
Breakfast Bytes - Verizon 2017 Data Breach Digest Review

3/3/2017, 3/17/2017, 4/7/2017, 5/20/2017



Verizon RISK Team 2017 Data Breach Digest

Lessons learned from the elite Verizon RISK Team and their last 12 months' adventures assisting clients with breach assessment, termination, and remediation.

MP3 - Verizon Risk Team 2017 Data Breach Digest - Part 1

MP3 - Verizon Risk Team 2017 Data Breach Digest - Part 2

MP3 - Verizon Risk Team 2017 Data Breach Digest - Part 3

MP3 - Verizon Risk Team 2017 Data Breach Digest - Part 4



QPC condenses and reviews the latest data breach digest and provides our own insight into the patterns seen by the RISK team.

Every year, the Verizon RISK Team puts out a new report covering the risk patterns they found most prevalent in the prior year. They often compare those patterns against previous years to see whether risk in each category is decreasing, increasing, or unchanged. We always get a lot of entertainment from the RISK team's no-nonsense approach.

This year, there sure were a lot of preventable issues, but some curveballs were in the list also.

Download the commented report here.


Select excerpts

"Over the previous three years, just 12 scenarios represent over 60% of our investigations." - page 3

This has big implications for most organizations: if you can learn how to mitigate the risks presented in those 12 scenarios, you can significantly reduce your organizational risk.

"80% of data breaches involve exploitation of stolen, weak, default, or easily guessable passwords."

Common CMS attack chain of events - page 56

Top five victim-controllable investigative challenges - page 81


Summary themes

Not surprisingly, all of the cybersecurity kill-chain recommendations that QPC has advocated for years kept coming up as items that could have prevented most of the breaches described in the report.

  • Use a perimeter security appliance as your core router, or enforce the same level of security between subnets/VLANs with security software running on the switches.

  • Employees with access to sensitive data should only access it from restricted systems. The employee should have a second computer, with a second user account, for risky activities such as email and web browsing.

  • Use network security rules to prevent access to anything but the absolute necessities from engineering or finance operations computers.

  • Traditional "anti-virus" is a dead strategy, since it relies on signature-based detection. Instead, use a full endpoint security or host-based security product that includes anti-malware, script blocking, URL filtering, anti-ransomware, and USB blocking.

  • Use Geo-IP blocking and deny access to all countries that you do not specifically do business with. If you find that minor exceptions need to be made, exempt the specific resource, not the entire country.

  • Use full DPI and proxying of network traffic, including application control. Do not allow malware to phone home and install things like command-and-control remote access trojans and keystroke loggers.

  • Scan for and block APTs at the network layer.

  • Use reputation-enabled defense at the network layer and in endpoint security.

  • Use botnet detection and blocking at the network layer.

  • Note that DLP can be evaded by the use of encryption and atypical transmission mechanisms such as DNS data exfiltration.

  • Implement a SIEM system with full log capture and retention, with daily reports for analysis of any anomalies.

  • Train employees so they don't fall prey to social engineering attacks.

  • Finance managers should tell IT right away if they think their computer is "acting funny."

  • Use multi-factor authentication with every system that supports it. If a system does not support MFA, ask why you are still using it.

  • All websites that use forms-based authentication should sit behind a WAF (web application firewall). The WAF should provide GeoIP blocking, SQL injection blocking, DDoS protection, and protection against direct URL entry.

  • It should be impossible from a network connectivity standpoint to traverse to the rest of the secure network from the corporate public facing website.

  • Port 3389 (RDP) should be restricted to allow incoming connections only from authorized subnets or the authorized IP addresses of management computers. This is normally configured in Windows Firewall policy by GPO.

  • Restrict sources for WMI and WinRM calls to be authorized IPs only.

  • Use a security consultant to assist you in vetting a POS vendor. Many POS vendors have no idea about security. They claim they are PCI compliant, but their systems tell a very different story.

  • Remote access should be MFA-enabled and only allowed from specified whitelisted IP addresses.

  • NEVER use shared logins.

  • Never use USB flash drives whose complete and total history you do not know.

  • Users should never have administrative access or the ability to escalate privileges to admin using the same credentials.

  • Filter egress traffic to ensure that any malware trying to phone home is blocked regardless of what kind of traffic it masquerades as. Anything that is not proxied or whitelisted should be blocked.

  • Don't use unpatched server systems that are open to the internet. Seriously. Some fools are still doing this.

  • *** Have a strategic plan to maintain your systems and keep them secure and fully patched. Have a strategic plan to upgrade them regularly. Have a plan to upgrade business server-based applications at least twice per year or as recommended by the application vendor.

  • Budget for annual support for all your infrastructure and systems.

  • Secure and filter the guest network.

  • Malicious bank insiders can wreak a lot of havoc. Put controls in place to look for and alert on changes that violate policy.

  • Patch all CMS installations and put a sophisticated WAF in front of them.

  • Use LAPS so that the local admin passwords on all systems are different and the passwords are changed regularly.

  • Use an email system that has the ability to scan for and block malicious URLs or scripts in the email.

  • Harden Active Directory and admin security practices to prevent cached credential theft and exploitation.

  • Force password change on all employees regularly.

  • Prohibit access to cloud-based file sharing resources that are not required for legitimate business purposes.

  • Prevent access to personal email and non-work related websites.

  • Maintain DNS logs for all internal DNS servers.
    Block internal systems from accessing anything other than authorized DNS servers.
    Prevent any DNS egress except from authorized systems.
    Use a DNS proxy.

  • Patch applications on endpoints such as Flash, Reader, Java within 48 hours of the patch's release.

  • Stop using flat network design and get with the 21st century.
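As an added example illustrating the port 3389 and WMI/WinRM restriction bullets above (this is not QPC's code and is not taken from the Verizon report), the PowerShell below re-scopes the built-in Remote Desktop and Windows Remote Management rule groups to management sources, sets the inbound default to Block, and then audits every enabled inbound TCP Allow rule on a sensitive port whose remote-address scope is still Any. The management subnet and jump host (`10.0.50.0/24`, `10.0.51.10`) are assumed placeholders.

```powershell
# Added example (not from the QPC page or the Verizon report): scope inbound
# RDP (3389) and WinRM (5985/5986) to management sources, then audit for any
# enabled Allow rule on those ports that still accepts connections from Any.
# $ManagementSources is an assumed placeholder for the admin VLAN / jump hosts.

$ManagementSources = @('10.0.50.0/24', '10.0.51.10')
$SensitivePorts    = @('3389', '5985', '5986')

function Set-ManagementOnlyAccess {
    param([Parameter(Mandatory)][string[]]$Sources)

    # Re-scope the built-in rule groups rather than adding parallel rules, so the
    # stock "Remote Desktop" rule cannot remain enabled with RemoteAddress = Any.
    foreach ($group in 'Remote Desktop', 'Windows Remote Management') {
        Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
            Set-NetFirewallRule -RemoteAddress $Sources -Profile Domain
    }
    # Anything not covered by an explicit Allow rule stays closed on every profile.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
}

function Get-OpenManagementRule {
    param([string[]]$Ports = $SensitivePorts)

    # Emits one object per enabled inbound TCP Allow rule that listens on a
    # sensitive port (or on Any port) and whose remote-address scope is still Any.
    # Port ranges such as 1024-65535 are not expanded and need a separate check.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule       = $_
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -ne 'TCP') { return }

        $portScope = @($portFilter.LocalPort)
        $hitPorts  = @($Ports | Where-Object { $portScope -contains $_ })
        if ($hitPorts.Count -eq 0 -and $portScope -notcontains 'Any') { return }

        $addr = $rule | Get-NetFirewallAddressFilter
        if (@($addr.RemoteAddress) -contains 'Any') {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Ports         = if ($hitPorts.Count) { $hitPorts -join ',' } else { 'Any' }
                RemoteAddress = @($addr.RemoteAddress) -join ','
            }
        }
    }
}

# Usage (elevated PowerShell on a test host): apply the scoping, then audit.
Set-ManagementOnlyAccess -Sources $ManagementSources
Get-OpenManagementRule | Format-Table -AutoSize   # expect no rows once scoping is in place
```

The same restriction is pushed by GPO from the Scope tab (Remote IP address) of each rule under Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security; the audit function is the check to run afterwards, because a locally created rule or a vendor installer can re-open the port with a remote scope of Any even when the policy rules are correct.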
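As an added example for the DNS logging bullets and the note above that DLP can be evaded by DNS data exfiltration (this script is mine, not QPC's, and not from the report), the PowerShell below triages a DNS query log in two ways: it flags clients that bypass the authorized resolvers, and it flags query patterns typical of DNS tunnelling, namely long high-entropy leftmost labels and many unique names under one parent domain from a single client. The log lines and the `time client resolver qtype qname` export format are constructed for the example and are not a real DNS server's log layout; the authorized resolver list and the thresholds are assumptions to tune per environment.

```powershell
# Added example (not QPC's code): triage a DNS query log for clients using an
# unauthorized resolver and for query patterns typical of DNS tunnelling.
# The log lines below are constructed; the field order
# "<time> <client> <resolver> <qtype> <qname>" is an assumed export format.

$AuthorizedResolvers = @('10.0.1.10', '10.0.1.11')   # assumed internal DNS servers

$DnsLog = @'
time client resolver qtype qname
2017-03-03T10:15:01 10.0.20.15 10.0.1.10 A www.microsoft.com
2017-03-03T10:15:02 10.0.20.15 10.0.1.10 A login.live.com
2017-03-03T10:15:05 10.0.20.31 8.8.8.8 A www.example.org
2017-03-03T10:15:07 10.0.20.15 10.0.1.10 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.sync.cdn-example.net
2017-03-03T10:15:08 10.0.20.15 10.0.1.10 TXT knswi3dpnfqwwzlufz2w2zldn5xgk4tfmfygk2ltn5rc.sync.cdn-example.net
2017-03-03T10:15:09 10.0.20.15 10.0.1.10 TXT nzxxezlwmvzcaytfmvxcazlyorzgc3lfnryw4ylufz2g.sync.cdn-example.net
2017-03-03T10:15:10 10.0.20.15 10.0.1.10 TXT pbxxk4tfmfygkidumhsxe5dimvzdgmjsgmydcmbrgawd.sync.cdn-example.net
2017-03-03T10:15:11 10.0.20.15 10.0.1.10 TXT obxwc5dfobvsayzbmiqhgzlrmvxgg2lomq2dgmrtge2t.sync.cdn-example.net
2017-03-03T10:15:12 10.0.20.42 10.0.1.11 A mail.example.com
'@
$Queries = $DnsLog | ConvertFrom-Csv -Delimiter ' '

function Get-ShannonEntropy {
    # Bits per character of the label; random base32/base64 payloads score high,
    # human-chosen hostnames score low.
    param([string]$Text)
    if (-not $Text) { return 0.0 }
    $counts = @{}
    foreach ($c in $Text.ToCharArray()) { $counts[$c] = 1 + [int]$counts[$c] }
    $n = $Text.Length
    $h = 0.0
    foreach ($k in $counts.Keys) { $p = $counts[$k] / $n; $h -= $p * [math]::Log($p, 2) }
    return [math]::Round($h, 2)
}

function Find-DnsAnomaly {
    param(
        [object[]]$Queries,
        [string[]]$Resolvers,
        [int]$MaxLabelLength = 30,    # assumed thresholds; tune per environment
        [double]$MaxEntropy  = 3.5,
        [int]$MaxSubdomains  = 4
    )
    $findings        = New-Object System.Collections.Generic.List[object]
    $perClientDomain = @{}

    foreach ($q in $Queries) {
        # Rule 1: the client is not talking to an authorized internal resolver.
        if ($Resolvers -notcontains $q.resolver) {
            $findings.Add([pscustomobject]@{ Rule = 'UnauthorizedResolver'; Client = $q.client; Detail = "$($q.qname) -> $($q.resolver)" })
        }
        # Rule 2: leftmost label is long, or moderately long and high-entropy (encoded payload).
        $labels = $q.qname.Split('.')
        $first  = $labels[0]
        $ent    = Get-ShannonEntropy $first
        if ($first.Length -ge $MaxLabelLength -or ($first.Length -ge 20 -and $ent -ge $MaxEntropy)) {
            $findings.Add([pscustomobject]@{ Rule = 'SuspiciousLabel'; Client = $q.client; Detail = "$($q.qtype) $($q.qname) (len=$($first.Length) entropy=$ent)" })
        }
        # Rule 3 bookkeeping: unique names per (client, parent domain). Parent domain is
        # approximated as the last two labels.
        if ($labels.Count -ge 3) {
            $parent = $labels[-2..-1] -join '.'
            $key = "$($q.client)|$parent"
            if (-not $perClientDomain.ContainsKey($key)) { $perClientDomain[$key] = @{} }
            $perClientDomain[$key][$q.qname] = $true
        }
    }
    foreach ($key in $perClientDomain.Keys) {
        $n = $perClientDomain[$key].Count
        if ($n -gt $MaxSubdomains) {
            $client, $parent = $key.Split('|')
            $findings.Add([pscustomobject]@{ Rule = 'SubdomainFlood'; Client = $client; Detail = "$n unique names under $parent" })
        }
    }
    return $findings
}

Find-DnsAnomaly -Queries $Queries -Resolvers $AuthorizedResolvers | Format-Table -AutoSize
```

On the constructed log this reports one UnauthorizedResolver finding for 10.0.20.31 (querying 8.8.8.8 directly, which the egress rule in the bullet above should block), five SuspiciousLabel findings for the TXT queries from 10.0.20.15, and one SubdomainFlood finding for the same client under cdn-example.net. The detections only exist if the internal DNS servers actually log queries and if workstations are forced through them, which is why the logging, egress and proxy bullets belong together.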