The Cyber Queens Podcast

Roe v. Wade and HIPAA and Privacy Implications

Maril Vernon, Erika Eakins, and Nathalie Baker Season 1

**DISCLAIMER: All of our opinions are our own. They do not represent, nor are they affiliated with, the interests and beliefs of the companies we work for.**

***DISCLAIMER: This episode is not about our feels of the overturn or any political views.***

In this episode, we discuss the implications this overturn will have on data privacy and employees' personal data within the workplace. We will touch on the challenges with data privacy in State/Federal Government vs. Local Government. Throughout this episode, you will hear us mention several data breaches in private and public industries and why you should be concerned when a decision like this is made. Finally, you will be introduced to some acronyms/regulations that have been created to protect personal and private data.

Key Points

CIA Triad & State/Local Government Implications
The Lingo – PHI, HIPAA, The Privacy Rule
State & Federal Governments vs. Local Government
Top 10 Government Data Breaches

  • #10: State of Texas - 3.5 million affected (April 2011)
  • #9: South Carolina Department of Revenue - 3.6 million affected (October 2012)
  • #8: Tricare - 4.9 million affected (September 2011)
  • #7: Georgia Secretary of State Office - 6.2 million affected (November 2015)
  • #6: Office of the Texas Attorney General - 6.5 million affected (April 2012)
  • #5: Virginia Department of Health Professions - 8.3 million affected (May 2009)
  • #4: U.S. Office of Personnel Management (OPM) - 21.5 million affected (June 2015)
  • #3: U.S. Department of Veterans Affairs - 26.5 million affected (May 2006)
  • #2: National Archives & Records Administration (NARA) - 76 million affected (October 2009)
  • #1: U.S. Voter Database - 191 million affected (December 2015)

Get in Touch:

Calls to Action:

Newsletter Sign-Up: https://www.cyberqueenspodcast.com/


Maril:

Welcome back to The Cyber Queens Podcast.

We are your hosts:

Maril, Erika and Nathalie. I'm Maril, resident red team and offensive expert.

Erika:

I'm Erika Eakins your slightly technical sales baddie in cyber.

Nathalie:

I'm Nathalie Baker, blue team extraordinaire.

Maril:

Blue teamers, things I don't understand. No, I'm kidding, I understand the blue team. All right, today we are discussing the cyber security implications of overturning Roe v. Wade. Now we do have a small disclaimer. This is not going to be our feels on the overturn. This is not going to be our stance as women on how the state and the governments choose to regulate our bodies. This is strictly going to be addressing the cyber security and information security implications that decisions like this have on us, the daily people who utilize, own, and protect that data. With that in mind...

Nathalie:

I think that so many people completely overlook the entire privacy implications and all that when they're thinking Roe v. Wade. They're just thinking of, "I don't want my body regulated," but it's more than that. There's so much more than that. Who's securing this data?

Maril:

Before you guys brought up this topic to me, I was thinking, "what do you mean the implications?" I wasn't even cognizant, I wasn't even aware, and I work in this industry every day, y'all. Don't be scared. Everything is fine.

Erika:

There are breaches all the time. How much information do I have to divulge as an employee to my manager or to HR, to the company, for things that need to be done or not need to be done? There's a very fine line of where your data can go because obviously it's still going somewhere. We're having breaches all the time, but not only that, do I really have to give that information that I need to go out of state to get services to my direct boss and then have everybody know my life? We all know everybody talks in an office or in a company. So how am I gonna be sure that's not gonna leave over to the receptionist, the CEO? What do you do?

Maril:

I know, how many times do you get to use this benefit? Do you get to use it multiple times? Is it a one time only thing, or are people gonna be judging you on how many times you need to go out of state for medical services that aren't available in yours? What people don't realize is COVID had this effect too, when companies were very graciously giving people time off to go get vaccines or things like that. It's like, oh, I'm using my COVID half day, my COVID vaccine half day, and not my normal sick time. In today's privacy driven world, because everything today is privacy driven. Apple's really, really good at user privacy and letting users determine just how much of their data is given to the apps that reside on their mobile devices. In today's privacy driven world, when you say I'm sick, I'm calling out sick today, no one can even ask you why, no one can even ask you what's wrong, if you're hungover.

Erika:

Yes.

Maril:

If you have COVID, if you have strep, if your kid was in the ER, no one gets to know those details. You get to just say I'm calling out sick. I have sick time in the bank. I'm out today. Bye, done. So when it comes to things like COVID vaccine time off and out of state necessitated medical services, how are we navigating that as employees, managers, HR departments, and C level leadership?

Nathalie:

Yeah, because you have to remember the defense of security, it all comes down to the CIA triad. So it's confidentiality, integrity and availability. Data that is highly available, integrity, which is very important. It's really important to remember that. So when we're looking at the security aspects of it, that's what you have to think about, is how highly available is that data now going to be. Who has that data at their fingertips?

Maril:

If my personal health data is, we're only as strong as our weakest link, right? If my personal health data and whether or not I needed to have an abortion is protected by Cindy sitting in HR who doesn't even know what her operating system is, oh my God, I'm scared. That can have so many implications on so many other aspects of your life that you're not even aware of.

Erika:

Well, the other thing is, when I was at a previous company and the COVID vaccines, people had to give proof of their COVID vaccines. They had to upload it, email it to HR...

Nathalie:

I refused.

Erika:

They had to upload it in a non-secure link, or they'd have to attach it as an email and send it to HR. So that disaster could have been, that could have been a huge disaster, because I'm emailing an attachment or a picture of my personal health data, that by the way is not something that I have to give to my employer ever, but I'm now having to do that.

Nathalie:

Yep.

Erika:

Now coming to Roe v. Wade, I need to go outta state cause I live in a state where I cannot get those services. So now I have to go outta state. So I have to give doctors information, letters...

Maril:

Take time off

Nathalie:

Medical record numbers.

Erika:

Medical record numbers.

Nathalie:

Insurance information.

Erika:

It's impossible, it's gonna be very hard to protect that information from people that don't need to see it. People that are chilling in a company's network and they're trying to deal with their security problems as it is, not letting their data leave. How about a disgruntled employee? Do I have an HR person pissed off at the company leave, or even an IT person pissed off, and email my health records to everybody? That's extreme, but I've seen it happen on the sales side. I have seen it. It happened at Tesla, a disgruntled employee and he stole data.

Maril:

It's insider threat. Insider threat is really your number one threat. Your number one threat is the employees that you already gave token access to your system.

Erika:

Nobody's talking about how that's gonna be secured because they're just gonna say, oh we support you. That is great that companies support this. Awesome. Let's really think about that. My social security gets breached from Verizon, how are you gonna protect my health data?

Maril:

Yeah, and it goes... At my former organization, they rolled out a process for the COVID vaccination compliance, right? Because we supported the government. So the government hands down a mandate. A mandate is, by the way, when the federal government issues a law of compliance. A federal mandate saying anyone supporting the government needs to have this done, and HR sent out a notice saying there is a portal, and we all know how secure portals are. Yes.

To which you upload this thing, and your manager is not going to know if you've done it or not. So your immediate manager can't reprimand you, there will be no repercussions if you have or have not done it, they will not know. Well, except for in the case where you're not vaccinated, you're not compliant. So eventually they're gonna be notified a member of your team is not compliant to this federal mandate, which we as a company have to adhere to. So, where does your privacy really stop? You think you're cutting the managers out and giving me privacy. You're not really giving me any privacy at all. Also, if that's not being stored in my environment that I work on securing for a fricking living, where the hell is it going?

Nathalie:

We started to cover some of the lingo. PHI, Erika, you covered that one. HIPAA, if you hear us say that a lot, Health Insurance Portability and Accountability Act, it's also a federal law, and then the Privacy Rule. These are the three things that really rule around HIPAA and help ensure that your healthcare stays private. Then you have to think about, in the past 10 years there have been, we're just gonna cover the top 10 government data breaches, and these are just, you have to think about it. Number 10 being the state of Texas, they had 3.5 million people's data breached in April of 2011.

Maril:

Yes, that's a state government. Yep, that's state government. That's a government infrastructure. Yes.

Nathalie:

And there in Texas, that's the whole population too. They have more cows than people down there.

Maril:

The cows... none of the cows were affected in this breach of information security. No, it's true.

Nathalie:

You dunno, they all have numbers!

Erika:

Well, and they can't track it most of the time. We can't give you the exact numbers, but we know it's a percentage or it's this or it's that. How are you telling me that this is gonna apply? I'm supposed to feel safe about Roe v. Wade and my information going somewhere.

Nathalie:

That's exactly what we're about to get into, because that was notorious when I was in the military, and I know, Maril, you were in the military too. When I was in the military, three times in my eight years I was notified that my information may have potentially been breached. But they don't know, they don't know if it has or not.

Maril:

We dunno how bad the breach is.

Nathalie:

We're gonna give you a couple months of free credit monitoring service.

Maril:

Personal identity monitoring.

Nathalie:

I don't feel great about the services that you're requiring here.

Maril:

Yeah, so let me get this straight. Someone accessed my information, and in order to make that better, you sold my information to a third party you now trust to monitor my information?

Erika:

So they can monitor it.

Maril:

Do they have TLS set up? Do they have minimum amounts of encryption? I haven't seen their network, but you bring up another great point, Nathalie. One that I didn't even think of until just now, Tricare, Department of Veterans Affairs. What if... not only have these been breached.

Nathalie:

9 million people were affected.

Maril:

Not only have they been breached, not only have they been breached, but what about current service members?

Nathalie:

Oh yeah.

Maril:

And veterans...

Nathalie:

Breaches they don't know about...

Maril:

Who need these services, right? Because this has been obliterated. So, a lot of people don't understand about the overturn of Roe v. Wade, at its core, is that they're not technically making abortion illegal. What they are saying is at the federal level, as it goes in the constitution, the federal government cannot protect or eradicate abortion and abortion related services. It's gonna be up to each state, so they didn't make it illegal. They just said it's up to each state government to determine whether or not that's right for their constituents. Unfortunately, we live in a democracy, and in the democracy certain issues are too big to rule at the one for all level. They think it should be ruled at each state level. So, what about federal employees? What about employees who do not have private healthcare? Their healthcare is going to come from the government in the form of Tricare or in the form of veterans health. So, are they able to take advantage? Where would they go? Can they pick a state? Can they, is the government even gonna cover it? Because the government isn't really supporting this now, is that...

Nathalie:

Government is not going to, because even when I was in the military they would not cover an abortion. They would cover your pregnancy, that's a whole different conversation, but they would even cover one in the military.

Maril:

I know, so now we have how many millions of service members who, because of this, can't even trust that they have access to certain services, and if they did, that information is definitely not secure.

Erika:

It is not secure.

Nathalie:

Then you have Georgia Secretary of State, their office, 6.2 million people were affected in November of 2015. So, these are just, we're going through the top 10. Then it's the Office of the Texas Attorney General. Texas really needs to up their security quite a bit, apparently.

Maril:

Darn it, Texas. Isn't everything bigger and better there? Get on it.

Nathalie:

6.5 million people affected again, that's probably half of their population, in November of 2015. Then you have Virginia Department of Health Professions. Again, a healthcare organization, 8.3 million people were affected. The number four is the OPM, which is the U.S. Office of Personnel Management. I know people like postal service workers, they are usually going through this office, OPM, and they had, but service members also can go through OPM. So they had 21.5 million records breached in June of 2015.

Maril:

Yeah, I think the point is we're seeing a trend here.

Nathalie:

Top three though.

Maril:

Well we haven't touched the top three.

Nathalie:

We're already seeing the trend, then you have the Department of Veterans Affairs, 28.5 million, then the National Archives and Records Administration, which is what you filed your DD 214 with when you leave the service. And that's 76 million people affected, 76 million. The number one breach was the U.S. voter database. And that was 191 million people affected, which was even crazier.

Maril:

Yeah.

Erika:

Correct.

Nathalie:

These are just the breaches. Do you know how long it takes from the time you've been breached to normally figure it out, on average? It takes about six months to figure out you've even been breached.

Maril:

Pick me. No, it's not even six months. On average, from date of entry to date of discovery is about one year. Companies who are really, really, really on top of it are finding about... companies...

Erika:

Government is slower.

Maril:

Companies who spend the money on enterprise solutions to be able to know when breaches and anomalous activities are happening in their environment. The government, the government, very segregated, not even two bases' systems can very nicely talk to each other. If there is a breach happening on a military installation somewhere, we are not gonna know cuz it's just too segregated. It's almost like too many VLANs to be affected.

Nathalie:

It happened, we... They were on the Iraqi army side. So they were on our side, basically. They were our allies over there. We were training 10 or 12 of their pilots and 10 of them went missing overnight. 10 of them went missing overnight. They just went gridless. So, it's craziness.

Erika:

The government spends less money on cyber security and protecting their networks than private industry does. I've worked with...

Maril:

Way less.

Erika:

A ton of government, state, and local and education, because they don't have the budget. Now, you hear the current president, he's talking about all these cyber security regulations and rules that they have to, but they don't even follow that themselves sometimes because they don't have budget, and it's not to knock the government. I'm not saying there's anything wrong, and I'm not saying your data is not completely unsecure. What I'm saying is that security is not a top priority. That's why you see this list has tons of government agencies, because they just can't put the money towards it, like a private industry like Amazon or somebody like that.

Nathalie:

And those are just the state and federal governments. Local government's going to be prosecuting this. They're the ones that have the hardest time getting that funding, because it's local government, who not everybody pays local taxes to half the time. So, if they don't have those taxes paid, I mean, it is what it is, but they're the ones that are gonna be prosecuting it. And then your medical records are now becoming evidence against you.

Erika:

Well, not only that, the local government, it's usually a network guy, or lady, that's also the security.

Nathalie:

Oh, it always is. You know how many hats I've worn? When I was at a local government, a county government, I wore six different hats and was trying to tell them about their security. It's insane.

Erika:

Well, all I was saying is that the person that's in the local government, that's gonna be prosecuting, they're gonna be prosecuting on these things that are happening, but yet they don't even know what they're doing within their own network. Cuz like Nathalie said, she wore six hats. So you're doing network, you're doing security, you're doing help desk or IT service management. It's impossible for this data not to be stolen.

Maril:

Yeah, and that vulnerability goes back to something we in the cyber security industry call segregation of duties, and it's actually a control. So a control is a protection or a defense we can put on a vulnerability, right? So a security control is a thing we use to protect them. They can come in the form of technical, administrative, operational, preventative, things like that. So segregation of duties is an administrative control, right? We're saying, if it is your job to make this network work, it should not also be your job to secure this network, because those are two completely different full-time jobs, but Nathalie's right. Oftentimes it's gonna be one like sys admin, whose job not only is to keep the network up and running, but it also is to secure it. And security people are full-time jobs for a reason. This guy can't do... If he's doing both, right, he's doing both poorly. It brings up another question, because Nathalie used to be a paralegal and she knows these things. If they're gonna be using our medical records as evidence in prosecution of violation of these state level laws, where the heck do you get that information from? Is there no such thing as doctor patient confidentiality? I'm sorry, CIA triad confidentiality. What? Where is this information coming from and why are you entitled to it? Why are you entitled to use it against me? Are previous incidents gonna be grandfathered in, or if I've had one, could I walk into the state of Texas and be persecuted for it now, or prosecuted, not persecuted. It's not religious. Could I be prosecuted for it now? So it brings up a whole myriad of ethical questions that frankly cannot be answered and are currently being handled very poorly, is the bottom line.

Nathalie:

Then you have a jury too that's being told all this information and being shown this information. They can't have their cell phones on them in most courthouses in the United States, but the jury is being told this information, and it's your personal healthcare information, but you have the right to trial by jury.

Erika:

Again personal data going somewhere.

Nathalie:

Are being accessed, able to access this.

Maril:

And what about super small towns where everybody knows everybody? Oh, did you hear Mabel was on trial for an abortion? Now we know and we're gonna tell everybody. The privacy implications this is going to have on everyone, from state senators all the way down to your elementary school teachers. I don't think anyone really considered this butterfly effect. I don't think the lawmakers and the policy makers, I get that the thing was not by law, I guess, constitutional to have at the federal mandate level. You should have thought of the backing you were gonna create with regards to personal information and privacy issues when you removed it. I know it wasn't ideal, but it was already in place. Let's leave it there until we come up with all the supporting systems to support overturning this decision and turning it over to other people who are completely ill-equipped to handle it overnight, by the way, overnight, this was effective.

Nathalie:

Yeah.

Maril:

Information security, I'm concerned for myself.

Erika:

The same thing with the vaccination we've been talking about, that had to happen overnight. People are not ready for this, companies can't secure that, because you're gonna know who's not vaccinated and somebody's gonna tell somebody about that. Somebody else is gonna tell somebody about that, but let's not talk about Joe Blow or Jane Blow who's hacking into my network and now she knows everybody that's vaccinated, that's not vaccinated. You could lock down that data and ask for ransom, put ransomware in.

Maril:

You could lean on people, you extort people. Hey, yes, pay me this much money or I'm gonna tell your fricking employer that you're not vaccinated and you'll lose your job.

Nathalie:

Oh my gosh, when COVID happened people were posting photos of their vaccination cards online.

Maril:

Don't even get started, I literally know someone who had a vaccination, had a vaccination for real, left their card at home. We were in Hawaii for a conference where we had to have them on us, and like, that's okay, I'll just flip up a fake one real quick. They literally did it on their phone and then showed it and got in, and there is no checks and balance to this system at all.

Erika:

So bringing it back to Roe v. Wade, I'm a CIO, I'm a woman, I get knocked up, it's illegal in my state, I have to tell my boss, which is usually the CEO.

Maril:

The CEO.

Nathalie:

Owner.

Erika:

CEO, and then I have to tell HR, which there's men in HR as well. It's not just women, so you're not supposed to talk about people's privacy. But you know, CIO, everybody kind of hates her because she's a woman and they think she slept her way to the top, which is something we've talked about in other episodes. I'm gonna blackmail her and I'm gonna take all this information, or somebody from outside of the company, and I'm gonna extort her and get her fired. That's an extreme topic, but it also again talks about how the privacy of my health information, or a woman's health information, is being violated. I can't do anything about it, I can't tell the company to secure it. They can't even secure their stuff because they have so many other things, because data loss prevention, like we talked about in the past, it happens daily. How far is this going to go? Before people are just alienated, they don't wanna come outta their houses and they basically just shoot themselves in the head because everybody knew I had an abortion, I had to leave. I know that again, I'm being extreme, but...

Maril:

Well, we work in cyber security, right? We have to put on our paranoid hats at all times. It's never "this could be bad, but we'll just assume it's gonna be okay." For me, it is already that bad in my brain. I'm already at, this is not, this is DEFCON level one.

Nathalie:

From the defensive end of security, you have to think that way, you're already breached. If you're not...

Maril:

Already breached.

Nathalie:

We're already breached, it's already a problem. You're not thinking right.

Erika:

There's another thing, I'm in cyber security sales. I come in here, I wanna show you my product. Cool. You wanna test it? We get you set up on a proof of value, my company finds all this stuff. I go back to my contact and I say, "hey, look at all this stuff. Oh my God, so and so left the state for an abortion." I now know that, I'm under NDA, I now know that women are leaving this company to go outta state to freaking get abortions. My SE and everybody on my company side can see that, again, we can't share that information, but think. Nobody even thinks about this, they're testing new security products to improve the security posture. Everybody at my freaking company can see this, what the freak. Nobody is thinking about this and it enrages me, because I used to sell firewalls. I'd go in there and this is how I would close my deal. Put my firewall in there for two weeks, run some fricking test, come back with a report and say this is everything that we found, how we found it. Blah, blah, blah. Now these IT guys know that you're having an abortion. Boom.

Maril:

Yeah, it's absolutely a valid consideration.

Erika:

Because HR is always the one that is considered the least secure, and they don't handle security properly. So, now we're supposed to trust them with this data even more.

Nathalie:

Yeah, and I just do not think that our government, especially our local government entities, are capable of prosecuting. I don't think information is very secure in their hands. How are you encrypting data at rest and data in transit? What protocols are you using? Is there a standard to ensure that these breaches aren't happening? Do you have data loss prevention enabled? As a public citizen, I deserve to know that for every municipality that decides that they wanna prosecute. So, for every state that decides they wanna prosecute.

Maril:

Configured properly, yeah.

Nathalie:

Yeah because you can have encryption all you want.

Maril:

But encryption downgrade attacks. Oh, I don't have that encryption, but I have this. Do you also have this? Oh yeah, I've got that too. Great. Let's just communicate at this insecure level of encryption and not your fancy level of encryption, that suits me, the hacker, much better. Thank you very much. Additionally, going back to DLP, my old org. When people got annoyed with the fact that they couldn't email out social security numbers because it would get flagged and kicked back, all you had to do was type the word "secure" in the title and it would automatically encrypt the message.

Nathalie:

Yep.

Maril:

In transit.

Nathalie:

Yep.

Maril:

When they got annoyed with that! When they got annoyed with that! They would just start sending screenshots of social security numbers, you can't fingerprint a fricking PNG, and I'm like, oh, oh, for the loss of all that is offensive. Are you kidding me right now? Are you kidding me right now? So it doesn't matter, oftentimes, the enterprise level solutions we put in the environment to protect you and to protect us. People are gonna get around it every time, people cannot be trusted. Inherently, insider threat is admittedly a company's biggest problem.

Erika:

Yes.

Maril:

In the government, which is, by the way, the nation's biggest company. They are a company, they function like one. Even worse, they have very poor oversight, they have very poor identity and access management, they have very poor governing group policies. Which are some defense in depth measures that we out here in the private sector rely on very heavily, because what we call a flat plane of security is if the biggest, baddest thing you have is the firewall. Let's say you have a vault door on the front of your house. That's really thick and made of cement and bang and bad and beautiful, but the second you get past that door, if you happen to, everything is open game.

Nathalie:

Yep.

Maril:

That's called flat security, you don't have security in depth. Everything is accessible behind there. So, that is how the government largely functions. By the way, you have to keep in mind everything that the government uses is manufactured by the lowest bidder. I know for a fact they still run Windows XP in some of their environments. You know why?

Nathalie:

Oh yeah.

Maril:

Cause they have C components they can't afford to upgrade. They have to maintain that operating system in order to make that component be able to talk to the rest of the network. Those are two points of vulnerability right there.

Nathalie:

Government websites, you still have to use Internet Explorer to get the full functionality.

Maril:

Everybody do me a favor, do all your network browsing in Safari cuz they don't encrypt their cookies and it makes my job really easy. So we're not saying the government is running rampant, just leaving your data in an unsecured S3 somewhere. What we are saying is there are ways, and the hackers know the ways, and the more information we give them about us to store, the higher the risk likelihood of that information being breached.

Erika:

Don't forget about phishing emails. So a hacker could send an email, and you click on something, and there's your health data.

Maril:

You don't need to give away my secrets like that, okay? You don't need to know those things! No, it's absolutely true. I can man in the middle the everliving frick outta you and get access to your SSO credentials, and now I own all your stuff.

Erika:

Yeah.

Maril:

I don't even need that, I can download an unencrypted cookie and give myself a browsing session that mirrors your browsing session, now you're double screwed.

Nathalie:

Yep.

Erika:

Absolutely.

Maril:

Now you kick me out of one, I've got another one. We call that a back door.

Nathalie:

Yep, yeah.

Maril:

So the point is, this was a major to-do, obviously, socially for the entire country, but a lot of people didn't even consider the backend logistics that a decision like this would have on the average person.

Erika:

No.

Nathalie:

Nobody did.

Maril:

So we are here to educate you on the cybersecurity and privacy implications that decisions like this have on your data. Make sure that you know what your rights are. Make sure you know the avenues to protect your data. Make sure you advocate for and utilize your privacy rights, which are guaranteed to you by law in this country. Please stay safe when operating out there and giving away your PHI. Most importantly, seeking those services which might be crucial to your health. We love you.

Erika:

Rock on.

Maril:

Thanks so much for joining us for this episode. We'll see you next week.
