WEBVTT - Security, Bookmarked: Gaming (Sponsored Content)

0:00:02.320 --> 0:00:02.559
<v Speaker 1>Really.

0:00:02.560 --> 0:00:06.240
<v Speaker 2>It started relatively innocently. You have an engineer who's looking

0:00:06.280 --> 0:00:08.200
<v Speaker 2>at the server and looking at files on the server.

0:00:08.680 --> 0:00:10.559
<v Speaker 3>This is a story about a cyber attack on a

0:00:10.640 --> 0:00:13.680
<v Speaker 3>video game studio. As a software engineer was hard at

0:00:13.680 --> 0:00:16.079
<v Speaker 3>work on the company's next big game, he saw one

0:00:16.079 --> 0:00:18.560
<v Speaker 3>of his files had been moved by an impostor in

0:00:18.600 --> 0:00:19.280
<v Speaker 3>their network.

0:00:19.440 --> 0:00:21.880
<v Speaker 2>So immediately reaches out to the head of IT, the

0:00:21.920 --> 0:00:24.720
<v Speaker 2>main IT guy, and says, who is this? Who owns

0:00:24.760 --> 0:00:25.440
<v Speaker 2>this account?

0:00:25.600 --> 0:00:28.120
<v Speaker 3>The main IT guy was the super admin, so he

0:00:28.200 --> 0:00:31.480
<v Speaker 3>knew right away that something was wrong and this wasn't

0:00:31.560 --> 0:00:32.479
<v Speaker 3>a normal account.

0:00:32.560 --> 0:00:35.559
<v Speaker 2>So actually what he did just shut down all the accounts,

0:00:35.720 --> 0:00:39.200
<v Speaker 2>killed all sessions, locked everybody out, required a password change

0:00:39.680 --> 0:00:42.600
<v Speaker 2>while he could dig into this because he immediately was

0:00:42.920 --> 0:00:45.239
<v Speaker 2>pretty freaked out about what was happening. And what they

0:00:45.280 --> 0:00:49.600
<v Speaker 2>realized was someone had come in and made a number

0:00:49.600 --> 0:00:54.720
<v Speaker 2>of accounts as super admin and had been poking around

0:00:54.720 --> 0:00:57.120
<v Speaker 2>and looking at everything and even exfiltrating information.

0:00:57.360 --> 0:00:59.720
<v Speaker 3>They had no idea how long it had been going on,

0:01:00.200 --> 0:01:02.840
<v Speaker 3>how much data had been extracted, or what else was

0:01:02.880 --> 0:01:03.840
<v Speaker 3>lurking in their network.

0:01:04.240 --> 0:01:07.520
<v Speaker 2>They started digging into it, and they found locker software,

0:01:07.520 --> 0:01:10.280
<v Speaker 2>so ransomware software that would encrypt, and it was on

0:01:10.360 --> 0:01:12.679
<v Speaker 2>the server and it was ready to be deployed, but

0:01:12.800 --> 0:01:13.800
<v Speaker 2>it hadn't been deployed.

0:01:14.520 --> 0:01:17.600
<v Speaker 3>Catching the ransomware didn't mean the company was safe. They

0:01:17.640 --> 0:01:19.959
<v Speaker 3>still had to investigate all of their files and their

0:01:20.000 --> 0:01:23.840
<v Speaker 3>accounts searching for any other signs of attack. And worst

0:01:23.880 --> 0:01:26.280
<v Speaker 3>of all, they had to stop working on the new game.

0:01:26.920 --> 0:01:30.640
<v Speaker 2>Those minutes count and those days count. So every day

0:01:30.680 --> 0:01:33.399
<v Speaker 2>you can't have your employees behind keyboard is our days

0:01:33.400 --> 0:01:35.320
<v Speaker 2>that are going to be delayed. This is making it

0:01:35.360 --> 0:01:39.520
<v Speaker 2>even worse. And this IT guy kind of becomes a hero

0:01:39.560 --> 0:01:42.360
<v Speaker 2>of the story because it was a really a courageous

0:01:42.400 --> 0:01:44.240
<v Speaker 2>call that he made to do this, knowing what it

0:01:44.280 --> 0:01:46.399
<v Speaker 2>was going to cost the company. They probably would have

0:01:46.440 --> 0:01:47.480
<v Speaker 2>had to be a huge ransom.

0:01:47.360 --> 0:01:58.520
<v Speaker 3>From Bloomberg Media Studios and Chrome Enterprise. This is

0:01:58.560 --> 0:02:05.920
<v Speaker 3>Security Bookmarked. I'm your host, Kate Fazzini. I've been a

0:02:05.920 --> 0:02:09.560
<v Speaker 3>cybersecurity professional and journalist for more than twenty years, and

0:02:09.639 --> 0:02:12.760
<v Speaker 3>on this podcast, I'm talking with leaders in gaming, finance,

0:02:12.800 --> 0:02:16.480
<v Speaker 3>and manufacturing about what security looks like in a workplace

0:02:16.600 --> 0:02:20.680
<v Speaker 3>that's moved to the cloud. The video game industry is

0:02:20.720 --> 0:02:24.320
<v Speaker 3>a massive business, bringing in over three hundred billion dollars

0:02:24.360 --> 0:02:27.919
<v Speaker 3>per year. That's nearly ten times the size of Hollywood's

0:02:27.960 --> 0:02:32.040
<v Speaker 3>global box office revenue. But as the gaming business keeps growing,

0:02:32.440 --> 0:02:35.440
<v Speaker 3>more and more teams are accessing key systems and data

0:02:35.520 --> 0:02:37.760
<v Speaker 3>so they can do their jobs, and that means we've

0:02:37.760 --> 0:02:40.959
<v Speaker 3>seen a rise in account takeovers. So today I'm speaking

0:02:41.000 --> 0:02:41.760
<v Speaker 3>with Adam Marrè.

0:02:42.160 --> 0:02:45.480
<v Speaker 2>I am the Chief Information Security Officer at Arctic Wolf.

0:02:45.639 --> 0:02:48.400
<v Speaker 2>We are a managed detection and response company, SOC as

0:02:48.400 --> 0:02:51.320
<v Speaker 2>a service and a concierge model, so that we make

0:02:51.360 --> 0:02:53.880
<v Speaker 2>sure that we're not only providing them security today, but

0:02:53.960 --> 0:02:55.840
<v Speaker 2>also make sure that we take them on a security

0:02:55.919 --> 0:02:58.200
<v Speaker 2>journey to improve their security over time.

0:02:58.800 --> 0:03:01.400
<v Speaker 3>I'm going to unpack Adam's story about helping a

0:03:01.400 --> 0:03:04.680
<v Speaker 3>game studio survive a ransomware attack to understand the account

0:03:04.680 --> 0:03:07.600
<v Speaker 3>security risks that all companies need to get control of.

0:03:08.280 --> 0:03:11.440
<v Speaker 3>Then I'll chat with David Adrian, security product manager for Chrome,

0:03:11.760 --> 0:03:14.680
<v Speaker 3>about why phishing attacks are so difficult to stop and

0:03:14.720 --> 0:03:22.880
<v Speaker 3>why this doesn't have to be the case. In twenty

0:03:22.919 --> 0:03:25.880
<v Speaker 3>twenty three, ransomware attacks in the gaming industry were up

0:03:25.919 --> 0:03:28.560
<v Speaker 3>more than thirty percent year over year, and they can

0:03:28.600 --> 0:03:33.160
<v Speaker 3>freeze a game studio's entire operation, causing major delays. In

0:03:33.240 --> 0:03:35.960
<v Speaker 3>this story from Adam, the game studio caught the ransomware

0:03:36.000 --> 0:03:39.160
<v Speaker 3>threat early, but then they realized the attacker had also

0:03:39.160 --> 0:03:43.600
<v Speaker 3>stolen their intellectual property, including details about new releases, videos

0:03:43.600 --> 0:03:46.240
<v Speaker 3>and images that they weren't ready to share with the world.

0:03:46.480 --> 0:03:49.920
<v Speaker 2>We call it double extortion, where I've sealed up your code, right,

0:03:49.960 --> 0:03:51.760
<v Speaker 2>and then not only am I saying pay me the

0:03:51.840 --> 0:03:53.560
<v Speaker 2>ransom where you don't have access to it, I'm saying

0:03:53.880 --> 0:03:56.800
<v Speaker 2>I will release this to the world unless you pay me.

0:03:57.120 --> 0:03:59.800
<v Speaker 2>So I would say video game companies are likely to

0:03:59.800 --> 0:04:04.000
<v Speaker 2>be targeted by these ransomware groups mainly because video games

0:04:04.000 --> 0:04:05.800
<v Speaker 2>are likely to pay the ransom if you're able to

0:04:05.800 --> 0:04:08.440
<v Speaker 2>successfully lock up their code and get their backups and

0:04:08.840 --> 0:04:10.080
<v Speaker 2>lock up their backups as well.

0:04:10.560 --> 0:04:13.200
<v Speaker 3>And then finally, once they put out all the fires,

0:04:13.320 --> 0:04:16.080
<v Speaker 3>they could figure out how did this attacker get access

0:04:16.120 --> 0:04:16.839
<v Speaker 3>in the first place.

0:04:18.160 --> 0:04:20.960
<v Speaker 2>There was actually a phishing message, as it all, you know,

0:04:21.160 --> 0:04:23.599
<v Speaker 2>very often is it was. It was a phishing message

0:04:23.640 --> 0:04:26.400
<v Speaker 2>to this IT individual, to this person.

0:04:26.480 --> 0:04:30.359
<v Speaker 3>The very person who had caught the intruder and pulled the alarm.

0:04:31.320 --> 0:04:33.200
<v Speaker 2>And, you know, he clicked on the link and it took

0:04:33.279 --> 0:04:35.039
<v Speaker 2>him to a web page, then a login prompt

0:04:35.080 --> 0:04:37.040
<v Speaker 2>to come up. He put in his credentials. They did

0:04:37.080 --> 0:04:40.839
<v Speaker 2>not have MFA, so the attacker was able to get

0:04:40.839 --> 0:04:44.360
<v Speaker 2>those credentials, then log in and quickly make other accounts

0:04:44.360 --> 0:04:46.520
<v Speaker 2>and get off of that IT person's account so they

0:04:46.520 --> 0:04:50.440
<v Speaker 2>wouldn't notice. Social engineering works and it worked really well

0:04:50.480 --> 0:04:52.480
<v Speaker 2>and it's why attackers use it so often. There are

0:04:52.480 --> 0:04:54.400
<v Speaker 2>lots of other protections they could have had in place,

0:04:54.520 --> 0:04:56.960
<v Speaker 2>but yeah, that was how the attackers got in, and

0:04:57.000 --> 0:05:00.159
<v Speaker 2>then were using the other accounts to worm their way

0:05:00.160 --> 0:05:02.680
<v Speaker 2>through all of the servers and the whole environment.

0:05:04.560 --> 0:05:07.119
<v Speaker 3>Later in the episode, I'll share my conversation with David

0:05:07.160 --> 0:05:10.080
<v Speaker 3>Adrian at Chrome about how leaders can defend their companies

0:05:10.120 --> 0:05:12.680
<v Speaker 3>against phishing. But first Adam and I are going to

0:05:12.760 --> 0:05:16.040
<v Speaker 3>unpack what this one breach shows about the cybersecurity risks

0:05:16.160 --> 0:05:18.880
<v Speaker 3>that gaming companies face and what they can do to

0:05:18.920 --> 0:05:20.400
<v Speaker 3>be more resilient to attacks.

0:05:21.040 --> 0:05:24.280
<v Speaker 2>Video games is a large industry and so there are all

0:05:24.440 --> 0:05:27.560
<v Speaker 2>kinds of companies involved, and depending on the size and

0:05:27.600 --> 0:05:32.039
<v Speaker 2>the type of game, you'll have very different levels of security,

0:05:32.240 --> 0:05:35.159
<v Speaker 2>and that security will be leveraged at these different problems

0:05:35.720 --> 0:05:38.560
<v Speaker 2>at different levels. Let me give you an example. With

0:05:38.640 --> 0:05:42.760
<v Speaker 2>the rise of online gaming, so massive multiplayer online games,

0:05:42.920 --> 0:05:46.760
<v Speaker 2>there is a huge incentive for these companies to prevent cheating.

0:05:47.240 --> 0:05:49.560
<v Speaker 2>So you have these video game companies and they're spending

0:05:49.640 --> 0:05:53.279
<v Speaker 2>millions of dollars and using the latest cutting edge technology

0:05:53.320 --> 0:05:57.640
<v Speaker 2>AI to detect and defeat cheating on their games and

0:05:57.680 --> 0:06:01.440
<v Speaker 2>their online games. They're leveraging all of this great technology

0:06:01.480 --> 0:06:03.359
<v Speaker 2>to do that, and then on their corporate side, they

0:06:03.400 --> 0:06:06.839
<v Speaker 2>don't have MFA to protect their main accounts. It is

0:06:06.920 --> 0:06:10.479
<v Speaker 2>understandable that they focus on the anti cheating because that

0:06:10.560 --> 0:06:12.960
<v Speaker 2>directly goes to their bottom line because if there's cheating,

0:06:14.160 --> 0:06:16.280
<v Speaker 2>then players are going to go elsewhere, and there are

0:06:16.279 --> 0:06:18.039
<v Speaker 2>other game companies that would love for that to happen.

0:06:18.200 --> 0:06:19.919
<v Speaker 2>So it makes sense why they do this. But you

0:06:20.000 --> 0:06:21.760
<v Speaker 2>have to understand you could have a breach that costs

0:06:21.760 --> 0:06:23.240
<v Speaker 2>you millions, tens of millions of dollars.

0:06:23.760 --> 0:06:26.600
<v Speaker 3>You've said that companies shouldn't treat data breaches or ransomware

0:06:26.640 --> 0:06:29.680
<v Speaker 3>attacks as part of the cost of doing business. Tell

0:06:29.680 --> 0:06:30.640
<v Speaker 3>me a little bit more about that.

0:06:31.040 --> 0:06:32.800
<v Speaker 2>I mean, I guess if you're a business, everything is

0:06:32.839 --> 0:06:35.400
<v Speaker 2>the cost of doing business, right? Like, everything is going

0:06:35.440 --> 0:06:36.960
<v Speaker 2>to your bottom line. But what I mean is, there

0:06:36.960 --> 0:06:40.239
<v Speaker 2>are things you can do today that will greatly lower

0:06:40.279 --> 0:06:42.800
<v Speaker 2>the likelihood that you will have a breach. And you know,

0:06:42.800 --> 0:06:44.560
<v Speaker 2>my whole job is to prevent breaches, So I think

0:06:44.560 --> 0:06:47.919
<v Speaker 2>they're terrible. We should all leverage security against them. But

0:06:48.000 --> 0:06:49.680
<v Speaker 2>it might be seen as you know, a risk worth

0:06:49.680 --> 0:06:51.600
<v Speaker 2>taking or a cost of doing business, or maybe we

0:06:51.640 --> 0:06:55.440
<v Speaker 2>won't get hit with an attack, and you know, maybe

0:06:55.480 --> 0:06:57.480
<v Speaker 2>I want to spend money on making my render look

0:06:57.520 --> 0:07:00.000
<v Speaker 2>that much better and the graphics look that much better,

0:07:00.040 --> 0:07:02.120
<v Speaker 2>And I just don't see how security is hitting that.

0:07:02.640 --> 0:07:04.640
<v Speaker 2>It's the similar thing many companies do, and then when

0:07:04.640 --> 0:07:07.200
<v Speaker 2>they get breached, they really regret it. Because if you've

0:07:07.240 --> 0:07:10.080
<v Speaker 2>been developing a game for three years, an attacker comes

0:07:10.120 --> 0:07:12.360
<v Speaker 2>in and they're able to deny you access to all

0:07:12.360 --> 0:07:14.600
<v Speaker 2>of your information, your source code, your art assets, all

0:07:14.600 --> 0:07:16.760
<v Speaker 2>of that, and get your backups. You are in a

0:07:16.800 --> 0:07:19.160
<v Speaker 2>world of hurt. That is a very bad position to

0:07:19.200 --> 0:07:20.800
<v Speaker 2>be in, and the likelihood that you're going to pay

0:07:20.800 --> 0:07:23.800
<v Speaker 2>the ransom is very high. I don't recommend that, obviously,

0:07:23.840 --> 0:07:26.320
<v Speaker 2>my stance is not to pay ransoms, but.

0:07:26.520 --> 0:07:28.880
<v Speaker 3>Yeah, it's almost I can't imagine not paying it in

0:07:28.920 --> 0:07:31.880
<v Speaker 3>that because if your whole entire company is at stake.

0:07:31.960 --> 0:07:35.360
<v Speaker 3>It's the entire lifeblood of your company, the reason for

0:07:35.400 --> 0:07:37.200
<v Speaker 3>its existence, basically.

0:07:37.280 --> 0:07:40.040
<v Speaker 2>Exactly. It is literally your entire business. And so then you're

0:07:40.040 --> 0:07:42.240
<v Speaker 2>going to want to start thinking as an organization and

0:07:42.280 --> 0:07:44.360
<v Speaker 2>you try to say where are attackers being successful.

0:07:44.640 --> 0:07:47.120
<v Speaker 3>So when you think of enterprise security for game studios,

0:07:47.200 --> 0:07:49.400
<v Speaker 3>what are the most critical threats that you're watching out for?

0:07:49.760 --> 0:07:52.880
<v Speaker 2>You know, there are many threat or attack reports that

0:07:52.920 --> 0:07:54.960
<v Speaker 2>come out or data breach reports that come out each year,

0:07:55.080 --> 0:07:57.080
<v Speaker 2>Arctic Wolf has one as well, and if you look

0:07:57.080 --> 0:08:00.280
<v Speaker 2>at these, you'll see that primarily attackers are successful

0:08:00.320 --> 0:08:04.240
<v Speaker 2>in doing basically one of two things. Either attacking accounts

0:08:04.480 --> 0:08:06.800
<v Speaker 2>so you can think user name, password, MFA, attacking that

0:08:07.240 --> 0:08:11.560
<v Speaker 2>and getting access through that, or attacking vulnerabilities, so looking

0:08:11.600 --> 0:08:14.000
<v Speaker 2>at the code, looking at the configuration of cloud software,

0:08:14.240 --> 0:08:17.000
<v Speaker 2>SaaS software, whatever it is, and being able to exploit

0:08:17.040 --> 0:08:19.680
<v Speaker 2>those vulnerabilities and get in. So if you can really

0:08:19.680 --> 0:08:21.760
<v Speaker 2>look at this and say, how do I protect identities

0:08:22.440 --> 0:08:24.400
<v Speaker 2>at my company and how do I make sure that

0:08:24.480 --> 0:08:28.200
<v Speaker 2>we're patching and updating and not introducing vulnerabilities and misconfigurations.

0:08:28.280 --> 0:08:30.360
<v Speaker 2>If you can do those things to the right level,

0:08:30.440 --> 0:08:32.440
<v Speaker 2>you're going to protect your company and you certainly won't

0:08:32.480 --> 0:08:35.040
<v Speaker 2>be the low hanging fruit where attackers will try to

0:08:35.040 --> 0:08:35.480
<v Speaker 2>attack you.

0:08:35.800 --> 0:08:37.960
<v Speaker 3>What are some other ways that the companies can be resilient?

0:08:38.559 --> 0:08:40.240
<v Speaker 2>If you want to get really technical, we can talk

0:08:40.240 --> 0:08:43.000
<v Speaker 2>about shift left. In other words, you want to create

0:08:43.080 --> 0:08:45.480
<v Speaker 2>games and systems that are secure, so you want to

0:08:45.480 --> 0:08:48.240
<v Speaker 2>make sure you're baking security in from the very beginning,

0:08:48.600 --> 0:08:51.040
<v Speaker 2>so when you're still like whiteboarding the design of what

0:08:51.080 --> 0:08:52.959
<v Speaker 2>you're trying to do in the game, add a threat

0:08:52.960 --> 0:08:56.719
<v Speaker 2>model to that process from the very beginning, thinking about

0:08:56.800 --> 0:08:59.320
<v Speaker 2>how could somebody take advantage of this, how could it

0:08:59.360 --> 0:09:01.320
<v Speaker 2>go wrong? And by the way, you can also add

0:09:01.360 --> 0:09:03.640
<v Speaker 2>anti cheat in there at the beginning too and help

0:09:03.760 --> 0:09:05.640
<v Speaker 2>solve that problem at the very beginning, so you're not

0:09:05.720 --> 0:09:07.280
<v Speaker 2>trying to tack it on at the end. And then

0:09:07.280 --> 0:09:10.320
<v Speaker 2>when you have your detection and prevention methodologies out there,

0:09:10.360 --> 0:09:12.560
<v Speaker 2>they're going to be much more effective because the underlying

0:09:12.600 --> 0:09:16.320
<v Speaker 2>system itself is resistant to attack and resistant to cheating.

0:09:16.600 --> 0:09:20.160
<v Speaker 3>Game developers are obviously digital first. When you think about

0:09:20.200 --> 0:09:22.200
<v Speaker 3>the day to day work and collaboration that goes on

0:09:22.280 --> 0:09:25.800
<v Speaker 3>behind the scenes at the enterprise level, I'm interested in

0:09:26.120 --> 0:09:29.160
<v Speaker 3>how do workers collaborate. You're in an industry where you're

0:09:29.160 --> 0:09:33.520
<v Speaker 3>working with people who are specialists and extraordinarily talented, but

0:09:33.600 --> 0:09:36.840
<v Speaker 3>maybe like at one thing, and that guy lives in Aspen,

0:09:37.040 --> 0:09:39.880
<v Speaker 3>and then you know the other guy lives in the

0:09:39.880 --> 0:09:42.599
<v Speaker 3>forests of Oregon, and you've got to connect all of

0:09:42.640 --> 0:09:46.079
<v Speaker 3>these teams in different areas. How do you handle collaboration

0:09:46.160 --> 0:09:47.480
<v Speaker 3>across environments like that.

0:09:47.960 --> 0:09:50.880
<v Speaker 2>Yeah, so it's an interesting question in security. We've been

0:09:50.880 --> 0:09:54.280
<v Speaker 2>doing this for a long time, collaborating across time zones,

0:09:54.640 --> 0:09:58.920
<v Speaker 2>using various tools, different SaaS apps or other applications to

0:09:58.960 --> 0:10:01.439
<v Speaker 2>collaborate and communicate. That means a lot of very sensitive

0:10:01.440 --> 0:10:05.280
<v Speaker 2>information is being passed through these suites of software. And

0:10:05.320 --> 0:10:07.200
<v Speaker 2>so if you can think of one thing, like the browser,

0:10:07.280 --> 0:10:12.120
<v Speaker 2>so much work happens right in the browser, and many

0:10:12.640 --> 0:10:15.559
<v Speaker 2>companies just don't think of the security of that particular

0:10:16.160 --> 0:10:18.679
<v Speaker 2>piece of software. If we dig into that a little bit,

0:10:19.280 --> 0:10:22.160
<v Speaker 2>you know, are you hardening that piece of software? Are

0:10:22.160 --> 0:10:24.240
<v Speaker 2>you making sure that everyone's using the same browser so

0:10:24.280 --> 0:10:26.679
<v Speaker 2>you can have the same type of security across the

0:10:26.840 --> 0:10:30.000
<v Speaker 2>entire organization? Are you making sure they're not syncing personal

0:10:30.040 --> 0:10:33.160
<v Speaker 2>accounts that can bring in different extensions that they're using

0:10:33.160 --> 0:10:35.280
<v Speaker 2>at home that do backups or copy and now you

0:10:35.280 --> 0:10:38.040
<v Speaker 2>have information going places you weren't thinking of? So really

0:10:38.120 --> 0:10:40.319
<v Speaker 2>making sure that each one of those pieces of software

0:10:40.520 --> 0:10:44.280
<v Speaker 2>is secured, especially the browser, is a really important consideration,

0:10:44.440 --> 0:10:47.520
<v Speaker 2>especially if we're talking about companies that are collaborating, you know,

0:10:47.520 --> 0:10:50.040
<v Speaker 2>with lots of remote employees and using software to do that.

0:10:50.520 --> 0:10:52.640
<v Speaker 2>There is one third aspect to this, and it's actually

0:10:52.640 --> 0:10:54.960
<v Speaker 2>illustrated by the story I told, and that is you've

0:10:54.960 --> 0:10:57.000
<v Speaker 2>got to have a good security culture. You've got to

0:10:57.040 --> 0:11:00.959
<v Speaker 2>train your people to be wary of social engineering attacks

0:11:01.080 --> 0:11:03.880
<v Speaker 2>like phishing and be resistant to those. You know, you

0:11:03.880 --> 0:11:06.360
<v Speaker 2>can have technologies to protect against it. But there's a

0:11:06.440 --> 0:11:09.400
<v Speaker 2>reason why so many attackers use social engineering is because

0:11:09.400 --> 0:11:12.600
<v Speaker 2>it's very very successful, because it's pretty easy to trick

0:11:12.679 --> 0:11:13.280
<v Speaker 2>human beings.

0:11:17.000 --> 0:11:20.160
<v Speaker 3>If you're leading a gaming company, your entire product is software,

0:11:20.200 --> 0:11:23.680
<v Speaker 3>and that product is constantly being accessed, tested and updated

0:11:23.679 --> 0:11:29.640
<v Speaker 3>by your teams. The same goes for your IP: designs, assets, code,

0:11:29.800 --> 0:11:33.480
<v Speaker 3>marketing trailers showing new characters, new content, and it all

0:11:33.480 --> 0:11:36.040
<v Speaker 3>lives online. So how do you keep your own accounts

0:11:36.040 --> 0:11:37.080
<v Speaker 3>from being used against you?

0:11:37.960 --> 0:11:40.320
<v Speaker 4>So, if I'm a CSO or I'm in charge of

0:11:40.559 --> 0:11:43.280
<v Speaker 4>security an organization. The number one thing that I would

0:11:43.280 --> 0:11:48.280
<v Speaker 4>be focusing on is deploying strong, unphishable authentication to all

0:11:48.320 --> 0:11:49.440
<v Speaker 4>of my employees.

0:11:49.800 --> 0:11:52.600
<v Speaker 3>That's David Adrian, a security product manager for Chrome.

0:11:52.920 --> 0:11:55.839
<v Speaker 4>I focus mostly on network security, but I help everything

0:11:56.000 --> 0:11:58.000
<v Speaker 4>up and down the stack to make sure that we're

0:11:58.360 --> 0:12:00.920
<v Speaker 4>building Chrome to be as secure as possible, from the

0:12:00.960 --> 0:12:03.040
<v Speaker 4>application through the network to the cloud.

0:12:03.679 --> 0:12:06.360
<v Speaker 3>When I brought up ransomware attacks and gaming, he picked

0:12:06.440 --> 0:12:09.320
<v Speaker 3>up on account security and how important it is to

0:12:09.400 --> 0:12:13.280
<v Speaker 3>plan for what happens when an employee account is compromised.

0:12:13.600 --> 0:12:17.400
<v Speaker 4>Game assets or designs are I think the crown jewels

0:12:17.400 --> 0:12:20.160
<v Speaker 4>that gaming companies are trying to protect, and so I

0:12:20.240 --> 0:12:22.439
<v Speaker 4>feel for them in the situation and that they need

0:12:22.480 --> 0:12:24.200
<v Speaker 4>to figure out like how do we make this run fast,

0:12:24.240 --> 0:12:26.520
<v Speaker 4>how do we get access to everyone that needs it?

0:12:26.880 --> 0:12:29.160
<v Speaker 4>But also how do we, you know, make sure that

0:12:29.240 --> 0:12:33.560
<v Speaker 4>if someone bad gets in, they don't get everything. When

0:12:33.559 --> 0:12:36.280
<v Speaker 4>things go wrong, they go wrong bad and you risk

0:12:36.480 --> 0:12:39.840
<v Speaker 4>all of your game assets getting encrypted and ransomwared.

0:12:40.200 --> 0:12:44.199
<v Speaker 4>And in many industries, the high value accounts are sort

0:12:44.200 --> 0:12:47.559
<v Speaker 4>of the administrators of the organization who might have access

0:12:47.640 --> 0:12:51.640
<v Speaker 4>to create new users. In the gaming industry, there might

0:12:52.000 --> 0:12:55.360
<v Speaker 4>be a broader set of targets because any developer who

0:12:55.400 --> 0:12:57.760
<v Speaker 4>can build the game likely has access to all of

0:12:57.800 --> 0:13:00.880
<v Speaker 4>the assets for the game and able to get in

0:13:01.600 --> 0:13:05.200
<v Speaker 4>and they get access, let's say, as anybody who has

0:13:05.240 --> 0:13:08.719
<v Speaker 4>access to the underlying game assets, there might not even

0:13:08.800 --> 0:13:11.280
<v Speaker 4>need to be a lot of escalation of privileges. Sure,

0:13:11.280 --> 0:13:13.679
<v Speaker 4>if they get an administrator, they could create their own account,

0:13:13.880 --> 0:13:16.000
<v Speaker 4>but if they get a game developer, they might just

0:13:16.040 --> 0:13:18.040
<v Speaker 4>be able to walk away with all of the assets

0:13:18.040 --> 0:13:20.720
<v Speaker 4>for the game by default, because the developers already have

0:13:20.760 --> 0:13:21.400
<v Speaker 4>access to it.

0:13:21.760 --> 0:13:24.160
<v Speaker 3>And so we zeroed in on the moment when an

0:13:24.160 --> 0:13:27.160
<v Speaker 3>attacker breaks into a company account through a phishing link.

0:13:27.720 --> 0:13:32.199
<v Speaker 4>The most common sort of attack vector is still phishing.

0:13:32.800 --> 0:13:36.760
<v Speaker 4>It's not too hard to find who's working for some

0:13:37.000 --> 0:13:39.480
<v Speaker 4>company and then try and figure out what their email is,

0:13:39.800 --> 0:13:41.680
<v Speaker 4>and once you know their email, you can try and

0:13:41.760 --> 0:13:42.680
<v Speaker 4>start phishing them.

0:13:43.000 --> 0:13:45.280
<v Speaker 3>I think I had somebody tell me once that teaching

0:13:45.280 --> 0:13:47.960
<v Speaker 3>people to not get phished is like teaching them not

0:13:48.040 --> 0:13:50.079
<v Speaker 3>to fall in love. It's never going to happen.

0:13:50.200 --> 0:13:52.640
<v Speaker 4>I would flip it around a little bit and say

0:13:52.679 --> 0:13:56.240
<v Speaker 4>that trying to solve phishing with, like, phishing training, fake

0:13:56.280 --> 0:13:58.880
<v Speaker 4>phishing emails, that type of thing, even if it works

0:13:58.960 --> 0:14:01.120
<v Speaker 4>ninety nine point nine nine percent of the time, the

0:14:01.320 --> 0:14:03.600
<v Speaker 4>point zero one percent that it doesn't is enough for

0:14:03.679 --> 0:14:06.920
<v Speaker 4>everything to go wrong, right? We've seen one phishing attempt

0:14:07.440 --> 0:14:11.240
<v Speaker 4>that succeeded have impacts on everything ranging from gaming companies

0:14:11.240 --> 0:14:14.680
<v Speaker 4>to elections, and so, sure, you can try and like

0:14:14.880 --> 0:14:17.439
<v Speaker 4>get your employees to hide their emails, you can append

0:14:17.800 --> 0:14:20.240
<v Speaker 4>random digits to their emails, but at the end of

0:14:20.240 --> 0:14:22.640
<v Speaker 4>the day, eventually something's going to leak and someone's going

0:14:22.720 --> 0:14:23.320
<v Speaker 4>to get phished.

0:14:23.840 --> 0:14:27.280
<v Speaker 3>So let's talk about phishing protection. Obviously, these people are

0:14:27.320 --> 0:14:30.320
<v Speaker 3>going to get spearphished. It will happen, so what are

0:14:30.320 --> 0:14:31.840
<v Speaker 3>some of the protections available to them.

0:14:32.000 --> 0:14:35.680
<v Speaker 4>So the good news is that we have effective solutions

0:14:35.760 --> 0:14:39.120
<v Speaker 4>against phishing. I think if I were a CSO or

0:14:39.160 --> 0:14:42.240
<v Speaker 4>a CIO, like, the number one thing that I would

0:14:42.240 --> 0:14:47.240
<v Speaker 4>be doing is deploying strong, unphishable authentication. And while that

0:14:47.320 --> 0:14:50.280
<v Speaker 4>seems kind of straightforward, like let's just authenticate the people

0:14:50.320 --> 0:14:51.880
<v Speaker 4>that work for me and make sure they work for me,

0:14:52.360 --> 0:14:55.800
<v Speaker 4>that is probably most of the challenge for a lot

0:14:55.880 --> 0:14:58.560
<v Speaker 4>of security engineering teams is making sure that that can happen.

0:14:58.920 --> 0:15:02.360
<v Speaker 4>The easiest context to deploy them is web browsers for

0:15:02.760 --> 0:15:06.200
<v Speaker 4>enterprise users, where you have this source of truth where

0:15:06.240 --> 0:15:08.040
<v Speaker 4>you can say, hey, I know what all my employees are.

0:15:08.080 --> 0:15:10.920
<v Speaker 4>I'm going to ship them all some sort of token

0:15:11.120 --> 0:15:13.760
<v Speaker 4>to plug into their computers, making sure that every work

0:15:13.800 --> 0:15:16.920
<v Speaker 4>application that every employee goes through has to use one

0:15:16.960 --> 0:15:20.520
<v Speaker 4>of these authentication methods and does it from a managed browser.

0:15:20.960 --> 0:15:23.440
<v Speaker 4>And so if you can deploy those authentication methods and

0:15:23.480 --> 0:15:26.000
<v Speaker 4>you can make all logins only go through a web

0:15:26.000 --> 0:15:29.760
<v Speaker 4>browser and only use those authentication methods, you solve phishing.

0:15:30.440 --> 0:15:34.560
<v Speaker 4>With Chrome Enterprise Premium, organizations can access a centralized enforcement

0:15:34.640 --> 0:15:37.360
<v Speaker 4>point for all of their endpoint security in controls. This

0:15:37.440 --> 0:15:41.280
<v Speaker 4>allows for endpoint visibility across the entire enterprise network. IT

0:15:41.640 --> 0:15:46.160
<v Speaker 4>and security teams can deploy advanced security capabilities like advanced DLP,

0:15:46.680 --> 0:15:50.120
<v Speaker 4>like context-aware access controls, and then you can

0:15:50.160 --> 0:15:53.320
<v Speaker 4>get in depth reporting for all of those features and

0:15:53.400 --> 0:15:57.960
<v Speaker 4>so deploying stronger authentication that can actually be more user

0:15:58.000 --> 0:16:00.520
<v Speaker 4>friendly when done right, in the sense that it lets

0:16:00.560 --> 0:16:03.680
<v Speaker 4>people act how they would naturally and not have to

0:16:03.720 --> 0:16:06.360
<v Speaker 4>try to treat every email adversarially like it might be

0:16:06.400 --> 0:16:09.480
<v Speaker 4>a phishing email. Because with the right authentication, they'll actually

0:16:09.480 --> 0:16:11.440
<v Speaker 4>be protected by default, so if you send them a

0:16:11.440 --> 0:16:14.160
<v Speaker 4>phishing link and they get tricked by it, it doesn't

0:16:14.160 --> 0:16:16.160
<v Speaker 4>matter and the login won't work for the attacker.

0:16:19.080 --> 0:16:21.720
<v Speaker 3>To learn more about how the most trusted enterprise browser

0:16:21.720 --> 0:16:25.800
<v Speaker 3>can help protect your organization, visit Chrome Enterprise dot Google.

0:16:27.920 --> 0:16:31.840
<v Speaker 3>Next time on Security Bookmarked, I'll talk strategy with JF Legault,

0:16:32.160 --> 0:16:35.840
<v Speaker 3>Deputy Chief Information Security Officer at JPMorgan Chase.

0:16:36.040 --> 0:16:40.280
<v Speaker 1>So it's really how do you think through the awareness

0:16:40.320 --> 0:16:43.960
<v Speaker 1>for people with the most common types of attacks, but

0:16:44.160 --> 0:16:48.600
<v Speaker 1>also how do you turn your entire workforce into early

0:16:48.720 --> 0:16:49.760
<v Speaker 1>detection sensors.

0:16:50.720 --> 0:16:54.320
<v Speaker 3>Security Bookmarked is a podcast from Bloomberg Media Studios and

0:16:54.400 --> 0:16:57.880
<v Speaker 3>Chrome Enterprise. Subscribe in your podcast app so you don't

0:16:57.880 --> 0:17:01.800
<v Speaker 3>miss our newest episode. Kate Fazzini, thanks for listening.