Cyber Crime Junkies

How To Prepare For A Data Breach. Expert Chris Loehr

January 23, 2023 Cyber Crime Junkies-David Mauro Season 2 Episode 9

Ever wonder how to prepare for a data breach and How To Best Handle A Data Breach, once BOOM hits? We discuss how to prepare for a ransomware attack, how to best prepare for a data breach and types of data that small businesses and organizations are keeping that cause great risk. In learning how best to prepare for a data breach you can limit the damage to your organization.

EVP and CTO of Solis Security joins us. Connect with him on LinkedIn to learn more: https://www.linkedin.com/in/chrisloehr/ and at Solis Security https://www.solissecurity.com/en-us/ where he oversees a team of cybersecurity professionals addressing the firm's Incident Response efforts.

Learn how to best handle a data breach.

Thanks for listening & watching!

-David, Mark, Kylie and Team @CCJ
Try KiteWorks today at www.KiteWorks.com

Don't Miss our Video on this Exciting KiteWorks Offer!
The Most Secure Managed File Transfer System. 
How To Prepare For A Data Breach -Chris Loehr

PROMO VIDEO: https://youtu.be/1z8tDufcjI4

VIDEO Full EPISODE: Goes Live: https://youtu.be/EQP-sImE0cA

[00:00:00] Lucky to work for a great group of people you really believe in. Find yourself making an impact. Technology is a river that flows through every aspect of an organization, and today is different. We put ourselves and our organizations literally at risk of complete destruction every single time we get online.

[00:00:23] One click, one distraction is all it takes. Hi, Cyber Crime Junkies, this is your host David Mauro, along with co-host Mark Mosher. Come join us as we explore our research into these blockbuster true cyber crime stories, along with interviews of leaders who built and protect great brands.

[00:00:46] And now the show.

[00:00:58] Hey, welcome everybody. I am David Mauro, host of Cyber Crime Junkies. Welcome to the show. I am joined in the studio today with my fantastic, always positive co-host, Mark Mosher. Mark, how are you today, man? Good. Good. How are you, David? Doing well. So we're, I'm excited about today's topic. In today's discussion, we're gonna be talking about how to prepare for a data breach and incident response, from one of the leaders in the industry.

[00:01:26] We're joined by Executive Vice President, CTO at Solis Security, Chris Loehr. Chris is a brilliant human and a solid guy, who also currently serves in a role at Solis Security, CFFC Response, which is a division of CFFC Underwriting. We'll get into that. He oversees a team of cybersecurity professionals where they handle the firm's incident response, and a whole host of mentoring and collaboration with small, mid-size businesses and enterprise organizations across the country.

[00:01:57] Chris, welcome sir. [00:02:00] Hey, I appreciate you being here. It's a fantastic opportunity to talk to you guys and your. Yeah, no, we're really excited. We can follow you around and do that same introduction every time you walk in a room, so yeah, I can walk into every remote meeting. You can just have me on Zoom.

[00:02:15] I'll just pop in, do that and go. And now Chris Loehr and I just need some theme music to go with that, right? Yeah, I know. I've got, we've got it. It's on a button right here, so it's fine. So, for, so our audience is mixed, right? We've got business owners, we've got people in the cybersecurity field, IT, we've got people that are a lot of entrepreneurs, a lot of brand specialists.

[00:02:38] So our audience is all over the place. So what I like to do is kind of explain your role, and when you need to use acronyms and things like that, I'm just gonna ask you to explain it in English for us, right? Oh, is that fair? No, that's the way I do it anyway, so it should be, yeah, I figured.

[00:02:53] I figured. So tell us about your current role. What do you do? And then let's back into kind of how you got there. Yeah, so my current role is I wear a number of hats with Solis. So just to case I saw that. Yeah. So Solis, you know, half our secure, half our business is incident response and half our business is.

[00:03:12] Cybersecurity. So we started doing cybersecurity for banks 20 years ago, and that's all we did. You know, back then it was information security, and a lot of the terms that we use today, fancy terms, we didn't have back then. But back then the banks were kind of forced to do security. Right. They actually had regulations, didn't they?

[00:03:31] Yeah, I mean they, in terms of all the verticals, right? We see healthcare catching up. Legal is still way behind in a lot of spots, but. Definitely. But the banks have been leading the way, and I've always told people, hey, even if you're not a bank, if you wanna reference an industry that's had to do it and do it for a long time, reference the banks. Their regulations and guidance are really good.

[00:03:52] So anyway. So our incident response business, you know, it's about four to five years we did that. We just kind of stepped into it. I [00:04:00] had a, was at a peer group meeting. There was a friend of mine, they had a particular case, ransomware case. Somebody just called him out of the blue and he said, hey, we don't do this, can you?

[00:04:08] And we said, sure. And we worked that case, and it just happened that that particular case had an insurance policy, and behind that insurance policy was a company called CFFC. And they let us do the work, and they liked it, and the relationship grew. Oh yeah, yeah, exactly. Very quickly. So they were like, hey, you wanna take on everything?

[00:04:30] And we said, sure. And so we quickly did that. And so since then I had a lot of focus on the incident response side. The team that reports to me is the business resumption team. And in layman's terms, it's the first responders when somebody gets hit. And usually it's a ransomware attack.

[00:04:47] So that's what we do. And that's work around the clock seven days a week. It's crazy. Yeah. And so in a typical scenario now an organization gets struck live by ransomware. You know, we recently spoke with Robert Cioffi who was telling us about his massive ransomware attack. He was part of the massive Kaseya attack. He owns an MSP, as you know.

[00:05:07] Mm-hmm. You know him and, and yeah, exactly. And he was telling us how literally he was trying to communicate with some clients during the attack and saw his files be encrypted and go. Like live. Yeah. And so when that happens, you, Solis Security is somebody that they can call. Now generally when they call their insurer, they will have somebody that either has Solis Security or somebody like you guys, right?

[00:05:36] That is usually correct. Yeah. So most can, there's two ways it kind of works. The carriers themselves, they usually have some method of contacting them. You know, it could be through a website, it could be through a web app or a phone number. Sometimes your first call may be a lawyer. Then that law firm will engage an incident response firm that they have a relationship with, that the insurance carrier has approved.

[00:05:57] Or like in our case, in other carriers, the [00:06:00] incident response firm calls you first, determines whether or not you know what's going on, you know, what the impact is, what kind of degree, and then we bring the law firm in. So that's pretty much the two use cases that can happen. And if you have cyber insurance, it's a good idea to find out how that works at a high level, because you don't want to find it

[00:06:20] in the middle of a fire. Well, yeah, that's exactly right. We were talking to Lester Chang, who is head of security over at BMO Bank, and he was saying how, like, to build operational resilience, there's, like, practice that, right? Roll, like go through at least annually. Go through and, because if you have policies that's great, but.

[00:06:42] It hits the fan, you're not going to be able, you're not gonna know. It's almost like a living RACI document, right? You're not gonna know who needs to be aware of something. You're gonna make errors. Right. And it could really cost you. And so doing that, yeah, it is important, and when I talk about this or when I

[00:07:01] conduct or facilitate tests as well, what we try to do is, instead of just running through, like, a monotone script of a scenario and getting it done in 15 minutes, you know, we try to add as many elements into that to determine whether or not the people that are filling those roles are the right people during that time.

[00:07:19] I mean, you could have a person that's perfectly cool, calm, you know, during the normal workday, but when they're put in a pressure situation, you may have never seen how that person reacts. And the last thing you want to do is put somebody like that in a critical role, in a disaster or incident response situation, and they just flake out or get upset or.

[00:07:38] You know, teamwork is super key at that point. Yeah. So really going through the rehearsals more than just not knowing the stats, but just knowing the people and knowing, hey, do I have the right people in the right seats during an incident situation? Well, that's, that's a great point cuz I think a lot of times organizations overlook that aspect, like the person can be completely qualified, have the right skill set.

[00:07:59] [00:08:00] But you don't know how they're gonna execute, given the scenario that they're in, until you put 'em in that scenario. So that's a really great piece. I'm glad you shared that, Chris. Yeah. And especially not to, I mean, pick on 'em, is if you have, so especially in the small business world, you have, you know, usually single owners, and those people, their business life.

[00:08:20] Their life flashes before their eyes when these things happen. I mean, they immediately see the bad that could happen out of this, their business could close down. They may have to lay off employees. I mean, there's a number of different things that could be the outcome of one of these attacks. And, and they usually are the ones that freak out the most.

[00:08:37] It's amazing. And you know what I usually say is the first 24 hours after one of these events, it's pretty. People are pretty cool, but it's after that first day kind of, they, things set in, and that's where you start to really see those emotions pull up. And a lot of times they take it out on, you know, the lawyers or ourselves, which, you know, unfortunately, we didn't put them in that situation.

[00:08:57] We're trying to help them get out of this situation. So it's. It gets really, really difficult in certain times. I mean, I'm not gonna say it's every time, but in certain times you really have to deal more with emotions than you ever thought you would have to in these types of situations. Yeah, and it's a tricky scenario if you want to test how somebody does under a time of crisis and severe pressure.

[00:09:21] Right. If you don't practice that ahead of time, right, you're really not gonna know. Are you finding, when you get in that scenario, are you finding organizations that are well-equipped and prepared? So it's interesting, because they've heard of ransomware, but they've never really practiced.

[00:09:41] What do we actually do? I have a lawyer. I have an insurance policy. I'll find that in my file drawer on my PC and call them, whoever I'm supposed to call. If that ever happens, they won't hit me. I work in Kansas. Don't worry about it, I'm too small. Right. That's exactly. It is absolutely not true. No, it [00:10:00] is absolutely not true.

[00:10:01] Or, you know, I would say a couple years ago, the attitude overall was it'll never happen to me. Mm-hmm. I would say these days that more people now know of someone that has been hit. Correct. So at least it's a little better, but they, you know, so they are somewhat prepared. But it's interesting because, you know, we talked about knowing, if you have one of these situations, who to call and how that kind of process.

[00:10:25] We do have policy holders that will call us ahead of time and go, hey, you know, we really kind of want to understand this. Do you mind getting on the phone and talking us through this? You know, so we can update our plan. Definitely. You know, we'll spend 15 to 30 minutes to do that, and guess what? Those people never call in a claim, cuz they're incredibly prepared, and it's the sign of their maturity.

[00:10:45] Right, right. And so that, but most of the time it's not the case. This is their first scent of a cyber incident. And usually it's a bad one. Typically it's not a minor one, it's full blown. You're down, dead in the water. What are you gonna do type situation? And they're not prepared at all.

[00:11:04] And if we do find somebody with a plan, that plan is not reflective of anything that you would do in reality. My personal experience, Chris, has been that ransomware has got, and I'm basing this on conversations with organizations that have gone through ransomware attacks, that the extent and harm that it causes

[00:11:27] in the last year or two is exponentially worse than it was five years ago. Is that because of the evolution of the ransomware gangs? There was LockBit 1.0, now there's LockBit 3.0, like it's getting more harmful. Or are you not seeing that, it's always been bad? No, it is definitely worse, in my opinion.

[00:11:46] In different degrees. Right? You're seeing more. So when we first started this, there wasn't necessarily a particular type of victim. I mean, even back then, small, medium [00:12:00] size, large, didn't matter. Nonprofit, for-profit. They could care less what business or whatever you're in, if you were a charity and just basically doing everything you can to stay afloat to, you know, to

[00:12:11] do the things that you're supposed to do from a charity perspective, they didn't care. So we've always seen that kind of attitude. I think what we have seen is more organization around these groups, kind of behind this, more sophistication just with their processes and tools. I mean, these groups recruit people.

[00:12:28] They, yep. They buy tools. They, you know, they do a number of different things, but I think the marketplace, if you want to call it that, that's this criminal marketplace behind all these things, where people are going out stealing credentials, and then trying to figure out if they can access a particular network, and then turning around, packaging that up and selling it to these groups, and they're buying it and going and doing their thing with it.

[00:12:51] Whether it's just going in and stealing data, or stealing data and encrypting, or whatever attack they're doing. There's just a ton of money and I. You know, the phrase I always use, it's the highest reward, lowest risk business you can be in from a criminal perspective, because absolutely the chances of them actually figuring out who you are, and then finding you, and then extraditing you, and then indicting you, and you serving any kind of meaningful time with the way the laws are written.

[00:13:15] I mean, why not? If you can make six, seven figures in an. And not get caught. Hey, keep it up. It's easier and better than robbing a convenience store. Right. And yeah, and speaking with people that are affiliates in those ransomware gangs on the dark web, like we've done, or speaking with people that are in regular contact with them, there are rules of engagement, right?

[00:13:39] If they live in a country that doesn't really have extradition with the United States, so long as they don't go after organizations that are tied to that country, they're left. Yeah, and it's just about making money. And when we talk money, we're not talking a new. Or a new house even. Right. We're talking buy an island type thing.

[00:13:56] Yeah. You're exactly, it's, I mean, the people behind those groups are [00:14:00] amassing a lot of money, and I've always said it, even before the Russia-Ukraine conflict, and people ask about this. Mm-hmm. It's like, if you're Russia, let's just, you know, not all these, mm-hmm, people emanate outta Russia. But let's just say, for argument's sake, they do, for the, the majority of 'em do.

[00:14:15] I mean, if you're. You have this massive amount of money being transferred out of the United States and other western countries into Russia. I mean, why are you gonna upset that, right? You're gonna, right. That's great. I mean, that's revenue coming into my country. That's turning into tax revenue usually, somehow, someway.

[00:14:32] Yeah. And so there's really no motivation with law enforcement over there to do much about it. They'll do it, in my opinion. They, you know, in the past, prior to the conflict, I believe that there were some busts that were, I would, primarily symbolic, like the REvil, like the REvil takedown, like.

[00:14:52] They had a, you know, the microphone in the guy's face, it was like a 60 Minutes episode. Like they called 60 Minutes ahead of time. Right, exactly. Right. And who knows, that person was low level, medium level. I mean, you never hear anything from that perspective. So yeah, it's, but you're right, they do.

[00:15:08] But I'll say that's a change. I will say, in the past, the rules of engagement were better, like they were. Mm-hmm. Like you there, you know, I don't know if that's in today's segment, but there was that children's, I think it was Children's Hospital or whatever. Yes. The kids up in Canada, and it was LockBit 3.0.

[00:15:28] Yes. That's an example where they're like, hey, our bad, here's the decryptor. And they, you know, supposedly fired that affiliate. That was, and for most, what is an affiliate? Think of an affiliate as a contractor. Yeah. It's like an independent contractor, salesperson. You go exactly right. You go, you eat what you kill.

[00:15:46] We'll give you a generous portion, and they can make millions of dollars. Right. And we don't know you, you don't know us. So even if you get taken down, you don't even know who we are. And it's a phenomenal organized [00:16:00] model. Right, right. I mean, in terms of efficiency ex, oh, it's, you know, some people get kind of chills at their back when I kind of talk about this.

[00:16:08] Cause they think that I'm actually kind of giving these guys props, and I'm not really giving 'em props. Not at all. When we use the term organized, they are incredibly organized. I mean, they have structure, organizational structure. They have a hierarchy, like I mentioned earlier. They recruit people, they have campaigns to recruit people.

[00:16:26] It's very similar. Court contest I tried to participate in. Yeah, right. LockBit 3.0 has got the tattoo contest. I had to hold Mark back from participating. Hey, you get a thousand dollars and you get to become an affiliate. Yeah. Like he was like, think of the cool hat I can get, man. It would be like, and the story I could tell. I'm like, don't, don't even, get off the dark web and let's go back to work.

[00:16:49] That's exactly, close the laptop and back. So let's back up a little bit, Chris. How did you get to where you are? Like when you were a kid, there wasn't cybersecurity, like, at least when I was a kid, there wasn't. That's pretty funny. There wasn't, you know what I mean, kid, there wasn't a, how did you first get the taste for it?

[00:17:07] Like, well, when I was a kid, so I, you know, back then you had modems and you could dial into places and mess with things. Mm-hmm. So you might be able to dial into. Back then, sophistication was if their environmental controls were able to be remote accessed from a modem. So you could dial in and turn the air conditioner way down or turn the heat up and do that type of stuff, right?

[00:17:29] And you could only do so much with the modem. And that was the thing. I mean, there were people doing other things, like getting free long distance and all that kind of cool stuff, right? So oh yeah. The phreakers, we've spoken with a lot of people that got started doing that, black box, blue box.

[00:17:42] I mean, all those. Right, exactly. Yep. So I actually did, I had a BBS and all that kind of stuff, and we was getting software, you know, and that was, you know, zero-day warez was the term, man. If you got that the day it came out, right, it might take you seven hours to download it, but you got it, and then, you know, [00:18:00] really I kind of.

[00:18:01] In high school, I didn't do anything from a computer perspective that much, right? Mm-hmm. I had a job and girlfriend and all that kind of crazy stuff, right? And so when I got to college though, I was a business major, and there was a fraternity brother of mine that was two years older, that was in a degree called Management of Information Systems in the business school.

[00:18:19] Mm-hmm. And he told me about that cause I didn't want to program. And I said, all right, I'll do that. That looks pretty cool. So I did that, and then when I got outta college, I went to work for a private company that was big at the time. The largest privately held collections company, debt collections company, started doing real estate collections and credit cards.

[00:18:37] Massive growth, but, he has now passed away, but the founder and CEO of that company, he was incredibly paranoid about security. And I mean, to the point where there were bug sweeps, our head of security. Oh, oh wow. Yeah. The head of security was a guy who was retired from the security, physical security paranoia.

[00:18:55] That's, yeah. He was incredibly paranoid. He didn't trust anybody. Literally. That was, I mean, you learned that in onboarding, like, you know, he didn't trust, it's a great experience for going into the banking industry. Right? That's exactly right. That thing shut down. The, there's a whole history lesson probably, but anyway, then I got into the banking world.

[00:19:11] He wasn't the guy down in Kansas City? No, he was in Tulsa. Oh, Tulsa, okay. Yeah, so he was Tulsa. So it's kind of weird cause that company was CFS, and so there's, oh wow, interesting. Three-letter CF acronyms were killing me. But yeah. So then I got into banking, and that's where I got my taste of regulations, right?

[00:19:31] But when I went to that bank, that bank had recently been acquired by a group that took it public. And at the same time, this group, the small group, going to then flip it, and it was kind of their retirement plan. They'd been in banking a long time, a number of them, and they said, we're gonna get together.

[00:19:47] We're gonna take this bank. There's a hundred year old bank, we're gonna flip it. And it took a little bit longer, but during that process, we changed out everything in that bank, every application, pretty much everything infrastructure wise. We did some acquisitions ourselves [00:20:00] and everything, but then we got acquired by a larger regional bank.

[00:20:03] But anyway, that whole point set me up for security. When I was at that bank, I met a gentleman by the name of Terry Oring, who worked for a company at the time called S1. And S1 is an online banking software company and IVR phone response. Right? Hmm. And they had started a managed security

[00:20:21] service practice, an MSSP for banks. Interesting. But then the .com bust kind of hit. They sold that book of business off to what it is today, SecureWorks. And Terry decided, hey, I'm gonna form my own company. And he came to me and, and I actually helped him come up with his name. And from there, we became a client, and I was a client of his from that bank prior to being acquired.

[00:20:45] And then after acquisition, we were a client. And then I worked at that bank for a while, went over and worked over at USAA. So people that know of USAA, if you've been a member, or even seen the commercials. Of course, those crop commercials, I'm not gonna comment, they're terrible. But anyway. But from a USAA perspective, it's based in San Antonio, where I'm at, that is one of the most secure culture

[00:21:08] companies that you're ever gonna be a part of. Like, it's amazing. Interesting. But you walk in there, so everything, like even getting on campus, you gotta show your driver's license. There's a sticker getting in the door. I mean, you can't tailgate anybody the way the systems work there. I mean, it's incredibly secure, but it's incredibly open once you get in there, meaning like, it's a very positive.

[00:21:30] But from a security perspective, you know what you're supposed to do and you're not supposed to do. And so what was interesting about the bank is the bank was very audit focused, regulatory, just all the time. You know, by the time I was done at the bank, I think 70 to 80% of my time, I was reviewing reports and signing off on stuff instead of actually doing what I'd signed up to do, which was IT, right?

[00:21:51] But then when I got to USAA, I kind of saw the other side of it, how you can still get work done, and then, in a very secure culture. And [00:22:00] it was an amazing place. I'm not gonna underscore how amazing, and I learned a lot there. But then it was a good time to come over to Solis, and we were going through a period where banking was flat, the economy, and changes, shifts in the administration kind of

[00:22:15] put the end to people starting up banks and mergers and acquisitions, all that kind of fun stuff. And so then I went to work for Solis, and I told you the rest of how we got into IR. Yeah, so it's a cool ride. It wasn't one of these things where I decided one day I was gonna go get a book, a cert, and study it and switch careers.

[00:22:33] It's always kind of been part of what I did. And now it's more, cuz we don't do any type of IT work. We used to have an MSP, but when we were acquired by CFFC a few years ago we spun that off, and then they then got acquired and rolled up into a larger MSP. So yes, we don't do any of that work anymore.

[00:22:51] So it's just security all the time. So it. Excellent. Excellent. That's a phenomenal background. So in the banking industry, compliance obviously is key, right? Yes. And the federal regulations, et cetera. So how does, there's always a discussion around how does compliance relate to security, because they're not the same whatsoever.

[00:23:13] They're interrelated. But what's your take on that? Like how do you explain the difference? Yeah. So you can be secure, and when I, I always tell people, and I was speaking to a number of agricultural consultants earlier this week about this, I said, okay, one rule about security is, if you put something in place, you need to make sure you have evidence and an audit trail behind it to prove that you have it in place.

[00:23:39] Okay? So if you kind of think of it that way, from a secure, you're making sure the place is secure, your assets are secure, data secure, whatever, and then kind of the compliance part is the evidence that you have it in place. Now it gets a little bit. Depending on the industry you're in, from a compliance perspective,

[00:23:58] you may have to [00:24:00] articulate the way you do things in very specific terms. So if you're in healthcare, you're gonna want to make sure that your policies and the things that you're doing and the things that you're writing fall in line and use the verbiage and vernacular that are in regulations around healthcare.

[00:24:17] Same thing goes with banks. You're gonna use banking terminology and that stuff, and often you may get into companies that fall in different industries. So you may have to have one report that is the same data, but is presented two or three different ways to appease whatever you need from a compliance perspective.

[00:24:35] So that's the big deal. But the other thing, the thing about compliance, is that security may have its own compliance. At the same time, you may have other areas of the business that have compliance requirements that security is a part of, right? So you may have, right, HR. Yeah, HR or whatever that has a security component of it, right?

[00:24:57] So the bigger you get and the more complex your business gets, if you, you know, obviously if you have one focus that's easy, but when you start to have multiple focal areas, then you may need to kind of change up your policies and stuff, but the real rule is just be able to prove, do what you say you're gonna do, and be able to prove that you're doing it.

[00:25:18] And I mean, that's an incredibly important lesson. I learned that when I was at the bank. We got into, you know, just when you get to a certain size you start to have patent trolls come after you. And one of the things that really helped us was with policies, and when you would have the other parties' attorneys question you about policies, and you could show those policies, you could show a history of those policies being reviewed, and you could show the evidence that you were doing what you said you were doing with the policies.

[00:25:46] It was very hard for them. And believe me, they're gonna try to find out a crease, a crack, or whatever they can. Oh, sure. So that's the real rule, man. You can do all the right stuff in the world, but if you just don't have the paper trail behind it, when [00:26:00] it comes time to prove it, you're going to face a losing battle.

[00:26:03] Absolutely. So compliance is the proof that you are implementing security policies and systems and tools, right? And you may do a lot more than what compliance requires. So you rarely, because you can be, is it fair to say you can be compliant, but still not be securing your organization?

[00:26:24] Oh, exactly right. Yeah. If, yeah, that's exactly right. I mean, you can take, I'll give you an example. When NIST 853 came out for, and you know, that's the NIST for the people, the DoD contractors that handled controlled unclassified information. That was a compliance deal. There was, it was written from a security perspective.

[00:26:45] But if you, if you. I knew people that were in that space, and they could do things to check those boxes. And then from a security perspective, you go, eh, that's not really a matter, you know, but from a compliance perspective, they could check the boxes, right? Yeah. So it's rare that you could say, hey, I'm this compliant

[00:27:07] and I am secure with an industry regulation or something like that. I mean, so yeah. And then really, and of course you're seeing it over there with CMMC now, is you want to be audited because you want to be proven. You want to be able to pass an audit time and time again. Mm-hmm.

[00:27:27] And if you have a good auditor, they're usually gonna bring some benefits to the table and say, Hey, maybe you should do this, do that. You know, maybe next time you do this test, you should bring this other person in. That type of... Good. And so that's really where you're at when it comes to your compliance, is doing the right thing, being able to continue to improve that going forward and continue to be audited.

[00:27:50] Yep. So when you guys are doing IR, and that's incident response coming in right of boom, right? Meaning after the incident has happened, [00:28:00] what are you finding in terms of how long the criminal adversary, what a lot of people just deem and they call hackers, right? But not all hackers are criminal adversaries.

[00:28:12] Yeah. Yeah. And we kinda, how long are they inside? Yeah. Threat actors. How long are they usually inside a network undetected, before people start noticing or they're detecting and it's gonna vary, I'm sure, based on what it, it is gonna vary, but what systems they have in place. Mm-hmm. The, the groups that are going after the big dollars usually are in there longer amounts of time.

[00:28:40] Okay. So it could be two weeks, it could be a month, you know, you could see it going longer, and sometimes you even see indications of maybe a prior smaller attack. That was kind of what, whatever knowledge was gained there was then turned over and sold to whomever's doing the larger attack, right?

[00:28:59] Selling the access to precipitate another attack. A bigger attack. Yeah, like IABs, like initial access brokers. People that go in, they don't intend or know how or want or have interest in executing the attack. They just wanted to crack in and they have that, they'll go and sell that on the dark web. We have access to ABC corporations.

[00:29:18] That's exactly right. And for those out there, they actually have money back guarantees in a way. So if that access doesn't work right, then they then have to return whatever funds were transferred to them, you know by the person that bought them. So again, kind of back to this kind of marketplace and the objective, the.

[00:29:37] The, the, the, the, the, the thing about time though is we do see some groups that get in there very quickly, right? They get in on a weekend and they flip it pretty quickly, and we see those types of attacks are like, we've seen these attacks where they just go in and encrypt hard drives. They might use BitLocker.

[00:29:52] They, they, right. In the past there was a tool lead and they never developed their own tool. They would use some off the shelf disk encryption tool through [00:30:00] ransomware as a service. Right, right. Yeah. But they would just go in and encrypt your, encrypt your hard drives. You can't get into jack squat. They, you then have to buy whatever the BitLocker keys they set for you.

[00:30:10] Mm-hmm, those guys, that's all they're after. They're just after to lock you up, get paid and get out. But these other guys, the LockBits and, and, you know, Play and all these other ransomware groups that are out there today, there, there,

[00:30:27] the amount of data they're taking, right? So, used to be they might take, you know, you know, some a hundred, 200 megs, then it got to a couple of gigs. But you're starting to see in the, you know, a terabyte plus, I mean even cases after 10 plus terabytes of data. So that's gonna take some time. So they're going after because they're gonna not only just, yeah.

[00:30:46] So they're going after not only the intellectual property, but as much customer information, employee data, everything so that they could blackmail. The, the, that's exactly what it is. The, the more, and, and, and what's interesting about LockBit, and this, this was main news probably a month or two months ago maybe.

[00:31:06] And so, so when you're dealing with these threat actors, one of the things that you try to do is you say, okay, hey, they go, we took your data. You're like, prove it. Proof of life, right? And they would provide you samples of what they took or maybe a, a snapshot of a directory structure or something of that nature.

[00:31:20] but they came out and said, Hey, we're not gonna do that anymore. Because they ran the statistics, you know, they probably had their numbers guy in the back. Mm-hmm, and they were crunching numbers and they found out that the people who ask for the file listings and the proof are the ones that are least likely to pay.

[00:31:36] So they've taken the stance that we're no longer gonna get proof of life. So you, so now you're not, used to be a big, big deal for people to say, well, you know, I'm in this situation. What data did they get? Oh, that's meaningless data. Or Oh my God, that's embarrassing data or whatever. 'Cause a lot of people miss out on, hey, it's not just about credit card numbers and social security numbers.

[00:31:54] It's about data that can potentially embarrass you, embarrass you as a company, maybe as an individual. It [00:32:00] could create strife between customers or vendors or whatever you have contracts with. So there's, you know, there's a lot of leverage that these guys use. And so having that proof of life helped make those decisions.

[00:32:12] But without it, now people are like, they have to kind of do their best to guess. Because you know, back to the earlier, like, what do you see how well people are prepared, right? We rarely get into an organization that's been hacked where they have like good logging in place. Because if you have good logging in place, we can, you're able to spot anomalies, right?

[00:32:33] Yeah. You're able to see weird stuff. People moving around the network that are unauthorized. Exactly. We can say, oh man, somebody was in your network last Friday and they were in there for the last week and they were doing this stuff and this is exactly what server they were on. So we know, well, most of the time that doesn't exist, so we have to use, we have to go with a more of a more difficult and arduous journey through forensics, and that takes time.

[00:32:55] There's no magic button. There's, you know, there's not something you just cut and paste and Google and gives you an answer. It just doesn't work that way. So, that's the point is, is it takes some time. So if you're in these situations you're not going to get a quick answer anymore. Especially depending on what group that's hacked you.

[00:33:11] You're not gonna get a quick answer of what they took, and then you just have to do it. And so my point to people is one thing that people seem to still not focus on enough is data security. People just keep too much. Yep. And then, and then in ad hoc locations, right? Yeah. They store it in a bunch of different places all over the place and all, we don't know all the vulnerabilities, their shadow IT, where people are bringing in devices, connecting 'em to the network that the IT team doesn't even know about.

[00:33:42] Yeah. And it's, yeah, they, or they, you know, somebody exports a list. I mean, this one comes up a lot. We're like, oh, you know, our HR system, it's hosted. We use, you know, service or whatever. But then you just ask a simple question, well, what about 401K stuff? And they're and you're like, do you guys [00:34:00] have like a, a spreadsheet that has everybody's information for 401k enrollment purposes?

[00:34:04] Oh yeah, we do have that. Boom. Done. And then a lot of times you're, and then they're like, well, we only have 35 employees. Well, how many employees have you had over the last 10 years where that data's in there? Oh, that's, that's hundreds. And that's in the small company. You get into other situations and they find out they might have a spreadsheet there.

[00:34:20] Thousands of records, tens of thousands of records in one spreadsheet. And so back to your point, was, either it's, you know, we can argue shadow IT, or we can argue just capabilities in these platforms. You've made it real easy for people to export data and to crunch data, and pull it into Excel and do all that kind of stuff.

[00:34:39] Well, there's no management around that data. That data's gonna come to bite you if those guys get a hold of it. Yeah. And what are you finding in smaller organizations? Are you finding is there an issue that you see after the fact, after you guys get involved on how they were offboarding former employees?

[00:34:57] Because when, when we are engaging with clients, especially in the SMB space, we find that there are, there are hundreds of clients or of former employees, we find that there are hundreds of former employees whose access still hasn't been turned off even after they've been terminated or left voluntarily.

[00:35:18] Are you guys seeing that too? Yeah. You definitely see that's one of the first things when you get in there and if you just do like a quick, just glance at Active Directory as an example. Mm-hmm, I mean, just the nu, usually the number of accounts that haven't logged in in the last 90 days is greater. Yeah.

[00:35:35] Than the number of accounts that have logged in. Right? And, and that's just employee stuff. And then you have just a bunch of other like system or service accounts that have been there forever and, and, and no one knows why that is. Right. I mean, we've, you know, and, and it's no different whether you're just an ordinary Joe business or a technology business.

[00:35:53] I mean, we've seen it with technology providers too, where there's accounts set up and they know it was set up for some particular reason [00:36:00] five plus years ago, they just never did anything about it. They just left it alone. You know, maybe somebody glanced across it. That kind of comes back to that compliance piece, right?

[00:36:09] If you have pieces in place that you have normal reviews and you ensure that those reviews are done, you should be able to catch those things and deal with them. But no, I mean, it's interesting though, you those, number of those stale accounts, we don't see those stale accounts, and I don't want to say they're not a risk, they're a huge risk, don't get me wrong.

[00:36:25] But we, but obviously the bad guys get a, an account of an active person through phishing or whatever, and they grab those credentials. Then once they get in, then they take advantage of maybe some of those other credentials that are in there that have admin access. And the same thing goes with, you know, platforms like Microsoft Office or Office 365, Microsoft 365, whatever you wanna call it.

[00:36:47] Small organizations have the tendency to give everybody, or a majority of people, global admin access. It's, it's incredible. And for whatever reason, oh yeah, we wanna make sure they can reset a password or do whatever, and oh my gosh, that's, that's brutal because all it takes is one mailbox to get popped and then the whole tenant is popped and so yeah, it's, it's, yeah.

[00:37:07] Small business and account control, whether it's, well, they're all interrelated. Yeah. And they're all interrelated, aren't they? Because we see, you know, poor security awareness training happen across the board, and then users have terrible password policies. So when they become a former employee, right, being able to compromise and they're in a couple other data breaches because of some app that they logged into or whatever, and they used the same password right then.

[00:37:35] Those former employees, those, those passwords, those usernames, et cetera, could be used to get right into your organization. Yeah. And then, and then once they have that, I mean, it's, it's just too easy for them to move around the network. I mean, that's the other thing we see is, and I mean, look, small companies, you can get too small where this doesn't make any sense, but there's a point where, you know, the access is one thing, just cleaning [00:38:00] up your data, getting rid of old data that you don't need.

[00:38:02] But the other part of it, you need to look at your network and understand if there's areas where you can segment things off, right? Yep. I mean, it's amazing how many networks, even larger ones, I mean in the thousands where it's just one big giant, what we call a flat network. So once an attacker gets in there, it's easy for you.

[00:38:20] They're able to go everywhere, they just run a, a discovery tool that everybody, you know, it's just an open source download type discovery tool. They're not using anything fancy. They look around the network, they see, they see exactly a server that's called File Server or files or FS or whatever. They know that's where they're gonna focus and, and it makes it easy when you segment things, it makes that much, when you segment things correctly, it, it makes things a lot more difficult for them to do discovery and look around and poke around and that type of stuff.

[00:38:48] I mean, virtualization's a great... We see where people have what, you know, the hypervisors, which is kind of the, the command or the management for all of your servers, that just sits on the same network as everything else. So the attackers find that, they get into those, they lock all the people that need access out of those hypervisors.

[00:39:09] So you can't even get into that. To shut down a server, restart a server, whatever you need to do. And so, yeah, it's just people, you know, I think when phone systems came out, people segmented for phone systems, they just left it alone and 20 years later, no one's in the small side of things. Enterprise, they're taking it to the micro segmentation degree.

[00:39:29] Right. But, so yes, and segmentation is incredibly important. Today's world, if people would just do that, it would make it a lot more difficult for these bad guys. Yeah, absolutely. And so, outside of ransomware, are you seeing that when the attack doesn't involve ransomware, that threat actors are inside a network for longer or, or for less?

[00:39:52] So if you take one, I'm just curious if you see any difference. Well, n not so there are some, there are some groups [00:40:00] that just go in and take data. So I would say it's pretty, and just sell. Sell or whatever, right? Yeah. They just sell it. So they might be in there a little bit shorter of a time 'cause they're not worrying about the encryption part of the deal, but it's negligible.

[00:40:09] It's not that big of a difference, you know? I would say the majority of the stuff, ransomware and email compromise cases, and obviously email compromise cases, those guys are just lean and mean. They get in there and they make their connection and they pull down email and they're off to the races, so they're usually not in there that long.

[00:40:26] But, but we also see a number of website breaches where they, you know, either take over a website or they access a website to get into the backend. We've seen it where they're accessing a website and they pull everything down to then go create a fictitious form of that website to try to redirect people there.

[00:40:45] Yeah. And so it's on those particular situations, it's, it's, it's a little bit more difficult to ascertain what we call that dwell time, which is the time that they were in there for. Mm-hmm. But, but answer have done the best about being in the longest, especially when focused on data exfiltration and trying to stay under the radar.

[00:41:06] And so, there, the more you know that data, you can kind of slowly leak out and see no one's gonna be on their computer. Go, man, the Internet's slow right now. He goes, oh my gosh, somebody's actually trading data. Those guys are, are much better trained that, and so that's why they're in there for longer periods of time.

[00:41:22] So they can sit under the radar, do what they need to do, and then when they're done, flip the switch and you're dead in the... That's great. Hey, as we wrap up, Chris, and I really appreciate this talk, give us some insight on the cybersecurity insurance industry right now. Is it, you know, we've, we've spoken to people that have said that unlike several years ago, it has really hardened, it has gotten very difficult for small and mid-sized businesses to even obtain cybersecurity insurance.

[00:41:50] What, what are you... Yeah, I, I would say that, you know, there was a period of time depending on a particular industry you're in. It really, you know, [00:42:00] size wasn't as important. I mean, size is important, but you, that's a certain, and I'm not an insurance underwriter or anything of that, but I know enough of it to kind of speak to it to a certain extent.

[00:42:09] You know, a lot of it was really kind of came down to the industry that you're in, you know, the size, right? So if you're a certain, you know, because there was sometimes where you might be bigger than they wanna write. Right? Yeah. Your revenue size might be to a certain degree where you're too big to write, you're too small to write, so you fit in the sweet spot in the middle.

[00:42:29] Yeah. And, and the, the insurance side for, for, you know, before all this stuff really started popping, I mean, they were selling policies and things were going good, claims were there, but the premiums were being paid, you know, that it's a, it's a business, right? And everybody was happy. When you start seeing these larger scale attacks and the damages, and then you also have seen laws kick in that require even more legal work and notifications.

[00:42:54] And there's a lot of expense with notifying people that have been compromised. Yep. Yeah. You started to see the insurance carriers say, Hey, we're going to, we're going to dig deeper now, and we're gonna look at things a little bit more closely. And we are going to not just be so lax when we're writing policies and then, hey, we're gonna have certain requirements.

[00:43:14] And, you know, I've seen 'em all over the board. I mean, I've seen carriers out there that have four or five pages worth of questions that you have to answer. Some of those questions, I'm like, I don't even understand why that, what that question means, but you put it on there. Okay. Whatever. You probably found some security guy in the corner that had nothing better.

[00:43:29] Yeah. Wanted to throw a bunch of acronyms at, yeah, something that's even applied to somebody that's got 10 employees. But anyway, and then you have other, other carriers that don't have as many questions, that, but are still trying to ascertain. But I think the other key is, is that hey, you could still get it, right?

[00:43:47] I, I think what I've heard is cyber insurance, yes, the pricing has gone up, but other forms of insurance have gone up as well. Right. And it's still overall an affordable thing to get. And so you just, [00:44:00] if you're not getting anywhere with a particular broker you may talk to another broker to see if they have an another carrier out there that's willing to write you.

[00:44:08] There's different ways of doing it, but usually when I hear somebody that can't get policy, it's just cuz they're like either in some kind of super high critical industry right? Or they just don't have the things in place that they need to have in place. So they just, you know, multifactor authentication on 365 and admin accounts, they just Right.

[00:44:30] Aren't willing to do that. Right. They don't get written. I don't blame the carrier for saying no. So, given your experience at Solis, and, and we'll have for the listeners, we will have the link to Solis Security in, in, in the show notes. And where you can reach out, we'll, we'll have your LinkedIn profile as well, Chris, so that people can reach out to you, connect with you because Sure.

[00:44:49] The insight you've got is just phenomenal. What, what advice, what are the, some of the five, three, whatever things based on your engagement. After the fact, after a massive data breach occurs for a small mid-size business, what are the things you're finding that they should have done? Like what would be your top recommendations for best practices?

[00:45:14] Yeah, the number one would be just what we talked about with passwords and multi-factor authentication. I mean, that's not the silver bullet, but that is so, so important. And, and it's a baseline, right? And it's, it's such a baseline and, and Microsoft has come up with different ways to implement MFA from a policy perspective.

[00:45:32] So I would say if you're gonna do, you need to do MFA, but you, when you do it, look into it some more. And if you have a technology provider involved, then let them give you some guidance around that. Right? Say, Hey, this is better. Like, you know, for example, with Microsoft, you can do multifactor that just pops up on your screen, says approve or decline.

[00:45:51] Right? Well, the problem is, is it's real easy for somebody to say approve and then they go off and do whatever they do at nine o'clock at night on a Saturday, [00:46:00] hit approve. I didn't think anything about it. Next thing you know, you come in Monday morning, your account was compromised 'cause you weren't paying attention.

[00:46:05] So there are things to that. So I'd say that's, that's number one. Number two is remote access is incredibly important. And so when I'm talking about remote access, I'm talking about for employees. I'm talking third parties and that type of thing. We've seen, you know, a number of situations where a business has a piece of software and that vendor supports that.

[00:46:22] That software's installed on the server there. Yeah. It's the vendor security, right? They're just not, yeah, they're not paying attention to it, or they just have a bunch of tools that just have sat around forever. Mm-hmm, when we get into cases, one of the things we get in there we're like, Hey, we see this.

[00:46:36] Do you know what this is for? No. So we have to figure out was it installed there for a legitimate purpose and deleted, or it should have been deleted, or did the bad guys get in there and install that because that's what they do. They just install that normal remote access that everybody else does. Yeah, and so that's another big thing to be on top side.

[00:46:51] That would be number two on the, the remote access. Number three is really, you need to be very active about being on top of your data, where it goes, where it sits, why it's there, why it needs to be there. A lot of people go, well, we need that for research purposes. Well, it doesn't need to be there for everybody to access all the time.

[00:47:09] Exactly. Who needs access to it, right? Yeah. Stored away somewhere. Archiving, get it, get it away. You know, if you have to have it, but really you should be convincing yourself to delete it. And that's, that's really... Absolutely. I'd say fourth. I, I would say fourth would be just, you know, we talked about that.

[00:47:25] Remote access. I'd say just more around vendor management, right? Mm-hmm. Even if you have, you know, there's great, great IT providers out there, but you should just, not you, you should question them. You should find out what they're doing. You should find out if all the things that they're telling you to do from a security perspective,

[00:47:41] they're doing themselves. Well, I've seen some of the largest breaches and when you look at the Target breach, they weren't breached directly. They were breached through their HVAC vendor. That's exactly right. And they were doing a lot of things great. But they were, was, they didn't, they didn't have any evidence.

[00:47:55] So they got, actually got hammered even worse because they couldn't prove it. Back to [00:48:00] that earlier point. Get back to that, gets back to the compliance piece, right? Exactly, exactly right. Showing the evidence, documenting that you have those things. All right. And the fifth one would be incident response readiness is what we're calling this now.

[00:48:14] And so it's a very important term. Mm-hmm. versus just incident, like operational resilience. Right, exactly. Like it's, it's the practice annually of if this happens, who knows what, who says what to whom? Who is on first, who's on second? What do we do next? Right. You're right. And don't just think of it as a technical exercise.

[00:48:33] If you just have IT doing it, you're missing the boat. It needs, no, it's gotta involve HR, right? Am, am I right? It's gotta involve HR. It's gotta involve legal, it's gotta involve anybody handling social media, PR. Like who's gonna communicate, who's gonna be, if you have a board, you know? Right. We see a lot of time where stake.

[00:48:51] Yeah, especially with nonprofits, the way things are written, they can't get approval to do jack squat unless they have a board meeting. And so those are the things you have to take into account. 'Cause you get in an incident response situation. You gotta make decisions quickly, but you're like, oh man, we legally cannot make that decision.

[00:49:06] We have to have an emergency board meeting and we gotta call board members and they gotta have 72 hours' notice, all that stuff. That's the kind of stuff you need to feed in and, and take into account when you're doing your incident response. So yes, plan, incident response, operational resiliency, great term there, as well as just being able to test it and not only just test it annually, that's good, but if you have some material changes in your environment, you

[00:49:30] acquire somebody. You change out some infrastructure, you move to the cloud. That should trigger you to revise your incident response plan and test it again. So you may find yourself testing it multiple times a year just because of the rate of change in your, your organization requires it. Absolutely. So I'm gonna, as my last question to you, I, I want to ask you this 'cause I think there should be a number six, I'm just gonna throw it in there.

[00:49:55] How many, here's my question for you. How many of the organizations, when you get brought in [00:50:00] after a massive breach and you guys get engaged at Solis Security, how many of those do you find had adequate security awareness integrated into their culture ahead of time? What percentage, just roughly? Well, so I think the term adequate is there, we see a lot of people, they have some, they have their, their employees go through some form of training, but I don't think it's.

[00:50:26] It's enough, if that makes sense. It's not focused on what they should do. It's very generalized. So that, I mean, there's some great general security awareness training, but that should be more of just kind of a reinforcement in my opinion. You really need to look at having something that's specific to your policies, specific to your industry, and specific to your culture.

[00:50:44] And ongoing, right? Like so many organizations, especially in the small midsize space, well, when we onboard, they have a video that they watch and they sign this form. Okay. I would say a lot of them don't. 40 years ago, they've been here for three years. What are you and oh, they get an email on Tech Tuesday on how to spot a phish.

[00:51:01] I'm like, how do we know if they read it? How do we know that they have absorbed it, understood it, and then modified their behavior? We don't, right? So sending that email, while it's important, it's not, we don't know that it's, again, the compliance versus security, right? We don't have the evidence that it, it actually sunk in.

[00:51:22] So having it ongoing, test phishing them, testing them, like it gets it, it's the security awareness aspect of operational resilience, you should integrate. Do you agree? I, I, I completely agree and I also agree when you interview people, you should probably ask 'em some cybersecurity stuff in there to see, you know,

[00:51:38] know who you're getting. Good point. You hire on, right? Yeah. It's fair. Great point. Yeah. You know, you're right. I think you're assuming that a lot of people do training when they onboard employees. First of all, you gotta assume that small companies actually have some kind of onboarding process and they're just like, Hey, go sit with Nancy over there and see what she does.

[00:51:54] Right. But even if they do, I don't think they're doing the cybersecurity awareness training during an [00:52:00] onboarding thing. So, yeah, but you're right, for those that do that, they never see it again. Or they see the same thing year after year, that's not going to be appealing. They're not gonna register, not gonna be that.

[00:52:09] When I, when I do training, I try to relate personal stuff as well. So I say absolutely it applies to you in the business world, but it's also gonna help you in your personal life as well when you're on, when you're online. And I think that, absolutely. And, and when we do it, we always focus on what's new and what's relatable to that specific organization.

[00:52:30] Right? And we do it in a bunch of different ways. We do it interactively, we show video, and then we speak with them, engaged, because people learn different ways. We kind of look at it like it's professional development, right? Well, as such, these employees are students and students learn in different ways.

[00:52:49] Some are audit, auditory, some are visual. Some need to write stuff down. So we do it all those ways and we do it regularly. Right? So that it becomes kinda part, part of the... Yeah, you gotta, interactive is a big deal. I think Covid kind of destroyed a lot of that, but you gotta give it the ability for people to ask questions and absolutely say, well, I saw this or I heard this, or I read this.

[00:53:12] That's right. That's important in an educational situation as well. That's phenomenal. Hey Chris Loehr. Thank you so much man. Great discussion. So everybody, Chris is gonna be at Right of Boom over in Texas in the coming weeks and we'll have a link to that and then we'll have a link to Solis Security.

[00:53:30] Check them out. These guys are the best around, so we're really excited. Thank you so much, man. Really appreciate it. Hey, appreciate it. It was awesome. Good contact. It won't be the last time we talked. Yeah, we're just getting started, so all right. Thanks everybody. Bye. Cybercrime Junkies. Thanks for listening and watching.

[00:53:50] Got a question you want us to address on an episode? Reach out to us at cybercrimejunkies.com. If you enjoy our content, then please consider subscribing to our YouTube channel [00:54:00] at Cybercrime Junkies. Connect with us on all social media like LinkedIn, Facebook, and Instagram, and check out our website. It's cybercrimejunkies.com.

[00:54:10] That's cybercrimejunkies.com, and thanks for being a cybercrime.