In this episode of Security Gets Serious, host Ben Carr sits down with Chaunda Dallas, MSIT, a Healthcare Cybersecurity Specialist dedicated to safeguarding patient data and driving innovation in healthcare and sports technology.

Ben leans into Chaunda’s more than twenty years of hands-on experience in healthcare, which began with her work as an emergency room nurse where she has seen firsthand the critical role of technology in patient care and the risks to patients presented by system downtime, which motivated her transition into the cybersecurity field.

As an educator and current Ph.D. student, Chaunda's expertise bridges the gap between healthcare and technology, and she actively mentors aspiring cybersecurity professionals through Women in Cybersecurity (WiCyS) as a Technical Mentor and is an active member and volunteer with BlackGirlsHack (BGH) and The Diana Initiative (TDI).

Chaunda contributed to several research projects on healthcare information technology and data protection during her master's degree studies, including Detection of Heart Disease Using Mobile Health Technology, The Use of Healthcare Information Technology in Ambulatory Surgical Centers, and The Adoption, Issues, and Challenges of Wearable Healthcare Technology for the Elderly.

Your Host, Ben Carr, Halcyon Chief security and Trust Officer: Carr is a Security & Risk Executive and recognized thought leader with more than 25 years of results driven experience in developing and executing security strategies. Carr has served in global leadership roles at advanced technology, high risk, and rapid growth companies such as Ericsson (Cradlepoint), Qualys, Aristocrat, Tenable, Visa and Nokia. Ben has served as a member of the Board of Directors for organizations such as IT-ISAC and NTXPKUA. He is an advisor for Noname Security and Syn Ventures and has previously served on Advisory boards for Living Security, TruStar, Mimecast, Qualys, and Accuvant.

In this edition of the Halcyon video/podcast series Last Month in Security, host Anthony M. Freed and panelists Ben Carr and Ryan Golden are joined by Chaunda Dallas, MSIT, who went from emergency room nurse to healthcare cybersecurity specialist on her journey to safeguard patients and their most sensitive data.

First off, we take a look at a Microsoft advisory regarding an affiliate attacker dubbed Vanilla Tempest Leveraging who was observed utilizing the JScript Gootloader malware to drop INC ransomware.

GootLoader is typically spread via SEO poisoning waterhole attacks by a threat actor tracked as Storm-0494, and Vanilla Tempest is assessed to be associated with Vice Society, which has not been very active recently. They have been observed dropping BlackCat, Quantum Locker, Zeppelin, and Rhysida payloads previously.

Then we dive into some post-event regulatory and legal actions which significantly benefit from hindsight, of course. It’s a much different perspective looking back at chain of events than when making decisions in real time pre-event or during an attack.
So, does that make these critical assessments just Monday morning armchair quarterbacking after the fact? Well, the SEC recently dismissed much of SolarWinds case for this very reason.

The SEC had claimed that SolarWinds' website over-stated their compliance with government standards in implementing strong password protections and following a secure software development protocol, insisting that internal conversations uncovered in the investigation suggested otherwise.

The judge in the case disagreed, stating the regulations in question were for financial controls, not security controls. Subsequently, most of the case against SolarWinds and their CISO were dismissed.

Three other cases (very different) from last month also call into question whether it is fair to deeply scrutinize security decisions well after the fact with all information post-event in hand.

Case one involved Enzo Biochem, a biotech company was ordered to pay $4.5 million to the attorneys general of New York, New Jersey, and Connecticut following a 2023 ransomware attack that compromised the data of over 2.4 million people.

Key failings included poor password management, lack of multi-factor authentication (MFA), and the failure to encrypt sensitive data on all systems. The attackers gained access using shared credentials, one of which hadn't been updated in a decade. Clearly there were egregious lapses in security here – not a best effort.

Case 2 involved attackers accessing Lehigh Valley Health Network (LVHN) and deploying ransomware after exfiltrating healthcare data. The brunt of the enforcement actions involved the attackers leaking sensitive images of breast cancer patients.

A class-action lawsuit, filed in March 2023, accused LVHN of failing to safeguard patient data, although there was no indication of poor security practices as we saw with Enzo Biochem, so for the sake of discussion we assumed that none had occurred.

As security pros, we know a determined attacker with enough resources will eventually succeed – so is any and every organization that handles sensitive data basically facing default judgements when they get popped?
Case 3 involved over 2.7 billion records being exfiltrated in an attack on a company called National Public Data, where the information eventually found its way to a hacking forum. The breach resulted in a class action lawsuit against National Public Data for failing to protect this sensitive information.

What is interesting about this case is the fact that the information that was compromised had been scraped from public sources by National Public Data, which aggregates and sells the data for background checks and other purposes.

In this episode of Security Gets Serious, host Ben Carr sits down with Richard Greenberg (CISSP), President of ISSA-LA, a well-known cybersecurity leader and evangelist, former CISO, advisor and speaker.

Ben and Richard dive into the buzz around how AI is being used to both enhance cybersecurity defenses and as a tool for cyber attackers, then they examine the potential for bias in AI models as it becomes more integrated into security systems.

They also look at what ethical concerns arise regarding bias in AI algorithms, and how organizations ensure their AI-driven security measures are fair, effective and unbiased.

Ben then asks Richard about his thoughts on to what extent is it ethical for organizations to monitor their employees' activities to ensure security, and what guardrails should be in place to protect employee privacy.

The of course we have to dig into some of the latest ransomware trends, and what steps can organizations take to protect themselves – like engaging with ethical hackers for penetration testing, and how organizations ensure that these practices are conducted responsibly and ethically.

Ben and Richard also delve into whether Zero Trust is really working or if it is just another security strategy that puts too much focus on a concept and not the execution, and cloud security challenges and how organizations can mitigate risks.

Lastly, they discuss the culture of security and learning from failure – namely how security failures can lead to significant improvements in an organization's security practices and why we need to do to a better job in fostering an environment where failures are seen as learning opportunities.
Richard brings over 30 years of management experience and has been a strategic and thought leader in IT and Information Security as a CISO, Director of Surveillance and Information Systems, Chief of Security Operations, Director of IT, and Project Manager for various companies and agencies in the private and public sectors.

Be sure to check out Richard’s spot on Will Ferrell’s Ron Burgundy Podcast – it's a riot.

Your Host, Ben Carr, Halcyon Chief security and Trust Officer: Carr is a Security & Risk Executive and recognized thought leader with more than 25 years of results driven experience in developing and executing security strategies. Carr has served in global leadership roles at advanced technology, high risk, and rapid growth companies such as Ericsson (Cradlepoint), Qualys, Aristocrat, Tenable, Visa and Nokia. Ben has served as a member of the Board of Directors for organizations such as IT-ISAC and NTXPKUA. He is an advisor for Noname Security and Syn Ventures and has previously served on Advisory boards for Living Security, TruStar, Mimecast, Qualys, and Accuvant.