Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Red Flags That Could Mean You’ve Been Breached
Quick Take
On this episode of Compliance Unfiltered, the red flags are out in force! The CU guys have an important chat about some of the key red flags that could mean you have been breached! What are some red flags at the user level? What are some of the most important signs to look out for at the system level? And how can you be better prepared for a breach in the future? All these answers and more on this week’s episode of Compliance Unfiltered!
All these topics and more, on this week’s Compliance Unfiltered!
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the flagman to your compliance NASCAR race, Mr. Adam Goslin. How the heck are you, sir?

I’m doing good, Todd. How about yourself?

Man, I can’t complain. I truly can’t, and the title is a bit fitting today, as we’re going to talk about some flags, specifically, Adam, some red flags that could mean you’ve been breached.
So set the stage for the folks on this one, if you would, please.

So the reality is that there are organizations, like there was one recently, Pure Foods, it’s a meal delivery service. You know, they had a data breach that exposed 1.2 million customers’ worth of data. And although they were breached in January, it wasn’t until July that they said, hey, we have a problem. And the attackers, meanwhile, you know, had six months of unhindered access to whatever they wanted. So, you know, the details are sketchy, but they apparently started seeing signs of suspicious activity back in February. And it’s not real clear what was going on between February and July. But if they’d taken action at the first signs, well, then, you know, they would have been able to kind of prevent a good amount of damage, probably avoided the class action lawsuit that their customers have now filed, end to end to end. So, you know, the whole point of today’s topic is kind of being cognizant and watching out for those red flags.
Most assuredly. Now, what are some of the red flags at the user level that we’re talking about here?

Well, you want the users to know what to look for. And oftentimes, they’re the ones that can spot some of the earliest warning signs. And these are going to kind of be across the board. But yeah, I would strongly recommend people training their employees on what to be on the lookout for, that type of thing. But first and foremost, erratic computer behavior. When the bad guys get into and onto systems, they start monkeying with stuff. They’ll turn off a program. They’ll change a program, change settings within programs, etc. And more often than not, the modifications they start making, so that they can do what they want to do, start causing strange behavior: shutdowns, blue screens, applications just firing up all on their own when they never did before. Slow computers, your laptop battery is suddenly just draining away, but you can’t figure out what’s going on. You could have some bad stuff running in the background. Another sign for the users is passwords not working. So I often tell the users, don’t just dismiss it: oh geez, well, my password’s not working, I need to go in and reset it, type of thing. That’s a lot of times how they get missed. But if you didn’t do anything to change your password, and you’re not receiving any message from the system that it’s time to change your password or something along those lines, then don’t dismiss it. Especially for users, let’s say it’s your email. You’ve got your email on your computer. You’ve got your email on your phone. You know you didn’t change the password to your account. But all of a sudden, your phone’s lighting up and saying, hey, I need you to reenter your password to your email account.
You know, that type of thing. So, you know, if the phone starts popping up with messages for programs that are kind of shared use between your mobile device and your actual machine, then, you know, pay attention. The strange emails, text messages, you know, a lot of times, especially with ransomware, they’ll send emails and messages that look like they come from a trusted source. You know, it may say something about an email attachment, or here, click on this masked URL and install this piece of software. It can come all over the board. But, you know, the one thing that I would strongly suggest is, if you’re not expecting to receive a message from so-and-so, then be suspicious out of the gate. You know, send them a message and say, hey, did you just send me something about fill-in-the-blank? And whatnot, but you contact them through a secondary channel. So if you received an email, give them a call. If you received an email, send them a text. You know, if they sent you a text, stop by their office, whatever. But just using different channels for validation, if you will. Also, redirected website activity. You know, sometimes there’s websites which will kind of point you off to secondary websites and whatnot, but if I’m trying to go to www.google.com, and all of a sudden I’m landing on google.cz as an example, and it’s redirecting me there, then start being suspicious. You know, especially when you’re going in and doing internet searches, that’s a lot of times where you’ll see some strange behavior.

Absolutely. Now, what are some of the other signs to watch out for with users?
Well, some other signs of a breach, and I’ll go through these in more of a, you know, kind of a list fashion, if you will, but, you know, emails that are requesting password resets, emails from unknown sources that are, you know, asking questions about user account data, random pop-ups on your machine. Your contacts are receiving social media invitations from you that you didn’t send, you know, browser toolbars that suddenly appear, missing money from your bank account. I mean, these are all things that can happen at the user level that would give you kind of an indication that there’s something afoul.

Well, what about at the system level though?

So, system level, things that you can look for on the systems that you’ve got, you know, again, similarly, making sure that your various folks in IT, system administrators, are kind of familiar with these as well. Some of them are going to appear straightforward, but sometimes you’re just not thinking about it this way. Unexplained user accounts, probably a big one. You know, if you are an organization that is doing regular and/or periodic user account reviews, if all of a sudden, whatever, I’m doing maintenance on a particular system and I happen to see there’s a new user sitting there that I can’t explain, or you’re doing your quarterly account review and seeing accounts that you didn’t create and that you didn’t expect, immediately start questioning it. You know, we want the system admins to report anytime they’re seeing strange user accounts, etc. I would far rather that eight admins raise their hand to say, we might have a problem, only to find out it’s benign. It was a new system or a new, you know, service that we put onto the machine that required this particular user account. I’d rather do that and get it onto the approved list, you know, and whatnot, than for somebody to just kind of shrug their shoulders, if you will. The unexpected software installs.
So, whatever, I’m on a database server that doesn’t typically do anything with web traffic, and all of a sudden there’s a web server installed on there. You know, that type of thing, new software that you didn’t install, you know, go ahead, ask questions. We ought to be able to trace it back through change control to find out who put this on there. And if not, you know, then what’s up? A big sign, especially on systems, is your task manager, your registry editor suddenly doesn’t work. You try to pull up the task manager and it just sits there. It doesn’t do anything, or it coughs an error. You know, things along those lines. The bad guys will try to mask their activity by not allowing the administrators to see what’s going on, so they can’t see running processes on the machine, things along those lines. So you can’t see that they’ve, meanwhile, installed this or have this service running, things along those lines. Turning off the task managers and registry editors, it just gives them more time to do more damage. I’ve actually seen this one firsthand, and it’s moving mouse pointers. I think I’ve brought it up a couple of different times on the pod before, but you’re standing at the console, you’re staring at this particular machine, and things are happening on the screen. You don’t have your fingers on the keyboard or the mouse. It’s basically somebody remotely controlling that particular system or device, opening programs, typing stuff in, executing commands. There could be all sorts of different things that you’ll see. But you see that going on? Yeah, you want to dig into that one pretty quick. It is really creepy when you’re not expecting it and you’re just seeing things moving. It really kind of freaks you out the first time that you have the opportunity to see it.
You don’t forget it.
Yeah, I have no doubt. Now, what are some of the other signs to look for with systems?

Well, some additional ones that you can keep an eyeball on: reports of excessive failed login attempts for a particular user or a particular system, antivirus programs that are malfunctioning or suddenly becoming disabled for no apparent reason. Similar to that would be, you see systems that haven’t been patched in some period of time. Maybe another one: they have disabled the auto updates for patches because they don’t want the automatic updates that would otherwise happen on the machine to overwrite the changes that they had made. Similarly on a system, if you’re seeing systems rebooting or shutting down, going offline, things along those lines, those are all gonna be signs. The computer, the network or the internet connection slowing down on a particular device, as well as when you’re seeing strange network traffic patterns or unexpected traffic. Certainly you wanna have your firewall rules between devices locked up as best you can, but for those organizations that never used to see web traffic passing from this system to that system, or SSH traffic, things along those lines, and now all of a sudden you’re seeing it, that’d be another kind of indicator or pointer that, hey, Houston, we might have an issue.
And what about at the support level? Because I mean, ultimately that’s what it’s gonna boil down to here, right?

You know, attackers will gain entry to systems with information they get through research beforehand. You know, bad actors will gather up bits of seemingly innocuous information about your company. And they may do that through contacting your staff at various levels, calling into customer service, calling into technical support. You know, it’s interesting as you set about attempting to attack an organization and you’re doing so through those channels. You know, you can get a tiny bit of information from this person, call back in and get somebody else, and now you can go ahead and get a different bit of information. Now I can string those two together, use them to start sounding believable as I’m calling in, things along those lines. So it’s actually astounding, for the, you know, kind of the dedicated attacker of systems, just how much they can pull out of those support-related conversations. So, you know, some examples in the support arena: the caller is calling in and asking what seem like harmless questions about employees or the company. You know, you start getting reports from security researchers that you’ve never heard of, wanting to help the organization out. Now, sometimes this stuff is legitimate. I’m not saying, oh, it’s an instant, you know, red siren going off, because sometimes there are some helpful folks out on the internet that do security research that, you know, actually help organizations out.
But, um, you know, if you’re seeing these reports, dig into it a little bit and see what it is that they’re seeking out of this, especially if they’re wanting to get integrated or involved with attempting to help to fix it for you, things along those lines. That’s where, you know, you start to get a little suspicious about what’s up. You know, if they’re just reporting it and want to get a finder’s fee, basically, for doing the work of reporting this to you and whatnot, then, you know, that’s one thing, but if they want to start getting system access to help you fix it, then, you know. Reports from customers and partners that are indicating they’ve seen some sort of a sign of a breach. It’s really easy for the folks that are on the phone to kind of dismiss it: well, geez, you know, no, we didn’t send anything like that, and they kind of dismiss it and move on. Don’t dismiss it. The reality is that the third parties or customers, those are a huge piece of the puzzle. And if you’re paying attention, they can be a great warning sign. You have something to miss. And probably the most startling of things that can happen is someone from the media calling into your support organization to attempt to interview someone to discuss your recent data breach. There isn’t much worse than being the last one to find out there’s an issue. So yeah, that’s always an entertaining one, if you will.
Indeed. Parting shots and thoughts for the folks this week, Adam.

Well, you know, there’s a lot of different cost-of-a-breach studies that are done, stats that fly around, etc. I personally like the one that’s done by, it’s actually a Michigan-based company that’s called the Ponemon Institute. They’ve done an annual, you know, data breach study for years at this point in the game, and one of the things actually that I like about them the most is that it’s real companies that really got breached that are the focus of the survey. Way back in the day it used to be five companies, ten companies, fifteen companies, but, you know, these days they literally have hundreds of companies that they talked to over, you know, well over a dozen different countries in well over a dozen different industry sectors. And one of the things that I really like about what they do is they break the aggregate costs of these real people that really got breached, that really had to pay money, and they break it down to an aggregate cost per record. And that way it makes it relatable to, you know, different organizations, because in my mind’s eye it is misleading to just say every time you get breached it’s gonna cost you five million dollars. Well, if I’m a small sewing and repair shop that consists of a single owner, then that’s going to be dramatically different than a, you know, retail food chain having their card systems breached, as an example. Those are going to be in different arenas. So, you know, I like the notion of the cost per record. Now, one of the findings, one of the interesting findings, I was talking about this a minute ago, is that only one third of the breaches of the hundreds of people they did interviews with, only one third were actually discovered by the company itself.
Two thirds of the time, the company was second, at least second to know, because it was someone else that found out and notified the organization, whether it was a customer, whether it was the news, whether it was a vendor, a partner, you know, whatever it may be. Somebody else had kind of figured out, hey, you have a problem, and told them about it as the main source. You know, and that could be coming in any number of flavors, right? It could be a ransomware announcement. You know, I’ve even seen instances where the FBI, because of investigations they’re doing with some other organization, now comes back over to a secondary company that they found had data floating around out there that had obviously been breached, and the FBI is actually knocking on the door and letting the organization know.
So, you know, as an organization, you don’t want to become a statistic. You need to pay attention. It is really important. Don’t brush off, you know, the red flags that the organization may see. You know, a lot of the times where it’s somebody else that ultimately raises the flag, you know, kind of the introspection that gets fascinating is that there were signs within the organization itself, but they didn’t catch them. You know, those little things that might seem benign, you know, don’t brush them off. It could be the first signs that you actually have an issue. You know, and the more adept the organization gets with paying attention to those signs, the better they’re going to be able to turn around and respond, you know, to those. It will also work as an education mechanism for the active personnel to have an idea and better hone their capabilities and skills at detecting this stuff. Training the internal personnel, I can’t overstate how important it is to get them to follow best practices, pay attention to those warning signs. Literally, the health and protection of your organization is at stake. And the one thing that just drives me nuts about some of the companies out there is that, and I’ve heard it more times than I can count, somebody is saying that, oh, this is IT, this is cybersecurity. Well, that’s an IT thing. So all these other departments, accounting and HR and customer service and da, da, da, they just basically shrug their shoulders and go, this is an IT thing, you know, this doesn’t have anything to do with me. And it couldn’t be further from the truth. Every single person within an organization needs to maintain that vigilance, needs to watch for those red flags. You are absolutely a critical part, you know, of the protection of the organization.
And that right there, that’s the good stuff. Thank you. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.