From theCUBE Studios in Palo Alto and Boston, bringing you data-driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante.

The convenience of online access to bank accounts, payment apps, crypto exchanges, and other transaction systems has created enormous risks, which the vast majority of individuals either choose to ignore or simply don't understand. The internet has become the new private network and unfortunately it's not so private. APIs, scripts, spoofing, insider crime, sloppy security hygiene by users, and much more all increase our risks. The convenience of cloud-based services in many respects exacerbates the problem, but software built in the cloud is a big part of the solution. Hello everyone and welcome to this week's Wikibon CUBE Insights powered by ETR. In this Breaking Analysis, we'll try to raise awareness about a growing threat to your liquid assets and hopefully inspire you to do some research and take actions to lower the probability of you losing thousands, hundreds of thousands, or millions of dollars.

Let's go back to 2019 in an event that should have forced us to act, but for most of us didn't. In September of that year, Jack Dorsey's Twitter account was hacked. The hackers took over his account and posted racial slurs and other bizarre comments before Twitter could regain control of the account and assure us that this wasn't a system-wide attack. Most concerning, however, was the manner in which the attackers got a hold of Dorsey's Twitter account. They used an increasingly common and relatively easy to execute technique referred to as a SIM hijack or a SIM swap. The approach allows cyber thieves to take control of a victim's phone number. Now, they often will target high-profile individuals like CEOs and celebrities to embarrass or harass them, but increasingly they're going after people's money, of course. Now, just in the past month, we've seen a spate of attacks where individuals have lost cash.
It's a serious problem of increasing frequency.

So let's talk a little bit about how it works. Now, some of you are familiar with this technique, but most people that we talk to either aren't aware of it or aren't concerned. You should be. In a SIM hack, like this one documented on Medium in May of 2019, four months prior to the Dorsey attack, the hackers who have many of your credentials that have likely been posted on the dark web. They have your email, they have your frequently used passwords, your phone number, your address, your mother's maiden name, name of your favorite pet, and so forth. They go in and they spoof a mobile phone carrier rep into thinking that it's you. And they convince the agent that they've switched phones or have some other ruse to get a new SIM card sent to them. Or they pay insiders at the phone carrier to steal SIM card details. Hey, a hundred bucks a card, big money. Now, once in possession of the SIM card info, the attacker now can receive SMS messages as part of two-factor authentication systems that are often used to verify identity. They can't use Face ID on mobile, but what they can do is go into your web account and change the password or other information. The website then sends an SMS and now the attacker has the code and is in. Then the individual can lock you out and steal your money before you even know what hit you.

All right, so what can you do about it? First, there's no system that is hack-proof. If the bad guys want to get you and the value is high enough, they will get you. But that's the key, ROI. What's ROI? Simply put, it's a measure of return. Derived from dividing the value stolen by the cost of getting that value, it's benefit divided by cost. So a good way to dissuade a criminal is to increase the denominator. If you make it harder to steal, the value goes down. The ROI is less. Here's a layered system shared by Jason Floyer, the son of our very own David Floyer, smart DNA there.
So we appreciate his contribution to theCUBE.

The system involves three layers of protection. First, you got to think about all the high value online systems that you have. Here are just a few. You've got bank accounts, you have investment accounts, you might have betting sites that have cash in them, e-commerce sites, and so forth. Now many of these sites, if not most, will use SMS-based two-factor authentication to identify you. Now that exposes you to the SIM hack.

The system that Jason proposes, let's start in the middle of this chart. The first thing is you got to acknowledge that the logins that you're using to access your critical systems are already public. So the first thing you do is to get a, in quotes, secure email. In other words, one that no one knows about, isn't on the dark web. Find a provider that you trust. Maybe the one that doesn't sell ads, but that look, that's your call. Or maybe go out and buy a domain and create a private email address.

Now the second step is to use a password manager. Now for those of you who don't know what that is, you're probably already using one that comes with your Chrome browser, for example. And it remembers your passwords and auto fills them. Now on your iPhone, if you're an iPhone user, go to settings, passwords, and security recommendations. Or if you're on an Android phone, open your Chrome app and go to settings, passwords, check passwords. You're likely to see a number of recommendations, as in dozens or maybe even hundreds, that have been compromised, reused passwords, and/or are the subject of a data breach. So a password manager is a single cloud-based layer that works on your laptop and your mobile phone and allows you to largely automate the creation, management, and maintenance of your online credentials.

Now the third layer here involves an external cloud-based or sometimes app-based two-factor authentication system that doesn't use SMS.
One that essentially turns your phone into a hardware authentication device, much like an external device that you would use like a YubiKey. Now that's also a really good idea to use as that third layer, that hardware fob. So the system basically brings together all your passwords under one roof, under one system with some layers that lower the probability of your money getting stolen. Again, it doesn't go to 0% but it's dramatically better than the protection that most people have.

Here's another view of that system. In this Venn, the password manager in the middle manages everything and yes, there's a concern that all your passwords are in one place but once set up, it's more secure than what you're likely doing today. We'll explain that and it'll make your life a lot easier. The key to this system is there's a single password that you have to remember for the password manager and it takes care of everything else. Now for many password managers, you can also add a non-SMS based third-party two-factor authentication capability. We'll come back and talk about that in a moment.

So the mobile phone here uses facial recognition if it's enabled. So it would require somebody, they either have you at gunpoint to use your phone and stick it in front of your face to get into your accounts or eventually they become experts at deep fakes. That's probably something we're going to have to contend with down the road. So it's the desktop or laptop via web access that is of the greatest concern in this use case. This is where the non-SMS based third-party two-factor authentication comes into play. It's installed on your phone and if somebody comes into your account from an unauthorized device, it forces a two-factor authentication, not using SMS but using a third-party app that, you guessed it, is running in the cloud. This is where the cloud creates this problem but it's also here to help solve this problem.
But the key is this app, it generates a verification code that changes on your phone every 20 seconds and you can't get into the website without entering that auto-generated code. Well, normal people can't get in. There's probably some other back door if they really want to get you but I think you see that this is a better system than what 99% of the people have today.

But there's more to the story. So just as with enterprise tech and dealing with the problem of ransomware, air gaps are an essential tool in combating our personal cybercrime. So we've added a couple of items to Jason's slide. So this air gap and the secure password notion, what you want to do is make sure that that password manager is strong and it's easy for you to remember and it's never used anywhere except for the password manager, which also uses the secure email. Now, if you've set up a two-factor authentication, SMS or otherwise, you're even more protected. Non-SMS is better for the reasons we've described.

Now, for your crypto, if you got a lot, first of all, get out of Coinbase. Not only does Coinbase gouge you on transaction costs but we'd recommend storing a good chunk of your crypto in an air gap vault. Now, what you want to do is make a few copies of this critical information. You want to keep your secure password on you in one spot or memorize it, but maybe keep a copy in your wallet, your physical wallet. And put the rest in a fireproof filing cabinet and a safety deposit box and/or a fireproof lock box or a book in your library, but have multiple copies that somebody has to get to in order to hack you. And you want to put also all your recovery codes. So when you set all this up, you're going to get recovery codes for the password manager and your crypto wallets that you own. Yeah, it gets complicated and it's a pain but imagine having 30% or more of your liquid assets stolen.
Now look, we really just scratched the surface here and you're going to have to do some research and talk to people who have set this stuff up to get it right. So figure out your secure email provider and then focus on the password manager. Now just Google it and take your time deciding which one is the best for you. Here's a sample, there are many. Some are free, the better ones are for pay, but carve out a full day to do research and set up your system. Take your time and think about how you use it before pulling the trigger on these tools, and document everything offline, air gap it.

Now the other tooling that you want to use is the non-SMS based third-party authentication app. That's so in case you get SIM hacked you've got further protection. This turns your phone into a secure token generator without using SMS. Unfortunately it's even more complicated because not only are there a lot of tools but not all your financial systems and apps will support the same two-factor authentication app. Your password manager for example might only support Duo. Your crypto exchange might support Authy but your bank might only support Symantec VIP or it forces you to have a key fob or use SMS, so it's a mishmash. So you may need to use multiple authentication apps to protect your liquid assets. Yeah I'm sorry but the consequences of not protecting your money and identity are worth the effort.

Okay well I know this is a deviation from our normal enterprise tech discussions but look, we're all the CIOs of our respective home IT. We're the network admin, the storage admin, the tech support help desk and we're the chief information security officer, so as individuals we can only imagine the challenges of securing the enterprise. And one of the things we talk about a lot in the cyber security space is complexity and fragmentation, it's just the way it is. Now here's a chart from ETR that we use frequently which lays out the security players in the ETR dataset on two dimensions.
Net score or spending velocity in the vertical axis and market share or pervasiveness within the dataset on the horizontal. Now for a change I'm not going to elaborate on any of the specific vendors today. You've seen a lot of this before but the chart underscores the complexity and fragmentation of this market and this is just really literally one tiny subset, but the cloud, which I said at the outset is a big reason that we got into this problem, holds a key to solving it. Now here's one example. Listen to this clip of Dave Hatfield, the longtime industry exec. He's formerly an executive with Pure Storage. He's now the CEO of Lacework. Lacework, a very well-funded cloud-based security company that in our view is attacking one of the biggest problems in security and that's the fragmentation issue that we've often discussed. Take a listen.

So at the core of what we do it's really trying to merge and we look at security as a data problem, security and compliance as a data problem and when you apply that to the cloud it's a massive data problem. You literally have trillions of data points across shared infrastructure that you need to be able to ingest and capture and then you need to be able to process efficiently and provide context back to the end user. And so we approached it very differently than how legacy approaches have been in place, largely rules-based engines that are written to be able to try and stop the bad guys and they miss a lot of things. And so our data-driven approach that we patented is called Polygraph. It's a security architecture and there are three primary benefits. It does a lot of things but the three things that we think are most profound, first is it eliminates the need for dozens of point solutions. I was shocked when I kind of learned about security, I was at Symantec back in the day, and just to see how fragmented this market is.
It's one of the biggest markets in tech, $124 billion in annual spend, growing to $300 billion in the next three years, and it's massively fragmented and the average number of point solutions that customers have to deal with is dozens, like literally 75 is the average number. And so we wanted to take a platform approach to solve this problem where the larger the attack surface that you put in, the more data that you put into our machine learning algorithms, the smarter that it gets and the higher the efficacies.

Look, Hatfield nailed it in our view. The cloud and edge explodes the threat surface and this becomes a data problem at massive scale. Now is Lacework going to solve all these problems? No, of course not, but having researched this it's common for individuals to be managing dozens of tools and enterprises as Hatfield said 75 on average with many hundreds being common. The number one challenge we hear from CISOs, and they'll tell you this, is a lack of talent, lack of human skills and bandwidth to solve the problem. And a big part of that problem is fragmentation, multiple APIs, scripts, different standards that are constantly being updated and evolved. So if the cloud can help us reduce tooling creep and simplify and automate at scale as the network continues to expand like the universe we can keep up with the adversaries they're never going to get ahead of them.

So look, I know this topic is a bit off our normal swim lane but we think this is so important and know people that have been victimized, so we wanted to call your attention to the exposure and try to get you to take some action even if it's baby steps. So let's summarize. You really want to begin by understanding where your credentials have been compromised because I promise they have been. Just look at your phone or look into your browser and see those recommendations and you're going to go, whoa, I got to get on this. At least I hope you do that.
Now you want to block out an entire day to focus on this and dig into it in order to protect you or your and your family's assets. There's a lot at stake here and look, one day is not going to kill you, it's worth it. Then you want to begin building those three layers that we showed you. Choose a private email that is secure, quote unquote. Research the password manager. Find the one that's going to work for you. Do you want one that's web based or an app that you download? How does the password manager authenticate? What do the reviews say? How much does it cost? Don't rush into this. You may want to test this out on a couple of low risk systems before fully committing because if you screw it up, it's really a pain to unwind. So don't rush into it.

Then you want to figure out how to use your non-SMS based two-factor authentication apps and identify which assets you want to protect. You don't want to protect everything. Do you really care about your credentials on a site where you signed up years ago? Never use it anymore. How's it having any credit cards in it? Just delete it from your digital life and focus on your financial accounts, your crypto and your sites where your credit card or other sensitive information lives and can be stolen. Also, it's important to understand which institutions utilize which authentication methods. Really important that you make sure to document everything and air gap the most sensitive credentials.

And finally, you're going to have to keep iterating and improving your security because this is a moving target. You will never be 100% protected. Unfortunately, this isn't a one shot deal. You're going to do a bunch of work. It's hard, but it's important work. You're going to maintain your passwords. You're going to change them every now and then, maybe every few months, six months, maybe once a year, whatever, whatever's right for you.
And then a couple of years down the road, maybe two or three years down the road, you might have to implement an entirely new system using the most modern tooling, which we believe is going to be cloud based. Or you could just ignore it and see what happens.

Okay, that's it for now. Thanks to the community for your comments and input, and thanks again to Jason Floyer, whose analysis around this topic was extremely useful. Remember, I publish each week on wikibon.com and siliconangle.com. These episodes are all available as podcasts. All you got to do is search Breaking Analysis podcast, or you can always connect on Twitter. I'm @dvellante or email me at david.vellante@siliconangle.com. Of course, always appreciate the comments on LinkedIn and Clubhouse. Follow me so you're notified when we start a room and riff on these topics. Don't forget to check out etr.plus for all the survey data. This is Dave Vellante for theCUBE Insights powered by ETR. Be well and we'll see you next time.