The Five Most Dangerous New Cyber Attack Techniques (A review of the RSA Keynote)

2022 is a new world in the cyber attack space, and Katie Nickels, SANS instructor, and director of intelligence at threat detection vendor Red Canary, describes the top five new attack they are seeing in the space. Spoiler alert: one of them is attacks against backups! Learn from an expert as we discuss the top five attacks they are seeing right now. We talk about living off the cloud, MFA exploits, an increase in nation-state hackers, the increased use of stalkerware, and YES: attacks against backup infrastructure. We discuss each of these in this important episode of Restore it All!

Video

Transcript

[00:00:19] Prasanna Malaiyandi:

Hi, and welcome to Backup central’s restore it all podcast. I’m your host WC Curtis w Curtis Preston.

[00:00:27] W. Curtis Preston: Wow. That’s just, you will not assert my authority. So welcome folks. Welcome to the Backup Central’s Restore it All podcast. I am your host, and I actually know how to say my name w Curtis Preston, AKA Mr. Backup, and I have with me, my voter abuse stress counselor, Malaiyandi.

[00:00:56] Prasanna Malaiyandi: Oh, my gosh, Curtis, how are you doing after? So you volunteered at the elections and you were a site manager and for the listeners, if you wanna understand how elections work we did a podcast, uh, Last year. Was it no. Back in 2020 with Mark Thompson? Yeah. Election poll site manager explains us election systems. Go take a listen to that, but yeah, you were in the primaries helping out

[00:01:23] W. Curtis Preston: Yep.

[00:01:24] Prasanna Malaiyandi: and you had an interesting time.

[00:01:27] W. Curtis Preston: Yeah. It’s um, I, you know, I’ll say the same thing to anybody that anyone that’s Curious. If, if you do not trust our election system, then I would suggest you go volunteer as a poll worker. It, it is an incredibly information filled experience and, um, and that, and that’s what we talk a lot about, about.

In that podcast. And then I wrote a blog, something like how hard it would be to actually hack the elections, the, how absolutely improbable. So many of the things that people are saying happened, how absolutely improbable that. I mean, there’s no proof that it did happen and and how difficult it would be to do that.

And, and, and the closer you get to the actual process, the more you understand what I’m saying. But I will tell you that the process of volunteering to be a poll worker, especially election day, which is I get there at 6:30 in the morning. And I’m there till about 10 o’clock at night. And.

[00:02:31] Prasanna Malaiyandi: It’s a long day.

[00:02:32] W. Curtis Preston: It’s a long day and you know, it’s funny California or San Diego county.

Anyway, we do four days of voting. In fact, there are some sites there’s 203 sites. I think voting sites and about a dozen of them are open 11 days.

[00:02:50] Prasanna Malaiyandi: Oh my God. Could you imagine doing that?

[00:02:52] W. Curtis Preston: yeah, I, I basically said a big fat no, when they said I was like, listen, I got a JOB, I can’t be, I can’t be leaving for 11 days,

I mean, if I’m gonna leave for 11 days, what’s that.

[00:03:03] Prasanna Malaiyandi: Doing the podcast is your JOB, right?

[00:03:05] W. Curtis Preston: Yeah. Yeah. Um, yeah. And so I was like, I was like, I. I have zero interest in 11 day site, but I was at a four day site. And for the first three days we got a whopping, like a grand total of about 32 people over three day period. And then on election day we got 266 people,

[00:03:32] Prasanna Malaiyandi: Oh my God.

[00:03:32] W. Curtis Preston: significantly more than 32.

[00:03:35] Prasanna Malaiyandi: Yeah,

just a little.

[00:03:37] W. Curtis Preston: And, everybody’s like, oh, I didn’t, I didn’t know you were open. It’s like, it’s like, I guess you don’t listen to the news or the radio or anything. That that’s part of the problem is, you know, nobody watches the news or listens to the, like, what’s a radio, right? The.

[00:03:51] Prasanna Malaiyandi: Or checks their mail because

you got they because they sent out flyers. They’re like, Hey, here are those sites that are opened ahead of time. Go vote early.

[00:04:01] W. Curtis Preston: yeah. So, and of those 266 people, I’d say 10% of them were abusive

[00:04:10] Prasanna Malaiyandi: Hmm.

[00:04:11] W. Curtis Preston: to, to one degree or another,

um, you know,

[00:04:14] Prasanna Malaiyandi: Do you just wanna curl up in the fetal position?

[00:04:17] W. Curtis Preston: Yeah. And, and as a site manager, I take the abuse.

Right? I take the, I take the crazy questions. Um, you know, I had a, I had a Sharpie gate question, which I don’t know if you, you remember Sharpie gate, but this, this thing of like, that people were being handled Sharpie handed Sharpies instead of the official ballot marking pens.

And if you got a Sharpie, then your ballot wouldn’t count, which was nonsense. But that, that was one of. And somebody actually asked me about that. I was like, well, first off, not relevant to the current election because we use a ballot marketing device, which is a screen that creates your printed ballot.

You will be doing, you know, that’s one of the questions. Are we gonna get paper ballots? Yes. You are going to use a paper ballot. You’re going to create it on that device right over there.

Which is a computer. Is that a Dominion machine? Yes. Yes. That is Dominion machine, but it, you will be able to see the, the thing that it produces, which is your vote. Um, so yeah, just all day long. I don’t mind questions. I absolutely don’t mind questions. It’s I don’t need the, I don’t need the. Yeah, the attitude like I, like, I give everybody the same spiel when they come up to the BMD. That’s the ballot marking device. That’s you might call it a voting machine. We do not call it that. A voting machine is what we used to do, which is, or what some states used to do, which is it. Records your vote, right?

This is not a voting machine. This is a ballot marketing device. It prints your ballot. And I give this spiel to everybody about how it doesn’t store your vote, how it doesn’t transmit your vote and how that you will be able to see your vote before you print it, you’ll be able to see your vote after you print it.

Cetera, cetera, cetera. And this guy who was, you know, an anti BMD person was like, I don’t need, I’ll figure it out. Like, okay. Okay. Like, I’m just trying to help you vote, man.

You know, like I don’t need you to snap at me.

[00:06:14] Prasanna Malaiyandi: so I know before we’ve talked about like everyone, at some point in their life should work retail. Do you think everyone, at some point in their life should work an election?

[00:06:23] W. Curtis Preston: I agree. Yeah. I’m yeah, I think so. And first off it, it. So San Diego county, 200 polling sites, average of eight people. They wanted 10 people per site. That’s 2000 employees that are temporary employees that need to be hired and vetted and trained prior to the election. It requires two days of training to be a poll worker, five days to be a site manager.

And, you know, we, we only ended up having seven people. Let me just tell you. There’s a big difference between seven and eight and eight, nine, you know, on election day, just try to get, there’s no way to get the legally mandated numbers of lunches and breaks and whatnot, and still function as a, as a site.

[00:07:15] Prasanna Malaiyandi: because each person has their sort of role responsibility, right. Their task.

And it’s not like everyone’s just doing the same thing.

[00:07:22] W. Curtis Preston: Yeah, we cross train, right. We cross train across the whole site so that everybody can do every job, but still even with that, you have people that are better at certain jobs. And, um, so it was, I’m just saying, I, it was. It’s a lot of work. And then, um, and then we had to tear down everything the next day.

And, and now I’m today I’m, I’m sort of in, this is my first day where I get to sort of breathe after all of that. I don’t have any election responsibilities, but yeah. Yeah. Uh, and I, you know, I was looking for, and I’ll throw out our disclaimer Prasanna and I work for different companies. He works for Zoom.

I work for Druva and this is not a podcast of either company. These are our opinions and not theirs. And, uh, be sure to rate us at ratethispodcast.com/restore. And also, if, you know, if you listen to this and you, you’re interested in the things that we’re interested in, then just reach out to me @wcpreston on Twitter, or wcurtispreston@Gmail.

And we’ll get you on, man. You know,

[00:08:30] Prasanna Malaiyandi: Come join us. Come talk to us.

[00:08:32] W. Curtis Preston: come talk to us about. You know, tape, disc backups, archives security. We love talking security cuz it’s so it’s so adjacent to what we do. Right. It’s funny. I, I, I grew up hating security. like when

[00:08:48] Prasanna Malaiyandi: They were the people who would like stop you from doing things, right?

[00:08:51] W. Curtis Preston: yes, yes. Um, you you’ve been a Unix guy for a while. You, you was, RSH still a thing when you started.

[00:09:01] Prasanna Malaiyandi: Yeah. Mm-hmm,

[00:09:01] W. Curtis Preston: Okay. So in order to get, we used dump and, and, and, and rdump back in the day, right back before I had a commercial backup utility. The only way that rdump would work is to be able to rsh as root

[00:09:19] Prasanna Malaiyandi: Oh,

[00:09:20] W. Curtis Preston: one server to another, without a password. Right. Put all those things together. And I just made a security person’s head explode.

[00:09:29] Prasanna Malaiyandi: Back in the days before the internet.

[00:09:33] W. Curtis Preston: Well, we were, it was very, very, you know, like internet was just,

I remember getting my AOL disc. I was an AOL customer. Jeezy, you’ve got mail. What I remember was just really hating the security folks because all they did, all they ever did was just get in the way of me doing my job.

And I will say that if you are a backup person, then stop that, right.

If that, if that’s your way of looking at data security, cuz guess what we’re gonna talk about today. We’re gonna talk about information security. We’re gonna talk about the RSA conference.

[00:10:08] Prasanna Malaiyandi: And for the people who are don’t know who their security people are, go talk to them, have a conversation. Like I’m sure you both, like both teams are feeling the same sort of pressures and issues and just sort of go chat with them and figure out what you could do together.

[00:10:23] W. Curtis Preston: Yes. You both have a common goal, right. Of keeping the company safe. It’s just, you look at it from different sides, right? It’s like the, that is that story about the elephant, like the people approaching elephant, like one grabs a tail, one grabs like blind people approach it. Do you know what I’m talking about?

[00:10:45] Prasanna Malaiyandi: Are you crazy?

[00:10:46] W. Curtis Preston: what do you know the story I’m talking about

[00:10:50] Prasanna Malaiyandi: no.

[00:10:52] W. Curtis Preston: It it’s like three blind guys approaching an element. Like one, you know, gets the legs. One gets the trunk, one gets the tail and they describe the elephant in three different ways because it’s what they’re experiencing.

You’re experiencing the same thing is just you’re approaching it from a different angle. And so just talk about it. It’s like, listen, I know, I know you wanna do this. Here’s how that makes my job difficult. And he’s like, I know you wanna do this. Here’s how that makes my job difficult.

[00:11:21] Prasanna Malaiyandi: Yeah, I need access to every single system

[00:11:25] W. Curtis Preston: Yeah. And those of you that have heard the podcast, if you’ve, if you’ve listened to the podcast, I, I, more than once, I’m sure I’ve told the story where I worked at at, uh, a company where I, where the, the security people shut me down in the middle of thing.

It was a Y2K thing. It was, I just, I just lost it, but they were just, again, they were just trying to do their job.

[00:11:48] Prasanna Malaiyandi: Exactly. Be kind.

[00:11:50] W. Curtis Preston: I mean, they, they did not, in my opinion, they did not do their job because they were specifically told not to do what they ended up doing. And that’s why I went, you know, crazy. Yeah. Um, but the security people are your friends.

And if you’re a, if you’re a security type person listening to this and you, you know, you hate the backup person. Please don’t. So work together. This headline from, uh, RSA, I found this excellent article.

[00:12:21] Prasanna Malaiyandi: The RSA conference, just to be clear.

[00:12:23] W. Curtis Preston: Thank you. The RSA conference, which stands for,

[00:12:27] Prasanna Malaiyandi: Is it three dudes names?

[00:12:30] W. Curtis Preston: oh, I was gonna say really secure access.

[00:12:32] Prasanna Malaiyandi: Co-founders Ron ADI and Leonard, sorry, their last names.

[00:12:40] W. Curtis Preston: Okay, thank you. I was, I was very confused

[00:12:43] Prasanna Malaiyandi: Ron Reibes ADI Shamir and Leonard Adelman,

[00:12:48] W. Curtis Preston: Well, there you

[00:12:49] Prasanna Malaiyandi: R

[00:12:49] W. Curtis Preston: then what about the SANs Institute? Do you know what that stands for?

[00:12:54] Prasanna Malaiyandi: secure something.

Something,

[00:12:56] W. Curtis Preston: something something the security people listening to this podcast are like, oh man. Uh, but anyway, if you’re a security person, you know what the SANs Institute is,

[00:13:07] Prasanna Malaiyandi: CIS admin

[00:13:11] W. Curtis Preston: well, there you go. This was a talk at the annual RSA conference

[00:13:18] Prasanna Malaiyandi: which I think they do every year is kind of like their keynote.

[00:13:21] W. Curtis Preston: The keynote was the top five dangerous cyber threats in 2022. So it’s interesting because they are not, um, they’re not very similar to

[00:13:36] Prasanna Malaiyandi: What we think about normally.

[00:13:38] W. Curtis Preston: no, what I’m saying is they’re not the ones that they talked about just a year or two ago.

[00:13:42] Prasanna Malaiyandi: Hmm. Yeah.

[00:13:43] W. Curtis Preston: Year or two ago, they were focused on living off the land attacks, um, command and control. Deep persistence, mobile exploit, checkmate and check rain. I believe that’s his and threats at the perimeter. This is a very different list. And I gotta say, looking at this list, I feel somewhat vindicated because we’ve been talking about some of these things for a while. Wouldn’t you say?

[00:14:05] Prasanna Malaiyandi: Oh yeah, for sure. It’s it’s interesting, like you were talking about earlier in our discussion about like security and backup are there’s a lot of overlap there, right? Even in this list that they came up with, there’s quite a lot of overlap between like what we normally talk about and think about from like a backup data protection perspective and what they’re worried about from a security perspective.

[00:14:27] W. Curtis Preston: Right. So let’s talk about the first one. And it’s called living off the cloud, which may sound familiar for those of you that followed the SANs Institute. So they had this concept of living off the land, which is people that were using system management tools and systems to basically stay persistent and move around laterally within the organization.

We talked about lateral movement and minimizing lateral movement in. What podcast, when we had, uh, snorkel. Do you have, do you have the titles up there?

[00:15:00] Prasanna Malaiyandi: We did two, one was called security expert rips Okta for the response to hack, which probably isn’t as respo, uh, isn’t as relevant, but the next one is snorkel 42 security expert from Reddit explains his security cadence series. It is, it was done back in may of this year of

[00:15:19] W. Curtis Preston: He talked about the idea of, one of the things that you want to do is minimize lateral movement. So in this, it’s talking about living off the cloud, which basically just sounds like the, the cloud version of living off the land

[00:15:35] Prasanna Malaiyandi: It is a, it, it sounds reasonable. I think the one thing they mentioned is. With the cloud, right? Living off the land, you have access to certain resources and everything else. Cloud, you can just spin up things so quickly and use that as a staging point for so many other attacks, right. That it is. Um, a lot more scary than something that’s just within the corporate network, right?

Because a cloud might not be like. What’s to prevent someone from spinning up an EC two instance, an AWS right. Forgetting and accidentally leaving it open to the internet. And now all of a sudden you have connectivity into that cloud instance, right? An attacker could. And from there, depending on how the networks are configured, they could easily get access to your internal data centers to other internal services, just because you misconfigured something in your cloud environment,

[00:16:31] W. Curtis Preston: And then they also talked about. Enterprises tend to trust, uh, their, their own cloud provider. So if I want to attack you, and I know who your cloud provider is, I can

[00:16:43] Prasanna Malaiyandi: go through

[00:16:43] W. Curtis Preston: own environment inside that cloud provider and potentially allowing me not direct access, but, um, you know, just slightly easier because I’m coming from a place you trust. Um, which I would think is relatively easy to protect against,

[00:17:04] Prasanna Malaiyandi: Yep. I don’t know. It

[00:17:04] W. Curtis Preston: again, not an information security because I, I’m not gonna trust you just because you came from AWS, I’m gonna trust you because you came from an IP address range or known IP addresses from AWS.

[00:17:16] Prasanna Malaiyandi: But, but even those known IP address ranges, just because you’re spinning up and down so quickly, if their private IP address is sure. But if their public IP addresses, given how I can quickly spin up, spin down, spot instances, everything else, like I don’t actually know what IP range I will necessarily get for those instances

[00:17:35] W. Curtis Preston: Well, again, I’m not running a corporate it network, but I would think that there’s a way to deal with that.

[00:17:40] Prasanna Malaiyandi: there is, but it may be.

[00:17:42] W. Curtis Preston: I think that’s the point of this, of this thing is to say, address that concern, right?

[00:17:49] Prasanna Malaiyandi: Cloud makes it easy to do all these dynamic things, but make sure you’re thinking about how to still secure, even though things could be dynamic, don’t just leave it all open.

[00:17:58] W. Curtis Preston: right. And then the next is attacks against multifactor authentication. And I’ve seen this. First off, there are many different types of multifactor authentication. There are different factors as they’re called there is there’s SMS. There’s email. There are the little, um, the, to, you know, the little tokens,

[00:18:20] Prasanna Malaiyandi: Yep. Yep.

[00:18:20] W. Curtis Preston: uh, and then there are like apps like authy or Google authenticator.

There’s also just in my life. I know I also use the Symantec app, like one of my financial vendors, I have to download the Symantec MFA app as well as the, um, uh, oh. And my, my bank has its own authenticator app.

[00:18:48] Prasanna Malaiyandi: And since we’re talking about RSA earlier, right. Remember back in the day, all the key fobs that you would have, right. Which would give you the six digit code, which you then use for MFA. And now everyone’s moving away from that to, like you said, SMS or one of these apps. And I think the challenge is some of these methods are not as secure as others.

And so someone can impersonate can spoof can acquire those MFA codes that are being sent to supposedly you Curtis, but they’re intercepting it if you will. And using it to register their own devices. And once their own device is registered, now they have full access to everything.

[00:19:28] W. Curtis Preston: Exactly. And then, and then there’s also just a concern when it is a physical token or when it is an app on a phone or when it is an SMS to a phone. What process do you have in place for when someone loses their, their token?

[00:19:43] Prasanna Malaiyandi: No one ever loses their stuff, Curtis,

[00:19:46] W. Curtis Preston: Right.

[00:19:47] Prasanna Malaiyandi: or when they trade in their phone.

[00:19:50] W. Curtis Preston: I don’t know what you’re talking about. The, um, so, and, and do you have backup authentication mechanisms in place for when somebody loses their, their primary authentication mechanism? And do you have a way to disable the, you know, whatever, whatever I think you should have like, like a more secure method, like an app or the token?

If you’re attempting a direct attack on a person or on a company and you’ve targeted a person, you can very easily target the physical thing that they’re using as a token.

Right.

[00:20:30] Prasanna Malaiyandi: Your phone, right? This is what happens often with a lot of the crypto heists that you’re seeing is people call into the cell phone provider, pretend to be the person, port the number over to another carrier. Do the MFA, get the code and then clear out their crypto wallet.

[00:20:48] W. Curtis Preston: I went to a talk with, uh, Kevin Mitnick once, and I know not, everybody’s a huge fan of Kevin Mitnick, but I learned a lot in that talk about things like. How, how he gets, you know, how he hacks into physical, physical.

He, he has a lot more social engineering and physical hacking than I would’ve thought. And like, and he, he does white hat hacking. Right. And he talked about getting into a bank by using a, um, what, what are, what are they called? The little badges. There’s a name for that? The,

[00:21:26] Prasanna Malaiyandi: Oh,

the key card,

[00:21:27] W. Curtis Preston: that you,

what.

[00:21:28] Prasanna Malaiyandi: the key card swipe

[00:21:29] W. Curtis Preston: Well, like it’s key card.

There’s a, there’s a name for that type of key card. But anyway, he, he has a scanner that he can scan that if he’s he, he has two different ones, ones that he can scan from really close and the ones that he can scan from like several feet away. And he talked about going into a bathroom. the men’s bathroom in a bank where he needed to go and just waited for a dude to come in, guys, you know, go into the bathroom and he’s sitting there scanning the guy’s card.

Next thing you know, he’s got a badge to get into the thing.

Again. That’s why we have MFA. Right. So, you know, you need something more than

[00:22:07] Prasanna Malaiyandi: Digest that. Yeah.

[00:22:08] W. Curtis Preston: plus a digit,

right?

[00:22:10] Prasanna Malaiyandi: Or a picture.

[00:22:12] W. Curtis Preston: Yeah. Face

thumbprint.

[00:22:15] Prasanna Malaiyandi: Something else?

[00:22:16] W. Curtis Preston: Hopefully, he’s not cutting off anybody’s thumbs, but all right.

[00:22:21] Prasanna Malaiyandi: So the fourth one is attacks involving stalkerware against mobile devices. Right? So.

[00:22:27] W. Curtis Preston: Yeah.

[00:22:29] Prasanna Malaiyandi: Yeah. Well, if you think about this, this is a lot around, like there is the NSO group, right? You’re starting to see a lot of these sort of things being used, where people are able to leverage zero day bugs and other things to install spyware.

If you will, on mobile devices. And they can do it without requiring any interaction from the user. They’re now able to track where the user’s going, what they’re doing, read your emails, read all your text messages, pull out your MFAs. Right? It’s all scary stuff. And before we used to think, oh, it’s only in spy movies and it won’t happen to the common user.

Now there’s, there’s like groups and companies, which this is what they do. And it’s

[00:23:13] W. Curtis Preston: Yeah, that, that that freaks me out. Right? The idea of people just sort of randomly grabbing my, somehow these, these exploits. That’s why I will say like in my personal life, when, whenever. Apple comes out with, and they’re like, this is a security update and I’m like, boom, I’m

[00:23:32] Prasanna Malaiyandi: Uh,

[00:23:33] W. Curtis Preston: done. I’ve already like, I’m halfway through reading the article and I’ve already started installing it

[00:23:37] Prasanna Malaiyandi: Yeah. I think apple is the, yeah, I think apple products are the only one that I, oh, sorry. iOS products are the only ones that I immediately install.

My laptop. I’m a little out of date

[00:23:48] W. Curtis Preston: Yeah. of course I, I’m not, I’m not dragging my laptop around. Like I used to. Right. I’m look, I’m looking at my laptop right now, which for the record is never on top of my laptop. It just sits there. Right. Um,

yeah. So that’s, that’s kind of, so I, I guess the biggest thing there is again, secure your personal mobile device.

Um,

[00:24:10] Prasanna Malaiyandi: be careful if you plug in, like, I’ve seen a lot of people, they go and they just take the USB cable and they’re like, oh, there’s a USB port. Let me plug it in. Or they see a cable like plugged in or just standing there. And they’re like, oh, let me charge my phone quickly. And they plug it in.

It’s like, don’t do those sort of things.

[00:24:27] W. Curtis Preston: we, we, we talked a couple episodes ago. I think we talked about this, about the, the dropping of the USB thumb drives and stuff like that. But again, that same talk that, uh, that I went to with Kevin Mitnick. He had a, he had a guy come up on stage and he handed him a, a USB cable, a USB charging cable for his iPhone.

And he’s like, I want you to examine this cable. He’s. I’m examining it. And he’s like, okay, you know, and he is like, does it look any different? And he’s like, Nope. He goes, okay, we’re gonna plug it in over here. And he plugged it and he plugged it into the wall. He plugged it into the wall and then he, and then he pulled up his laptop on the screen and we could see that he was reading the guy’s data off his phone.

[00:25:15] Prasanna Malaiyandi: Yeah.

[00:25:16] W. Curtis Preston: I’m. Damn that’s. Yeah. So stay away from, you know, stay away from strange devices. This is also why you don’t enable the USB, you know, the USB, uh, the data access on the USB ports. When you put in a strange device, this is why you don’t just randomly use random chargers out there. Bring your own charger. Um, Know thy cable. Um, so the, the next one is another one. That’s that’s kind of, and again, this is one of these, like, um, this is sort of like the cloud, the cloud is not bad, but the cloud is being used in bad ways. Bitcoin is not bad, but being Bitcoin is being used in bad ways. And there’s a couple different articles that I saw in this, this.

The the, the CRN article doesn’t specifically mention Starlink, but the other article did, and they were saying that that Starlink enables a lot of really cool stuff. And they were talking about how they were able to re enable access in Ukraine, for example.

[00:26:24] Prasanna Malaiyandi: When the modems got wiped and they lost access and

[00:26:27] W. Curtis Preston: right. J just similar to. To that DR story that we had with, uh, the island that, uh, they, they had to use wireless internet, or they had to use satellite internet, which I’m guessing was not as good back then as it is now.

But what he was saying was be concerned about nation state hacking and With the advent of things like Starlink, you could be dealing with a nation state that doesn’t look like a nation state.

[00:27:02] Prasanna Malaiyandi: yep. The lines get blurred right between.

[00:27:06] W. Curtis Preston: So it’s

not E it’s not as easy as like, well, I’m just gonna, like, I don’t do any business with anybody in Russia. I’m just gonna block off all access from Russia.

Right. Um, you know, I dunno if I ever told you, but I, the backup central got hacked once.

[00:27:22] Prasanna Malaiyandi: Oh

[00:27:22] W. Curtis Preston: Did I tell you that it was a just years ago, but it was a SQL injection attack.

And for, for a relatively short period of time, I was flying some country’s flag on the, on the front page of my website. And also, uh, I was, there was some stuff in my metadata that was. Bad stuff. I don’t remember what it was, but it, they had inserted stuff in my metadata, which didn’t need to be there. Um, and that was the, that was the biggest evidence that, that that’s actually how I, something, something clued me in.

But, um, yeah, it was SQL injection attack recovered via backups. Of course.

[00:28:06] Prasanna Malaiyandi: Nice.

[00:28:08] W. Curtis Preston: Um, good news is backup central. Doesn’t have like A huge. Change rate

[00:28:14] Prasanna Malaiyandi: yeah.

[00:28:15] W. Curtis Preston: it’s like once a week I put in a new episode. So,

um,

[00:28:19] Prasanna Malaiyandi: And since you were talking about backups, since we’re talking about Ukraine, I can’t remember where I was reading this article, but they were mentioning, they were talking about Ukraine and how they got hit with these attacks. Like, and they were talking about how because they’ve been so like the it industry there has gotten so used to dealing with disruptive operations, they’re actually really, really good at restoring their environments.

Because they’re kind of doing it all the time. Like when not Petya hit. Right. And other things like that, they’re able to like quickly get up and running in like hours rather than like weeks that most other companies take, because they’re like, oh yeah, we just drill. We practice, we practice, we practice.

and so they have it down.

[00:29:06] W. Curtis Preston: and I think the same is true of me. It’s like the reason why I got so good at backup is because it, you know, partly because I had a job and that was all I did was backups. But then I left that job to become a quote, real sysadmin. And they put me at the headquarters of Amoco and they had the, the, the actual headquarters part, which is where I was at.

They. They had an it department that was kind of had been ignored. And so I was, I was in there doing the, the person that was running the it department, uh, just, wasn’t a very strong CIS admin. And, uh, and so they brought us in to, to assist and, and so we started doing things like crazy things, like loading the most recent, uh, patches and rebooting the servers once in a while and things like that.

But. But they were dying left and right. and so, so I just got really good at not only like just doing backups and restores, but doing bare metal backups and restores,

[00:30:05] Prasanna Malaiyandi: and doing quickly and pain free.

[00:30:07] W. Curtis Preston: yeah,

exactly. And, uh, you can hear all about that in the episode. Uh, how I, what is something about how I got the nickname crash?

I think

[00:30:16] Prasanna Malaiyandi: Uh, sure.

[00:30:20] W. Curtis Preston: there’s a, we have an episode we talked. How I used to be called crash,

Well, anyway, it’s up there somewhere. One of those episodes, we’ll find it, see if I can figure it out. But, um, yeah, that’s how I got the nickname crash, cuz I was like, I was rebooting servers and they weren’t coming back up and then, so I got really good at it.

So that’s interesting. So

[00:30:40] Prasanna Malaiyandi: the last one, your favorite

[00:30:41] W. Curtis Preston: and the last one we need, we need a drum roll sound. You boo. The fifth one is attacks against system backup

[00:30:52] Prasanna Malaiyandi: No one ever does that.

[00:30:54] W. Curtis Preston: Right. And you know, this has become huge, you know, and they’re saying here that backups were the last line of defense, but they’re also becoming the first line of attack. And, you know, they’re saying that the back the software used to create the backups have flaws and the backup software vendors have had to address these vulnerabilities.

And, and I would say it’s, it’s. It it’s less of a flaw generally in the backup software itself, but more in the overall infrastructure, right? Yes. There’s also, I’d say that historically backup software was not written with information security in mind. Back in the day, you had to be root to run your backups. You had to be root everywhere. So I used to joke a lot about the back. You know, backup admin is like trust your backup admin because they can delete everything, including your backups. So that’s no longer the case. And, and I will say this, if you’re I say it all the time, if your backup software still requires you to have root on servers that you’re backing up and or root on the backup server.

In order to just run the backups, then you need to run. Don’t walk from that backup software product. The, you should be able to put a junior person in charge of the backups, which you shouldn’t do, but I’m just saying you should be able to do that. Put someone who does not have sysadmin privileges in charge of the backups and, and they should be able to do everything that they need to do without needing

[00:32:34] Prasanna Malaiyandi: Operate root.

Yep. I’m just trying

[00:32:36] W. Curtis Preston: Because you wanna limit the blast radius, right. And the backup user itself is powerful enough, but the, you know, just limit the blast radius wherever you can. But the, but the biggest thing I think, um, is, as I said earlier, is we talk about it a lot is . How people are storing their backups.

[00:32:56] Prasanna Malaiyandi: So because all this data, right? There’s a lot of data. There are a lot of systems you’re backing up, right? Typically you end up writing to something, some other storage device for your backups. And a lot of people just dump it out over a standard protocol, like NFS or SMB . Right. great because now I can just bring in any storage array. I just plug it in. I now start backing up to it. Easy peasy. The downside is it’s an open protocol, right? It’s an open endpoint that anyone else can also access. So

[00:33:30] W. Curtis Preston: Emphasis on open

[00:33:32] Prasanna Malaiyandi: yeah, it is open. Um, and so anyone can access it, which means if ransom, if a attacker. exploits, it’s not even your backup server, but even any other server in the environment, they could potentially gain access to that Mount and start accessing, deleting, exfiltrating, which is probably even a bigger issue, right. Your data. And you could be in trouble.

[00:33:57] W. Curtis Preston: Yeah. And I would say, I would add to that just like the default installation of a lot of disk space backup products is, is not an NFS target. It’s just a regular disc target race, just a, you know, SQL back slash backups. Um, that’s not good either, especially if it’s a windows box, you know? Yes. I prefer Unix and Linux and yes, I think they’re more secure.

They’re not perfect, but it is a stating a fact saying that windows is the number one target for ransomware. It’s not the only one, but it’s definitely the number one. And so for your backups to be sitting on a Windows server, And, and then the backups are inside that server

you know, so

[00:34:38] Prasanna Malaiyandi: That’s probably not a good

[00:34:39] W. Curtis Preston: attacked, you can, you can do that.

There are ways to address all of these concerns

[00:34:45] Prasanna Malaiyandi: Yep. Which we talked about in numerous.

[00:34:46] W. Curtis Preston: yeah,

we have. Yeah. So, but, but I just do, I do find it interesting cuz we talk about it a lot and sometimes I, I feel like I live in the, you know,

[00:34:57] Prasanna Malaiyandi: Can I bubble

[00:34:57] W. Curtis Preston: of, of a backup company and I’m like, yes, but it’s nice to see. vindication of the RSA conference saying that one of the top five data risks right now

Is the, you know, the loss of your

[00:35:13] Prasanna Malaiyandi: attacks on your backups

[00:35:14] W. Curtis Preston: you’re doing them.

And, you know, and, and the, and I’ve said it before, but I’ll say it again. The reason this is the case, I’d say two things. One is. Hacking, you know, and, and, and all, and, and ransomware and all that’s creating an industry. So there’s resources and stuff that, that, that the bad folks just didn’t have back in the day.

But the other is the, in the backup industry’s move from tape to disc as their primary protection mechanism. And so it makes it really easy to get access to it. If you haven’t done the right things, um, go.

[00:35:55] Prasanna Malaiyandi: One of the articles on the SANs list of bad backups is from tech target. And there was a quote from the, one of the presenters, right? Backups are boring. Boring is good. Keep it boring.

[00:36:09] W. Curtis Preston: Yeah, yeah. Backups are boring. That’s why nobody wants to be the backup person, but you know, it is what it is. And, you know, you know, I saw that quote and I was like, I don’t know how I feel about that. And I don’t mean that like, Like I’m being insulted

[00:36:24] Prasanna Malaiyandi: Yeah, I think, I think instead of boring, I think it’s what is it simple or

[00:36:30] W. Curtis Preston: Yeah,

[00:36:31] Prasanna Malaiyandi: easy or something like that,

[00:36:32] W. Curtis Preston: Yeah. The problem is the, and again,

to a hammer, everything looks like a nail, but, and I work for a. Cloud backup vendor. But to me, the only way to do backups today, easy is to use the SaaS product that does backups. Everything else is hard, right? Buy a box, secure that box, buy some backup software, secure that backup software, buy a backup target, secure that and all that stuff. You know, just all of that. That is not simple. It used to be simple. It is not simple anymore. And you can’t just hand the keys to the backup kingdom, to the, to the new person and expect them to figure all that out. Right. They’re

[00:37:13] Prasanna Malaiyandi: Here you go. Good luck.

[00:37:16] W. Curtis Preston: Good luck, please, please keep the keys to our kingdom secure from all the bad, you know, hackers out there. Uh, the only way to do that in my opinion is to use SaaS service and, and, and, by the way, it, it, you know, let me rephrase what I’m saying is the only way to do it simply.

[00:37:32] Prasanna Malaiyandi: Yep.

[00:37:33] W. Curtis Preston: We’ve had the guys from Veeam on here. Right. I’m not anti Veeam and they’ve got answers to these concerns. It’s simple if you know what you’re doing, but to me, um, and I’m not saying it’s, I don’t know. I, I’m not attacking these folks. I’m just saying there’s nothing simpler than just put in an agent and point.

Right. You don’t have any of the backend security

[00:37:57] Prasanna Malaiyandi: Issue story

[00:37:58] W. Curtis Preston: stuff to worry about, right?

Yeah. Anyway. All right, well, um, you know, I’m gonna go maybe have a beer and, uh, think about my, all those people yelling at me over the over the, over the election.

[00:38:17] Prasanna Malaiyandi: not just gonna start. Oh, about the election. Okay. Yeah, no, I thought you were going to be like, yeah, I’m gonna go call all those people who told me I was wrong in the past and you just have like a book somewhere and you’re just going through it. Crossing out line by line,

[00:38:33] W. Curtis Preston: Yeah. Yeah. Um,

[00:38:35] Prasanna Malaiyandi: awkward silence. He didn’t deny it. He might actually have a book.

[00:38:39] W. Curtis Preston: I don’t know. Maybe I might have a book. I’m just saying maybe I got it all up in here. You know, maybe

[00:38:45] Prasanna Malaiyandi: good with names. You’re not good with names. I

[00:38:47] W. Curtis Preston: Okay, dang it. Dang it. I am busted. I suck at names like literally. I mean people that I know and talk to all the time, it, it hasn’t happened to me with you yet, but I’ve had people that I’ve known for years and then I’ll be talking to ’em and I’ll be in the middle of a conversation with him and I’ll realize, I can’t remember this person’s name.

[00:39:13] Prasanna Malaiyandi: This happened to me the other day, I was on a video call and I was talking to the person. And for some reason, my mind just went blank. And luckily though they had the name of the person at the bottom of the screen. I was like, oh, thank God. It’s like someone I interacted with so much. Like I was like, I should know this.

[00:39:32] W. Curtis Preston: Yeah. And I met a, I met a new person, one of the folks that worked with me at the election and, uh, his name is, is Allen. I had to think about it for a minute. And the reason I had to think about it was because somebody else started calling him, Larry, his name’s not Larry. They, they reminded him of Larry.

And so they started calling him Larry, and then halfway through the election. He just turns his badge over and he puts his, puts his name as Larry I’m like, okay, for a guy like me, that is not helpful. Like, I

[00:40:04] Prasanna Malaiyandi: You’re like it’s already hard enough keeping track

[00:40:06] W. Curtis Preston: it’s already hard enough. And then he added another he’s like, well, my dad always called me Bob or something like that.

I was like, grrrr, like stop.

[00:40:14] Prasanna Malaiyandi: That’s why like,

[00:40:17] W. Curtis Preston: Yeah. Anyway. All right. Well, thanks

for discussing the, the RSA conference with me

[00:40:23] Prasanna Malaiyandi: how’s it going? Anytime, Curtis, and go enjoy your beer.

[00:40:27] W. Curtis Preston: I will definitely do that. And remember folks out there. Thanks for listening. And remember to subscribe so that you can restore it all.


Join the discussion

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: