Watch to learn about breaches from the past year and important lessons learned from them, giving a 2021 security year review.
Listen to VP of Security Assessments Gary Glover (CISSP, CISA, QSA, PA-QSA), VP of Forensic Investigations Dave Ellis (GCIH, QSA, PFI, CISSP), and Director of SIEM Operations Matthew Heffelfinger (GSTRT, CyRP, GRCP, SSAP, ITIL4-F, GISF) discuss breaches from the past year and important lessons learned from them.
This presentation was part of our recent virtual conference SecurityMetrics Summit, where 18 experts discuss the latest news and best practices for cybersecurity, PCI compliance, and other compliance mandates in 8 presentations.
Welcome to the SecurityMetrics Summit. This is a year in review.
Here at SecurityMetrics, we hail from the Silicon Slopes of Utah.
We help large businesses, small businesses with affordable, high quality, simple to use data security compliance and network security tools.
And with me today in this roundtable of subject matter experts, we're going to learn a lot.
Let's start with a sensational Gary Glover and see if we could, learn a little bit about Gary, and then we can talk about some of the elements that are of concern.
There you go. Hi. Hey. I'm Gary Glover. Been working here at SecurityMetrics for about sixteen years.
Before that, software development, and before that, rocket scientist at McDonnell Douglas. So Alright. So happy to be here and and, talk about the year.
Thanks, Lee.
So when you say he's no rocket scientist, that doesn't apply to Gary? Yeah.
You can't use it. Can't use it.
And it's not that hard.
Hi. I'm Dave Ellis. I've been with SecurityMetrics for about, gosh, what? Fifteen, sixteen years.
Prior to that, I was with the Oakland Police Department for twenty years, and so I've been in investigations for north of thirty at this point.
I head up the forensics team here at SecurityMetrics. We investigate, all things hackers.
Yeah. And I'm Hef. I'm with the SecurityMetrics Threat Intelligence Center. I'm the director of the Threat Intelligence Center. I've been doing this for about eighteen years, and I've been with SecurityMetrics about a year or so. And we're the team that goes out there, and we're like the Smokey the Bears, notifying our clients. Well, Dave is more like the firefighters.
So best way to describe it.
We're glad to have you, Adam.
Thank you.
Glad you joined us. Oh, well, let's start with some fun stuff with forensics, Dave. So what kind of predictions do you have for us, and and what can you tell us about this past year in review?
Okay. Well, earlier this year, we put out a number of predictions of things that we thought we were going to be seeing.
The first one was about payment iframes. And the important thing there is a lot of people consider payment iframes as sort of a panacea.
You know, when they were first employed in the CDE for card processing, everyone said, hey.
This is awesome.
We don't have to do anything else for security.
And we predicted that we were gonna see some problems, and and as it turns out, we really have.
Where the the understanding with payment iframes is important is is to remember that it it's simply an HTML element on a page.
And no matter how well you secure the data inside of that iframe, if you don't secure the access around it, it still gives the the attackers an opportunity.
And what we've seen is, a number of cases now, an increasing number, where the attackers had some access to the the environment where the iframe was was housed, if you will.
And in particular, they were able to change the origin.
And so what happened is from outward appearances, it looked like the iframe was still operating, still doing its, you know, its thing.
But if you went in and you saw that it was the iframe was no longer being hosted on the processor side, it was actually being hosted on the home site.
And it gave the attackers the ability to capture the card data before it hits the iframe.
So we predicted that back in January, February that we were gonna see that. So we we have seen that, increase. And until we can, you know, get the message out of the importance of not ignoring the security, you know, outside of the iframe, it's gonna continue to be a problem.
Mhmm.
And so with changes in technology to make our lives easier, the problems creep in as well. Mhmm. Tell us a little bit about virtual meetings and how twenty twenty and twenty twenty one have, brought us into a new realm.
You know, that that was almost a a cheat. That that was kind of an easy prediction, because with with COVID and and all of the companies, companies, churches, everything you can imagine going to virtual meetings, it, it it really wasn't a stretch of the imagination to say we're gonna start seeing virtual meetings, get compromised.
And and we have seen that. We haven't seen a lot of that impacting credit card processing or anything along that line.
But we have seen it in everything. I I mentioned church. You know? You you imagine that you're you're a minister and you and you're, you know, talking to your congregation virtually, and suddenly a pornographic site comes up, you know, over your audio.
Things along those lines. The potential for a problem still exists with businesses holding virtual meetings. And one of the big security elements is actually really easy, and that's just to pay attention to who is on your call. You know, if you see a lot of foreign phone numbers that you don't recognize, you might want to go ahead and vet those to see who's listening in.
Yeah. Gary, and Dave, those Zoom bombing attacks have just proliferated. And the vendors that make these tools like Zoom and what is it? Microsoft Teams, they've done a really good job of trying to minimize some of that damage from people randomly joining random phone calls and ruining your meeting. But, yeah, the Zoom bombing has just been nuts.
Yeah. And, you know, while they can be kind of morbidly entertaining, it it does pose a a security risk as well. So it's something not to be ignored.
Yeah. Listening in on sensitive content that is internal Mhmm. Data from a company. Sure.
Moving to another topic for you, Dave. I think we've all gotten emails in the past where we've seen a domain that we're supposed to click on and it looks legitimate, but there's just one spelling off.
Yeah.
Now there's something even trickier about this called the obfuscation.
Yeah. Yeah.
So an obfuscation attack would be, for example, if if the attacker creates their own website to mimic a a legitimate website, and the URL that would guide a user to it looks almost identical to the actual one.
So take, for example, costco dot com. Not that Costco's had a problem with this, wanting to throw that disclaimer out. But if you were just to replace the two o's in Costco with zeros, at a glance, you might not notice it. What's happened with the obfuscation attacks that has made them, much more problematic than they've been in the past is attackers have figured out that they can actually employ, Unicode characters in their URL. And so it might look absolutely identical to the the legitimate URL. And, you know, an an I in English, you know, character and an I in Unicode is gonna look like the same character, but the computer's gonna treat it differently. And just that one digit alone could be enough to send, a user to an illegitimate website.
Oh my goodness.
Yeah. Devious. Yeah. Let's talk about, how we've seen the improvement with chip cards. Right? EMV.
Are we good there? Good to go?
You know, it it it did revolutionize things here in the United States. Granted, we were a little bit slow to the game.
You know, across the pond, the UK was ahead of us by fourteen years, I think, something along that line. But it did improve things. We saw we went from where, prior to the EMV card or the EMV chip on your card, about eighty percent of the investigations we were performing were in a card present environment, hotels, restaurants, hardware stores, what have you.
With the widespread implementation of EMV, that number dropped to twenty percent and even below. We we bottomed out around fifteen percent of our cases were, point of sale related, and then the inverse was all the attacks were were Internet related.
What's come out now, that has it's not widespread.
It's a little bit difficult. The technology required is is high level. But some skimmers have been developed that are thin as a a a piece of tape.
And so if you if the attackers put that, you know, into a device like a a a gas pump or something along that line, it is it is very difficult to detect. They don't have to get inside of the the workings like they used to.
One of the problems with skimmers that they would've, attached to, card processing devices in the past is they had to get power to it. And so they'd have to be inside the pump or inside the cash register or under the counter of a of a store. Well, these new skimmers that have recently been developed actually derive their power from that little electronic blip that occurs in the chip itself when the card is inserted. That is sufficient energy to power it and capture the the card. So, again, the, with all of the security advances that we have, the attackers never stop working.
And when we roll out or when I say we, when when the industry rolls out some, implementation, the attackers then have seemingly unlimited time and and energy to to figure a way to attack it. And that's what we've seen in these, these wafer thin skimming devices that have been found on on some terminals and devices. Amazing.
So it's a moving target security, isn't it?
Always.
Yeah. So with the EMV, we thought and predicted that ecommerce would get a little more attention by the hackers. What do you have to tell us there?
Yeah. Yeah. Like I said a second ago, everything went inverse when EMV came around. And right now, eighty five percent of our our cases are, e commerce attacks.
And part of that goes back to, you know, for example, it was roughly twenty seventeen, I think, when what have come to be known as Magecart attacks first came up on the radar. They are a case where attackers employ malicious JavaScript code in a shopping cart process that captures the card. What makes them especially effective is they don't have to have server access, you know, for the system. They can do it from the public facing side.
And when a a credit card is processed, it used to be that, you know, that was an extremely secure environment because the only thing occurring was the actual processing and communication between the the device and, you know, the processing elements.
Well, there's a lot of noise now in in the checking, in in the shopping cart process. You have data analytics happening, adware, what we call malvertising. So, you you know, if if when you're on a on a a site and you're purchasing something and you see over in the margin, you see advertisements or you might be interested in this or that, Those are all, you know, pieces of code that are coming in, oftentimes, from third parties.
Well, what this has given the attackers is numerous opportunities to breach a site.
And one of the ways that that we first stumbled onto this was a few years ago where we were analyzing a site that the credit card brands were confident had been breached.
But they had already had a PFI investigation, and the investigator didn't find anything.
They ended up employing us to do a second PFI investigation.
And, initially, we went through it, and we didn't find anything either. And what happened is we continued to test the site in in kind of a live environment running transactions.
And all of a sudden, in one of them, we saw that the data was captured.
Took a while for us to figure out what was going on as there was an ad that was malicious.
And this ad would only appear every three, four days or every six days on the site. And in a when that ad was present, they were capturing credit card data. The brilliance on the part of the attacker was that it would be it it would make sites much slower to be detected to be, you know, as a compromised site. Because while it's not on your site, it's on somebody else's site capturing their credit card information.
So we've affectionately, dubbed those malvertising instead of advertising.
But the you know, these these malicious JavaScripts are extremely difficult to detect.
Common antivirus isn't going to do it. File integrity monitoring isn't gonna do it. You actually have to, run, checks and dig very deeply during, the checkout process.
And we've got some services for that. So if anybody's interested, give us a holler.
Yeah. We do. We actually have gotten them.
So Yeah.
People sometimes hop on searches and try to find help Mhmm. For a a largely scaling problem now. And we've we've actually had calls coming into our company asking for help with ransomware where they're completely shut down. How about that, Dave? What do you got to say?
Yeah. Ransomware is that gift that just keeps giving.
It was one where it it popped up, again, four or five years ago, grew in popularity, some defenses were were figured out, and then as they have so often do, their sophistication increased.
And with that, it proliferated. What's made ransomware so problematic now is you can have somebody who has very modest computer skills, technological skills, but there are ransomware as a service products available to them where companies will provide the malware itself, the ransomware.
All the attacker has to do is breach the system and employ the the ransomware, and then all of the communications between the victim and the attacker actually circumvents the person who caused the problem and goes back to the the service company.
They facilitate the negotiation for however many Bitcoin it's going to be. And then once they have the money, then they send the commission, if you will, to the person who launched the attack. So what happened is the ransomware, you know, four or five years ago was perpetrated by a few groups or people that had, you know, exceptional skills.
And now it's being done by hundreds and hundreds of thousands of attackers around the world. For that reason alone, it's not going anywhere anytime fast or so.
Yeah. If I could just add to that. I mean, that that concept of ransomware two point o is so prevalent right now. And it used to be just the bad guys would get in, and they would exfiltrate the data out, and then and then that's it. They're done. Now what they're doing is they're not only exfiltrating the data out and holding it hostage for ransom, but then they're also entirely locking you out of your network. So they're hitting you twice, which makes it even that much more dangerous, you know, having that team that can help support your business is critical at that point.
You know, another point to make, and I'm glad you brought that up, Hef, is you're not only dealing with the ransomware. Although that's all you're seeing right now. But a lot of times, companies will pay that ransom. They may or may not get legitimate credentials.
You know, sometimes they the credentials they get won't work. But let's say in in the case where they get the control of their systems again, And then all of a sudden, two weeks later, two months later, or a year later, they find that they've they've got an attack going on, and somebody's now capturing their credit cards. Well, what happened is when the the ransomware popped on their system, they also dropped a backdoor as well. Or they captured database information.
And now they wanna hold this hostage saying, hey. You know, unless you pay us, we're gonna release the you know, your entire database on the dark web.
It it brings up two things that you that you need to focus with on ransomware. One, you know, doing your best to to keep it off your system, which the number one thing that companies need to do there is train your employees.
The vast majority of them are coming in through, through phishing, you know, through emails to to employees.
So do your best to train them to to not respond, not click, not do anything with any any kind of an email that looks even the least bit, odd. And and I would even say if it comes from within your company and it has something, you know, an embedded link in it, pick up the phone, call the person who you think sent it to you, and say, hey. Is this a link I'm supposed to be opening? I mean, you really need to get that paranoid.
Now then, that that's trying to keep it out in the first place. And there's other things, file integrity monitoring, antivirus products, email scanners, all of that. You want all those tools in place.
But next, you need to plan for what do we do when it hits.
And in that case, make sure you have good backups. Make sure your backups are not online twenty four seven because the I'll I'll tell you more than more often than not, we get calls of somebody who got hit by ransomware, and we ask, do you have backups? And they go, yeah. And those were, you know, locked up as well because, you know, it it that's what it's gonna do. It's gonna spider your network and lock up everything it touches. So keep your your, backups offline.
And lastly, practice restoring from your backups. Because the other thing that we have is we'll talk to people, and they'll say, oh, yeah. We've got backups. We should be good to go.
We're not gonna pay the ransom. And three, four days later, a week later, two weeks later, they are still trying to restore from their backups. Loss of productivity. Yeah.
And if you'd like to know more about this, make sure you catch, if you didn't, Dave and I's talk on ransomware, earlier in the summit, for sure.
Great. That's excellent information.
Thank you, Dave. Well, Hef, let's talk about threat intelligence center. So much going on. A banner year. Right? Yeah. News stories, all kinds of stuff.
It's been absolutely nuts. And when you think about the news, I'm sure the audience probably remembers some of those names, the Ubiquiti breach, the SolarWinds breach, Colonial Pipeline, the Exchange Server zero days, Parler. I mean, the list goes on and on. I know from, like, an industry perspective, it definitely can lead you to burnout, you know, constantly.
It's like one thing after another. You get one thing fixed, and the next thing is there's another third party or a vendor getting breached. Those those supply chain attacks just absolutely maddening this past year. So it's been a real challenge for our team.
There's so much we could talk about in this area, and you're trying to summarize it all for the audience to just have some sort of, you know, idea of what the heck is actually happening out there and how crazy it is. But I know in our threat intelligence center, we've had about seventy different countries with threat actors from all of these different locations just hitting our clients left and right. It's like a prize fight. Just them out there, a buffet for, especially, like, creative threats.
The number of just creativity that these threat actors have been doing. I I, you know, Dave highlighted some of them.
But You need to get those guys a job. Yes. Yes.
Absolutely.
I think they have a job.
Well, I say and that's a great point too because a lot of these, you know, malware as a service, they actually have benefits, and and they work at a corporate locations.
It's amazing.
Yeah. These ransomware as a service, they're affiliates. I mean, they they run it like a business where you can license their technology to attack a business.
So Yeah.
Call centers for dashboard.
Yeah. Call centers.
Dashboard with news. Yeah. Updates. All kinds of stuff. Yeah.
But I have to you know, for the audience out there, if you are a a small to medium sized business, I would definitely focus your thoughts and efforts around some key critical areas. And these are areas that we have seen come up time and time again for this past year. A lot more brute force attacks. We've seen a lot of those. We've seen a lot more password spray attacks. We we call those like pray and spray type attacks.
We've seen a lot of creative uses of social engineering. And Dave kind of touched on it. You know, the one that comes to mind is the most recent one that I've seen is that the bad guys take emails about the Digital Millennium Copyright Act, and they say, hey.
Your small business is violating the Digital Millennium Copyright Act. And here it is, you know, you're the owner of this business and you're thinking, oh my gosh. What do we what do we do? How do we get ourselves in this mess?
And then the email says, click on this link and we can, you know, fix this issue for you.
I've seen three of those in the last week.
It's terrible for these folks. But I gotta tell you, you know, the audience out there, number one, the number one thing that you should be concerned about right now if you're a small to medium sized business is absolutely weaknesses in your Windows architecture, your authentication architecture. A lot of zero days have been around that. Specifically, it's one vector, one threat vector that once the bad guy gets into your environment, once the threat actors in there, they move laterally, they find something of value in your network, your crown jewels, and they try to exfiltrate them off your network.
So if you're not securing the network, your perimeter, your network perimeter, and your cloud, you're in some serious trouble. And what we find then is the bad guys also will impersonate credentials. So you've got this impersonating your legit users, which makes it such a challenge, and then bypassing your multi factor authentication. So even with all those controls in place, the threat actors are finding ways to get into your environment, and they install those back doors for later access.
So, you know, don't pay the ransom, obviously, is is the key takeaway here.
But you also have to be aware of there's so much cyber hygiene that a business should absolutely be doing to protect themselves.
Yeah.
One of the things on that too that we see is that when the threat actor gets into the system, he'll sit back and he'll monitor. He'll watch and he'll read, you know, hundreds of your company emails to get kind of the tone and flavor of it so that he can craft one that looks legitimate.
It's it's amazing. The one the one use case that we've been dealing with a lot right now, Lee, is these camera security cameras. And how the bad guys will get into your environment through a flaw in your security camera, and then they'll pivot from there into other areas of your network. So it's it's one of those things where you think you have a secure camera, and here it is.
It's it's built maybe by a company called Hikvision, for example. And you you you're that camera is branded, OEM branded through multiple other security companies. So you didn't even realize that you had a Hikvision camera in your environment. And here it is, this crazy flaw that's out there this past week that we've been trying to help our clients with.
So it's just absolutely nuts. Every week, it's a different fire that we're trying to put out.
But but those are pretty similar to what's been going forever. Right? Is the get in through some other way and move around. So Pivot.
Yeah. Over and over, people are thinking, what is it I've got to do today? And it's like, well, do what you're supposed to do yesterday. We'll talk more about that.
Yeah.
That cyber hygiene stuff is great.
That is amazing. There was a how many breaches does T-Mobile have now?
Yeah. It's I think it's they're going on six is what I've read. It's and and they're great at making TV commercials. That's for sure. And at sponsoring arenas, I don't know if I trust them for my cybersecurity.
So So much going on. Well, workforce threats are expanding in in so many ways. Right? What, what what what kind of pivots are there with, APIs? People are talking more and more about connecting services between two different talking points applications.
What do you see there?
Yeah. A lot of it is this creativity. And we kinda mentioned it a little bit, but these tactics, techniques, these procedures, processes that bad guys are doing right now, I would say that the the creativity behind these data scraping and a lot of people there's some controversy out there. Some people don't call them breaches when your API gets scraped.
It's publicly accessible data. It's out there for the world to see. But oftentimes in these these APIs that get scraped, we don't know all of the data points. We don't know the geolocation IP stuff.
We sometimes don't know if the the company that's being breached, if they're being completely truthfully honest is, you know, what was all included in the API being scraped? And and that's a challenge. But there are so many just creative uses. I I could probably take, like, three hours here today, folks, and just go over all the creativity.
It's a challenge, especially for for cyber teams to stay ahead of all these different new threat vectors that happen in the environment. And then on top of that, trying to be the Smokey the Bear and alert our clients of what's going on in their environment.
And then as soon as you educate them, the bad guys are onto that and changing their approach.
Oh, yeah. Absolutely. You know, you think about it. It's it's not just the the supply chain attacks with SolarWinds and these third parties and this impersonating legit users on your network.
I mean, that stuff's that stuff's been going on a long time. And the remote workforce stuff, we talked about that last year, how that was growing. But you're seeing so much the the bad guys pivoting. They're using a lot of more exotic code in their malware, which means defense systems sometimes can't see that stuff from happening.
That makes it a challenge. There's a lot more use out there of bad guys hiding their tools in the processors, in your GPUs, in your video card, in your I mean, that that stuff's insane because a lot of people don't look for threats in in the processor.
So In image files even.
Oh, that's even big too. Yeah. So, you know, and then now we're seeing this deep fake stuff, you know, where the bad guy is impersonating the voice of your owner of the business or the CEO of the business. And you you wouldn't know on the phone, it's it sounds like your CEO or your business owner.
Yeah.
So much to do.
Yeah. It's faster and new techniques, and they're just pivoting so quickly into new areas that it just it's a real challenge.
Well, that is remarkable and something to never let the never let your guard down on. Absolutely. Have the right people on staff, watching out for you. Well, let's let's segue a little bit to the audit discussion now.
We've we've we've heard from Hef and and Dave about, about the various threats. How does that affect the audit world? And and what kind of strategies are any new and improved systems? Or or what's the approach to prevention in the audit world of IT?
Yeah. Well, before we do that, Lee, I wanted to go back a little bit. I think hearing all the stuff that Hef has talked about, it's really interesting. And, again, we are seeing things that are more sophisticated.
Right? As Dave mentioned, it's because the bad guys don't have to write their own stuff. They can get it from other people who are smarter, who sell their services. And, you know, that's the way the world has gone.
I mean, you don't have to be an expert in everything anymore, just like in many areas. So it's kind of the same. You know, the thing that Hef mentioned earlier about cyber hygiene, I think that term is used a lot. And, you know, we hear all these things about all this new stuff, and I think it's really easy to get pretty pretty any penny.
Oh my gosh. There's no way I'm gonna be able to survive the next year. Right? My company I should just give up.
And, you know Don't don't. Don't. Don't give up. Because there are some basic things that you just need to do that people have needed to do for a long time.
Right? And close up those holes, beef up security.
There's not this magic new product that you hear about when there's some new exploit or some new way that they're attacking. There isn't some new thing necessarily that you have to do always. It's let's do the old stuff. So, you know, the simple answer is, has all of this stuff that these guys have talked about changed kind of the way an IT auditor would say what you know, these guys are kind of on the offensive side. Not sure offensive. Right? But they kind of deal with the offense side.
And my team, all of the audit and the the pentest guys were more on the defense. We're telling people, here's what you should do to defend against these things. And, you know, you'd think that because there are so many new advancements in all these other areas, there'd be all kinds of advancements in in defense. And, you know, there are some.
But, you know, what what has changed? Has this has all this stuff changed our prevention strategy? Well, you know, the simple answer is no.
You should be doing the same things that you've been told to do for a lot of years.
All these security standards that people out there are having to be compliant with have been telling you what you needed to do for the past fifteen years. That hasn't really changed. Are we still seeing breaches because of remote access? Yes. Are we still seeing breaches because of other things that are pretty simple? Password stuff. Yes.
So now with that said, in other words, nothing has there's really no new defensive strategies that have been coming up, and that sounds kind of, right, why why aren't we having the cool developments as well?
There are some things that some of these changes do inform, and that is maybe you need to change your priorities based on what you're really trying to to defend against.
If you're trying to make sure you're you want your data to be protected from somebody snagging it all at once with ransomware, then you should ask yourself, am I encrypting my data? Am I protecting that data where it's being at rest?
And, am I actually paying somebody to break into my network, like a pen tester, a good guy, and and saying, here's how I got in?
Those are some defensive things that you can do that really thwart the offense. Right? And as Dave said, are you practicing your backups? Have you got your multifactor authentication? Is it really working? Is it gonna stand up against these attacks where people are trying to go around?
Have somebody try to go around and make sure that that you can't fake out your multifactor authentication, training on phishing. Again, all these things are about the same, as they've been forever and ever. So we got a really good story. I think, Dave and his team worked with a big company. Maybe you ought to tell that story, Dave, about a big retailer. He didn't lose any data.
But Yeah.
So it was a company that we had an auditor go on-site to do the annual audit for. And the company proudly, you know, said, hey. You know, we made the transition this year to end to end encryption. So, you know, according to the standard, you don't have to look at anything outside of that. And the auditor, you know, was trying to encourage them. Hey. You know, you really need to look at all of your perimeter security.
And, anyway, they they held firm, you know, end to end encryption says we only have to look at this. And they they limited the auditor. Well, about four months later, they called us back and said, we just got hit by ransomware.
So the good news is the card data environment was was secure. There there was no card data at risk, but they were at the point where they had to try to restore from their backups. There was about eight or nine hundred, locations affected by this. And for three days, they couldn't take any credit cards. They lost tens of millions of dollars in income because they were trying to skimp a little bit on their on their audit.
Yeah.
So much of this is you focus on the fundamentals.
It's like the game of basketball. If you focus on the fundamentals, you have a better shot at trying to keep the threat actor out of your environment. But if you're not doing those things, you mentioned the backups, the multifactor authentication, security awareness training, a patch management program in place, and you know your inventory of all your hardware and software in your environment. All those little things add up that make it so much easier for the bad guy to get in if you're not doing the fundamentals.
Yeah. You know, and just to be clear, many of these audit standards out there define fundamentals, but at what level? Yeah. At the very floor. They define the floor of what you should be doing, not the ceiling. And I think that's interesting. A lot of people will say, well, I'm compliant to PCI or HIPAA or HITRUST or any of these standards.
And that's the minimum you have to do to be compliant. And so the point Dave's making is, you know, that's great. Minimum is good. Do that first.
And then the next year, start asking your question, what other systems could I use some of these principles on and protect that I'm not saying are in scope, right, for PCI or something else? So I think that's pretty important. Now after Hef's talked about all these, you know, the stuff that they do in the SOC is awesome. They're finding and detecting hack sign, like worm sign.
Right? Dune's coming out, so everybody's gotta watch Dune. But the hack sign is coming, and it's really important now even more than ever to be watching that hack sign and to be cognizant of what's really happening, who's coming, what are they trying to do? That way, you can reorder your priorities and make sure that you're looking after stuff.
I think Dave, again, has another good customer story on this one.
Yeah. Forensics is usually not short on, you know, horror stories when it comes to card data breaches. So, again, a very large nationwide retailer, actually, international retailer.
We got contracted because they had some nine hundred locations believed to be breached. So we're going through doing a very thorough, and this is, you know, a very large investigation.
And as we go through and we're examining the data that we captured from them, we found that they had a wonderful detection system in place, and it was throwing alerts all over the place. And nobody was watching.
It actually alerted on day one. If somebody in the company had been assigned with the responsibility to look at these security alerts, they would have headed it off on day one and saved millions of what it cost them. I mean, we didn't make millions, you know, on the investigation, but the investigation is expensive, and then there's fines from the card brands, loss of brand trust, and on and on. Right.
And it really kind of is what was the exact question they might have been asked during an assessment, let's say, that they would have had, or even asked themselves.
Do we have monitoring in place? Well, yeah.
We got all the logs. Check.
Nobody asked me to look at them.
Yeah. Right? Right.
And, you know, we did an audit once where I said, you gotta buy an IPS or IDS system. And they go, got it. Okay. So I show up, and I said, let's look at your IDS system.
Where is it installed? I said, well, no. It's right there. It's right there on the floor.
In the box.
In a box. In a box.
Because you just said I had to have one. You didn't say I had to install it. So, you know, security catch up mode is always common. Right?
And we're not trying to say everybody's horrible at it. It's just, you know what, basics are still the key. And don't forget, it's like doing an exercise every day. You just have to do it.
And so overlooking things like your information based website, you don't have any shopping cart on there, so why should you worry about it?
Exactly. Which we know from Dave and other things. And, you know, who knows? We'll see some changes coming to PCI 2.0. We'll find out. Or in 4.0, I mean.
We'll find out.
Now let's talk a little bit about that. What's happening with 4.0?
So, yeah, this has been an interesting year. Again, COVID and everything has slowed the process down a little bit. We were expecting a new version of PCI coming out.
Late this year was the original schedule.
And, you know, to the council's credit, they have done an incredible job of really getting the industry involved in this iteration of the security standard. And I think that's pretty rare. Typically, you know, the government or some organization will just say, here's the standard. Go follow it.
And the council is going, well, here's the standard. What do you think? And they're giving opportunities for auditors to give feedback, for merchants and people that are being affected by it. And they're saying, hey.
This one, I don't understand this. This is really hard to do. Do you understand how hard this is to do? And if we did it this way? So they're taking that feedback.
And I think because of the incredible amount of response they've gotten from the industry, they're kinda going, hey. These are great. Let's take a little longer and incorporate some of this feedback into the standard development itself. So it's taken a little longer.
And so now, currently, it's gonna be a little bit later. We'll actually show a schedule a little bit later here in a second. But these changes really are driven by the industry and the feedback that they're getting. Now it's gonna be the same twelve areas because security doesn't change.
The same basic things are always happening. You need to have a firewall and logs and system configuration and malware and software development and all this kind of thing. You don't have to have malware. You have to prevent it.
But, so they're focusing a lot more on security objectives. However, they're changing the wording in the standard. That's taking a little bit of time. Trying to make it more understandable for people and a little easier to customize without losing the intent.
Right? Sometimes people will try to think of a way or a loophole around a requirement.
Doesn't actually say that.
But, I think the security objective is really kind of a new thing, which is gonna be great.
There's some areas in the standard that are expanding. They've spent some more time on risk assessment direction and requirements. They're expanding multifactor authentication to make sure that we're stronger there.
We're adding a lot of cloud considerations. Cloud, when I started fifteen years ago, you know, clouds are in the sky.
And now clouds are everywhere. Almost every one of our customers has a cloud portion. You know? It's gone from zero percent to, you know, sixty, eighty percent of people having, you know, major cloud sections.
So the council's knowing that and adding that in rather than just kind of saying, well, it's the same as everything else. Just treat it the same way. Right? They've added phishing, social engineering.
I think we're gonna be seeing some of that come out.
Good.
And I'm not telling you anything secret here. All this stuff is what's on the council's website. We're still under NDA about everything that's there. But, anyway, enhancements to validation.
I've been on a task force to update the SAQs.
They've added a thing called the customized approach for really large organizations where they can say, well, this is a great requirement, but I do this and it's even better. So, you know, we can throw up on the screen there the PCI development timeline. You can see here that we're in the end of twenty twenty, and they had a second RFC that came out, a request for comment. They're processing those now. We expect to see, as members of this review board, a draft of the standard in January, and then one more quick review time, and then they'll be publishing it near the end of Q1 in twenty twenty two.
So March time frame, we're hoping. And soon thereafter, they'll have all the supporting documents and things like that. And another quick slide then says, what about the transition? How much time do I have to move?
You know? 4.0 is released. What do I do? People are gonna be worried about it.
And, you know, if I had one of those cool keep calm things, I'd hold it up and say, keep calm. It's just 4.0. Right? And we've got plenty of time.
They've built almost two years, I think, twenty-two months of transition period until 3.2.1 is retired.
And then beyond that, another year where all the future-dated requirements are, you know, like, say, the phishing requirements, they're giving you a little more time to get that stuff in place, for example. So clear out to Q1 twenty twenty five is where we're at now. So my message on 4.0 is you got plenty of time. Don't worry.
Focus on 3.2.1 right now. Focus on compliance. Focus on those things you're already supposed to be doing, that you're supposed to have been doing for the past fifteen years. Right?
Anyway, that's 4.0 in a nutshell.
Well, it's exciting, and it's good to know that there's support along the way, so it's not an instant switch over. Yeah. So that's good.
So, who can talk to us a little bit about this zero trust strategy proposal that's in the works right now?
So let me give you my take, and I'll let you guys say anything. I did a little research on this because, you know, to me, it's exciting to see I don't like the word mandate, but see guidelines being provided by large organizations. A lot of times people are thinking, the government needs to solve this security problem right now. This is their responsibility.
No. It's not. It's always been our responsibility. Yeah. You know, it's always been the people who have data or systems that need to be protected.
It's our responsibility. I protect my house. Right? So, this new thing, Biden's zero trust strategy, it basically is having some proposals that sound just a little bit familiar.
You should have better identity and authentication controls. You should have enterprise-wide single sign-on.
Good. You should have multifactor authentication.
Oh, good. You should have stronger passwords, and you should make them longer instead of changing them so often. Right?
And, so, like compliant with NIST guidelines.
NIST guidelines. You should follow the NIST guidelines that have been out for a long time. You should be encrypting your internal network traffic.
You should be segmenting your networks.
Oh my gosh.
Who would have thought?
Brilliant. You should be encrypting your sensitive data.
Is it new? No. It's not. But is it good that it's coming from a high level?
Yes. Because security always has to start high and move low. The CEO has to be in and and know what security things he wants to enforce, and then he can have his people support that policy. We will be secure.
We will secure our data. So, anyway, that sounds pretty familiar. So it's interesting. It's in the news, but it doesn't sound a whole lot different.
Yeah. From what we can see, it's not gonna change a lot. But I totally agree with Gary that the fact that the president is talking about it, people will hopefully listen. Maybe it'll get some people to act that otherwise wouldn't have.
But, yeah, a zero trust strategy doesn't really invoke any new, you know, magic pill.
But a lot of focus.
And we've talked to a lot of IT guys that are kinda caught in the middle because they've got budget constraints. They need more approval from a pie. You know, maybe that will give a little bit more of an impetus into funding and support and focus.
We're also seeing a lot more focus on some other audits that are getting popular. The government has this new CIS controls. I mean, it's not new. Actually, the CIS controls came from the SANS top twenty from the late nineties or mid nineties that was started by the FBI and some of the guys.
So it's now getting a whole lot more attention with a lot of municipalities and a lot of things. Again, what is it? It's a selection of those basic controls, prioritized in different ways. And so if you don't know what you're supposed to be doing, there is no excuse for not knowing because there's plenty of places to go to look it up.
Yeah. So we've had some interesting takeaways from the year of twenty twenty. Going forward, we're already thinking about twenty twenty two, and yet we've learned a lot from twenty twenty. Now in twenty twenty one, we're seeing a lot of the carryover from the effects of twenty twenty. We're still seeing people having to do remote work. It's not like twenty twenty one just changed gears. We're still in the thick of a lot of problems.
And I think, you know, the remote work point is really interesting. There's more people working from home on their own computers, on their own home networks, which companies are going, oh my gosh. How do I control that? How do I know what they're doing?
And so you can't. Right? You can't control what's going on there. Then what you need to do is get them to be using processes and procedures and applications that kind of ignore the security of the home network.
What can you do to... Or the lack thereof. Or the lack thereof. Right? What can you do to protect the actual thing they're using to input the data on?
Can you provide them with a little device that only can see one location, and that's your office, you know, website or whatever? I think companies are having to be pretty creative.
And it's not that it's expensive. I think most of our people that are remote in our call centers are using a little Raspberry Pi box that, you know, lets them get access to a few things, but not much else. And that's, I think, the wave of the future of twenty twenty two and beyond.
I think a lot of companies are finding out that maybe their employees will be staying remote some part of the time. And so that's gotta be incorporated into our planning and into our security budgets and vulnerabilities of those things. You know, it's still kinda new to us, I think.
Keep it from turning into the wild, wild west out there. Yeah. Well, it already is that. Yeah. Or more so. Yeah.
Interesting that, a data point of people compromised, how many of those compromised were fully compliant with PCI at the time?
Let me look up the number. Zero.
So there's always work to be done so you don't become that guy. With PCI DSS, fifteen years history, it's still the backbone of what needs to be done. So lots of new stuff, lots of new approaches.
But the philosophy and the categories to look at are the same.
And they're the same. It's the same as the HITRUST. It's the same as HIPAA. It's the same as CIS and FISMA and FedRAMP and all these things.
They're basically saying the same stuff with a little bit more or less depth. And we live in a society where those can't be ignored anymore. You know, you can think that nobody will find you and get to you, but I think Dave would say, yeah. Good luck on that.
Yeah. Yeah.
Doesn't matter how small you are.
The days of dial up and Juno mail are kind of long long gone. Yeah. And, speaking of keeping on top of things, we wanna put a plug for Hef's podcast that is just Oh, thank you. Remarkable. Give us some more news.
Yeah. Thank you. I'm glad you brought that up. So we do this really high energy podcast.
It's the weekly lessons learned from the top cyber news stories, and we encourage everyone out there to take a look at it and listen to it and watch it. It's my partner in crime from the security operations center here. Forrest and I, we talk about the latest breaches, the news. What can you take away from that in your small business, small to medium sized business, to try to help secure your facility?
So, yeah. That's absolutely, you can actually find us on YouTube, Stitcher, all the top channels. And then we also do something really cool. We started this recently.
We do a weekly curated list email. It's, I wanna call it, a threat intelligence briefing.
And it's a highlight reel of all the top stories, all the top breaches, all of the top vulnerabilities that are out there, all the top risks, the GDPR news, the PCI news, the HIPAA news, all that stuff, all condensed into a very short briefing type email. So we encourage people to subscribe to that. You can find that on the SecurityMetrics website and definitely check it out. It's a really cool briefing email every week.
Oh, I follow whatever you need.
It's high energy. I've watched. Right?
Yeah. Yeah.
Usually, I speed up books that I listen to in podcasts. Those guys, you can slow it down.
There's so much stuff.
So the way we try to explain things, Lee, very simplistic.
So we have, you know, we have people in the audience that may have a deep technical background and people that don't. So I always say if my mom can watch the show and really, like, take away, oh, I didn't know that, Matt. You know, then we did a good job. So, yeah, please subscribe.
Yeah. It's loaded with good information, and it's entertaining as well. Oh, thank you. It really moves along.
I have audit customers that require watching the Hef and Forrest broadcasts.
So, excellent. That's good reason. That's all good stuff.
You know, and the content is always fresh, which is great. And a lot of times, you know, you get an article that you might read or something like that. And just in the time that it takes that article to be written, to go to publication, to get disseminated, you know, it's two, three, four weeks old. This stuff isn't.
This stuff's, like, you know, twelve hours old.
Happened yesterday.
Yeah. Right. Right. Yeah. Or just an hour before you started. You gotta change your script now.
Yeah. That's true. Yeah. That's remarkable. Well, we really appreciated having you guys share your experience, years and years of experience.
And I can tell you, I've worked in SecurityMetrics on the sales operation side for several years. And people call in, and I don't even have to hesitate to recommend what we can do for them. Well, that wraps it up, and we really appreciate everybody's participation in the SecurityMetrics Summit. And that will do it for us this time, and we hope to see you soon.