From YouTube: Data Breaches During the Pandemic
So just to kick things off, I really wanted to just describe who F5 Labs are for those that are familiar. We are a threat research team as part of F5 Networks, and as part of that threat research, what we aim to do is collect as much real-world attack data and threat data as we can to produce freely available reports that we publish on f5labs.com. Some of the data that we get comes from our internal security and customer incident response teams, but we also work with some of the newly acquired businesses that F5 have brought under the F5 umbrella over the past year, including Shape Security, Silverline and Volterra. But we also work with external data providers such as Webroot, such as the GitHub Security Alliance, and we partnered with a company called Deflectio to collect a huge amount of attack traffic that they are monitoring and capturing all across the world.

So what we've seen across 2020 is a slight change in attack behaviour, and what we've aimed to do is make this easily digestible for everyone, and so we've updated our findings in our newest Application Protection Report series. It's available again on f5labs.com, and essentially in that, what we do is combine the data, as I've just described, from internal and external threat research organizations, but we also collect data from data breach notifications.

So we go through thousands of these letters by hand and we drag out the information, some of which is very detailed and explains exactly how an attack was compromised, and in some cases just alludes to the fact that email was compromised by attackers. So over the past 12 months, there were really three things that stood out to us.

The first was that email compromise is still a huge problem: that's both from attackers getting access to credentials and logging on to staff member inboxes and stealing data, as well as data accidentally being disclosed via email chains. Ransomware has seen a huge rise over the past year. We think likely due to the pandemic and more and more people working from home. And there's also been a sharp uptick in the amount of credit card sniffing across the web as well.

So I think it's useful to look back at other years and see how 2020 was different to previous years, and what we've always seen for a good couple of years now is that what we call access-related attacks have been significantly the number one method which attackers use to steal data. For 2018 and 2019, 49 percent and then 52 percent of all breaches were as a result of some compromise at the access layer. Now, when I talk about access, what we're referring to is really, essentially, the human being.

It's you and I, it's the person that is interacting with an application. So that could include email. Sorry, it could include attacking methods such as social engineering. It could be brute force password guessing, it could be password credential stuffing attacks, it could be malware that's stealing passwords from keyboard entry. Really anything that's attacking the human layer, or the method of authenticating or gaining access to an application, is what we call that.

Web-based attacks are sort of significant threats, holding kind of second place: around about 18 to 19 percent of all breaches were a result of some web-based system or API being compromised. But when we break this down between different sectors, what we see is a differentiation between how different sectors are attacked. So, for example, if we look at public bodies, we can see that the majority of their breaches were as a result of malware.

It could be malware stealing data, it could be malware deploying ransomware, which then hijacks that data and asks for a ransom. Other industries, such as retail, for example, face a different kind of threat vector, predominantly speaking. For the last year again, we saw retail trade majorly being affected by web-based attacks. So attackers essentially looking to compromise and exploit a vulnerability on the website. It could be potentially injecting code to steal payment card or credit card details, and so on.

So it really does depend what sector you find yourself in as to what the primary kinds of threats will be that you face, but, as I said, access-based attacks are typically the most common, largely because they're the easiest for attackers to exploit, and for the past couple of years we've seen that a significant number of the support cases logged to the F5 Security Incident Response Team have been something to do with password-based login attacks.

So a really significant proportion of all support cases that are logged are to do with password-based logins, and in fact we actually saw an uptick over the last year, going from around about just under 30 percent to around about 36 percent in 2020.

It's easy for attackers to perform these kinds of, often web-based or social engineering-based, attacks to get access to password databases, and, typically, what we're seeing is that the way passwords are then being stored is not very well performed; they're not very well encrypted or hashed. So again, looking at a breakdown for the past few years, we see a bit of a change in terms of those password databases and how the passwords were being stored. Now, in 2019 things were not very good.

Now in 2020, thankfully, we saw many, many more incidents in which passwords were hashed with what's known as the bcrypt algorithm, actually a very secure password algorithm. Now, why it's important to store our passwords securely is that, you know, many of us now really have to assume breach.

At some point, we have to assume that attackers will gain access to our systems, which is why we need a multi-layered approach to security, and one of the layers that we can approach password security with is by ensuring that we're storing them securely using an algorithm such as bcrypt.

Now, if passwords are not stored securely, if they're not hashed, or if attackers are able to reverse the hash, essentially for password database dumps, then there are a number of different password-based attacks that can be performed. The most common, that I think most people are familiar with, are brute force attacks. Now, in this case, an attacker might try to gain access to one account. I've given an example of a fake email address of mine here, davidw@f5labs.xyz, and for my email address there are many, you know, top 10,000, top 100, top 1 million password lists freely available on the web. But they may also use some algorithm to help change it, so they might remove vowels in a password and swap them for special characters or numbers, which is typically what lots of users do when thinking of their passwords.

Now, by contrast, we're seeing a huge increase in the number of attacks that we call credential stuffing attacks, and in this case attackers are not necessarily going after one particular user. They're essentially looking for any account which might gain them access to a system, and the reason this attack is so successful is that many of us keep reusing the same passwords across multiple sites. It could be our banking sites, to corporate systems, to Google and Yahoo accounts.

We frequently keep using the same passwords, so the attacker knows that a password stolen from, for example, a Yahoo data breach may well be successful in trying to log into my bank account. And so in this case the attacker uses automation to try and log into dozens or hundreds or thousands of different websites using multiple different password and email address combinations, and what we see is roughly a one to three percent success rate, which doesn't sound very high. But when you consider that attackers have got potentially millions, or tens or hundreds of millions, of known good email and password combinations from someone else's data breach, actually a one to three percent success rate could mean that they're logging into tens or hundreds of thousands of accounts.

This kind of attack is heavily automated. They will hide their attacks through proxies, through bots. They will typically be performed very low and slow, which means that the common ways of identifying and detecting brute force login attacks don't work. We can't simply perform a password lockout, sorry, an account lockout, because it's a different account being attacked every single time.

Quite often, the attacks are coming from different IP addresses with different identifiers, so it's very, very hard to identify the kind of credential stuffing attack that is actually happening. Now, also during the past year, or during 2020, during the time that many of us were suffering with the implications of the pandemic, we saw a huge, huge rise in the amount of phishing and social engineering attacks that were being conducted.

Overall, we saw about a 15 percent year-on-year increase from 2019 to 2020 in social engineering and phishing attacks, but drilling down specifically into certain, you know, months over the year, we saw a roughly 220 percent increase in the number of incidents being logged to F5 to do with social engineering and phishing attacks.

You know, many emails claiming to have information about the COVID-19 vaccines, or spreading misinformation, or promising, you know, updates, and they would send malicious links, they would send malicious attachments, all using these tricks, purporting to come from trusted organizations such as the World Health Organization.

You know, there are a huge number of pros and cons in terms of encrypting traffic on the web, but clearly what's happening is that phishers and other threat actors are using encryption and valid HTTPS certificates to protect their fraudulent sites, because they know that if they don't present valid certificates, if they don't have the padlock in the corner of the address bar of the browser, the victims may be suspicious and may be wary about visiting that site.

So last year we saw a rise in the number of phishing sites using encryption. It's now up to 72 percent of all those phishing sites that use valid encryption, and actually a hundred percent of drop zones were using encryption.

Now, drop zones are attacker-controlled servers where stolen data is sent to, so clearly a huge number of malicious sites are using encryption, which is why it's so important that we have some kind of method and tactic and policy in place to be able to look inside that encryption and filter where traffic is going.

What we also saw last year was a slight increase in the amount of what we call real-time phishing proxies being used, and these are unique because real-time phishing proxies, as the name suggests, have attackers logging on to victims' sites, maybe banking sites, as they are being phished. So typically what happens with phishing sites is that attackers will build a fraudulent phishing site.

They will send the link out to potentially millions of potential victims and then sit back and wait to collect credentials. Now, because more and more banking sites and retail sites are using things such as multi-factor authentication, or maybe additional security questions which change randomly every time the user logs in, the attacker knows they need to be there ready to pounce as the user, as the victim, is logging in to the phishing site.

Now, as the banking site or retail website asks for a two-factor PIN or asks for a security question, the user can enter it, but because the attacker sees this in real time, it lets them log into the bank and perform fraudulent transactions at that moment in time. And this just makes it increasingly difficult to, you know, not only identify phishing websites but be able to, you know, block and restrict these fraudulent transactions as they're occurring.

Now, as well as access-related attacks, we talked about, or mentioned at the start, web-related attacks, and this is just a simple chart from the honeypot of the kind of attack traffic that we saw over 2020. The majority of attacks are looking to log into some kind of web root or some kind of administrator access to the website.

But if you scan down you'll see a number of attacks looking for a particular CVE. So a huge amount of attack traffic is just scanning the web, constantly looking for websites which are out there that aren't being updated, that are vulnerable to a brand new vulnerability or CVE which has just been announced.

Now, in some cases these vulnerabilities are brand new, and what was really interesting is if we look back to the FireEye breach of a few months ago. We realized that an awful lot of their red team or attacking tools that they used were based on vulnerabilities, known vulnerabilities. These weren't proprietary or unique to FireEye.

And again, if we look at the average age of those CVEs, we see that some of them are almost seven years old. The average age of all the CVEs that they use was just over two years.

So this means that FireEye, for example, know, and attackers know, that even though a vulnerability has been announced and patches are probably available, many, many organizations, many, many systems aren't able, or aren't even aware, to go and patch those systems. So they know that there are thousands or tens of thousands of vulnerable systems out there that haven't been patched for an exploit that was announced years ago.

You know, accidentally open systems: a gray hat site actually called grayhatwarfare.com proactively scanned the entire web looking for open Amazon S3 buckets and Azure blobs. Now, in many cases these buckets are used to store PDFs or files that we want to give access to, you know, to our customers, but in many cases access to these systems is accidental.

Many APIs are simply put out on the web and not correctly authenticated and not correctly secured. So it's clear, then, really, I think, that the number one cause of breach across the entire spectrum of on-prem, web, cloud, API-based deployments really comes down to, you know, a lack of authentication and authorization. So just to conclude very briefly, and not to scan through all of these, really visibility is key, not just in terms of knowing what assets and cloud systems and APIs you have, but visibility in terms of the traffic as well.

Really, it needs to be, you know, least-privilege access, absolutely deny by default, and only provide access and authorization to the people and systems and devices that actually need it. Patching really, really has to take priority. We can't sit back on our laurels. Even for non-critical web systems, attackers are constantly scanning and looking for open and unpatched systems, so really having a robust patching policy in place, really, I think, needs to be.
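The speaker's point that per-account lockout cannot see credential stuffing, because every attempt lands on a different account from a different IP, is worth showing in code. The block below is an added example written for this page; it is not from the F5 Labs talk and not F5's own detection logic. The log format, the sample log lines and every threshold are constructed for the demo. It runs the classic per-account lockout and an aggregate detector over the same constructed log, which holds one brute-force burst against a single account and one distributed credential-stuffing run against twelve accounts.

```python
"""Per-account lockout vs. aggregate credential-stuffing detection.

Added example, not from the talk. The auth log format
("<ISO timestamp> <OK|FAIL> user=<name> ip=<addr>"), the log lines and
the thresholds below are all constructed assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


def build_sample_log():
    """Constructed log: a brute-force burst at 10:00 (one account, one IP,
    eight password guesses then a hit) and a credential-stuffing run at
    11:00 (twelve accounts, twelve IPs, one guess each, two hits)."""
    lines = [f"2020-11-02T10:00:{s:02d}Z FAIL user=alice ip=198.51.100.7"
             for s in range(0, 16, 2)]
    lines.append("2020-11-02T10:00:17Z OK user=alice ip=198.51.100.7")
    for i in range(12):
        result = "OK" if i in (3, 9) else "FAIL"   # ~17% hit rate, as in replayed breach dumps
        lines.append(f"2020-11-02T11:{i // 6:02d}:{(i % 6) * 10:02d}Z {result} "
                     f"user=user{i:02d} ip=203.0.113.{10 + i}")
    return lines


SAMPLE_LOG = build_sample_log()


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ok: bool
    user: str
    ip: str


def parse_log(lines):
    """Parse the constructed log format into time-ordered AuthEvents."""
    events = []
    for line in lines:
        ts_s, result, user_kv, ip_kv = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(ts, result == "OK",
                                user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]))
    return sorted(events, key=lambda e: e.ts)


def per_account_lockout(events, max_failures=5):
    """The classic brute-force control: lock an account after N failures.
    Returns the set of accounts that would have been locked."""
    failures = defaultdict(int)
    locked = set()
    for e in events:
        if e.user in locked:
            continue
        if e.ok:
            failures[e.user] = 0
        else:
            failures[e.user] += 1
            if failures[e.user] >= max_failures:
                locked.add(e.user)
    return locked


def detect_credential_stuffing(events, window_seconds=300, min_accounts=10,
                               max_attempts_per_account=2.0, min_failure_rate=0.7):
    """Aggregate view over tumbling windows: many distinct accounts, about
    one attempt each, mostly failing. Per-account counters never fire on
    this shape; the population-level counters do. Returns one summary per
    suspicious window, including which accounts the campaign got into."""
    windows = defaultdict(list)
    for e in events:
        windows[int(e.ts.timestamp()) // window_seconds].append(e)
    flagged = []
    for bucket in sorted(windows):
        evs = windows[bucket]
        accounts = {e.user for e in evs}
        attempts_per_account = len(evs) / len(accounts)
        failure_rate = sum(not e.ok for e in evs) / len(evs)
        if (len(accounts) >= min_accounts
                and attempts_per_account <= max_attempts_per_account
                and failure_rate >= min_failure_rate):
            flagged.append({
                "window_start": datetime.fromtimestamp(bucket * window_seconds, tz=timezone.utc),
                "accounts": len(accounts),
                "source_ips": len({e.ip for e in evs}),
                "attempts": len(evs),
                "failure_rate": round(failure_rate, 2),
                "compromised": sorted(e.user for e in evs if e.ok),
            })
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("lockout caught:", per_account_lockout(evs))          # only the brute-forced account
    for hit in detect_credential_stuffing(evs):
        print("stuffing window:", hit)                           # the distributed run
```

Run as-is, the lockout catches only `alice`; the twelve stuffed accounts never reach the failure threshold, so the two successful logins in that run would pass unnoticed. The aggregate detector flags the 11:00 window on the count of distinct accounts, the one-attempt-per-account shape and the failure rate, and lists the two accounts whose reused passwords worked, which is the list an incident responder needs for forced resets. In production the same counters would be keyed by tenant or login endpoint and paired with the proxy and bot signals the speaker mentions, since the source IP count alone says little once attackers rotate through residential proxies.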