Watch this webinar to learn current data security and breach trends, 2020 forensic investigation findings, and tips to avoid a data breach in 2021.
In this webinar, we review the lessons we learned from forensics investigations in 2020. Dave Ellis and Aaron Willis also give their data breach predictions for 2021 to help you strengthen your organization's defense.
This webinar was hosted on April 29th, 2021.
Good morning. My name is Sarah Kemple, and I'm on the marketing team here at SecurityMetrics. Thank you for joining us today.
Our webinar, 2021 Forensic Predictions and What Happened in 2020, will be presented by David Ellis and Aaron Willis of our forensic investigations team.
SecurityMetrics forensic investigators work with breached organizations to help them discover and quickly recover from a data breach. So let me introduce you to our presenters.
Dave Ellis is VP of investigations at SecurityMetrics. He is a former commander with the Oakland Police Department and has over thirty years of criminal investigative experience along with PFI, GCIEH, QSA, and CISSP certifications.
Aaron Willis is senior forensic analyst at SecurityMetrics and has over fifteen years of diverse experience in all aspects of IT security, business intelligence, data mining, SAS consulting, and programming.
He also has a master's degree in digital forensics along with CISSP, QSA, and PFI certifications.
A little housekeeping item before we get started. We get asked this a lot. We will be sending the slides and the recording of this webinar out tomorrow.
Also, throughout the webinar, if you have any questions, please chat them in, and we'll address as many as we can.
If we don't get to your question, we'll reach out to you on an individual basis.
Let's get into the presentation.
We appreciate, you taking care of, all the introductions there. Aaron, good to be with you today.
Good to be with you, Dave. You're a little bit overdressed.
I I wanted to start this whole segment off with, eating a Carolina Reaper, but I'm just gonna have to settle for making fun of you being overdressed.
Well, yeah. So my wife and I have, started rewatching person of interest. And, so I'm I'm kinda going for the the the dark, mysterious man in the suit.
He he doesn't usually dress like this. Normally, yeah, he he's much more casual on a Friday.
T shirts and jeans. Yeah.
I won't tell him about the pink bunny slippers.
They can't see under the table. Okay. Hey.
Getting back to where why we're here today. One of the things I wanted to mention in the beginning is, normally, we try to put this information out earlier in the year, kind of going over what we saw in the previous year and then looking ahead to the year to come. The reason this is going out a little bit later than we had anticipated is because right as the the New Year turned over, we started seeing a couple of things on the horizon that we needed to to investigate a little bit deeper and see how they were going to unfold because we wanted to include them in in our content today. So that's why we're here at the end of March instead of, the end of January. Alright. Do you wanna start off with our, our trivia question for today? Sure.
We like to start off with some fun little pieces about, interesting things people have done or said in the forensic or or in the digital communications industry.
So we we've got a a quiz and we're going to, give away some prizes. Right, Dave? What what do we have?
Oh, you know, I don't know for sure. We've got a little bit of SecurityMetrics swag. It might be a backpack or a jacket. I mean, they're they're pretty cool things.
But today's trivia question that Aaron's gonna read in a sec is a two part question. So if you think you know the answer or, like everybody else is gonna actually do, you're gonna Google it and whoever's the fastest to key it in, it's a two part question. You have to get both correct.
And, and and if we get multiple correct answers, we'll do a drawing and and contact you after the fact and and get the swag off to you.
Yeah. Are they allowed to Google?
A little little hard for us to proctor it.
So Stop. No. You can't Google it. Alright.
Yeah. They're on the honor system.
So Hey.
We've we've got some quotes here and and you've got to guess or Google, who said these quotes. Okay. First one is computer viruses are an urban legend.
You said it. Can you start humming the Jeopardy theme song?
And the second quote, the problem of viruses is temporary and will be solved in two years.
And and should I say that this was said in nineteen eighty four?
Yeah. Yeah. The context is good.
They're still working on that one. Alright. And the answer is?
First one, computer viruses are an urban legend. That was Peter Norton, from Norton Antivirus.
And the second, the problem of viruses is temporary and will be solved in two years. John McAfee, nineteen eighty eight. Oh, correction. Yeah. I said nineteen eighty four.
It was a couple of years later, but, these two moguls in the, IT security fields, have Really the two biggest.
Right?
Yeah. Yeah. I'd call that a big swing and a miss. So where we're gonna go with this, today, we're gonna start with where we left off last year, and that was the predictions we made for twenty twenty, the things that Aaron and I thought we might see in the in the coming twelve months.
And, and let's just kinda go into it and see how we did. Starting off, our first prediction last year was that there would be more attacks targeted against cloud based products and services and platforms.
Oh, yeah. Man, do we ever hit the nail on the head on this one. Besides the cases that that we knew about that that we investigated, I just did a quick Google search to to see what was going on out there and found this, article, from Business Insider.
And just from the headline alone, a staggering failure to adopt basic security habits led to seventy percent of companies storing data with Amazon, Microsoft, or other big cloud vendors getting hacked or exposing data last year. Ouch. Yeah. That is phenomenal. Yeah. I mean, I, I thought we'd, you know, see a handful, but, you know, according to this article, seventy percent.
Yeah. You know, and storing data in the cloud, that was the thing that was gonna secure systems a couple of years ago. And now, I mean, I I don't know what the percentage is. Probably close to ninety percent of the cases we're investigating, it's involving data that was stored in the cloud.
Yeah. Even in a lot of our smaller forensic investigations, we are often in the cloud Mhmm. Dealing with cloud issues, you know, vulnerabilities and things like that that that attackers were able to compromise.
Yeah. So our our second prediction last year was a spike in the registration of look alike domain names for evil purposes. And you can see by our little thing there if, if you caught that the j's were changed in the, in the URL, with, you know, very creatively using fish hooks.
Yeah. This is another one that we got right. If we look at the next slide, we can see that hackers are exploiting Zoom's newfound popularity amid coronavirus pandemic. So this was kind of boosted along by the pandemic when everybody, you know, got the work from home orders.
You know, hackers took advantage of that. And one of the first things they started doing and you can just look look at the chart right here. You know, it's it's got a baseline of look alike domain names being registered.
But then as we move into March, you know, the thing just hockey sticks. Yeah. And, you know, at this point in time, when this graphic was made, they were at seventeen hundred look alike domains registered.
Yeah.
And and when we talk about a look alike domain, what you're seeing with that is if in the domain name, for example, there's the letter l, they might substitute a capital I instead of the l. So at a glance, it's gonna appear to be the same domain name.
Yeah. One of the ones we saw in one of our own cases, an attacker had substituted the l in Google for, a capital I.
So it looked like it read Google Tag Manager Mhmm.
When in fact it was Googie Tag Manager.
And, you know, attackers didn't just hit, you know, Zoom and Google. They were doing it all across the board, just registering all kinds of lookalike domains.
You know, classroom dot Google got hit, hard in its attack last year.
And so, yeah, these lookalike domains, became a big problem and and are still a continuing problem.
Yeah. Yeah. And we're gonna get into that continuing problem a little bit more. So our last prediction last year, we had us a little bit more worried, whether we would see it coming to pass. And that was when we were talking about we call it spy versus spy, and that's the the increase in AI assisted security if it was going to be met with things like AI assisted attack vectors.
And we actually found where that was used, how hackers are weaponizing artificial intelligence.
Yeah. We didn't see any forensic investigations ourselves where we know that AI was involved.
But one of the things that that we did see going on in the community was a a password an artificial intelligence password cracker that didn't just use the passwords. They created derivatives of those passwords.
So are you saying because people like me, when my password expires, I add, like, an exclamation point at the end, or I go and change an o to a zero?
Exactly. And the the thing that was really startling about that is those derivative passwords are twenty eight percent successful. Yeah. And, and, you know, that's alarming, you know, it's not just brute force anymore.
It's, it's using artificial intelligence to say, Hey, what would a person change their password to if you know, they've got their base phrase and they might add a character here or there? Artificial intelligence is getting scary good at guessing what those might be.
Yeah. And, you know, and the truth is is I think we could throw this, this prediction in almost every year because I I think we're gonna see AI, be implemented more frequently by attackers, year after year than we are right now.
Yeah. That's probably gonna be a a good prediction, you know, moving forward.
So only being fair, you know, we we did hit our success stories where where we did call things, a few things right. We did miss a few things in in twenty twenty as well.
And so it's it's only right that we show what we missed in twenty twenty. Now the the truth is is we could have an endless list because, you know, every attack has its, individual distinctions from other attacks, but we're we're just gonna give you a couple of the the more interesting things.
Yeah. We we we have to be right a hundred percent of the time. Right? The attackers only need to be right once.
Yeah. So, the first thing that we missed last year okay. We missed predicting a worldwide pandemic.
How did you not see that coming, Dave?
Yeah. So, but what with the coming of the pandemic also came a a veritable flood of ways that attackers started going after, you know, attacking and stealing data.
Scammers are opportunistic. Right? You know, they're they're scavengers.
We saw just a massive increase in in the amount of scams going on that were related to the coronavirus pandemic.
Dangerous stuff on on this one. This is where a city's water supply in Florida, a hacker had hacked into it and was able to change the chemical levels treating the water, and they actually increased the, the amount of of, sodium hydroxide, which is lye. I mean, like, Drano. Yeah. They and and, apparently, there's a a need for Drano in Yeah. You never have anybody's drinking water. Yeah.
Did she get your Drano today, David?
Yeah. I I think it you know, it actually, you know, the intent is is at certain levels, it kills harmful bacteria. So it does help the water, but it's harmless to to people.
The normal level was one hundred parts per million. And in this situation, the hacker hacked in and changed it from one hundred parts per million to eleven thousand one hundred parts per million. Fortunately. Yeah.
It it was it was fortunately, an employee, actually observed the cursor moving around on on one of the computers that raised a red flag for him. And and they were able to catch it and and prevent, anything from, you know, harmful from going into the system. This really reminded me of the, Bruce Willis movie, Live Free or Die Hard. You know, when they send all that natural gas down the line, and and it was enough to blow up the power plant, This wasn't quite oh, maybe, you know, kind of like life imitating art.
But Yeah.
Yeah. I mean, if you think about the implications of that, that's scary. It could have really Yeah. Physically harm I mean, it's one thing to steal money out of somebody's crypto wallet. Right? But this is talking about, you know, giving real people a dose of Drano into their system.
Yeah. You know, and another scary part about this for me is that, the investigation did not reveal where it came from. They don't know if it was a domestic attack, if it was a a foreign entity.
They don't know if it was It was a terrorist based or anything like that.
If a terrorist or or just a, you know, a ticked off employee or former employee.
Yeah. No. They, as far as I know, they did not they they weren't able to narrow anything down. Wow. So next one should go ahead and take that one.
Late last year, we found out that the Tesla Model x could be hacked within minutes with basically a Bluetooth device that you can get off eBay for about twenty nine bucks.
Yeah.
And this, this is, this is a hack where you walk up to the car, run the Bluetooth hack, open the door, start it up and drive away.
Yeah. No. And the good thing is is, you know, Tesla released a patch almost immediately for it and and fixed it. But what it it brings to mind is potentially in the future, concerns that you might have with not only your electric car, but any keyless entry.
Yeah. And and not just Bluetooth either. I mean, these cars are up updating their software.
Mhmm.
You know, what could happen in the future when, you know, we're driving around in these cars or these cars are driving us around Okay. So and they can be hacked.
Would that be enough to prevent you from buying a Tesla?
That's a good question because I want a Tesla.
Okay. So yeah. Me neither.
But there there is a cool factor in in having the Tesla, but I'm not sure I wanna be the first one that that's, you know, being the guinea pig out there, letting the car drive around on its own.
Yeah. Aaron, I'm gonna give this one to you too.
This this sort of ties along ties into the same, attack that we saw with, the Zoom domains, the look alike domains. Yeah.
As we saw people shift away from being at work, physically present at work, there were a lot more Zoom meetings going on, a lot more online meetings.
Attackers being the opportunistic hyenas that they are, they went after these Zoom meetings as well.
New attack called Zoom bombing Mhmm.
Came into play.
This is where attackers get in and essentially make themselves a fly on the wall in private meetings. Yeah.
And there were a number of cases where embarrassing information was leaked out and, you know I heard of one case where there was a Zoom meeting for a church and pornographic material got Oh, yeah.
Fed into the the meetings.
Yeah. That's that's awkward at church. Yeah.
You know, in the example we give here in the slide, the US government itself had a Zoom bombing.
Luckily, it was just people coming in to interrupt the meeting and make a scene. But what if that had been, you know, top secret?
Mhmm.
A number of companies had corporate secrets, you know, PI data leaked from attackers coming in. But, you know, we saw an increase of meeting codes for sale on the dark web. You know, thousands of those little PIN numbers that you have to put in were for sale on the dark web.
Yeah. And they were selling it for, like, virtually pennies.
Yeah. Yeah. You know, we'll talk about later, but there is one, you know, ten passcodes for a penny.
Yeah. Alright. So that takes us into, the what we're seeing is the current attack trends.
And and by current attack trends, that might mean something like and and well, this gets into why we delayed this a little bit because a couple of those attack trends just presented in January and February.
Some others we were seeing last year, but they have grown in their sophistication.
So we're also gonna cover a ransomware, why it just won't go away. You know, that's that's the the attack that won't die kind of thing.
Next gen sophistication, skimmers, successful attacks against iframes. So that's one that's really important to hear because the iframe, you know, was that panacea that, oh, yeah, we don't have to worry about it because we've got all of our secret sauce, you know, protected within an iframe, as well as an increase in the effectiveness of code injection in shopping carts. A couple others sprinkled in, but let's go ahead and start with ransomware, you know, the attack that just won't die.
These continue to be excessively, impactful in the HIPAA or health care industry.
In addition, though, we're we're also seeing those attacks, being waged against, credit card processors, third party service providers, and all the like. And there there's basically two reasons why ransomware won't go away.
One, nobody's fixed it yet. And two, people are still paying.
Yeah. If you think about it, it's it's one of the most devious attacks out there. It's not just walking into somebody's house and and stealing all their stuff. It's burning their house down if they refuse to pay.
Right. Yeah.
You know, as this slide shows, phishing problem in in health care is of, you know, just growing and the pandemic made it even worse. And then, you know, this slide shows now I'm not positive that the the the first part of the title of this slide was accurate when it says seventy nine percent of all successful breaches were against health care. You know, it might be it's not really those aren't numbers that our investigations would have supported, but the the fact is that health care is a huge target. I do believe the, the second statistic in that title is that attacks rose during twenty twenty forty five percent over, twenty nineteen.
Yeah. Attackers aren't just after credit card data. Yeah. You know, the ability to to get health care related records is, you know, just staggering in the implications, especially with the the mayhem that could be caused or that kind of information.
Well and and as well, if you capture, health care records, it it's not a matter of you now possessing one credit card account that you can, you know, do something with. You typically will have enough information in in a health care record to create a complete, you know, digital persona.
And if you look on the dark web, for example, a credit card could sell for a credit card account could sell for as little as a dollar or two up through about twenty bucks depending on, you know, what the value is, if it's an American Express gold or or whatever.
But a a full health care profile of an individual will typically sell for about two hundred dollars. Moving on, why don't you handle this one?
Well, this was gonna be one of our predictions, but Krebs beat us to it. So we'll just talk about it in current trends. But this is a sophisticated skimming attack that I think is probably going to refocus some more attacks on the point of sale environment.
And this goes back to the skimmers that used to be prevalent a number of years ago. But one of the problems with skimmers, you know, if you're gonna attach a skimmer to a gas pump or or to a payment terminal, you have to find a way to power up that skimmer.
But as we've moved away from point of sale, a lot of those attacks went away. Mhmm.
And it got a lot harder to run a power cord to your skimming device.
You know, you either had to put battery pack.
Yeah. You had to put a put a battery pack on there and disguise it somehow so people wouldn't say, hey.
What's this big old thing hanging off Right.
Off the end? Or you had to run some wires to to a power supply somewhere. With this new one, you know, the move to EMV actually makes skimming more viable again, believe it or not. And that's because there that chip has to be powered up.
When you when you dip your card into a a reader, it sends a wireless power signal that that powers up that chip. What attackers are doing now is they're they can make really really slim readers Mhmm. Or skimmers that are as thin as a piece of scotch tape. They do that just by putting some little tiny wires in there that make a little antenna that power up that skimmer.
Yeah. And so now that skimmer is never going to run out of batteries and it doesn't need any internal wiring to to make it a viable way to capture that credit card data. So I think we're gonna see, more of that. It just it makes it makes point of sale skimming viable again.
And and we can see how solving the the point of sale problem with EMV just opened up, you know, another vulnerability. Yeah.
Looking at the skimmer that Krebs talked about, it was, like you said, it was paper thin. They would actually slide it into that little space, and it did not impinge the card from being able to be introduced.
It it allows them to be even more stealthy.
Yeah. Okay. Moving on in the trends, iframe jacking.
I'm gonna give this to Aaron because Aaron's actually a pioneer in this industry.
Iframes, as I mentioned in in the introduction, were considered a a security by some mistakenly a security panacea.
We we don't want we don't wanna scare people away from iframes because if you implement an iframe on your website, and you configure it correctly, it's going to be a lot more secure than than not having anything around it. But you never want to be lax on perimeter security around that iframe. You You know, you can think of an iframe sort of as a safe room at the end of the hallway in your house.
Mhmm.
You know, if you implement it correctly, the customer's coming into your store or your house, walk through your shopping cart, get to the end of the hallway, and and check out.
They don't realize that they're not in your house anymore. They're in that safe room and and away from the prying eyes, and and the less secure portions of your website.
However, you know, attackers can come in as well. And, you know, they're going to try to get their malware into that safe room to to try to capture that transaction data.
Now if you set up everything correctly, it's gonna be really hard for them to do that. But, you know, attackers are smart. They they figured out that, well, let's just redirect the customer away from that safe room at the end of the hall and divert them into a side room that looks just like that safe room, but it belongs to the attacker. Mhmm.
And so that level of sophistication in these attacks are happening where an attacker can basically come in and just rewrite the code.
You think that your customers are safe. Your customer thinks that they're safe. They don't recognize that anything different has gone on.
Mhmm.
But that credit card data is leaking out, and you end up with a CPP report, in your email. And you're wondering, how could this have happened? We're using an iframe. It's perfectly secure, and we don't even touch or see any credit card data.
But the attackers are still getting it. So you can't rest on the inherent security in that iframe. You still have to do everything you can to protect it. Your website and your own security efforts are still the frontline defense to protect that iframe.
Right. So so the three points as we show on on the slide here, make sure that you configure it first correctly, that you pay particular attention to the source.
Yes.
You know, you want to make sure you've got that those same origin policies Mhmm.
In place so that attackers can actually get down and and steal the credit card directly out of it. But again, even if even if the credit card information is safe when your customers are putting it in the correct iframe, Attackers are gonna do everything they can to trick the customer into thinking that's what they're doing when actually they're doing something very different.
Okay. Don't disregard the security that's surrounding it and make sure that somebody's paying attention and watching. So go back and look, you know, on a regular basis to see if anything has changed.
Yeah. You've got to monitor that iframe. Don't don't sit there and let and just think that it's doing its job. You've got to watch and make sure it's doing its job. Right.
So, hackers have become adept at hiding JavaScript skimming, PHP, engines.
We're seeing code appear in all kinds of strange places. Yeah. And I actually put this graphic together on this slide. It looks like a monitor that's got some TV static on it, but it's it's actually one of those stereo graphic three d images.
If you let your eyes go wonky and stare at that image long enough, you'll see that it's actually King Kong in the middle of New York City, wreaking havoc, you know, swatting planes out of the sky. So there's actually meaningful data in, you know, in that noise. And hackers are kind of taking advantage of that. Our websites have become really noisy on the back end. There's all kinds of places where attackers and bad actors can insert or inject their code.
We're seeing it in images. We're seeing it in database includes third party scripts.
A lot of times it's it's obfuscated to look like it's validation code.
Yeah. Logos.
Logos of favicon dot ICO files, and drive by ads.
So all these all these ways of getting that code onto the website, we're seeing it. It's happening out there.
So this last one, I don't know if we could exactly call this a trend, but the guy gets style points for this one. Yeah.
URL phishing campaign hidden behind Morse code.
Yeah, and this one is crazy because if you look at it, if you actually look at the code used in the attack, it looks just like nonsense.
But, you know When you put it into a hex editor?
Yeah. Well, not even a hex editor. It's not gonna decode any of this stuff when you put it. Let's see. Because the the guy created the code not to return any of our con you know, when we see attacks, you know, we can put it into a hex editor or we can put it into, a base sixty four decoder. And we can, you know, we can see what they're doing. In this case, the code actually generated Morse code.
I wouldn't have even thought to say to look at that and say, wait. What is this? What is this code? This is just a bunch of dashes and dots.
Mhmm. But that was actually exfiltrating valuable data in in that Morse code.
And so, you know, as forensic analyst, we can't just dismiss stuff that looks like garbage anymore, because that could be some strange code or a throwback to something like Morse code. You know, how old is that?
But, you know, attackers are just finding all kinds of clever ways of getting that data out of the system, even writing it into Morse code.
Well, that that kind of brings up our trivia question from last year when we said when when was the first, electronic hack of of data? And, the first electronic hack was in nineteen o three, and it was a presentation that involved, you know, Morse code. Yeah. So that's awesome. Okay.
Predictions for this coming year, twenty twenty one.
This is what we've all been waiting for, Dave.
Yeah. We're on pins and needles.
Okay. Hackers are going to increasingly target, payment iframes. We we were just talking about that. And the one of the reasons that we wanted to put this in as a a future prediction is because it is such a new, element here. Aaron actually just finished writing a a white paper that has a little interactive, thing in it that's that's awesome. In fact, what's the URL they can go to? Anybody can go to and and and look at this right now.
If you go to iframejacking dot com, you can see a basic demo of, of what's going on.
It's not anything new or, or anything that's going to, to make people, you know, think that something incredible is going on. It's just hackers taking advantage of what's already there, what's available. Yeah. But what we're seeing, you know, as as EMV successfully re focused attackers' attention on the low hanging fruit, mainly ecommerce websites, merchants started responding with trying to secure their their payment checkout. And one of the things that they do is implement a payment iframe, that outsources a lot of the more esoteric PCI compliance requirements and lets, you know, let somebody else deal with that. And for that reason, as more merchants implement those payment iframes, they're gonna get targeted more by attackers.
More embarrassing, damaging, data leaks with virtual meetings. That that, you know, that that's a given.
There's the attackers that have all sorts of different motivations behind that. But one of the ones that that concerns us, we'll get into a little bit deeper, but that's, corporate espionage.
Yeah.
And, domain name obfuscation hacks, These are different than just the look alike domains.
These are actually taking Unicode type of characters and sticking them into a URL. You know, kind of like that graphic you had back in that earlier slide where you had the fish hooks in for the j's.
Attacks that we've seen out there now will substitute Unicode characters, and it looks perfect in the URL. And a lot of times, you know, if somebody is is sensitive to what's going on, you'll look up at your address bar in your browser. Right? And say, okay. I'm gonna make sure that that this is the correct domain that I'm on.
Well, that URL address bar, in current browsers allows Unicode characters and some of those can look exactly the same as the correct letter. Sure. But you're on a completely different website.
Oh, devious.
Yeah. Number four, that ties back to to the Krebs article that we reviewed, slim skimming.
And this this again, it's it's just as the EMV, took hold, it also made skimming more effective by providing a power source to the skimmers. And that made skimming that much that much more effective.
Imagine how frustrating that would be. Let's say you you own a convenience store and you've just gotten around to updating your gas pumps.
You spent all that money to update your gas pumps and realized you just provided the attackers with a very convenient power supply.
Yeah. So our last prediction is an uptick in the cryptocurrency thefts. You know, one of the the biggest thefts that occurred in twenty twenty, were by three North Korean hackers that, indictments just went out from the United States against them, but they reportedly stole one point three billion dollars worth of cryptocurrency.
And and, you know, and I'm sitting here feeling like a victim because, all of my cryptocurrencies were were stolen from me. Oh, no. Wait. I I sold them before they became valuable.
It it happens to the best of us.
Yeah. Okay.
I put this one in because, it actually, I had a student in my one of my university courses, when we got started this semester. You know, I asked what field they were trying to get into in in forensics, and one of them wanted to specialize in cryptocurrency forensics.
Mhmm.
You know, I've been in forensics for over a decade now, and I'd never even really considered that there's a whole evolving emerging field of crypto forensics.
Yeah. Well, okay. I've got to tell on Aaron a little bit. So Aaron, in addition to everything you you know about him, he's also a university professor. And and, you know, as he just mentioned, you know, he has students in him. So a couple of years ago, probably more than a couple of years ago, but, one of the students in class asked, you know, how do you mine Bitcoin? Oh.
Can you share that with me?
You're really gonna make me share that.
This keeps me up at night still. Now back in 2009, I think it was, I had some programming students and, you know, they said, "Hey, Professor Willis, what's this Bitcoin stuff going on? How do we do it?" And so I went and figured it out, and we set up a little demonstration. I created the accounts to do it, and we let the mining software run on the school's computer for a week or so. And then we came back and looked at what happened, and we mined something. I don't even remember what it was.
Oh, like ten or twenty Bitcoin.
We mined something. But at the time, I looked at it and I was just like, that's not even worth my time to go collect it.
Yeah.
And so, of course, all the keys and everything were stored on the school's computers. So, you know, school, if you can find those old computers, there's probably some good Bitcoin sitting out there.
That's, you know, like the folks that have mined them and then lost the password and don't remember it.
And 250 million dollars' worth of Bitcoin in an account you can't touch.
Yeah. That's bitter.
Yeah. So we don't wanna give you just problems today. We wanna talk to you briefly about how to prevent, hopefully, most of these, if not all.
So we're gonna go through tips to avoid the breaches.
First, I wanted to show you where we're seeing most of the problems. Unequivocally, number one is employees, employee errors.
Most of the time, those errors are unintentional.
Occasionally, you might have the, you know, embedded employee, the James Bond kind of thing. Somebody goes to work with the intent of finding corporate secrets, but those are rare. You know, that's the one-thousandth of one percent kind of thing. Most of the time, it's just an employee who does something very innocent.
So number one, employees. Then third parties that you have a relationship with: these businesses perform some function for or on behalf of your business, but the interrelation between your company and the third party introduces some sort of a vulnerability into your company.
Yeah. That can be programmers doing things like insecure coding. Yeah. But, you know, your website itself can be a vulnerability.
I recall one case we had where, you know, the website was unintentionally providing hackers with the exact data that they needed to pull off the attack, specifically targeting employees inside of that company. You know, he coined a term, LWS, leaky website syndrome.
Let's see if that takes on.
That, you know, it's not just credit card data that attackers are after.
They can find all kinds of data that you might not realize is revealing sensitive information about your company or employees inside of your company. Mhmm. Cloud services, you know, as that article mentioned in the beginning, 70 percent of businesses out there were losing data out of their cloud services.
There's this idea that if you put something into the cloud, it's inherently secure.
You know, in my opinion, it's a little bit of a problem because the cloud service providers are saying, hey, these are just services and space.
It's your job to secure it. Mhmm. And so if you're not keeping an eye on those cloud services that you're using and implementing your security, attackers are gonna find the loopholes, you know, the gap between what the service providers are giving you and the gap in your own security.
So you've got to evaluate what security services are provided on the cloud and what you're doing with your own efforts to make sure those holes are plugged.
Okay. Another one, unpatched systems. And, you know, this has been in past years. It's still a problem. In fact, we've even brought up Magento in the past because of companies not implementing patches that were actually in place. And Magento 1 has now sunsetted completely. It's not supported any longer, and it did not take attackers any time whatsoever to go out and search for it.
And so we still see so many Magento 1 sites out there.
Yeah. And, you know, it's almost to the point where, if I see a Magento 1 site, I'm assuming you're hacked.
Yeah. Yeah. It's an assumption you've gotta make at this point. So, insecure remote access. The good news on that one is we saw less of it this past year, but it is a vulnerability that is critical that you pay attention to.
And then BYOD. This became huge in 2020 because of so many people operating out of their homes.
You know, they're both employing the remote access problems as well as oftentimes using their own personal devices.
They're using their own personal devices on their home Wi-Fi networks.
Yeah. If you've got employees working from home, you inherited their home network.
Yeah.
And, you know, if their kids are playing video games and if they're on Discord and all of these other places, if they're downloading online content, video games.
Right.
So BYOD, for those who don't know, bring your own device. So it's personal devices being introduced into the workplace.
Yeah. So you've got to be aware that your employees' vulnerabilities are your vulnerabilities.
Yeah. So we're gonna try to go through these. There's a handful of slides here. We wanna go through them a little bit faster. But one of the first things that you need to do is to address the very biggest problem, and that's the security awareness training for your employees. And it's very, very important that you include all of your employees on this.
Good luck, you know, harnessing the C-suite folks on that one. But the truth is they need that training as much as anybody, as well as upper management, because we have seen problems. You know, we saw a problem a year or two ago with a senior vice president who was visiting sites that his grandmother probably would have deemed inappropriate, and would have been disappointed in them. But, anyway, he does that. He goes back to work and, you know, logs in on the corporate network, and vulnerabilities that were introduced on his home Wi-Fi now made their way into the corporate environment.
With the training that you're giving your employees, you wanna focus on identifying phishing attempts, social engineering attempts, identifying spoofed emails, spoofed domains, things along those lines.
And so getting into the phishing and spear phishing things specifically, it was so much easier a few years ago when a phishing email started with, "Hello. I am the deposed prince of Eastern Nigeria, and I want you to help me."
They have become so much more sophisticated.
Yeah. Really. It's getting hard to tell with some of the attacks. We had a member of our own forensics team that almost fell for an attack when he was trying to sell on one of the online classifieds.
Yeah. That's right. Yeah. Somebody calls him up. So they have his phone number. Yeah. They call him up and they say, hey.
Yeah. I wanna buy your widget. But I need to know that you're not an attacker or, you know, a hacker, because I hate scammers. He actually used that.
He put in the text, "I hate scammers."
And so I'm gonna send you a code. All you have to do is turn around and send it back to me. But what he sent him was?
I think it was his Google logon. Right?
It was a Google authentication.
Yeah. His Google authentication code.
Yeah. And if he had typed it back in, he would have then given the guy the keys to his Google account.
Yeah. And I think he said that his first instinct was to be helpful and let this guy know, I'm not a scammer.
Yeah. But, fortunately, when it came to him, it also brought up the past times. You know, it wasn't just that he saw that current Google authentication, but he also saw his past Google authentications.
And he went, oh, wait a minute. Wait. Wait.
This isn't as harmless as it looks. This is my Google authentication code.
What are you doing sending me my own code?
So, you know, teaching your employees how to identify these types of phishing and spoofing attempts is critical.
Social engineering training is important as well because a spear phishing or a phishing email could be followed up with a phone call where they're trying to get additional information. So it's important that you teach your employees to challenge anything that doesn't quite feel right, if it causes any level of suspicion whatsoever or if it looks just slightly out of the norm. You know, in some cases, we will see companies where an employee in the accounting division receives an email from somebody within the company, and it actually looks somewhat normal to them, but there might be just the slightest thing off. That's where you really need to pick up the phone and call and get a voice on the other end to validate what you're seeing.
If the email is coming from the outside, you know, don't click or respond to the links that are within the email.
Go back to an email that you know is trusted and, you know, recontact that way. Or, again, pick up the phone and talk to somebody in the company that you know and trust.
It's not just employees as well. Hackers are social engineering your customers as well. You know, if you go out to that demo site that I put together, iframe jacking dot com, one of the last examples on the page is really a social engineering attack where the customer thinks that they failed to type the credit card correctly. The attackers actually already got the card, but they're returning your customer to the legitimate checkout process.
And so the customer retypes their card thinking that they mistyped it the first time, but they're actually just getting back into the system so that the transaction goes through normally. And so the credit card company's happy. They got their transaction. The merchant's happy.
They got their money. The customer's order goes through, and they get their goods.
Everybody's happy, including the hacker.
You know, it's kinda funny. We can usually tell the security posture of a company when we go on-site to do a forensic investigation. And a lot of times, it could be a franchise.
And the franchisee, you know, may not know that there has been a suspected breach, or they might not have been notified by corporate or anything. And, you know, I'll walk in the door, and I've got a suitcase in my hand with tools in it. And I'll typically say, you know, hey. I'm here to work on the computers. Did anybody tell you I'm coming?
And if the response is, no. Who are you? Where are you from?
That's a good one.
But a lot of times, it's, yeah.
Okay. Where do you wanna start?
And, you know, here.
Go into the back office.
Yeah. So, yeah, it's important to also teach your employees to challenge anybody who comes on-site and especially anybody who claims that they need to have access to your computer system.
And if they're legitimate, the person that shows up on-site is more than happy to show legitimate credentials. Yeah. In fact, they're probably even happy to do so and glad you asked.
Honestly, when they do ask, I usually compliment them for doing that. So, another thing, incident response training. You should have policies and procedures for security in your company. In addition to that, you should have an incident response team that is trained, and create scenarios where you test your security policies. And the beauty of doing this is you can test your security and find gaps in it and then have it evolve for the better. And you're doing it all at a time while your assets are not really at risk.
And one important point is it needs to be a formal written policy. You know, a lot of times we show up to respond to an incident.
And, you know, the question is, do you have a security policy? Yeah. Of course we have. Yeah. Of course, we've got a security policy. Yeah.
But it needs to be a formal document, something that can be reviewed annually.
Okay. Updates and patches. You know, I think we kinda covered off on this one, the importance of implementing your security patches and updates in a timely manner.
And especially don't ever let anything get to a sunset date.
It continues to be a big issue.
Vulnerability scans, pen tests, these are all things that will help you, hopefully, find a problem in advance. Vulnerability scans, ASVs, are required in the credit card processing industries.
It's all part of that layered security approach. You don't wanna go lax on any of the layers of security. Right.
You know, I almost left this one out because I had always thought, you know, configuring and reviewing logs, well, the presence or absence of a log never caused a data breach, but the failure to look at what's in those logs did. Yes.
And, you know, we had a case where
Or at least allowed it to go on a lot longer than it should have.
Much better said. Yeah.
You know, we had a case where they had a very sophisticated IDS system, and the IDS system was working great.
It begins throwing up all these alerts, and nobody had the assignment in the company to look at them. And what should have been a one-day breach that was very correctable for this company turned out to be a nine-month-long breach spread across 800 locations. Yeah. I mean, that was tragic. So, have somebody in your company who has the responsibility to review security logs on a daily basis.
And, you know, there's the normalcy bias that comes into play there too. A lot of times, that employee is gonna say, you know what? We never see anything in the logs.
Right.
But you have to keep looking at it.
And that person needs to be trained well enough that they know how to spot it. A lot of times, you know, we look at logs and the evidence is there. Yeah. And we presented it to the company, and they just did not have the skills necessary to identify that an attack was happening from the evidence that was in the logs.
Yeah. So the next one I wanna go to is, and, boy, we've hit this one hard, passwords and account credentials.
The thing I wanna say about passwords is we all know. They should be complex. They should be long. They should have special characters.
What I would say about passwords at this point is, without multifactor authentication in addition to the password itself, a password alone should not be considered as an element of security whatsoever anymore.
Another basic security practice: I recommend getting away from the user credentials of simply admin or administrator. Rename it to something else, because one of the first things a hacker does when he gets into your account is he's going to enter his username as being admin. And now all he's gonna try to do is break an admin password.
So if you don't have an account named admin, it makes it a little bit harder for me.
Yeah. And we should throw out a shout-out for multifactor authentication as well. Yeah. Even though hackers are finding ways around it, it's still one of the best things you can do to make sure that the person is who they say they are.
Absolutely. Yeah.
So role-based access. I mentioned the senior VP a minute ago, and I'm gonna hit on this poor guy again.
In your company, a CEO or anybody in the C-suite, they probably don't need the keys to the kingdom in your company. They probably don't need admin access throughout everything. They might ask for it. They might think they do, but they really, really probably don't.
And this is another tip where we need to change kind of the thinking about role-based access. Usually, we think of role-based access as, you know, some data stored in the system that has to do with group policies and things like that.
But as we've shifted to online meetings, role-based access has to have a much more organic meaning. And that is, if somebody is in that meeting, are they supposed to be in that meeting? Are they allowed to be in that meeting? Are they in a role that allows them to be in that meeting?
You've got to protect those meetings as if they were, you know, a secret spot on your admin website.
Yeah. So that's the role of the moderator in the meeting, to go back and say, they recognize that phone number, or they don't recognize it. Yeah.
Yeah. Who is that calling in?
Yeah. Exactly.
Yeah. Get that person to speak up and say, hey. Who are you?
Yeah. Okay.
Network segmentation. I'm not gonna say a lot on this one. You know, we've mentioned it before, but the days of having a moat around your castle and everything within the castle being considered secure, those days are pretty much gone.
It's critical that you segment your secret sauce, or the company jewels, into the smallest area possible, the smallest footprint that you can, in order to be able to provide more specialized security around it.
You know, zero trust networks are kind of another up-and-coming thing. Segmentation oftentimes is more hardware based.
Zero trust networks are more of a policy or software-based segmentation methodology.
And, you know, even if you're making use of cloud services, you've got to segment your part of the castle and make sure, if you've got sensitive files on the cloud, that they're encrypted.
Let's see. Hide the sensitive data. And Aaron just finished with the word encrypted. So if you have something that is critical to you, encrypt it. Tokenize it. You know? Make it to where if an attacker gets into your system and he obtains it, it's difficult, if not impossible, for him to utilize that information.
Be able to leverage that data against you.
Yep. It's already required, you know, with credit cards and things along those lines. Backups and encryption, this is critical in all aspects of your business. It's especially important if you get hit with ransomware.
The most important thing that you can have is a backup that was not connected to your network at the time you got the cord.
That's right. Yeah. Yeah. Unplug the cord on your backups, except when they are actively performing the backup, because, frankly, the majority of the time we're handling a ransomware case, we're looking for backups and we find out, oh, the backups got encrypted as well. The other thing to say about backups that's critical is that you run an exercise, and this might be something that your incident response team can mull over, but run an exercise where you have to restore from your backups.
You know, there are cases where companies say, oh, yeah. We've got all these backups. They're on tape under some mountain somewhere. And then they find out how difficult it is to restore from a tape backup. I don't mean to really dog tape backups. They were great when they were great.
But if you haven't restored from backups, you might find out how difficult that can be.
We performed an investigation for a company that got hit with ransomware a few years ago, and it took them three days to restore from their backups.
And those three days cost them several tens of millions of dollars in lost revenue because all they could accept were cash payments. Incident response plans, we touched on those, the importance of an incident response plan, and test your plan.
The tabletop exercise that you can do is great. I mean, that's the time when you really want to push your incident response plan so that you can find the gaps.
You can find them. You want to push it to the point of failure. You want to find out, what didn't we cover? Where does this end? Yeah. You know, where are the holes in the system? And so push it to the point of failure.
So we are nearing the end of our security recommendations.
Before we get into the questions, we do have one last security recommendation, and it's specific to one of the trends that we talked about. And that was the increasing sophistication in code injection in the shopping cart environment.
There are very few tools on the market that will help with this. And manually doing these types of searches can be extremely difficult. You know, when we were first going down this rabbit hole, I remember one investigation we did where we found more than 250 connections being made during the shopping cart checkout process. And those were the legitimate connections that were being made.
Most of them.
Most. Almost all of them.
So 99.9 percent.
Yeah. So what came out of that is, you know, we were kind of scratching our heads at the end of the year going, what can we do on this? And our team put our heads together. And one of the traditional tools that had been used in the past was file integrity monitoring.
And file integrity monitoring is a great tool. If you're not familiar with it, what it is designed to do is monitor your files. And if it detects the slightest change in the file, it is programmed to notify you about it. And so you can get eyes on and say, oh, yeah.
Yeah. Our developers made this change. Or no, we didn't make that change. The problem is that that has to be a static file.
A shopping cart environment is a very dynamic environment. And so file integrity monitoring was never really a good tool or an effective tool in that environment.
So we put our heads together, and by that, I'm taking far more credit than I should. We put Aaron's head on it and, over several months, worked at developing a website integrity monitoring tool. And, Aaron, do you want to tell them just a little bit about that?
Yeah. So, as you mentioned, we saw that there was a gap between what FIM was taking care of and what actually showed up in a customer's browser.
Again, it goes back to that slide where we have the stereographic image where the data is hidden in plain sight.
Again, attackers got very good at injecting their scripts into places that aren't covered by FIM. Mhmm. Where FIM, frankly, will never see them. That could be third party or, you know, in JavaScript that is being dynamically compiled.
And they're doing things like changing the iframe source. So we created a tool that basically looks at the data that your customer sees on checkout.
And we can monitor it on an ongoing basis, or if there's a problem, we can run that tool and see if there's any malware running on the front end that we can see.
The monitoring tool is great because if something changes in your checkout process, we catch that in real time and, you know, we can stop the bleeding before it really even starts.
And so those types of tools, as far as I know, I think we're the only one that has that specific type of a tool.
Now Aaron's being modest there. We've received at least one, if not two, patents on that. Yeah. I think it is the only tool out there right now.
So, yeah. Yeah. Not forgetting about the spiffs. That's right. So if you were able to send in your correct answers on our trivia question, like I said, we'll have a drawing, and you'll be contacted on how we can get those out to you.
We wanna thank everyone for listening today. We hope it's been helpful. We wanna now open it up for a couple of minutes' worth of questions. Go ahead and chat them in, and we'll take as many as we can.
Okay. So we went kind of long, but we're going to take two quick questions. Gentlemen, if you're ready.
Our first question is, what are some of the top attacks you are seeing for online businesses, and how can we protect against those attacks?
You know, I'll start with the first. We kind of touched on that in the recommendations there.
When you talk about businesses, if we're talking commercial businesses that accept credit cards, probably the most prevalent that we're seeing right now involves manipulation of the checkout process, where they are injecting a malicious JavaScript into the shopping cart experience.
It's extremely difficult to detect, like I said, without the type of a tool that we described right at the end that monitors the security and validity of the checkout experience.
You know, the typical AV that you're buying off the shelf isn't picking it up. So that's becoming much more prevalent.
The bad guys have just figured out ways to get around most of the commercial security out there right now.
And what has made that so difficult is that there are a lot of things that are happening during the checkout experience in addition to the customer simply entering their credit card information.
There are the metrics that are taking place that are monitoring the shopping habits and patterns. There's advertising, and the list goes on. Because of all of that extracurricular activity that's occurring in the checkout process, the antivirus tools that are out there just don't see it. They don't know what is legitimate data that's coming in, what is harmless noise, and what's malicious. And the way to protect against it is, if you have the ability to look at every one of those connections that are being made in the checkout process, evaluate every one of them to ensure that they are legitimate, and the way in which we do it is pretty effective.
In addition to that, if you have a customer that calls in and says their card was used fraudulently after they made a purchase at your location, take that fairly seriously and start looking at your checkout process.
Even if you've outsourced that payment checkout process to a third party, you've hosted it in an iframe, and you can tell the customer that, hey, we never see your card, it's all handled via a third party.
Still take a look at your checkout process. Make sure that your perimeter security around that iframe is doing what it's supposed to be doing to protect that iframe. A lot of times, once that checkout process has been outsourced to a third party, there's a natural tendency to say, oh, good. Okay. We're not responsible for that checkout process anymore. We're good to go.
That iframe is still being hosted on your website, and therefore it's still your responsibility to protect that iframe with just as much due diligence as you would if the card was being put right into your own website.
So, keep practicing best security on your website even if you've outsourced the checkout process.
Thank you, Aaron. Are there additional recommendations you have for companies keeping their employees remote?
Do you want me to take this one, David?
Yeah. I can start and you can chime in.
The very first and critical element is that you need to make sure there's a VPN in place when they're making the connection.
You need something between them and your corporate environment.
And ensure that the remote access protocol is requiring multifactor authentication for them to get in.
Ensure also that your multifactor authentication is not in an always-on state, so that when they are done, their session is terminated.
Yeah. This also gets into the area of who's responsible for what, or what I like to call gray area networks.
You know, where are your employees logging in from? Are they at the local Starbucks doing work from there, or are they home on the same network that their kids are playing video games on?
Whatever network they're logging in from, you might be inheriting the vulnerabilities of that network.
So you've got to take into account the security environment that your employees are gonna be logging in from.
A lot of times, one of the best things you can do is make sure that they're not using their personal devices while they're working remotely, that they're using a company-issued laptop or mobile device or whatever it is that they're using to remote in. And that way, you can kind of take responsibility for that remote environment and say, hey, you're on a company laptop. You will use a VPN. You will have antivirus installed on that. That's a little bit more difficult if an employee is using their own personal device and you don't have quite as much control over what software they can be running on that device.
Yeah. And probably a policy that says that the device that you issue them can only be used for company purposes.
Right.
You know, and hopefully that would prevent them from going out and visiting sites that are known to be rife with malware.
Well, thank you, guys. I think that's all the time we have for questions today.
So just a quick reminder, we will be sending out the recording of the webinar within the next day or so. And for those of you whose questions we were not able to answer, we'll be reaching out to you. So thank you for coming today.