Why Data Breaches Keep Getting Worse
September 17, 2024
Welcome to the Security Cocktail Hour. I'm Joe Patti. I'm not Joe Patti. I'm Adam Roth. That's right. How are things today, Adam?
Really good. A couple of deer walking out front, some wild turkeys, some fox, some sheep. It's all good. But it's really weird. They're walking two by two, and they're walking towards this big structure. It looks like an ark.
Really? Well, either we're in big trouble soon or you need to see a professional, one or the other. I don't know. It's probably both. But I would lean on the second one. Okay, well, speaking of the end of the world, it seems like lately it feels like the end of the world. This seems to be the year again of more data breaches. They keep getting bigger and badder. You know what I mean?
There's no doubt about that. Breaches are not going away. And I think even though we think there's a lot of them, there's going to be a lot more. There's no way to prevent your data from getting out there other than maybe sitting in a cave and writing everything on paper?
Which I've thought about. But we're going to get into that today. What, caves? And purchasing caves? No, data breaches. Oh, sorry. We'll start another channel or podcast for cave living. That'll be something. But before we do that, for this channel, please, everyone, on Spotify, follow us, comment, tell your friends. And on other, you know, podcasting platforms on YouTube, like, subscribe, follow, comment, share. You know, we're really trying to... Threaten. Threaten. Threaten, but we have nothing to do with it.
I'm not saying bodily harm, just tell people if they don't follow the podcast, you're no longer going to talk to them.
That's right. If they don't follow the podcast, the earth is going to get deluged and we'll all die. That's it. That'll be a good one. But yeah, no, please. We are seriously trying to build up our audience here on the channel, and that really helps quite a bit.
If anybody can prove to me they got a hundred followers either on LinkedIn or YouTube, we'll get your custom made security cocktail hour cave shirt. Cave shirt. Yeah, it'll be like a cave and there'll be you writing on a tablet. Oh, yeah, we'll make it custom just for you.
I thought you meant like one of those Fred Flintstone outfits with like our logo.
I might come on the next podcast wearing that. That'd be kind of cool.
Save it for Halloween.
I was just going to say, keep in mind Halloween's coming soon. That's right.
We need another Halloween episode.
I might wear the Flintstone costume for our Halloween edition.
Cool. All right. Excellent. But for now, we're talking about breaches. So here's the latest rundown of the big ones. There have been a couple of big ones. There's been this national public data which is a company that most people I think have never heard of, and most people have no idea that they had their data, because they do background checks on people. Like, you know, you go to get a job or whatever, they do a background check on you, and they collect all this data. So they did the nice job of collecting all this data, getting it together, making it easy for people to buy it. And guess what happened?
Somebody picked it up at a store like Five Below.
More or less. Yeah, they... It's out there now.
It's out there, and now the bad guys have it all conveniently packaged up for them. Yeah, I mean, that's really it, right? You know, your data is always out there. It's somewhere. Somewhere, someone has gotten breached. And even that data that's on the dark web, you don't know about it until you know about it. And what I mean by that is, you know, people go out there to scour the dark web. There's threat intelligence services that scour for people's data when they're hired to do it. Usually they call it an RFI, right? And an RFI is a request for information. So a company might say, hey, is my data out there? And then all of a sudden they come across this data. I'm like, oh, wow, this is bigger than we thought. Your data is contained with everybody else's data. So there's plenty of data on the dark web that doesn't ever hit the news until it's really big.
Oh yeah, well, this NPD one, I think they were saying it actually happened back in April. It's actually pretty old, and they're just now getting around to telling everyone about it.
Billions and billions of records. That's kind of scary, right? So, I mean, a record could be 20 different pieces of data, but we have what, 350, maybe 400 million at the most in the U.S. Let's just say 400 million people, and we have billions of records. That pretty much means that everybody's data has been compromised that has some kind of data. Like in the U.S., it's social security numbers. In other countries, it's unique identifying numbers of who you are. Other countries have sort of social security numbers. So pretty much every civilized country is probably compromised if they do background checks on them.
Yeah, well, was it May Brooks who was on the show who said, like, her Israeli ID number has been compromised so many times she doesn't even worry about it at this point, right? And we're not that far off. Don't think we're so good. But yeah, and you know, like you mentioned the numbers. I mean, I've read some articles. You know, it's kind of funny. We know that a lot of people in security don't understand, or people who are not in security don't understand a lot of this stuff. But, you know, I've heard some people writing comments like they say three billion records were stolen. How is that possible? Does that mean half the planet? How can that only be the United States? It's like, well, it's more than one thing for each person. You know, there are multiple records or multiple pieces of information about you.
Yeah, I mean, that's exactly it, right? But just keep in mind, you know, if you're in a North American country like Mexico or the U.S. or Canada and you come to the U.S. and you have property here or you're buying something here, they're still gonna do a background check on you. Just because you're not American doesn't mean you can't have a background check. In other countries, you can also do credit checks on yourself. And for example, my wife, she was born in another country. In order for her to get a background check or a credit check, she has to go to that bank, the bank that's contracted by that country to do background checks and credit checks. So very easily, if your information is compromised in a bank that's located in the U.S. but is handling other countries, your data can very easily be stolen.
Oh yeah, the, you know, tentacles of the U.S. reach out everywhere. Well, we'll screw everyone, but...
And also keep in mind, if you have a credit card and you're going to other countries, that credit card is accepted in other countries, which means that credit card can also be gotten in other countries, whether it's MasterCard or Visa. We're not the only country with credit cards.
We're not? I'm just letting you know. We're not. I use credit cards. I only use credit cards in travel. Who uses a traveler's check anymore? Who even uses cash?
Do you remember those days? I remember those days.
Traveling, what a pain in the ass.
I want to get $1,000 in American Express traveler's checks, you know? Remember those days? That was universally accepted stuff.
Oh yeah, well I'll tell you, I went to Europe for the first time in a long time, post-COVID, and you know, it used to be you'd go to a country like Italy, where they were never really big on, you know, tax compliance, like a lot of cash going on, and they went totally the opposite way. Now, they don't take cash anywhere, and it's tap to pay.
Yeah, I was just gonna say, yeah.
You see some dude on the street, yeah, he's got one of those little things to take, you know, phone payments and stuff. It's better, you know?
When I was traveling, and I know we have to get back to the breaches, but when I was traveling to other countries, building out data centers, it was so weird because it's not accepted in other countries to take your credit card and give it to the person, let them walk away and swipe it. They bring the credit card machine to your table and they swipe it for you. So it's tap to pay, even on the cell phones. It's so easy these days. But you don't know if you're tapping to pay for your meal, or you just purchased a wedding dress for the guy's daughter that's getting married next week.
Well, it is good to check, and you gotta look at your stuff, but we'll get into that and protecting yourself. Because I did do a clip where I said use tap to pay. Tap to pay is much safer than giving someone your credit card. Anyway, so another breach. Change Healthcare. Another company that nobody's heard of. Well, you know, for the most part, I had never heard of it. And they do some kind of service for, you know, healthcare providers, hospitals, doctors, whatever. Some kind of processing, whatever. They're basically a third party. And they lost what? Hundreds of billions of people, millions, hundreds of millions of records. I saw one thing that said a third of the U.S. population has, like, you know, their personal data and also health care, you know, information. PII. PHI. PHI, sorry, yeah. Right. Personal health care information. Well, it's out.
And that's really personal, right? Because a lot of that relates to diagnosis and health care codes and possibly even notes on some of the things that you've had. And some of it's really personal. I mean, you know, there are organizations, before they hire you, they'll ask you, which I don't know the validity and the legal part of it, to release your medical records, depending on what type of job you're doing, and that information could be in there. Even certain, even firearm purchases require that they check with your state's mental health to see whether, I'm not saying right or wrong, I don't wanna get into the politics whether it's right or wrong, but the point I'm making is you're releasing your health information to an agency that we're hoping safeguards anything that you have. So all politics aside about weapons, I'm just saying that you gotta release your information to a government agency, and if that information gets compromised in a breach, you really, what are you gonna do? There's not much you can do.
That's right, and if you think that, oh, it's the government, they're gonna take care of my stuff, they're very skilled, yeah, just Google government breaches. There have been some very big ones. So, here's how this came up. I was on a social media site. It's actually, and it shows you that this stuff is getting into, like, you know, the mainstream. Obviously there are news stories, but people are talking about it. So I'm on this site, it's nextdoor.com. You ever use that one?
Yes, I have. And it's funny. It's people around there: the dark web stole all my information.
Well, I also find it funny because, you know, I mean, it goes to show you how it's getting because, like, you know, it's usually people looking for a plumber or someone to, like, redo their driveway or something. And now people are talking about the dark web. People are posting about this stuff. And I'm like, hey, these people are all civilians. What do you know about this stuff?
Well, you know, it's like, I don't want to be obnoxious and arrogant. It's just kind of funny. And what I mean by that is, just because you and I might be a drop more knowledgeable than others, it doesn't mean that we're going to belittle what people say. But I guess what we're getting at is, even though there's a legitimate concern, people don't understand what's really happening. And it's kind of our job, I feel like, to educate people about this is what's really happening. It's comical, because it's almost saying, I'm gonna make an analogy: do you know that the sun tried to break into my house, because I saw it shining through my window? That's how we see it. That's how we perceive it, and I know that sounds a little bit condescending, but we just want people to know what really kind of happened. And we're not even the experts at it. We're reading a lot of it, but we understand a little bit more because we're in that field.
Yeah, well, we actually, this is our business, Adam. You can say we understand it. It's okay. You don't have to be too humble. But yeah, you know, it's like the way I look at it, it's like when I'm hearing these things about, you know, reading this stuff about security that, you know, non-security people are talking about. I've said it to my friends, too. I've got two friends who are accountants who, like, start talking about some accounting or some tax law. And I'm like, is this what I sound like when I talk to you about security stuff? Because I have no idea what you're talking about. Yeah, so anyway, you're right. I think it is our job. It's our mission. And, you know, actually, you know, part of the show is to explain stuff to people, you know, how the world really works. So I jump into this one thread where, you know, we've got this thread, people are talking about the breach. You know, it's very cool and it's interesting to see what, you know, what's getting to people, what they're hearing about. And someone says, you know, why can't they just hire some engineers who know what the hell they're doing, or who are good, or whatever.
And so I very delicately, very delicately get into this discussion and I say, look, you know, I don't want to say, like, it's not that simple, you know, but I say, look, you need to be looking more at the top, at the leadership, and not at the engineers. I said, knowing how things work, it is highly likely that there are a lot of people in the technical areas, in IT and security and in their risk shop and whatever, who knew that there were issues and knew that there were issues leading to this. And, you know, maybe they weren't listened to. Probably some decisions were made not to do it. But also, what I find interesting, where we can contribute something, is, you know, people say, like, oh, how can they make this mistake, or how could they miss this? And it's like, well, you know, you can always trace these breaches to, you know, one or more, usually more than one, you know, technical thing. Like the NPD breach, or the change management breach was, there was a remote access system that was on the internet that only had a username and password. It didn't have multi-factor authentication like it should. But how did it get like that? And how did someone miss it? That is the interesting part.
That's the part that's tough. Let me say this, Jerry. I mean, I'm on a lot of those sides, right? And when I mean a lot of those sides, I'm also a physical security guy. I'm a network security guy. I'm a cyber security guy. And my house has cameras. My house has an alarm. My house even has sensors when you come near the house. It doesn't mean that my house can't get broken into.
And, you know, it's like saying, that's what the machine guns are for, the robots.
Yes. Well, those have been deployed as of last week. The problem is that the AI might not be up to speed. It might just kill a small little dog. I don't know. I'm joking. But what I'm getting at is, so you have a house, you put an alarm in, you put in cameras. And then that's like saying, when somebody broke in, why didn't they design my house better? You're empowered to add as many layers of security as you want, but how much money do you have, and how much security are you gonna put in? And the more security that you put into anything, whether it's a network or a device or a server, the more cumbersome it can get. And they kind of call that security through obscurity sometimes too, as well, right? So I can build a house with brick and steel, a brick house or steel house, and steel doors and double locks and everything else, and multi-factor authentication with fingerprints and retina scans. But, you know, okay, now you do that, you just spent 10 million dollars on a home, and it takes you 30 minutes to get in. It's kind of the same in a network or some kind of thing or a business. You build out this incredible, incredible, incredible security, you put in four firewalls and this and that, but the complexity is you've got to manage it. And then you, as a customer, when you subscribe to that health care company or whatever it is, then you get pissed off that you're paying $9,000 for a bottle of aspirin because they're protecting your security. It's give and take, and I'm not saying that you shouldn't have good security. I'm saying you should, and in the end there's a middle place where you can meet, but you still gotta maintain it. And that's the point I think we're making. You gotta know where your openings and where your vulnerabilities are. And sometimes there are those unknowns. That's the last thing I'll say about that. You can't know about every vulnerability, because you don't own or build all that equipment.
That firewall, that server might have a vulnerability that exists that you'll never know about.
Yeah, well, that's right. You know, I got to get into a couple of things there, you know, that I want to talk about too, which was, you know, it's like you say, like you're protecting your house or whatever. There's the cost, obviously. And the cost, you know, gets pushed to customers now. Companies, of course, can be greedy. They don't want to spend whatever. They make decisions on what they think is the best for them. Unfortunately, you got to remember that when they talk about the cost of security measures, they mean the monetary cost to them. But when they talk about the cost of a breach, much of the cost goes to the customers. They pay the price. It's their data getting out. And very often, remember, in these two breaches we talked about, you're not actually their customer. It's another party. So there's a lot of buffering and indirection there. But also, you've got the situation where, like you were talking about in your house, it's like, okay, you got your house, you want to protect it. If you're in an apartment in New York in the 70s, I remember when I was a kid, you'd see those shows where everyone's apartment door had, like, eight locks on it. That was all crazy.
Of course, bars and everything else, you turn it.
Yeah, all that crazy stuff, yeah. To put that in your house, say, in the suburbs or in a rural area or in another setting, you know, you might say, yes, it will protect the house and, you know, yes, and it will protect you even from the unlikely case. But for that unlikely case, think of all the, you know, the inconvenience and the time you have to spend every time you want to answer the door or every time you're going out dealing with all those locks. And in business, the equivalent of that is time and time is money and people. And it means people are spending time doing that instead of making money. And it can actually slow down the business. That's why a lot of people in businesses and in work, I mean, think about it. They hate the security people because they make their jobs harder. And that's exactly the push and pull that you get that leads to some of these things.
So I know somebody who came to me the other day and said to me, hey, Adam, I know you're in cybersecurity. I need to protect my data and do file sharing, but I want to be able to do government contracts. Do I build a server and put in a server? I said, oh my God. I said, yeah, you could build a server, and then you could put a firewall in, and you can do all this, but the cost is going to be tens of thousands of dollars. And then somebody has to maintain that. So what's the alternative? You put your stuff in the cloud, but you don't always have control over everything in the cloud. So while you might have access to your data within maybe a container, there's a bigger part to it. You don't control the server that it sits on, that virtual server, and you don't control the firewalls on the larger level. So while you might protect your own container, your own little device or part of it, everything else, whether it's Amazon or Google or Microsoft Azure, you can't control all of it. And sometimes if the people that are managing the bigger part of it do make a mistake, there's no control over it. So you're doing risk versus reward. Put your stuff in the cloud. It's cheaper for you. And you'll be able to maintain your part of it, but you can't control everything.
Well, that's the thing. The cloud discussion is interesting. A while ago, when the cloud was a bit newer, people would say, is the cloud more secure than running something yourself and securing it? Is it more secure to put your stuff out in Dropbox or to run your own server at home? And I used to say, well, it depends on how good you are at security. Are you better than them? But it's a bit more than that because, you know, the first thing is you don't know how good they are, because you can never really find out. Even, you know, companies, when we do, I mean, we do audits and we do assessments before you do business with someone, you still really don't get a lot of information that's really going to tell you. But also, you know, running the stuff yourself is expensive, and, you know, very often the companies don't have the knowledge and they have to hire security people, which is expensive, and security software, which is very expensive. So you tend to put it out and trust someone else. But then you see, like, what happened with Microsoft, and their cloud popped big time. And you say, how does that happen? Well, it's very complicated. Security is hard. It's very complicated and it's very expensive, even for Microsoft, that is one of the biggest companies in the world. They still, you know, they could do it. They could make it impenetrable, but it would be something that no one could afford and that no one would want to use.
I'll give you another example. You know, let's talk about physical security. We get probably thousands to millions, depending on where you are, of containers within the U.S. government a year from outside this country. We don't have the ability to check every single container. We have some tools in place to check for nuclear material and other things, and sniffing dogs and random checks and things that are profiled, but that's kind of the way it is with cybersecurity. We have to, from the top down, make sure those people, those management, are checking the other managers that are checking the people that are doing the changes. There is no way to validate every single change that's done to make sure it's correct. And sometimes things do slip. And usually, smaller companies have less resources, and it's usually led by one person. And that one person is probably inundated and overwhelmed to a point where it just gets so cumbersome. Medium and larger sized companies have multiple checks in place. They have change control. And even with those change controls, somebody could still make a mistake. It's not like somebody goes back and says, let me validate that change. What they're validating is that that change seems accurate, and they sign off on it. It doesn't mean they go back and check it. And that's why companies hire other people, third parties, to audit this stuff, to give documents to their customers: we were audited by a third party, independent, and they say this is good. But most likely there's medium and high level things that are found that have to be fixed.
Well, the scale of things is very important that you hit on. And that's something that I always like to tell people about. You know, like with the Change Healthcare thing, they go, okay, there was the system that's for remote access. And it very obviously had something that wasn't right. But anyone who saw it should have said, you know, something should be done about this. Well, it's possible that they saw it and they said, you know what, we don't want to fix it. We want to accept the risk of it for whatever reason. And so they got bitten by it. But it's also very possible that, you know, we're looking at this kind of from one direction, from the direction of there was this one problem, how did someone miss it? But the people who are doing the defending and doing the management of it are looking at thousands of things. And, you know, you mentioned the small businesses, the big enterprises. In a small business, you know, that even has maybe one IT person, you'd be surprised how fast the complexity of things grows, even in a small company, and all the things you have to do and keep track of to secure it. And as you get to an enterprise, it's huge. They may have tens or hundreds of thousands of things that they need to check regularly, and remember that they're constantly making changes. Things are not static. There are new vulnerabilities constantly coming in. They're always being touched and tweaked, and finding the errors in that is actually very difficult and very expensive. And then there's also the alerts. Sometimes, I mean, like with Target, when they had that big data breach, they said, oh, they got an alert. How did they miss it? The answer is actually ridiculously simple. It's because that one thing was a fairly low priority thing that came out against the background of thousands of other things that were very similar. How do you know it was that one? That is the hard part.
Well, yeah, that's attribution, and known with a single point or multiple points of failure. But for those out there, let's make believe, let's do a scenario. You go to your CPA and you have your taxes done every year. So a nice little small office, 10 to 20 people. That person has to be able to store their stuff on something. They're most likely using Gmail or Yahoo, even though they might have their own website. But let's say you're at Gmail.
Or some commercial service that's basically the same thing.
Yeah. So you're sending your taxes via Gmail. They walk away from their computer. And they're opening their Gmail from their home computer. They turned around, and their kid's using the same computer. Kid goes on this website, goes to download the brand new game. That brand new game was great. They downloaded it from a site. They might even not want to buy the game, and they download it from a torrent site. They open the game, the game creates a backdoor. That backdoor allows a hacker to come in. They get the password and username by capturing the password and username from memory. Now they have access to all your taxes. It's really that simple. Under law. Yeah, on the enterprise locations, we have so many different checks in place. We have proxies in place. We have firewalls. We have, you know, things that check your mail for exfiltration of data, but guess what? Every single one of those can be defeated very easily. So what do we do? We use something called a SIEM, or security information and event management, which literally pieces all these different tools together and creates these rules: if they do this and that and this, and then that, and then this, and then that, then raise a flag. And even that is so complicated, because you gotta get somebody to constantly monitor all these alerts, and then you get alert fatigue, then you gotta tune them out. Okay, we don't wanna get these alerts anymore because it's just too much, we can't do it. So then somebody gets through on another alert that you tuned out.
Yeah, and the thing that's important is to say that, you know, like you're saying, oh, when you have the security systems and they have to be monitored, someone can still get through. Okay, it's possible to get through them even if they're working correctly and they're set up right and no one made a mistake with it. But people make mistakes, and so it may not be optimal. And, you know, again, getting to the scale of things, you know, talking about the cloud, and I'm going to pick on Microsoft again, only because I've worked with Microsoft a lot recently. You know, when setting something up with them, when you're doing the very high-level enterprise, you know, big company stuff, when you're using their cloud, they have a lot of security. They have a lot of stuff. It's actually very good. It works. It's cool. However, they have something like 2,500, 3,500 security settings, something like that. That's not easy to figure out, to make sure you've got all of them right for what you need to do. And when you make a change, to make sure someone hasn't touched the right one, or it hasn't affected something else. Remember, changes are going on all the time. And the systems are changing all the time, because they're being upgraded, they're being changed. I mean, Microsoft, I will pick on them because they're always changing the names of things, which is incredibly irritating. And so we need systems that are designed just to check those systems. And then we need systems to check them. It gets very expensive. It gets very complex. And throughout all of this, people still need to do business. Your accountant still needs to do his accounting. Your lawyer still needs to do his lawyer stuff. They're not going to spend all day doing this.
So we're going to make it even simpler than that, which is actually really more complex. And what I mean by that is this. The most fallible part of any cyber security program, I believe, is usually the layer eight. And we call it layer eight, there's different layers of the OSI side. Yeah, you gotta explain that. Yeah, I am, I am. So everyone knows how clever you are. Yeah, I'm real clever. So there's a thing that they teach you in school. It's, like, almost like saying, I went to school to learn calculus and I never ever used it in my life. Well, there's seven layers of how communication works, starting at the physical layer and then going all the way up to the application layer and stuff.
Well, hey, just to be clear, when we're talking about computer networking, there's something called, like you said, the seven-layer model. And it starts at the bottom with the actual wires and stuff that you're plugging in. And then there's software on top of that, and software on top of that, and software on top of that. And by the time the stuff that you see, like when you put in a URL like HTTP, whatever, that's basically the top level.
So the layer above that, that's never defined, is called layer eight, and that's called the human layer. And the human layer is the most fallible part, including myself, including Joe. So what happens is, if somebody really wants your data, they're going to see what they can do to convince anybody. And guess what? It's not always the secretary or the janitor or the person answering the phones that gets compromised. It's people like us. Somebody calls somebody like us and says, I'm blah, blah, blah, and, you know, we need access. And they're saying, how stupid can you be? You're a cyber guy. But now with AI, I can maybe call Joe and get enough information about Joe, and then someone could use my voice as if I'm, you know, me, and then call Joe and say, hey, Joe, remember that episode that we did? Can you send that to me along with the password and username to the file? I don't have access to it right now. And Joe might say, wait, it sounds like Adam. It probably is Adam. He even mentioned things that we normally talk about that most people wouldn't know. But those people did a lot of social searching and got a lot of information about us, pieced it together, used some kind of AI voice to copy my voice and my enunciation and my Brooklynese, and now Joe's convinced it's me, sends the file over along with the password and access to it, and now the person got access to everything.
That's right. You know what? If someone impersonates Adam, all he's got to do is make a random statement about, you know, PISM, like physical IT integration, and I'm like, that's Adam. Only Adam would say that. No, but you're right. I mean, even IT people, even security people who are trained are, you know, vulnerable. This is a cat and mouse game. And, you know, like we say, it's not just the people who are trained who are vulnerable. It's not just the people who are smart or anything. Smart people get tricked by this all the time. These people are pros who go after it. Oh, executives are the worst. Executives, because they're, the bad guys know exactly how to push their buttons. They're very skilled at it.
There's several CEOs or CFOs or CXOs, some kind of C-something-O, that have wired money, 40 million, 30,000, you know, just to other people because, hey, guess what, you know, remember that acquisition we're doing? We need money right away. And, like, well, most people don't know about that acquisition, but the person, the hacker, the threat, the threat actor, was able to get that information and kind of convince somebody to wire money. Just, you know, we worry about spending $500 on something; they wire 10, 20 million dollars, you know, often like it's nothing. So, like, how could somebody send 10 million by mistake? It's pocket change sometimes to them.
Well, also, we should get into a little bit about how they do it. When you're talking about, like, the executive, how do they make a mistake ordering someone to wire all this money? It's like, well, like I said, they push their buttons and they know what to do. They need to be like, this is for a big client. And they'll put urgency on it. There's pressure. There's no time to check. You've got to send it now. We're going to lose this. Or there's a regulatory thing. They prey on all the things that they know are on those people's minds, basically. When you see the gift card scam, that is very obvious to a lot of people. Someone says, I'm stuck here. I get an email from someone that says, I'm stuck here. I don't have my phone. My phone's dead. I'm borrowing this computer, whatever. And I need money or I need this. Send me all these gift cards. And it has to be now. You're going to see the signs like, it has to be now. It's going to be for a client, it's going to be your boss or someone who is an authority figure or something. They know exactly how to do this stuff. And another thing is that, like we said, we talked about the Change Healthcare, that it came in by a weakness that was in a system that shouldn't have been there, that could be exploited. But actually, most of these ransomware attacks, I don't know about you, you know the stats, I think it's 70% or more, actually come in through phishing, through people getting an email and clicking a link and opening an attachment.
And most of these, that's where it starts. Despite the controls we have, they can still get through them, and even all the training we do with people so you don't click the link, don't open this. And it doesn't come in as, somewhere, and I mean, it used to come in as things like, oh, it's a little joke or something from a friend. But, you know, now it's gonna look like something official, like something that's important, like something that you're gonna be in trouble if you don't deal with this, that it ends up being real. That's how they do it.
And sometimes, they also prey on your curiosity. So I turn around, I hack into Joe Patti's computer or I get access to his email. I end up getting his password and username some way. I'm in his email and I find an email that was sent by me and I do a reply. And it comes, looks like it's coming directly from his own email. He opened, I say, check out these vacation pictures. Well, check out these new logos or something. He's like, oh, I'm curious. He opens it up. That picture allows a vulnerability, creates a backdoor Trojan back to a command and control where somebody on the other side can start accessing the system. It's really that simple sometimes. Somebody got access to somebody else's email. The email looks legitimate. You hover over, like, this really is his email. This really is coming from him. You know, I've looked at the IP address. It's the same IP address.
That's right. If you have your security people check it, they're going to say, yeah, this is real. That's legit. And it is. But it got stolen.
And what we always recommend is that email looks a little bit fishy, even though it looks legitimate. You call the person that you know at a legitimate number. Don't look at the signature at the bottom and call that number. Like, for example, email comes from, let's make it up, NYPD. It looks like a real email from NYPD. And you call the main number and say, can I speak to that person that sent me this email? At least you can turn around and validate. I'm not saying nypd.compromise or whatever. But I'm saying is, you know, it came from your doctor's office. It came from, you know, UPS. It came from somebody. Take that email, call back the number that you Googled, make sure that's a legitimate site because guess what? People can put things at the top of your Google search too and you'll think it's real. Find a way to validate it's really the number, call that number and do that and see whether or not that email's legitimate because a lot of people get compromised and it comes from a law firm. Guess what? You have a subpoena, you're in trouble. You're in trouble.
Do this or you're in bigger trouble. That kind of thing. That's how it is. So, to summarize, how do breaches happen? Well, a lot of different ways. But many of them boil down to the fact that stopping them is difficult and expensive and inconvenient. And the bad guys are very good and are always working on new ways and know all the vulnerabilities, human and otherwise, they can exploit. And kind of the next thing is, companies that are trying to make money and be profitable, and government agencies, are not often really good at doing things that are difficult and expensive that are not really their business. And that is the tricky part. And that's why these happen, and that's why they're going to continue happening, unfortunately.
I mean, I guess the good news is there are more laws in place that give a lot more penalties if you do get compromised or something of that nature. However, as you add more legislation and as you add more laws, you add a layer of complexity that you have to make sure that you're adhering to the law, which requires third party outside consultants to make sure you're doing the right thing, which creates more costs, and that more cost gets passed on to you. At the same time, you know, it's like, it's like we want more protection. It's almost the same as like, well, guess what we want. I'm a New Yorker. Joe, for the most part, is a New Yorker, right? We live in the tri-state area. We want more protections, a lot of bad things going on. We're worried about terrorism. But will you get upset when there's a gun check or a baggage check or something going into the subway, and now you're on a line waiting a longer period of time? Are you willing to give up a little bit more freedom for a little bit more protection? Or do you want less protection and more ability to move around? And that's, that's that fine line. It's the same thing with your computer systems. It's the same thing. We're protecting your data. You know, are you willing to go through three or four steps to get to your data? To get to your vendor, to get to your website, to get to your bank account? Oh, I gotta put in a PIN. I gotta hit a push button that says I'm really that person. This sucks. I hate it. But then, you know, you become more vulnerable if you, so it's a fine line.
Right, and there are some other aspects to that too that are interesting to look at. The first is you talk about more laws, regulations, you know, we call that compliance, showing that, you know, there are these things you have to do and you're showing that you're doing it. Well, there's a phenomenon where people, where you think you say, well, people are going to be scared, so they're going to get their, you know, improve their security. Not necessarily. Some places then will spend, they'll put resources that might otherwise have gone into improving security into the compliance side, into showing that their security is okay. And also when those regulations aren't good and aren't as appropriate or efficient for one business or one entity versus another, in order to satisfy the government and the regulations, they may spend money and put resources into stuff that's kind of a waste or that's inefficient. And then that means they're not dealing with the real risks and stuff. And the other thing is, another thing, like Adam, you talked about, you know, checks and this and that and all, and you know, TSA gets a bad name for this. There is also a concept called security theater, where people or organizations will spend, and I'm not going to pick on anyone in particular, but the phenomenon here is that a company spends something on a security measure that's very visible, and even deliberately inconveniences people because it's visible, they see it, they say they care. But the truth is, it's not very effective. And that, again, takes resources away from putting in measures that are effective, but that are not as obvious to people and that they don't see. So, you know, we get back to this is a, you know, how do breaches happen? How do these things happen? It's a very complex situation. There's a lot that goes into it. It's not just about hiring the right people, or spending enough money, or, you know, doing whatever.
There is a lot to it, and that's why it keeps happening, and it's going to keep happening for the foreseeable future.
And, you know, if you look online, you'll see a lot of criticism about the way things are done, and it's funny, you'll read it, and you'll get one level of criticism that says they could have done this, and they're right! And then you'll get another level of criticism that says you're wrong, they could have done this. And you're right. Wow, they're right, but they're both right. So the question is, a lot of it is opinions. Forget about, let's put all money aside. Let's put all work aside. Let's put whatever it takes aside. There are so many ways to do things, but what we don't think about is the resolve of how determined a threat actor is. And some of these threat actors are nation states, which means that's a government. And that government has such a large amount of money, almost bottomless pockets to do what they want. For example, Natanz, I believe that's the name of the nuclear facility that was compromised. And they had an air-gapped network. How many millions of dollars went into that mission to compromise that site? If somebody wants something and they have that resolve, they're gonna get it.
Yeah, and from the defender's perspective, you know, you say like, oh, they should have done this, they should have fixed it. Yeah, that's right. But you know what? There's kind of a saying that says that the bad guys only have to be right once to find one problem. But the good guys, the defenders, have to be right all the time. Because remember, the other thing, like I said, you know, you say, oh, it's so obvious looking back that that should have been fixed. Okay, that's right, and they missed it. But what about all the things? And then, why didn't they catch it? Well, maybe they were fixing a lot of other things, and maybe other things they thought were a higher priority. And like Adam said, some of these things boil down to opinion and risk decisions, because we know we can't do everything, so we try to do the most important stuff. And of course, the other piece to it is that this involves people who are doing all these things, and that they're bringing, that this is the A team bringing their A game. To be fair, um, places do make mistakes, and places, and not everyone is at that level of competence, and you got to deal with that too. These people are expensive. These systems are expensive, and that's the deal for now.
I mean, look at a day in the life of a medium to large size enterprise. Every computer has vulnerabilities. So you have attorneys, you have accountants, whatever the firm is, and they're dealing with their customers, and they get a pop-up. Your system has to update in order to get the latest security patches so you're not vulnerable. So you've got to find a time to do it, and you can't let it happen indefinitely. So you give the end user 12 hours to do it, let's say, and they're working 12 hours. So now they got a reboot in the middle of whatever they're writing. They're writing, they're doing somebody's taxes, or they're doing some rebuttal for court the next day, and they reboot. You've taken away 30 to 40 minutes of work, plus whatever they're writing they have to save, and they lose that train of thought. So that's just even a computer. And then think about the firewall changes, and then think about the proxy, and that the person has to get out to a certain site in order to recover certain documents in order to do their work. So now you have to have a security person open that portal, because normally that portal will be bad. You don't want exfiltration. You don't want data to be removed from your network. So you have to make sure that wherever you're letting out, you give them a certain amount of time. And then it's not automated. You've got to shut it down, that access. There's millions of moving parts in any medium to large size company. Whether it's vulnerabilities, whether it's URLs to a website, whether it's documents, whether it's PDFs. PDFs can be loaded, sent to somebody, they're like, oh, how did they know I needed that document? Because they were watching on the internet, this is the attorney working on this case. They get that email, they open it up, boom, trap door or back door.
And that back door can go through a port that's normally used, like HTTPS, so you can't, there's no way to cover every single base, even if you have an unlimited amount of money. It's really daunting when you think about it.
Okay, Adam, you're depressing me. We're heading for last call. Even though it's coffee, we're doing this in the morning. A little Sambuca. I'm ready to start drinking after this, but end on a positive note. What's your positive thought?
My positive note is that, like anything else, if you look at today's events, what's going on in the world, you just got to make yourself happy. Concentrate on the good things. Don't worry about every single thing, but just be aware. It's almost like situational awareness, whether you're walking down a block, whether you're surfing on the internet, whether you're, whatever you're doing, just be more aware. Life is great. You know, we're living in a world where we can enjoy ourselves as well.
I think you're right. You know, when it comes to security, you know, computer security and all these other things, the fact is it is what it is, not what we want it to be. And we got to learn to deal with it without driving ourselves crazy. And, you know, we'll have to talk in the future about how it's like, OK, that's nice. But, you know, how do we protect ourselves if we get hurt? Well, there are, even in these scenarios, ways to protect yourself. We'll get into that in a future episode. But for now, we are pretty much out of time.
So I just want to add one more thing. If you can get us a certain amount of followers, reach out to us, I will literally make you a caveman security cocktail hour shirt.
All right. Okay. Adam has put the challenge out there. So yes, please share the show. It really helps us. And have a safe day. Support the mission. Try to enjoy your day. That's right. Support the mission. All right. Take it easy, Adam. Take it easy. Bye, everyone.
