Matt Helling: Security is so important, moving forward, it's the difference between making or breaking your organisation. If you're not doing the right things you're going to get in trouble and it's going to cause you impact.
Daniel Wiley: We’ve had a couple of companies call us and say, “Hey Dan, we found something in our data centre, it's making this god-awful noise, what is this thing?” and it ends up being an antminer or some other cryptocoin mining device that someone had put in their data centre, now that's actually making some coin.
Michael Bird: Hello and welcome to Explain IT, brought to you by Softcat. The show for IT professionals, by IT professionals, that aims to simplify the complex and often over-complicated bits of Enterprise IT without compromising on detail. In this episode we're going to take a look at the big security trends from the last 12 months and with me to help is Matt Helling, who is Softcat’s head of cyber security services. Matt, thanks for joining us. Just give me a brief explanation about what being the head of cyber security services at Softcat means.
Matt Helling: Softcat as an organisation are investing quite heavily into our cyber security services organisations. We’ve been running a security services practice for about eight years now with our Checkpoint managed firewall. What we’re doing now is we’re investing heavily into other areas of cyber security services to help customers mitigate risk and produce a security maturity model.
Michael Bird: And for every guest that we now have on the show, we are asking them to bring an interesting fact. So Matt, what is your interesting fact?
Matt Helling: I only ever take cold showers and cold baths.
Michael Bird: Why would you only ever take cold showers and cold baths?
Matt Helling: Because I’m partly sadistic and I also think that we’ve just become a bit soft. Living in nice air-conditioned offices, with nice warm baths so I like to try and push myself and also, side benefit, it wakes me up in the morning which is quite a feat. I'm like a bear.
Michael Bird: Fair enough! And also to help us we've got Dan Wiley who is Checkpoint Software’s head of incident response. Dan, thank you so much for joining us today. Dan can you just give us a brief explanation about what you do at Checkpoint?
Daniel Wiley: I run the incident response team globally for Checkpoint and we help customers deal with any cyber event that they might have. So things like ransomware, DDoS, hacking, extortion kind of events, and we do this in a real-time mode, so if you call us right now the boys will answer and start helping customers immediately to deal with their incident.
Michael Bird: Awesome. Dan, we ask all of our guests to come with an interesting fact, so what is your interesting fact?
Daniel Wiley: I love building things, specifically LEGO sets - taking a week off and putting together one of these amazing sets and then taking it all apart and giving it away and doing it all over again.
Michael Bird: What is the most interesting thing you've ever built?
Daniel Wiley: I definitely like a number of the sets right now. I just built the Porsche 911 Turbo GT3 I think it was, and also the Sydney Opera House. I am looking forward to the new Millennium Falcon.
Michael Bird: Does the Porsche drive?
Daniel Wiley: Not quite, but it does... the doors open and the hood opens.
Michael Bird: So let’s crack on with the podcast. Dan I’m going to start with you - what have been some of the big security trends that you’ve seen over the last 12 months?
Daniel Wiley: Well specifically we’ve seen a number, and they’re all big impact kind of events. We’re seeing advanced ransomware attacks that are very targeted, very advanced, that are targeting customers to extort money from them. We’re seeing application cloud attacks that are attacking things like Office 365, or Salesforce. We’re also seeing things, specifically attacks against infrastructure, so things like AWS or Azure. We’re seeing a very large amount of phishing attacks, mostly going after credentials, but then also using those elevated permissions to send man-in-the-email attacks. And then we're also seeing RDP - remote desktop compromises across customers’ environments.
Michael Bird: So the first thing that you talked about was the advanced ransomware, social media ransom targeting, that kind of thing. Can you just give us some examples, some recent examples of where that’s happened and what the organisation that happened to - what did they do in that situation?
Daniel Wiley: We just recently worked a case for a manufacturer in the United States. They make plastic widgets - lots of them. This company has a global footprint, they have manufacturing in the United States, in the Netherlands, France, a couple of other places around the world. They called our incident response hotline and basically said, “Hey, my entire infrastructure has been encrypted.”
Michael Bird: Oh my goodness. What do you do in that situation?!
Daniel Wiley: Well the first thing to do is try to remain calm.
Michael Bird: Don’t panic!
Daniel Wiley: Don’t panic! Mind the gap. Psychologically, if you think about it, if you’re the head of IT and you walk in one morning and everything’s encrypted, you panic, in a lot of ways. So one of the first things that our team does is actually talk the customer down from the ledge and we’ll say, “Look guys, it’s going to be tough, it’s a long road, but we’ll get through it.”
Matt Helling: How many people just pay it? On the assumption the nice hackers are going to give everything back?
Daniel Wiley: So there’s an interesting trend that’s going on around paying the ransom. The company itself typically does not want to pay the ransom. And I actually agree with them, I don’t think it’s a wise move, right? You’re just encouraging bad behaviour, in a lot of ways, it’s an economic model that you’re just perpetuating. But in a lot of cases, the customer doesn’t have a choice.
Matt Helling: It’s a cost of downtime to your business as well, right so it’s specific to the organisation that’s been hit.
Daniel Wiley: Well that’s one angle, but the other angle is, they’re not the ones making the decision. It’s now the insurance companies.
Matt Helling: Sure.
Daniel Wiley: So now, if you have an insurance policy and you call the insurance policy holder, or the company and say, “Hey, I have a ransomware event.” One of the first things the insurance company will do is negotiate with the attacker to pay the ransom, because it’s cheaper to pay the ransom than it is to actually restore the infrastructure.
Michael Bird: As you said, that encourages the wrong behaviour, doesn’t it?
Daniel Wiley: Amen baby.
Matt Helling: But then I suppose once you’ve got your infrastructure back, you can understand how they got in, you can mitigate that risk, moving forward.
Daniel Wiley: And that’s where the insurance company will say, “Ok, we’ve paid the ransom, you’re up and running, now you need to go evolve your security infrastructure.” And that’s one of the areas that our team at the Checkpoint incident response team actually prides itself on is the ability to actually rapidly restore and introduce new controls to mitigate it from ever happening again. Because we do know that most of the infrastructures that have these kind of events do not have any security controls that could actually protect against it, so there’s a number. And let me go through a couple of those. The first thing is, you need some decent email protection. So that includes sandboxing. Emulate those files, clean them, scrub them, do something with the files before you deliver them. That’s one of the key things. The other thing to really consider is an advanced EDR type solution, advanced endpoint technology that isn’t based on signatures alone, but is also based on behavioural controls.
Michael Bird: So that’s just like the traditional antivirus, but better?
Matt Helling: It’s looking for the unknown stuff as well. And behaviour of the end point.
Michael Bird: So rather than the signatures, the old school way of doing it, which is - these are all the viruses that are out there - something that can actually figure out what’s going on, and do it intelligently.
Daniel Wiley: Most of the things that we see are polymorphic, so signatures are completely useless.
Michael Bird: Cool word!
Daniel Wiley: It is, it’s very cool! From a technical point of view, polymorphic code is actually really cool, it just changes on every single delivery.
Michael Bird: How does it do that?
Daniel Wiley: Programmatically, so when it’s delivered through phishing emails, the file attachment will be unique every single time, based on some iteration, some sort of code that modifies it in some way, so that way, any signature-based technology…
Matt Helling: You can never write a signature for it, literally.
Daniel Wiley: You have to study it. You have to actually see it in a sandbox, or see how it executes to determine if it looks funky or not.
Michael Bird: And you talked about social media ransom. How does that work? How does that differ to traditional ransomware?
Daniel Wiley: So just recently we’ve seen a really interesting trend. One of our customers called us and said, “We just got a ransom email, basically indicating that they would mess with our social media footprint,” but specifically, this company was selling widgets on Amazon. And the attacker was threatening to start manipulating the reviews and the rating of the product, which in Amazon world, if you don’t have five stars, it’s a big deal, and they proved it, they actually introduced a 1% variance in their ratings, through the email they said, “Hey look, we just manipulated it by 1%, if you don’t pay us the ransom, we’re going to manipulate it by 99%.”
Michael Bird: Comparing that to a traditional ransomware attack where it’s your own infrastructure, so essentially you have the control over that, don’t you, as you said, you can put protection in place, you could even have a duplicate copy of your environment that just spins up, whatever, you could spend tonnes and tonnes of money to try and protect yourself against it, but this social media or ecommerce ransomware attack where it’s someone else’s platform, there’s basically nothing you can do about it. You can’t buy products, necessarily, can you?
Daniel Wiley: So the funny thing is, is that we now live in a world of bots versus bots. So now we have bots fighting bots, with some more bots, have some more bots.
Michael Bird: It’s a bit Terminator, isn’t it?!
Daniel Wiley: Yeah, it is, it’s a little Terminatory! But what we’ve done is, for this case in particular there was a component of this that was related to Twitter, and we’re actually working with a number of smaller companies that have the ability to actually track bots that have been programmed to attack you and actually identify them and take them down at an astonishing rate. We also have seen other companies, we haven’t quite done this yet, that would actually do the opposite of what the bad guy’s doing, but add more positive reviews, instead of negative reviews, so you can get to this world of…
Matt Helling: Equalling yourself out?
Daniel Wiley: Exactly. So you’re bots versus bots.
Michael Bird: And are the social networks or platforms, are they doing anything about it? Do they know that it’s happening?
Daniel Wiley: Yeah, they are. Facebook and Twitter, in particular, have both been mandated by EU and US authorities that they need to go look at this problem. They’re looking at it. They are taking down a lot of the more social activist side of the bots. I think there are whole other layers of bots that need to have a bigger dialogue. I know companies that monitor Twitter feeds, for example, for customer service satisfaction - a lot of those are bots. Are those good or bad bots?
Matt Helling: How do you identify between the two?
Daniel Wiley: Exactly. So maybe at some point we’ll need to have a little friendly bot icon, but we do need to have a bigger dialogue around what we want to accept as reality and not, and that’s an interesting conversation.
Michael Bird: The next thing on the list that you talked about was the application cloud attacks. Give us some examples of when that’s happened to organisations that you’ve worked with.
Daniel Wiley: A few weeks ago we had a customer call us and say, “Hey Dan, we’ve all of a sudden lost all our customers.” And I’m like, “What do you mean, you’ve lost all of your customers? Where did they go?” and he’s like, “No, they’ve all moved to a competitor.” And I’m like, “Ok, that’s interesting, let’s dive into this and start looking at what’s going on,” and we start talking to the customer and we ended up putting together a really interesting conversation. The victim organisation had, about a year and a half ago, moved to Salesforce. And in their haste to move to Salesforce, they basically just used their normal AD credentials. We identified a number of accounts that had been compromised inside of their Active Directory infrastructure that had been used to log in to the Salesforce website. One of those accounts in particular was an executive sales person and we’d noticed that everything from Salesforce was downloaded by that executive, multiple times over the year. We then started looking within the organisation’s footprint, inside of the deep and dark web, and I’ll be damned, we found a posting that someone was selling all of their infrastructure on the deep and dark web. We interfaced with the bad guy and found out what he was selling, after a couple of conversations and a couple of virtual beers, as I call them…
Michael Bird: Hang on, what’s a virtual beer…?!
Matt Helling: Less fun than a real beer.
Michael Bird: You can’t just drop that one in! What’s a virtual beer?!
Daniel Wiley: Well it’s our little acronym to try to get someone on your side. Just to try to befriend them to a level where they trust you, for example. Usually after a couple of pints you are more willing to share things. So in this case, one of our analysts was able to, after many conversations, convince the person, to spill the beans a little bit, and come to find out he sold that information to a company. We didn’t know exactly which company, but then we mapped all of this out, and we were able to identify that the victim’s biggest competitor had bought all of that information off the deep and dark web and was starting to use that to gain market share by going to their customers and targeting them.
Matt Helling: What’s the legal standpoint on that? Surely that’s when you get the blue lights flashing and the police knocking on your door?
Daniel Wiley: Sure! If you’re in the right country. And they weren’t in the right countries. So if it’s the UK versus China, what are you going to do?
Matt Helling: Sure.
Daniel Wiley: Nothing. Because you have no legal recourse whatsoever.
Matt Helling: Absolutely.
Michael Bird: Can we just talk about then, the mechanics of that attack? Why in particular is it the fact there’s a cloud platform? Why is there a specific vulnerability around that?
Daniel Wiley: I call it the golden egg syndrome. You use these cloud platforms and you don’t realise you’re putting all your golden eggs into those platforms. So with Office 365, it is, if you gave me access to your Office 365 infrastructure for just a day, I’d be able to wreck your entire organisation. But that’s the point is that you’ve now put all your golden eggs into things like Salesforce or Office 365, and with great power comes great great great responsibility to secure it, and they are not equal.
Michael Bird: But presumably, these platforms are so useful to organisations, aren’t they? So is the answer to not go to these platforms? Or is there something that an organisation can do to protect themselves, or to mitigate as much of this risk as possible?
Daniel Wiley: There absolutely are additional things that you can do on those platforms. The problem and the disconnect is that you don’t realise that you need to add some of the traditional security controls that you’ve just tried to give up because you’ve moved…
Matt Helling: It’s the same as the DevOps conversation, isn’t it, it’s about going in there with a bit of awareness and a plan.
Daniel Wiley: Amen. Specifically, do you guys see, Google now has USB fobs and NFC fobs that they handed out to all of the people that are doing large cloud deployments inside of Google? You know why? Because people were stealing those credentials and spinning up infrastructure without permission! So Google is even now offering a fifty dollar fob that you can buy. You can get two factor for O365, you can get two factor for AWS, but there’s expense and cost, both in operational component and technical components when you deploy these things, and most companies don’t realise that the security you get at the baseline is only so good, you need to add on additional security components into those infrastructures. And they usually learn those lessons too late.
Michael Bird: You talked about two factor authentication. Is that something that is undefeatable?
Daniel Wiley: Oh, it absolutely is defeatable. Everything’s defeatable.
Matt Helling: I think that’s the problem, isn’t it?! There isn’t a silver bullet to this stuff.
Daniel Wiley: No there is not. But it brings the level of effort up a notch and especially when it comes to two factor, it actually levels it up maybe two or three notches. And there’s a lot of effort involved to be able to get that second factor. I will make some recommendations when it comes to two factor. They need to be wholly isolated from each other. So using your mobile phone with your banking app that SMS’s you your second factor is not going to cut it.
Matt Helling: It’s not a second factor.
Daniel Wiley: That is not a second factor. That’s like a 1.5 factor. What you really need to do is separate the two devices completely. And either that’s a physical device, something that you are, or something that you have that’s separate from the connection you are making.
Matt Helling: Like those old school tokens.
Daniel Wiley: Yeah.
Matt Helling: Do you not think with biometric, stuff like that, retina reading is going to get better? Because it’s harder to fabricate that sort of stuff.
Daniel Wiley: The biggest problem is usability. You’ve got to go to your Grandma, if she can use it, then you’ve won. If she can’t use it, then you might as well give up.
Matt Helling: Yeah, fair. We certainly see people’s reluctance to roll out tokens is getting higher and higher, people would rather leverage software services that are available on their phone.
Daniel Wiley: And again, I think it’s not completely, not unfortunate to use your phone, but you have to keep it separate. “Keep it separated…” You know, I think there’s a song around there...!
Michael Bird: Ok, so we talked application cloud attacks. Let’s talk infrastructure cloud attacks then. So can you give some examples of where organisations have been susceptible to infrastructure cloud attacks?
Daniel Wiley: This actually goes right back to our DevOps conversation, too. A very large company in the United States was starting an advertisement campaign and one of their executives decided that they wanted to use AWS to do this advertisement campaign - this was a number of years ago - and they worked with their internal IT team and said, “Hey guys, I want to replicate our web infrastructure inside of AWS, and I want to host our advertising campaign out there, make it happen, make it so.” So the IT team goes to AWS, they get everything up and running, they do S3 buckets, they do elastic load balancing, they do all kinds of cool stuff, they get the most bang for their buck out of AWS and they hit go. The advertisement is a great success. Initial deployment everything is great. The guy who was operating the infrastructure on day two logs in and he looks at the console and he sees that it’s grown. And specifically they had turned on the elasticity of the environment, so as to be able to spin up new instances. The third day he logs in and it doubles in size. And he’s like, “Ok, we had a great advertisement campaign. I don’t know what the AWS infrastructure really, performance-wise, what it’s all about, it’s probably fine.” The next day it was 32x, so now it’s grown massively. At this point he’s like, “Yeah, I don’t know if this is ok or not,” and…
Matt Helling: Also costing a fortune.
Daniel Wiley: It’s costing a pretty penny! But anyway, he finally gives us a call after he looked at the process tables of his Linux servers and he found a binary that he had no clue what it was. So he sent us the binary and we called him back and we said, “Yeah, this sucker is crypto mining right now, and it’s also configured to be able to do an external DDoS attack. And oh, by the way, it sure looks like the bad guy was about to change your gif with a piece of malware.”
Matt Helling: Triple whammy.
Daniel Wiley: Oh. Oh bummer dude. So then we started looking at, so what was the source of the attack. Well in their haste, the very key component of this is they basically just copied their infrastructure from their traditional data centre into AWS which included, by default, that the admin interface to Apache was open. And they had forgotten that since they moved inside of AWS there was no firewall, there was just some access lists and they had forgotten how to configure those access lists because it wasn’t the security guys that were configuring it, it was the web dude. And it was exposed directly to the internet. So all the bad guy had to do was a quick port scan for 8080 or whatever port it was sitting on, found that vulnerable port, found that there was a Java library buffer overflow, popped it, loaded the binary and went on his merry way. He kept doing it! And since the infrastructure was automatically replicating…
Matt Helling: He’d got unlimited CPU until they spotted it.
Daniel Wiley: It basically just spawned itself, and away it went.
Michael Bird: All his Christmases came at once.
Matt Helling: But that’s so common, I mean we talk to a lot of customers at the moment - crypto mining doesn’t really fall that high on their risk register or their concerns, until it is a problem. And with a lot of crypto mining, these things try to be quite quiet, they try to spread themselves so thinly, it’s only in these instances that they get carte blanche access that they will grow and grow and it gets to a point where it’s obviously noticeable that something’s gone wrong. And people identify it then they understand what the issue is, but a lot of the time they just spread themselves over, so they’re eating away and they just start gathering a bit more power, bit more power, bit more power, but they almost want to go under the radar because they don’t want you to notice it, because the minute you notice it you kick them off and they have to go somewhere else to get that back. They just want to get as much of these little bits everywhere as humanly possible.
Michael Bird: This may sound like a really stupid question, but the cost of Bitcoin has plummeted recently, so does that affect this, will people go, “Oh it’s not really worth it any more, we’ll try different types of attacks,” or is it still a really good money spinner?
Daniel Wiley: It has decreased significantly.
Michael Bird: Because of the cost of Bitcoin plummeting.
Daniel Wiley: You’ve got to go somewhere else to make the coin. Literally in this case. I still see it…
Matt Helling: There’s more than one crypto currency though, there’s tonnes of them.
Daniel Wiley: Yeah, look I think it’s ebb and flow. So right this millisecond, yeah, there’s still some crypto mining events out there, but the overwhelming events that we see are the ransomware events, because they actually pay. But what we do see, and we’ve had a number of these conversations is, we’ve had a couple of companies call us and say, “Hey Dan, we’ve found something in our data centre, it’s making this god-awful noise, what is this thing?!” And they take a picture and they send it to us and it ends up being an antminer or some other crypto coin mining device that someone had put in their data centre. Now that’s actually making some coin!
Michael Bird: Hang on a second, so they snuck into said data centre, put in… so they’re getting free power, free connectivity, and I guess power and connectivity are the two most expensive things. And you’re then, putting this device in.
Daniel Wiley: We were working a case here in Europe - the customer that called us didn’t notify us the moment they identified these devices, so they found these devices and they took them out of the rack. And then they called us and said, “Hey, what are these things?” And in their haste, they’d removed them for a couple of days, so being able to identify the person that actually did it was going to be a little bit of a challenge for us, but what we were able to do was reverse engineer the account that was used to upload the coins that this coin miner had created and we were able to identify the password that they’d used, and the password was like, ‘Mazda6Xtx…’ whatever, some very… sorry, it was ‘RedMazda’ and a very specific…
Matt Helling: Just look out the window in the car park!!!
Daniel Wiley: Exactly! So we sent the IT guy and we just told him, walk around the parking lot until you find a red Mazda 6 with, you know, this specific kind and, I’ll be damned, there it was. And he just waited there for a few hours for someone to turn up and it was their head, the IT guy.
Matt Helling: Well he was doing nothing malicious, he was just taking a bit of power, a bit of connectivity…
Daniel Wiley: $250,000 worth of power over a three month period.
Matt Helling: I take that back.
Daniel Wiley: These suckers use up some serious juice.
Matt Helling: Wow.
Michael Bird: But if they had the password and the wallet, did they just take the Bitcoins back?
Daniel Wiley: So I, at that point…
Matt Helling: Just disappear into thin air…
Daniel Wiley: We basically stepped aside. So in the country we were working in, if you have possession of someone's username and password and you still use it without permission, you’re still going to get in trouble, so, short answer is we recommended they didn’t log in and take the Bitcoins for payment, because it actually wouldn’t be enough to pay for the power. Because at the time, the price had plummeted already again.
Michael Bird: So for these infrastructure cloud attacks, what can an organisation do to protect themselves?
Daniel Wiley: DevSecOps and the traditional IT guys need to get a room and make some babies. Essentially they need to add their security controls that you don’t typically think you need, but you still need… duh. Layer seven, IPS, I know it’s old school, I know I sound like an old fuddy duddy. Look, it has its place. I don’t care which SecOps mantra you are praying to, if you don’t update your Apache web server within milliseconds of a vulnerability, you’re going to get screwed. So you still need some level of protection in front of that, that you can actually engage while you’re waiting for your DevSecOps or DevOps cycle to kick in. It’s not going to be instantaneous.
Michael Bird: And so with the cloud infrastructure, is there anything in particular that singles it out over ‘traditional’ infrastructure, that means that actually, it’s a lot more vulnerable?
Daniel Wiley: Well yeah, it’s not inside of your perimeter any more, right? Traditionally you had this huge, monolithic security infrastructure, but once it’s out in the cloud, you don’t have the same thing anymore. Unless you deploy a traditional gateway, like ourselves or someone else, if you don’t deploy them, they don’t exist there.
Michael Bird: So a gateway is where the traffic will go through a box in your data centre before it goes to AWS or cloud infrastructures.
Daniel Wiley: Or you have a traditional gateway in front of your cloud infrastructure. So instead of just having a load balancer with access lists, and if anyone knows, access lists are pretty much useless, that’s not enough these days, you need additional capabilities that give you a full firewall, a full IPS, application awareness, user awareness - without it you don't have any ability to segment, or micro segment inside of those cloud infrastructures. And that’s a problem.
Matt Helling: What about segmentation?
Daniel Wiley: I think it’s vital! I mean, you don’t want to have everything available to an attacker and have no lateral movement protection whatsoever. I will say it really depends on what architecture you’re talking about. So segmentation’s great in a Unix environment, Linux or something like that, but in a Windows environment when you’re still tied to AD, AD is your single largest threat factor. Ever. Period.
Matt Helling: Do you think that there’s a general perception that public cloud is more secure?
Daniel Wiley: I think that’s going away. I think the reality is yes, they can run a data centre better than you, but that’s about it.
Matt Helling: Yep.
Michael Bird: Ok, and so the fourth thing on the list is phishing. Can you give us some examples recently where there have been some phishing attacks?
Daniel Wiley: Again, we see hundreds of these each year. I kind of separate them into a couple of camps, there’s the ‘using phishing to be able to get as many victims, or as many fish as you can into your net’, those are still prevalent, but they’re not quite as successful as they used to be because we’re now able to block them at a much higher rate. And users can identify them very quickly. But the very targeted phishing attacks are still very very effective. And most of the time what we find is, usually when you’re having email conversations with a third party, the third parties are now a victim of these kind of attacks. I have actually a really good story about a partner of ours - not you guys!
Matt Helling: I was getting a bit nervous there!
Daniel Wiley: Our finance department called us and said, “Hey, one of our partners is arguing that they paid us, but we never got the payment.” And we looked into it a little bit more carefully and we were able to determine that the partner had outsourced their email services to Office 365. And their finance person had their account compromised, and basically the attacker was able to convince the customer of the partner to send their payment to a different location, and… you get the idea. And we see that over and over again, where the conversation gets twisted, a new ABA number, bank routing number is introduced and money goes bye-bye.
Matt Helling: It’s big business though isn’t it, if you put it into the context of organised crime and ways to make money, you could go through the dirty process of manufacturing drugs and shipping and selling and everything else, or you could sit in a nice comfy air conditioned room with probably some quite mild mannered people and make millions.
Daniel Wiley: Yep.
Michael Bird: So what can organisations do to protect themselves?
Daniel Wiley: Again, you need to evolve your security controls. I mean, everything I say to the victims I see, they’ve made some similar mistakes. Number one, they have not evolved their security controls. So that means adding additional controls around phishing, education around phishing is also a big one, endpoint protection, again. All of these things combined give you a fighting chance, and if you don’t have them you don’t have a chance.
Matt Helling: Interestingly, we went to see a customer recently who had gone through a programme of security improvement and maturity and as part of that, because they had been hit by a number of phishing attacks, and even post being hit, and even awareness perceivably had been raised, because it had been published amongst the organisation, the IT director then in turn emailed the whole IT department, not outside of IT, his 60/70 IT people in his department and asked for all their usernames and passwords because he was changing a load of login credentials for stuff. 40% of them responded. Then of that 40%, so many passwords that they were using were adminadmin, hadn’t been changed, hadn’t been moved, he kind of just sat in this meeting and he was just flabbergasted by the fact that even post an incident, and a phishing attack being so deeply hitting an organisation, his IT department, the people that were perceived to be leading the way in improving security and everything else, were the ones that were so willing to share, when somebody viewed as an authoritative figure in the department asked for all of their details. 40% of them were willing to give it over.
Michael Bird: There must be some psychology behind this.
Matt Helling: A hundred percent, but that’s what people leverage.
Daniel Wiley: So you’re a thousand percent right, that the psychology, and the society that you’re in actually dictate the prevalence of certain attacks. So in the UK where you have a very stiff upper lip around your executive…
Michael Bird: Excuse me…
Matt Helling: I’ve no idea what you’re talking about…!
Daniel Wiley: ...around your executive ‘class’ I’ll call them, and a hierarchy.
Michael Bird: It’s Mr Executive Class to you.
Daniel Wiley: Exactly! Ok, whatever.
Michael Bird: Sorry, carry on…!
Daniel Wiley: But you understand, right? If there is a hierarchy of authority and it is very stiff and very rigid, so Germany, the UK, other areas, Japan, where if it comes directly from the CEO or from a C level person or VP or it’s like the hand of God has anointed you, you must do it now!
Matt Helling: With a sense of urgency…
Daniel Wiley: Well the best thing you could do is say, “Hey, double check that, right? You want me to wire two million bucks on an email? Let’s double check that.”
Matt Helling: But that comes with the awareness as well, and going back to your example a second ago is with the supply chain piece, people seem more reluctant to pick up the phone and ask a question nowadays than they have been, the reliance on email is so high. We notice it at work when phones go down, everybody’s fine, they can keep working, they’ve got mobile. When email goes down, it’s almost like people sit back and put their feet up. Because there’s such a reliance on email as a communication method. I guess the easy and obvious thing to do would be to ring a contact, ring someone you know, just verify it at a second level. But you’re absolutely right, they leverage that social angle, and they put that urgency on it, that it’s coming down from an authoritative figure, you have to do it now, if you don’t do it now your job’s in jeopardy, you’re going to lose it, people just wet themselves, and they just go for it.
Michael Bird: Why has somebody not developed email version 2 where you can build these controls into it, or there’s some sort of encryption built into it or…
Matt Helling: It’s more of a policy process than a control thing.
Michael Bird: Ok.
Matt Helling: If you’ve, perhaps anything over a certain amount, you have… I don’t know, there’s a number of… the minute you get that social bit into it, it’s so easy to compromise and what you do is you then lower the level of, instead of it being a million dollars, you lower it down to £50,000. Anything over £50,000, if it needs authentication or a call, you just do loads of $50,000s, and you just lower that level. And there’s always ways to get it, or you lower it down to $10,000, you do 100 10,000s, and it goes so under the radar, they just keep, because it’s such easy money, and once it’s out, it’s out, there’s no way of getting it back because it’s jumped everywhere.
Michael Bird: So the last thing on the list was the RDP compromises, so can you give me an example of when an organisation has been compromised?
Daniel Wiley: Yeah, so City of Atlanta. This is public - we actually didn’t work this case, it’s very indicative of all the other cases that are involved with RDP. Essentially it becomes a very simple conversation. An IT administrator wants to have remote access into the infrastructure and one of the easiest ways you can do that is to spin up an RDP connection to the internet and all that requires is to open up the right specific port, and you’ve got access remotely. I mean, it couldn’t get any simpler than that. A couple of key things to remember with RDP is that it’s usually joined to a domain, right? And a domain usually has a username and password associated with it, and that username and password, the username in particular is usually their email address, right? So, [email protected] - that’s not my email…! That’s another Dan, but he might be getting a lot of emails now! And all the attacker has to do is obtain that email address, load it into a botnet, it brute force login attacks that account and most infrastructures don’t turn on accounting, and so on and so forth, and the attacker brute force logs into that device and then he has pretty much unfettered access into the environment because it’s usually one flat network that hasn’t been segmented and then they move laterally, and they plant ransomware, and they hit go! And they encrypt a whole bunch of drives and then you have a bad day. And either you have to restore from backup or pay somebody.
Michael Bird: And so how would an organisation protect themselves against this?
Daniel Wiley: Don’t expose RDP to the internet! Dumbass! I mean, look, it’s not that hard, right? You can add additional security controls, right? First thing, two factor, second thing, watch for repeated logins - if you have more than x, block the account, and email somebody. I mean most of this is just simple awareness, just open your eyes to it, there might be someone breaking into something.
Michael Bird: So with RDP, could you quite feasibly just start scanning the internet for open RDPs?
Daniel Wiley: Your favourite tool of today is Shodan.
Michael Bird: So you can just search the internet for it?
Daniel Wiley: All I do is… just type in Softcat right now, see what you get!
Michael Bird: Please don’t, please don’t!
Daniel Wiley: Do! I mean, this is the thing, please do, please do, because if the bad guys are going to do it, that’s the first thing I’m going to do is see what’s available on the internet. That’s actually one of the things I tell my guys to do when a customer calls and says, “Hey, what’s our external profile to the internet?”, because that’s usually our entry point to start investigating. So if they had RDP exposed and they just had a ransomware event, well that saves me a heck of a lot of time having to reverse engineer everything, if I can see that RDP’s compromised, well maybe we’ll start looking there first because it’ll save us a huge amount of time. I would recommend, everyone that’s listening, go there and check your domains every week. Like religion. And see what you see.
Michael Bird: Excellent. We’ll put a link in the show notes for that, it’s really interesting. So, looking ahead over the next 12 or so months, are there any security trends that we expect to see, or anything coming, that we think’s going to happen?
Daniel Wiley: So one thing I’ll say is it’s very very difficult to give you ‘what if’ scenarios for the guy that’s sitting on the front line every single day. But what I will say is that I think the current things that are hot, are going to remain hot, cause I don’t see any massive changes overnight. I am concerned about a couple of things. It’s definitely time to beat up Intel, when it comes to all of their vulnerabilities at the moment. My concern is that this will just be a continual thing that we’re going to have to deal with, around all the vulnerabilities that are being found in the CPU protections. That worries me a little bit. Why? Because I think this is Pandora’s box, and it’s just going to get worse before it gets better. And it’s great that people are really starting to look at it, and that’s not what I’m trying to say, what I’m trying to say is how the hell are we going to mitigate any of that? Because it’s really difficult to swap CPUs in a cycle that makes any sense and to get real security it’s concerning. Where it really has me concerned is the VM worlds, cause it all comes down to CPU at the end of the day and both Google and AWS and Microsoft in particular are spending a huge amount of resources to ensure their VMs are protected against some of these CPU level attacks. But someday, sometime soon, maybe they won’t be able to and maybe it’ll be really difficult to actually implement a control inside a hypervisor to actually be able to protect against this stuff. That worries me. Because then it’s dominos real quick.
Michael Bird: Cause there have been, what, two? Three?
Daniel Wiley: Six.
Michael Bird: Oh, six?!
Daniel Wiley: Six or so variations. So that worries me. I think we’ll see more cloud infrastructure attacks.
Matt Helling: Yeah, I agree with that.
Daniel Wiley: And I think we’ll also see more of the application cloud attacks, you know? We’ve seen Office 365 attacks, we’ve seen them trying to go after infrastructure inside of 365. We’ll see more of that.
Michael Bird: And what about IoT?
Daniel Wiley: Yeah! One of the interesting attacks is, bad guys breaking into home routers, right? And using home routers as a vehicle to hide their ops, right? So there’s at least one or two nation states that have been using home routers as a giant VPN proxy, or a TOR proxy, and no one noticed for a while! So using home routers that no one actually is monitoring becomes really really interesting. Because it’s not inside of your net, it’s right outside of your net, if you will. And very hidden, because it’s all the masses of users out there. And we’ll see more of that. I’m less worried about the TV sprouting arms and starting to attack you, but it will spy on you, it already is.
Michael Bird: Yeah there’s one with cameras in it.
Matt Helling: You don’t even need to spy on people any more, if you think about how much information people are willing to put on social media these days, around Facebook, LinkedIn, not LinkedIn, probably less of a route, but Facebook and Instagram. People are so willing to publicise how well they’re doing in life, all those fancy holidays and all the stuff that’s going on, but there’s so much contextual information in the information that people are putting onto social media these days. And all it takes is somebody quite clever, and a lot of these profiles are open, and even if you don’t have them open, and you have a privacy setting, you can still see mostly what people are doing. I guess if you boil it down to a really basic level, if you’re a local robber around a certain district, all you’ve got to look around is people that you know that live in the area, they post they’re in Heathrow airport going on holiday for two weeks, and you go and rob their house.
Michael Bird: It’s the olden days of sitting outside their house waiting to see if the lights turn on or off, don’t need that, just do it from home.
Daniel Wiley: I will say one other thing about Internet of Things that I think is important is that we are finding more and more things being connected, I am quite concerned about automotive, healthcare… those two in particular. And we’re actually spending a lot of time investigating those two worlds. Why? Because there’s a direct impact to life. If the car all of a sudden turns itself off, or does something funky, puts itself in reverse or heads right for the barrier - these are things that could do some damage, right? Or if your insulin pump decides to give you 100% more insulin than you need, that’s a bad thing, right? So these are the things that worry us, especially around life.
Michael Bird: So you’re both users, you may be IT professionals, but you’re both users. What do you do to protect yourselves? Away from work, how do you protect yourselves?
Daniel Wiley: I don’t even know where to start, I have… remember the movie Rain Man where he has like, little procedures for absolutely everything in his life? Yeah, that’s me. There’s a whole bunch of stuff I do for specific types of information, like banking, finance, for example, I have a full ritual that I follow that is pretty rigid. Number one, I have a separate machine, I have separate VMs, I have two factor on absolutely everything, I validate every single transaction, I ensure that all my tax information is protected at a physical, analogical level. I monitor my social security information routinely, any time anyone queries any of my social security information, I get notified, I change my credit cards routinely, I don’t use the same numbers very often, and I mix them up. I don’t travel to specific countries, and when I travel to those countries, I don’t bring electronics, specifically borders I know that if they confiscate my information, that I don’t lose it. I never take my finance information overseas, I always leave it back in the United States. I do a lot of rigorous things. My social media footprint is very very small. I keep it that way specifically.
Matt Helling: Out of everything you’ve just said, that’s the only bit I do, really. My security at home is just, I generally don’t advertise myself externally very much. Even if the bank rings me, I’ll ask them for a number and I’ll ring them back, or I’ll ring them back on the main number and ask to be put through. But my social footprint is next to nothing, I don’t want people to know where I am, what I’m doing, where I live, all of that sort of stuff.
Michael Bird: What about day to day? What do you use to store passwords and things like that? Do you have a password manager? Do you think they’re rubbish?
Daniel Wiley: I mean, I don’t think they’re rubbish, they’re useful, to some degree. We use something called PassVault with some of the IT stuff we do, and we mostly only do two factor. So we get rid of all the passwords.
Michael Bird: What about when you sign up for something on a website where you have to create a username and password? How do you keep hold of that information?
Daniel Wiley: I don’t, typically.
Matt Helling: Same.
Daniel Wiley: One time, or a mnemonic, depending on what you’re using.
Matt Helling: Yeah, I’m the same. If I’m purchasing something, I’ll do a one time account, even if I’m purchasing regularly, I’ll just create a one time purchase.
Michael Bird: Dan, I do think you win the award for most likely to be a spy. “I don’t carry financial information over borders.”
Daniel Wiley: That’s really funny!
Michael Bird: “I have seven passports.”
Daniel Wiley: I sadly only have one.
Michael Bird: Fair enough. Ok, Matt, do you want to give us a bit of a summary?
Matt Helling: Yeah, for sure. I think from a really high level, the things that I would take away from this is the importance of talking to people. If you’re ever receiving any information, if you’re ever receiving any requests from anybody within your organisation, irrespective of how urgent it is, I would always just clarify that it is true, and as Dan said, don’t trust anybody. The other thing I definitely have taken away from this is the importance of breaking down barriers between different silos within an organisation. Again, as we said at the beginning, we speak to a lot of customers that are going through, or are discussing transformation and adoption of cloud strategies, and I think it’s important to ensure that the two elements of the business that are going to be central to enabling that are talking and they’re engaging together, so DevOps, the cool funky young lot, and IT, the old, more perceived draconian lot, especially in security, are talking, and it’s central to what you’re trying to do. Security is so important, moving forward, it’s the difference between making or breaking your organisation, whether it’s from a ransomware perspective or, I guess even from a legislation perspective, and if you’re not doing the right things to protect the information that you hold on people, you’re going to get in trouble, and it’s going to cause you impact. And I suppose one of the areas we haven’t really discussed today is around, I guess, the business impact of being hacked, and what that’ll have on people’s confidence in you as an organisation to protect the information that they’re giving you, because it’s such a high area and if people believe that you’re not doing the right things by them, they won’t give you their information, they won’t be placing orders with you, they won’t be doing business with you, and I think that’s hugely important. So again, making security central to everything you’re trying to do as a business. Irrespective of how agile you’re trying to be, security is central to all of it.
Michael Bird: Well Dan, Matt, thank you so much for your time, thanks for coming down and having a conversation about the big security trends. Listeners, if there’s anything in this show that has piqued your interest, or if you’d like to talk to someone at Softcat about anything that we’ve talked about on this episode, we’ll put some contact details in the show notes. We’ll also include some links about some of the stuff that we’ve talked about on the show, and please make sure you click subscribe, wherever you get your podcasts. So you’ve been listening to Explain IT from Softcat. Thanks for listening and goodbye.