September Threat Thursday
September 26, 2019
Phil Richards | Chief Security Officer | Ivanti
Chris Goettl | Director, Product Management, Security | Ivanti
We're analyzing the biggest security threats currently impacting global IT teams. Join Phil and Chris as they share their insights and deliver the latest news on the cyber attacks making news as we push into October.
Chris: October, as many of you know, is Cybersecurity Awareness Month. We wanted to bring that together with a number of other security vendors. We've got a guest speaker from Forrester who will be joining us for this live event, as well.
Chris: Yeah, we're going to have Dr. Chase Cunningham. He's going to do a little bit of speaking about zero trust security. So a lot of research that he's been doing there. Looking forward to that keynote. Then again, we've got some great partners with CrowdStrike, Kenna Security, Morphisec, and Integral. There's going to be a number of...
Chris: But keep in mind, this is not a bunch of product pitches. These are industry topics. This is talking about the challenges of trying to secure your environment and the way that threat actors are changing their tactics and adapting to and coming at us, so we can better defend against those types of attacks.
Phil: This is really cool, because we're talking about right at the cutting edge of technology, in terms of how we address threats, how we identify threats, and how we provide better information and intelligence around threat gathering and threat categorization and things like that. That way, as a consumer of that kind of stuff, you can really get focused in on the threats that your organization is facing, rather than just the splatter approach, I guess.
Chris: It is on October 23. It's 100% free, 100% online. Again, this is not a series of product pitches. This is security experts from a variety of different security vendors and Forrester coming together to talk to you about cybersecurity and the challenges that we face, and approaches that you can take.
Chris: Now, if you find any of these particular angles interesting, there will be additional opportunities to reach out to these vendors, if you want to get the product pitch. But it is not a product pitch that you will get on the 23rd.
Phil: Absolutely. Right, yeah. Come for the learning, and if you find something that's real interesting, then you'll get some contacts and be able to drill in a little bit more deeply.
Chris: Absolutely. All right, so getting into what we're talking about today. We've got three core topics that we're going to talk about. For those of you who caught our Threat Thursday webinar last month, you know that this is going to be much more discussion than just going through PowerPoint.
Chris: The first topic, which is It's Drafty Down There.
Phil: It's Drafty Down There.
Chris: Yeah. Healthcare exposure.
Phil: I think that's a play on the hospital gown.
Chris: It is, yeah.
Phil: If you've ever worn a hospital gown, sometimes they're drafty.
Phil: First of all, we are going to cover healthcare exposures. I can think of nothing worse than first of all, you have to wear a hospital gown. Then after you put the hospital gown on, somebody gets your data. Fantastic.
Chris: The first one, this is actually, this was not one data breach. This was actually a series of data breaches. It's a trend that is continuing through this year. Now, for the month of October... I'm sorry, not October. For the month of August, there were 44 reported healthcare data breaches. These ranged anywhere from tens of thousands, up to the largest one that was reported, which was 187 thousand records, I believe it was.
Chris: These had a lot of similarities to them. A significant amount of the breaches that were happening in August, a lot of it came around to phishing, and a little bit around a third-party vendor that also was compromised as part of this.
Phil: Now 44 breaches, that's actually kind of a light month, isn't it? I mean, oftentimes, we've seen a lot more.
Chris: Yeah. We've got a couple of stats on that that we'll talk about next. Actually, for the year, August was actually a little bit of a dip in data breaches for the year so far.
Phil: Dip in the data breaches. I suppose that's not too bad of a thing. The thing that's maybe one of the more key components here is that when healthcare organizations get breached, oftentimes they are losing PHI and PII. PII sounds like pie, which is delicious.
Chris: Yes, but in this case-
Phil: It's not that?
Chris: This pie is not so delicious.
Phil: It's not that? I see. PHI is private healthcare information.
Chris: Yes, and PII is your personal...
Phil: Personally identifiable information.
Chris: Personally identifiable information. The difference between those is that your healthcare information has more about diagnosis that you've had, which might have references to either medical equipment or drugs that you might be needing to take.
Phil: Right, yeah.
Chris: That comes with a whole different value than somebody just being able to get your credit card information, or social security number, or different things like that.
Phil: That's right. Some of that healthcare information becomes valuable for different kinds of exposure, different kinds of breaches. Right?
Phil: Healthcare information, the way that gets monetized is by things like individuals can order refill prescriptions in your name, and change the address and have prescriptions sent to their address, rather than your local. If you happen to be taking oxycodone or something like that for example, then the criminal could order a refill of that oxycodone.
Chris: Which then they can turn around and sell, and it's worth-
Phil: A lot of money.
Chris: Exactly. Again, there were 44 data breach incidents in the month of October, or August. I said October again.
Chris: We wanted to talk about some of the similarities between many of these. A lot of the attacks that we saw in this go-round were actually using phishing tactics. They were targeting the users within these organizations that had access to these healthcare systems, convincing them to give up their credential. Then using that credential, they then turned around and attacked that healthcare system in a valid way.
Phil: We have all probably been exposed to phishing attacks of some sort or another. Whether it is, you know, an email that pretends to come from your credit card agency saying your credit card is no longer valid, you need to hurry up and sign in so that your credit card purchases will go through, or something like that. This month I believe it was in the neighborhood of 70% of the successful data breaches in August, were originated through phishing attacks.
Chris: Right. With that, let's talk a little bit about what these attackers did. They phished a user. With that, they convinced them to give up a credential in one way or another. With that, they then basically got access to that healthcare system, used that credential then to gain access to either the email system or the healthcare system itself, and then extracted records from that. Combining that, there's a number of things that could have been very effective in thwarting those 70% of attacks this last month.
Phil: One of the things that we do at Ivanti, and that we recommend that all companies do, is the top recommendation here, which is anti-phishing training. My team, we actually have a process whereby once every eight weeks, we'll send out a phishing email to the entire organization.
Phil: We do that for the express purpose of having people get practice and get better at not responding to, or not clicking on an email that has links in it. Sometimes those emails will look like they're coming from an outside service provider. Sometimes they'll look like they're coming from somebody inside.
Phil: As it turns out, the attackers will use the same tactics. So we try hard to make sure that our staff stays on their toes when it comes to identifying malicious emails. Even if you're not sure, or even if you're mildly concerned that something might be the case, the best advice is always to not click on links in email.
Phil: If you're concerned that your credit card actually will get denied next time you use it, open a browser and go to your credit card company's website directly, rather than clicking on the link. The link is where the problem is.
Chris: Yep. You know, there's a lot of good phishing training software that's out there, that can very effectively give you very canned, very effective training modules for people to take, so they can understand how those attacks work.
Phil: Right, we currently use Wombat here. KnowBe4 is another one of the providers in that space.
Phil: Yeah, PhishMe is another one. There's a number of vendors in that space.
Chris: This type of training does work. On a personal note, I have a 13-year-old daughter. Recently, some of her friends got scammed into a Snapchat phishing attempt that basically gave up people's credentials there. My daughter was smart enough to not click on it.
Chris: Then she actually screenshotted what it looked like, and sent that around to all of her friends saying, "If you see this... " She didn't send the actual thing, she sent only an image of it, "If you see this, don't click on it."
Phil: Don't click on it. Fantastic.
Chris: She caught that all on her own. That's just from her listening to me drone on about security about their phones and social media and other stuff like that. My wife, too, has actually gotten pretty good at spotting and questioning phishing scams.
Chris: There's several, looks like an Amazon order. The link in there is going to take you to somewhere bad. What they're trying to do is to get you to react to that $700 furniture purchase that you know you didn't do.
Phil: You didn't do, yeah.
Phil: The psychology of this is so fascinating to me. What happens is, the criminals try to put an email in front of you that looks like it's urgent, something you have to take care of immediately. What happens in our brains, is when there's an urgent task in front of us, it shuts down a lot of the blockers.
Phil: We know we're not supposed to click on something, but if it's urgent, some of those defense mechanisms kind of get shut down. We just start to go through and do the task. We kind of mindlessly do that, and follow it through.
Jared: Bill wants to know if this is related to WannaCry at all?
Phil: That's a good question. This particular attack, or this particular series of attacks, the ones that we looked at do not have any WannaCry ransomware associated with them. That's not to say that that's not part of this discussion.
Phil: Typically, however, a ransomware, and especially WannaCry, would lock files up and offer a ransom, rather than being an actual breach of the data. We would categorize that differently.
Chris: Yeah, these were actual data records that were compromised. Another thing that really could have stopped a lot of these different breaches in their tracks would have been the use of two-factor authentication. They were able to convince the user to give up their credential.
Chris: If that attacker then tries to access their email system or another system at that organization, if that required a second factor to authenticate-
Phil: Then knowing the credential wouldn't-
Chris: ... it still would not have been successful, right.
Phil: You know, there has been an awful lot of progress in the last 18 months or so, or two years, in the whole authentication landscape space. NIST, the National Institute for Science and Technology, or Standards and Technology, has identified, or made a change to some of the requirements around email strength. Or, I'm sorry, password strength.
Phil: The most current expectations, actually, removed things like upper case, and lower case, and numbers, and special characters, in favor of longer passwords that are easier to remember. One of the big problems of having a bunch of those funky characters in passwords is they're difficult to remember.
Phil: What do we people do when something is hard to remember? You write it down. Writing down a password is worse than having a weak password, in a lot of ways.
Chris: Right. So having a string of words that's not a common phrase, one that you could go and Google, like the top ten phrases that somebody would think of in this space. Don't use something like that.
Chris: There was actually a really cool article I read. This was a little over a year ago, maybe two years ago, about a girl who was just helping people to build a random password. All she would do is go into the dictionary and help them to select a random assortment of words.
Phil: Yeah, three or four words that are random.
Chris: Yep. Get into three or four, five-character words. Make it words like expert, trust, left. That right there, you might be able to remember very easily, but the length of that password is now going to be beyond what rainbow tables and other types of brute force password guessing would be able to achieve.
Phil: You get the power of exponentiation when you do that. Just as kind of a quick view of that, in the English language, the average word is around five characters in length. In English, the average word contains 11.8 bits of randomness, in that word.
Chris: Which is interesting, yeah.
Phil: Eight characters, five letters... Or, I'm sorry, eight bits, five letters, that's forty bits. Of those forty bits, only about just a little bit under 12 of those actually participate or contribute to the randomness of English words.
Phil: So you string three of those words together, and you have a password that, based on current technology, can't get cracked for nine months. Now, here's the interesting thing, you go from three to four, you have expanded the amount of time that it takes to crack that password from nine months to 2700 years.
Chris: Right, now in this case, if they convince the user to type their password into some place where they could capture that, even that won't help you much. Again, the two-factor, that makes it so even if I get your credentials, I go try to log in, boom, it hits me with the second-factor that I don't have.
Chris: Whether it's that you're going to get a notification to your phone, or a Google Authenticator-style authenticator where you have an additional code you have to enter in that is something you take with you. Having that second factor, again, would have... Those are very effective ways to fight the types of breaches that we're seeing trending right now, for this particular series of [crosstalk 00:18:39].
Phil: Yep. Multi-factor authentication, two-factor authentication is an extremely important capability in this space. Let's talk a little bit about factor, by the way, when it comes to two-factor authentication. We're not talking about two passwords, because that's two instances of the same factor.
Phil: So if one factor, one of them is a password, a password is something you know, and that's a factor. You can't use as another factor another thing that you know.
Chris: So wait a second, when it asks me what the model of my first car was, that's still something I know.
Phil: That's all the first factor.
Chris: Right, that's all still the same factor, so that isn't actual two-factor, your password and a random assortment of four to six other questions that you know the answer to.
Phil: Now if you happen to have an authenticator application on your smartphone, for example, that will generate a list of random numbers, maybe six numbers or something like that. What the factor is, what's being depended on is the fact that you have a phone in front of you. That's the second factor. Now we're talking about something you have, which is a phone.
Chris: So for an attacker to... For that, then, they would not only have to steal your credentials, they would also have to steal your phone.
Phil: Right, yeah.
Chris: Much more difficult. One of the other things that I think we want to touch on here, there were several of these breaches were found to be part of a larger breach regarding AMCA earlier this year.
Chris: This was a service provider that was providing payment portal services for a variety of healthcare vendors. That got compromised and a bunch of records were stolen from there. There were several during the month of August that were found to also have been included into that, as well.
Chris: We talked about this a little bit last month, but vendor risk management. Can't stress this enough. If you rely-
Phil: Holy cow. It's becoming a bigger deal now than in the past.
Chris: Absolutely. Our other showcase today also talks about that. If I put trust in a vendor, they're my payment portal, I have to understand how they're securing their environment, as much as how I'm securing my own. If I've got an HVAC vendor that has remote access to my network, I have to understand how they're securing their environment, versus how we're securing our own, as well.
Phil: Exactly. The bad guys, one of the things they will do, if it's easier to get into our... We're picking on HVAC vendors, which is probably not fair, but we're going to do that anyway.
Chris: Sorry guys. Yep, any HVAC vendors out there.
Phil: Exactly. If it's easier for a criminal to get into an HVAC vendor, they could then pivot that access and get into your system. Because it's going to be easier to get into you from that vector than it would be for them to try to penetrate directly into your environment.
Chris: Yeah. The other breach that we're going to talk about today... Actually, I don't know if this means that there's something wrong with me, but the way they went about this, to me, is a very exciting way to execute an attack. I'm actually interested. I'm excited to talk about that one. [crosstalk 00:21:35]
Phil: I am, as well. It kind of says something about our personality, I think, Chris, that we find that kind of thing fascinating and exciting.
Phil: But it is pretty cool.
Chris: Yep. Another one, as we're going to go through a couple of other slides here, talking about a few of these topics more. First one is talking about the different types of records that are out there and what they are worth. So credit cards.
Phil: Let's talk a little bit about credit cards. Generally, you need to think about credit card data as a couple of different things. There's just a bunch of raw numbers of credit cards. The value from $1 to $10 typically is arrived at based on how recently it was determined that that credit card number is valid and is still open.
Phil: If a credit card was determined to have been open six months ago, that might be worth $1. If the credit card was determined three days ago to be still valid, that's going to be a lot more valuable as a credit card. On the black market, we're talking.
Chris: Right. Now, interestingly enough, if the credit limit is established as part of the information that was gathered, this could really up the value of that credit card beyond even that $10 limit.
Phil: Exactly. We're seeing instances where credit cards of a known credit value of $5000 or $10 thousand or $15 thousand can vary in cost up to 6% to 8% of the value of the spending limit on the credit card. If you lost a credit card that has a $15 thousand credit limit, that credit card could sell for as much as a thousand or more on the black market. So there's quite a bit of variability in the credit card black market business, depending a lot on what's known about that credit card, and how recently that information was determined.
Chris: Right. Driver's license. This one is getting quite a bit of important information. Driver's license is often used as another form of identification to do a lot of important things.
Chris: That one being worth a bit more definitely, definitely makes sense. Loyalty accounts. I actually had one of my loyalty accounts stolen at one point.
Phil: Is that right?
Chris: Yeah. I mean, within minutes of them gaining access, they had bought an iPad... Not an iPad, an iPod.
Phil: Okay, this was a couple of years ago.
Phil: This isn't like a month and a half ago or something like that?
Chris: No, years ago. This one, it all happened very quickly. The overall impact was pretty significant. At that point, that loyalty account was attached to other accounts. At that point, I had to go change a whole lot of things.
Phil: The reason we put this on here is because we know that there's a number of retail organizations that will be listening to this cast. We want to make sure that those folks are aware that they need to be real careful and safeguard those loyalty accounts, because they are being targeted.
Chris: Oh yeah. You can get a lot of cool stuff with those loyalty points.
Chris: Medical records, again the-
Phil: This is one of the big kahunas in this particular space.
Chris: Right. The interesting thing about what they're looking for. Credit cards, yeah, you know, you can get a bunch of credit cards and probably make your average credit card record sell for a buck. But medical records-
Phil: Yeah. They might even make a couple hundred bucks on a bundle of credit cards.
Chris: Right. With medical records, it's not that every medical record's going to be something of value. Like my medical records would probably not be of much value, because I don't have any diagnosis that would get to an interesting pharmaceutical, some type of drug that would be worth something on the market. Or medical equipment, actually is the other one.
Phil: Durable medical equipment.
Chris: They're looking for the diagnosis codes.
Phil: Codes. Not any diagnosis codes, but key diagnosis codes that give them access to high-cost or high-price medical, either devices or prescription pharmaceuticals.
Chris: Right. If I can go and find a record that lets me duplicate that record and go and request a brand new piece of very expensive medical equipment for home use, and then I can turn around and sell that piece of equipment for even half its price on the black market, they can make a whole lot of money-
Phil: They can make hundreds of dollars on each one of those.
Chris: Yeah, very quickly-
Phil: Here's the other thing. Medical records, from a criminal perspective, is the gift that keeps on giving. As it turns out, your diagnosis code isn't likely to change over time. It's not like you can un-diagnose yourself and thereby make that record worthless. That's the unfortunate thing.
Phil: It's kind of interesting to see the variability in prices for these different types of records. Medical records, in addition to the information they provide, oftentimes medical records will include things like a national identifier number and insurance information, which can be used for identity theft purposes. But those diagnosis codes allow an absolute revenue stream for the criminals.
Chris: All right, let's go onto the next slide, Jared. Another interesting angle about this, think about what vertical you're all working in, everybody who's attending today. What is it going to cost on average for a data breach if those records are stolen?
Chris: There's been enough breaches that have occurred, and the cost of those breaches, the number of records stolen, everything involved in that, they've gotten down to a pretty accurate science for determining the cost-per-record of data breach. If you look here, the healthcare space, they're looking at twice the cost per record of data breach incident, $408 per record.
Phil: I think the positive side of so many breaches right now is we're starting to get some very good data around how much it costs. What we're seeing here, what this graph says, as Chris mentioned, is the cost per record for an organization to correct a data breach.
Phil: From a risk perspective, this is where I get kind of excited, because from a risk perspective, I can take this data. There's plenty of information about how frequently breaches might occur. Let's say in my organization, let's just pretend I have a million records.
Phil: Ivanti, we're a services organization. We got a million records. Let's say we find some data that says an organization like ours will get breached on an average once every ten years. That's pretty far out there. That's kind of a long time.
Phil: Now I've got enough information, I can actually turn that into a cost, today. A million records that cost $181 per record to restore. If I lose a million records, that means it's going to cost me $181 million. [crosstalk 00:28:32] I'd have to pay that once every ten years. If I divide that by ten years, I now know that my breach is going to cost me $18.1 million per year.
Chris: Now you can start to back into how much do you want to possibly spend to defend against these types of things and reduce the potential impact on that.
Chris: You know the economic involved, and you can start to make a lot more intelligent decisions about how much you want to put in for effort to defend against that.
Phil: The beauty is, those are the kind of numbers that will work well with executives and with the board of directors. What I'm basically saying is, "Yeah, this is only going to happen once every ten years. I don't know when it's going to happen, but when it does, the average cost to this organization is $18 million per year. The fact that I'm telling you we need to spend $800 thousand to mitigate that issue... "
Chris: It's a drop in the bucket.
Phil: It's a drop in the bucket.
Chris: Absolutely. The economics of this are becoming a much more tangible conversation as data like this becomes available.
Phil: Right. It's fascinating information. Great data. All right, so Chris, let's talk about this. Data breaches are on the rise. We've decided to say that we've upped our data breaches, so up yours.
Chris: The first one here, so far this year, we are trending 54% ahead of the number of data breach incidents last year.
Phil: So that's an annualized number, we're 54% ahead of all of 2018.
Chris: This one is... actually, it's a good question. I think it's 54% ahead of this time last year. So it's trending 54% higher than by the time we hit-
Phil: Got you.
Chris: September, end of September 2018.
Phil: Still, the amount of data that is leaving corporate servers is significant, huge.
Chris: 4.1 billion. That's with a B.
Phil: Billion, with a B.
Chris: Billions of records that have been exposed in the first half of this year from data breaches.
Phil: That is a staggering number.
Chris: That's a whole lot of records. Now again, if you go back to that previous slide of what's the cost per record? If you break down into all those different areas, how many of these were healthcare records? $408 per record is what the economic cost was for those healthcare organizations. In the retail space, $206 per record. Yeah, 4.1 billion records, that's a whole lot of money that was [crosstalk 00:31:12].
Phil: It's a huge number of records. What it means on an individual basis is that for everyone who is in a first-world country and has records online, like all of us do, you can absolutely expect that at least some of your records have been breached this year, not including breaches that have occurred in the past. That's kind of frightening.
Chris: Yeah. 70% of compromised data so far this year stems from emails, according to the report that this was pulled from. 70% of the compromises in some way related back to emails, whether that was a phishing attempt that got the first step into the environment, or records were lost because somebody had access to email systems that they shouldn't have had.
Chris: There's a variety of different ways, but again, going back to email security, phishing training, and two-factor authentication. Those three things definitely are something that if you don't have those covered already, you want to look into them.
Phil: You know, we did talk a little bit about phishing training. Another area that we should probably talk about in mitigation of email threats is actual products and services that provide email filtering and email assessment and analysis. Those products are getting to be very, very good. Many of them, nowadays, including the offering from Microsoft on Office 365, as well as Proofpoint and others, Mimecast comes to mind, offer what is known as click-time assessment of a website.
Phil: If you've got a website that is embedded in an email and you click on it, I know you're not supposed to but people do. If you click on it, what these tools do is they will actually assess that website at click time, whether or not it's a site that the system is going to allow you to go to.
Phil: We talked about exploit kits. Oftentimes, exploit kits are on a website for a very short period of time. They're either put on as part of an ad, or they might be put on a website and then taken off, and put on and taken off. To avoid this kind of permanent blocking of websites, this click-time analysis is actually very important.
Chris: Right. All right, Jared, let's move onto the next slide. One other thing that I think is interesting to look at here-
Phil: Jared, I think we do two. I think we moved-
Chris: Oh, he didn't have the order-
Phil: Okay [crosstalk 00:33:42].
Chris: No, we don't have the order that we changed. We actually had this in a slightly different order that we were planning to talk about it. This is fine, as well.
Chris: When a breach occurs, the next two slides here are talking about the activities that you do that could either mitigate the cost of that data breach, or increase the cost of that data breach. These are activities that every organization should be prepared for and possibly be doing to reduce the cost of a data breach.
Chris: Now, from this report, from the Ponemon Institute within IBM, they had an average data breach for the US market was averaging out to $3.92 million. Now with that, these series of activities can reduce... This set here are mitigators. They can reduce the cost of that data breach incident.
Phil: You'll see that the first item is the formation of an incident response team. The third thing is extensive testing of your incident response plan. So having and using an incident response team and plan mitigates as much as $700 thousand out of that $4 million, in terms of breach cost.
Chris: Yeah. I mean this is the same thing as you always want to have an emergency plan for anything. Whether it's fire, or you're up in the Midwest, tornadoes. I mean, these days, they probably have some drills for school-aged kids and things like that. What do you do if a hurricane's coming? Well, they're probably not at the school.
Phil: This kind of lays out the rules for setting that up.
Chris: Yeah, it's making sure that people are prepared for and understand if an incident like this occurs, what is my role? The last thing you want is to have all of your team scrambling as an incident is occurring, and everybody is under tremendous strain. That's the last time you want to plan for these things.
Phil: I can tell you from experience. You want to actually make those decisions before everybody's hair is on fire. There's going to be enough pressure when an incident occurs, and bad things happen when people make snap decisions in a hurry because they haven't thought it through in the past.
Phil: Another part of your incident response program that's very important is you need to make sure that the incident response capability includes or encompasses all of your departments within the organization. We're talking about marketing, and legal, and HR, and facilities, and production, and research and development, as well as executives.
Phil: You want to make sure that all those groups are incorporated. That they know their role. That they know the responsibilities that they have. And that they're kind of thinking around how they handle incidents and how they handle threats.
Phil: Part of the extensive testing of your incident response plan is what we call tabletop exercises in that space. You give those individuals a scenario. Let's pretend that this is happening to our company. How would we respond? It helps everybody kind of learn their jobs. [inaudible 00:36:48].
Chris: Absolutely. With those two activities alone, the first and the third one there, you can reduce the cost of that $3.92 million incident by close to $700 thousand right there. That's nearly a quarter of my costs of that particular incident reduced by just doing effective planning.
Chris: Let's go to the next slide. Talking about the things that would increase the cost of a breach. These are things where if you rush into the process of responding to the breach, that could increase the cost there.
Chris: If there's a third-party vendor that's a part of the data breach, like if that's how they got through. Shouldn't you, in that incident response planning, know how you engage with those third-party vendors that you work with, as well?
Phil: Oh, absolutely. Part of your incident response needs to be what do you do when your vendors stop being compliant with your own processes and that kind of thing. You need to have a plan for how you deal with those vendors. That's absolutely true.
Phil: Have a strong third-party process around how you vet third parties, how you occasionally go through and reassess how third parties are handling data. How third parties are creating accounts and how they're removing accounts, and all that kind of stuff, and whether or not they patch their own internal systems. All that is critical to making sure that third parties are not the reason why you're failing.
Chris: Several of the ones on here look like things that, as companies are going through this era of digital transformation, are very common. Things like extensive cloud migration.
Chris: Well, if I'm trying to make a mass exodus from on-premises technologies and infrastructure to the cloud, if an incident occurs during that timeframe, I've got things in both places. I've got potential for misconfigurations and other issues like that. There could be a significant increase in cost, just because of that extensive...
Chris: As you're going through those things, watch the next one in line there, system complexity. As you're going through a complex migration, it's easy to overextend and bite off more than you can chew. If an incident occurs during that timeframe, it could really complicate the incident response plan for that timeframe.
Phil: Extensive use of mobile platforms is another big problem. With the proliferation, everybody's got a smart device. Everybody wants to look at their email from their smartphone. You need to make sure that employees have guest access to your network from their own devices, rather than direct access.
Phil: It's bad enough if somebody were to click on a link from their smartphone. But if that smartphone also allows them to pivot into controlled systems in your network, that's really, really bad.
Chris: Yeah. That along with the lost or stolen devices. One of the mitigators on the previous slide was actually extensive use of encryption. Making sure that laptops, and phones, and other technologies, anything that can touch data, especially email, are encrypted. Again, email's a prime target right now. A lost device with access to the email system can really give a lot of data to a threat actor.
Phil: Exactly. If you're going to have company data walk out the door on laptops or phones or pads or something like that, make sure that it's encrypted before it walks out the door.
Phil: Let's move on, Jared. We're going to talk about our second set of breaches. This is all about dentists' offices. Think about this, I mean how bad is it when you have to go to a dentist's office and you get your tooth reamed out because you're getting a root canal. Then you leave and you find out that you got reamed out in a different way because your data got stolen. That's pretty harsh.
Chris: Right. Now this one's kind of interesting. Again, I mentioned before that the way this attack was executed was really an intriguing way. Now, if a threat actor were going... As you can see here in the impacts square there, over 400 dental offices were hit as part of this broad ransomware attack. This was a single, coordinated attack. But 400 dental offices got hit. Now-
Phil: So you can't really hit 400 dental offices at the same time, orchestrating that kind of thing. I mean that requires some significant resources.
Chris: Seems like it'd be really hard to do. Right. Also, how many people do you know, Phil, who know how to go and buy Bitcoin?
Phil: I think I know about three people, and I'm in the security industry.
Chris: Right. They most likely came across it because, maybe one of them because they actually wanted to buy it themselves. The other one's-
Phil: One of them is a Bitcoin nerd, and so he has his own server running. He knows how to do that, but that's about it.
Chris: The other... How many dentists do you know would know how to go and buy a Bitcoin and be able to unransom-
Phil: Oh, very, very few.
Chris: ... a system. They might have trouble just getting logged in in the morning in some cases.
Phil: Exactly, yeah.
Chris: So to try to expect 400 dental offices to be able to go in and expect any of them to be able to pay up easily in a ransomware attack, that's a pretty tall order.
Phil: Right. It's a support nightmare. As it turns out, a lot of these criminals actually do offer customer support.
Chris: They do.
Phil: That's a real problem.
Chris: There's a cost with that. That's an overhead that this particular threat actor didn't want to have to try to achieve. What they did was they actually went and they targeted a service provider. In fact, there were two service providers involved in this, two third parties. There was the cloud hosting provider. Then there was the digital records provider that all 400 plus of these dental offices-
Phil: These aren't just the providers to the dental offices. These are organizations that actually warehouse the customers' data records. These are critical components.
Phil: It's really interesting. Dental offices, their records are extremely important. If you walk into a dentist's office, there's no way they can even treat you if they don't have access to your records. If they don't know when your last checkups were or where your cavities are or any of that kind of stuff.
Chris: If I'm coming in for a root canal, you can bet that the things that led up to that are going to be records that were from previous visits. If they don't have access to that-
Phil: They can't do it.
Chris: ... they can't take care of my appointment right now.
Phil: The problem, from a bad guy perspective, with hitting a dental office is a dentist might have a thousand, maybe a couple thousand patients that are active at any one time. You have to hit 400 dental offices in order to really make an impact, or make a splash.
Chris: Now, these guys, they attacked the service provider. They distributed their ransomware through that. From there, they simultaneously launched that attack and encrypted files across all these different dental offices.
Phil: So they effectively shut the door at over 400 dental offices, and they made it so they only had one throat to choke, only one company that they had to deal with.
Chris: Right. The payout for these guys was going after that service provider, not 400 individual offices, individual companies, basically.
Phil: Unfortunately, Chris and I are grinning right now because we just think that's one of the cooler things to have done from a criminal perspective.
Chris: Don't judge us.
Phil: No, sorry.
Chris: That's really cool tactics involved here. That's what we're excited about, not supporting cyber crime in general.
Phil: Of course. Yes.
Chris: It's these threat actors, they're thinking through and they are executing attacks in ways that are making them more and more effective. Instead of extorting 400 individual payouts, where maybe a fraction of those are actually going to pay up, they only had to worry about one payout, and that payout did happen.
Phil: It absolutely did. When you think about it, the service provider who is guaranteeing service to these 400 dental offices, is now effectively, either I pay up or I'm out of business. Those are my two options. Not because I'm worried about individual customers not showing up, but because I'm offering a guarantee of service, which I am not even close to being able to meet my obligations on.
Chris: Even after paying up, there were several... Some of the dentists' offices got access to their data again. Some of them got partial access to their data again. Some of them still had not received access to their data yet, as of the updates that we had seen on several of the articles about this.
Chris: Remind me again, Phil, what's the average frequency of gaining access back to your data if you do the payout?
Phil: A couple of years ago it was down to 30%. The interesting thing about that number is it goes down every year. As it turns out, there's a lot of ransomware, a lot of old ransomware, that nobody is watching the hotline for anymore.
Chris: Right, but it still happens.
Phil: But it still happens. You can get locked up with something that showed up three years ago. There's nobody answering the phone anymore. Even if you wanted to pay, there's nobody who's going to give you access to your data again. You can get locked up in a lot of different ways, so that number keeps going down.
Chris: If you pay the ransom, you, at best, get one-in-three or one-in-four odds of getting your data back.
Phil: Right, yeah.
Chris: That's pretty disappointing odds, especially when you're talking about like last month when we talked about the Texas ransomware attack. The 23 different agencies in Texas. $2.5 million. If you paid $2.5 million and you've got a one in four chance of actually getting your data back, that's a pretty high... I'm a pretty conservative gambler. That's well beyond my-
Phil: But the reality is, it costs tens or hundreds of millions of dollars to recover all that data. Paying $2.5 million for early access to it certainly looks like or feels like a decent return on investment.
Chris: Right. A couple of things about this one, especially if you are a service provider providing a, like in this case, digital record services, or in the case of the AMCA breach, payment portal services, you-
Phil: You're being targeted right now.
Chris: You are being targeted. A tactic like this is exactly why you've got to make sure that you're stepping up your game as much as your customers are stepping up their game. This is the ecosystem we play in.
Chris: As we trust other vendors with part of our overall business, whether it's payment processing or storage of records, or whatever the case may be. The guys who are just handling physical services within my environment, they need remote access to do it. Whatever that case may be, we've got to get better at that vendor risk management.
Phil: If you're not the vendor who's providing those services, you also need to think about the actual risk, or residual risk, that you're continuing to take on. You're trying to insure that risk away by giving that work to a third-party processor. You need to think about what if that processor gets locked up with ransomware or something like that. What does that do to my business? That's the residual risk that you continue to own.
Phil: The second recommendation we talk about here is don't pay the ransom. Really, the message is you need to go into these situations with that as a mindset. You need to realize that you're not going to pay the ransom. If you do, you stand a very poor chance of getting your records returned to you anyway.
Chris: And you also-
Phil: Put structures in place, so you can recover without paying that ransom.
Chris: You're also propagating the behavior. The more we collectively pay up ransoms, the more threat actors are going to be incentivized to keep going. It's kind of a losing proposition. You get a low chance of actually getting your data back, and you still are a potential repeat target, because they know that they got into you once and they can probably do it again easily. And the fact that now you've encouraged that threat actor to continue their behavior.
Phil: The top recommendation here is backup and recovery. We can't stress this enough. If you back up, make sure you can recover. Make sure you can recover, and make sure you know how long it will take you to recover.
Phil: Just having a backup, that just doesn't do it. If your files are gone, it takes more than zero amount of time to recover them. You need to know how long that is and how long you can live without those files if you're going to have to restore from backup.
Chris: Right. This kind of goes back to a little bit of that trust kind of security. You've got to worry more about your backups and where your core data is stored than an end-user machine. You still worry about the end-user machine, try to defend that as well. But if an incident occurs, you need to be able to isolate and protect those things that matter most. If you don't have a good backup, if you don't have a good way to recover, you're going to find that the cost of that incident will significantly increase.
Phil: Let's talk real briefly about restricted administrative privileges. I know that we've heard all about it. I know that every organization knows that they're supposed to do it. Most of our organizations don't do a very good job with that.
Phil: Chris, what is the reason... I'm asking you specifically, because I know this is actually in your business unit. What's the big deal? Why do I have to restrict admin privileges in this kind of a scenario? Why is ransomware such a problem for unrestricted admin privileges?
Chris: In this case, depending on how the attacker gets in, one of the first things they're going to do is they're going to try to get access to a credential, a valid administrative credential in your environment. If they come in and every user is a full admin, they've got access to a whole bunch of tools, and it's very easy for them to move around.
Chris: What they're going to do is they're going to get into one system. They're going to get a foothold. They're going to execute some level of persistence there, putting in some type of a backdoor, remote access Trojan kind of thing. From there, though, they're going to start to run other tools to be able to get at other things.
Phil: Privilege escalation kind of tools.
Chris: Yep. If I don't have full admin rights, I need to find a privilege escalation so I can get full admin rights. With that, I'm going to try to do things like running tools like Mimikatz, where I can grab other credentials. From there, I'm going to use your own system tools against you.
Chris: Then, I can move throughout your environment undetected. It's a credential you expect and system tools that your own administrators are commonly using.
Phil: The other component here is admin privileges equals access to more data.
Phil: That's the other key. I can move around silently. I have freedom of movement in an environment, and I have access to more files when I have admin privileges.
Chris: Some of you came across from one of our other webinars this morning; it's the first of a four-part bootcamp series on our security controls product. One of the sessions that's coming up in that series is going to be about privilege management. If you're trying to go and take back all of the admin rights you've given out-
Phil: Good luck.
Chris: I've talked to companies where nine months, 18 months, 24 months, it could be a long, drawn-out project to figure out what everybody needs and try to do that. Then reacting to all the incidents that occur from that. But you don't have to wait that long to take the teeth out of those non-admin admins.
Chris: There are six particular things that we're going to talk about in that webinar that we recommend going and taking away from your non-admin admins right now, without even reducing them down to a regular user.
Chris: You can avoid a lot of the economic impact, the support cost impact of trying to take that all back, by just doing a handful of things that threat actors are most likely to use against you.
Phil: Yeah, we kind of talk about admin privileges as binary, right? It's either on or it's off. Turns out it's not binary. There are a lot of different kinds of privileges that go into being an administrator. By removing certain key privileges, you really reduce the attack surface, I guess.
Chris: Yeah. One unique thing about our app control technology within Ivanti is it is combined with privilege management capabilities, as well. That is where we have the ability to go in and take back a number of those admin capabilities that you don't want a regular user to have. You don't have to reduce them down to a regular user to take that away. We can block those things at run-time, so that a threat actor would not be able to use them against you.
Phil: Let's move on. The next thing really is, Jared, do we have questions that we need to walk through? You can go ahead and put the commercial up, Jared. We'll talk about that at the end. Do we have any questions that we need to go through?
Jared: Yeah. Just browsing through the chat, getting caught up here because I was sharing the presentation. I don't really see much of anything. If all of you on the presentation have a question, throw it in the chat right now. We'll get to it.
Jared: I guess we have one, Phil. Going back to the incident response plan, what are your key elements to have in an incident response plan?
Phil: That's a really good question. A couple of things that are really critical. Number one is making sure that you have a process for how you handle breach notifications.
Phil: What you want is to have a pretty good front doorway for individuals, or organizations, or vendors, or customers, or employees, to relate into your group. What kind of information you need to collect if they're trying to notify you of a breach. Having a breach notification process is really important.
Phil: The other area that I tend to focus on, I think I mentioned this before, is making sure that you have representation across your entire organization in your incident response plan. There are incident response templates available, both from the US federal government, as well as a lot of other sources, that can walk you through the complete list of activities and items that should be in those incident response policies and procedures.
Phil: Those are two things, I think, that are really critical. Making sure you have an open pathway for identifying breaches, and making sure you've got a lot of representation throughout your organization.
Jared: Thanks, Phil. This one's from Keith. It's a bit of a scenario. So with limited admin credentials, my last company had a script or application that elevated admin rights for an hour, run from SCCM. They had to make a request before they were allowed to run the script. Do you know of anything that we can handle that with in Ivanti tools?
Chris: Yeah. That goes back to that, if you look at our application control technology, we have the ability to replace that run-as with an elevate. Again, at runtime, it will elevate. But again, it's not going to...
Chris: One of the dangers of a run as is that credential is stored. Encrypted, but stored.
Phil: Cached on your machine.
Chris: It's cached on that machine. So a tool like Mimikatz. If I get on a system and I get the level of access I need to run a tool like Mimikatz, I can capture a bunch of those, and then I've got access to them.
Chris: The way that we're doing it is elevating it not using a run-as credential, so there's no cache credential there. We can elevate that privilege and let the user run it as-
Phil: [crosstalk 00:56:52].
Chris: Yep, exactly. So what you're looking for, Keith, then is the Ivanti Application Control feature set. Traditionally that was the technology that came from AppSense. We have that, the traditional AppSense version of that, which is part of our UWM, User Workspace Management, suite. It can be bought standalone.
Chris: We also have since brought that module into our Security Controls product, and into the latest version of our EPM products. So if you're on one of those two product lines, where we've got more of a suite of features coming together, we have brought those capabilities in.
Chris: Again, depending on which product you're on right now, or if you're looking net new at that. I would say there's a couple options of how to get to that functionality within our stack, depending on what your overall needs are.
Phil: That's really important. Doing this the way Keith is describing is good, but basically it leaves those cached credentials in the SAM database. SAM database management is another capability that our tool set does provide, and it's really important because if somebody has access to your machine, it's simply a matter of time, usually, before those passwords get cracked. Now-
Jared: We've got a quick followup with that. How would that apply to an application that one user needed in a one-off? Would I need to build a package around it? Or a home printer install?
Chris: No. There are contextual rules within that engine, where you can grant a specific user, or a group of users, the ability to elevate rights for something very specific. There are a few different ways that you can do that.
Chris: Again, that contextual engine is pretty flexible. We can handle quite a variety of cases, down to very specific users. You can even make it so that user when they're on-network versus off-network have different behaviors of what they're allowed to do.
Chris: You could make it so that on-network, they have access to a critical system. Off-network, or if they go to China or something like that, they would have that access blocked. That contextual rules engine allows you a broad flexibility to customize those rules to a variety of different needs.
Jared: One last question, probably our last since we're over the top of the hour. What additional preventative methods are available in addition to backup and recovery? I'm assuming this is going back to the dentists' office one.
Phil: From a ransomware perspective, there are a number of things from a preventative perspective that really help out. Ransomware... Every ransomware is different. Let's start there. Most ransomware, however, goes through an exploit process.
Phil: One of the things that most ransomware is doing is looking for unpatched systems. Sometimes they're zero-days, but oftentimes they're existing patches that they can use to exploit to get access to your machine. So patching becomes a strong prevention capability against a lot of ransomware.
Chris: Yeah. Then detect and response capabilities, as well. Prevention's going to help you mitigate a lot of the risk. There's never 100% in security, so you want the ability to detect an incident as it's occurring and be able to isolate it quickly.
Chris: Again, back to that cybersecurity event towards the end of this month, CrowdStrike and Morphisec are both vendors where they're focusing on trying to handle those incidents as they occur.
Chris: CrowdStrike's EDR capabilities. If somebody were trying to ransom a system, if they detect that, they can basically stop it, break the process chain that's occurring. Basically kill that chain and isolate the incident from progressing further.
Chris: Morphisec does what's called moving target defense. So most of what threat actors are after are things like processes, or things running in memory. What they have is an interesting way to basically duplicate what's happening there with a fake memory space that the threat actor ends up in.
Phil: It's like a memory sandbox.
Chris: Yeah, it's like a skeleton vault is I think is what they call it. Basically, they go in there thinking they found what they're looking for, and they end up in a process that's contained and has nothing really of value for them. The threat's detected and prevented, and reported up so you know what's going on.
Chris: A couple of technologies there. They're going to be talking a lot about those types of tactics and how we need to get better at breaking, basically executing that kill chain to stop these types of threats when they occur. Prevention and detect and response are both necessary.
Chris: This is one of the things that as an industry, we've gone back and forth. Prevention, prevention, prevention. Detect and response, detect and response.
Phil: Yeah, you've got to do both of them. You really do have to.
Chris: The detect and response, actually, is a significantly higher cost type of protection for your environment, so having a good balance between those can make it so you can mitigate or eliminate 85% of the threat with just a patch, app control, device control, or privilege management. Those types of preventative cyber hygiene things can mitigate the majority of the risks to your environment.
Chris: Now, when something does still happen, because statistically at some point it will, you have a solution like an EDR solution or something like that that can protect you and respond to those incidents as they occur.
Phil: So that you can minimize the damage that it causes to your environment.
Chris: A lot of companies struggle to have a team that can actually manage a solution like that, as well. One of the other things that vendors like CrowdStrike do provide is managed threat hunting, as well. You can actually have them be a tier one threat hunting service for your environment.
Chris: A number of other vendors like that exist where they've got, "Here's the technology if you want to do it yourself. Here's if you want us to help you manage that, or if you want us to fully manage that."
Phil: Well, the reality is for a lot of organizations, they're just not big enough to be able to justify or be able to have an active threat-hunting organization or component to their company. It requires a significant amount of volume just to be able to have that.
Chris: You need people with the right skillset.
Phil: You need to be able to practice that skillset, so there have got to be a lot of threats coming.
Chris: Right, right. It could be very difficult to get into that. Again, I would suggest if you're interested in a little bit of that type of technology, come and check out the cybersecurity event and look in at a couple of the other vendors that we've got on there.
Chris: Again, you're going to see less product pitch and more industry-level, this is why these things are important. From there, you'll have other materials and things available and be able to get to a product-level discussion if you want to proceed that way.
Chris: Yeah, there's definitely more than just backup and recovery to look at.
Jared: Yep, awesome. Phil, Phillip's already laying down the gauntlet for next month. He wants us to look at mobile device management. He's got a couple of really specific suggestions that are great. Should you allow BYOD, talking about Android, iOS apps that leech data from contacts? Wondering if the risk is too high.
Jared: Phil, we'll look into that. Interesting to see what Chris and Phil come up with for the next session.
Jared: Follow along with the fun. Ivanti.com/threatthursday. Obviously, I put the link in the chat for the virtual event. Go ahead and register. That's coming up on October 23. Of course, Threat Thursday, last Thursday of the month, that's coming up in October as well. We're excited about that.
Jared: Chris, Phil, thank you guys so much. Thanks everybody for the great questions. We'll see you on the next webinar.
Phil: Thanks everyone. Bye.