Have You Been Pwned?
About this episode
OCTOBER 25, 2019
Many agencies have a reactive approach when it comes to handling cybersecurity, but it's important not to take a back seat. After a breach, you need to know how and why an attack happened, and that's where Brian comes in. In this episode of the GEEK FREAKS PODCAST, we put Brian Semrau, digital forensics investigator and information security specialist for SMBs, on the Insurance Hot Seat to share his knowledge on all things cybersecurity, from 2FA and anti-virus to cyber insurance and more.
Check whether one of your accounts has been compromised in a data breach at haveibeenpwned.com.
THIS WEEK ON THE HOT SEAT
RON HARRIS
VICE PRESIDENT
- 15 years in the industry.
- Enjoys spending time with his family, riding his Harley, and finding time to sleep.
- Fun fact: Ron broke both of his arms.
- He's a simple person, enjoys work, but also enjoys being alone reading a book or learning something new. Loves candy DOTs!
Brian Semrau
DIGITAL FORENSICS INVESTIGATOR &
INFORMATION SECURITY SPECIALIST
"I have over 10 years of experience in the Information Technology industry. I started out fixing computers and found a love for fixing computers with malware on them - the nastier the malware, the more I enjoyed finding (and destroying) every little piece of it to help people make their computer usable again (especially if it was a new strain that anti-malware solutions didn't have a definition for yet). This led me to pursue a career in digital forensics. Along the way, I became a security engineer for a company with users and offices around the globe, and I also opened my own consulting firm."
Transcript #12
The Insurance Hot Seat – Brian Semrau
Ron: (00:00) Welcome to the Geek Freaks Podcast. Before we get started, make sure to hit the subscribe button on Spotify and Apple Podcasts and any other podcast listening platforms you may be tuning in from. On today's episode of the Insurance Hot Seat, we have Brian Semrau, a full time Digital Forensics Investigator and part-time Information Security Specialist for small and medium size businesses.
Music: (00:21) [Intro Music]
Ron: (00:34) Hello Brian. How are you?
Brian: (00:37) I'm good, how about you?
Ron: (00:38) You know, I can't complain too much. The sun is shining and we're in October. Not a lot of leaves have dropped off the trees here in Michigan, so I'll take it right now.
Brian: (00:46) I hear you on that.
Ron: (00:48) So, being the industry expert with, um, digital forensics investigation, um, kind of tell me about what you do, how you do it, and, uh, then we'll jump into the meat of it.
Brian: (00:59) Sure. Well, you know, when you're talking about forensics of any kind, uh, you're basically looking at something that's already happened, right? Trying to find evidence of that. Um, when talking about digital forensics, you're talking about something that's happened electronically or on a digital device. So that comes into play a lot of times these days with breaches, when we're talking about digital forensics and incident response. So, um, yeah, if you get breached or something, especially, you know, if you're in insurance, if you're in the health industry, um, [inaudible], anything like that, it's not enough just to say, hey, I've been breached. You have to know what was exposed. Um, and a lot of times that can actually help you, because the potential of what could have been exposed, prior to investigating and seeing exactly what happened, is a lot of times much greater than what actually did get exposed. So having someone come in and say, hey, here's how they got in, here's what they got, uh, it can be very helpful, not just from a peace of mind perspective, but also from limiting exposure and potential risk to your company as well.
Ron: (02:09) So I guess, in layman's terms, it's the detective, right? So if an actual home robbery happens, you are the detective that comes on the scene to kind of figure out why, how, what they got. Well, you know, maybe they stole the TV, but in your case it's data, right? So I think it's, uh, an overlooked, valuable asset. A lot of companies, you know, they realize, hey, I've got 30 years' worth of CRM data, but they don't realize how much that's worth to other people. And...
Brian: (02:37) Exactly. And the problem is you may know that somebody got in, but unlike a home robbery or a physical robbery, where it's pretty obvious what was taken, when you're talking about something digital, unless it's something like ransomware where the data is modified in some way, it's going to be hard to figure out what exactly happened without having somebody like me come in and help you out with that.
Ron: (02:58) Yeah. And I think that's a really good thing to understand, is that you don't know what's taken, right? Because the file can still exist there and they're just copying it, or they're just moving data from here to there, and there's really no track or trail or trace until it hits the internet. Or, you know, there's a social security number that's leaked that's coming from your leak, or whatever the case is. So, yeah, I mean, it's very important to do and I think people overlook it. And you, as a third party, get brought in on special cases, I assume? Or are there retainers, or how does that work?
Brian: (03:28) Yeah, it depends on... So we also do security, so we'll help, you know, if a company has had an incident in the past, we're more than happy to help them figure out what happened and all that. But then we can also help them secure their infrastructure from the beginning. And of course there's no such thing as a hundred percent security. So I'm not going to say that, you know, by using us, you would never get hacked. But at the same time, it severely limits the, um, the likelihood of that, and the exposure that would happen if you did get hacked. If you have the proper controls in place, ideally there's not going to be much movement. Once they get into something, they're pretty much just going to be stuck there.
Ron: (04:06) Well, and I think that's overlooked too, right? People can buy all the antivirus, all the firewalls, all of everything, right? And nothing is a hundred percent foolproof; there's always a lot of environmental things that can happen. The end user, or maybe the updates didn't happen or they didn't get applied, or the firmware didn't get applied, and now you're exposed. And I think, from our role, we're kind of the custodians of that, right? We have to do the right things. We have to ensure the right policies and procedures are put in place. But it's only going to work if the end users adhere to those rules. So that's where people like you come in, that say, okay, well, there was an accident. It's time to clean it up and figure out what happened.
Brian: (04:46) Yup. Well, that's where defensive [inaudible] come in too. I mean, you know, there's a huge fascination these days, it seems, with antivirus, but in reality antivirus should be your absolute last line of defense. I mean, basically, if one of our customers has an anti-virus detection, we treat that as if it's been a full breach and we do a full DFIR (Digital Forensics and Incident Response) investigation to figure out how it got to that point, because it should've been caught early, you know. And we'll then adjust defenses later to accommodate that, so that we know it doesn't happen in the future. You know, we stop it before it gets to that point.
Ron: (05:19) And that's another thing that people don't really tend to think about, is that payload: how's it getting in? Why did it get in? Did we type something in wrong? Did we hit the wrong domain? Uh, you know, why didn't the DNS filtering catch it? Why didn't the firewall catch it? Why didn't it stop at the edge? There's not a lot of thought put into that process, because when it hits the fan, it hits the fan, right? So everybody's in panic mode, catch-up mode, trying to clean up all the messes that are happening. And I think, you know, the very last piece of it is the actual "what happened," right? And that goes overlooked in a lot of this. So it's important that companies like you guys exist, because it helps us understand, helps providers understand what the hell is going on.
Brian: (05:59) Yup.
Ron: (06:00) So from your aspect, um, a lot of our customers and a lot of our listeners are small and medium businesses. Do you have anything that you see in the marketplace right now, or anything that's going on in the world, that we should be on the lookout for? Or maybe things, you know, phishing attempts or anything like that, you know, any little nuggets that we should kind of keep our eye out for, for them?
Brian: (06:18) Yeah, I mean, it's changing day to day. I mean, you know, what's valid now might be completely different in an hour. Um, but you know, one of the trends that we're kind of seeing right now is that, um, where the major attacks are happening isn't even on clients, so [inaudible] they're against managed service providers and I.T. companies, um, or even internal I.T. departments for larger enterprises. And the reason is because once you get into one of those guys, you've got access to all their clients. You know, because everybody's got their RMMs out there, the remote management software, they've got remote access, or ScreenConnect, or, yeah, whatever remote software they're using. And once you get into one of those, even if it's a basic technician account or help desk account, I mean, the possibilities are endless at that point. Um...
Ron: (07:09) The feds just released a bulletin about that too. I think that was released last week or the week before, about providers like us, uh, you know, not having the maturity, or security posture, I guess I would say, in what they're doing. You see a lot of it in the forums; like, uh, you know, we're pretty active in a lot of the MSP communities. And, uh, some of the larger ones got hit because they didn't have 2FA turned on their, um, uh, antivirus; actually, it was delivered through Webroot. But, um...
Brian: (07:38) Yup. Well, I had an amazing conversation the other day with somebody where I was just astounded. I mean, it was on a forum page for one of the remote management and monitoring tools, and this RMM had basically decided, we're going to enforce two factor turned on for all of our clients, which of course is a really good thing, and it's something they should have been doing before. Um, and I'm really happy to see it moving in that direction. But there was a guy there who was saying, hey, what's going on with this new access thing? You know, I can't get in. And so I come into help mode, trying to help him out, and I'm like, hey, did your two factor code get lost, or, you know, what's going on? And the more I talked to him, the more it became evident he had never even used two factor on anything in his life. He didn't know what it was. Um, you know, and maybe he's not one of the top level technicians, and that's fine. But just the fact that somebody that has access to an RMM doesn't know what two factor is... I mean, you really do have to make sure that your computer guy isn't just somebody, you know, Joe Blow off the street who kind of knows computers. You know, we have to make sure that they're actually doing it properly, and you get what you pay for.
Ron: (08:43) Well, and I think a lot of the MSPs or ISPs or whatever are scared right now, right, because now we're the threat point. We're the ones that have the keys to a lot of castles. We have to make sure they're protected. Like, we use a third party tool to track passwords that's not connected to our RMM, and we don't save passwords in our RMM. We have to do the right things to ensure that nothing happens down the road. And I think for a long time that wasn't a very big spot, or a very big thought, in our heads; like, we have to do the right things on our end. As we're telling our customers, hey, have good passwords, have complex passwords, change your passwords, use 2FA, and then, are we using 2FA? Are we changing our passwords? There's a lot of things, you know, in the last 18 months, 19 months, two years, that we had to really look inward on as we started to roll out our policies. Like, okay, well, we're saying this, but we've got to eat our own dog food. Right. And I don't think a lot of providers want to do that, because it's the same thing that you see with customers: stricter security, the right security, is not convenient for anyone, but that's the point of it.
Brian: (09:47) No. Yeah. You need to find that balance, because at some point, if you make it too hard, users are going to start to try to circumvent it, and when that happens you have to figure out, okay, how do we make this so it's not blocking users, but at the same time is still secure. Um, you know, and for instance, you know, forced password changes, that's one of the big ones. Um, [inaudible] actually recommends against it now, um, you know, but for years, he always told people, you know, change your password regularly, or in many cases you'll be forced into it. Um, and you know, nowadays we're seeing that two factor is the more effective way, rather than constantly changing passwords. And of course two factor isn't the silver bullet, you know; it's not something that's going to stop anything and everything. There are still ways to bypass two factor. Um, for instance, if you're using a cell phone, you know, text-based two factor, um, [inaudible] it's called SIM clone, which is they trick your phone company and it's basically transferring your phone service to their own phone. Um, that's one of the more extreme ones. The other thing is session hijacking, um, because when you're using your computer and you're logged into a site, it gives you a session token, which is valid, you know, for however long the site sets. If you've hit "remember me," it could be for days, for weeks, for months, and once somebody gets that token, they can get in without your two factor code, because as far as the site is aware, they are you. Um, you know, and that's an area where we've been looking at a lot of the RMMs. Um, you know, Ninja had an issue not too long ago, where there was a major announced breach of an MSP where they got in through the session token. So they were able to completely bypass two factor.
Um, there was another RMM recently, and I can't say who yet because they're still fixing the issue, but, um, we found a session issue on their system and filed a responsible disclosure, and we're like, hey, there's this issue where, you know, you're not handling sessions properly, so it makes it easier if somebody were to ever get this token, and it exacerbates the issue even further. Um, so, you know, it could be a vulnerability on the RMM side, it could be an issue where, you know, your computer was exposed to malware or something like that, and instead of going after passwords, they went after session tokens.
Ron: (12:02) And that's crazy, because, I mean, as you're talking about Ninja, you're talking about, you know, a fairly small RMM in comparison to some of the larger ones. But then you see, like, Microsoft making a lot of changes to their security posture and what they want us to do and how we need to do things. And, you know, we have to use the Microsoft Authenticator, because I have an admin account for our partners, and that's a powerful password to have. So now I have to use their authenticator, and, you know, that's fine. It's great, it's good. But, like, it's weird to me to think that six months ago that wasn't a thing. And now everybody's seeing kind of behind the curtain on how we work and what we control and how we have to manage all this stuff, where it's now like, okay, now the bigs are forcing us to do things that should have been done a long time ago. But now they have the capability of doing it; before, it was a pain in the butt to turn on two factor for three accounts. But they found a magical way to do it and it was great.
Brian: (12:55) Yeah.
Ron: (12:58) If you had to have a crystal ball, do you see this getting any better? Do you see it getting worse? Uh, what's your, you know, crystal ball prediction?
Brian: (13:09) I think it's going to get a lot worse, but eventually it will get better. Um, one of the big things is it's now in the public eye, you know. Whereas 10 years ago, you know, you start talking about hackers and crackers, you're picturing these nerdy guys, you know, with the hoodie on, and, you know, holding something up to a payphone [inaudible] to phreak it, you know, or the dial tone that gets you into somebody's [inaudible] or something like that. But these days it's, uh, it's a lot more out there. Privacy, security, or both, are, um, at the forefront of people's minds these days, I think. Uh, so especially when we're talking about legislation that's coming out, you know, we saw in Europe, GDPR is a huge step forward in privacy. I don't think it's by any means, uh, you know, the best thing that could've happened, but, you know, it's better than what was there before. Um, you know, because with privacy a lot of times comes security controls. They're not necessarily synonymous, but, um, a lot of times they go hand in hand. So, I think these days, um, you know, the legislation in the U.S. is going to be coming a lot more, where they're going to start coming up with things where, you know, we have more statutory issues, where if somebody does cause a breach, well, they're more liable for it, and it's not just going to be something they can pass off to their insurance to deal with. You know, if they have cyber insurance, that's great, but it needs to be something a little bit more than just, oh, my insurance will cover it. You know, just the flat on the rest type of thing.
Ron: (14:35) The scariest thing to me too is negligence. Like, it can void your cybersecurity policy, and negligence in anything is, like, I didn't change my passwords, I didn't do, you know, I guess the right thing, for lack of a better term, on the front end. And then they can say, yeah, you had a breach and your $1.4 million policy doesn't pay out because you didn't do the right thing.
Brian: (14:55) Yeah.
Ron: (14:55) And I think a lot of businesses overlook that.
Brian: (14:57) Yeah. Especially with doctors' offices. I mean, you know, look at a lot of these, especially independent doctors, you know, they're like, well, I don't want to deal with HIPAA. You know, I think that in their minds it's not if I get a lawsuit, it's when I'm going to get a lawsuit. It's [inaudible] practice. So then they transition, they have a [inaudible] they apply that to this cyber area as well. And so they think, oh, well, you know, if I get hit, the fine, my insurance will cover it, and worst case scenario I'll just go bankrupt or something like that, you know, and I'll know, just off my practice. But in reality, that's not how that works. You know, those issues are going to follow you no matter where you go. And it's getting to the point where I think insurance is getting smart, and they're not covering a lot of these things when there is this gross negligence going on.
Ron: (15:41) And I think that, uh, even so, we work with a lot of insurance companies, ranging in size from, like, three to, you know, 80 people, our largest, and on any level, whether they have three employees or they have 80 employees, we have to help them build this posture, and they have to be ready for the changes that are coming. I mean, we've been working our tails off to try to figure out a way to roll all this out in some form or fashion. But, uh, before I get you off, do you have any tips, tricks, anything we can get out here to the listeners about keeping their tail safe in this environment?
Brian: (16:12) Well, you know, one of the big things is, uh, take a look at 'Have I Been Pwned'. Um, that's haveibeenpwned.com, Pwned spelled P-W-N-E-D. Um, that's a site run by Troy Hunt. Uh, it's a fantastic site to be able to see, um, if your password or your email or anything has been found in known breaches. Um, and there's lots of technical stuff that goes into making sure that that site isn't going to cause a breach in itself when you check your password there. I could go into all the technical details, but I think suffice it to say it's been really thought out, and that is one of the few places where I would actually say, go check your password, go check your email, and see what information is out there about you.
Ron: (16:54) Oh, that's... go ahead, sorry. And that's been... we just got, not last year, but the year before, a lot of emails with people's old passwords in them, because they were on that website.
Brian: (17:04) Yup.
Ron: (17:05) So, not because... but because we use that website to check against it, to say, well, yeah, you were in the Adobe hack in 2008 or whatever it was. Your password got leaked and you use the same password. So that's why it looks so familiar to you.
Brian: (17:17) Yup. Well, and the crazy part is, you know, you look at, um, some of these breaches, I mean, they're years old. I mean, the LinkedIn breach I think was 2011, and it's still one of the most popular, um, password lists out there that they'll track, and people are still using their LinkedIn password from 2011 without two factor.
Ron: (17:35) Yeah, it's crazy. It's crazy. Uh, well, Brian, before I get you off the phone here, how can the listeners get a hold of you? Where can they find you? Is it LinkedIn? Is it a website, Twitter, or anything like that?
Brian: (17:55) Um, yep. Best place to go would be infosecchicago.com, I-N-F-O-S-E-C chicago.com.
Ron: (17:55) Perfect. As always, Brian, I appreciate it. Thanks for joining us today. I know it was very insightful for me. I love hearing... I know it's a hot topic today, so, um, yeah, thanks for listening, everybody, and we'll, uh, we'll talk to you soon. Have a good day.
Brian: (18:13) Thanks.
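At 16:12 Brian says Have I Been Pwned is one of the few places he would tell people to check a password, because "there's lots of technical stuff that goes into making sure that that site isn't going to cause a breach in itself." The example below is added here to show what that technical stuff is; it is not code from the podcast, from Troy Hunt's project, or from Brian's firm. The Pwned Passwords range API works on a k-anonymity model: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, receives every hash suffix in that bucket as `SUFFIX:COUNT` lines, and does the match locally, so the full password hash never leaves the machine. The endpoint and line format are the documented public API; the `Add-Padding` header is the documented option that pads the response with zero-count entries so the response size does not leak the bucket. The sample response embedded in `SAMPLE_RESPONSES` is constructed for this demo (one real suffix, that of the password "password", plus two made-up entries), and the live fetcher is included only for reference and needs network access.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Documented Pwned Passwords range endpoint. Only the first five hex characters
# of the SHA-1 hash are ever sent, so the service never sees the full hash.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 hex string into the 5-char prefix that is sent to
    the service and the 35-char suffix that stays on the client."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Zero-count entries are padding (returned when the client sends
    Add-Padding: true) and are dropped. Malformed lines are ignored rather
    than trusted, since the response is untrusted input."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35 or not count.isdigit():
            continue
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus
    (0 if not found). fetch_range(prefix) must return the raw response body
    for that 5-char prefix; the suffix comparison happens locally."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup over HTTPS. Needs network access; not used by the offline demo."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample data for the bucket "5BAA6" (the prefix of SHA-1("password")).
# The first suffix is the real remainder of that hash; the other two lines are
# made up, and the last one is a zero-count padding entry that must be ignored.
SAMPLE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1E2371E1A7E2F0B8C4C6E4F09C55A3B1ED4:2",
        "0044B3A7B9B8E3E0A1C2D3E4F5A6B7C8D9E:0",
    ]),
}


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live that serves the constructed bucket."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fetch_range_sample)
        status = f"seen {n} times in breaches" if n else "not in sample range data"
        print(f"{pw!r}: {status}")
```

To run it against the real service, pass `fetch_range_live` instead of `fetch_range_sample` to `pwned_count`; the only thing that crosses the wire is the five-character prefix, which identifies a bucket of several hundred hashes rather than a single password.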