Greetings everyone. I'd love to be able to tell you that all things online are safe, happy and doing well, but I can't. The numbers are in and it's still a mess out there, despite a short drop back in October. Cyber attacks are on the rise again. Cybercrime, espionage and hacktivism are still the top motivations behind these attacks. Let's try to make some sense of how we can deal with these threats, shall we? Today, we have the pleasure of speaking with Christopher Edwards, a respected cyber security expert. Christopher, as we just saw, these types of threats have existed for years. Why is that, and what makes their prevention such a tough challenge for companies today?

Well, the volume and sophistication of cyber threats has grown in recent years, making it difficult for security teams to keep up. Beyond managing the risk associated with a relatively known set of core applications that are authorized and supported in the enterprise, security teams must now really manage the risks associated with a practically infinite number of unknown personal technologies, applications and apps that have to be used in the organization.

So are you saying that the threats are moving targets, and we users are compounding the problem by bringing our devices to work with us?

Yes, exactly. Devices now are used for both work and non-work activities, meaning they must be tolerated but not completely trusted. The challenge now is not only to allow work-related application traffic while blocking non-work-related traffic; it has also become increasingly difficult to classify applications as either good, which should be allowed, or bad, which is what we want to block, in a clear and consistent method. So, many applications are clearly good: low risk, high reward. Or they're clearly bad, which would be high risk and low reward. But most of them are somewhere in between, depending on how the application is being used.
For example, many organizations use social networking applications such as Facebook. They use them for important business functions such as recruiting, research, development, HR, marketing and consumer advocacy. However, those same applications can be used to leak sensitive information or cause damage to an organization's public image, whether inadvertently or maliciously.

I see. So the devices must be tolerated and certain apps need to be allowed for sanctioned purposes. But blocking non-sanctioned apps for the people not authorized to use them shouldn't be that hard with a firewall, right?

Well, sadly, no. Many applications are designed to circumvent traditional port-based firewalls so that they can be easily installed and accessed on any device, anywhere and anytime, using techniques such as port hopping.

Port hopping? What is that? It sounds like a game.

Yeah, well, port hopping is a tactic many applications use to make them harder to restrict. Every computer has 65,535 ports for TCP and another 65,535 ports for UDP, which is a lot of doors and windows for applications and programs to use. So, some of the security problems start when ports and protocols are randomly changed during a session. Then there's the use of nonstandard ports, such as running Yahoo Messenger over TCP port 80, which is HTTP, instead of the standard TCP port for Yahoo Messenger, 5050.

So do most applications have dedicated ports they use for communication?

Well, some still do, yes. However, years ago, a shift started in the industry because legacy firewalls would block the applications on their standard port. So the industry started evolving, and many lately reuse the same ports. Other applications do this because the developers of those applications, or the people using their apps, didn't want them blocked by security teams, which is why legacy firewalls are no longer effective for stopping the attacks and malicious software.
So that's tough then. There's more than just the attackers challenging security teams; everyday application developers are, too.

Yes, exactly. So, on top of that, next we have tunneling within commonly used services such as DNS, packaging stuff and trying to sneak malicious software and exploits into the network, or when peer-to-peer file sharing or instant messenger clients like Meebo are running over HTTP.

Now, remind me again. What is HTTP?

That's HyperText Transfer Protocol, which is the way you would view web pages.

Okay. So I heard once that's called port 80 traffic. How is that different than port hopping?

Well, if an application reuses a common port like 80 for its traffic, the firewall could still see the traffic as what it really is, just on a different port than normal. So tunneling is dangerous because it hides the unwanted traffic within the common HTTP protocol. It's like having a special straw or pipe that cuts across the internet and you're sending all your traffic through it. Security teams can't block HTTP without blocking all access to regular web pages. And finally there is hiding traffic within an SSL-encrypted session, which masks application traffic, for example, TCP over port 443, which is HTTPS.

Well, how is that HTTPS, or the encrypted stuff, different than just HTTP tunneling?

Well, the tunneling part is the same. The difference is now that the traffic you are passing through that tunnel is SSL-encrypted. It's all scrambled up, making it even harder to distinguish from normal internet traffic.

So each of these tactics is used by attackers and even well-meaning application developers to sneak traffic past a firewall.

Well, it's not that black and white. Those tactics make it harder for a firewall to identify traffic, yes. But nowadays, many traditional client-server business applications are being redesigned for increased web usage. To do so, they employ the same techniques for simplicity and reliability reasons.
For example, Microsoft RPC, Remote Procedure Call, and SharePoint both use port hopping because it is critical to how the protocol or application functions, rather than to evade detection.

I see. So we should just accept that port hopping, tunneling, and encryption are just part of life now, and we can't or shouldn't even block them and should just live with them? Okay.

So, well, again, yes and no. It really depends. Businesses need to determine for themselves what is a risk to them on a per-technology and even really a per-application basis. Anything can be twisted by an attacker and weaponized, such as what was done with Skype users in Syria. There's malware called Flame, the Flame malware discovered in 2012, that had components that would literally reprogram a portion of the Skype application, enabling a third party to spy on individuals through what would otherwise appear to be a legitimate Skype install. As applications are becoming increasingly web-enabled and browser-based, HTTP and HTTPS now account for approximately two-thirds of all enterprise network traffic. Traditional port-based firewalls and other security infrastructure are just unable to distinguish whether these applications riding on HTTP and HTTPS are being used for legitimate business purposes. Thus, applications, including malware, have become predominant attack vectors to infiltrate networks and systems, and they're very effective.

Okay. So the problem is very big then. Certainly it explains why the attacks continue despite a massive industry working to prevent them. Network traffic isn't anymore what it may appear to be, and even our applications can be tunneled or turned against us. So could this be a reason why companies are moving portions of their operations to the cloud?

Well, now, cloud certainly has its benefits. However, there's also turbulence in the cloud.

Turbulence? Why do you say that?
Well, cloud computing technologies enable organizations to evolve their data centers from a hardware-centric architecture, where applications run on dedicated servers, to a dynamic and automated environment where pools of computing resources are available on demand to support application workloads that can be accessed anywhere, anytime, from any device. However, many organizations have been forced to make significant compromises with regard to their public and private cloud environments, and they end up trading function, visibility and security for simplicity, efficiency and agility. If an application hosted in the cloud isn't available or responsive, network security controls, which all too often introduce delays and outages, are typically streamlined out of the cloud design, thereby making it more vulnerable.

It seems the cloud is focused on up-time then, as opposed to security, right?

Well, yes. Cloud can include security, but cloud security often comes with some trade-offs, such as simplicity or function or efficiency or visibility or agility or security. So, essentially you are correct: many of the features that make cloud computing attractive to organizations run contrary to network security best practices.

Interesting. So, what are some of these best practices you mentioned?

Well, first, cloud computing doesn't mitigate existing network security risks. The security risks that threaten your network today don't go away when you move to the cloud. In some ways, the security risks you face when you move to the cloud even become more significant, and many do so in our applications because they use a wide range of ports, rendering traditional security ineffective. The attackers are trained in sophisticated port-agnostic attacks that use multiple vectors to compromise their target and then hide away inside, using current applications to achieve their objectives. Then second, separation and segmentation are fundamental to security.
The cloud relies on shared resources.

Well, how does separation make things more secure?

Well, security best practices dictate that mission-critical applications and data be separated in secure segments on the network based on zero trust principles. On a visible network, zero trust is relatively straightforward using firewalls and policies based upon application and user identity. In a cloud environment, direct communication between virtual machines, also known as VMs, within a server host occurs constantly. In some cases, there are varied levels of trust, making segmentation a real challenge. Mixed levels of trust, combined with the lack of intra-host visibility by virtualized port-based security offerings, may weaken your security posture. Then finally, security deployments are process-oriented and cloud computing environments are dynamic. The creation or modification of your virtual workloads can often be done in minutes, yet the security configuration for this workload may take hours, days or weeks. So, security delays aren't designed to be burdensome; however, they're the result of a process that is designed to maintain a strong security posture. The thing is, the policy changes need to be approved, the appropriate firewalls need to be identified, and the relevant policy updates determined. In contrast, virtualization teams operate in a highly dynamic environment with workloads being added, removed and changed rapidly and constantly, and the result is a disconnect between security policy and virtualized workload deployment, leading to a weakened security posture. So, you have your problem there.

Yes, it sounds a lot like you just hate the cloud.

Well, absolutely not. Absolutely not. I don't hate the cloud. I love the cloud. The cloud is newer and thus less understood by most security teams. Security in the cloud is catching up, and businesses need to approach the cloud with their eyes open, because only recently has it become possible to implement proper security for data in the cloud.
That's all I'm saying. It's like we've got to make sure the security is there appropriately.

Okay. Fair enough. Against that backdrop of modern computing environments, BYOD and popular technology trends like cloud, thousands of cyber attacks are perpetrated against enterprise networks every day.

Yes. It's absolutely true. Unfortunately, many of these attacks succeed and are typically reported in the mass media. Some recent high-profile examples: take the attack on Target in late 2013. Target discovered that credit and debit card data from 40 million of its customers, and peripheral information of an additional 70 million of its customers, had been stolen over a period of 19 days from November 2007 to December 15th in 2013.

I remember that one. I got a new credit card thanks to that attack. How exactly did that attack happen?

Well, the attackers were able to infiltrate Target point-of-sale systems by installing malware, believed to be a variant of the Zeus financial botnet, actually on an affiliate company that did business with them, the heating, ventilation and air conditioning contractor. Their system connected to Target's and harvested credentials from an online portal that Target's vendors use. Then, in February '14, the estimated cost associated with the Target data breach had already exceeded over 200 million in the US, and lawsuit settlements in 2015 totaled another 116 million more.

So, they attacked, or they snuck in, through a non-employee computer system and stole my credit card information. That's amazing. You know, I had to get a credit card replaced several more times after the Target breach. Did anyone else get hacked? Someone else that I shop with or that I use?

Well, I don't know where you shop. Do you go to hardware stores or sites like that?

Yes. Okay. Yes. I shop at Home Depot and a bunch of places like that.

Well, okay.
So, in September of 2014, Home Depot suffered a data breach that went unnoticed for about five months or so, and very much like the Target data breach, the hacker used a vendor's credentials and exploited a zero-day threat based on a Windows vulnerability to gain access to the Home Depot network. What's called memory scraper malware was installed on 7,500 self-service point-of-sale terminals to collect 56 million customer credit card numbers in the US and Canada.

Fifty-six million people? That must have really hurt Home Depot's reputation.

Yes. As of October 2015, the data breach had cost Home Depot over 232 million and was expected ultimately to cost the retailer much, much more.

Okay. So, are these attackers just out to steal credit card info? Surely, if that were the case, we would just stop using credit cards.

Well, you'd be surprised to know that attackers can make money from having virtually any piece of information about a lot of people. I tell people that all data is money. Just some data is worth a lot of money and other data not so much, but personal information or credit card money is worth quite a bit. In February of 2015, the health insurance company Anthem disclosed that its servers had been breached and PII, personally identifiable information, which would include name, social security number, birth date, address, income information and even your mother's maiden name, for approximately 80 million customers had been stolen.

That's incredible. So they just sell that info on the black market or something?

Exactly.

Wow! Just my luck. How did the attacker steal this data from Anthem then?

Well, that breach occurred on December 10th of 2014, when the attacker successfully compromised an Anthem database using a database administrator's credentials.
The breach wasn't discovered until January 27th of 2015, when the database administrator discovered a questionable query was being run with his credentials, and the cost of the breach is expected to reach $31 billion.

Wow. This sounds a lot like a plot from a Hollywood movie. Are there any other big breaches that you want to scare us with?

Well, sure. I'll give you one more. The last one I want to share with you is with our own beloved government, the US Office of Personnel Management, the OPM for short. They have had two separate data breaches, discovered in April and June of 2015, that resulted in personal information, including names and birth dates, Social Security Numbers, and other sensitive information of approximately 24 million current and prospective federal employees, including their spouses and partners, being compromised. So, the breaches are believed to have been linked to the Anthem data breach and may have originated in China as early as March of 2014.

Hey, Christopher, each of those you mentioned has affected me and millions of others in significant ways. So, the situation right now is cyber war, right? The attackers versus businesses and even governments. How have our prevention tactics changed as a result of these big breaches?

Well, some important lessons to be learned from these attacks really include how the methodology has changed over the years. Now, it's a low and slow cyber attack that can go undetected for weeks, months or even years, where the attacker just gets in there and hides. He burrows in. An attacker doesn't necessarily need to run a sophisticated exploit against a hardened system to infiltrate a targeted organization.
Often, they'll just target an auxiliary system or an affiliate's vulnerable endpoint, then do what we call a "pivot", and then the attack will move towards the primary target. And the direct and indirect financial cost of a breach can be devastating for the target organization and the individuals whose personal and financial information is stolen or compromised.

Don't I know it. It's amazing the lengths the attackers go to and the hoops they jump through to pull off these attacks. Are they all just trying to make a quick buck or score some mega millions? I mean, who are these attackers and what's driving them to ruin the lives of so many other people?

So, in a book called The Art of War by Sun Tzu, there is a statement that hackers live by, or security professionals live by, which is, "Know thy enemy, know thyself; a thousand battles, a thousand victories." So, it's to instill the importance of understanding your strengths and your weaknesses and the strategies and tactics of your adversary, as well as your own.

It reminds me of The Godfather, where he says, "Keep your family close but keep your enemies closer." Right? So, it's all about knowing what the other guy's going to do.

So, in modern cyber warfare, a thousand battles can happen in a matter of seconds, and in a single victory by your enemy, they can impair your entire organization. So, knowing your enemies and what they can do, their means, their motivations, that's extremely important nowadays. So, the relatively innocuous good old days of hackers' activities, where the primary motivation of a cyber attack was just to gain notoriety, or mess up your website, or cause some kind of little embarrassment or inconvenience, those are gone. Now, it's all about trying to get out there for a free-for-all of collecting all your information and selling it on the dark web. However, modern cyber attacks are perpetrated by far more sophisticated and dangerous adversaries. They're motivated by more sinister purposes.

Okay.
So, what do we call these modern adversaries and why are they causing all this hacking?

Well, there are many, or at least several, motivations out there, but the four main motivated groups are, well, the first would be cyber criminals, which typically act independently or as part of a criminal organization. Cyber criminals commit acts, obviously, to drive revenue through data theft, embezzlement, fraud or extortion for financial gain. According to the RAND Corporation, in certain aspects, the black market for cybercrime can be way more profitable than the illegal drug trade. By many estimates, cybercrime is now a one trillion dollar industry.

Holy cow. So, essentially, digital thugs out to make money. No surprise that that's the top motivation. What else is there?

Well, second, we have what we call state-affiliated groups or state-sponsored groups, where we have nation states, where these are organizations that literally have the resources to launch various sophisticated, persistent attacks. They recruit various talented people with technical skills, and they have great depth and focus. They're well-funded. They usually have ties to the military. They're very strategic in their objectives, and they will have the ability to disable or destroy critical infrastructure, including power grids or water supplies, transportation systems, emergency response, medical and industrial systems. The Center for Strategic and International Studies reports that at the nation-state level, Russia, Iran, and North Korea are using coercive cyber attacks to increase their sphere of influence, while China, Russia, and Iran have conducted a lot of reconnaissance of networks critical to the operation of the US power grid and other critical infrastructures without any penalty or records right now.

Wow. So, the US Government or military would fall into that same group, right?
I mean, last year, it was all over the news how the US didn't want to call out China for cyber attacks because the CIA and NSA were doing the same attacking right back, weren't they?

Yes, that's very true.

So, we have cyber criminals, nation state groups. Is there anyone else?

Yes. Another one that can be just as dangerous would be called hacktivists.

Hacktivist? Like a hacker activist, hacktivist?

Yes, exactly. The reason why they're so dangerous is because a hacktivist is motivated by political or social causes. Hacktivist groups such as Anonymous typically execute denial-of-service attacks against a target organization, or they deface their websites, or flood their networks with traffic, rendering them unable to operate.

Interesting.

Yes. Then, also, I guess, the fourth group would be the cyber terrorists. Terrorist organizations use the internet to recruit, train, instruct, and communicate, as well as to spread fear and panic in order to advance their ideologies. Unlike other threat actors, cyber terrorists are largely indiscriminate in their attacks, and their objectives include visible harm, death and destruction.

Like we saw ISIS do these past few years, right?

Yes, correct. Exactly.

So, those four groups are the majority of attackers out there?

Yes. Those four groups are what we call the external threat actors. The external threat actors also include former employees and other unaffiliated or otherwise unknown hackers. External threat actors have accounted for the majority of data breaches over the past five years.

Okay, so because you mentioned external threat actors, I have to assume there are other, maybe internal, threat actors, right?

Spot on. So, internal threat actors, over that same period, were responsible for about 10-20 percent of the reported data breaches.

That's not an insignificant percentage either. What's the difference between internal versus external threat actors?
Well, with external threat actors, no trust or privilege previously existed, while with internal or partner actors, some level of trust or privilege has previously existed. The actor may be an individual or an organization. The incident could be intentional or accidental, and its purpose malicious or benign in its origin.

So, an internal employee can accidentally cause a breach?

Yes, they can, and that was the case that we saw with the Anthem breach.

That's right. Yeah. That is scary stuff indeed. Well, thank you, Christopher, for taking the time to speak with us about these cyber threats. I know our viewers appreciate your time and your efforts in helping keep us all safer in this modern and digital battleground.

Hey, it was my pleasure, really. Have a great day.

Thank you.