
401 Access Denied Podcast

Welcome to the 401 Access Denied Podcast, where we dissect what’s really going on in today’s world of cyber security. Topics range from finding a job in cyber security, to dealing with insider threats, to going inside the mind of a hacker, and more.

Bi-weekly, Thycotic’s ethical hacker Joseph Carson and the cyber security training experts from Cybrary will share their insights along with our special guests.



Thycotic produces this podcast in partnership with Cybrary, the cyber security and IT career development platform.

401 Access Denied

Episode 4

The 2020 Verizon Data Breach Investigations Report

EPISODE SUMMARY

We’ve read the 2020 Verizon Data Breach Investigations Report so you don’t have to! Join Joseph Carson from Thycotic and Mike Gruen from Cybrary to get the skinny on the good and bad news in the industry.

In this podcast, we’ll share lessons from the Report including how hacks differ between cloud and on-premise targets, how many steps it takes a hacker to gain access to a network, and even the types of threats that have been most successful this year. You’ll also learn the industries that are currently their primary targets. But most importantly, in this podcast we’ll share the actions every organization should be taking to be sure Verizon’s warnings are heeded.


Joseph Carson

  • Chief Security Scientist at Thycotic
  • Over 25 years' experience in enterprise security
  • Author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies"
  • Cyber security advisor to several governments, critical infrastructure, financial and transportation industries
  • Speaker at conferences globally

Mike Gruen

  • Cybrary VP of Engineering / CISO
  • Manages Cybrary’s engineering and data science teams, information technology infrastructure, and overall security posture
  • 20+ years of experience developing and overseeing the implementation of complex, secure, and scalable software solutions and products
  • Previously served as VP of Engineering and VP of Product & Platform at RedOwl
  • B.S. in Computer Science from the University of Maryland at College Park

Joseph Carson: Welcome to the 401 Access Denied Podcast. My name is Joseph Carson, Chief Security Scientist at Thycotic and co-host of the show. This podcast is all about making cyber security easy, usable, and fun. Come back every two weeks to listen in and learn about what's the latest news or even submit your own questions via the community.

Joseph Carson: Hey, Mike. Welcome to another 401 Access Denied Podcast. This is really a fun discussion. I'm really enjoying a lot of the information we're sharing. This time, we're going to be looking at the recently released Verizon Data Breach Investigations Report. For me, as a researcher, I'm doing a lot of reading of reports throughout the year. It's definitely one that I really am excited about because it's very thoroughly researched, it's good details, it provides you a good thermometer, a good indication of trend of what's really happening in the industry. In most cases that when you're reading it, I think it's the 13th year now that this report is being released, and it's on everyone's calendar. We're usually waiting between the April and May timeframes. Everyone's sitting around with their cups of coffee ready and when the report comes out, spending... and then you get a lot of people like myself writing blogs and analyzing it and interpreting it.

Joseph Carson: But one thing that I find is that every time, over the last many years and reporting on it and sharing my thoughts is you're always in this face and your hand moment where you're just like... or it's doom and gloom. It's always about it's how bad we're getting and everything we've been investing in security and the technologies and the hard work that goes through. It's like you're always seeing the doom and gloom that's getting worse. More people are clicking on crap. More people are clicking on malware. Malware's increasing. Incidents are increasing. Breaches are happening time and time again. This report, I was so happy this year. I don't know if you got to go through it in as much detail, but for me, I think this report indicates that finally we're starting to see results, that finally-

Mike Gruen: No, I was just going to say no, I rely on people like you to give me the synopsis rather than dig through all of the details of the report. I look forward to everybody else's takes on it and I can pull that together and take in a more summarized view than poring through all the details so I appreciate your hard work in going through and doing that work for me.

Joseph Carson: You're definitely the smart one of doing this. Going and reading other people's interpretations is probably the easiest thing and it's definitely the... because they're smartest and quickest and you get a lot of different views and viewpoints. For me, I like to compare it with my research that I do and compare notes. Also a lot of peers of mine also contribute to the report as well, which is always interesting to see their feedback and results too. But I'm still looking. You're right. Sometimes read my report, read my report, which-

Mike Gruen: Yeah, I'll give you a plug rather-

Joseph Carson: ... is a quick summary.

Mike Gruen: Yeah, go read Joe's synopsis. It's awesome.

Joseph Carson: Yeah. But this time, I mean, really for me, I was actually sitting up. I was like, "Whoa, this is positive." Malware's decreasing. People are clicking on less rubbish. Things are improving. There's been less data breaches. It was one of those moments in time where I started getting my hand and I started trying to pat myself on the back. I think also it can be… around the world. This is a report to show that their hard work is actually paying off. Cyber security awareness training, getting security culture into the employees and all the messaging and all the hard things and sleepless nights and research around the clock. Also in it as well was an indicator that a lot of security research is... We always talk about hackers being used in the bad terms and I always disagree with that because I see myself as a hacker-

Mike Gruen: As do I.

Joseph Carson: ... and I'm ethical. Sometimes the news and media make us out to be the villains. Also even security researchers that do responsible disclosure sometimes can also turn out to be villains because they're sharing with the world these vulnerabilities and organizations sometimes basically will victimize them or even try to sue them for the work and for making people aware that they have insecure products. So I think for me, this report was a highlight that actually security researchers, most organizations will find out about breaches from security researchers, which was a great indicator that there's a collaboration between companies and security researchers happening and that security researchers are friends and really working with you to make the world a safer place. Those security researchers, they are hackers. They are basically fundamental... that is what their primary focus is on.

Joseph Carson: So the report was great. As it says, it might not be a champagne moment. It's not time to break out the bubbly and say we've won and great and-

Mike Gruen: I don't think there's ever winning. It's just doing better.

Joseph Carson: No, there's never winning. It's just, yeah, it's about surviving in many cases. You deploy the champagne just to show that we survived. But I think it's definitely a moment, security researchers and hackers around the world who do spend the time in working for good focus and helping organizations, this is a moment to celebrate. This is a moment to-

Mike Gruen: Yeah, no, I agree. I mean, we really do use... We have a responsible disclosure program that there's a link to it right from our site. We rely on it. Our community is filled with security researchers. We want to take advantage of that. In fact, when filling out those annoying security questionnaires for various companies, they ask what do you do from a security perspective? It's one of the first things I list is we have this program. It's actually turned up more things than some of the audits we've done. I really appreciate it. It never occurred to me this is somehow... How can this be a negative thing to get this information about my platform and what we're doing and the vulnerabilities in it from someone who clearly cares and is sort of a partner and it's crowdsourced? It's similar to spreading out the number of attacks and how all the different people who could be attacking your system, now you're using that crowd to test your system and give you that feedback. I super appreciate that program that we have.

Joseph Carson: I mean, this is a community effort. This is working together in bringing experts and various different views and specializations to really help. Then that was one of the important things. One of the things the report did say was that if you do become a victim, that you're more likely to hear from third parties, your customer partners and security researchers, where actually the top third party, basically, individuals or people or teams or companies that will inform you of those.

Joseph Carson: So the report itself, not a champagne moment. Not time to break out the bubbly. But definitely time to celebrate. Definitely time to bring out the barbecue, maybe have a couple of good beers and whatever your preference of drinking, right? For some people it might be water. In Estonia here, definitely vodka is the common tabletop drink. But definitely, it's a time to reflect, looking at security professionals like yourself and me and others that we work with and our peers, to really say thank you for the work that they've done to really reduce the threats and make the world safer. Because this is a report to indicate that the world is a little bit safer this year. Maybe from computer viruses and ransomware, but not other types of viruses that we can't deal with. But definitely an indication that there were improvements that have been made. There's-

Mike Gruen: Yeah, and I think there's a couple underlying causes that might be moving us forward in that way. I think those responsible disclosure programs, there's a few of them out there. They're more collaborative. I think that they're sort of picking up in speed, which means... For us, one of the vulnerabilities that was pointed out to us was actually in a third party SaaS that we use. So sure enough, I took this person's report and passed it on to them so they could fix it. We patched it and we came up with a solution, but it was really their problem. So I think that that sharing of information and making that so easy to do, it turned out that this provider was also on the exact same platform we were on for the disclosure program, so it made it really easy to submit it to them as well. So I think that that collaboration's really helping and I look at...

Mike Gruen: Security awareness is good, but I think really pushing it out more beyond just the typical awareness stuff of what links to click on and it's really about enabling your entire staff to really think about security and implications. I think we're doing a much better job of security enablement. That's one of the cyber ideas that we push a lot on is everybody in our organization that can touch technology has to understand the implications of their actions because you can really affect the security posture of your whole company even if you're in sales or in marketing or whatever because you're using this platform and you have the ability to do a thing. So I think we're doing a much better job of getting everybody involved and it's not these siloed... like this is the security team within the company. I think we're doing a much better job.

Joseph Carson: Yeah, security's becoming a cross-departmental function. You still have those who are responsible for technology, but it's becoming much more across the departments. Absolutely-

Mike Gruen: It's like health and safety. I mean, I think it's that same sort of shared responsibility. We don't see it any... Right. I'm not going to clean up every mess I see, but also if I make a mess, it's my responsibility to clean it up so that somebody doesn't slip and fall and-

Joseph Carson: Yeah, absolutely. It's risk reduction. Yeah, you're right. It's a health and safety across and that's how it should be viewed. It's not IT's problem all the time or it's not this other person's responsibility. It's that people are now starting to see that we are together. I have a shared responsibility to do the right thing. And you're right, it's about empowering employees to be basically better secure work, better culture. I think that's definitely one thing that has probably reduced down the click rate on malicious links as well, so that's definitely a positive is that people are becoming much more aware and better at actually being able to identify as well and report. Technology's definitely helping as well.

Joseph Carson: But I think another important area is that companies are starting to take security more seriously. I also do think that regulation compliance is helping force the boards and organizations to really take security more seriously. Seeing companies having a CSO report to the board as well, not just into the executive staff, but into the board, actually shows that now they're starting to get a voice. They're starting to get much more... I think they're getting ears and people listening. Some may not be getting as much action or support out of it, but they're definitely getting a voice at the table. On top of that-

Mike Gruen: I think that one of the things that's driving that though, I mean, in addition to taking it more seriously, like why do you take it more seriously? I think part of it is the financial implications of a breach and the cost in cleaning up, the cost to reputation, the cost, all these various costs are just building up. So in the past, it might not have been as big of a deal, but now you're seeing larger fines. You're seeing all sorts of financial implications. I mean, I think it's what's lacking in the IoT world to drive those companies to make more secure IoT devices, and we can save that for a different day. But that same stuff is what is driving, I think the CSO reporting into the board and it being seen as a much more important function of the company because it does directly... you can draw a line to the bottom line. It directly impacts the company.

Joseph Carson: I agree. One of the things, I mentioned it before with you, that when me and the CSO reported to the board to try and get budget and the board came back and says, "Oh, you're talking basically cost, cost, cost, fear, fear, fear." The interesting thing was, going back to that point, was that it's the cost of doing nothing versus the cost of doing something. If that cost of doing nothing is a big cost, the board will listen about how are we going to reduce this, how are we going to offset that. What I really think as well is that companies are now investing more. They're investing more in a balanced approach, not just saying...

Joseph Carson: I remember somebody who, was it one of the peers at a conference years ago, turned around and said... They took a position into being the cyber awareness strategy person in the company about rolling out security. The executive team said to her, "You go and solve all this cyber security stuff." It's like going to boil the ocean. It's like you can solve it all. You've got our support, but you've got zero budget. So go solve all of this.

Mike Gruen: Go solve this, but we can't give you any money and we can't give you any people. Good luck with that.

Joseph Carson: Yeah. But I think that that is changing over time and I think more people are saying that you do have to invest in it and it's a balanced approach. It's not just a technology. It's about balance between skilled people in the organization, good technology, and having those work together definitely helps reduce and helps ultimately what we're seeing here from the Verizon Data Breach Investigations Report in 2020 is the results of those efforts. We can't be complacent as well. We can't just turn around and say, "Enough is enough." We have to keep pushing. We have to keep making sure that CSOs are getting the resources and budget that they need and that security professionals are getting support in order to help actually invest in the right areas to roll out the right technologies.

Joseph Carson: One of the things that was interesting in the report as well was that we're starting to see a lot more where the balance... I think it was around 23% of the Cloud was targeted and around 70% of On-Premise areas as well. But out of the Cloud, that 23% or so of Cloud instance, that actually around 70% of those was actually from brute force stolen credentials attempted. So that shows the differences. But whereas On-Premise where criminals are trying to take in much more maybe vulnerabilities or unpatched systems or exploits or phishing scams. So those techniques that are being used directly at the On-Premise perimeter, which is kind of still traditional, to the Cloud side seems to be much more of an access control issue. This means that yes, if you're an organization and you're looking at Cloud, then you ought to make sure your password and your username is the only thing protecting it.

Joseph Carson: This got to your point though, right? I started thinking as I was reading through the report is we really need to consider about should we allow humans to create passwords. Should we start thinking that humans, we're not very good at creating unique, long passwords. This means that we really need, from a Cloud perspective, that we really need to consider are unrhymed, better access controls, better authorization controls, and authentication mechanisms rather than just having password being the control there. So potentially I think some of those-

Mike Gruen: Yeah, and I think that when it comes to Cloud that I think I see or pay the most attention to is those unsecured environments where the developers are like, "Hey, we just need an environment to do a thing. It's a test environment." So maybe it's not as rigorous in terms of who should have access and who shouldn't. Next thing you know, you've sort of over-privileged a dev. They don't understand the implication of what they did. Next thing you know, you have some cluster that maybe it's an Elasticsearch cluster that's now open to the public and it has a bunch of data. Maybe it has sample data. Maybe it's not your full database, but it still has some copy of production or whatever.

Mike Gruen: Those are the things that always worry me and I think how do you come up with the right controls when you're talking about Cloud that you allow that development group to do the innovation they need to do? You don't want to get in their way. You want to be able to say yes. You don't want to be the guy who always says no. But at the same time, how do you do it in a way that protects your users, your company, and your reputation and making that as seamless as possible as well?

Joseph Carson: Yeah, and to your point, one of the things that was interesting in the report itself was that as a lot of things were declining, such as malware and phishing attempts and other types of techniques, the one thing that was on the increase was misconfigurations and errors. That's to your point is that one of the biggest problems is self-inflicted data breaches where people were putting databases open to the public by misconfiguring them. I think this is the point where many organizations are expected to run fast, but sometimes you do have to take those moments of you are running, you're doing it fast, but you want to take a moment to sit back and think, "Am I doing it secure by design? Am I doing it by privacy? Am I putting the right security controls in place?" So we do have to make sure that as we're running fast, it's more like a relay or you take phases that we have to stop, reflect, make sure we've done the right thing to make sure we haven't configured something incorrectly. So yeah, errors were the biggest thing that was on the increase. So those are areas.

Joseph Carson: And Mike, to your point, that organizations might be trial and erroring. They're doing their digital transformation. They might not be bringing the right people in. They might be learning as they're doing and they might be doing bad practices, which ends up not putting security in place. So that's an interesting thing that we need to think about.

Mike Gruen: I think also when you're doing those Cloud transformations, and I just had this discussion with a couple people the other day, which is we're taking these systems that were designed for that On-Prem. You have the servers, you have this, you have that. Cloud is a completely different thing. It's just so different that my recommendation in general is to go and find someone who's gone through it to help guide you through that process of how do you take this system and transform it or how do you start? Maybe it's not even transforming what you already have. Maybe it's we're going to start down the road with new projects. We're not going to try and take legacy systems and put it on the Cloud, but we're going to start this new thing. But again, you still need that educational piece of this is a different world and these are the implications.

Mike Gruen: I think about with the Cloud how easy is it to spin up what used to be a data center that would cost me millions of dollars and take months to build? I can now spin it up with... I can write a config file and spin it up in minutes. So I think there's a lot that goes into the Cloud architecture and security and saying, "I don't know," and reaching out for help and looking for companies to partner with or consultants is, I think, the best approach to not make those mistakes and not go through the trial and error.

Joseph Carson: And your point, I've got a great metaphor for the comparison.

Mike Gruen: Okay, please.

Joseph Carson: Okay, so one answer is… So I had this long discussion about this. We went into depth with it with a journalist months ago on this. It was like the difference between On-Premise and Cloud and even getting into SaaS and other types of differences. The things that you need to think differently is the security approaches are very different. So you think about On-Premise, it's just like your car garage. You park your car. Your car is that system. You might have a bicycle. You might have a motorbike. You might have some... You got different things in your garage. Those basically, when they're in there and that garage door is protecting the access, that's the one door and this only door, you might have another side entrance door, but that's the one door that's protecting it. As long as that door's closed, then you don't need to worry about locking your car door or your windows or where you leave the keys. You don't need to worry about putting a chain around your bicycle and stuff.

Joseph Carson: So in those cases that you're really reliant on that perimeter security. That might be a key. You might have a wireless sensor. You might have a security guard. You're maybe Jay Leno and you've got lots of cars. You want to protect your garage because you've got lots of valuables in that garage. So when you think about it, that's what On-Premise traditional security is, really focused around those entry points and when you're inside, people can open the doors, can get in. You're less worried about the controls inside, but it's that door you're protecting.

Joseph Carson: When you move to Cloud, it's like taking all of your cars and your bicycles and motorbikes and whatever from your cars and your valuables and then driving it across the street and putting it in a shared parking lot. Now all your cars and everything else is with everyone else's cars. Now you've got to think about, well, okay, I'm now dependent on the security controls that that parking garage is actually sharing and providing. Now you start needing to think, "Well, I need to lock the car doors. I need to make sure the windows are closed. The boot and the trunk of the car is closed." I might need to think about additional security controls and access. So you now have to think about those devices' components and infrastructure pieces themselves. That's where you start getting into that sort of garage.

Joseph Carson: Then you start thinking about, "Well, maybe I don't own the car. Maybe I'm using a service like an Uber," and now it's more about you then thinking about the data and how that data gets saved and moved around. So this is where those metaphors can really transition into you need to think about, as you move to Cloud and you move to SaaS, you need to think about security from a very different perspective. You need to think about it from the actual device or the system or the operating environment or the infrastructure that you're providing, the access controls become so critical and encryption as well. It's no longer about that traditional firewall perimeter and the security guard, it's all about basically making sure it's about access, authentication, security controls, identities, and the encryption of the data itself and how it flows. That changes the way you need to look at it from that perspective.

Mike Gruen: Yeah, I love that car analogy and the garage analogy because the first thing that popped to my mind was, as you were talking about it, was if my car is in my garage and I need to work on it, I can take things out, I can leave them over here. As long as that garage door is closed, I mean, as long as the engine's not running, I can do what I need to do and I can take things out and I don't have to worry. But if I was going into a shared space, now I have to be way more conscious of what am I taking out of my car as I work on it and from that developer perspective. So making sure that there's some way for us to do that work in the shared garage without worrying about who... Maybe it's more like rather than a shared garage you're bringing your car to the racetrack so you don't want competitors to know what tweaks you're making to your engine. How do you do this in a secure way so that others can't see what you're doing versus when you're working on it in the private garage?

Joseph Carson: It's to that point where it gets... the configuration becomes important. Because remember, I think I mentioned before, I was at a large bank in Scotland where they said to me the worst worry that they have is that changing security is not a problem. It's when the moment that you've taken the security off and there's no security in place to putting the next security element in place is that that gap is basically the risk. It's not whether you've got security product A or B, it's the gap that there's nothing on the door. That was the biggest area. And Cloud, that becomes so much more demanding. In the garage, as long as you mentioned, you can take the car door off and you've got some security controlling, but in the Cloud, you can take that car door off. As you say, other people can see inside. They're seeing what we may not want them to see. It's the same thing as public access.

Joseph Carson: Another big thing in the report as well which I want to highlight is there was an indication as well that dwell time is significantly decreasing. A huge decrease in the dwell time, which is the time in order to detect breaches too. Many indications that from most organizations are getting in towards days where it used to be months. So almost a year before you determine the breach. One of the things that indicated what was helping that was more managed security service providers. More companies who are providing more specialized skills and becoming more of a specialized kind of extension to companies. They are running tools that they specialize in and are now able to detect the breaches and instances much earlier. So-

Mike Gruen: They also have the scale factor that works in their favor, right?

Joseph Carson: Correct.

Mike Gruen: Because if you're a small company, you can't afford that team. You can't afford all the tools and all the technology that they're using. Right, it's the typical hey, let's hire that specialist that now they can do it all right and they can afford it because they're doing this for... They get that economy of scale.

Joseph Carson: Yeah, absolutely. For me, that was a major thing. It really shows that organizations, you can't do everything yourselves. You have to work with best practices out there or get the right skills. You don't have to have them internally permanently on your staff, depending on the size of your organization, the business that you do, of course. But if you're a small business or a medium business that you can afford that or it's not your focus, actually working with a managed service provider on those areas will definitely help, especially reduce that dwell time. Which is significant because it's the dwell time which can be days, can be millions for companies in regards to the impact cost from data breaches. So for me, that was a significant one that was very, very interesting.

Joseph Carson: Another piece to note as well, which wasn't in the report because, of course, this report's always a lagging indicator. There's something that you're always going to... You're seeing the results, but there's always a period of time where it doesn't include certain impacts. The one thing for me I think is ransomware is evolving again. This is, for me, is probably the biggest thing that organizations should be worried about or fearful of is ransomware. The techniques now that ransomware is not just about poisoning or making data unavailable. What it's also doing is doxxing as well, is it's stealing the data and threatening to disclose it. We're seeing the recent incident with the law firm, which is now starting to also, from governments and presidents and other things that are now being disclosed from data, that we have to really look at, that ransomware is starting to evolve.

Joseph Carson: It might be that it's not just making data unavailable and if you don't pay the ransom, that you do have a good backup. That's not what you need to worry about now. You need to worry about is that data got something sensitive in the content and therefore the criminal is now threatening to disclose it, make it publicly available, unless you pay the ransom. So I think that's something that the report, it does indicate that it does include that and that there are new evolutions and changes in ransomware. So it does highlight that, but for me, actually that is one thing that I did note, is that ransomware is changing and evolving.

Mike Gruen: That's sort of extortion. It's not ransom, right, it's extortionware now because they're-

Joseph Carson: Correct.

Mike Gruen: Yeah. That's an interesting trend. I don't know that I was aware that it was really picking up that much, so I appreciate you-

Joseph Carson: Yeah, there's been cases. I think we looked through... There's been a number of cases already this year. High profile cases that have been victims of this from currency exchanges to par stations and now, of course, law firms. They all have serious implications. What else comes out of that? Remember the Panama Papers years ago. What would that disclose? So law firms definitely are a major target also from a security perspective and their setup is very decentralized because you have lots of lawyers working many different things. So they've become definitely a prime target from criminals and definitely something that they should be looking at because they do deal with a lot of significant types of sensitive data.

Mike Gruen:Yeah, and I think also when I think about law firms, at least in the U.S., the really large ones that come to mind and the decentralized and so on, so forth, but there are also plenty of small law firm practices that do have to rely on how are they going to secure their stuff, and IT isn't really a line item budget that they want to put a lot into. It's not. So again, what's going to force them to put more money into it is not just "oh, now we have a backup, so if we get ransomware, it's not that big a deal, we can restore from backup now." It's like "oh, no, again there's this new financial threat" that's going to cause them to have to evolve yet again to deal with the "no, we don't even want to have to deal with the chance of this getting out." So it's interesting.

Joseph Carson:Yeah. It's quite directional. Eventually-

Mike Gruen:What was that?

Joseph Carson:Eventually what happens is that it's bi-directional, is that essentially now, choosing your law firm, you want to make sure that they actually have the right security in place. So you start auditing the law firm. So that, of course, introduces multiple law firms, which is probably not a good thing or whatever.

Joseph Carson:Another thing in the report as well, which for me is that a lot of the techniques that are used, what seems to be definitely continuous on the increase in the report as well, is credential stuffing, is another major name. I always hear time and time again about how sophisticated breaches are and how they are maybe nation-state backed. They've been doing this for a long time. I find that probably "sophisticated" is sometimes overrated and overstated, or which sometimes ends up being a simple one click in a phishing email, or a credential stuffing, or somebody's used the same password in multiple systems. Definitely the report does indicate now credential stuffing is on the increase, and that most of the types of techniques which tend to happen, and the number of steps is usually, it's more than four steps, two to four steps is the optimum number of steps that an attacker uses to gain full access. Between two to four steps. That for me is like...

Joseph Carson:Even what I know, probably one thing that's missing in the report side of things is... There are a couple of things that are missing from my perspective. One is they don't talk enough about the success and the positive side. I think that's something they should really highlight better, is this report is an indicator of positive direction and trend. There are successes out there and we have to highlight that better. I think because otherwise, people are feeling the doom and gloom side of things. But what's missing in this report is, and this is probably the most difficult thing you can't get, is the passive side of things that's done in a data breach, is the work that the hacker did prior to gaining access or the active attack.

Mike Gruen:That's interesting.

Joseph Carson:Actually, my experience when you're doing penetration testing or ethical hacking, that's a large amount of time. It's 80, 90% of your time is actually doing passive recon, is that you're learning about the target, you're looking at the resume sites, you're looking at archived web pages, you're looking at supply chain. You're looking at all the details about the organization. That's always missing. So you don't know how much... From this report, it's from the knock on the door, that first time they knocked on the door or the first time that you saw an IP address, and it's the number of steps to that point. So we are missing the passive piece. That is always a large portion of the preparation and planning of an attack path that goes into a lot of criminals' work. But yeah, once that knock on the door comes, it's between two to four steps that they gain access to what they need. Some, of course, go further and beyond that.

Joseph Carson:But that's an indicator is that, in many cases, that the security controls in place, and with credential stuffing and stolen passwords still continuing to be a primary technique. We really have to look, and that's one of my points to even the Cloud side, where a large portion of Cloud breaches were attribution of those areas, that we really need to consider definitely better security techniques at the front door. To make those steps, that if your data's only two steps away from the front door, the principle of least privilege is probably an area that needs to be raised and enforced again, and that's something that our listeners can listen to on another podcast when we go into that in detail. But I think-

Mike Gruen:Did the report get into things about, because I already admitted I didn't read the full report, what techniques are really... like what's working or why we think things are going the direction they are? Because when I think about things, right, I want to take advantage of other people's lessons and I want to be able to say, "Okay, well, this seems to be working, so let's continue down this path." Because I-

Joseph Carson:I think one of the things in the report itself, just kind of... So the techniques that were actually the top techniques... Of course, one of the things, organized crime is still your largest attacker and by large on might. So organized crime is definitely the one that we need to be worrying about. Errors and misconfigurations are one area that was on the increase. The delivery methods continue to be the same delivery method where it's using things like... So of the top three techniques, credential theft and phishing were the top two techniques that were used.

Mike Gruen:What I meant by-

Joseph Carson:Ultimately-

Mike Gruen:... what's working is not so much what's working for the criminals as much as what's working for the people on the other side of it.

Joseph Carson:The defenders.

Mike Gruen:What techniques could we be using... Yeah, the defender side of it. Do they get into details there?

Joseph Carson:Yeah, the defenders side.

Mike Gruen:Because yeah, from the report, I do know that yes, they went into the various details of what's successful that way.

Joseph Carson:So the best thing is making sure that a password is not the only security control. I mean, this is fundamental, and getting it to make sure that we use passphrases, longer, better protected, and using multifactor authentication in addition to passwords. Especially for things like web applications, using Cloud access controls, is that it should be, if you move to just basically being more than just the password and having things like multifactor authentication, especially for privileged access, for things like remote desktop or access to databases, where you have access to more sensitive infrastructure, then you have, of course, privileged access becomes fundamental in that as well. So it's segregation of the access controls. Those are bringing in MSSP providers in order to help you basically provide a much higher level of expertise, especially detection, intrusion prevention, and all of those areas, and maybe even shared management of some aspects, and good cyber security awareness training, having employees mark the date, and then having more controls and checks on when you're doing basically sense of configuration changes of infrastructure, database, and application roll-outs.

Joseph Carson:So if you really get into having a very consistent process at your deployment, installation, configuration, that you use more than just a password to protect that infrastructure with things like multifactor and privileged access, and your employees are more aware, more responsible, those are the things that work. That's what reduces the risk. It's not going to completely fix everything, but you will actually see a significant improvement. The other side of things as well, which is important, is that that's the preventive side. You still need to invest in incident response. Again, to the firefighter side is that you need to make sure that when it does happen, that you're able to get... again, that dwell time is significant, that reducing of that dwell time. The more you can respond quickly, the more you can get back up, the more you can eradicate the attackers, the less cost it is for the organization.

Joseph Carson:So those are the things. Phishing and pretexting are on the increase through social sites. Web applications are the target. Don't let it just be a username and password protecting it. Cloud is definitely from credential stuffing, so we need to make sure. The top industries that are still targeted are professional industries; they are still largely up there. Public entities. Information technology companies and finance. Manufacturing, education, healthcare, those are all the top primary targets, and they're consistent in both the incidents and breaches side, because they do separate them into incidents and breaches. Another thing, ransomware was moved from incidents to becoming breaches in the future because of that technique change of stealing information-

Mike Gruen:Oh, interesting.

Joseph Carson:... that changes it from just being an incident to being also a data breach. Then another major area was the motivation. For me, this was always a primary thing, is that the motivation continues to be financial. The large portion of all of these incidents is money, is money that ultimately determines, whether it be ransomware or whether it be stolen IP, intellectual property, extortion, or copying other people's technologies or finding ways of espionage. Purely, a lot of it ends up being the motivation of money.

Joseph Carson:Also, the report gets into, finally, I'll get into the last piece, is that it does say that the size of the organization doesn't really matter. All organizations are targeted no matter what size they are. Being a large organization or a small organization doesn't mean that attackers won't target you. The report did get into recommendations, into the CIS, Center for Internet Security, top 20 controls being basically your best friend at mitigating the risks. So getting into the CIS top 20 controls, if you're able to have those as part of your IT security strategy, it will actually help you address those risks.

Joseph Carson:So those are the things that are fundamentally... Summarizing the report is that there are things that we can do. There are things that are becoming much more of a popular technique from attackers, but we are heading in the right direction. We just need to continue, and getting the board support, getting the investment. Allowing CSOs to do what they need to be doing, having great CSOs like yourself being able to get the support, being able to take action and get the budget, are all things that will actually help our organizations at least reduce the risk enough in order to make security work for us.

Mike Gruen:Yeah, and I appreciate, like on our board, security is an important piece of that as well. Our board members care a lot about security as well. So it starts there and it makes it a lot easier. It's not a confrontational conversation. It's an "oh, yeah, that makes a lot of sense. That seems to be the right thing to do" type of conversation. That's definitely helpful.

Joseph Carson:And security, it's not about a bottom-up approach and it's not a top-down approach. It's everyone's responsibility. That's how it works. There's no trying to here in security. I'm probably conflicting with a lot of people's terms from the CIA triad and all these other types. Everyone likes a triangle. But cyber security's more like a square. It's everyone's responsibility. We're all accountable. It's a bottom-up approach. It's a top-down approach. If we work together, and not just from basically a single organization, but as a community, and we make sure there are fewer places for cyber criminals to hide, and that means that it's not just about organizations and security researchers and hackers all working together, but it's also about governments as well. That's important, is that this is a global initiative and a global perspective, and this report definitely is a global view.

Joseph Carson:So my last thing before we finish up today is for the Verizon team. Awesome report as usual. Keep up the great work. Do read my blog if you see it out there. It will be summarizing up the discussions that we've just had. This is a time for break out the barbecues, have a good beer. It's time to celebrate. Let's continue the path we're on. Let's make sure we're reducing the risk. Awesome. Keep up the good work, guys.

Mike Gruen:Awesome. Always a pleasure to talk to you, Joe. I look forward to these.

Joseph Carson:Yeah, likewise.

Mike Gruen:Every time. All right. Take it easy.

Joseph Carson:Okay. Take care, everyone.

Mike Gruen:See you next time.

Joseph Carson:Stay safe. Thanks.

Speaker 3:Learn how your team can get a free trial of Cybrary for Business by going to www.cybrary.it/business. This podcast is also brought to you by Thycotic, the leader in privileged access management. To learn more, visit www.thycotic.com.