Watch to learn cybersecurity lessons from 2022 breaches and get cybersecurity predictions for 2023 and beyond.
Watch SecurityMetrics VP of Investigations, David Ellis, Senior Forensic Analyst Aaron Willis, and Deputy CISO Matt Heffelfinger discuss:
This webinar was given on February 27, 2023.
Good morning. Or for those East Coasters, good afternoon.
We're happy to have you with us today, and we're glad to be here. This is this year's installment of cybersecurity lessons that we really, really need to learn from what we observed in twenty twenty two.
And we're also gonna get into a little bit more than that. But I wanted to introduce who's here with me, and myself, your panelists today. I'm gonna pretty much moderate it. My name is Dave Ellis.
I'm the vice president of forensic investigations here at SecurityMetrics. And with me is Matt Heffelfinger, affectionately known as Heff to all of us here. Matt's the head of our SOC, our security operations center. And with me also is Aaron Willis.
Aaron is the senior director of forensic research here at SecurityMetrics. And both of these guys have untold amounts of experience.
Aaron Willis, for example, has a master's degree in forensic investigations, or forensic...
Digital forensics. Heff, I know, Pepperdine.
Yeah. Villanova, Pepperdine, a couple of big schools. And, you know, what's really cool about our webinar today is that the audience gets two different perspectives. Yeah. You get the forensic side with your team and then my side with the security operations center, looking at the bad guys before they get in, and then your team is looking at the bad guys after they've been in. So it's pretty cool for the audience.
Yep. So we've got a lot of really important information, but I wanted to give just a couple of little housekeeping things. After this is over, we will be providing all of the slides to everyone so you can go back and reference them. And if you have any questions, feel free to always, you know, reach back out to us, and if not one of ourselves, a member of our team will get back to you and answer those questions for you. To give you kind of an overview of what we're gonna be doing today, we're gonna start on a little more of a lighthearted note to break the ice, an IT trivia contest. And I wanna tell you, we have huge, huge prizes worth up to dollars.
No. Actually, what we've given away in the past has usually been along the lines of a windbreaker or a blanket or something along that line.
After that, we're gonna get into predictions that we made a year ago of what we thought we were going to be seeing on the cybersecurity landscape for twenty twenty two.
We're gonna cover that. We're gonna get right into the twenty twenty three predictions because this year the two kind of overlap. Previously, we had a middle section of saying, hey, these are the things that we missed, but we didn't miss that much last year.
So... Yeah. But anyway, we're gonna have a lot to talk about. And then we're gonna finish it off with security tips that will help you keep your company off of the front page of the newspapers, off of the Krebs reports, and, you know, hopefully not falling victim to a data breach incident. The last housekeeping thing is that the information we're gonna provide today largely comes from either forensic investigations or data that we saw in the SOC during twenty twenty two.
Some of the anecdotal stories might come from a previous year, but most of the information is extremely current and totally relevant.
So that gets us into our first trivia question.
What was the purpose behind the world's first documented webcam? And the picture that you're seeing here is the actual camera that they modified for this use.
That's a tough one to answer. I mean, when you think about it, what could it possibly be? Maybe security? I would have thought security. Yeah.
Yeah. Well, and you'll notice the parenthetical statement. No, it had nothing to do with adult content. So just want to put that out there right from the beginning. So that's question number one. While you're quickly googling that one, question number two, it's a two-part question.
How did the term bug get associated with computer anomalies?
And when was the first computer bug documented?
Another tough question. I would have thought probably the seventies or eighties, but I'm probably wrong on that one.
Well, I mean, regarding bug and this type of thing, Thomas Edison actually talked about bugs in his work, you know, and he used that for anomalies. But this question specifically is when it was first attached to computers.
And, you know, right here we have that, like, the Jeopardy music going. Yes. Dun dun dun.
Oh, and lastly, we're going to select from all of the correct responses, and we have time sync. And so we'll figure out who answered before or who answered after we actually gave you the answers.
And then we'll do just a random drawing for, you know, the winner.
This was the only one that I actually got right, but I knew it because I taught my students at Utah at Huddl University the same example, so I kinda already knew the answer to this one.
And if you take any cybersecurity exams like the GIAC, this is a question, computer history one-oh-one right here.
Oh, on the on the bug.
Yeah. On the bug questions. Yeah.
So Okay.
Alright. So we'll get to the first one. The first webcam was not used for security.
It was not used for adult content.
Wow. The first one was used to monitor a coffee pot inside of a lab at Cambridge University.
They said that they did it for time-saving purposes, so that the person who was responsible to fill the coffee could look over at the image and see if the pot was empty. And it would also save all the people working in that department from going down into the lab to get a cup of coffee and finding that the pot was empty.
So sneakernet. It was to avoid sneakernet. See, that's the great thing about the coffee pot camera here. I can go down to the coffee pot and give my floppy disk to my coworker and get the coffee at the same time.
So... Well, you know, an interesting thing too, this coffee pot became famous.
After they finally shut it down, they realized that the coffee pot was being monitored by people all over the world. And the coffee pot ended up auctioning for thirty-five thousand dollars.
Oh, what a great... This image, though, I mean, this is the actual coffee pot. I thought this image was for, like, a Windows 3.1 screenshot, and it turned out to be correct. Right?
Yeah.
Yeah. That's amazing. I mean, it's crazy to think that they just wanted it for coffee.
Yeah. They were essentially taking a still every twenty seconds. Wow. So, alright. So question number two, the answer.
The bug. In nineteen forty-seven, Harvard's Mark II computer began delivering very consistent but very erroneous information, and they couldn't figure out what the problem was. They thought initially it was programming. They finally took it apart, and they found that a moth had gotten into the computer and shorted out a relay.
And this picture right here is the actual notes from the technician that went in to troubleshoot the situation. And he writes right in there, this might be the first actual case of a bug being found in a computer.
Wow. And this actual image is, I believe, in one of the computer history museums. It's pretty phenomenal that they kept this bug and these notes all these years later.
Yeah.
Yeah. Wow.
Alright. So good luck to everybody who entered on that. We look forward to shipping out something really cool to you. Alright. So from there, we're gonna get right into our forensic predictions from twenty twenty two.
The first prediction that we had was payment iframe breach via browser vulnerability or zero-day attacks. Let me toss that over the fence. Why don't you start with that, Aaron?
Well, this is one of the predictions that I made based on what we were seeing, and we did see a significant rise. Specifically, I was looking for anything that would allow an attacker to get directly into a payment iframe.
You know, the reason why we use those iframes is they add that extra layer of security around that credit card content to prevent the attackers from getting in by just getting a script into proximity.
However, in this past year, we saw a significant increase where the attackers were getting directly into that iframe.
A story from early last year: Korean attackers were able to get through a zero-day exploit in Chrome's JavaScript engine and directly access the internal workings of JavaScript to access the content of those iframes.
It's pretty phenomenal that, you know, we talked about in the past that this was a two-step approach. You all can see the notes on the screen there. And now it's so much faster. The threat actor can get in there. The sophistication of this type of attack, it sounds simple, but yet so effective for the bad guy.
Yeah. And we don't want to scare anybody away from using iframes. We want people using those iframes. However, the lesson learned...
Yeah. It's that sophistication. And that type of attack where they're able to get in there so much quicker just by bypassing in one step. You know, when we talk about the bad guys getting on the dark web and being able to just collaborate and say, hey,
I found this new tactic. You guys need to think about this tactic. And what's even crazier about that dark web collaboration is it's not just the threat actors going on there and selling compromised store access much easier. Developer kits being sold, the profit-sharing agreements now where these threat actors can get together and say, hey, I found this new tactic.
And then even just monetizing the card data. It's pretty phenomenal that you guys are spot on with this prediction last year.
That's the one we hit right on the nose.
The attackers can really get in and change a URL with a single line of JavaScript. Wow. And they've got the credit card data.
And it's cool that you guys have the evidence to back it up.
Well, you know, and it really drives home the point too. You can't look at an iframe as a panacea of security. You know, it's like, hey, I've got an iframe, I'm good. You know? You've really gotta pay attention to the security around your environment.
And then do some of those subtle little checks. Make sure that the iframe is not being drawn from your own server. You know, that should be a hint. And that's one of the things that the attackers have done: if they get that access, they'll redraw it onto the merchant's own server. And no one is the wiser for it. The card still gets processed the same way, but the attacker has access to it.
Yeah. And those are really hard to spot from a forensic investigation perspective because, you know, you're not looking for a URL that's a known bad URL.
In many instances, it's the merchant's own URL that's been compromised.
Okay. Number two: mobile devices will become a primary target of credit card skimmers.
Wow. You know, the heart of the issue here, Dave, is the large surface area that these bad guys can use. I mean, on a desktop, phishing and getting in and skimming is vastly different from a cell phone, and it's so efficient to do e-skimming on a mobile device. And that's not gonna change.
It's just gonna keep growing bigger and bigger when you talk about how large that attack surface is on a mobile device. You got those banking apps, retail apps, social media apps, messaging apps, productivity, gaming, educational, lifestyle. Right? Entertainment, IoT, MDM, all those.
It's just gonna keep getting larger.
Yeah. And the way they're doing it, really, if you think about it, all these different apps that we have on our mobile phones, they all have this thing called a web view. All that really is is a browser, an in-app browser that allows that app to call up a URL. If that URL is a payment page, any compromise to that in-app browser allows the attacker to get in and harvest that data via an overlay attack or injecting JavaScript into the web view. Yeah.
And so, you know, if you see something that says open this in the mobile Safari browser, click on that one and get out of that in-app browser. So that, you know... TikTok is really bad at this. They won't let you click out of TikTok to do something. Enclosed ecosystem. Yeah.
They locked that down. You know, Twitter and other ones, they're pretty good about letting you open it up in mobile Safari or whatever.
Yeah.
And you wanna do that because mobile Safari has those extra protections built in if you're gonna go shopping online or something like that. Yeah. A lot of these in-app browsers don't have that built-in security.
And, you know, I think for the audience too, every year in our industry, they have this Verizon Mobile Security Index. Mhmm. And they put out some statistics.
And one of the stats they said is that fifteen percent of all mobile attacks are caused by phishing.
So what's the other eighty-five percent? Right? And the other eighty-five percent is other attack vectors. So what we're learning here in this prediction is that the threat actor literally has all these other doorways onto your device. And it's not just all those apps. I kinda summarized it in three different areas, and I'd love to just share this real quick with everybody.
You've got this attack surface that's gigantic. You've got people not doing the updates on their apps. I mean, I know I have friends with, like, hundreds of apps on their phone, and they're not doing any updates whatsoever. But number two on this list of why this is such a big deal and such a real prediction is that very few users have any sort of filtration, spam detection natively present on their device.
Right? And then on top of that, it's not enabled. So they may have it, but they don't even know they have it and they don't even have it enabled. So you have all these incoming messages, you have SMS texts, which kinda leads us into my third reason here.
If you have all these SMS and MMS applications, I mean, how many times have we gotten a text message? And, you know, you're going throughout your day and this is, hey, your Netflix account is expiring, or I got your insurance policy, it needs more information, you need to click in the app for your insurance.
Right? Or you get, oh, I need you to update your Amazon credit card information. So you have all these messages, these short messages, these calls to action, these malicious URLs, and you're in that hurry, just click on it. Yeah, this is just gonna keep getting even bigger.
So, excellent. You guys are spot on on this prediction.
And this is another one that's so hard to spot in a forensic investigation. You know, this prediction comes from a case we had a couple of years ago where we examined everything on the web server.
Mhmm.
We couldn't find anything.
And so we started looking at the customer data and found something in common with all of these customers: they were all using a mobile app.
Massive attack surface for such a small device. Huge attack surface.
Yeah. And we're gonna drill down a little bit deeper on a couple of these points when we get into the remediation steps. So our third prediction last year was an increase in the use of anti-forensic techniques by credit card scammers.
This is one that we really nailed.
Earlier... In some cases, in a way that we didn't expect.
Yeah. We did not see it coming in the way we thought we would.
Last year, we noticed more cases where there were, you know, multiple forensic investigations from different PFI companies that said there's nothing wrong with this website.
And so we got one of these cases that came to us. We were the third PFI on the case.
We started looking around, found the same, you know... The same nothing.
The same nothing. Yeah. And so I decided to start just really trying to think outside of the box of what the attackers could be doing. And this was a very popular website, huge audience.
And so I just wanted to see where they were selling all their products. I started googling their products, looking for any place selling their products, found all kinds of websites that were selling their products. And I made a list of them, sent it back to the merchant, said, hey, you know, have you looked at your resellers? Are these guys all legit? Two of them were legit resellers. The rest of them were not authorized resellers at all. So I started running, you know, forensics on these other websites, putting in our test credit card data, and found out that my test card, which should decline, was being accepted.
And so they were just collecting the credit card information and running it back through to the merchant's website.
Legitimate order would go through.
Customer gets their product. Merchant gets paid, and the attacker gets away with the credit card. And the crazy thing about this is there is no compromise on the merchant's website.
Yeah. But yet they get hit with the common point of purchase indication that there's a problem. They end up having to pay all the fees for forensic services, investigations, and, you know, hopefully not fines because they weren't responsible. They weren't vulnerable.
But nonetheless... And did you guys also have a use case?
I think it was one of your pen testers where, you know, talking about anti-forensic evidence here, the shopping cart, all the malware, all the malicious code completely disappeared at the very end.
Yeah. That's out of our pen test team. Yeah.
Yeah. Phenomenal type of attack where the bad guy is able to go in, steal the credit card information, then upon checkout completely erase all evidence.
Yeah. So the problem with that one, unless you're actually monitoring that individual transaction when that occurs... because that gets into the next anti-forensic area, which is iterative attacks. And an iterative attack is where they're not going after every single credit card transaction as it occurs, but they're just hitting every seventh or eleventh or every seventy-fifth or something like that. I mean, it is so difficult at that point if they're just, like, cherry-picking here and there and there, and oftentimes it's a random pattern. It's not every seventh. It's every prime number or whatever.
So not every transaction is stolen. The time-based variation. And then I've also been told that you have seen evidence of location-based, where the threat actor is not just targeting... skips the United States, but then goes after only countries in South America.
Yeah. South America or Canada or Europe or whatever. But, yeah, certain regions.
That's phenomenal. I know in this area of anti-forensics, and by the way, this is my favorite prediction that you guys all came up with, and it's because it's such a growing category and there are so many tactics that the bad guys are using. And you kinda see some of the tactics on the screen, but this area is just continuing to grow, and the sophistication in this area... we have the geolocation-based, the time-based, the minification, piggybacking tactics.
I'm just always amazed at your tools too. And I guess when you talk about SecurityMetrics and our Shopping Cart Monitor, Shopping Cart Inspect products that find these types of attacks, I love our approach. And our approach has always been, we're gonna go in from the front side. We're gonna mimic exactly what a customer goes through to try to find a bad guy. And our competitors don't do that. They go in from the back end after the attack's already happened, and you miss things. You're not gonna experience... like you guys said, you have to kind of think outside the box to find these different anti-forensic tactics.
Yeah. Last year, we actually had a case where the merchant called us up. It was the first call we'd had with them. And so while we're on the phone with them, I went through and set up our Shopping Cart Inspect on the website.
And in that one instance, I saw a URL that looked strange. And so I asked the merchant, hey, are you guys operating from this location?
Yeah.
You know, they kinda went silent for a moment, and they were like, no.
Okay. And so I, you know, copied the code that I had in front of me.
And once we engaged with that merchant, we never saw it again. It completely disappeared. And so in that one instance, we caught it right at the exact time. And for the rest of the investigation, we never saw it again.
Wow. You know, before we get off this prediction, Dave, you know, with your forensic tools and the team's forensic tools, you have these persistent data tools and then you have these volatile data tools. And the persistent data is the stuff that's stored data that, you know, the data is there when the device remains off, that kind of stuff. But what's fascinating is going to be the evolution of the forensic tools for volatile... the volatile tools. So we're talking about things like data that's transitory, that could potentially disappear after the credit card transaction has been done.
I mean, that to me is fascinating, and I'm really excited to see how that evolves in the next year.
And sometimes that's really the only data that we can grab. You know, that packet data that happens when a credit card is put into the system. You know, if we can get in there and just watch those packets that happen, a lot of times, you know, just one little connection will open up and some packets will fly off, and you never see it again. Wow.
Okay. So our fourth prediction last year was that we would see a rise in the use of ransomware, but not in the traditional sense, not where they encrypt all of your data and they, you know, are demanding a ransom in order to give you the decryption keys, but ransomware without encryption.
In the cases that we've seen with this one, attackers would come in, and they wouldn't even bother with the encryption. The data was valuable enough that, you know, the threat of just having it exposed out there on the Internet or up for auction really was all the motivation the merchant needed to hand over some Bitcoin. Right?
Yeah. Why screw around with cryptography? Why waste the time, the keys, trying to buy the kits on the dark web, or even just develop your own kit? I mean, it's just pointless when I don't even need to worry about encryption. I'll just steal the data.
Are the hackers just getting lazy, or are... That's what I thought, sir.
Yeah. I mean, just for the ransomware gangs to decide that, you know, it isn't worth their time to encrypt the data and just go down the extortion route. I just find that so brazen and lazy. Yeah. Unbelievable. But we do know that there are several gangs that have been identified that we've also identified for some of our clients.
Karakurt... but these gangs are something else. They don't even bother encrypting the data. Just steal it.
Yeah. The lesson we can learn here is that, you know, if you've got sensitive data on your website, encrypt it. Get that. And then get those encryption keys off of your website. You know, make sure that your valuable data is the stuff being encrypted.
So that if, you know, heaven forbid, an attacker gets in and they steal your data and they want to publish it out there, all of the sensitive data is encrypted and it's really worthless without those keys.
Heff, you mentioned Karakurt.
Why don't you tell us a little bit about them?
Boy, they are something else, folks. I gotta tell you. We know that they came around twenty twenty one, I believe late twenty twenty one. They primarily go after businesses, usually medium to large-sized enterprises, and also health care organizations.
That is their huge area of target. But they mostly focus on data exfiltration. They come in there, they try to steal, they try to get that sensitive information, and their main tactic is phishing attacks. And really what they're trying to do is gain the VPN credentials.
From there, they try to breach the system. It's a fascinating tactic in that they're not just focusing on emails. They're also using phones. They're using mirrored versions of your website. They'll create a fake website and do typosquatting.
But what was crazy is last year, between June and, like, September, they hit four different health care organizations with the same tactic, and it was all because they did their homework. They did their research. They knew that there were staffing shortages in these health care organizations, and they could prey upon that weakness to get into that doorway.
And amazingly enough, again, they get in there, they copy the information, they exfiltrate it out. No encryption whatsoever, and now they're selling it on the dark web if you refuse to pay. So, fascinating. This organization, this gang, and also the other one, RansomHouse, is gonna keep growing and getting larger and larger.
Yeah.
So in summary, the four predictions last year are giving us a reminder of the importance of understanding our attack surface, understanding where our vulnerabilities are, and essentially understanding that one level of security is not gonna be enough. You know, just having antivirus out there is just not gonna do it. You have to be monitoring transactions, and you have to be looking at the developing threats that are out there and understand your system and know which threats you're gonna be vulnerable to. Okay. So this brings us to what we think is going to get worse in twenty twenty three. We've got three predictions that we'd like to discuss a little bit, and let's go ahead and start in on that.
First is an increase in the sophistication of phishing. Yeah.
Essentially. Heff, you wanna start us off on this?
This was a hard one, folks, especially when you talk about Lapsus$. Lapsus$ was all the rage last year in the news. Remember those sixteen-year-old kids? It just seemed like every week in the news, we heard about a huge company.
And this wasn't like some small little business that they were going after or some small health care. This was Uber. They got Microsoft, they got Apple, Meta, T-Mobile, Uber, Ubisoft. Right? The video game company, Rockstar.
NVIDIA, Samsung, Okta. And the list keeps going and going.
It really broke my heart to see what the tactics were and how these kids were able to just really get into these organizations.
Okta was the big one because you're talking about credential theft, keys to the kingdom, all these companies.
They've got everything on everybody.
Right. Yeah. And these guys, Lapsus$, they did this, like, third-party pivot, where in a twenty-five-minute attack they were able to get in through a third party and then into Okta itself. And then we had the NVIDIA attack, which was just a crazy plot twist, folks. I mean, right out of a movie. You already have seventy-one thousand employee hashes stolen. I believe they got in through a Discord server or something like that. And then they said, NVIDIA, we're demanding that you open source your graphics drivers, make it free.
Yeah. And then Samsung, the source code, the phone source code for Samsung was stolen.
All that PII, all those IMEI numbers, advertising IDs, serial numbers on devices.
It just... the sophistication was unreal. And it's just crazy.
There's so many examples, folks. I mean, I can do an hour just on the examples. And if you don't mind, I'd love to just share two of them, of the sophistication.
The one sophistication that we most recently saw was DocuSign. You guys know what DocuSign is? You get that phishing email and it's from DocuSign. You think, oh, I don't know, did I get something from DocuSign? You're not thinking and you click on it, and it takes you to a blank image.
Very odd. Right? And that blank image that was attached to the DocuSign phishing email actually had malware embedded into it, had the command and control.
Is that steganography? Right. Yeah. Yeah.
Okay. So bad guys are using some insane tactics. And now that we know Microsoft blocked all those macros in Office, the bad guys have to pivot. And the fact that they can't use macros to try to phish people, they're now using other types of attacks and even using AI to craft phishing emails.
It's insane, the amount of tactics and sophistication. We saw a use case, another one, a real quick one, where the bad guy impersonated a customer and called up the call center for the business. And they said, hey, I'm so-and-so and I'm trying to set up my new account. Again, the bad guy's calling into the call center and he said, you know, I did a screenshot and I uploaded it to Dropbox, and your support agent at your business says, okay, yeah, let me open it up. And the next thing you know, the bad guy has a doorway into your environment. And it wasn't just Dropbox. It was Gmail, Google Drive, all those storage companies.
So... And there's a new term that people are gonna start hearing a lot more of called smishing, or SMS phishing.
And that's where, you know, your text messages are being used against you. You know, lots of invites to click on this, you know, coming right up in your text messaging.
Think about it. You know, attackers are gonna go after those automatic two-factor authentication codes that come up in your text messages. You know, you get the code, it pops up right there, and you click on it and it auto-populates your two-factor or multi-factor authentication boxes.
Unbelievable.
If your phone gets compromised via one of these things we talked about, they're grabbing that code right there. You know, as you tap on it, you know, they grab it, put it in, and if it doesn't work, you've got a problem.
Right. Because if it doesn't work, the attackers probably used it, you know, two seconds right before you did.
Yeah. Okay. So our second prediction for next year, and we alluded to this a little bit earlier, is that the mobile attack surface is going to greatly increase.
Who wants to start that one?
Again, it goes back to that plethora of apps that are just all over our phones.
The banking apps, the retail apps, the social media apps, all of those things have that embedded web view capability in there. If an attacker can launch some JavaScript and hit that, they can tell that web view to do all kinds of crazy things. You know, if it pulls up a URL, they can do those overlay attacks, where they're gonna mimic your bank's login portal or create a form that goes right over the top of your website's checkout form. And, yeah, as the customer types in that information, they're gonna grab that data and run with it.
And so much of this is the attack surface itself, where you have all these apps, but then you don't have the filtering or the spam detection either turned on or natively present. You also have incoming messages being displayed regardless of the content on the mobile phones. So this area, I'm telling you, folks, you really have to focus on your user awareness and that due diligence. Because even with all the technical controls in place, that phone potentially becomes a doorway into your business, that user's phone, that employee's phone. It's crazy.
On the forensic side, we kind of ignored mobile for a while.
Yeah.
Because, you know, the way, you know, these mobile browsers worked, everything was put in a nice sandbox and and, you couldn't really get, you know, third party code injecting anything into these into these sandboxed apps. But now with with the web view and, you know, attackers looking at that more, they're gonna get in and and, you know, hit that web view browser. Yeah.
I tell you folks, if you don't need an app on your phone, then get rid of it. Or if you do have the app on your phone, you use it regularly, you gotta update it. I mean, there are two basic tenets of protecting yourself against this area. Yeah.
Okay. So number three. And, Heff, I'm gonna give this one to you directly. This is one that you came up with and it's regarding the dev environment.
This is the one prediction that really grinds my gears, folks. It really gets me upset because, you know, a lot of companies have their own dev environment. They have developers on staff. They're making apps.
They're writing code for the website. And that security posture, we saw continually in twenty twenty two getting popped. And we know that we had a lot of great evidence out there. We had SolarWinds attack.
We had the Mercedes Benz attack. LastPass, remember how many times they've been in the news?
T Mobile? That was from their dev environment, wasn't it?
Yeah. One of the time. Yeah. The first time. The first time, folks, their go to environment.
Microsoft dozens of breaches in twenty twenty two caused by a dev environment cyber hygiene. And that posture is so critical because you got these developers, Dave. And these developers, they want faster. They want more auto my automated ways to develop.
They wanna build, they wanna test, they wanna deploy their software, their code fast. But it comes at a cost. And a lot of times they'll skip the security part of it, just to get the the code out there. So the dev attack surface is only going to grow.
And bad guys are figuring out right now what they've been doing the past year is looking for those doorways, and they know a lot of them.
Now in in in defense of some of the individual developers themselves, they're under a lot of pressure from the companies that they work for. You know, they're working hard. They're probably trying to troubleshoot it the best they can. But at some point, that product's gotta go to market, and they're getting a lot of pressure to to push it out the door.
And where it gets crazy is the the type of attacks that can happen in that dev environment. Because it's not just backdoors.
It's not just deactivating former dev ops accounts. It's the contractors that may not be on prem. It's the impersonation attacks. Compromising the dev tools and the code libraries was a huge issue. In fact, just last week, we put out a notification from our team about one of the code libraries. There were four hundred fifty-one libraries that were potentially maliciously compromised by the bad guys.
And they were deploy they were deploying Clipper malware.
Yeah.
And Clipper malware is pretty nasty stuff. So but again, that that thing about the LastPass one is the one that really caught me. Because it was a compromised developer's endpoint that got breached. Yeah. So unbelievable. Yeah. This will only keep keep growing.
Well, and, Aaron, you've seen cases where dev tools were exposed to the, to the outside.
And Yeah.
Yeah. Yeah.
In one case, we looked, and they had completely protected their their card data environment, using end to end encryption.
However, the attackers left the, development environment open that had access to all of the internal cameras at all the stores.
Yeah. And so I was able to go in from a browser, say, what store would you like to look at? And some of those stores had the had the cameras pointed right at registers and and and right at computer screens.
And Yeah.
Alright. So now, you know, we've we've talked about a lot of the bad things that are going on out there, and and really, we're just kind of scratching the surface on on how bad and how tedious some of these things are. We wanna give you some some helpful hints.
We've got ten ish, tips. And the reason I say ish, we've we've technically got eleven, but there's some overlap there of of things that you really need to be aware of. And let's go ahead and and jump right into that. And the first is is being aware of what your attack surface is, the actual breadth of it.
And for most organizations, I think it's safe to say it's a lot bigger than than a lot of the company thinks it is.
Yeah. And you know, in our area in the security operations center, we always start with the asset inventory. You gotta know what's in your environment in order to protect it. So often that's get that's that part gets skipped.
But then once you know your assets, then you gotta know what your data is. What what's the that most important data that you gotta protect? What are your crown jewels? So those are really the two critical areas to start, and then from there, you can build out.
Second and and this one's critical. It it applies to so many areas, but you need to make an investment in the security awareness throughout your organization, top to bottom. Yeah. And really nobody can be left out of this. It it can be right down to your your folks who are in building maintenance, certainly all of your technicians, anybody who puts fingers on a keyboard in your company, including the c suite, the CEO, you you've got to get training out.
And I I would I would compliment that and say that it's that security awareness training, if you're doing it just one time a year, that's not enough. I mean, we just talked about some of these tactics that change literally every week to week, and they're so advanced that chances are your security awareness training is not covering some of these latest tactics, the sophistication and the speed, but it's really meant to complement your technical security controls. So if you have email filtering and spam detection, then you also layer in that awareness training to help it be that much more impactful.
Yeah. And some of these attacks have gotten so good that, you know, even people on our forensics team have almost been taken a time or two.
Well, our our ops department, they will periodically throw out a phishing email internally within the company. And and they're really great about it. They they don't come and excoriate the people who who actually click on it. They just use it for for training and education.
So Yeah.
And and, yes, people on our team have bitten on that. So, number three, patch management. Aaron, do you wanna start on that one?
Well, you've gotta get your patches into place.
There there's no excuse not to.
However, not all patches are equal. Right, Heff? Yeah.
That's a challenge too because you have these high we call them CVSS scores. And the criticality of some of these CVSS scores are gonna be different for everyone's environment. I mean, everyone's environment is different. So what may be an important patch in my environment may not be as critical to your environment.
So because the other environment's not as susceptible to it. Right. Is what you're saying? Yeah. Okay.
So I mean, if you're not doing consistent patch management, then you got some issues. But then if you're able to automate it at some point, it becomes that much more powerful because it's it's hard. I mean, just the other day, I think it was like seventy one patches came out from Microsoft. In the same day, we had thirty patches from Intel, twenty eight patches from Adobe, and all these other companies, SAP, Citrix, AMD, they all came out with patches all in the same day.
It's just an overload for your IT folks to try to patch all that.
Yeah. It becomes critical, especially for for shopping carts.
A lot of times, you know, a patch will get announced, and we see attackers hit those hit those vulnerabilities within hours of those things coming out. And so if you think you can wait around for a week to go patch your shopping cart, that that could have been been the week that destroyed you. Yeah.
So our our fourth recommendation is very closely related to this, and it's vulnerability management. Guys, why don't why don't you go ahead and describe the the the nuance difference between vulnerability management and then patch management?
Well, you know, I I I would say it's hard for these businesses because you have this dynamic ever changing network. You've got business your business folks are saying, well, we need this app or we need this tool, and they're trying to roll it out, yet you may not have the right inventory management and all this stuff. So being able to schedule consistent regular scans of your environment is the critical piece here. It's not just patching, it's also looking for things outside of the world of patching.
When your environment changes and you add all these new tools that the business says we need, we need to have this new marketing tool, well, you've gotta be you gotta be on top of that. And then you have to you have to have that married with your penetration testing. So hopefully, you are out there trying to schedule that and get something going on. Ideally, with a with a vendor that maybe is not familiar with your environment, so they'll see things that you didn't see in previous scans.
And and then it's important to think about vulnerabilities that are not on your environment. You know, things like, you know, authorized versus unauthorized resellers.
Yeah. That's a good one. Yeah.
Number five is log management. And, I mean, log sounds kind of kind of dull and boring. It's not a sexy version of of security. But where it really comes in into play, and and I I I wanna share an anecdote on that one, is we were doing a forensic investigation of a level one merchant, hundreds and hundreds of stores. They've been breached for about nine months.
And the sad part about it is as we're doing the forensics, we realized they've got a really robust IDS system, an intrusion detection system.
And it's it's throwing alerts from day one, and nobody was watching. Wow. They could have stemmed that entire breach on the very day that it happened, and just be nobody had the job assignment to to look over those logs, and so there there were and it ended up costing them tens of millions of dollars.
And that is where, you know, knowing that baseline from the start. So you got all these alerts coming in and hopefully you've got a partner or somebody that can look at those alerts. This is this is kind of what my team does every single day is we're looking at logs and we're trying to develop an idea of what normal looks like in an environment.
Trying to be able to recognize the errors, the anomalies, the suspicious activity, and then trying to come in and say, okay, this is what normal looks like.
Now let's move forward in time and and start to look for that malicious stuff.
And establishing that baseline is so important. And I was just looking at a a set of logs, and the logs looked pretty good. Yeah.
But I noticed that there were gaps in the timeline. And I'm not talking about just, you know, a few minutes.
Inactivity. Yeah. Yeah.
There was hours and hours where nothing was being recorded in the logs. And when I pulled the logs up in in an editor, I noticed there's, like, white space, massive white space. You know?
You'd have a a login at the top, and then you'd have to travel, you know, far, far, far down the the page to see the next
It's it's an additional service we're gonna offer in the future is to to train companies on how they can doctor their logs more and more effectively.
He's kidding, folks. Yeah. We're not offering that service.
But so you have to know what your what normal looks like for your logs.
Yeah. Next is, credential management.
And this is this is part of our our coaching. I mean, we're constantly coaching our clients. You gotta have 2FA turned on. I mean, that's just like the minimum anymore.
You know, a few years ago, it's like, oh, it'd be nice day if you had two factor authentication turned on. But now we've evolved and it's not just the password, best practices, and default usernames. But that, you know, the probably the area that I see the most common issue in this credential management, besides two factor authentication, it's the ghost accounts where an employee has left the company and you've left their credentials still active in the system, or you left the contractor's credentials still active in the system. And then, of course, employees reusing passwords. They're using their Netflix password for their work password. It's like, what are you guys doing? Stop doing that.
Again, we are seeing two factor being attacked too. So you can't you can't just assume because you're using two factor that you don't have anything to worry about anymore. Yeah. Because attackers are you know, if your phone gets compromised and your passcode pops up there, it could be compromised.
And the bad guy will pivot from your phone into your work environment.
We we see so many cases where people were just like, no. We're using two factor authentication.
And then they go, wait. You know, if I put my code in and it doesn't take it, you know, and I just put it in again, is that okay? It's like, no. That's not okay. You have to stop the process.
Stop the process there and let somebody know that some that your code did not work.
What what what are your thoughts on password vaults and password management tools?
Wow. That that's the number one question we get from our clients. Is, well, what's a safe password manager? Because LastPass got popped.
Not once, twice. Right? And then well, what about KeePass? Because and they have all these vulnerabilities.
So, you know, our position is always you gotta do what's best for the business. K? My opinion is always gonna be the kind of the police department. We gotta lock this place down, but that's not always the right position.
And you've gotta you gotta know what's what's the right pathway for the business to take, and then they have to start their due diligence and research and and come up with a solution. Because really a password manager is a password manager. Right? But then when you start to see stories in the news of LastPass getting breached, you know, you you question your sanity folks.
I gotta tell you, we questioned our sanity a lot this year with LastPass and this breach.
K. Next, network and firewall management. Aaron, do you wanna start us off on that one?
This was just one of the back to the basics. Mhmm. Right?
You wanna be making sure your your functionality is is as separate as possible.
In the ecommerce environment, we still see databases where they don't belong, you know, databases that are sitting in the DMZ.
Wow. And, you know, if you're not separating your network like that, you're just giving the attacker so much more opportunity to to get in and and attack areas like your database where so much valuable information is stored.
And so separate out everything that you can. Get get those databases, behind a firewall where they belong, and limit your scope as much as possible.
Yeah. The big question that we kept also in this area, the one the area that we kept getting questions on was firewall rules. We have so many firewall rules. We don't know which ones are working or not.
So having a regular cadence of conversation around governance, firewall governance, do we really need all these rules or are we okay? You know, that part of it is critical. And then also consider, once the bad guy's into your environment, the area of obfuscation is really critical, folks. You know, one of our best recommendations is changing the names of your servers to different colors.
So don't call it the print server. Call it the green server. And the bad guy will have a much more difficult time figuring it out.
So next, data management.
And really, for data management, folks, it's about your data at rest, data in transit, making sure you have technical controls in place, encryption, third party governance on that stuff.
So Yeah.
Backup management. Aaron?
Backups are critical, you know, especially for, you know, the ransomware attacks that we see out there. Most important, have a backup policy that is tested.
Test those backups. So many times, you know, we go into a company and they're like, yeah, we got backups or we're gonna restore from backups, and the backups failed. Yeah.
So it's so important.
Or they realize it's harder to do because they've never practiced it, and it takes them three days.
Exactly. So you gotta test those backups and make sure you can restore from them.
Incident response management.
That's that's your guys. That's your wheelhouse.
We see this as a common deficiency even even among, you know, our big merchants.
We we wanna see their security policy, and a lot of times, we just get the blanks there. It's part of just like the backup plan, have a regularly scheduled plan to test all the things that could happen if you experience a data breach.
So you're talking about, like, a tabletop exercise?
Tabletop exercises are great. Ops teams that send, you know, phishing email to your own employees to see where your own vulnerabilities are.
Yeah. The importance of a tabletop exercise or an incident response plan, in and of itself is in order to test your security measures when your assets are not actually at risk.
The the time that you don't wanna see how good your security measures are is is when you're actually under an attack. The last one I wanna spend a minute on because this is Take time. This one is huge, and it's security around that shopping cart and understanding what the exposure is. So, Aaron, why don't you start us off on this one? Because I know you have a a case that you worked on that that had a really interesting level of exposure.
Recently, we, had a shopping cart inspect case that we ran.
And, in that process, we identified all of the JavaScript, all of the outbound, inbound communication that's happening during that checkout process. What's going on right at the moment the customer is typing in their credit card data?
In this case, it broke a new record.
Typically, we might see thirty, forty scripts running in that card data environment.
These can be things like analytics, you know, different ROI tools, traffic exchange tools, those type of things. And and customers merchants wanna use those because, you know, they they are very helpful in converting into sales.
And And it can be a revenue source for them too if it's absolutely These are scripts that are running during the shopping cart checkout process.
Yeah.
Right on that checkout page, right when the customer is typing Mhmm.
The credit card data in. Mhmm.
What we saw was over four hundred scripts were embedded on that checkout page.
Four hundred.
Say that louder for the audience in the back.
Four hundred scripts. Third party scripts.
Just everything you could possibly imagine That's crazy.
Was running on that checkout process. This is something we never would have ever put up with in in, you know, card present, transactions on on point of sale systems. If you wanted to get something in the point of sale systems, it had to be vetted, it had to be approved. Yeah. You know, you had to sign three waivers.
But now because we have all of these tools and it's so easy to implement, they just click of a button. You can have a third party tool get injected onto that checkout process.
Are all these third party scripts really necessary to run the shopping cart?
No. Most most of them are not necessary at all. Wow.
And especially when they're in proximity to that credit card. Yeah. There's there are much better ways to implement that. You can do those things just on a previous page. You know, if you need to separate your your data collection efforts where, you know, you're collecting all the address information on a separate page. And then when you go to collect the credit card information, only do that and eliminate as many scripts as as possible.
Yeah. One of the suggestions I I would make to all the companies out there is if you're running advertising in it in the shopping cart environment, don't. I I know it's a revenue source, but, you know, that that advertising can run on all of your other pages, but try to sterilize that shopping cart because we've had a lot of cases. We affectionately call it malvertising because, you know, it's like one ad in in the scroll of things that are running has in in embedded code.
So whenever that particular ad is present during the shopping cart, it captures the code. And it it becomes an iterative attack that is extremely difficult to detect because there might be a hundred ads on the on this role, but just when that one bad one, you know, kicks in there. So if you can convince your marketing folks to not run ads, you know, that's just one. But, you know, in the case that Aaron was talking about where he found four hundred plus scripts running.
It's kind of a generational thing because you'll you'll have you won't see all four hundred at at, you know, initially. You'll see, you know, several dozen, but several of those are calling additional scripts.
They just say they can't all the way down.
Yeah.
And so, yeah, you get third and fourth generation, you know, scripts that are running.
And a lot of times where we find the breaches, it's these JavaScripts.
Yeah. So I know on this on this last, recommendation, we've actually posed it more as as another problem.
It's more we're getting down into the dirt of of the problem.
The the recommendation here is that you've got to have something monitoring the transaction. So it's something that is looking at the transaction as it occurs, and it's measuring it against a a sanitary baseline.
It's looking for anomalies. And and this is an upcoming requirement, Requirement 11.6 in PCI DSS 4.0.
If you've if you've got a bunch of scripts in your in your shopping cart environment, PCI DSS 4.0 is going to tell you you've got to manage all those scripts. You have to know if they change, you know, know what the hashes are.
Can you imagine the the complexity of trying to monitor four hundred different scripts and and know if anything changes in any of those?
That that's the last recommendation is make sure you have something that is monitoring your your credit card transactions.
Alright. So it looks like we're getting a couple of questions. I I wanted to mention, if we don't get to your particular question, we will reach out to you after the fact. We don't want anyone to go away with with a question on their mind that, we weren't able to cover during this time. Okay. So the first question is, if I follow PCI or a similar standard, will my organization be completely secure?
Or are there additional security measures you'd recommend?
PCI is the floor. That's the minimum standard you need to meet, especially with the new attacks that we're seeing out there. You know, we mentioned the unauthorized resellers.
In in that case, the merchant was completely secure. You know, they've gone through two previous PFI investigations, which, you know, does an assessment on PCI compliance. And so they'd had two shots at getting absolutely as compliant as as they possibly could, and yet they were still losing credit card data.
Yeah. Well, I I like how you said, PCI DSS is is the floor. Now it's a it's a very, very good standard. But if you understand, they had to generalize it because it has to really fit, you know, innumerable types of of environments. And so you have to take that PCI, and then you have to apply it to your environment and look where where you're strong and where you're weak.
And And like what he said, you really have to know your environment.
Yeah. Know what your specific vulnerabilities are. Know how PCI applies, but maybe have something, in your environment that PCI is not touching yet.
Yeah. Okay. Next question. How can an online store best protect themselves against all of these threats?
One of the best setups that we see is getting that those payment fields, put behind a secure third party hosted iframe, you know, with your with your, payment gateway.
Again, that's not a panacea.
It's no reason not to lock your front door. And so if you can get your if you can get your payment data behind an iframe, then you can concentrate on protecting your website itself. You know, I always use the analogy of it's like putting a safe in your house with those iframes. You can put the safe in your house, but if you leave your doors and windows unlocked and the hacker can get in, they can see the safe and it might present some difficulties. But if they have if they're there long enough, they're gonna figure out how to crack into that safe.
Yeah. I'm a big fan of shopping cart governance. I'm a huge fan of knowing what scripts are running in your environment, and that means getting a catalog list together and consistently assigning someone to update that list as those third party scripts change. So that's a huge area of focus.
Okay. This question, how often are small organizations actually getting hacked?
And is this a security myth? Well, if if your question is is because you're small, are you less likely to be hacked? And I'd say probably not. I I would say if anything, it's the inverse. Yeah.
The small merchants typically present an easier target for sophisticated attackers and even less sophisticated, your script kiddies, along those lines. So, yeah, the size of your business isn't gonna say that, you know, oh, because I'm small, no one's gonna pay attention to me. Yeah. Okay. And I think the last question we can get to today is where can we get more information about the latest cybersecurity threats?
Sounds like a job for a security operations center.
That's the best question anybody could ask. We actually put together a weekly list of the top cybersecurity threats that happen, the top vulnerabilities that you need to know about. We also include, the top malware ransomware trends and we try to just put together a real simple list of links. And you can subscribe to that on our website. We'll we'll include the that link to subscribe.
And we try to focus a lot on small to medium sized business news that happens too. So it's a really cool it's a lot of work to put together that list, but we know our our customers get value from it.
So Well, thank you for joining us today.
It's been a a real pleasure.
If, as I mentioned before, if we didn't get to your question, please send it to us. We will have someone reach out to you. And and even if a question occurs to you later on, you know, please reach out to us. We're we're more than happy to, to, chat with you.
An additional reminder, this recording will be provided to everyone for future reference.
Outside of that, on behalf of, Aaron and and Heff, I'm Dave Ellis at Security Metrics. It's been a real pleasure.
Have a great day.