Welcome to another episode of “A Little Privacy, Please!”
Today, we’re thrilled to introduce two guests we regularly collaborate with in the real world: Tony Martino, President of Anjolen, and Rolin “Bud” Peets, Chief Protection Architect at Harbor IT. Each of us brings a unique set of experiences to our clients, helping them investigate, mitigate, and remediate cybersecurity and data breach incidents. In today’s episode, we discuss best practices and insights for handling these breach situations.
So, Tony and Bud, welcome to the show—let’s dive right in!
Let’s begin by outlining your respective roles in a cybersecurity and data breach incident.
Rolin “Bud” Peets (RBP): We’ll use our last big case as an example because it was really all-encompassing.
Harbor IT came in after we received a call that one of our brand-new customers was in trouble due to a potential incident. Harbor IT helps contain, identify, and conduct initial investigations regarding the threat actor involved in that particular incident. That’s the IT side. Separate from that is Harbor IT Cyber, which I lead. I stepped in from a cybersecurity and data privacy perspective. I’m certified in both and try to straddle that fence.
We quickly realized we had issues that would likely lead to some type of reporting, and we weren’t entirely sure what was happening in the customer’s tenant. We needed expertise, like forensics expertise, and that’s where we all came together.
Tony, Anjolen, and their great team, along with Jenny Holmes and Nixon Peabody, were fantastic. We pulled those pieces together, and that’s how we partner on these things. We move quickly, recognizing the significance and getting the right people involved. We facilitate the response and remediation. Now we’re fully engaged in IT management from a Harbor IT perspective, and I’m building out their security program.
Tony Martino (TM): Anjolen comes to the table in these types of incidents very much on a cybersecurity incident response basis. Our skillset is rooted in cybersecurity assessments, penetration tests, risk assessments, and vulnerability assessments. We bring a whole suite of incident response capabilities to the client. Most specifically, as Bud mentioned, digital forensics.
It’s our ability to examine the evidence and artifacts left after an incident has occurred, helping our client understand how the threat actor gained access, compromised, breached, etc. We then collectively assist them in plugging those holes and mitigating those gaps.
Lastly, using our skills, especially digital forensic skills, we help the customer recover where possible, retrieve lost data, and get their entire operation back on track.
If you could offer just one crucial piece of advice to a company or organization aiming to avoid becoming the next data breach victim, what would it be?
TM: The one thing is protecting your data. Cybersecurity is so holistic. There are so many things to pay attention to, including physical security and data security, both external and internal. To me, if you can lock up and protect your information through a process we normally refer to as encryption, wherever that data is—whether at rest, in storage, or being transmitted to another party, a customer, a vendor, or an employee—using high-level modern encryption to protect and secure data wherever it lies is probably the greatest thing you can do to secure it.
Could you elaborate on how encryption is used to protect data? Additionally, are there instances where bad actors can exploit encryption?
TM: Like so many tools, encryption can be a double-edged sword.
So, how is it used? Practically, encryption at its core is taking information and scrambling it. The key to unscrambling it is very sophisticated and, with modern encryption, just can’t be recovered by a threat actor at will.
So, thinking about if I need to transfer sensitive information about my employees to the company that handles our payroll, taking that data and securing it using strong encryption so that as it’s passing through the email system, passing through the internet, even when it lands at the payroll company’s computers, we want to control who is allowed to access it and who’s allowed to turn it back into that humanly readable data. And strong modern encryption can do that for us.
It can also help protect even against physical theft using encryption on phones and laptops and external media like thumb drives. Should any of those get lost or stolen, encryption could ensure that no one else can discover the data.
Can encryption be used against us? Unfortunately, the answer is yes. The most common case is ransomware, where a threat actor intrudes on a customer’s network or data storage location and encrypts their data, the customer’s data, the target’s data, in a manner that can’t be reversed easily. The threat actor then holds that data hostage for ransom until the victim pays up.
So yeah, encryption is our savior, but sometimes it can also be a threat as well.
Data backups are crucial for an organization to recover and resume operations after a breach. What advice would you give to a smaller company or nonprofit that may not have a large IT team or budget? How should they set up their backups to ensure they can seamlessly get back to business after an attack?
RBP: To me, it’s crucial for any company, whether small or large, to know what data they collect, store, process, and transmit. For example, personally identifiable information or business confidential data. The key is knowing what it is, where it is, and whether you are backing it up.
If you’re hybrid, like most organizations now, make sure that your MSP or third-party service provider is backing it up for you. Don’t assume they are; it may be an additional service you have to purchase. Know where it is, know what it is.
Additionally, consider your obligations from a regulatory or legal perspective regarding retention. I fully believe in the minimization of data and systems—the less you have, the better off you are. Hopefully, these concepts come together to help minimize risk for an organization.
Regarding backups, use reputable cloud-based service providers or some other type of replication that will protect you and your data from being impacted by ransomware.
We’ve been discussing a breach we recently worked on together, and I noticed that both of you mentioned the hacker didn’t fit the typical profile. What would you say defines a “typical” hacker these days, and what trends are you observing?
TM: I say this almost tongue in cheek; I tell people, these aren’t your father’s or your grandfather’s hackers anymore.
We have this notion in our head, largely driven by media and movies, of hackers being teenage kids living in their mother’s basement, wearing a dark hoodie, no lights on, and really just poking around, not for a reason. Maybe just for the fun of it, maybe just to prove they can, occasionally to get someplace that’s of value to them, like changing their high school grades.
That’s not what we’re facing anymore in the world. Today, it’s a business. Hackers are very well organized. In some cases, they’re nation-state backed—you’re talking about an entire country training, funding, and equipping a team of hackers the same way you would train, fund, and equip a military group. That’s what we’re facing.
And the name of the game today, in some places, is things like national secrets and espionage. But for our purposes and the clients we work with, the name of the game normally is money. And these are very, very efficient operations of highly skilled people who are operating like any large corporation you deal with. They have policies and procedures, and they have training programs and certifications. And it’s not as simple as just trying to shake off a 15-year-old who has a thing for your business and just keeps poking at you because they either don’t like you or they saw your sign driving down the street. We’re facing adversaries now with means, skills, and talents that, in many cases, overwhelm many customers’ abilities to defend against them.