Watch this to learn cybersecurity lessons from 2024 breaches and cybersecurity predictions for 2025 and beyond.
In this webinar, SecurityMetrics' VP of Forensic Investigations Aaron Willis and Deputy CISO Matt Heffelfinger discuss:
Heff: Hey Aaron, great to see you again!
Aaron: Good to be back, Heff!
Heff: We've got another exciting edition of our threat predictions, diving into the trends from 2024. We're not afraid to look back at our predictions and see how we did. What did we get right, Aaron, and what did we get wrong? That's what we're doing today. Analyzing trends is tough. I sometimes struggle to predict the future.
Aaron: Well, we got a few right, and a few wrong.
Heff: 2024 was just bonkers from a news perspective. We're constantly analyzing the news, the fieldwork we do hunting bad guys, and then trying to explain it all to you. It was insane!
Aaron: Yeah, lots of big cases, crazy hacks. We'll talk about some of those.
Heff: Change Healthcare, National Public Data, e-commerce attacks, SolarWinds, the LockBit takedown, CDK Global, those Ivanti zero-days, and seven telecom attacks! We'll try to make sense of it all for you today. We'll start with ransomware, which mostly targeted service providers and supply chains. The downstream effects of supply chain attacks are huge. Remember those East Coast supermarkets, Aaron?
Aaron: Yeah, that really messed things up. 2,000 stores, wasn't it?
Heff: Around 2,000 stores across multiple chains: Stop & Shop, Hannaford, Food Lion, Giant. Friends on the East Coast were telling me they couldn't even buy vegetables. Ahold Delhaize (I hope I'm saying that right) had their online grocery delivery, websites, and even pharmacy services knocked offline for days.
Aaron: Yeah.
Heff: In 2024, it took businesses an average of 194 days to identify a data breach, and then another 64 days to contain it! Insane! This highlights the fragility of the supply chain.
Aaron: How is the supply chain even holding up?
Heff: It's wild. Planning is key, and we'll talk more about that. But first, let's look back at our 2024 predictions. How did we do?
Aaron: We had several, mostly about AI. We predicted increased AI use in hacking. I think we even undershot that one.
Heff: Just a bit!
Aaron: Yeah, we nailed that one. We predicted more sophisticated, iterative attacks, which we even demoed last year.
Heff: And they definitely increased.
Aaron: They got more sophisticated. We've seen some hiding even in merchant website logos, with code disguised as image code.
Heff: Wow.
Aaron: We also predicted deep fake exploits.
Heff: We'll definitely talk about those. And Node.js vulnerabilities. What is Node.js, anyway?
Aaron: It lets developers make JavaScript portable for server-side and application use. It makes JavaScript, a web-based language, usable anywhere. We predicted an increase in Node.js attacks and vulnerabilities.
Heff: And we were right!
Aaron: Just last December, they announced a huge vulnerability allowing remote code execution and command injection.
Heff: Wow. What about e-commerce host breaches?
Aaron: We actually got that one wrong.
Heff: Really? We're actually admitting a mistake?
Aaron: In 2023, we saw an increase. We predicted it would continue, but it actually went down. E-commerce hosts did better.
Heff: So, more e-commerce breaches are happening in the browser, not at the host level. We also whiffed on crypto. Aaron, what was that prediction?
Aaron: Another miss from 2023. We predicted crypto attacks would rise, but they fell. We thought that was the trend, but in 2024, they just skyrocketed. Huge losses. A company in Japan had $300 million stolen! By July 2024, there were already more breaches and bigger losses than all of 2023 combined.
Heff: And it's not stopping. We should also talk about the biggest 2024 breaches. Before we get to the top two, there were record ransomware payouts and a record number of active ransomware gangs. They're not going away anytime soon. In February 2024, that was announced. But the shocking statistic came in October: the highest number of active ransomware groups ever recorded! That's how dangerous it is right now. We did have some good news with LockBit.
Aaron: Yeah, LockBit got taken down!
Heff: A global takedown by law enforcement. But taking down the big dog creates a vacuum and opportunities for smaller groups. Then you add AI, which is lowering the barrier to entry for these ransomware groups and widening the pool of bad guys, plus recruitment of young people…
Aaron: And ransomware-as-a-service.
Heff: And phishing-as-a-service was very popular this year. We'll discuss big-name companies involved in ransomware events—we call it big game hunting. You'll definitely continue to see these attacks.
Aaron: Yeah, ransoms over $1 million.
Heff: But small and medium businesses aren't off the hook. AI is still going to be involved in all of this.
Aaron: Definitely. One of our 2025 predictions is AI-assisted malware, especially in ransomware. AI can analyze leaked data on the dark web.
Heff: Yeah.
Aaron: It used to take someone manually sifting through that data to find exploits. Now AI can do it, analyzing huge datasets and finding exploitable vulnerabilities, producing thousands of potential targets.
Heff: So they have scalability.
Aaron: Yes.
Heff: Not very pleasant news. Two breaches really stand out. The largest, based on records lost, was…
Aaron: National Public Data.
Heff: NPD. 2.9 billion records!
Aaron: Staggering.
Heff: Lots of PII, Social Security numbers. Everyone in the country is probably affected. I was personally ticked off by this one because of how National Public Data operates.
Aaron: They're data scrapers.
Heff: Yeah, a background check company. They scrape public data. It's not illegal, but it's shady. They scraped, allegedly, 2.9 billion records. They blamed a third-party attacker who supposedly hacked them back in December 2023, but we didn't even know about it until August 2024. The fallout was shockingly low. It was kind of glossed over in the news.
Aaron: I mean, who isn't used to having their data stolen at this point?
Heff: Yeah, right. So, National Public Data, probably the largest 2024 breach based on records taken. The second breach I want to call your attention to is…
Aaron: UnitedHealthCare.
Heff: Yes. They have a subsidiary named Change Healthcare, and Change had over 100 million records lost. We're talking PHI, folks. Protected health information. How it happened was interesting—stolen credentials.
Aaron: Yeah. No MFA in place. No multi-factor authentication.
Heff: A big company like that not having multi-factor authentication is a huge disappointment. Stolen credentials from an employee allowed the threat actor to pivot into the environment and steal so many records.
Aaron: One-third of all Americans, I heard.
Heff: Oh my gosh. I know this personally impacted me. I had family that were going to the pharmacy and they couldn't get their prescriptions filled. Doctors were like, "Well, we'll just write out your prescription on paper." This was really all about business continuity more than anything.
Aaron: There was a ransom on this one that they had to pay out, right?
Heff: It was about $22 million.
Aaron: Yeah, $22 million, something insane like that.
Heff: The fallout from this, Aaron… I'm not just talking about breach notifications. You may have gotten one back in October.
Aaron: That's still ongoing.
Heff: Yeah. And the fallout about, you know, "Are you hip to HIPAA?" because the rules are changing, folks. New HIPAA rules were introduced. We have to talk more about that here in a minute. But it's all about really understanding business continuity and having those protections in place. Just a lot of news happening and a lot of changes. Speaking of change, health care, a lot of changes coming down the pipeline, especially from a legal standpoint, the new laws, new regulations, new privacy laws from all the states…
Aaron: The new administration coming in, some heads have rolled there.
Heff: Yeah. The new administration is already taking action and firing an entire board of investigators that are investigating Salt Typhoon, which is a hacker. And what's interesting about that story is the people that serve on the board. It's like a who's who.
Aaron: Yeah, big names.
Heff: All told, they're no longer needed. Their services are no longer needed. So we have so much to get into, though. And I know folks are dying to know what are the rule changes? What's the new stuff happening with PCI and HIPAA and PHI and of course PII? We got to talk about all that stuff, the fallout from United HealthCare. Unreal. What is going on in the world of regulations? Because I know there's a lot that you're in tune with and there's some that I'm in tune with.
Aaron: Yeah, there's a lot coming out from the FTC. New stuff from the DOJ. SEC is a big one. Yeah. Especially in how crypto is being regulated. You know, typically in the past it's kind of been regulation by enforcement.
Heff: Yes.
Aaron: Some of that stuff is changing now.
Heff: You're seeing really an increase, Aaron, of aggressive… going after… aggressive enforcement of all these cybersecurity regulations and data privacy rights. And I always thought it was interesting, you know, at one point in time the government agencies would go after the CISO or they would go after the CEO. And now you're actually hearing about them holding the corporate entity liable for mishandling data, not responding to cyber attacks in time, not having internal technical controls in place, and just violating consumer privacy and consumer trust. So you're hearing a lot more about these agencies getting more and more active.
Aaron: 19 states passed additional regulation and comprehensive data privacy laws. So there's a lot to take in there.
Heff: Oh, wow! And imagine, I mean, if you're a business owner watching right now, or maybe you're on the IT team, you're wondering to yourself, "19 states have passed and enacted new privacy laws." I'll tell you what. Getting a handle and knowledge of that is critical to protect your business. But most of these laws that are getting passed, they're a patchwork of legislation. They don't match each other. You know, one state operates differently when it comes to handling privacy. So for you at home, knowing what the privacy laws are that are relevant to your business and the state you operate in, or if you have customers that operate in those states, you really have to be in tune. What's going on? Lots of things are changing fast.
Aaron: Yeah. And, you know, lots of changes in HIPAA and new HIPAA requirements. First major overhaul in over a decade.
Heff: Yeah. And I'll tell you, it's a very noble attempt. Obviously the Change healthcare breach impacted a lot of people, affected a lot of people's lives. But the way that this is being rolled out, you know, it affects every… if you're in health care, if you're in that space, you're operating in the health care space, you're really impacted by it. And knowing how that impacts you and knowing what the new rules are, there are things in there, folks, that are… It does not matter if you are a $1 billion health care entity or you're just a small mom and pop office somewhere, you have to know the rules and the changes that are happening.
Aaron: You're going to have to know about encryption. You're going to have to know about multi-factor authentication, regular security audits.
Heff: Yep, yep. Restoring everything within 72 hours is another part of this. Again, there is so much going on in there. And just getting to know what's happening is important. If you're not clear on and you're not hip to the new HIPAA rules, give us a call, pick up the phone. This is one of the areas that we specialize in here at SecurityMetrics. But we are also specializing in PCI and, you know, we've been doing that for a long time here. We have over 20 years of experience in PCI. I know there's a lot of changes. Can you kind of summarize for the audience if they're not aware of what's happening, the latest stuff?
Aaron: Yeah, so we've got PCI DSS 4.0 coming out. And this really addresses those iterative attacks that we were talking about last year. Where attackers can come in, they can inject something on the host page of the checkout, that checkout process in the browser. A lot of merchants have moved over to iframes, which is what we want, right? Iframes are fantastic. However, if a bad guy can get into the periphery around that iframe, they can inject code in there and do stuff to mess with that iframe and eventually pull data out—credit card, name, address, phone, all that stuff that your customer is typing in is vulnerable, and iframes aren't protecting that. So, two major requirements have changed, notably 6.4.3. That's the requirement that basically says you have to know what is going on in your checkout process. You have to know what scripts are running. You have to make an inventory, show what's authorized. And basically have a good understanding of what's going on there. Couple that with 11.6.1, which is monitoring. Not only do you have to know what's there, you have to monitor it to make sure nothing has changed. So, if something happens, you're going to catch it like that and mitigate any damage done, if somebody is able to get a third-party script in or break into the website and put in a script that's going to alter the iframe source. So you've got to monitor that so it catches it right away.
Heff: Wow. What is the deadline for implementation of these two new requirements?
Aaron: It's coming up. It's coming up fast. March 31st of this year.
Heff: Wow. It is coming fast. So what you're essentially saying is if you're not in the know, start becoming educated. And the way you can do that is if you visit our YouTube channel, we have tons of excellent free content to help you get in the know about these new PCI changes. In addition, we have a fantastic guide that you're welcome to follow and download completely free. The amount of changes that are happening in the security of the e-commerce cart is absolutely bonkers. I know that there are a lot of interesting questions, things that are happening in the world of Magecart. Who's the bad guy? E-skimmers. Can you give me some stats? Maybe around what's happening out there?
Aaron: Well, we continue to see Magecart e-skimmers appearing everywhere. You know, this is a very active group. Really kind of an umbrella. You know, we, a lot of people, are operating under the Magecart umbrella. But infections are surging and reaching nearly 11,000 unique e-commerce domains.
Heff: Wow. So I heard something like in 2024, there were something like 269 million card records, credit card records being sold on the dark web right now. And that's not going away anytime soon. It just seems like it's getting bigger.
Aaron: Yeah, that's a threefold increase over 2023.
Heff: Goodness. This is insane. The number of threat actors that are targeting e-commerce platforms. And I think what's really cool is our work in that space. I know we have a product called Shopping Cart Monitor. It's one of those kinds of tools, folks, that can really try to identify the threat actor that is inside your shopping cart and potentially doing these digital skimmers. So…
Aaron: Yeah, the Shopping Cart Monitor is a fantastic tool that we've come out with that's going to help people with those requirements like 6.4.3 and 11.6.1. Shopping Cart Monitor is so easy to set up, too. We basically need your URL, and we will simulate your checkout process and find out if there's any weird things going on that run against your baseline. We start with a baseline so we know you've got some good code there, and then we're going to go in like a secret shopper, almost, and go in and check all of those scripts, take an inventory of what's there to help you meet those requirements. And then we're going to run that over and over again. And if anything changes or anything weird happens, we're going to let you know right away.
Heff: It's a fantastic tool. We have some predictions, though, when it comes to e-commerce. And we have to share at least three of these predictions. What are some of the things you're seeing changing in our industry right now when it comes to the shopping cart?
Aaron: One of the things that we predict is that a lot of merchants are going to scramble…
Heff: Scramble last minute.
Aaron: Yeah, especially smaller merchants that, you know, haven't been working on it or don't have a team that's been working on it. This date is coming up fast. And so our prediction is that as that deadline approaches, a lot of people are going to be scrambling to get that in place. Lots more digital skimming is going to happen. And so we've got to have Shopping Cart Monitor, Shopping Cart Inspect, which goes hand in hand with Shopping Cart Monitor. That's real people. Eyes on glass. People on my team. They go in and look at your shopping cart. We also know that there's going to be an increase in companies working on good solutions to try to harden those iframes because we do like iframes. Iframes provide a huge benefit. We're going to see something called armored iframes coming out.
Heff: Armored iframes! I love that term. That is fantastic. Can we just call it Sherman tank iframes? What's armored iframes?
Aaron: It's… there are different ways people are using that term. But it's the basic idea that there are going to be extra layers of security around the iframe that are going to try to stop attackers from changing that source or trying to get an overlay over the top of it, things like that.
Heff: Very cool, very cool.
Aaron: Some merchants are going to say that's just too complicated. They're going to give up, and they're going to say, you know, we're just going to switch over to full payment redirects where we just send our customer off to somebody else's website.
Heff: Pretty good prediction. It's too complicated, I'm going to move on. I'm just going to have the merchant handle it. What else can we talk about in terms of predictions here? I know planning is important. We mentioned that deadline, March 31st, is coming up. What is the secret to success? What's the secret sauce here of getting a handle on all these changes?
Aaron: The earlier you begin prepping and planning for the PCI compliance stuff, the better.
Heff: That's a great way to say, hey, pick up the phone and give us a ring. There are some other things happening in the world of trends, predictions. I, you know, we mentioned so much about planning and preparing. I just think this past year, when you look at it, there was so much bad business continuity planning and companies that had poor due diligence. Just overall, you look at it, you scratch your head, Aaron, and it's like, how did this even get to this point where it's in the news every day talking about this company dealing with an issue?
Aaron: Yeah, we saw companies go bankrupt. We saw companies lose tons of market share.
Heff: Insane! CrowdStrike… It was in the news. You probably have heard about it because it involved an airline called Delta. This happened back in July of 2024. About 8.5 million Windows devices were disabled worldwide. And originally, we had thought, well, this is a Microsoft problem. So a Windows issue, and that wasn't the case.
Aaron: Yeah, I mean, it even affected me on my home systems where I was running CrowdStrike.
Heff: The blue screen of death.
Aaron: Yeah. I came in and had a blue screen there. You know, luckily I knew how to get around it, but if you didn't, you were calling somebody. That was costing you money.
Heff: So this is about CrowdStrike pushing out a bad update. And then all of these companies that use CrowdStrike as their vendor, they ended up having problems. And Delta was the one. And this thing really set in fast. It was amazing how many companies, just one after another, just kept going down. And I thought it was kind of interesting. You know, we try not to make light of situations like this because a lot of people were stranded in airports, a lot of people had problems, but they actually got an award at…
Aaron: Epic Fail.
Heff: Yeah, they got the Epic Fail award, folks, at Black Hat, and the CEO of CrowdStrike came up on stage and accepted it very humbly, getting the Epic Fail award at Black Hat. So this shows the importance of business continuity planning…
Aaron: And checking! And test, test, test any changes first!
Heff: Yeah, you have to test the updates before you deploy them. And one company, in particular, we mentioned, Delta, did not have that business continuity planning in place. And boy, the impact on them again, painful, absolutely painful. You know, and the way this all went down, Delta then starts to blame CrowdStrike. CrowdStrike said, nope, we have an SLA. We have a service level agreement with you that absolves us from being in trouble. And we're not responsible for you, Delta, not testing the patch before you deployed it. And of course, now it's in the court system, and you have a lot of slinging back and forth. Delta, the airline, is accusing CrowdStrike of misrepresentation, gross negligence, computer trespass. It's just a really messy situation.
Aaron: Lessons learned. It's not if, it's when.
Heff: Yeah. So for you as a business owner, it's about ramping up your due diligence. It's really about, you know, before you bring a vendor into your environment, spend some time researching that vendor, understanding what the SLA is. It doesn't hurt to redline parts of that contract that you do not agree with, but you've got to understand. 2025, these outages will continue. In fact, I'm predicting you're going to see even more outages, IT outages. Plan for it. It will happen.
Aaron: What's that old saying? You can't plan never to fall, right? You know, you have to plan to fail gracefully.
Heff: I think it's also important here to talk about, you know, I realize a lot of our clients have maybe one IT person to handle all of that patching that has to get done. Or maybe you have a managed service provider. Maybe you're lucky enough to afford that. But, you know, getting on top of that and knowing everything that's happening in your environment, every piece of hardware, every piece of software, knowing what is running the latest version or not, this is something that we're specializing in here at SecurityMetrics. We've got a platform called Pulse, and that's the division that I head up. I head up the division that looks at security operations, services, and they're very inexpensive. And it's one of those things that will get you a baseline of all the hardware and software in your environment. And then it helps your IT person, your one IT person, start patching and getting a handle on it before bad stuff like this can happen.
So there was some other stuff in the news. And more trends, more things happening. Aaron, we keep seeing the same types of attacks. The bad guys are finding the same doorways.
Aaron: Yep. Spear phishing. Still going on.
Heff: Exhausting. And that, my friends, there are two types of attacks in particular. The first one Aaron mentioned is spear phishing, and the big dog on the planet, Microsoft, got impacted by a spear phishing attack. What do we mean, though, when we say spear phishing?
Aaron: Well, phishing, in general, can mean just tossing out a bunch of emails, seeing who bites, right? Spear phishing is targeted. You're looking for a specific individual or person in a company that has critical knowledge, that has the keys to the kingdom, has the right credentials, something like that. And you're going to dig in and really try to work a specific person.
Heff: So I know you have a good example from your personal life, and I want to share that with you all. But I want to mention Microsoft. In November of 2023, Microsoft discovered this spear phishing against their company, but they didn't actually announce it until January. We know that the threat actor was called Midnight Blizzard. And what ended up happening is Midnight Blizzard basically did some spear phishing. They were able to access some Microsoft corporate email accounts and documents, and then from there, they were able to access source code repositories and internal systems. And then they pivot and they start doing this password spray attack, and they start basically brute-forcing passwords to try to get access to a legacy tenant account. And then from there, there was no multi-factor authentication.
Aaron: Imagine that! No MFA.
Heff: Microsoft with no MFA on that, allegedly. Allegedly from the report. So we do know that this group, Midnight Blizzard, this is their primary thing, and they love to spear phish, but this is not going away. I mean, with AI, you're able to, you know, make it even more deadly.
Aaron: Now, you mentioned a personal one. My wife, she is a power seller on eBay, sells thousands and thousands of products every year. She recently got a text on her phone that identified the product she had just sold on eBay. Within hours, it had identified that product, where it was going, and said, "There is a shipping problem, click here." And, you know, luckily, you know, she almost clicked on it, but she was like, wait a second, this isn't the phone number that is associated with this. This, you know, if I get something wrong with shipping, it comes to this email, and there's nothing there. Oh my God, that's how she had me look at it. And I was like, this is a crazy good phish. You know, this is spear phishing. It had her name. It had the specific item she just sold. And it was
Heff: ...It was just somebody mining that data off of eBay.
Aaron: So using AI to mine the data to craft individual phishes specifically targeting the business owner. Again, folks, the stuff is so complex. We're going to spend some time talking about it. But I do want to mention, obviously, starting with security awareness is important. So training once a year is not enough anymore. Right. And we do have some fantastic training products here. But at the end of the day, if you're doing that phishing training just once a year, you need to really expand that a little bit. And "expand that" means in your startup meetings, take a minute or two and show your staff the latest phishing examples that are happening in the news. One thing that I recommend you do is sign up for our Threat Intelligence News email. It goes out every Wednesday or so, and it shows the latest examples. And you can take those and within a minute, just show your staff once a week, every, or in every staff meeting, or post the example in your employee break room. Again, it just gets them more engaged and more talking about it.
Aaron: But these spear phishing attacks are going to get so much better and so targeted. We made this prediction last year.
Heff: Yes, we did!
Aaron: That we'd see deepfake attacks, AI-driven deepfake attacks. Yeah. It's funny, just after our presentation last year, there was a Hong Kong attack where the bad guys literally spoofed a video conference with the CFO being spoofed. They had a fake video person…
Heff: So it looked like the CEO.
Aaron: CFO. Yeah. And they had a specific person in the company that they were targeting, and they got that person to send $25 million out of the company with a fake video conference. Can you imagine how brazen that is?
Heff: It is absolutely brazen! And I think that's a huge, important piece about phishing, is understanding the attack surface is no longer a simple email. It's no longer a simple text. Those days, folks, are long gone. Now, what you're looking at is going beyond business email compromise to include audio deepfakes, where your voice, the business owner, or your supervisor's voice is used. The bad guys go out, they grab a snippet of audio, they replicate your voice, and then they make phone calls to your employees. For example, maybe they call the accounting person, "I need you to send a payment right now." Okay? No problem. It sounds like you. So you really have to be on top of having policies in place and having checks and balances like, well, how do I know this is you? What's our secret word? Right? I mean, that's one way you can do it, but you've got to show your staff these examples that are happening.
Aaron: There's such a huge data set to where the attackers are gleaning all of your information. You've got social media, you know, your Facebook accounts, your Instagram accounts, all that data that you're putting out with your kids and your family life or maybe stuff that you post on LinkedIn. All these things are just data sources that people can use to really manipulate AI to create these deepfakes.
Heff: And I will also share this with you. An interesting statistic from 2024. We know that 68% of all data breaches in 2024 involved some sort of human error.
Aaron: Like social engineering.
Heff: Social engineering. Yeah. So just imagine you're putting out all this content on your social media profiles. Bad guys are using AI to mine all that data and then to craft a spear phish that specifically targets you, either through a phishing email or through a deepfake. Again, you just have to really be on guard. And it means teaching your staff on as many opportunities as you can to identify these types of things that are happening out there. So there was an interesting, or the second type of most common attack…
Aaron: Credentials.
Heff: ...was credential theft and compromising credentials. And that caused another very popular breach in the news called Snowflake.
Aaron: A cloud data hosting company.
Heff: Which is a cloud data hosting company. And now this was probably one of the most interesting attacks because Snowflake has a lot of big-name companies that use their services.
Aaron: 165 company accounts hacked.
Heff: 165. So Ticketmaster was caught up in this. And, you know, again, Snowflake was interesting in that they had this info stealer that was used against them. The legitimate credentials were stolen. The threat actors log in, they start stealing data of the clients they help and serve. And that's where it went off the rails because you have companies like Ticketmaster and these banks that are using Snowflake's tools and products, and it's not just about compromised data, it's really about the impact of how these supply chain vulnerabilities go and how deep it goes. This happened in June of this past year. And I'll tell you what. What I found fascinating is how Snowflake tried to pass the blame. Did you see anything about that in the news?
Aaron: Yeah, more blame game going on.
Heff: Yeah, it's not our fault. It's Ticketmaster's fault. They didn't have this turned on. They didn't have this activated. They didn't have this policy or technical control in place. So again, more of these vendors are passing the buck, pushing the blame back onto you, the business owner, and you really have to be on top of this. You've got to have the most basic cyber protections in place, too.
Aaron: Gotta have MFA.
Heff: Yes. All right. We've got to talk also about another password leak. This was another big one. I want to call it RockYou. But it went by a variety of names. Aaron, back in June of 2021 was the initial data set. Then fast forward in time, and we see the second set of data, and it was about 9.9 billion…
Aaron: 9.9 billion passwords.
Heff: That's a lot of passwords, folks. And this was released in July of this past year. Now there's a lot of controversy and all this because people are saying it's just garbage data. It's just passwords from years and years ago all put together. But regardless, Aaron, I mean, if you're reusing passwords…
Aaron: Oh yeah. Not good. Well, it gives the attackers a data point. If they've got a base password that you've ever used, with AI now they can come up with some derivatives based off of that one password that you used ten years ago. And they just make, you know, so many really good derivatives that are probably ones that you're going to be using.
Heff: And I see so often with our clients where they have a lot of staff, and the staff is reusing their passwords from work and at home. And again, that's just a best practice. You need to have a policy in place that says, do not do that. All right. Do not reuse the same passwords. But there were some other stories that caught our eye, caught our attention, Aaron. The vulnerabilities and zero days… The numbers just keep going up.
Aaron: These numbers are staggering, Heff.
Heff: Staggering. And you know what? Trying to get good data to share with you all is tough. How many vulnerabilities would you say there were in 2024? Do you know?
Aaron: 52,000?
Heff: I heard 52,000. I've heard some people say less than that. But the reality is it's not just the vulnerabilities. Then it's the zero days that happen. And could you kind of just explain what a zero day is? Because some of us may not know.
Aaron: A zero day is when attackers find an exploit and nobody knows about it.
Heff: So there's a window of time. The bad guy has to use that vulnerability against all of us.
Aaron: Yeah. And they may get in and be in the systems and just running amok before anybody knows. And I happen to remember that timeframe we mentioned earlier, 192 days…
Heff: 194 days in your system, snooping around.
Aaron: Those were likely zero-day attacks, ones for which no patches were issued. Nobody knew about it. Somebody just found some way to get in. And they came in and did all kinds of damage before anybody detected it.
Heff: So allegedly, last year, there were about, I want to say there were about 29,000 vulnerabilities. And this year there's 52,000. Let that number sink in. We're going from 29,000 to like 52,000 vulnerabilities. And if you have a small IT staff, imagine you're having to do all that patching, all that work to try to get and make your business safe. But there were these zero days, and we know in 2024 the official numbers have not come out yet. We estimate there were about 90 or so zero days in 2024. That's a lot of zero days. That's a lot of opportunities for threat actors.
Aaron: And a lot of these threat actors are coming from China and Russia. You know, these are big nation-states that have, you know, what chance does your business have against China, right?
Heff: 14% of all attacks involved security exploits in 2024. And that's three times the number in 2023. So there's a lot of work to be done. There's a lot of patching to be done. I will tell you this to a lot of people. A lot of business owners have a misconception. "I own a Mac, I can't be hacked. There's no hacking of Macs," but there were like six zero days just for Macs in 2024. So it's not going away. The widespread exploitation is getting to dangerous, unprecedented levels.
Aaron: And the truth is, businesses of all sizes need help.
Heff: And they do. They do. So really get a handle on that. Have that conversation with your IT person. And again, we have this product here, SecurityMetrics Pulse platform. We identify the vulnerabilities. We give your IT person a proactive patch management tool. And we also have a fantastic pentesting team that will get in there and help you identify some of those hidden doorways that you may not be aware of. Again, pick up the phone, give us a ring.
Aaron: I will tell you, though, there's some disturbing stuff, Heff. This is the disturbing portion of the presentation. I actually got a little tongue-tied, you know, trying to think about this, how complex these cyber attacks are happening. You had mentioned the complexity with the e-commerce platform. It's just the attacks are so pervasive, so intricate, the amount of time it takes to contain this stuff. Now, an average of 64 days, folks, 194 days just to identify it, and then another 64 to contain it. It's a challenge. A lot of vulnerabilities, a lot of stuff to patch. My prediction is we will have more zero days in 2025. We will smash the record for 2024. So should we switch gears for a moment? There were some other things happening in the world. I know you love talking about AI, and so do I. We can't get out of not talking about it. What's the impact that we're seeing? Some of the AI news that happened.
Aaron: Well, we're seeing lots of companies throwing AI labels on everything, right? Yeah, but AI is starting to mature. We had a very interesting case just this last year where a merchant wanted to save a few bucks, decided to create their shopping cart using AI.
Heff: What?
Aaron: And so from start to finish, they used AI. They generated all the code, and they tested it to make sure it worked. And it worked.
Heff: Wow.
Aaron: But then they were calling us because they got a data breach. And when we went in and started, you know, doing the forensic analysis, looking at the code, we found all kinds of code libraries and things that really didn't make any sense. And we asked the programmer, and he didn't know. And we found out that it was all generated by AI. And while it worked, it did not have any of the security mechanisms in place necessary to prevent, you know, things like code injection, SQL injection. Those types of things. So AI is really at a point where it can help a good programmer be a lot more efficient and effective and get that job done quickly and cheaply, yet still maintain the quality. Yeah, it's not at a point where you can just say, give me some code, and I'll go throw it out on my production server.
Heff: Imagine if that customer would have called you ahead of time before they deployed that. Imagine the savings.
Aaron: If we'd had 30 minutes in there, we kind of said, you know, this looks great. Where are you doing all of your data sanitation and validation? Yeah, because there's none of that going on.
Heff: I feel like, Aaron, they're throwing the AI label on everything. I mean, it seems like every app now has AI, and I've read something like 5,900 apps currently have AI built into them, which then you think, okay, what's the trickle-down downstream effect where you have employees that are using AI, and perhaps you don't have an AI acceptable use policy. It's not like you can stop it at this point, right? I mean, there's just so much AI on everything.
Aaron: Oh, our kids are using AI for everything, too.
Heff: Yeah.
Aaron: Their teachers are pulling their hair out at school.
Heff: So I guess, you know, what it comes down to is not being able to stop AI, but at least you can put some guide rails, maybe some policies, in place. And, you know, this is one of the things you can call us here at SecurityMetrics for. We'll give you a complimentary policy that you can adjust and modify for your business. But at the end of the day, it's really about giving your employees that guide rail to say, okay, this is what's acceptable for using AI. We're not going to take sensitive employee business data, sensitive business data, customer data. We're not going to put that in the AI because…
Aaron: It goes out on the cloud. And who knows who's going to view it from there.
Heff: And who knows if they're training their AI models, their large learning models, on your data. Imagine that, right? You don't want that to happen. So really get a handle on that because I'll tell you, folks, these large learning models, they're maturing, but they're not at the point where they're perfect. There's a lot of noise in there. There's a lot of problems with risks and privacy concerns. Bad code, bad policy.
Aaron: Wasn't there that case where AI was doing the resumes? What was that?
Heff: Yeah. So there was a vendor that was using AI to screen their candidates, and they realized that it was rejecting qualified candidates, and then it was inserting age bias into it. And then there were instances where they were not able to tell whether or not the candidate was a real person. They ended up sending a laptop, and again, this is a working remote position. So they sent the laptop to the employee, who was actually an AI-generated person. And it ended up being, I believe, a North Korean threat actor.
Aaron: AI got the job?
Heff: AI got the job, right. Yeah. So again, a lot of risk here with AI-powered disinformation and deepfakes, you know, spoofing job candidates and so much, a lot of third-party risk, really understanding AI before you bring it into your businesses. I think it's critical understanding the technology before you make that decision. There's a lot of changes coming to AI, by the way, and that is regulations, crackdowns. The SEC is working on some of that stuff. The EU has these new AI rules. It's a really big impact on GDPR. Having an understanding of all that stuff is important. I will tell you that the amount of new technology that's out there that you could possibly bring into your business, you've got to do that due diligence before you do that, know the risks before you bring it in. So, there are a couple of other things happening in the world of AI trends, and a lot of it revolves around training users and knowing, like, is this the right thing? Is this the exact thing you want your employees to do when it comes to using AI?
Aaron: AI is a powerful tool.
Heff: Very powerful.
Aaron: And I think it's a losing battle if you're trying to ban it. Your employees are going to figure out how to use it because it saves so much time, and it is getting better. And so we need to implement policies and procedures in our organizations rather than seeking to ban it, train our people to use it correctly so that it's not getting us in more trouble and that it actually proves to be an asset and, you know, more beneficial instead of hurtful.
Heff: Yeah, yeah, I'll tell you that. We have a couple of AI predictions around here, and I think some of these are pretty darn good. Aaron, if you don't mind sharing a couple of them, you did mention the stuff about ransomware being used, AI being embedded into ransomware and AI being embedded into phishing. But what else is there going on?
Aaron: Malicious AI specifically identifying and targeting key employees. We talked about that, major poisoning attacks of data sets.
Heff: Ooh.
Aaron: That's one I think that we're going to see if not this year, soon after. This is where the models used to train the AI, the machine learning algorithms, those data sets are going to get poisoned so that the AI shares misinformation or…
Heff: Disinformation.
Aaron: ...incorrect things or has bias in it or even tells people to do dangerous things.
Heff: ...That'd be terrible. Well, besides all the stuff that's going on in the world of AI, I know you're probably also wondering, well, you mentioned crypto. You have a prediction about crypto? You're a big crypto guy.
Aaron: Yeah. Blockchain forensics is going to take a major role now. We're seeing all kinds of scams going on in crypto. And there's not a whole lot of companies out there that have the expertise necessary to go look at those ledgers and really see what's going on. So I think crypto forensics is going to have a much bigger role as more adoption takes place. Now we've got this new administration coming in. It seems to be a lot more crypto-friendly. I think that's going to lead to mass adoption. And with mass adoption comes a whole new area that hackers and even script kiddies can now target.
Heff: And a lot better security. So we have one very important… I know we have a lot of questions from the audience. We will get to your questions in just a minute. If you kind of had to summarize, Aaron, you know, what are some things, you know, in a big picture? What are some things that have you concerned or our clients should be aware of? Big picture.
Aaron: Big picture, e-commerce sites, call us before problems arise. It's going to save you so much headache just to get a little bit of expertise looking at your e-commerce platform, letting you know what your vulnerabilities and weaknesses are. It's, you know, if you do have a compromise, you can call us, and we'll do our best to assist you. But if you call us first, that's going to save you so much time and money in the long run. Yeah. We are going to see an increase in iterative attacks. And those are those stealth attacks that we talked about last year that are so difficult to detect, even for your programmers that build your site. You know, these attacks are becoming so sophisticated, they can lay low under the radar and only grab an occasional card here and there, and that's going to show up with your acquirer pestering you, saying, "Hey, every month you're losing three or four cards." And, you know, you investigate, you look at it, and it just never goes away.
Heff: It's pretty fascinating how we try to help identify and close those vulnerabilities on those e-commerce websites. We do so much more than that, though, and I would say that for the audience at home, my thoughts for all of you is don't be afraid to leverage our knowledge, leverage our experience. Use, try out some of our tools that we're using here like the Shopping Cart Monitor, our world-class pentesting team, all of those things. Our PCI auditors can help you stay more secure, including our inexpensive SOC services. So pick up the phone. Call us today. Let us be a part of your planning and preparing before the bad guys show up. We do have some questions, though. Aaron and I want to get to, you know, spend some time answering our audience questions. If we don't get to your question, we will have somebody absolutely reach out to you. You are welcome to email us or call us, and we will get your questions answered as quickly as we can. Let's go with our first question here. Aaron, how can I better convince my executive team or my business owner to increase our cybersecurity budget?
Aaron: A highly effective strategy is to let them know how much a data breach costs. Yeah. If you can go in and say, "This is the budget you gave me, and I can do this much with it. If it fails, this is how much it's going to cost. If we spend this much extra, we can get these measures in place and have a much better chance of avoiding these really expensive data breaches."
Heff: Yeah, I'll tell you. It's kind of hard to get people on the bus when they, you know, you have to… I always say I put myself, Aaron, in the business owner's shoes, and a lot of our folks here do that. You know, if I put myself in your shoes, I realize that you're trying to spin a lot of plates at the circus, right? You're trying to handle payroll, handle inventory, accounts payable, and, you know, managing the shopping cart and keeping the lights on and the doors open. So if you can get your IT person on the bus to help you do a risk assessment or partner with somebody like SecurityMetrics and do that risk assessment, you can really start to attach real-world numbers and risk scores to the damage that it could potentially cause your business. And then from there, you can translate that and say, "Can we carve out just this portion of the IT budget and handle this little bit of cybersecurity?" And that is step one. And there you can say, "Well, we're going to work on other areas too. But right now, the most important issue is…" and you answer that question. And if you're a brick-and-mortar business, then maybe it's about identifying all the hardware and all the assets in your environment. If you're an online shopping platform, maybe that is where you put all your energy and effort. So that is one little tip. There's a lot to dive deep on that question.
Aaron: That's its own webinar there.
Heff: Yeah, it's a full webinar. What other questions, Aaron, do you think we should answer here? What about this one here? For a company that has fairly robust security measures, what are some potential weaknesses that get overlooked?
Aaron: That's a really good question. In this instance, no company is 100% secure. Given enough time, attackers will get through whatever your security layers are. What you want to do is set up a security in-depth policy so that if somebody breaches one of your outer layers, they're going to run smack into a brick wall that they've got to get through again. You want to give them more brick walls over and over and over so they just get frustrated trying to get through all the layers of your security. And weaknesses on the e-commerce side, never assume that just because you have an iframe that somebody can't get in and steal your customers' data. We still continue to have lots of merchants that are leaking credit card data. They say, "How can it be our fault when we don't get the card number? We never see the card number. We don't store the card number." And yet, you know, the brands are coming after us and saying we're leaking the card data. That is a tough spot to be in. That is because, you know, you've hired your third party that is putting the payment iframe on. But again, if an attacker gets in your house, well, it doesn't matter how secure your safe is. If they can get in your house and they've got some time that they can spend with that safe, they're going to figure out how to crack it. And that's exactly what we're seeing. These bad guys are getting into the website, and with enough time, even though that iframe is great, they're going to figure out some way to get the data out of it.
Heff: I know when I try to answer this question, you know, what are some potential weaknesses? I want to go to the basic answer and say, well, I see a lot of companies that don't have a baseline of understanding of what their foundational problems are. What do they need to fix? I see them oftentimes not having policies in place, especially a business continuity plan or incident response plan. But you know what? The number one thing is, I would say I know that PricewaterhouseCoopers, they put out a report, that's the auditing firm Pricewaterhouse, and they said 50% of all breaches happen internally, and they happen because of employees. And it might be an employee that accidentally did something. They left a firewall door open, or they potentially did it intentionally, right, where they're like, "I'm disgruntled. I don't like my manager, my boss. I'm going to try to completely destroy your business." And the reality is that most small to medium-sized businesses within six months go out of business when they get breached. So the amount of time and energy you spend on this will give you an immense amount of dividends to protect your business and keep it open. I know we have a couple of questions about e-commerce security. I want to get to at least one or two of them. Well, let's go to this one right here. How can you tell if a solution actually meets the new PCI requirements? How do you know?
Aaron: That's a really great question. 6.4.3, 11.6.1, it's tough to tell, especially since we don't yet have clear guidelines on it. However, if you're concerned about it, you can look at things like CSP, SRI, web monitoring, web page monitoring tools. All of those are going to be part of a complex solution, or a complete solution or a robust solution that's going to handle those issues. QSAs still need to look at it and make sure that it's meeting all of the requirements. So it's kind of, it's still kind of an individual thing right now. But, you know, if anybody is struggling with this issue, I've put together a chart that I give to all of my clients. I'm happy to speak with anybody and show them what we're doing.
Heff: Excellent. I know we have time for one last question, and a lot of our questions lately have been hot and heavy about PCI, the new requirements. What are the top things that I should focus on for my e-commerce security this year, 2025? And keep in mind, a lot of folks have a smaller budget. They have a limited window of time. They have limited staff. Where should they place their efforts, energy, and focus?
Aaron: That needs to be a comprehensive solution that starts all the way at the top, with the attitude toward security, all the way at the top, you know, from the CEO down. Yeah. Training people again, you know, with this complex AI, lots of training has to happen to be able to spot, you know, deepfakes and spear-phishing emails, things like that. Again, we love to see iframes on payment pages, but that has to be coupled now with, you know, web page monitoring. And tools like that, they're going to make sure that the scripts in the browser have their security in place, their integrity in place, that they're not getting messed with and changed.
Heff: Well, I want to say thank you, and thank you to the audience for giving us those great questions. There were so many more that we just do not have time to get to today. And Aaron, thank you for being here. Thank you for taking the time to talk to our audience, and I hope you got some value from it today. And of course, if we did not get to your question, feel free to pick up the phone, call us, or email us. And on behalf of everyone here at SecurityMetrics, thank you. Thank you for being here. Thank you for being a part of our clientele. And if you'd like to watch this, this will be available for review, and you can share it with your staff and your team. And again, have a great one and enjoy the rest of your week.