Keynote: SecurityMetrics Summit 2020

Watch to learn the trends of cybersecurity–where it’s been, where it’s going, and what SecurityMetrics is doing to support and protect it.



SecurityMetrics Summit Live Keynote

Our keynote is led by CEO Brad Caldwell, VP of Technology JB Bartholomew, and features VP of Forensics Dave Ellis, SIEM Operations Director Matt “Heff” Hefflefinger, Senior Director of Penetration Testing Chad Horton, and Director of Assessments Matt Halbleib. 

“Twenty years ago I experienced my own data breach. It was painful, it was awful, and I never wanted to experience it again. So I created SecurityMetrics to protect businesses from the same pain,” says CEO Brad Caldwell.

He outlines the mission of SecurityMetrics from its beginnings as a PCI Approved Scanning Vendor (ASV) to what it is now: a full-service cybersecurity and PCI DSS compliance firm with an on-site security operations center (SOC) and award-winning, patented technology that protects the payments ecosystem from malicious attacks.

The keynote panel also spends a good deal of time discussing the current cyber threat landscape, which SIEM Operations Director Heff describes as “broader and wider than it’s ever been . . . just massive. The threat landscape is evolving at such a velocity that it’s difficult for anyone in the industry to keep up with.” The sheer number of types of hackers, set against the background of their motivations (money, thrill, political gain), makes fighting cybercrime a huge undertaking. However, there are many things organizations can do to prevent compromise.

With around a century of combined experience in the tech and security industries, the panel members shared their viewpoints and insights on the security and compliance industry–where it’s been, where it’s going, and what SecurityMetrics is doing to support and protect it.

This webinar was hosted on September 23rd, as part of SecurityMetrics Summit 2020.

Transcript of Keynote: SecurityMetrics Summit 2020

From all of us here at SecurityMetrics, welcome to the SecurityMetrics 2020 Summit. We are all excited for the summit to begin today.

This is the keynote presentation.

Over the two days, there will be seventeen additional presentations, made available through the next two days. Emails will come out after this presentation and tomorrow for the rest of the content.

For today's keynote presentation, we have with us a panel of experts.

All of these gentlemen here represent key security teams at SecurityMetrics, and they all represent groups that have years and years of experience in their related specialties.

So we'll be hearing insights and advice from each of them as we go through our discussion today. But to kick things off today, let's start by having our CEO and founder, Brad Caldwell, explain to us a little bit about what we're all about here at SecurityMetrics.

Thanks, JB. I'd like to welcome everyone, and thank you for taking time out of your busy schedules to be with us today.

Twenty-two years ago, I experienced a breach of my own. It was painful. It was awful. It took a lot of time, and I never want to experience it again. So twenty years ago, I founded SecurityMetrics to protect businesses.

We started as an ASV, and we were in the very first ASV group certified by the PCI Council.

Based on customer feedback, we added many more products and services.

Professional services like auditing, pen testing, forensics.

And we now have a security operations center that monitors attacks on customers in real time. Our challenge is to make our expertise easily available to you. We want it to be easy to maintain data security and compliance.

We wanna protect you from the pain of compromise.

We're very excited for SecurityMetrics Summit twenty twenty where we can show you our great products and introduce you to some of our great security teams. Thanks for joining us today.

Thanks, Brad. So, Brad started the business back in 2000, and I joined in '02. And I was very excited to be a part of an organization whose whole focus and purpose was to protect other organizations.

And things have changed a little bit since those days, and some things haven't changed.

The core issues that contribute to security challenges are the same. Technology continues to grow, but all technology usually comes with a few vulnerabilities.

Humans are also subject to error and omission.

And so between the humans and the technology, they continue to facilitate, if you will, or have issues that contribute to success in the hacking community.

The other thing that has changed, though, is that the diversity and the different ways that hackers are monetizing what they're stealing and what they're interfering with, and the different attacks and the different impacts that they can have, have expanded. They're bigger today. There are more options today than ever in the history of technology. So today, with our panel of experts, we'd like to explore and get insights and advice from each of them. And let me introduce them briefly. We'll start. Dave Ellis is our head of forensics.

I should mention that all of these gentlemen have a minimum of ten years in pretty much their current role, and sometimes much more than that.

And their experience in cyber and technology is really a lifetime and a career that they've been working. So they're all very experienced, very seasoned, and they all also head up the teams that they work with. So Dave heads up forensics.

Matt Halbleib heads up our assessors, the audits that we perform.

Matt Hefflefinger, affectionately known as Heff, runs our SOC, which protects us and our customers.

And we'll start today in our commentaries with Chad Horton. Chad has a wide range of experience, and he heads up our penetration testing group. And these are geeks' geeks, really. And it's a really fun group.

I should mention before we get going that if we were to tell stories from each of these groups, we wouldn't have enough time. It would take four to five hours to get through all the good stories and bad stories, you know, the stories of good and bad that we've experienced through the years. But let's start off with Chad.

Chad, as the head of penetration testing, what insights and advice do you have for us today?

Yeah. One of the most astonishing insights that most people find when they look into security is the velocity at which a vulnerability can be identified, weaponized, and mass exploited.

And the reason why I'm bringing this one up is because of a Magebleed that just occurred about ten days ago. So earlier this month on the dark web, an attacker posted an exploit for Magento version 1.0, which, if you're not aware, was end of life earlier this year. And he posted it on there for bid to allow people to buy the exploit.

Within ten days, or the following weekend of that post, two thousand Magento websites were compromised, and it just took a matter of hours for all of them to be exploited. So it went from an exploit being identified in the software to hundreds or thousands of websites being exploited. That velocity is just insane, especially at this time of the year where, with COVID, everyone's running nonstandard processes.

And so it's important that we keep in mind the velocity at which the industry moves.

Now Magebleed was bad, but I think Drupalgeddon was probably the worst I've ever heard of.

Drupal is a Python web framework.

And in 2015, the developers emailed out on a Wednesday and said, hey, everyone running Drupal, we've got a patch coming Friday morning. Be prepared to install it. And when they rolled out the patch Friday morning, it was reverse engineered by attackers, and the developers emailed out eight hours after posting the patch: if you don't have the patch installed, consider your website compromised.

Oh.

That's just the velocity at which they go. It's eight hours from reverse engineering the patch to massive website exploitation. So the velocity is just insane when you look at how fast these attackers are organizing themselves and exploiting victim websites.

Crazy.

So from your perspective in pen testing, what key points of advice would you give? So, obviously, the first advice you would give them is patch.

Yes. No worries. Be on top of it. Be vigilant.

Keep on with your normal processes. Make sure that these abnormal times don't impact your normal processes.

Okay.

So in the world of penetration testing, what other items of advice? A lot of your work is around PCI, so what advice might you have for us today, Chad?

Yeah. So one of the observations that we, as penetration testers, have made is that PCI has been fantastic, and most organizations have it ingrained in their minds that this is the minimum bar that they need to hit. Unfortunately, one of the side effects that we've also noticed from that is that they're allowing PCI to perform their own risk assessments and to define what the jewels of their kingdom are, to define what needs to be protected.

And what we've observed is that, because PCI allows you to isolate your network segments and to minimize your penetration test scope down to what your card data environment is, we've noticed that people have minimized, or will only keep that in mind, when it comes to a penetration test. So for example, earlier this year, we engaged with an organization that had dozens of websites, and those websites have loads of functionality that allows individuals to interact with them, probably representing millions of lines of code. But when it came time for their penetration test, they took a compliance-only perspective to their penetration test, and they only opted to test the shopping cart, which probably represented thousands of lines of those millions of lines of code.

And all organizations have to make business decisions. My recommendation would just be, don't allow your compliance focus to blindside you on your risk assessment. Make sure that you keep it in mind.

Great advice.

Now, a few years ago, we all know that in the PCI world, they standardized the ASV scan, meaning they set a minimum bar for the ASV scan. And when penetration testing was first announced as a requirement, and it had been a requirement for other industries for many years, we noticed that the bar didn't exist for what a penetration test was, and your team helped write the document that the PCI Council uses.

Can you give us any kind of commentary on what we've observed in the PCI industry, from the minimum standard to the possible benefit of a penetration test?

Yeah. There are many aspects to speak to regarding that document. You know, our hopes were pretty ambitious. We got dozens of different penetration testing firms together on those calls, and we really set out with ambitious goals. We wanted to help all organizations understand what the minimum or standardized penetration test was gonna be. Not that penetration testing is always prescribed, but to give them principles that they could use in evaluating penetration tests. And we really hoped to see that that would normalize the industry.

Unfortunately, we haven't quite seen the impact that we had hoped to see. So, for example, I was driving home the other day from work, and I happened to hear over our local radio station an ad for a penetration testing firm that said they will do a free penetration test for you. But if they find something, then they're gonna charge you. And this is one of the tactics we've seen for probably over a decade. And really what they're doing is they're saying, we're gonna run some automated tools, and if we find something, then we charge you, but they don't invest manual time in it. And so what we see is that we still see automation being used as a penetration test, and the classic "if I manually push a button, is that a manual penetration test?" mentality. So we haven't quite seen the impact that we were hoping for with the document, but at SecurityMetrics, we've tried to maintain that level across all of our penetration tests.

Well, and you have a great history of success. Personally, I still remember the case where we had a customer, and they basically came in boastful that they didn't store any credit card data, and they were rock solid.

And not only did you break in, but you found, how was it, hundreds of thousands of records of information unencrypted on their system?

Yeah. That call is specifically interesting because it was the CEO on the call that made that comment. And he was the original developer, and it was his coding flaws. He ended up going and doing a diff to see who had made the issue, so he was the one that caused the issue.

So, yeah, that was unfortunate, but really important that the penetration testing was able to help them identify that.

So, Chad, thanks so much for your insights and advice. Let's move on to the security operations center. Matt, or, Heff, you're the guy on the wall. Right? What insights and advice do you have for us today?

I like to think of us as the Smokey the Bears. You have your firefighters, and we're the Smokey the Bears. So it's a huge problem. You know, JB, the threat landscape, it's a bigger problem. It's broader. It's wider than it's ever been.

The threat landscape is just massive. And, you know, Chad mentioned it's evolving at such a velocity, at such a fast pace. It's even a challenge for anyone in the industry to try to keep up with it, and it's accelerating. And you think about what's going on right now from the pandemic with this remote worker exploitation, and you have all these businesses with this huge geographic footprint that they have to protect, and then you add in VPN security and the large number of patches being released this past year, the increase in, and the sense of urgency found in, the latest social engineering attacks. It really is massive.

And then you have this backdrop of this pandemic, in addition to all the normal threats that we typically see in a business: those advanced persistent threats, those APTs, the Trojans, the botnets, the worms, the viruses, the ransomware, the spyware. I mean, all that stuff is still happening. In addition, you have a massive number of threat actors out there.

And you think about not just the state-sponsored threat actors, but these organized crime groups and your run-of-the-mill cyber criminals that are out there, the hacktivists, the insider threats, all of that stuff going on set against the backdrop of motives. You mentioned monetization, and the monetization piece is huge. Obviously, making profit off of what they steal, but you have their own political agenda, their economic agenda.

For many organizations, it's also about protecting their brand, protecting against intellectual property damage. And for a lot of motives, it's sometimes just the thrill of the kill, the notoriety piece. So, you know, in summarizing your question, it's just a massive undertaking right now, and there are a lot of avenues that organizations and businesses can take, and there are a lot of different things going on out there that they can do to protect themselves.

Wow. So SOC is a relatively new component to security. Back in the early days, it was just an IDS and IPS.

We actually, you know, had an early product there as well.

But the security operations center is much, much more. So as organizations are now considering either maybe building their own SOC or getting SOC as a service, what advice do you have for those people, or, you know, what introduction would you give to them, Heff?

Well, I think Chad did a solid job of mentioning the crown jewels, and that's really, if I had to talk to any client, any business out there, I would say start with knowing your business, knowing what drives the business, what makes them successful, and then you begin to identify what are the crown jewels. Now, what are the most important pieces of data or hardware or devices in your network, in your environment?

And in the SOC, we actually have a saying that we live and die by here, which is, he who defends everything defends nothing. So knowing what's important to the business is critical, and then prioritizing a strategic and a tactical plan that helps the business and doesn't really hinder them. So really, when you know what your most important information assets are, what has the greatest value, then you can kinda build a plan to minimize and keep that business continuity going and that resiliency, keep it going. So I would, you know, JB, I would add, besides the crown jewels, we also talk about coverage and visibility a lot.

And, you know, for someone out there that's first time on the call, that's never heard anything like this, what is coverage? We like to call it, it's really about, depending on the business needs and your crown jewels, having enough coverage to protect the business yet not overburdening them with too much security, because that could be a problem too. You know, you wanna kind of surgically apply those security controls. So when you're looking at your logs and your endpoints and you're having that coverage across the entirety of your environment, it helps us at SecurityMetrics then kinda dive into what is malicious, what does that traffic look like, look at the logs, what do we find, looking at those sensors, looking at the tools across the entire kill chain.

So make sure that the areas that need to be protected all have sensor data that's coming back to you in the security operations center from all those different places.

Yeah. Because the one point that you don't get data from is the one that's gonna get the problem. Murphy's law. Right?

Right. Right.

And, you know, you think about that: when you have all those tools and you have the people and you have the processes in place, the people are the most important element, because from our perspective, it's having competent people, JB. If you don't have the right people looking at the right areas in your environment and being able to parse the data, having that supportive relationship to add context to what's happening in the logs, and telling you that story. What is the threat actor doing in your environment? Are they doing reconnaissance?

Are they moving laterally across the whole kill chain? Or are they exfiltrating your crown jewels right off your network? So having that relationship is very helpful.

So let me see if I can summarize then. You're basically saying, if you're gonna get into the SOC business, you need to understand what you're trying to protect, and you need to make sure you get sensors and technology that can gather information out of all the key components in the network.

And you need to make sure that the people who are looking at this from the security operations center are competent because...

Absolutely. Yes.

One, you could protect the wrong thing and then your business gets hit. Two, you might not get the data from the right place and you would miss something that came in. And three, they got all the right data but didn't know what to do with it because they weren't that competent. So how does it make you feel, Heff, when all that's in play and you find the needle in the haystack that's gonna shut them down if they're not immediately taking action on it, you get right back with them, and you get crickets?

It is a challenge. You know, and it's tough too because our team is very passionate about what we do. We're very passionate about finding the bad guys. We're very passionate about finding the story, telling the story, and then getting remediation and trying to fix it. So when a client struggles with that and needs help developing a very secure posture, we like helping them do that. But, yes, it's absolutely a challenge.

So the last point we wanna make sure people get is that if you're gonna do security, leave time and make sure you have the resources to respond when something comes up, because it doesn't do a whole lot of good, other than maybe increasing your liability, if you find out about the bad guys and then do nothing to stop them.

Yeah. Well said. Well said.

Heff, thanks so much for your insights and advice.

Welcome.

Matt, you're on the wall doing audits. You have a full spectrum of audits that you do. You have at least three different mandates that you support.

And in PCI, you go deep and across the board in all different types of things. What types of advice and insights do you have for us today?

Yeah. JB, thanks for asking.

You know, kind of the elephant in the room that everybody's talked about a little bit today is COVID-19.

You know, who would have ever thought we'd be doing remote assessments? Right?

That just really wasn't something that had entered into our thoughts for a long time. And then, you know, spring of this year, wow, COVID, and all of a sudden things change. And so, you know, not only are we now doing remote assessments, but COVID's had some impacts too on people's environments, because all of a sudden, people who'd never considered remote workers before are looking at how people can work remotely so that they can be distant from each other.

Physically distant.

I don't care for the term socially distant quite so much, but physically distant is better. I still have friends.

So, you know, changes in the remote workforce, which, of course, cause changes in the scope of the environment, and then that causes business process changes and things. So that's probably been the biggest change that we've seen this year: you know, COVID had an impact across the board in all different aspects of the business and the assessments and everything else that we do.

But this is just another drop in the bucket on change, I guess, because, I mean, we all have this stereotypical view of the auditor who comes in with the same checklist every year. It's like, alright, whatever, let's go through your checklist again, because, you know, it's only been the same thing for fifteen years.

I'm guessing COVID's just another new thing that you had to deal with, or not.

Yeah. You know, it is.

Like you say, while the PCI standard has itself evolved over a few years, you know, good security practices have changed a bit. But in reality, you know, good security has been good security for a long time. So COVID-19, yes, it's created changes in how we do assessments and things.

But, in reality, it's just business as usual in a certain respect. We have to make sure that any remote assessment meets the same rigor as being in person. We have to make sure that we don't compromise the integrity of the assessment in any way just because we're doing something remotely.

And as far as, you know, change, you know, change is constant, especially in the assessor world.

You know, fifteen years ago, who really would have thought much about virtual data centers and everything? And now we're into virtual data centers, and everybody had their own machines, and now there are containers. And there's always new technology for us as assessors to be learning and coming up to speed on and figuring out how to both apply the security and ask the proper questions as an assessor.

So what is the top advice that you give organizations in general about having to go through an audit process?

Yeah. Great question.

You know, some of it, I guess, would mirror what's been said before. The number one thing that people have to do is they have to know their environment.

We see this often with new people. They don't fully understand their environment. They don't know the systems. They don't know the people. They don't know the processes. They don't understand where the data resides, how they receive it, where it's stored, who they send it to.

Those are all critical things, as Heff talked about and even Chad a little bit there. You have to understand that so that you both apply the security controls in the proper places and in the proper way to protect, as we said, the crown jewels, but also then know that when there's a change to a particular system, that may have an impact on your compliance if you're not careful.

And, kind of, you know, Chad talked about knowing your environment when it comes to pen tests.

Same thing. You know, you should not be reusing credentials across different environments and things. If you don't know how those environments interact, then you can end up making bad security mistakes.

And I think one of the critical things is, you know, I've been in security for twenty-plus years now, and infosec itself, and we used to kinda think we could absolutely keep people out, you know, the hard and crunchy on the outside, soft and chewy on the inside idea.

But, really, I think there's been a shift over the last, I don't know, maybe eight to ten years, well, maybe about eight years, of people realizing that it's almost impossible to keep somebody out. Chad mentioned there's millions of lines of code on some people's websites and stuff. You know, people are human. There will be vulnerabilities.

Sometimes it's the people. Sometimes it's the technology. Sometimes it's the code. You know, we've seen errors in hardware, flaws in hardware and things that, you know, cause vulnerabilities in systems.

Anyway, so keeping the bad guys out is nearly impossible. So it's really a case of trying to harden as best you can and then having a good process to react if somebody does get in, so you can stop the damage before it gets very far. As Heff had kinda mentioned, the kill chain.

And I've heard you, and I had to bring it up because I've heard you guys get on your soapbox before about communication.

So give us your ten-second soapbox on communication.

Yeah. Thanks.

COVID's another thing that's impacted communication internally in companies.

You know, when you're all in the same room or working in the same area, it's easier to communicate with each other and know what's going on. But now that people are working remotely, you have to increase your communications to make sure that the team is covering all the different requirements that you have to meet. There are a lot of things in any good security process that are done on a regular basis. So make sure that the people know who's responsible for each of those controls, documenting when it's done.

So, yeah, communication within teams is important, within the company as a whole. And then also communicate with your assessor, because all these changes to the environment that you may have made with COVID have the potential to really increase your scope or, let's just say, make it so you might not be compliant.

If you've made some changes to your environment, extending your network out into other areas, and you haven't talked to your assessor about how to do that securely, that could be a problem for you. So communications internally and with your assessors.

Call us up and talk to us. We have clients do that quite often.

Fantastic, Matt. Thanks so much for those insights and advice.

Let's move on to forensics. Dave, you're not necessarily on the wall. You get to come in with the magnifying glass and look at how they really did something in the end. What insights and advice do you have for us from the world of forensics?

Well, JB, thanks. So many things come to mind.

But what's kind of on the forefront of my thoughts right now is a case that we're currently working, relating to ransomware.

Ransomware a couple of years ago seemed like it was starting to kinda wane a little bit, but maybe it was with COVID, or, you know, maybe just new approaches to get it onto people's systems. But it has really grown new legs.

And it's such a nefarious thing for people to do.

Chad said something that kinda made me think about one of the cases that we worked a little while ago, when he talked about limiting the scope or the view that you take with your security.

It was a case where auditors go out to a company.

And I think that was our auditors in... Yeah.

I think it might have been there.

Yeah. Yeah. So the auditors were familiar with this company. The company had recently employed end-to-end encryption, which by rule says that you can now narrow the scope to just the CDE, the card data environment.

The auditor very astutely said, hey, you know, you might wanna expand your view and have me take a look at this. I had a couple other things in the corporate environment.

And they, no. They narrowed his focus. All he was able to do was essentially validate that the end-to-end encryption was doing its job, and it was. It was protecting the card data.

Several months later, the company gives us a call and says, we have been locked up with ransomware.

It came in through a phishing email into the corporate environment, locks, up the corporate environment, propagates out through their system. And before they knew it, eight hundred locations were unable to process credit card data. Now now no personal credit card accounts were ever at risk, but this company could not process credit cards for about three days. They lost over ten million dollars in revenue.

So in their efforts to try to save a few thousand dollars in in in the cost of their audit, you know, it ended up really, really hurting them because they they so dramatically narrowed the scope.

You know, another story sorry. Forensics is kind of, like, all about, you know, war stories.

But, you know, another one that comes to mind is a case where we were investigating a a breach, and and it was a Magento one. So another another thing that Chad said that, popped into my head, a case where we're examining this this breach, and they had been breached for about nine months. The sad part was is they had IDS and IPS, intrusion detection, intrusion prevention systems that were completely doing their their job and and alerting, hey. There is a problem here. And the problem with this company is nobody was watching.

No one was tasked with the role to review these IDS and IPS logs. And and these logs have been throwing error or throwing alerts for months. And if anybody had been watching, they would have actually caught it on day one, and it would have never really been an issue to them.

Sadly, it it, resulted in the compromise of several hundred stores and millions of dollars later. Oh, yeah, up up oh, and and the furthermore, there was actually an existing patch for the the problem.

So that was another error that the company had made. They failed to apply the patch. Nobody was looking at the at the logs, alerting them. So that was a train wreck that never had to happen in the first place.

Oh, hey. Before you go, can I say one more thing about ransomware?

Yeah. I mentioned that it's grown new legs. Sorry to interrupt you. But there are two areas where companies really need to focus with ransomware. One, educating the employees to recognize social engineering and phishing emails.

That's typically the way that ransomware gets delivered to a system.

So spend some time on that. And then when those areas fail, the best defense against ransomware is having backups that you can easily restore from. And keep in mind, if you're one of those who say, oh yeah, we've got tape backups in an underground bunker under a mountain somewhere that we can restore from, just try restoring from those once.

Run it through the process, and you might see that it's really not as easy as you think. So it's a good exercise to go through: restore from your backups. The other thing with that is to try to engineer it so your backups are not plugged into your network twenty-four seven.

A case that we're working currently: yeah, they had great backups. They were plugged into the network, and the backups got encrypted right along with the rest of their environment.

So talk to us about the increase in, and focus on, ecommerce with the bad guys.

Yeah. A lot has been going on with ecommerce ever since the EMV chip hit our cards in the US. A little bit overdue, but it served its purpose. And the swing went from the majority of our credit card related cases being point of sale

to ecommerce. It swung completely over to ecommerce, and now eighty percent of the card data compromises we investigate are ecommerce.

And one of the things we noticed was, we identified a pattern toward the end of 2017 that the majority of our ecommerce cases had basically the same indicators of compromise. It was malicious JavaScript injection, also known as Magecart attacks.

Formjacking is another term, a slight variation on it. But it was the same theme, the same sort of method of entry.

The problem is, when this came onto the horizon, there was nothing indicating on it. There was nothing defending against it, because it executes in the browser. So the company has this great antivirus, it has file integrity monitoring in place, but those are all on their system. And because this executes in the browser, I don't think your customers are going to have their AV hit on something and then call up and say, hey, my antivirus just lit up and I think the problem might be on your end.

The other thing that makes malicious JavaScript injection really difficult to detect is that it can come into your system in so many different ways.

If you think about what occurs during the checkout process in the shopping cart, it's a whole lot more than simply the customer entering their credit card information, hitting enter, and it being sent off to the processor.

During that whole period of time, you have data analytics tools that are making requests and connections, SEO, adware, widgets, live chat services, CRM, and on and on. And the truth is, the number of requests and connections occurring during the shopping cart can number into the hundreds.

Well, this malicious JavaScript injection can be attached to any one of those third party services, and that's how it gets into your system. Where this really came to life for us was a case that was referred to us after two other forensic investigation companies had failed to find the problem. Yet the credit card companies continued to identify that this company was leaking data.

So when we got the information, we looked at it, and we saw the same thing the other companies did: absolutely nothing.

And it wasn't until we analyzed specifically when the transactions that were later found to be compromised had occurred, when the compromised cards came through, that we found they were clumped together very tightly. We would see, like, twenty minutes where every card that came across their system got compromised, and then nothing. And then hours later, another block of fifteen or twenty minutes, or something along that line.

Jumping to the end of the story, what we found out is that there was automated advertising that was rolling or scrolling in the margin during the shopping cart process.

And whenever a particular ad was running, everything entering their system was being compromised.

So the malware was attached to that single ad, and it was in a scroll that would roll through. Brilliant on the part of the attackers, because the attacker then doesn't need to engineer his attack against this one website; his attack now goes out to every website that is running these advertisements.

That methodology has since been coined malvertising.

But it's a great example of how, through all of these third parties, you then think: do I have to go out, and am I responsible for the security of these potentially hundreds of other businesses or other services that are now connecting during the shopping cart process? The answer is, I guess, you have to try to.

Wow. So that seems a little daunting.

The technology right now is really not... I mean, FIM isn't going to catch this. VA scans aren't going to catch this.

So going forward, what recommendations? If there's going to be something that's really going to help in this area, what will it need to be able to do, Dave?

Well, first, I'm glad you mentioned FIM, which is file integrity monitoring, because it's still a great tool. You don't want to say, okay, because FIM isn't hitting on it and antivirus isn't hitting on it, we'll toss those out. They're still going to alert you on other types of attacks, and you still need those in place.

But because it's a browser based attack, and the focus is on the shopping cart experience, you need to be able to simulate and examine what is happening during the checkout experience.

And so if you can get a tool that has eyes into that, that's going to give you the best potential for results. And our team did kind of a deep dive into that and started to work something out.

Is it also important in that? And I think you're going to answer yes, because I'm setting you up for this question.

Exercising the form, exercising the checkout.

So just by scanning the checkout page, you're probably not going to see the exploits.

But I thought I had heard you mention in other discussions that once you enter data, let's say into the CVV field, code might fire that you would never have seen otherwise.

That's absolutely correct. Yeah, there are triggers that the malware is going to fire on. And, like you said, it's usually going to be before the CVV field, because that's usually the last field where the cardholder is entering data. It's going to be something like a name field.

But there is going to be a trigger within the shopping cart experience. And if you don't have eyes on that, on the live experience happening, you are not going to be able to detect a malicious JavaScript injection attack.

Okay. Well, we're going to hope that somebody can develop something that might solve that problem. Actually, we're going to talk about it later today, folks. So, Dave, thanks for your insights.

So, Brad, coming back to you. You've got a great team here, and all of these gentlemen represent teams where you have a huge wealth of experience, knowledge, understanding, and insight about security and compliance. So talk to us for a few minutes, if you would, about how SecurityMetrics is taking that knowledge and understanding and applying it to our products so that we can help keep our customers secure and simplify their own compliance and security efforts.

Well, JB, we can all see from our panel today that we have a lot of expertise, a lot of disciplines under one roof. And these groups have to communicate internally. We talked earlier about communication, and that's important. Well, we have to do the same. We have to be communicating internally to ensure all of our customers, even our small businesses, stay safe. And here are a few examples of how we communicate.

Our security operations center is constantly monitoring threats proactively. So every week, Heff and his team do a really great demonstration showing us all the latest threats they saw the last week. And that helps us all create a threat awareness so we understand what's going on, because of the velocity Chad was talking about. It can happen in a day, almost. So we really have to be careful. Then we go further, and all department managers meet every week to make sure that we can better protect our customers and service them better.

We also go to our customers directly and speak to them to ensure our products are meeting their needs. We listen to them in formal advisory councils. We review all customer feedback emails, and we engage our customers as design partners to make sure our products are doing what they should be doing for them. The net effect of combining our expertise with customer input is a comprehensive product solution, or a set of solutions, that are easy to use. We offer PCI, HIPAA, GDPR, and web portals. We offer security policies, security training, PAN discovery software, internal scan hardware, risk checks, and much more.

These products are all designed based on our data security expertise combined with customer input. So let me give you a recent example. We were talking about it a little earlier, but let me give you a recent example of how this process works. A few years ago, our forensics team observed new attacks they'd never seen before.

They got on the phone with the card brands and verified that those threats were real, and that they were seeing them with lots of forensics groups.

We created an expert team of forensics, pen testers, developers, and advanced technology staff to create a solution to this threat, because we knew it was a big threat. And today, I'm happy to introduce to you two new products that are completely unique to SecurityMetrics: Shopping Cart Inspect and Shopping Cart Monitor.

These products use technology from a new SecurityMetrics patent that guards against JavaScript skimming and Magecart attacks.

These products are the culmination of our teams working together to better protect our customers, and we're excited to get customer input to improve the products further. We now have a short video to introduce these new products to you.

Let's say you just got a new order from your ecommerce store. But as your customer's order is processing, their payment information is sent to criminals simultaneously.

How is this possible?

EMV chip technology and other card present security innovations are pushing data thieves to online credit card theft. Their MO: an attack on shopping cart web pages called ecommerce skimming. If you're a victim of ecommerce skimming, your customers' payment information is stolen as they check out using your shopping cart.

Ecommerce skimming affects thousands of websites, and traditional security tools like vulnerability scanning and file integrity monitoring do not detect it. This means that for an ecommerce website using traditional security tools, a compromised site can go unnoticed for a long time.

SecurityMetrics Shopping Cart Monitor detects if any new or malicious scripts are running on your shopping cart. Once a malicious script is discovered, you are immediately notified so that your customers' credit card data remains safe during checkout.

Fight ecommerce skimming with SecurityMetrics Shopping Cart Monitor, powered by SecurityMetrics web page integrity monitoring technology.

That's fine. As I've watched the process that Brad has overseen and managed with the security teams in the development of Shopping Cart Monitor and Shopping Cart Inspect, it's been inspiring, because no one perspective has really ruled the discussion.

Sure, some perspectives got more respect or had more insight into how to deal with it, but we're very, very excited.

The monitoring tool, for example: you can imagine British Airways, and how things would have been different if, on the same day the injection occurred, they had been alerted to something that was only visible in the browser, in the purchasing experience. And that's exactly what Shopping Cart Monitor is going to be able to do for our customers. We're very excited about it. So, gentlemen, while we've been talking, a few questions have come in.

And I don't think we're going to have time to get to all of them.

But I'm going to pick and choose and try to throw a couple out here, and we'll see. If you feel like you need to add to one, feel free. I'm going to choose the one that talks about governance. And, Matt Halbleib, the question is, how can organizations establish good security governance?

This kind of goes to the holistic issue, right? Governance is more of a holistic discussion. So the question is, how can organizations establish a good cybersecurity governance program? What advice would you have for them?

Yeah.

That's a great question. So the first thing is, it honestly has to start at the top.

From the CEO on down, they have to buy into the idea.

And once you have senior management buy-in like that, and commitment to actually do what it'll take to become more secure... That doesn't mean that you have to quit doing business. It just might mean that you have to do business a little differently.

So senior management buy-in is the first thing that has to be done. Then the next thing you really have to do is look at all the different laws and things you're subject to and determine which of those particular governance ideas you want to try and apply. There are some that are more general in scope, maybe from NIST and the like.

If your main focus is, say, you're a merchant, then PCI is probably one that you're going to choose, right? If you're into the privacy type of data, whether it's health care or GDPR or whatever, then maybe it's HIPAA or HITRUST or something. So: management buy-in first, look at what sort of laws and things you're subject to, and then choose your governance model based on that information.

And then start rolling it out, and it has to become part of your daily business operations. We've all kind of talked about that, from Heff in the SOC on down. That's what he does. He monitors stuff every day.

We talked about IDS, IPS, and FIM. All those things, you have to monitor those alerts. So it becomes part of your daily business practices at that point.

Fantastic. Another question, Heff, talks about certifications that you might recommend for your staff in the SOC.

I'm going to go on record as saying that certifications are great, and this panel right here is full of them.

So you guys are full of it. But no.

But do you have... I mean, all of you, including Brad, have maintained all kinds of certifications, which help establish baselines.

So what types of certifications help for SOC people?

Well, the thing to take away with certifications is that it's always the practical application of the knowledge that you gained from the certification. So it's great that you go out and get these certifications, but if you're not applying it, or not able to take what you learned and passed in the certification back to the job, it makes it a little bit of a challenge.

That's another thing to take away, too, in terms of certifications.

It's a mile wide and an inch deep. You may have heard that term, and there are so many different domains in cybersecurity.

So depending on what your area of interest is and your focus, that kind of leads the pathway on which certifications you're going to go down. So if you're going to go into the world of the SOC, the security operations center, then having a really good foundational baseline, certifications like Security+ and Network+ and A+, really helps start the process of your knowledge.

If you're going into a different world, like the governance world, or you're maybe thinking about going into the pen testing world or the forensics world, there are whole other tracks of certifications that can add value to your knowledge base. But at the end of the day, it's a never ending process. I'll tell you, the bad guys don't stop, and the certifications help us look at things differently, help us gain that foundational knowledge, and then be able to speak to the threats. So when you have those certs like Security+ and Network+, it helps. At some point, you work towards the granddaddy of them all. The granddaddy is the CISSP.

That obviously takes a little bit of time and knowledge, but there are so many tracks and so many different domains. What I would encourage anyone to do is, if they have questions on certifications, reach out to me at the SOC, reach out to my email.

Attend our security summit briefing, and my email will be in there as well.

And I'll definitely contact you and help guide you on that journey. So... Thanks, Heff. I'm going to steal the next question, and, Brad, or anybody else, feel free to jump in. The question goes to an age old issue, because what we see in this group right here is that most of the work this team does is for larger entities, except for Dave. Dave, in forensics, we get all sizes, large and small.

And we've had plenty of stories where we've been on the phone with a very small merchant who had no idea they could be breached, had no idea their business could be shut down, and we had to talk them off the cliff and get them to understand the fundamentals and proceed.

The question is, how do you suggest approaching PCI compliance for smaller merchants, especially for merchants who don't want to spend money on compliance?

And the potential threats just seem outlandish to them, of course, because they're not familiar, or they may never have heard of PCI compliance.

So in my role through the years at SecurityMetrics, I've been on the front lines in helping organizations promote PCI compliance.

There are two real key things if you really want to pursue the smaller, less knowledgeable organizations.

One is empathy, communication, and education. You can't say enough about those three things, and you have to repeat them.

People are busy with their business. They're just trying to make a buck, trying to stay in business.

And so repetition is needed occasionally to get their attention.

And that communication needs to be empathetic and educational, so that to whatever extent they are willing to take real steps to protect themselves, they are supported in that effort.

And I'm going to go on record as saying that it's interesting, because most of the acquirers, all of the acquirers, are trying to put technology in place to reduce the risk for their merchants.

And yet at the same time, they all maintain call centers, because they understand that while the technology may be some of the best they could provide, merchants are going to need to talk to somebody occasionally.

And while they may have a huge Q&A on their website and all kinds of well thought out answers, business owners just occasionally need to talk to somebody.

So that's why, here at SecurityMetrics, we've put a tremendous amount of effort into our call center, which is not represented here today.

And it turned out we had a little growing experience twenty years ago when we did this, because we focused on accuracy, and then we later had to bring empathy in as an equally weighted principle to work with these small merchants. So now I think you'll find when you talk to our staff that you'll see a great deal of empathy, a great deal of technical understanding and competence, and the ability to convey that to these small merchants.

JB, can I chime in on that topic? Sure. Yeah.

Thinking about that small merchant, I recognize that their financial margins are sometimes very thin. And one thing I would say is, maybe resist the temptation to have your uncle Bob who has a CS degree come in and custom build your shopping cart for you.

The homegrown code so often leaves openings for attackers. So I'd kind of resist that. Maybe go with a shopping cart that is tested, proven, trusted, and then layer some of those things on top of that. If you can get end to end encryption in there, sometimes that can be simple for you, just getting the proper devices from your acquirer.

But, yeah.

I got it.

Yeah.

Let me jump in real quick on Dave's point.

Thanks.

Well, you mentioned having somebody you know build the code for you.

I'm sure they're a competent developer and everything else. That's not the point. But when it comes to updating it and fixing it and patching it and everything, if you get a commercial off the shelf product and you've done your due diligence in that respect, then you will get the patches and things. We all talked about Magecart and things like that.

Some of those vulnerabilities were patchable. And so making it yourself, that's kind of the hard way to go. I know it seems cheap at first, but ultimately it may cost you in the long run. And, JB, you mentioned education.

So did Heff, for that matter, right? I mean, really, he's talking about certs. That's about being educated in what you're trying to do.

Small merchants have the advantage that their environment is simpler. So what they really need to learn about may be less than what a very large environment needs to learn about. But if you're going to take credit cards, you kind of can't get away from learning and understanding something about PCI, and then simplify your environment, as Dave said, too.

So between Chad and Dave, this other question asks, from a development perspective, if you've ensured you're reviewing the OS top ten issues before pushing your code out, shouldn't that automatically protect you against shopping cart bugs?

So I'm assuming, oh, OWASP. Is that what they meant? Yeah. Excuse me. Okay. Excuse me.

Mine with my OWASP. You're fine.

If you've got all the top ten issues in there... Do you want to start chatting, or should I? You can go ahead, and I'll follow up.

Okay. So what comes to mind for me is, OWASP is great. But you've got to understand, this is one thing that speaks to an infinite number of environments.

And so you have to take all of the counsel that you can glean from OWASP and apply it to your individual environment. OWASP, while it is as thorough as you can be for a single set of standards, it's impossible for it to cover the individuality that you're going to find in every network. So I would consider using that as a baseline and then examining your environment and building and layering on top of that.

Well, part of the problem, too, is that you're not just talking about your own code. OWASP may cover your own code. Let's say you were super great and you built everything exactly right for your own code. Dave, some of the attacks you mentioned were really the includes that you have from third parties, advertising and the like. If your third party is compromised, but you've included that ad on your page, that's actually what's skimming your data. It's not your own code.

Yep.

And going along with what you're saying, what we often see customers say is, hey, we code review our own code, and we have OWASP training, so we know what we're looking for. And to that, what comes to mind is, OpenSSL had Heartbleed, which was actually in the code base for two and a half years before it was discovered, and that code is code reviewed.

The Linux kernel had vulnerabilities released in May of this year that had been in there for thirty years, and that code, I guarantee you, had many, many eyes on it, and people just overlooked it. And so, yeah, the OWASP top ten, being aware of those, doing code reviews, that's always a good piece of it. I just think you need more beyond just that. It's a good starting point.

Great answers. We're not going to have time for all the questions, but we'll let Brad jump in on one question because it's, I will say, kind of fun.

Brad, what's the secret to keeping everybody for more than ten years?

Why are these guys still here?

I think we are always learning, and it's a fun space to be in. And we try to give people the opportunity to grow and continue to learn. So one of the things that I try to make sure of is that people get the ability to continue to learn.

We try to set the boundaries properly so people can do their jobs without having the executive team getting in the way, if that's the right way to say it. I probably shouldn't say that.

But, really, we have a really good team, and that's what's fun: we've got good people. And so it's fun to kind of show off the team and how good they are. And I think this team likes working with other professionals that are doing a good job. So it's really fun to kind of watch this all happen and to see our group do so well. So I don't know what the secret is. Maybe these guys can tell you what the secret is.

Brad's a great guy to work for.

Yep. It's a great culture that you've built here, Brad, and we're all proud to be a part of this. And we actually enjoy our ability to contribute to the cause, which is protecting our customers. That's pretty satisfying work to be involved in.

So, with that, we've burned through an hour already. We appreciate all of you who have spent your time with us today. You will be receiving emails shortly. Everybody who registered will be receiving an email today and tomorrow for the additional sessions that will be on demand, and that will be available for the questions that we were unable to answer today.

Many of them may actually be addressed in the content that has already been provided, depending on the topic.

And anything that doesn't get addressed, we'll certainly look at and try to get an email out to those people who posted those questions.

Thank you very much for your participation.

Thank you from all of us at SecurityMetrics, and have a great day.

Thank you. Thank you.
