Get ready to dive into the murky waters of cybersecurity with our guest, Matthew Wolfe, director of Cybersecurity Operations at Impero Software Solutions. Ever wonder what information is under threat in the photo/imaging industry? Ever consider the ramifications of mishandling sensitive data? Wolfe unveils the significant role of human error in data breaches and emphasizes the value of cybersecurity awareness in preventing attacks, particularly through email phishing scams. We also discuss the devastating effects of compromised server security, using the Los Angeles Unified School District hack as a chilling case study.
In the second part of the discussion with Gary Pageau of the Dead Pixels Society, Wolfe delves into the chilling realities of ransomware, remote access Trojans, and the importance of email security gateways. Through the discussion, he highlights the urgent need for school photography companies to protect children's personal information and provides insights into the alarming value of social security numbers on the dark web. Learn how to navigate the perilous path of cybersecurity and shield your business from these hidden threats.
Hosted and produced by Gary Pageau
Edited by Olivia Pageau
Announcer: Erin Manning
Welcome to the Dead Pixels Society podcast, the photo imaging industry's leading news source. Here's your host, Gary Pageau. The Dead Pixels Society podcast is brought to you by Mediaclip, Advertek Printing, and IP Labs.

Gary Pageau:
Hello again, and welcome to the Dead Pixels Society podcast. I'm your host, Gary Pageau, and today we're joined by Matthew Wolfe, who's the director of Cybersecurity Operations with Impero, and he's coming to us from Texas today. Hi, Matthew, how are you today?

Matthew Wolfe:
Great, and I'm happy to be here. How are you doing today?

Gary Pageau:
Doing good. Doing good. Now, cybersecurity is something that every business now has to deal with. It's unavoidable. There's death, taxes and cybersecurity, it seems like for most of the people, especially people in the market who are serving, you know, confidential pictures, such as school photographers, or you know you're doing wedding photography and you want to maintain the cybersecurity thing. What is the kind of definition of cybersecurity that your company uses? What do you consider your marketplace?

Matthew Wolfe:
For sure. So I guess my definition of cybersecurity may be different from others in our organization. Exactly, that's why I'm asking. Right, yeah, exactly. So, for my definition is if it has any sort of electronic mechanisms within it where ones and zeros may pass through it, even through the power outlet, because there's such a thing as ethernet over power, then that device has the capability of being exploited. And so cybersecurity to me is where you defend, not only in the physical environment but also in the internet networking environment as well.

Gary Pageau:
And what types of information? I would say, for example, you know, let's say you're running a retail store and you're selling cameras and prints and things like that, what type of information is a person looking to exploit your network looking for? What are they trying? What is their objective?

Matthew Wolfe:
For sure. So one of the most lucrative exploits that you can do is get credit card information or get different mailing addresses and different PII that you could be storing on one of your servers. But most of the time any information that's going to be exploited, the best bang for the threat adversary is going to be from the deep web. So you got the company's website. It's like the regular internet. Hold in Dropbox, your Google Drive or your server. If you have a server, that's the deep web. That's where majority of the internet resides and that's actually where majority of the exploits target and that's where most of the threat actors try to get into.

Gary Pageau:
Okay. So if someone has Dropbox, which many of my listeners do because they use that to transfer back and forth, right, and even though you may have bought Dropbox extra plan or whatever, you still are vulnerable with a platform like that, Dropbox specifically, but sort of like these pass-through environments like OneDrive, Dropbox, et cetera.

Matthew Wolfe:
You can be, absolutely. There's a funny saying where technology can be a great servant but a terrible master, and that's where a photographer could have all these thousands of photos in Dropbox and have it in one folder, but then they share it and say allow this whole folder to be accessible to anyone on the internet. Well, just one time, that link just has to be shared, and then it's shared again, and shared again and the whole world has access to that entire photographer's library of photos. So it's really a matter of exploiting controls that were not used to be exploited, but exploiting those normal controls to do something malicious with.

Gary Pageau:
So what are the typical things your company sees that are like mistakes typical business owners make when they have to share data, when they have to allow access? For example, you know, you have to allow a customer to have access to a folder with the pictures that they bought from you, for example.

Matthew Wolfe:
I would have to say to review. So just because I want to share something with some third party or contractor or even someone else internally, a lot of times when it gets into data loss prevention, someone is not there to review what I share. Just because I'm going to review everyone in the organization's social security numbers doesn't mean I should.

Gary Pageau:
So, and that's majority of the time, that's when an issue like this happens is that there's not a check and balance, there's not fault tolerance for, for people, a single. Just because this person commits a request doesn't mean they should inherently do it.

Gary Pageau:
So that's one of the things I think that most people aren't aware with cybersecurity, because you're the expert and I'm not, but from what I hear is it's when human beings are involved is when most of the breaches occur. It's either, you know, sloppy password management, it's sharing stuff they shouldn't over an open network, it's not using VPNs or whatever. So the human beings are the problem.

Matthew Wolfe:
I would say 100% of the time. So, but I would say, in my research and in our team's research of how we look at how organizations are being exploited, one of the number one ways is through email and I think it's going to continue to be through email because without the huge drive in all the organizations across the world to do cybersecurity training, to look at what a phishing email looks like, until basically the whole world is trained, you're still going to have people clicking on an email. And that's where I, with, you know, let's say, a photography company, the person in accounting, first week on the job they don't know what a good email compared to a bad email. They don't know that all the different sources of the good people sending emails in, so they're just clicking on every link, every link, and most of the time that's when the next way happens, because that attacker's trying to get into the deep web, right.

Gary Pageau:
So yeah, I mean I see that a lot of times. I mean I, as a business, I get those emails. You know, you've got an invoice from, you know, usually someplace like, you know, GoDaddy or Geek Squad or somebody. They're pretending to be somebody else and the email is just from, you know, so and so dot Nigerian Prince, dot something, something, something, right, so it's clearly a fishing expedition, but I mentioned there's a lot of people will fall for that.

Matthew Wolfe:
Yep, especially with how crafty you can get, because I would say in roughly about 30 minutes I can send you an email from PayPal. Now, given, if you have proper controls set up in your email box, it should be flagged. However, if it's not, then it's going to show from Matt Wolfe at PayPal.com and then she has email saying hey, you have $150 or $3,000 or $20,000 waiting to be sent to you. Click here to verify.

Gary Pageau:
And it looks like it's, that's the name, PayPal.com, and you're like, oh well, I have to click on this link without looking into a little bit further. Right, and that's where, in the cybersecurity industry, people have created tools in order to do those checks for you.

Gary Pageau:
So what can they do? For example, give me an example. Let's say someone sends me one of those links. I get a link from Matthew Wolfe at PayPal.com. It says, and I may not be the more person who normally deals with those emails, and I just see it comes in and says something like your order is ready, click here to do something and I click on that. So what can happen when that happens, when I'm the inexperienced or inattentive person who clicked on that, what danger have I put my company in?

Matthew Wolfe:
Oh, every bit of danger. The moment you click on that link, you're done. I have everything. So part of my background: I actually served in the United States Army as a cybersecurity non-commissioned officer and I was part of both the blue team and the red team at different points in time. So I have built custom payloads like exploiting people. I have done this. I have exploited things time and time again and basically, when you click on a link I can send you to wherever I get. Every credential you've ever put in I can do.

Gary Pageau:
I mean, so you can go right into the people's hard drive then and information there, it's not just the internet stuff, it's what's on the hard drive itself of the computer.

Matthew Wolfe:
Absolutely, because whenever you click on a link, I can make it where the website you go to does an automatic download and an automatic execute. So then basically, whenever I order or you think it's a file, and you click on the file, then it executes and then I own everything. So, yeah, it happens pretty quick.

Gary Pageau:
Yeah, I mean there's been several cases in the industry where this has happened and it's ransomware. It's different things that could happen. So, once you own everything, is it always that ransomware situation or is it just, I'm fishing for customer information? What is the most prevalent thing that happens there?

Matthew Wolfe:
It would have to be ransomware. Or at least it's what's discovered most of the time. But one of the more deadlier things in industries that create is a remote access Trojan. That's something to where this remote access Trojan allows an attacker to be able to have access to the computer at all times and you don't know about it. So the attacker is downloading all your files. This kind of goes back to that DLP, that data loss prevention. You don't know that you're sending files out to anybody and everybody and that is one of the most undiscovered exploits out there.

Gary Pageau:
Can your network be set up to detect that kind of traffic, or is that something that's maybe happening in such a way it's unnoticeable?

Matthew Wolfe:
Most of the time it's unnoticeable, unless you buy certain things to be able to catch that or see that. And that's where, in our organization, we have took every approach that we can think of to look at ourselves and be able to apply even our own tools to ourselves of how we can defend against all these adversaries out there, because there's something that's called the cybersecurity kill chain. This was first created, I think, back in, I don't know, 2015 or something, or 2009. I don't know. Oh, my gosh, ancient history. Ancient history, yes. And so basically most hackers out there, they get familiar with the cybersecurity kill chain because it systematically walks you through how to exploit something and the first step is reconnaissance. And so that's where, if you can attack the initial step first and then you keep on moving down the chain. I say attack, sorry, defend the first step first and then move down the kill chain, you posture yourself for a better defense, and that's where catch the bad link before you even get to your mailbox.

Gary Pageau:
And how could someone do that? Is there software? I mean, obviously everyone has a spam folder, everyone's got a junk folder and that sort of stuff. So the email platforms are trying to do some of that, but according to my mailbox they're not that successful.

Matthew Wolfe:
Right, exactly, and that's where there are going to be different email security gateway products or CASB (Cloud Access Security Broker) products that will inspect every email, inspect the source. To be a little too technical, they're going to look at the SPF, the DKIM, the DMARC, they're going to look at every one of these little small, granular details in the email that's coming through and they're going to set up their own thresholds. But then also they're going to have a holistic view across the globe of how other companies are seeing these emails.

Gary Pageau:
Right, because I imagine part of what they're trying to do is it's a spray and pray kind of situation. They're going after thousands of companies to get 3% or 4%. If they can do that, they're winning.

Matthew Wolfe:
Oh, even 1%. I mean it just takes one time. I mean it takes the Los Angeles Unified School District, I mean, and it could be just one email or one server that was available online, and then now they're losing hundreds of thousands of critical records, $100 million lost from one server being accessible.

Gary Pageau:
So let's talk about that, because that's kind of a famous example. Can you talk about that one?

Matthew Wolfe:
For sure. Basically, the information that was released about how things got in, it's very vague for a reason, and that's because, as a malicious person, you want to know how you got in or they got in. That way you can recreate it. So, basically, there were servers that were exposed to the internet that should not have been. And then, on top of it, there were certain features that were enabled that should not have been, and basically, these people exploited those vulnerabilities that should not have been there to begin with, should not have even been visible. It was almost like locking your front door but then leaving a key dangling next to the front door with a sticky note saying well, this is only for stone. So whenever they get here, and it is literally that easy and that simple is what basically happened.

Gary Pageau:
So what was the fallout from that? What kind of information was being obtained from that?

Matthew Wolfe:
Oh, even driver license number, social security numbers, because it was the student information as well. I mean, it wasn't just employee.

Gary Pageau:
And that's where, in the photographic industry, especially for, like we were talking about earlier before the broadcast, the school photography industry, this is sensitive information. This is not their own information, not even customer information, but the information about children, which can be very concerning to a lot of parents.

Matthew Wolfe:
And it should be. And the main reason why is because social security numbers sell for a lot on the dark web. You know I talked about, like the front web, the dark web. So the dark web. Yeah, a student, I mean someone under the age of 18, typically doesn't have a credit card, and so if you get 500,000 credit or social security numbers, those social security numbers from the school district are on you. So now you can commit fraud very easily and, on top of it, with the sheer amount that you've gained, if you sell them for two dollars a piece, then you're a millionaire.

Gary Pageau:
Right, so you don't have to deal again, you don't have to do it, you don't have to score big. You score less than 1% with that spray and pray routine and you'll do well on this. Exactly. So there's a high motivation to do it. So let's flip the script then on why people are doing it. Let's talk a little bit about what people can be doing to offset this or prevent it. Now we've talked a little bit about the human factor, right? I mean, train your people not to click on stuff. Put in some systems in place. Is there anything they can do from a technology standpoint to protect like, specifically like personal records or student IDs or things like that? Or is that just considered information? There's really not much else you can do with it.

Matthew Wolfe:
Well, they can do a whole lot of preventative measures, especially in something that's called a defense in depth strategy. We can even dive into a specific scenario, too, of like, well, let's say this happened. Let's say, would you want me to talk about, let's say, a photography company or like a school district, of what?

Gary Pageau:
they could do. Well, more like a school district, I think, would be interesting, because that's really where there's all great concern in the industry for that vulnerability.

Matthew Wolfe:
Absolutely. So, a school district. Basically, what they could do is, if their student information system or SIS system is in a certain VLAN or a certain network, restrict access to everyone except for those specifically like those people who need it. Then, for the people who actually need it, you can install certain software that prevents you from launching any unknown executables, what we talked about in the email earlier. You can put on an email security gateway, or CASB, to prevent any unknown emails from coming in or only accept certain emails, so that way that the SIS people or PIMS, whoever they are, they're accessing that SIS system. Whenever they click on or they are supposed to get the email in, well, it gets blocked. Let's say it gets through. They click on a download link. Well, now they try to click on the application. But yet if they use a product, I won't be very partial here, but Impero's Connect product, we can stop applications from launching. But if that person tries to click on it, well, they can't because Impero's Connect blocked it. That's where you have to look at it from an organization perspective, of what tools do I have to prevent something very bad from occurring? You have to start with yourself first and your own organization first, and then you build on it.

Gary Pageau:
What do you do, though, from a personnel standpoint? I would say, for example, you've got people like, oh, this cybersecurity stuff is a pain, I got to keep logging in. It won't let me do what I want to do. I got to get permission if I want to access this. Then people start writing their logins on Post-it notes or who knows what else things people do. If you're the IT administrator at this company, you've got to be a hard ass.

Matthew Wolfe:
That's what it seems like, but at the same time, in my experience, the reason why most people have to be that way is because they didn't plan ahead enough. Right. I say that very from experience where I rolled out certain changes that I did not think about everything or get enough input on and it bit me pretty hard. That's from that IT administrator. If you want to roll out SSO and multi-factor authentication with a physical token, if you want to roll that out in your organization, then get some champions to trial it first. Then, after they trial it, you work out all the hard angles and you get to most complicated people. You know who those people are.

Erin Manning:
Yeah, honestly.

Matthew Wolfe:
You get them to work on it first, because they're going to be your biggest critics. If you get them on board to be a champion and get them through, it's going to help 90% of all the other people.

Gary Pageau:
You solve the human problem with technology, with human beings, yeah.

Matthew Wolfe:
Absolutely. It goes back to technology can be a great servant but a terrible master. The thing is, you could have the most expensive firewall in the world. There are some fantastic companies out there that do this, but if somebody doesn't configure it right, it's just a paperweight.

Gary Pageau:
Right, let's talk a little bit. Before we start, you were talking a little bit about metadata, about how that can be a potential thing to exploit. On one hand, photographers love the metadata and the companies that serve the divers love the metadata because it has a whole host of important information, including copyright information, right, location, who shot it, what the rights are for that picture, etc. What are the dangers from your side with metadata? Because you were talking about, actually, it's a good idea to strip it out.

Matthew Wolfe:
Absolutely, yeah. I love talking about how I know exactly where my family is by the pictures that they upload on Facebook. I don't have a Facebook myself, but that doesn't mean I don't have access to Facebook. That's where I'm like, oh, hey, mom, or hey brother, hey sister, I know exactly where you are right now. I send them a text and I was like, how do you know? I'm like, well, because you're not stripping your metadata. However, it's going back to what you said. A lot of photographers like that metadata. That's where you got to take that double-edged sword and use it to your benefit and that's your exploit. If you know a company does not want, let's say, a photography company has to take pictures of classrooms and students are in there, and that school district wants a really tight security posture to say I don't want the geolocation of every single classroom to be out there and, as a photographer, you say, okay, I will strip that very specific geolocation of that picture and you still have all the other metadata that you gained from it. And that's where you take that double-edged sword and use it to your advantage rather than to your defeat.

Gary Pageau:
So what would, now talk a little bit about that process, because, you know, I mean, that sounds to me like that's onerous, is there? You know, obviously there's a script, maybe, that could be written or something like that, but that sounds pretty onerous to have to customize fields for, you know, clients.

Matthew Wolfe:
Yeah, I would say there's some software out there that you can bulk edit metadata off of pictures. It's been a few years since I've done even steganography, but even back then I was able to mask like tens of thousands of pictures and make it where I just strip out that one line item and it was the bulk change of removed geotagging, and/or from the camera itself before the shoot you can adjust the camera to not record that metadata. So I think it goes back to like a lot of preventative steps that you can do to make it where it's not administrative overhead, you know, overbearing or ominous.

Gary Pageau:
But what's the danger in metadata? I mean it's just, it's just place, time, location, doesn't it? Social security numbers? It doesn't have that kind of stuff. What's the problem with it?

Matthew Wolfe:
I'll tell you a really good one. I can talk about this one. So I had a friend. They went on vacation and they were posting pictures of vacation and, basically, you know, the whole family is gone. They left the house. However, they posted previous pictures of, like, you know, their family inside the house. Well, all those pictures were unsanitized. So, now someone who told me Facebook or Instagram down in those pictures, finding out the geolocation, saying, oh, they're from Texas, this is their house's geolocation and they're in Florida. Let me go to their house, break in, sell their stuff. And basically that's what happened. The thing is, in their pictures they did not show, you know, their living home security system or ADT. There was no visible signs of any cameras or anything. Right. So then, therefore, it was an easy target, right, and that's how pictures with the metadata led to an attacker having an easy target and stealing a lot of stuff.

Gary Pageau:
And most of them don't think about that because either they're ignorant of what's in metadata or they just think it's not going to happen to me, which I think is probably what these types of thieves are looking for. Are the thought it's not going to happen to me. Right? I mean, I probably every exploit your company's ever dealt with, the company, the person who's afflicted, calls you and says we never thought this would happen to us.

Matthew Wolfe:
Yep, absolutely, and I think that's where people believe that they're going to be safe, apparently, right, whereas the real mindset you should have is that you're going to be exploited. It's just a matter of when, and I know there's a whole lot of companies that say that and I have definitely stole that from, but it's definitely a true thing. I mean, it's a matter of when, and that's where, if you keep constantly changing how you're doing your defense to make it better, then it's going to continue to delay it from happening, right, because, basically, the only time that you're not going to be exploited is whenever you turn off the internet and delete everything you ever own, which, wow, so.

Gary Pageau:
So one of the things that some of my listeners are running into is having to have cybersecurity insurance or protection of some sort in order to even bid on jobs. Now, from what I've heard, it's super expensive. It's not an inexpensive. One of them says it's going to be more than his health insurance premiums for the year. Is there anything they can do? Now, I understand your company doesn't do insurance, but is there anything they can do that could maybe process a technology, a product they could use to maybe reduce their premium, even? Like say, hey, if I do these things, I'm less of a risk?

Matthew Wolfe:
That's a great question. The best answer for that would be to ask the companies that are offering these cybersecurity insurance. A company can say, what would it take to lower my premiums by 90%? They can get bold and whenever they seek out multiple companies that can offer that cybersecurity insurance, they're going to tell them. Because basically, some companies say, well, if you show us a proof of concept that you follow NIST incident response plan or ISO 27001, if you obtain that certification, we're going to reduce the premium by 50%. And so they, you know, pursue certain certifications or they show the proof of concept that they're following NIST. Or in Texas there's a Senate Bill 820 that Texas school districts have to implement a cybersecurity framework and there are companies like Sinary that's out there, that they provide a service. These MSPs, managed service providers. Sinary will go to the district. They will basically do everything for them, turnkey. Now, given, someone has to be there to give them the information, but they put all that information together in the past. That way you can submit it up to the cybersecurity insurer.

Gary Pageau:
Okay. So there's a lot of proactive things that people can do, just like they can do certain things in their workplace to make it safer and possibly reduce their other premiums. That's good advice, that's good. So, Matthew Furke, now tell me a little bit about Impero and some of the stuff your company offers and where people can go for more information.

Matthew Wolfe:
Absolutely. So we have several different products. One of them is Connect, which I shamelessly dropped earlier.

Gary Pageau:
Well, you can drop it again here.

Matthew Wolfe:
It's fine. Well, perfect, perfect. So Connect, basically this solution, I think it's fantastic. We use it internally, if that tells you anything. But the product allows you to do not only remote connections that are proprietary connections are very secure, but you can also control all your devices, get asset management from those devices, implement access control. This goes back to that Dropbox link of being shareable to the whole world. Well, with Connect we can secure what files are being shared on different shared drives, so that product has so many great resources. But then we also have our classroom management solution, and then we have our well-being solution that really focuses on school districts, and then we also have our ContentKeeper web filter solution, and this goes back to clicking on those links. The majority of the time, whenever a link comes in through the email, if you hover over that link, it's going to show you the URL that you're going to go to. Typically, on the bottom of the screen, it'll show you the URL. Well, it's a solution like ContentKeeper, which we use internally. Before you can get to that site, if it is a non-managed site, to where you're not supposed to go there, or we've never seen it before, it immediately gets blocked. You don't even get to see it. You don't even get to see it and you don't get exploited. So we have that web filter solution that primarily focuses on school districts. But, yeah, we still use it in the enterprise environment, such as ourselves, because it's very valuable to us.

Gary Pageau:
I can imagine it would be a great win for a hacker to be able to break into you guys. I mean that would sort of be like a feather in their cap. I mean that would kind of be something that you got to be especially concerned about.

Matthew Wolfe:
Absolutely. Well, take LastPass, how they were just exploited recently. I mean, because they were able to exploit LastPass, think about all the people that they are now able to get into. Yeah, so we have to make sure that we are secure ourselves first, and then the products that we are offering. Because we use our own products, they're going to be, in my opinion, more inherently secure, right.

Gary Pageau:
Yeah, exactly. Exactly. Well, thank you, Matthew. It was great to meet you. Once again, what is the company's name and where can they go for more information?

Matthew Wolfe:
Yes, great to meet you as well. ImperoSoftware.com. That's a great website, I think. Again, I'm partial, I think it's very uniquely designed. They can show you all the right areas to go to on that site to get you, to help you one, and there's a good spot to even inquire about what other services that I forgot to mention.

Gary Pageau:
Well, thank you much, best wishes and take care. Nice to meet you. Likewise, thank you.

Erin Manning:
Thank you for listening to the Dead Pixels Society podcast. Read more great stories and sign up for the newsletter at www.thedeadpixelssociety.com.