How to Think Like a Hacker and Secure Your Data

Anna: Hi everyone. Thank you for joining today's event on Thinking Like a Hacker and Securing Your Data. Over the next hour, we'll explore some of the biggest data breaches to date, look into the techniques hackers can use to breach an organization, and end with a look at prevention tips and best practices. We'll send you a copy of the recording after the event, if you'd like to re-watch anything. As we go, if you have questions, please submit them through your control panel in the questions pane. If we don't get to your questions, we'll make sure to follow up after the presentation. I'm here today with my co-host, Dan Freeman. Dan, are you all set?

Dan: I sure am. Thank you.

Anna: Wonderful. To give you all a quick introduction to Dan, he has spent the last 10 years of his career in various security roles, ranging from systems engineer to security officer, and he currently serves as Senior Solutions Consultant at HelpSystems, for the GoAnywhere product line. Looking at our agenda for today, we'll start by discussing cyber security statistics, define basic hacking terminology, dissect common hacking techniques and recent data breaches, explore advanced persistent threats, and then dive into what you can do in your organization to secure your data. We'll finish with a quick Q&A session if we have time. Okay. Let's get going. Take it away Dan.

Dan: All right. I appreciate it. Welcome all and thank you for joining. Usually, much to my boss' dismay, I like to kick things off light hearted with a joke, of maybe a funny anecdote of some kind, but today, I just wanted to give my condolences and prayers for all those suffering from the devastating floods that have struck the Midwest. In fact, even some of our own staff here, GoAnywhere here in Ashland, have been affected. Godspeed and quick recovery, hopefully.

All right. With that, let's get rolling on our topic. First couple of slides here, like Anna mentioned, we're going to talk about some cyber security statistics, specifically with cost. Some of these things here, just to look at, just to give you an idea of what we're looking at when we do have large data breaches. According to the Ponemon Institute, is where I'm going to get a lot of these references from, you can see that the average per cost for all kind of data breaches was $148 in 2018, as compared to $141 in 2017. They vary from year to year. It totally depends upon who was actually breached, the actual costs that they put into after the breach, to make sure that they bolstered their security. Things like that. That's one indicator to look at that.

Second thing looking at, the United States, Canada, and Germany, continue to have the highest per capita cost at $233, $202, and $188 per record, respectively. Probably because we are a ... I guess when we say we, United States, Canada, and Germany, being those high targeted areas, will probably get the most traffic when it comes to some of the major organizations that are being targeted for whatever reason. We'll look at some of the industries that are getting targeted as well.

On the lower end, Turkey, India, Brazil, have much lower per capital cost at 105, 68, and 67 per record respectively. Moving on here, looking at the frequency of these data breaches, I don't think it's very surprising. This slide might be ... Hopefully you guys can read that. The one on the far left there being the financial services industry. I think when most people think about data breaches, they do think of financial industries. Getting credit card information, bank account information, things like that. I don't think that's a big surprise.

Services. Any kind of point of sale services areas, manufacturing technology. One of the ones that we see on the lower end, on the third column there, healthcare. Doesn't seem to be as far as the frequency of data breaches by industry, but as we all know, or at least I think most of us here, and one of the actual breaches that we're going to later on, anthem, definitely points to the healthcare information, although it's not a very high frequency.

You'll look at that second part of that slide, the per capital cost per industry. You see that healthcare being by far the number one cost by industry. Now, what is it special about healthcare of what we call PHI, or Protected Health Information? Definitely the quantity, not quality on this ... Sorry, quality, not quantity. But why is PHI so valuable? When you think of the financial industry, credit cards, account information, they really do have a limited shelf life. So if somebody gets something hacked, or they get their credit card stolen, it's pretty simply as to just cancel that card and move on.

Now, with your health records, that information doesn't change. Even after you've been hacked, that kind of information's not going to change. In fact, one of the resources I was looking at, the sale price of a credit card number by itself, is around a dollar on the dark web. If you add PHI to that, it jumps all the way to $20 per record. Now, if you get a full profile with everything, a lot of PII, PHI credit cards numbers and things like that, it can be all the way up to $500. So you see, PHI can really, really escalate those costs.

Also, healthcare costs by the way, and I'm sure everybody feels this pain point, have really gone up. Th way to do healthcare fraud, by getting other people's healthcare information, that can be a big cost savings as well. So we can definitely see PHI being a big reason why folks are targeting that type of information. This stat here, I really like this one actually. There's a lot more too, within this Ponemon Institute chart, but this one's pretty cool. On the right hand side, with the black bar codes up at the top, we have the certain types of action items, we'll say, that actually help you save money per breach.

If you look at those top four, we've got incident response team, we've got extensive use of encryption, business continuity involvement, and employee training. Three of the top four are really dealing with human practices. Training the human, having humans do certain processes to make things better for preventing or at least in the case of these data breaches, to make them less costly, with the exception of the extensive use of encryption, which we'll talk about later. But it's really important because when we talk about user training, I think that goes to the wayside, and a lot of people like to try and rely on technology because technology is getting great and everything, but it really, really comes down to the weakest link.

As we all know, and we'll see, going through this presentation, the weak link is still going to be that human, at some point, some way. It's interesting to note, those are the things if you really, really hone on those, if you train that human for whatever reason, whether it's incident response team, business continuity, employee training, it will help you save money. On the other end, the other spectrum down at the bottom there, we look at that third party involvement and extensive cloud migration.

Third party involvement, I would say think of any time you have contractors or anybody that you're dealing with, that's not a part of your organization, obviously that's really hard to keep track of the adhering to your security policies. A great example, we actually probably won't ... Actually, we're not going to dive into it, but target. When they got hit, pretty popular breach, the reason they did get hit is because one of their third party vendors I believe was an HVAC company. Actually, that's how the hackers got in through their back door.

Their bad security practices with on of their third party vendors cost them a huge breach and obviously a lot of money. Cloud migrations I think are pretty straight forward. If you're having a cloud migration, that's going to involve a lot of IT resources. If you get hacked during that type of migration, you're going to have people from networking, from the cloud experts, from maybe exchange if you're moving things up there. Lot of different IT resources are definitely going to have to be leveraged from that standpoint, so the cost can definitely increase in that scenario.

This next slide here, pretty straight forward. Looking at the root causes of a lot of cyber security breaches. Don't think it's any huge surprise. 48, almost half of all breaches, are from a malicious or insider criminal attack. On the flip side, we have 27 or almost a quarter of human error, and about a quarter of system glitches. Now, one thing I think to point out from this slide here, is the cost per incident is one thing that we don't see on here. The cost per incident on the malicious or insider user attack, is averaged at about $157 dollars per record.

Now, if you look at the human error, and the system glitch respectively, will be $131 to $128 per incident. I think that's pretty ... Maybe not completely obvious, but if it's a human error, usually, obviously that person's going to know that they did something, so they can report it right away. What we'll see here in just a little bit, and I think actually the next slide, that mean time to identify and that mean time to contain the breach, is going to really affect on how much cost goes into what is actually lost.

The other thing, I think, to note here, is even though it says 27% is root causes or by human error, there's a chunk of that, with that malicious or criminal attack, and we'll talk about phishing in a little bit phishing in a little bit. A lot of that chunk is going to deal with the fact that humans were the weakest link, to actually have these malicious and insider texts actually work. So, although it gives you good overview of what's going on, I think there's a lot more on the human side, than that 27% that we're showing there.

Okay. Let's go through some key findings here, that we just went through. We'll flow through these pretty quick. Global cost of data breach increased in 2018, from 2017, and again, resource here was he 2018 Ponemon Institute Report, as well as the Verizon data breach investigative report. We had 6.4% total costs increase, 4.8% per capita, and 2.2 size, as far as the number of records. The United States and Middle East had the most costly data breaches. Hackers and insider threats comprised of 48% of total breaches, like we just saw. Again, it is important to note, although that is the case, I think a lot of it has to do with those human errors or lack of processes, which we'll talk about a little bit later in the presentation here.

The faster the breach can be identified, the lower the cost. I think that makes sense. But when we look at mean time to identify, in 2018, it was 187 days. Now, I don't know about you, but think about that. Let that settle in here. You get breached, and this is something we ll talk about again, when we talk about advanced persistent threats ane people taking their time to exfiltrate data, but this is 197 days after you have been exfiltrated, or you've been actually hacked, or you've been compromised in some way. That's the time it takes you to identify that breach.

After that, the meantime to contain that is 69 days. Those are quite a bit of time between the time that somebody actually gets in your network, to the time you actually identify and actually contain that, or at least mitigate what actually happened. Both the MTTI and MTTC, or the mean time to identify and contain, were the highest for malicious criminal attacks versus human error. Again, I think that point's back to if it is human error, hopefully people don't put their head in the sand and don't mention it for fear of their job or whatever other consequences might come, but I can see that's the reason why.

Malicious and criminal intent, we might take a while to figure it out. People might not be monitoring log files like they should be. Maybe they don't even have some sort of sim or some sort of detective or preventative measures, even alerting on these things. I can see that being the case, whereas human error, usually it's a, "Oh boy. I've got to tell my boss," and go from there. You can see where there correlates.

The third party involvement cost did increase by 13% for compromised record. Again, that's just having more folks that you're having as contractors coming into your organization, and it's really tough to enforce or maintain the same security policies that you have, to extent that out to your third party vendors. Maybe they have a specific skill and they don't adhere to whatever you have to adhere to, even though you're responsible for doing that. There can be some either lag time, that they actually get to that level, or maybe some miscommunication, or dragging their feet types of things. Dealing with third parties can definitely be an issue and causing those to increase.

Same thing with the cloud migration as we talked about just a second ago. The big thing is, on the key findings, and this is something where it gets to subjective costs. We talk a lot about, when we look at the finds that people get, when we talk about Target, or Yahoo, or Facebook, or Anthem, and all these big costs, and they throw out these huge numbers like 250 million they had to pay out to people to do service or credit monitoring services and bolster their security and all those things. Those are objective type costs.

But the subjective costs, that I don't think we can really even measure, is that loss of customer trust, which I think is probably one of the most devastating things, depending on your industry. I think we'll point this out. I think Facebook is a unique example. We'll point out in a second. Depending upon your industry and what your service is, that loss of customer trust can definitely equal loss of customers, and then obviously loss of bottom line. You can really get some huge hits there as well. From a subjective cost, to totally can hit you really, really hard.

Okay. Let's look at some basic terms. Again, I apologize that this is very rudimentary for the folks on the phone here, but I just want to get a couple of things out here, and these aren't all of them by any means. Just a couple that we'll definitely cover when we're going through this. First, actually, I'm going to jump down. I apologize. I'm going to go out of order here. I want to jump down to reconnaissance first. This is going to be when whoever it is, if it's an individual, if it's a nation state, and we'll talk about advanced persistent threats, if it's an organized group, a well funded group, whoever it is, it doesn't matter, most likely, they're going to do some sort of reconnaissance.

If they pick a target, they're going to do some reconnaissance. Now, that reconnaissance can be a couple of different, as we see, passive and active. Passive's going to be the initial information gathering. Whether you're Googling, or if you're a Binger, like myself. I like Bing. Or social engineering is a huge one. Going out to your social presence. LinkedIn, Facebook, Instagram, Pinterest, whatever. Whatever social media you can grab. I think LinkedIn's a great one. We'll probably hit more on that in a little bit. But that's where you can see, and people have absolutely no problem putting out who they work for, what their actual position. Maybe even contact information. All those types of things.

So now, people can go out there and find out, "Okay, who's the CTO? Who's the CEO? Who's the CFO? So that I can start doing some phishing or spear phishing campaigns directed to them." We'll talk again more about the phishing in specific later. But that's where they can really get that foothold on a lot of ... Not sensitive by any means, but a lot of public information that will make things like these phishing attempts or emails actually look very legitimate, to where they can actually have people fall for them.

The dumpster diving one, during this ... Obviously we're doing this via GoToMeeting, and I was told that that video doesn't display very well. It might be choppy. What I really wanted to show you guys is a scene out of ... I think it's a movie called 'Who am I?'. If you guys have seen this, I think it's a fantastic movie. I think there was a German movie, back in 2014, again, called 'Who am I?'. I'm not trying to sell the movie. I just saw it. It really did a good job of showing realistic ways to do information gathering, and some certain hacking techniques.

One of the themes, they had these group of guys go to the dumpster site of a certain company. They went through there ans they were phishing through a lot of things, and they found a personal birthday card. They saw that it was to a certain individual. She might have had escalated privileges. Maybe she had some certain title. It was known that she really likes cats, in her birthday card. Okay. That seems super simple and silly, but they used that information.

Now they had her email address, they've got other names that worked there. They can go on LinkedIn and find out their email addresses. Now they can spoof that email address to come from somebody that actually works there. It could be a nice little attachment that says, "Hey, look at this kitty. Isn't this great? They're playing together." Well, she clicks on it thinking, "Oh, this is totally legitimate, and then malware gets installed in her computer. That can be our attack pivot, to where we can now do some other things. We'll talk about that in a second.

The active probing or reconnaissance is going to be probing for the network host, IP address to services, etc. This being a little bit more risky, because you're actually into networks and actually actively probing certain common protocols, certain port numbers, things like that, to actually probe the actual network, so you can get a little bit of idea to decide, and I'm going to flip up to that top there, that first thing, that attacks surface.

Attack surface is going to be that threat vector or sum of all the possible attack points. This is where we're going to look at a certain organization. If we pick an organization, we're going to do our reconnaissance. We're going to do our due diligence. We're going to find out who the key people are. We're going to see, by doing some probing, if they do have some CVEs or some Common Vulnerability Exploits. All the different types of things. We're going to try and find every way that we can get in there. That's going to be our attack surface, and we'll start hitting it from all different angles.

The attack pivot, usually this is going to be targeting a lower security host. Get in maybe via that lady that loves cats. We'll throw her that email and she'll click on it. We'll get our Trojan information, or whatever malware, on her machine, and then we can actually take that and move what we call laterally, throughout the network, to try and find other areas that have a little bit higher privileges, so we can keep probing and increasing that span throughout that network. That's going to be our attack pivot.

The attack escalation is going off of that. Let's evolve that attack from that low to higher critical value. Taking Sally's machine, that loves kitties, she doesn't have a whole lot of access to a lot of things, but we can at least do some now probing from there, to find out where the databases are held, or another user that has more escalated privileges. Things like that. We want to find out what's actually going to be our CVD, in the next bullet point, that Critical Value Data, or prized organizational data, the crown jewels.

Whether this is Coca Cola's secret ingredient, or proprietary formulas, or manufacturing processes, anything, if this is going to be something that you want to steal from maybe a competitor's standpoint, you're competing with this certain organization and you hire people, or an organization, a nation state or a well-funded organization to do these types of things. To pull out that type of information.

A couple of things I skipped down there. The RAT, or Remote Access Trojan, and command and control, once you do get in there, that pivot point, and you start escalating out, one thing that definitely want to do, and when I say they, the hacker or hackers, whoever that is, they want to plant things within your network, as back doors. So that if you do find out where you initially came and they get wind of that, and they close if down, they definitely want to install back doors in multiple areas, multiple check points, so that they can have different ways to get back in.

Not to mention, the command and control, once they do find that CVD or that Critical Value Data, they're going to want to exfiltrate that, however they're going to do it, whether it's a database query to pull information out to maybe a CSV file and throw it back out to them. That command and control is going to be their machine, outside the network that they're communicating back to, or exfiltrating that data back out to.

All right. Moving forward, we'll look at some of the hacking techniques, and I'll try and cover these pretty quickly. Again, you'll see a list of here. We'll kind of go through these. I don't need to read these here. We'll go through a few of these. The one that's not on here, because I guess this is really not a technique but it's more of a method, is the advanced persistent threat. We'll talk about the encompassing everything that we talk about here, to target a certain organization.

So, first one, the fake WAP. Again, I go back to that 'Who Am I?' movie. I really love it. I think it's great. You guys should actually watch it. Again, I have no ties to that movie. I just thought it was a really good depiction of hacking and certain techniques. But in the movie, the fake WAP, this is where one of the scenes, one of the guys took an actual remote router, he stuck it to the bottom of a desk in a library, to where he could actually put basically a remote access point.

Now, a couple caveats with that. Looking at this here, we talk about the keys to having legitimate naming convention. So if I do go to a public library, or if I go to Starbucks and MacDonald's or whoever, you probably want to know what their actual naming convention is. Maybe do something very, very similar. Maybe replace Ls with ones. Things like that. Os with zeros, so it looks like ... Physically, it looks like the same network, to where you can actually put that, so it would be very easy for someone to mistake that. To go and do that as well.

You probably want to make sure that it's definitely an open and non secure network, with no password, which is very common in public places, like your Starbucks, MacDonald's airports, things like that. A lot of them don't have passwords on them. They just want people to be able to connect to them and maybe send off a couple of emails. Or whatever it is they do. It's extremely easy to set up and extremely easy to fall for. Same kind of thing. It doesn't have to be a cool device they stick underneath a table. It could be just me, with my laptop, going out there and sitting at my laptop, to be an actual access point. As long as I know that information before, I can set that stuff up.

It doesn't take much. This is the other thing by the way. An over thing we talk about any of these, it doesn't take but one person to fall for something, for you to get access to something. That's when we talk about phishing, phishing is rudimentary, I guess, as you look at it. It's not the cool ... You have to be super smart, the Mission Impossible frantically typing away on the keyboard to hack into the outer network. No. Phishing is just throwing things out there, like the kitty email, for someone to click on, to get your malware installed in the network, and then ... Yeah, you have to be pretty skilled to do network lateral probing and things like that, but it's usually just getting someone to fall for something, for you to get inside the door, and then you can take off from there.

In any case, getting back to this, the fake WAP here, once you're connected, you can have all that traffic. Instead of going through Starbucks or MacDonald's or whoever's router, to go out to the internet, it can traverse your rogue access point and do inspection on all that traffic. Whether it's key logger, or you're just inspecting all the traffic. So, a couple of things you can do, my advice, that I used to tell all my employees was don't connect to them. If it's free and it's open, no password, please don't connect to it. Just wait. Do something offline and wait so you can connect it somewhere else.

If you have to, for whatever reason, make sure that you get the network name and password from the provider. Hotel, great example. They usually will give you the network name and password, and stuff like that. Or have a host VPN to encrypt that data traffic. That's also a decent idea to do as well. Cookie theft. Cookie theft is going to be also known as side jacking or system jacking. For the most part, some metadata is going to be sent from the website and stored in your browser. This information or cookie, as they call it, can be sent to the website, to notify previous activity. Customizing or making the session more convenient for you.

The problem is, if you have an unsecured connection, this can allow theft. Now, what's not going to happen is, or most likely is not going to happen, is somebody steals "your cookie". This can have them gain access to your account so that they can actually log into whatever account you're in. Now, it doesn't necessarily mean they're getting access to your login credentials. In fact, most likely, they probably aren't. But what they can do is they can log in as you, without having that password, by stealing that cookie or that session ID, and then they can actually change settings while they're in there, so that they can change the password to whatever they want. Totally up to them.

Couple examples of this is like if you want to use like Google has an API transparency report. Transparency report is the website. To plug in the website, see if it's safe, things like that. Those are some of the ways that you can get away from having these things happen. Definitely always visit, and this goes for not just cookie theft, but for any kind of browsing, make sure you are going to an ACDPS website. I think most, all the major ones, if you just type in google.com, it's going to force you to go to ACDPS google.com. Most to them are doing that anyway. Then always a good practices, use the host VPN to encrypt that traffic from your local machine.

Bait and switch. This one's pretty straight forward though. Leverage the internet, click, ask to divert malicious sites. This is super annoying, as you guys probably agree with me. If you don't browse in incognito mode or some other, take those security settings off. Browsing the internet nowadays is super annoying. You get popups of ... If I was on Amazon, searching for diapers, I get diaper ads constantly, in every website I go. It really depends on which sites you're at. It largely depends on, again, the host site, like your advertiser. Things like Facebook and Google, they should have pretty good safeguards, so they shouldn't get any of these malicious click or bait and switch type ads that get thrown in there.

If you're going to less popular sites, and you're clicking on ads in there, you definitely have a possibility or chance of actually getting redirected to a malicious site to gain whether it's credentials or anything that you're doing when you're browsing there. In fact, clicking on certain things might even install or download some sort of Trojan or malware under your machine to give them access to your computer.

Again, what can you do? My big things is don't click on ads while you're browsing. This goes for almost anything. Anything that gets solicited to you, and you didn't initiate it, this goes for phishing too, which we'll talk about in a second, especially an email, don't ever click on things like that. Don't ever call numbers that get sent to you. Don't click on links that get sent to you. If it is solicited to you or people are asking you for certain things, especially if it's personal information, and you didn't ask for them to do that, don't do it. Make the initial connection. Know that you're connecting up to your bank site. Know that you're connecting up to whoever else before actually any kind of information like that. Absolutely.

Click-jacking. This one's otherwise known as UI redress. This one here, it kind of lays an invisible ... Not kind of, it does, lay an invisible frame over the site that you're seeing. Basically, invisible buttons. It's even creepy enough as has the buttons that follow your mouse or any click. Some of the common ones that I saw, or that we have seen, how that happened, using a click-jacking technique, Facebook. There was a click-jacking problem where it was abusing the "like" functionality, to where it was actually pushing or promoting people, unbeknownst to them, that they were actually liking the page that they were on. So people were getting more likes, so I guess more from a not terribly malicious standpoint, but just falsely having pages being liked or certain articles being liked.

Twitter had a click-jacking problem where there was retweeting locations of malicious pages, unbeknownst to the users. Probably one of the most notable examples of click-jacking is the Adobe Flash physical settings. Sorry, the plugin security settings. It could go in and actually change those security settings to utilize either your microphone and/or camera. So actually turn that on. That could be a little creepy, I think. People actually looking at you via your camera or hearing everything that you're saying. It could be a bad deal. Again, couple of things to do. Update your security browser, built in defenses, ad blocker type software, host solution that that listed known click-jacking sites. Things like that.

This one here, I put in here. I don't know if I've seen this very often lately. I did see this a couple of years ago, quite a bit. In fact, my dad fell for one of these. God bless his soul. But he got one where, if you guys remember this one, the FBI popped up ... I mean, it wasn't the FBI, but it popped a little screen that says, "Hey, you need to pay $500 for ... " I can't remember what it said. Gave a number. My dad actually fell for it. Or these here, the browser lockers, where it actually pulls up a screen like this one here and it tells you, "Hey, click on that back to safety," or, "Hey, do you want to fix this? Click on this button," but it really wasn't fixing anything. It was actually installing something. So it was doing the exact opposite of what you thought it was going to do.

These are really annoying, but in any case, the point is when these things pop up ... This is another great example, you'll see that they have a technical support line down there. 844 507 whatever. Don't ever ... Again, if it's unsolicited information being sent to you, don't ever use that information. Even if it's legit. Maybe it is legit. Make sure that you are initiating that contact, whether it's via email, whether it's via phone number, however. Don't ever take that unsolicited information and think you can actually go into somebody who is legitimate.

One of the things that I saw too by the way, not just this browser lock, it was a different one, people were actually calling our staff, at my last job, and they were claiming to be a Microsoft representative. They even went so far to say their Microsoft ID, all these things. They said, "Hey, we've noticed you're having problems with your computer. You just need to go to this website so that I can remote into your machine and I can fix these things for you right now, free of charge. No big deal."

Well, most of our users ... Well, actually, all of them did. We never got hit with that one, but I can see a lot of folks that maybe didn't have a security and privacy awareness training course, where they'd be like, "Oh my gosh. This is terrible. I don't want my boss to know that I'm not keeping up to date or whatever," and they do. They go out to the website and they go and they log in. It's not logging in or it's not Team Viewer, but it's something like that.

They get in there and they install malicious software. They say everything's fixed. They leave, and unbeknownst to you, now you've got malware on your machine, and that's going to be their attack pivot point and where they're going to start actually doing some lateral searching on your network, to actually, hopefully, in their case, exfiltrate some valuable data. Again, here, a couple of things, the host solution blocking those online sites. Again, do not call any numbers provided, or click on any links within that message. Anything unsolicited, I think that's the golden rule, don't deal with it. Don't click, don't call, don't do anything.

Okay. A couple more here. IoT attacks. I think in a society with, "I must have the latest and greatest gadget out there," it's caused a lot of problems in the last few years. You've got the exciting new products and features. Everybody wants them. But there is definitely a general public disconnect with the security risk they pose. Your TV, your refrigerator, things like that. People are not even thinking about the fact that those can get hacked or those can be compromised. Even not so much hacked, but actually be controlled to where they're now actually part of a bot network that's actually doing further hacking, so that they can be used as a bot to do other types of things.

These are things that people most likely don't even think about. Again, AC, refrigerator, TV, those types of things. Most people with these types of devices, those passwords, usernames, defaults, those are all left the same. So with anything, not just IoT devices, you're routers, whatever the case may be, cameras that you installed to watch your babies at night time, whatever, make sure you're changing, at the very least, the default user name passwords. That's the very least. It's the first thing to get out, because that is the super simplest way, because that stuff is available on the internet. No big deal. If you leave in default, you're just opening yourself wide open.

Place on different V-Lane if possible. That's definitely something you can do as well. Don't leave it on the default V-lane that you currently have. Anything that you're dealing with, those devices, whether it's through your router or wi-fi, use that strong encryption. I put in there at least 15 characters password. I would say use pass phrases. This is always going to be an argument. I might have people groaning right now on the phone. I definitely prefer pass phrases over passwords, for a lot of reasons.

Pass phrases are easier to remember for folks. They can be in sentence format, they can have spaces, they can have capital letters, they can have punctuation. Those types of things. Anything over 10 to 12 digits, brute-force is going to have a big problem with that. That's why I put in at least 15 characters. Not to mention the traditional way that people administer passwords. They make them so convoluted. You have to have a special character, capital, number, and it's really hard for people to remember those. So, huge fan of pass phrases. At the very least make them over 10 characters.

Then things like keeping your software up to date so you can avoid those CVEs or Common [inaudible 00:36:15], or hopefully zero-day attacks as best as you can. This is another standpoint that I will probably reiterate at the end. Two things. Encrypting your data at arrest and in transfer, and leveraging two-factor authentication. Those are two cheap and easy ways to really mitigate a lot of ... Making it a lot more difficult for those hackers to actually get into those networks

Credential re-use. I hear this one a lot, and I like this one. Usually, after following a data breach, they had a bunch of login information that got stolen. In the wake of all that, people will us ... They'll blow it off like, "Okay, that's done and over with." But that credential re-use is very, very important. So, in the case of Yahoo, in this case, it got hacked in all three billion, or whatever it was, and I think we'll look at it in a second. User accounts got hacked. So everyone's like, "Oh, okay. Whatever. Let's change my Yahoo username and password.

But the problem is, what people do is, they'll take all that information still, and it's not invaluable because how many people, and you guys can raise your hands because no one can see you, how many people use the same password for multiple sites? I would guess probably 50% of you guys are raising your hand. I was definitely a victim of it until just a few years ago. I leveraged something like key pass, or actually, it's last pass, to generate all kinds of random passwords for me, because I did the same thing. I was super guilty of the exact same thing.

That's exactly what these folks are going to do. They're going to get that information. Okay, granted, you changed your Yahoo password, whatever. They're going to use those same credentials to go to your banking sites and all the different places. A lot of times, they're going to be very successful to pull those in. Again, you may not be concerned because, "Oh, it's just my yahoo account, but again, they'll use those same credentials to hack into other sites, which is, again, most likely the case. A lot of people do that.

Obviously what you do, let's not use the same ones. Get something like key pass, last pass, one pass, whatever, or if you can change all your passwords and keep a mental note of your secure place, I would definitely inform or do that. Keep informed of what sites or companies have been breached. Make sure you subscribe to certain sites that will give you that information so you know that ahead of time. Then use a password application.

One of these things here as well. If you ever want to see if your credentials, at least from like in this case Yahoo, if that email address has been compromised, things like these, haveIbeenpwned.com, you can put in your email address and it will let you know if it's been used other places. Things like that. Think of it this way too. It's not just going to be your Yahoo account. Well, Yahoo is a bad example.

But when we go to Facebook, if you use that Facebook, it will be an email address account to sign into Facebook, most people, you know that when you sign into other things, it will give you an option, "Hey, do you want to use your Gmail account, or do you want to sign in with your Facebook account?" most people do that. Not only are you compromising your Facebook account, but also any site that you're logging in and using those accounts. It's a good time to use that website right there.

All right. Phishing, and this one I'm going to try and keep brief because I can talk about this for probably an entire hour. It's subjective, but a lot od security professionals think 90-95% of all major hack start with phishing. In some sense or some way, that's how they get their foot in the door. Phishing is very successful because it's easy to do. It's easy to mass do tens of thousands of emails. Like I mentioned earlier, it just takes one to get in, and we'll see what that happened in the case of Anthem here in just a second.

But this is the type of social engineering ... We're going to attack the user instead of the device. It's a lot easier for me to go to the bank teller and say, "Hey, by the way, what's your code? And actually give it to me, than rather having some James Bond thing putting up there, put my ear to the dial, and try and hear clicks. Which I don't understand how that's even possible, but I'm not a safe cracker. But it's much easier to ask for the keys, and that's essentially what they're doing.

AOL, way back in the day, in the 90s, if you guys remember that, I'm sure most of you guys on the phone call do, the way they were doing it is was they were calling people saying, "Hey, by the way, I'm an AOL technician. I need your credentials. We're going to do some changes. They gave it to them, they got free internet. It was that simple. They just gave them the keys. Microsoft technicians calling users. The example I just gave you, saying, "Hey, go to this website and go ahead and log in.

Spoofed email from CEO to CFO, asking for money transfer transaction. I put that one in there specifically because that actually happened at my last job. Thank goodness my CFO actually went to the security and privacy awareness training, because he got an email from the CEO, it was spoofed, that said, "Hey, I need you to transfer $10,000 to this. I know we haven't gone the approval process, but this is a deal that we need to get done today." The CFO, and they must have known this, was literally there for about three weeks.

So imagine you, as a CFO, your CEO sends you an email from what it looks like that, and she's asking you specifically, "I need this right now." That puts you in a really weird position like, "Okay. Yeah. That sounds great." But thank goodness this person actually emailed me and said, "Hey, this looks kind of goofy. She's never asked for anything like this." Sure enough, if you just hit reply and look at the email addresses going back to, it wasn't going back to the CEO. It was going to some random email address in the Bahamas or something like that.

But those things happen, and that's a very low level spear phishing attack that can get very, very sophisticated. But that's just an idea of how they do those things. I guarantee it, they went on LinkedIn, found out who the CEO was, found out who the CFO was, and did that spear phishing attack, and pointed directly to that person. We got a couple of ones too.

This one was a job applicant with a PDF resume attached. We saw that a lot. We were supposed to get the PDF resumes from ... It was either ADP or something. I can't remember. We had a few people, that again, they must have been going on LinkedIn, they were sending resumes to managers, who were making decisions on jobs. Even though it wasn't going through the right process, these people could have easily clicked on that email just to view and be like, "Oh, let me take a look and see this person." Thank goodness they didn't. They sent it to me again, and we got it to the right people, and it was a completely spoofed and malicious email.

Tons of things from a phishing standpoint, and these are just electronic. It can be phone calls. It's any kind of social engineering that can really get those keys to the kingdom just by simply asking. Granted, they masked the way they do it, and it's not as easy as the AOL examples back on the day, but that's how they get in. We'll talk about how that happened in Anthem as well. What to do? User training. You've got to train the humans. You've got to train your employees.

Okay. I want to go through this quick. I just noticed the time. We're getting short on time here, so we'll flow through some of these fairly quickly. Facebook, as you may or may not have remembered, we had about 90 million user accounts hacked. Mark Zuckerberg, his account was actually hacked. One of the biggest things was vulnerability in the code in the 'view as' tool. Say you block somebody, and you wanted to actually view ... Like your dad. You don't want your dad viewing your profile. So you hit the view as tool, and you could select your dad, so you could see what your dad would actually see.

Well, that tool was actually passing, and I won't get too detailed, basically the OAuth token to that user, so that they could actually steal that OAuth token. Think of an OAuth token as the keys to your house or your car. Your house or your car doesn't care at all, who's holding those keys. If you have them, you're going to get in the house and you're going to get in the car. That's essentially what was happening here. Facebook had to come out. The had to say, "Hey, this happened."

That bullet point where it says stock price tumbling ever since, that's pretty subjective. I threw that in there because it did for a few days after it happened, but this is also one of those examples where it really depends on the services that gets hacked, whether you have that subjective reputation hurt. Because as much as I don't like it, things and services like Facebook and social media, I think people's memories are really short, not to mention their vanities, and they just love Facebook, so they really didn't care. That's a disclaimer for that bullet point there.

But GDPR implications, if anybody's overseas ... It doesn't need to be overseas. Anybody dealing with Facebook, dealing with folks in the EU, that can be a big deal. Those types of things can be up to 4% of global annual revenue, which 1.63 billion in the case of Facebook. So, those are huge concerns for global organizations.

This one will be real quick. Equifax, 143 million users [inaudible 00:45:16]. Had a lot of PII information in there. Their stock price did fall pretty significantly after that happened. Again, I think it depends on the actual service that's being offered. This is kind of shady. I don't know if you heard this in the news. Three executives sold shared before disclosure. Unbelievably shady. That reminds me of Enron or things like that. That's disgusting. But anyway, things like those types of things happen as well. This was because of the website or patchy struts. The common vulnerabilities. They were not patched, so they leveraged some vulnerabilities in the actual web software.

Yahoo. Yahoo was a little different. It seemed like it was two different timelines. They had an initial disclosure, I believe in 2016. Actually 2014. The 2016 disclosure said 500 million users. Increased to one billion by the end of 2016. Then by 2017, they said, "You know what? All three billion users accounts were affected." They required everyone to change their passwords. All these things. This one was a spear phishing ... Well, most like, as the experts say, spear phishing. Most likely that they sent to a semi-privileged user.

This user opened up that email. They got in on their computer and then started doing their lateral movements across the networks. What they were looking for? They were looking for Yahoo user database and the admin tool called account manager tool. Once they got in there, they installed back doors to keep access open, in case they got locked down on the initial attack vector. Then they exfiltrated that user database to their command and control computer that was sitting outside.

This one also used or did use generate cookies to log in with no passwords required. Again, once they got into that and they leveraged those cookies to log in, they didn't have their credentials, but once they could log in, they could change those things, get those different tokens, and then pull out that entire user database, then use it obviously at their will. Whether they changed passwords, whatever the case might be.

Okay. In the interest of time, we'll go through the Anthem data breach. A couple od quick things. I think you guys probably remember this one. Back in 2015, 79 million users. I think it was more along the lines of 80, something around there, million users. All their PII and some PHI data was taken. Very detailed records, as we talk about there. They valued at approximately $150 to $250 of record. This bullet point here, the 115 million settlement just this year, that's skewed just a smidge. That was mostly for security improvements. Overall, they had about 260 million in their handling of that whole situation.

Breakdown, 2.5 million went to expert consultants, to see what happened, to dig up all the causes. 115 million went to security improvements, to bolster the security after. 31 million went to initial notification to the public, and then 112 million went to providing that credit protection for one or two years, if I remember right. Which, I don't know, you guys have opinions on that, whether or not credit protections is really that awesome anyway, after you get that type of information stolen. But it does cost, in any sense, Anthem, a lot of money.

Not to mention, Korea's been at risk. There's other things that we don't see about people who actually were involved with this, probably because before the attack, their procedures were inadequate before. I won't say because the attack happened, because those things happen, but it's either lack of preparation, or the way that they handled it after it happened.

So quickly, let's look at Anthem. The timeline here started somewhere around March 2014. Again, this speculates, but I think the latest one I saw was February 18th, specifically, 2014. It was discovered January 27th, 2015, by Anthem and their sys admins. We'll talk about how that happened. Two days later, they actually alerted the federal authorities, on January 29th, and then February 4th of 2015 is when they actually announced it out to the public. So it did take a little bit of time there, but at least after they found it, they only took a couple of days to notify the actual authorities.

This one here, and again, I'll try and be as quick as I can here, to get the main points, this one is a good example of what we're going to talk about, advanced persistent threats, which it doesn't look like I'm going to have a whole lot of time to talk about, but this one goes through a multitude of ways that they attacked. They took their time. They did a lot of lateral scoping, pulled out information, made sure that they had custom software to have things installed on the network, to pull information, and at the end point, exfiltrate 80 million records out of the database on the internal network.

These were not [inaudible 00:50:18]. This is most likely a nation state. In fact, most people point to a organization. Actually, we'll talk about Top Sec and Deep Panda, which is going to be a Chinese sponsor organization, is what most people point to. But this is stuff where they went to LinkedIn looking for job posts and what systems they have. That's another thing. You're going to see job posting so they can see what kind of databases they have. Programming languages, things like that. All that information is key. Using that information to find out what kind of vulnerabilities they possibly could have.

Reading press releases, as goofy as that sounds. Knowing the name changes, which comes into a very important point on this next one. They knew that that they were called Wellpoint, before they went to Anthem in 2014. We'll see in this next slide here coming up, you'll see DNS records of somebody, and it looks like somebody from China, who actually obfuscates and changes it to the Cayman Islands, about 10 minutes after it was created, which we'll see in a second. They registered a website called Wellpoint, but you'll notice it's W-E-1-1-P-O-IN-T.com, instead of W-E-L-L. But to the naked eye, whatever, when you look at it, it looks pretty legit.

These people not only registered that domain name, but then things like MyHr, HR Solutions, External Citrix, which by the way, this was one where the people were launching and logging in to Citrix to access certain applications. But the point is, this was something that they were using, so that they could take and send emails to folks using myhr.wellpoint.com, or what looked like wellpoint.com. HR Solutions IT type things, with Citrix. So it really confused people to actually click on things to download software or type in credentials, because maybe they said, "Hey, you know what? Your credentials have expired. Please do this." Things like that. "Your mailbox is full. Go ahead and click on this to increase the size of your mailbox."

They did a lot of things like that, but the initial part, that reconnaissance was doing a lot of social engineering gathering, what systems they had. Who was in what positions. Who they could attack. Who actually had escalated privileges to actually send that spear phishing email to. In essence, what they did, and this is a goofy little DNS entry here, but point is, if you can see, and I can barely even see it, but you'll see that the Wellpoint domain got created, and about eight minutes later, they changed it from China to the Cayman islands.

One of the users, it ends up being a professor called Song Yubo, I believe, which is weird because he was actually conducting a security competition sponsored by a company called Top Sec Information Security Research Center of South East University, back by the Chinese government, and was well known to have ties to Deep Panda. That's where this all came in to just being a nation state attack on Anthem, specifically to get this information out. Again, this could be a completely different webinar, diving into the exact Anthem breach.

This here is a over-arching diagram, showing how this little network card down here, this is their command and control center where they're coming in from. This little [inaudible 00:53:35], this is going to be the malware that they send in there from the ... What happened originally is that they send an email to one of the data base users. They actually clicked on it. They had that computer as their command and control or their pivot point, and they were going around and finding out where the databases were.

Eventually, they used his credentials to do database queries, and that's how they actually extracted those 80 million records out of the database, to then exfiltrate out to their command and control center. Again, this is a super high level rundown of what we're doing. What was neat about this malware though, and this is another thing with advanced persistent threats, you're going to have custom malware, it really masked itself to look like Adobe Reader or Microsoft ActiveX applications, to really further look innocent. So when people saw these things, they didn't think anything of it. No big deal.

These things are infiltrating through their entire network to get to the ultimate goal of that actual database, to exfiltrate that information, using legitimate credentials. Even if that data was encrypted at rest, which is a very, very important point, if they get legitimate credentials like these guys did, it doesn't matter. That's going to go ahead and decrypt it for them and then send it out to here. What was crazy was, and again, this goes through what we just talked about, there's a phishing email asking for user information, escalated privileges for attack pivots, there were some known vulnerabilities, and that custom tool. That was that [inaudible 00:55:02] custom tool.

They took their time. That's another thing again, with advanced persistent threats, which I know we're running out of time. I probably won't get a whole lot of time to talk about that. This is something they took a really long time. You'll notice the timeline was February of 2014. It didn't get noticed until months later, and it really didn't get anything cleaned up until even months later after that. They definitely took their time getting this information out of there.

Oh, that's the same one. The way they discovered it, by the way, inadvertently and probably a bit lucky. The guy or the ... Yeah, it was a guy. The individual that got hacked or actually clicked on the phishing email originally, he did start noticing accounts that already had logged in, and he started noticing a lot of queries going on, that weren't him. That he wasn't doing. He actually took notice, and did some digging, and then actually reported it. That's a good thing, I guess.

Then you have the human being element actually saw the activity going on and actually reported it. It wasn't so much a technical solution, per se. Like an IPS or something giving you an alert. It was just the technical solution as far as the log files are concerned, but actually the human diligence and awareness to actually take action. Again, getting back to the human training and things like that is very, very important.

I've got like three slides left and I just looked at the time. We're going to run through these really quick. Advanced persistent threat isn't really a technique. We went through a lot of different techniques that people can use. Advanced persistent threats, I think, in the beginning, were really, really honed in on nation states like your China Deep Pandas, or your Russian Fancy Bear, or those types of organizations out there, but there also can be just highly funded organizations.

What's really scary about advanced persistent threats is think of it like ... Or just think or China backing certain people, or Russia, or whoever it is. These folks are going to be fully employed to do hacking for you, and they're protected by these organizations, so there's really no threat for them to go to jail, to get caught, to do anything. Think of that from your perspective. If you had a full time job that you got paid for, and you probably got paid pretty well, depending upon how good you did, and you had no threat of really getting any ramifications for the "illegal activity" that you were doing.

It's scary, these different organizations out there, doing things like advanced persistent threats. Which is just a methodology of leveraging everything that we just talked about and more, probably a lot of things that I don't know about, especially custom malware applications. Just hone in on a specific target, still at data for, like I mentioned, political espionage, financial gain. Not to get political, but the hacking of the DNC or the office of personnel management pulling out federal contractor information. That's huge. That can be leveraged for blackmail. There's a lot of different things on those. Those can get really, really scary, as far as that's concerned.

Very quickly, reconnaissance, I think we talked about that. They're going to go very, very in-depth on reconnaissance. How they get in there, how they gain that access to the network, and again, phishing, I think is a huge part of this. Then they're going to stick it in. They're going to probe the network to find out where the actual CVD is; that Critical Value Data. They're going to establish multiple entry points, whether the remote access Trojans or just back doors, so they can get back in.

Even if they find out about things, they've got way to get back in. They're going to gather that target data and then exfiltrate that data. Usually in a very, very slow time, slow manner, so they don't raise any flags. These aren't the types of hacks that people get in and get out, and leave. These are the types of hacks that they sit in there for months and years.

Then quick five signs, and I know again I'm going very, very quick. Elevated late logins. I think most people think, and I don't know if this is completely true, that people from across the nations or across the globe, are going to be doing hacks on the other side of the globe. That's why you're seeing the elevated late night logins, widespread backdoor Trojans ... Well, that's obvious. Hopefully, your systems are seeing that. Unexpected information flows, data bundles, and the focused spear phishing campaigns. If you really start seeing your executives or people in high level positions getting these emails, you probably need to pay attention to what's going on. See what's really going on.

Again, what you can do, these are quick ones as well, get your C-level folks involved so you can get the funding, the backing, because no one ... You can have your security guy on staff, and I've seen this how many times, blue in the face, telling you everything that I'm telling you and even more, but the C-level guys, they don't care. They don't really see the value of it. It's just more money out the door and they don't want to deal with it. Definitely get them involved.

The CIS top 20 controls, pull those down. Take an unbiased look. That's your network. It's a good starting point. Encrypted data, arrest and transfer. I think this is a very simple and easy way to do things, as well as activate two factor authentication, but as we saw in the case of Anthem, if they get legitimate credentials, that data arrest really isn't going to make any difference.

Identify any CVDs. Take a risk based management approach. Any contractors vendors. Vet out that chain supply. We saw this was the number one way that we can save money. That instant response plan, absolutely important. Unbelievably important actually, to make sure that you guys have staff or somebody that knows what to do in case this does happen, and immediately. I think this one's huge.

I was a trainer at one point, so I'm really special at this one. Educate your staff. Again, a lot of people think phishing is the main way to get in, and two, it only takes one person to screw up. That's the hardest part about this. You can have defense in-depth. You can have the coolest technologies. You can have everything. But if you have this, it's tough. It's really tough.

My quick lasting thought, anything ... The computer chip can technically be hacked. Think of it from your cars. We've seen that from the videos of the jeep getting hacked and breaking, and steering, and doing all that goofy stuff. Hospital equipment infrastructure. It could go from record data breaches to record number of lives lost and latest hospital techs. It could get really ugly. I think these things are really important.

I apologize for taking up the entire time, and I know it was rushed. Maybe in a future webinar, we can hone down more specifically on things. It was a lot of stuff to cover. I absolutely appreciate you guys time today. Hopefully you learned at least something today, or at least something to think about, as far as your security and practices are going. With that, Anna, I'll pass the mic back to you.

Anna: Perfect. Thank you Dan. So, before we wrap up, I just want to let everybody know that there will be survey that pops up after the webinar. Please let us know what you thought of today's presentation, and if you have any questions we weren't able to answer. Also, if you liked today's presentation, I also want to let you know about our next webinar which is scheduled for April 17th. This webinar is preventing data breaches with GoAnywhere, and it's a great follow up to what we covered today.

We'll explore how our secure managed file transfer solution can help prevent successful breaches by encrypting data in transit and at arrest, following compliance requirements and more. Be sure to save your spots since the event is less than three weeks away. We will stay on the line for a couple more minutes, to answer any questions you have, but it does look like all of our questions have already been answered throughout the webinar, so we'll let you go. Thank you for joining us and have a great day.