ISMG Editors: Is SASE Living Up to the Hype in 2024?
Also: Apple Wi-Fi Vulnerabilities; Cyberattack on Ascension Hospital
Anna Delaney (annamadeline) • May 31, 2024
In the latest weekly update, Information Security Media Group editors discussed the current state of Secure Access Service Edge solutions in 2024, vulnerabilities in Apple's Wi-Fi-based positioning system, and the patient safety questions arising after a cyberattack hit a U.S. hospital.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor of DataBreachToday and Europe; Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity; and Tom Field, senior vice president, editorial - discussed:
- The state of SASE technology nearly five years after Gartner first introduced the concept;
- Why a labor union representing nurses and medical professionals at an Ascension hospital in Michigan is asking for better patient safety measures after a cyberattack left electronic health records and clinical systems offline;
- A warning from researchers that Apple's Wi-Fi-based positioning system can be exploited to track device owners globally - posing significant privacy and safety risks, especially in conflict zones.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the May 17 edition on why synthetic ID fraud is on the rise and the May 24 edition on UnitedHealth Group's HIPAA breach fallout.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney. And this week we'll be discussing the current state of SASE in 2024, vulnerabilities in Apple's WiFi-based positioning system, and the impact of a cyberattack on a U.S. hospital's patients' safety measures. The merry team today includes Tom Field, senior vice president of editorial; Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity; and Mathew Schwartz, executive editor of DataBreachToday in Europe. Wonderful to see you all. Tom, it's been nearly five years since Gartner first introduced the concept of secure access service edge or SASE. And I know that recently you hosted an event, which examined the state of SASE in 2024. What did you learn?
Tom Field: I did host an event just outside of Seattle last week and have hosted some webinars on this topic, as well as some interviews. So SASE isn't AI. It isn't the hot topic everyone's talking about, but it's not going away. It starts with the notion that it has been almost five years now since Gartner analysts came out and coined the term SASE. And components of that include software-defined networking, secure web gateways, CASB, firewall as a service and zero trust network access. Essentially, it's AppSec meets network security. And initially, it was just okay - here's another acronym we're going to deal with in cybersecurity. We even had these conversations within our editorial team. But then along came COVID, another acronym, and that changed everything, because all of a sudden, what had been a topic, like zero trust, at RSA Conference, became a pretty active pursuit as organizations realized that they had more of an urgent imperative to secure the edge than they ever had before. And so initially, for a lot of them, SD-WAN was an entry point, or their zero trust journeys, because all of a sudden, during COVID, zero trust got the credibility and the urgency that it enjoys today. But the challenge was how do you put the pieces together? It wasn't like there was a SASE platform out there. You had to put together a best of breed system and the components of it, which is what Gartner recommended at the time. So there was no platform; it was best of breed. But things have changed, and even Gartner has come around to changing its recommendations and urging customers to consolidate their vendors now when it comes to SASE. Also there are platforms in the marketplace. And this is the topic we've been discussing. Cisco has one certainly, as well as Fortinet and Palo Alto Networks. They're coming on and trying to have these conversations. A lot of organizations that embarked on the SASE journey four years ago didn't have the best of experiences.
And so they're coming back and taking a fresh look at that now, but they've got a bad taste in their mouths from it. And so when we go into these discussions about the state of SASE and where it's headed, we are talking a lot with security leaders about the lessons they've learned. We're talking about how the attack surface is far more active now on the edge than it was four years ago. The needs to secure that edge are greater than ever, and they are not going to go away, just given the way we live, work and conduct business these days. And the platform conversation is more relevant now than ever. I think, Mat, you had this discussion with some of our guests at RSA Conference. And I went into it with the whole notion that great platforms is what the vendors want. So they're pushing the narrative. Because I've received a lot of pushbacks in the past from security leaders saying we want to consolidate our vendors. But when you come to these platforms, they might be Grade A, 7 out of 10, but they're B or C at the other three components. And how do I go to my CEO and say, we're going to be a B or C here? Now, security leaders are coming around telling there is a real need to consolidate their vendors. And maybe they don't have to be A+ in every area. So they're entertaining these conversations a lot more readily than they were before. Hence, the conversation about going to a platform was SASE. So my point is it's a lively conversation. Again, it's not the AI conversation you are hearing. But this is happening a bit below the surface. And there's a lot of relevance here and it was fun for me to be able to participate in an event with Fortinet exactly on the topic of SASE At 5. What's the state now? Where is this headed? Great conversation and happy to share a bit of that here.
Delaney: Yeah! Sounds like it was and where is it all going then? Any trends or predictions that you'd like to share?
Field: It's certainly not going away. I think that a lot of organizations are understanding that as they focus on zero trust network access - the SASE platform is something that's compelling for them. And the platform is something I think we're going to be talking about for the next 6 to 12 months. I came away from the RSA Conference impressed. This is not just a vendor conversation; this is something that the enterprises are talking about. And there are some solutions out there that always kick the tires on.
Schwartz: Yeah, and what we're hearing more and more, especially at RSA, was, like you said Tom, it used to be that if you weren't with a platform - we're talking 10-20 years easily now - you might get a couple of As, a couple of Bs and then some Cs or Ds in terms of your functionality. And what analysts are saying is, you've got a sweep of As now and the things that were C or D are maybe a lot closer to B. And all of a sudden, it's not such a stark contrast between what can we afford to not be great at. And I think this might be partially powered by AI and expectations around AI. But also a lot of savvy investments by some of the big players.
Field: If Michael Novinson was here, he would educate us for sure. You're right. It's been a part of the market consolidation and savvy acquisitions.
Delaney: And so did you learn anything from attendees in terms of when it came to networking? Did they share anything with you?
Field: The news is their readiness to kick the tires on these platforms. That readiness wasn't there even two years ago when I had these conversations but it is now.
Delaney: Great stuff. Thank you for sharing Tom. Marianne, a labor union, representing nurses and medical professionals at an Ascension Hospital in Michigan, is petitioning for patient safety measures after a cyberattack left electronic health records and clinical systems offline. So what can you share with us?
Marianne McGee: Sure. Ascension is indeed dealing with IT outages that resulted from the May 8 cyberattack, and their electronic health records and various other clinical care systems are still offline at many of the 140 hospitals and other healthcare facilities that the organization operates in 18 states and in the District of Columbia. It is very frustrating for nurses, doctors and other clinicians when they can't access patients' electronic health records. But it's also a patient safety concern because decisions about treatments and medications and other important patient care considerations have to be made without the current and complete information that is usually easily accessible through EHRs and other electronic clinical systems. So, the Local 40 of the Office and Professional Employees International Union, which represents nurses, radiological technicians and other medical professionals who work at Ascension Providence Rochester Hospital in Michigan, is trying to pressure Ascension into making the workarounds that clinicians are using safer for patients. The union sent a petition to the hospital demanding a list of moves it wants the hospital to make to help protect patients. And that includes unit shift huddles to ensure effective communication, coordination and information sharing among healthcare professionals regarding patient care, safety protocols and other emerging issues that pop up, especially during handoffs at the end of shifts. They want training sessions for all clinical staff on how to navigate the array of challenges in providing care without access to EHRs. They want weekly progress reports from Ascension's leadership to update staff on the status of restoration of EHRs. They want to set a maximum ratio of four patients per nurse until the IT outage is fully resolved, and they temporarily want the hospital to reduce elective surgeries and nonemergency admissions to alleviate the strain on resources and clinical staff.
Ascension as of now did not specifically respond to our requests for comment on the petition or the union's demands. But it says it's working very much around the clock to restore IT functionality across all regions as soon as possible. Now, some of the patient safety experts that I've spoken to say that the union's demands are actually important measures that all healthcare sector entities should keep in mind in case they are hit with the sort of cyber disruption that Ascension - and so many other hospitals - have been faced with in recent months and years. That includes preparing clinical staff in advance with so-called cyber drills and how to care for patients when information is not electronically available, and the kinds of workarounds and patient safeguards that should be familiar to them in case of a prolonged outage. Now, one of the challenges is that many of the younger clinicians today in the workforce have never worked without the help of digitized patient records. And they may not be familiar with proper paper processes. Also, nurses and doctors caring for patients without the help of EHRs and other clinical IT systems are going to require more time for each patient encounter because they have to manually look up and document all this information. And that indeed means that nurses will likely be unable to care for the same number of patients during a shift as they usually do. So, the union wants the nurse-to-patient ratios to be adjusted. But all of these issues present big challenges for hospitals on top of the immediate cyberattack and breach response that they're faced with. For instance, nursing shortages make it potentially unrealistic to assign fewer patients per nurse.
And the suggestion for hospitals to reduce the number of elective surgeries or nonemergency admissions during IT outages could also translate into potential cashflow problems down the line for many of these cash-strapped healthcare organizations if they suffer a prolonged IT disruption. So if anything, this petition is a reminder that in the aftermath of a cyberattack and in preparation for such an attack, there is a growing list of concerns that healthcare entities and their frontline patient caregivers need to consider.
Delaney: Interesting move on behalf of the union. Have you reported on anything similar in the past?
McGee: There have been incidents where, especially with a larger change, a couple years ago, it was CommonSpirit that had a prolonged IT outage. There's even been individual hospitals that have had outages, where either nurses or the clinical staff or sometimes a patient files a lawsuit. In addition to the inability to access patient records, there are some cases where medical monitoring equipment is not functioning properly. It could be imaging machines, or in some cases, there's been incidents where cancer care centers can't deliver their treatments to patients, and you have to be diverted somewhere else. So, yeah, this is a common issue. I was trying to find out when I was reporting on this story, if there's been other cases where unions have actually confronted leadership about their concerns and I have a feeling that there probably have been, but I haven't come across that. But the nurses and the doctors don't want to make mistakes that might harm patients because then their professional careers are on the line as well. So it's a lot to think about for the hospitals themselves and the people who care for patients.
Delaney: Sure. If an event has to happen again Marianne, from your perspective, how prepared is the staff to handle such situations in the future?
McGee: When I was doing the reporting on this piece yesterday, I was talking to some patient safety experts. And one of them was Josh Corman, who was also an advisor to CISA during COVID. And he says that organizations often have sort of like incident response or preparedness kind of drills, but the hospitals need to have focused cyber drills that are not just led by the IT or security team. They should be led by the clinical people who can deal with actual hands-on sort of workarounds that they're going to be faced with. And it could even go beyond their own organization, because you could be in a big city like Boston, there could be a major hospital facing an attack and they took their systems down. But then all those other hospitals in the area have to jump into action to care for patients that are being diverted. Like the example I gave before about cancer patients that are getting their treatments at a hospital that has been attacked. All of a sudden, the patients of this hospital may need to be moved temporarily to get their treatment somewhere else. So there's always the influx of patients that these other hospitals then have to pick up the slack on. So it affects everybody in a community when a hospital is attacked or any doctor office for that matter.
Delaney: Thank you Marianne. Great stuff. Great overview. Thank you. Mat! This week, our colleague Akshaya Asokan has written that researchers warned that Apple's WiFi-based positioning system can be exploited to track device owners globally, posing significant privacy and safety risks, especially in conflict zones. Can you tell us about it?
Schwartz: Definitely. This is an interesting story that comes out of some research conducted by a couple of University of Maryland researchers. And what I love about this is it takes a system that's widely used and shows how it can be used for unintended purposes. In this case, the system is Apple's WiFi-based positioning system - WPS. And this doesn't just involve Apple devices. But this is a system also offered by some other organizations like Google and others. And this positioning system is very useful. Because if you're carrying a mobile device, for example, and you want to know where you are, you could use GPS - the global positioning system. But this uses a ton of battery power, relatively speaking. And so you have these WPSs that had been developed, which give you an alternate way of figuring out where you are. The way they do that is by looking at what's around you. So we have these massive maps, or I should say Apple and Google have created these massive maps of access points that devices see when they're on the move. So if you think about what you can see at the office, in terms of WiFi connections, things that you might connect WiFi to, even if they're locked or you are not able to, or if you think about what you see when you're at home, this is a fingerprint that turns out to be pretty unique. And so from an engineering standpoint, this is brilliant. They have a catalogue of all of these, or many of these hotspots, as well as their signal strength. So that when you query or your device queries this system and says, I don't know where in the world I am but here's what I can see, and here's how powerful each one is, i.e., how far away it probably is from me. They can say, we know where you are. And they can push additional data, so that if you're walking down the street, for example, it'll be able - if it's feeding you map directions - to keep pace with where you probably are along that route. So great stuff.
Unfortunately, with Apple's system, it turns out that you can enumerate all of these different pieces of stored information. So all of these devices have what's called a basic service set identifier - or a BSSID. And this is like a MAC address. So anything that connects via Bluetooth or WiFi or Ethernet typically gets a media access control address. This is meant to be unique. But on a network, say inside the enterprise, you can look at the MAC address. And if you've cataloged it in advance, you know exactly what that is. That is a travel router, for example, travel modem, or that is a Windows laptop that's been assigned to Anna. So you have some degree of assurance about what it is that you're seeing. Similarly, these devices have a BSSID and they're being cataloged by Apple's WPS. They're typically unique, not always, in terms of the assigned number, because some of the cheaper gear reuses things in ways it shouldn't. Long story short, the ability for researchers to go in and basically pull all of this information out of Apple's system is concerning. And the researchers have a proof-of-concept attack where over the course of a year, they were able to recover a billion of these BSSIDs and their locations. Now, this is a challenge because if you had an unfriendly government, intelligence agency for example, in possession of this data, they could use this to track people on the move, for example, if they have a travel modem or if they're using Starlink. This now poses a mass surveillance problem, especially in a war zone, because this could be used to track people using Starlink based on how and where the devices are connecting, because Apple's WPS is keeping track of where those devices are when they're on the move. And so you could get near real-time live information about where that device is, because other devices are seeing that device and reporting its position. So here you have a very useful system, which could be subverted.
Now Google and some others have gotten around this via some innovative tricks. Google charges people who want to use its API lookup for this - it charges very little, unless you start to use it a lot, where it becomes cost prohibitive. So that's one way. Another way is you can rate limit when people are asking for this information. You can give them maybe 10 or 100 addresses, but only every 10 or 15 minutes. And if it looks like there's some abusive patterns happening, you block it. So the researchers have flagged Apple, flagged Google, although that's less of a problem for Google, and also flagged one of the big travel modem manufacturers whose devices have this problem, as well as Starlink. And Starlink has responded by saying what it's going to do is it's going to randomize the BSSIDs. So even if it's on the move, you won't be able to track the device because it won't have a continuous BSSID. Unfortunately, GL.iNet, which is a Hong Kong manufacturer, said that it's not planning to do anything like that. So if you have a travel modem and it's made by them, you are very much at risk of being tracked.
Delaney: Fascinating and quite concerning as you say. What about the broader tech community? How has it responded to these findings?
Schwartz: I think this is not unexpected. You have these functionalities that often get built with an engineering mindset as in what we can do. And then you have security researchers coming along later to find out what maybe you shouldn't have done or what you maybe should have better secured. So we've already seen some updates from Apple. They're cagey with what they're doing when and why. But they have told people that they can add a little underscore no map to the name of any access point. And Apple will not map it. That's a feature Google has offered since 2016, which makes you wonder why Apple is so late to the show here. But I think Apple will definitely be doing some other things to make it more difficult for a system to be abused. So as with all things - security and research - we lauded these sorts of things when they happened, and thankfully, there's been a positive reception to these findings.
Delaney: For sure, we're very grateful for researchers who do all of this work. Thank you, Mat. And finally, and just for fun, if there are hackers' restaurants, what would be the signature dish?
McGee: Terabytes! You get samples of all different kinds of weird stuff, kind of like when they start posting little tidbits on the dark web. Corny!
Delaney: I love that - all sorts of weird stuff. Tom?
Field: There is a hacker cafe in Lisbon. I haven't seen their menu. But I will tell you this. If I were to put together a menu, I would take a dish from your native country. You know what it would be called - Fish and chips.
Delaney: I would eat that. That's great. Mat?
Schwartz: So I would have something called chaos cake. You would order a cake and it may or may not arrive, and if it did, you wouldn't know from which direction.
Delaney: Oh I love that. Bonkers flavors I'm sure. I'm going on the bite platter theme - all American style binary bites. Encryption rolls, cyber slaw, server chips, with a smoky hack source. Delicious.
Field: It's a sequel sauce there.
Delaney: Yes, that's great. Thank you everybody. That was a lot of fun and very informative. Educational as always.
Field: We'll do it again.
Delaney: Yes.
Schwartz: Thanks!
McGee: Thanks.
Delaney: Thanks so much for watching. Until next time.