Good afternoon, everybody. Thank you for joining today's presentation. My name is Kamran Salour. I am a data privacy and cybersecurity attorney at Lewis Brisbois, and as part of what I do day to day, I help companies respond to all types of data security incidents. The question I get all the time is: what can I do as an organization to prevent a breach from happening? So I figured I would gather all of the answers I've given to people throughout the years and put them into this type of presentation. Today's presentation is "So you want to prevent a breach," and how do you go about doing that? Before I go in depth into the answer, I want to give you a little background on who I am, so I can add a little weight and authority to the response. As I mentioned, I am a data privacy and cybersecurity attorney. I've helped companies respond to hundreds, if not thousands, of data security incidents. If you could put what I do into a sentence, it is this: I help companies respond to "breaches." You'll notice that breaches has that term in quotes, and I'll explain why I have it in quotes in a few minutes. But that's really what I do, and that's what I'm going to focus today's presentation on: letting people know what you can do to start to prevent one.
We're going to talk about four things today. The first thing we're going to talk about is the term breach itself. You'll notice I have the word "breach" here in red with quotes, and I'll explain why that is in a moment. As we go through this presentation, be mindful of when the term breach is in red, because it's going to have a different meaning than when it is not in red and without quotes. So the first thing we're going to do today is define breach: what does it mean, and what does it mean in different contexts? The next thing we're going to talk about is really the focus of today's presentation, and that is how do you prevent a breach? Because that's the question on everybody's mind. You hear in the news about the dark web, you hear about ransomware, you hear about all different types of breaches and the impact they have on organizations, and really, what can you do to prevent it? That is always the number one question I get from my clients. After we talk about ways to prevent a breach, we're going to talk about ways to reduce the likelihood of a breach, because one of the hallmarks of data security or cybersecurity is to have a layered approach.
You always want to have as many barriers to entry for the bad guys as possible. I like to think of it as a house. If you have one house that's dimly lit, there's a window open, the front door is ajar, and you have a criminal walking across the street, that looks like a pretty good place for the criminal to go in, see what's inside, and take something that might be of interest. Right? It's dimly lit, so you assume nobody's home. The door is ajar. There's a window open. There are not a lot of barriers to entry for the bad guy to get in. Now juxtapose that with a house in the same neighborhood where the windows are closed, the lights are on, the door is locked, there's a security sign in the front that says "protected by X security company," and you have a Ring doorbell that, when you walk by, says you are being recorded. Chances are the bad guy is going to pass that house and go to a different house. And why? Because it seems like there are a lot of barriers to entry to get into this house. So when we talk about cybersecurity and breaches, and preventing breaches and reducing the likelihood of breaches, a lot of it can be distilled down to creating different and multiple barriers to entry. We're going to talk about that in part three of today's presentation.
And then finally, we're going to talk about ways to minimize the impact of a breach. That is the scenario in which, notwithstanding the best efforts you put forward as an organization to either, A, prevent a breach from happening or, B, reduce the likelihood of a breach happening, sometimes a breach happens. There are ways that you can prepare yourself as an organization to minimize, or at least reduce, the impact of a breach. So we're going to talk about that as well. Now, before we go into part one of the presentation and talk about defining breach, I want to make clear that right now I'm using the term breach rather imprecisely. Breach has a legal definition based on the applicable law, but it also has a colloquial meaning that people often use, sometimes synonymously with the term hack, or interchangeably with the term hack. So be careful as we go through this presentation: sometimes we're going to talk about breach from a legal standpoint, and sometimes we're going to talk about breach from a colloquial or non-legal standpoint. Let's talk more about that right now as we delve into part one, defining breach. Obviously, to define something, we need to know what it is. That's the whole purpose of doing a definition. So, the term "breach," which I have here in red and in quotes.
That's using the term colloquially, without the legal definition. When people think of breach outside of a legal domain, they are typically thinking about a hack, some sort of unauthorized access. It could be that somebody got into your email and sent out emails on your behalf. It could be a ransomware type of situation. It could be something in between. But basically, I like to think of it almost as a hack, where somebody got into your environment. We don't know at that point, in a legal sense, if the unauthorized access by itself is going to constitute a breach as you would define it under the applicable laws. So let's compare that to breach, which, as you see here, is not in red and has no quotes. This is when we use breach from the legal definition standpoint. Now, we're talking only about US law here, so other laws are going to have different terms and different definitions. One thing that complicates the definition of breach, and I think adds to the confusion when we're talking about breach, is that in the United States you have 50 states, and you have D.C., and you have Puerto Rico and Guam and the Virgin Islands. So in total, we're talking about 54 different laws, and those 54 laws all define breach somewhat differently.
There's obviously a lot of overlap, but at the end of the day, when we're talking about breach, we'll distill it down to this: the unauthorized access to and/or acquisition of personal information. Some states are going to define a breach as unauthorized access to personal information. Some are going to require unauthorized acquisition of personal information. The difference there is that access is a situation where a threat actor may get into your environment and, once in that environment, may be able to peruse files that contain personal information. Acquisition, by contrast, would be the threat actor getting into your environment, perusing files that have personal information, and then taking those files, removing them from the environment. That is the acquisition part. So when we're talking about how to prevent a breach from a legal standpoint, you can see that the key is going to be personal information, because you can have unauthorized access to your environment, and you can have unauthorized acquisition of information from your environment, but the trigger, when we're talking about a breach in the legal sense, is the personal information. Now, I wish I could tell you there's one definition of personal information across those 54 laws I just mentioned. Of course, there is not. The definition of personal information is going to vary somewhat across those 54 different definitions and laws.
In general, personal information is going to be Social Security number, driver's license, and account information with a means to access it. What does that mean? Think of your credit card, where you have your credit card number, you have the expiration date, and you have the code on the back. If those elements are involved, that's typically going to fall under the definition of personal information. Of course, with everything I've just said, I'm summarizing 54 laws here. Obviously, if you are in a situation like this, you're going to want to look at the specific law that applies to determine if personal information is involved. But for our purposes, we're going to define it very broadly and very generally. So, again, I started the presentation by talking about breach and whether a breach can be prevented. People come up to me: "Kamran, I know you're a cybersecurity lawyer. I'm worried about cybersecurity. I hear about all this stuff in the news about ransomware attacks. I'm worried about my company. I'm worried about my employees. I want to prevent a breach. Can I prevent it?" And the answer I'm going to give you is yes and no. It's really going to depend. It's a little bit of a trick question, or maybe, better put, a trick answer. What the answer depends on is how we are going to define breach. If we are going to define breach from a legal standpoint, are there ways to prevent a breach? Absolutely there are.
If we're going to define breach from a non-legal standpoint, are there ways to prevent a breach? No, but there are ways to reduce the likelihood of a breach, and there are ways to minimize the impact of a breach. So we're going to talk now about how you go about actually preventing a breach, and then we're going to talk in parts three and four about minimizing the likelihood of a breach and minimizing the impact of one. So, part two: ways to prevent a breach. Before I delve more into part two, I want to use this as an opportunity as well. A lot of times I have clients who come to me when we're in the midst of, let's say, a ransomware response, and we're talking about ways to respond to the ransomware situation. Sometimes they'll say, "Well, I heard about this third-party company that guarantees they can prevent a breach," or guarantees they can decrypt encrypted information. So I say this almost as a public service announcement: be wary of claims that "we can prevent a breach" or "we can decrypt encrypted information," because they're playing with words, just like I am here, and I'm not trying to do it to trick anybody.
I'm trying, in fact, to shed light on how you can be tricky with the use of the term breach. So I'm going to talk to you in a way where, yes, you can prevent a breach, and when I say breach, I mean a legal breach. You sure can. There are really two ways to do it. One, the simplest way, is don't collect personal information, because, if you recall, a breach from a legal standpoint cannot arise unless there is unauthorized access to or acquisition of personal information. If you take personal information out of the equation, you're not going to have a breach from a legal standpoint. Good luck, though, operating a company without any personal information. That's going to be very difficult to do, because chances are you're going to have employees, and you're going to collect personal information from those employees as part of your onboarding process. Right? And from a business standpoint, chances are you're going to collect payment information from vendors, and even from employees, in terms of paying them as well. So it's very difficult to be an organization that does not collect personal information. There are some workarounds for that, right? You could have all of your personal information collected outside of your network. You can have it housed in the cloud or with other third-party storage, where they're handling all of the HR and all of the financial information.
That's a way around the "do not collect personal information" approach. So I don't want you to think that it's hopeless. Right? Because you do need personal information as part of your organization, but you can avoid collecting it in your own environment. That's really probably the easiest way to prevent a breach. But that only prevents a breach from happening in your environment. Those third parties, the cloud, are all susceptible to unauthorized access as well. So you could have a breach of the personal information, but it's happening on a third party's network. That's a discussion for another day, of course. But really, the simplest way is don't collect personal information. The second way is to encrypt the information that you do collect. This one might be a little easier to implement if you're a smaller organization, or if the amount of personal information you collect is relatively small. Some organizations have very robust encryption policies and procedures in place, but in my experience, it is not used as often as one would hope. There are reasons for that. There are cost reasons, there are performance reasons, but it's an often overlooked area of security. And remember, going back to that house theme, encryption, if we're talking about data security, would be something like having a safe inside your house. So if a bad guy got into your house, went into your closet, was trying to get jewelry, and realizes, oh, the jewelry is locked in the safe, that's an extra layer of protection against the bad guy being able to take the jewelry out of your home. Similarly here, think of encryption as another layer of protection. The reason encryption prevents a breach is this: let's say the threat actor, the bad guy, gets into your environment and is able to find files, and those files are labeled, let's say, "Social Security numbers." But it's an encrypted file, and the bad guy doesn't have the key to unlock the encryption. So what the bad guy sees when he opens the file is just a bunch of gibberish, essentially. While theoretically the bad guy has access to, or has perhaps acquired, the Social Security number file, in reality it means nothing. You can't use that information. It's gibberish. You can't decipher it. So from a legal standpoint, this would not constitute unauthorized access to or acquisition of personal information. All of those 54 laws that I talked about have an encryption safe harbor, if you will, which means that if, in fact, the personal information that has been accessed or acquired is encrypted, then as an organization you don't have any notification obligations, because a breach has not been triggered, because essentially that information is useless to the bad guy, and the bad guy can't sell that useless information.
The bad guy can't use that useless information. That's why encryption is another way to prevent a breach. And again, I'm using breach here in the legal sense. I'm not talking about unauthorized access to the environment. I'm talking about unauthorized access to or acquisition of personal information, and in this instance, because the personal information is encrypted, it doesn't constitute a breach. As I mentioned, encryption is something that I rarely see in my day to day when I'm helping organizations, and it's a little bit disappointing, frankly, because there are different levels of encryption. And again, going back to what we talked about at the outset, cybersecurity is really about creating hurdles to entry, creating hurdles to access, making it as difficult as possible for the bad guy to get into the environment and take stuff from the environment. That's really the key to cybersecurity, and one of those layers, one of those hurdles, that we can put into place is, in fact, encryption. So there are multiple types of encryption. We're going to talk about a few of the more common types, and I'm only going to talk about encryption on the sort of existing devices that most people have. Of course, there is a bevy of third-party organizations, software, programs, you name it, that can do encryption, and they can do it at a device level and at a file level.
I'm not going to talk about those here. I'm going to talk about encryption on a computer, really from a Windows operating system standpoint, because that tends to be the one most people have, and I want to leave you today with knowledge of how to actually implement some encryption. So it's not just some theoretical notion that, oh yeah, if I encrypted files, then in fact I could prevent a breach, or reduce the likelihood of a breach, if we're talking in a non-legal sense here. So let's go through some actual ways to encrypt. We're going to talk first about full-disk encryption, and that's really encryption from a hardware standpoint. If you have Windows 10 or higher, then it's equipped with something called BitLocker, which is a way to encrypt the hard drive. So why is this important? Let's say you leave your laptop at a coffee shop. You leave it in an Uber. Obviously, that's not something you want to do, but what you want to do in any type of situation is prevent the breach from happening and, of course, reduce the impact of the situation.
So in this situation, you've lost your laptop. It's obviously embarrassing, and there's obviously going to be information that you've lost. But if the hard drive is encrypted, then whoever gets it cannot access the information on the hard drive, which is wonderful from a cybersecurity standpoint, because it becomes useless information to the person who took the laptop from you. And you can do this in five very easy steps, as long as you have admin access, and administrator access is what I mean when I say admin access. Typically, if you're in an organization, they will do this for you when they issue you your laptop. But if you're running a smaller organization and you are the administrator, this is how you can do it. You sign into Windows with your administrator account, you go to Start, you hit Settings, then Update & Security, then Device encryption. That's it. You open the Device encryption setting, and if it's off, you turn it on. It's really as simple as that. By doing that, you have now encrypted your hard drive. It's a very simple step to take to protect the contents of the information stored on your hard drive. So in a situation like this, if you had an encrypted hard drive, you're not going to have a breach. Now, there's a limitation to full-disk encryption, and that is that we're talking only about the disk level. So metadata, file structures, content within the files is still accessible. And if we're talking about logging, which can be very important in the context of a forensic investigation, you're not going to have very granular logs by doing this process. But that's okay, because we're going to talk about file encryption. So let's talk about file encryption now. When we talk about encryption, sometimes people dealing with cybersecurity can get the feeling that, oh gosh, this is so complicated, this is so complex, I don't understand, I don't have the mental capacity to understand what's going on. Nothing could be further from the truth. As I tell people all the time, if I can understand what's going on, you can understand what's going on. I have no real technical background, but I'm trying to simplify this so anybody can really conceptualize and visualize what encryption is about. So I have this little graphic here on the side. Essentially, think of encryption as a key and lock type of situation. If you've encrypted a file, the file is just going to read as, and this is a technical term here, of course, gibberish. It's indecipherable. It's not going to appear like anything; it's not going to be able to be comprehended. The only person who can understand the contents of the file is the intended recipient of the file, who, in essence, has the key to the lock. So if I'm sending the file encrypted, I've essentially locked it, and the intended recipient of the file has the key to unlock it. The nice thing about file encryption, as opposed to just disk-level encryption, is that we're also going to conceal information about metadata, about file structure, about directories as well. And from a logging standpoint, we're going to have a lot more granularity when it comes to our logs. But just think of it as a key and a lock, or, to rephrase, think of it as a lock and a key. The person sending the encrypted file has it locked. The person receiving the encrypted file has the key to unlock it and make it readable and decipherable. Anybody else in between cannot see what's happening; they can't intercept it and read the contents of the email. Think of it also like those commercials for WhatsApp, where they talk about sending mail that's open, because on your standard text messaging, the messages are not encrypted, so anybody could intercede and see the contents, whereas, per those WhatsApp commercials, it's concealed so nobody can see it. It's similar to that concept as well. I want this to be an informative session, but I also want it to be practical.
A lot of people talk about, oh, did you encrypt the file when you sent it? And a lot of people don't know how to do that, which is perfectly fine. So I'm going to put in here some instructions on how to actually do it. One way is through the Encrypting File System, which is part of the business versions of Windows. Again, there are other ways to encrypt files and folders. I'm just talking about Windows here because I think those are going to be the most ubiquitous tools available. We're really going to talk about four very easy steps. We're going to take the folder, or the file, that we want to encrypt, it doesn't matter which. We're going to right-click on it. We're going to select Properties. We're going to click Advanced, and we're going to select Encrypt. That's it. So these are the steps: you right-click on the folder, you go to Properties, you click Advanced, and you'll see in that little box the button "Encrypt contents to secure data." Once you hit Advanced, you just click on that check mark, and now your file is encrypted. Very simple. Four simple steps: right-click, Properties, Advanced, Encrypt. And it's important to encrypt the files that contain sensitive information. Frankly, I know you're not supposed to use your work computer for personal things. I know that's the rule. I know that's the best practice. That said, I know plenty of cybersecurity attorneys, not myself, of course, of course not, but I know many cybersecurity attorneys who use their work laptop and put personal documents on it. At minimum, encrypt those documents, because I don't want people at work, again, this isn't me, because I don't do this, but I wouldn't want people at work being able to theoretically have access to my personal information. So I want it encrypted, and God forbid I lose my laptop, I know it's encrypted. The hardware is encrypted, but I still want to have this level of encryption on my files as well. So that's one way of encrypting at a file or folder level. Another way to do it is just through Microsoft Office. Very simple as well: five steps. The other one was four, but we'll do five in Office. We're going to open a document in Word. We're going to click File, click Info, click Protect Document, and Encrypt with Password. So, very simple. We're in Word, we click File, now we've clicked on Info, we've clicked on Protect Document, and we scroll down and encrypt with a password. Very simple. And this way we have a password-protected document that's encrypted. I tend to do this when I'm having to send information that has no personal information. Obviously, I don't like to send personal information. Sometimes I have to, and if I have to, and I'm not able to use a secure FTP site, I will then send the information password protected, so the intended recipient is the only person who can have access to it. Sometimes I'll use Office to do it if I'm just in a Word document. Again, very simple to do, and something that should be done, frankly, more often. Now, I know you're probably thinking about email encryption, at least I hope you are, because we've talked about documents at rest, we've talked about files, and now we're going to talk about documents in transit. One thing with email encryption is we shouldn't overuse it, because sometimes email encryption is a pain. I'll be the first to admit that if I get an email from a client and I have to type in a password or go through a share file to get access to the email, and the email says "Can we meet at 3:00 pm?", it gets a little cumbersome. That's probably one of the reasons why encryption isn't as widely adopted. That's always one of the issues when you're talking about cybersecurity: you're trying to find the balance between those hurdles and barriers that we talked about and practicality. Right? So let's go back to that house example again. It's one thing if you lock your doors, you have a Ring camera, you have a security system, and you have a sign in the front yard. But what if you added, what's so much better, let's put gates, 3 or 4 gates, let's put bars, let's put 5 or 6 locks on the door. Let's say you leave the house, you lock everything up, you go to your car, and you forgot your wallet. Now you've got to go back. You've got to open the gates, remove the gates, undo 5 or 6 different locks just to go inside, get your wallet, and come back. Over time, there's going to be a time where you say, forget this, I'm just not going to lock this. I'm going to bypass some of this, because it's just a pain to go through all of it. So from an organizational standpoint, you always want to find the right balance between having effective cybersecurity and having the right level of cybersecurity. Because if you make it too onerous and too cumbersome, then people are going to look for ways to go around it, and that obviously defeats the whole purpose of the cybersecurity. So let's talk about email encryption.
Easy. You open up Outlook, you compose the email, you add who it's going to, the body, everything, just like normal. That's step one. Step two, you go to Encrypt, which should be right there in your Options settings: you click Options, and you should be able to see Encrypt. Then, when you go to send the email, you will see that it says "Encrypt-Only: This message is encrypted. Recipients can't remove encryption," and it goes to the intended individual. Again, very easy to do. It's already in Outlook, and it's something that can be done more often, but it should be used, I don't want to say sparingly, I want to say appropriately, because if you are sending encrypted emails all the time for things that don't warrant encryption, it's just going to frustrate the recipient, and they're probably not even going to look at the information, or they're going to put it off, because it becomes a pain to access encrypted emails at times. So be careful with the use of email encryption. Okay. So we've talked right now about preventing a breach, and that was breach in the context of the legal definition, where we're talking about preventing unauthorized access to or acquisition of personal information. Really, the best way to summarize it is: don't collect personal information, or if you do, encrypt it. And we talked about different levels of encryption.
And again, you can talk about encryption for hours and hours, and there are many other ways of doing encryption. I just wanted to highlight some very simple, easy ways that anybody could do as soon as they see this presentation. But now I'm going to shift the focus of the presentation to breach, but breach in a non-legal sense. I want to talk about minimizing the likelihood of there being unauthorized access into your environment in the first place. We're talking about breaches in the sense of unauthorized access. Again, this is the topic of many books, of many presentations. This is something we could spend hours and hours on. But what I've done is distill it down to really five high-level points that I see on a regular basis. Again, I do this day in and day out. I see many hundreds, if not thousands, of organizations that have had a breach, and when I say breach here, I mean unauthorized access. They've had that happen. And these are some common things that, had these organizations employed or done them, the likelihood of them being breached would have been much less. Really, the first thing I talk about is avoiding common entry points. This goes back to the example of the house. If the burglar is walking down the street and sees the house with the window open, the door unlocked, and cash on the dining room table that you can see from the outside, that's an attractive house for the bad guy to go after. A lot of times the misconception comes into play in two ways. One is that you're a smaller organization, so you don't need to worry about cybersecurity, because the threat actor isn't going to target you. They don't know who you are, there's no reason for you to be on their radar, you're small, you don't really count, so you kind of let your guard down. Another misconception is the notion that because you were the victim of an attack, the threat actor somehow picked you out for some sort of personal reason. While, of course, there are some very targeted attacks, those are the exception. Typically, a threat actor is going for the low-hanging fruit, and that's the common entry point. You talk about an open port. You talk about not having multifactor authentication. You talk about situations where there's a known vulnerability in a certain piece of software and you haven't patched it. Those are very easy, low-hanging fruit for a threat actor to exploit. So you want to avoid that low-hanging fruit. That's really, first and foremost, something every organization should have in place. The next thing you want to do is secure your perimeter. That means you want to limit access into your environment.
And there's a number of ways that you can do that. The other thing you want to do is secure your endpoints. And when I say endpoints, I really mean basically servers and computers. We want to have visibility into those endpoints to make sure that they are being monitored for suspicious activity, and not just monitored, but having somebody who, once that suspicious activity is detected, is alerted to it and able to respond accordingly. The other thing that we want to do is, let's say for whatever reason the threat actor got into our environment. We want to minimize their ability to move laterally. And that really means, let's say they got in through server A, we want to do everything that we can to prevent the bad guy from being able to jump from server A to server B and server C and so on. We want to really minimize the ability of the bad guy to move around laterally. And then the other thing that we want to do, which is often, again, overlooked, and that's because, you know, I understand security for many organizations is viewed as just a cost, is periodic testing to see if what you have in place is actually working as intended. I can't tell you how many times I've dealt with an organization that
swore up and down that they had all this great security in place. And of course, there was an attack. And as part of that attack, they realized that what they thought they had in place wasn't working as they had believed it to be working. And part of that was because they didn't test it, they didn't audit it. And so you kind of lull yourself into a false sense of security by putting things in place and just leaving them there. So it's very important to have, you know, periodic testing, and not just penetration testing, but auditing as well of the type of, you know, policies and procedures and infrastructure that you have. And so, you know, I talked a little bit about common entry points. Remote desktop protocol is something that is pretty standard. There's an open port, port 3389, that allows you to access the desktop computer from outside of the office, essentially. That's sort of why it's called remote desktop. And the way to do it is through that port, 3389. Bad guys can search for open 3389 ports and they can get into your environment. And that happens quite often. Almost invariably, when I'm dealing with an organization that's been the victim of a ransomware attack and I learn that they have open RDP, which is short for remote desktop protocol, that's, you know, 99 out of 100 times,
that's how the bad guy got into the environment. And so what do you want to do? You don't want to have those open 3389 ports. You want to also secure remote access, because I know people need to access remotely, especially with work from home and travel and whatnot. Do so through a VPN, and make sure that VPN is, you know, password protected and you have multifactor authentication on that VPN. And that leads me to multifactor authentication. When I'm dealing with organizations that have a business email compromise, which is a term used to describe when a bad guy gets access to your email environment, whether to commit wire fraud or a phishing campaign, you name it, or they're in your environment, again, more often than not, we find out that that organization did not have multifactor authentication. Think of multifactor authentication as really a second and different means to identify or verify that you are in fact the intended, you know, user of that email account. If you go to a gas station, often you will put in your credit card, and that's your first sort of means of identification. And then they will sometimes prompt you for a zip code, which is a different means of identifying or verifying that you are in fact, you know, the appropriate cardholder. That's an example of multifactor authentication that you've probably used without knowing it. But of course, I'm sure, you know, more and more you'll see that, especially with banks, when you enroll for online, you know, payments and whatnot, or online account access to your bank, you might get a text message saying, are you trying to log in to your bank? A lot of organizations have Duo, where you'll have to verify,
yes, you are in fact trying to log in, just as a second layer. Now, MFA is not invincible. People can get around MFA, and there's a number of ways to do that. But certainly, going back to that layered approach, it's one more barrier to entry. And so having multifactor authentication is really, really important to have in place. And then a patching policy. You know, in the news right now, there's a big vulnerability going around regarding a certain file transfer tool, because there was an unknown vulnerability that was exploited. And really, to prevent the access through that vulnerability, you have to patch it. A few years ago there was the Microsoft Exchange server vulnerability, and if you patched it right away, you're probably in good shape. But I can't tell you how many organizations I've dealt with that were aware of the vulnerability, aware of the patch, but for whatever reason didn't get around to implementing the patch, and they were victims of unauthorized access. So these are, you know, very simple ways of minimizing the likelihood of unauthorized access. And one way is avoiding the common entry points.
The next thing we want to do is secure the perimeter. So we want to have a firewall in place that's going to monitor who's going in and who's going out. And you can block certain traffic from coming in based on, you know, specific IPs. You can block it based on geography. Let's say you're a Colorado company. You're not expecting people from Eastern Europe to be logging into your network. You can geofence those individuals, block those IPs from entering your environment. Again, there's ways around that, but it's a barrier to entry. Another thing to have would be an intrusion detection system, which is going to report dangerous activity that's being suspected. And then the other thing to have, of course, is an intrusion prevention system, which is actually going to identify, report and prevent potential malware from coming into your environment. So you want to make sure your borders, if you will, are protected as best as can be from unauthorized access. So here's an example of a firewall. You see the stereotypical hacker trying to get in, but the firewall in this situation is blocking based on, say, geofencing. The threat actor can't get in. Here is a description of IDS versus IPS, where, you know, in the intrusion detection system, you have the attacker trying to get in. For some reason, he's able to bypass the firewall.
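The two perimeter controls the speaker describes here, geofencing and rule-based filtering, together with the open-RDP audit from the previous section, can be sketched as a small first-match firewall model. This is an added example written for this transcript, not code from the presentation or from any firewall product; the geo table, the country codes, the "VPN concentrator" range and the rule sets are all constructed from RFC 5737 documentation addresses and are assumptions, not real networks.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for a geo-IP database (all ranges are RFC 5737 documentation
# space, so nothing here refers to a real network). Country codes are assumed.
GEO_DB = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "RO",  # assumed Eastern European range
}
BLOCKED_COUNTRIES = {"RO"}  # hypothetical geofence for a Colorado-only business
RDP_PORT = 3389


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR, e.g. "0.0.0.0/0" for the whole internet
    port: Optional[int]    # destination port; None means any port

    def matches(self, src_ip: str, port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and (self.port is None or self.port == port))


def country_of(ip: str) -> Optional[str]:
    """Look the source address up in the constructed geo table (None = unknown)."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_DB.items():
        if addr in net:
            return country
    return None


def evaluate(rules: List[Rule], src_ip: str, port: int) -> str:
    """Perimeter decision: geofence first, then the first matching rule, default deny."""
    if country_of(src_ip) in BLOCKED_COUNTRIES:
        return "deny:geo"
    for rule in rules:
        if rule.matches(src_ip, port):
            return rule.action
    return "deny:default"


def exposed_rdp_rules(rules: List[Rule]) -> List[Rule]:
    """Audit: allow rules that expose 3389 to the entire internet (prefix length 0)."""
    return [r for r in rules
            if r.action == "allow"
            and r.port in (None, RDP_PORT)
            and ipaddress.ip_network(r.src).prefixlen == 0]


# Constructed rule sets: the weak one is the "open RDP" case from the talk,
# the hardened one only accepts RDP from an assumed VPN address range.
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", RDP_PORT),
    Rule("allow", "0.0.0.0/0", 443),
]
HARDENED_RULES = [
    Rule("allow", "198.51.100.0/24", RDP_PORT),  # assumed VPN concentrator range
    Rule("allow", "0.0.0.0/0", 443),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, "internet->3389:", evaluate(rules, "192.0.2.9", RDP_PORT),
              "| geo-blocked->3389:", evaluate(rules, "203.0.113.5", RDP_PORT),
              "| exposed RDP rules:", len(exposed_rdp_rules(rules)))
```

The geofence is deliberately evaluated before the rules so that even a permissive rule cannot override it, which is the "barrier to entry" the speaker describes; the audit function is the check a practitioner would run against an exported rule base to find the open 3389 rule before an attacker does.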
Now we have the IDS creating an alert. And here, what we have on the other side is the prevention system, where the prevention system is actually going to prevent the bad guy from getting in after he penetrates the firewall. And again, this goes back to that layered approach. Maybe they get past the firewall, but they shouldn't get past the IPS. Maybe they get past the IPS, but then they shouldn't get past your endpoint detection tool, which we'll talk about right now. Here we're talking about endpoints: computers, laptops, phones, tablets, servers. A tool that's commonly called EDR is a great tool that's going to monitor your endpoints. And the purpose of that is to identify and prevent potential threats. Now, not all EDR tools are created equal, so you have to be careful. And it doesn't mean that somebody can't get past it just because you have a tool. But EDR tools are a very, very effective means of identifying potential threats. And, you know, the nice thing about these tools is, unlike antivirus, which can identify known threats, EDR tools, you know, basically take advantage of behavioral analytics. They can detect suspicious, atypical activity. So let's say, for instance, you tried to log in to your computer in Colorado, and ten minutes later you were trying to log in to your computer from Rome. That's going to create an alert, because that doesn't make any sense. You couldn't be in Colorado and five minutes later be in Rome.
Right. So that's something that these tools will be able to do. They'll be able to identify anomalous or suspicious behavior. And so they're able to sort of detect threats in real time, and they're not beholden to only being able to identify known threats. They can pick up on new threats. Now, the other thing that's very important is minimizing that lateral movement. And a lot of times what will happen is, if you don't have good credential policies in place, a bad guy will get into your environment, and once the bad guy is in your environment, he will be able to jump around to different aspects of the environment. And one way to do that is if, for instance, you give all of your account holders administrative privileges. Then if the bad guy has been able to take the credentials of that one account holder, and that account holder has administrative privileges, now the bad guy has basically access to additional accounts and can then use those accounts to leverage moving around the environment. And so one thing you want to do is limit issuance of administrative credentials. And that's really governed by the principle of least privilege, which basically means, you know, if the bad guy is sort of stuck and he needs other user accounts to bounce from one server to the next, he can't do it.
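The Colorado-then-Rome login the speaker uses to illustrate behavioral analytics is what detection engineers call an impossible-travel rule: two logins by the same account whose implied speed exceeds anything a person could do. The block below is an added example for this transcript, not code from the presentation or from any EDR vendor; the login events, the city coordinates and the 1,000 km/h plausibility ceiling are constructed assumptions.

```python
import math
from datetime import datetime, timezone
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: faster than a commercial flight means impossible


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events: List[Dict], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Dict]:
    """Flag consecutive logins by the same user whose implied speed exceeds max_kmh."""
    alerts = []
    last_seen: Dict[str, Dict] = {}
    for ev in sorted(events, key=lambda e: (e["user"], e["ts"])):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # floor the gap at one second so simultaneous logins do not divide by zero
            hours = max((ev["ts"] - prev["ts"]).total_seconds(), 1.0) / 3600.0
            speed = km / hours
            if speed > max_kmh:
                alerts.append({"user": ev["user"], "from": prev["city"], "to": ev["city"],
                               "km": round(km), "minutes": round(hours * 60),
                               "kmh": round(speed)})
        last_seen[ev["user"]] = ev
    return alerts


def _t(hour: int, minute: int = 0) -> datetime:
    return datetime(2023, 6, 1, hour, minute, tzinfo=timezone.utc)


# Approximate city coordinates (constructed sample data)
DENVER = ("Denver", 39.74, -104.99)
BOULDER = ("Boulder", 40.01, -105.27)
ROME = ("Rome", 41.90, 12.50)


def _login(user: str, place, ts: datetime) -> Dict:
    city, lat, lon = place
    return {"user": user, "city": city, "lat": lat, "lon": lon, "ts": ts}


# Constructed sample logins, not real telemetry
SAMPLE_LOGINS = [
    _login("alice", DENVER, _t(9, 0)),  _login("alice", ROME, _t(9, 10)),   # the talk's scenario
    _login("bob", DENVER, _t(9, 0)),    _login("bob", BOULDER, _t(10, 0)),  # ordinary commute
    _login("carol", DENVER, _t(9, 0)),  _login("carol", ROME, _t(23, 0)),   # an actual flight
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

Only alice is flagged: Denver to Rome is roughly 9,000 km, so ten minutes implies tens of thousands of km/h, while carol's fourteen-hour gap works out to airline speed and bob's Boulder login is a short drive. Note the rule compares against the user's previous login only, which is why events are sorted per user before the pass.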
That's a great way to really reduce the risk and the scope of the bad guy's penetration. Another thing to do when we want to limit lateral movement is to have a strong password policy. A lot of times what happens is a company has a very simple password that's easy to brute force. And brute force is really just a way where you're just throwing out different password combinations and trying to get the correct one. So if you have a more complex password policy, that increases, you know, almost exponentially the amount of time it will take a bad guy to be able to brute force the password. And so the more complicated and more complex the password is, the harder it is to brute force, and the less likely a threat actor is going to take time trying to brute force it and is going to move on to another target. A lot of times also you'll have the same password across the environment, or a repeatable one like password one, two, three, four; password one, two, three, four, five. And I wish I was making that up. I've seen that happen in real life. I had an organization whose passwords were literally password one, password two, and the threat actor picked up on that and was able to go through all parts of the environment based on that type of password policy. The other thing to do to limit lateral movement is to segment your network.
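The two credential controls in the last two paragraphs, least privilege and a password policy that resists both brute force and the "password1, password2" pattern, can be turned into checks a defender runs before an attacker does. This is an added example for this transcript, not code from the presentation; the minimum length, the class count, the 10^10 guesses-per-second cracking rate, the list of common base words and the sample account list are all illustrative assumptions.

```python
import re
import string
from typing import Dict, List, Set

# Hypothetical policy parameters (the talk gives none; these are illustrative)
MIN_LENGTH = 14
MIN_CLASSES = 3
GUESSES_PER_SECOND = 1e10        # assumed offline cracking rate against a fast hash
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
# Constructed list of base words; a real deployment would use a breached-password list.
COMMON_BASES = {"password", "welcome", "letmein", "summer"}


def classes_used(pw: str) -> List[str]:
    return [name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in pw)]


def brute_force_seconds(pw: str) -> float:
    """Worst-case exhaustive search time, assuming the attacker knows which classes are used.

    This is the 'almost exponential' growth from the talk: alphabet ** length.
    """
    alphabet = sum(len(CHAR_CLASSES[name]) for name in classes_used(pw))
    return alphabet ** len(pw) / GUESSES_PER_SECOND


def check_policy(pw: str) -> List[str]:
    """Return the policy violations for a candidate password (empty list = acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_used(pw)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    # "Password1!", "password2" and "PASSWORD2023" all collapse to the base "password"
    base = re.sub(r"[0-9!@#$%^&*._-]+$", "", pw.lower())
    if base in COMMON_BASES:
        problems.append(f"common word '{base}' with a trailing suffix")
    return problems


def excess_admins(accounts: Dict[str, bool], approved: Set[str]) -> List[str]:
    """Least-privilege check: admin accounts that are not on the approved admin list."""
    return sorted(user for user, is_admin in accounts.items()
                  if is_admin and user not in approved)


# Constructed sample environment: everyone was handed admin, only alice should have it
SAMPLE_ACCOUNTS = {"alice": True, "bob": True, "carol": True, "svc-backup": False}
APPROVED_ADMINS = {"alice"}

if __name__ == "__main__":
    for pw in ("password1", "Tr0ub4dor&3", "correct-Horse-battery-9-staple"):
        print(f"{pw!r}: {check_policy(pw) or 'ok'}, "
              f"exhaustive search ~{brute_force_seconds(pw):.3g} s")
    print("admins to revoke:", excess_admins(SAMPLE_ACCOUNTS, APPROVED_ADMINS))
```

The suffix-stripping check is the piece that catches the "password one, password two" scheme the speaker saw in the field: per-account increments all share one base word, so rejecting the base rejects the whole family. The brute-force estimate is a ceiling, not a promise; it says nothing about a password that is already in a breach list, which is why the base-word check comes first.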
And so this way, you know, it's basically a different train track. And so while the threat actor is on one track, he doesn't have the transfer to get to the other track, or the bus route, however you want to frame it. And so now he's sort of stuck in that one network segment and he can't go to the other side. That's another way to help limit lateral movement. And then another thing, as I talked about, is doing the penetration testing, which again, you want to audit what you have in place, you want to test what you have in place, you want to make sure it works like you're expecting it to work, because otherwise you're going to have false reliance on these types of, you know, protocols and things that you have in place. And that is not at all what you want to have happen, because you spent money on all of this and you want to make sure that it works accordingly, too. Okay. So now we're going to shift gears to part four, which is really about, okay, notwithstanding all of the protocols that we put in place to help reduce or prevent somebody from getting in, notwithstanding the fact that somebody got in, there's still things that we can do to help ourselves as we are navigating the process. And so we're going to talk about ways to minimize the impact.
And I'll say number one is to have cyber insurance. And cyber insurance is important for at least two reasons. One, obviously, insurance will more often than not help defray some of the costs of an incident, whether it's business interruption costs, whether it's loss from financial fraud, whether it's costs of having a forensic investigation, costs of having outside counsel involved, it'll help cover that. We'll talk a little bit more about the other benefit of cyber insurance in a moment. The next thing we want to do is know what data we have and where it is. We want to have offsite backups. We want to audit our vendor contracts. And I'm going to go into some explanation here of why. So I mentioned that, you know, cyber insurance is going to help defray some of the costs, but it's going to have two other benefits. One, to get cyber insurance, often, depending on the market, you have to have your organization in a, you know, quote unquote, good cyber posture. And that means you have to sort of get your proverbial ducks in a row, and you're going to have to establish to the insurance company that you are a good risk. And a good risk is typically one that's going to have a lot of those preventative measures, and I use preventative in quotes, of course, because it can't prevent the unauthorized access. You can only hope to limit it and contain it. But you're going to have, hopefully, multifactor authentication, you're going to have, hopefully, a patching policy, you're going to have a firewall, potentially.
You have EDR tools, so you're going to get your ducks in a row. It's going to help with cost. But maybe most importantly, it's going to put you in touch with the appropriate industry experts. I know a lot of times I come in after an organization has had their IT department try to help respond to the incident, and the IT department has gone ahead and, you know, destroyed all of the forensic evidence available. So from an investigative standpoint, we don't have a lot to go off of. A lot of times these organizations will charge a very, very high fee and work very, very efficiently. You'll have the right people that are going to lead the response. So I highly recommend you obtain cyber insurance. The next thing we were talking about is, you know, knowing what you have and where it is. That's really, you know, a very simplified way of describing data mapping. And the reason why it's important is because you need to know, when you have an incident, if the, you know, the company's crown jewels are impacted or have the potential to be impacted. And so if you know that the bad guy got into server A, but server A just has publicly available information, and server B, which has all of the personal information and company information, is segmented off from the network,
you're in good shape. Right. Similarly, if you have customers and you know the bad guy got into server A, and your customer information is in server B, and server B has not been impacted, you can tell your customers, hey, don't worry, we had an incident, but your information is safe. And what would be even better in that scenario is to be able to tell those customers, by the way, all of your information on server B is encrypted. You have nothing to worry about. There's really a lot of value in knowing what you have and where it is, because that's really going to help you in messaging when you're responding to an incident, and messaging an incident is a topic all unto itself. But knowing what data you have and where it is is really, really critical in that process. The other thing as well, when we're talking about knowing what you have, is knowing what data you don't have access to. So if server A is encrypted and you don't know what's on server A, how are you going to know whether you need to pay for a decryptor key to get access to the information on server A? How are you going to know what other documents and information you need to replicate or recreate the information on server A if you don't know what is on server A? So that leads me to number three, which is having offsite backups.
So if server A is encrypted and you have an offsite backup of server A, you're in a much better position, because now, you know, you have that information even though it's encrypted. That means from a business standpoint, your downtime is going to be reduced. That means, from the standpoint of, you know, the need to obtain a decryptor key, that process is probably going to be eliminated, or that need is going to be eliminated, because you have the data. It's going to create a lot of efficiencies. It's going to reduce a lot of stress, a lot of uncertainty for you as you go through the incident response process. But I can't stress enough: validate that your backups are actually being backed up. Lots of times I deal with organizations that tell me, we don't need a decryptor key, we have backups. That's the initial call. The next call is, we checked, our backups don't work, we need a decryptor key. I can't tell you how many times it happens. So validate that those backups are being backed up. And then the last thing we want to talk about here is your vendor contracts. This is admittedly maybe a drier subject here. But we want to make sure that, as the entity, if we have a breach on our network, we don't want contracts to require or force us to tell third parties lots of information with ridiculous timelines, because it really detracts from our response process and it creates a lot of uncertainty.
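"Validate that your backups are actually being backed up" is a test you can automate: record a hash of every file when the backup is taken, then restore into a scratch location and compare. The block below is an added example for this transcript, not code from the presentation or from any backup product; the "server A" directory tree, its file contents and the two restore scenarios are constructed in a temporary directory so it runs offline.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 at backup time."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root: Path, manifest: Dict[str, str]) -> Dict:
    """Compare a restored tree against the manifest; any missing or altered file fails it."""
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            corrupted.append(rel)
    return {"ok": not missing and not corrupted, "missing": missing,
            "corrupted": corrupted, "checked": len(manifest)}


def demo() -> Tuple[Dict, Dict]:
    """Constructed scenario: a good restore, then one with a truncated and a missing file."""
    work = Path(tempfile.mkdtemp())
    try:
        src = work / "serverA"                       # hypothetical 'server A' from the talk
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,constructed sample\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        manifest = build_manifest(src)               # taken at backup time, kept offsite

        good = work / "restore_good"
        shutil.copytree(src, good)
        good_result = verify_restore(good, manifest)

        bad = work / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "db" / "customers.csv").write_text("id,name\n")   # truncated during backup
        (bad / "config.ini").unlink()                              # never copied at all
        bad_result = verify_restore(bad, manifest)
        return good_result, bad_result
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for label, result in zip(("good restore", "bad restore"), demo()):
        print(label, result)
```

The manifest has to live with the offsite copy, not on the server being backed up; if it sits on server A it is encrypted along with everything else in the ransomware case the speaker describes. Running the restore test on a schedule, rather than once at deployment, is what turns "we have backups" on the first call into a claim that survives the second.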
So if within day one we have a contractual obligation to tell our customer about the incident, what are we going to be able to tell them? We have an incident. They're going to say, well, what about our data? Our answer is going to be, I don't know. They're going to say, why don't you know? Well, because the incident literally just happened. And so it just creates a bad dynamic and a very unproductive dialogue and a lot of stress on both sides, because the customer wants to know about its data and you want to tell them about the data, but you don't know. So you want to avoid situations like that. Conversely, on the other side, if your vendor has a breach that impacts your information, you want to have certain procedures or provisions in place where, one, your vendor is paying for all the notification costs so you don't have to pay for them, and you want to have a say over what's in that notification letter, because you want to make clear, among other things, that the breach didn't happen on your environment, it happened on your vendor's environment. And so you want to be able to have a say over what's being put in that letter. Again, there's lots to talk about when we're talking about, you know, the cost of notification and things of that nature. But you want to make sure you don't overlook your contracts, you know, what obligations you're putting on yourself and what benefits you're obtaining through those contracts if your vendor has experienced a breach.
Well, that's going to conclude today's discussion. Now, we talked about a lot of things. And ultimately, you can go to a cocktail party and tell people, I know how to prevent a breach, and they're all going to flock to you and you're going to give them the answer. And again, it's a little bit of a trick question, a trick answer, but you can prevent a breach, if you're talking about breach in the defined, legally defined sense, by not collecting or storing personal information, or by collecting and storing it in encrypted fashion. Outside of that, you really can't prevent a breach. And when I say breach here, I mean unauthorized access. That's going to almost inevitably happen in some way, shape or form. But you can make it harder to happen, and you can reduce the likelihood of the impact on you when it does happen. And I hope I've left you today with something to think about when we're talking about data security. And really the take-home, I would say, is remember the layered approach. That's number one. Number two, never let cybersecurity interfere with productivity. And that goes back to the email example I was talking about. And number three, you have been armed today with ways to encrypt files and encrypt emails, and I recommend that you use that information going forward. And thank everybody for listening. Thank you.