Phone Number +1-202-802-9399 (US)

Thycotic PAM, IT and Cyber Security Podcast
Listen on-demand

401 Access Denied Podcast

Welcome to the 401 Access Denied Podcast, where we dissect what’s really going on in today’s world of cyber security. Topics range from finding a job in cyber security, to dealing with insider threats, to going inside the mind of a hacker, and more.

Bi-weekly, Thycotic’s ethical hacker Joseph Carson and the cyber security training experts from Cybrary will share their insights along with our special guests.

Want to give input on our next cyber security podcast? Give us your topics

Subscribe or listen now on your favorite podcast app:
Apple | Spotify | iHeartRadio

Voted "Best Cybersecurity Podcast" in the 2021 Cybersecurity Excellence Awards
Cyber Security Excellence Awards 2021

Thycotic produces this podcast in partnership with Cybrary, the cyber security and IT career development platform.

401 Access Denied

Episode 34

2021 Verizon Data Breach Investigations Report Top Takeaways

EPISODE SUMMARY

How has security changed in the post-pandemic landscape? Joseph Carson is joined by Jonathan Meyers to discuss the highlights from the 2021 Verizon Data Breach Investigations Report, including most common causes of data breaches, Ransomware as a Service, the FBI’s addition to the report, and how organizations can take action today.

powered by Sounder

Free Tools

Take the first step to protecting your privileged accounts with Thycotic educational resources and free PAM software products.

→ See All Privilege Management Tools

Secret Server Icon

Secret Server Free

The perfect password management starter tool. 10 Users, 250 Secrets.

Icon - Audit

Password Security Policy Template

Icon - Project

Privileged Account Discovery for Windows

Icon - Test

Customizable Incident Response Template

Icon - Virus

Weak Password Finder for Active Directory

Joseph Carson

  • Chief Security Scientist at ThycoticCentrify
  • Over 25 years' experience in enterprise security
  • Author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies"
  • Cyber security advisor to several governments, critical infrastructure, financial and transportation industries
  • Host of award-winning podcast, 401 Access Denied
  • Speaker at conferences globally

Joseph Carson:
Hello everyone. Welcome back to another episode of 401 Access Denied, the biweekly podcast that brings you the latest news updates, trends and really brings great discussions, a lot of security and industry topics that really helps educate you, keep you informed and just make sure that you're able to get a really good understanding of what's really happening the industry. I'm the co-host of the show, Joseph Carson, chief security scientist at Thycotic, and I'm joined here by another fantastic returning guest to the show. So Jonathan, welcome back. It's great to have you. Could you tell us just, for the audience again, a little bit about yourself and what you do?

Jonathan Meyers:
Yeah. Sure. So I work at Cybrary and my current role is the principle infrastructure engineer. So what that means is I own everything from when a dev hits commit to when it's live and the user's interacting with on the site. So that goes with everything from the cloud to cybersecurity, to everything in between. So I'm the cyber security guy-

Joseph Carson:
Sounds complicated.

Jonathan Meyers:
... at a cyber security company. Yeah. Yeah.

Joseph Carson:
It's great to have you back and today we're basically going to get digging into really, we've had... There's always great reports comes out each year and always there's some really fantastic reports that really gives the industry kind of a point check and how we're progressing. And one of those reports that I'm always waiting for is the Verizon Data Breach Investigations Report. And always kind of... You get the news coming out about late April and then in early May, sometimes in the first two weeks it drops and the whole industry then takes a pause and takes a look at the report just to see what the past year has told us. And of course we've had major data breaches in the past year that were quite significant.

Joseph Carson:
And the report itself, I'm always looking at, I try to analyze it for my audience. I create a blog, I do a couple of podcasts and I do webinars that really help kind of analyze it. So this for me. What does the report mean for you when it comes out? How do you perceive the report and is this something that you find very valuable?

Jonathan Meyers:
Yeah, I use it as kind of the temperature gauge of what I've been seeing throughout the year. I mean, it kind of helps confirm or deny some thoughts I've had interviewing and talking with a bunch of people throughout the year. And then I think one of the really good things I use about it is it's easy enough to have like executive summaries and things like that, so I can provide that to other people and kind of educate them. I can educate like our internal team on what's happening in the industry since we all work in cybersecurity and it kind of takes that off my plate. So I'm not the one for coming up with like, here's what's happening in the industry. Because that takes me out of the fight for a week, two weeks maybe to make a presentation similar to that and kind of...

Jonathan Meyers:
So I use it on a couple fronts, one from me and then hopefully sharing it out to fellow coworkers and other people in the industry that kind of have an interest that don't typically know about these types of things, their executive summaries are pretty good, a pretty good cover for kind of what's happening.

Joseph Carson:
Absolutely. It kind of also confirms that a lot of the strategies and investments that organizers are making, directions, the threat landscape, and really just makes sure it's a point in time where I do this as well to check to make sure we're doing the right things and going in the right direction. Because it's important to have a trend, it's important to see where things are going. And so we want to see which types of threats are on the increase, which ones are being successful. And this was the 14th edition of the report. So it's been going on for 14 years now. I'm just looking at some of the statistics, include 88 countries. So it is a truly global report. It's a report that includes many countries around the world. It had 83 different contributors. So these are organizations who deal with ins response, who deal with investigations, agencies.

Joseph Carson:
So they're really engaged in a lot of the analysis into what's happening in all of these incidents. The total incidents was 7... Just under 80,000. 79,635 incidents, which also had about 5,258 data breaches. So it's always important that the report does separate the incidents versus data breaches. And one thing that was in this report, it actually showed a quite significant increase over the previous year where it actually showed that the number of data breaches had a massive increase. It went up from 3,950 in 2020 to over 5,258 in 2021. For me, when I looked at that number, that was me, I think it was just the resetting of correctly categorizing ransomware now as a data breach where previously it was a security incident. They didn't classify it. And even in 2020 report, they actually had a footnote saying this doesn't represent the change in late 2019 when ransomware started to become exfiltrating data. What's your thoughts around those numbers? What did it tell you?

Jonathan Meyers:
Yeah, so I think the numbers like that, that correction definitely helped, but I also think... I mean, with the last year that we've had a lot of people had a lot of free time on their hands. And so I think a lot of people that might've normally just been working like 9:00 to 5:00 at a factory that were doing this stuff from the moonlight now had full time to be... Stuck at home. I'm getting bored, like, oh, maybe I'll start researching more and then... I'm sure many of our listeners are familiar. You go down these rabbit hole sometimes when you see a new technique and you'll spend three, four days just trying to completely understand that. And then you're like, "Oh cool. Now let's go out and test it."

Jonathan Meyers:
And since you have nothing else to do because everything's closed, you can't visit friends, families. I think that had a lot to kind of start to creep in there and people that we wouldn't have normally seen actively try to start exploiting and making money this way, kind of finally got in the game.

Joseph Carson:
Yeah, absolutely. Some countries their cyber criminals had a lot more focus and time in order to engage in their techniques rather than kept busy doing other things. So their always became their social entertainment in order to keep active. And also at the same time, as well as not only was that the threat actors and cyber criminals got more involved, but also the change in the threat landscape for organizations having to go and work remotely also meant that... I seen a lot of organizations who opened up RDP ports, public facing internet so that employees could continue accessing servers. And of course, within a couple of seconds, those machines get brute-force attacks to gain access. And then they sell it on to other cybercriminals who will then abuse it and deploy things like ransomware.

Joseph Carson:
So it really meant that organizations were facing this hard, tough decision about, do we stay secure or do we stay productive? And they're faced with those tough choices and not all organizations can do everything. They can open up services to the public internet, but at the same time, maybe they're not skilled enough or don't have the people or the people aren't just in the office in order to turn on the security, so they have to face those tough choices about balance. And do you think also the pandemic has also opened up a lot of doors for criminals to be successful?

Jonathan Meyers:
Yeah. I mean, it's a tough conversation when you're sitting at a table and your entire business is just tanking because you don't have stuff, you don't have like sales coming in. And so it's like, well, how do we keep enabling salespeople to keep making the sales that pays for keeping the lights on, securing these things? And so I think it's a very difficult situation that I don't envy any CSO or CTOs or VPs of engineering that had to sit at that table and basically get told, make it work. We're going to accept the risk. I think also people having cyber insurance is more common these days. So I think that helps a lot. People are like, "Okay, cool. At least we have some sort of cover if something were to happen, but we need to make money. We don't have our traditional ways. We don't have people on the road going face to face with people. We need to make this work and we need to make it work now."

Jonathan Meyers:
Especially as it started drawing on.

Joseph Carson:
It's a tough choice-

Jonathan Meyers:
Yeah.

Joseph Carson:
It's a really tough decision because ultimately organization's business need to make money and they have to prioritize that, because if they're not of course then security is just being wasted. One of the thing is security and productivity is sometimes a double-edged sword and it's finding the right balance between those. And I think one of the things, as I mentioned before, even, the ransomware evolution has changed as well. That has also impacted the figures within the Verizon Data Breach Investigation Report with that, evolving late 2019 to becoming data exfiltration and that's become significant. And also started seeing it turning into ransomware as a service. We have affiliate programs where you've got organized crime who basically have a production line. They're hiring different parts of the chain. They've got people who specialize in access, just for pinging access and that's their main goal is to gain access and get credentials and get entry points in the organizations.

Joseph Carson:
And then you've got the other specialist that they hire, which is the encrypters, those who specialize in encryption and topology and be able to then create these ransomware payloads that are very efficient, very effective, very well maintained and updated and new variants coming out frequently. And then they've got those who are willing to use it and abuse it and will pay sometimes as part of the affiliate program. And this is where it gets into some of those, a bit of the affiliate programs where those who create it and make it available and sell it for, let's say joint rewards or loyalty programs, they lose control over who the targets are. What's also we're seeing causing a lot of disruptions where some targets were not the ones that they would liked and painted a big target on the organized crimes back.

Joseph Carson:
And then you've got also the help desk side. They hire help desk to really help organizations plan how to pay cryptocurrency Bitcoins and ultimately help them decrypt the data which we also seen in the, I think it was the Irish health service, which was majorly impacted by that. And one flaw we've seen in the cryptos is that the decryption process is not very efficient, so I think that's where a lot of this ransomware payments is going to go into investment thus making the decryption much better. But with that, what's your thoughts around the reports indication of the whole ransomware as a service and being classified as now a data breach and not just a security incident?

Jonathan Meyers:
Yeah. I think it's an interesting way of thinking about it and I'm glad that it brings it to people's attention. So the way I like to kind of phrase this was, so I have a history in the military. And so with certain conflicts, recently, people tend to assume that the adversary's not as smart as you or not as entrepreneurial as you. And they start to assume all these things like, "Oh, it's just a guy in a basement, or it's a government sponsored group of people doing things." And they don't tend to think that no, these people also are human beings. They also probably have entrepreneurial skills, like they're out there trying to advance the thing. And so a lot of people underestimate your adversary in a lot of these situations.

Jonathan Meyers:
And so I think this report starts to kind of bring that up and highlight it as like, no, these people are not just a guy in a basement or a state sponsored. There's actually people out there trying to make money and make a service just like everybody else in Silicon valley and across the world, like software as a service started getting big a couple of years ago and now it's finally... Somebody found a product market fit and it works and they're exploiting it and it's... I think that's a good thing to kind of raise attention to that. So I'm super excited that they started acknowledging that.

Joseph Carson:
I agree. And for me, when I look at it, it shows you that these organized crime, they see it as a business, it's a business for them. We're providing a service. It's just a service you don't like. You don't have to like it, but they see it as that they're exposing security vulnerabilities, but they're abusing it for financial profit. And that's ultimately kind of like it's a business model for them and they are doing it very successfully. So I'm hoping that we do find a way to get a step ahead as well.

Joseph Carson:
Another major thing in the report, and this actually was introduced in last year's, but it was further enhanced this year, is that it was more aligned to the regulations. So for example, we have the CIS security controls. We have got things like SANS. We have NIST framework. So it really started to tie more into the controls themselves and showing that map off, for example, the attack framework, the MITRE ATT&CK framework, and really mapping into which ones are being abused more, which ones that are coming a bit more... the common techniques. Because ultimately what I see is a lot of organizations, it's the privilege escalation side of things. It's using stolen credentials, having local administrator rights in order to gain access and move. Organizations for your backup strategies, their backing up strategy is not actually designed for ransomware, it's designed for fault tolerance, it's designed for availability. So their backup's online with the same credentials to both production, same network, flat network.

Joseph Carson:
So ultimately it's really... I think the report itself is great to show that alignment, to show how it aligns to regulations and compliance. Any thoughts around those that... I guess that's more the help to get the budget to pay for things. I think that's the goal.

Jonathan Meyers:
Yeah, exactly. I think it fits in well with the managers and the people that are out there actually like fighting for dollars, right? Like they can use it to prove like, "Oh, here's the certifications we have and things like that. Here's what the industry is showing like where things are getting hit. Like this control, this control that control." Like it's not necessarily for the end user sitting down, working in a SOC trying to defend and do all this stuff. I think that guy could really care less what CIS control is being attacked.

Joseph Carson:
Correct.

Jonathan Meyers:
He's just there trying to defend it, but for the people that are trying to get more budget and get more butts in seats for more personnel and things like that, I think it's super helpful because it actually provides visual data, like, nope, this is this. Because I think a lot of people as a security person trying to make the sale at the C-suite or the VP level, it's very difficult to explain CIS controls. People's eyes glaze over and they're like, "Okay. Yeah, sure. It's a control. Great." But if you can point and be like, "Nope, 900 organizations in this specific industry were hit with CIS control." Whatever. And so it's like, that's where they're attacking. Like this is what we need. And I think it just provides more ammo and makes it easier to kind of get those dollars that you need back into the SOCs that have traditionally been understaffed and under-

Joseph Carson:
Yeah, absolutely. That's the kind of where my takeaway was as well. It was that they need... You don't want them just to report on fear because the biggest review reports years ago was all about fear. It was all about, I'm scared and how everyone... There's so many instances that make it look like it's so easy. But the more recent reports have really thought about that we need to show how it can be usable, how they can make sure that they can actually present back to the business to get the budget they need to harden, strengthen the security, become more resilient. And so for me, that was a very positive move. And of course it means that you've got a broader audience. So it's not just about security professionals. This has expanded to for example, IT audit as well. So when they're looking at doing auditing of compliances regulation, they've got more information to support those requirements. So one of the-

Jonathan Meyers:
There's a couple of other things though I'd like to... I would hope next year if they listen to this and anybody figures it out, I hope they start to talk more about risk. I think that has really helped talking about like at the C-suite and the VP level, if they could start to tie this all back to how much risk and things like that, because ultimately that's what it comes down to when you're fighting for dollars. And I think they have all the data to be able to prove that. And so I think that would be a very interesting kind of twist to kind of help do that sell a little bit further.

Joseph Carson:
They did introduce an impact category this time. And I thought that was really... I think that's the beginning. I think they realized they need to go down the risk path. So this impact side of things that it kind of brought a new visualization, meaning that there was an actual financial impact, but for some companies who respond really well they're financially resulting can actually be a positive. So there was certainly... If they show these organizations do become victims and they show that they are resilient, they can recover quickly, then actually it brings confidence to that service. So they did actually bring that impact category, but I agree it needs it. And that actually should probably become the focus is how do we turn this into usable business...

Joseph Carson:
Because ultimately at the end of the day, my job, I agree, when I look at it, my skills is security. That's my skills and my knowledge and my background. But when I look at what my job is, role is to help in businesses is to analyze and understand risk and reduce it and find ways to maybe use my security knowledge to help reduce the risk. It might be training, it might be documentation, it might be... It might be something else. It might be technology, it might be human based, but ultimately trying to reduce that risk is ultimately our goal. I think the report needs to start kind of moving more into that direction for sure.

Jonathan Meyers:
Yeah. And I think it'd be interesting if they could start to bring in like... Me personally would love to see the data on the amount of money that a security... like an organization spends on security. And then I want to see how much money if they got attack, they spent on ransom and I want to see if there's like some correlation that can prove and be like, "Hey, we spent zero money on cybersecurity, but our ransom was $40 million." And so I think that's super interesting and not necessarily just ransoms, but the resulting amount of money that it costs to clean up said mess. I think that would be interesting, especially because they have access.

Joseph Carson:
What was the balance? What was the balance? Was it a positive or negative at the end of the year?

Jonathan Meyers:
Because I think even if it goes the other way, like if they come out and they say there's no correlation between cybersecurity spend and protection levels or like ability to get hacked, I think that's a very interesting thing and I think it helps us practitioners because when vendors come in and want to charge us a ton of money, we can be like, "Hey, it doesn't necessarily correlate that your software is very expensive, that it's actually going to prevent these attacks." And so I think that's a powerful tool coming from the not vendor side.

Joseph Carson:
I mean, it'd be interesting any organization that stockpile Bitcoins preparing for ransomware have probably made a nice profit.

Jonathan Meyers:
Oh yeah.

Joseph Carson:
So anyone from the not ... times says we need to buy a couple of grand in Bitcoins and the now they're probably sitting on a couple hundred thousand or several million of Bitcoins just in that preparation-

Jonathan Meyers:
That's their cyber insurance, right there.

Joseph Carson:
Exactly. That's the cyber captive. So next thing that I really find interesting as well was that, the report really highlights another major area for me was that cyber attacks don't care about who the target is. They have no ethics whatsoever and everyone is a potential target, that it doesn't matter if you're hospital, it doesn't matter if you're in government or financial, public services or even just the citizen sitting at home basically streaming entertainment or playing games. Everyone is a potential target and it really shows that... We look at some of the summaries that the 85% of the data breaches involved the human element of it. It's not to say they were responsible or they caused it, but they were part of the attack path. That means that the human side of things is becoming the easier path for success for cybercriminals.

Joseph Carson:
13% was non DDoS incidents involved ransomware. And also only 3% of the breaches involved vulnerability exploitation, which is a significant one for me showing that they are less targeted. It used to be all about application or server or less fundability that was kind of that main entry point. And it seems that moved away, they decided that it's much easier and also easier to disguise themselves as authentic employees. So what does this kind of tell you in regards to where we need to spend the time, our energy or focus?

Jonathan Meyers:
Yeah, I think it's interesting, especially... I think there might be a correlation too with what's happened the last year with the pandemic and people being at home and not being in an office. And so everything is virtual. It's an email. It's a phone call that comes in. It's not necessarily like it used to be where you're sitting face-to-face and you're having conversation with HR or the IT help desk. It's very easy to verify that in real life, but as we start to move away, I don't think we necessarily were prepared with like training our employees of phishing phone calls and phishing not necessarily the traditional phishing emails, but a lot around like a Zoom coming in and things like that. It's very difficult to kind of predict that that was going to happen and I think... I mean maybe somebody out there train their people to do phishing phone calls, I'm assuming very large financial corporations and things like that have kind of done some training around that, but from experience I know that that training is very dry and boring and I don't know how many people paid attention.

Jonathan Meyers:
And so I think that's kind of an interesting thing that we probably need to consider, but at the end of the day, it's still people, like people have always been the weakest link and I think sometimes security professionals forget just how layman the average person is when it comes to like a lot of these things. I remember recently dealing with my parents. They're in their seventies and they have to go on to a government website to renew some government entry forms or passport or something like that. And these government websites now have like multifactor, but this was his first time experiencing the idea of multifactor. And he was absolutely frustrated with the entire process of how to do this. And so I think that just highlights that yes, security is moving, but people are still... they just don't necessarily innately understand like a lot of these controls and what they're for. And I think it's something that we sometimes forget about a lot on this side of the fence.

Joseph Carson:
Yeah. One of the things I... I mean, we have to realize in the past year, a lot of people have had to learn a lot of new tools, learn new techniques. They've had to move the communications to online, so they're using a lot of social communication tools. They've had to move to video conferencing, so they had to learn things like Zoom and Teams and GoToWebinar and whatever. There's tons of applications they've had to accelerate and learn. And on top of that, trying to get them to use it safely and securely, especially when the security in some cases is complex. It really slows down their ability to perform and be successful and do their job. The last thing you want to be doing is really creating friction with the users. So this is for me is that we have to understand, we have to start understanding it, but we had to really move towards a much more usable security approach, meaning security must move into the background.

Joseph Carson:
And when an employee's faced... Like your parents, when an employee is faced with tough choices where it's either I get my job done, or security stops me from doing my job, when they're faced with that tough choice, they're going to choose the easy path and say, "I'm going to do my job. I need to get it done. That's what I get paid for and I'll take the risk, the security risk in doing so." And this is the challenge, we have to start looking at when they have that choice is that the choice and path is always the easy choice is the secure path. Security has to make it easier, not more difficult and that's always the balance that we have to find when we're going down that path.

Joseph Carson:
And I think that, also getting into one of the things you mentioned about awareness training. I think awareness training has been working. There is emphasis around phishing attempts and emails and indicators of compromise. So employees are learning more about being more cautious with links and more cautious about what attachments they open and so forth. But I think the problem is, is that now people think that that's the only threat, that's the priority, that's the one that they must watch for. But then that means that they become more lax about the other threats. That basically entering their credentials into malicious websites, how they didn't tell the difference. Saving their passwords on browsers, accessing corporate services in public wifi. These start to become much more less on the focus point because a lot of organizations have prioritized phishing right up to the top, and now all employees that's the only threat that they're aware of and less of the others. And there's been that lack of balance I think. I think there's been a lack...

Joseph Carson:
I think the report really kind of... It shows that awareness training is working, that people are clicking in less things, but ultimately it only takes one person in the organization clicking something. You're never going to get a hundred percent success at training people not to clicking things because their job is to do that. So for me, I think that's really important. We need to make sure that it's how we prevent it after the click, after the person does that click or opens the attachment, how do we stop it after that from becoming a major incident? Rather than saying, don't do it, don't click on it. And we have to accept people will click on it. How do we prevent the actually once they click and the harm happening, laterally moving and elevating and encrypting, moving on and getting access to other credentials, how do we stop that from happening? I think that's where we need to probably emphasize a lot of the training and time on.

Jonathan Meyers:
Right. And this reminds me of a story that my buddy who works for a very large investment bank. And so your security awareness training and all this stuff can be great up until somebody at management decides it'd be best if everybody had standardized Zoom backgrounds. And so then they put these standardized Zoom backgrounds on the public website so that all employees can make their virtual background, an approved company virtual background. And it's like, oh, it's the guy that's going to do a phishing Zoom call. I'm just going to set that background to the company's approved background because you put it on your public website and now I probably just disarmed 20% of your entire workforce because they're like, "Oh, I'm used to seeing this. This is normal. This is habit. This guy definitely works for this company."

Jonathan Meyers:
And so it's like all the security training in the world until somebody higher up is like, nah, we're going to standardize on this thing and just unravel everything and so... I think employees are trying, but it's still, we got to keep going with it and kind of make sure we're not...

Joseph Carson:
Even the more sophisticated ones can actually even change their face and their voice on the Zoom call as well then to looking like a celebrity or let's say an executive at the organization. So it really gets into it... Even changing the background and simple things can make people look like they should be there. Even if you put on the shirt of the company, if you can just find out what they typically wear or dress to look like you should be there. No one pays attention to that. They just assume that you're on there so you're authenticated and approved person. We've seen a lot of, and last year, it's been probably on the news quite often about the Zoom bombers, that people joined on unsuspectedly. Even, I think it was some major countries like... Was it? I think it was UK and several other governments had someone join because they basically took a picture of the password and posted it on social media and somebody joined it.

Joseph Carson:
I think that person, they did go through some type of prosecution for the person, but it just showed that... I think they tried to sue because it was not an approved access, but I don't know what the result of was, but when you post it on social media, you have to expect that somebody is going to try and join and get firsthand information.

Joseph Carson:
The next thing that really, for me, what really highlighted in the report itself, so in the data breach investigation report, another key takeaway for me was around that misuse of credentials. Just before I get into that. One thing I did notice that also one thing that was very concerning was cloud assets started overtaking on-premise assets as the top target. So basically what happened was that typically they're targeting your direct infrastructure. The report indicated that cloud assets became actually overtook that in the number of incidents. So meaning that the criminals are now not just targeting your on-premise, but they're actually prioritizing and targeting the cloud infrastructure more. What's your thoughts around that, the criminals are now moving more to focus in the cloud assets?

Jonathan Meyers:
I think it makes sense, especially if you think they're trying to productize and do the easiest software as a service hacking tools they can provide, cloud access... I mean, cloud assets are there, like you know the end points, you know the IPs, like you know where these things sit. It's very publicly available. You can go in and spin up your own cloud environment and test and do all these things and not have to know anything about the layout of a corporate environment. Because most of these people's spending up cloud environments they don't most of the time know how to architect it securely. And so there's very limited numbers of ways that these things can be configured and once you know that it's very easy to write a tool that just rinse and repeat every time.

Jonathan Meyers:
And then I think we're finally starting to see people catch up and realize... One of the things I've been saying for a couple of years now is you can't just move physical into the cloud. Like your whole idea of how to lay out infrastructure and networks and all of that basic, basic fundamentals of security, like just do not apply. Like they're just not set up the same way. A lot of people talk about like, "Oh, well we still have DMZs and all these different types of things." And it's like, yeah, that's great on a physical network, but as you started moving in the cloud, there are much better ways to start to do those types of things and there are different ways of thinking about how it works. Like if you think about exposing your service publicly to the internet, it's right. Most people don't think like, "Oh, well I could just use a public cloud service load balancer." So that way, that's the thing that has to get defended and I'm pretty sure AWS, Azure, Google, they're all very good at defending their cloud load balancers.

Jonathan Meyers:
Me in no matter what organization I'm in, probably 99% of them, AWS, Google, are going to do a better job defending that load balancer. Because they're handling the firewalls, they're handling all this other thing. It's when people are like, "No, we need to do it our same way and we're going to run this firewall appliance and do all this other stuff." It's like, you're basically eliminating all the security measures that these people basically built their cloud around. And so I think that's starting to highlight a lot of the fact that these traditional on-prem infrastructure guys are kind of trying to copy paste when they move stuff to the cloud without rethinking really we're moving into a new medium almost.

Joseph Carson:
Yeah. I always try to... when people are looking at doing cloud migrations and digital transformation, I always try to make... I use a metaphor to try and explain it to them, to try and simplify it so they understand it better. Because to your point, you cannot just take what you do on-premise and just plug it in the cloud and expect the same results. You can't do that with the lower cost, that just doesn't happen. So I always try to explain is that the difference between having a traditional on-premise and in cloud infrastructure is that it's the difference between you have your house and a garage and your car is parked inside your garage and you're locking the door and your security is the garage door and maybe window, maybe a door to the side, that's your security, you control it. So it means that you don't have to worry about when your car's inside the garage whether the doors are locked, the windows are closed, the boot's opened, whatever. You have just focus on the perimeter.

Joseph Carson:
But what happens is though when organizations try to move their assets to cloud computing resources, it's like taking your car out of the garage where you're controlling that perimeter and you're now deciding whether you put it into a paid parking lot that has much more security around it such as using native cloud security, some of the hosting providers provide, or you're deciding to park it on the street and then now you need to think about, "Well, now I need to close the doors. I need to close the window. Maybe I need the blacken the windows out so no one can see in. I need to close the... I need to add additional security. But if you simply just take that car and park in the street or in a shared parking lot, then you have to understand that now you have to think security differently because before you just focused on the perimeter, you focused on that internet access point and you want to make sure only good things got in and prevent the bad things from getting in.

Joseph Carson:
Which always meant that if attackers did get in, they had full access to the entire environment. Or that means that when you move to cloud, you do need to take a different approach. You do really need to prioritize things like identities and access and privileges and encryption, and then understand that as well about making sure you've got redundancies in place as well. Because if attackers ever gain access to your cloud, they can completely lock you up.

Jonathan Meyers:
Totally. It's crazy.

Joseph Carson:
On premise, you have redundancy, you know you can run into the lab, you can physically-

Jonathan Meyers:
Unplug it.

Joseph Carson:
... unplug it and you can get access again ... but if it was in the cloud and they lock you out, you're out. And you want to hope that you do have some type of, at least backup that you can work with the hosting provider to restore and that the attackers don't have access to, or you have an offline on-premise a backup copy as well. So it's always important to understand that when you do move the cloud. And absolutely cloud assets, they're online 24/7 and a lot of times that-

Jonathan Meyers:
They don't have to be.

Joseph Carson:
They don't have to be, but what happens is that you end up... That means that attackers can use them all they run and a lot of organizations have lost the auditability or visibility of what's happening as well because when they moved, now may have multi clouds. They may have SaaS, they may have virtual, they may have hosted, they may have infrastructure as a service and now trying to get just visibility of what's happening in all of those, means that they have multiple interfaces, multiple portals, multiple ports, and getting that correlated becomes a bit of a challenge. For me, I think attackers are taking advantage of that lack of visibility and transparency right now, and organizations really need to make sure that when they have a cloud strategy, they need to think from the basics ground up by building a new security strategy for cloud specifically, or take advantage of the services that's already built in.

Jonathan Meyers:
Right. Yeah. I think people... Especially, I do a lot of cloud migrations and stuff and I tend to not ask what their stuff looks like. I don't ask about their existing network. I just ask like, what service do you have? What does it do and how does it run? I just want to know your services. I don't care that you have a firewall here. I don't care that you have an IDS, IPS. I just want to know what service you have and that'll allow me to kind of architect in the new world and then we'll go from there. We're not going to try to be like, "Oh, well I need this network to be on this router, and this network to be on this router and separate physically. It's like, it's not worth it. You're just basically crippling the built-in securities that exist.

Jonathan Meyers:
And then I think a lot of the issues is it varies wildly between cloud providers. So certain ones like Googles of the world, it's very easy to get logging from your entire project in one place. It's going to suck it all in and put in one dashboard whereas something like the AWSes of the world, it's more up to you to kind of connect these pipes. Like a log from an AWS service isn't going anywhere, unless you told it to go somewhere. And so I think a lot of that stuff people don't kind of understand how it works. Some providers kind of give you that whole like it's effectively like it was when you were on-prem, you got a SIS log I think where you got to put a log stash agent on it and ship it somewhere versus like the Googles of the world that are kind of like, "No, we're just going to grab the logs. We have the logs. We're going to put them all here for you."

Joseph Carson:
We'll use it as well for our own and sell it... we'll also sell that activity on to others, the telemetrics and stuff. Telemetry. So one of the-

Jonathan Meyers:
I think that would be a good report to read. The Google report on like what errors they see and how misconfigured things are and their top... Like this is where attackers got in, right? Because they run their own NOx and SOx and stuff. And so it's like-

Joseph Carson:
You expect Google now to start doing the patching for you and configuring things for you, getting that analytics.

Jonathan Meyers:
Gets me in to a source subject, which was the inclusion of the FBI comment in the Verizon report. I don't know if you notice there was a page from the FBI and it was like, "Oh, are we going to..."

Joseph Carson:
I actually have that right in front of me. Yeah. The FBI comments.

Jonathan Meyers:
And they left out about how they're just going to go in and patch your systems for you. They clearly left that out.

Joseph Carson:
Yeah, we had a... I mean, myself and just Josh Espinosa and Mike we did have an episode on that about now why I don't need to patch my machines. The FBI's doing it for me. But I mean, it's always a balance, so they might have the right intentions, but I think their way of communicating it has a lot of work to go.

Jonathan Meyers:
Where's their breach report?

Joseph Carson:
The communication was a bit lacking and going in, but the intention, I think the intentions were good, but communications there's a lot to be said about it. Because they were talking-

Jonathan Meyers:
Hopefully that information drove some input into this report and they kind of filled out like here's the data we have from these people that got breached. Hopefully those people were involved and that data is included in this report.

Joseph Carson:
So one of the other things as well that I took... some of the key takeaways as well was privilege abuse. Over privileged users is a big issue. Local administrators, people have too many rights, they have access to everything, they can change security, make configuration changes. And a lot of the abuse of that all comes down to... A lot of the incidents are financially motivated. This is a cyber crime, as we mentioned, it's a business. There's very few that's focused on espionage or... There's probably a few that is nation states. But when the nation state one do attack, they are typically big and big companies and a lot of downstream impact of it from a privacy and infrastructure and exploitation side. But when you look at it, most of the crime either is financially motivated. It's all about money. It's about making money and that's what the cybercrimes are looking to do. But we're kind into the top common causes of data breaches.

Joseph Carson:
When you pull that out and you start looking, what is the top causes and it comes down to these are the lists that comes out of the report is poor access management. Is not making sure the access controls are right, correctly configured. Misconfiguration of cloud storage, which I think the attribute in last year's report, the previous one was about human error was our biggest mistake, our biggest increase in threats was ourselves. And again, to over-privileged users, sharing of credentials, passwords being the only security control. So the only thing that's keeping cybercriminals out is password. And we know how poor we as humans are at selecting and creating smart passwords that we only use them one system one time.

Joseph Carson:
Also, third-party access is becoming... We're seeing also with things like MSSP breaches, we've seen major vendors with their patch updates, supply chain, which we've talked about before. Employees being remote. And also in the past year, we've seen a large increase in shadow IT. Employees going out and shopping around for their own solutions using their own employee credentials to sign up for those services and connecting them, sometimes to a lot of things, will it be email or your calendar and so forth. What's your thoughts around those common causes? And it's something that, are we prioritizing them correctly? Can we do better? What does that tell you?

Jonathan Meyers:
Yeah, I mean, we can always do better, but I think what people... Some people just don't I think seem to think through this, but IAM is hard. It's not easy. If you take away people's local admin access on a box or a local administrator fixing that box now becomes infinitely harder. And if you take them away from the office and put them at home, it's like, "Oh, how am I going to fix anything now?" Because then you're talking to somebody over the phone, telling them what keystrokes to type. That's no fun, right? Maybe you have a remote session with them and you can kind of type things, but if there's no local administrator on the box and all these types of things, it's very difficult. And so, one, you need the budget to pay for the people that are going to then not necessarily be experts IAM but manage and help end users that are trying to do things.

Jonathan Meyers:
I think the passwords, the shared passwords and the things like that, there's so many services that it's just... it's either financially prohibitive, more they just haven't built it into their software yet and sales needs it now and they want to use that software. And so great. We're sharing a password. I don't think password managers are as prevalent as some people might think. There's some people trying to make it easier and more convenient. I think people understand that like Google, the browser has a password manager, which I guess they're trying to productize now and make it easier and things like that, but that doesn't natively have like a sharing thing and so you're going to have to find a separate solution and then train users how to use that separate solution to share passwords. That's the way to go because it never tells the user the password, but you now have to train them and configure it and manage it and so more software to kind of manage that now and so the complexity level jumps just to kind of fix a simple problem. And yeah, I think IAM is a very, very tough situation-

Joseph Carson:
It is.

Jonathan Meyers:
... to handle. It's because you never... I think one of the biggest things is it creates so much friction, even for security professionals. As you're trying to go through your daily job, it's like, "Okay, cool. Now I have to assume this role and do this thing and do this thing and keep jumping through these hoops just to change one setting or to review one log file." And I get it and I think in my opinion is we should have just more logging and more audit logs and more kind of built in alerting around things like that to kind of catch it quick. I'm all for a prompt for a second factor, anytime anything's wrong I will give you that second factor, make it a security key.

Jonathan Meyers:
As far as the shadow IT, I think Google... Well, we use Google apps and stuff and they have some advanced controls now. I think they call it their advanced security protection, which is great. It will not allow you to use your OAuth or your OIDC authentication into Google. It will not let you share any roles outside of like your email address. And so you can't connect it to your email inbox. You can't connect it to other calendars. You can't use third-party email clients. And I think that's kind of a great step moving forward and I wish they would bring it from an all or nothing to something a little bit more manageable where I can basically approve apps and scopes that that app can take at the company or security level and then kind of push that down. So, yeah. It's...

Joseph Carson:
Just going one of your points, one of the things I... Because I dealt with a lot of digital incident response and forensics and what I've seen it went from storing the passwords in clear texts on the desktop in a text file to storing them in the browser with no additional security. So even if the attackers can access to your laptop, they simply open up the browser and click in passwords, and there's all your passwords accessible in clear text anyway. So by saving in the browser is definitely not... it's not a password manager. It's just a... Unless you enable security, it's just another clear text password file that's on the browser. That's all it is. And we really need to make sure-

Jonathan Meyers:
I think it's a good step though.

Joseph Carson:
It's a good step to making unique passwords. And actually-

Jonathan Meyers:
Well, I think it's a good step just to get people to store them somewhere. Like it's an automated tool and it's very easy once you've trained users that are using this to add one layer of technology. As long as they were like, "Oh, you have to multifactor before you can access your passwords." Easy switch. Easy training users to do that.

Joseph Carson:
But I wish it was on by default. I wish it was the default option. Once you start using it, then you have to... The best thing is that one is you would get a discount for using it, for using security. And that's one other thing that we've had these discussions before, but I really would love organizations to say is that if you're not going to use the security, it's going to cost you more. So try and push people into making that... Security should be a return on investment and should be discounted for using it and turning it on.

Jonathan Meyers:
Well, yeah especially if you think about risk, the company that you're not using the security on their platform, like their reputation is going to take a hit if you leave your accounts open and it finds out that like, "Oh, this company was hacked and they were on AWS." It's like AWS is going to take a hit on that. AWS is probably big enough to come back from that, but some of these smaller software vendors probably aren't. And so I think that's an actual reasonable idea.

Jonathan Meyers:
Going back to your on by default in the browser, I think it's a fine line there because if it creates too much friction, then nobody's going to use it to begin with. And so if out the gate you're already asking for multifactors, they're just like, "Nah, I'm just going to use the same password, so I don't have to use this thing." But if you kind of trick them into it. Get them using it for like three, four years and then just flip the switch and be like, "Oh, hey."

Joseph Carson:
No other choice. One thing I want to get into in the report, kind of bring it up into summary and level up is that here's some additional statistics out of the data breach investigations report itself was the increase in the attack actions. So these were the actions that occurred within the incidents and breaches. So one was that the human element had an increase of 85%. Credential theft and credential abuse was 61% increase year over year. Phishing was up 11% and ransomware was only up 10%, but I think it was becoming more successful. I think that was one thing is that increased, but also success. And then we look at one thing we talked about-

Jonathan Meyers:
We under report it.

Joseph Carson:
Yeah. Or that you have... We only hear about it and they just didn't go ahead and-

Jonathan Meyers:
We don't know it yet. I think organizations just don't know about a lot of these yet, so it's... Yeah.

Joseph Carson:
So the other thing is, well, we talked a little bit about the risk and I mentioned that they introduced this new impact piece of the data breach and this where they brought in the mean costs of different types of attacks. So the one that was a business email compromise which was 95% of those incidents were costing between $250 and upwards of just under one million. So that was for business email compromise. So significant costs of that. When you look at CDB, which was 95% costing between $148 and up to 1.6 million. So a significant cost. The next thing was around things like, well, you've got the forensics costs of those coming in and cleaning up and responding and gathering. 95% of that cost was between two and a half thousand dollars and upwards of just under 350,000. Legal costs as well, because of course when you have an incident, you have to involve your legal team because of potential regulations and compliance and audit failures. 95% of those costs are between $800 upwards of 53,000.

Joseph Carson:
And then ransomware, 95% of the ransomware costs was between $69 and 1.15 million. So that's kind of where they're looking at this really financial portion, which I thought was quite interesting because it really shows you, well, these are the average mean cost of those incidents and to your point earlier is it cheaper or more than the security cost? And this is something that we'll find in that balance. Of course, I don't think these are the absolute costs because I think there's other impacts to it, but they were trying to give you an indication about what was the, at least the direct impact costs of those. Any thoughts around the numbers that they introduced or are reflected there in that... Was it surprisingly low or high given that you get one company that gets maybe 40 million or 70 million in regards to ransomware versus the average company?

Jonathan Meyers:
Yeah, I think it makes sense if we think about how a lot of these software as a service hacking tools and stuff kind of now operate. They're getting smarter and they know exactly how much you're willing to pay and how much you're not willing to pay before you kind of just say... Like I think there was recently a breach at some hospital and they were like, "Okay, fine, we're going back to paper." And so I think them being able to gauge what the willingness to pay is, and start to fine tune those financial models that they're using I think that's going to start driving down prices, especially as we see like the... It's not always the big corporations that are getting hit now. Now they don't discriminate. So it could be a random person at home and it's like, well, I can get $50 out of this person. I'll take the $50 because I clicked a button on a website and it did all the work. And so $50 is $50, and I can do a hundred of those a day starts to add up.

Jonathan Meyers:
And I think they're just... their financial models are starting to get tuned a little bit. And so I think we'll see a lot of the costs start to drop except for the very, very large companies that are willing to pay.

Joseph Carson:
Yeah...

Jonathan Meyers:
Keystone pipeline.

Joseph Carson:
Once you're locked out and your business has stopped and millions has been lost a day, then they're going to take advantage of that. And I think really when you look at it, it's becoming more commercialized. There's a lot of people that's doing it. As we mentioned, in the past year, there's a lot of organized criminal gangs who's now looking at this as a good business entrepreneurship to get into. Unfortunately they are from countries which don't see these as crimes, or they will pay a blind eye for them if they will do some work on behalf of the nation states as well. So unfortunately some countries are providing safe havens for these cybercriminal gangs to operate and to cause disruptions.

Joseph Carson:
With that, I think to your point is absolutely spot on. One thing I want to get to is the report itself. I find that one... The report's great, and I think it's evolving and getting much better over year. And one thing is always about is that when we look at the... The report shows that we are getting better, even though there's a lot of major incidents. We do see a lot of security data breaches in the past year. It does show that there is improvements. We are getting better. So for me, I think as we work together as a community, that it's important and I think the transparency in this report really shows that.

Joseph Carson:
One thing that I'd hope is that... I do find that the actual graphs have got a little bit more complex. So my note to the Verizon team it needs to stay simple. I don't want to spend a lot of time trying to understand. I don't want to have to watch two to three webinars just to understand how to read the graph.

Jonathan Meyers:
I wish they would give us like a playground, like you just pick the data sources, not see any of the underlying data, but then build my own charts so I can overlay certain industries that I care about and certain types and start to see trends specifically for my industry and things like that.

Joseph Carson:
Absolutely. So I think, for me, the report's awesome. Any final thoughts that you wanted to kind of... from the report itself?

Jonathan Meyers:
Yeah, no, I think the reports are great. I think a lot of the listeners, it's great to just kind of maybe grab the executive summary and kind of share it up the flag pole, if you will. Because it's good to get people to start thinking about this and show that there's other organizations and there's very real costs and these incidences that are happening are not just the ones you hear on the news, there's a lot of stuff that's going on at minor levels that could still impact your business to a significant extent especially if you're at the smaller levels, like some of these could be crippling. And so to kind of start to raise awareness and kind of prove out like your job worth, not that you have to prove it out, but it gives you more ammunition to ask for more hires, more software, more tooling to make you better at your job.

Joseph Carson:
Absolutely. Great advice. And for the Verizon team, definitely keep up the great work. I am always looking forward to the next report, but keep the graphs a bit simpler or at least... For the executive side of things, keep it for the audience, the majority of the audience, not just those data nerds. Been a pleasure, Jonathan, having you on.

Jonathan Meyers:
Welcome.

Joseph Carson:
It's great talking with you and I think for the-

Jonathan Meyers:
Thanks for having me.

Joseph Carson:
... audience, really kind of breaking down the Verizon Data Breach Investigation Report taking some of our key takeaways and feedback and hopefully people will tune in again, keep listening and stay safe and it's been a pleasure having you on the show, Jonathan, so all the best and to the next episode.

Jonathan Meyers:
Awesome. Thanks.