Joseph Carson:
Hello, everyone. Welcome back to another episode of 401 Access Denied. This is your podcast brought to you by both Cybrary and Delinea, and it's a pleasure to be here. I'm your host for today's episode, Joseph Carson, and I'm the Chief Security Scientist and Advisory CISO at Delinea.
Joseph Carson:
I'm really excited about today's topic. It's a very important topic and one that probably many of you out there have been really waiting for. And this topic we're going to be basically joined with two awesome guests. This is their first time on the show, and I would like to pass it over to Stan. So, Stan, would you tell us a bit about yourself, what you do and some of the fun things you get up to in InfoSec?
Stan Black:
Absolutely. Thanks for having me. So my current role is I'm the CISO at Delinea. Prior to that, I was an executive, or CISO or CSO and a CIO, remind me not to do that one again, for Citrix for a company called Nuance. And then I was a security executive inside what used to be the EMC family of products, VMware, RSA.
Stan Black:
And a little bit about my background is I've cut across much of the path of security. So transferring or evolving from a standard, or what I would call a rudimentary CISO of just IT security, that progressed along to products and software security, because as I've noted, all the companies I work for are technology companies. So I delved deeper and deeper into that area.
Stan Black:
As well as physical security. So guns, guards, and gates; can't get enough of those. And then that just keeps evolving into risk based mindset. So it's been an interesting ride, lots of bad folks out there and lots of smart folks trying to keep the bad folks out.
Joseph Carson:
Absolutely. I think one of the things, one, I was at an event last week, somebody compared us to almost like the Marvel team of superheroes: we're all out there to try and protect the world against all the evil that's there. So-
Tony Goulding:
That's right.
Joseph Carson:
It was quite an interesting conversation. But Stan, welcome to be here and really excited, and absolutely it's right, it's all about risk. Risk is the fundamental kind of area that we focus on. I'm also joined with another awesome guest. So Tony, welcome to this show. If you can tell us about yourself and what you do and some of the fun things you get up to.
Tony Goulding:
Yeah. Thanks a lot, Joe. And hello, Stan. Yeah. Tony Goulding here. Actually we're a merged company, but I've been doing what I'm doing in product marketing now for about six or seven years. Kind of externally, I'm a cybersecurity evangelist doing a lot of talking and consulting about cybersecurity. Kind of internally, I'm technical product marketing. So doing a lot of white papers and webinars and positioning and strategy and all of that kind of stuff. Very exciting. I love that stuff.
Tony Goulding:
But you'll probably tell from the accent I'm from another country. Although this is multinational so what does that mean? But I'm from Wales originally, born and bred in Wales. But I've been in the industry too many years. I've been in it probably the security industry over 20 years and kind of started off life as a programmer. So I've been down that path. I spent about 10 years programming. So getting a good feel for what people are writing and also the kind of security bugs that can be introduced very easily into software.
Tony Goulding:
But I would say that over the 20 years I focus mostly on vendor solutions. So I've worked for vendors. I worked for a company that many of you may have heard of, kind of CA Technologies; if you remember eTrust, the security solutions around eTrust. Exactly.
Joseph Carson:
Absolutely, I remember CA. What was it?
Tony Goulding:
Now part of Broadcom. Yeah, exactly. So I was knee deep in that when the eTrust brand was originally developed. I joined them as a senior consultant, peddling that software, working with the sales teams trying to get that thing ingrained into people's minds and heads and IT infrastructure. So I've been in the IAM space and the PAM space for around 20 years. Still enjoying it. It's still a great place to be.
Joseph Carson:
Absolutely. This is a fun industry to be in. Just curious to what program and languages were you doing?
Tony Goulding:
Oh my word. You're asking.
Tony Goulding:
I programmed in... well, I started off down in the guts of machine code. So I started off at the machine code level, but then kind of went a little bit further up the stack. I did Ada. I did Pascal. I did Fortran, COBOL, C#. And then many, many years later, about 10 years ago, years after I'd finished programming, my daughter said, "Hey, why don't you write an iPhone app?" And I'm like, "Okay." So that was my first introduction to actually kind of MVP type of programming and that was fun. I actually wrote and published an iPhone app.
Joseph Carson:
That's pretty impressive. And I think some of those languages, the really important part of it is they're foundational languages. A lot of what we do today is still built on top of them, which is really important.
Tony Goulding:
Exactly.
Stan Black:
Yeah.
Tony Goulding:
That's very true. That's very true.
Joseph Carson:
So we're here to talk about a very important topic and that is that not so long ago, the latest Verizon Data Breach Investigation Report has come out. The 2022 edition, which is the 15th year that this report is running, which is quite impressive. And I think they really did this time they took a bit of a celebratory kind of action where they really wanted to celebrate the past 15 years.
Tony Goulding:
They did.
Joseph Carson:
Which I thought is great. I thought was really kind of interesting. What we think about... I mean over 15 years, and it's really evolved. Especially the last, I think, three to four years, it's really evolved because they really changed the way they've done reporting and analytical to present the presentation of it has really evolved. I struggled with the change between how they display the graphs to try and really understand the concept, but I'm starting to now, as they mature it much more and they get better at kind of presenting it, I definitely think it's moving the right direction because it's becoming more actionable.
Joseph Carson:
And for all security professionals, it's the pulse of the industry, is it time to have a glass of champagne and say the past year has been something we've been good at? Have we been defeating? Or is it something that we should raise concerns and think that there's things and areas that we must do better at?
Joseph Carson:
So Stan, I'll pass it over to you. Is there a specific area that you thought in the latest report that may have been interesting? Or any observations in the style or updates in the report itself?
Stan Black:
Well, I actually enjoyed because I've been reading this since the first edition; that is a bad indication of my age. But it's gone from an academic and an awareness and concept perspective, it's getting closer to practical. I did enjoy the 15 year victory lap. I mean, because when you look at that, those of us who had been in the trenches for so long before it was called cyber security, right?
Joseph Carson:
It's called security.
Stan Black:
Exactly. Or information security or MIS. So no, it's really evolved quite a bit. I've had a perception for a good number of years that if someone were to ask me who doesn't know anything about this report in the industry, what did I pull out of it? I would distill it into the following sentence: without access, incidents do not occur. Whether that's an administrator improperly implementing a patch or an insider making a mistake or doing something malicious, or a malicious actor on the outside. Because often we are challenged by distilling the complexity of our industry into soundbites. And we've seen in the news that soundbites can get you in trouble, and in my industry, in doing and delivering operational security at scale, oversimplification can get you in trouble. Too much data puts people to sleep, in brief. So yeah, privilege was an interesting piece of it.
Stan Black:
I was expecting to see a more inherent invisible shift with moving out of the office, the results of the pandemic. I was expecting to see a significant increase in mismanagement or error or what have you, but it's funny how the former insider is now the outsider because of the pandemic. And when you look at statistics, that's exactly what it evidences. If you go back and look at, say, firewall logs from pre-pandemic, there's all kinds of things bouncing around inside of your enterprise, and now that's decreased dramatically. And now all the noise is coming from the outside and hopefully your telemetry.
Joseph Carson:
Absolutely, you bring up an important part, because I did take that away as well, is that what we saw were insider and internal threats. So it always kind of had quite a high percentage there. And what we've seen in the last one, and it's probably because everyone has now been treated as an external person because they're accessing remotely, and whether that be with stolen or compromised credentials or whatever it might be, is that, yes, everyone has now been treated as external. Whether it be employees accessing through VPNs through a desktop. So you're absolutely right. And it was notable that this is always retrospective. It's always looking at the past years and not the current one. So I absolutely think that's a great observation in some of these trends. Tony, just kind of any thoughts from you on this or any observations you have?
Tony Goulding:
Yeah. The numbers were fascinating for me, but some of the takeaways that I got, I think much of it hasn't changed, it's just variations of the numbers. So certainly the human element was one of the big things that jumped out at me, because they were talking about, I think it was like 80, 82% of the breaches, again, it was the human element involved, right? And as Stan was saying, the external actors dominated over the internal actors.
Tony Goulding:
But an interesting blip on that was business partners, vendors, third party contractors. I think they said something like 40% of attacks from an external perspective involved business partners and vendors. So now we're starting to say, "Okay, so that's secure, remote, external connection into our infrastructure is very, very important to protect." Not only for our internal employees whose hygiene is maybe a little less strong in their own sort of home personal networks than it ever was when they were in the office, they're getting attacked more and more. And so we've really got to defend that. And the human element is really strong.
Tony Goulding:
Another blip, another statistic that jumped out at me, which again, it's something that we've been aware of, but cloud storage misconfigurations, right? They continue to kind of top out the error category in the report. So mistakes by humans that lead to that compromised data in the cloud. That's just the gift that keeps on giving as far as attackers are concerned.
Tony Goulding:
And then the big elephant in the room: ransomware. I'm tired of hearing about supply chain attacks, but it is top of mind, right? And ransomware is accounting for the vast majority of all malware breaches, like 70%. But at the end of the day it's software and it's not rocket science, it's software and software needs credentials and elevated rights to do what it needs to do. So that's kind of how we've got to look at that and not be scared of it. It's like it's software, it needs elevated privileges. Let's focus on how we can prevent malware and ransomware from getting a hold of those.
Joseph Carson:
Yeah. Just going to give you some stats as well. So in the past year, the breach investigation team report basically analyzed just under 24,000 security incidents, of which 5,212 were confirmed data breaches. And it's really always important to understand that in the Verizon Data Breach report they do have a very clear classification. A security incident doesn't always necessarily mean a data breach, so they always keep them very clear. So just under 24,000 incidents, and then 5,212 of those were classified as confirmed data breaches.
Joseph Carson:
Now, just to kind of compare over previous years, this almost is similar to what it was in 2021. So in 2021, it was 5,258 data breaches. So it's almost comparable to the previous year. Where in 2020, it was 3,950. So it means that kind of roughly the same number of data breaches in the past year as of the previous.
Joseph Carson:
And it's also really kind of indicating as well, as you mentioned, just to kind of give you some of the statistics as well, that 62% of the actual intrusion incidents, which basically were access incidents, not necessarily meaning a data breach, actually came through a partner or supply chain. So that's the number of incidents that actually came through suppliers: 62%.
Tony Goulding:
That's huge.
Joseph Carson:
Which is significant. That's huge. And then you look at 82% of the analyzed breaches in the past year had a human element. And that either human element was either they made a misconfiguration, they made an error. It was misuse of their privileges that they had. It was through either social engineering attack. So that's a significant, 82% involved a human aspect of it.
Joseph Carson:
One thing that I always thought was quite interesting. In previous years, I always used to look at the number of techniques that were used in order to gain access; normally it was somewhere between four and five. In the past year, it's decreased to actually the majority of breaches only required three steps. So the attacker only required three steps in order to actually carry out the malicious activity. And that either being through phishing as step one, to then forcing that machine or person to download some type of malware or ransomware, and then the actual execution of that. So that really can-
Tony Goulding:
They want to be quick, right? They want to be quick and impactful and get in and get out. Because the-
Tony Goulding:
... the longer the chain. It's more opportunity for us to stop them, right?
Stan Black:
Yeah. And historically the actors that have come after large enterprises are multimodal. So they'll give you the noisy hack, but what their goal is is the secondary low and slow where you barely even see them; they're even cleaning up after themselves.
Stan Black:
And the partners item, Joe, it's 62%. But think about the world that we live in now too: many companies that would do the work or bring a vendor internally to solve an operational security challenge, you're now pushing out to managed service providers, to just external vendors to drive that. And staff augmentation is... Because hiring is so hard right now, at least in the States, that it's a significant challenge. So we've had to give, I don't know why I used the word give, but expect our vendors that we are bringing more and more in that they are trustworthy. And they may be trusted for a period of time, but they're software and vendors and it comes down to back to the human element.
Stan Black:
Software's written by people. By definition, that will mean it will have vulnerabilities. Infrastructure is operated, maintained and managed by people. Wetware, let's just call it hardware, software, wetware. And because of that, we have to look at it with a little bit more dynamic lens and do our threat models that some folks have ignored doing for a period of time and understand what our potential attack surfaces may be.
Joseph Carson:
Yeah. And then you think about the last year started with Hafnium, which was the Microsoft Exchange attack, so that's where we started. Then we had numerous ransomware attacks, specifically on Colonial Pipeline and meat production and others. So again, into different types of supply chains. So not just going through supply, but also impacting supply chains of the physical world. And then we ended the year with Log4j. I mean, what a scenario. That meant that we've had some ... especially from software supply, not just many services, but also you're using software from other vendors. And some of those vendors might be large and might have really good patch kind of mechanisms. And some of them like Log4j don't have patch mechanisms. You might not be able to patch it. You still might not have patched it. So this really means organizations really are exposed, especially through the different types of supply chains that are out there.
Tony Goulding:
Yeah. That supply chain can be very long, right? It's multiple opportunities for an attacker to break in and cause havoc and basically start the dominoes falling. And it was prevalent last year and I think it will continue to be so. Some of the data in the Verizon breach report, I mean, they talk about verticals and different attack methods used in different verticals in different countries. I think the data on the U.S. side, I think they gave a caution that's saying a lot of our data is more clinical, we get more visibility into what's going on within the U.S. data set than we do in others.
Tony Goulding:
But the trends are clear. I mean the whole ransomware and supply chain attack methods they're just the gift that keeps on giving. And of course, I think you and I spoke, Joe, about ransomware as a service, for example. And making it easy and easier to set up affiliate models where it's like, "Hey, I'll give you some money, I'll be an affiliate. Give me the software, give me the tools." Bang it's out there.
Joseph Carson:
Absolutely.
Tony Goulding:
It's just too easy. It's too easy.
Joseph Carson:
And in the report, they really highlighted, I think one of the key things is that we've really shifted away from these opportunistic types of attacks to more organized crime type of criminal activities.
Tony Goulding:
Organized crime is so true. Yeah.
Joseph Carson:
And I think this is what we really see is organized crime is now becoming the reality, is that they are investing in order to actually carry out financial motive types of attacks. They're investing in this area. And it really gets into specializing, where you've got those who specialize in actually gaining access. You've got those who specialize in creating decryptors. Those who even specialize in using those combinations, either through basically ransomware or crime as a service, and then deploying the ransomware. And then you have specialized into... Basically because those who might be carrying out the crime may not be native language speakers where the victims are located, they'll hire basically specialized help desks who will basically communicate on how to get cryptocurrency and how to actually recover data. So this is almost getting into very much a real kind of, it's a business model for the organized crime. And-
Tony Goulding:
It is. It is.
Joseph Carson:
... you've got a 25% increase in ransomware year over year, and four in five of the breaches were attributed to organized crime, which is phenomenal I think in what the data's kind of shocking when you get into reality.
Tony Goulding:
I kind of have this mental picture in my head of a bunch of hackers getting together with a portfolio and a business plan and presenting this to some investor and saying, "Help us with the funds necessary to bring on a development team, and to bring on a team of individuals that will do target acquisition and work on various channels to do our content distribution and our emailing. And figure out how we're going to monetize the data that we eventually compromise." It really is a business for sure.
Stan Black:
Well, it's interesting when you think about it, because whether it's organized crime or a nation state, see, during the course of the day, my team and I all have to make sure that our certifications are maintained, that we have people getting trained, that we're reporting to the audit committee correctly. Well, that slows down our ability to identify, contain, control and communicate an incident. And what's fascinating about this is the bad guys, whether they're organized crime or again, a nation state, they don't have a board to answer to. If they kill someone in the process of shutting down hospital services, they don't care.
Stan Black:
There's not a single regulator that says, "Oh, you can't do that." So the barrier for them to accelerate is significantly less than my ability to keep up with them. I have to function within a series of rules and requirements. And now there are at least 350 standards, regs and laws related to security and privacy around the world. And let's just be clear, they haven't actually solved a single cyber security issue in my opinion. Many companies that are hacked and breached are also compliant, interestingly enough. And now we see a new trend...
Joseph Carson:
Yes. Majority of them.
Stan Black:
Yeah, well, exactly. I was trying to be nice. And now I'm getting notifications from the FTC that says, "If you don't patch Log4j, we are going to apply financial ramifications to your company." Never seen that one before. I'm not sure if it's happened elsewhere.
Stan Black:
And when you look at the report, I want to know, if I'm that person starting out in their security career, where do I start? Do you go out to the biggest thing? The report used to be used as a mechanism to get budget in security for security teams. Now, it's almost impossible to distill it down to a consumable format that says there are three problems, we're going after this one, this one, and this one, the rest we'll worry about them later. It's hard.
Joseph Carson:
We had an interesting... I was moderating a panel not long ago that was basically on the hiring side of things, getting people into the industry, and for many organizations... For those who are looking for entry, basically starting point in cybersecurity or info security or whatever it might be, that was actually the job requirements and descriptions for many industry organizations was actually so much higher than that of cyber crime. Cyber crime, they didn't need certifications.
Tony Goulding:
Of course not.
Joseph Carson:
They just wanted, show me some of your previous work, and that was enough to get them in. So some of the entry levels, it was interesting. We had a person whose expertise was that area of looking at the comparison between entry level, and how to try and get more people who were going down that cyber crime path, to get them kind of retrained and moved over before they carried out malicious activities. And I think this is something we have to look at here as an industry. And I think something I would like to even maybe, when the Verizon data breach investigation team, some of the guys will listen to the podcast, and hopefully they'll take away and say, "What types of kind of job descriptions or requirements or skills do we need to help address these issues?" And that would be the one.
Tony Goulding:
Yeah. That's a good point.
Joseph Carson:
Tie it to the skills gap as well. Because one thing I really liked is what they've done is they've really tied it to the MITRE ATT&CK framework. They brought in a risk element in the last couple of years, and that's all fantastic because it really makes it actionable. But as organizations we need to know what's the skill gap and be able to address these. Then basically to really look at what's the skills we need to bring onboard. Where do we need to train people? Where do we need to educate people? What skills, what things do we need to outsource to really help us address many of these issues? Yeah.
Tony Goulding:
Right. I think the closest they got to answering that question, I was kind of just browsing briefly looking for this statement, but I think in essence, they said there's four main paths that lead to our data. That's lost, stolen, compromised credentials, number one. Phishing, which can often result in compromise credentials as we all know. Exploiting vulnerabilities and botnets. We need a solid plan to address them all. That's as close as it got to being prescriptive into what kind of skill sets you need in order to address some of these issues. But yeah, I agree with that. I think that giving more guidance in that respect would be fantastic.
Stan Black:
Well, and the interesting thing, when you read a report like this, it fills your head with all kinds of interesting information. But one of the items that I feel as if we've kind of lost track of, is all of the security technology that companies spend huge dollars on, and more and more every year, why are we putting that in place? The answer is, it breaks down to applications that we've developed, operating systems that we've developed, communication protocols that are now older than my children; they were designed to deliver an information experience, not aware that the world would be weaponizing it.
Joseph Carson:
Yeah.
Tony Goulding:
Yeah.
Stan Black:
Yeah. And so, why do you need antivirus and malware and all these other and browser protection? Well, they're designed to let you do anything. And it's up to us as security people to help our customers and our compatriots solve those issues. And we got to remember how we got here. Some of the new kids coming in, don't even know how to access or go to a command line to get to a directory on a hard drive. I know that's an old guy talking, but really.
Tony Goulding:
I was in my terminal this morning on my Mac trying to solve the problem at the command line level. Why won't you let me in?
Joseph Carson:
To your point, Stan, just to give you some also perspective as well, is in the ransomware data itself, 40% of the ransomware incidents actually involved the use of basically desktop sharing software that the actual vendor was using themselves or the victim was using. So their own remote desktop sharing software was used in most of the ransom, so almost half. And then to get into also email, 35% of them were actually using email for distribution. It's still going back to things that if you're able to even just address those areas, you can significantly reduce the risk quite significantly down.
Joseph Carson:
I think it was RDP. One of the stats was around RDP, that the majority of it was through brute force attacks. And that means that what do brute force attacks mean? That we, as humans, are creating weak passwords. We're leaving it to humans to make the choice in what is a strong password. And I think that's another area that we really have to start addressing.
Joseph Carson:
And I really liked, I think, the SMB summary really can hit it really kind of clear. And in the SMB summary in the report, it gets into providing these 13 steps of what you can do. And I think it doesn't just address... I think when we look at them, it's for all organizations. I think these are the things that SMBs can achieve, but probably the basic standards that all organizations should get right because it only takes one mistake in order to leave yourself at risk.
Joseph Carson:
And just kind of look at the top four of that 13 was using two-factor authentication. It's just making sure the password is not the only security control. Make it difficult for attackers to be successful. Force them to take in more risks. So number two was do not reuse or share passwords. I get scared because the next generation, that's the culture they've actually been brought into is sharing and reusing passwords. And then you get into, they do recommend to use a password manager or a password generator that will help create unique passwords. And then the fourth one was be sure to change default credentials, areas like point of sales and other hardware. That was the top four of those 13 steps for SMBs.
Stan Black:
You know Joe, it's funny, when you talk about passwords, remember I used the term "root cause" a minute ago, what company that isn't born in the cloud doesn't have on-premise Active Directory? Which does not have the ability to do three of the items you just called out on passwords alone. Right? So when you download the entire hashed directory password structure of your company, you can find, if the company's name is ABC, "ABC123" hundreds of times.
Stan Black:
So when those breaches occur at major hotel chains that are tied to a corporate account, it's literally like marketing your target for the bad guys. And it gives you wonderful dynamic telemetry to be a bad guy targeting a company. And then you look him up on LinkedIn to figure out what the, "Oh, they're an administrator of such and such." And it's not hard to do. And our adversaries are using intelligent systems. They are learning by every attack and every outcome of every attack.
Tony Goulding:
Yeah. I think if I'm not wrong, Joe, the term is password spraying. Right? Where somebody may go to the dark web, you get Tony's identity and a password. And the assumption is Tony's fallible. He's probably using the same ID and password in other places as well, so you spray it at these other systems, hoping that one of them just sticks and lets you in. I mean, it's a common technique, right?
Stan Black:
Yeah. You normally start with something, then they move to spraying and then they move to highly targeted once they have their... Because that noisy attack of stuffing to sprinkling and so on, and then it becomes more and more fine tuned as they go.
Joseph Carson:
Hopefully. It does-
Tony Goulding:
I like those gardening metaphors: spraying and sprinkling and...
Joseph Carson:
The attackers do use a little bit more... There's more automation in this area. So one of the things, one of the previous episodes, I had EvilMog, who is X-Force Red team's password cracking guru. He's awesome and amazing. So for the audience, if you want to know about password cracking, go back and listen to that podcast episode. And we do go into also talking about the passwordless experience. Experience, it's important to emphasize the word there.
Joseph Carson:
But we get into one of the things that they do is, Tony, to your point, is they do go and find previously compromised passwords that you have chosen. And there are tons of password lists. I mean, almost everyone has been part of a data breach on this planet. You can't avoid it because there's been so many large data breaches. So somewhere out there is some of your previous password choices.
Joseph Carson:
And what they end up doing is they'll take that and they'll create the base word list, and then they'll understand about what your organization's protection is in place. So what's your requirements? Is it uppercase, lowercase, the password complexity. So once they know your choice of previous passwords, your password policy in regards to the complexity that your password requirements are, they combine those together and then they'll put it through basically a word list cruncher. And what that will now do is expand that word list to include all the possibilities that you may have kind of taken from those previous choices and get into the predictable pieces of what your future passwords might be. And then what they'll do is once they finish that word list, now they'll use that as the basis to do basically password spraying.
Tony Goulding:
Now, if they applied that to the stock market, then maybe they could predict the outcome of rises in stock prices. That would be awesome.
Joseph Carson:
I think they do. They do.
Tony Goulding:
They probably do. They probably do.
Joseph Carson:
They're always using all of these...
Stan Black:
I have a lot of folks that are all playing Wordle now.
Tony Goulding:
Oh, my word. Please.
Stan Black:
Which is exactly what you just described, Joe. What's the most common word? Start there, then... And so it's dictionary, it's still words, it's still dictionaries, and that's why that methodology and the need to use something more aggressive is so relevant.
Stan Black:
But now, many companies to enable a better user experience and reduce their help desk calls for password resets, have allowed and enabled MFA or multifactor self reset. Well, it's reset via the email that we were just talking about a moment ago. So then you actually give the bad guy an escalated credential and they have the multifactor token, and so they're in. So that's exactly the access concept that I was talking about earlier. Where essentially they know our business often better, to your point, Joe, about how people build passwords, most common words, all of that. When we look at this, we have to decompose that and say, "We need proper authorization, when enabling our users to have access, we need to enforce things." And so it doesn't need to be hard. It just needs to be managed.
Joseph Carson:
Yeah. Emails should never be the primary purpose of resetting passwords because what-
Stan Black:
Iranian funded teams are aggressively going after MFA with large enterprises with self serve models.
Joseph Carson:
Because, I mean, email that's literally, if you go to any cloud service application out there, that's basically it might send you a time based-
Stan Black:
Yeah. An OTP.
Joseph Carson:
... magic token in order to basically reset the password. And if an attacker gains access to your email account, they will basically go through, and again, through that intelligence, they will basically do a quick search through your email history and determine all the different services that you've ever signed up for. And then basically go through and automate the password resets of all of those services. And they'll be able to use their email in order to either lateral move into your networks or laterally move vertical up into your cloud environments and really cause a lot of havoc. So absolutely, really thoughtful at the password reset mechanism and how to verify that the person is really who they're claiming to be.
Tony Goulding:
I mean, the Verizon report says quite clearly, web and email mostly, along with workstations and laptops are the top assets impacted by breach.
Joseph Carson:
Absolutely.
Tony Goulding:
For a reason. For a reason.
Joseph Carson:
And the other thing here-
Stan Black:
I honestly was surprised to see file sharing so high because if we tie the report to a corporate environment from SMB up to the largest enterprise, in my mind file sharing should not... It's like having FTP. There's certain things you just don't do. So I didn't understand why it was so prevalent.
Joseph Carson:
Yeah. The challenge with file sharing is that a lot of... So a lot of techniques still used today are techniques like Responder that take advantage of NetBIOS and LLMNR poisoning. And what that really means is that a lot of employees, what they end up doing is when they're on a network, they'll automatically map network drives. So that machine will automatically remember that next time I'm on the network, it'll connect to it and have access to those files. And that's a very common technique that many employees use in order to share data between employees. And what happens is if you're basically on the same network as somebody who's running Responder, your machine will start to basically share your network NTLM hash with that attacker.
Stan Black:
That goes back to human error configuration.
Joseph Carson:
And what ends up happening is if that is a human created password and a human chosen password, it literally becomes, again, only a matter of time before the attacker is able to go and brute force that. So these are kind of these common steps and that's why file sharing is a major challenge and concern there, especially for employees who do travel or work remotely or commonly go to public wifi access points.
Tony Goulding:
I mean, for a user, it can be hugely convenient. I mean, this morning I was reading the news before I jumped on this. And a major OS vendor, whose name should not be revealed, is saying it's announced a new drop tool to let users share files across their logged in devices and platforms. So that'll be fun. Right? Let's see how well that works.
Joseph Carson:
And looking at industries as well, I always kind of zoom in on the industries, and I think there's no surprise again. I think we're seeing the same industries pop up. Definitely public administration was again high up there in the number of incidents and breaches. We saw professional industries as well up there. I think they were top of the list with a number of incidents and breaches. And we had manufacturing, information organizations and, again, finance.
Tony Goulding:
Well, credentials and personal data were the main types of data. And there's a lot of that in healthcare systems.
Joseph Carson:
Healthcare and education were much lower than I was expecting this time around. I thought they would be industries that would continue to be targeted, but this year they were not as really high up in the list over previous years. Education, it definitely was much lower, and healthcare. Maybe people were a bit more, let's say, ethical and decided not to target the healthcare industry because it was overwhelmed in the past couple of years. Maybe that's an aspect of it, but they were areas that I did note that didn't have as many incidents as I would have expected.
Stan Black:
I think both of those industries, and honestly all industries, are consuming far more cloud services. So I think some of that number moving a bit might be how they're getting their technology or their services delivered to them. Because I don't know a single CIO or a CISO who wants to buy a piece of hardware; everybody just wants to buy a recurring license in the cloud.
Joseph Carson:
Yeah, absolutely.
Tony Goulding:
Yeah. No. The-
Joseph Carson:
Yeah. One of my observations in the last year's report, it was the first time, so in 2021 when Verizon did the breach report, it was the first time where actually cloud incidents had overtaken on premise, which was a massive change. That was a massive change in the targeting mechanism. And that was something that was very interesting, that I find is that cloud is now becoming somewhat the top target in regards to your infrastructure. A lot of it also was driven by digital and data transformations by organizations who were shifting to the cloud because of cost perspectives and also to enable remote working. So we did see, of course, organizations unfortunately not take advantage of cloud native security. And what they try to do is retrofit their on premise security and plug it into the cloud-
Tony Goulding:
Yeah, that retrofitting is-
Joseph Carson:
... it's a lot of misconfiguration, because the cloud incidents, a large portion were caused by misconfigurations where security was enabled, but it had the default settings. Meaning that a lot of those S3 buckets, for example, were publicly available.
Tony Goulding:
I spoke to a lot of prospects and customers and lots of themes, obviously, DevOps was a big one. It's like, "Well, how do we secure our source code? Make sure we're not embedding credentials in there." But along the data transformation, cloud transformation theme, I heard from a lot of companies where they do a typical thing, they'll stand up a new project in the cloud and they'll prototype something. And during that time the developers and the ops teams are logging into those instances using local accounts, which is not a good idea. It's increasing your attack surface, et cetera, et cetera, et cetera. But when it comes to production and switching those things over into production, they're like, "Okay, that's not a good idea. Let's get rid of the local accounts, but how do we authenticate our administrators to those using their AD credentials that are on premises?"
Tony Goulding:
So that whole new cloud, hybrid cloud, dynamic has them scratching their heads because their legacy protections, their legacy security and PAM solutions, don't stretch to the cloud and enable that to happen. And there are ways of doing it, of course, but they're costly, and they introduce opening up firewall ports and standing up AD in the cloud and sort of different trust models.
Stan Black:
When you look at it, if you're a malicious actor and you're going after as many targets as possible and you went after individual enterprises, that level of effort is much higher than harvesting a 24-hour a day, public facing cloud resource, which was designed and built often by companies that are transitioning to the cloud with the same skills and team members that they've had for X number of years. And I think that many folks, actually, one of the best cloud architects I know is 72 years old, but he always kept up to date. And it's hard when your head's down solving day to day IT operations and security events, et cetera, et cetera, to keep your skills where you need and to keep up with the cloud services. Joe, you're spot on. Many of the tools to mitigate these risks are built in. You got to turn them on.
Joseph Carson:
You got to know they exist, which is the challenge. One of the things when I talked about as well, when I did the previous panel that I was hosting at a conference, we were talking about that the amount of time that organizations spent on enabling training for their employees is way under what it should be. Because if you want the employee to be able to take advantage of these new, let's say solutions and architectures and deployment models and delivery models, they need to be trained well to understand how to enable the security correctly.
Stan Black:
Agree.
Joseph Carson:
Because in our industry, in two years somebody's skill set can already be way behind. If you don't train them and you don't make sure that their training is allocated sufficiently to make sure you're able to take advantage of the latest security solutions and architectures and capabilities, then you're going to be getting into where that person may only know the stuff that was four years ago, and may not enable the right features. And therefore, at the same time, end up having a misconfiguration that results in a data breach.
Stan Black:
Well, and as a consumer of security technology, what I would say to that is you're absolutely right, it's often the line item that's most regularly cut because it's expensive to train people. My view on that is I push that to our vendors. "Hey guys, we really like your product. We consider you to be part of our long-term strategy. Help me utilize your technology in ways that we haven't even thought of." And building that into the relationship and the engagement of a partner, a true partner as a vendor.
Joseph Carson:
Spot on because that's exactly it. If you can get that, we're willing to give up people's time if you make the education of your product free and make it available. Make it something that person can really become the best at that area. And I think that's sometimes kind of a gap. Some people look at it as a line item, but it's actually it's a partnership. If you get the people that's actually going to be knowledgeable about the product, they're going to be wanting to use it. And that's also kind of an enabler as well.
Joseph Carson:
One of the things that I want to mention as well, that Tony also brought up as well and Stan, you also mentioned on, it does mean these are organized crime, as we mentioned, and they're investing. They're taking time and investment. They're investing in this because it takes money to make money, which is one of the major statements of the value chains here. Where actually, organized crime are actually investing in development of their attack tools, either looking at very specifically who to target and take advantage of. To your point about it's better to target somebody who will give you access to many versus doing them individually. So there's those organized criminals who even just specialize in targeting and access brokers.
Joseph Carson:
Then it's also the distribution where you've got into that affiliate program where those who are creating the decryptors may not want to put themselves. Maybe they're afraid that they're in countries where it's considered a crime and they will actually sell it off to those who will actually use it and abuse it in countries where it may not be considered a crime, where it's more of a business model. And then they have into the ability of how they can make sure they convert that into cash, which of course is cashing out and using things like multiple cryptocurrencies, buying things through loyalty cards, distribution models, trying to really convert that from-
Tony Goulding:
Loyalty cards.
Joseph Carson:
Yeah, loyalty cards are still a big one, is how they cash out and pay through because that becomes almost untraceable. Once you get it out. Once you don't know who's got the voucher number, and it can be significant as well. So this is really where there is a supply chain, there is a good mechanism and that's why we're seeing organized crime and ransomware really take off in this report and I think it's significant.
Stan Black:
Do agree.
Tony Goulding:
Yeah. I heard they're also, in terms of monetization, they're starting to use stablecoin instead of cryptocoin because stablecoin, being tied to fiat currencies, is not as volatile, so they get their money's worth.
Joseph Carson:
Absolutely. And I did love-
Tony Goulding:
Good investment strategy.
Joseph Carson:
I'm going to kind of want to bring it to summary here and get your main summaries. We do have a lot of awesome people listening to the podcast, and I do want to kind of raise awareness and thank you to the Verizon data breach investigations team who really put this together. This was 86 partners who worked together to really analyze hundreds of thousands of incidents to really narrow it down to the ones that really make a good understanding. So there's Gabriel Bassett, David Hylender, Philippe Langlois, Alex Pinto, and Suzanne Widup. And also I did see a special thanks noted in there to Dave Kennedy, who we've had on the podcast before. So definitely if you're interested in learning, go back and listen to the episode where we had Dave Kennedy from TrustedSec on the podcast, where we covered a lot about pen testing.
Joseph Carson:
And I really did like a lot of the Easter eggs in there about the DeLorean and the John McClane comment as well, which is always funny. So I do really like a lot of the funny commentary that they put in the report. Because again, what that really does is it makes it fun. It is a very serious report, but I really like their ability to also put in the interesting fun comments and to really bring it back to enjoyable.
Joseph Carson:
So Stan, I'd like to get any main key things that for anyone listening that you would recommend that they take away from the report.
Stan Black:
I think the one thing regardless of the size of the institution or company is be diligent on your access, patch, patch, and patch again. And don't assume that technologies that have been in place for years, that you have considered to be the MFA, whatever it may be, technology is designed and built by humans. Over time, high performance computing, things like Moore's law, have been broken by technology. We need to recognize the fact that it's built and designed by humans. So don't assume you are safe without having a clear understanding of what the associated threats might be.
Joseph Carson:
Absolutely. And Tony?
Stan Black:
And just the humor in this report made me smile.
Joseph Carson:
It's pretty-
Tony Goulding:
Yeah, that humor is great. It really is.
Joseph Carson:
I know. I always love the humor.
Tony Goulding:
I like that tongue in cheek.
Stan Black:
There was a lot of humor in there for a fairly dry topic.
Joseph Carson:
Exactly.
Tony Goulding:
It takes the edge off. It takes the edge off. It's very good. I like it.
Tony Goulding:
Yeah, we've been around the block on this a few times, but again, it's people. People are still fallible, right? And so that's what causes data breaches. So invest. Invest in education, invest in awareness. That plus, again, it's blocking and tackling, the basic hygiene, security hygiene like password rotations and patching and stuff of that nature is just so very, very important.
Tony Goulding:
But again, the thing that piqued my interest is secure remote access for vendors and third parties. That's a massive ingress point. I think that's underserved by a lot of organizations, especially with work from home and moving to the cloud and everybody's remote, it's that remote access vector that I think is just underserved personally. So that needs attention.
Joseph Carson:
Absolutely agree. I think for me, really kind of go take a look at those top 13 kind of recommendations in the SMB section because ultimately they apply to everybody. And if you get those done really well, at least those basics, you do make yourself a much more difficult target. And it means for attackers, they tend to move on to the easier target. So sometimes just being a little bit of a step ahead, a little bit diligent on your security controls, will definitely make the biggest difference.
Joseph Carson:
And again, for those listening in, definitely go take a look at the report. There is a good... Verizon will always do a webinar on it as well. So watch out for the webinar because they always talk about the data analytical side of things and the presentations and the forms and how they present the report. So definitely look at that. It will help you.
Joseph Carson:
Make sure you read the section about how to actually understand the data as well, because it's definitely important to make sure as you're reading through, understanding what you're seeing as well, because the representation's also important here in the report.
Joseph Carson:
So again, many thanks, Stan, Tony. It's been awesome having you on the episode. For the audience out there, again, tune in every two weeks for 401 Access Denied, and make sure that you go back and listen to some of the other awesome podcasts as well. Stay safe, take care and I will see you. I've got some exciting news for you in the coming weeks. So tune in and I'll talk to you soon. Thank you everyone. Take care. And goodbye.
Episode 56