
All right, good morning Delaware, and good evening or good early morning India and everyone else joining us from multiple time zones. Thank you for attending so early on a Friday morning; some of you are working. My name is Michael Maestro Annie, and this is a soft skills presentation, so just be warned going into that. I am a project manager mostly working on the information technology and information security side of new medical apps and processes, often related at this point to COVID infection prevention and tracing protocols at some of your neighborhood hospitals, especially if you are in Maryland, Delaware, or the District of Columbia. I'll also be briefly going into some interesting ballot security stuff that came up this year, of course, during the election, as well as where that led us as information security specialists.

As you'll probably see from the slide here, this was originally developed more for the dev and IT crowd in corporate settings, but at the urging of the incomparable Janice Paulson I started thinking more about infosec this year and also wanted to bring this presentation to more of an infosec crowd. So this is sort of a first time out.

What does emergency communication mean, and also what does decision maker mean here? Well, when I'm talking about emergency, there are two different kinds that you're probably going to run into as any kind of information technology professional. First is where chaos reigns, which is usually a big crisis or an organizational crisis, when something has gone terribly wrong or is about to go terribly wrong. In some cases you might be the infosec advocate that recognizes that and no one else does. And also a smaller emergency, usually, is when there is no help, which is more of a team emergency or a project emergency, usually when someone coordinating your work with other vital members of the team isn't available. So when you're going into either kind of emergency, before you start, the first thing you should be doing as an infosec advocate is know the other ones on your project team or in your organization. Unfortunately, in some cases, and this is also what I determined working with Compass early on, it might just be you, and this does give you a lot of opportunities but also opens up a lot of risks, and that is more what we are going into today.

So let's start with the big emergencies that you often encounter; that is where chaos reigns. What do I define chaos as? Well, it's really hard to define, but in this particular case let's take it as it is, especially from a hacker perspective: a project or an organization has been or may be imminently compromised by an attack, a breach, a flaw that you've discovered, an internal element that could be a human or signal, or an unscheduled test, because if a project organization breaks down during one then there's probably something seriously wrong.

We usually prescribe CPR for these cases, as communication, preparation, and reaction. Communication is usually determining who you can communicate with to resolve issues that you see coming or that are already happening. Preparation is doing what you can alone and with those people; it's important to cooperate when you can, but also be ready to do the work when you can't. And also reaction, which is running the plan you're coming up with and being prepared to deal with the unpredicted.

Something that's been coming up a lot in the human resource and corporate world, after having spent a lot of time in psychology and sociology, is the risk and resilience model, which originally was designed to determine personality resistance through trauma, but also has been used to track a lot of community and corporate factors. As it applies to a lot of the communications we're going to be talking about, it goes from detecting or identifying an anomaly, which in a more psychological model might be a stressor (an anomaly is anything that's going wrong at this particular juncture, writ large), and then sorting out the risk factors that it opens up a project or organization to. Usually in this term you're seeing the bull's-eye on the left, or two from the left, to show risk factors are usually sorted from closest (or, in the psychological environment, more intimate) to more remote, so the ones that are more of an acute risk to a project or org are at the center. And then you have protective factors. These are usually just the positives to the negative, but they're grouped in different ways, because protective factors for a person, just like an organization or project, always interrelate or interact somehow, and that's usually what makes protective factors smaller. Just to go off of what we were hearing in the keynote about the importance of preventative measures in the pandemic: we're talking about protective factors being masks, hand washing, limiting your distance to friends, the possibility of contact tracing in the case that you fail to prevent infection. These are all protective factors that work together and strengthen each other, because none of them are 100% effective on their own. It's usually the same case for corporate resilience as well as infosec resilience when you're coming back from some sort of attack, breach, or flaw. And then usually, if you are doing a post-mortem, you're sorting out outcomes, both positive and negative, to try to strengthen your organization's response in the future.

So what does this mean for the infosec professional? There's a lot on these slides, but there's also a lot that we're covering in a short period of time here. From the macro perspective, it's often important for infosec professionals, especially if they feel like they're the only advocates in the field, to cultivate a culture of information security and good governance. These are both very important, or twin, aspects that work in organizations, and organizations usually pay when they fail to recognize one or both of them. So in this particular case, cultivating a culture of security would be having more people become infosec advocates. You're doing a lot of recruiting here; there are usually more IT professionals related to what you're doing than might even be on your team. When it comes to using the resilience model, it's often your job to translate that for information security, so we're talking about identifying the risk factors that you can reduce and identifying the protective factors that you can increase. You also often need to identify the ones you can't do anything about, just to be aware of them in the environment, because we're usually doing our best work when we understand more about the context we're working in.

So what does this look like when you bring it to where the rubber meets the road for the organization? Well, a lot of the time it's one-on-one time with the people who can make those decisions, like the chief information officers and VPs of technology in particular organizations, and understanding the rationale they use to make decisions. This usually involves case studies and numbers, especially when it comes to medical care executives, both in the non-profit realm and for-profit technology development, and this is what we're going to spend a lot of our time working on: how to use these to your advantage as an infosec advocate. Other ways of trying to make a difference at the macro level are creating an office of infosec czar or a task force. Task forces often best involve teams from a lot of different disciplines, like finance or elsewhere in the tech world in an organization like dev, and also detractors. This is an important place to bring people who are not particularly prioritizing infosec or might not particularly believe in your mission here, because they're the ones who diversify our thinking and also give us a lot of information on how to promote infosec in an environment. And also, if you come up with solutions like new third-party apps or work that IT can do, protocols that we vet a lot of prospective apps and programs through, which is something I do a lot of, it's important to get the staff buy-in, because everything is going to be easier, and it's also going to be easier to track your performance and see if what you're doing is actually working.

On a micro level, there are a lot of things where, you know, a more technical view would probably be helpful here, but economizing code so that forensic investigation would not take as long, or so that forensic investigation would not be necessary in the first place; smaller, you know, this is something where more of a technical aspect would probably answer those questions. When it comes to third-party applications, or things where you might be called in to consult, we often try to figure out how these work with other parts of the system: can we confirm that they're interoperable, can we streamline that interoperability in any way to reduce any risk that data that travels through it might encounter? Scheduling user tests to make sure that users are able to navigate all of these issues (and we're getting into user experience a little bit later), as well as stress tests, which might be something that only you are responsible for even conceiving, let alone planning. And it also comes down to more of an infosec presence in decision-making meetings, beyond the conversations that you have specifically about information security with the professionals around you.

And as we mentioned, case studies and numbers: this is just the number one way of getting your message to people who are not information security professionals or technical professionals in a lot of ways. When it came to the task force that we just came off of, Election Systems and Software, which is a company that produces more than 90 percent of the voter tabulation technology used in the United States, actually denied the possibility that there could have been third-party access to their machines. Then, after an investigation, they provided a letter to a senator, Senator Wyden (it's also known as the Wyden letter), several years later, in which they admitted that pcAnywhere, which was a software system that had a critical security flaw, was installed on several machines. So this brought up a lot of different issues that infosec advocates had been knowledgeable about for years but were really never made priorities by the right people, one of which was the importance of user education and, you know, two-factor authentication. Well, multi-factor authentication is the subject of our next Track One talk here; I'm sure that is going to get a closer investigation. But just thinking about the weakness of third-party vendors, especially the weakness of third-party products when they're connected together without good governance, the smallest weakness thriving without that governance, the fact that ninety percent of voter tabulation technology was possibly upended by this weakness, and also the mystery, which is the real problem here: from a hacker perspective it's probably easy to overlook a lot of these faults, but the issue is that ES&S originally lied about it, and that investigation was almost impossible because that admission came years after the original suspicions. A lot of states had to create their own security commissions to investigate this at the taxpayer's expense. So if there had been more of a unified governance in investigating this technology, a lot of this response later would not have been necessary.

But we're trying to move on here a little bit more into medical technology, which is something that I try to use as an example for good information security governance, because, as I mentioned before, I've often found myself the only infosec advocate on a team or sometimes in an organization. So a few of the case studies that really resonate with the decision makers of healthcare are the ones that are also probably famous in the information security world.

Anthem is the granddaddy of hacks. It began as a phishing scam and culminated in a seven-week window of access for multiple hackers in 2014-2015 to access the names, healthcare ID numbers, and a whole lot of personal information for nearly 80 million customers, and resulted in hundreds of millions of dollars in punitive fines. A state actor was postulated in an investigation in 2018, which was confirmed in 2020. But this hack was so massive that it made the numbers do this: the spike you're looking at is the year of 2015. At the top left you're seeing individuals affected by healthcare data breaches, at the right you're seeing the size of average data breaches, and at the bottom you're seeing the number of records exposed in hacking/IT incidents. 2015, that spike, is almost entirely Anthem.

But of course you might be thinking these numbers aren't helping me sell the importance of increased infosec advocacy and care. Well, these numbers do, because what happened was the hacks didn't disappear, they just decentralized. Median data breach size is at an all-time high, or at least it was with the last complete year of record keeping, as well as the number of healthcare data breaches that affected more than 500 records, and also the overall number of hacking/IT incidents reported by healthcare networks and their third-party vendors. And if this isn't enough to motivate decision makers, the fines aren't going anywhere. Although they have dropped in some cases, the penalties that companies pay for violating HIPAA, the Health Insurance Portability and Accountability Act, which keeps health care providers accountable for what they do with these records and who they might expose them to, end up being paid just like Anthem, usually on a smaller scale.

A couple of other case studies that are related to this, that came up a lot in decision making about paying more attention to infosec, are AMCA, the American Medical Collection Agency, which as a third-party payment portal allowed an unauthorized user to gain access to Quest Diagnostics records and several other companies that used it as a third party. Same deal: hackers accessed names and personal information for up to 70 million customers, at least 26 million confirmed so far, and it had repercussions for everyone involved. The product was immediately disabled, which involved a loss of trust and business for a lot of those big vendors including Quest; AMCA operations were immediately suspended, and recently the whole company filed for bankruptcy. One of the big lessons from this particular hack was the importance of vetting third-party vendors, that this payment portal had a lot of security issues that fell through a pretty poor governance system in the company that developed it and the company that ordered it.

Next is SAIC, the Science Applications International Corporation. This is famous for being a sheer bonehead move of data loss: an unencrypted backup including almost 5 million records for patients at TRICARE, which is the US Army, Navy, and Marine Corps health insurance system, was stolen from a car while in transit. So this brings up a whole lot of issues. I've cited this so many times I've been accused of calling it the World War II of hacks, just because encryption, encryption, encryption is something that is often overlooked, especially in internal records, because there's some sort of buy-out from dealing with it. But this and cases like it show that, between internal problems that simply can't be predicted and also the sheer bonehead move of not encrypting vital data from beginning to end, this is something that executives have to look closer into.

And the roles of the infosec professional when it comes to these big emergencies, just to wrap up the When Chaos Reigns section here, is to understand the risk profiles that a private organization is undergoing. This, especially in medical care, is a highly diverse and changing set of scenarios, especially with IoT devices bringing up a whole lot of security concerns when they are brought into patients' rooms or interact with patients' other technologies; the legal and regulatory environment (HIPAA, for example, is something that we all operate in when we're dealing with medical records as any sort of professional), and that's something that infosec and IT professionals need to be highly aware of, the regulatory environment that they're working in, especially when it comes to medicine or politics; and also considering the human and technological resources involved. This is less of an issue for people who work in big organizations; as people who work in big organizations can tell you, it's more important to have the work done than necessarily keep it under budget. But smaller projects and organizations might try to nickel and dime out from security concerns that could cost them big later on, so it's important for infosec advocates to consider what they have to fight from beginning to end. And also, some of the easiest moves are the ones that are most effective: making lists of required data and unnecessary data, especially when you're holding your project or organization's ability to keep data safe in any kind of suspicion. It's important to eliminate unnecessary data from the chain wherever you can; that way people simply aren't responsible for it, systems simply aren't responsible for it. And then recommending work that can be done to execute your plans, creating guidelines for the organization or the team, or advocating for the user to consider. This is often more corrective than preventative. We often say in healthcare we love our patients but we don't trust them, so we often create protocols that simply edit out any possibility for the user to make themselves or the system vulnerable. And creating an incident response plan, because the next thing you'll have to do, probably, is respond to something.

So corrective action, which organizations are often calling resilient action, the ability to get over something bad that's happened: you're going to have to activate that plan. You might be the one to execute it, you might be the one to communicate it, you might be part of the team that runs it, but it's important to get it started as soon as possible. And also, leadership will want to know what contributed to the attack, and it's important in a lot of ways to know what sort of executives you are dealing with at this point, because do you need to use plain language, do you need to use technical language, what's the likelihood that you're going to get the decision that's going to help you as an infosec professional make the calls that protect the data or respond to the loss of data? And also be immediately ready to advise future preventative measures, because the only real time the big organizations get anything done worth doing is when they absolutely have to. So this big emergency may also prove to be an opportunity in the classic sense of the word.

And now a little bit that might seem pretty obvious to people who've worked in any sort of corporate or creative environment, but where there is no help. We're going to go through a lot of the roles that you may communicate with when the person that you generally communicate with, who's often a project manager of some kind, is missing, distracted, incompetent, lost in a war zone, unavailable, been fired, etc. So instead of CPR we've got ICR, that's identify, communicate, resolve, partially because you have to identify who you need information from or who you need to give information to when the person who's generally going to do that sort of thing isn't there; you need to communicate it, get it back and forth; and then you need to make sure that whatever you just did resolved the problem, because that's often also the job of who's missing in that situation.

So when it comes to medical technology development, here's a brief outline of the creative or technical staff that are often involved, and at the top we're going to go through a lot of these roles: information architects, user experience researchers and designers, user interface designers, and then content, all often reporting to some sort of project manager, who may pass on products or information to an account manager and then eventually the executives, who are ultimately responsible for the organization's work. Information security is kind of nebulous here, because you don't really think of that as part of an agency setting, especially when you're producing communication and not necessarily technology, but it's always important when you're working with any sort of system that'll later handle records or collect data transmitted in any way, and at this point in most health care settings that's pretty much all technology.

So, going through these roles just to figure out what they might need from information security or technology in general. The UX staff: these are the people who create a lot of these products from the ground up. They analyze the need, they often reverse engineer results off of competitive analysis, looking at other developments that were similar or equivalent at some earlier point, and then try to provide some sort of framework on the client's or the user's needs. This is usually a briefing for the UX designer. If they need to talk to information technology or information security, they often want to know what they can do, and this is also what you want them to know: they often make the decisions that help prevent unnecessary data or unnecessary interactions from occurring in the first place. And this is also in line with user interface, which is our next move here. Briefly talking about designers: they're the ones who translate a lot of the research into concrete plans, and they're the ones who either create or have to communicate the specifications. So this often relates to the ability to interoperate third-party information security apps or technology; they're the ones who are going to need to know how that might affect their project or other parts of it they're juggling.

Moving on to user interface: HDI issues is the number one thing that any IT people need to know about UI, is that they're the ones who are going to try to resolve all the user trust issues. They're the ones who are going to try to resolve the need for IoT devices or how they operate with data gathering mechanisms or systems. So this is also a big part where information security can give and get a lot of advice on how to work best in the organization, because although a lot of what they create is then later moderated by UX and PM or also other design elements, they're often also the ones who can best communicate how to prevent unnecessary data from entering the system or prevent any sort of loss mechanism which doesn't have to exist in the first place.

Information architects, or the librarians: I was often an information architect, and making data logical, as it refers to infosec, is more of an issue of preventing those unnecessary interactions or preventing any sort of unnecessary search by giving people what they want as fast as they need it. And content producers: this is less of an interaction with especially infosec, but with IT in general. If they need anything or if they need to give anything, it's regarding specifications of a project or a product.

And then we get to PMs, and we're wrapping up here. Talking about keeping all the team members working towards their goals: they're often the coordinators of all of this work. When it comes to dev, tech, infosec, they're often reacting to a project within the organization through the PM. The PM is also responsible for the deadlines and specifications, so when it comes to PMs talking about dev, infosec, all that in general, they often just want to be able to give the specs and get back what they need to contribute to the product or secure the product. So what to consider when you're working with PMs is sticking to the brief. A project brief, for especially medical devices, is the bible; it's a starting point, but it's always the thing that defines what you're able to accomplish. So if the brief has any sort of language about securing medical data or considering medical data security, that is often the basis for your work on a project. Then, even if you are not officially part of a project plan, it often helps to know the context: what's the project, what's the product supposed to do, what's the technology that it interacts with, what's on the back end, do all the parts of an app, especially if it is related to a medical device or data collection unit, how do they work together, and what are all the specifications that are related?

And then finally, as we finally run out of time, how executives often see a project or a product. Well, they're usually responsible for mitigating risk, ultimately, and that is what we've been talking about a lot this morning so far, assessing and mitigating risk. So the result of their work has to be the reputation of the company, which is often what drives future business, so they need to consider information security as an investment, as well as a marathon, not a sprint. So it's often an infosec advocate's job to express how things can be saved or projected into the future in a way that helps them do their job now. So what can be expressed in numbers? When it comes to options for third-party vendors that are verified, what are the options when it comes to doing that work internally to keep a sort of chain of evidence over any sort of systems that deal with personal data, how do you reduce these risks, and how much protection will it buy to invest in them? And also, going back to the macro perspective, you know, how do you get buy-in for a good information security culture, who are the most likely advocates to join you in positions of power who can really make a difference for an organization and multiple projects, and then how do you prioritize these potential and real threats, which is also something that Spam brought up in the keynote: threat assessment has to be one of the number one things, one of the, you know, real products that infosec advocates bring to the system. Consultation is often less of a product in itself, but those sorts of protocols, that sort of ability to assess a threat and then allow others, including yourself, to prepare for it, is the number one thing that you can bring, and also the number one thing you can recommend you bring in the future to these environments that are producing new products and projects.

And with that, I guess I timed it almost perfectly, although I will now go back on Discord to answer any questions or help with any references. If you're interested in more of these case studies or any specific examples of communication, you are also welcome to email me. I'm also happy to provide the references that are directly referred to in what we've been talking about today. All right, so thank you very much, and please enjoy the rest of BSides.