations. We didn't talk about any specific news story.
David Ting: I'm sorry, I didn't mean to digress, but this is like so,
Bill Russell: It is top of mind. Well, David, thank you for your time. As always, great to catch up with you.
David Ting: Same here, Bill.
Take care.
Bill Russell: Thanks for listening to Newsday. There's a lot happening in our industry, and while Newsday covers interesting stuff, another way to stay informed is by subscribing to our daily insights email, which delivers expertly curated health IT news straight to your inbox. Sign up at thisweekhealth.com/news.
Thanks for listening. That's all for now.