
hello everyone and welcome to my session cyber defense in the modern age it was six but now you get a bonus low-cost tip to secure your organization so now it's seven low-cost tips uh i just want to thank the organizers of b-sides for having me here again this is my second year at b-sides columbus fantastic group always always love to support the b-sides uh conferences whenever i can wherever i can so and i want to thank you for for showing up to my session here um having said that let's get moving here we got a bit to cover today uh and always happy to have anyone reach out to me if you want afterwards i will have a
thank you slide at the end with my contact info uh this is my twitter handle down here at eric crone so a little bit about me let's start with that because i love to talk about myself right who doesn't uh anyways i've been in i.t and security since gosh mid 1990s now um so a long time i got all this gray stuff here i i kind of earned that um i've worked in uh geez uh manufacturing yeah i was manufacturing i was in uh medical i've been in the dod i was the security manager for the second regional cyber center western hemisphere for the us army that was a as a contractor i was with them for gosh about a decade
so long time with them saw some very interesting things back there uh i was also the director of member relations and services at isc squared so if you have a cissp and you have had one for about five or so years you may have received an email from me um and like i said i've been in gosh just so many different areas uh and and one of the things that's uh that's kind of got me over the years is um the fact that a lot of the fundamentals are not being done these days right i've seen this over and over throughout the years and it seems as we get more advanced in technology we tend to forget
the fundamentals even more and that's what i see happening a lot so a lot of these things that i'm going to talk about here these tips and tricks these are low-cost tips you can use existing hardware in most cases or software these aren't things that are going to require you to go out and buy a bunch of technology the thing that people don't think about with technology is many times not only do you have the expense of buying it but now you have to manage it and i mean that from a time standpoint it gets very costly in man hours or or you know human hours to be able to do this so what i'm looking at here though is um
is the low tech stuff in many ways but the stuff that is absolutely fundamental to have a good foundation within your organization and stuff that i just see overlooked that is the the reason that a lot of these attacks are as successful as they are whenever i see them so that's what we're going to share that's my background i work for know before we do a security awareness training and simulated phishing platform that's basically what we focus on we do have a compliance manager which is helpful if you're dealing with that but for the most part we deal with the human problem so i will talk about the human problem i think most people can agree that humans are a
problem uh in our organizations they're the targets etc etc now i say that but i also want to caveat it with it's not their fault they just happen to be the targets that are getting hit all the time right so that's kind of what we'll focus on with that not a problem moving on thanks okay so let's talk about the top of attack vectors this is the kind of stuff that we're up against these days i'm going to talk about psychology behind the attacks i'm going to talk about what we can do to be better prepared so moving into that top attack vectors well we're in 2020 folks um and it's kind of just feeling like this all around right
but breaches anymore we're kind of getting to where we just go ah yeah that stinks right um it used to be a big deal oh my gosh somebody got breached information's out there uh anymore it's you know it's just what's happening and i just love this meme i just do uh but you know we've gotten to the point that we're almost calloused to all of the breaches that are going on out there it's just it's unfortunate and and a side effect of that is the loss of credentials uh and we'll talk a little bit about some of that as we move into this but the fact that people are losing credentials like crazy in these breaches and then they're being
used against them is is pretty pretty bad frankly um so top attack vectors well number one attack vector is fishing um we've seen it now i remember man the first uh the first fishing attacks i remember seeing uh was way way way back early in the career um it was like the the i love you and melissa viruses were coming in through fishing um and i remember i got hit um i don't remember exactly which one it is anymore this is my old brain not working right but i do remember i worked for a manufacturing organization we were a big aerospace manufacturing thing and i was the it manager and i was out in the hallway with a
couple of people we were having one of those hallway executive meetings right we all had those flip open uh two-way pagers at the time we called them barbie laptops and there were i think four of us standing there and all four of our phones or all four of our pagers went off at the same time and that's always a little bit spooky if you've ever had that happen and you know i pulled it up looked at it saw that it was a message i want to say it was i love you but either way i was like oh snap and i beeline straight to the server room unplugged our exchange server and sure enough um somebody had fired that off
and it was uh just queuing up like crazy what took me about 20 i think about 26 hours to repair that me and my assistant uh were working diligently to uh to fix all of that stuff uh and what ended up happening um you know i thought this was like a big deal i was like oh my gosh it can't get any worse than this now looking back at that i'm like these days that's a minor inconvenience compared to what's going on out there absolutely a minor inconvenience but at the time it felt really really bad but this was back in this had to have been about 97 1997 98 i don't remember exactly when but it was
way back when and it just continues to go on why does it keep working it works because it's incredibly effective people are making money off this stuff hand and fist i mean if you look at this this is ceo fraud or business email compromise uh 26 billion in damages we see this all the time just the sheer volume of money that's going out the door based on um phishing and like business email compromise attacks and things like that is staggering right and they're getting creative uh some of them have the same mechanics and how they work but they're getting creative right um they're going after payroll redirection they're doing down payments on homes they're doing stuff like that so the
money is absolutely just you know flowing now the other top attack vector that i see is remote access portals so this is like rdp uh to the internet now here we are uh you know we're amidst pandemic time here um all this stuff going on with the covet 19 thing and we saw a big jump in what was happening with rdp you could look at showdown and see that the the numbers jumped in rdp well it makes sense i mean people all of a sudden had to work from home and so what did they do they fired up rdp uh published a port and you know sent to people home and i'm not saying you know i'm not beating up on
the people that did that because we got to keep the doors open on the business but what we did is we accumulated a lot of technical debt in that and what i mean is a lot of these were put up set out there and not configured well or properly because there just wasn't enough time to do it well now we either have to go back and fix that right because there's this stuff that we we kind of just got it working now we got to go back and fix it or we're running some pretty significant risks of getting hit now i'll tell you this if you put it out there and and you know you change the port to 33.88
or 3390 uh they're wise to you that's not really hiding rdp but what we're seeing here is we're seeing a lot of credential stuffing attacks especially on this so brute force type attacks now i don't hate rdp but what i do hate is when we're not securing it well so they're taking things from other breaches they're turning around with those password you know username password pairs and they're trying them all on all these rdp ones out there um assuming that they can you know try to get in if they if they have something related to you right so they're trying your other passwords on on your type of uh stuff and this is common this is called uh credential
stuffing we see it a lot the other thing that they'll do is they'll do password spraying which is essentially taking your username and then you know that top 100 list that we see every year or top 10 web you know password list they'll use those passwords and try to brute force it problem is that they've gotten really really good at getting in like this and so they get into rdp and then they just start cruising around for a while they look for vulnerabilities they look for how your stuff is laid out they look for high value targets because at that point they just kind of look like a user coming in there so that's some of the the top attack
vectors you know just in general on that now one of the things that they're doing with both of these we've all heard of it is ransomware and ransomware's just getting kind of stupid too so uh cost of ransomware breaches uh average cost this was sophos in a kaspersky on here i think average cost was 133 000 and this was a little bit older but it's still pretty interesting average cost of ransomware attack now 75 percent of companies had up to date endpoint protection so your antivirus didn't save you uh 34 were out for a week or more and that's pretty significant that's that's brutal on an organization to be out of work for a week or more especially those
that may just be kind of bouncing back from having to close down for covid or having to deal with you know the the losses that have happened in some industries due to that now it's not stopping there though um the average ransom number is going up quite a bit so 2018 to 2019 average ransom ran rose from 6 000 to 84 000 and a tax rose 40 so that was 2018 to 2019. that's a pretty significant jump in a year uh and then cove where um they did a study first quarter of 2020 and said the ransom was up to 11 605. that's a lot of money for a ransom and we keep seeing these uh these values go
up more and more on that now sofos did come out and say also uh the total cost of an average ransomware attack more than doubles if the victim pays the ransom why does that happen well because not only are you um having to go through and do the cleanup anyways but now you're also paying these absorbent ransoms on top of it so it doesn't necessarily always save money to pay the ransom and get back and running but unfortunately organizations are finding that sometimes they have to do that so just keep that in mind it still gets even more expensive if you pay the ransom most of the time you're not really saving money so how do they do this what's the
psychology behind these attacks um i'm a big fan of social engineering and that's where a lot of this stuff goes on we saw on the twitter you know in the twitter thing they they immediately went to hey you know we believe this was some sophisticated social engineering they were targeted by a social engineering attack um with the big twitter fiasco um it's just out there it's what works it's what happens you know far too often so let's talk about why this works well first of all attackers use psychology in the attacks it's more advanced than we sometimes give them credit for the thing is these attacks these social engineering attacks are essentially attacks on emotions or our human vulnerabilities
right our biases the things that we naturally and normally do um and the attackers these days so many of them these are actually you know these aren't you know kids in the basement drinking mountain dew these are organized groups and they actually treat things like marketing campaigns where they have what's called a b campaigns where they're looking for you know who clicks on what most often and they have finely tuned their processes and procedures it's really quite amazing so the psychology behind this is a lot a lot more further along than we oftentimes give them credit for so i'm gonna show you an example here a little bit fun uh example here of you know how our brain works
and and how it can be tricked a little bit so we're gonna do something you may have never seen before and that is a magic trick via powerpoint so let's start with it i want you to pick a card here pick any card i'm going to make your card disappear so make sure you have your card picked and here we go through the magic of a powerpoint transition right how cool is that i'll bet your card is gone right now so i guarantee your card is gone right now so how did we do that how do we do that in powerpoint um you know on a remote sort of session here well the way we did
it is this we started with this grouping of cards and we ended with this group of cards now look at those real quick and what do you see about these well if you spotted it they are two completely different sets of cards but they're set up in such a way that the patterns replicate so you don't notice that they're different cards because you're not looking at specifics right you're looking at the overall the other thing that we did is um you know not only is the pattern there but i got you to focus on your card that we're gonna make disappear that's a focus redirection thing so you're so tuned in on remembering that it was the
queen of hearts or the you know jack of diamonds or whatever that you're not paying attention to the ones around them and then boom you basically yank the tablecloth out from under the the you know the whole dishes there on the table it's it's one of the ways that our minds can be tricked through getting us to focus on one thing and then the pattern part is where it can get tricky now our brains are absolutely amazing things um we got to understand that when it comes to these attacks it's all about deception and the root of deception comes back to our brain again fantastic things i love our brains they do amazing things if you want to see
some pretty cool stuff check out this series uh brain games i want to say it's on hulu or one of those now but it's amazing the kind of stuff that that we don't even realize that our brain is doing but one of the things it does is our brain's job is to filter interpret and present reality so what does that mean well the things we smell the things we hear the things we taste the things we see these are all reality to us but they've actually gone through some filters right your brain does this and what's amazing about this is you can actually fool those filters sometimes or they get fooled and this is what attackers want
to do they want to kind of tweak those filters and that then kind of adjusts your reality now it sounds weird it really does uh there's a couple of interesting things um that i've seen that that people can possibly relate to like for example who remembers this what color is the dress right two people sitting in the same monitor same room same lighting conditions see two different colors there was the shoes also um also the audio the yanny or laurel that was another thing that happened the both of the sounds were in that audio file but you could only hear one and there are some physical things that take place in there you know characteristics
the thing is once you've seen one of them it is extremely hard to see the other okay or here in the case of the audio file because your brain has now locked onto that and it filters out the rest of what it considers the noise so even though both sounds are in the and laurel one you can't necessarily hear them here's another example if you're old like me you may remember some of these posters they're called audio stereograms i believe and it was basically a 3d poster had a bunch of weird shapes and if you stand there and you cross your eyes and you focus weird like a whale will jump out of this weird 3d picture thing right
now i was never very good at those i'll admit it but what's interesting about it is once you've seen that whale when you come back and look at it again it takes you far less time to see it again because your brain has already filtered it it understands where it is and it will actually pull it out of that much much faster than the first time you ever do it that's your brain filtering out that background stuff and making it happen faster you know for us so let's get into this what can we do to be prepared well a number of things frankly um you know we we wear so many hats as it is and i i
understand that um but there are again some of these core fundamental things that i really want to touch on here so these are the six no seven low-cost things to do to prepare well we're gonna go through these one at a time but you know these are them train your users backups segment uh principle lease privilege uh rdp we talked about that keeping up with patches and control outbound traffic that is your bonus seventh one right now and we'll talk about why so the first part training your users um again people are our problem in many many cases right it's unfortunate again it's not necessarily their fault they're getting targeted so much uh it is really hard for them so it's up
to us as security professionals to make sure that they're set up in a way that they can defend themselves against these attacks again i don't blame the users when something like this goes wrong i really don't because they're so good at this anymore this is not you know these are generally not your nigerian print scams these are some pretty complex sorts of things that are well thought out of and are well thought out and very very well refined that end up hitting these people so training your users again this is my number one suggestion what we want to do is we want to do a couple of things first of all when it comes to fishing we want to teach them
to spot and report phishing attacks i see a lot of people not do that that separate piece there's a lot of free tools out there we got one called the fish alert button you don't it's free don't have to be a customer or anything but have some sort of a reporting mechanism in there where they can do that we want to teach people about password reuse get password vaults going right get people involved in that um and keep them up to date on what they should be looking for now password reuse is obviously a huge huge deal and we'll talk about some of the different things here i'll get into it on the next slide but
we've got to do something to help them and give them the tools so they're not using the same passwords and then training's got to be interactive relevant and ongoing nobody wants to sit there and just stare at a powerpoint for an hour and and have it not make any sense to them right um we we kind of messed that up sometimes where we just oh but but i trained you well yeah but it was horrible and uh unfortunately it wasn't relevant to those people and one of the things i like to think about on this is like i'm a highly technical person that's that's where i live that's where i live and breathe is in highly technical stuff
when i try to train people from hr or marketing or one of those non-technical things i have to be very very careful that i'm not jumping down rabbit holes that are super interesting to me but go right over their heads it's a trait that we unfortunately have sometimes in this technology side and again this isn't i'm not beating up on anybody this is a human nature thing right we're used to speaking certain things we have certain interests that vary a lot from other people right what i found in my past is getting other groups involved in the training when you're a highly technical person like this have somebody from hr or have somebody from marketing actually look at the training
and give you feedback before you roll it out to everybody they're trained in and working every day in the world of changing human behavior so get some of their feedback make it interactive relevant and ongoing can't be once a year either so let's talk a little bit about the the password things here right so a couple couple big things that happen here is credential stuffing and password spring and i find that people sometimes don't understand the difference between the two which is why i wanted to bring it up here now credential theft is is bad obviously we see these breaches happen um so let's say your your knitting forum that you're on gets breached and they
end up pulling all the passwords uh you know the credentials out of that well credential stuffing is where they're going to take those usernames and password pairs and they're going to try them on everything from banking accounts to amazon to whatever to see where you've reused that credential pair and unfortunately they're often very successful in doing it so they'll use existing password and and username pairs credential pairs to do that that's credential stuffing now password spraying as i mentioned earlier is now they take that username that you may have there or that email address that you may have on your knitting form and they're going to pair it with that top 20 top 100 whatever they end up
wanting to do most used passwords you know the one two three four five six exclamation point types of stuff um and that is password spraying so they have a known or they think a known good username and now they're gonna be hammering it with those most commonly used passwords that's the key differences to this okay now passwords have always always always been a problem and they're going to continue to be a problem it's just kind of what happens we are not at a point yet in my opinion where biometrics is something that we should be using for authentication especially not real authentication um i believe the password or or biometrics are good for identification but not authentication i'll tell you how
this works the difference is i believe your thumbprint should be used to replace your username but not your password that makes sense to you the reason is what happens if your thumb work thumb print is breached you know if somebody gets a hold of this scan um you got a problem now you can't reset your thumb you can't reset your retina that's part of a problem there and it honestly it just fails too much and there's it's just not at the point yet where we want to do that for overall stuff but it is important to understand that we have to teach people how to do better with the passwords because they are here for now
we don't have something to replace them yet we've been trying to for years but we're not there yet so the flip side of this is when it comes to passwords we as security professionals are part of the problem right we tell these people to make these super long passwords we tell them to make them ultra complex they've got to be something that you absolutely don't reuse anywhere else and by the way don't write it down well how can we possibly expect them to to do that right we we really can't we need to give them the tools that they can use to do that and some of that there's some tricks to this right so password tips
um mnemonics here this is where they use a memorable phrase right i've actually honestly never been real good at this um but you see the example there score four and seven years ago our fathers you know those are some of the ways that you can do that um but uh it's it's this has never been one i'm great at it's just not the way my particular brain works but it does work for a lot of people so let's show them how to do that if it helps them past phrases are a whole lot better for me now you can make long complex ones you know the squirrel is wearing purple shoes that's something that i can remember
i love using password or past phrases as opposed to past words again the idea here is wherever possible randomize it so it's not like i really like pepperoni pizza right that's going to be one of the ones that's going to be easy to spot sort of thing um but last but not least one of my favorite things is password vaults so they're cheap i use lastpass we've used one pass i'm not a big fan of one over the other sort of thing there's keepass out there if you want to do it locally i love password vaults most of the times are inexpensive or free i think i paid two bucks a month for uh lastpass because i use a ub key with
it and so that's like the super premium version or whatever but for the most part they're free and i use one with my wife um she has her own one of my daughters has her own and we can share passwords like accounts um i don't always have the banking accounts but now she can do that and she can just share the password with me so i always have access to it it's great and honestly this is the only way we can really expect users to do really unique and complex passwords they will automatically generate a password for you and they're easy easy easy to save now i will say this if you're using a password vault all your keys to the
kingdom are in there they are very well encrypted you know lastpass had an incident but nobody could get anything it never turned into anything because they were all encrypted like the people at lastpass can't even see your stuff so that's good but you have to understand you have to remember use multi-factor authentication make sure that you have mfa in there as a uh um a way to protect this okay uh you don't wanna use just a regular password on this either make it long make it secure it's just remembering one now now that's a beauty if i you know under threat of death i probably would not be able to tell people what two-thirds of my
passwords are only because i've never seen them so password vaults huge huge huge thing as far as i'm concerned so the next one weapons grade backups well what does that mean well with ransomware big issue has been that backups get encrypted and the bad guys know to look for this right they get into a system and they look for your backups they look for shadow volume copies they look for whatever they can so what they're doing is they encrypt these things and then bam you're out of luck right so we have to have passwords that are off the network um so i highly recommend that three two one method three copies of the data two
different types of media one stored off site now something i've seen recently in some ransomware attacks uh there was an msp that got hit and they went through the msp and then attacked all of the msp customers and i want to say 70 percent of the customers ended up with their backups encrypted because it was done through the msp side and they had access to it the 30 percent that didn't the 30 percent that they didn't have to pay a ransom for were actually ones that uh they had backups off-site they were not connected so keep that in mind um the other thing to remember is when you do your backups test how long it takes to actually
restore the data a lot of times what i see is people go oh well i can restore a workstation in 20 minutes so if we get hit i can restore the 500 workstations in you know whatever 500 times 20 is i'm not doing the math but it doesn't work that way especially when you're talking about something from the cloud because your pipe in is only so big so far too often i see that happen where they end up doing that and you know they find out the hard way that it doesn't work my personal experience um i used to use a back before dropbox and all those i used to use a service to uh save data i think it was asus web
store or something like that and i would do backups offline and just for grins i decided to test it now my backups happen pretty quickly but when i went to restore i actually found that i couldn't restore most anything that i had because it would time out while building a zip file to download and or during the download and i'm talking about over the course of days it would fail on doing a simple restore so i've seen this happen i felt this happen personally now luckily i was testing but make sure you test so you understand these sorts of things now the next one is segmenting the network tell you a quick story i took a new job at a place uh here in
florida after isc squared um and i came on board and we started looking around now i i i was about 90 days after the new um uh it manager like head of i.t guy right i think he was a director or something anyways uh he looked around and went oh crap and then brought me in and i started there and we looked around oh crap the entire network is completely flat in other words the receptionist could actually get to a login screen on production sql boxes we fixed that it wasn't easy but far too often what i find is that organizations have this problem and they don't even think about it this is especially prevalent in areas where an
organization has grown from something smaller to something larger and so they just keep oh okay well we'll add we'll add we'll add will add and they never go back to actually think about network segmentation um i'll tell you this if your marketing computers can get to your you know sql server or production box you've got a problem right there's no reason for that and we need to do a better job of stopping it if you all remember when wannacry hit the nhs the national health system over in britain the reason it was so nasty is it just spread across that completely flat network so fast they just couldn't get ahead of it right had it been segmented better
the damage that was done would have been far far less now you can use vlans or different subnets and routing most of this stuff we already have you know if you have anything reasonable as far as a managed switch goes you already have vlan capabilities you know routing is easy these days it's not something that's incredibly expensive or hard to do it's probably built into what you got the key is we've got to look at what machines can communicate with each other and what they should be communicating on right so that's another thing that happened wannacry was smb right so if they don't need to have you know smb traffic or ftp traffic between each other don't let that happen
Let's start blocking that stuff for real and only allow certain things to happen across there. It's a matter of sitting down and actually doing the network. Now, I'll tell you, there's going to be a side thing that happens with this, and that is, if you sit down and you look at this and you do an inventory of your network, which frankly a lot of places don't have, you're going to find stuff on your network that you had no idea was there. I've been there, I've done that; I'm sure there's a couple people out there that are nodding too. You're going to find stuff you had no idea was on your network, and it's important to find that stuff. So that's a side thing. It does take a lot of effort, and frankly, eventually you're probably gonna break something along the way, so be careful with it, but it is very, very important to do this, and it allows you places where you can look at this traffic. Now you can see when things are added to your network that you don't know about. There's a lot of positives and pluses to segmenting the network. Again, it takes a bit of effort, but man, this will go a long ways towards helping secure your organization and containing not only malware but attackers if they do get in. Let's say, again, let's pick on the poor receptionist. Let's say the poor receptionist ends up clicking a link and dropping some sort of a remote access trojan on there. Well, now the attackers get in, they're on that machine. Well, they can't get anywhere, right? They can't get anywhere good. That's the difference between that, or they're able to get to something that actually has value.

So the next one is principle of least privilege. Yeah, and I know these are all kind of painful, I get it. We look at this and we groan, "Really? Oh, man." But we understand the importance of this; we just sometimes choose not to remember it, okay? But here's the deal about principle of least privilege: not everyone should be an admin. We're in 2020 now; there is no reason for everybody to be an admin on their machine. There really isn't. The less access the users have, the less it can spread. So I see this again in ransomware, let's talk about that. Your poor receptionist clicks on something, launches ransomware. Well, if they have access to, say, a shared drive, right? Who here has an S drive or something that has all of the company's shared info on it? If that receptionist can write to the accounting drive, they are going to be able to encrypt that with the ransomware that launched as that user. So this is why it's so important to limit those permissions: if they only need read, then make it read.

Now, I thought this was interesting: 74 percent of IT decision makers surveyed whose organizations have been breached said it involved privileged access credential abuse. Let's not let that happen, right? We want to protect those privileged accounts with multi-factor authentication. If you do have, you know, high-end accounts, use a YubiKey or something. I've done that in the past, where I used smart cards in a domain admin situation, so the domain admin slash enterprise admin, schema admin, those sorts of accounts that had those privileges I would actually protect with a smart card. The day-to-day stuff, you know, not as big a deal,
but for those high-end ones, yeah, that's definitely a problem. And again, one of the ways that I've handled this in the past, it was not fun, and again, you'll notice I said this is seven low-cost things to do to prepare, not fun things to do, okay? Let's be honest here. But I rolled out role-based authentication, right, so role-based access control. It was not fun to do, but essentially what we ended up doing was we ended up going in and figuring out who had what roles, what permissions did they need in these roles, and then we compared that to the permissions that they currently had. And what I found is, in a lot of cases, people, especially those that have been with the organization a lot, had moved up through the organization, and what happens is they get moved to different teams or they get promoted or whatever, and they end up retaining the permissions they had, but they don't need it anymore. You know, they're part of a nested group that's a nested group, and Lord have mercy. But this happens far too often. So when we did the RBAC look, we found a lot of people that had permissions they didn't need, and we were able to clean that up. Now, you have to have good ways to deal with exceptions, because that's going to happen, but it's really, really important to be able to do that.

Now, the next one I've touched on: remove RDP internet-facing. Just bad. And again, I'm not beating up on RDP; it's the fact that it gets rolled out very quickly, or without a lot of those prevention things in there, such as monitoring for brute force, especially over time. My recommendation, whenever possible: VPN first. VPN first, and then do an RDP sort of thing. I use, like here at the house, I use a Raspberry Pi for RDP, using, what is it, PiVPN I think it is. You know, a $30 thing, and I'm getting 50 or 60 megs per second out of that thing, so it works very well. It's very inexpensive.
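The role-based access review described a moment ago (work out what each role needs, then compare it with what people actually hold, nested groups included), as an added example that is not the speaker's code. The users, groups, roles and permission names are constructed; the part worth seeing is the expansion of nested membership, which is where the leftover permissions from somebody's old team hide.

```python
"""Role-based access review: expand nested group membership, compute each
user's effective permissions, and compare with what the role needs.

Added example for this talk, not the speaker's code. Users, groups, roles and
permission names are constructed; in practice you would export them from the
directory and from the share/ACL reports.
"""
from collections import defaultdict

# Constructed directory snapshot: group -> members. A member that is itself a
# key in this dict is a nested group.
GROUP_MEMBERS = {
    "All-Staff":     {"alice", "bob", "carol"},
    "Finance":       {"carol", "Finance-Leads"},
    "Finance-Leads": {"bob"},             # bob moved to IT years ago, never removed
    "IT-Admins":     {"bob"},
    "Legacy-ERP":    {"Finance-Leads"},   # a nested group nobody remembers granting
}

# Constructed: permissions each group grants.
GROUP_PERMS = {
    "All-Staff":     {"read:intranet"},
    "Finance":       {"read:accounting-share"},
    "Finance-Leads": {"write:accounting-share", "approve:payments"},
    "IT-Admins":     {"admin:workstations"},
    "Legacy-ERP":    {"write:erp-db"},
}

# Constructed: what each documented role needs, nothing more.
ROLE_PERMS = {
    "receptionist": {"read:intranet"},
    "accountant":   {"read:intranet", "read:accounting-share", "write:accounting-share"},
    "it-admin":     {"read:intranet", "admin:workstations"},
}

USER_ROLE = {"alice": "receptionist", "bob": "it-admin", "carol": "accountant"}

def expand_membership(group_members):
    """Return user -> set of groups the user is effectively in, following
    nesting to any depth (a user in G2, with G2 nested in G1, is in both)."""
    user_groups = defaultdict(set)

    def walk(group, inherited, seen):
        if group in seen:          # guard against membership cycles
            return
        inherited = inherited | {group}
        for member in group_members.get(group, ()):
            if member in group_members:
                walk(member, inherited, seen | {group})
            else:
                user_groups[member] |= inherited

    for top in group_members:
        walk(top, frozenset(), frozenset())
    return dict(user_groups)

def effective_permissions(user_groups, group_perms):
    """user -> union of the permissions of every effective group."""
    return {u: set().union(*(group_perms.get(g, set()) for g in gs))
            for u, gs in user_groups.items()}

def review(group_members=GROUP_MEMBERS, group_perms=GROUP_PERMS,
           role_perms=ROLE_PERMS, user_role=USER_ROLE):
    """Return {'excess': user -> held but not needed, 'missing': user -> needed but not held}.
    'missing' is the list you need an exception process for before you remove anything."""
    held = effective_permissions(expand_membership(group_members), group_perms)
    excess, missing = {}, {}
    for user, role in user_role.items():
        have, need = held.get(user, set()), role_perms[role]
        excess[user] = sorted(have - need)
        missing[user] = sorted(need - have)
    return {"excess": excess, "missing": missing}

if __name__ == "__main__":
    for kind, per_user in review().items():
        for user, perms in per_user.items():
            if perms:
                print(f"{kind:7} {user}: {', '.join(perms)}")
```

On the constructed data, bob (now an IT admin) still holds payment approval, write access to the accounting share and the old ERP database through two levels of nesting, while carol is missing the write access her role is documented as needing; the second list is the one that turns into exception tickets rather than removals.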
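Detecting the credential attacks the talk says a remote access method has to catch, including the slow ones a three-failures-in-five-minutes lockout never sees, as an added example that is not the speaker's code. The log format, the addresses and every sample line are constructed, and the three thresholds (3 failures in 5 minutes per account, 10 failures in 24 hours per account, 8 distinct usernames from one source in 24 hours) are assumptions to tune against your own gateway's logs.

```python
"""Alert on credential brute force and credential stuffing against a remote
access gateway over a short window and over a long one.

Added example for this talk, not the speaker's code. The log format, the
addresses and every log line below are constructed; map FAIL_RE to your VPN
or RDP gateway's real log format and tune the thresholds to your traffic.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

# Constructed format: "<ISO timestamp> auth-fail user=<name> src=<ip>"
FAIL_RE = re.compile(r"^(\S+) auth-fail user=(\S+) src=(\S+)$")

@dataclass(frozen=True)
class Rule:
    name: str
    group_by: Callable[[str, str], str]   # (user, src) -> key the window is kept per
    window: timedelta
    threshold: int
    distinct_users: bool = False          # count distinct usernames instead of failures

# Assumed thresholds; the first one is the classic lockout rule from the talk.
RULES = [
    Rule("fast-bruteforce", lambda u, s: u, timedelta(minutes=5), 3),
    # The low-and-slow case the lockout never sees: 10 failures spread over a day.
    Rule("slow-bruteforce", lambda u, s: u, timedelta(hours=24), 10),
    # Credential stuffing: one source trying many different accounts once each.
    Rule("credential-stuffing", lambda u, s: s, timedelta(hours=24), 8, distinct_users=True),
]

def parse(lines):
    """Failed logins as (timestamp, user, src), oldest first; other lines ignored."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(events)

def detect(events, rules=RULES):
    """Sliding-window counting per rule and per key; returns {(rule name, key)}."""
    alerts = set()
    windows = {r.name: defaultdict(deque) for r in rules}
    for ts, user, src in events:
        for r in rules:
            key = r.group_by(user, src)
            dq = windows[r.name][key]
            dq.append((ts, user))
            while dq and ts - dq[0][0] > r.window:   # expire entries outside the window
                dq.popleft()
            count = len({u for _, u in dq}) if r.distinct_users else len(dq)
            if count >= r.threshold:
                alerts.add((r.name, key))
    return alerts

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = (
    # one failure every two hours against jsmith: never trips a 3-in-5-minutes lockout
    [f"2020-03-01T{h:02d}:00:00 auth-fail user=jsmith src=198.51.100.7" for h in range(0, 24, 2)]
    + [
        "2020-03-01T09:00:00 auth-fail user=admin src=203.0.113.5",
        "2020-03-01T09:00:20 auth-fail user=admin src=203.0.113.5",
        "2020-03-01T09:00:40 auth-fail user=admin src=203.0.113.5",
        "2020-03-01T09:01:00 auth-ok user=admin src=203.0.113.5",   # success line, ignored
    ]
    # one source, eight different usernames, one try each over two hours
    + [f"2020-03-01T{10 + i // 4}:{(i % 4) * 15:02d}:00 auth-fail user=user{i:02d} src=192.0.2.44"
       for i in range(8)]
)

def run_detection(lines=SAMPLE_LOG):
    return detect(parse(lines))

if __name__ == "__main__":
    for name, key in sorted(run_detection()):
        print(f"{name}: {key}")
```

On the sample log the fast rule fires for `admin`, the slow rule fires for `jsmith` even though no five-minute window ever holds more than one failure, and the stuffing rule fires for the single source that tried eight accounts; the per-account rules alone would never see that last source, which is why the source address gets its own window.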
It's not hard to do that. Most of us, at least these days, also have a VPN going after the whole COVID thing, right? So make sure, though, whenever you're doing it, make sure your remote access methods can, like I said, detect, block and report things like credential brute force, credential attacks, right, credential stuffing and things like that, especially, or even if it happens over an amount of time. In other words, don't just lock out accounts if it's three passwords in five minutes, right? You want to be logging and alerting on things that go over longer periods of time than that. And I do like, you know, do a VPN, then go into a jump box maybe that has some of the tools they need but actually limited access to the network.

So the next one, also I'm hearing a collective groan, I'm sure: keep up with patches. And we've beat this one to death, but here's the deal: we know that we need to patch things. This is what ends up driving into stuff so often. Patching absolutely needs to happen. Now, the deal is, I know that it breaks things. I've been in places where it breaks things; I've broken things with patches, so I totally get that. The key thing is, you're going to find machines sometimes that you can't patch, and this was prevalent in the healthcare industry when I was playing in that area, where, let's say, an MRI was built and it does fantastic imaging. The doctors love it, the images are fantastic, they can spot anything with that. But the company that makes it has been acquired twice since it was purchased, it's a five million dollar piece of gear, and it only runs on Windows 7, right? This happens, it does, unfortunately. So what do you do? You can't patch that machine. Well, the key thing is, remember that machine: segment it off, make a micro-segment, really control what it can actually talk to, what it can communicate with, make sure that it's very, very well protected in its own little bastion there. The reason I say this is, you know, the stuff sits on the networks and we forget about it, and sometimes what we'll do is, in our patching processes, we'll say, "Hey, this machine, we know we can't patch this machine," and we just kind of shove it off to the side, don't do anything with it. Well, then it turns out that we forget it. The other thing you can do is come in and look at certain things. Sometimes patches, all they do is turn on or off a service that you can do manually. So look at what's coming out, what's in the patches, and go, "You know what? Yeah, I can shut off that version of SMB on that machine," or whatever it takes. Also, focus on your biggest vulnerabilities and use real data to determine the priorities. My colleague and friend Roger Grimes wrote a book called Data-Driven Defense. I love the book. It talks about looking at what your real threats are, as opposed to just, "Oh gosh, there's this named vulnerability that has nothing to do with me." So keep that in mind, and try to determine your priorities. It helps us from wasting time patching things that really aren't that big of a threat to us while we leave the other stuff wide open.

So last but not least on this one: control outbound traffic. Now, I added this one because of what's been happening in ransomware starting the end of 2019,
and it started with our good friend Maze, M-A-Z-E. That version of ransomware decided it was going to start actually exfiltrating data and then dumping it on the web. Now, this is a really, really ugly trend that's been going on, and quite frankly it's changed how ransomware works, and it's really, really caused us the requirement to look back over this and go, "Okay, backups aren't enough anymore; we have to do some other stuff." So what I've been seeing in a lot of these attacks now is they get in and they exfiltrate data. What was it, the LA, or, I'm sorry, the New York law firm, that happened there, that dealt with all the cri... I wanted to say criminals, the entertainers in Southern California, right? All of these super elite movie stars and stuff. They got breached; they had 750 gigs of data pulled out of their network and nobody noticed. That's a huge amount of data on these stars, and we're talking about some sensitive information here. We're talking probably movie contracts, all of that kind of stuff that they may not necessarily want to do, who knows, there could be divorce information in there, or prenuptials, or there's just a ton of information. And to have 750 gigs of that go shooting out the side door without anybody blinking an eye, that's dangerous.

Now, what I find is a lot of organizations, we focus on the firewall on inbound traffic. So we block the stuff coming in that we don't have live or we don't need, right? So we put up the deny-all sort of thing coming in, and then we allow the certain things that we need. Well, and that's great, that's fantastic. The problem is we don't do that on the outbound. So what happens is, let's go back and pick on our receptionist. Now our receptionist gets hit with some malware that uses, let's say, FTP channels as command and control. Well, now they're doing command and control out on FTP channels, and there is absolutely no reason that that receptionist needs to have FTP traffic enabled in or out of the firewall. Like, there's no reason they should go to an FTP site, ever. So we've got to look at those. I see data being exfiltrated out through FTP, through whatever, through all of these different areas, but we just leave our door wide open going outside. It's like, you know, the door is locked coming in, but anyone can go out. And that's fine for emergency situations with the push bar, but it's not fine with our data, and that's where we need to focus on that some. The data exfiltration piece, and just opening those command and control channels, can be significantly limited if we block the outbound traffic stuff, or at the very least start alerting on it. You know, if your receptionist starts going to FTP sites and moving traffic, you should at least get a very large alert in your SOC or whatever, that text message. So those are some things to think about on that. And I highly recommend you look at DLP solutions if you want to, but that does cost money, but most of our firewalls are equipped to do that. And yes, again, you're going to break things when you do it; it's going to happen. But you try to roll it out a little bit more gently: start looking at the traffic that's leaving to begin with. You may find things that you really don't want to see already working out of your network. So that is my seventh and final of those.

So in summary, right, there's a lot of ways to improve security without adding more technology. Most of the stuff I've talked about here is actually using things that you already have in place, and that's a key: look at what you have before you go out and buy something new. I see a lot of cool products; they sound great, they're wonderful, they're basically a re-badged, you know, whatever that we already have in place, and now we have to manage yet another device, yet another piece of software, integrate another thing, there's another pane of glass that we have to deal with, right? And unfortunately we spend a lot of time. Now, I love tech, right? Back in the day I had a switch, it was an HP switch, and it had these little blades that popped in, right, and I would actually go into the server room, turn off the lights and just watch that thing light up. It was the most beautiful switch I've ever seen. I still remember it now, 20 years later. It was absolutely gorgeous and cool to watch. I love blinky boxes, I love technology. Sometimes that's not the answer. That's kind of the key to this: let's look at what we already have without buying the new stuff, and let's try to do the most that we can with what we have. A lot of these methods that I'm talking about, for example role-based access control, you know, RBAC, is going to require documentation overhauling and some process. Looking at this is actually a good thing, though. I know we all kind of groan also at processes and procedures and writing stuff, but man, those are incredibly important when it comes to a lot of things. Your processes and procedures really, really help tie everything together, so it's actually a good thing that we go back and re-review those. I want to be clear: don't try to take all this stuff on at once.
Do one or two things at a time and get those in place and then move through it, okay? So don't go out of here and decide you're going to hit all seven things at once. Not a good idea.

The other thing you want to do is work on your security culture within your organization, and that'll help your organization spot new trends and attacks kind of as they happen, which is, you know, oftentimes better, like, as they're evolving, than afterwards, okay? So, you know, far too often I've seen people go, "Oh, you know what? I did this thing last week, it seemed really weird, and ever since I clicked on that, my machine's really been running slow. I don't know, the fans are going crazy, I can barely get anything done." Right? And you're going, "Oh man, come on, but that was a week ago, right? This stuff's already been in there." What we want to do is have people that are used to saying, "You know, something seems odd here," and being willing to turn around and report it. Not always easy to do, but part of that is us as security professionals really need to take the mindset and the role that we're there to help the users make smarter security decisions every day. That's what I want to drive home. If we can help them make those better choices, we're going to be way ahead in the long run, right? So then Bob clicks on something, and instead of being ashamed or not sure what to do, he says, "Man, you know," I pick up the phone call, say, "I just, I clicked something, and now my machine's acting weird. It may be nothing, but can you help?" Man, I would rather get that call 100 times than the one that's, "Well, last week something happened, and, you know, now everything's on fire." So let's keep that in mind when it comes to creating that culture. Let's make it so that security is not the department of no, but rather someone that's there to help them when they need something, and that'll go a long, long ways towards helping in the long run.

So that being said, I think I'm just about out of time right here. This is my contact information; reach out to me anytime. I use the @ErichKron Twitter on here more than I do anything else, but feel free to reach out to me, email, LinkedIn, whatever. Always happy to discuss this sort of stuff and help people out wherever I can. I love to be able to share the experience I've had over the years with people. So having said that, have a great time, enjoy the rest of the conference, and hopefully I'll see you around when we have these things in person sometime. Thank you.