“Defending Things” for Over 20 Years
Ismael Valenzuela is a 20-year cybersecurity industry veteran and coauthor of the SANS SEC530 course, Defensible Security Architecture and Engineering. He started his career as a consultant, worked as a penetration tester, and has since worked for one of the largest public health organizations in the United States. Today, his focus is on the defenders, or what we like to call the blue team.
I asked for his perspective on the key challenges that the healthcare industry is struggling with in responding to ransomware warnings. There are numerous challenges, but the two most significant are gaining security maturity (many of these large healthcare environments have only centralized security operations very recently) and knowing what assets and patient data you have and need to protect.
Ransomware and Patching
There’s a common thought out there that those affected by ransomware are running very old and unpatched versions of Windows and other applications all over the place. They just need to start updating and patching. In reality, it’s not that simple.
“It took me a long time to get here,” Ismael said, “but it’s not about patching. Patching is something you get to do, but it’s just like wearing your seatbelt. You gotta do it, but it’s not going to save your life if you’re driving 200 miles an hour and you hit a tree.”
What’s needed is an understanding of how attackers break into a network and the ability to translate that into action. “It’s about thinking as an attacker and knowing what are the things that you need to do at each stage of those attacks, not to prevent it, but to mitigate the impact of it,” Ismael said.
Looking at the other side of the equation, some organizations think red teaming is great, but that they aren’t ready for it. Paul noted that in certain situations this is true, but that doesn’t preclude all components of red teaming. There is still red teaming or penetration testing that can be done to help identify vulnerabilities and help an organization prioritize which to address first.
On the patching question, Paul noted that, especially in the medical industry, you can’t always patch. Many medical devices are embedded devices with components integrated from different vendors. In this case, healthcare organizations need to know what components are in the devices on their network and trust vendors to make them aware of vulnerabilities and report them.
Thank you to Ismael and Paul for joining for this critical discussion!