Building a culture of a compliance is something we have talked about many times in this podcast.  We never looked at it as a community problem.  The things we heard about training the human element to build a cybersecurity culture were very exciting

to us.  Well, at least to Donna.  The concepts they covered about training, not just the workforce but training the community as a whole to better understand what cybersecurity really means.

We also followed that up with a session that explained some more scary darknet activity.  Your machine could be for sell on the darknet and you don’t even know it.

Between those two we certainly understand why there should be a discussion for making a culture of cybersecurity nationwide.

HIPAA For MSPs Can we build a national culture of cybersecurity?
00:00:00 00:00:00

In this episode:

  • HIPAA Boot Camp and other events
  • Discussion about HIMSS session on building a culture of cybersecurity
  • Mayo clinic is doing some cool things in their workforce training and in their community
  • Teach how to keep your kids safe online instead of how to be secure at work. Same info but different interest level.
  • Selling access to computers on the darknet.

Mayo Clinic data security officer

  • Behavior management is new term they use
  • Not just tech folks in these positions but educated HR folks
  • Example used was 2fa implementation
    • planned for all things the humans could do and have a plan for it like here is how you get your Apple ID if you forgot it
    • expect questions but also who will they ask. Inform the people they will ask in advance and deeper
  • set tiers and design messages for each tier
    • social engineer the executives with being non-techie and unassuming
      • deal with providers who are different too
      • High-level targets like financial folks.
  • keep message simple brief and relevant
  • use communication channels in place to get support
    • what to protect?
    • how to protect?
    • what is impacted?
  • thou shall or thou shall not approach doesn’t work
  • password locker vs password manager message – which one is better
  • phishing campaign should share results in medical style like the reason we keep doing it like a booster shot to your security awareness vaccine
  • allow groups to compete for numbers in phishing campaigns and post scores for everyone to see
    • competition starts to feed awareness
  • teach employees about protecting kids with same behavior you want from them
    • volunteer to do it at school and invite parents

NCSA public private partnership National Cybersecurity Alliance

  • DHS funding
  • 25 companies funding
    • this is a national problem for public and business safety
    • education and awareness programs including Cybersecurity awareness month and Stop Think Connect. Data privacy day was Jan 28
    • working to bring CSF down to SMB levels
    • catch a problem you get a prize and start teams to look for problems and get discussions.
  • FB group worked to trick sec team and win a price
    • people know the pwd matters but they still don’t do it right so just teaching them to know about it is not helping
    • market research is basically what you have to do.
  • Don’t just tell them what to do figure out what message will work.

SAN securing the human all about Cybersecurity awareness programs

  • how do we communicate the behavior we need others to do
    • most people are geeks so we need better commutators
    • stop being complex.
    • find the most bang for your buck with change in behavior
    • every behavior has a cost and you find where the cost is too expensive

Security training for the masses

  • teach that it is everyone’s responsibility
  • don’t worry about specific app worry about behavior
  • Snapchat is a great example. Ask kids to explain it to you
  • stranger danger and crossing street lessons for safety so is Cybersecurity
    • adults cross streets safely every day. Teach this the same way. No tech details required
  • resistance and resilience. Try not to see it but if you do then know what to do when it happens

Cybereason season selling machines in a botnet

  • THIS IS WHY WE HAVE TO HAVE EVERYONE INVOLVED
  • attackers have vulnerabilities too just have to use them back
  • openings to networks are found by hackers and then they sell them on the dark net
  • Adware machine sold up a chain based on value of the machine
  • $5 basic
  • machine that does e-commerce or financial next level
  • enterprises connections at all it is an adware botnet jackpot where they resell access via adware access
  • darknet site offer to just tell you if there is a machine in your network Russian site astetic?
  • there is a code of conduct for black market
    • only buy and sell RDPs or SSHs and we don’t know how they end up here we just connect buyer and seller
      • the RDP or SSH gives access to command and control machine
      • fair price trading – no rip offs here
        • Hacker can resell it but I still have to pay the 80% commission again
  • filter for US-based machines and you get a long list
    • found a $14 machine at subsidiary of Microsoft
    • intel data center machine sold for $13
    • Houston TX medical center sold for $18
    • Wellstar health system in ATL sold for $17
  • freeware or click fraud all low risk threats then sold by machine one at a time – spray everywhere and resell them

Can we build a national culture of cybersecurity?  We don’t know but we can try!