[BreachExchange] Frank Abagnale, world-famous con-man, explains why technology won’t stop breaches

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 23 20:10:26 EST 2017


https://arstechnica.com/security/2017/02/phish-me-if-you-can-frank-abagnale-says-tech-will-never-defeat-social-engineering/

Frank Abagnale is world-famous for pretending to be other people. The
former teenage con-man, whose exploits 50 years ago became a Leonardo
DiCaprio film called Catch Me If You Can, has built a lifelong career as a
security consultant and advisor to the FBI and other law enforcement
agencies. So it's perhaps ironic that four and a half years ago, his
identity was stolen—along with those of 3.6 million other South Carolina
taxpayers.

"When that occurred," Abagnale recounted to Ars, "I was at the FBI office
in Phoenix. I got a call from [a reporter at] the local TV news station,
who knew that my identity was stolen, and they wanted a comment. And I
said, 'Before I make a comment, what did the State Tax Revenue Office say?'
Well, they said they did nothing wrong. I said that would be absolutely
literally impossible. All breaches happen because people make them happen,
not because hackers do it. Every breach occurs because someone in that
company did something they weren't supposed to do, or somebody in that
company failed to do something they were supposed to do." As it turned out
(as a Secret Service investigation determined), a government employee had
taken home a laptop that shouldn't have left the office and connected
it—unprotected—to the Internet.

Government breaches of personal information have become all too common, as
demonstrated by the impact of the hacking of the Office of Management and
Budget's personnel records two years ago. But another sort of organization
is now in the crosshairs of criminals seeking identity data to sell to
fraudsters: doctors' offices. Abagnale was in Orlando this week to speak to
health IT professionals at the 2017 HIMSS Conference about the rising
threat of identity theft through hacking medical records—a threat made
possible largely because of the sometimes haphazard adoption of electronic
medical records systems by health care providers.

Abagnale warned that the value of a medical record to identity thieves far
surpasses that of just a name, date of birth, and social security number.
That's because it provides an even bigger window into an individual's life.
Abagnale says the responses of organizations (including the state
government of South Carolina and the OPM) to theft of sensitive personal
information is far from adequate—and because there's no way to effectively
change the data, it can be held for years by criminals and still be
valuable.

Nikki Haley, the governor of South Carolina at the time of the breach,
"ordered credit monitoring for every citizen in the state for free for one
year," Abagnale said. "I wrote her a letter the next day that said one year
of credit monitoring services was worthless, because people who steal mass
data warehouse that data for sometimes three to five years. So they're not
going to put it in the marketplace when you told them you're giving credit
monitoring for one year." President Obama ordered free credit protection
for those affected by the OPM breach for 10 years—though the original plan
ran out in December, and it's on the shoulders of those whose information
was exposed to re-up for the protection.

When credit card data is stolen, Abagnale explained, criminals "have to get
rid of it right away"—because credit cards can be replaced and fraud
stopped quickly. "But if it is someone's name, Social Security Number, and
date of birth—they can't change [those things]. So the longer I keep the
data, the more valuable it becomes when I go to sell it." Abagnale noted
that some of the personal identity data stolen from the breach at TJ Maxx a
decade ago is just starting to surface on the black market, for instance.

Abagnale said that there's been a surge in the past few years in medical
identity theft. "It's as simple as, I'm in Orlando and I break my leg, I
have no insurance, and I go to the hospital and say I'm you," he explained.
"I give them your information, they treat me, they bill your insurance
agency, and then your insurance company eventually notifies you because
there was a deductible. And you say, 'wait a minute, I was never in
Orlando, I never broke my leg.' But it's not that simple—trying to get that
fixed, and trying to get it off your medical records, and then having
collection agencies hounding you for that money is just unbelievable."

Such a scenario is just the beginning of what's possible with the theft of
medical data today. "Like every form of identity theft, if I can become
you," said Abagnale, "what I can do as you is only limited by my
imagination."

That's why Abagnale is particularly concerned about the security of smaller
healthcare organizations, especially pediatricians' practices. "These days,
we're very concerned about the theft of children's identities," he
explained. "We see a huge uptick in people stealing the identities of
children. The younger that child, the more valuable that identity
is—because if I can become that child, I can become that child for a long
period of time before that child is going to be getting a credit report or
applying for credit or a job. And a two-year-old's [stolen identity] is not
going to look like a five-year-old a few years later, because someone can
use that identity over and over."

Ransomware. Thanks, Obamacare

The wave of ransomware attacks against hospitals last year served as a
stark wake-up call to health providers that they had a security problem,
according to Rod Piechowski, a senior director at HIMSS. "Ransomware got
the most publicity," he said. "It put a sense of threats in people's minds
more than any conversation they'd had previously."

For many health organizations, those threats are well outside their
wheelhouse. Healthcare organizations have faced a "real lift" in adopting
electronic health systems over the past seven years, Piechowski explained,
particularly for those that never had an information technology department
before. It's "thousands of hospitals and hundreds of thousands of providers
having to implement information technology," he says.

Regulations like those under the Health Insurance Portability and
Accountability Act (HIPAA) have always placed privacy and security
requirements on healthcare providers, but the Affordable Care Act's
incentives were intended "to get people using and reporting that they were
using these electronic systems," Piechowski explained. However, the focus
wasn't on security practices. "So now all these companies find themselves
in a situation where they've become way more of a target. We're seeing an
uptick in the intensity and aggression in targeting of healthcare
specifically. There are attackers out there that are aware of the lack of
real defense mechanisms in place—it's a new game."

Piechowski's description of what the healthcare industry now faces is
similar to what many companies have been facing for much of the last
decade—"they're constantly seeing phishing attempts, constantly seeing
malware," he said. And while there are technical means to screen against
many of the more brute-force attacks, the value of data in hospitals has
led to much more long-game attacks based on thorough reconnaissance and
probing for weak points. "There's a longer road, where first they find out
who you are, they learn more about you, and about the hierarchy of your
organization," he told Ars. "We're seeing more sophisticated approaches to
learning about your organization."

In other words, hospitals are ripe targets for social engineering—something
Frank Abagnale remains an expert in. "It's what I did 50 years ago as a
teenager. I didn't have the access to computers, so I had to use the
telephone. Social engineering is just as powerful today as it was 50 years
ago when I used it." Abagnale believes that technology alone will never
defeat a good social engineering game—"the only answer is to absolutely
educate your employees about how to protect themselves and how to protect
their company."

To that end, for the past eight years, Abagnale has done "cyber awareness"
training at major companies across the US to demonstrate just how
vulnerable employees are to the most basic of social engineering tricks. "I
don't park in the visitor parking lot—I park in the employee parking lot,
and then I remove from my pocket 25 or 30 memory sticks that say on them
'confidential' [and drop them in the parking lot]. Then at lunchtime, I'll
open my laptop to see how many employees actually went to see what that
memory stick had on it, and I can tell whether they put it in their
computer and didn't open it or if they opened it. In the 7 or 8 years that
I've been doing cyber awareness month, I've yet to be to a company—and
they're all household names—where someone hasn't gone to see what the file
on the stick says. And of course what it says is, 'this is a test and
you've failed.'"

Bureaucracy is the answer

Abagnale's seminars hammer home the damage that employees can expose
companies to by simply plugging in a USB drive they found in the parking
lot. "I explain to them that I could have cost their company a billion
dollars overnight. I could have destroyed the hundred-year-old brand of
their company just by the act of their taking a look at that," he says.
"That's the way you have to bring home that point, and you have to keep
bringing it home. They will get it, but they need to understand how these
things occur. You can't just say to them, 'Hey, people will hack in; you
need to be careful.' You have to explain to them how they do it, why they
do it, what they're trying to obtain. And once they understand it, they're
smart enough to protect themselves from being a victim against that risk."

Abagnale and Piechowski believe the best defense against breaches is using
this sort of reinforcement of the threat posed by not following policies
and procedures. "What we're alluding to here," explained Piechowski, "is
that it's not just technology—there's people involved, there's process
involved, and if you don't have a process in place that people understand,
then technology alone is not going to keep you safe." The only effective
way to get people to understand and change to follow policies, he noted, is
to spell out what's at risk.

"The culture of the organization will change in time once it recognizes the
business threat," Piechowski said. "Because if the business isn't viable,
that's their livelihood."

So the next time you're frustrated by the arcane processes of your health
provider, remember—they're in place for everyone's protection.