SE Labs

Special Edition
Computer security testing comment and analysis from SE Labs

DE:CODED – What Does a Breach Look Like?

“I always work on the assumption that you’ve been compromised”


🥇 Winner of the Best Up & Coming Podcast 2021 award 🥇


Show notes for series 1, episode 7

What does a computer security breach look like? We talk about the things journalists don’t cover. And we examine some areas that people in the industry don’t like to talk about.

In this episode we’re going to look at what a computer breach, or hack, actually looks like. We take the view from both the attacker and defender’s positions, so you can get a full picture.

We welcome special guest St. John Harold, a cyber security veteran with 20 years' experience. He has operated in the British armed forces, governmental organisations and commercial companies.

What Does a Breach Look Like?

How do attackers behave? Are ‘advanced’ attacks really advanced? Can you tell who is attacking you?

Simon and St. John discuss real-life security problems and solutions from the point of view of attackers and defenders. Both have vast experience in keeping networks safe, and in attacking them. Consequently their discussion is a valuable resource for any CISO.

This 100% vendor-agnostic discussion provides a unique perspective and so gives a fantastic insight into what you need to know to secure your business.

Please subscribe and join the discussions.


Topics

  • Introduction
  • Hollywood breaches vs. reality
  • Attacker view of breaches
  • Evolution of attack techniques
  • Phishing, social engineering and email security
  • (Ab)using credentials
  • AI and machine learning in breach detection
  • Hacker training grounds
  • Alert fatigue
  • Governance
  • The role of CERTs
  • Are attacks really ‘advanced’?
  • Subcontracting hackers and attribution
  • How to choose products and services
  • Security can make things *more* convenient
  • Assume they have compromised from
  • Personal privacy

Resources

Transcript

(Generated automatically)

Simon Edwards 0:01
Welcome to DE:CODED Series One, Episode Seven – your weekly podcast providing in-depth insight into cybersecurity. Show notes, including any links mentioned in the show, are available at DecodedCyber.com.

Simon Edwards 0:18
I’m Simon Edwards, CEO and founder of SE Labs, the leading security testing lab. I’ve been advising on security for over 20 years. In this episode, we’re going to look at what a computer breach or ‘hack’ actually looks like, from both the attacker and defender’s points of view. The IT security world is rocked by news of breach after breach, including the shocking disclosure of the SolarWinds attack, data stolen, deleted or corrupted and, well, you know, it’s a total mess.

Simon Edwards 0:52
Journalists focus on basic outcomes, while technical blogs look at esoteric technical details. We’re going to look at what a breach looks like from an attacker’s point of view, and from the position of the defenders. We’ll be talking about things that journalists never cover, and examine some areas that even people in the industry don’t like to talk about.

Simon Edwards 1:13
But you won’t have to dust off your hex editor – it’s not going to be super technical. If you are a CISO, a CTO, or even someone who cares about their personal security, we have you covered.

Simon Edwards 1:25
Well, let’s start with how popular media portrays a hack. Thanks to Hollywood, in the public imagination an attacker will work to break into a system tirelessly or casually. But either way, the end result will be a successful hack. This will likely look like some green text on a black background saying “Access granted”, or similar. Flashing green text is optional.

Simon Edwards 1:51
At that stage, the game is up and New York’s traffic lights, bank vaults and half the oil tankers in the world will be under the evil genius’ control. Where’s Bruce Willis when you need him? Now, if the defenders are lucky, a firewall will detect the attempt. A flashing red light will then announce a breach or intrusion. And remediating this usually requires some rapid typing on one or more keyboards, or pulling some plugs. Sparks are optional.

Simon Edwards 2:20
This is not what a breach looks like in the real world. Before we explore what a breach looks like to a defender, let’s briefly look from the attacker’s side. The first stages of a breach are likely to be an unauthorized login using credentials like usernames and passwords, or a more technical attack using exploits that provide the attacker with a level of access.

Simon Edwards 2:45
Attackers like to use known stolen credentials because doing so is much less likely to trigger alerts from intrusion detection measures. After the very initial stages of the breach, an attacker will then interact with a compromised target either manually or using automated tools. This interaction may include installing malware, or running commands built into the compromised system, such as PowerShell.

Simon Edwards 3:12
That’s known as living off the land, or using the system as a hop-off point to log into other systems. Running malware creates a higher risk of detection. But there are many ways to evade detection. Credentials are generally valuable. So unless the attacker is being very focused and already has access to what they need, it is likely they will harvest usernames and passwords from one or more systems on the network as they work their way through. This activity will often involve running tools to either extract the passwords directly, or gather enough information to allow offline cracking.

Simon Edwards 3:50
At this stage, the attacker can take steps to ensure they retain access to the network, steal files immediately, install software that continues to steal information, damage data, and even misconfigure systems on the network such as production machinery, or even other security systems like firewalls. They might also hide malware on systems ready to use later. You can actually hide malware on printers; printers are just another kind of computer. So how does all this look to a defender, who doesn’t exactly know what attackers are doing every minute of the day? It’s tough.

Simon Edwards 4:24
To get a rounded perspective on what a successful attack looks like from the defense side, we spoke to St John Harold, a veteran of cyber security. So Singe, you’ve worked in the Forces, you’ve worked with the government and you’ve worked with commercial organisations, so you must have seen attacks or types of attacks that cover pretty much the full range.

St John Harold 4:47
I have seen the attacks. Certainly watching them grow in sophistication. And as I’m watching them, move up the stack as well. What I mean by the stack is, starting 20 years ago, we were starting with the network layer, where networks were not as secure as they are today. And then watching the move up the stack towards the application layer, and now you’re seeing a lot of attacks which are occurring because of poor software development or incorrect implementations of software development and configurations.

Simon Edwards 5:28
That’s interesting. And not to drift too much off topic, but the IETF, you know, the people who come up with the protocols that run the internet, we work with them a bit. And there is an assumption from their side that the endpoint is handled, and that the endpoints are secure, and they don’t need to worry about that.

St John Harold 5:48
And from their perspective, that’s a fair assumption. And that’s where a role like myself as a risk management professional comes in: it is my responsibility on behalf of an organization to make sure that those endpoints are secured, and implementing the IETF requirements as appropriate.

Simon Edwards 6:12
So you’ve seen from the old days, you’ve seen people hammering away at firewalls, for example. And now you’re seeing things moving towards attacking applications running on servers? Is that fair to say?

St John Harold 6:24
Yes. Yeah. And, of course, with the age of cloud, and hybrid and SaaS style implementations, of course, we have to now take into account that shared responsibility as to who is responsible for maintaining the security of those different layers. I’m sure we’ll come on to that later.

Simon Edwards 6:45
Well, maybe, yes. So we know what a breach looks like. You just have to watch Die Hard 4 or whatever, or The Matrix, you know, to see how computers are attacked. But in real life, what does a breach actually look like?

St John Harold 6:59
I suppose I would say the most common breaches at the moment are still at the email phishing sort of level. So that’s where people are sending suspicious or malicious emails to the end user. And the end user will see that email as perhaps coming from someone they would expect it to come from, and don’t pay too much attention.

Simon Edwards 7:25
So social engineering is still very key.

St John Harold 7:28
In my experience it’s probably about 80% of all the problems that occur at the moment.

Simon Edwards 7:37
So those phishing emails are coming in; they are the attackers attempting to gain some sort of foothold in an organization.

St John Harold 7:44
They’re trying to take on a persona that is a legitimate persona within the organization.

Simon Edwards 7:51
So we test email security gateways, for example. And they’re not terribly good generally at stopping that kind of thing. So how do you combat the issue?

St John Harold 7:59
There are probably a multitude of ways, or a multitude of tools, that exist to try and provide controls that will mitigate the phishing attacks or the social engineering attacks. And they will range from technical controls, which would be, you know, the email gateways that you’re mentioning, right through to user training and situational awareness training, and trying to get the end user to be a little bit more suspicious of emails that come in, and look for some hints or telltale signs that might suggest that this email is not as legitimate as it appears.

St John Harold 8:46
So that could be a spelling mistake, or it could be the URL part of the email address (that’s probably not the correct term), the domain part of the URL: is it coming from the location you’d expect it to come from? Or is it coming from something else? So there are certain key things to look for, which you can then educate the end user to start to look for, and hopefully that will start to reduce the impact of these social engineering attacks.

Simon Edwards 9:16
Okay, so moving further down the chain of attack, you’ve got people sending phishing emails in order to start attempting to breach an organization. Let’s say that they succeed. Let’s say that a user doesn’t realize and clicks on the thing. At that stage, is it detectable by the organization?

St John Harold 9:32
Sometimes, depending on how you’ve configured your security tools. So what we have seen is someone clicks on an email, enters in credentials mistakenly, and the systems then start to detect that a multitude of emails are being sent from that account, potentially more social engineering email attacks, but as the second stage of that attack. And if the tools are correctly configured to start to look for a particular threshold of emails being produced or issued, or emails being sent out like that, the gateway can actually block them from going externally. And if you’ve got it configured correctly internally, you can also have it stopping them internally. So that’s one potential way of trying to stop those attacks. But it is hard.

Simon Edwards 10:25
It’s interesting that you mentioned credentials, because, you know, according to many of the usual threat reports that we all consume on an annual basis, stolen credentials make up a large part of an attacker’s method of getting in and moving through systems. So from a SOC point of view, how can you detect when attackers are using stolen credentials versus legitimate users just doing their work?

St John Harold 10:52
That’s very hard.

Simon Edwards 10:54
Which is probably why the bad guys are doing it.

St John Harold 10:56
Yes, and of course, it’s very hard to detect when a legitimate account is being used maliciously. And that’s where sort of the modern technologies using artificial intelligence with behavioral analysis can start to play a role. And it’s not just artificial intelligence, it’s also just looking for anomalous activity, where you’re seeing a user who’s logging on from a normal location, and five minutes later you see that same account being used from a very different location, maybe from a different country. And that will potentially indicate that something might not be right. And so the likes of the big organizations which are providing these mail services will be looking for that type of access, and will alert you if a particular threshold is crossed.

Simon Edwards 12:03
You’ve obviously got experience in AI, and it just occurs to me, and it’s bothered me for a while now, that when people use machine learning or AI to try and solve problems, is it always the case that we’re looking at… Say we’re looking at credentials being used, or behavior of users. Is it being used to filter out the majority of the problems? Or is it good enough to spot every single bad thing without any false positives?

St John Harold 12:26
There are two types of machine learning technology that I’ve used, which are around sort of the classification approach, or around the anomaly detection approach. So the classification approach is all around trying to identify if a particular event fits within the buckets of known or very similar patterns, which may or may not indicate malicious behavior or normal behavior. By trying to identify how they fit within that category, using what is known as supervised machine learning, you’re able to have a very good guess of whether it is a malicious event or not. The problem there is that you’re constrained in your ability to detect all types of attacks by your training data. And that training data can provide a bias in one direction depending on where you’ve collected that data from. Or it can be very limited in its sort of reach, or coverage, of the types of attacks that you’re looking for. And it’s quite intensive trying to get a good set of training data in order to provide the coverage that you would need. So a good, sophisticated attacker will always be trying to find the range that that classification system is working within, and then try to push the boundaries and go outside of that classification system. Whereas with the sort of anomalous analysis, that’s where you’re trying to look for patterns which are not normal. But if a system has already been infected, and malicious traffic is in there, and then you come in afterwards and try and set up some behavioral analysis, that malicious traffic will be deemed normal. Yeah, if you’ve got a fully compromised network, then normal is bad, but it’s normal. And so you’re now struggling to try and detect it using that type of technology. They are very good. But they have a place, and they cannot be used in isolation of all the other existing security requirements in a security hygiene, that defense in depth approach. But they are a good tool to start to help.

Simon Edwards 15:03
I was talking to one of your colleagues from a four-letter agency that we’re both very familiar with. And he was a pen tester. And he was called into an engagement where the company, or the organization, that was compromised was riddled; it was fully compromised and always had been, pretty much, as far as they could tell. And whenever they cleaned it out, it became compromised again. And their theory was that the opponents were using it as a training ground for their attackers, rather than there being any assets that they wanted to steal or damage.

St John Harold 15:37
Yeah, what better way than to find a probably low-profile organization that would not think that they would be high on the threat map, on a sort of threat…

Simon Edwards 15:53
…target, or possibly one that they knew would never be able to say anything about the breaches. Well, that…

St John Harold 15:58
…is that as well. I mean, there’s just so many scenarios that you can think of either way. No, it’s a cat and mouse.

Simon Edwards 16:09
Yes, it’s a Cold War running on the computer systems, again. So there are different ways, obviously, of detecting breaches, and I’m sure every AI-based service available has got a dashboard that they’d say would help you. But you can get a lot of alerts currently.

St John Harold 16:28
You can be swamped by alerts. And over the sort of the last 5-10 years, that has been a common issue with SOCs, security operations centers, where they have just been inundated with events that need to be investigated. And a lot of those events are false positives; they’re legitimate traffic. And that’s when sort of that machine learning can help you in weeding out those false positives, because it learns what a false positive is. But that doesn’t mean that a false negative hasn’t slipped through, and you don’t detect a malicious attack when it isn’t malicious. Again, that’s a scenario that very few people openly talk about.

Simon Edwards 17:22
Yes. And also, some products really don’t help the situation. Because let’s say you have a ransomware infection on a computer on the network; you’ll often get multiple alerts on the same thing. So that wall of alerts that you’re facing, maybe quite a few of those will be false positives, but sometimes there’ll be duplicates as well.

St John Harold 17:44
And if an analyst is looking at each one manually, they may not even notice that there is a correlation there. And just see one alert that’s a false positive, and see something that looks like it, and just tick them all off as false positives, when actually there’s a correlation going on. And it might be because there’s something else going on in the background.

Simon Edwards 18:06
Yeah, you can select all and delete, but then you’ve lost maybe some significant information, just because it looks like all the others. Given, let’s define a breach as a successful attack where something bad has happened, like, you know, information has been stolen or something’s been damaged. In your experience, when does that get noticed, and how?

Simon Edwards 18:28
Sometimes it gets noticed straight away. Sometimes it could be weeks or months later, reading about it on The Register?

St John Harold 18:35
I’ve used that as a training example. I have seen that in practice as well.

Simon Edwards 18:43
What should an organization do when they see that they’ve been breached in the press?

St John Harold 18:47
I will probably take a step further back from the fact that the breach has occurred. And I’d start with the governance. And the governance is a very, very important part of making sure you know how to deal with a situation when it occurs. So a good governance structure, such as ISO 27035 or the NIST standards, provides a framework on which an organization should consider implementing a structure to deal with potential and actual incidents. The first part is having your first responders, which could be services, or it could be the security analyst on a security tool or the SOC; there’s a whole host of different first responders which need to sort of be made aware that when they’re dealing with technical events, they need to have in the back of their mind that this may actually be more than the event. It could be a malicious breach, and so you need to train them. Then you need to have the ability to be able to put people together in an incident response team. That incident response team should have the skill set to look at the events that have been raised by the first responder to determine if it is actually a breach. And if it is a breach, then they need to have an established escalation path, and an ability to classify the level of that breach, you know, and by classifying the level of breach they then know what the escalation approach will be, whether it’s to top management or senior management, or whether they can actually resolve it there and then.

Simon Edwards 20:38
Let’s say you’ve been breached, and you realize that you’re part of a bigger problem. So I’m thinking of SolarWinds, specifically, but I’m sure it happens in other cases. Do you as an organization just deal with it solely as a unit? Or do you have to think about others as well?

St John Harold 20:54
The first thing is, you need to understand what the breach is. You need to work out what data have I lost? Or what compromise has occurred? Or what is the impact of this breach, and who has been affected? And when you start to pull those pieces together, and you have access to perhaps a wider community out there where you can, informally or collectively, under Chatham House Rules, be able to talk about what you’re seeing, you might be able to pick up that other people are detecting that as well. Actually, that’s where a CERT comes in. So if you can become part of a CERT, or if your organization is big enough to have its own CERT, then that will be the focal point for being able to correlate all the different breaches that are going on. Can you explain what a CERT is? It’s a computer emergency response team. CERT is a lousy question. A CERT is basically a computer emergency response team, which can either be dedicated to one organization, or be dedicated to an industry or sector. And they could also be part of what they call a CSIRT, which is a computer security incident response team. And that is where the security side, the security analysts and the security managers, can start to formalize the framework around how incidents are to be dealt with. And that’s where you can start to see if there are sort of correlations between other organizations that could have been infected or affected by the same attack.

Simon Edwards 22:43
How big an organization would you need to be to have one of those, do you think?

St John Harold 22:47
You’d need to be an organization that either sees that the risks that it could experience necessitate having a CERT, or you’re a global organization, or you could actually set up a CERT, as I said, for a sector or an industry, and then those sort of like-minded organizations can then join together. And so the UK Government will have its own CERT, the US will have its own CERT. In fact, it’s a mandated requirement for all EU countries to have a CERT, so the UK has a National Cyber Security Centre. And that is where they provide that sort of overarching security organization for incident response for government bodies.

Simon Edwards 23:45
We were talking earlier about how you’ve seen the attacks moving kind of up the stack, if you like. So starting at the network level and moving through. And there is an assumption that endpoints are sorted out, they’re fine, they’re locked down, which, you know, I don’t think is true. But if that is true, does that mean that antivirus is dead? That we don’t have to worry about that kind of thing?

St John Harold 24:08
No, because an attacker will always try to use the path of least resistance to get to their end goal, depending on what their motivation is to do with that. And if they discover that an endpoint can be compromised through a very basic malware attack, because the AV solution isn’t installed or turned on, then why are they going to try and do something sophisticated when they can do something very simple?

Simon Edwards 24:43
I think that’s a really interesting point as well, that when you respond to a breach, what we see generally in public responses is a claim that the attacker was sophisticated or advanced, but that’s not always the case, is it?

St John Harold 24:57
I would say that to do a really sophisticated attack is very intensive; it has to be very well planned, has to be executed with such efficiency and control that the effort and the opportunity costs of delivering it can be very unrewarding unless the target is exceptionally high profile. And I would suggest the majority of attacks are quite easily detectable, if you have a full defense in depth approach to delivering security.

Simon Edwards 25:41
And the volume of attacks, you know, you’ve mentioned phishing earlier, you know, people can recruit other people and just send a deluge of phishing attacks to all sorts of places.

St John Harold 25:51
Yeah, yeah. And it’s that one-to-many: get a foothold with one, they can then send that to their list. And essentially, that’s a trusted email that’s coming out. Because it is a legitimate email, in as much as it’s coming from a legitimate user. But the problem is, it has a malicious payload that the user didn’t know it was sending. So when you’re on that second stage of attacking, you’re going out to a wider audience, and it appears to come from a trusted user. And to be fair, it does look like it’s coming from a trusted user, because it is actually. You’re likely to become more susceptible to fall…

Simon Edwards 26:34
Intent is a really hard thing to prove. I mean, in the physical world, if I come around to your house, you’ve got a problem with your electrics, I bring a screwdriver with me; my intent is to use this sharp piece of metal to fix the problem. But if I’m a bad guy, and I then see an opportunity to use that tool to hurt somebody, it suddenly turns into a weapon. And similarly, you can set up websites and internet accounts with the intention of doing one thing, say to play a joke on you, for example, and then it causes damage. It’s really hard for people and for technology to distinguish the difference in intent when the binary bits are all the same.

St John Harold 27:15
Yeah, absolutely. So it’s intent. And it’s sort of accountability, identifying who was behind the attack as well. Quite often, they’ll be using deniable techniques to look like someone else. And therefore, because you don’t know the origin, you don’t know the motivation. And therefore you can’t assess the attempt.

Simon Edwards 27:47
This has come up a bit in the technical discussions online recently, where there have been some breaches, and people have been attributing them to certain nation states, and others are pointing out that there’s nothing to stop a nation state, let’s say the Russians, employing a penetration testing organization, a shady one, albeit in another country, and getting them to do the work. And then all those flags, the working hours, the code and the malware and all the rest of it, don’t mean anything.

St John Harold 28:20
I forget the name of the company, but there was an Indian security company that had a pentesting team that was doing exactly that. It was both white and black, in terms of hats.

Simon Edwards 28:32
So they were a legit, in some respects, pentesting company, but they were doing dodgy engagements. The cowboys behind it as well. This is BellTroX we’re talking about.

St John Harold 28:44
And that goes back to the intent. So on one hand, you think you’ve hired someone who is trying to do the right thing and provide a service to help you, when in fact they’re using that service that was trying to help you to find backhaul so that they can then attack you later.

Simon Edwards 29:06
I suppose there’s even a potential that some of the employees wouldn’t know that they were doing bad work. It’s just hacking, isn’t it?

St John Harold 29:13
Yeah, absolutely. It’s just trying to find a weakness. And if you find that weakness, you report on it. But if you’ve got such an organization where there’s a hierarchy and you find the attack and then report that up, it’s enough to write it up; you don’t know if they’re gonna fully write it up or use it for malicious purposes.

Simon Edwards 29:39
There are many ways that attackers can gain access to a target network. But that initial access to a system is the beginning of an attacker’s journey, and is just one of many opportunities for defenders to detect and repel the breach. In fact, a breach is a successful attack that achieves an attacker’s goals, usually data theft or destruction. Gaining access, if only impotently, might not count, even though it’s not ideal. Endpoint detection and response products vary in their design, but their general purpose is to track incoming threats and to allow defense teams to fix issues as and when they occur. The act of looking through logs and other data to find successful attacks is called threat hunting. This gives one view on what a breach looks like. Ideally, this would be an easy task, with only the most important details and clear calls to action being available to busy IT staff. The truth is far from this, and security companies are racing to produce good ways to triage cyber attacks. Threat hunters may start their work with an EDR dashboard, but usually have to use additional detective work to get enough information together to execute an effective mitigation. For now, threat hunters generally have access to a dashboard that gives an overview of incidents on the network. The dashboard will often list each suspicious activity individually. And sometimes one attack can generate multiple detections of the same or similar actions. For example, installing ransomware should be one line in a list of detections. But in reality, it can be detected multiple times; this can be a right pain. EDR products can differ in a number of ways: they might be more or less capable of detecting threats, they might present that information in more or less useful ways, and they might provide varying levels of useful actions, possibly including the ability to freeze affected systems, placing them into a sort of virtual quarantine.

A good EDR solution makes detecting and remediating a breach easy; a poor one will not provide enough information, or could even be misleading. There’s also the issue of alert fatigue, where multiple alerts represent a single attack. Administrators of the dashboard struggle to collate all of the alerts for one attack, while trying to ensure they don’t miss anything else important that can hide in plain sight in the general noise generated by the detection tools. Sometimes what looks like an alert is just a record of valid system behavior. And sometimes an EDR dashboard will get things completely wrong. So how do you choose from the multitude of products and services available? We’ve already seen in the previous episode how buying a good security product can be nearly as hard as keeping the bad guys out. I’d quite like to finish by asking a question along the lines of, you know, what can people do to be better prepared, but I think you’ve already said quite a lot of that. But without being specific, what kinds of products and/or services do you think established large organizations might consider, or even very new startup ones without the budget, really?

St John Harold 33:09
What I would say is you need to understand your risks first, before you start to go out there and buy the tools to mitigate those risks. If you're just buying the tools because everyone's bought them, you may not actually have that risk, and it could be a redundant tool. I will always say understand what your risks are. And for larger organisations, it's been shown that as you become more high profile, so you become a higher target. And therefore you have to have a stronger layered defence in depth approach to security. And it's not just about tools, but it's about culture. It's about putting in place a security, and let's not forget the privacy aspects as well, a security and privacy organisation which has assessed where the risks lie and then put appropriate controls in place. And one of those controls could just be security awareness training.

Simon Edwards 34:09
Does it always involve a drop in convenience?

St John Harold 34:14
No, sometimes it can actually improve convenience. Now, obviously things like implementing MFA does feel like it's an inconvenience. But that's possibly due to the fact that over the years we've been used to just using a username and password. And that password has been very similar across all the accounts you've been using. Multi factor

Simon Edwards 34:43
authentication has become a lot easier to use in the last few years, isn’t it?

St John Harold 34:47
Yeah, yeah. And actually, some MFAs which use biometrics are very easy to use.

Simon Edwards 34:55
Although I find it harder to unlock my phone now I have to wear a face mask when I'm trying to buy something. Yes, there are apps now as well. And I remember, in the old days, you would have to have the app produce a code, and then you'd have to type it in within 10 or 15 seconds or whatever. But now the phones can just pop up and say, do you want to allow this, yes or no?

St John Harold 35:21
Yeah, this. And so actually, it's now becoming a lot easier to log in. Sometimes when I'm trying to log into a website, I find it easier now to do it from my phone than I do from the laptop, just because it's all integrated into my thumbprint.

Simon Edwards 35:42
I mean, even I'm thinking about Office 365, the multi factor authentication system there. It may be better now, but five years ago, it was really hard just to find the settings. Yeah.

St John Harold 35:55
But they really improved in leaps and bounds in their security offering over that period of time, as a native product. If you're using the native security tools, it's gonna be okay for the majority of people.

Simon Edwards 36:16
Given, you know, I'm thinking about Microsoft was involved in some respects with the SolarWinds business. And you've got this sense that there's an awful lot of compromising going on, and the services that we all rely on, they make us feel secure, because they have MFA and all the rest of it. But do you think there's any sense in assuming some level of compromise with everything that we do online these days? Yeah, you have to work on the assumption that you're about to be compromised, or you are compromised. And

St John Harold 36:52
you then have to start to think how you design architectures with that in mind. So that starts to sort of move towards the encryption of data throughout its lifecycle, of how it's being used. So encryption at rest, encryption in transit and encryption when being accessed via sort of third parties.

Simon Edwards 37:19
I went into an organisation once and asked a question. I said, do you think you're compromised or haven't been compromised? What do you think? And there were three individuals there. One was the IT manager, he was ex Royal Navy, and therefore, let's just say he's very confident. And he said, no, we're not compromised, and we never have been. And his subordinate said, well, I don't think we have been, but I can't be sure. And the chief financial officer, sounds like a joke, doesn't it? The CFO said, so dumb, I don't know, when does it matter? I think we're a media company. So if someone's stolen some advertising that they're producing, who cares? It's not life or death; in that respect, it's financial impact. Yes. And that's why I was shocked at the time, but actually, you know, listening to you talking about assessing the risks, he's probably thinking quite sensibly.

St John Harold 38:18
Yeah. Which also means he's not going to put much money towards protecting the organisation. Yes, yeah, I would work on the assumption that you'd be compromised. Now, let's put tools in place to assume that compromise. And now let's try and find out where they are. But you've got to take into account that actually, sometimes it's okay that it's compromised, because the information that you have is publicly available. And it's publicly available, but you're just processing it. And if integrity isn't the issue, then does it really matter?

Simon Edwards 38:59
Well, let's think about personal privacy. So you know, BA gets breached, and all our email addresses and phone numbers end up everywhere. Well, during lockdown, I was trying to get a bit fitter. And I used one of these fitness apps, I think it was called Strava. And I looked into it using my email address, and it said, oh, you've got at least two friends on Strava. Do you want to kind of connect with them and monitor each other's performance? And what that meant was these two "friends" had joined Strava and clicked the button to upload their contacts to the service and share all of my personal data and yours and everybody else's with the company. And it made me cross, but it also made me think, well, should we now consider our email addresses and personal mobile numbers as private, or do we just assume that everybody's got it and worry about how to handle that later?

St John Harold 39:53
I think it's the ability to correlate all that information in a way that starts to reveal more information about you than you really wanted them to be able to. The previous is a lot longer that brings us around. I just don't want that organisation to know that. Or I don't want the users who are part of that organisation to know that I'm here. Yeah.

Simon Edwards 40:22
Yeah. So I mean, in this case, it’s health and fitness. But it might be something more sensitive. Martin said,

St John Harold 40:29
Well, even with the health, you know, you could share all sorts of information which you wouldn't want people to know: weight, blood pressure, temperature for the day. There's so many things that you can collect about you, and when pulled all together, can reveal more than the sort of the individual elements.

Simon Edwards 40:58
Yeah. And maybe even just from a personal security point of view. You know, when we think about resetting internet accounts, which obviously might include banks and things as well, it's the mobile number and the email address that tend to be quite critical to that process.

St John Harold 41:14
Yeah, especially if you're getting the multifactor text alerts, or numbers in order to beat in, and the phone jacking, SIM jacking, SIM swapping of that phone number, and then they've got access to your bank again.

Simon Edwards 41:31
The journalist Brian Krebs recently covered this. There's another way of doing it now that doesn't even require you to take someone's SIM. So you can use certain Voice over IP services. And if I want to get your text messages, apparently I can, and all that you'll notice is you don't get text messages for 20 minutes, 30 minutes, and then service resumes for you. But meanwhile, I've been collecting them myself. Yeah. So I think my message to any friends and colleagues listening is please don't share your address books without getting the consent of everybody in your address book. I agree with that.

St John Harold 42:10
But it comes down to, again, educational lens.

Simon Edwards 42:20
And the companies know what they're doing. They make it easy, don't they? They don't say, give us all your friends' data. They say, how do you want to connect up with all your friends? And of course you do. And so that's when you press the button.

St John Harold 42:31
Absolutely. The psychology of it is all about being connected, being together.

Simon Edwards 42:37
Yeah. Which is what makes us humans a successful kind of creature on this planet.

St John Harold 42:44
Yeah, absolutely. And yes, the bad guys can use that to their advantage. We might have a podcast about that earlier in the series.

Simon Edwards 42:57
Please subscribe. And if you enjoyed this episode, please send a link to just one of your close colleagues. If you want to join the DE:CODED community, and access private content, including our monthly executive briefings, apply at DecodedCyber.com/circle. And that’s it. Thank you for listening. And we hope to see you again soon.
