Lessons from 2018 Forensic Investigations
This webinar covers:
- Current data security and breach trends
- 2018 forensic investigation findings
- Tips to avoid a data breach in 2019
This webinar was hosted on January 31st, 2019.
0:00 Alright everyone, welcome to our webinar this morning. We're going to go ahead and get started now. My name is Andrew and I work in marketing here at SecurityMetrics. We're grateful to have all of you joining us this morning. Our presenter today is David Ellis and he's the Vice President of Investigations here at SecurityMetrics. He has a lot of experience in Forensics. He also holds the credentials, as you can see on your screen, GCIH, CISSP, QSA and PFI. So we'll be looking forward to hearing from Dave and also with us today, we have John Bartholomew who is our SVP of Technology here at SecurityMetrics. He's known as JB around the office and we're excited to hear from him as well. We'll hear a little bit more from him as the presentation goes on and he will also be joining us for our Q&A session at the end of the webinar. To start, just a quick disclaimer.
1:00 When we get to statistics, that will be from the totality of the investigations from last year. Anecdotes usually will come from last year, they might reach back the year before that if it's applicable. So, with Forensics and predictions, I want to start off where we left off last year to see how we did on those predictions. To set the stage for that, I want to begin with a quote from Morey Haber, he's the CTO of BeyondTrust. He said, “There are three jobs in this world where you can be completely wrong all of the time and still not have to worry about being fired. One is being a parent. Another is a weather person. And the last one is a technology trends forecaster.” So, with that in mind, the first prediction that we made last year is that e-commerce breaches were going to continue to increase, as would attacks against Healthcare. The reason for that prognostication was that the United States was just getting into the EMV technology and the assumption was that as it became more difficult for attackers to grab credit cards from point-of-sale merchants they would shift their attention to e-commerce and that did bear out. 80% of the PCI related or credit card related investigations that we performed last year were e-commerce. That's almost a complete inversion of the statistics from about four years ago, where about 80% of our in PCI investigations were point of sale.
2:50 Number two; the smaller merchant breaches will come under greater scrutiny. Now this prediction stemmed from a change the industry made several years ago. Five or six years ago the card brands softened their mandates so as to not overly financially burden a small merchant with the high costs of a Forensic Investigation. Prior to that, though, virtually every merchant that was suspected of being a victim of a data breach was mandated to have a Forensic Investigation. So if you owned a mom and pop shop and you had one terminal and you got breached, there was an investigation but that's not really the case anymore. They, the card brands, have fairly high thresholds before a mandated investigation will be required.
3:48 And what happened in the shadow of that was, smaller merchants fell off the radar for a little while. It wasn't that they weren't getting breached, it was just that not a lot of attention was being paid to them. Their banks were put in charge of overseeing and getting the problems rectified but we moved into an arena where that wasn't happening. The merchants weren't self-remediating well enough. And now, while I can't get into specifics, some of the card brands are beginning to require small merchants to prove that they are investigating and remediating these suspected breaches. The third one; okay, the truth is that our stats didn't prove out this one to have increased yet; that is the coordinated attacks that begin with your cell phone.
4:49 Attacks against individuals are going to increase, I believe, because the cell phones tend to lead to so many other potentially juicy things for the attackers. Number four; passwords may not be the security that you're looking for. When I when I gave number four and number five last year, I did say that these might not come to pass during 2018, but they are coming. And the truth is I'm going to shift these down into the latter part of this year's predictions as well.
5:27 The groundwork is being laid for the AI. Point number five; Intelligence. Where I see this one going is, computers basically launching the attack or being designed to attack a system and then being designed to change its attack as the environment changes. On the security side of that I envision that we will employ computers to defend against computer attacks that are AI based. So I don't think we're quite where Hollywood is going to jump in and say, “Yeah, the computers are controlling everything.” But as far as computer security, I do see AI playing a role in the future. I kind of skipped past passwords. We're going to talk through those a little bit more later in the presentation, but password cracking technology has escalated immensely. Let's just leave that there and we’ll cover it a little bit later. I reviewed this last year, but I was asked by some of those attending today to include it again.
6:45 So we'll go through this quickly, but I did add a piece to how hackers hack and how they pick their targets. In short, they begin by scanning the internet for open remote access ports; they brute force credentials using an online password list. They will start with something. Let me get back to the ‘scanning the internet’. So imagine you come home from work and your side job is as a hacker. So you go to your computer and you tell it to run port scan across, let's say 500,000 IP addresses and then you go to bed you wake up in the morning, you're having your coffee you pull out the paper and then you're glancing at the results of your port scan but you're specifically looking for a couple of open ports something like 5631, 5632, because if those ports are open, the attacker knows that LogMeIn is being used in that environment.
7:47 And so, he then goes, “Okay. Well, let's say I want to log into this and my credentials are going to be administrator and then I'm going to try to hack the password.” If administrator or admin is a username that would allow them to get into this LogMeIn he's halfway there. All he has to do at this point is to discover the password, which is becoming increasingly easier for them. Then they're going to test the remote access credentials. If they're successful, they gain access into the system and it's not until this point that they actually know where they are. It's been extremely anonymous, but they get in and they determine this is a merchant. This is a healthcare organization. This is in a corporate environment. There might be something in here that I want. So they're going to sit and monitor your activity. They might install a keylogger, memory scraper, or something along those lines but they're going to sit and monitor. They may download other malware onto the system with the eventual goal to capture confidential information, healthcare records, credit cards, corporate secrets, anything that they can turn around and sell. Now the next part is, how are they going to use this and how are they going to capitalize. They use stolen credit cards to buy prepaid credit cards, gift cards, make online purchases or they go on to the dark web and and they sell them in bulk. The bad guys go in and buy a block of credit cards and they go online and they start purchasing things. A little while ago my Visa card apparently made a trip to Australia without me and purchased a set of golf clubs in Sydney.
9:46 So that's where that happens. Here's a clip that we took from an ad in the Onion Router (TOR), and getting into the dark web. And if you go through that you'll see that credit cards will sell anywhere from $20 to $200 on this particular site. On other sites I've seen credit cards can go for virtually 50 cents to a dollar. You can see from that previous slide where credit cards sell. So it’s easy to see how they capitalize on credit cards that they capture. For healthcare organizations, the revenue is a little bit different but it's interesting. It's an escalating thing. A medical insurance ID card will go for a dollar or two. Medical profiles will sell for $5.00 and up.
10:44 The value to a hacker for healthcare documents is that the data from the ID cards and medical data can help them obtain other documents. It can help them apply for and get a driver's license or other government IDs. Those types of things can usually be sold for $170 to $250.
11:07 Adding on to this, a completely farmed identity containing a full set of PII (personally identifiable information) and healthcare data, often created from the details of a deceased individual, that will likely sell for a thousand dollars or more.
The last point that I'm going to get to is ransomware. The thing to remember here is that this is an attack on the system where they are not, at least they're telling you that they're not, capturing your data. They're just freezing your data and making it unavailable to you. They usually demand a ransom and encrypt some form of cryptocurrency. And then they promise to provide you with the decryption key once you transfer the Bitcoin over to them.
12:01 Experiences where they follow through with giving you the decryption key are between two thirds and three quarters of the time. One problem we sometimes see is that the provided key doesn't always work perfectly. It only decrypts some of the files that it's corrupted. Additional work has to be done. One last way that they make money through ransomware is, on the dark web there's a service called ‘ransomware as a service’ and it provides easy to follow instructions for an attacker on how they can then launch their own attack. It's like the novice hacker being able to stand on the shoulders of someone more talented and benefit from the technology work that they have done.
12:59 So, what's new in hacking trends? We saw something last year that was a little bit different, and this is especially true in the HIPAA space, service provider and payment processor investigations. Attackers, now more than ever are targeting specific entities that they are going to attack because of the desired payload. So, before when I was describing the steps to you, it was very anonymous. Now we’re finding that they are willing to do their homework and go after a specific organization because they know the added work will be worth it because the payday will be larger. Now, this has always been the case for hacktivist attacks, where they attack a particular corporation because they want to make a political statement.
14:01 But now we're seeing that they can't resist the bigger paydays. They're willing to do all of the extra work. They'll do social engineering attacks. They'll study everything they can about a business, medical facilities, etc. so that they can craft a legitimate looking email to try to capture user credentials. This process might take months, but they're not up against a deadline so they'll work however long it takes. In other words, in these cases, it's just not random anymore. So what did we see in 2018? What were some of the trends? The first, I alluded to earlier. What changes have EMV made in with its advent? A quick explanation of EMV.
14:56 This is a technology which replaces the use of the magstripe strip on the back of the card. The magstripe contains data. It contains the card number, the cardholder’s name, the expiration date and CVV information and it's unchanging. What is coded onto that magstripe stays on that on that magstripe so that when an attacker was able to steal the card data, they would get everything that they needed to replicate another card. Then they could sell that card a hundred times and make plenty of money on it. The little computer chip that you see on the credit cards replaces the communication with the magstripe data by interacting with the point of sale terminal and creating a one-time transaction code that if an attacker were to capture, would be useless to him. Because, again, it's a one-time code. If you were to try to replicate that and use a card in some other location using that same transaction code or a made-up code you would just get a denial.
16:17 The EMV was making it more difficult for hackers to capture usable credit card data. So the attackers were going to have to become better at attacking elsewhere such as in the e-commerce side, and they did just that. There were some attacks where attackers would divert the data. Those would get flagged pretty quickly because when the system stops working, the owners of the system want to know why. But in this case attackers discovered that if they could just copy the data, they found that such an attack would be more difficult to spot. And the reason why it's hard to spot is that typically e-commerce sites will utilize a tool called file integrity monitoring to alert them if any critical files have been changed. So file integrity monitoring does just that. It's looks at a critical file and says, “Hey, this has changed. Somebody needs to tell me whether or not this was supposed to change.”
17:32 The problem is that in the case of a shopping cart or a database for that matter you have a highly dynamic environment, an environment that is naturally changing a lot. So file integrity monitoring doesn't work there, inherently. So we looked at all the e-commerce investigations we performed last year and about 80% of them have modified payment pages. If you had a tool that could monitor slight alterations to a payment page, that would be a pretty useful tool.
18:21 Hopefully a little later this year we'll have more to say about that.
18:28 Ransomware was the big thing in 2017. How is it evolving? There was about a 30% decrease in total ransomware attacks in 2018. In 2017 ransomware was the most prevalent attack, certainly in the healthcare environment. About 60% of the healthcare attacks in 2017 involved ransomware. That fell off a little bit last year. But what we saw with ransomware is that it became much more sophisticated. It did fall to the sixth most popular attack method.
19:20 It was replaced by crypto miners, (which have also fallen in popularity in the last five months), banking Trojans, adware, spyware and other types of backdoors. The successful attack showed an increased scrutiny in targeting their victims. Like the last point that I was bringing up earlier about hackers being willing to do more homework. The victims of choice are healthcare organizations followed by businesses and the public sector, city, state and federal government.
20:08 Attackers recognize that these kinds of entities can't afford to be down or inoperable for very long and they have the ability to pay. There were businesses like Allscripts, LabCorp and Boeing, (the Boeing aircraft plant in South Carolina), that were all successfully targeted last year as well as the cities of Atlanta and Baltimore just to name a few. The ransomware that it infected them with was sophisticated.
20:37 It was usually polymorphic. Which means that it changes slightly each time that it's loaded so that it's very good at evading antivirus products. According to Sophos, 75 percent of organizations infected with ransomware were running up to date endpoint protection. Case in point on that is the Colorado Department of Transportation. It was infected with two variants of the SamSam ransomware just two weeks apart.
21:07 So they had one infection, they remediated it and then because it had morphed a little bit they were infected again. And why does ransomware hang on? Part of its decline was because more and more entities were just refusing to pay. That said, the SamSam ransomware alone netted over 6.5 million U.S. dollars last year. So while they are declining, with revenue like that it's not likely going to go away anytime soon.
21:45 One big change that we saw last year was an increase in service provider attacks. Successful attacks against service providers doubled for 2016 and they doubled again in 2018. Attacks against service providers are especially dangerous because the potential impact is on numerous unrelated businesses.
22:16 A couple of service provider investigations immediately come to mind. One was a credit card processor. It suffered a breach, it self discovered in a fairly short amount of time. But even in the quick time that it discovered and remediated the situation, about a hundred and fifty of the merchant clients were also breached as a result of it. Another case was an industry application vendor. They provided a web interface for a specialized type of business that allowed their online customers to place orders and things like that. They suffered a breach that resulted in the attackers installing malware on the systems of more than 450 separate businesses.
23:02 So attackers are now targeting specific businesses because they know the payday at the end can be exponentially better than if they're just breaching one business. Now I'd like to share one last example.
23:39 So this is a case that is not so much about the number of businesses that were breached, it’s more about the things that went right. The client was a point-of-sale hardware and software provider and one of the employees access credentials were stolen. The attacker then monitored their systems until he gained remote access that he needed to log into the service provider’s entire clientele base. After doing that they immediately installed malware capable of capturing credit card accounts. There were about 250 businesses in the service providers portfolio that were infected.
24:34 The good news is that about 95% of the merchants had already employed P2PE which is a point to point encryption and our tests validated that all of the merchants that had employed the P2PE did not suffer any data loss whatsoever. So only 5% that hadn't got on board yet. So it was a nice validation of the value and importance of P2PE. Some of the things that were the most common problems, frequently it is employees like the last example, it was an employee who had their credentials stolen.
25:25 I'm not going to go down that road too deeply right now. We're going to hit it a little bit later. Also, the insecure coding. We will talk about that in a minute as well as third parties. The BYOD that's bringing your own device. I think we're going to see companies starting to lock that process down a little bit because of the problems that it creates. Let's say you work in a highly secure environment. You take your laptop home, you log into your home network, which probably doesn't have the security protocols that the internet at work does. And I'm not saying you personally do this but this individual visits sites that you probably wouldn't be comfortable visiting in your work environment.
26:17 And as a result some malware lands on his or her laptop. He goes back to work, logs in at the corporate environment or hospital or wherever and the attacker now has access into this environment.
26:35 It's a frequently repeating scenario and it's going to require a lot to remediate. It's going to require a lot of training and I think we're going to see companies start to tighten down or create rules that may not allow you to take your work laptop home or something along that line. Lastly, insecure remote access remains on the horizon. We've talked about this before, the importance of ensuring that you have multiple factors of authentication in place for remote access. We'll talk about that in more detail as well.
So how did the breaches happen? What caused it? What were the most key vulnerabilities? We’ll go through this kind of quickly. No firewall or an improperly configured firewall.
27:41 Meaning that their rules were not quite sufficient. In one case we examined, I was going through the firewall rules and they had 18 to 20 pages of firewall rules and well down through it I found the rule that says ‘allow any to any’ and what that meant effectively was that everything they had written prior to that was now null and irrelevant because it just opened up the firewall. Little tiny things along those lines that that the coder just missed when he was putting it in place. Other points of failure, default passwords. When a company comes in and sets up the merchant environment or whatever environment.They usually have default passwords that are used and if they're not changed, the attackers can easily gain access to them. An attacker can walk into a restaurant see that they have NCR terminals.
28:46 Later he's trying to hack into them and he knows the default passwords for NCR or micros. He knows that the micros default password is M the number 1 C 0 and a dollar sign, if I remember right. They're all available online. So that's the most important part.
29:09 The other important part about passwords, they need to be lengthy and not be in a dictionary anywhere. Other key points of failure, the antivirus was inadequate. It either wasn't updated or it wasn't pushed out to all of their endpoints. They would have it on a server, but they wouldn't have it on terminals on user desks, things along those lines.
29:45 Users sharing login credentials is one of the biggest key points of failure. Not uniquely identifying the users. Because what you tell one person they tell somebody else and pretty soon it gets out. I've seen passwords written on stickers next to the devices that are in public view. I also mentioned earlier, authentication passwords that include admin or administrator, I highly recommend you change it. Having your administrators first name is going to be harder for an attacker than if you leave ‘administrator’ as a user profile.
30:32 And then there is the lack of multi-factor authentication. Again that continues to be one of those things. We're catching up a little bit but businesses have a ways to go. You know, there's a thing in IT security, a lot of times your focus is on compliance. In the credit card industry you have a PCI. You have the payment card industry data security standards that you need to be compliant with. Healthcare organizations have HIPAA and you have OCR overseeing that. You have government entities, there's FedRAMP. Businesses that do business with with governments have FedRAMP to comply with as well. So there can be times where compliance and security collide with each other a little bit. If your focus is too much on the one at the expense of the other one.
31:31 A case in point on that is, there's a merchant, I can't give too many details away on it because I don't want you identifying them, but a large merchant in the hospitality industry. In this particular instance about 900 of their locations were affected. What happened is they were required because of their size to have an annual audit on site by a QSA. So the QSA who has done their audit in previous years arrives on site and they say, “Hey we've employed point to point encryption. And so now the scope is only the card data environment right?” And the QSA says, “Well, yeah, but you don't want to only look at the card data environment at the expense of the surrounding environment if there are vulnerabilities there.”
32:31 This merchant was adamant that the QSA was only to evaluate the point-to-point encrypted card data, the immediate card data environment, and would not allow him to comment on the surrounding technology that was in place. Well, what happened is this merchant ended up getting hit with ransomware. No card data was ever lost. The P2PE was doing its job and encrypting and rendering the card data unusable, but the ransomware attack froze up the merchant. They didn't have backups that they could swiftly restore from. And that's the key to ransomware, if you have backups make sure that you test your backups.
33:23 Your backups should not be connected to your immediate environment because we've had cases where the merchant says. “Yeah, we have backups, but they're encrypted by the ransomware as well.” Off-site backups aren't bad. Being disconnected from the network is the most important part. It took this merchant three days to restore their systems and three days spread across nine hundred locations where they couldn't take any credit cards equated to millions and millions of dollars of lost revenue.
So I want to look at HIPAA attack trends this year. In evaluating the state of security within the healthcare industry, I came across the Healthcare IT News and pieced together a number of articles regarding healthcare data breaches last year. Here are just some of the headlines which give a hint about what happened. Three Phishing Hacks Breach 20,000 Patient Records. Data Breach Affecting 75,000 in the Federal ACA Portal. Two Phishing Attacks Breach 21,000 Patient Records. Misconfigured Database Breaches Medical Advisors. 3 Massachusetts Hospitals fined a Million Dollars by OCR. 5 Breaches Cost $3.5 Million for National Provider in HHS Settlement. And it goes on and on and on. Healthcare organizations tend to have a few attributes that make them attractive targets for attackers. They often have legacy systems that aren't regularly updated making them a little easier to attack.
35:20 Often that's that's not directly their fault. They may have embedded systems that due to the way that the manufacturer created them, they can't be easily patched. If the healthcare IT department were to do so, it might cause problems with the way the vendor can support them.
35:41 The critical nature of the services that are provided in the healthcare industry puts them in the sights of the attackers. Health data is an essential commodity and it makes it a valuable commodity in the criminal world and subsequently a target for theft. With respect to ransomware attacks, hackers believe that hospitals, medical practices and other healthcare organizations are going to feel that they're putting lives at risk if they can’t access patient records, so they're more likely to pay the ransom.
36:18 Those are just some of the things that I wanted to put out there so that the healthcare organization understands why they're coming under attack. And what the attackers can do with the information. We talked about the value to the attacker because of how they can sell or escalate the data that they acquire there.
36:41 Now that brings us to tips to avoid being breached. Employees are seldom very far away from attacks on the healthcare side. One of the increases that they saw last year is that in 42 percent of the cases, insider involvement was suspected in the loss of the healthcare data. More often though, the employee involvement is one of omission or lack of understanding. They fall for phishing, social engineering or things along those lines.
37:28 So hopefully you will be training your staff, if they see people in their in their company that they don't recognize, to challenge them and ask them for credentials. Another social engineering type would be the phone calls that come in after hours by a person identifying themselves as anything from the custodian, the telecommunications representative, an IT tech or a representative to an application provider, anything along those lines.
We’ve got a question here. I had lots of comments last year from franchise groups and it became obvious to me that if you are part of a franchise or a satellite of some group and you're running the same or similar system to dozens or hundreds or thousands of other locations and if they get into an organization and understand the management structure, the key software components and the method of operation, anytime they do that in one location it will be similar to all the others. Are we seeing that type of thing?
38:47 Yes, you bring up a really good point because of the consistency that's across the environment. It’s usually mandated from the corporate side and franchisee owners may not have any choice on the systems that they have installed. We had one case where a guy went into a restaurant, he probably had dinner and he observed the terminals that were being used there.
39:23 He went back and looked up a phone number for all of the other locations. Several of them were disparately owned, one franchisee owner might have on three or four.
39:39 In this case, he ends up calling 28 of them and he poses as a service provider for the point of sale terminal. He said, “I have to do some system maintenance. Could you get what your manager on the line.” And he directs the manager to go back and sit down and he talks the manager through opening up a VPN for him and then he covertly installs malware. The good news is that 20 of the 28 managers that he spoke with asked him for further credentials and didn't allow him in. The bad news is that 8 did. So yes, the consistency does give the attacker the ability to say, “I called this one and didn't work. I'm going to keep going.” And in this case, he got eight paydays out of it. I heard the same comment that social engineering attacks had increased. I was talking to a friend who has thousands of locations and they're saying, “We're hearing this all the time now.”
I’m going to try to go through the rest of the slides fairly quickly so we will have a few minutes for some Q&A. Some of the other problems that we saw consistently that could have been remediated or prevented. Applying patches in a more timely manner. There was a vulnerability in a payment application and the patch came out for it almost two years ago. We are still seeing businesses get breached as a result because they haven't applied the security patches or the subsequent updates. Vulnerability scans and penetration tests. It is great to hire somebody from the outside to try to hack into your systems and test them. I think these are unbelievably valuable. Logs. The importance of logs are that you have somebody looking at them. We had one investigation, it was a large customer, I think they had 800 plus stores and they had been breached for nine or ten months. Millions of credit cards were ultimately at risk.
41:58 The sad part of this was that as we dug into it, we saw that they had a file integrity monitoring and an IDS system in place that flagged the breach the day that it occurred but nobody was watching it. So if you if you have these tools, file Integrity monitoring and intrusion detection or intrusion prevention systems, have those alerts go to somebody and have it in their job description that they are required to look at those alerts every day.
42:32 If this particular merchant had looked at those alerts, they could have shut it down on day one and avoided millions of dollars of losses, in consumer confidence, in fines from the card brands and on and on. Passwords. Going back to passwords, they should be complex. They should be changed regularly. They should be a minimum 8 characters, I really prefer 12. I prefer that they mostly contain disparate special characters. They should be required to be changed every six months.
43:09 They shouldn't be anything that can be found in a dictionary of any language. This site right here, haveibeenpwned.com, you can type in a password and you don't have to type in any of your other information. You don't have to put in anything identifying your email or whatever. This is just going to do a text search to see if the password you typed in has been found in any of the recent data breaches that have exposed passwords. There are about a half billion passwords in that database. I did mine. I've got four or five passwords that I use regularly and two of them came up and three of them were okay.
43:53 I highly recommend that you check that and do everything I just mentioned here. Passwords should be changed, they should be complex. Would it be okay to talk about the technology increases in breaking passwords? Yes, I'll put this out real quickly, the technology in breaking passwords has exponentially increased over the last two years. The manner in which they're doing it is a little bit different. It's not a brute force of the password itself. It's a brute force of the password hash, which leads to the password. And so they must have already broken into the system somehow to get to the hashes. Right. But then they can get everything else. Yeah, and to tell you a little bit about where the technology is, there's a system set up in Sweden right now that's pretty advanced. Its liquid cooled, he probably spent a million dollars on it, but it can go through billions and billions of hash iterations per second.
45:02 And it can virtually discover every potential keyboard combination of potential passwords in a matter of several hours. We've built a similar system here at SecurityMetrics. Well, similar is a generous tagging, but I think we spent about seven or eight thousand on it and we can search over a billion hashes per second. So going back to the prediction that I mentioned earlier, passwords may lose their efficacy as a security measure, but for the time being, hackers aren't using liquid cooled, password cracking technology right now.
45:52 So, do your best to avoid the problems. Restrict access to a need-to-know basis. Your SVP might think he needs access to all your systems, he probably doesn't.
46:07 I have a question about passwords. About not saving them in a web browser. The same tool that allows for breaking the hashes or a similar tool is also putting you at risk. If they get into your system they can access all of your subsequent passwords saved in a browser. Yes, absolutely. If it's saved in a browser it's saved with a hash and it's just going to look at the hash and break it so, you know, if you get 10 passwords in there, it'll get all of them. So once they get into your system one way, if you have every other password and user ID saved, they're going to own that. In fact, it's actually pretty fast.
So let’s get to the last couple of these. Network segmentation. If you think back to the TJ Maxx hack a few years ago, their entire corporate across the entire United States was protected by a single firewall. Essentially it was one perimeter.
47:06 So have multiple firewalls to create a safe zone for your most critical information. If you store sensitive data, and most everybody has to, encrypt it, tokenize it, hide it. Don't make it so easy for the attacker. If he gets into your system at least then he has to worry about if he can decrypt your critical information. Do the same with your backups. As I alluded to earlier, test your backups so that you can restore your system if need be. If everything hits the fan and you have to nuke your system and rebuild it, if you haven't tested your ability to do that, you may find that it's a lot more difficult than the service provider described it when he sold you the back-up technology.
48:02 Lastly is the incident response plan. Have a plan in place to know how you're going to react in the event of a suspected breach and then test the plan. The importance of testing a plan is so that you can test your response to it when none of your critical assets are actually at risk. And then train everybody on it. Do desktop training. There are companies that can help facilitate that. They can come in and put on some training so that you can actually see, “What would I do?”
48:35 I know you are trying to hurry through but will you mention multi factor authentication particularly for remote access? Yeah, so multi-factor authentication includes not just having to enter two different passwords into different usernames. It's two different ways of saying yes, you are who you say you are. So the first factor would likely be a username and password. The second factor has got to be something else, something you are or something you do. So it could be a biometric fingerprint. funny. I mentioned that in my predictions and or it could be a device like an RSA key, so you have to answer something that is sent to your phone.
49:34 Something along that line where it's something completely separate from the username and password that might have already been hacked. Do you recall a single case where anybody was brute forced who we're using multi-factor authentication? Do you know of anyone who actually broke past that? Yes, the cases are limited and it's usually because the other factor was also discoverable on their computer system. There was also a case and it was in the healthcare environment where a dentist's wife’s cell phone was hacked and the hacker eventually was able to get the dentist’s cell phone and then was able to eventually migrate from his cell phone to his laptop and from his laptop to his work environment and then he had all the keys. He had made all the factors.
50:29 Those are those are a little more rare but it if they can get your cell phone that's a problem. So going into the predictions for next year. I want to start with the first one. Large scale social media hack leading to massive personal data losses. I was checking out a site that reported being able to grant users unlimited lives and coins. My son was playing this game. It wasn't Candy Crush but it was kind of along those lines. It was a real popular tablet game and one of the other users said, “Hey, if you go to this site, you can get unlimited coins and unlimited lives to use in this game.” So he tells me about it. So I go to the site and look at it. And what they ask for is your email address associated with the game that you're using and the type of device you're on whether it's an iOS or Android device.
51:35 And it says, to get the unlimited coins and unlimited lives, you just need to download two of the apps that we are offering here. They they offered five apps and they said they do this for two reasons, one to prove that you're not a robot and two so that we can keep this service of offering unlimited coins and lives for free. So I downloaded two of these apps into a sandbox environment and I looked at them and they're both VPNs. They are installing a VPN on to the system. So all of the kids and maybe some grown-ups out there are giving this hacker site absolute access to their device and then those devices go home. They get on your home network. You know, you Venmo somebody with them. With that said, I really think that one of these social media hacks is going to lead to massive personal losses.
Biometrics are much more common. There's a lot of computers that you're logging into that are going to be your thumb print. With iPhones and face recognition, all of that data has to be stored somewhere and that data if it's stored somewhere can be then stored elsewhere by an attacker. I think we're going to start to see the first inroads into hacks of biometric data.
53:13 Third I think that a cloud provider is eventually going to be seriously breached. We haven't seen that yet and everybody's moving the data to the cloud for the added security. I think it's only a matter of time until that happens. Fourth, I think there's going to be a lot more recruiting of legitimate employees and US companies to foreign nation states so that those employees can provide corporate Secrets. They're coming under a lot of scrutiny from the government for hacking into our companies and so I think that's going to be a work-around for them.
53:49 My last one. Okay. I kind of cheated and put two in here, but it's just repeating the the two that I had last year on passwords not being as secure as they used to be and AI making inroads into both hacking and security.
Question and Answer
54:07 There we go. Sorry, I’d hoped to get done a little bit sooner but if we have a minute or two for a couple of questions, let's go ahead and take them. There was a question regarding breach identification timeframes. Have they grown or shrunk? It hasn't actually changed much in probably the last two to three years. In that period of time and it shrunk a little bit. Before that we would see cases frequently where the hacker had been inside the systems for a year or 15 months by the time we got there. We had cases this year where it was very swift and that was a result of card brands or the entity themselves monitoring their systems much better. Card brands have become much more sensitive at being able to identify at-risk businesses based on fraud being reported to them.
55:06 But at the same time we still investigated a case that had been breached for 14 months before it was identified. So yes, I think they're getting a little bit better but a lot of them aren't. So, next question. You talked about the increase of e-commerce and card-not-present versus card-present. You seem to have mentioned that the little guys are still getting hit. So are the small merchants out of the woods? No, not the small e-commerce side or the small point of sale merchant. What happened is they're just getting less attention because the card brands have had to focus on the larger businesses. But the small merchants are still getting pounded. They are still kind of the low-hanging fruit. In a lot of cases the attacker doesn't have to do as much work for it. So he knows he's not going to get as big of a payday.
56:07 But a couple of thousand small merchants is going to equal his payday for a couple of biggies. Next question. You made comments about nation-states verses organized crime versus hacktivists. Do we have a sense of where the players are and if they're growing shrinking? Yeah nation-states, the biggest offenders, probably no surprise to anybody, are North Korea and China. The hacktivists are an annoyance but they're not as big of a dollar threat on a large scale. They may pose individual issues to individual businesses, but that's not where the focus is. Organized crime is behind a lot of it.
57:05 A lot. In fact if you look at the organized crime organizations that used to run drugs and guns and that kind of thing, the drugs have actually fallen to a much lower echelon in their organizations to be replaced by internet-based crimes. Organized crime worldwide is making far more money on internet based crimes than they are in narcotics. That paints a little bit of a picture. So that's not going away. Organized crime is with the internet to stay.
You're not on the police side or the enforcement side so much anymore, but you have friends there? Oh, yeah I stay involved them. I'm in touch with the FBI. Are they getting better? Are we catching more bad guys? Yeah, we are and there are more prosecutions and the sentences have improved. Ten years ago if somebody got convicted of a computer crime, it was considered a white collar crime and they might do 12 months in ‘Club Fed’. Now, you're seeing 15 and 20 year sentences coming down for some of these hackers.
58:19 So, here are some comments from the cloud. Why do you think we haven't seen a big one yet? What do you think they're doing? I hear, “I'm in the cloud, I'm safe,” Is that true? Well, the safety that comes from the cloud is that your information is spread across multiple servers. So they can't just hack one server and get all of your information. That's where the cloud gains its security posture. But at the same time somebody coming into that environment may be able to, they haven't yet but I think it's coming, where they’ll be able to clone the entire environment. I'm just postulating on that. But that was why I threw that one in as one of my predictions. Especially in the cases of some of the smaller cloud providers. It may not be AWS, but I think you're going to see it.
A couple of questions to finish. Do we do speaking engagements? The answer is yes. Both Dave and I and others tend to get around to those. We do our latest version of the Livehack demo. It is still a crowd-pleaser and we've added hash cracking to the latest version. Yeah, that's kind of fun watching us go through a billion non-textual passwords in a few seconds.
Last question, What are some signs that you've been hacked? That's a good question. Yeah, it's harder and harder these days isn't it? There are four or five ways that you can see that your hacked. In one case, a waitress walks into the restaurant, she goes to the computer to enter an order, she sees the cursor moving on the computer and she sees a terminal services window pop up. So that that was her clue. In other cases, hopefully, it's your IT security team identifying it because they're looking at logs that concerned them. It can be an outside administrator such as a card brand who says, “Hey, we're getting indications that customers have used credit cards at your location and then their cards were subsequently compromised.” So it can come from the outside.
Probably the worst way to learn that you've been hacked is from, we call it ‘Krebs is my IDS’. To read in an article from Krebs that has identified you in a breach or you turn on the news and you see that your business is listed on CNN. The very best possible way is self-identification and finding it soon. Going to the point of the question, if your systems suddenly aren't doing exactly what you expected them to do, or if they slow down for an unknown reason, that might be an indication of it.
1:01:44 I'm trying to think of others. Those were those are all the standards. Yeah, systems not responding. You got more software running on your system than you knew about. Something along those lines, but have an IDS, an intrusion detection system, have your file Integrity monitoring working. Outside of that, if you're in the e-commerce world, wait, just a few more months until we get a patent.
Thanks again David and JB for joining us today. We've had a lot of great questions come in that we won't be able to get to on this live webinar. But feel free to keep chatting those in if you have any final questions. We do take down every question and we will respond to you personally over the next week or so to make sure you get your question answered. Again, we are recording this session, so we will be sending out this slide deck along with a recording of the audio and the presentation today. We will send that to the email address you used to register for the webinar. Thanks again everyone for joining us today, and we hope to see you again at another webinar very soon. Thanks. Bye.