Top Breaches of 2022

Listen to learn the most common breach types in 2022 and how to respond to a data breach.

SecurityMetrics Podcast | 62


"In 2021, we had tracked that about 5.9M accounts were targeted through data breaches. It's expected that at the end of 2022, we will surpass that number."

Matthew Heffelfinger (Deputy CISO, GSTRT, CyRP (Pepperdine), GRCP, SSAP, ITIL4-F, GISF, PECB) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to give you the TOP data breaches of 2022. This list includes breaches caused by leaks, phishing, and poor cyber hygiene.

Listen to learn:

  • Most common breach types this year
  • Tips to help your employees stay secure
  • How to respond to a data breach

Resources:

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of Top Breaches of 2022

Hello, and welcome back to the SecurityMetrics podcast. I'm Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. Here with me today, a face a lot of you recognize, Heff. Hey. How are you doing?


Thank you for the, annual invite back. It feels so good to be back home here with you.


So good to so a lot of our listeners actually know who you are, but some people might be new. Welcome. If this is your first time, so happy that you joined us. If you are a regular listener, thank you. I really appreciate all of the people who reach out and tell me how much they appreciate that we do this. I appreciate that you listen and have tell them about you, what you do, because if you're not listening to Heff's show, you might enjoy that as well.


Well, Jen, first of all, you put together a great show every week, you and Hunter and the entire team here. I thank you for the invite. I am the deputy CISO for SecurityMetrics. And my job is to manage a lot of the threat hunters that we have here and find the bad guys and notify our clients when we find those bad guys in the environment.


Do you know that's awesome that you're here today because our last episode, we actually had one of the threat hunters, Noah, on. If you haven't listened to that one yet, it was a great great episode. Noah has a lot of knowledge, and you he's the one of the people on your team.


Yeah. He does a great job, and and I'm excited about this week's topic. This episode, finding the top breaches, talking about the top breaches.


Okay. There's always that little bit of a what is it about humans? We have that that thing where we kind of enjoy other people's what's there's a word for it?


Schadenfreude?


Schadenfreude. Yeah. Yes. This is the time of year where we enjoy our schadenfreude and and talk about top breaches of twenty and we don't enjoy it at all, actually.


But it's good to know what happened because then we can maybe plan for and prevent things in in our within our own sphere of influence for next year. So we were like, okay. How are we gonna group this? Yeah.


Is it by month? Is it by impact? Or is it but you know what we decided to go with?


Themes.


Yeah. Yeah. Yeah. Yeah. It's the perfect time type of conversation, because there have been major themes that have carried through many of these breaches, Jen, that have happened in this past year, twenty twenty two.


Yeah. And a lot of breaches. We don't have time to talk about all of them. No.


But there are a few that just knocked our socks off.


Yes. And and they they follow along a few themes that we'll we'll introduce them as we go. Yeah. And and I I think it's it's worth starting out, though, with a little bit of a little bit of a preface. Let's help people kind of get a little context starting with data breach, data leak, cyber attack. What can you kind of help us understand similarities and differences there? Yeah.


And for the purpose of today's talk, what we're gonna do is we're gonna talk about both data breaches, data leaks Mhmm. And all of these kind of fall under a cyber attack type of banner. So and data breaches where you talk about a threat actor gets into a company or a business, and they try to just get that sensitive data. They try to get that PII.


They try to find something of value and extract it from the system. Yeah. Leaks, on the other hand, are kind of the opposite where you just have unknowingly exposed data. And Yeah.


And sometimes it's purposeful where you have an insider threat. And we had a couple of those this year. Yeah. Yeah.


So we got we got some of those happening. But, you know, what's amazing is the amount of data and the amount of accounts that have been just breached this past year.


How many were there?


Well, we know that in twenty twenty one, we had about, in total, we tracked about five point nine million accounts were targeted through data breaches.


That is so many.


And it's expected that at the end of twenty twenty two, that we will surpass that number. That's amazing that we can have that many breaches.


That that is a lot of breaches. Yeah. A lot of data. Well, it affects affects so many people individually and expect and it affects so many organizations, their their company, their reputation, their bottom line.


Yeah. And there's been a couple times where, you know, for us in the security operation center at SecurityMetrics, we take it really personal. When when kids are attacked, when elderly Mhmm. You know, people that just are not aware sometimes of all these different types of social engineering campaigns. So that that really impacts our, you know, emotional status sometimes. And we try not to get too emotional about it. But, yeah, there's been so many insane breaches this year and a lot of themes that that we definitely can talk about.


Let's start with theme number one, which is the Lapsus breaches. And people might be going, the what?


The what? Yeah. Lapsus. Do you remember these guys? They were these young kids, these teenagers from Great Britain.


Yeah.


Remember those seventeen-year-olds that were just going out, and they were just causing havoc. Mhmm. And they had popped a lot of big name companies. And the one kid got actually arrested, and that was really cool to see that happen after the fact.


Mhmm. But there were some really big companies in there, and it kinda started off in January of this past year with Okta. And for the audience, Okta is a really big vendor. I mean, like, a lot of companies use Okta.


Yep. A lot of people are probably familiar at least with the name because they know their companies use it. They might not be really familiar with what Okta does. Yeah.


But because of its its where it's where it is situated in that business model Yeah.


A lot of groups use it.


And what happened in this case well, with Okta is by the way, if you're not familiar with Okta, it's it's kinda like a single sign on type company Yeah. Where they offer those kind of services to businesses. So a lot of big businesses use them. But with what happened is this Lapsus group is they went in and they socially engineered a contractor, a third party vendor from this company named Sitel, who was contracted through Okta to to handle some of their business.


Mhmm.


And that's where it went off the rails. And the crazy thing about that breach is the Lapsus, these teens, it only took them twenty five minutes to basically hit just two customers. And then from there, they just went in and started doing configuration changes, password resets, you know, changing people's MFA, impersonating.


It just went crazy for them.


How much they were able to do in a very short time.


And that's the kind of the the keys to the kingdom type of attack. Yeah. You think about it. Like, if you get into Okta's environment and you get in past somebody's single sign on, you could now do whatever you want, steal whatever you want, and that's exactly what Lapsus did here. But then they pivoted. And as soon as they get done with that attack in January, they went into their next big breach, which was the NVIDIA thing.


Yeah. And that was a that was a pretty significant, attack that they did. NVIDIA, again, massive company. Probably everybody's heard of them. So, they make it's those those are the chips. Right?


Yeah. Yeah. Yeah. For the, for the the video cards.


Mhmm.


And they were upset, and Lapsus was upset that NVIDIA was putting these limiters on the video cards that were used for crypto mining. And a lot of people were using NVIDIA video cards Mhmm. To mine cryptocurrency.


Yeah. And the NVIDIA folks said, oh, no. We don't want our cards to be used to mine crypto. Please stop.


So they put these limiters in place. And, of course, Lapsus said, no. No. No. That's not allowed.


We are gonna we're gonna pop you guys. And they went in there, and they just man, you wanna talk about brand damage time?


Yeah.


Like and and NVIDIA handled this so poorly. You talk about lessons learned. They came out, and they initially, they said, oh, no. No.


We weren't we weren't breached at all. Nothing to see here, folks. Move along. Move along. Yeah.


Then some information is there.


Yeah. And then Lapsus got real smart about it. They're like, yeah. We're gonna we're gonna put some stuff out there.


And then then NVIDIA is like, oh, no. No. Please. Please.


They went I mean, Lapsus went into, like, beast mode on this attack. They they something like one terabyte of NVIDIA source code was taken.


Credentials, seventy one thousand employees' passwords Mhmm.


Of that the just incredible. And then to make matters worse, Jen, the website, Have I Been Pwned, they came out and they reported, these credentials being stolen. And now NVIDIA is like, okay.


Yeah.


Now we gotta backtrack.


Yeah.


And now we gotta we gotta own up to it. Yeah.


I mean, you can lie about it, but then if the people who are breaching you are like, we don't like it when you lie.


So now we're gonna tell everybody that you did. And, oh, by the way, we still don't like you, and so we're gonna do more things to you.


Yeah. And now, you know, to stay with this theme of Lapsus, like, it's not done, folks. We're gonna keep going Yep. Here. You know, you fast forward to, like, September of this past year. Lapsus was behind the Samsung data breach, allegedly.


Allegedly. Yeah.


And this is where this one didn't get a lot of play in the news, and it really bothered me, Jen, because this is where we're talking about the source code for Samsung phones.


Okay? And, you know, when you talk about private keys and login data and their AWS, their GitHub, their Google keys all being stolen, and then Samsung's like, oh, it's no big deal. Not and, again, one of those, say, NVIDIA type things where, nothing to worry about, folks.


It it was crazy to to us that work in the industry Yeah.


How simple yet effective Lapsus tactics were. I mean, you're talking some basic simple social engineering type work that's done, and then Lapsus is in the environment, and they do their homework. I mean, these seventeen year old kids, they knew what they were looking for, what they were going for. As soon as they found it, they got out. Mhmm. And, you know, they this I believe that it wasn't published till September, but this actual this this breach happened back in July. Mhmm.


And here it was, you know, a month and a half later, two months later, that we're finally getting word of the hundred and ninety gigabytes of data that's been stolen from Samsung, which is a tremendous amount of And and you know what's kind of heartbreaking about this size of data breach is that people are getting almost used to hearing about it.


And I start hearing about this from people.


I've my data's already been breached. So, you know, what what can you do about it? Like, people are almost getting, kinda nihilistic about it, which is not good.


No. No. Not at all. I had a bunch of friends that tell that told me, I'll never buy a Samsung phone ever again.


Just like that. Alright? And I said, well, you know, you gotta do what's best for you. But the way it was handled by both of these companies, Samsung and NVIDIA, just, you know, big hardware based companies that are getting their source code leaked.


Yeah. Just heartbreaking. And then stop.


And, you know, you can tell a lot about a company, and whether you will continue to do business with them based on their reaction to a breach. Yeah. So, just because somebody's had a breach doesn't mean you never do business with them again. Really, the answer is, how do they communicate it?


How quickly? What did they put in place after? What are your reassurances going forward? Because, just throwing otherwise, you're kinda throwing out the baby with the bathwater.


Right?


Yeah. Yeah. And, you know, that's a great point to bring up too, the arrogance and gall of some of these companies and the way they handle the breaches. But, you know, we do have a good shining light in all of this situation. One of the breaches that hit was, Lapsus actually went after Microsoft.


Yeah.


And that happened I wanna say it it was kinda March twenty second, around that time frame this year Mhmm. That Microsoft got hacked.


And this one was really unique in that the way that Microsoft handled this breach, they they have a very excellent cybersecurity team. And they came out right away, and they said, hey. Our security team is on it. We're handling it.


Mhmm.


We they had this incredible response. The the PR was just handled excellent from start to finish.


And and this is a really important point that you're making because a lot of organizations, part of their breach response is all about, what are we going to do from a technical perspective. But they don't think about the communication piece. The communication piece is extremely important, not just internally to the to whatever organization has been experiencing the breach, but externally. Who is allowed to talk to law enforcement?


Who is allowed to talk to Mhmm. The news? Who is allowed to post about it? And who is responsible?


Who is supposed to? Like, at what point do they do these things? How does this communication happen? When you're under the stress of an actual breach that's happening in real time Yeah.


We these are not easy decisions to make. It's the worst time to make those decisions. But if you have a team that's already thought about it and done these kind of, wargaming aspects Yeah.


The tabletop exercise. Microsoft you could tell Microsoft was ready for this this type of attack. And they had the processes in place. They had the playbooks. They knew how to respond. Everybody knew their role and executed the the role to perfection.


Mhmm.


And this was not an, a simple breach, by the way, of Microsoft. We're talking about compromising Lapsus compromised Cortana, Bing, several products that Microsoft owns. And, again, they handled it really marvelously in how they were able to to come out and say, hey. Only one account was compromised. We took care of it, and and they they overly shared some things from this breach and their lessons learned with the public. Again, really marvelous way to to respond.


And I think that's that's a really, that's not only is it generous of some of these really prepared companies to help other people learn, but it shows the level of confidence they have in themselves to be able to to, meet and respond to some of these things.


Yeah. And, you know, we kinda pivot from that Microsoft breach. Now some people would argue that Apple and the Meta, Meta owned by Facebook, Facebook Meta, whatever you wanna call it, they got breached this year. Both of those companies got breached. Huge company. Right? Apple and Meta.


Allegedly, what happened was we're talking, apparently, like, March of twenty twenty two is when this went down. And, again, two of the world's largest tech companies, allegedly, Lapsus was behind this. And and what was unique about it is they were pretending to be law enforcement officials.


Mhmm.


And they would send out announcements. Hey, we need information about these these particular customers.


We need their addresses, their phone numbers Right.


Their IP address.


And they were able to really get in there and use these fake law enforcement announcements Right.


To to get access to, to to this, data.


Right. And and I often say that people who are going to respond to phishing attacks typically are the people who are trying to do the right thing.


Yeah.


And so when it's fake law enforcement and and you're trying to respond, you know, the right way, there's still you can be you can be that helpful, you know, person that's doing the the right things in the right way. But also in your companies, if there is a way to access critical information that only one person can give that access to, you need to change your processes.


Right. And that's where the the the question came in with this one. And thematically, folks, we could have probably made this its own category.


You're talking about law enforcement being tricked, being socially engineered, ISPs Yeah.


Being socially engineered to getting these fake announcements saying you need you need, this information. And I thought what was really cool is this year, Krebs on Security, the website. Krebs on Security.


If you're not following Krebs, got just definitely recommend.


He was all over this, folks. I mean, he was on top of, like, how this actually works, how it goes down, the technical aspects Yeah. Of this type of social engineering. But there there has been discussion, and I have seen, information about how law enforcement now are putting in processes to stop this type of trickery Right. This type of social engineering. But, again, Lapsus allegedly behind the Apple breach, the Meta breach, and a bunch of ISPs also got hit by these types of breaches.


But that is really the theme number one is that Is Lapsus.


Lapsus. This episode is brought to you by SecurityMetrics shopping cart monitor inspect. It's a revolutionary new product that can help you detect any problems with your shopping cart security, allowing you to effectively improve your ecommerce security. Here's what I know about it.


A lot of times people say, well, hey, I am PCI compliant because I passed my SAQ A. Great. You're missing most of the things that people are actually stealing information from right now. Shopping Cart Monitor was created to actually close those gaps and help you against things like Magecart and other known ecommerce issues.


To learn more about this shopping cart monitor, head to our website www.securitymetrics.com/shopping-cart-monitor. But it kind of that last conversation kind of fades us into the second theme Yeah. Which is that social engineering phishing, theme.


It doesn't stop.


It doesn't stop. And it it is Tactics. Because it's so effective.


Oh my gosh. The tactics. Jen, the tactics have been so unreal this year.


We we actually do a weekly threat briefing for all of our employees, and we always kick it off with the latest phishing tactics Love it.


For the employees. And I gotta tell you folks, if you're only doing phishing training one time per year, it's not enough. Alright?


You have to I mean, literally, you have to have somebody on top of this that that is seeing the news Yeah.


And grabbing the latest types of phishing lures, these phishing emails, and is just ready to share it with employees. Yeah. Because it's that changing, that fast of a changing tactic.


Yep. That's out there. And I have colleagues that that even from their personal email will send it to me and say, this looks like phishing to me. What do you think?


And and I'll say, yes. It is. Right. Right. Because they're right. But also, sometimes you can't tell.


And then you have to say, alright. If you can't tell if it's phishing, then you can't risk that. Find another way to verify the information. Yeah.


So it it it creates that conversation in what's out there, how do you recognize it, and one time a year certainly is not enough.


No. No. And, you know, we talk about the different phishing breaches that have happened this past year. The one that really popped the news big, it blew up in September, but it was Grand Theft Auto, the video game Grand Theft Auto.


Yeah. The new one's coming out at some point. Mhmm. And the company's called Rockstar that makes it.


Yep. And they got breached. And it was so fascinating how this breach went down with social engineering. They didn't send a phishing email, folks.


What they did is they went on and they figured out that they had, basically, third party people that work for the company that were using Slack. Slack is, like, that messaging platform.


And the threat actor went in and said, I'm just gonna compromise the Slack account. And then from there, pivot into Rockstar's environment and then steal whatever I find of value. Sneaky. And you know what they stole? The video game source code for the newest game, Grand Theft Auto.


Yeah. And they put out the video clips of it, what the new game looks like.


Yeah.


They put out some of the source code.


This this type of attack, I tell you know, you talk about cyber awareness training. I mean, constant for third parties. If you have contractors in your environment, you need to make sure they're also going through Right. Cyber awareness training.


Yeah. Absolutely. And and also, it brings to more awareness to communication, platforms, communication tools that people are using. They might not think, oh, well, this can't you can't use this to log in to that.


It doesn't matter. You know, you the communication is there and you can leverage it because it is a trusted source of communication. Yes. And so people say, oh, well, it must be I can talk through here.


But but because they may not have thought of how it could be used in order to breach other places in their organization.


And and that was crazy too. You know, again, the the bad guy is pivoting through Slack, a third party communication tool that the environment the business probably said, well, everybody else is using it, so it's gotta be fine. They probably didn't do their cyber due diligence on it and figure out that it is maybe it's not the best tool, but they allowed it anyway in their environment.


And here it is, social engineering. But the bad guys didn't stop with Rockstar. Yeah. They actually went after Uber too.


And Uber is on our bad list of some of the worst breaches that have happened this past year. And I'll tell you why, folks. The same tactics as the Rockstar one. They they basically figured out that they can get in.


They call this these type of breaches a total compromise.


The Uber one was so bad.


The entire code repository Mhmm.


Their cloud storage at Uber, all of that, again and the way it was done through a staff member at Uber, their Slack account got breached through social engineering, and then the, threat actors got into Uber's environment.


Right. And I think this brings up, again, that point that if you have social engineering phishing training, if you have that training, it doesn't matter. No. You have to look at what is each individual role. What could they, as an individual, do if they get tricked?


Yeah.


Or if they get compromised? What if what if suddenly they get offered a whole lot of money? Like, there's a lot of reasons why somebody might give up their credentials, not just being tricked. And so you have to think, alright. What other tools are in place that prevents either through process or through, multifactor or through other, alerting means. How do you prevent any single individual from in some way compromising that environment?


Yeah. And I think Uber and a bunch of the other companies that did get breached this year, they went out and they said, well, we're gonna look at other methods of authentication.


And going beyond use of password managers and, single sign on and multifactor authentication, they had talked about doing things like biometric authentication and implementing that kind of stuff Yeah. To give them more more less opportunities for the bad guys to get in.


Right. And it's it's driving people more towards the zero trust Yeah. Architecture where just because you have privileged credentials doesn't mean you have access to everything at all times.


Yeah. And it's a, you know, access least privileged access.


Mhmm.


Only get access to what you actually need to perform your job Yeah. In support of the business.


So Exactly.


And it's gotta be a priority. It's gotta be a mindset to evolve companies' cyber posture. And Yeah. For some companies, they're still not there yet.


But But the Uber breach wasn't just a total compromise.


We they're not on our good list for other reasons.


Yeah. And I don't know if many of you recall in the audience, but back in November of twenty seventeen, Uber got breached. Yeah. Okay? But it wasn't until July twenty twenty two where Uber finally had to come out and make an announcement about this.


And we're talking That's five years.


Five years.


A cover up. It was a cover up, folks. Yeah. And the CISO was the one doing the cover up. And and, essentially, what happened was their CISO is this guy, former CISO now, Joe Sullivan. What?


He had to go to trial. And it finally made it to trial in of this past year from back in November seven of of twenty seventeen.


And it's really the first instance that we know of where a executive, a CISO, is being brought on charges for failure to do his responsibility for this data breach.


He's going to jail.


And he's going to jail. Yeah. And, boy, you know, that is the one thing this this kinda kinda just blew my mind in how they covered it up. Because they get breached, and then the CISO says, well, let's just pay them, but let's pay them through the bug bounty program.


So that's how we hit it. Right? And he said That's so audacious. Yes.


He said, hey. You know, these bug this is a bug bounty program. We'll use it to be the cover up tool that, yeah, we did get breached, but it wasn't really a breach. It was these guys found some bugs in our environment, and we'll just pay them out through that way.


Mhmm. Yeah. But and then the audacity of the CSO, Joe Sullivan, he leaves Uber, and he goes work for another big tech company as a CSO. And then again, he goes back on trial this past year, and, yeah, he's going to jail.


Did he just not think he was going to get caught? Did he not think it was a big deal? Was he what was oh, I'll just leave this company and then that, oh, wipes the state slate clean and I go to the next company.


It's surreal. I mean, this story is one of those things where you go, wow.


Probably my top cyber story of the year Yeah. If I had to summarize the top ten, just the way this all went down.


Unbelievable.


Yeah. And, I think it was, like, fifty seven million Uber users were impacted by this breach, by the way.


Well but the but Uber wasn't the only.


No. And, you know, there are so many social engineering type things. Dropbox, this past week, this past month of November, they they got breached, a phishing attack. Again, you know, the phishing attacks are unreal.


The tactics are unreal. This particular data breach was pretty severe, Jen. Hundred and thirty GitHub repositories, all that code Yeah. For Dropbox was copied, including their API credentials, were also stolen.


Yeah. And when they originally happened, they said, oh, nobody's information got breached, but it feels like that's not the important part of this story.


No. And if I had to say what is the most important part of the story, it comes down to cyber awareness and cyber training. And the way this went down is the threat actor created a fake login page and then tricked the, Dropbox employee to be clicking on it. And then I, yeah, I did not like the way that Dropbox responded to this.


No. They they put out one of these statements, these blanket statements. No one's content, no one's passwords, no one's payment information was accessed. So weak.


I I don't like those kind of statements. I want them to change the statements.


I want But they take your security real very seriously.


Yeah.


I I by the way, you're getting, two free years of Yeah.


I mean, so what are you what else can you ask for?


Their investigation found that it was the API keys mostly used by Dropbox developers. Okay. I get that. But that's, again, a keys to the kingdom type of attack.


It is.


Where now you have lost the API key, you have lost all that code, and it's out there in the wild. And I'll tell you, Jen, I wish, I wish this was taken a little bit more seriously. Mhmm. Because this is the kind of stuff this should never have happened.


Alright? These these fake login pages that we see all the time, the big one that's in the news right now is LinkedIn being used. There's a there's a fake email saying, hey. You need to verify your credentials.


Yeah. Or you'll lose your account.


Or you'll lose your account.


Yeah. Which is ridiculous. Anytime there's something that makes you worked up or anxious or or fearful or or like a call to action in that moment Don't don't click. Don't do it. Yeah.


And, you know, Twitter's another one right now. You know, Twitter just got sold to Elon Musk. They're taking it private. And now they're talking about having to verify your account, and all these fish these threat actors are doing the same thing.


They're saying, hey. I'm gonna send out a bunch of fake phishing emails that requiring Twitter users to verify their account. Yeah. Same thing done with this Dropbox.


Don't do it. You verify your account. And and look how effective that is. There's a lot of chaos.


There's a lot of uncertainty. There's a lot of, emotion around that whole Twitter space right now. Yeah. Yeah.


And so people are going to be overreactive, and they're not gonna be thinking well. And that's when phishing really works.


Yeah.


So my advice to people is don't do anything for a minute. Just just hang be patient. Hang on. If you really love the Twittersphere and wanna be part of that, don't react to anything that's coming to you for a minute.


Another thing that's interesting about the Dropbox breach is their their response. And one of the responses, we're gonna change some of our processes, and we're gonna require employees now to use hardware authentication, keys in order to access their accounts, which I think is really cool. I mean, they can obviously afford it to get everybody a a key.


But that it's a really cool the way when breaches happen, the responses, and the changing of the tactics by the employees and how we're gonna change make things different.


You're very kind because my response was you weren't already doing that?


Yeah.


I When when you have access to everyone's all of their information in Dropbox, I never use Dropbox because I've I just have never had a good feeling about it. Had a good feeling.


I never used it either.


So Yeah. Okay.


Never in the same boat.


High five. Very nice.


Yes.


Well, so in addition to Dropbox, let's move on to another one that's also a phishing. And and this one kinda hurts because, you know, airlines.


Yeah. I'd never like to see an airline get popped.


Oh.


And it bothers me a lot. And I I don't even use American Airlines, and they did get breached this past year. I believe it was in September where they made this big announcement. A lot of breaches happened in, like, the early part of the year, like, January, February, March.


And then it really was, like, around September, August, June, where now these companies, these incident response teams, they have a chance to investigate. Now they make their announcements. Yeah. And it always seems to follow in line with when the the financials get announced.


Right? We'll wait we'll wait till after the after the the stock and the stock announcements get announced.


Feels like that that almost feels like lying.


It does, doesn't it? But it's interesting with the American Airlines breach. Again, it was another phishing attack. And this time, it was really one of the more advanced tactics was used. What's fascinating, Jen, is about phishing attacks. You know, seventy percent I've heard this number. Seventy percent of cyber attacks target business email accounts.


Mhmm.


That makes sense. Right? I mean, you're gonna go after a business. You're gonna probably go after their employees and their employee business account.


Yeah.


And that's where staff needs to be so vigilant and and aware.


And, again, we keep the harping on this cyber awareness training, but that understanding the the phishing tactics are changing so rapidly and fast, you can't wait a year to do another round of phishing training for your team.


Exactly. And not only that, you know, the the, the fact that you could break in just by just just from a phishing thing. You know? What what other tools were in place to prevent and detect and stop these attacks? Yeah. Probably insufficient insufficient attack.


And I want you to I want all the people in the audience to put yourself in the in the zone of an airline employee. You're rushing to your gate. Mhmm. You're you're getting into the office.


You don't have much downtime. Right? And you're maybe you're checking your email on your phone. These folks are the ones that are gonna be prime targets Yeah.


Because there's a sense of urgency to get the job done.


Mhmm.


I'm just gonna click on this email. I'm gonna see where it takes me. Uh-oh. And now I have given access.


And it's critical infrastructure. We're talking airlines are critical. You've got a plane that gets compromised. Boy, that's real bad stuff.


It it is bad stuff. You know what else is is, I I don't know if you're, just to to side note it, you know, CISA is now there's a new law saying, hey. If you're part of critical infrastructure, you have to now be reporting these breaches in certain ways. And, yes, it was very, very recent.


And we should probably do some kind of an episode on it. Yeah. But because and I think it's going to encourage some of these, like airlines to to be more aware because when you have to report something, you don't wanna do that. Yeah.


Right? So it's one thing to prevent it, but also I wanna prevent and not report it to somebody. Health care industry is also considered critical in infrastructure. So hopefully, the the new reporting, guidelines are going to to encourage people to think that far ahead.


You know, what if a phishing attack happens? Who do I have to talk to about it? It's pretty important that peep the right people know.


There have been a lot of breaches that have hit critical infrastructure that we're not gonna talk about today.


We just we just don't have time.


Yeah. There's so many.


The one that caught me in the news was last week, there was a Denmark train system that went down. And it was the the the thing about this attack was a lot of times when critical infrastructure gets hit, it's usually like the scheduling system.


Mhmm.


It's the things the the stuff behind the scenes Mhmm. Not so much the operational technology Mhmm. That keeps the trains running or the planes running. In the Denmark case last week, the Denmark breach, the train systems operational technology went down.


Literally, the software that controls the trains. Yeah. And that is that's the kind of stuff you fear with, like, American Airline breach. You don't want the software that runs the airlines to go down.


You don't want the train systems to go down. Trains and planes, you want them running.


You would actually yeah. Especially if you're on them.


Yeah. Right?


But there were other breaches, and we don't wanna Oh, yeah.


Hey. Before we leave phishing, I I wanna talk about I don't know if this is my favorite or my least favorite, the Verizon data breach.


Yeah. That was a big one too. And, you know, Verizon, they're big in our industry folks. They put out this annual report called the DBIR report.


The and and they're one of those kind of companies. We they don't just do cell phones. A lot of people have it misconstrued. Oh, they just do cell phones.


Yeah. Nope. No. They do more than that, folks. They do cybersecurity as well.


That's huge.


So for them to get breached, and this was, again, another social engineering scam where an employee was convinced to give remote access Yep. To to, the the threat actor. And in this situation, a database full of names, email addresses, phone numbers, a large number of Verizon employees, were caught up in this breach. Mhmm. Again, bad stuff, folks. And, again, it all comes down to social engineering. And that really is there's been a lot more social engineering breaches, but that is really the highlight reel of the top ones that have happened.


And, you know, there's so many that we could go through, but I wanna hit another theme Yeah.


Before we before we spend all our time on social engineering, and that is dev environment security.


Yeah. We never talk about this.


Oh, yeah.


And, you know, I don't know how it is with your clients, but I always seem my perception is a lot of clients overlook this part of their environment.


So so to be you know, I'm gonna be quite frank here, and and software development is something that in, when it affects the security of the data that we're looking at from from a from a third party perspective, what are you trying to protect? And if if they have third party or if they have, social software development that they're doing, that is definitely one of the things we looked at. And sorry, development teams, please don't be mad at me for saying this. These tend to be some of the most kind of arrogant people.


Woah. Yeah. They don't Wow. Yeah. And it's very difficult to say, hey. Not the good ones are great, and we'll talk to you about security all day long.


Yeah.


But on the other side of that spectrum, it's almost like a polar thing where the they they are quite good at what they do. And sometimes that brings a sense of of arrogance to people. And the ones who don't understand their potential effect on security can really cause problems. And they'll say things like it's just the dev environment.


Yeah. Yeah. And, you know, historically, though, with a dev environment, a lot of these these folks are under pressure. They're under the gun. Yeah. I gotta get the code done. I gotta get a push out.


And so I'm not trying to be critical of them as a as an entire group, but this is kind of a theme that I have encountered on quite a few occasions. And so I really wanna warn people if you really wanna be great at development, but security is part of it. It just is.


Yeah.


You know, and the good the good teams who bring security into the conversation, they're doing it the right way.


They do. They are. They are. And, you know, to our colleagues in the world in the dev world, I think it's important that we understand that it's a third party environment, oftentimes. And the threat actors realize that if they can pivot from the dev environment, through your third party, into your environment, they're gonna try to do that. So it's not just the dev environment, though. And this theme Yeah.


That we're talking about here is bad cyber hygiene, bad security posturing, not knowing your environment Yeah.


And not scanning your environment, not knowing what assets are in that environment.


Right.


That's huge. Yep. So we had a couple examples. And the one that caught my eye the most I actually had a friend at LastPass that it was was there when this breach went down in August.


Oh, no.


Yeah. And, you know, he called me up and he said, you know, I think I'm leaving them. And he literally put in his notice the next day. He says, I'm gonna I'm gonna go away from this company. So this, this happened in that the password manager, LastPass, if you ever used it, it's very popular. A lot of people love LastPass.


The threat actor gained access to their dev environment, using a developer's compromised endpoint.


And that's how they got in.


And this method really I mean, once once the threat actor gets in, it's persistent access, impersonate the developer Mhmm. And then find whatever keys to the kingdom they want Right. And exfiltrate and get it out of there.


Do you know this is one of the reasons that we look so carefully at the, separation of duties. Not just am I allowed to be in the production environment, am I allowed to be in the database environment, but can my credentials that I use in my dev environment also be used in these other environments? They shouldn't be. Because that's one of the ways that you can shut down an attack that comes through the dev environment, is that your credentials actually cannot be used outside of the dev environment.


And you know what's neat about this is we talk about bad cyber hygiene, and that is, you know, we have employees sometimes that like to reuse passwords.


Yeah. Right?


And if you have that problem in your company, you need to really come up with a solution, policies, and require the password changes. But so often that that happens, where employees will reuse their Netflix password for their work password. And, you know, threat actors know that. They go online, on the dark web, they buy the network Netflix compromised passwords.


And do you know what's agonizing is when so Netflix gets compromised. I don't know if they did, but you know what I'm saying. And then and they send out a thing and say change your password.


Okay. But but we'd I don't care if you change your network Netflix password. It's already been breached. What I care about is are you using that password someplace else?


And they are. That's the reality.


The one you should be changing.


Yeah. And, I mean, how many times we keep talking about? Cyber hygiene.


You gotta know also your security posture of your dev environment. And I see that so often where these third parties, and you may not even have a dev environment in your business.


But the reality is you probably have a contract or a vendor that you're using that maybe does not have a secure dev environment.


So that's one of those type of things where you can ask those questions right upfront. Before you do business with this vendor or this third party, hey, how do you secure your dev environment? You know? And ask those kind of questions upfront.


Yeah. I'll bet, I'll bet Australian Telecom wish they had asked those questions. Yeah.


They're another one that got popped. And, you know, it wasn't just one of the companies. It wasn't just Singtel that got popped. It was also Optus.


Yeah. And and it was weird the way this one went down because it was, like, back to back. It was like the threat actor knew, I get in to Optus. I I breached them in October, and that was something like nine point seven million subscribers.


And by the way, this Australian telecom company was, like, the largest ever across the entire this is, like, their version of AT&T and Verizon.


Mhmm.


And then their their subsidiary, Singtel, got breached in October.


Mhmm.


You know, a hundred and twenty nine cuss a hundred and twenty nine thousand customers, twenty three businesses.


We don't have a lot of details yet on this breach. It's still being investigated.


We know that it was potentially a state sponsored group Yeah.


That went in there trying to get the sensitive information. What I found interesting about this breach in Australia, these two breaches in Australia, is what's coming out of it. And the Australians, they love cybersecurity.


The government of Australia, they put forth effort and energy Yes.


Enact new laws. Mhmm. You know, they they they were talking about some kind of maybe national passport system, I believe it was called.


Yeah. They're trying to do different things to protect the businesses that run and operate within Australia. So this is gonna be really interesting, the lessons learned that come out of this breach.


Well, what else have we got in this dev related breach set?


Yeah. The Twitter data breach was kinda weird. You know, some people are saying it didn't happen. Some people are saying it did happen. Five point four million accounts. This was back, I believe, in July is when it hit the news.


I think if there's anything that we can learn from Twitter from this year is that it is weird and chaotic.


It is. And, you know, that's a huge footprint. I mean, you won't talk about a gigantic a gigantic footprint that needs to be protected. Yeah.


Huge a lot of patching has to be done there. And in this case, it was a vulnerability that a threat actor was able to take advantage of. Again, that's what threat actors do. They find open doorways.


We had a couple situations this year where the threat actor folks, they're always out there scanning environments. They're always looking for doorways in. And we had a situation where we had a client that had left a firewall port open. And the client or the the threat actor got in within thirty minutes.


And the customer was like, oh, I I was just gonna leave it open for you know, just to work on it for a few Just a minute.


Yeah. Just a couple minutes. And the threat actor got in that fast, within thirty minutes.


Yeah.


Same same thing here with Twitter. You gotta be doing the the patching. You gotta be doing the vuln management. You've gotta be on top of that cyber hygiene type stuff. And when you have a huge footprint like Twitter does, whoo.


Okay. So here's another one. Giant. Yeah. Mega. Huge VPN breach.


People love their VPNs.


Yes.


And and there were three big VPNs that got popped. We you and I, I think we had done an episode last year where we talked about VPNs being breached, and it's still going. The theme is still there. Threat actors know that people love their VPNs.


They know that if they can get in there, they can They make them feel secure.


Yeah. Make them feel, you know, like they can not be observed in that.


And this is this is really not the first time. I mean, this this type of stuff is gonna keep happening. If you love your VPN, that's great. Be aware who you choose as your vendor.


And here's the thing, is is if it's free Yeah.


It's not so good. And, you know, Super VPN, Gekko VPN, Chat VPN, all of these companies are being breached. Talking twenty one million users.


Now I'm not saying that you shouldn't use a VPN. I actually think you should use a VPN, especially if you're on an insecure network.


But do your due diligence on who you choose.


Exactly.


Sometimes free is not always free. And this this one was huge when you talk about all the data stolen. Damage is done now, folks. I mean, your password's out there. Your information's out there.


Make sure you're not using that same password to other places.


Yeah. I I thought the, the other breach that caught my eye and attention, switching gears, Jen, is the Cash App breach.


Yeah.


This was an insider threat. And you you don't hear a lot about these insider threat breaches, but we did.


Uh-huh.


And that's why I wanna talk about it too because Cash App, very, very popular app.


It's one of those things where they treat their employees, allegedly treat their employees, not that well. And an employee said, I'm not gonna stand for this. I am going to take customer names. I'm gonna take the stock trading information. I'm gonna take account numbers, portfolio values.


Eight million customers were impacted by this type of breach.


And it's all about treating your employees well.


Mhmm.


You know?


And the employee did not feel like that. They felt like they were disrespected.


You gotta have good cyber hygiene, though, with ex employees.


But, you know, the other thing is you can you can actually be treating people well, and they can take it wrong.


They could.


And and so it's it's it is I think you should be treating your employees well anyway. Yeah. But also assume that no matter what you do, somebody on the inside is going to try and hurt you. And so what kind of tooling do you have in place to know that it's happening Yep. To prevent it from happening and to limit its reach when it does happen?


And in this case, with cyber hygiene, we're talking about here deactivating old employee credentials. And so so often, we think that, oh, well, we deactivated their master login account, but then they forgot that the employee has access to all these other tool sets that nobody went in and deactivated, and that's exactly what this employee did. So Right. You gotta know what the back doors are that employees have access to. We gotta you gotta have a good digital asset to know to deactivate those accounts.


So Well, man, we could just go on and on, but this is we've covered a lot of data breaches.


Is there is there any, like, favorite one you wanna cover before we close?


I think I do. I wanna make sure that we understand the lessons learned. There's some overarching themes.


And what you can take away from all these breaches is the same consistent things that we've been talking about for decades. Mhmm. And that's where I wanna leave the audience with. I think that you gotta realize that human error is a major part of most of these breaches, where the employees, again, not trained, or maybe they are, but there it's only one time a year.


The cyber awareness training is not there. The teaching of the latest advanced tactics in phishing Mhmm. Is not ongoing. Again, seventy percent of all email compromises are done to the business email account.


So the employee has to be able to recognize the danger, has to have that vigilance that always on you're always on.


Mhmm.


Right? It's not just the cybersecurity team's responsibility.


It's Exactly.


Everyone has a part to play in this. I think that's an important part of it. I think also there has to be a business priority Mhmm. Of the weak passwords has to go away.


Definitely.


Reusing passwords has to stop. Those kinds of behaviors have to be prioritized at the business level. Mhmm. You know, we talk also about the executive in the boardroom.


And we haven't really talked too much about that today. But if those folks are not prioritizing cybersecurity decision making at the board level Right. And they're not asking the right questions, you're gonna continue to see this kind of stuff. We also see a trend, folks, of so many third parties getting popped and breached.


And then that doorway is how the bad guy is getting into your environment. Yeah. You gotta know what third parties are in your environment.


And how they're affecting it.


Yeah. And do you really need that many doorways? Mhmm.


You know, maybe there's one company out there that can do three or four or five of those things that you need done.


SecurityMetrics is a great example of that. You know, we don't just do audits and compliance. We do pen testing. We do security operations. We can find the bad guy too.


And, you know, a lot of people know about our our our audit teams, our and our, pen test teams, that those types of things. But since the security operation center, is is one of the things that we haven't talked about as much Right. I I talk to a lot of organizations that are like, hey. We're looking for third party SOC. Do you know anybody that that does that? Call me. I'm like, oh, Heff has the answer.


So, and I and I know that you you're you and your team do such a great job because I I get to hear that weekly briefing briefing that you do. And it's so well, first of all, it's really fun hearing how you stop the bad guys. That is my favorite part. But also, you know, all the lessons learned. And and so, I think that's really, something that I hope more people understand that that that this company really does offer that as something to look into.


But also another thing is that sometimes people can get overwhelmed by all these breaches. It is.


And it yeah. With these small teams, if you have a small IT team Yeah.


You're you're you're already up against a wall.


Yeah. It is a lot. And so if you're looking at, well, how do we manage this twenty four seven? Most organizations, small organizations, small and even medium companies, they just can't staff that. No. And and so looking for a third party is a good idea.


Yeah.


The other thing to remember is that not every organization is going to be hit in the same way as other organizations. So, yes, there are lessons that can be learned. But if you haven't done a risk assessment on your on the specifics of your environment, what is allowed in? What is allowed out? What is the business that you do? What is the information that you actually hold?


If that risk assessment hasn't been done, that you're not gonna put the right security controls in place because you don't even know what you're protecting.


Yeah. You gotta know your crown jewels. Now absolutely. What keeps the business lights on every day?


And if you don't know your crown jewels, it's hard to put a a plan in place to get that security posture up up in the level.


Well, thank you so much for coming and talking to me. That's awesome. Any last words before we close?


You know, I just thank you for everyone that joins us and and be and is part of this, your podcast. I I you do such a great job.


Well, thank I have such a fun time doing it.


It's fun.


It's great being able to talk to people who are really smart and excited about cybersecurity because it is a great industry, and I love being part of it. Thank you. Yeah.


Thank you for the work.


Thanks again for joining me.


So, thank you again for joining us here at the SecurityMetrics podcast.


I hope that you have taken in all of the last three years of our catalog. It's getting pretty huge now. Looking forward to, season four of this next year. In the meantime, make sure to take a minute to look at the security of your organization.


Take a minute to do some some risk assessment. Maybe ask yourself, what are the known gaps? And and address those. This is the right time of year to do it.


And, and then you can go into the next year with kind of a cleaner cybersecurity posture and and looking forward to a better year for all and fewer breaches. Alright. You take care.


Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
