ORLANDO, Fla. — Before the 2017 HIMSS Annual Conference and Exhibition kicked into high gear, the CHIME-HIMSS CIO Forum opened with a keynote address Sunday morning that reinforced just how terrifyingly easy it is to hack into seemingly sophisticated systems, using the right tools and brainpower.
Because managing the health of populations is becoming more reliant on data, protecting this growing repository of information from cyberattacks is becoming increasingly important — especially to a room full of CIOs.
However, according to the 2016 HIMSS Cybersecurity Survey, two-thirds of respondents experienced a recent significant security incident but admitted to only an average level of confidence in being prepared to defend against cyberattacks.
In that vein, during the keynote “The Art of Deception: How Hackers and Con Artists Manipulate You and What You Can do About it,” Kevin Mitnick carried out real-time hacking demonstrations, through the most common form of attack used today — “social engineering,” he says.
The technique involves a “con” tricking a human user into doing something, let’s say downloading a software attachment from what seems like a trusted source, then having the software feed information to the hacker to get further valuable information down the road.
The approach is relatively easy to use, cheaper and hard to trace, says Mitnick, who once earned a spot on the FBI’s most wanted list after hacking more than 40 corporations, but now serves as a security consultant to Fortune 500 companies and governments. “All it takes is one employee inside the business to screw up,” he says.
With four computers spread out over a table on stage, Mitnick breezed through more than five different data hacks. One hack, which he called his favorite, involves sending a barrage of pop-ups to a user requesting to update a simple program such as Adobe. The pop-up annoys the user into downloading the false upgrade. Mitnick’s overhead screens showed simple, but useful data flow onto his computer as the user (his other computer) installed the false upgrade.
In another demonstration, Mitnick borrowed an HID Access card, the kind commonly used to gain access to floors in buildings, from an audience member and used a small device to automatically hack into the card and gather all the information necessary to gain building access.
Even more terrifying was the larger version of the device, which he says can be stored in a backpack and can steal information within three feet of a similar badge. He handed both cards back to the gentleman, saying, “if you lose that one, here’s a backup just in case.”
As the session was nearing an end, and I wondered if he came to Orlando just to send chills down every CIO’s spine, the man billed as “the world’s most successful hacker” offered some advice.
Protect HIPAA and proprietary data and create a more sophisticated type of system that is difficult to hack, he says. The people looking to make money fast will not target you; they will go to another company with less security.
“You can take the steps necessary to make yourself a hard-target.”