Greetings everyone. I'd love to be able to tell you that all things online are safe, happy and doing well, but I can't. The numbers are in and it's still a mess out there: despite a short drop back in October, cyber attacks are on the rise again. Cybercrime, espionage and hacktivism are still the top motivations behind these attacks. Let's try to make some sense of how we can deal with these threats, shall we? Today we have the pleasure of speaking with Christopher Edwards, a respected cybersecurity expert. Christopher, as we just saw, these types of threats have existed for years. Why is that? And what makes their prevention such a tough challenge for companies today?
>> Well, the volume and sophistication of cyber threats has grown in recent years, making it difficult for security teams to keep up. Beyond managing the risk associated with a relatively known set of core applications that are authorized and supported in the enterprise, security teams must now really manage the risk associated with a practically infinite number of unknown personal technologies, applications and apps that have to be used in the organization.
>> So are you saying that the threats are moving targets and we users are compounding the problem by bringing our devices to work with us?
>> Yes, exactly. Devices now are used for both work and non-work activities, meaning they must be tolerated, but not completely trusted. The challenge now is not only to allow work-related application traffic while blocking non-work-related traffic; it also has become increasingly difficult to classify applications as either good, which would be allowed, or bad, which is what we'd want to block, in a clear and consistent method. So, many applications are clearly good, low risk, high reward, or they're clearly bad, which would be high risk and low reward. But most of them are somewhere right in between, depending on how the application is being used.
For example, many organizations use social networking applications such as Facebook. They use it for important business functions such as recruiting, research, development, HR, marketing, consumer advocacy. However, those same applications can be used to leak sensitive information or cause damage to an organization's public image, whether inadvertently or maliciously.
>> I see. So the devices must be tolerated and certain apps need to be allowed for sanctioned purposes, but blocking non-sanctioned apps for the people not authorized to use them shouldn't be that hard with a firewall, right?
>> Well, sadly, no. Many applications are designed to circumvent traditional port-based firewalls, so that they can be easily installed and exist on any device anywhere and anytime, using techniques such as port hopping.
>> Port hopping? What is that? It sounds like a game. [LAUGH]
>> Yeah, well, port hopping is a tactic many applications use to make them harder to restrict. Every computer has 65,535 ports for TCP and another 65,535 ports for UDP, which is a lot of doors and windows for applications and programs to use. So some of the security problems start when ports and protocols are randomly changed during a session. Then there's the use of non-standard ports, such as running Yahoo Messenger over TCP port 80, which is HTTP, instead of the standard TCP port for Yahoo Messenger of 5050.
>> So do most applications have dedicated ports they use for communication?
>> Well, some still do, yes. However, years ago, a shift started in the industry because legacy firewalls would block the applications on their standard port. So the industry started evolving and many lately reuse the same ports other applications use. This is because developers of those applications wanted people to use their apps and didn't want them blocked by security teams, which is why legacy firewalls no longer are effective for stopping the attacks and malicious software.
>> Gosh, so that's tough then.
There's more than just the attackers challenging security teams; everyday application developers are too?
>> Yes, exactly. So on top of that, next we have tunneling within commonly used services, such as DNS packets getting stuffed, trying to sneak malicious software exploits into the network, or when peer-to-peer file sharing or instant messenger clients like Meebo are running over HTTP.
>> Now, remind me again, what is HTTP?
>> That's Hypertext Transfer Protocol, which is the way you would view web pages.
>> Okay, so I heard once that's called port 80 traffic. How is that then different than port hopping?
>> Well, if an application reuses a common port like 80 for its traffic, the firewall could still see the traffic as what it really is, just on a different port than normal. So tunneling is dangerous because it hides the unwanted traffic within the common HTTP protocol. It's like having a special straw or a pipe that cuts across the Internet and you're sending all your traffic through it. Security teams can't block HTTP without blocking all access to regular web pages. And finally there's hiding traffic within SSL-encrypted sessions, which masks application traffic, for example TCP over port 443, which is HTTPS.
>> Well, how is that HTTPS, or the encrypted stuff, different than just HTTP tunneling?
>> Well, the tunneling part is the same. The difference is now that the traffic you are passing through that tunnel is SSL encrypted. It's all scrambled up, making it even harder to distinguish from normal Internet traffic.
>> Wow, so each of these tactics is used by attackers and even well-meaning application developers to sneak traffic past a firewall?
>> Well, it's not that black and white. Those tactics make it harder for firewalls to identify traffic, yes. But nowadays, many traditional client-server business applications are being redesigned for increased web usage. To do so, they employ these same techniques for simplicity and reliability reasons.
For example, Microsoft RPC, remote procedure call, and SharePoint both use port hopping because it is critical to how the protocol or application functions, rather than to evade detection.
>> I see, so we should just accept that port hopping and tunneling and encryption are just part of life now, and we can't or shouldn't even block them, and just live with them?
>> Okay, so, well again, yes and no, it really depends. Businesses need to determine for themselves what is a risk to them on a per-technology and even really a per-application basis. Anything can be twisted by an attacker and weaponized, such as what was done with Skype users in Syria. There is a malware called Flame, the Flame malware discovered in 2012, that had components that would literally reprogram a portion of the Skype application, enabling a third party to spy on individuals, while it would otherwise appear to be a legitimate Skype install. And as applications become increasingly web enabled, browser-based HTTP and HTTPS now account for approximately two thirds of all enterprise network traffic. Traditional port-based firewalls and other security infrastructure are just unable to distinguish whether these applications riding on HTTP and HTTPS are being used for legitimate business purposes. Thus applications, including malware, have become predominant attack vectors to infiltrate networks and systems, and they're very effective.
>> Okay, so the problem is just very big then. That certainly explains why the attacks continue despite a massive industry working to prevent them. Network traffic isn't anymore what it may appear to be, and even our applications can be tunneled or turned against us. So could this be a reason why companies are moving portions of their operations to the cloud?
>> Well, now, cloud certainly has its benefits; however, there is also turbulence in the cloud.
>> [LAUGH] Turbulence, why do you say that?
>> Well, cloud computing technologies enable organizations to evolve their data centers from a hardware-centric architecture, where applications run on dedicated servers, to a dynamic and automated environment where pools of computing resources are available on demand to support application workloads that can be accessed anywhere, anytime, from any device. However, many organizations have been forced to make significant compromises with regard to their public and private cloud environments, and they end up trading function and visibility and security for simplicity or efficiency and agility. If an application hosted in the cloud isn't available or responsive, network security controls, which all too often introduce delays and outages, are typically streamlined out of the cloud design, thereby making it more vulnerable.
>> Wow, it seems the cloud is a focus on uptime then, as opposed to security, right?
>> Well, yeah, cloud can include security, but cloud security often comes with some trade-offs, such as simplicity or function or efficiency or visibility or agility or security. So essentially you are correct, many of the features that make cloud computing attractive to organizations run contrary to network security best practices.
>> Interesting, so what are some of these best practices you mentioned?
>> Well, first, cloud computing doesn't mitigate existing network security risk. The security risks that threaten your network today don't go away when you move to the cloud. In some ways the security risks you face when you move to the cloud even become more significant. Many data center applications use a wide range of ports, rendering traditional security ineffective, and the attackers are creating sophisticated, port-agnostic attacks that use multiple vectors to compromise their target and then hide in plain sight, using common applications to achieve their objectives.
Then second, separation and segmentation are fundamental to security. The cloud relies on shared resources.
>> How does separation make things more secure?
>> Well, security best practices dictate that mission-critical applications and data be separated in secure segments on the network based on zero trust principles. On a physical network, zero trust is relatively straightforward using firewalls and policies based upon application and user identity. In a cloud environment, direct communication between virtual machines, also known as VMs, within a server host occurs constantly, in some cases across varied levels of trust, making segmentation a real challenge. Mixed levels of trust combined with a lack of intra-host visibility by virtualized port-based security operatives may weaken your security posture. And then finally, security deployments are process oriented and cloud computing environments are dynamic. The creation or modification of your virtual workloads can often be done in minutes, yet the security configuration for this workload may take hours, days or weeks. So security delays aren't designed to be burdensome; however, they are the result of a process that is designed to maintain a strong security posture. The thing is, the policy changes need to be approved, the appropriate firewalls need to be identified, the relevant policy updates determined. In contrast, virtualization teams operate a highly dynamic environment with workloads being added, removed and changed rapidly and constantly. And the result is a disconnect between security policy and virtualized workload deployment, leading to a weakened security policy. So I mean you have your.
>> It sounds a lot like you just hate cloud.
>> Well, absolutely not, absolutely not, I don't hate the cloud, I love the cloud. The cloud is just newer and thus less understood by most security teams.
Security in the cloud is catching up, and businesses need to approach cloud with their eyes open, because only recently has it become possible to implement proper security for data in the cloud. That's all I'm saying. It's like we've got to make sure that security is there appropriately.
>> Okay, fair enough. Against that backdrop of modern computing environments, BYOD and popular technology trends like cloud, thousands of cyber attacks are perpetrated against enterprise networks every day.
>> Yeah, that's absolutely true. Unfortunately, many more of these attacks succeed than are typically reported in the mass media. Some recent high-profile examples, such as the attack on Target in late 2013: Target discovered that credit and debit card data from 40 million of its customers and the personal information of an additional 70 million of its customers had been stolen over a period of 19 days, from November 27 to December 15 in 2013.
>> [LAUGH] I remember that one, I got a new credit card thanks to that attack. How exactly did that attack happen?
>> Well, the attackers were able to infiltrate Target's point-of-sale systems by installing malware believed to be a variant of the Zeus financial botnet. It actually came in through an affiliate company that did business with a heating, ventilation and air conditioning contractor that did business with them. Their system connected to Target's, with credentials from an online portal that Target's vendors use. And then by February 2014, the estimated costs associated with the Target data breach had already exceeded 200 million US dollars, and lawsuit settlements in 2015 totaled another 116 million more.
>> So they snuck in through a non-employee computer system and stole my credit card information. That's amazing, I had to get a credit card replaced several more times after the Target breach. Did anyone else get hacked, someone else that I shop with or that I use?
>> Well, I don't know where you shop. Do you go to hardware stores or any place like that?
>> Yeah.
>> Okay.
>> Yeah, I shop at Home Depot and a bunch of places like that.
>> Well, okay, so in September of 2014, Home Depot suffered a data breach that went unnoticed for about five months or so. And very much like the Target data breach, the attacker used a vendor's credentials and exploited a zero-day threat based on a Windows vulnerability to gain access to the Home Depot network. And so-called memory-scraping malware was then installed on 7,500 self-service point-of-sale terminals to collect 56 million customer credit card numbers in the US and Canada.
>> 56 million people, wow, that must have really hurt Home Depot's reputation.
>> Yeah, as of October 2015, the data breach had cost Home Depot over 232 million and was expected to ultimately cost the retailer much, much more.
>> Okay, so are these attackers just out to steal credit card info? Surely if that were the case, we would just stop using credit cards.
>> Well, you'd be surprised to know that attackers can make money from having virtually any piece of information about a lot of people. I tell people all data is money, just some data is worth a lot of money and other data is worth not so much, but personal information or credit card data is worth quite a bit. And in February of 2015, the health insurance company Anthem disclosed that its servers had been breached, and PII, personally identifiable information, which would include names, Social Security numbers, birth dates, addresses, income information and even your mother's maiden name, for approximately 80 million customers had been stolen.
>> That's incredible, so they just sell that info on the black market or something?
>> Exactly, exactly.
>> Wow, just my luck. How did the attackers steal the data from Anthem then?
>> Well, that breach occurred on December 10 of 2014, when the attackers successfully compromised an Anthem database using a database administrator's credentials. The breach wasn't discovered until January 27 of 2015, when the database administrator discovered a questionable query was being run with his credentials. And the cost of the breach is expected to reach 31 billion dollars.
>> Wow, this sounds a lot like a plot from a Hollywood movie. Are there any other big breaches that you want to scare us about?
>> Well, sure, I'll give you one more. The last one I want to share with you is with our own beloved government, the US Office of Personnel Management, the OPM for short. They have had two separate data breaches, discovered in April and June of 2015, that resulted in personal information, including names and birthdates, Social Security numbers and other sensitive information, of approximately 24 million current and prospective federal employees, including their spouses and partners, being compromised. The breaches are believed to have been linked to the Anthem data breach and may have originated in China as early as March of 2014.
>> Hey Christopher, each of those you mentioned has affected me and millions of others in significant ways. So the situation right now is cyberwar, right? The attackers versus businesses and even governments. How have our prevention tactics changed as a result of these big breaches?
>> Well, some important lessons to be learned from these attacks really include how the methodology has changed over the years. Now it's a low-and-slow cyberattack that can go undetected for weeks, months or even years, where the attacker just gets in there and hides and burrows in. An attacker doesn't necessarily need to run a sophisticated exploit against a hardened system to infiltrate a targeted organization.
Often they'll just target an auxiliary system or an affiliate's vulnerable endpoint, then do what we call a pivot, and then the attack will move towards the primary target. And the direct and indirect financial cost of a breach can be devastating for the target organization and the individuals whose personal and financial information is stolen or compromised.
>> Don't I know it. [LAUGH] It's amazing the lengths the attackers go to and the hoops they jump through to pull off these attacks. Are they all just trying to make a quick buck or score some mega millions? I mean, who are these attackers and what's driving them to ruin the lives of so many other people?
>> So in a book called The Art of War by Sun Tzu, there is a statement that hackers live by, or security professionals live by, which is "know thy enemy, know thyself; a thousand battles, a thousand victories." That is to instill the importance of understanding your strengths and your weaknesses, and the strategies and tactics of your adversary as well as your own. It reminds me of the Godfather saying, where he says, keep your family close, but keep your enemies closer, right? So it's all about knowing what the other guy is going to do. So in modern cyber warfare, a thousand battles can happen in a matter of seconds, and a single victory by your enemy can impair your entire organization. So knowing your enemies and what they can do, their means, their motivations, that's extremely important nowadays. So the relatively innocuous, good old days of hackers and script kiddies, where the primary motivation of a cyber attack was just to gain notoriety or mess up your website or cause some kind of little embarrassment or inconvenience to the victim, those are gone. Now it's all about trying to get out there for a free-for-all of collecting all your information and selling it on the dark web.
However, modern cyber attacks are perpetrated by far more sophisticated and dangerous adversaries. They're motivated by more sinister purposes.
>> Okay, so what do we call these modern adversaries? And why are they causing all this to happen?
>> Well, there are many, or at least several, motivations out there, but the four main motivated groups are, well, the first would be cybercriminals, which typically act independently or as part of a criminal organization. Cybercriminals commit acts, obviously to drive revenue, of data theft, embezzlement, fraud, or extortion for financial gain. And according to the RAND Corporation, in certain aspects the black market for cybercrime can be way more profitable than the illegal drug trade. And by many estimates, cybercrime is now a $1 trillion industry. Holy cow!
>> So essentially digital thugs out to make money. No surprise that that's the top motivation. What else is there?
>> Well, second, we have what we call state-affiliated groups or state-sponsored groups, where we have nation states. These are organizations that literally have the resources to launch various sophisticated, persistent attacks. They recruit various talented people with technical skills, they have great depth and focus, they're well funded, usually have ties to the military, and they're very strategic in their objectives. And they have the ability to disable or destroy critical infrastructure, including power grids or water supplies, transportation systems, emergency response, medical and industrial systems. The Center for Strategic and International Studies reports that at the nation-state level, Russia, Iran and North Korea are using coercive cyber attacks to increase their sphere of influence, while China, Russia and Iran have conducted a lot of reconnaissance of networks critical to the operation of the US power grid and other critical infrastructures, without any penalty or report right now.
>> Wow.
So the US government or military would fall into that same group, right? I mean, last year it was all over the news how the US didn't want to call out China for cyber attacks because the CIA and NSA were doing the same attacking right back, weren't they?
>> Yes, that's very true.
>> So we have cybercriminals, nation-state groups. Is there anyone else?
>> Yes. Another one that can be just as dangerous would be called hacktivists.
>> Hacktivist, like a hacker activist, hacktivist?
>> Yes, exactly. And the reason why they're so dangerous is because the hacktivist is motivated by political or social causes, activist groups such as Anonymous. They typically execute denial-of-service attacks against a targeted organization, or they deface their websites or flood their networks with traffic, rendering them unable to operate.
>> Interesting.
>> Yes. Then also, I guess the fourth group would be the cyber terrorists. Terrorist organizations use the Internet to recruit, train, instruct and communicate, as well as to spread fear and panic in order to advance their ideologies. And unlike other threat actors, cyber terrorists are largely indiscriminate in their attacks, and their objectives include physical harm, death and destruction.
>> Like we saw ISIS do these past few years, right?
>> Yes, correct. Exactly.
>> So those four groups are the majority of attackers out there.
>> Yes, those four groups are what we call the external threat actors. The external threat actors also include former employees and other unaffiliated or otherwise unknown actors. External threat actors have accounted for the majority of data breaches over the past five years.
>> Okay, so because you mentioned external threat actors, I have to assume there are other, maybe internal, threat actors, right?
>> Spot on. So internal threat actors, over that same period, were responsible for about 10 to 20 percent of the reported data breaches.
>> That's not an insignificant percentage either.
What's the difference between internal versus external threat actors?
>> Well, with the external threat actors, there's no trust or privilege that previously existed, while with the internal or partner actor, some level of trust or privilege has previously existed. The actor may be an individual or an organization. The incident could be intentional or accidental, and its purpose malicious or benign in its origin.
>> So an internal employee can accidentally cause a breach?
>> Yes, they can. And that was the case that we saw with the Anthem breach.
>> That's right. Yeah, that is scary stuff indeed. Well, thank you, Christopher, for taking the time to speak with us about these cyber threats. I know our viewers appreciate your time and your efforts in helping keep us all safer in this modern and digital battleground.
>> Hey, it was my pleasure, really. Have a great day.
>> Thank you.