
How many security attacks did you fend off today?

  • Broadcast in Technology
Caleb Barlow


2013 is well on its way to being another record year for cyber intrusions, keeping security as a topic in every corporation's boardroom and in every government agency.

How many vulnerabilities did your security team find scanning today, last month, or this year? And how many were high risk? In the first six months of 2013, the IBM X-Force Research and Development team analyzed 4,100 new security vulnerabilities and 900 million new web pages and images.

The IBM X-Force team just released their Trend and Risk Report, which summarizes their findings on emerging threats and the 2013 attack landscape. If you are a CIO, CEO, CISO or a line of business executive, this must-read report outlines the new attack opportunities in areas like:

• Social media: how social media is a valuable tool for business, but is also being used by attackers for reconnaissance and launching attacks

• Mobile device malware: how the explosive growth of Android devices is attracting malware authors

• Poisoning the watering hole: how attackers are compromising a central strategic target and launching zero-day exploits

• Distraction and diversion: how attackers are amplifying Distributed Denial-of-Service (DDoS) attacks as a distraction to allow them to breach other systems

• Old techniques, new success: how today's security complexity can enable old gaps to be exploited




1:46 Caleb Barlow

Hi! This is Caleb Barlow and today is kind of the main event that we do twice a year, where we will be talking about the latest IBM X-Force Trend and Risk Report, out just yesterday from the IBM X-Force research team. Before we do that, a couple of quick things to remind everyone of. One is that the X-Force team will actually be taking some of its research on the road over the course of the month of October. So if you want to hear more about what we are talking about here today, about, you know, how we manage over 13 billion security events literally every day, you are invited to join us along with a few of the folks actually even here on the phone today on this X-Force road show. We will be in Boston, New York, Pennsylvania, Toronto, Chicago and Denver over the course of the month. If you want to see more information on that, you can go to www.ibm.com/security/x-force and we'll put some links on that in the description of this podcast. The other thing that is kind of interesting news here is that the TSA is starting to give us the ability to use our devices when planes are taking off and landing. One of the things it allows you to do, it looks like anyway, is to listen to podcasts. So if you want to subscribe to this show and get it sent right down to your device, you will find a link to iTunes on the primary Blog Talk Radio site, or you can just search for it on iTunes and subscribe to it. You will also find this show on techpodcasts.com, bloglovin, podcasters, securitycastradio, to name a few. So for today though, let's get on with the talk with the team here from IBM X-Force. Joining me today are Michael Hamlin, who is the lead X-Force security architect.

3:46 Caleb Barlow

Peter Allor, who is one of our security strategists with particular expertise in the federal sector, and Robert Freeman, who is the manager of the X-Force research team. Welcome gentlemen, how are you today?

3:57 S

Great, thank you.

4:01 Caleb Barlow

Alright. Well. Let's jump into this, so you know, the--what I always love about kind of these discussions with you guys around X-Force and around the trends is that teams like, you know, you guys do this report every six months and, you know, it's always amazing to me how much things have changed, how much kind of nothing has changed in terms of, you know, what we're looking at. So, but before we get into that, maybe, you know, and maybe I kind of throw this out towards either Michael or Robert, but can you give me a little bit of a description of what the X-Force team is all about, what you guys do and why you're an integral part of our security division?

4:44 Robert Freeman

Sure, so this is Robert. At a high level, the X-Force research and development team focuses on expertise around software vulnerabilities and malware, producing rapid prototyping towards advanced technologies to protect against some of these increasingly sophisticated attacks, as well as producing material both to educate our customer base and to contribute back to the security and research community through common things like blogging and college talks. It is important because, you know, at, again, a high level, looking at the security community as well as vendors of security products, having that sort of leading-edge security relevance and expertise really allows us to deliver the goods when it comes to our products as well.

5:50 Caleb Barlow

So, when I looked at and had a chance to read through this report, which by the way folks can find a link to, again, in the description of this podcast, you know, there are a couple of things you identify as really new attack opportunities, or at least new elevations of attack opportunities, in everything like social media, mobile device malware and really leveraging, you know, what you would call the watering hole and kind of poisoning the watering hole, as well as new ways of kind of distracting and diverting people. Let's start with social. So, you know, what's the big deal here with social, why are we seeing attacks pivot more towards social and, you know, what do we do about it?

6:39 Michael Hamlin

Well I think, Caleb, this is Michael. I think one of the things that we see pivoting __06:43__ for social, one of the reasons is that we're all socially connected now. Watching some of the recent conferences, we've seen that 79% of adult Americans are on a social network, so it's no longer just a thing you think about with your kids on Facebook or Tumblr or the teenagers; they're business tools now, so it's a way into the people, and we know the attacks have moved up from attacking servers to applications to trying to utilize people to get into the industries now.

7:17 Caleb Barlow

And what are the, you know, when we think about leveraging social, what are the attack techniques people are using? How is this different than, you know, kind of this phishing attack with __07:27__?

7:33 S

Well I think one of the things that differentiates them is that we are seeing very targeted attacks towards groups of people who have let their guard down. We see fake profiles that were set up on LinkedIn, as more of the researchers have published in the past. We see fake accounts themselves just set up on Facebook and LinkedIn, impersonating people, claiming they work in companies.

8:03 Caleb Barlow

(Crosstalk) I'm sorry go ahead Robert.

8:07 Robert Freeman

I know, I mean, yeah. I think we also see, you know, have seen occasional compromises of Twitter accounts, and that seems like that's sort of a dangerous emerging area where we're talking about abuse of trust relationships, you know, when--I think you're about to talk about the use of social networking sites towards the reconnaissance of organizations, and for years X-Force has been talking about, you know, essentially what we're now calling social media sites from the perspective of social networks and, you know, figuring out who has, you know, what sort of relationship to other people in an organization, what their hobbies are, trying to develop, you know, a big picture, so when you're trying to do something like spearphishing they would have, you know, some additional leverage in that approach. And, you know, now what we are starting to see is, you know, more active, you know, outgoing sending of malicious links and content through the sites themselves to targets, and part of the picture there is again the account compromises where, you know, they're filling the accounts where they're, you know, similarly named to a person or brand or entity that one trusts. But also, you know, on these sites, they're typically, you know, it's kind of like, even though we're not talking about Twitter, we're not talking about really lengthy communications; most communications are, you know, more or less the equivalent of the old instant messenger kind of, you know, one or two lines, and so the amount of effort that goes into those, you know, communicating on these networks as well as, you know, processing all of the different networks that one...

10:06 Robert Freeman

You know, is a part of these days might be relatively low, similar to how a lot of mobile users aren't necessarily paying as much attention to suspicious emails on a mobile device as they are when they are working with the traditional endpoint.

10:23 Caleb Barlow

(Crosstalk) right. In that, go ahead Pete.

10:27 Peter Allor

I'm just going to say that, you know, we have a problem here that we're thinking this is new, and I want to say that the use of the technology is not new. The techniques are old, and what we're missing here on social media is the fact that in our interaction face to face with people, we have social cues that discern what's being said, how to be invaded, and basically we test the veracity of what the speaker is saying to us. In social, we have none of that. So, we are taking what we know and especially, and we're doing something called transit of trust to the device through a medium. The problem is that there are so many people who have multiple devices that you are now assigning trust to a device with no knowledge of how secure that device is or is maintained, and so this becomes a great opportunity for the malfeasance, if you will, to attack, because we are trusting people; naturally we want to trust. They have relationships, so they trust, so the problem is that we are easily duped if we are not using all of those social cues, and because we're limiting the social cues, you can't see someone's face, you can't hear the information of their voice, you miss a whole lot of cues as to is this sure or not, and so you trust it regardless, and now whatever comes across, you easily respond to or you click on or you do something else that allows the attacker to not just sit and on several occasions and attack many people.

12:00 Caleb Barlow

So there is--well, the things you all said in here that are just kind of fascinating, right, so one is that, you know, certainly if I attack person A, I can get access to their social connections and use that to attack person B downstream and also represent trust. The other interesting thing that you all said is that because many times these messages are short, in many ways, it makes it easier, right? I mean, you know, in a somewhat joking way, I mean, we have all learned that hackers can't spell, I mean we have gotten the--we have all gotten the email about the Nigerian prince needing you to wire money and of course every other word is spelled wrong, but...

12:41 S

You mean I did not win the Nigerian lottery?

12:43 Caleb Barlow

No, you did not, I'm sorry. You know, I mean this is a really interesting point though. I mean, how hard is it in 140 characters to say something interesting that somebody is going to click on? And to make matters worse (crosstalk) one of the--yeah exactly, it is really easy, and one of the other problems with, you know, particularly Twitter is with these--we shrink the URL, so, you know, hey check this out, I don't even see the real URL until I click on it or use some _13:13_ tools to bring it out.

13:16 S

I am glad you brought that up, Caleb, because something that has become quite interesting is that the social media sites themselves, whether we are talking about a public post, a private post or something of the equivalent of a direct message, you know, whether we are talking about Twitter or another, they have taken it upon themselves to scan these remote sites to evaluate, you know, do I think it's likely to be malicious, either from the perspective of, for example, phishing or, you know, malware, these sorts of things. That does not mean that the technologies are perfect or that they can't be fooled, but, you know, I think that it, you know, it's an acknowledgement on their behalf that, you know, they need to be proactive in attempting to detect these attempts. But even as we are talking about, you know, something that's maybe, you know, 140 characters or so, whether it's an obfuscated link or not, if it's a compromise of a brand, and that brand could be a person, for example, a musician, and their, you know, it's just that, you know, a very basic social engineering exercise, and that's essentially what we are talking about here is a twist on social engineering attacks. You don't even necessarily need a true exploit; you can have a link to just a piece of malware and a probably greater than average number of people who will actually install that malware just on the basis that, you know, there is a new thing by this artist or, you know, brand or, you know, something like this. I mean, to me, it seems like there is a lot of risk here as far as people perhaps working around the kinds of technological security systems put in place to prevent this sort of thing from happening, on the basis that they really believe that what they are getting is legitimate.

15:32 Caleb Barlow

Did you have any favorite examples?

15:37 S

Ah, you know, not off hand, but, you know, I think individually we have seen, you know, different components that I have spoken about reported in the media. The real question is, you know, when do these things all come together. For example, you know, the idea of a musician being used towards the social engineering is sort of an analog of the old peer-to-peer networks where malware would masquerade as, for example, you know, the artist Britney Spears or something like this, and it was just malware, it wasn't, you know, any sort of media of hers, so the risk of this...

16:26 Caleb Barlow

Throughout getting Britney's latest song you get infected with malware.

16:30 S

You get infected by malware, and this sort of thing, you know, I can very easily see being played out on, you know, sites like Twitter, could be LinkedIn, could be Facebook, could be Google Plus, it could be anybody, you know, I don't really want to point to the ones and say, you know, more likely to get it here than here, but there is not basic...

16:51 Caleb Barlow

But I think there is another side of this too, right? We have seen recently where news organizations had their Twitter account hacked and said some rather, you know, the hackers acting on behalf of the news organization said some rather inflammatory things that then actually caused the stock market to change, right? And, you know, it really strikes me as -- wow, I mean, so in this case it wasn't even about malware, but the thing that I really try to impart on clients is that this is about brand identity, right? And trust and security is becoming part of that brand identity, so if your official accounts are breached or some of your executive accounts are breached, it might not be just about malware, it might be -- what does the bad guy say on your behalf? Even if that gets corrected, even minutes later, there can still be a lot of damage caused.

17:51 S

But Caleb, you're talking about the first level of the attack and, you know, I agree that is important, so in the case of attacking a news organization you are attacking the brand; people trust it, so they will go there, they will get something, something will happen to them. But, you know, the question then is, was that the real attack? Was the real attack the manipulation of the market, because it was going to cause people to do something? So in some cases you can see that an attacker has multiple levels of thought process here and means to affect our daily lives, and that's what people miss here. Sometimes it is about the brand or it is about who comes to the brand, but sometimes those are _18:37_ as opposed to what the real objective is, so you really have to study this in greater detail, who was attacking for what.

18:49 Caleb Barlow

Alright, so let's use this point to kind of pivot to another thing you guys really uncovered, which is this whole concept of poisoning the watering hole. So let me ask you first, what exactly are we talking about when we're talking about the watering hole?

19:03 S

Sure. I'll jump on that. So a watering hole is a very targeted type of an attack. So much like we've talked about in the last report, we talked about exploit kits and drive-by exploits, where the sites you would normally go to get compromised, and in the act of viewing them in your browser, it takes advantage of a security flaw and exploit, typically in something like Flash or Adobe or Java. Java is a very favorite target these days. A watering hole is taking that same technique but applying it to a very targeted group of individuals you want to attack. My favorite example is the Department of Labor. So a third-party site, it was part of the Department of Labor's website, hosted the site exposure matrix, and this is where you have toxicity and radiological exposure data that is updated on the first of every month. The attackers in this case knew exactly who is gonna go there; you and I aren't gonna go there. Well, I might because I used to work in the nuclear field, but I know friends are dead...

20:10 Caleb Barlow

You're just a geeky kind of guy, so you might go there.

20:14 S

I am (crosstalk). So on the first of the month when this new data came out, the people who go hit this website were from all our Department of Energy labs, the guys at Brookhaven, at Los Alamos, at Oak Ridge. So this is a targeted attack at government employees in highly secure, highly risky environments who all had their desktops compromised.

20:35 Caleb Barlow

But you know, what's fascinating about this, because by watering hole you're effectively literally talking about the analogy to, you know, the watering hole in the middle of the Sahara; it gets poisoned. The animals come there to drink and they die, right? In this case, the watering hole, you know, if you think about any industry, if you think about any type of profile of individual, there is probably a pretty good watering hole you can identify, and what's fascinating about this is you don't really have to then go break into these people's computers; they're gonna come to you.

21:08 S

Right, you're saving both on time and effort, and you don't have to work at breaking into someone else's secure area. They will come and download it and you just wait. So you don't have to break into one area; it's a way of attacking multiples without having to do the work for the multiples. It's the same reason that Java is so important, because it's cross-platform. So you are looking for a way to attack people with a minimum investment.

21:36 Caleb Barlow

So what type of impact can come from a watering hole attack and, you know, is there any way to defend yourself against it?

21:45 S

I guess it takes the damage of the same thing as social. We have our guard down a little bit when we're going to the same site we always go to; we're not clicking on a mysterious link, we're not going to a site we never heard of. Our corporate security controls aren't gonna block that website because it's brand new and doesn't have any reputation, so in some ways it's a very risky thing to think about how do I protect myself from it. In others, it's the same diligence. A lot of these, they're drive-by attacks at the browser, and not really at the browser itself but the plug-ins that run in the browser, so we moved up the stack. So disabling plug-ins, using techniques like click-to-run, like we mentioned, I know, in several _22:28_ reports we talked about turning on high security so that ActiveX doesn't run on every site you visit, only your internal sites, turning off JavaScript for sites you don't trust, setting your Java profile to high so if the Java plug-in isn't a signed plug-in it won't run. Those same types of techniques for protecting the desktop.

22:53 S

Which is either there really is the fact that the _22:58_ community has done a lot in our core operating systems and applications, so the attack has to move up the stack to the plug-ins, to the places that don't have large incident response and quick turns when they find the problems or a problem is announced. So, it becomes easier. The problem is the defenders have also gotten used to the _23:19_: we will do our normal patch cycle and we'll take care of all the big stuff, and so people don't worry about "the small stuff". But the small stuff counts, and that's really where you get the ability to enter the organization, and the watering hole allows you a place for them to come to get it, because the security is less stringent on what a user pulls down. Again, we come back to the users, because the problems are, and socially we found a way to get the user to do something there. (crosstalk)

23:52 Caleb Barlow

That brings up this theme of trust, right? In that, you know, just like what you're talking about with social, where I'm effectively trading on someone's trust to get them to take a leap of faith, I'm really doing the same thing here in the watering hole. I am investing the place that everyone goes to drink all the time, so who's gonna be suspecting something bad?

24:15 S

Yeah, that's true Caleb, but at the same time I think what we are going to see is an increasing amount of what are known as zero-day attacks kind of trickling out of these watering hole attacks, and what I mean by a zero-day attack is a totally new exploit that more likely than not the affected vendor knows nothing about and the security community as a whole probably doesn't know about. So, what I think is -- it's fascinating because, you know, recently there was an Internet Explorer zero-day that, to the best of my knowledge, was related to a watering hole attack, and I think that some of the Java zero-day attacks this year were as well. I think we're gonna continue to see that, that sort of, and not necessarily all the time, certainly with the planning of old office documents being emailed on a daily basis trying to get into organizations that run old versions of Microsoft Office, but as Steve mentioned, that is really a good way to find a way into one target -- it might turn out to be very difficult to do or maybe very easy depending on their own sort of security profile and policies, but once you get in there you don't necessarily have to get 100% of all the people who visit to be successful in that endeavor, and so it's a very attractive, in my opinion, way to leverage your arsenal of zero-day attacks. So I think we will continue to see this being an interesting sort of combination of -- oh, there's a watering hole. Oh, there's a zero-day attack. Oh, buzz related to the browser that turns out to be a relationship. I think this is gonna be included.

26:38 S

But I think that the challenge here is people are gonna assume it's always a zero-day attack and they can do nothing about it, and that's not really what's happening. (Crosstalk) The zero-day is the special case, when they want to get at a particularly hardened set of organizations. The reality is that the underground isn't using zero-days all the time because they don't need to.

27:05 Caleb Barlow

You know what else I think is -- so fast that I can think is, is it fortunate that to think about the ecosystem that surrounds us, right? So, you know, let's say the bad guys wanna break into an energy company, right? So they've tried the energy company; hopefully it's fairly fortified. They've got good defenses. They've fought through -- they bought all the right products, but what's really fascinating about this is they may look at this and go, "well, I don't even have to break into the energy company because there is this gym that everybody that works at the energy company happens to go to, so let me break into the gym and their scheduling systems -- for when people schedule their workout classes and stuff like that, and I've got a high likelihood of catching a whole lot of people that work at this energy company because the gym is right down the street." I mean, that's the type of sophistication we're talking about here, right?

27:59 S

Well, in that case, you have a couple of -- what I mean is the first is just a social of "hey, here is the new thing at the gym, click here and sign up." The other way is people log in and they will use passwords, and that becomes another great way to this game act, as this is by reusing your password or a variation on your password that you sign in with for your hobbies and your social profile. You probably have related your password to that, so it becomes an easy way for someone to recon and find a way in.

28:32 Caleb Barlow

So don't use the same password at the gym that you use at work. Alright, let's pivot to DDoS. This was another thing that has really been in the news. It's not new, but why is distributed denial of service having a bigger impact today?

28:55 S

So one thing we've seen with DDoS is that it's escalated. We mentioned it in the full-year trend report, but it actually started in this year with using amplification attacks, where they've been able to use a technique similar to what started out in the 90s as a Smurf attack for attacking networks, but this is a DNS amplification attack. I send a request from myself and I spoof the source, and instead of sending it from me I say it's from my target, so let's say we'll say it's a bank, and I send that to a legitimate DNS server, and the reply is much bigger than my request, so I can send a lot of requests and use that server to amplify my attack. So I may use kilobits of bandwidth on my side and return a huge amount on that side by using distributed DDoS. Those went up to 300 and 500 gigabits a second of DDoS attacks this year, and the problem is there are sort of people...

30:00 Caleb Barlow

And the point is that it can take just anybody down, right?

30:04 S

Right, and as Peter mentioned earlier, sometimes you have to ask what's the actual cause of the attack. Is it really a DDoS? Is that really Anonymous trying to knock your bank offline for some higher purpose or some calling that they have, or was it a distraction technique to waste your resources, not your -- technical resources but your personal resources? So your technical guys are scrambling to figure out what to do for DDoS, and I know they're gonna make a mistake, or is the DDoS causing the firewall or the router to choke and they are gonna lighten the filtering to try and knock it out, or they're gonna just switch to a different feed end that might bypass some security controls. Sometimes these DDoS are the smokescreens.

30:51 S

Yeah, they're a great blinding attack, and the problem there isn't what the receiver can do, it's the fact that everyone else in the world, basically 95%, don't have their DNS tuned properly to help block a lot of this amplification.

31:11 Caleb Barlow

So ultimately, what you're saying, correct me if I'm wrong here, the attackers are using the DNS system and DNS providers to amplify their attack, right? They're using the system that's in place to actually cause this amplification.

31:30 Caleb Barlow

So, are there steps that organizations can take to help address this kind of new amplified attack?

31:39 S

Yes, I mean, they outlined a lot of specifications. I mean, if you talk to the folks at NANOG and elsewhere, the techniques for doing this are known. There are challenges, because you have to really work it through to work for you, and so it's not a light task to do, with the problem that no one is doing it, and that's allowing the attacker to really have his way using the system against us.

32:07 Caleb Barlow

I often -- maybe I'm being too overly simplistic with this but I kind of view this as the new form of organized protest, right? I mean if you're engaged in a business that's going to do something, that's gonna upset a large number of people and historically, you'd have people protesting with picket signs outside of your company. Now it's like everything else we do it electronically.

32:33 S

But that scenario of focus scale, I mean, that is not just a protest. That one was certainly there and it's a good percentage, but you find that the criminal element is using the same attack methodology to attack organizations to get in and steal, and there are others who use that because they're trying to break in and compromise systems or to gain access to secrets and intellectual property. So don't think it's just half of this; it's much broader than that. They are certainly there and it's been a large.

33:09 Caleb Barlow

So your point is (crosstalk) stress on this system to see what breaks?

33:12 S

Exactly and that's where others are learning from. The underground learns very well and take the example. They are not afraid to buy from each other or to loan each other that type of information.

33:29 Caleb Barlow

Okay, so as we see DDoS attacks grow, as we see kind of these new forms of social attacks emerge, what about old techniques? Do you think we're seeing some old techniques continue to be out there or continue to grow, things like cross-site scripting and SQL injection? I mean, what's your general feeling -- kind of the old school here?

33:58 S

In the army, they have a saying: you want a new idea? Read an old book. In many respects all the attack techniques still work for a lot of different reasons, but the easiest thing to do is, when the attack technique stops working effectively, and note the key word is effectively, they rotate to something else, so eventually they have to come back around because people forgot to block that, to patch for it, or in some cases their point product license expired, and a couple of years later, hey, everything works anew again.

34:41 Caleb Barlow

Have you seen anything surprising around basic security practices, like reusing passwords? I mean, are efforts to educate people making a difference, or do we still see this cause the same problems out there?

34:57 S

You know, things like password efforts are good to a certain point. The problem is, how many passwords does an individual have? Most individuals have up to like 40-some passwords. You can't manage 40-some passwords, so the problem is people haven't gone to a federated ID. I mean, that's probably the reason for the National Strategy for Trusted Identities in Cyberspace. But that's about getting you something that is a better ID that you can use around, and it is type __35:27__ access. So we have real problems around that, in how to manage that in a technical sense to allow people to do it easily. People take the path of least resistance, and we have got to use technology and make that an appropriately secure one.

35:45 S

Well, with passwords, we also see the added complexity of -- there are so many places, both businesses that people are employed at as well as those they use to consume information or to purchase from, that have different password formulas and policies, and so, you know, it's actually quite difficult for an individual to mentally manage these combinations of letters and characters and uppercase and lowercase and symbols and stuff like this, versus maybe longer streams of relatively short words all crammed together. But nevertheless, I mean, experts let us recommend using something like some sort of password lockbox, or remember one really complicated one and then you can store all of the rest of yours. However, not all of them are created equal, and particularly sophisticated attackers might be able to break into some of these.

37:06 S

You know, Caleb, you asked if things were getting better and things were changing, if people are changing behaviors? Notice some of the companies, I don't know if the rest of you have noticed, but I notice there are a lot more of the things that I deal with personally, like Dropbox, offering a two-factor authentication app or switching to two-factor authentication for account changes. I think a lot of companies are realizing that there are gonna be data breaches and passwords. They're gonna get out there and customers might have reused the passwords, so they're adding an extra set of technical challenges. They're not all perfect, and we can do things to even make two-factor auth broken if we want, like sending our two-factor codes to a Google Voice number so it comes in as a text message, or it comes in as an email, but now it's going back to that email account that might have already been compromised. But I think it's a change. It's positive. It does add more security to our accounts.

38:10 Caleb Barlow

Absolutely. Now let me ask you a somewhat provocative question that somebody posted earlier today. So we talk about all these social engineering attacks, these new ways of thinking about trust. Can we successfully educate people to not click on that link, to think when they get these highly sophisticated social attacks at these watering holes, or is the education side of this just not gonna work and are we gonna have to do this with systems? I mean, I've got my own views and I'm curious about yours.

38:51 S

I'll jump on that grenade first. In some ways the education is useful, but when it comes to targeted sophisticated attacks, I agree with the side of the house that says there are better places you should spend that money than spending it on ongoing and recurring training for end users. Honestly, we should get to a world at some point where an end user can click any link he wants and we should take care of it with our network controls, our system controls. We should be protecting our users. We're not there yet with everything. So there is some need for education, but I don't think it's the magic bullet everybody tends to think it is. (Crosstalk) on that one. You know, I'm not gonna cede the territory easily. People will not take security seriously until it hurts them, unfortunately. That seems to be the trend: until you experience the __39:55__, you don't know not to do certain things. Here's an analogy. How many people download? Think of the watering hole attack. One developer, I go up to this other place and I pull something down into my organization; I have probably 10 others who are gonna do the same thing. Why do we have to have 10 or 11 people downloading? That's a matter of -- we should have a single download to bring it in internally and know what to do there. The second part of that is, who ever checks the checksum to see if it's really the right package? We just assume because we went somewhere and they had it. It's faith. We have made an assumption. How many people will take a tiny URL and use a different plug-in to find what the full URL is, and stop clicking it, you type your way in. So these are techniques to help make yourself more secure, but we're so jammed with so much information and data that we don't take the time, and we've gotta educate people on that.

40:56 S

Now, I take Michael's point very seriously about -- you know, do I trust the user? No. Am I gonna verify? Oh, yes. But I don't believe that that layer by itself is gonna be sufficient. You have to look at this as how am I gonna defend the layers, and then how am I gonna tell that someone's trying to access my data and stop it before it goes anywhere? So seeing that the network control and/or the user by themselves are gonna be the line of defense, that's the be-all end-all. I think it's really hard to come up with a great goal, but you have to defend the layers and you have to realize that the sophistication of the attacker isn't a technology sophistication; it's a matter of his being able to be persistent and study long enough to find out the way around that particular roadblock. (Crosstalk) that's the best way that you can tell that you have a problem.

41:57 Caleb Barlow

Okay, Robert, how about you? How do you feel about this?

42:00 S

Well, I think it's a fascinating question and my initial gut instinct is to respond that it's always a good idea to have some amount of customer or end user education on security. I think, you know, Pete had a number of good suggestions. I don't really know that they would actually stick even if you were to really make a concerted effort to explain all these things, because it ultimately requires more steps, and it's sort of like a lot of people still don't use password managers like I just spoke about a few minutes ago. And so I don't want to get too far away from the idea, because I do agree it's part of a good layering of security controls, but at the same time, as we -- you know, for example, talking about abuse of trusted relationships, I think that there are going to be instances in the future where people are so dead set on that trust that even with technical controls in place they will work around everything in front of them, because everybody to some extent has had a bad experience with a security control, whether that was an AV false positive or over-blocking with some sort of net-nannyish kind of web filter or some other sort of control where they had a legitimate need or interest and they were prevented from doing so, and that I see as being a really tough problem to solve.

43:59 S

Again, let's just look at it as sort of a layered opportunity where you sort of start there with education, but you know, as you work across this path there you then have other potential controls in place. Yeah, hopefully there is something there to protect against everything, but I feel that it's sort of the last frontier for us to protect against, that abuse of trust in relationships.

44:28 Caleb Barlow

Alright, well, let's just go around the __00:44:29__. Are there any closing thoughts? Michael, let's start with you.

44:37 S

I guess to close up -- I like Peter's comment about if you wanna find a new method, read an old book. We do find a lot of the old techniques, whether they're from the physical world or from the electronic world, being used again. Hackers don't need to reinvent new tech, new methods; they just use the new technology and use the existing methods and our psychology of how we deal with things like social and mobile. It's impacting our guard and how we look for these attacks.

45:14 Caleb Barlow

Alright, Robert?

45:15 S

Alright, you know, I think I'll continue that thought in relation to the web application security domain. We still see a lot of, for example, SQL injection, PHP exploitation, cross-site scripting that can be leveraged towards breaking into servers, and I think there should be a paradigm shift, because it is so well understood that it should have long since been resolved, but it hasn't, and for organizations out there it's really critical to have a full catalog of the web applications you're running, the web servers, the database servers, __46:00__ as well, and if you're running content management systems, what plug-ins do you have with these content management systems, because that has been a really strong opportunity for attackers to find bugs in content management system plug-ins and take advantage of the longer patch lead times that those developers tend to have relative to the major CMS providers themselves.

46:35 Caleb Barlow

Okay, well, gentlemen -- oh, excuse me, Pete, you. What are your closing thoughts, aside from reading old books?

46:42 S

Well, you know, we have this problem where we're in this mentality that we can't win. And I think that's so wrong. The bad guy has all the opportunities to pick one spot. Well, yeah, got it, but what we're missing here is the fact that with the social movement and wave that we're seeing in technology, we have a user problem, and that user does understand risk management. We have to articulate that. We have to understand that. Now, we have to gird that with technology that assists and helps verify and protect. I mean, I'd love to have the patent on the electroshock return for a password click on malware. That would be great, I would make money on that, but this is not someone else's problem. This is our collective problem, so as individuals we have to learn what's going on here and we have to figure out that we're part of that solution set, because we have a risk problem. We can't secure everything that's end of grade because we have too much of everything and because of the way we're doing business. So we have to change that and not allow that attacker free rein. We have to limit his rein, and when we realize that we will be able to turn the tide and feel that we're winning as opposed to being defeated here.

47:52 Caleb Barlow

Okay. Alright, gentlemen, well, thank you all for joining us yet again, and of course we'll probably be talking with you all again in another six months or sooner when we do the next X-Force team research report. And if again folks want to learn more about the upcoming road show where you can meet some of these individuals and other folks of the X-Force team, or would like to get a copy of the report, the links to that will be in the description of this podcast. Thank you for joining.