2022 Forensic Predictions Webinar

Watch David Ellis and Aaron Willis discuss common security failures, 2021 forensic investigation findings and 2022 forensic predictions.

SecurityMetrics VP of Investigations, David Ellis (GCIH, CISSP, QSA, PFI) and Senior Forensic Analyst Aaron Willis (CISSP, QSA, PFI) discuss:

  • Common security failures
  • 2021 forensic investigation findings
  • 2022 forensic predictions


Transcript of 2022 Forensic Predictions Webinar

Good morning, and welcome to our webinar. My name is Sarah Kemple, and I'm marketing events manager here at SecurityMetrics. Today's webinar, 2022 Forensic Predictions and What Happened in 2021, will be given by David Ellis and Aaron Willis.

David Ellis is VP of investigations here at SecurityMetrics.

He's a former commander with the Oakland Police Department, and he has over 30 years of criminal investigative experience.

He's also a PFI, GCIH, QSA, and CISSP.

Aaron Willis is senior forensic analyst here at SecurityMetrics, and he has over 15 years of diverse experience in all aspects of IT security, business intelligence, data mining, SAS consulting, and programming.

He also has a master's degree in digital forensics and is a CISSP, QSA, and PFI.

A little housekeeping item, and we get asked this often. We will be sending the slides and the recording of this webinar out tomorrow.

Also, throughout the webinar, if you have any questions, please chat them in. We will address as many as we can. And if we don't get to your question, we will reach out to you on an individual basis.

Now let's get on to the presentation.

Well, thank you, Sarah, for that introduction. We will do our best to live up to it and provide some useful content for you today. Okay. So let's go ahead and get into why we're here today.

As you know, we like to begin and end our discussions with our predictions.

And so last year, our predictions for 2020... now let's go ahead and start where we left off.

Alright. One of our first predictions was that hackers will increasingly target payment iframes.

I also speculated that SAQ A might be deprecated.

And so how did that work out?

Well, SAQ A, in fact, was not deprecated.

SAQ A, as you know, basically says that you've outsourced a lot of your security concerns to a third party. And so you're sort of washing your hands of your security there and putting the responsibility elsewhere.

Well, tell them why you thought that SAQ A would be deprecated.

Well, with iframes, there was kind of this idea that if you put an iframe in place, that was enough of a security enhancement that you literally could say our card data is now secure. It's locked away. If we look at the slides here, I've kind of put together three things that kind of give the perception of what's going on. SAQ A kind of treats these iframes like it's a big strong safe.

In that first image there, you can see everything's been destroyed all the way around that safe, but that safe is standing there nice and strong.

But to a hacker, that just means opportunity. Right? So if we look at that second image, if you don't protect that iframe, the hacker basically has unlimited opportunity to try to crack that safe. If we use iframes, we wanna make sure that we're not just sticking it there and washing our hands of the security.

That third picture there is more like what an iframe should be, where you've got that iframe on your website and you're building layers of security around that iframe, you know, putting it in a safe room, so to speak.

And now, how would forensic investigators look at the iframe?

Yeah. We saw all kinds of iframe attacks, including complete bypass of the iframe.

So if we look at this funny little cartoon, you know, these dogs waltz into the dance studio, grab the cat, and waltz right back out. Yeah. That's kind of how we saw a lot of iframe attacks where the attackers would come in posing as just regular customers, grab the card data, and waltz right back out with it.

Now don't get us wrong. Iframes are still a very important part of your layered security.

Yeah. Yeah. We are not discouraging use of iframes. In fact, we encourage you to use iframes.

They can be very secure if your website is secure. It's kinda like, you know, putting a safe in your house, but not locking your front door. Yeah. Yeah.

You wanna you still wanna make sure your front door is locked.

Yeah. Alright. So our next prediction, domain name obfuscation attacks in the wild. And this is where we describe that instead of using the normal characters that you would, you know, have on your keyboard, attackers would create look-alike domains, look-alike, you know, URLs, substituting ASCII or, excuse me, Unicode for the traditional code. Probably the best way to see how this has played out is, you know, I went online and found tools, and a cottage industry has sprung up from this.

I think you had far too much fun with this one.

Well, so a couple of the things that I found early on is, on the left of the image, you can see a manual that was created, Hacking the Web with Unicode.

That's pretty direct.

And it's a great tutorial. It's done in a very dumbed-down language. It's easy to follow. But the one that captured my real attention was the one on the right, which is not a manual. It's actually a tool where you will simply cut and paste the URL that you want to copy.

You put it in there, and then it's going to generate all sorts of options for you to choose from.

It'll go find the characters that can easily be converted to Unicode characters.

Yeah. And so what you get at the end of this is a URL that looks exactly like the original URL visually, but the computer's gonna see it completely differently because it has Unicode characters in it.

That's not where this one stops, though.

This one then goes on and gives you options to register the domain and set you up completely to be able to then, you know, use phishing techniques or whatever to, you know...

They offer hosting as well?

No. I did not see any hosting options. But, anyway, so, yeah, this attack methodology is nefarious. Alright. Our third prediction.

Oh, on this one, we predicted that we'd see an increase in slim skimming.

Yeah. Or, as it's also called, shimming. And this is the idea where attackers, instead of putting an old-school bulky skimmer onto, like, a gas pump or an ATM, can create just a little small electronic device that slips right in between the reader and the credit card.

And surprisingly, we nailed this one.

Shimming is a perfect example where the solution created a new hacking opportunity.

And that's the EMV chip. When you slide that card into a reader, it actually powers up the chip wirelessly.

Previously, if you're going to install a skimmer, you had to get a power supply to your skimmer.

And so you had to run wires and cords and tie into the power supply somewhere, or you had to use batteries and come back frequently to change the batteries. In this case, these new shimmers, or slim skimmers, use the same power source that powers the chip on your credit card. And so we saw a number of attacks, even one close to home, you know, down in Saint George.

Credit card skimmers were found down there. And, reading through the articles on there, we can see that, you know, the police had a lot to say about these things. They say there's little you can do since the skimmers can't be seen on the outside of the machine. There's no hint that there's anything wrong there because these devices are so small. As you can see in the picture, they're just a few centimeters across. And so they can slip right in there.

Yeah. So the defense on this one is really on the part of the merchant. Yeah. You know, the owners of the gas station, owners of the ATMs, things like that, to have monitoring so that, you know, people who walk up to the ATM or to the gas pump at night are gonna be caught on video. Yeah. Something like that.

Skimming is rarer than other forms of attacks. But, you know, as we can see, you know, thousands of bank customers were getting hit with these.

And, you know, some police departments are kind of pulling their hair out. Yeah. You know, because these things are so easy to create now.

Yeah. Okay. So our fourth prediction last year was an uptick in cryptocurrency thefts, which I don't think was a big stretch for anybody until you see just how big that uptick was.

Crypto scammers last year were able to garner $14 billion illicitly. That's incredible. Yeah. It's just amazing. That's a 79 percent increase over 2020. Now, to look at the picture more accurately, of that $14 billion, only $3.2 billion was stolen directly from, like, a crypto exchange where they actually got in and, you know, physically, mechanically stole crypto from someone's account.

The remaining, what's that, $12.8 billion was actually stolen by way of scams, phishing scams, where people voluntarily, if you will, gave up their... Yeah.

...sort of stuff. There's some engineering going on. Yeah. I noticed, you know, on YouTube especially, a lot of the people giving crypto advice there.

Scammers go in and create fake accounts like they were the expert giving the advice, and they would contact people and get them to, you know, send crypto to the, you know, hacker's account.

Yeah. Now I don't wanna downplay, though, when I said only $3.2 billion was stolen directly from exchanges.

That's $3.2 billion.

That's still a lot of money.

So, yeah. So I think we saw that one come to fruition as well.

Moving ahead, looking at what we are seeing currently going on today that is affecting websites, that's affecting point-of-sale merchants, that's affecting you and me as we make purchases.

Why don't we start with Aaron on that?

One of the ones we have to mention, because it's so huge, is the Log4j zero-day exploit, also known as Log4j Shell, or Log4Shell.

And this was actually first detected in a video game. The Minecraft servers were hit with this.

And what we mean by zero-day exploit is that the bad actors knew about it before the security experts did, and so they were able to exploit this flaw for quite a while before the security experts knew about it.

By the time security experts knew about it, there had already been millions of exploit attempts by the attackers. Yeah. This was so severe that it got a CVE rating of 10 out of 10.

Now that's the Common Vulnerabilities and Exposures rating.

This thing was hard to patch. They've already released four patches to try to fix this.

But it's an extremely simple vulnerability to exploit, and it allows for remote code execution by sending just string commands, basically.

And it's affecting just about everybody.

Amazon, Apple, Cloudflare, Google, Azure, Twitter, Steam. All of them are getting hit.

Now when you say Amazon, for example, so, you know, like most people, I shop a lot on Amazon. Are my personal credentials at risk?

It could be. It depends on, you know, the website you're hitting.

But different services on Amazon, like Elasticsearch and things like that, definitely have struggled with this issue.

Okay.

The next one we'll talk about is Chrome. This one, you know, we didn't really see this one coming. But in 2021, there were at least 16 zero-day vulnerabilities that hit Chrome. And these were pretty amazing zero-day attacks.

These were attacks against the browser itself.

Things like the JavaScript V8 engine were actually exploited, and there are exploits in the wild.

Things like memory leaks or, you know, what they call use-after-free.

And that's where memory space in the browser, you know, it's shut down, but the data still remains there. And other applications running inside of the V8 engine can actually go grab that memory space and steal data out of there. So if you were running something like one of those browser extensions that finds you a discount...

That can read the data on the page that you're shopping on.

Is there anything that a user or a business needs to know about this or needs to to be able to do to defend themselves?

Well, Chrome has billions of users.

Right? Yeah.

What you have to do is make sure your website is not allowing the attackers to get in and mess with the JavaScript on your website, even if you have a secure iframe.

You know, if an attacker can get in and run JavaScript on your website, your customer's browser, maybe they didn't update their browser with a security patch. And so an attacker running JavaScript on your website can use a zero-day attack and possibly steal your customers' credit card data right out of their browser.

The next one is WordPress. You know, this one, you know, due to its open-source nature, it's always been a struggle to keep the WordPress site secure. But they were just hit with numerous plugin exploits.

All kinds of backdoor exploits were being inserted, supply chain attacks where people supplying WordPress themes... I think we saw, you know, dozens of those exploited.

And has it been patched?

Well, it's really important to make sure you've got those patches.

You know, as soon as an exploit goes out, attackers start hitting WordPress sites just as fast as they can, trying to get ahead of any patches that get applied. So, you know, we encourage our customers to get those websites patched within at least 24 hours of a patch notification.

Okay.

Alright. So this next one has been on the radar for quite some time. But the reason we put it into current trends is, for one, it's still there, and that's ransomware.

2021 saw a 55 percent increase in ransomware attacks over 2020, with a total of 2,686 recorded successful attacks. That's over 50 per week. Yeah.

Attackers' ransom demands also increased. They increased by 36 percent. In 2021, the average ransom demand was $6.1 million.

HIPAA-related ransom attacks also increased 61 percent.

But what's kind of interesting is their market share of the total attacks went down.

They were number six on the list as far as the most targeted environment, which is down from number four last year.

So I guess that's good news.

Anyway, one of the most startling cases, however, in 2021 was the attack against public infrastructure with the ransomware attack against the Colonial Pipeline. That was back in April. It appears that the attackers were able to discover login credentials for the employee VPN at Colonial after they had captured, or bought or whatever from the dark web, one of the Colonial employees', you know, login credentials. And those credentials had probably been captured outside of the Colonial environment.

So what it meant, or what they suspect, is that this particular employee was using the same login credentials for some other type of application, some other environment, that they were using for the employee VPN at Colonial. Anyway, it enabled the attackers to log in to the VPN and take control, and, you know, launch this ransomware attack.

Colonial, immediately fearing what that gave the attackers the capacity to do, completely shut down the entire pipeline, which they had never done in the 57 years that the pipeline had been running.

They ended up paying the $4.4 million ransom. They paid it to a criminal organization in Russia.

And... That sounds like a good argument for not reusing passwords or changing your passwords... Yeah.

...rather frequently.

Yeah. Yeah. I think that definitely strengthens that argument. So ransomware, you know, it's a current trend, and it's also been hanging around forever. But the reason it's there is twofold.

One, they haven't fixed it, and two, they're still making a lot of money off of it.

Yeah. And we've got a future prediction too around ransomware. Am I right?

That we do. Yeah. Yeah. I'm glad you teased that one.

So... Alright.

This is one we saw quite a bit this year. It has to do with tokenization.

When tokenization is set up and configured correctly, it's fantastic. It's really great, especially when it's combined with a secure iframe.

It reduces any chance of skimming that credit card number.

It reduces it down to exactly one. You know, a bad actor has one shot at getting that credit card number and that's right when the customer is typing it in. So they have to get on the page and be there at exactly the right time.

When tokenization is set up correctly, we should only ever see that credit card get transmitted once.

Yeah.

And when that happens, it's a really secure way of setting up your payment data if it's posting directly where it's supposed to go. But what we saw was, even though merchants were making use of tokenization, we would see that the card number get tokenized in real time. But then we'd see something odd happen. We'd see another post, usually back to the merchant's own web server, where the card data was posted in plain text again.

Then you go, how did that get there?

It's like, wait a second. That kind of defeats the whole point of having tokenization.

And, you know, some merchants say, well, yeah, we're doing that because we need to do these things with it.

But, you know, you're missing the point of tokenization. Tokenization lets you post that card number once and then never have to use that card number again, reducing the surface area that can be attacked. So if you're posting the data back to your server after it's already tokenized, you know, a plain text credit card number, that's another opportunity for the attacker to get it, and it defeats the purpose of tokenization.

Okay. So let's move from there into our predictions for 2022. I mean... And when we say 2022, we're talking, like, from today, the 12 months out, the things that we haven't seen just yet.

So first up... Oh, back to these zero-day attacks.

Yeah.

I think we're going to see some pretty severe payment iframe breaches with payment completion, so all the way through, via some of these zero-day attacks.

Now when he says payment completion, what that means is iframe breaches have been around for a little while. But, typically, what you would see on that is if you're on an ecommerce site and you make a purchase, and all of a sudden you get a note that says, oh, you know, please re-enter your card data. You know, it didn't capture the first time. Well, what's happening on the back end is the attacker got it the first time, and the second time you enter it, then that's forwarded to the processor.

However, the more sophisticated environment is you enter it once and the attacker gets it, and then it goes off to the processor.

Yeah. With some of these zero-day attacks, especially the ones using JavaScript, you know, where they have access to the JavaScript engine.

You know, there are all kinds of things going on with things like Node.js and Angular.js, where attackers are really working hard at exploiting some of those vulnerabilities. And I think we're going to see iframes broken that way, where, you know, they're using the browser itself to capture the credit card data.

Okay. Our second prediction for next year is that you're going to begin seeing mobile devices become primary targets of skimmers or other, you know, forms of data breach.

You know, in the past, it's been where you had Square and, you know, Stripe and some of these other, you know, mobile device processing that appeared immune to data breaches. That's not so much the case anymore.

Especially on the consumer side.

In the past, there was a hacker tool out there called Inter that was designed to get a skimmer inserted on the checkout page inside of a desktop browser.

Recently, we've seen that reconfigured or remade into something called MobileInter, which is specifically designed to not run on a desktop, but to run on your phone.

And, you know, with the increase of people shopping using their phone, that's going to be a big problem. I think we're going to see a lot more attacks where it's exploiting things on mobile devices, especially your cell phone.

Yeah. So our next prediction.

An increase in use of anti-forensic techniques in credit card skimmers.

And at first blush, it would seem like this affects forensic analysts. Right? You know, people that are trying to solve... Yeah.

We'd be the only ones that would really notice.

Yeah. But it's actually very impactful to the merchants as well, because the harder it is for a forensic analyst to detect an attack, the longer that attack goes on and the more card data is lost. So we put up a chart here that has a number of the different anti-forensic techniques that hackers are using. And we're going to see a lot more of those, especially again on the mobile platform.

Yep. And this is also another reason that you're going to wanna keep things like your antivirus and your other defensive tools as up to date as you possibly can, because they're going to try to identify some of these things to the best of their ability. Yeah.

Okay. And our last prediction for this coming year has to do with one of my favorite topics, and that's ransomware.

Aaron mentioned a minute ago that we believe that you're gonna see a change. And that's traditionally ransomware. You know, you come in, you open up your computer, and you get that lovely note that says, oh, gosh. You know, we've locked up your computer. And if you wanna get access to your files again, you've gotta pay the ransom.

However, I think what we're going to see is less of the encrypting of your files and more holding the confidentiality of your files at ransom, meaning that they're not going to encrypt your data.

They're going to say, we have captured your data.

And if you don't want us to provide it to your competitors or, you know, put it out into the public environment in some way or in some other way exploit this...

Sell it on the dark web?

Yeah. Sell it all on the dark web or whatever. Some other form of exploitation, you then need to pay us the ransom. And the reason that you're seeing this is actually a nod to people doing, or businesses doing, some things correctly.

One of the best defenses, if not the best defense, for ransomware attacks in the past has been to ensure that you have backups that are current and not connected to your network, where they could then themselves become encrypted.

And businesses have been hearing the need for doing that. And so when a ransom attack comes in and they go, we got hit. Alright. We need to scrub this, and, you know, it's time to rebuild. They rebuild their system. They're up and running again and never pay the ransom.

The downside of that one is they still got your data. Yeah. Yeah. One case that I'm personally familiar with, the company paid to have their data unlocked.

They paid the attackers not to publish it. But then six months later, the attackers came back to them and said, six months has gone by. We still have your data. We're gonna need, you know, another X amount of Bitcoin. Yeah. To keep it confidential. So if they've got that data, they can just keep, you know, double dipping all they want.

Yeah. Yeah. It's the proverbial... you know, you are dealing with thieves. Yes. And there is little honor amongst thieves.

So, hopefully, nobody hearing this is going to fall victim to any of this. So we're going to transition now into tips to help you avoid having the misery of any of the things that we've been talking about up to this point. We're going to go through it kind of succinctly, or fairly quickly.

There are a lot of points to it. As Sarah said before, we are going to share these slides.

This is not a complete panacea of everything that you need to do to secure your sites, but these are, in our estimation, the most critical things you should be focusing on. It's important to understand that your security is layered, kind of like an onion. You know?

So these are many of those layers, but you also need to look at the individuality of your particular environment. Every business is a little bit different, and so these aren't going to necessarily fit perfectly into every scenario, but they are things that you need to be aware of and cognizant of employing the security principles behind them.

So first, if you're studying NIST, for example, employees continue to be the number one weakest link, if you will, for introducing vulnerabilities into your system.

You know, employees are necessary, but what it means is it's going to speak to the importance of ensuring that we train our employees. And we'll get to some of the specifics of what we need to train them on.

A lot of that also comes from the change in environment that we've seen with COVID, where so many more people are working from home. You know, their home network becomes your network.

Yeah. Absolutely.

Yeah. And that brings up, like, the last bullet point right there, the BYOD, you know, bring your own devices.

You've got these company computers that are on the home network, and then on those occasional times when they're back in the office, they now are on the, you know, the business network, with the potential of migrating any problems that occurred at home.

Yeah. I mean, I just did an audit of my own home network and noticed that my piano, it connects to the Internet. I found people trying to hack into my piano using the default username and password. Luckily, I changed it, but I didn't even know my piano had a username and password.

I have a dehumidifier in my home that has a Wi-Fi connection and a potential avenue into our network as well. So, going to the security awareness training for your employees, I mentioned NIST a second ago. It's actually five out of the top seven attack vectors that NIST identified are all employee related.

So holding regular employee training is critical. And this includes the upper management and the C-suite. We've seen situations where a senior vice president says, you know, yeah, I need to have access to the entire, you know, company environment.

And the one that comes to mind, you know, a senior VP visiting sites that his grandmother probably would not have approved of.

That's a good way to get malware on your machine.

Yeah. And then he goes, you know, logs in at his office, in the corporate environment, and introduces problems into the corporate environment. So training your employees on do's and don'ts and how to keep your environment safe at work, very specifically training them on how to identify phishing attacks, spear phishing attacks.

They've got to learn to recognize those subtle little details in emails, lookalike domains, those types of things.

Right. You know, and truly, phishing attacks a few years ago were a lot easier to identify than they are now. And I'm not just talking about the email that you get that says, you know, the deposed prince of Nigeria wants to, you know, give you money or whatever. But the ones where you could look at the URL, or, you know, the email address that it came in from, and it's clearly, you know, not coming from Amazon. It's coming from, you know, ACME, Acme, whatever.

You would see things that were misspelled, unsolicited attachments.

The company name didn't match, or it started with Dear Sir, Dear Madam, you know, something like that.

Yeah. There's also a lot of account takeover attacks happening where people will send you a code that you're supposed to send back to them. What you don't realize is that, you know, it's your two-factor authentication code to get into your company network.

Yeah.

Yeah. So one of the things that, well, that we have seen is that attackers will get into networks, and they will monitor email traffic within the company so that they can get the flavor of what a legitimate email from the CEO or the CFO looks like, and then they will mimic that. There are a few things that should stand out to you if an email is asking you to transfer funds.

No matter what your written policy in your company is, that should trigger the necessity to pick up the phone and to call that person and directly get their verbal authorization from the voice that you recognize.

We have done, sadly, more than one case where we have seen millions of dollars transferred from one account out to what they thought was a client, and it was now going to, you know, an attacker's.

You know?

Yeah. And don't call the phone number in the signature of the email.

Yeah. Use the number that's stored in your contacts.

Yeah. Yeah.

Don't just click return, you know, or return the email or anything like that.

Use trusted contact methods and teach this to your employees.

Have them make it a habit that when they get an email that requests any type of potentially sensitive information, to reply through a previously known legitimate form of communication.

And like I said before, if it's asking to transfer funds or transfer W-2 information, you know, we've seen that one, make sure that there's a verbal verification.

The next thing to train your employees on is to spot social engineering. And social engineering can come in through a phone call. It could come in through an email. It could come in through somebody walking through your door. So you need to create a culture within your company that your employees are willing to challenge.

They're willing to challenge people who are wandering around their building that look lost, or might not look lost, but they recognize...

They might look like they know exactly what they're doing.

Yeah.

And, you know, have them challenge them. Ask for credentials.

You know, there's the old attitude trust but verify. And I would add to that, don't trust very much.

Verify a lot.

When we go on-site, it's really easy to kinda see what the security posture of a company is, you know, even from a top-down approach. I remember going on-site once. We met with a small business that had suffered a data breach, and the owner of the company was just, you know, really upset with his employees that just didn't follow the rules or whatever. And we ended up finding the breach on his own computer. Yeah. For not following his own rules. Yeah.

You know, and I like it too, because when I show up on-site, typically, the first people I talk to have no idea I'm coming. And I'll just say, hey. Did they let you know I was coming to work on the computers? And sometimes they'll say, oh, which ones do you have to see, or, where do you wanna start? And then, you know, they haven't asked for any credentials or anything. I'm just, you know, a guy holding a bag, and they show me back to the computer. I say thank you.

So next, go ahead with this one.

This one is so important, and it's so easy to miss. This is just make sure you're consistently updating and applying those security patches and hotfixes, you know, OS patches, antivirus patches, updating the firmware on your firewalls, your intrusion detection systems, the file integrity monitoring.

Just because you're up to date though, don't assume that your customers are. Yeah. Again, we go back to these zero day browser attacks.

You've got to make sure that you're not the weak link in that chain where, you know, a security vulnerability on your own website can allow an attacker to exploit a vulnerability on your customer side.

Vulnerability scans and pen testing.

Vulnerability scans will point out some of the most glaring things, you know, configuration issues, open ports.

But, really, you should be running a pen test fairly regularly to get your money's worth, to make sure you're testing those areas that an ASV scan simply can't get to.

And I know a really good tool that pen testers can use now to check for Unicode being used.

That's a great one.

So next, logs. Now you might wonder how can a log, or absence of a log, be involved in a data breach. What it really means is if you have good logging going on and somebody has the task to be reviewing your security logs, it can greatly reduce the window that your company is exposed to a data breach or the effects of a data breach. We were involved in a very large-scale investigation that involved just shy of a thousand retail locations.

And as we were poring through the data on this, and this breach had gone on for about nine months.

As we pored through all of the data, we ended up discovering that they had IDS logs that were throwing alerts on day one of the attack, and nobody was watching. If they had had anybody tasked with the responsibility to review the security logs, they would have caught it on day one, shut it down, and it would have never been an issue for them.

And it's important to make sure that person is qualified to know what those alerts mean. You know, sometimes you get, you know, a bunch of stuff that looks like just random data coming through your logs. But, if you know what you're looking at, you would be able to say, oh, that's actually an attack.

Yeah. Yeah. Absolutely. So next, passwords. Passwords are still an important level of security.

They should never be used... well, you shouldn't ever rely on a password as an independent level of security. It should always be accompanied with multifactor authentication. So after you enter your password, you have to enter some other type of authenticating information to identify you. And remember all the things that we have been touting for years on the complexity.

It should be very complex, not found in a dictionary, utilizing a lot of special characters.

And an important part is when you go to change that password, don't just add or change a single character or add an exclamation point at the end.

We saw something about that last time. Yeah. AI stuff. Yeah. Getting those passwords.

That's right. Yeah. So there was an AI tool that, in twenty six percent of the cases where people modified their password, the attacker's AI tool was able to identify the new password. So, again, multifactor authentication. Don't use defaults in your usernames, such as admin, administrator, guest, or anything. Get rid of those accounts because that, you know, just gives the attacker a leg up. He starts with admin, and now all he has to do is try to brute force your password.

You mentioned the benefits of third party checkout. Mhmm. That's one of the best things you can do, especially if you're starting out as a new merchant, or you're having security issues, you're having trouble securing your website.

You can move that checkout process to third party hosting. This is where your payment processor actually hosts the specific checkout process, or even just the credit card fields themselves, in an iframe on your website. So it's seamlessly integrated. Your customers aren't going to feel like they're leaving your website, but you can move those high risk moments in that checkout process to a third party.

Again, you know, you don't want to leave that exposed. You still want to make sure your website is as secure as you can get it. But if you move that checkout process and use one of those tokenization schemes, you make it extremely tough for the attacker to get in and actually get that credit card number right as the customer is typing it in. Also, you want to make sure you're hiding sensitive data. You know, make sure you're protecting all of the extra data that goes along with those credit cards: your customer's address, telephone number, email. That's all valuable data. We often see attackers harvesting that data as well.

So if you are grabbing that data, you want to encrypt it.

Make sure you're storing it in a secure manner.

Make sure you're not storing credit cards if that's not a critical part of your business processes.

Yep.

So the next is, backups.

And when we've talked about the importance, it was illustrated by the attackers recognizing that their ability to ransom a company on their encrypted files has gone down, because businesses across the country are getting better at backing up their data, and backing it up in a manner where they can quickly restore from those backups and those backups aren't at risk of being encrypted. So the keys to your backups are that they're disconnected, or they're only intermittently on your system, so disconnected.

And, also, you need to test restoring from your backups.

We've seen cases where businesses settle. Yeah. Not a problem. You know, we have backups. We, you know, we back up every day.

And then they pull out these tapes, and they go, okay. Have you ever restored from tape backups before? It's doable.

But in one case, a large chain up in Eastern Canada, they had eight hundred stores that got hit with ransomware. And they had backups, but it took them four days to restore from the backups. That was four days where they could only accept cash.

Another important point. You know, in this day and age, you may wanna even back up your backups.

Sure.

We saw a case earlier this year where the attackers simply waited for the backups to be plugged in. And the moment the backup devices were plugged in, they ran their encryption tool and locked up their backups, and they did not have backups of their backups.

Yeah. So what's your thought on cloud backups now?

Cloud backups are great, but make sure you've got backups of your backups going on. A lot of them do have those. But if your keys are stolen, the attackers can go in and just delete those backups.

Yeah. Okay. Incident response plan.

This is important, not as a defense, but as a tool to strengthen.

Not as a direct defense of attackers being able to get into your system, but it's a tool to help you identify strengths and weaknesses in your defense posture for your company. So, the importance of an incident response plan is to identify the resources that are needed and the individual responsibilities that have to be carried out during a suspected data breach.

You also want to take the attitude that it's when you have a breach, not if.

Right. That's a great point. And then after you have your incident response plan in place, you need to test that response plan. So at least once a year, you know, you wanna have your whole team, your incident response team, come together and work through some tabletop exercises.

You can find some of those on your own, or if you need help, there are businesses, we do it, and others can help facilitate incident response exercises for your company. And the importance here is that you can practice and test your response to an incident when there's no actual company or client assets at risk. This is really the time to find where you have holes in your plan, and then you plug those holes and you build on it. And then the next year, you do it again, you know, going through these incidents. And the most important part is, what didn't we get right in this exercise?

Also, depending on the nature of the business that you do, you might be under the obligation to hold these. FedRAMP, for example. If you are looking for FedRAMP compliance, you're required to hold tabletop exercises every year.

And, of course, when it comes to your own programming, you've got to make sure you're sanitizing and validating your code.

We still see SQL injection happening all over the place.

Be wary of any third party code you're bringing into your card data environment.

We did a great job in protecting point of sale environments.

You know, we we if you wanted to bring something into a point of sale environment, it had to be vetted.

You know, you had to be on the approved list.

But with websites, there are so many third party scripts that are so powerful and provide such a huge return on investment that the need to plug those in to earn more revenue or whatever often bypasses best security practices.

And we end up with, you know, ad networks present when credit card data is being typed in. And it's really difficult to want to shut those down because they provide such a great return on that investment. However, if those ad networks have malvertising that scrolls through, that's, you know, a customer that loses card data. Yeah.

I'll tell you. If you have an ecommerce website, it's important for you to understand how much activity is occurring during the checkout process. You know, it used to be, you know, your customer would go to your shopping cart, enter their credit card data, and that credit card data would go off to the processor. And that was about all that was occurring. But now you have data analytics, as you mentioned, advertising, and we have seen cases where there are literally hundreds of connections being made during that shopping cart process, these connections from third parties. And so I would strongly recommend that you look for a tool that will perform website monitoring, shopping cart monitoring and inspections, you know, that's evaluating all of this activity that is occurring during the shopping cart experience.

If you're not doing that, there's just so many ways that the attackers can get through to your customer's card data.

Unfortunately, don't we have a tool like that?

I I think I've seen one.

So that brings us to the point where we can entertain a couple of questions. I know a few have been chatted in. We don't have a lot of time left. So if we don't get to your question, I think what we can do is probably answer you directly, you know, via email or something along that line. We'll make sure and get an answer to you.

What is the best way to set a new ecommerce site up for success with cybersecurity?

So other than the last twelve or fourteen slides that we just showed, you know, I would say, yeah, just focus on those and don't miss the point we made at the end.

Yeah. That point being, if you can get set up with third party services, especially if you're a new merchant and you're working on getting a revenue stream coming in, you know, outsource as much of that risk as you can, but never think your website is absolutely secure. Yeah. Even if you're using, you know, complete third party checkout services.

Make sure your website has security in place.

Yeah. And make sure you employ a tool that is evaluating the checkout process.

In the future, can AI become a threat for data safety and security? If so, how do we secure against AI?

I think it's already a threat.

How prevalent it is is a matter of timing.

And what he means by it's already a threat is attackers are already using AI to go in and look for vulnerabilities in your system. And then when it alerts the attacker, then the attacker will take a more hands on approach.

You know, if we look at the more sophisticated answer, yeah, AI is getting highly advanced, and they're cracking things that normally would have been out of scope. But to battle that, we're gonna have to have our own AI that's gonna counter that.

Yeah.

That it's going to sense that there's something, you know, going on in your system, where you have an evaluative process, you know, occurring that the AI is...

And we are seeing some of that already in, you know, really well put together intrusion detection systems and intrusion prevention systems.

There's some AI going on there as well that's looking at heuristic things.

What is the biggest security concern that keeps you up at night?

Do you want me to take this one?

Yeah. Go ahead. I think I know what it is.

For me personally, it's those websites where there's just a trickle of card data loss each month, you know, just above the baseline, enough to make you think that there is probably something happening, but you've torn that website apart and you just cannot find anything wrong with that website. And, you know, just month after month, that card loss keeps happening.

Yeah. A lot of times that's occurring because the attacker was brilliant in their approach, and the malware that they're employing is iterative, to where it's only occurring every... and we've seen it spread out, like, every seventeenth transaction gets captured.

And, you know, it can be further complicated by, you know, minimal logging in place. So we just don't have the visibility that we would need to get in there and really figure out what's going on. Yeah. Especially with new cloud services, you know, we see headless web servers running Docker containers that are not logging transactions the way they should.

For me, the things that keep me up at night are the zero days. And that's where you don't know what you don't know. Yeah.

And you don't find out about the vulnerability and... We saw so many of those last year, and this year even starting out, you know, so many of these big companies.

You know, we've already got, you know, ten, twenty vulnerabilities, zero day vulnerabilities, on some major pieces of software out there.

Yeah. And the reason these happen, developers, you know, they can do a very good job at trying to scour their product before it goes to market for any security vulnerabilities.

But, eventually, that product has to go to market. And once it's out there, the attackers now have an unlimited opportunity, an unlimited amount of time, to try to leverage it.

Especially on a number of these open source platforms. Yeah.

What frequency do you recommend simulated phishing testing and other incident response testing be conducted?

Should I take that one? Sure. Okay.

So there's kind of two answers on that one. For your team to come together to do a tabletop exercise, minimally, you should be doing that every twelve months, you know, once a year. But in the background, I think ongoing testing of your employees on phishing and social engineering should be taking place.

Here at Security Metrics, our IT group, they will periodically send out a phishing email to the, you know, the company base to see which employees will bite on it. And then, you know, they handle it great. It's not a matter of shaming or anything like that. If, you know, if you bite on the phishing email, then, you know, it becomes a training thing.

That's a really good environment for your company to have, so that, you know, once they see these a couple of times, it raises their awareness to it. And so, hopefully, they will scrutinize the incoming emails.

In forensics, we open them all the time anyway.

Well, yeah.

In a sandbox environment. Like, oh, what's this? Yeah. This looks interesting.

But, yeah. So the two answers: do the tabletop exercises at least once a year. But, you know, feel free to send out phishing emails, social engineering, on a regular intermittent basis to your employees so that it will raise their awareness of it.

Of course, we've got our monitor tool that'll monitor your checkout process twenty four seven. Yeah. Yeah. It'll do those simulated transactions repeatedly all day long, looking for anything that's, you know, amiss in that checkout process or anything that, you know, mysteriously shows up.

Yeah. That's a good point because I was speaking mostly to, like, you know, company emails and things like that. So that's a really good point. Well, thank you for your time today. We appreciate it. And, as mentioned before, please, if you have any other kinds of questions, don't hesitate to reach out. We'll get back to you as soon as we can.
