This Week in Enterprise Tech 531 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Louis Maresca (00:00:00):
On This Week in Enterprise Tech, we have Mr. Brian Chee, Mr. Curtis Franklin back on the show. Now you have sites and services that use analytic libraries. Well, they may be collecting more data than you think. We'll talk about it. The DDoS attacks are on the rise. Today we have Steve Winterfeld, he's advisory CISO of Akamai, where we're gonna discuss the current state of things and just how you can protect your organization. You definitely should miss it. TW on the set
Announcer (00:00:28):
Podcasts you love from people you trust. This is TWiT
Louis Maresca (00:00:43):
This Week in Enterprise Tech. Episode 5 31. Recorded February 17th, 2023. How Akamai are you about DDoS? This episode of This Week in Enterprise Tech i brought to you by Cisco, orchestrated by the experts at C T W. When you need to get more out of your technology, Cisco makes hybrid work possible. CDW makes it powerful. Learn more at cdw.com/cisco. And by thanks Canary, detect attackers on your network while avoiding irritating false alarms. Get the alerts that matter 10% off and a 60 day money back guarantee. Go to Canary. DO tools slash twit enter the code twit in the hat they hear about us. Box. And by aci, learning tech is one industry where opportunities outpace growth, especially in cybersecurity. One third of information security jobs require a cyber security certification. Maintain your competitive edge across audit IT and cyber security readiness. Visit go ACI learning.com/TWiT Welcome to Wyatt This Week in Enterprise Tech to show that is dedicated to you, the enterprise professional, the IT pro, and that geek who just wants to know how this world's connected. I'm Lewis Maki, your host, your guide through this big world of the enterprise, but I can't guide you by myself. I need to bring in the professionals, the experts signing about your own senior analyst at amia. He is Mr. Curtis Franklin. Curtis, it's great to see you, my friend. How's your week been?
Curtis Franklin (00:02:19):
It has been a good week, Lou. It's been one filled with some research. I've got some projects starting up. Been watching my colleagues publish an awful lot. And it is amazing how full our dance cards are getting for the R S E conference. RSA is coming up and I'm just trying to keep my meeting count down to double digits per day if I can do that. I'm gonna call it a successful conference.
Louis Maresca (00:02:53):
And do you act like the, the airlines you double book just in case
Curtis Franklin (00:02:58):
<Laugh>? I wish. It is the sort of thing where the, the hard part is actually keeping plenty of time between meetings because it is astounding how often you'll get companies that say, oh, well we're not in the convention center, but we're in a hotel that's very close. Very close is one of those terms that varies in meaning depending on exactly who you're talking to. Right. So I'll definitely have my hiking boots on when I'm at rsa.
Louis Maresca (00:03:34):
Indeed. Well, it's great to have you here Curtis. Thanks for being here. Well, we also have to welcome back our very own neck architect at Sky Fiber and he's our favorite network guy. He is Mr. Brian Chee , how's everything going on your side? How's the the fairgrounds for treating you?
Brian Chee (00:03:49):
We're having a lot of fun. We're running a whole bunch of cable trying to get ready. The fair, the load out for the fair actually starts this next weekend. And so lots and lots of rides, all kinds of things. It's, it's a, like any big state fair for a large city. But this won't gonna be one of the first times I'm doing it from the IT side trying to get a bunch of security cameras up and make sure we can kind of keep an eye on what's going on with the folks enjoying the Central Florida Fair.
Louis Maresca (00:04:26):
Well thanks cheaper for being here. We appreciate it. Well, we should get started cuz we have a lot to talk about here. If you have sites and services, do you have analytic libraries? Use them Well, they might be collecting more data than you think. We'll talk about some scenarios where that's not so good. Ddoss attacks are on the rise. Say we have Steve Winterfeld, he's Advisory CS ciso, advisory, ciso, aai, and we're gonna talk about and just discuss the current state of things and just how you can protect yourself. So stick around lots more to discuss, but before we do, let's go ahead and jump to this week's news. Blips, we can't have an enterprise week with a leak. According to this Aris Technica article, health information for a 1 million patients was stolen using a critical go anywhere vulnerability. First, let's talk about what Go Anywhere actually is it's a managed file transfer service.
(00:05:14):
It's supposed to actually help organizations securely exchange data between their systems and trading partners and customers. Now, when they're very definition of their service, it claims to be secure. Well, one of the biggest hospital chains in the US said hackers obtain health information from 1 million patients after exploiting a vulnerability and go anywhere. Community Health SA Health Systems of Franklin, Tennessee said in a filing with the Securities and Exchange Commission this week that they were attacked and the hackers targeted go anywhere. Surprisingly, two weeks ago, journalist Brian Kreb said on social media that cybersecurity firm Florida had issued a private advisory to customers warning that the company had recently learned of a zero day remote code execution ex exploit in and actually targeted go anywhere. Now, the vulnerability has since gained the designation c v E 20 23 0 6 69 and for to patch the vulnerability on February 7th. But the attack vector of this exploit requires access to the administrator console of the application, which in most cases is only accessible from within a private company network through V P N or by an allowed list IP address.
(00:06:22):
In the case of ch h s, the malware used in the attack was an updated version of a family known as Tru Bot, which is used by a threat group known as Silence. Now, silence in turn has ties to a group tract as TA 5 0 5 and T 5 0 5 has ties to a ransomware group called Clock. Now, the type of attack that can get access is formally called a pre authentication derealization issue with a very high rating for an exploit and attacker value. Now, to exploit the vulnerability attackers need to either network level access to go anywhere as Ms. Mfts administration portal, or the ability to target an internal user's browser. And first, what they do and what, like, what we always say on this organ, on this show is the most effective way to help prevent something like this, especially this type of attack is patching, right? Because they have a patch. They, it's up, it's available to update, definitely go pack your services and update right away when it is your organization and you're dealing with health data that should be your prize zero going forward, always patch things. Now another thing you can do is ensure that network level access to the administrator port is restricted to the least number of users possible. And remove user browsers access to the vulnerable endpoint in the web XML file. In fact, maybe even Wall Garden. The entire system going forward.
Curtis Franklin (00:07:45):
Well, just in case you still don't believe that malware is the constant battle of wits and technology between attackers and defenders. I give you this. One week after CISA released a recovery script for ransomware targeting VMware ES X I virtual machines. A modified version of the malware is already in circulation that renders the decryptor script useless according to csa. And the F B I, around 3,800 servers across the globe have already fallen victim to the ransomware, which is known as E X S I. Args researchers at Malware Bites say that previous versions of the malware would skip large blocks of storage in its encryption run, encrypting smaller files and encrypting enough of the larger files to make it effective. The new variant only skips small blocks of storage in these big files. Typically one meg on one meg off pattern files smaller than 128 megs.
(00:08:48):
Well, they're still fully encrypted. Well, with all this, how can you tell if you're hit, whether you've been hit with the older version of E X S I RS that does have a decryptor script or the newer version that leaves you really vulnerable? Or if the ransomware note directs you to contact the threat actor via the tox encrypted messenger you've been hit by the latest and well not exactly greatest version. If the ransom note from directs you to a Bitcoin address, well that means that you're lucky enough to have the old ES x I ARGs variant encrypting your files and still could be hope,
Brian Chee (00:09:39):
Right? So this was one of those great stories about how, you know, journalism got involved and helped out someone. Well, Matthew Hillier can't get Comcast service at his home in Arvada, Colorado, but that didn't stop Comcast from claiming it serves its house when it submitted data to the federal communications commission's new broadband map. Well, Comcast eventually admitted to the fcc, did it didn't serve the address, but only after ours, Technica got involved. And thank you ours Technica for this great story. Comcast will have to correct its submission for Hillary's house, and a bigger correction might be needed because it appears Comcast doesn't serve dozens of other nearby homes that had claimed as part of its coverage area. Well, okay, so I've actually helped other friends on this particular issue and have gotten varied excuses like, oh, the G P S accuracy varies, and that caused your friend to be listed when it actually, when in actuality you can't offer a service at their location.
(00:10:46):
Hmm, another interesting thing I learned as my partner and I were firing up a wireless internet service provider in Honolulu, was that the big players won't even consider running fiber to a building or neighborhood unless a minimum of 40 potential customers exist in that location. So we did what makes sense. We target our market at those underserved two and three story walkups in the greater Honolulu area. Well, this, however, doesn't excuse Comcast from patting their coverage numbers. Rumor has it that the folks that created those coverage maps sometimes rock and roll and add entire neighborhoods because they're right next to the neighborhood that is covered. So instead of actually confirming those addresses, perhaps someone took a liberty. So no one's been willing to step up and confirm any of these rumors at I stress. These are rumors I don't have any proof. So that's all they are rumors. However, as more and more of these types of cases arise, one must wonder who's taking those shortcuts.
Louis Maresca (00:12:00):
We have another breach to share this week. Now, according to this Tech Crunch article, Atlassian and Envoy are at each other's throat trying to point the finger blame on their most recent breach. Oh, hack group known as Siege Sac leaked data on Telegram this week that it claimed had stolen from Atlassian. Now, this data includes the names, email addresses, work departments, and phone numbers of approximately 13,200 Atlassian employees along with floor plans of Atlassian headquarters. Now, Atlassian was quick to point the finger of the blame for the breach at Envoy, which the Sydney headquartered company uses to actually organize its office spaces. Now, in a statement from Atlassian, they quote, learned that data from Envoy, a third party app that Atlassian uses to coordinate in-office resources was compromised and published. However, no Atlassian customer data was exposed. Now here's the interesting part. Envoy fired PAC with claims that there's no security compromises on their system at all.
(00:12:54):
And that force Atlassian to actually change their tune a bit, seeing that the data was retrieved from Envoy using an Atlassian's employee's credentials that were published in a public repository, whoops. They found evidence in the logs of the requests that confirms that hackers obtained valid user credentials from an Atlassian employee account and used the access download. The effective data from Envoy's app. Envoy is no stranger to security issues. In 2019, researchers found ways to actually expose customer data. Now it goes to show you that if you entrust into third party systems and those services really require you to do a thorough audit and just how they secure and treat your data going forward and you know how they integrate into your business, take the time. You won't spend an extra time. Well, folks, that does it for the blips. Next up we have the bites.
(00:13:42):
But before we get to the bites, we do have to thank a really great sponsor of This Week in Enterprise Tech, and that's Cisco orchestrated by the experts at C D W, the helpful people at C D W understand that hybrid work continues to evolve and that your organization must evolve with it to succeed. Now, with so many options to collaborate remotely, you need a strong and consistent network to empower your workforce and keep them together. Consider a Cisco hybrid work solution designed and managed by the C D W experts now to deliver the same quality, the network experience to all your offices, even your satellite ones, connecting your team from pretty much anywhere. Because Cisco networking keeps things flowing smoothly and securely with embedded security compliance and multi-factor authentication that protects collaboration among your spread out team. Now with real-time visibility into distributed application security, user and service performance, you get a better line of sight into how your network is operating and how better to grow your organization.
(00:14:43):
And Cisco networking levels, the playing field, providing access to flexible high-end collaborative experiences that create an inclusive work environment. When you need to get more out of your technology, Cisco makes hybrid work possible. CDW makes it powerful. Learn more at cdw.com/cisco. Well, folks, it's time for the bites. Now, HIPAA is that privacy act that attempts to keep corporations in line when it comes to your patient health and personal information. You, you kinda wanna trust it, right? Well, this dark reading article takes us to the dark set of things and how parent company Facebook meta might be encouraging corporations to actually violate. That's right. In this example, a hospital was actually sued for using META'S ad tracking code violating hipaa. Now, as a brief reminder, HIPAA really requires that a patient health information be secure and confidential and it can be only used or disclosed for certain purposes.
(00:15:41):
Now, this includes any information that may be used for identifying the individual such as their name, address, or even their birthdate. Now, according to this lawsuit, two hospitals were hauled to court and that they were using megapixel ad tracking code, which shared sensitive medical information and data with Facebook. Now, the key here is sensitive medical info, which actually violates HIPAA in this case. And you may be wondering what kind of information did they share, right? Or according to the suit the data they collected for. And these two hospitals were sharing medical conditions, prescriptions, doctor's names, prior appointment history, so the patients could be targeted for advertising according to the lawsuit firm. And behind the action here. Now, what people would use when, when people actually use health system websites to schedule an appointment, the code allegedly captured sensitive personal information such as medical conditions, those prescriptions and those doctor's names.
(00:16:34):
Now the firm says in one case, for example, a woman got targeted ads about heart disease and joint pain just after entering her info into one of the hospital's websites. Now, before I read this article, I thought, hmm, maybe they just released p i i that they were maybe sharing or something like that. But how could they think that they would get away with sharing? Medical history is really beyond me here now. I can't get even some of my doctors to disclose what they're calling me about without providing proof of identification. So another interesting thing that goes along here, this past December, the US Department of Health and Human SER services actually issued guidance on using online tracking tools and healthcare customer relationship management systems. Now, the, that they actually addressed online tracking technologies like Google Analytics or ME Meta pixel, which which actually collect and analyze information on how internet users are interacting with those regulatory websites.
(00:17:28):
Now, what comes to HE health systems using any type of tracking system outside the bounds of itself is a no-no. And the only reason for it to be useful is for profit for that healthcare provider. So blocking it should be possible. Now, obviously this isn't the first time Med Med has been held accountable for collecting detailed information. This p meta actually was been fined 390 million euros just recently by European Union regulators in a major decision, a violation of EU general data protection regulation. So this is a very interesting case of, well, should the organizations even be using this type of analytics library. I'm gonna bring my co-host back in because you know, obviously HIPAA is one of those things. It's, it's, it's, it's pretty easy to understand. Don't share any information. Is this a case where these organizations were just using it because they needed to know about their traffic on their site and they just didn't really know what data was getting funneled somewhere? Or is it just benign in nature, or what do you guys think?
Brian Chee (00:18:33):
Yeah, I'm, I'm gonna speculate. You know, when I saw a bunch of things happening at the university's website, I saw the developers throwing in the templates for the ad trackers and so forth because he wanted to maximize things. They threw it way up as part of the, the template for the entire website without thinking how far that reaches. So we, we actually went in and said excuse me, are we really supposed to be tracking all this stuff? And in our case, we caught it before the website went live. But in our test cases, some test SSNs made it into the system. It's like, no, no, no, that's bad. That's a big FERPA violation. So I can see this happening, especially when you've got a development team developing a system and they're understaffed and rushed. So I call this the rock and roll factor. You know, just throw it up as high as you can, make it as global as you can so that we can get in and get to the meat of the problem. And sometimes it goes too far. Agree.
Curtis Franklin (00:19:55):
Well, Lou, I I think that this is a great way to discuss the difference between privacy and security. You know, we often think that privacy violations only happen when there's some sort of breach of the system. You know, guys in dark hoodies are breaking in and stealing private information to sell on the black market. That didn't happen here. I am sure that the patient's information was transmitted very securely to people who should never have been seeing it. It was not a security violation, but it was a massive privacy violation. The the weird thing is, I know when I was, for example working on a grant proposal around a hospital at the University of Florida, I was never anywhere near patient information. But cause I was working with the hospital, I had to go through HIPAA training. I somewhere in my files still have a HIPAA certificate suitable for framing.
(00:21:13):
Everyone who works in and around health organizations should have training on what HIPAA means and what it means to their job. The fact that someone thought that advertising dollars over weighed the consideration of patient privacy means that there was a dramatic management breakdown at this organization. And, you know, it's not simple if you're not a healthcare provider, and that means hands-on healthcare provider or you, you're not an insurance company paying them. You don't need any personal health information unless that patient has given you explicit written permission to have it. And we know that not everyone who went to that website gave that explicit written permission. So this is just a horrible story, and I can only hope that it will be a true cautionary tale for other IT professionals working in healthcare.
Louis Maresca (00:22:31):
That's a great point. I I, I do wanna point out, I mean, a lot of organizations, and I think it goes back to something that sheer said is a lot of organizations should be taking catalog of the libraries that they're depending on, and those that are of course, bundled with their dependencies as they deploy their services. And so this type of thing should be reviewed on a regular basis. It should be reviewed by security people. It should be reviewed in compliance scenarios. And I think this is a perfect example of these two places not doing that. These are cases where when you're building an application obviously this application is built and it's deployed and there's some kind of you know, DevOps related to it. There should be tools in place to let you know when you're doing something that's not compliant.
(00:23:19):
And I think just like Curtis said, you know, there, these organizations need to pay attention more to these types of things going forward, you know cheaper. I wanna ask you a quick question. When you, in the case of the university, you know, obviously this is probably maybe a bunch of students building this thing, but in the case of a, of a, of a maybe health organization like this, this is probably a corporation that maybe they, you know, they, they paid to actually build is shouldn't that they be held accountable for this rather than, you know,
Brian Chee (00:23:51):
Well, you know, the, the DevOps professionals are supposed to know what their tools do and the scope of their tools,
Louis Maresca (00:23:57):
Right?
Brian Chee (00:23:58):
You know, sometimes, but, you know, I'll go back to the FERPA violation. We, we actually had another one where a professor ba he posted a spreadsheet basically up on a website with the students grades. Well, that would be fine, as long as you, you know, obscure the name, you know, full names and things like that. Both bozo put in social security numbers. It's like, no, you had the training, you know about ferpa. He goes and posts it and then heads off to Switzerland <laugh> for, to go back home. It's like, idiot. We actually had to take down the entire website. And it was really only exposed for about two hours. But sometimes you start getting into bozo <laugh> people that are trained that just didn't engage brain, it happens. Humans are fallible. Personally I think, you know, in this case, this hospital might want to consider a few additional checks and balances.
(00:25:14):
Maybe have someone outside of the DevOps team review things before it goes public. One of the things I always tried to do was pick up someone that literally wasn't technical to review things before we went from draft to public. Just because sometimes it's hard to see the forest from trees anyway. That's enough of a rant. Humans make mistakes, humans need to do better. And in the case of hipaa, someone's going to hold their feet to the fire in the future and they're gonna need to do a lot of retraining. I think
Louis Maresca (00:25:58):
In this particular case, I mean, this is a huge lawsuit, you know, this, these, these organizations are gonna be hit with a class action suit that's gonna probably enforce, enforce them as a force function to change all of their policies and their process. I guarantee that. Now let's just hope if we speculate a little bit, be a little bit about this, you know, let's just hope it's not some front end developer that was trying to get the best of those organizations trying to make some money off of the amount of traffic that was hitting those organizations. Cuz I can't imagine, I, Curtis I wanna throw this to you because I can't imagine an health organization needing some kind of ad tracking tool. Like, why do you need ads on a health site or a service?
Curtis Franklin (00:26:36):
Well, there are a couple of of reasons you would need them. One is for your own ads, for your own in-house ads, but obviously not. What's going on here. Healthcare organizations tend to, let's remember most of them today are for profit institutions and therefore they would get a commission or a, an actual ad placement payment for every ad they serve. And like most online ads today, it's not based, just don't have many eyeballs see it, but on what the response rate is. And so they have a financial incentive to target those ads as carefully as they can. It all gets back to money. And ultimately someone somewhere deciding that the money that came in from the advertising could more than pay for any fine that occurred if there was a problem. You know, it's the, the same stream of logic that says that defending against ADI DDoS attack is more expensive than being hit by ADI DDoS attack. And they weigh those numbers and the math tends to work really well right up until it doesn't. And then when it doesn't work, it really doesn't work.
Louis Maresca (00:28:07):
It's true,
Curtis Franklin (00:28:08):
It's true.
Louis Maresca (00:28:10):
Well guys, I think we've probably beat that one to death. So let's move on cuz I definitely want to get to my guess. There's lots of interesting topics we're gonna get to here. So bef let's make sure we move on. But before we do that, we do have thing. Another great sponsor of This Week in Enterprise Tech. And that's Thanks Canary. Now most companies discover that they've been breached way too late. Now things Canary fixes this as just three minutes of set. Three minutes, that's it, with a n with no ongoing overhead and they nearly zero false positives. And you could detect attackers long before they actually dig in. Now it's no wonder why things Canary Hardware, VM, and cloud-based canaries are deployed and loved on all seven continents. Prowling attackers look for juicy content. You know this, they look over your network, they browse active a directory for file servers and explore file shares looking for documents.
(00:28:57):
They try default passwords against network devices and web services and scan for open services across your network. Now, when they encounter a things canary, the services the services on offer are designed to solicit further investigation. That's right. At which point they're actually betray themselves. And your canary notifies you of the incident. Order, configure and deploy your canaries throughout your network. These can be hardware or virtual or cloud-based birds Make on, make them windows file servers, maybe make them another router. Throw in a few Linux web servers while you're outta each one. Host realistic services and looks exactly and acts the same way as its name stakes. Now when then when you actually sit back and you wait, your think canaries run silently in the background waiting for intruders, constantly reporting in and providing an up to minute report on their status. Even customers with hundreds of canaries receive just a handful of events per year.
(00:29:55):
When an incident occurs, think Canaries will alert you via email, text message, slack notification, web hook, or the old-fashioned syslog way. Now a principal security engineer of of an F 50 company says Canary has helped us detect and mitigate several incidents that could have turned into catastrophes and alert, fired by their cloned site. Token allowed us to identify and force a takedown of several doppelganger domains that were purchased by bad actors for the purpose of launching phishing attacks against our employees and customers. I can't recommend this product enough. You don't know what you don't know, but Canary helps you know what you need to know when it matters. You may have heard about Circle CI Compromise recently, while most users found out about the incident directly from their things Canary Canaries work and continually prove it. Visit Canary do Tools slash TWiT and for just $7,500 per year, you'll get five canaries, your own hosted console, upgrade, support and maintenance.
(00:30:59):
And if you use Code twit and they how to here by this box, you'll get 10% off the price for life. We know you'll love your things Canary, but if you're not happy, you can always return your Canaries with their two month money back guarantee for a full refund. And all the years we've offered a money back refund guarantee it's been claimed zero times as canaries add incomparable value. That's Canary Tools slash Twitch. Enter the Go twit and the hatty here about US Box. And we thank things Canary for their support of This Week in Enterprise Tech. Well folks, it's my favorite part of the show. We actually get to bring in a guest to drop some knowledge on the twit. Ryan, today we have Steve Winterfeld, he's advisory ciso. Akamai, welcome to the show, Steve.
Steve Winterfeld (00:31:45):
Excited to be here.
Louis Maresca (00:31:47):
<Laugh>. Fantastic. Well, our audience is from all different experience levels and all different points in their career. Some of them love to hear people's origin stories. Can you take us through a journey through tech and what brought you to Akamai?
Steve Winterfeld (00:31:59):
Certainly. So, you know, I I was actually in adjacent many, many years ago was running battle simulation software for the military and had a chance to follow my passion with, you know, security was a hobbyist moved over and started to build a, the first computer emergency response team for southcom. So got to jump in right in on the response side. And, and for people that are thinking about this, you know, you can come in and follow the analytics side, you can follow the compliance side, you can build and and develop. There are a lot of skills we need here. And for those of you that are kind of on your journey, I would encourage you to think about your North star. What do you want your final job to be? So, you know, do you want to be a C I S O for a Fortune 500, the C T O for a cyber company? Think about that now and use that to guide your skills. If you're in cyber and you don't love to learn, you're probably in the wrong field.
Louis Maresca (00:33:05):
Indeed, indeed. That's good. Good advice. I like that a lot. Now we have, we have a ton of talked about here, especially the concept around DDoS attacks. Now, we hear a lot about, in the news, the uptick of ransomware. We hear a lot of, you know, uptick of, of organizations being hit by this and they're focusing on that. We don't hear necessarily a lot about the change or the, if, if organizations are being hit by DDAs attacks, is this just because they're handling it? They're, they're, they're doing fine. What's, what's the current state of things when it comes to that type of attack?
Steve Winterfeld (00:33:37):
So really the business model from the criminals point of view is an extortion campaign. You know, pay us to not attack you. And so, you know, you'll, you'll get a short attack followed by a ransom or an extortion demand to, to not attack you more. You were talking about healthcare earlier last week. We saw a rash of healthcare organizations attacked by kill net. Every year we see new records broken. Earlier this year we saw Google Public Cloud come out with, you know, a 46 million or 46 million hits. Cloudflare just talked about 71 million Mariah bought last year was 2.5 terabytes. And so I wanna step back for just a second and geek out a little bit about what those mean. So when you hear about an attack and you hear request per second, that's somebody attacking a webpage. If you hear them bits per second, they're trying to clog the pipeline, just overwhelm you with data.
(00:34:44):
If you hear packets per second, they're trying to to attack the CPU and overwhelm the processor. And finally, if you hear queries per second, they're trying to take down the dns, you know, wipe out the phone book or the GPS of the internet. And so there are different ways or different aspects of what were being attacked. And so you have to say, am I at layer three four protecting? Am I at layer seven protecting, am I protecting my d n s? And then when these hit these attacks, okay, that's a big number, but, but let's say, okay, what really happened? So we'll go to the Google plug Cloud attack. So for 69 minutes there was this, this long attack, but then, you know, during it, all of a sudden in about 10 seconds, it peaked from normal attack to a record setting attack. And that lasted for just a few minutes. And what was the impact? Low impact. A lot of these were hearing about huge numbers, but they were behind good infrastructure. So the impact was mi you know, mitigated a lot.
Louis Maresca (00:35:57):
Now it's interesting you said this cuz the Google Pub, public cloud, you know, they have obviously they're major DNS services that tend to get hit with this a lot. What is the advantage here? Like what are, what are, what are, what are hackers doing when they're actually doing DDoS attacks? What are they, what are this, their major, their main focus here when they're doing this? Is it, is it smoke and mirrors? Is it trying to basically do something over here where they do something over here? What, what, what, what's the main, the main thing that they're trying to a achieve essentially?
Steve Winterfeld (00:36:24):
So if I'm, if I'm a criminal, I can sell denial of service as a service. One of the most attacked industries. So we'll talk about the top three most attacked industries. Do you want to guess what number one is
Louis Maresca (00:36:41):
Ransomware?
Steve Winterfeld (00:36:44):
It's actually against gaming. Gaming is the number one industry attacked. Oh, what? Followed by financial services, followed by high tech. So when you think about who's being attacked, gaming is, you know, those Budd services. So you know, if it's attacking a hospital that's kind of extortion preventing you from, you know, saving lives. And that's kind of the kill net. So the, the kill net is haist. So they're not necessarily financially motivated. They're tied into Russia and they have a political agenda. So countries supporting Ukraine, then they're gonna go against them. There are others that are, like I said, you know let's say you're a gambling site and just before a major game, like the Super Bowl, if I knock your site off, you're gonna lose all your revenue. So pay me 25 Bitcoins not to do a D D O S attack against you.
Louis Maresca (00:37:45):
Yeah, that makes sense. You know, I, I've actually seen some scenarios where organizations were giving away something free. Like you had to go sign up for an account and they gave you a free, you know I don't know, piece of software whatnot for a temporarily use for DevOps scenarios. And I've seen scenarios where, you know, they'll go and create some kind of botnet that DDoS attacks their service to kind of like have them go focus on that while they go and create a bunch of, you know, nefarious accounts in this kind of free fee phases. And then they, you know, they stopped their DDoS attack and they now have all these nefarious accounts that weren't being watched because as the organization went and focused on the DDoS attack. So it seems to me that sometimes the attack itself is a direct you know, essentially directed at a particular service to take it down in this case, like you said, to, to gain some capital on it. But in some cases it's, Hey, I'm gonna do it over here to, to make you, you know, spend a bunch of time trying to stop it while we go do something over here. Do you think that, is there a specific trend that you're seeing when it comes to those types? Is it all types that you're seeing kind of trending or is it particularly ones that are focused on making money?
Steve Winterfeld (00:38:55):
So I'll say there's, there's two kind of attacks that are adjacent attacks. The one is attack is a distraction, which is what you were talking about. The other is attack to overwhelm my logs. So if, if you just overwrite my security logs, cuz I have so much DDoS information that makes it really hard for me to do an investigation as well. So I've seen both of those methods used on the, on the aggressor side. We have a, a really a broad blend here. Like I said, we have a hack list with one motivation and they're having a big impact going after hospitals, going after airports. You have others that are almost proof of concepts where you see a large attack, but there was no extortion. We see a number that we think are part of an integrated attack and, and now that this is, you can go rent this as a service, I think that offers even more business models as the criminals try to go out there. So more complexity bigger attacks and more diversity and purpose.
Louis Maresca (00:40:06):
So, you know, as we see obviously as, as a service is creating a big problem cuz now it's making it, it's bringing kind of that down the barrier of entry down to much lower layer. So people can just go, go and pay somebody to go and do what they need to do. But I'm, I'm curious, you know, as we see more and more organizations get hit by this, some of them believe that all they need to do is make sure that they can scale really well, that their service is elastic and they won't ha be hit that hard by a DDoS attack. Is that a fallacy? Does it, does that mean that they they're not really paying attention to the real problem?
Steve Winterfeld (00:40:41):
So I, I guess part of this goes back to your business model. You know, I've seen people that really protect their websites and then they'll get hit with the DDoS on their infrastructure side and now their employees, all their remote workers can't get in. Or they'll really protect their website and their workers, but not their d n s. And so then you take down their d n s. So I think part of this goes back to, you know, looking at your overall security model and where you can accept risk. And ultimately, and this is true just about every security control you have is your current cons, security control, keeping up with the latest volume metric attack. So then are your security playbooks designed to go fast enough? We just said it went from a low attack to a, a record setting attack in 10 seconds.
(00:41:39):
So are you designed to be responsive inside? You know, cuz if you have elastic bandwidth that takes two minutes, then you're offline for at least two minutes. And if that's an acceptable business model, that's great. And so a lot of this comes back down to getting into the specifics, but really you gotta exercise these, you gotta have playbooks. And then, you know, so many of us have this matrix security control are, are is your I S P doing it as somebody like Akamai, we provide that service. Are we doing it for you? Is it, are you using some cloud native capability? And as you do all this, that's a shared relationship. So you know, if there's a human in the loop, how are you making sure that that goes at, at the speed you need to go to? Does that all make sense?
Louis Maresca (00:42:30):
Absolutely. Now we, we like to talk about the obligatory mid-size business that does have those shared relationships. They may be attempted themselves at a, at a, at a security playbook, but they are, you know, obviously looking for some way to protect themselves from this type of attack. Both remote workers as well as access to their services, maybe their web applications. Is there something they should be looking for you, you mentioned Akamai doing some things here. Is there something that they should be looking for that's definitely helpful? They can go and purchase some service to help here or some kind of software, that kind of thing.
Steve Winterfeld (00:43:04):
So there are certain functions that, you know, as a CS o that I'm like, okay, the things I do every day. So every day I'm fighting a phishing email so I can keep that in-house. And, and I've got the skillsets to do for it. There are other things that I don't do that often. How often do I need a forensic investigator? How often do I need, you know, somebody who can go fight a D D O S attack if I only get a couple of those a year? And so those are areas where I kind of say, where do I want to go to a managed provider and where do I want to keep it? You know, an internal playbook or internal skillset. And, and then finally, where are the skillsets in demand? Things like threat hunters talent is incredibly hard to get.
(00:43:51):
So do I want to bring in threat hunters and, and I'm going down a rabbit hole, but you see what I'm talking about here. And so something like D D S I tend to think a great opportunity to put it under a managed provider. You know, and again, there are so many, you know, you're, if you're a small group with an I S P, your I S P probably has some capability. If you're a startup in a cloud environment and you're completely cloud native, and I'm so jealous that you don't have any tech debt and I don't even wanna talk to you. But if you're in that kind of an environment, then you know, maybe you just go with that cloud native and, and as you get larger, you start to worry about, you know, vendor lock in. But that's a, a different problem for a later day.
Louis Maresca (00:44:36):
Right, right. All good suggestions. Well, I do wanna bring my co-host back in, but before we do, we do have to thank another great sponsor of This Week in Enterprise Tech, and that's ACI learning now for the last decade. Our partners at IT Pro have brought you engaging and entertaining IT training to level up your career or organization. Now IT PRO is part of ACI learning. Now with IT Pro ACI learning is expanding its reach and production capabilities offering into content and learning mode. You need at any stage in your development, whether you're at the beginning of your career or looking to move up in your sector, ACA Learning is here to support your growth, not only in it, but cybersecurity and audit readiness. Now, one of the most widely recognized beginner certifications is the comia A plus certification. Now COMIA courses with IT Pro from ACA learning make it easy to go from daydreaming about the career in IT to actually launching it.
(00:45:31):
The earning certificates opens doors to most entry level IQ positions and supplies, potential promotions for those already in the field. Now tech is one industry where opportunities outpace growth, especially in cybersecurity. Now, where recent Linked In Study predicts IT jobs will be the most in demand roles in 2023. So there's no time to waste. Now about one third of information security jobs require a cyber security certification compared to 23% of all IT jobs. Now, while organizations are hungry for cybersecurity talent, the cyber skills gap grows bigger each day. We just talked about that. Now the average of salary for cybersecurity specialists is about $116,000 a c i Learnings information security analyst and cybersecurity security specialist programs can actually help you get certified. Now in 2022, the Global Cybersecurity Workforce gap increased by 26.2% compared to 2021. Now, IC a c I learning offers multiple cybersecurity training programs that can prepare you to en enter or advance within this exciting industry.
(00:46:41):
Now, the most popular cybersecurity certifications offered are C I S S P C Council Certified Ethical Half Hacker Certified Network Defender, cybersecurity Audit School and Cybersecurity Frameworks. Now, where and how you learn really matters. A c learning offers fully customizable training for all types of learners, whether preferred in person, on demand or remote take learning beyond the classroom, explore everything a c learning has to offer with IT. Pro Audit, pro including Enterprise Solutions, webinars, and the Skeptical Audit Podcast Practice Labs, learning hubs, and the partnership program Tech is one industry where opportunities outpace growth, especially in cybersecurity. One third of information security jobs require a cyber security certification to maintain your competitive edge across audit IT and cyber security readiness visit go dot aci learning.com/twit. That's go dot ACI learning.com/twit. Don't forget to use our special code TWIT 30 to get 30% off a standard or premium individual IT PRO membership. And we thank ACI learning their support of This Week in Enterprise Tech. Well, folks, we've been talking to Steve Winterfeld, he's the advisory CISO of Akamai. We've talked a lot about de Dios DDoS attacks here. Now how, how about been saying this wrong? Is it actually D D O S attacks or am I okay saying DDoS please, please help me?
Steve Winterfeld (00:48:17):
I think most people are saying DDoS
Louis Maresca (00:48:18):
Okay, <laugh>. And
Steve Winterfeld (00:48:19):
That kinda goes back to CISO versus C I S O. Yeah,
Louis Maresca (00:48:22):
It's, I thought for years I was saying that wrong. Yeah, thank you. Appreciate that. Well, I do wanna bring these guys back in because they are a lot more experienced in, in networking stuff than I am. So Hubert wanna throw this to you first
Brian Chee (00:48:36):
Actually, I want to ask a question that I got hit with by a salesperson trying to sell me a rack or a portion of rack in one of those new super colos where they have so many pieces of fiber coming in and so many providers that the salesman said, oh, we might as well have an Infinity signed. You know, saying that's how much bandwidth we have. Aren't we just moving the target, especially with DDoS?
Steve Winterfeld (00:49:06):
Absolutely, yes. And, and again, it goes back to, you know, some of that is in the type of attack and some of that is in the assumption that you can just take over everything with pure bandwidth, but absolutely not a convincing argument.
Brian Chee (00:49:28):
Super cool. Now you guys sent me this great press release about a report that you're cobbled together called The Evolution of DDoS, return of the Activist that is published in February of 2023. Could you tell our listeners a little bit on how they can, you know, get access to that and also, you know, what kinds of resources are you providing to help people learn about protecting themselves?
Steve Winterfeld (00:49:58):
Absolutely. So I wanna be very clear that that was a joint effort. The financial services ISAC and Akamai got together. And so the financial service ISAC represents all the banks across the world, banks, insurance companies, you know, wealth management traders. And so we went to, you know, what they're seeing hacking into the, the banks or attacking the banks, what we're seeing our platform. And, and we wanted to collaborate and we wanna say, first of all, what do, what are we seeing for the threat? So you can go educate your leadership on, on what are the most common things we're seeing on the threat. And these are examples like you know, since the war in the Ukraine kicked off, we basically seen, you know, and these are, these are not accurate numbers but the, the numbers in, in Europe in the us let's say it was 70 30 and they almost flipped in, in where the D D O S attacks were happening.
(00:51:01):
And so, you know, those kind of trends, then you can go back and talk to your leadership about if you're, if you're in Europe, you can go back and say, Hey, listen, we need to re-look at our risk posture. But if you go to FS ISACs website or akamai's website and look for that, you know, return of the Hack us, you'll see it. And that's where we talk about that, those kil net kind of organizations. We'll have a different business model, which, you know, it was, we wanna wanna do that extortion. And right now it's interesting I, I spend a lot of time talking about the, the triple extortion threat, ransomware, xFi data being, you know, sold if you don't pay me and D D O S if you don't pay me. And, and of course we know that those are, are probably the three we see in the press the most. We also know that if you want to be a, a profitable hacker, probably business email compromise is still the most profitable threat methodology. But, but we picked the one for D D O S and we really wanted to educate that. And then the last part of the report is how to mitigate, how to think about this, you know, your playbooks, your crisis management plan, how to, how to upstream do the protections and the exercises.
Curtis Franklin (00:52:23):
Steve, I want to drill in a little bit on a couple of the things you've said when you were talking about DDoS attacks one of them being the very rapid ramp up of, of volumetric attack. Have we passed the point at which it is absolutely required that companies have some sort of automated response in place for DDoS attacks? I mean, have, have we left human response times in the dim recesses of history at this point?
Steve Winterfeld (00:53:02):
So ultimately our job is to prevent material impact to the business to make sure we don't impact profit. And so that is a question that we have to answer in conjunction with our cfo F o. And so if the CFO f says our website can be offline for half hour, and I'm okay with that, then you can have a human in the loop. If you're in a heavily regulated industry, if you're in healthcare where safety's on the line absolutely. I think that, you know, we are at the point where you can't turn on your D D O S protections. They have to be always on.
Curtis Franklin (00:53:45):
Well, you know, that, that gets me to the next one. One of the things we are hearing a lot about in cybersecurity is the deployment of artificial intelligence. And we're gonna use that as the single term that hits AI ML deeper, you know, the whole array. To what extent do you see machine intelligence being useful as a technology in response to things like D D O S attacks, which for some organizations can be very sharp and transient, you know, just long enough to keep them from accepting orders at the opening of a big sale or something like that.
Steve Winterfeld (00:54:33):
So a lot of this goes, I think, back to what environment we're in, you know, and so I think ml is, is an appropriate for your layer seven attacks, your request per second where you're trying to interpret is this authentic traffic you know, there's more likely to mimic it's not a UDP flood or a sin flood, it's something, you know, more interesting. A complexity of the attack has changed. So in 2010, 90% of the T methodology were from five techniques. Now those five techniques represent just over half of the attacks. So half of the attacks are this matrix of these different techniques. And so for you to have something to recognize, which is an attack, which I should black hole, which allows through yeah, I think that is becoming more and more necessary.
Curtis Franklin (00:55:36):
Well, you partially answered my, my next question with what you just said, but I'd, I'd like to get a little more, because when people think of D D O S attacks, they tend to think of a purely packet flood, something that chokes a network pipe. But, you know, there can be things that do in fact choke a network pipe. They can be connection floods, there can be, you know, ARP floods. There can be things that try to choke out your server with, with service requests rather than network. Are there patterns, or as you said, are attackers now using all of these in combination, really attack an organization in full?
Steve Winterfeld (00:56:29):
So <laugh>, we have a range. You know, we were talking earlier about some of our employees can do things that challenge us make decisions that, you know, just that momentary lapse in judgment. And so again I've got a case of a very sophisticated hacker coming after one of our European customers for an extended period weeks multiple times and a very iterative, sophisticated battle trying a technique coming back, trying a different technique. And so that's one end of the spectrum. And then I've got, you know, somebody go rent a botnet and throw junk on the wall at the other end. And so i, it really is that spectrum of things out there. And then every you day we wake up and, and then what does somebody invent? So iot, OT is really the bane of our existence. So i o t is providing so much of this to attack with. And then you get somebody come up with the, you know, the phone home, d d o s re reflection attack where it's, you know, billion to one, like 4 billion to one, you got the middle bot reflection. And so there's this brand new technique which let's, I don't wanna call it a zero day, but, but at a layman's term, almost a zero day technique that is changing the paradigms of what we're dealing with. So yeah, it is that constant battle.
Louis Maresca (00:58:08):
Steve, it's amazing how time FL has been having filed lots of great stuff here. Thank you so much for being here. Unfortunately, we're running a little low on time, so I wanna give you the chance to tell the folks at home where they can learn more about Akamai and all the wealth of services they have to offer.
Steve Winterfeld (00:58:22):
Yeah, I would encourage people to come to Akamai, look up our security blogs, we've got some great features in there. Come down with the report, the evolution of D D O S the rise of the hacks, and feel free to reach out and look at any of our capabilities. Thank you.
Louis Maresca (00:58:43):
Thanks again, Steve. Well, folks, you've done it again. You sat through another hour, the best thing enterprise and pod IT podcast in the universe. So definitely tune your podcaster to tw. I want to thank everyone who makes this show possible, especially to ma my amazing co-host right here. Start Mr. Brian Chee sheer to what's going on for you in the coming week. Where can people find you?
Brian Chee (00:59:03):
Well, actually Saturday, Sunday, Monday, I'm actually going to be manning the Maker FX booth at the Orlando Science Center. They're running a STEM fair, and I'm gonna be talking a little bit about the pods project, it, a research project I did for DARPA on creating one of the first self-organizing self-healing wireless networks. We happened to partner with the M I T media ad, and the result was ZigBee. So we're gonna be talking about that. I've got all my slides from the deployment at Volcano National Park, oughta be fun. Now, if y'all wanna throw some ideas at me, probably the best way is still on Twitter. I'm a D V N E T L A B advanced net Lab. You're also more than welcome to throw an email at me, I'm sheer spelled C H E E B E R T twit tv, or you could also hit me and the rest of the host atw twit tv. We'd love to hear from you. And it doesn't matter if you know your English isn't, you know your strong point as long as you're willing to let us use machine translators. So, caveat there. Would love to hear from you, would love to hear your ideas for shows. If you wanna ask us questions, go right ahead. Thanks, and stay safe, everybody.
Louis Maresca (01:00:35):
Thank you. Cheaper. Well, we also have to thank of everyone, Mr. Curtis Franklin. Curtis, what about you? What's coming up for you in the coming week? Where could people find you?
Curtis Franklin (01:00:43):
Gonna be heads down writing a bunch of stuff. I'm also going to be spending a little bit of time at that stem fair alongside my friend Brian as we try to let people know what's going on with STEM education in central Florida. If you wanna keep up with me, I can recommend Twitter. I'm at KG four GWA Mastodon, I'm at KG four gwa@mastodon.sdr.org. I'm on LinkedIn, I'm on Facebook. I'm just pretty much everywhere, but TikTok haven't been able to get into doing that yet. So and I think the window is closing on new opportunities on TikTok. So you know, look for me. And like I said, if you're going to be at either RSA or Enterprise Connect in Orlando, look, look me up. I would love to have a chance to meet you in real space.
Louis Maresca (01:01:46):
Thank you Curtis. Well folks, we also have to thank you as well. You're the person who drops in each and every week to get your enterprise goodness and what'll make it easy for you to watch and listen and catch up on your enterprise and IT news. So go to our show page right now, twit.tv/tw that you'll find all the amazing back episodes, the show notes, the cohost information, of course the guest information, and also the links of the stories that we do during the show. But more importantly, you'll get those helpful. Subscribe and download link support the show by getting your audio version or your video version of your choice. And listen on any one of your devices or any one of your podcast applications cuz we're on all of them. So definitely subscribe and support the show. Now you may have also heard of Club Twit.
(01:02:29):
It's a members-only ad-free podcast service with that bonus TWIT plus feed that you can't get anywhere else. It's only $7 a month. So there's a lot of great things about Club Twit, but one of them, one of them is actually the exclusive access to the members only Discord server. Now I'm on it right now. It's a lot of great conversations going on in there. You can chat with hosts, producers, there's lots of separate discussion channels, plus they have some awesome special events as well. So lots of fun stuff. Join Club Twit and be part of that movement. Go to twit tv slash club twit. Now, club Twit also offers corporate group plans as well. It's a great way to ha give your team access to our ad free Tech podcast. The plans start with five members at a discounted rate of $6 each per month and you can add as many seat as you like there.
(01:03:15):
And this is really a great way for your IT departments, your developers, your sales teams, your tech teams to stay up to date with access to all of our podcasts. And just like that regular membership, they can join the TWIT Discord server and get that TWiT plus bonus feed as well. So twit TV slash club twit. Now, after you subscribe, you can impress your friends, your family members, your coworkers with the gift of TWiT cuz we talk about a ton of fun. Tiktok is on the show and I guarantee they will find them fun in industry as well. So definitely have them subscribe and join the party. Now if you've already subscribed and you're available on these days, Friday, 1:30 PM Pacific Time, we do the show live. You go to live dot TWiT tv. There, you can choose from any one of our streams there.
(01:03:57):
You can come see the behind the scenes, come see how the pizza's made, come see all the fun stuff that we do before and after the show. So definitely come and join the, the live stream. And if you're gonna join the live streaming Weisel, jump into our IRC channel as well at IRC dot twit tv. We love our chat room. Just go to that website right now. You can jump right into the Twit live channel there. We have a lot of great chat channels in there, but also a lot of great characters in the Twit live channel there. They give us some amazing topics, some questions, great show titles. They're doing that right now. Thank you guys for being here and being part of the live show. Definitely hit me up twitter.com/luman. There I post all my enterprise tidbits, direct MessageMe, send me show ideas, have topics about careers, whatever you wanna do.
(01:04:42):
You can also hit me up at lin linkedin.com/Louis Maresca. There I have lots of great conversations about people you know, who are starting in their career, who are in the middle of their career, who are looking to get into particular part of their career. So definitely hit me up there as well. Even for show ideas. If you want to know what I actually do during my normal work week at Microsoft, you can always check at developers.microsoft.com/office suite. There. We, we post all the latest and greatest ways for you to make and make your office solutions more productive for you by developing your solutions, whether it's recording macros with our newest, latest, and greatest office scripts, which is cross-platform, or it's using the traditional web ad in model, which is just, you know, really a great model for you building add-ins and audit solutions for whether it's Outlook or Excel or Word or PowerPoint.
(01:05:29):
So definitely check that out and make your office more productive for you. I wanna thank everyone who makes this show possible, especially to Leo and Lisa. They continue to support This Week in Enterprise Tech each and every week, and we couldn't do the show without them. So thank you for all their support over the years. Thanks to all the engineers and staff at twit. And I also wanna thank Mr. Brian Chee just one more time. He's not only our co-host, but he's also our tireless producer as well. He does all the bookings for the show and the plannings for the show, and we really couldn't do this show with Hoos. Thank you Cheever, for all your support over the years. Now, before we sign out, I wanna thank our editor because of course they make us look good after we record here because we make a lot of mistakes. At least I make a lot of mistakes. He, they kind of edited them all out. So thank you for all that. Of course, our TD for today, he's the talented Mr. An Pruitt. He and he does an amazing show called HandsOn Photography here on twit, which I watch each and every week religiously. And what's going on this week in the show? Cause I can't wait.
Ant Pruitt (01:06:23):
Well, thank you Mr. Lou. this week on the show I decided to take a look at just doing some selective adjustments in photography. So like, if you have a, a shoe that a client wanted you to take a photo of, but they decided the color was wrong, well let's just change the color pretty easily inside the Photoshop and not change the color of everything else. So head on over to twit.tv/hop and you'll see how now, yes, on the screen it looks like a big blob of paint, but trust me, watch it all the way through. It's going to be Dagone. Beautiful.
Louis Maresca (01:06:56):
Amazing. Thanks so much aunt. And until next time, I'm Louis Maresca just reminding you, if you want to know what's going on in the enterprise, just keep quiet.
Mikah Sargent (01:07:07):
Hey, I know you're super busy, so I won't keep you long, but I wanted to tell you about a show here on the Twit network called Tech News Weekly. You are a busy person and during your week you may want to learn about all the tech news that's fit to well say, not print here on Twitter. It's Tech News Weekly. Me, Mikah Sargent, my co-host Jason Howell. We talk to and about the people making and breaking the tech news, and we love the opportunity to get to share those stories with you and let the people who wrote them or broke them, share them as well. So I hope you check it out every Thursday right here on TWiT