We've got on my right, we've got Nellis the nerd, who will be doing most of the talk because his colleague Dave is kind of an introvert person who doesn't say much. But otherwise, here's Nellis, and he's an enthusiastic nerd who likes to share the things he's working at. And he's working at a computer emergency response team, or a CERT, especially focused on health, and that was inside it just before SHA 2017. So after five years we're really interested to see what Z-Cert exactly did so far. And Nellis, it's up to you to tell everyone.

Thank you, thank you everybody. So it's great to be here today, standing here. So five years ago I was a shuttle driver at SHA, and then I met some colleagues, future colleagues actually, one of which is here in the room today, and well, that escalated into this.

So who am I? I don't really like to talk about myself, but you know, it's important to introduce yourself a bit. So my human name is Nils Beekhuis; most people from the hacker community probably know me as Nellis the nerd. During my day job I'm a DevOps engineer at Z-Cert, and yeah, today I am... let's go back, look at the speaker notes, Nils. I'm also the team lead for the Hack the Health village, which is here on MCH. Sadly it's already third known day, so we don't have much left. We have Dave. Dave is our shining star of the village. And in my free time I'm a member of the hackerspace Bitlair in Amersfoort, where I like to make stuff out of cardboard, alpacas for instance.

So yeah, I'm here today to talk about Z-Cert. And why do you want to talk about Z-Cert? Because just like the MCH, we are a non-profit foundation, and I thought it was important that the community, which we have a close connection to, it's important to know who we are and what we do. So, but I do have a little bit of a warning: my presentation may contain memes. In fact, it does contain memes, because having fun is a big part of MCH, so you know, I decided to have a little fun with this presentation as well.

So what is Z-Cert? Some people here might know it,
other people can be like, what is it? Well, it's not butter, but it is the Dutch healthcare computer emergency response team. And in 2017, just before SHA 2017 actually, a group of organizations came together from the university hospitals, the general hospitals, mental health care institutions and also the Ministry of Health Care, because they saw a need for a cyber expertise center in cybersecurity for healthcare. And the reason is because a lot of medical devices these days have an internet connection or a network connection, and of course you have the medical device, the electronic patient dossiers. So cybersecurity is very important, because if one of those devices gets hacked and they can't do their job anymore, lives are at risk, people can die.

So Z-Cert was created, and we were created as a non-profit foundation, which is a very important distinction. We are also not part of the government. We are partly funded by the government, but mostly funded by our members, and our members are hospitals, mental health care institutions, youth health care. And our founders gave us a mission, and that mission was to achieve, to strengthen the digital security of the Dutch health care. And the way we achieve that is by scanning, but also by providing vulnerability information and to give advice on how to improve information security.

The comparison we like to make is that we're like the digital firefighters. So firefighters, you might see them in the street when they drive around with their big flashy red cars and their big blue sirens on top of it, but firefighters do much more, just like Z-Cert. We do a lot more. We also do a lot, I think mostly our work, in prevention, and so we talk about how do you not get into a cyber security incident. But if you do get in a cyber security incident, of course you can call us. Sadly we don't have a fire truck yet. It's one of my ambitions in life to sometimes have a fire truck for Z-Cert. It's on the
backlog, I'm working on it.

So yeah, just like I said, we exist now for five years, and I was thinking, six months ago when I submitted this talk, I was like, yeah, I'm going to MCH, I'm going to do stuff there, and I want to show off the awesome organization I work for. But the problem is, you know, what am I going to talk about? Because there are so many awesome talks here about many technical subjects. So I was thinking and I was thinking, and I submitted the proposal, and I had grand ambitions to talk about all these cool tools we created on the inside, you know, scanners and other vulnerability stuff. And then I thought, you know what, there are many more people who are better at this than me, so what should I talk about? And then I saw some inspiration on Twitter, and it talked about soft skills in cyber security, and that soft skills are, hard skills are nice to have, you know, it's good that you're proficient with Linux and know how to crack the latest Windows version, but soft skills are maybe a little bit more important, because that's what gets you in the end of the day. So then I decided, let's throw it around a little bit, let's talk about soft skills. And these are the lessons I learned in the last five years.

And the first lesson that I learned was it's important to know your members. So we have hospitals as members, but also mental health care institutions. They are both health care, but they are completely different, because in hospitals you have X-ray machines, you have MRI scanners, you also have infusion pumps. That's not so much the case in a mental health hospital. You will have, for instance, security systems to monitor the patients, you will have maybe wrist bands to keep track of the patients. So yeah, it's really important to know what your customer needs and what your customer has, to provide them with the right information, because there is a lot of information out there, and if you just flood them with information like
we did in the beginning, eventually they are like, you know, I don't know what to do with this, this is much information. So we are now working on providing them with the right information, by providing for instance information about the systems they have. I mean, most of the people probably use Windows, so you can take a guess at that, but sometimes there is a little bit more specialized equipment, medical equipment for instance, and we would like to provide them with the right information for that.

Another thing is build a community. And why build a community? Well, we might be the expertise center for cybersecurity in the healthcare, but we don't know everything. And that's why it's so great that we have 300 members, and we have a chat platform on which all the members can log in and ask questions to each other. And we encourage our customers to log into that platform as well, and if we don't know it, then they can ask the question there and somebody else might know it. And it's also nice to see the discussions, for instance about a newly disclosed vulnerability in a Windows or a medical device, and see the discussion about, hey, how are you going to tackle this, what are you going to do first, stuff like that. And that's a great thing about the community, because we also learn from that. We learn from our community talking about stuff, and we learn what we should do better next time.

And the last lesson I learned was to connect with others, not only with our members and fellow organizations, with healthcare ISACs, government institutions, but also with communities like these, communities like hackers who send us responsible disclosures about our member institutions. It's important to connect, because it's you guys, you find the vulnerabilities, you make healthcare safer, and that's why it's important to connect. And that's also the reason I wanted to come here, to build this village we made called Hack the Health. And with Hack the Health we wanted to come here
to show what we do, but also to connect with you guys, because like I said, you're an awesome community of individuals, and you are passionate about your subject, just like we are passionate about our subject. And, uh, yeah, that's pretty much it. Any questions?

That was fast.

Yes, it went a little bit faster than I expected.

You weren't nervous, were you?

Yes.

Oh, excellent. So let's come for some more questions. Come, please come to the microphones in the middle of the room and we'll look at it. Nothing? Okay, thank you. Yep.

All right, I have two questions. The first one is, I saw you guys posing Dave a lot with a lot of signs. Which sign was your favorite for posing him?

Oh, that's probably the first one. It's, uh, it said on him, this is what happens when you do an unresponsible disclosure. I think that sums it up.

Yeah, yeah. And the second question I had is, you mentioned being a DevOps engineer, and then you guys are, you know, a CERT team. How do those two things kind of work together? What is the actual day-to-day of a DevOps engineer on a CERT team?

So, uh, like I said, we have a few tools... hey, nice seeing you again.

Okay, if you have a question I can come to you with the mic.

Okay, so yeah, day-to-day stuff of a DevOps engineer. Well, I always say to people I have the best job in the world. I might not drive a Tesla, but I have the best job in the world. And the day-to-day stuff, I basically run the sysadmin team together with my colleagues. As a DevOps engineer I'm mostly for the Linux part of things. So we have a few homemade tools, we have a few new tools as well, like open gut, that we are trying to get, we are getting running right now, and I just make sure that everything keeps running and that, you know, in case the shit hits the fan, I'm there.

Looking good, looking good. Thank you. So, next question.

Yes. Have you ever had pushbacks for responsible disclosures, just from your members?

Yes.

And how did you deal with that?

Well, so when we do for the responsible disclosures, we're
basically the middle, the man-in-the-middle party. So we try to negotiate with the responsible disclosure, the one who does the responsible disclosure, and our members. Sometimes our members are very reluctant to do something, but then we will push them and be like, no, this is a real vulnerability, you need to stop, do stuff with this. Most of the time we will get there, and something, a lot of swag has been sent.

So you got quite a few good responses on that?

Yeah, yeah, most. In the beginning, we don't do this for every member, they have to specifically sign up for us to do it, but eventually, when we get it rolling, the responses are only positive, because they see the people who do the responsible disclosure are not bad people. They see, like, hey, they want to make us better, and I think that's, uh, that's pretty great.

The back microphone, please.

Hi there, thanks for the talk. My question is, how do you measure success? Do you measure success at all? Because in the beginning of your talk you said people could die if things go wrong. That could be a KPI, number of lives saved. It might be a bit hard, but my question is a bit broader. So how do you measure success, and how do you measure success if you do?

Um, I think the biggest measure of our success is how the members think of our services, if they think that our services are of value. I mean, we don't have insights on how many lives we have saved or how many ransomware incidents we have prevented. There's a, uh, yeah. So I think that's the biggest measurement of our success. Of course I have some hard KPI metrics that I don't know on the top of my head, but yeah.

All right, thank you. If you don't know them from the top of your head, they're probably not that relied on, the KPI, so I think that's good. Think about the results.

Yeah, keeping our members happy and safe, that's exactly, that's the most important thing we do.

The front mic, please.

Thank you, thank you for the talk. At first
it was very easy. Since there's some time left, I was just wondering, could you go to more details, maybe about an example case, or maybe something about the internal tools you were teasing all the time?

Oh yeah. So, um, a few of the internal tools. Uh, so we are a non-profit foundation, so, uh, money is, we don't have a very big pool of money, so we prefer to use open source tools, and one of the tools we use a lot is TheHive together with Cortex. But we also are exploring some new options, uh, for instance we're looking at the sireware, and we also, of course, we are nerds, we like to do technical stuff, so we have a lot of scripts we use here and there, um, a lot of bash scripts actually, Python also really nice. So yeah, that's most of the stuff we use.

Thank you. The back microphone, please.

Uh, yeah, question from the internet, from vision. Uh, perhaps, yeah, you already briefly touched on this, but perhaps, uh, yeah, it liked for some more depth to it: how did you get involved at Z-Cert?

Yeah, so, like I said at the beginning, I was a shuttle driver here at SHA 2017. That's why I met, uh, Jeroen and Jasper, who is sitting there in the audience. He's a great baker of pancakes, by the way. Sadly it's closing day.

Life skills, life skills.

Yeah. So, uh, yeah, I was a shuttle driver and I met him there, and I was just talking to him about Z-Cert, and he said, you know, this is a cool new team we are, uh, working with and starting with. So I applied there for my graduation internship, to research how to use TheHive for phishing email research. And well, it was a pretty successful graduation internship. I barely passed, but that was not because of the tool, that was because I'm a very bad writer. Uh, I'm a better talker, apparently. Um, so yeah, I, uh, I passed. I, uh, did my presentation on a Friday, they said I passed, and then Z-Cert said to me, you know, we really like your meals, and so do you like us? I said yes. So I graduated on a Friday and I started on a Monday working there. So yeah, and, uh, I think that's also, uh,
that's one of the lessons I tried to incorporate to the end. So this community and these angel shifts, they are not just for helping out the people, they could also provide something for you, maybe your next job, maybe a next opportunity for something else. So yeah.

That is the best. You're better than the heralds at asking for new angel shifts. Yeah, you're really good at that, thank you.

Yeah, thanks again for the talk. Um, one question, I'm not sure if you want to answer, or you can just stay silent if necessary. Um, how do you deal with requests from government or, um, organizations like secret services, uh, to halt your, um, probably zero days or other disclosures you get, uh, to use or abuse them for secret service purposes, uh, and not forward them immediately to your customers?

Well, fortunately we have never been in such a situation. We don't do active zero day research, so, uh, fortunately no, we have not been in that situation, uh, and I am not sure what we would do if we would be in such a situation. So yeah, I can't really, uh, can't really answer it.

I was wondering about how to start up or set up a CERT. Like, you have an incredible CERT, a computer machine something for the Zorg...

Could you get slightly closer to the mic, please?

Oh, you have an awesome CERT for the Zorg, in Dutch, or healthcare in English. Um, I was wondering, like in other organizations, or maybe even on smaller companies, how to set up an internal sort of, how to start, yeah, checking some more.

Well, there is actually a great course, uh, being developed by Ines, I believe. I'm looking at just for, what was the course called again? TRANSITS. TRANSITS one and TRANSITS two, that basically teaches you how to set up a CERT. It gives you all the procedures, the paperwork, uh, lists of who to call when it's in the middle of the night that you get hacked. Um, if you want to learn how to do that, I would recommend following one of those, uh, trainings.

Okay, thank you.

Hi Niels, I'm the other yester. Um, I've got a
question: how secure do you consider medical X-rays to be?

Again?

How secure would you consider medical X-rays?

Medical X-rays. Um, honestly, I don't know how to answer that question. I don't work with those devices, I don't do research into them, so I can't answer that, unfortunately. Uh, if you want to know that information, we have John from the Biohacking Village, who has a very strong opinion about that. So, uh, oh, that's one of the people I forgot to thank. We are here with Hack the Health, and we also got a lot of help from John from the Biohacking Village. Um, it was quite awesome. Uh, we were planning to organize this, we put it on the wiki, and I got an email from John saying, hey, you're doing this, want some help?

Yeah, he just mentioned that you don't know how much you've prevented, um, but are you, so to say, still at the front? Do you see the attacks, and if so, um, do you notice where they come from? Is there increase, decrease over the last few months? You know, anything insightful on that?

Um, I'm not sure about if there is an increase or decrease. We see a sort of a stable flow of attacks. So the biggest threat for healthcare is not government sponsored attacks, the biggest threat is actually ransomware. Government sponsored attacks are mostly there to gather information, not to break things. Ransomware is there to break things, and that will interrupt the day-to-day operation of the hospital. So that's one of the biggest things we're watching out for. Fortunately we do not have a big ransomware incident yet. This is not an invite, by the way. Um, so yeah, luckily, uh, we have not seen that yet.

And indeed, there is not a challenge. No, challenge not accepted, please. Niels, thank you so much for this wonderful talk on the situation. Ladies and gentlemen, thank you.