S2E11: Why do breaches happen?

Okay, good morning, good afternoon, good evening everyone. And depending on wherever you are, take whichever wishes you need. So welcome to SecurityLah with me finally.- Welcome, welcome.- Sky, yes, yes.- I am so sorry doc, for you to have to stand alone for the last couple of weeks.- Yeah, so I was scratching my head trying to make it as interesting as I can, because I really miss you guys. All right.- Yeah, we miss you too, we miss you too.- Okay, so Sky, I mean, you and I are both in the security industry. And the thing is this, I think we are somewhat privileged or in another way cursed that we always hear about breaches everywhere. It's like every other week I have a call or someone tells me and say,"Hey, did you know company X had blah?" And then company Y this, and I'm like, okay, so what do I look like? Someone who's interested in bad news. I mean, bad news for some people, but people who are doing consulting like me, it'll be like good news. So I'd be like, okay, so what can I do for you?(indistinct)(upbeat music)(upbeat music)- Ladies and gentlemen, welcome to SecurityLah podcast, season two.(upbeat music)- I have a different thing because whenever something happens I know I'll receive texts from some bankers, CIOs and CISOs. Hey, do you know if this really happened? Can you confirm? It's like I'm the central agency of breaches in Malaysia. I don't know where they get that impression, but I'm thankful that we can provide whatever information that we have at the moment. So getting this podcast is a very interesting thing for us actually.- Yeah, yeah, it is. And it actually helps us to give like a first stab at a warning to people to say that, hey, we are seeing these things happening. And we want you to know so that you probably could do something better to secure your environment. So I think the topic today is why do breaches happen? So Sky based on your experience, what have you seen out in the open where you could probably say your top five list, five items of things that you think cause breaches?- I think one thing is for sure, when they think that they are too secure, when they think they are secure, it is when they think they are strong, that's the time when they are weak because some of these organizations will become really overconfident. Often we hear people say, I've got nothing for them to steal. That's a confident level of someone who thinks that, I won't be chosen.- I've heard that many times. It's like, I'm just a small business or not even a fancy defense industry or any of that stuff. Who would want anything from me?- I'm not a bank. I got nothing for them to steal. So what they probably don't realize is why people are going for the easy targets nowadays. So I think the breaches happen simply because either we are too overconfident or we underestimate those that are doing the data breach.- Okay, so your first point is that overconfidence because you think you're not a target and you think that nobody's gonna come after you, right? So that's your first point. What's your second one?- The second point will be, my defense is top class. That's another overconfident, right? My defense is top class. So I don't think, even if they try, they can't get in. You know, I have two layers of firewall. I got two layers of IPS. I've got WAF, I've got application firewall. I've got EDR, I've got next generation antivirus. How can they breach in? I mean, so-and-so told me and not, you know. So, you know, some people tells me, you know, that I won't be breached if I put these things in, you know, I will have 99% of protection. Of course, they will always tell you that they are, there's no 100% protection, you know, but these are the people that's not doc and sky. So these are another batch of another angle of overconfident of thinking that whatever they're put in is going to actually protect them. Now, from what I have seen, okay, maybe we will leave this for later, but one liner, no one is unbreakable, all right? If it is a targeted attack, let me assure you, you will be breached, okay? That's number two.- Okay, so let me recap what you said. So the other thing is that you have organizations that spends a lot of money, resource, buying top-notch brand X, brand Y, chap ayam or whatever, and putting all this infrastructure in place. And obviously everybody's going to say that, you know, I have the best infrastructure, I've spent X million ringgit, and we have all the systems, all nice fancy acronyms, everything set up, that's protecting our boundaries and our walls, like a castle, right? Like a medieval castle, and you have this huge thick boulders, and it's on the hills, covered by a moat with crocodiles. And I can go on and on, but I think you get the point that overconfident about the security posture. I think that's the crux of your statement. Okay, so what's your next one, the third one?- The third one will be along the lines of focusing so much on business and not understanding the risk is actually higher than it seems. Because the kind of risk that we are talking about is not just somebody coming in to steal data or to breach the network. You know, we learned about reputational risk, we learned about the physical loss of data, of course, and of course, the removing of resources and valuables. But the actual thing is, it is actually something that is, what's that word? Where you stack one to another. One first breach is probably, if we give a value to the first breach, let's say it is 10, the value of 10, and the second breach is not 20 anymore because the second breach could be 30 in terms of damage, 30 over 100. And then the third breach that comes is not 60 or even 70, it is probably close to 90 or even 100, because that actually brings you to a place where, you know, your breaches actually multiplies the risk and the fact of the domino effect. It is not just one single task. Everybody remembers if you have been breached before. Until today, I think we are what? How many years was Sony breached? Yesterday, I was talking to my children and they were just talking to me and I said, "No." They said, "The TV is Sony. It is a very strong." I said, "No, Sony has been breached many years before." All right, people who still remember. And when it is in this world of social media, where things are spreaded out so quickly, trust me, one single wrong move, one single error, one single breach, you will be publicized and you'll be famous for the wrong reasons.- Absolutely. So you're talking about risk. I think you started off the whole point by highlighting that risk is something that people don't seem to have a proper grasp on, you know? And you also mentioned about the cascading effect or the domino effect where, you know, it just takes one minor thing and it starts cascading to a bigger one. You mentioned Sony, which is really a good example. The one that comes to my head is Mossack Fonseca. Mossack Fonseca is a law firm out in the Panama. And as a result of the breach, the Panama Papers were released, which highlighted how the rich and famous were hiding their money, you know, tax evasion. Now, technically, tax evasion in some countries is not illegal, but it's just to say that, you know, you don't wanna pay tax to your country and you move your money around the global financial system. So, you know, Mossack Fonseca was just a lawyer's office. Not even, as I said, not even a defense industry or the bank or someone big that you could do something with. But even then, when they got breached, the impact was much more far, far reaching than what anyone could ever imagine. Now, suddenly the rich and famous were stripped naked and you can actually see, hey, you got a bank account in Panama.(laughing) Kinda scary, you know?- Sounds familiar.- And you're absolutely right. I mean, never underestimate what kind of data a small organization may have, you know?- Yeah.- I'm reminded at the time when I was working at Telco, and these were the days where, you know, colorful just came out. It was after Nokia 3310, you know, you had the colorful phones and then you had all these MMS messages, right? Videos and everything. And I think, Sky, you definitely remember this bit where, you know, there was an explosion of videos and personal videos were somehow leaked out.- Yeah.- You know, many rich and famous also got stuck into it. I was unfortunately or fortunately working in a Telco and my role required me to investigate these stuff. So, you know, and most of the time, one of the things that we found out was that those who got their data leaked, one of the things that they have done before was that they have gone to a shop, gave their phone and said,"Oh, my phone got this problem. My LCD cannot see or my keypad not working." And after they took it back, probably one or two months later, their videos get leaked or their MMS gets leaked. So, one of the things that we found out is that technicians, what they used to do was they'll back up your phone because they don't want to erase anything from your phone. So the first thing they do is they back up your phone and then they do their repairs and then they restore. So the owner of the phone says,"Ah, all my data is here. Very cool. You are awesome. I like you." And, you know, they will end up going to that particular repairman without realizing that he now has a copy of all their data. Phone numbers, SMS, MMS, you name it. Whatever that's in the phone, it's with them. And you know what these techs do when they have free time? They just go and browse."Oh, got this video. Very compromising. Very nice. Let me forward it to my friend." And that's how it got exploded. But unfortunately, me working in telco, everybody will blame the telco."Ah, you guys are the one who's sitting down and looking at my message out of the one billion message we get every day." And we are leaking that. So I'm like, "Well, as much as I love being able to do that, I really don't have the bandwidth or the time because I'm processing about a few million messages a day. So, you know, while yours may be juicy enough, but not interesting. Thank you very much." So, you know, that's what happened. Okay. So let's go to point number four. So what's point number four for you? My point number four will be a little bit on the personal side. It is like a grid. G-R-E-E-D. You see, because the hackers or the outside guys who are bad, they feed on those things that... the human emotions within us, the desires, the lust, you know, so that they will be able to trap you. And when you are greedy and wanting a quick money or quick benefit, that's where you fall deep into it. I always tell people during my training sessions, just have to remind yourself that nothing comes for free. Everything that you get, you need to work for with your two bare hands. You know, and if things come to you, you know, always ask again,"Is it really free?" You know, because they will always tell you that this is free. If you click this, if you click that, if you click this, you know. So, and the other emotion that probably will be number five will be the fear emotion. I don't know if these two can be combined together, but these are the what we call phishing techniques, right? While working on the, we call FUD, fear, uncertainty and doubt of the human mind. Right? Once they attack, they know who you are, they exactly know your behavior, they'll be able to push this kind of emails or advertisements into your machines. And the moment you get into clicking any one of them, and that's where you are hit. So education, maybe we can use the word education number four as the main heading, because educating the people around us is very important. If you do not know, you know, like the very famous Malay idiom,"Segan bertanya sesat jalan." You know, you don't know the way you must ask, you don't know the way of computer security, then you must ask. Otherwise you'll be lost and you'll be hit with all these attacks. Awesome. So if I were to recap what you said, you started off with greed, and then you said fear and you use the right terminology, fear, uncertainty, doubt, FUD, which is one of my favorite acronyms. You know, I'm reminded of this example. I mean, I also teach and I like to give this example. You buy a cleaver or a knife and you take it back to chopped vegetables and chopped chicken, for example. Right. If you're vegetarian, you chop vegetables. If you're non-vegetarian, you chop chicken. Chicken is acceptable to everyone. Right. And just say, while you're chopping chicken, you cut your finger. I've never seen anyone taking the knife back to the shop and complain to the owner. Oi, your knife cut my finger, you know. What kind of knife is this? Lousy knife. You know, no one has ever done that. What most people will do, oh, I cut my finger. Ayo, I should have been more careful. Let me go to the first aid box, take out the plaster, put my finger. That's how technology works as well. You don't sit down and blame the knife just because you cut yourself. You tell yourself you just got to be more careful. And unfortunately, that's now the case with technology, whether it's your laptop, your desktop or your mobile phone for you to do whatever you want to do. E-banking service or anything. And I'm reminded of the time when I was in the financial sector and, you know, people come up to us and say, oh yeah, I just lost X amount of ringgits or Sing dollars. And, you know, it's really heartbreaking because these are people with their life savings, you know. That was quite sad. Yeah. And the thing is this, and we asked them and we asked them because we want to help them to get their money back. I said, uncle, auntie, you know, in Asia, we call them uncle, auntie, if they're older than us or bro or sis, right. How did you transfer this money out? And the conversation usually goes, oh yeah, I got this person calling me saying that I got a speeding ticket in Kanga Perles and I have to pay a hundred ringgit immediately. You know, I may have other court case issues. And, you know, so I just wanted to make the payment. Okay, fine. You made the payment. Was it to an institution like Jabatan Makamah or whatever, you know. Oh, no, no, no. It was an individual's name. Why did you transfer it to an individual's name? Enjoying the show so far? Subscribe now so that you don't miss out on the latest episode. We are available on Spotify, Apple podcast, Google podcast, and many other platforms. Visit podcast.securitylah.asia to get the links to subscribe. Oh, the person told me to do that. Okay. So you willingly transferred the money to the person. Yeah. Did the bank stop you and ask you for a OTP? Yeah, yeah, yeah, yeah. The bank did. And then what happened? I put in the OTP code. Okay. So you know, you're transferring the money to someone else, right? You're giving money to someone else, right? Yes. You put in the OTP, even though the bank tells you, hey, wait, are you sure you don't do this? Yeah. And then now you sit down and cry. Okay. As much as I sympathize, you know, yes, the guy cheated you. Well, and granted. You know what you just did? What did I do? It's like you, someone random come up to you and say, give me 50 ringgit. You just open your wallet, give 50 ringgit. And then you realize you don't have any money. And you know, like what you rightfully said, these things, education is necessary. In fact, some industries like financial sector, I can talk about financial sector because I was normally there, right? And anyone asked the uncle, you know, right. You got ATM card? Yeah, yeah, yeah. I got ATM card. When you put in the ATM card, you know, there's a screen that first before you go. Yeah, yeah. That nagging screen. Did you ever read it? I know. I just keep money. You know, I just want to take out money. Okay. So we try to tell you, but you skipped it. Do you know what it is? Yeah, it's always about some scam, but you know what? I will never get scammed. Uncle, unfortunately, you still got it. So that's a bit difficult. You know, because you have people who are technology centric, they learn a bit faster. And you also have people who have challenges adopting technology because this is a new way of doing things. I can give you a very good example. My mother, my mother, God bless her soul, walks 2.5 kilometers to the post office just to make sure she sees the printout on the bill to say the bill is paid. And she was really heartbroken when there was no more bills because a lot of the organizations stopped sending bills. So she said, how am I going to pay my bill? So then no choice. My family member had to take up the role and say, no, no, no, it's okay. You don't need to walk 2.5 kilometers anymore. I'll just pay online. Then how do I know got proof bill paid or not? You just have to trust. So you see, generational gaps also contribute into this issue of understanding how technology works. Okay. So your fifth point. So my fifth point is basically the scammers, those people that you mentioned, you know, was trying to trick people and all that. They have actually created a network where they can actually work together closely. I believe some of them helps one another. They have a place where they put up things that they find and they can trade. But surprisingly, even after many, many years of developing high defense mechanism, high defense technologies, we who are so-called defenders or the blue team, right? Those attackers, we call them red team sometimes, you know, we are not working together. We are not sharing information. We're not saying to our neighbor that we just got robbed because this guy did this to our gate and they entered through this blah, blah, blah, blah, blah, blah. And we're not telling our neighbors. So the next night your neighbors got hit the same way. And then the following night, another neighbor got hit the same way until the entire row of houses are hit. And that's exactly what's happening in the cyber world today. Many of us, when we are hit, we are so afraid to let people know that we are hit, that we hide behind a frame. I don't know the reason. I'm sure they are all valid. Okay. But because we are not sharing information, we will not be able to fight this enemy who is unknown, who is united and they are all out to get us. So we must start working together, at least share those incident details of how the attack went on. You may not even want to talk about who you are or what industry you're from. It doesn't matter. All right. That at least you can say, Hey, this is how they attack. Blah, blah, blah. There must be a platform that we can create. I hope you guys will have a, I mean, I hope that if we set up something like a WhatsApp group or something, or a broadcast for you guys, those people who are listening, I don't know if you will respond and let us be the platform for you to share those information. So that we can blast it to the people around us. People we know that they will also be able to defend based on the knowledge of your attack. Okay. I got two words for you, Rodney. I got two words for you, Sky. Yeah. Pai Seh Lo. You see any organization in Asia and I noticed this in Asia. It's like, you know, you don't want to show that, hey, my defense is so weak. No, I don't think that's what they want to do. And, and, and I echo your suggestion. I think we should have a platform where we can share information. We don't have to share saying that, Oh, I got breached. I lost $10 million. No, instead you can share. Okay. There's an attack that we observed. Here are the IOCs. These are the IP address. These are the C2 controllers. This is the malware hash. Keep it objective on the kind of attack that you're seeing rather than, you know, just the key indicators. So you can say that, Oh, they use a MSRPC to jump in between machines. Information that is pertinent about the attack rather than, you know, this industry or this person or this company, you know, let's not go, I would say, let's not go personal, you know, don't go personal, keep it professional. And we can use terminologies like TLP traffic light protocol. So you can say that this is still under investigation. So we put it under TLP red. So do not broadcast, keep it confidential. Don't even share it in your TI platforms, just keeping confidential. Once it turns to say TLP white, then you can say, okay, fine. So now these indicators and all that we can share it everyone, you know, so that mechanism, I completely agree with Sky. It's something that we should have and it's an opt-in kind of a thing. So if you want to get information, but it also works both ways. If you're going to sit there quietly and just wait for everyone to give you information and you're not going to contribute, then, you know, then the value is not going to be there because I can assure you everybody just want to sit and get info and say that, you see, I got access to all this info. But would someone share with you if you don't share? That's something that, you know, we need people to start thinking about. Yes, everyone wants to get info. Recently, we had a very long time planning with the bank. I think about half an hour or one hour before the meeting, we received a note from the bank unable to join the meeting, unable to start the meeting today. It needs to be postponed because there is an all hands on deck incident. I don't know if you heard that phrase before, all hands on the incident, but nobody said anything after that. I am of the opinion that maybe it's nothing to do with data breach. Nobody said anything after that and nobody had any information on what happened to that particular bank. So, you know, maybe because we are the first ASEAN or Asia related security podcast, maybe we can also try and see if we can create a platform for these people between you and me. I think we know almost all the financial industry, CIOs and CISOs. We could actually, you know, help this guy to be the platform for them to throw their information in so that really to become those IOCs or IOAs that is needed. What do you think? Yeah, I completely echo your suggestion. The only thing is whether for them, they'll be like, you know, what's in it for me? What do I going to get and all that. And I guess with any platform, access to information is the same. They'll probably ask us and we are ISO 27,000 certified. I can certify people for that, but, you know. Can you hear me? Yeah, yeah. So, Sky, we do this. I certify you, you certify me. You're also a consultant. So we work both ways. Yeah, that kind of works. Okay. So you've covered, wow, you've practically took all the five points out of my mouth. So now let me think if there's anything else that causes breach. You've covered hygiene. I think lost equipment maybe. Lost equipment possible. Yeah, you have configurations. You're absolutely right. I bought a Cisco switch from a third party, second hand switch. I mean, I can't afford a brand new switch. So I bought a second hand switch and I realized that the configurations wasn't wiped. And when I looked through the config and I realized, holy crap. Password. Forget about the password. The password was the least of the problem. Configurations of a branch inside there. You know, connections to paynet, connections to this, connections to that. IP addresses. Was it clear text? Yeah. I mean, I didn't have to crack the supervisor password because the supervisor password was Cisco. Default. That was very strong password, right? Default enabled password. Everyone used to go to super user mode on Cisco switches. So I was like, I just try this. Ooh, it works. So then I was able to download the config and I said, it's okay, fine. I'll just wipe the switch clean and then start using it because I didn't want to have any residue data in it. So you're absolutely right. Second hand equipments. There has to be some cleansing process to make sure that you don't have any residue configurations, sensitive information, like maybe even IP addresses. Some have even VPN connection profiles. So you practically know to connect to that VPN concentrator, what's the password, what's the configuration. So these things are something that you definitely have to do. Have you ever received, I don't know how many locations, I mean, how many offices you have gone to work, but I have actually received a secondhand laptop when I joined one organization and when I fire up the browser, I could still access the Facebook account of the previous user. Ouch. You know, that's kind of bad. Well, so far I've not had that kind of incidents. Mostly because I think my clients are very cost conscious. So when I asked them, you know, between giving me a laptop that they have a corporate policy on versus me using my Mac, the answer is always you say, no, no, no, you use your Mac. No problem. No problem. So I'm like, you do know my Mac is going to have your sensitive information, right? Yours is a Mac. Theirs is probably a Windows machine. Which one is more secure? See, end of the day, you're trusting a non-secured machine with sensitive information. Of course. You have no control whether I'm going to keep it in the machine, I'm going to keep it in the thumb drive, I'm going to put it in three different cloud service providers. You have no idea. But of course, there's professional courtesy, there's non-disclosure agreements. They trust you mah. Of course. Then they also have to pay me, you know. So rather than to give you another laptop and then increase the cost, so you use your own. Yeah, exactly. And then some organizations think that's an acceptable security risk and good for them, right? So if you think you're fine. You are an ISMS certified auditor. You should know how to......passes through hands. That took a longer time than I thought. I think you covered all the bases, to be honest. I think it was perfect. You took words out of my mouth and I was just... You caught me off guard. I never thought you'd be asking me for five. I thought you're going to ask me for two. No, it's okay. I think it shows that you have that experience and you're able to articulate what I believe your customers have always been lacking on because you've seen this in the industry day in, day out. It does. So it's easy for you to take that, articulate it and say. And just don't limit it to this five or six points that we discussed. There can be a lot of things. And I always give this example. You live in a very nice house, single story, double story, three stories, ten stories, whatever. And your walls are concrete, cement and all that thing. But even if it's a brand new house, say you build a brand new house, everything's perfect. Somehow or rather, maybe living after six months, you'll notice two things. And this happens in Malaysia. The first one is you will notice a cicak or lizard. Somehow they get in. You don't know how, you don't know where they came in. And I'm using myself as an example because I've seen that in the place that I stayed. And the second one is Semut or ant. They're always around. Somehow or rather, they just get in. Right. And the challenge is always, you know, so we do silly things. Like, for example, we put a little bit of sugar just to see where the ants come from. And then we trace it back to the ant colony. And then you put a bait or whatever not right to get rid of them. And you realize that eventually they lose one colony, they create another one, they create another one. And this whole scenario of hacking is similar to that. They just need one tiny little hole, very tiny little hole. That's just enough for them. You are like homeowners, you know, you're a homeowner. You have to look at every single nook, cranny, corner for you to find out where that hole is. Yeah. And when you are comparing cybersecurity with homeowners, I suddenly remember my experience with two break-ins within three months. They came in exactly the same time because I went out exactly the same time. So in other words, I mean, on a Sunday night, my family and I, we always go for dinner. We leave the house with ***** and we'll come back *****. And both times they robbed us during that time. And come to think of it, we realized that there was always a motorbike park opposite us at certain time in the afternoons towards until the evening. And because I normally if after dinner, we'll go out and throw rubbish and all that. And you will see these guys sitting on the motorbike. So you see, sometimes we don't realize it, but many attackers or scammers are actually watching us in various in the things that we do. If we are not careful, our program, our daily agenda, daily movements and timings could have been fixed, could have been sort of written down by these people. And if your usage of the Internet is more like a routine, then I suggest you relook at that routine. Yeah, perfect, man. That's a damn good example. Reminds me of the movie Home Alone, where these guys will break into houses and turn on the tap. So all the houses that had their tap running, those are the bad guys. So I guess we've summarized why do breaches happen in a very simplistic manner. What I said earlier, these are not the only reasons why people do get breached. But this is our observation in the industry that we've seen for years and years based on the customers and the clients that we've interfaced. And this is what we see. And I'm guessing and also I believe Sky is also in the same opinion that if you could solve some of these key issues, you are better off than anyone else. So you wouldn't be that low hanging fruit that someone is just going to gain access and do whatever they want to do in your network. Don't make it any easier. Exactly. So with that, we bid adieu to you. Thank you and have a good day. Good day to you guys. Bye bye. Thanks for joining us this week on SecurityLah. Make sure to visit our website at securitylah.asia where you can subscribe to the show in iTunes, Spotify or via RSS so you'll never miss a show.[ Silence ]