Addressing Attack Surfaces At All Of Your Locations

Learn how to discover attack surfaces that you might not know about, secure your known attack surfaces, and how to best utilize SOC and SIEM resources.



In this webinar, you'll receive a breakdown of common attack surfaces and learn how to improve your cybersecurity program.

Watch this webinar as Matthew Heffelfinger, SecurityMetrics Director of SIEM Operations (GSTRT, CyRP (Pepperdine), GRCP, SSAP, ITIL4-F, GISF), and Forrest Barth, SecurityMetrics SOC Analyst (CISSP, CMNO, Security+), discuss:

  • Discovering attack surfaces that you might not know about
  • Securing your known attack surfaces
  • How to protect your remote locations
  • How to best utilize SOC and SIEM resources

This webinar was hosted on February 25th, 2021.

Transcript of Addressing Attack Surfaces At All Of Your Locations

Good morning. My name is Sarah Kemple, and I'm part of the marketing team here at SecurityMetrics. Thank you for joining us. Today's webinar is going to try and address that age-old question: what is the modern digital attack surface, and what can you do to protect and control your attack surface?

Depending on who you talk to, some would say it's everything outside the firewall.

Others may say only the client facing assets.

So we're excited. Today's presenters will be giving a little high energy, high octane webinar to help you take control of your attack surface.

Let me introduce you to our presenters. This is Heath. He's the director of SIEM operations.

He directs the security operations team inside our threat intelligence center here at SecurityMetrics.

Working inside the SOC, the team attempts to find threats, analyze the threats, add context, and then notify our clients of the malicious activity in their environment to ultimately help them remediate threats across the entire attack surface.

Helping us with the webinar tag team assist, providing the color commentary and technical insights on the attack surface, Forrest is the person who lives and breathes on the attack surface daily.

He is our SOC analyst, which means he is the frontline threat hunter looking for malicious activity on behalf of our clients.

One quick little housekeeping item. We get asked this question often. We'll be sending the slides and a recording of this webinar out tomorrow.

And, also, throughout the webinar, if you have any questions, please chat them in. We will address as many as we can, and if we don't get to your question, we'll reach out to you on an individual basis.

So without further ado, I'll hand the time over to Heath and Forrest.

Hi, everyone. We're so glad you joined us here today. I am Heath, and, you know, part of our job, we have a fun job here at SecurityMetrics, threat hunting, finding the bad guys on behalf of all the clients. And I guess, if you like hanging out with us today and you like Forrest, please, after the webinar is over, we'd love for you to join us.

We have a biweekly cyber news, a little threat analysis TV show that we do. Please join us. We're on YouTube, Spotify, all the big channels, but we're fairly accessible too. If you have a question that comes up after the webinar ends, please get a hold of us and we'll absolutely just reach out, do our best to try to answer the question today.

So the best analogy that I could give you, the best analogy for today's webinar, is it's like baking a cake. Alright? We're gonna try to bake this cake in layers. And, really, what it starts with on this agenda is the fundamentals.

From the fundamentals, we're gonna move a little bit into what is that modern digital attack surface that the threat actors are looking at, and then from there we're gonna add in more ingredients to our cake, and we're gonna try to review some of the problems, the challenges of that modern attack surface, especially for your environment. Based on your business and what industry you operate in, it may be vastly different from other industries. So we're gonna wrap up the presentation today by adding some toppings on our cake. Yeah. I think you should all be getting hungry, Forrest. Are you getting hungry?

Very, very hungry.

And then we're gonna wrap it up. We're gonna put that cake in a box, and we'll talk about some steps to help you protect.

Pretty much the most important thing that you should get value from today is the unknown attack surfaces. And we're gonna spend a significant amount of time today talking about the unknowns when it comes to the attack surface. So without any further ado, let's go on to the next slide there, Sarah, if you don't mind. And let's talk about attack surface fundamentals, Forrest. The audience, let's put your baker's hat on. Let's get that rolling pin out. Right? Let's get ready for the show.

When you think about that attack surface, Forrest, when you think about a definition, if you had to put together a definition of an attack surface, on the next slide, what would you call that definition in your mind? Because your definition is probably gonna be different than mine.

I'm definitely much more of a tinfoil hat than a lot of people. So my definition is any area of potential exposure. So, I mean, that's insanely broad, but, you know, there's a lot that goes into it. And once you start really digging into it and seeing how the sausage is made, it can be kinda terrifying.

Yeah. And, you know, for us and everyone in the audience, we like to start off with the shallow end of the pool and start with real simple explanations before we get too complex. But you need to realize that the definition of an attack surface is gonna change based on the business or the industry that you're in. And, you know, for an example, if you're in the health care industry, your attack surface is going to be vastly different than, say, a retail establishment or a bank or a hotel.

And, Forrest, why is it like that?

I mean, it's not gonna be one size fits all by any means. It definitely requires specialization.

You know, what it is that you're operating under, what data you're collecting, how you handle things.

So it's definitely gonna have to be custom suited for your organization. There's not, unfortunately, just a, you know, one click, set and forget, walk away kind of solution to these sorts of things.

Now the good thing is today, we're gonna leave you with a lot of free tools to help you on this journey of identifying your attack surface. The really awesome thing is there's a lot of industry bodies out there. These industry bodies like OWASP and COBIT and ISACA and (ISC)² and the Center for Internet Security Controls. I mean, the list goes on and on.

We don't have time really to go too in-depth on defining who these organizations are. We'll make sure they're in the show notes for you, in the presentation notes. But understand that these organizations have a lot of frameworks out there, and these frameworks can really help you get started on this journey of identifying your attack surface. And, you know, one example is OWASP, and I mentioned OWASP, and they have a very different definition of the attack surface than, say, Forrest and I might have, and that's because their focus is a lot on the software development side of the house.

So they actually have free tools. So that's part of the challenge with this, starting this journey, like, knowing where to start, you know, and you can't really know where to start unless you have some guidance. So hopefully we could provide that to you today. But before we move on to the next slide, the end game here is this: keep your attack surface small and keep what is visible to the threat actors at an absolute minimum.

And that's really the key takeaway here on this slide. So let's kinda, you know, give a story for us. Right? I think the audience would love a story.

It's story time. I love stories. Let's take me back, Forrest, back in the old days. Back in the old days when IT controlled the realms.

What was it like back then, Forrest?

I mean, you know, it used to be that if you wanted to get anything done, start up a service, you know, spin up a new application, whatever, you needed to have hardware to do that. And hardware costs money. You can't just pull it out of thin air. And, usually, along with that, there is some kind of requisition process.

It has to go through proper channels, you know, needs multiple signatures, approval, so on and so forth. So there were a lot of controls inherent in the way that those things were obtained.

So you could make sure that security standards were being applied, you know, following proper processes and procedures. Nowadays, it's a lot more of a Wild West kind of thing. Anybody can, you know, hop online and go to a website and spin up a virtual server in a matter of seconds. I mean, whether it's AWS, DigitalOcean, Google Cloud, whoever, the process for having a machine to start doing development on, you know, it's literally within a few clicks. So all of that previous, you know, those checks and balances to keep that stuff in line, has essentially kinda gone out the window.

Yeah. And that is a huge issue. When you talk about how your attack surface can expand really quickly, when any department, if your company doesn't have, you know, policies in place and people aren't following those policies and there's no checks or balances, then what ends up happening is, you know, a department says, oh, we're gonna move everything to the cloud, we go on Amazon, we enter our credit card number, and they get a server spun up in literally seconds. So by extension here, you know, IT and your cybersecurity teams and anybody that's in your organization, they may lack visibility.

And because there's no more checkpoints in the process, there could be serious issues with your attack surface being really much larger than you actually realize, and that really is where this ball starts falling apart and this cake can really fall apart on you really fast if we don't have the right ingredients. So the challenge, of course, is finding the right ingredients, and as we move on to the next slide, Forrest, this attack surface nowadays, this modern digital attack surface is absolutely massive. I mean, what pops into your mind when you hear that word, expanded attack surface?

Yeah. When I think expanded attack surface, the two things that come to mind are scope creep and it's turtles all the way down. That's the, when you start digging into it, it's like a sweater. You start pulling on a string, and the whole thing unravels. So it's easy to get really overwhelmed in just how broad and vast it can be.

Yeah. And not only when you think about this, folks, you have your own business that you're worried about, you're worried about the attack surface on your own business and what's happening on premise, but then now you have people potentially working from home, remote workers, so you have to worry about that space as part of your attack surface. And then on top of all that, you might have third parties, you might have clients, you know, people helping you out, making your business run. And then on top of all that, you might have the employees' private network.

What makes this a challenge, folks, is a lot of times what the threat actors will do is they will pivot from the employee's home life and they will pivot into their work life, and that's because so many employees will use the same login, the same password over and over again. And that's the real challenge, folks. It's about gaining inventory of all of these areas of your attack surface and then trying to gain some sort of visibility into all these areas to really try to keep the business operating and keep the lights on.

Yeah. And as you start to investigate how vast that is, it becomes pretty apparent that trying to harden and secure every single one of these things and everything that they touch can quickly become an impossible task. So a lot of it comes down to focusing your efforts. Otherwise, you're likely to just end up chasing shadows or getting overwhelmed and giving up and, you know, just walking away from the whole thing.

My gosh. And that's the challenge too. You have so many different workloads, devices, hardware, software instances. The list can go on and on, and trying to get some sort of visibility and inventory of all this, it just quickly adds up.

And as you see on the next slide, you know, answering that age-old question, where do I begin in trying to understand my attack surface? And you could talk to a hundred people and they'll give you a hundred different answers. We put up a sample list of some of the questions that we would potentially ask when we're trying to model our attack surface. But, Forrest, what questions would go into your mind?

I mean, there's any number of different ways you can approach this. You can look at it from what services you're offering, you know, what users are doing.

You can focus on, like, the network side of things. There's any number of different approaches, but a lot of it is trying to determine, you know, what it is that you're trying to protect there.

Yeah. And, again, we provided some example questions here. This list is by no means complete, a hundred percent. I mean, these are just a sample list of the kind of questions that we ask.

And, you know, the bottom line is this: what does the business need fundamentally to try to keep the lights on? And from there, you can start to build up your questions. So the one question that I do want to highlight is the very last one on this slide, do you perform any threat modeling or attack surface analysis? And that's gonna be discussed a little bit further on here in the webinar, but honestly, we could spend two weeks just talking about threat modeling and attack surface analysis.

So we're gonna move on here to the next slide, slide eleven though, which is the usual suspects. And this is probably the slide where most of you are familiar with a lot of these terms because they are your traditional IT components. The stuff like your websites, your firewalls, your databases, your physical and your virtual servers. But for us, you know, we have to talk about these because these are really the ones that keep coming up in the news all the time when you hear about breaches.

Yeah. It's pretty crazy that a lot of the breaches that we see have, you know, the same sort of elements as, you know, those of yesteryear.

You know, the various servers were configured improperly or sharing credentials or things like that, where, you know, a lot of these lessons haven't really fully caught on yet.

Yeah. And it's the same stuff, it seems like. I mean, just in the news about two weeks ago, many of you may remember the story about this Tampa water treatment plant that got breached, and there was a lot of stuff going on with that breach, especially having their remote desktop services open and available for any threat actor to come in and try to change the controls. Do you remember that story, Forrest?

Yeah. That one, there was a lot of problems going on there with their remote access. They had shared credentials, outdated operating systems, no firewall. I mean, it was just, you know, one thing after another with that system.

And what we hope you'll take away on this slide is that the usual suspects, the traditional IT components, are, for the most part, static. And because they're static, oftentimes they're easier to identify in your environment.

And being able to keep this part of your attack surface up to date is a little bit easier. And that's because you have things like patches and automation and endpoints, and that's something that SecurityMetrics now has, is endpoints available for clients. And that's what we do here in the SOC too, is the inbound and the outbound monitoring where we try to see the threat actor in the client's environment and try to notify them as quickly as we can. So these, again, are your usual suspects.

But today, what I hope you're here for, today I hope you're here for the unusual stuff. And that's what we're gonna spend a little bit more time on here in just a moment. But before we get there, on the next slide, we need to talk about why this is so complicated. And what's complicating these traditional attack surfaces is you have all these different verticals that you can collect data on, and that is a challenge for us here in the SOC is, well, what data do you collect on, and which data will give us the most value in doing our threat hunting?

Yeah. So there's a lot of things you can get a lot of value from, our network traffic logs, things like DNS requests, seeing what various requests your web servers are fulfilling, things like that.

Whereas, with things like client side controls, you may not necessarily have that level of insight, particularly for anything that's client or customer facing.

You may not necessarily have any kind of insight into those environments. So a lot of this is focusing on what's within your sphere of influence and control and trying to get visibility into that and drilling down so that you can get as much usable information from those things as possible.

Yeah. And really, Forrest, I mean, you kinda hit the nail on the head here. You mentioned it can get very complicated really quickly, especially if there's resource constraints or staff constraints or budget constraints or that technical knowledge to even know where to look and what vulnerabilities, what holes you need to plug in your environment. So it adds up real quickly and we don't wanna overwhelm people, but when you look at the nine, you see this pie chart, and this pie chart really helps drive home here on the next slide how big this system attack surface is.

Forrest, can you help explain why this attack surface keeps getting bigger and bigger, it seems, every year?

Yeah. There's a lot to keep track of, for sure. I mean, for instance, trying to keep track of, like, a device inventory, you know, having a list of all of your hardware, having a list of all of your servers or services that are being used, having a list of what software you use in those environments, knowing whether or not that software is actively being supported or if it's end of life.

Along with that, you know, being able to apply any patches that get put out for security, you know, managing user accounts and the credentials associated with that.

There's a lot that, you know, you need to be aware of there, because you can't really secure what you don't know you're running.

Yeah. And, you know, on top of all that, not just not knowing is part of the battle, but it's about having all these verticals that you need to consider as part of your threat modeling. And if you're not collecting data on it, or maybe you need to, you know, that's the kind of question that we need to figure out and that's the kind of stuff you need to answer. So the nice thing I mentioned earlier in the presentation is there's a lot of organizational bodies out there, and I mentioned the CIS, which has a list of critical controls.

So it kinda gives you a little checklist to go down, and in just a moment, we're gonna talk about threat modeling and the tools that are available. Free tools, there's tons of free tools out there that can help you with this process. But again, it's not just collecting the data, but then you have to have that element of monitoring, and it's something that Forrest and I do here, is being able to get in there and look at the logs and look for the malicious behavior. At any given time, there might be two hundred sixty different threats that Forrest and I have to look at, and that makes it even more of a challenge because you have to know a little bit about what the threat actor may be doing in the environment based on any one of those threat vectors.

So multiple verticals to collect data on. I think now's a good time to stop and talk about a poll. We're giving away stuff today.

It's pretty cool to be able to give away free stuff. We're giving away a book called M is for Malware, and if you participate in our poll, you have a great opportunity and a chance to win. So let's go ahead and throw up that quick poll and please participate. It's just something fun, trying to understand your attack surface. You know, if you have a lot of locations, it can really add up really quickly, your geographic footprint, trying to get an understanding of your attack surface. The more locations you have, it just means a lot more visibility and potential access points for the threat actor to get into your environment.

So definitely participate, please. Again, we're giving away that copy of that book, M is for Malware. It's a pretty cool book. I definitely enjoyed it. I hope you will too.

We're gonna do another poll here in just a little bit, and we're gonna have two polls today. That's the first one that we're gonna do, and then we'll do one more. So let's get right back into this. Again, we're baking a cake, and you gotta have the right ingredients, Forrest.

My gosh, we should talk about the risks. And, you know, trying to sum up how big the attack surface is, you kinda need to start with some of those risks. We took five of them, and we just wanted to highlight five. We're not here again to overwhelm you, but we wanna get this on your radar because you need to be thinking at least in these five realms. Alright? These five areas. Forrest, can you highlight some of the issues, some of the risks in these five?

Yeah. Most definitely. So the most prominent one, the first one that comes to mind for me, is typically network risks, you know, especially Internet facing. You know, what kind of exposure does your organization have to the world at large?

You know, getting a level of awareness of things like what IP ranges your organization may have, what DNS names you may have registered, any services that are exposed to the Internet, what ports are open and listening for requests from the Internet.

That's a huge potential risk exposure, and then there's things like systemic risks. So this is, you know, once somebody has identified one of your services, are they going to be able to try and tamper with that in any way? Are they running processes that they shouldn't be? Are they able to potentially capture any sensitive data on that service?

Are there data leaks on that service? So can somebody, you know, try and do some kind of injection attack, things like that?

Having that awareness of what's exposed and where it's exposed is monumental in these kind of endeavors.

And, Forrest, the list goes on and on. And it can go a mile wide, it can go an inch deep, or it can go like the Mariana Trench, it can go seven miles deep.

The challenge, of course, is knowing all these risks, and that's the nice thing. We mentioned that there's a lot of free organizational tools out there that you can reference to help you drill down into your network risks, into your system risks. Looking at these rogue operations that are going on in your environment, trying to get these exposed ports under control, and trying to understand what maybe some of your risks are in the registry. But there's other risks that you need to be concerned about too, and these need to be on your radar from a big picture category. Let's look at the next slide, risks number three, four, and five.

And these risks also kinda have to be in the back of your mind too when you're thinking about your environment.

Yeah. So for instance, data risks. Any risks to your data, is that exposed in a way that it shouldn't be? Are you monitoring for things like unauthorized changes?

So if somebody starts going through and changing files en masse, that could be a sign of potential ransomware.

Are file permissions in place, limiting access as they should be?

Can somebody inadvertently delete information that they shouldn't be able to? Not all risk is necessarily malicious.

There are definitely a lot of accidental kinds of risks that can happen as well. One example I like to underscore is the use of backups. If any of these things were to happen, is your backup process in place, and is it working? Have you tested it recently? The last thing you want is for disaster to strike and then try to recover from it only to realize that the backups that you thought were there are not actually gonna be able to do you any good. So that's a terrible situation to find yourself in.

What if your backup's been corrupted with malware, Forrest?

That's even worse yet.

It's like you restore it and all of a sudden you realize, oh my gosh.

We have malware in our backup. We're really, we're really in trouble now.

Yep. And, kind of piggybacking on that, is these user and group risks. So we talked about permissions, but are you controlling users' credentials?

Are they using secure credentials?

You know, do you have group policies in place?

Are you accounting for things like potential phishing?

Is there a level of security awareness in the organization, and giving users the tools that they need to be able to identify, you know, things that are out of place and report that?

There's all kinds of different things that go along with that that we'll get into a little bit further here.

Yeah. And, again, this list is not meant to overwhelm you in any such way. I know it may seem like that, but the bottom line is you have to have these in the back of your mind as you begin to build out your attack surface analysis. And that kind of drives us into our next slide, and we're talking about threat modeling and threat analysis, and really we could spend, Forrest, we could probably do another hour webinar on just how to do threat modeling and the different free tools that are out there to help you do threat modeling. So if you wanna see a future webinar, please let the marketing team know and we'll definitely hop on the mic and we'll try to explain how we do threat modeling. But I think this is a fun slide for us. You know, there's so many options. At last count, when I look at the different open source tools to help you with threat modeling, there's, like, at least twelve that I know of that could help you get that pathway to try to understand your attack surface.

Yeah. And looking at these, you know, these lists, it can definitely be very overwhelming. The thing that I like to boil it down to is two questions, and that is what are you trying to protect and what are you trying to protect it from?

Not everybody is going to be trying to defend against a nation state adversary.

So trying to implement security controls as though you were is an exercise in futility. So just trying to keep it simple, identify, you know, just what is it and what are we trying to protect it from.

Answering those two questions will help you vastly simplify your threat modeling approach.

And, again, we mentioned today's webinar is not about threat modeling by itself and attack surface analysis by itself. We can do an entire presentation on it, but really what we wanna think about is starting with the business. What does the business need to keep its lights on? And if you can get in there and try to follow the example on the slides here, we have seven different steps.

This is the real fundamental, basic process for threat analysis, but we need to mention that there are a lot of tools out there, and Microsoft has a free threat modeling tool. It's actually one of the oldest and most tested threat modeling tools on the market. It's completely free. It is open source.

It follows their methodology.

It's Windows based. It's really a nice, easy tool, in my opinion, to try to get into the shallow end of the pool of trying to understand your threat modeling. There's another tool out there that's free called CAIRIS, and I'm probably butchering the words, folks, I apologize. I have used this tool in the past.

It's another open source tool that's completely free. It does a really nice job of being able to help you really understand the system information in your environment, and then create attacker personas, which is really cool stuff to be able to do. So you're able to see what the attacker would potentially do in your environment, what the attacker's goal might be, what their resources are, and then their possible pathways of attack in your environment. And then the last one I do wanna mention is IriusRisk, and I should probably spell these for you.

I'm terrible at spelling here, guys. CAIRIS is spelled C-A-I-R-I-S, C-A-I-R-I-S, and I think we all know how to spell Microsoft. Irius is spelled I-R-I-U-S, I-R-I-U-S. And IriusRisk is pretty cool because it's really the next level up from Microsoft's free stuff.

So you could import the MTM threat modeling stuff that you've created in Microsoft's threat modeling, and you can then import it into IriusRisk. So, again, all free tools to help you do threat modeling, even OWASP. I mentioned OWASP earlier. They have their own threat modeling tool called Threat Dragon, which is pretty wicked stuff.

So with that in mind, Forrest, what do you think? What do you think about another poll?

Yeah. Yeah.

Let's go for it.

Let's do it, guys. Let's let's hook this up. Folks, we're giving away that M for Malware book and we'd love to give you a copy, go ahead and please answer this question, what attack surface risks are you most concerned about?

And again everybody's business is different, everybody's environment's different, if your crown jewels are really all about data then maybe the focus is on data, if it's more about network risks then that becomes your focus.

So again we're really glad you could join us today folks and we hope you'll, you'll get some value. If you'd like to continue listening to us, we do have that crazy podcast TV show on YouTube, Heffin Forrest, the cyber news stuff. So alright. This is what you came here for.

This is the this is the cake. We're now gonna bake this sucker, we're gonna bake this cake, we're talking about the unknown stuff. And this is the stuff that Forrest, it drives us nuts. I'm talking from a security operations perspective, trying to identify some of this unknown stuff, it it is absolutely a madhouse and we always want to start with the unusual suspects.

The unusual suspects are the things like you may not have thought about these ones in your environment. So Forrest, help me understand on the next slide Sarah, please, if you can try to explain for us to the audience the difference between this OT and IT unknown services.

Yeah. Yeah. IT, I'd like to think of as, the stuff that's that's, pretty apparent. It's the things that you're you're interacting with.

There's a level of awareness because it's very hands-on. You're talking about services that people interact with, the systems that they use, whether that's hardware, networking, things that are very apparent.

The OT, the operational technology, I usually think of that more as the processes or procedures behind things. If something has been stood up to do some kind of data processing, you shove something in and get a result out.

Usually, you don't see what's going on behind the scenes with that. All the user does is, you know, I do this thing and X result happens.

So that's kind of taking a look behind the curtain and seeing what those processes are.

Yeah. And some of you on the call have probably heard that term shadow IT. It's the stuff that IT doesn't know about that's running in the background. So we've classified OT as shadow OT.

So now you have shadow IT and shadow OT, and these are those things that Forrest mentioned are running in the environment that you don't know about. And oftentimes what happens is the business says, well, we're gonna go out and buy this, or we're gonna add this tool or hardware or software or this process into our environment, and nobody knows about it. It's not on anybody's radar from an attack surface perspective, but I guarantee you the threat actor will probably end up finding it. And the challenge with this, and here's an example: when you think about your environment, think about your HVAC systems, your boiler rooms, your power plant, your cooling systems; perhaps you have your elevators and escalators.

Well, a lot of those things were designed a long time ago, before the Internet and the capabilities of accessing those devices through Ethernet cables and so on. And what makes it challenging is these things are being bolted on after the fact. So imagine for a moment you buy this elevator a long time ago, or this HVAC system, and someone in maintenance or engineering says, we're gonna add on some Internet capabilities to it, but nobody knew about it. Right?

That's the kind of stuff, the shadow IT, that if you're not able to do your due diligence in your environment and map that on your attack surface, it can really come back to bite you. And sometimes it's not even those things, though. Forrest, I remember a situation where I had a client that was running a Windows XP machine in their environment, and this was just recently. And when you asked the client, well, why do you have Windows XP?

You know, it's no longer supported. And the client said to me that, well, we have a piece of software that only runs on Windows XP. The business needs it, and we know it's no longer supported, but there was no due diligence done on this piece of software, on this Windows XP machine, to say, hey, there might be some security risk here.

Might? There might. There are. And we need to talk about it. We need to get it at least mapped out.

So OT versus IT. Forrest, let's switch gears for a moment on this OT and IT and talk about why. Why is it so difficult, though, to get this stuff identified?

There's a number of reasons. On the next slide here, it becomes apparent that a lot of the time, you know, objectives need to be met. Organizations are gonna have different goals and deadlines and things like that. And a lot of the time, it's gonna be the path of least resistance to try and get that stuff done.

You know, if there's all these checks and balances in place that are adding overhead, a lot of the time somebody's just gonna say, nah, I'm just gonna get this done. And a lot of the time, you get things like: documentation is missed, things aren't added to inventories, nobody's aware that a system exists. I mean, you'll have something that's running in a closet somewhere that was set up a decade ago, and nobody has any idea what it is.

And, you know, it's this weird esoteric tribal knowledge, where one employee thinks back, oh, man, I think I remember doing something about that, like, fifteen years ago, but who knows? And it's interesting, as in the past I've done things like network inventories and system administration, where you're trying to track down what a device is.

Is this our device or is this malicious?

What's its purpose? What's it doing? That sort of thing. It's pretty interesting how time is, in some ways, our enemy in that regard.

Forrest, talk a moment. We had a use case where a client goes out and they buy, well, everybody wants security cameras in their environment.

And what ends up happening with those devices?

Nobody knew about it. We have security cameras.

Yeah. Somebody wanted to have some cameras in their environment and didn't wanna go through the proper channels of setting up a VPN and making sure that it was only accessible by people that had credentials. So, you know, it was essentially just opened up to the Internet, and you still see that even today.

You can go on Shodan and do a search and find thousands of these camera systems that have just been set up with no regard for security. And the big problem with that is, as time goes on, they're no longer being patched or supported, and exploits come out for those devices, and that then becomes a foot in the door.

Or worse yet, they left the default password on from the vendor, which was never changed, so that adds up. Alright. I know you guys wanna hear more of these unknown attack surfaces, and these, again, the unusual suspects. They gotta be in your thought process. So let's move on to the next slide and talk about infrequent devices, drive-by devices.

What is it? Sounds just like it sounds. Right?

Yeah. This is something that isn't always going to be present. So it's usually temporary or transitional, or, for instance, like you bring a contractor on board for a period of time.

Are their devices up to snuff? Are you applying any sort of security policies with them? How do you handle the credentials for those types of users?

A lot of this comes down to policies and enforcement of those policies, and making sure that those things are happening so that these measures that you're implementing aren't just completely undone when somebody cruises by with a device on the guest wireless and is then potentially opening up to all kinds of badness.

The nice thing about this area is there's a lot of autonomous systems that can be used for data management. The challenge, of course, is your own data protection, and when devices go on and off again, and you're not seeing them on the network as often as you need to, having the latest patches and infrequent firmware updates, all of this adds up into a complete, absolute mess for you in trying to map your attack surface. So as we move on to the next slide here, slide twenty-two, we're gonna talk about data stores for a moment, and we're kinda wrapping it up here. And the data store one is the one that a lot of people don't think about, Forrest. Why?

In a lot of ways, it's kind of evolving. You're seeing a lot more of these massive data lakes, data pools, if you will, where they're pulling together millions of records into these large indexable, searchable systems. And we've seen a lot of breaches over the last year and a half where somebody has, for instance, a Kibana system that's been exposed to the Internet, and all that data was then freely available to download.

So it's this desire to make that data actionable, and forgetting to include the security controls along with that.

Another example I like to use is the good-intentioned kind of backup. So say a user is worried. They wanna make sure that all their files are safe in the event that their computer dies, that they're gonna be able to recover from that. So they go out, they grab an external hard drive, plug it in, and copy all the files off.

Unfortunately, a lot of the time they don't have the security training to know that that external drive needs to be encrypted in some way.

So they back up their files, go home.

Their car gets broken into that night and that drive gets stolen. Now all that data is potentially out there, just because they wanted to make sure that they could continue to work in the event that something went awry. So it's easy for these things to go from a well-intentioned action to something that ends up stepping on a rake, so to speak.

Yeah. And we mentioned shadow IT, shadow OT, and I like to call this shadow storage. Because at the end of the day, you could have a lot of cyber governance and a lot of policies in place, but if people are willy-nilly plugging in USB drives and transferring data without your knowledge, you've got a huge data leak problem here. And it's bigger than that. Beyond all that, it's these unknown repositories: the employee leaves the company and you don't know that they had data stored on this particular server somewhere out there in the cloud.

And you may even have administrators who have access to a particular data store and left the company, or forgot about this particular data store. And the next thing you know, it's out there and it's never being looked at again. So these are huge operational challenges. And Forrest, I know you have a good example.

We talk about the physical side of storage too.

Yeah. A good example is just wandering around the office and seeing what unclaimed print jobs have been left behind.

You can get some pretty interesting information that way. You know? Oh, so-and-so is going to a movie on Friday. That's neat.

Kind of associated with that is how you're handling paper records. Are you actually shredding those? Dumpster diving is starting to make a bit of a comeback. So these old-school hacking techniques going back to the seventies and eighties are starting to come back a little bit more in vogue.

I gotta remind myself not to leave anything on the printer, Forrest, with you around playing printer bingo on us. Alright. So that, again, data stores, is another one of those unknown surfaces that you've gotta get on your radar. And as we move into the next slide here with IAM, which of course is your identity and access management, and specifically I wanna target API security, but before we do that: a lot of people might deem this as low-hanging fruit, but in my opinion, I classify the IAM stuff as very difficult to manage. And I do that because in the news, we're seeing more and more of these ghost attacks where the employee is no longer with the company. Let's talk a little bit about that for a moment from an attack surface perspective.

Yeah. You can have employees that have left the company or potentially been terminated.

Trying to keep track of all of the accounts that that person had can be quite a difficult endeavor.

There could be credentials to different services that are still being used.

Another instance that you see is, unfortunately, if an employee passes away, are those accounts being handled as well?

There's other instances where you have things like process accounts that aren't necessarily tied to an individual.

So it's more just a system account that is doing things autonomously. This is more kind of an OT kind of account, where you wanna make sure that the permissions that account has are properly scoped to the needs.

If it's only reading data from a place and then doing stuff on that, does it really need write access or administrative privileges? Probably not.

With things like API stuff, you start getting into making sure that the API tokens are rotated regularly so that, in the event of a compromise, it's not going to come back to bite you down the line.

There's all kinds of considerations there.

Yeah. Let's take a moment to talk about that API security stuff. So on the next slide, what we're referring to here is the complexity in this API stuff, and we saw this most recently in one of the breaches, and we'll talk about that here in just a second. But this stuff, Forrest, if this is not part of your security hygiene and you're not able to automate some of these processes and keep these things up to date, this can make a real challenge in your attack surface.

Yeah. You definitely wanna make sure that those types of credentials are getting rotated regularly, and preferably in a way that's automated so that you don't even need to worry about it. And I think a good example of this is with TLS certificates and Let's Encrypt, where when they create the certificate, it's only valid for ninety days. So rather than having to go through and manually roll this stuff all the time, it's pushing the pressure toward having it be short-lived and having it automatically rotated out, so that in the event any one of those were to get compromised, that can't then be used for future attacks beyond a certain time. I think it's a great example.

Also, for instance, with the SolarWinds stuff, you see organizations immediately rolling things like SAML tokens, just making sure that your credentials are being secured in that way.

There was a great lesson learned from that SolarWinds breach. And for those of you that remember what happened there, you have this threat actor who was able to compromise the certificate. So as SolarWinds is pushing out the update for their software, the update's compromised but also the certificate was compromised, so that challenge in there, thinking that you're getting a valid certificate and you're getting a valid update, really just made the whole SolarWinds breach that much more complex from a threat analysis perspective. So, interesting stuff, folks, and we have one final one. This is our final unknown attack surface, and it's really a known attack surface, but on the next slide we're talking about third-party risks. But I have to tell you, folks, this is so gigantic and it's so massive, you can spend decades trying to get all of these different risks under control, and we could probably, again, do another webinar just on all these risks.

Gives you a headache just looking at this slide. But this area is huge for us, and trying to get a handle on all the third-party stuff, I mean, the legal risks that you have in your environment, you've got your regulatory requirements, you've got your business, your industry requirements. Forrest, this is massive.

Yeah. It's pretty interesting. I like to do this in my personal life, where I go through and look at my email from years past and see what kind of sign-up confirmation things I have, seeing where I have accounts across the web.

And it's pretty interesting. I mean, I go back to email from two thousand five, and I'm finding stuff. And it's pretty interesting that you see a lot of these big data dumps and breaches of tons of user accounts and passwords for various services. And you see it pop up on things like Have I Been Pwned, or what have you.

And those old, ancient, forgotten accounts could be a source of information disclosure or potential credential leaks, things like that. So making sure that you're aware of what services you do have in your environment is very important there.

And I'll give you a quick example, folks. A use case that I had where we had a, oh, everyone wanted the soda machine. They wanted it connected to the Internet. Well, the vendor did.

Excuse me, the vendor wanted the soda machine connected to the Internet so they could process credit card transactions, but did not tell anybody. So they ended up hooking up the wireless access to it, and the threat actor was able to pivot from the soda machine into the environment very quickly. So that third-party risk is something that has to be on your radar, absolutely has to be under your consideration as well. So there you have it, there's our unknown attack surfaces. So what can you do about it is really the last part of the equation here.

So we've made the cake, we've put all the ingredients in, we've got the topping on it, we baked it, we're gonna pull it out of the oven, and now we're gonna put it into a box and take it to the shop to sell it. So here's a great slide. Let's go ahead: what do you do about it now, on the next slide? And there's a lot of things you can do. You can get overwhelmed really quickly, folks, but you don't have to get overwhelmed, and you don't have to because if you look at this slide here, on the next one please, if you see this defense in depth, if you start at the very bottom, what is the most important critical asset, your crown jewels?

Start with that. Really think about what is the most important thing that keeps the business running, that keeps the lights on. It might be data, it might be something else. And then what you can do is build out your threat analysis from there, and you can start to look at all the other areas and then start to think about what your defense in depth posture looks like going forward, multiple years from now. So we wanted to leave you with a few quick bullet points.

I know, Forrest, you mentioned scope creep, you mentioned turtles all the way down, you mentioned identifying and then trying to gain visibility into all these surfaces. You know, getting that inventory is a key part of it.

But on the next slide, here's some simple things. You start with the education piece, and you're doing that now, which is great. You have all these different governing bodies out there like OWASP and ISO and COBIT; they all have frameworks available. The CIS has a framework. The Center for Internet Security has a framework that can help you with this process. But at the end of the day, though, Forrest, I know you have your process too and the way you approach it. What are your thoughts?

Yeah. My thoughts are, typically, anytime you're approaching these sorts of things, you're usually not the first person that's trying to do this. So this is a problem that is being addressed all over the planet by people everywhere. So being able to find and leverage existing efforts in that regard is just gonna be a multiplier for the force that you're trying to apply to these things. You know? Don't try and reinvent the wheel.

I'd definitely stand on the shoulders of giants. You know? That's how a lot of these things are gonna be able to be brought under control.

Yeah. And from there, trying to pick out a threat model, it can be, again, many options to different folks. We mentioned a lot of those free tools out there that can help you start this process. Getting started is the hard part of the journey, but as we see on the next slide, some understanding is part of this process.

You have to remember that your attack surface is huge. It's not just what happens on premise; it's a lot bigger than that. It's the stuff in the cloud, it's the databases, the data stores that you don't know about, it's the infrequent devices, it's the folks that are working from home. And remember the threat actors like to pivot from your work life, from your home life, into your personal life, so you have to keep that in the back of your mind. We always recommend you bring on a partner, but if you decide not to, then there's some options here for threat modeling, and some of those tools, like Microsoft's free threat modeling tool and CAIRIS and IriusRisk and the OWASP Threat Dragon. Those free tools are great stuff, great starting points.

But as we see on the next slide, there's so many areas to collect data from, and knowing what stuff adds the most value in finding those threat actors is critical, because you have these firewall settings, you have system settings and services, system logs and COM objects and registry and network ports. I mean, all these ingredients you could throw into this thing, so you gotta know where to start. And we hope that you got some value today from this deck. Any final thoughts, parting thoughts here, Forrest?

Yeah. Going back to the whole cake analogy thing, I mean, when it came down to it for my wedding, I wasn't gonna bake the cake myself. That is for sure. So I definitely tapped the expertise of somebody else who does this regularly. So I think doing the same thing here is very appropriate.

Yeah. We always wanted to open it up for questions. If you have questions, let's go ahead, and, Sarah, if you're available here. We're fairly accessible tonight.

So if you do have a question after the webinar ends, please reach out to us. We'll do our best to try to answer it for you. And like I said, if you wanna continue the fun journey with us, we do have that crazy biweekly cyber news that we're doing on YouTube and Spotify and Stitcher and all those crazy podcasts, so please join us. So we're here.

Sarah, if you'd like to open up any of the questions?

Yes. So we have one that says: can you tell us about some weaknesses of TLS/SSL certificates and network traffic in transit, not about the weak versions below 1.2, but something else, if you have any such cases.

Oh, man. I was gonna go for the weak ciphers and implementations.

That's the majority of the vulnerabilities that I see in TLS implementations.

Thankfully, a lot of the libraries have done a really good job of shoring things up, as far as the level of scrutiny that they've received ever since Heartbleed in OpenSSL.

Some things that you could do, if you're particularly paranoid, I'd say, is looking at alternative SSL libraries, something like BoringSSL or LibreSSL, where they're specifically rewritten to kind of overhaul and minimize the attack surface, which is something that is pretty promising. I think you're gonna see some interesting things going forward with, for instance, the zero-response session reestablishment.

Oh, I'm trying to remember the name. I'm drawing a blank right now. But I think that'll be interesting to see, and I think that's currently in spec for TLS 1.3.

Great. Thank you. Another question we had was: what is the biggest weakness for small businesses today?

I'll answer one of those questions. I would start with, definitely, user education, user awareness. Just being aware is half the battle. You gotta think about your employees: they're your first line of defense, they're your firewall, they're your human firewall, and if you start with that part of the equation, that would be the first step. The second step is, we're seeing a lot of attacks where the threat actor's pivoting from the worker's home life and they're moving into, I'm sorry, yeah, they're moving from the home life into the personal life, and because employees are using the same logins and credentials for their Disney Plus account, their Amazon account, they're using the same credentials for their Netflix account that they use at work. And it's unbelievable to keep seeing this kind of stuff come up time and time again, but it really has to start with that education.

Please don't do that in your environment. From there, you can start to layer in some of the governance, the policies, and then you can layer in some of those technical controls. Forrest, what are your thoughts?

I would say that's excellent.

From a technical side, I would say probably the two biggest things: use a password manager and make sure your stuff's up to date. You know? Install patches, install updates.

I would say above ninety percent of the vulnerabilities that I see on a day-to-day basis are originating from unpatched software.

Yeah. That's a huge one. Real quick, before we wrap this sucker up: the COMB breach, which is a combination of breaches from 2016 through 2019. On the dark web, these emails that were all in this COMB breach are selling for about two dollars an email. And the reason why the price is so low, and that's a very low price for a hacked email as part of all these breaches, is because the folks are not changing their passwords.

So the threat actors think, well, for two bucks. And the fact is that probably some of the people have changed their password because they were notified by whatever company got breached. Again, it's a summary of all these breaches, 2016 to 2019. Well, some folks have not changed their password, and that's what the threat actor's counting on, which is why they're selling it for so cheap. So folks have to be aware of that kind of stuff.

Anything else, Sarah?

Yes. Any location where user educational data can be found, in search of trying to write training for users?

I'm not sure as far as from a business environment perspective. Typically, my experience with threat modeling at large has been more oriented in the privacy community, where we're advising people that are potentially working against, like, repressive regimes and things like that. But a good resource to kind of get started on these things, and put it in very simple terms, and it's not very wordy, not superfluous at all, is the Electronic Frontier Foundation has something that they call the Surveillance Self-Defense guide. Some of those are specific toward that kind of privacy aspect, but they do cover some things like threat modeling, and they do have some guides and advisories as far as software, securing communications, things like that. Heff, do you know of any better, more business-oriented kind of resources?

Yes. And I would highly recommend you all check out sans.org. SANS is spelled S as in Sam, A as in Albert, N as in Nancy, S as in Sammy, dot org. sans.org.

They have a fantastic, they have their own. They put together a monthly cyber awareness newsletter, they have a lot of free end-user training, they put together activities for Cyber Awareness Month that you can take into your environment. You know, little things like that make a big difference, and the fact that it's free. A lot of it is not specific towards each individual industry. So if you're looking for healthcare security awareness, it's gonna be a little bit different than, say, retail cyber awareness.

But the fact is there are a lot of really good things on there, and it's a great, great, great starting point.

So sans.org.

Great.

And with that, unfortunately, we're out of time. So those of you that we didn't get to answer, we'll be reaching out to you personally to answer your questions.

With that, we'd now like to play our Pulse demo video for you.

So thank you for joining us today, and please hang around to watch this video.

Today I'm gonna give you a brief demo of the SecurityMetrics Pulse product and walk you through some of the features and benefits of that product. It's really intended for CISOs and Directors of IT who are trying to get additional visibility into their extended network, such as branch offices, remote offices, and maybe franchise locations, that type of thing. Outside of your headquarters network, those kind of hard-to-see places that you have responsibility for.

Let's start off by looking at the Pulse dashboard.

The dashboard gives you a feel for how much data, how much coverage you have of your extended network. This implies that there's a community of nine locations in this medical group, and that seven of them are registered, and seven of them are online.

And so there's a map view here. It gives you a nice visual representation.

You can identify immediately those that are not participating and maybe come up with some strategies to engage those. You can also see, through the list view, those that are online and those that are not yet set up, and then be able to sort this list to troubleshoot any situation where you're trying to get that data coming into these SecurityMetrics SIEM tools, and be able to get the feedback from the SecurityMetrics Threat Intelligence Center. So that's the dashboard, the intent of the dashboard: make sure your program's running well, with SecurityMetrics working with you to make sure that each of those locations understands the benefit, and help them get their external scan set up and their endpoint software installed on their Windows and Macintosh computers.

Let's jump in and take a look at the security report then. So monthly, there is a security report that is generated to give you a point-in-time understanding of how you're doing from a security standpoint. And you can go back and look at the history of those, be able to compare your progress, and be able to identify immediate needs that you have.

Next we're gonna take a look at the exposure tab. This gives you an indication of how exposed each of your locations is from an external vulnerability standpoint.

And then each of your locations is comparable here, to be able to identify the set of critical, high, medium, and low exposures each of those locations has. This is a great way to maintain that security hygiene and to be able to spend your time where it can matter most. Let's take a look at the endpoint activity then. So SecurityMetrics has partnered with Sophos to deliver the top-tier next-generation endpoint security. And so we have that through Sophos. It's installed locally on each of the computers within each of their networks to be able to provide real-time protection at the endpoint. What you're seeing here is from the security report, to give you an understanding of the amount of activity from each of the endpoints at each of those locations.

And then, additionally, for each of those, there's the ability to look into the details associated with each of those endpoints.

We'll jump now to the location report. The location report is intended to be given to that location, or to highlight a specific location and identify the exposure and the endpoint activity associated with each location.

These reports can be sent to an IT person at that location, or an office manager, or a third party. And working with our support team, we can set up access for users to be able to sign in directly, to be able to look at these reports and to run additional scans, which takes us to the Data Security Tools section. So this is where you could run additional external scans and manage the vulnerabilities that you have within those locations. So in the Scan Management, you can select a location and then look at the scanners associated with that location. In this case, we just have a single external IP associated with this location, and we can look at the scans that are associated with that over time.

And we can also schedule additional scans to run, or run a scan right away. This is great for troubleshooting, to be able to make modifications and to make progress against eliminating those exposures.

Here in the vulnerability management page, we're able to look at all of the vulnerabilities across all of the locations, get a feel for the number of occurrences that have taken place and the severity, the risk level of those, and also identify which ones might be a false positive, and to do that across the entire organization or per location.

Well, I hope you've enjoyed the brief overview of the SecurityMetrics Pulse product line. We're excited about the products that we can deliver, based on the SecurityMetrics Threat Intelligence Center, that give you the ability to increase your visibility across your extended network and to improve your security overall.

We encourage you to visit the SecurityMetrics website, www.securitymetrics.com/pulse, for additional information or to request a quote.

Alright. With that, we look forward to having you participate in our next webinar. Thank you so much for your time today, and thank you, Forrest and Heff.

Yeah. Thank you for having us.
