Good morning everybody. Thank you for coming to my presentation. There's actually a lot more of you out there than I was anticipating, so I will admit I am a tad bit nervous. So my name is Chase Palmer, I am a security engineer for Lucid Software. So I just want to introduce myself a little bit and tell you a little bit about who I am. For about 10 years I worked in the PCI field; I worked for SecurityMetrics, a local company here in the Utah County area. I did spend a brief time working for the government as a security analyst. It sounds really cool but it really wasn't that great. I do have a bit of an entrepreneurial spirit: I like to start businesses that fail and then start up new businesses. My most recent adventure is starting up a non-profit, and I currently sit as president of the board of directors for that nonprofit, which also means that I have to take care of all of the ins and outs, including all technology for that organization. And as I stated, I currently work as a security engineer for Lucid Software, the creators of a product
called Lucidchart. You should go check it out; that would be the only plug that I'll give for the company there. And I am a CISSP, but there is a bit of a caveat there: just because I have my CISSP does not mean that I am a hacker, so I'm gonna admit that right up front. I'm sorry, this microphone is having some problems. So a lot of the things that I'm going to discuss today really have to deal with defending ourselves on a very basic level against attackers, and like I said, just because I have my CISSP does not mean that I'm a hacker. I am speaking strictly from the point of a defender, more closely blue team here. And I remember coming to my first security conference and feeling completely overwhelmed, and I felt like everything was going over my head. I would find presentations that were really cool and very technical, but they didn't have much applicability to my job, and then I would find presentations that applied to my job, but then I just didn't understand what was going on because I was so new, and so I really felt dumb, like D-U-M dumb. And so I decided to create this
presentation to kind of bring things back to home base, kind of security 101. And so I really wanted to reach out to those people who kind of felt like I did and who felt lost, and let everybody know that we all have a place to start; we have to start learning somewhere. And as I said, this is my first time presenting, so I'm hoping that this will also help me gain some confidence and speak in the future, maybe on some more complicated topics. But primarily, I think sometimes we get caught up in all of the great and awesome things that we hear about at these conferences, and if we forget about some of these basics, everything that we've learned at these conferences can be for naught and we just really end up spinning or wasting a lot of our time.

So I want to start off with just a list of companies that we probably have all heard of, because these guys make the news. These are some of the top breaches, compromises, that have occurred in the last ten years, and some of these, or at least one of these, is still ongoing, because we continue to hear about them
in the news, that the initial reported breach was actually larger than it was initially reported. But what about these guys? By raise of hand, has anybody heard of any of these companies? I didn't think so; there are no hands out there. These guys aren't the newsworthy type, but these all suffered significant breaches of data, and that doesn't mean that they were any less damaging. Each of these companies has fewer than 250 employees, which classifies them according to the US definition as a small company or a small business. By raise of hand, how many out there work for a company with fewer than 250 employees? I see a few hands out there. How about less than 500? Okay, we must work for some big companies out there. So each of these companies lost thousands and thousands of dollars, either in fines and fees or lawsuits, lost revenue, or just flat-out stolen money. And Efficient Services Escrow Group, they actually collapsed under the pressure, but that was primarily because everybody and their dog was suing them for losing their money.

So we have a tendency,
because of the way that the media portrays hacking and breaches as being big and kind of very targeted type approaches, that it's easy for a small business to say, well, I'm not a target, I don't need to really focus on this kind of thing; why would anybody want to hack my website? And so this is what a lot of people would imagine hacking to be like, and I'm pretty sure there's a lot of us out there that also wish that this is what hacking looked like, but in reality this is more like what it is. I've dabbled with Metasploit and that kind of stuff, and I can attest that this is pretty much it: sitting in a bedroom, or just at a desk, and you're in your home; it's not all that fancy.

So when we're talking about hackers, you have to realize that there are different breeds out there and they're gonna take slightly different approaches. And if you do a search on the internet for threat actors you'll find various different lists and groupings that people will put threat actors into. This is the one, this is
the list that I like; this is how I like to categorize them. And if you can see on the bar graph at the bottom, it shows kind of how broad and untargeted attacks are, to how focused they can be, based on the type of threat actor. And so you can see at the beginning that with hobbyists or script kiddies, they're very untargeted; they're just kind of taking the shotgun method and just seeing what's out there. But the further down the line you go, you get down to disgruntled employees who may have a vendetta out for a very specific person. You hear a lot about the hacktivists, and even then, while a lot of their stuff may be targeted towards companies that they want to make a point with, they do still also make some pretty broad attempts out there.

So the question is, are you a target? Yep, you better believe it. According to the Verizon breach report, or the Data Breach Investigations Report, 58 percent of all the breaches that occurred in 2017 occurred at a small business, and in the last 10 years
that I've been in the industry, this really hasn't changed. The number maybe has gone up 1 or 2 percent in the last 10 years, but by and large the majority of attacks and breaches are against small businesses. So why are small businesses targets? Well, if any of you have played hide and seek with two-year-olds, this is why: hackers are lazy, but they're really smart, and so they're going to go for what's called the low-hanging fruit, and so they want to do as little work as possible. And number two, small businesses generally, sorry, excuse me, small businesses support larger companies, and so they end up being a platform into larger companies. For example, with the Home Depot breach, it was actually the HVAC company that was the entry point for the attack, and then they piggybacked off of them into Home Depot's environment. And then last but certainly not least, small businesses just generally don't have the resources to be able to pay for the staff, or they just simply don't have the
manpower to be able to keep up with what's going on. And then really it's all random; small businesses and large businesses, well, I'll get to it, may end up being a target at some point. We'll get to that in a little bit.

So in order for us to be able to protect ourselves we just need to be able to understand things from the outside perspective, to help us realize how much we're actually exposed to those threats. So the cyber kill chain was actually the first thing I learned about at the very first conference that I attended, and I thought it was the coolest thing ever, and so I just kind of want to share that with you, because it really helps you get into the mind of the hacker and the methodologies or the ideas that they're using to get into your system. And I'll take it step by step. I'm going to break it into three sections, going to focus on the different types of things that the hackers are going to do at that stage, and then the things that we can do to keep us from being that low-hanging fruit. And so
we'll cover protective controls, detective controls, and corrective controls.

So at the very beginning we're gonna have initial recon. The hacker's going to be doing some reconnaissance, trying to figure out what's out there to see what they can possibly exploit, and so they're going to run things such as port scans and vulnerability scans, and at some point, if they feel that they need to, they will go and actually do some manual testing of your website, testing for stuff like cross-site scripting and session management. So if any of you have ever checked out your firewall logs, you will notice that this happens all the time. Doesn't matter who you are; just because you're getting a port scan doesn't mean that you're a target. It just means that the hacker has decided to scan an IP range that includes your IP. If you're getting hit with a vulnerability scan, there's a good chance that a port scan has discovered something that the hacker is interested in, and they're going to check to see if that could possibly be
exploited, and at that point you may have become a target. So what can we do to stop them at this point? This is actually the best place to stop attackers, since they actually haven't gotten into your network yet. So the attackers are just sniffing around to see what's out there, and so the idea is to make yourself as small of a target as possible. And so practices such as closing unused ports and filtering your traffic with firewall rules, and training your, sorry, excuse me, training your staff for security awareness, and robust password policies. And then my favorite is actually to perform your own vulnerability scans. Vulnerability scans will help you see what the attacker is going to see, hopefully before they do. And then other things such as risk assessment, so you can determine where you want to put your effort and your focus on protecting. I don't think we all need to protect our cat pictures that are stored on our hard drives, but some people think so.

So the second part of
the kill chain: the hackers have gotten in, they found a vulnerability and they've exploited it. At this point they have some access to your network, into your environment, and they're going to want to try to stay in there, so they're going to install stuff such as backdoors to be able to get in even if you've changed stuff on your network. They're going to try to find other computers on your network, so they're going to do some additional reconnaissance to see if there's any web servers or databases or things like that, and then they're going to try to escalate their privilege. They're trying to get to root, they're trying to get to admin or even to SYSTEM. This part of the kill chain can take some time, and so if you have the proper measures in place you can really slow down an attacker at this point or even stop them before too much damage is done.

So when you have the proper detective controls in place, they should notify you when some unauthorized or malicious activity is occurring so that you can take action. So
some of those activities may be trying to access or copy the /etc/shadow file, or trying to access your web root, or database commands being executed from an unprivileged user or an unauthorized account, or even as much as applications being installed. So these notifications should go to key personnel so that they can review them, and then they can take proper action, whether that is to close the hole that they are in, or determine if any sort of data was compromised at this point.

And the third part of the kill chain: it's too late. The attacker's in, they've actually grabbed your data, they've exfiltrated it and they're out, they've bounced. And if they are a good hacker they will have tried to clean up their tracks as much as possible. There's really an endless possibility of what could have happened here to your system, and so the amount of effort that it's going to take to recover from this attack is going to be dependent on what kind of corrective controls you have in place. At this point, since I have the Bitcoin image on there, this is kind of a
word of advice, or as my boss puts it, a pro tip: never pay a ransom for ransomware, and never pay hush money to a hacker. There's no guarantee that a hacker will actually decrypt your data after you've paid the ransom, and if you've read the news, Uber has decided to pay out a hundred and forty eight million dollars in a settlement for paying hush money to a hacker to try to keep their breach from reaching the news, which still reached the news, so oh well. And if you're really interested you can go check out Reddit and find out about the guy who socially engineered the hacker to actually give up the decryption key. That was a good read; that was fun.

So some of the corrective controls that you can have in place are having your system and data backups, and having server images, and having a disaster recovery plan. And backups are really going to be your best friend when it comes to being able to recover from lost data or corruption or ransomware. You just want to make sure that your backups are
as frequent as the data is changing. And so at Lucid our data is changing by the minute, and so we have a recovery point of just a couple minutes. Your data may not change very frequently, it could be hours or days, and so your backup strategy could be very different, but you just want to try to get your data back as close as possible to the time before the breach, without losing as much data as possible.

So I want to tell you guys a little bit of a story of when I ran into a hacker in real life. So what happens when you run into a hacker in the wild? Very much like most wildlife: don't panic. If you've prepared well enough, you have a really good chance of surviving, and if you use your training, you play your cards right, they will go away. So I run a WordPress site, and WordPress is a really effective platform for small businesses who may not have the resources to be able to develop a website, but WordPress has a lot of defaults, and so if it's misconfigured or if you don't do the proper things there's a lot of exploits
or a lot of vulnerabilities that can be exploited within WordPress, and one of those things is actually the login page. All WordPress sites come by default with yourdomain/wp-login.php, and so what I had noticed when I logged into my website and looked at my firewall was that I was getting a lot of attempts to access the wp-login.php page, and I was getting about 10 to 20 logins per second. And looking at those logs I could see that they were using very common passwords, or common usernames, and a lot of other things, so I knew they were doing a dictionary attack. But you can also see that the origin, the origination country, of all of these attacks was very spread out; there was no pattern to it, and so I knew it was a botnet. And so I needed to do what I could in order to prevent this dictionary brute-force attack from getting into our website. And so we actually survived, which is, you know, really exciting for me, that I had actually survived a live attack. The main thing that I did was I changed the default URL for
the login from wp-login.php to something else. I did have the web application firewall on, and so as those IPs were making those attempts the firewall was actually blocking those attempts. As an added measure, I installed fail2ban on the host so that those IP addresses would continue to be blocked even after the firewall had unblocked them with the timeout. I do run regular vulnerability scanning on the website, so I knew that the plugins and stuff that I had installed on there didn't have any vulnerabilities that could be exploited, that I was aware of, and I had a robust, secure password policy so that that dictionary attack couldn't use common passwords and usernames to be able to get in.

So at this point I just want to kind of run over a few things, kind of my speed round of, I believe it's five different items, to be able to reduce your target. Number one is defense in depth. It's not good security practice to have just one
security measure in place to try to protect data; you want to layer those protections, which is why it's called defense in depth. And so items such as multi-factor authentication, having a firewall in conjunction with a host firewall, or if we really want to get into the details here, having access to a corporate database protected by access control on a subnet, access by a VPN, and also requiring MFA, so if one of these items fails there's other protections in place in order to try to protect that data. On the other side of that spectrum we have security through obscurity, and there's a bit of controversy whether or not security through obscurity is actually a security layer. Security through obscurity is basically thinking that you're going to be hiding something that the hacker's not going to find, even though it's kind of out in plain sight. The main example that's easy to really point out here is like hiding the key under the doormat: they're not going to know what's there, I'll know it's there, it's easy to get to. But
things 476 00:22:18,710 --> 00:22:22,580 such as renaming files or folders to 477 00:22:20,360 --> 00:22:26,750 something that doesn't indicate that 478 00:22:22,580 --> 00:22:28,639 what the contents are or making a file 479 00:22:26,750 --> 00:22:34,340 accessible through URL but it's not 480 00:22:28,640 --> 00:22:37,910 being published so other examples is is 481 00:22:34,340 --> 00:22:39,889 obscuring some of your code so that you 482 00:22:37,910 --> 00:22:44,150 can't see exactly what that code is 483 00:22:39,890 --> 00:22:45,980 doing and so obscurity is a valid 484 00:22:44,150 --> 00:22:47,750 security layer or at least I believe 485 00:22:45,980 --> 00:22:50,150 security is obscurity as a valid 486 00:22:47,750 --> 00:22:52,280 security layer layer but it cannot be 487 00:22:50,150 --> 00:22:54,050 relied on by itself it should be an item 488 00:22:52,280 --> 00:22:59,660 that is included in your defense and 489 00:22:54,050 --> 00:23:02,720 depth the second item is security 490 00:22:59,660 --> 00:23:04,340 training your employees are going to be 491 00:23:02,720 --> 00:23:08,870 your number one weakness and so you want 492 00:23:04,340 --> 00:23:10,909 to want to try to boost that and you 493 00:23:08,870 --> 00:23:14,030 want to make sure that your employees 494 00:23:10,910 --> 00:23:15,680 are turned into your your frontline your 495 00:23:14,030 --> 00:23:18,710 your greatest asset to being able to 496 00:23:15,680 --> 00:23:20,960 protect your environment and so you want 497 00:23:18,710 --> 00:23:23,800 to make sure that your employees are 498 00:23:20,960 --> 00:23:27,190 trained regularly regularly on not only 499 00:23:23,800 --> 00:23:31,700 security basics but also on role-based 500 00:23:27,190 --> 00:23:33,140 items so items such as PCI compliance or 501 00:23:31,700 --> 00:23:34,820 gdpr 502 00:23:33,140 --> 00:23:38,320 things like that can apply to different 503 00:23:34,820 --> 00:23:41,419 groups and they should be aware of that 504 
00:23:38,320 --> 00:23:44,240 firewall configurations you want to 505 00:23:41,420 --> 00:23:46,190 start with a deny all rules if possible 506 00:23:44,240 --> 00:23:48,170 or is it close to it just make sure you 507 00:23:46,190 --> 00:23:50,390 don't lock yourself out of your firewall 508 00:23:48,170 --> 00:23:52,010 I have can't tell you how many times 509 00:23:50,390 --> 00:23:53,480 I've had to do a factory reset on a 510 00:23:52,010 --> 00:23:57,410 firewall because I've accidentally 511 00:23:53,480 --> 00:24:00,620 locked myself out never use any any any 512 00:23:57,410 --> 00:24:02,330 rules that's a mouthful meaning we're 513 00:24:00,620 --> 00:24:05,780 not just gonna let all traffic from all 514 00:24:02,330 --> 00:24:07,189 sources come in to any ports we want to 515 00:24:05,780 --> 00:24:08,540 make sure that you're regularly looking 516 00:24:07,190 --> 00:24:10,670 at your rules as you add new 517 00:24:08,540 --> 00:24:13,280 applications and services to your 518 00:24:10,670 --> 00:24:14,810 network you may open up new firewall 519 00:24:13,280 --> 00:24:16,670 rules and if you're not careful 520 00:24:14,810 --> 00:24:21,220 those rules may actually end up 521 00:24:16,670 --> 00:24:25,780 contradicting rules or earlier rules 522 00:24:21,220 --> 00:24:25,780 opening up your network and advertently 523 00:24:25,870 --> 00:24:30,639 the other thing is you also want to make 524 00:24:28,250 --> 00:24:33,290 sure that the rule order is is proper 525 00:24:30,640 --> 00:24:35,090 firewall rules typically go from the top 526 00:24:33,290 --> 00:24:38,060 bottom and whatever hits whatever rule 527 00:24:35,090 --> 00:24:42,350 matches first the firewall will take 528 00:24:38,060 --> 00:24:45,740 that and the one that I've seen a lot 529 00:24:42,350 --> 00:24:47,149 and I actually we need to make sure that 530 00:24:45,740 --> 00:24:49,520 doesn't happen is making sure that you 531 00:24:47,150 --> 00:24:53,000 don't have remote access to your 
532 00:24:49,520 --> 00:24:55,190 firewalls configuration if you need to 533 00:24:53,000 --> 00:24:58,730 have it make sure that it's tucked 534 00:24:55,190 --> 00:25:00,080 behind a VPN as I stated earlier 535 00:24:58,730 --> 00:25:02,330 vulnerability scanning is one of my 536 00:25:00,080 --> 00:25:03,800 favorite things so you want to learn 537 00:25:02,330 --> 00:25:04,220 what the hackers going to be able to see 538 00:25:03,800 --> 00:25:07,250 before 539 00:25:04,220 --> 00:25:11,450 they do you want to run both internal 540 00:25:07,250 --> 00:25:13,040 and external vulnerability scans because 541 00:25:11,450 --> 00:25:14,210 once once the hacker is inside your 542 00:25:13,040 --> 00:25:17,450 network they're also going to do 543 00:25:14,210 --> 00:25:18,800 additional recon and so you'll want to 544 00:25:17,450 --> 00:25:21,770 see what other vulnerabilities are on 545 00:25:18,800 --> 00:25:24,200 and the internal side of your network if 546 00:25:21,770 --> 00:25:26,750 you're developing applications you want 547 00:25:24,200 --> 00:25:28,490 to run some dependency checks we all use 548 00:25:26,750 --> 00:25:30,140 third-party libraries and so you want to 549 00:25:28,490 --> 00:25:31,910 make sure that those open-source 550 00:25:30,140 --> 00:25:35,150 third-party libraries don't have any 551 00:25:31,910 --> 00:25:37,160 vulnerabilities on them and then you 552 00:25:35,150 --> 00:25:40,010 also want to take care of those highs 553 00:25:37,160 --> 00:25:42,380 and critical vulnerabilities asap most 554 00:25:40,010 --> 00:25:45,560 should be your highest priority at Lucid 555 00:25:42,380 --> 00:25:47,980 we use open Voss and the OWASP 556 00:25:45,560 --> 00:25:51,770 dependency checker for our internal 557 00:25:47,980 --> 00:25:52,600 internal scans and for our dependency 558 00:25:51,770 --> 00:25:55,160 checker 559 00:25:52,600 --> 00:26:00,230 externally we use security metrics for 560 00:25:55,160 --> 00:26:03,800 our scans and 
finally we have our 561 00:26:00,230 --> 00:26:08,060 keeping our software up-to-date we want 562 00:26:03,800 --> 00:26:10,520 to patch regularly patching will help 563 00:26:08,060 --> 00:26:13,129 plug those holes that software may have 564 00:26:10,520 --> 00:26:17,180 accidentally left open or as new attacks 565 00:26:13,130 --> 00:26:19,370 start to become prevalent we can stop 566 00:26:17,180 --> 00:26:20,930 those from happening we don't want to 567 00:26:19,370 --> 00:26:22,370 use software that's no longer supported 568 00:26:20,930 --> 00:26:25,100 by the vendor 569 00:26:22,370 --> 00:26:27,399 it's called sunsetting we may have heard 570 00:26:25,100 --> 00:26:30,379 that with Windows XP and Windows Vista 571 00:26:27,400 --> 00:26:32,360 but just as a heads up Windows 7 will be 572 00:26:30,380 --> 00:26:34,280 sunsetted no longer be supported meaning 573 00:26:32,360 --> 00:26:36,979 that there's not going to be anymore 574 00:26:34,280 --> 00:26:40,430 patches for Windows 7 starting in 575 00:26:36,980 --> 00:26:44,140 January 2020 so you want to be prepared 576 00:26:40,430 --> 00:26:47,060 for that I was trying to look for when 577 00:26:44,140 --> 00:26:49,610 Windows Server 2012 was actually gonna 578 00:26:47,060 --> 00:26:53,210 be sunsetted but I couldn't find a date 579 00:26:49,610 --> 00:26:54,620 that really meant anything but probably 580 00:26:53,210 --> 00:26:58,460 one of the bigger things is using 581 00:26:54,620 --> 00:27:01,459 outdated software like Office Office is 582 00:26:58,460 --> 00:27:03,530 littered with vulnerabilities I think I 583 00:27:01,460 --> 00:27:08,420 get updates for office maybe twice a 584 00:27:03,530 --> 00:27:09,980 week and so using old old outdated 585 00:27:08,420 --> 00:27:14,480 versions of office will leave you 586 00:27:09,980 --> 00:27:16,310 vulnerable to malware type attacks and 587 00:27:14,480 --> 00:27:17,780 then you also want to make sure that you 588 00:27:16,310 --> 00:27:22,730 want 
keep track of the software that's 589 00:27:17,780 --> 00:27:23,180 being used in your environment and now 590 00:27:22,730 --> 00:27:24,800 it's over 591 00:27:23,180 --> 00:27:29,810 you guys made it through my presentation 592 00:27:24,800 --> 00:27:35,560 so are there any questions out there for 593 00:27:29,810 --> 00:27:35,560 me great well thank you