401 Access Denied Ep.04 | The 2020 Verizon Data Breach Investigations Report

401 Access Denied Podcast Icon

Join Joseph Carson from Thycotic and Mike Gruen from Cybrary as they deep dive into Verizon’s 2020 Data Breach Investigations Report. We’ll share the good news of what the industry has been doing well this year and we’ll also share the not-so-good news. Ransomware, malware, credential stuffing, employee cyber education, and much more will be discussed. Plus, we’ll give a rundown of the measures you should have in place to protect your organization against these threats starting today.

Topic: Verizon’s 2020 Data Breach Investigations Report and more
Hosted by: Mike Gruen, Joseph Carson
Length: 41 minutes
Released on: June 17th, 2020
Listen to the Audio
Enjoyed this podcast?
Share it with friends now!

In this podcast we join Joseph Carson from Thycotic and Mike Gruen from Cybrary as they deep dive into Verizon’s 2020 Data Breach Investigations Report.

As they critically analyse the observations and outcomes of the investigation we are familiarised with ongoing trends in information security. The duo discusses existing threats and how security engineers over the years have affected the ways attackers are targeting systems. Also discussed how threats have evolved over time, with increase in Internet reach to more and more people.

The good news for us is that the ever going fight between security engineers and attackers is slowly starting to tilt in our favour, thanks to herculean efforts to bring about Security awareness en masse. The attackers have to use more complicated attacks to achieve objectives which used to be easier with simpler techniques like Phishing. This alone reduces the number of possible attacks as the resources are now kept further away from reach of script kiddies.

Just as a check to avoid getting high on the recent victories, we do have some not-so-good news. Ransomwares are now not just limited to making data inaccessible, the attackers are now stealing data as well to juice more money out of victims. Malwares, are now targeting not only the resources, but also the backups to inflict more damage, costing corporates several times more.

Employee cyber education, and protection is also discussed. Since poor security awareness among employees is one of the largest reasons for compromised credentials, it has become seemingly more important to have a well trained and aware workforce. Also as a brownie point, we are familiarised with the measures you should have in place to protect your organization against these threats.

To know more about security functions take our CIS Top 20 Critical Security Functions now!


Joseph: Hey, Mike, welcome to another 401 access denied podcasts where you know, this is a really fun discussion and I'm really enjoying, you know, all, a lot of the information we're sharing and this time we're going to be looking at the recently released, Verizon data breach investigations report. It's definitely, you know, for me as a researcher and doing a lot of, you know, kind of reading of reports throughout the year, it's definitely one that I really get excited about because it's very thorough, you know, research. That's good details. It provides you with a good can.let's say the Monera can be a good indication or trend to what's really happening in the industry. And in most cases that when you're reading it, you know, I think it's the 13th year now that this record is being released. And, you know, it's on everyone's calendar where we're usually waiting between the April and May timeframes. You know, everyone's sitting around with their cups of coffee ready, and when the report comes out, you know, spending, and then you get a lot of people like myself writing blogs and, you know, analyzing it and interpreting it. But. One thing that I find is that, you know, every time, you know, over the last many years I've been reading this and, and, and reporting on it and sharing my thoughts is you're always in this, you know, you know, face and Japan moment where you're just like, Oh, it's doom and gloom. And there's always a point in, you know, yeah, it's how bad we're getting older than everything we've been investing and security and the, you know, technologies and the hard work that goes through. And it's like, You're always saying the doom and gloom, that's getting worse. More people are clicking and crap. More people are clicking a malware. Malware's increasing incidents are increasing breaches, happening time and time again. And this report, you know, I was so happy this year. I don't know if you got to go through it in as much detail. but for me, I think this report indicates that, you know, finally we're starting to see results. Yeah. Finally

Mike: I just can't say, no, I rely on people like you to sort of give me the synopsis rather than dig through all of the details of the report. I look forward to everybody else's take on it and I can sort of pull that together and take in more of a marized view of them than pouring through all the details. So I appreciate your hard work in going through and doing that work for me.

Joseph: You're definitely the smart one of doing this. So, you know, going in and reading other people's interpretations is probably the easiest thing, and it's definitely the smartest and quickest and you get a lot of different views and viewpoints for me. I like to, you know, I like to compare with my research that I do and compare notes. And also a lot of, a lot of peers of mine also contribute to the report as well. Which is always interesting to see, you know, their, their feedback and results too. But I'm still looking, you know, you're writing the home sometimes, you know, read my report.

Mike: yeah, we'll give you a blog. You can read Joe's synopsis. That's awesome.

Joseph: Yeah. So, but this time, I mean, what I really kind of, for me, it was actually, I was actually sitting up and I was like, Whoa, this is, this is positive. You know, followers decreasing. People are clicking and less rubbish. you know, things proving there's been less data breaches. you know, it was one of those moments in time when I started getting my hand and I sort of turned that, you know, put myself in the back and I think also can be professionals around the world. This is a report showing that their hard work is actually paying off, you know, cybersecurity awareness, training, you know, getting security culture into the employees and all the messages and all the hard things, you know, and sleepless nights and restart to run the clock. And a lot of, you know, also in a, as well as an indicator that a lot of security researchers, you know, we always talk about hackers being used in bad terms. And I always disagree with that. Because I see myself as a hacker and ethical. Yeah. And you know, sometimes, you know, the news and media make us out to be the bad, you know, the villains and also even security research, you know, that do responsible disclosure. Sometimes it can also turn out to be villains because you know, they're sharing with the world. These vulnerabilities and organizations sometimes basically will victimize them or even try to Sue them for, for the work and for, for right. Making people aware that they have insecure products. So I think for me, this report was a highlight that actually, you know, security researchers, most organizations will find out about breaches from security researchers. That, which was a great indicator that, you know, there's a collaboration between companies. And security researchers happening. And that security researchers are your friends who, you know, are really working with you to make the world a safer place. So, and those are security researchers, you know, they are hackers, they are basically fundamental, that's what their primary focus is on. So the report was great. it might, you know, As it says it might not be a champagne moment. It's not, I miss all the time to break up the bubble and say we won and great. And I don't think there's ever winning we're winning it's it's, it's just, yeah. It's about surviving in many cases, you know, pain just to show that, you know, we are supposed to survive. but I think, you know, it's definitely a moment, you know, it could be researchers and hackers are in the world. Who, who does, you know, spend the time working for Google, you know, Focusing and helping organizations. This is a moment to, to, you know, was it, you know, celebrate, this is the line.

Mike: I agree. I mean, the, we really do use, we have a responsible disclosure program that we, you know, there's a link to it, right from our site. We sort of rely on it. We have, you know, our community filled with security researchers. We want to take advantage of that. And in fact, one filling out, you know, those annoying security questionnaires for various companies. They ask, like, what do you do from a security perspective? It's one of the first things I list is we have this program, it's actually turned up more things than you know, some of the audits that we've done. you know, and, and, I really appreciate it. I don't, you know, I, it never occurred to me like, This is somehow like a, how could this be a negative thing to get this information about my platform and what we're doing and the vulnerabilities in it, from someone who clearly cares, and is going, you know, sort of a partner, and it's crowdsourced, it's going to be Similar to spreading out the, the, the number of attacks and how all the different people who could be attacking your system. Now, you're, you're using that crowd to test your system and give you that feedback. I, I super appreciate that for our group that we have.

Joseph: Yup. Completely. I mean, this is a community. I mean, this is a community effort. This is working together, you know, and, and bringing experts in various different views and, and specializations to really help. And that was one of the important things. You know, one of the things that the report did say is that if you do become a victim, That you're more likely to hear from third parties, your customers, partners, and security researchers. What are they actually the top third party, you know, basically individuals or people or teams or companies that will inform you of those. So the report itself, no champagne moment. Not time to break up the bubbly, but definitely time to celebrate. you know, definitely time to bring up the barbecue, you know, so maybe have a couple of good beers and, and whatever, whatever your preference of drinking, maybe for some people might be water in a Stony here Definitely vodkas is the common tabletop drink, but, but definitely, you know, it's a time to, to reflect and, and, and, you know, looking at security professionals like yourself and me and others that we work with, know peers to really say, you know, thank you for the work that they've done. To really reduce the threats and make the world safer, because this is a report to indicate that the world is a little bit safer this year. Maybe from computer viruses and ransomware, but not other types of viruses that we can't deal with, but definitely an indication that, you know, the resident improvements has been made.

Mike: Yeah, I agree. And I think, I think there's a couple of underlying causes that might be moving us forward in that way. I think those responsible disclosure programs there's. A few of them out there they're more collaborative. I think that they've picked up on speed, which means, you know, for us, one of the vulnerabilities that was pointed out to us was actually in a third party, SAS that we use. And sure enough, like I took this person's report and passed it on to them so that they could sort of fix it. You know, we, we patched it and we came up with a solution, but it was really their problem. And so, I think that that sort of sharing of information and making that so easy to do it turned out that the, the, this provider was also on the exact same platform we were on, for, for the disclosure program. So it made it really easy to sort of submit that, submit it to them as well. and so I think that that collaboration is really helping. And I look at, you know, security awareness is good, but like, I think really pushing it out more beyond just the typical awareness stuff of what, like what links to click on. And it's really about enabling your entire staff to really think about security and implications. I think we're doing a much better job of sort of security enablement. it's, you know, that's one of the cyber idea, you know, ideas that we push a lot on is, you know, everybody, an organization that can touch technology has to understand the implications of their actions, because you can, you can really affect the security posture of your whole company, even if you're, you know, in sales or in marketing or whatever, because you're using this platform and you have the ability to do a thing. So I think we're doing a much better job of getting everybody involved. And it's not these siloed, like this is the security team within the company. I think we're doing a much better job.

Joseph: Yeah. Security is becoming a cross departmental function, right? It's no longer just, you know, you, you still have those who respond. For technology, but it's becoming much more across the departments.

Mike: You know, it's like health and safety. I mean, I think it's that same sort of shared responsibility. We don't see it any, you know, it's, you know, I'm not going to clean up every mess. I see. But I'm also, if I make a mess, it's my responsibility to clean it up so that somebody doesn't slip and fall

Joseph: it's a risk reduction. It's good to safety across in it. And that's how it should be viewed. It's not, you know, its problem all the time or it's not this other person's responsibility is that people aren't always starting to see that we are together. You know, I have a shared responsibility to do the right thing and you're right. It's about empowering employees to be physically better secure we're, you know, better culture. I think, you know, that's definitely one thing that you know, is, is probably reduced on the click rate on malicious links as well. So that's definitely a positive is that. People are becoming much more over and better at it. I should be able to identify as well and report. So there's no deck technology that is definitely helping as well, but I think another important area is that companies are starting to execute more seriously. I also do think that regulation and compliance is helping force the boards and organizations to really take security more seriously and seeing companies, you know, having a sizzle report to the board. As well, not just into the executive staff, but into the board actually shows that now they're starting to get a voice. They're starting to get much more, you know, I think they're getting ears and people listening. Some may not be getting as much action or support out of it, but they're definitely getting a voice in the table.

Mike: And I think one of the things that's driving that though, I mean, in addition to taking it more seriously, like why do you take it more seriously? I think part of it is the financial implications of a breach and the costs and cleaning up the cost of reputation, the costs, all these various costs. Are just building up, And so in the past, it might not have been as big of a deal, but now, you know, you know, you see, you're seeing larger fines. You're seeing all sorts of financial implications. I mean, I think it's what's lacking in the IOT world to drive those companies to make more secure IOT devices. We can save that for a different day, but like, but that's what that same stuff is. What is driving. I think the CISO is reporting into the board and it is being seen. You know, as a much more important function of the company, because it does directly, you can draw a line to the bottom line. it directly impacts the company.

Joseph: I agree. One of the things, you know, I mentioned that before with you that, you know, when I report it to this, me and this is a report to the board to try and get budget and the board came back, says all, you know, you're talking, you know, you're talking basically cost, cost, cost, fear, fear, fear. Right. And the interesting thing was, you know, going back to that point is that it's the cost of doing nothing versus the cost of doing something. And if that cost of doing nothing is a big cost, right. The board, but how, how are we going to reduce this? How are we going to offset that? And what I really think as well is that, you know, companies are not investing more. They're investing more in a balanced approach, not just saying, you know, I remember, somebody who was, was it one of the peers at a conference years ago? When they, they took a position into being like the cyber awareness, you know, strategy person in the company about ruling out security and the executive team center, you go and solve all the cyber security stuff. It's like going to boil the ocean and it's like, exactly solve it all. You know, you've got all, you know, you've got our support, but you know, you've got zero budget. So go to exactly right.

Mike: Go solve this, but we can't give you any money and we can't give you any people. Good luck with that. Yeah.

Joseph: So, but I think that that is changing over time, but I think more people are saying that you do have the investment in it, and it's a balanced approach. It's not just technology, you know, it's a fine balance between, you know, skilled people, and the organization and new technology. And having those work together definitely helps reduce and helps. You know, ultimately what we're seeing here from the verizon database investigations report 2020 is the, the results of those efforts. And we can't be complacent as well. We can't just turn and say right. Enough is enough. We have to keep pushing. We have to keep making sure that scissors are getting the resources and budget. They didn't need it. That's why good professionals are getting the support in order to help actually, you know, invest in the right areas to rule out the right technologies. one of the things that was interesting in the report as well, We're starting to see a lot more, you know, where the, the balanced, I think it was only 23% of the cloud was targeted and around 70% of on premise, early as well. So there is critical, but out of the cloud, that 23% or so of cloud instances that actually run 70% of those were actually from brute force stolen credentials attempted. So that shows, you know, the differences, but where it's on premise, where they're trying to, you know, criminals are trying to take a lot more maybe vulnerabilities or, you know, on pet systems or exploits or, you know, facing scams. Okay. so those techniques that are been used directly at, at the, on premise, perimeter, which is kind of still traditional, to the, the cloud side, seems to be much more of an access control issue. and this means that yes, you know, if you're an organization and you're looking at cloud, then you, you, you want to make sure your password and username is the only thing is protecting it. and this got to a point where I, I started thinking as I'm reading through the report, As we really need to consider about, should we allow humans to create passwords If that, you know, should we start thinking that h ans, you know, we're, we're not very good at being crazy unique, long passwords. Right? and this means that we really need from a cloud perspective.that we really need to consider, you know, outlined better access controls, better authorization controls and authentication mechanisms, rather than just having a password, being a control there. So some of those

Mike: when it comes to cloud that, I think I see or pay the most attention to is those unsecured environments where the developers are like, Hey, we just need an environment to do a thing. It's a test environment. Maybe the, you know, it's not as rigorous in terms of who should have access and who shouldn't next thing, you know, you've sort of overcome the dev. they don't understand the implication of what they did. And yeah. So, you know, you have, you know, your, your, some. Some cluster that's, maybe it's an elastic search cluster. That's now open to the public and it has a bunch of, you know, data maybe has sample data. Maybe it's not your full database, but it still has some copy of production or whatever. Those are the things that always worry me. And I think, you know, how do you come up with the right controls when you're talking about cloud to that, you allow that group, that, that development group to do the innovation they need to do, give them, you know, give them, you don't want to get in their way. You want to be able to say yes, you don't want to be the guy who always says no, but at the same time, how do you do it in a way that. Protects, you know, your users, your company, your reputation, and, and making that as seamless as possible as well.

Joseph: Yeah. And to your point, one of the things that was interesting in the report itself was that a lot of things were declining, such as, you know, malware and phishing attempts, and other types of techniques. The one thing that was on the increase was misconfigurations and errors. And it's to your point, is that. One of the biggest problems is, is that it is self-inflicted incidents, self-inflicted data breaches, where people are putting you know, databases open to the public by misconfiguring them. I think this is the point where, you know, money organizations expect us to run fast, but sometimes you do have to take those moments off. Oh, you are running. You're doing a fast, but you want to take a moment to sit back and think, you know, what is, am I doing it secure by design? Am I doing it by privacy? Am I putting the right security controls in place? So we do have to make sure, you know, as we're running fast, it's more like a relay. Oh, you take phases that we have to stop, reflect, make sure we've done the right thing to make sure we haven't configured something incorrectly. And so, yeah, error was, was, was the biggest thing was on the increase. So those are areas and it might do to your point that organizations might be trial and earning that this is, or they're doing the digital transformation. They might not be bringing the right people and they might be, you know, learning as they're doing. and they might be doing bad practices, which ends up not putting security in place. So, so that's an interesting, you know, kind of thing that we need to think about

Mike: also when you're doing those cloud transformations. And I just had this discussion with a couple of people the other day, which is, we're taking these systems that were designed for that. you have the servers, you have this, you have that cloud is a completely different thing. It's a, it's a, it's just so different that. You know, my recommendation in general is to go and find someone who's gone through it to help guide you through that, that process of how do you take this system and transform it, or how do you start? You know, maybe it's not even transforming what you already have. Maybe it's like, We're going to start down the road with new projects. We're not going to try and take legacy systems and put it on the cloud, but we're going to start this new thing. But again, you still need that educational piece of like, this is a different world and these are the implications. you know, I think about what the cloud is. like, How easy is it to spin up? What used to be a data center that would cost me millions of dollars and take, you know, months to build. I can now spin it up with like, I can write a config file and spin it up in minutes. and so I think there's, There's a lot that goes into the sort of cloud architecture and security and, you know, getting the saying, I don't know, and reaching out for help and looking for companies to partner with her consultants is I think the best approach to not make those mistakes and not go through the trial and error.

Joseph: Yeah. And your point I've got, I've got a great metaphor for the comparison. It's so, so, so I had a long discussion about this. We went into depth with it, with a journalist, like a month ago on this. And it was like, you know, the difference between on premise and cloud and even getting into SAS and all the types of differences and the things that you need to think differently is the security approaches are very different. So you think about on-premise is just like your car garage, you park your car, your car is that system. You might have a bicycle, you might have a motorbike, you might have some, you've got different things in your garage. And those basically when they're in there and that guards doors protecting the access, that's the one door and there's only one door. You might have another site entrance door. Right. But that's the one door's protecting it. And as long as that door is closed, then you don't need to worry about locking your car door or your windows, or, you know, will you leave the keys, right? You don't need to worry about, you know, putting a chain around your bicycle. So, so, and those cases that you're really reliant on that perimeter security, you know, that might be a key. It might have, you know, a wireless sensor. You might have a security guard, you know, if you're maybe Jay Leno and you've got lots of cars. You want to protect your garage because you've got a lot of valuables in that, in that garage. So when you think about it, that's what, you know, on premise, traditional security is really focused around those entry points. And when you're inside, you know, people can open the doors, get getting, you know, you're, you're less worried about the controls inside, but it's that door you're protecting. Right. And when you move to cloud, it's like taking all of your cars and your bicycles and motorbikes or whatever from your calories and your vegetables, and then driving out across the street and putting it in a shared parking lot. No all your, your, your cars and everything else is with everyone else's cars. And now you've got to think about, well, okay. I'm not, depending on the security controls, the parking garage is actually sharing and providing, and now you start needing to think, well, I need to lock the car doors. I need to make sure the windows are closed. The boot in the trunk of the car is closed. I might need to think about it. Digital security controls and access. So you'd always have to think about each of those devices and components and infrastructure pieces themselves. And that's where you start getting into that sort of Gatorades. And then you start thinking about, well, No, maybe I don't own the car. Maybe I'm using a service like an Uber. And now it's more about you then thinking about the data and how that data gets saved and moved around. So this is kind of where those metaphors, it really can transition into. Really. You need to think about as you move to cloud and you move to SAS, you need to think about security, a very different perspective. You need to think about it from the actual.the device or the, the, the, the system or the operating environment or the infrastructure that you're providing the access controls becomes. So, you know, kind of critical and encryption as well. So those things, all, you know, it's no longer about that traditional perimeter and the security guard. It's all about basically making sure it's about access. Authentication security controls about identities and the encryption of the data itself and how it flows. And that's changed as you need to look at it from that perspective. Yeah. I'd love,

Mike: I love that car analogy and the garage analogy, because like the first thing that popped in my mind was, as you were talking about, it was. If my car is in my garage and I need to work on it, I can take things out. I can leave them over here. Like I can, as long as that garage doors closed, I mean, as long as the engine's not running, you know, I can, I can do what I need to do and I can take things out and I don't have to worry, but if I was going into a shared space, now I have to be way more conscious of one of my taking out of my car, what I'm, you know, as I work on it. and you know, from that developer perspective. And so making sure that, you know, there's some way for us to do that work in the shared garage. Without worrying about who, you know, maybe it's more like, rather than a shared garage, you're going, you're bringing your car to the racetrack. So you don't want, you know, competitors to know what tweaks you're making to your engine. How do you do this in a secure way so that others can't see what you're doing versus when you're working on it in your, you know, the private garage.

Joseph: Yeah. It's, it's a, it's a point where it gets the configuration becomes important to remember. I think I mentioned before, and I was a large blanket scholar and certainly, you know, They were the, they said to me, the worst worry that they have is that when the secure changing security is not a problem, it's one, the moment that you've taken the security off and there's no security in place to putting the next security element in place is that that gap is the, basically the risk. It's not whether you've got security product a or B it's the gap. That's, there's nothing on the door. and that was the biggest arena and cloud that becomes so much more demanding because if you can't, you know, and the garbage, as long as you mentioned, you know, you can take the car door off. And not stole it. You've got some security controlling, but in the climate, you can take that car door off. You know, I was just saying other people can see, you might not want them to see. And especially if it's public access and another big thing in the report as well. What you want to highlight is that. It was an indication as well that dwell time is significantly decreasing, huge decrease in the dwell time, which is the time in order to detect breaches, too many cases that, you know, for most organizations is getting into wards days where it used to be months. It'd be like, you know, almost a year before you determine a beach and. One of the things that indicated what was helping, that was more managed security, service providers, more companies who are providing more specialized skills and becoming more of a specialized known extension to companies. And they are running tools that they specialize in and are not able to detect breaches and instances much earlier.

Mike: So, how is the scale factor that works in their favor, right? Cause they, they can, you know, if you're a small company, you can't. Afford that team, you can't afford all the tools and all the technology that they're using. Right. It's the typical like, Hey, you know, let's hire a specialist who now they can spread, you know, they can, they can do it all right. And they can afford it because they're doing this for, you know, they sort of get that economy of scale. Yeah, absolutely.

Joseph: And for me that was it. That was a major thing that really shows that organizations, you can't do everything yourself. You have to work with, you know, best practices out there, get the right skills, you know, you don't have to have them internally, you know, permanently on your staff, depending on size, your organization of the business you do, of course. Right. But you know, if you're a small business or media business that, you know, you, you can't afford that, or it's not your focus. Absolutely. Working with the many service providers on those orders will definitely help, especially, you know, reduce that dwell time, which is significant because it's the dwell time which can be, you know, days can be millions for companies in regards to the impact, costs from, from databases. So, for me, that was a significant one. That was very, very interesting. and another piece of note as well, which wasn't in the report. And then because of course this reports, I was a lagging indicator. So it was something that your role was, can not, you know, you're seeing the results, but there's always a period of time where it doesn't include a certain impact. And then one thing for me, I think is ransomware. Is evolving again. And this for me is probably the biggest thing that organizations should be worried about or fear for the wall is ransomware. And the techniques now that run where it's not just the bite, you know, poisoning or making data unavailable, what is also doing is doxing and as well as it's stealing the data. And threaten to disclose it. And we've seen, you know, the recent incident with a law firm, which is, you know, is now starting to, to also from, you know, governments and presidents and other things that are not being, you know, disclose some data that we have to really look at. You know, we're not, some are starting to evolve and it might be that, you know, it's, it's also not just that we are convicted and available. And if you don't pay the ransom and you do have a good backup. That's not what you need to worry about. Now, you need to worry about whether that data got something sensitive in, in the, you know, in the content. And therefore, you know, that, you know, over the criminal AEs is not threatening to disclose and make it publicly available unless you pay the ransom. Right. So I think that's something that the report doesn't, it does indicate that it doesn't include that and that there's new evolutions and changes in ransomware. And so it does highlight that. But, for me, absolutely, that was one thing I did note is that, you know,

Mike: That's a sort of extortion it's, you know, it's not ransom, right. It's extortion where now it's like rank cause they're correct. Yeah. That's a, that's an interesting trend. I don't know that I was aware that it was really picking up that much. I appreciate you.

Joseph: Yeah. There's been cases, you know, I think we look through, there's been a n ber of cases already this year, you know, high profile cases that have been victims of this from, you know, Currency exchanges to, par stations, and the, of course law firms and they all have serious implications. you know, you know, what else comes out of that? You know, we remember the Panama papers years ago, what would that be disclosed? Right. So, law firms definitely are a major target and also from a security perspective, and their setup is very decentralized because you have lots of lawyers working many different things. So they become definitely a prime target from criminals and definitely something that they should be looking for because they, they deal, you know, deal with a lot of, significant types of sensitive data.

Mike: Yeah. And I think also you think, I think about law firms, at least in the U S there's. the really large ones that come to mind and the decentralized and so and so forth, but there's also plenty of small, small law firm practices that, you know, you know, do have to rely on, you know, how are they going to secure their stuff? And, you know, it isn't the, you know, isn't really a line item budget that they want to, you know, put a lot into. It's not, you know, and so, again, It's that what's going to force them to put more money into it as my, not just, Oh, now we have the backup. So if we get ransomware, like it's not that big a deal we can restore from backup. Now it's like, Oh no, we have to, you know, again, there's this new financial threat that's going to cause them to have to evolve yet again, to deal with the like, no, we don't even want to have to deal with the, the, the chance of this, getting out it's by direction.

Joseph: Eventually. What actually happens is that, you know, it's by directional is, you know, choosing your law firm. Do you want to make sure that they actually have the right security in place. Right? Right. So you start auditing the law firm. so that of course introduces multiple law firms. Probably not a good thing. And another thing, another thing in the report as well, you know, which for me is that, you know, a lot of the techniques that are used, what seems to be, you know, definitely, you know, continuous on that, on the, on the increase of report, as well as, you know, credential stuffing is another major. I, I always hear time and time again about, you know, our sophisticated breaches are and, and you know, how, you know, they are maybe nation state backed. you know, they've been doing this for a long time and I find that, you know, probably sophisticated is sometimes overrated and overstated, which, you know, ends up sometimes being. you know, a simple, you know, one click in a phishing email or a credential stuffing, or somebody used the same password and multiple systems and definitely the report does indicate credential sniffing is on the increase and that most of the types of techniques which tends to happen in, you know, the number of steps is usually it's run four steps to two to four steps is the optimum number of steps that a attacker uses to get for access. Wow, you know, between two to four steps. And that for me is like, no. And even when I know, you know, probably one thing that's missing in the report side of things is there's a couple of a couple of things that's missing from my perspective. It is one is. They don't talk enough about the success of the positive side. I think that's something they should so really highlight better is, you know, this report is an indicator of positive direction and trend. There are successes out there and we have to highlight that better. I think, you know, cause otherwise people are feeling the doom and gloom side of things. but what's missing in this report is, you know, and, and this is probably the most difficult thing you can't get is the passive work passive side of things it's done in a, instant or database is the work that the attacker did prior to getting access or the active attack.

Mike: That's interesting.

Joseph: And actually, you know, my experience when you're doing penetration testing and I feel like ethical hacking. That's a large amount of the time. It's 80, 90% of your time is actually doing passive recon. Is that you're learning about the target. You're looking at the res e sites. You're looking at, you know, archives web pages. You're looking at a supply chain. You're looking at all the details about the organization and that's what was missing. So you don't know how much from this report. It's, it's from the knock on the door. that first time then they opt in the door, or the first time you saw an IP address, and it's the number of steps at that point. So there's a, there we do, we are missing the past peace and that is always a large portion of the preparation and planning and attack path that goes into a lot of criminals will work. But yeah, once that knock on the door, it's between two to four steps, right? The annex as to what they need, some of course go further and beyond that, but that's an indicator that, you know, in many cases that the security controls are in place and with credential stuffing and stolen passwords, still continuing to be a primary technique. We really have to look. And that's one of my points. Even the cloud side, where it was a large portion of cloud breaches were contributor attribution of those areas. We really need to consider, you know, definitely better security techniques, you know, the front door, and to make those steps, you know, that if, if your data's only two steps away from, from the front door.we're probably, you know, the principle of least privilege is probably an area, that needs to be probably raised and enforced. again, and that's something that, you know, our listeners can listen to another podcast where we go into that in detail.

Mike: But did the reports like things about like, cause I already admitted, I didn't read the full what techniques are really like what's working or why we think things are going in the direction they are, because I think. When I think about things, right. I want to know, I want to take advantage of other people's lessons and I want to be able to say like, okay, well this seems to be working. So let's, let's continue down this path.

Joseph: I think one of the things in the report itself just kind of. So the techniques, that were actually the top techniques, of course, one of the things that, you know, organized crime is still, you know, you're your largest attacker. you know, and by a large amount, so organized crime is definitely the one that we need to be aware that worrying about AIRism misconfigurations or, you know, that one of the one that was on the increase, the delivery methods continues to be the same delivery method, where it's using things like, top techniques was, credential theft and phishing, was the top two techniques that was used.

Mike: what I meant is what's working is not so much what's working for the criminals as much as what's working for the people on the other side of it. What, what take the defendant may be is yeah. The defender's side of it. What did they get into the details there? Cause yeah, I know from the report, I do know that yes, they went into the various details of what. It's successful that way.

Joseph: So the best thing is that, is making sure that a password is not the only security control. I mean, this is fundamental and, and, you know, getting it to make sure that we use passphrases longer, you know, better protected and using multifactor authentication and additional two passwords. especially for things like web applications, using cloud access controls is that it should be, if you move to. Just basically being more than just the password and having things like multifactor authentication, doing, especially for privileged access, you know, for things like remote desktop or access to databases, where you have access to more sensitive infrastructure than you have, of course, privilege access becomes fundamental in that as well. So the segregation of. Oh, the access controls. Those are, you know, bringing in MSSP providers in order to help you basically provide much more level of expertise, especially detection, intrusion prevention, all of those areas. And, and maybe even it was shared management of some, some aspects, and good cyber security awareness training, and having your employees more up to date. And then having more controls and checks on when you're doing basically sense of configuration changes of infrastructure, database, and application rollouts. So if you really get into having a very consistent process at your deployment installation configuration that you use more than just a password to protect those infrastructure with things like multifactor privilege access and your employees are more aware, more responsibility, those are the things that work. That's what reduces the risk. it's not going to completely fix everything, right. But you will actually see a signal improvement and the other side of things as well, what's important is that that's the preventative side. You still need to invest in, in response. You know, I get into the firefighter side is that you need to make sure that when it does happen, That you're able to get again, that dwell time is significant, that by reducing dwell time, the more you can respond quickly and more, you can get back up and more. You can eradicate the attackers, the less cost it is for the organization. So those are the things, you know, you know, phishing and pretexting is on the increase, through social sites, web applications at a target. Don't let it be just that username and password protecting it. Cloud is definitely from credential stuffing, so we need to make sure.the top industries that are still targeted are professional industries, or are still largely up there. public entities, information technology companies and finance and, you know, manufacturing, education, healthcare. Those are all the top primary targets. And they're both consistent in both the incidents and breaches side because they do separate them into instant breaches. Another thing that ransomware has moved from incidents to becoming breaches in the future because of that technique change of stealing data. Okay. That changes it from just being an incident to being also a data breach. Right. And then the other major early it was the motivation for me is this is always a primary thing, is that the motivation continues to be financial. You know, the large force of all of these things is, money. What ultimately determines whether being ransomware, whether it being stolen, IP, intellectual property, you know, extortion, or, you know, you know, copying other people's technologies or finding ways of espionage. Purely a lot of it ends up being motivation money and also the report gets into finally, I'll get into Last pieces. does say that, you know, the size of the organization doesn't really matter. You know, all organizations are targeted no matter what size they are. And you being a large organization or smaller organization doesn't mean that attackers won't target you write the report, dig it into recommendations into being the CIS, center of internet security. The top 20 controls are basically your best friend at mitigating the risks. So getting into the CIS top 20 controls are you're able to, you know, have those part of it, security strategy. It will actually help you address those risks. So those are the things that fundamentally, you know, summarizing the report up, is that there's things that we can do. There's things, you know, that, are becoming much more of a, you know, a popular technique, from attackers and, but. We are cutting the right direction. We just need to continue and go and yeah. You know, getting the board support, getting the investment along scissors to do what they need to be doing. you know, yeah. Great is like yourself being able to get the support, being able to take action, then we'll, you know, get the budget, are all things that will help me help our organizations at least reduce the risk enough. in order to, to, you know, make security work for us.

Mike: Yeah. And I appreciate like, on our board, security is an important piece of that as well. We have, you know, our board members care a lot about security as well, so it sort of starts there and is able to, it makes it a lot easier. There's not, it's not a confrontational conversation. It's, Oh yeah, definitely. No, that makes a lot of sense. That seems like the right thing to do. Which is definitely insecurity.

Joseph: It's not a bottom up approach and it's not a top down approach. Right. It's everyone's responsibility. Absolutely. And that's how it works. It's it's, there's no train. There's no triangle here in security. I'm probably conflicted. Yeah, a lot of people's terms on the CIA Troid and all these other types of, they would like to triangle.but so cybersecurity's more like a square, right? It's everyone's responsibility, we're all accountable. It's a bottom up approach. It's a top down approach. We all are gonna, you know, if we work together, and not just from basically single organizations, but as a community and we, you know, make sure there's less places for cyber criminals to hide.and that means that. So that's just by organization and security researchers and Packers working together, but it's also by governments as well. And you know, that's important is that we have to, this is a global initiative global perspective. and this report definitely is, you know, it's definitely a global, a global view. Yeah. So my last thing before we finish up today is, you know, for the Verizon team also report as usual, keep up the great work, you know, do read my blog abuse, get out there, right. We'll be a, you know, summarizing the discussions we've just had. And, you know, this is a time for it, you know? Bring up the barbecues, have a good beer time to celebrate. and, let's continue the path we're on. Let's make sure what risk we worry about. The risks and that's awesome.

Mike: Awesome. Always a pleasure to talk to you, Joe. I look forward to these every time.

Joseph: Alright,

Mike: take it easy. Take care.

Joseph: Everyone. Stay safe. Thanks.