
BSidesATL 2015: The Art of Speaking With Muggles by Martin Fisher

BSides Atlanta · 27:43 · Published 2015-04
About this talk
**Apologies for poor audio quality due to technical difficulties!** Have you ever tried to explain your security program to someone else in the business? Did their eyes glaze over? Did they understand *anything* you told them? If you're like the vast majority of InfoSec folks, you likely get pretty frustrated trying to explain the "why" of security to folks that, from where you sit, just don't get it. In this talk we'll address how to most effectively talk about security to technical and non-technical coworkers, managers, and executives. Who knows? You might just become an Information Security Ghost Whisperer...
Transcript [en]

I'm one of the organizers on the organizing committee for BSides Atlanta. I'm really glad you managed to hang out with us all day; it's been, I think, a pretty amazing day. I want to thank the rest of the coordinating committee. There's Mike, and Nick's around here somewhere. It's been huge working with all these folks. BSides Atlanta is a very special thing. I also want to give a very big thank you to the red shirt team from KSU. You guys did a fantastic job today. I'll make sure Andy knows, and you get a little special extra note on your next exam. So let's talk.

I manage IT security at Northside Hospital. It is the baby factory, right? The people I work for, they do healthcare; they don't do IT security, and yet it's my job to essentially sell the program. As I talk with people, I realized we're not good at this. So take a moment, examine yourself. In our community people see themselves in a lot of different ways, and if you look within our community we have these sub-communities. Sometimes there are people who think they're the cyber hacker type. We all know these guys and girls; they're just cyber hackers, ninja elite people. Some folks see themselves as a friendly superhero, out there to save the day and be happy with the business, and I just turn the screen off, I'm doing awesome today. And lastly we have the iconoclast: the person that no one understands, who deep in his heart has desires to rule the world. Generally all of us fall into one or more of these things. But the problem, the issue, is that the people in the business that we deal with don't see us the way we see ourselves. They see us as wizards. We dress funny, right? We really do. We have strange implements that do bizarre and amazing things that they don't understand. And most importantly, we have women in our community who are generally smarter, faster, better than the guys, kick ass harder, but always get second billing. What is up with that?

So this is me. We'll talk more about how to get in touch with me. One thing I do is the Southern Fried Security Podcast, the number one Atlanta-based information security podcast. Andrew, nothing personal. It's something I'm really proud of. Yvette Johnson is here, who's also on the podcast, and she's actually supposed to be doing interpretive dance right now. There it is. Sweet. If you want a sticker, we have those. So shall we begin? Let's talk through this thing.

The first thing that we need to do is get rid of this language that we use amongst ourselves, which is really effective and really efficient. The challenge is that when we turn around and use that with the people in the business, it sounds like this. Take a moment. I know I'm crossing multiple meme things, but this is how we sound to the business, which causes them to look at us with this expression on their face. And in the past that was okay. If you've been in information security for a while, there were the days when the business just threw metric boatloads of money at us to make problems go away, and we said magic words, and we bought all these shiny boxes that had blinky lights, and had engineers with questionable personal hygiene that managed it. At the end of the day, did it work? No.

So how do you fix it? You need to be able to explain the processes and the technologies we use to your organization in ways they understand. The number one way people learn, and if you're a parent you know this, is by analogy. I'm in healthcare, so I had a conversation my second week at the hospital about signature antivirus, as we were about to do a pretty substantial renewal with our signature AV company, and not my CIO but my COO said, "I read an article that said it wasn't worth it. Why are we doing this?" I have a great Chief Operating Officer, and I used this: signature AV is like the flu vaccine. It works great for the strains they planned for, but for the other strains that have mutated out, not so much. This year's flu vaccine is only about 15% effective against the majority of the strains that are going around. Does that sound like the antivirus that we actually put on our endpoints? Very much so. You can also use real life as an analogy. I was asked at a previous employer what intrusion detection was all about, and it's like a gate guard: she'll look at the cars coming through and she'll follow the procedure, but if someone really wants to get past the gate guard, they can. Isn't that right, Eric?

So what do you have to do as well if you're going to communicate effectively with the business? Please, for all that is holy, if you only hear one thing today, hear this: you must fight the urge to prove you're the smartest person in the room. This is the number one cardinal sin all of us, me included, commit on a regular basis. We do it inside the community and that's okay, because there's this one-upsmanship we love to do to each other. But you start doing this with the HR director or the supply chain people, and you're not seen as someone who's fun to be around. You look like a dick.

The next thing we need to do is reduce the amount of FUD in the environment, and I'm looking at vendor types. Recognize this: there's about to be the most ragey episode of the podcast ever. We actually recorded a commercial for a new movie that's going to get released on April 1st, and that'll be in the next episode. But let's face it, we start talking about Heartbleed and Shellshock and POODLE and FREAK and all this other crap that's in our environment, the mass media is picking it up and our business people are seeing it, and it's completely unfiltered. It's 99% utter bull crap. And what's happening is some of us are going, "Wow, my boss is scared, the CFO is scared. Excellent, I feel a new IDS coming on." Don't do that. So what should you do? Because at the end of the day, if you keep doing this, you're Moaning Myrtle. Remember her? She was the one who bitched and whined in the bathroom all the time, and no one wanted to go talk to her, except Harry ended up there a bunch of times. But no one wants to be around this person, ever.

So what do you do? One of the coolest things in healthcare is we have this concept called SBAR. Where's Carpello? He left. He used to work for me. SBAR is a way that, in healthcare, when patients are being transitioned from one location of care to another, for example out of the back of an ambulance into the emergency department, or when the shift changes on a med-surg floor, they talk about the situation (what's going on with the patient), the background (how did we get here), an assessment (an unemotional assessment), and then a recommendation of what you have to do to deal with the patient. I actually have my team... I see Jake out there going, "Yeah, I see what you did to me." I'm having my folks do this. This is how we talk about information security in my department. It's amazing how you take all of the stupid hype out of the conversation by going situation, background, assessment, recommendation. Even if you don't talk specifically this way to your business leadership, if you think through it this way, you start with becoming incredibly credible. Andy, how often... In healthcare we frown on smothering people with pillows. So in my environment, and we'll talk more about that in a second, you're getting ahead of me.

The next thing we have to do is realize what our mission is, and in information security this Dilbert makes me cry and laugh at the same time, because how many of us have worked for, or with, or had someone like Mordac work for us? I have. How many of us have fired Mordac? It was awesome. So you need to be able to get context. You need to be able to talk to the business in terms they understand. If you don't get invited to the meetings of the business anymore, if they avoid you, if they see you coming into the hallway and guys are going into the women's restroom to get away from you, or your emails just go out to the ether, you might be that guy. Nobody likes that guy. How many of you have read The Phoenix Project? Remember John in the beginning of the book? Don't be John. Don't be John.

So let's talk about goals and objectives for an information security department. Again, I run the information security department at Northside Hospital. We generate more new people in our building than any other hospital in the United States except one, Parkland Regional in Dallas, Texas. 25 to 27,000 babies a year come out of our Women's Center. It is awesome. We have three hospitals, 154 different locations, 13,000 employees, tens of thousands of biomedical devices. These are Windows CE devices, Windows XP devices that are connected to machines that are connected to people. So given what you know, and you're all CISSPs, right, what is the number one mission of the information security department? People have heard the speech before. It's ensure patient safety. When you come to my hospital, when you come to my cancer center, when you come to my radiology clinic, or you're just visiting your family doctor, you're not coming there to get hurt by a malfunctioning infusion pump, a badly acting X-ray machine, or a computerized physician order entry system that can't dispense the correct prescriptions. There's this concept in healthcare called sentinel events. How many of you have heard of hospitals amputating the wrong leg, removing the wrong... These are sentinel events, and they're huge. My number one goal is to protect patient safety.

So what's number two? People who have worked for me in the past, you can't answer this. What's number two? Seriously. Communication? Got to vote for that. What else? Data privacy? All good answers, all wrong. Cyber, cyber. Next is quality of patient care. So I don't want you to get hurt or killed, that's number one, but I also don't want the quality of the patient care, for the almost two million encounters a year that we do at Northside Hospital, to be less than what that caregiver needs them to be. I cannot put the security environment between the physician, the midlevel, whatever caregiver, and you. Do you want a host IDS system between the physician's decision to treat you and your kid? If you do, [unintelligible]. You don't want that. So then number three: ensure the security of sensitive data. I actually briefed this to our directors' meeting, and when I threw goal number one up, ensure patient safety, there were audible gasps, because they were assuming that I was coming in as the brand new security guy to preach fire, doom, damnation and destruction on them, to talk about PCI, HIPAA, all the things, all the cybers. But I talked about patient safety.

So when I start talking about patient safety, I talk about information security in the context of patient safety. One, they immediately assume it's a trap, but it's not, because we make decisions knowingly at Northside that, from the outside, you'd say are reducing your security posture. Maybe I am, but I'm getting out of the way of impacting the quality of patient care, and I've got these other compensating controls I'm going to turn on to make up for it. Now over time you gain credibility, because your goals and objectives are aligned with the goals and objectives of the business. This is exactly what physicians care about. There's no card more powerful to play in healthcare than the patient safety card.

Now how does that work for me? Some of you may have heard me rant about biomedical devices. Biomedical and SCADA systems are very close kissing cousins. Just to give you a sense of how things work, we talked a little about Windows CE devices and XP devices that are attached to people. There are brands of infusion pumps, and these are the pumps that are connected to multiple vials, which go through and do chemotherapy for people. Chemotherapy sessions can last anywhere from 90 minutes to four and a half hours. These are XP Service Pack 1 embedded machines. There's no AV, there's no security controls on them whatsoever. So how many of you are red team people or pentesters? Okay, you get it. You get on a network, on a segment. What's the first thing you're going to do? Scan what's there. And you find an XP Service Pack 1 machine. Your eyes widen a little bit, your eyes dilate, you get a little bit moist under the armpits. You're like, "I have like 16 bazillion exploits I haven't had a chance to use in like seven years." You line them up, you hit the Metasploit button, and you just attack. Now you had no idea it was an infusion pump, but you just dumped four hours of chemotherapy drugs into a person in seven minutes. What just happened? You killed somebody, because that wasn't your intention; your intention was to go to the domain controller. That's the thing. So when I talk about biomedical devices being patient safety issues, I'm gaining a huge amount of traction inside the environment, because it's scaring my leadership, it's scaring my physicians, because they get that. I lay that scenario out, they get it, and we are making huge investments to fix this problem.

So what do you think? Now I know some of you are probably thinking, "[ __ ], we are information security people, we care about confidentiality, integrity, availability. I have a CISSP on my wall that says so." I know this because I've interviewed people for positions on my team who essentially tell me this. None of them work for me. What I'm saying is that some of these people want to be the cyber ninja, they want to be the friendly superhero, they want to be the iconoclast, and they can't imagine themselves in any other role. The challenge is they're wrong. The days of being able to have a successful career in information security and being the superhero, the iconoclast, the cyber ninja are over. Can you get a job doing it? Absolutely. Will you ever be a manager or a director or a CISO? Nope, not anymore. The Muggles need us. Okay? They really, really do. They need our help. We need their money, their staff, and their ability to run organizations effectively, because I will be honest: if you simply look at the way this conference got organized, information security people should not run organizations. Seriously. So you have a choice. Do you go to the dark side? Do you keep trying to be the cyber ninja? Do you keep trying to be the iconoclast? They're really the ones that scare me. Or do you realize, as a wizard, your job is to be able to talk to Muggles in ways they understand and help them?

Now my hope is you join this band, you come on this journey I'm taking me and my folks on, because we're in a very weird time in information security. For years, when I first got into this, CISOs complained, "We don't have a seat at the table, the business doesn't listen to us," and it was true, it really was. Guess what? They do now. I meet with my COO every month for two hours. I have a seat at the table. A lot of my peers have a seat at the table. Unfortunately, too many of my peers have no idea what to flip and do with it, because they're still in superhero mode or, worse, they're iconoclasts. This is me. If this resonates with you, I would love to talk with you more about it. More importantly, if this doesn't resonate with you, I want to know who you are; that way, if I ever see you post on a job for me, I can simply move it to the other side. Because this is the path of information security going forward. It really is. We can't be what we've been to the outside world. Now internally we are a messed up family, and I wouldn't have it any other way, but when we start talking with the people out there, we have to talk to them differently. So with that, thanks very much. We have a little bit of time for questions. Anyone? Anyone?

[Audience question, partly inaudible: when you went in and presented "these are our priorities", where did you come from?]

So I joined Northside about 10 months ago. Before that I spent three and a half years at WellStar Health System here in town. Prior to that, my experience with the healthcare system was taking my kids to pediatric EDs. That's one of the things you have to learn, because everyone's mission is different. I'm looking at Andrew and Phil; they're in a totally different industry and the business mission is different than mine, but knowing the two of them, they're aligning themselves with the mission of the business. That's what you have to do. There's another question over here. Andy? Yes, next question.

Oh yeah, you're like the CISO even in higher education, right? So there's sort of this balance, as in healthcare, between running quality education and security and privacy. I only know one person who has it worse, and he is the CISO for Emory, so he's got the university and he's got a hospital. So again, I guess at the end of it, you look at the institution and you look at what their goals and values are, and you have to map what you're doing to that. If your top two or three missions don't exactly mirror the organization's, you're disconnected, and you'll never be able to get the credibility and the traction and the collaboration you really need, want and deserve. Yes sir.

[Audience question, partly inaudible: in terms of medicine being a regulated profession, both the medical side and now the regulation...]

So the question was around regulation. Here's the challenge. Most of the regulations for healthcare go toward the privacy and confidentiality of data points, and most healthcare providers I think are doing a horribly reasonable job of it. The challenge is the thing that I'm most worried about, biomedical, is regulated by the FDA. The FDA's drive for regulated medical devices until very recently was efficacy: does the device work, and in a sterile environment can you guarantee me it won't hurt somebody? That's how they test. Well, hospital environments are not sterile, not even the ED is. [unintelligible] The FDA is working with the National Health ISAC; I'm joining that working group to talk about how do we harden these. The problem is there are literally millions of them in place right now that can't be upgraded, can't be patched. They cost literally trillions of dollars to replace, and most of your community healthcare providers do not have the financial wherewithal; even if new hardened devices were available, they couldn't afford to replace them.

[Audience: I meant more from the medical ethics perspective. Are they beginning to talk, from the people's side, the medical side? Are they beginning to talk to doctors about the importance of this?]

Sorry, I misunderstood the question. Yes, those conversations are happening with physician leadership. In my world we talk with physician leaders and explain to them what's going on, and there are physicians who are just naturally more attuned to technology and they get very interested in it; some of them don't. It's like any organization. Where they generally all get concerned is there are certain aspects of compliance where physicians are held individually and severally liable. Understand that the malfunctioning of a biomedical device is not medical malpractice, which is what they are mostly concerned about.

[Audience question, partly inaudible: the other controls you mentioned, is that something you can talk about and share?]

Not right now. The question was, with the XP Service Pack 1 embedded devices, can we share what we're doing? No. We have NDAs in place with a couple of people, but my goal is, by the end of the year, to be able to actually publish something. Other questions? Sir.

[Audience: so would you say that you have a leadership role there? I imagine many other hospitals have that same issue.]

Oh yeah. Here's the thing: did you guys know that XP Service Pack 1 embedded is still supported by Microsoft? You can still buy stuff with that. Yeah, 29, and it has a 15-year depreciation. So overall, I think the way we in healthcare are going to handle it is much like, if you ever talk with Tom Wilson and his team from The Southern Company, the way that they're protecting the SCADA systems of the nuclear plants: you essentially create a separate control network that is completely access controlled, as secure as you can possibly make it; that's where all those devices live. Then you have an administrative network for the rest of it. At the end of the day, that's how things are going to have to work with us, because we just can't replace all these devices. Other questions? It's fantastic. Thank you all.

All right, so what I want to do: Chris, you got CFP results? We do CFP, CTF. All right, so we've already been talking about CFP for the next BSides Atlanta; that's why I've got it on the mind.
