In this webinar, we review the lessons we learned from forensics investigations in 2019 and give forensic predictions for 2020 to help you strengthen your organization's defense.
This webinar was hosted on January 29th, 2020.
To view more recent content, visit https://www.securitymetrics.com/learn/
Alright, everyone. Welcome to our webinar this morning. This is 2020 Forensic Predictions and What Happened in 2019.
My name is Andrew Garrett, and I work in marketing here at SecurityMetrics.
And I'm pleased to announce our speakers today, David Ellis and Aaron Willis.
You can see their pictures here on your screen. Dave is our VP of Investigations here at SecurityMetrics, and he holds the credentials of GCIH, CISSP, QSA, and PFI.
We also have Aaron Willis joining us today. He is our senior forensic analyst, and he also is adjunct faculty at Utah Valley University.
He has a master's in digital forensics, and then also the credentials of CISSP, QSA, and PFI.
So as you can see, we have two very qualified, experienced individuals here with us today, and we're looking forward to hearing what they have to say.
Just a reminder, a question that we get asked quite often is if we will be sending out a recording of the presentation.
And the answer is yes.
So, please check your emails in the next couple of days. We will make sure that a copy of the recording gets sent to your email that you used to register today.
So let's go over our agenda before I pass the mic over to Dave and Aaron.
First of all, today we're gonna be talking about 2019, what we learned from data breaches and what we found in some of the forensic investigations.
We'll also be going over tips to avoid a data breach going forward this year in 2020.
And then to wrap things up, we'll also have some forensic predictions from Dave and Aaron, so stay tuned for those.
As a reminder, we will be having a Q&A at the end of the webinar for about the last ten minutes here today. So if you do have questions, feel free to chat those in using your GoToWebinar control panel.
And then at the end of the webinar, we will answer as many of those questions as we can. If we don't have time to answer your question, we will reach out to you on an individual basis to make sure you get that question answered.
Well, again, we're happy to have you all here with us today. It looks like we have a good crowd here with us. So at this time, I'll go ahead and pass things off to Dave and Aaron.
Good morning. This is Dave. This is Aaron.
And we're happy to have you with us today. And for our friends on the East Coast, good afternoon.
Little disclaimer before we start. Wanted to let you know that the things that we're going to discuss predominantly come from experiences that we had during this past year, 2019, the investigations that we conducted.
So statistics, findings, things like that should all be from 2019.
Some of the anecdotes, examples, other stories that we might get into may traverse a little bit into, you know, more past years.
But the majority of what we're gonna discuss is going to be extremely current.
So before we get deep into that data, we wanted to start with something a little bit on the lighter side. And you're going to want to pay attention to this because there are some spiffs available for this. We're gonna start with a couple of trivia questions for you, and we want you to chat in the answer as quickly as you can. And on this first one, let's see.
We have an OGIO backpack. I think we've got an OGIO windbreaker, a few other things along those lines. So over the course of our presentation today, you can have an opportunity to win, you know, one of three prizes. So the first one who chats in the answer on this next question gets an OGIO windbreaker, let's go with.
Alright?
There's not gonna be enough time to Google it.
Yeah. Yeah. With any luck, yeah. We're not gonna give you a lot of time. So who said the only truly secure computer is one buried in concrete with the power turned off and the network cable cut?
Looks like we have a winner, John Arikazo.
John Arikazo?
Oh, wow.
That was fast.
Alright. John Arikazo knew that it was Bill Gates in 1981.
Now, you know, you could consider this a method of preservation of evidence. Right?
Oh, yeah. Yeah. I look at that and I think, wait, a computer buried in some concrete?
Give me a jackhammer or a sledgehammer and a little bit of time, and I can get to that evidence.
That's right. You know, depending on how valuable the evidence is or how badly you need it, that would dictate to what extent you would go to be able to recover it. I actually have some hard drive platters sitting on a shelf that are twisted, mangled, have scratches, and we're pretty sure that we could actually go in, if we had enough money and time, and recover some, or find some recoverable data on them.
So with that, let's get into our next one. So this one is gonna be for, what do you want, Garrett? OGIO backpack?
Yeah. Let's do the backpack.
Okay. This one's a backpack.
And on this one, we're gonna ask a question. All we're looking for is the year that this event occurred.
When was the earliest documented wireless attack?
And then we'll talk about how it happened.
Okay. Anything coming in?
Still no correct answer.
No correct answers. I hear keyboards clicking furiously.
Do you have a correct answer from Geoff Gordon?
Geoff Gordon?
G-e-o-f-f.
Okay. Not the NASCAR. Not the NASCAR. Alright. Geoff, congratulations. Geoff knew that in 1903, the Marconi wireless telegraph was hacked.
It's kind of a cool scenario here. So Marconi and his colleague, who was a professor, oh, I've forgotten the guy's name. Anyway, they had set up a demonstration of the wireless telegraph. Now Marconi was in Cornwall, England, and three hundred miles away in London, his colleague was giving a dissertation on the telegraph. And at the end of his colleague's presentation, Marconi was going to send him a message in front of the audience, and everybody would be wowed and amazed that this Morse code message was gonna come through.
But unbeknownst to them, a kind of a competitor in the industry was nearby, and he had discovered the frequency that Marconi was gonna be sending his message on.
And so he, this guy's name was Neville Maskelyne. Neville, using the same frequency but at a higher amperage, overwhelmed Marconi's message, and Maskelyne's message came through, and it was actually a limerick that was telling the audience that Marconi was taking them for a ride, basically.
Maskelyne was essentially upset because he felt that the patent office, the government, had granted patents to Marconi that were too far reaching and would stifle Maskelyne's effort to make headway in that industry. So, anyway, congratulations to those that won those two. What we're gonna do for the third prize is, everyone who submits a question during today's webinar will be, you know, put into a fishbowl. We'll draw it out, and, you know, the winner will be notified.
One of our departments will get a hold of you and let you know that you won.
I think it's like a 2020 Corvette that we're giving away, the new mid-engine.
It might be a little less of a prize than that.
So, moving on. Hot Wheels edition. Yeah. The Hot Wheels.
So we'd like to start the webinar today with kind of where we left off last year, and that was, you know, we ended the webinar with some predictions of what we thought we might see in 2019. To set the stage for this, I'm gonna give you the exact quote that I gave last year because it's still relevant.
Morey Haber, CTO at BeyondTrust, once said there are three jobs in this world where you can be completely wrong all of the time and still not have to worry about being fired. One is being a parent, another is a weather person, and the last is a technology trends forecaster.
So we've got that going for us.
And remember, Bill Gates was right about computer security to an extent, you know, that he saw in the future that computers would remain vulnerable.
Now at the same time, later on in that same statement, he also said that no one would ever need more than 640K of RAM. So, alright.
So even Gates wasn't right all the time.
So the first one we talked about was large-scale social media hacks leading to massive personal data losses.
Facebook didn't let us down. 267 million Facebook users had their IDs, including phone numbers, exposed, but they didn't stop there. Earlier in the year, there were 540 million Facebook accounts exposed.
But not to be outdone, the month prior to that, there were 600 million Facebook accounts that had exposure of personal data.
It's important to note too here, David. These aren't cumulative. These are individual breaches.
Yeah. You know, when I first saw these, especially these last two, one occurred in March and the following in April, I thought the April one was actually a correction of the data they released in March, but, no, it was separate.
Let's see. Aaron, go ahead and take this.
Some of the things we saw were a number of social media sites leaking data.
A lot of that was personal in nature, things like usernames, passwords.
However, I wanted to spend just a little moment and talk about some of the biometric data.
These are things like, fingerprints, eye scans, facial recognition.
One organization lost a number of facial photos used for authentication purposes, fingerprints from 5,700 organizations from 83 different countries.
Overall, they lost biometric data for more than one million people.
Now one of the interesting things is, if you lose a username or a password, you can simply go and change that, right?
However, you know, if you lose your employees' fingerprints, they get a little grumpy when you tell them they need to blowtorch their fingerprints off in order to protect the company data.
And that becomes even a little more problematic if the biometric vector that they're using is facial recognition.
Because now you gotta go and tell them, oh, you know, hey. You look great, but we need to change your face now.
There was that case a while back where that government agent had their identity compromised and, to remain undercover, they did have to go do that complete identity makeover.
I think we've got a clip of that, don't we?
Yeah. I think so.
This is me.
Wow. Very impressive, 99.
You were truly hideous back then.
Some of us can actually probably benefit from a cosmetic makeover, but employees might not like that so much. Yeah.
Okay. So moving into our next prediction from last year, a cloud provider would be seriously breached. And in the one I chose for that, there was actually a couple, but Capital One Bank suffered a massive breach that exposed account data for more than 100 million customers.
And the way that this one came about was a former employee of Amazon Web Services was actually aware of the methodology that they would need to employ to be able to steal this account data without it triggering, you know, safety protocols within the Capital One organization. So it was definitely, you'd kinda have to consider it an insider attack, although the employee was no longer, or the suspect, Paige Thompson, was no longer an employee of Capital One.
Let's see. And as a result, you know, Capital One made all of the notifications, and then they reached back and then employed the S3 buckets. They enhanced them and employed them.
And one of the issues about that, Dave, though, is with all the focus on S3 buckets, that drew the attackers' attention as well.
And if you remember, they had an issue with S3 buckets where some of the settings, the access settings, were defaulted to public.
And we're still dealing with the blowback from that today where any subdirectories within that bucket may have a public access setting still enabled.
We've been seeing breaches, even some pretty large ones, where they came through that public access in those S3 buckets.
Yeah. I appreciate you adding that.
Yeah. The one reason that we wanted to kind of highlight this is there are merchants and individuals out there that feel like if you put your data into the cloud, then you don't have to worry about it anymore. But, you know, security in the cloud is every bit as important to stay on top of as the security of the devices that you have physical control over.
The next prediction we had was that foreign nation states would increase recruitment of corporate insiders to steal industry secrets. Now when I contacted friends within the government that are, you know, kind of in the know about this sort of thing, I received the proverbial "well, I can neither confirm nor deny" answer. But basically, they said, yeah. There's a lot of that going on.
And the only time that they can go public with it is when they make, you know, a high level arrest or something like that.
We also had the prediction that passwords are going to continue having issues.
We've seen this with the release of massive databases that contain billions of passwords.
Even here at SecurityMetrics, our ability to test and crack passwords in the last year has skyrocketed. We've got our own databases that have billions of passwords.
We also continue to see these being released out to the public.
There's that, was it a Scandinavian company that... Yeah.
It's, yeah. It was an individual in, I believe it was Sweden. He was kind of the first, you know, the early pioneer of this. He has a system online, and it's been a while since I've checked. His system may have been improved since then. But the last I saw is that he could crack any password, up to 20 characters, within, you know, a matter of a day or two. And so when I say any password, we're talking any possible combination of keyboard keystrokes.
Up to, like, 20 characters?
Up to a full 20 characters.
It's, you know, possible combinations.
Now what takes days today in the computer world turns into hours tomorrow, which turns into minutes, which turns into seconds and milliseconds and nanoseconds.
So, you know, when you have caches of known passwords out there, you know, you can go on the Internet and do a search right now. I came up with some very, very quickly where they go, okay, this 1.5 billion, you know, passwords is in a text file that, you know, we'll send to you for free.
And they might sound like, okay, it's gonna take a while to search through, you know, one and a half billion passwords, but the truth is it's in a text file. It takes a second, less than a second.
And hackers are taking full advantage of this as well.
We've seen an increase in the number of people getting those emails that say, hey, we've got your password. We caught you doing stuff you shouldn't be doing, please send us this amount of money, and a lot of times they actually send you a legitimate password.
And, you know, the goal is to scare people into thinking they actually found something when in reality they just went out to one of these massive password databases and associated your email with any password you may have used in the past. Hopefully, most of the time, those are passwords that you're no longer using if you're following a good password recycling program.
Okay. So what did we see in 2019? On a high level, we just threw out a few things that were commonalities.
One was understanding how computer breaches happened for years and years and years.
It was the attacker going after the low-hanging fruit. And so imagine a guy sitting in front of his computer at night, and he enters in a range of IP addresses and starts an IP scan. He goes to bed, wakes up in the morning, he's looking at his results, and he's looking for some things in particular. He's looking for certain ports like, you know, 5631, 5632, and he goes, oh, those are associated with remote access. And so now, against those, he's going to try to enter some default usernames, passwords, things like that, and try to break the remote access to get in. And it's not until he's actually inside the system does he realize where he is. Now he might have just, you know, broken into my grandmother's computer at home, and he has a wonderful array of, you know, grandchildren and cat photos.
Or he might, you know, discover, oh, I'm inside of a commercial industry, a business, and now he refocuses on trying to acquire credit card data, hospital information, you know, something along those lines. What we've seen though in the last year plus is that it isn't random anymore.
The attackers, most of the low-hanging fruit for them has been picked. EMV.
The implementation of EMV has kind of made that a little bit harder for them. And so now they are looking at targeting specific businesses where they identify a third party service provider who provides a payment application or something where, if you can get into there, that is a jumping off point for potentially hundreds of other businesses.
Yeah.
We've seen quite a bit of that, and maybe a different analogy rather than low-hanging fruit.
The attackers may have just moved to a different orchard.
Yep.
Now we've seen this with EMV, where EMV has been properly implemented, especially with technologies like P2PE that really protect that cardholder data pretty well and keep hackers from stealing it, you know, at the card-present locations.
With the implementation of EMV, it's moving the attackers over to see lower-hanging fruit in other areas such as... Yep.
Yep. E-commerce. Yep. And right before I get to that, I wanna give you one example though of a targeted attack.
And, you know, we had numerous of them, but, for example, there was a financial institution. It was an investment company, a VC company, that an attacker got in, hacked the company email server. And he was able to monitor communications from the CEO to the bank and, after watching what these communications between the CEO and the bank looked like, he engineered an email from him, but spoofed it as if it were coming from the CEO to the bank, to transfer a large sum of money. I think it was about $3.5 million to a bank in Mexico.
Well, to the receiving bank that was transferring the funds, it looked exactly like the normal protocol that the CEO followed. The one problem is they didn't have a mechanism to independently validate every requested financial transfer. And so the, you know, the bank here in the United States transferred the money out of the country, and this was all done without the CEO ever seeing any of these emails.
And you'll also see this type of an attack with title companies where people are transferring funds for the down payment of a house. And at the last minute, the title company receives an email supposedly from the buyer that says, oh, you know, these funds, or from the seller saying, oh, instead of sending the funds to the account I gave you before, send it to this one. And if that financial institution doesn't pick up the phone, make a phone call, get somebody that they, you know, on a phone number that they know and trust, then you've got the issue of, you know, hundreds of thousands, if not millions of dollars going to the, you know, the wrong party.
Yeah. When these attackers get in and specifically target these companies, they may be in for quite a long time. You know, they don't necessarily tip their hand and look for the lowest hanging fruit, so to speak. They're going after the big payouts where they can really take advantage of things like social engineering to really make off with a lot of valuable data or, you know, cash itself. Yep.
So as EMV technology has been implemented, that replaces the mag stripe with a computer chip that creates the one-time-use transaction code. Any data that an attacker might grab in a breach of an EMV-enabled device would be pretty limited at that point and insufficient to be able to reproduce a usable credit card that they can then go sell on the dark web.
As a result of that, we expected to see, and we did see, a large reduction in point-of-sale breaches at individual merchants.
With EMV making a hacker's life more difficult to capture usable credit card data from a card-present merchant, we knew that the attackers were going to work to become better at attacking e-commerce sites, and they have certainly done that.
Attackers discovered if they could alter a payment page, say, you know, not really to divert data, because when the data stops flowing as usual, you know, people are gonna notice. You know, if a merchant doesn't receive a payment for an order, they're gonna know something's up.
And, you know, they'll make sure that problem gets investigated, and that attacker's breach into that system has a very limited lifespan.
But rather, attackers will copy the data.
They might hold on to it, or they might put their code in a place that's very difficult to spot, where they can just skim a little bit of data. And the reason it's difficult to spot is typically that e-commerce sites use file integrity monitoring tools to alert if any critical files have been altered.
The problem with that, however, is the payment page or the database is a highly volatile, very dynamic environment. Scripts are being pulled in from various third parties, and a lot of things are constantly changing in a dynamic shopping cart checkout process, especially when, you know, analytics and advertising and marketing campaigns are all involved and all that data is trying to be put in place and mined for all the relevant information that applies.
File integrity monitoring just can't operate in that type of environment where so much is changing all the time.
So in the last year, we've seen 80 percent of the e-commerce breaches that we've investigated have been associated with changes to these payment pages where file integrity monitoring just hasn't been able to yield any valuable protection.
Now if I remember right, last year in this webinar, Dave, you gave the audience a tease about a tool that we were working on that monitored unauthorized changes to these dynamic pages in a way that ASV scans and other tools were not doing.
Right. Yeah. And that tool's been developed. We were actually granted a patent during 2019 on that tool, but I'll toss it back over to you.
Yeah. We'll take some more time later on and talk more about that. But, basically, it's a tool that monitors for these malicious scripts as the card number and the user's address information, all that cardholder data, is being put right into the payment form at the moment of checkout.
Okay. So, ransomware. Now last year, I reported that ransomware was on the decline. 2018 showed about 35 percent fewer ransomware attacks than the previous year, 2017. And so the trend was thought to be heading south. That would happen.
Well, as I mentioned, you know, as merchants did better with implementing solutions like P2PE, the attackers would go to all the work of getting into the system to try to get that data, and would find out the credit cards that they were after were no longer there. However, the attackers aren't just gonna walk away. They're going to try to monetize their efforts in any way they can. And a lot of ways they're doing that is they're returning to the ransomware stuff that they were doing in earlier years.
In the last year, ransomware attacks tripled to around $36,000 in losses per attack. That comes from KnowBe4.
Yeah. And the thing to be aware of on that one, when you hear a figure of, like, an average amount of money that is lost or paid, you know, the average ransom, like, in this case, $36,000.
This is my own personal opinion. I think it might be related to their experience in the cases that they looked at. I've seen others. There was a forensic provider on the East Coast, and their experience was that the average ransom being paid was much, much larger than that. But I think that's relative to the, you know, they were investigating cases where the victim was on a much larger scale, had, you know, deeper pockets, something like that.
There's actually a particular ransomware called REvil.
And the average ransom demand when that particular ransomware was deployed was $260,000.
Yeah. And I mean, if that hits a large organization, that can easily go up into the millions of dollars.
The interesting thing to know, it's being reported right now that successful ransomware attacks are actually happening every 11 seconds.
I mean, that's just phenomenal. Yeah.
That's globally, not just in the... Yeah.
Not just in the US, but globally.
Ransomware is estimated to have global damage costing organizations $11.5 billion in 2019 alone. That's US.
Yes. That's in the US. Yeah.
Globally, that is projected to grow into the trillions of dollars.
Yeah. By the end of 2021, which is just mind boggling. You know? You think that's more than countries are worth. Yeah. That's more than the GDP of many nations. Yep.
A new tactic that attackers are doing is not just encrypting the data.
Now they're actually going in and pulling confidential information, you know, customer databases, any HIPAA data that they can find, and they're holding that for ransom as well. So, you know, if you try to use the excuse, oh, no. We've got backups. We're just gonna ignore these guys and restore from backup.
They hit you up again and say, well, we've got all your HIPAA data. We're going to release it publicly if you don't pay us X amount of money.
Yeah. And they'll typically show you a snippet of your database or something. Yeah.
They'll, yeah. They'll prove that they've got your data.
The danger in that is you have no guarantee that they're not going to release it anyway or that they're not going to hold on to it and just every year hit you up for your extortion fee.
Yeah. Now one of the positives, I guess you could say, in ransomware, the sophistication level of the attackers has increased, and at the same time, their professionalism, I guess you could call it, has increased a little bit as well. Call it that?
Yeah.
Again, it was that East Coast forensic company that reported that in 97 percent of the cases where they had clients opt to pay the ransom, the key that they received actually was functioning. It worked. It decrypted the majority of the encrypted files, which is a big increase over past years. Last year, I think it was somewhere around two thirds at the time.
And one of the breaches that I investigated just a few weeks ago over the Christmas holiday, the ransom note that the attackers left on each of the machines was actually very cordial. They wished them a merry Christmas and a happy New Year.
And they put it right in their rationale. Look. This is just a business for us.
It's not personal.
Nothing personal. We've got your data.
If you pay us, you know, we have every interest in restoring your data to you.
And in that case, they did elect to get the decryption keys, and they were able to very quickly restore their data.
You know, one change I think that we're seeing is it's reaching down a little deeper now.
And, you know, when ransomware, you know, first began to become the vogue, it was bigger businesses, deeper pockets, municipalities that were being hit. By the way, 22 cities in Texas all got nailed with ransomware within, you know, a few weeks of each other. None of those cities actually paid the ransom. But that said, what we're starting to see, though, is it reaching down to much, much smaller businesses and oftentimes even individuals.
I've got a good friend of mine that told me he comes to work one day, and he finds that his work computer, and now he runs a very, very small business. There's, like, two or three people in the office.
One business computer, and his business computer had been locked up with ransomware.
He reaches out to the, well, he tries to, you know, get his files back, figures out that he can't on his own. So he reaches out to the attacker, and the attacker, when he realizes that he was dealing with, you know, really small potatoes, just said, hey. You know, give me two hundred bucks in Bitcoin, and, you know, we'll restore it. So my friend, you know, takes him an hour or two to set up a Bitcoin account or whatever, you know, a Coinbase account to be able to transfer the Bitcoin to him.
He transfers the two hundred dollars to the attacker, doesn't hear from him. So he reaches back out to the attacker, and he gets an email back where the attacker replies, and I'm quoting, hey, dude. I'm just a scammer. I don't even have the key.
So it turns out that this guy that he was communicating with, as near as I could tell, had launched sort of a man-in-the-middle attack, but who lost out on this man-in-the-middle attack wasn't your conventional one. It was actually he was scamming the scammer.
Yeah. He was stealing money that should have gone to the legitimate scammer. Yeah. Yeah.
Okay. So I'm gonna worry about the next slide. There is an abundance of information on it. I know you're all going to get a copy of these slides later on. We wanna have this data, but we're covering off on things that you can do before you're breached by a ransomware attack, and then, if you are actually locked out, you know, some do's and don'ts.
It's a pretty busy slide, but it's got a lot of valuable information. Some of it's common sense, some of it might not be things you've considered.
Number one is make sure you've got good antivirus software and a firewall in place.
A lot of times, the ransomware, if you catch it quickly, you can prevent a disaster from happening, catastrophic loss of your data.
One of the breaches I recently looked at, they were relying on just the default antivirus that came with the operating system. And the issue with that is the ransomware will go in, and one of the first things it does, you know, within microseconds of being triggered, is it goes through and shuts down all processes that it thinks might have the ability to shut it down. So they go in and they issue kill orders to all of those processes that have the ability to shut that ransomware attack down. So if you use a good antivirus, a lot of them are successful at stopping the attack before it gets underway.
Also, you need to employ content scanning and filtering on your mail servers. A lot of these ransomware malware files are coming in through email vectors, and all those attachments need to be blocked and scanned.
Number three, make sure that all systems and software are up to date with relevant patches.
Exploit kits hosted on compromised websites are commonly used to spread malware.
You've got to get those patches put in place.
I know there's some requirements in the PCI program.
My personal opinion is those are not nearly quick enough.
As soon as exploits are announced, the attackers immediately start scanning their portfolios of known websites that may be vulnerable to those types of attacks.
We often see attackers hitting those exploits or those vulnerabilities within minutes to hours of the exploits being announced. So if you think you can get around to it in thirty days, you might regret waiting that long. We recommend all of our clients to get those things patched within about twenty four hours if possible.
Block inbound network traffic from things like Tor.
And when you're traveling (this is important) make sure you've got a VPN set up, especially when using public Wi Fi or your hotel Wi Fi. Another important one, we'll talk about this one a bit later, is bring your own device vulnerabilities.
This is where employees might bring in laptops or cell phones. We've seen ransomware attacks that came in through cell phones that have been compromised.
Also, don't trust your third party service provider security.
There was a recent announcement from a very large service provider where they got in through the service provider's access credentials. So you've got to vet those third parties continuously.
Most importantly, do not leave your backup devices connected. We see people doing their best to back up their mission critical data, but the attackers will go in. And if you've got a time capsule or a file server that's acting as backup, those get encrypted just as quickly as anything else.
Okay. So moving to, alright, you've done all of those things and despite your best efforts, you come to work and your systems are locked down.
We recommend, and the United States government recommends, that you don't pay the ransom. Now this is going to be a business decision that you have to make.
A couple of things that you can do is look at the type of ransomware that has been employed on your system and then try to research to see if there's a history of these attackers providing usable decryption keys, and factor that into the decision.
But the overall recommendation is not to pay the ransom because it just encourages further ransoming, you know, further illicit activities like this.
Aaron mentioned the backup files.
The best way is trusted backups that you know you can restore from. You know, you do that, but then you do hazard now the element that Aaron brought up that we're starting to see, which is if the attacker then comes back to you and says, yeah, I captured, you know, your database, your patient list, or whatever it might be. So, again, those are all going to be business decisions, but it's essential that you maintain backups and that you practice restoring from them, because some businesses find that, you know, they've got, oh, hey, we're in good shape, we've got all these tape backups, and then they realize how difficult it is to actually restore a system from the tape archived backups.
When you're communicating with the attacker, we recommend that you create a new email persona and do all of your communications through a new email, not one of your, you know, previously known or used ones.
You just don't wanna give them more information than they already have.
And then lastly, call for help.
Get a hold of professionals who have experience working with ransomware, working with the investigation side of it, the restoration side of it, things along those lines.
We've covered a lot of information. We're going to, you know, speed things up a little bit as we, you know, get through the remainder.
The next area was, you know, phishing.
Has there been a change? Yeah. It's just plain gotten worse.
You know, phishing attacks are the gateway drug for ransomware and for, you know, so many other attacks. So it's really gonna warrant training your employees. We'll touch on that a little bit later.
Service provider attacks, these doubled in two thousand eighteen. Two thousand nineteen held a similar pace. Attacks against service providers are especially egregious due to the potential impact on a number of other businesses.
Two or three service provider investigations immediately come to mind that we experienced last year.
In one case, the service provider provided point of sale systems to a number of different merchants, and they also provided a back end website that would allow the service provider to come in and support and upgrade and patch the payment system as it was needed.
The issue they had was attackers were able to get into that back end support website and compromise anybody that was running that vendor's point of sale solution.
Another issue is that a lot of times there is code being included in the back end of websites by entities that can have a significant impact on the security of the card data environment. These might include things like advertisers or analytics providers.
So you'd call these guys the service providers that don't wanna be called service providers?
Yes. In fact, many of them specifically state that they are not service providers, that you're running their code at your own risk.
However, if that code is being deployed when credit cards are present on a checkout process, like in a shopping cart, if that code is corrupted or malware is introduced, that has a tremendous impact on the card data environment. And so if it's a service provider that's doing it, you know, the same code you might have on your website is very likely deployed across, you know, hundreds or thousands of other merchants. So a little small breach at a service provider can turn into a large breach throughout a service provider's portfolio.
And then, you know, one case, or actually a couple of cases that we've looked at, the data loss looked very sporadic. It was really interesting. You'd see a day where they're just getting pounded and losing data all over the place, and then a week would go by of nothing, and then they get pounded again. And we found that it was these scrolling ads that were occurring where, you know, one particular ad was infected.
Well, it's kinda like what we mentioned before where, you know, if an attacker gets into a system, they might grab everything and run, but these guys are smart. They know if they can just steal a few cards from a merchant and not grab everything, it may be years before that breach is detected or reported.
You know, your acquirer may come back to you and say, hey, we noticed you're leaking a few cards. You might look and see that it's only, you know, two or three cards a week. But over a large time period, that can lead to significant losses. Yep.
So, just the top organizational values, you can see them on your screen there.
Employees are number one, and numbers three through six are a distant, you know, second behind it. Employees, the need to train employees on how to spot a phishing attack, a spear phishing email, an effort at social network incursions into your environment. Those are critical.
Now the breach trends that we saw, we're just gonna go through this very quickly.
Aaron, go ahead and start us off here.
Firewalls, we continue to see the same type of issues. The worst thing, of course, is when there's no firewalls in place, and we did see some of these in recent cases, and improper configurations.
And another big issue is when a firewall is there, but between a service provider and the merchant, nobody is sure who is supposed to be in charge of that firewall.
Yeah. Yeah. And I just got back from an on-site where I visited numerous franchise owned locations.
And while the corporation, you know, had set out some guidelines, each of these franchise owners set up their environment, you know, very distinctly. They all ran the same software, but their environments were different. And in a couple of the cases, there was no firewall present at all.
Passwords continue to be an issue. We've talked about that, using default passwords. We still see it happening. Non complex passwords, passwords that exist in public databases now.
All those things kinda are still issues we see. Antivirus, this is another instance where there may be some confusion between the merchant and the service provider of who is in charge of making sure antivirus is installed, making sure it's updated, and most importantly, looking at the alerts, knowing where those alerts are going and who's responsible for acting on those alerts.
Also, secure access, lack of multifactor authentication, we still see that. Weak passwords being used, shared logins, all those things continue to be an issue.
With multifactor authentication, I also wanted to address multi channel authentication. This is making sure that if you're requesting a security token that it's not coming back to the same machine that you're going to use to access the sensitive network. Make sure that those authentication tokens are going to your mobile cell phone or an authentication device somewhere else. Otherwise, the attackers will see that authentication token and they'll probably be in ahead of you.
So in the health care, what are we seeing there? Well, we're still seeing that the health care industry is square in the sights of attackers.
They remain at high risk for principally three reasons. First, they contain a treasure trove of valuable information, confidential data that can be quickly capitalized on the black market. Second, they still lag behind when it comes to employing industry standard security protocols. And granted, I understand that the environment of security is constantly evolving. The attack vectors are constantly evolving, so security protocols have to constantly evolve as well.
The sad truth, though, is that many health care organizations that we've investigated are, like, a decade or more behind where they should be as far as employing better IT security. And thirdly, they're more prone to pay the ransom. They need to get that data back. They need to get it quickly. I mean, virtually lives hang in the balance.
And they're also most vulnerable to having their HIPAA data exposed.
I mean, that's a pretty powerful extortion request if you know individual PII data is out there.
Right. Just some of the headlines from last year regarding, you know, health care: data breaches are gonna cost four billion for health care breaches in twenty twenty.
Organizations lagging behind NIST. The NIST guidelines are security guidelines that have been set up that, you know, virtually all organizations should be in compliance with. Lab instruments leaking patient data, you know, hacking IT incidents are causing bigger breaches. So, anyway, just the point here is that it's still happening in the health care industry, which is still getting hit very, very hard.
Now that brings us into things that we can do to avoid data breaches. And the truth is Aaron and I have already covered a lot of these things, so we're going to go through them fairly quickly. I think there's about nine of them.
Starting with the, you know, I've mentioned it. We've got to do a better job of training our staff in being able to, you know, identify security issues.
They need awareness training in identifying phishing emails, social engineering attacks.
We need to also give training to our incident response teams, those who we're gonna call on to get us out of the grease when a problem has come up.
Incident response training applies to the assigned incident response team, whereas, you know, the other security awareness really needs to go to everybody from the mailroom to the c suite.
Phishing, spear phishing, you know, we mentioned that, and we covered off on, oops, on the need to train for social engineering.
Also, updating patches.
We spoke about this one. Just make sure you're getting those patches applied.
You know, very, very critical if you're using things like Magento or OpenCommerce, any of those off the shelf patches. That's all open source code, and attackers are watching that very, very closely.
Those type of sites are always under attack, and so those patches have to be applied right away.
Yeah. And we've seen numerous cases where a vulnerability comes up, a patch gets issued, and six months, nine months, a year later, a company gets breached because they never employed the patch. Yes.
You know, that it had been out there for... Or the patch may be applied, but the attacker got in before it was applied.
And so they got a foothold, and they're still there. Yeah.
Vulnerability scans and pen tests.
Get those scans scheduled.
They can find a lot of the glaring issues. Pen test regularly.
There are nineteen new vulnerabilities reported every single day in the National Vulnerability Database.
All pen tests are not the same.
I have very little confidence in automated off the shelf pen tests. I've seen too many times where automated pen tests failed to disclose a vulnerability that a skilled pen tester would have found in minutes.
Log monitoring, this is another one where if you've got a service provider, make sure you know who's in charge of monitoring those logs, making sure those logs are being kept and reviewed, and who is acting on alerts in those logs.
On passwords, we've mentioned it a couple of times.
The industry standard is a minimum of eight characters, case sensitive, so upper, lowercase, numeric, and special characters. Personally, I wouldn't use any passwords that are under twelve characters, and ideally, they should be changed every six months.
Here is a site, you know, haveibeenpwned.com, where you can type in a password. It doesn't ask for your username. It doesn't ask for your email address or anything like that. You just type in a password, and it says, hey, this password was captured in a, you know, previous breach, or no, we haven't seen this one in a previous breach.
Now qualifying this, we believe that this site is legitimate and safe.
There are sites out there, however, that are going to say, no.
It hasn't been captured before, but they have now because you entered it in there and they just added it to the database.
Yep. They're gonna grab that password and they're gonna be off to check social media and anything else they can where that might work.
Yeah.
Access, again, this is using the multi factor authentication principles, something you know, like username password, something you have like a code on your phone and biometrics that we've talked about.
Role based access.
We just had a case where the SQL admin user had execution privileges. They were able to take that execution privilege and elevate that into access on the web server. When we looked at it, there was absolutely no need for the SQL admin user to have the level of privileges that it needed. They were able to restrict it to simple read write privileges, and that solved the issue.
Network segmentation, we've talked about this one over and over. Just make sure that that is happening so you get functionality separated, so there's less surface area for the attackers to hit. A lot of merchants are choosing to move their checkout process to a third party.
That can get your website moved out of scope if you do it properly.
Switching to EMV terminals to hide that sensitive data or moving to P2PE solutions is one of our number one recommendations.
We have not seen a P2PE solution fail yet.
Make sure you're encrypting the data. This comes into play for things like hospitals where, if an attacker gets in, if that data is encrypted, they're not gonna be able to hold that data hostage.
Make sure those time machines are backed up. Your cloud backups, make sure those are encrypted.
External hard drives, very, very important to test those backups, make sure they work, and make sure they're encrypted.
Okay. Number nine is having an incident response plan. It's important for you to have a plan, have everybody trained in what their roles are if something bad happens, and then conduct tabletop exercises to test your plan. And then the greatest benefit that can come out of a tabletop exercise is that you identify gaps in your plan. You then modify the plan, and then you employ those in your future testing, which brings us up very quickly to our predictions for this coming year. We just have three. Aaron, why don't you take the first two?
We're seeing organizations move a lot of their products and services to cloud based solutions.
We're gonna see attacks that are specifically adapting and targeting these cloud based services, including message platforms, things like the live chat apps that are going on. Storage solutions are gonna be hit more, and especially JavaScript code that's being delivered from cloud based content delivery networks. The attackers are going after that. A little bit of effort there can yield a lot of payoff for the attackers.
We're also going to see a spike in the registration of look alike domains that are being used for nefarious purposes.
Merchants should register domain names that are similar to their own to prevent bad actors from doing the same and targeting their customers with fake domain attacks.
And then I threw the third one on because I'm still holding out. I've had this one on here before.
That's, you know, Spy versus Spy. You might recognize the cartoon. And although this looks like owl versus owl, it's actually AI versus AI. And this is where attackers are going to try to get their malware embedded into the AI while it is still in its learning phase so that as it learns about the environment that it's in, it is going to recognize the malware as part of an allowable element within that environment and then, you know, overlook it in the future.
And to help combat that, Securitymetrics has a tool that we are putting out that uses a lot of really cool intelligence techniques to monitor those checkout pages at the exact moment of checkout when that credit card data is being typed in. We're monitoring that security state. You know, all of these scanning tools and things that are out there right now, if they're looking at the security state that is presented as a person enters that environment, by the time you go through a checkout process and put a product in the shopping cart and get to that checkout page, you might be in a completely different security state. And so the tools that we're putting out there right now simulate that process and actually look at what is going on at the moment of checkout. Great. Thanks.
The tool is called WIM, website integrity monitoring, if anybody, you know, wants to know.
Yeah. If you wanna know more about it, get ahold of us. Okay.
And then that brings us to questions. Sorry. We had originally said ten minutes q and a. I think we've got about one.
Yeah.
We have time for a couple, I think.
One question that came in: is there any data about how much effort is being made by law enforcement agencies to catch such hackers and recover the money, or is this money simply getting lost in thin air? Great question. I'm also, you know, former law enforcement.
I've seen a variety of statistics, but, traditionally, about five to fifteen percent, it depends on who you look at, of these cases actually result in an arrest.
The funds are very rarely recovered.
I did work a case earlier this year where it was a redirect. It was one of those situations where a VC company provided some funds, sent it to the wrong location, and they were actually able to recover the money. Those are a little bit more rare. Law enforcement is getting better at, you know, performing these types of investigations.
Most of them, or a lot of the agencies, unless they are a larger municipality, actually request the assistance of federal law enforcement who are better equipped at performing these long term investigations.
Thanks, Dave.
And one other question. This may be good for Aaron.
Is it fair to say that EMV has slowed the low hanging fruit when considering that many of the ecommerce breaches result in card not present fraud trends?
It has absolutely lowered the amount of data breaches we are seeing at card present locations.
Again, it's sort of rendering that card number a bit useless, because the one time authorization code that is present for the EMV makes it very difficult to physically replicate that card so somebody can go and, you know, use it as they would any other card. However, that card is still vulnerable. If that card is captured, the person that has that card number can now take it to a card not present environment and use it at a variety of locations to purchase other products and things like that.
Yeah. So it validates the need to have all of the other security protocols in place. Yeah.
You still have to have it. But, you know, the attackers are moving to different orchards, specifically the ecommerce environment where they can still capture enough data to make that card number very useful.
Great.
And then maybe let's wrap up with one more question here. And, again, if we don't get to your question today, we will reach out to you via email.
But since we had the the get smart clip earlier with the biometrics, I thought it might be fitting to end with this question.
What are your views and opinions on China's facial recognition systems used to track and monitor their citizens? Do you feel that this will become a greater security risk as it gains popularity?
A greater security risk? Well, first off, yeah. As a former law enforcement officer, I mean, I love anything that will bring bad guys to justice. So, you know, the thought that we can say, okay.
Here's the face of this guy that committed this crime, and then we can start scanning all of our cameras that are on street corners and find them. I mean, the law enforcement side of me says, yeah, that's awesome. The personal privacy side of me says, that is really scary.
Yeah. That's really scary because, you know, anybody can be a bad guy if you look hard enough.
Yeah. And so, this isn't necessarily the question he asked, I'm not a fan. I think it's overreaching the way that I believe China is employing it.
Would it reduce crime?
Yeah. People will be too scared to commit any. Yeah.
Or if you see everybody walking down the street with hoodies on and pulled down over.
Well, I get to the questions too of the expectations of privacy. You know?
You can pretty much guarantee anymore if you walk outside, you're gonna have a camera on you somewhere. Yep. I just fell in the parking lot the other day, and they caught a good portion of me windmilling across the parking lot on ice. Yeah.
Thankfully, it didn't get uploaded to YouTube yet.
Yet. Anyway, yeah, we're about four minutes into X range right now.
So Well, yeah.
Thanks everyone for joining us today, and thanks again to Dave and Aaron for taking the time to speak with us. We hope you enjoyed this webinar. And, again, we will be sending out the recording, so stay tuned for that. And we hope to see you again at another webinar with us very soon. And the three winners.
Alright. And we will be having a drawing. For those of you that did submit questions, we will pick a winner. We're not going to announce the winner at this time, but we will be drawing a winner from those of you that submitted questions. So we'll be reaching out to you for that. And our two trivia winners from earlier, we will be getting you your swag, a windbreaker and a backpack. Awesome.
Thanks, everyone. We'll see you next time.