In a recent podcast interview with Cybercrime Magazine's host, David Braue, cyber expert, author of "Hacked Again," and CEO of Berkeley Varitronics Systems Scott Schober discusses the Snowflake data breach, including what it means for the affected individuals and more. The podcast can be listened to in its entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
David: Scott, thanks for joining me today.
Scott: Wonderful to be here with you, David.
David: So I wanted to talk to you today about one of the big things that's going on in cyber recently. This is the Snowflake incident, I think it's going to be known as, or there are probably a lot of names for it at the moment. But this is basically a resonatingly horrible hack of a company that's been happening. For listeners who may not be familiar with Snowflake, what is this company all about?
Scott: Yeah. Snowflake, really, fundamentally, is a cloud-based data warehousing company, if you think of it in that venue, I guess, and they have a lot of customers. In this particular hack, they had about 165 Snowflake customers that were actually hacked or compromised, and many of them are notable organizations. So when these large organizations become victims, it's a tremendous concern because they've got a lot of personal information about their customer base. And I think, especially in the recent past few years, there's been a huge shift to pushing a lot of things to the cloud because it's gotten so much more robust and more secure that large companies are very comfortable putting their valuables there. For good reason, because, in general, I think it has gotten much better. In days gone by, many of us would joke around: put your data in the cloud, and, well, that's as good as getting compromised. So, not as much anymore because they do such a great job with it, but in this case, well, I guess they let their guard down in a sense. There still are vulnerabilities and risk when it's hacked, and that's where the danger comes about.
David: Definitely. Now, hacking a cloud platform seems like it should be a little bit difficult. What's actually happened here? What have they done?
Scott: That's where it gets very fuzzy, and it is difficult to say how they actually got in. There were a few things that were identified or reported on in the gaps or security vulnerabilities that they had, and one in particular: they didn't really have proper MFA, multi-factor authentication, fully employed, which is obviously a no-no, and that's kind of common, unfortunately, within many organizations. If you trace back even the past 10 years, when multi-factor authentication was available and being used and proven to be secure, many organizations just didn't implement it fully or use it, and that's where the vulnerabilities and weaknesses are.
They also had outdated and unrotated credentials and a few other things that allowed malware to get onto their system. And I think that's really dangerous. And there were some good recommendations if you read through the one article that we were going through. Some advice, and they urge it: really have proper credential monitoring, you must enforce MFA, and only allow remote access from trusted locations. You can't open it up like the Wild West, or else you have all kinds of problems there.
David: Yeah, it's definitely an issue, and we're seeing that a lot of the time when MFA is not being used properly. But if this was a one-two punch, the MFA is the second punch. The first punch is the fact that, from what we're hearing, and people have been digging through this to figure out what happened and who was affected, these were just passwords that were kind of sitting around in many cases, weren't they? They were out there for a long time.
Scott: I don't know what I'd call that, but I guess just poor management. A lack of real clear roles there where they're managing passwords. You don't ever want to have stuff lying around, as it were. And it's hard to say because, in a sense, some of the reporting is saying, really, Snowflake's role, they're really not truly to blame. Not directly, but yet they are. It's the pointing-fingers game, I think. What happens often with many of these things, at the end of the day, I kind of say it really doesn't matter.
Snowflake has to improve its authentication system. They have to take better action, and you have to take ownership of things when you're running an organization and others are dependent upon you, in this case, for secure cloud storage. You've got to do things right, and you've got to reach out, not just within your organization, but also to your vendors, your partners, your customers, to make sure that they're all on board to keep cybersecurity tight. And I think there was a little bit of a lack of that. And that's certainly bothersome.
David: It's definitely problematic. We're hearing about credentials that basically were pulled out of previous hacks. There were infostealers that were installed on people's computers. I mean, some of these credentials, from what the reporting is saying, have been floating around on the dark web since 2020. So that means that the companies that were compromised haven't changed their passwords in four years, even though they were compromised four years ago.
Scott: Yeah. And what's the first thing that you tell somebody when you find out that you're a victim of any type of breach? Change your password, you know, go back and look at everything across the board. And most people are very complacent. They just kind of go, "Yeah, I'm going to get to that. Okay." And they don't do it. And in this case, I thought what clicked with me a little bit, too, is that sometimes, when you associate it to certain large names, in other words, those that are affected, the victims, it mentioned there LendingTree and a subsidiary, QuoteWizard, and they really handle the borrowing of money and loan operators, and negotiate terms, and help with credit cards, and deposits, insurance. Everything numbers. That means there's a lot of sensitive data that they're holding. That's a concern. Ticketmaster is certainly very big. I think it's the single largest entertainment group that really handles all the different tickets for live events and things like that around the globe. And even there, I think they said that it was about 560 million Ticketmaster customers that had their names, addresses, and partial credit card numbers exposed, and as I read that, right away, uh oh, I said, "Wait a minute. I've used Ticketmaster," so when it relates to you personally, you start to think: how could they have done that? What do I do now? Now I've got to take steps to change, so I think it spreads pretty wide. I think Santander also, a pretty big bank that's been growing greatly here in the U.S. recently, and they've got close to 150 billion in assets, they also were part of this compromise with some of the information. So it's a pretty widespread swath of victims that are very notable, some of these companies.
David: Well, this is the interesting thing. I mean, when you normally talk about a company that gets hacked, they say, "Oh, there were 1,000 clients affected." Those are the end customers that they're talking about. That's kind of how we think about hacks. There were this many records and this many people affected. But in a cloud environment, when you talk about a customer, that's an entire business.
That's Ticketmaster, that has 560 million customers, and that's only one of the companies that got hacked in the Snowflake incident. They're now saying there were 165 different Snowflake customers, which potentially means, I guess, billions and billions of people that have been compromised here.
Scott: That's a great point you make, David. It's kind of the unknown. When you start to spread out and look at who is affected, probably one way or another, most of us probably are affected to some degree, and it just is really scary when we look at something like that. And they believe that the motivation, which is typically always financial, but in this particular case, they're trying to pull all the information and really extort with this stolen data. And I think that's kind of a new twist on a lot of things. Even ransomware has kind of migrated to extortion, where they hold data and say, "Hey, I can really extort you by putting this out there publicly," be it selling it on the dark web, or even just posting it for free. And then other people take it down. So now it's got wings, and it spreads everywhere, and you really don't know where your stolen data ends up, and you'll probably be part of another compromise, and that's often what I hear with people. They say, "Well, I don't understand. I don't think my information was stolen, or I'm not sure how they got it," and that's because it goes through so many hands. And that's a powerful effect as a result of cybercriminals: when they extort data and have tons of it, they can parse that up and sell it, and they can really get the maximum value from it that way.
We'll be right back after a quick word from our sponsor.
Cimcor develops innovative next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak, that's C-I-M-C-O-R.com/C-I-M-T-R-A-K.
And now, back to the podcast.
David: And of course, as this data gets out there more and more, whether companies pay to have it not leaked, or whether it actually gets leaked because the companies won't pay, over time you get this almost baseline set of all the credentials. We saw this, there was the breach recently with, I think they had something like 3 billion different credentials in the one breach, which was just a collection of all the previous ones. So we can imagine that these credentials, once they've run their course for these cybercriminals, will probably end up basically in the public domain as well. I mean, this is scary stuff.
Scott: It is, and I think with most crimes, when they catch them and dig in and stuff, you kind of also associate a face, a name, and this is kind of still, the attackers are called UNC5537, this obscure name and number. We can't really make the connection necessarily and understand them, obviously, until they dig in a little bit more and find out more about this cybercriminal gang. But there's a big disconnect from it. I always find, when you look at those that are committing the crime versus the victims, that it makes it almost difficult for us to fully comprehend the scope, the size, but also who's behind it, and how to stop it from happening again. Because we know what's going to happen. They're going to take this to the underground economy and just start selling it, make their money, and they may pop up, maybe under this type of hacking group name or some other hacking group. It's really hard, at the end of the day, to get down and trace them. And that's what I find personally very frustrating. We're trying to obtain some tools on the dark web, working with law enforcement and doing it very carefully. And these are from some well-known hacker groups, and the first time we did it, they ripped us off and stole our Bitcoin. And it's frustrating. And you're saying it's so hard to trace them down and stop them, even working with law enforcement, even putting all the precautions out there. So you can see how they're going to keep getting away with this. And these are well-orchestrated machines now that have financial backing, and every time they make a good compromise like this, they've got a lot of money in the bank. So that means they're going to get better at this each time, which is a growing concern, I think, for everybody in the cybersecurity community.
David: Well, they do seem to be getting better. The numbers are bigger, the number of victims that are affected, the number of companies. People are just trying to get on and have their digital lives. Companies are trying to get on and run their businesses in the cloud. This is transformation. This is the future. And then, of course, they have to deal with this sort of thing, and it really sets people back a fair bit. You mentioned the extortion attempts that have been going on there. This is a relatively new phase now, isn't it? The data was leaked. We're seeing this now where they're stepping through the chapters of the playbook, where they now are at the point where they're saying, you know, we want a million dollars, or we're going to leak your data.
Scott: Yeah, that's a brilliant point, because it gives the bad guys more leverage. And I think that's the fundamental problem. In some cases, even with some of the more advanced ransomware claims and things, I was at one financial conference recently presenting, and law enforcement did a brilliant job talking about ransomware, where it was, where it is now, and where it's going, and the one agent that was up there said, you know, it's almost at the point where they don't even need to be that techy. They just need to exfiltrate all the data and extort using that. They don't have to worry even about encrypting the data on your drive and placing malware and doing this and that, and doing all the other stages that are a little bit more tech-savvy to people. They've just got to take your data and hold it and hold you hostage, and tell you what they're going to do with it and demand the price, or else, and that becomes very powerful. And then he was kind of forward-thinking into some of the future things, talking about artificial intelligence and other things, how they could really leverage this to maximize the dollar. Just that data, how powerful it is. And I started thinking, I said, wow, this is a scary world we live in, when cybercriminals are really thinking how to maximize that return with the minimal amount of work from the technological side. That's a mess.
David: And the problem is, the technology has risen to meet their demands so quickly. So many of the attacks that are being done, they're just leveraging as-a-service things, as you say. It doesn't require the skill, I guess the determination and the persistence, that it used to. You can just go log on. I don't know the cost these days, but I imagine it's not very much, and just sic some of these bots and these AI-driven tools on someone you don't like. Just wait a little while. See what happens. It's just kind of scary.
Scott: Yeah, sit back and count the coins. Another interesting thing I was thinking about, too, is, if you look at a lot of the headlines in the past, many of these cybercriminal gangs would also target particular niches, and they hit every vertical. We know that, obviously, but it seems like they're not afraid to go after any companies that are in the tech space, that are in the cybersecurity space even.
And in this case you've got a very robust company deep in the tech space and the advanced cloud space that understands cybersecurity. They understand vulnerabilities. They've got teams. They've got things set up well in advance to minimize the risks. But cybercriminals don't even blink an eye. They go right after them. So it helps us to appreciate, I think, how brazen they really are and how all of us, each and every person, needs to make sure that within our organizations, we do everything and anything we can to prevent them from breaking in because once they get in, it's just a disaster.
David: Most definitely. One of the other things that we've been hearing coming out of the investigations is that, apparently, some of the initial compromises happened because contractors of the companies had basically been using the same system for their work activities. So, they had their work passwords stored on their systems. And then they were also doing personal things like gaming and downloading pirated software that often has malware in it. This sort of behavior obviously would violate most companies' security policies. But it seems to be quite rife. I mean, how do we even clamp down on that and get our employees to do the right thing?
Scott: That's a big challenge. I think it has been, and it will continue to be, a problem because many companies have a fairly weak bring-your-own-device policy in place. Remote work is still in full force, at least here throughout the United States, where there's a good mixture. And what happens if you look at your home office? You're still using your personal device/business device, you're logging in. You're not as careful oftentimes with your personal credentials as you are with your business, and there's that merge there that's very murky, and I think until companies can define and say, hey, look, here's an issued work device. You can only use this for the following: boom, boom, boom!
And some companies do have that. The problem is, do all employees respect and use that? Well, if they can't trust their own employees to do that, there's a problem there. So training, training, discipline, and checking them. Doing random spot checks and things like that will put a little bit of fear in them, because they don't want to be on the poster when the company's breached. That's for sure, but it is an ongoing battle within many organizations, and I've heard horror stories, everything from small businesses, but especially in the larger organizations, where it's extremely hard to manage all of those devices and login credentials.
David: It's definitely hard, but it's so important.
Scott: Yes.
David: I mean, otherwise, these sorts of breaches happen, and to customers it just feels like this is an own goal by the companies that they rely on. We've provided our information to you. We've expected that you're going to secure it. You're going to do the right thing by it. And suddenly, 560 million concertgoers are compromised. Who knows what else is going to come from this? It's an ongoing thing.
Scott: Yeah, there are going to be a lot of upset, maybe Taylor Swift concert ticket holders or whoever else is affected, if they bought their tickets and they want to see their favorite star, and this happens. That's really sad that it affects so many people, innocent people that have nothing to do with this entire debacle there.
David: Definitely. So now you mentioned MFA early on, multi-factor authentication, clearly a very important part of any company's security practice. How would that have helped stop this from happening? And would it have been enough, do you think, to have prevented this sort of wide-scale, high-volume compromise?
Scott: Well, I think when they go through multi-factor authentication they do need to have, I think they call it rotation, often. Every so many years, you have to check through and make sure that it's tested 100%, implemented properly, and that all users are using it. And again, as you mentioned, you can set up many systems so it does not require you to use it. It's when they force you to use it, I think, that it's much better, because everybody comes over the hump and says, "All right, I have to use it. Suck it up. Let me make sure I understand how to use it and use it properly." And I think that's part of the challenge. And if you read through some of the details, they had Snowflake hardening guides and other things that they talked about, where it was more about trying to force people to use MFA. And that's really what companies and organizations need to do. They have to force all users, 100%, to be compliant. It's not an option. Once you leave it optional, "you should do this, we recommend you should do this," people that are lazy are going to opt out, because it's security versus a little bit of laziness. "Well, I need to do it quick. I don't have an extra 2 seconds to wait for the code or this or that. I've just got to access it and just grab some quick data and do whatever and get off." That's part of the problem. Time is money, and people are forced sometimes to take the faster route. You can't allow that to happen. So, by continually upgrading and improving MFA, making it faster, and I think for many things here that I use, MFA's gotten much better. In the beginning, yeah, it did take a while. And there are still some systems that I log on to where I'm sitting there for 5 minutes, waiting for this email, waiting for the phone call, waiting for the code to be texted, waiting for whatever. And that waiting period is very frustrating, which makes people say, "I just want to opt out of this and do something else, and just log in and do what I've got to do and move on."
Those days have to change. And we have to just really keep improving it, I think, within an organization, and 100% implementation top to bottom. Everybody's got to do it, especially those third parties that are accessing it remotely.
David: Most definitely. Hear, hear. Now, we've just got to get everyone else to do the same thing. You're right, though, I think the tools have improved a lot. I mean, now, people have an app that will generate a code. It's tied to a particular site, for example. Even if you're just using the text-messaging validation, that certainly plays a role, although there are other issues with that, but generally it's much easier, much less intrusive for people. So for employees to complain about it probably is a bit outdated now, so we just have to make it so it's pretty pervasive.
Scott: Yeah, I think that's so true, and I've heard it from many people who say, "Oh, I can't be bothered by it. It's so annoying. It takes too long," you hear. I always tell them to stop for a second and think: what if your information is now compromised? What are some of the things that could be done if somebody hacked into your account? And they're like, "Oh, you know, I didn't think about that. I'd better take that extra couple of seconds and do it. Okay." So sometimes it's just back up from it and just use common sense and think. And you're right, multi-factor authentication has been compromised. It's been proven, just like pretty much all security. You could get through everything. But, man, you still lock your door at night. Why? Because you don't want the bad guy coming in. You want to slow him down or hopefully have him move on to the next house. Not in your neighborhood, hopefully, but get out of the neighborhood and go rob somebody else's house. These are deterrents. We want to put effective deterrents in and think security and work together. When everybody works together, if just a couple of people were putting in multi-factor authentication and good practices with password management here, you and I wouldn't have a job, we wouldn't be talking about this today. But look how many people are affected, likely hundreds of thousands or millions, as a result of just this Snowflake breach alone. So we see how important it is for everyone to implement multi-factor authentication.
David: And maybe if they had done it earlier, we wouldn't be sitting here watching this Snowflake melt day after day.
Scott: That's right. Yes.
David: I couldn't leave that one on the table. Scott, thanks again for your time today. Really appreciate you taking time to talk with us.
Scott: Hey, wonderful to be with you again there, David, stay safe.
David: You, too.
July 9, 2024