1
00:00:02,320 --> 00:00:02,559
Speaker 1: Really.

2
00:00:02,560 --> 00:00:06,240
Speaker 2: It started relatively innocently. You have an engineer who's looking

3
00:00:06,280 --> 00:00:08,200
Speaker 2: at the server and looking at files on the server.

4
00:00:08,680 --> 00:00:10,559
Speaker 3: This is a story about a cyber attack on a

5
00:00:10,640 --> 00:00:13,680
Speaker 3: video game studio. As a software engineer was hard at

6
00:00:13,680 --> 00:00:16,079
Speaker 3: work on the company's next big game. He saw one

7
00:00:16,079 --> 00:00:18,560
Speaker 3: of his files had been moved by an impostor in

8
00:00:18,600 --> 00:00:19,280
Speaker 3: their network.

9
00:00:19,440 --> 00:00:21,880
Speaker 2: So immediately reaches out to the head of it, the

10
00:00:21,920 --> 00:00:24,720
Speaker 2: main IT guy, and says, who is this? Who owns

11
00:00:24,760 --> 00:00:25,440
Speaker 2: this account?

12
00:00:25,600 --> 00:00:28,120
Speaker 3: The main IT guy was the super admin, so he

13
00:00:28,200 --> 00:00:31,480
Speaker 3: knew right away that something was wrong and this wasn't

14
00:00:31,560 --> 00:00:32,479
Speaker 3: a normal account.

15
00:00:32,560 --> 00:00:35,559
Speaker 2: So actually what he did just shut down all the accounts,

16
00:00:35,720 --> 00:00:39,200
Speaker 2: killed all sessions, locked everybody out, required a password change

17
00:00:39,680 --> 00:00:42,600
Speaker 2: while he could dig into this because he immediately was

18
00:00:42,920 --> 00:00:45,239
Speaker 2: pretty freaked out about what was happening. And what they

19
00:00:45,280 --> 00:00:49,600
Speaker 2: realized was someone had come in and made a number

20
00:00:49,600 --> 00:00:54,720
Speaker 2: of accounts as super admin and had been poking around

21
00:00:54,720 --> 00:00:57,120
Speaker 2: and looking at everything and even exfltrading information.

22
00:00:57,360 --> 00:00:59,720
Speaker 3: They had no idea how long it's had been going on,

23
00:01:00,200 --> 00:01:02,840
Speaker 3: how much data had been extracted, or what else was

24
00:01:02,880 --> 00:01:03,840
Speaker 3: looking in their network.

25
00:01:04,240 --> 00:01:07,520
Speaker 2: They started digging into it, and they found locker software,

26
00:01:07,520 --> 00:01:10,280
Speaker 2: so ransomware software that would encrypt, and it was on

27
00:01:10,360 --> 00:01:12,679
Speaker 2: the server and it was ready to be deployed, but

28
00:01:12,800 --> 00:01:13,800
Speaker 2: it hadn't been deployed.

29
00:01:14,520 --> 00:01:17,600
Speaker 3: Catching the ransomware didn't mean the company was safe. They

30
00:01:17,640 --> 00:01:19,959
Speaker 3: still had to investigate all of their files and their

31
00:01:20,000 --> 00:01:23,840
Speaker 3: accounts searching for any other signs of attack. And worst

32
00:01:23,880 --> 00:01:26,280
Speaker 3: of all, they had to stop working on the new game.

33
00:01:26,920 --> 00:01:30,640
Speaker 2: Those minutes count and those days count. So every day

34
00:01:30,680 --> 00:01:33,399
Speaker 2: you can't have your employees behind keyboard is our days

35
00:01:33,400 --> 00:01:35,320
Speaker 2: that are going to be delayed. This is making it

36
00:01:35,360 --> 00:01:39,520
Speaker 2: even worse. And this Iiquy kind of becomes a hero

37
00:01:39,560 --> 00:01:42,360
Speaker 2: of the story because it was a really a courageous

38
00:01:42,400 --> 00:01:44,240
Speaker 2: call that he made to do this, knowing what it

39
00:01:44,280 --> 00:01:46,399
Speaker 2: was going to cost the company. They probably would have

40
00:01:46,440 --> 00:01:47,480
Speaker 2: had to be a huge.

41
00:01:47,360 --> 00:01:58,520
Speaker 3: Ransom from Bloomberg Media Studios and Chrome Enterprise. This is

42
00:01:58,560 --> 00:02:05,920
Speaker 3: Security Bookmarked. I'm your host, Kate Fazzini. I've been a

43
00:02:05,920 --> 00:02:09,560
Speaker 3: cybersecurity professional and journalist for more than twenty years, and

44
00:02:09,639 --> 00:02:12,760
Speaker 3: on this podcast, I'm talking with leaders in gaming, finance,

45
00:02:12,800 --> 00:02:16,480
Speaker 3: and manufacturing about what security looks like in a workplace

46
00:02:16,600 --> 00:02:20,680
Speaker 3: that's moved to the cloud. The video game industry is

47
00:02:20,720 --> 00:02:24,320
Speaker 3: a massive business, bringing in over three hundred billion dollars

48
00:02:24,360 --> 00:02:27,919
Speaker 3: per year. That's nearly ten times the size of Hollywood's

49
00:02:27,960 --> 00:02:32,040
Speaker 3: global box office revenue. But as the gaming business keeps growing,

50
00:02:32,440 --> 00:02:35,440
Speaker 3: more and more teams are accessing key systems and data

51
00:02:35,520 --> 00:02:37,760
Speaker 3: so they can do their jobs, and that means we've

52
00:02:37,760 --> 00:02:40,959
Speaker 3: seen a rise in account takeovers. So today I'm speaking

53
00:02:41,000 --> 00:02:41,760
Speaker 3: with Adam Murray.

54
00:02:42,160 --> 00:02:45,480
Speaker 2: I am the chief Information security officer at Arctic Wolf.

55
00:02:45,639 --> 00:02:48,400
Speaker 2: We are a managed detection and response company SAC as

56
00:02:48,400 --> 00:02:51,320
Speaker 2: a service and a concierge model, so that we make

57
00:02:51,360 --> 00:02:53,880
Speaker 2: sure that we're not only providing them security today, but

58
00:02:53,960 --> 00:02:55,840
Speaker 2: also make sure that we take them on a security

59
00:02:55,919 --> 00:02:58,200
Speaker 2: journey to improve their security over time.

60
00:02:58,800 --> 00:03:01,400
Speaker 3: I'm going to unpack add a story about helping a

61
00:03:01,400 --> 00:03:04,680
Speaker 3: game studio survive a ransomware attack to understand the account

62
00:03:04,680 --> 00:03:07,600
Speaker 3: security risks that all companies need to get control of.

63
00:03:08,280 --> 00:03:11,440
Speaker 3: Then I'll chat with David Adrian, security product manager for Chrome,

64
00:03:11,760 --> 00:03:14,680
Speaker 3: about why phishing attacks are so difficult to stop and

65
00:03:14,720 --> 00:03:22,880
Speaker 3: why this doesn't have to be the case. In twenty

66
00:03:22,919 --> 00:03:25,880
Speaker 3: twenty three, ransomware attacks in the gaming industry were up

67
00:03:25,919 --> 00:03:28,560
Speaker 3: more than thirty percent year over year, and they can

68
00:03:28,600 --> 00:03:33,160
Speaker 3: freeze at game studio's entire operation causing major delays. In

69
00:03:33,240 --> 00:03:35,960
Speaker 3: this story from Adam, the game studio caught the ransomware

70
00:03:36,000 --> 00:03:39,160
Speaker 3: threat early, but then they realized the attacker had also

71
00:03:39,160 --> 00:03:43,600
Speaker 3: stolen their intellectual property, including details about new releases, videos

72
00:03:43,600 --> 00:03:46,240
Speaker 3: and images that they weren't ready to share with the world.

73
00:03:46,480 --> 00:03:49,920
Speaker 2: We call it double extortion, where I've sealed up your code, right,

74
00:03:49,960 --> 00:03:51,760
Speaker 2: and then not only am I saying pay me the

75
00:03:51,840 --> 00:03:53,560
Speaker 2: ransom where you don't have access to it, I'm saying

76
00:03:53,880 --> 00:03:56,800
Speaker 2: I will release this to the world unless you pay me.

77
00:03:57,120 --> 00:03:59,800
Speaker 2: So I would say video game companies are likely to

78
00:03:59,800 --> 00:04:04,000
Speaker 2: be targeted by these ransomware groups mainly because video games

79
00:04:04,000 --> 00:04:05,800
Speaker 2: are likely to pay the ransom if you're able to

80
00:04:05,800 --> 00:04:08,440
Speaker 2: successfully lock up their code and get their backups and

81
00:04:08,840 --> 00:04:10,080
Speaker 2: lock up their backups as well.

82
00:04:10,560 --> 00:04:13,200
Speaker 3: And then finally, once they put out all the fires,

83
00:04:13,320 --> 00:04:16,080
Speaker 3: they could figure out how did this attacker get access

84
00:04:16,120 --> 00:04:16,839
Speaker 3: in the first place.

85
00:04:18,160 --> 00:04:20,960
Speaker 2: There was actually a phishing message as at all you know,

86
00:04:21,160 --> 00:04:23,599
Speaker 2: very often is it was. It was a phishing message

87
00:04:23,640 --> 00:04:26,400
Speaker 2: to this it individual, to this person, the.

88
00:04:26,480 --> 00:04:30,359
Speaker 3: Very person who had caught the intruder and pulled the alarm, and.

89
00:04:31,320 --> 00:04:33,200
Speaker 2: You know, he clicked on the link and it take

90
00:04:33,279 --> 00:04:35,039
Speaker 2: him to a web page, then a log and prompt

91
00:04:35,080 --> 00:04:37,040
Speaker 2: to come up. He put in his credentials. They did

92
00:04:37,080 --> 00:04:40,839
Speaker 2: not have MFA, so the attacker was able to get

93
00:04:40,839 --> 00:04:44,360
Speaker 2: those credentials, then log in and quickly make other accounts

94
00:04:44,360 --> 00:04:46,520
Speaker 2: and get off of that it person's account so they

95
00:04:46,520 --> 00:04:50,440
Speaker 2: wouldn't notice. Social engineering works and it worked really well

96
00:04:50,480 --> 00:04:52,480
Speaker 2: and it's why attackers use it so often. There are

97
00:04:52,480 --> 00:04:54,400
Speaker 2: lots of other protections they could have had in place,

98
00:04:54,520 --> 00:04:56,960
Speaker 2: but yeah, that was how the attackers got in, and

99
00:04:57,000 --> 00:05:00,159
Speaker 2: then we're using the other accounts to worm their way

100
00:05:00,160 --> 00:05:02,680
Speaker 2: through all of the servers and the whole environment.

101
00:05:04,560 --> 00:05:07,119
Speaker 3: Later in the episode, i'll share my conversation with David

102
00:05:07,160 --> 00:05:10,080
Speaker 3: Adrian at Chrome about how leaders can defend their companies

103
00:05:10,120 --> 00:05:12,680
Speaker 3: against phishing. But first Adam and I are going to

104
00:05:12,760 --> 00:05:16,040
Speaker 3: unpack what this one breach shows about the cybersecurity risks

105
00:05:16,160 --> 00:05:18,880
Speaker 3: that gaming companies face and what they can do to

106
00:05:18,920 --> 00:05:20,400
Speaker 3: be more resilient to attacks.

107
00:05:21,040 --> 00:05:24,280
Speaker 2: Video games is a large industry and so they're all

108
00:05:24,440 --> 00:05:27,560
Speaker 2: kinds of companies involved, and depending on the size and

109
00:05:27,600 --> 00:05:32,039
Speaker 2: the type of game, you'll have very different levels of security,

110
00:05:32,240 --> 00:05:35,159
Speaker 2: and that security will be leveraged at these different problems

111
00:05:35,720 --> 00:05:38,560
Speaker 2: at different levels. Let me give you an example, with

112
00:05:38,640 --> 00:05:42,760
Speaker 2: the rise of online gaming, so massive multiplayer online games,

113
00:05:42,920 --> 00:05:46,760
Speaker 2: there is a huge incentive for these companies to prevent cheating.

114
00:05:47,240 --> 00:05:49,560
Speaker 2: So you have these video game companies and they're spending

115
00:05:49,640 --> 00:05:53,279
Speaker 2: millions of dollars and using the latest cutting edge technology

116
00:05:53,320 --> 00:05:57,640
Speaker 2: AI to detect and defeat cheating on their games and

117
00:05:57,680 --> 00:06:01,440
Speaker 2: their online games. They're leveraging all of this great technology

118
00:06:01,480 --> 00:06:03,359
Speaker 2: to do that, and then on their corporate side, they

119
00:06:03,400 --> 00:06:06,839
Speaker 2: don't have MFA to protect their main accounts. It is

120
00:06:06,920 --> 00:06:10,479
Speaker 2: understandable that they focus on the anti cheating because that

121
00:06:10,560 --> 00:06:12,960
Speaker 2: directly goes to their bottom line because if they're cheating,

122
00:06:14,160 --> 00:06:16,280
Speaker 2: then players are going to go elsewhere, and there are

123
00:06:16,279 --> 00:06:18,039
Speaker 2: other game companies that would love for that to happen.

124
00:06:18,200 --> 00:06:19,919
Speaker 2: So it makes sense while they do this, But you

125
00:06:20,000 --> 00:06:21,760
Speaker 2: have to understand you could have a breach that costs

126
00:06:21,760 --> 00:06:23,240
Speaker 2: you millions, tens of millions of dollars.

127
00:06:23,760 --> 00:06:26,600
Speaker 3: You've said that companies shouldn't treat data breaches or ransomware

128
00:06:26,640 --> 00:06:29,680
Speaker 3: attacks as part of the cost of doing business. Tell

129
00:06:29,680 --> 00:06:30,640
Speaker 3: me a little bit more about that.

130
00:06:31,040 --> 00:06:32,800
Speaker 2: I mean, I guess if you're a business, everything is

131
00:06:32,839 --> 00:06:35,400
Speaker 2: the cost of doing business, right Like, everything is going

132
00:06:35,440 --> 00:06:36,960
Speaker 2: to your bottom line. But what I mean, is there

133
00:06:36,960 --> 00:06:40,239
Speaker 2: are things you can do today that will greatly lower

134
00:06:40,279 --> 00:06:42,800
Speaker 2: the likelihood that you will have a breach. And you know,

135
00:06:42,800 --> 00:06:44,560
Speaker 2: my whole job is to prevent breaches, So I think

136
00:06:44,560 --> 00:06:47,919
Speaker 2: they're terrible. We should all leverage security against them. But

137
00:06:48,000 --> 00:06:49,680
Speaker 2: it might be seen as you know, a risk worth

138
00:06:49,680 --> 00:06:51,600
Speaker 2: taking or a cost of doing business, or maybe we

139
00:06:51,640 --> 00:06:55,440
Speaker 2: won't get hit with an attack, and you know, maybe

140
00:06:55,480 --> 00:06:57,480
Speaker 2: I want to spend money on making my render look

141
00:06:57,520 --> 00:07:00,000
Speaker 2: that much better and the graphics look that much better,

142
00:07:00,040 --> 00:07:02,120
Speaker 2: And I just don't see how security is hitting that.

143
00:07:02,640 --> 00:07:04,640
Speaker 2: It's the similar thing many companies do, and then when

144
00:07:04,640 --> 00:07:07,200
Speaker 2: they get breached, they really regret it. Because if you've

145
00:07:07,240 --> 00:07:10,080
Speaker 2: been developing a game for three years, an attacker comes

146
00:07:10,120 --> 00:07:12,360
Speaker 2: in and they're able to deny you access to all

147
00:07:12,360 --> 00:07:14,600
Speaker 2: of your information, your source code, your art assets, all

148
00:07:14,600 --> 00:07:16,760
Speaker 2: of that, and get your backups. You are in a

149
00:07:16,800 --> 00:07:19,160
Speaker 2: world of hurt. That is a very bad position to

150
00:07:19,200 --> 00:07:20,800
Speaker 2: be in, and the likelihood that you're going to pay

151
00:07:20,800 --> 00:07:23,800
Speaker 2: the ransom is very high. I don't recommend that, obviously,

152
00:07:23,840 --> 00:07:26,320
Speaker 2: my stance is not to pay ransoms, but.

153
00:07:26,520 --> 00:07:28,880
Speaker 3: Yeah, it's almost I can't imagine not paying it in

154
00:07:28,920 --> 00:07:31,880
Speaker 3: that because if your whole entire company is at stake.

155
00:07:31,960 --> 00:07:35,360
Speaker 3: It's the entire lifeblood of your company, the reason for

156
00:07:35,400 --> 00:07:37,200
Speaker 3: its existence basically exactly.

157
00:07:37,280 --> 00:07:40,040
Speaker 2: It is literally your entire business. And so then you're

158
00:07:40,040 --> 00:07:42,240
Speaker 2: going to want to start thinking as an organization and

159
00:07:42,280 --> 00:07:44,360
Speaker 2: you try to say where are attackers being successful.

160
00:07:44,640 --> 00:07:47,120
Speaker 3: So when you think of enterprise security for game studios,

161
00:07:47,200 --> 00:07:49,400
Speaker 3: what are the most critical threats that you're watching out for.

162
00:07:49,760 --> 00:07:52,880
Speaker 2: You know, there are many threat or attack reports that

163
00:07:52,920 --> 00:07:54,960
Speaker 2: come out or data breach reports that come out each year,

164
00:07:55,080 --> 00:07:57,080
Speaker 2: artic Wolf as one as well, and if you look

165
00:07:57,080 --> 00:08:00,280
Speaker 2: at these, you'll see the primarily attackers are success full

166
00:08:00,320 --> 00:08:04,240
Speaker 2: in doing basically one of two things. Either attacking accounts

167
00:08:04,480 --> 00:08:06,800
Speaker 2: so you can think user name, password, MFA, attacking that

168
00:08:07,240 --> 00:08:11,560
Speaker 2: and getting access through that, or attacking vulnerabilities, so looking

169
00:08:11,600 --> 00:08:14,000
Speaker 2: at the code, looking at the configuration of cloud software,

170
00:08:14,240 --> 00:08:17,000
Speaker 2: SaaS software, whatever it is, and being able to exploit

171
00:08:17,040 --> 00:08:19,680
Speaker 2: those vulnerabilities and get in. So if you can really

172
00:08:19,680 --> 00:08:21,760
Speaker 2: look at this and say, how do I protect identities

173
00:08:22,440 --> 00:08:24,400
Speaker 2: at my company and how do I make sure that

174
00:08:24,480 --> 00:08:28,200
Speaker 2: we're patching and updating and not introducing vulnerabilities and misconfigurations.

175
00:08:28,280 --> 00:08:30,360
Speaker 2: If you can do those things to the right level,

176
00:08:30,440 --> 00:08:32,440
Speaker 2: you're going to protect your company and you certainly won't

177
00:08:32,480 --> 00:08:35,040
Speaker 2: be the low hanging fruit where attackers will try to

178
00:08:35,040 --> 00:08:35,480
Speaker 2: attack you.

179
00:08:35,800 --> 00:08:37,960
Speaker 3: What are some other ways that the companies can be resilient.

180
00:08:38,559 --> 00:08:40,240
Speaker 2: If you want to get really technical, we can talk

181
00:08:40,240 --> 00:08:43,000
Speaker 2: about shift left. In other words, you want to create

182
00:08:43,080 --> 00:08:45,480
Speaker 2: games and systems that are secure, so you want to

183
00:08:45,480 --> 00:08:48,240
Speaker 2: make sure you're baking security in from the very beginning,

184
00:08:48,600 --> 00:08:51,040
Speaker 2: so when you're still like whiteboarding the design of what

185
00:08:51,080 --> 00:08:52,959
Speaker 2: you're trying to do in the game, add a threat

186
00:08:52,960 --> 00:08:56,719
Speaker 2: model to that process from the very beginning, thinking about

187
00:08:56,800 --> 00:08:59,320
Speaker 2: how could somebody take advantage of this, how could it

188
00:08:59,360 --> 00:09:01,320
Speaker 2: go wrong? And by the way, you can also add

189
00:09:01,360 --> 00:09:03,640
Speaker 2: anti cheat in there at the beginning too and help

190
00:09:03,760 --> 00:09:05,640
Speaker 2: solve that problem at the very beginning, so you're not

191
00:09:05,720 --> 00:09:07,280
Speaker 2: trying to tack it on at the end. And then

192
00:09:07,280 --> 00:09:10,320
Speaker 2: when you have your detection and prevention methodologies out there,

193
00:09:10,360 --> 00:09:12,560
Speaker 2: they're going to be much more effective because the underlying

194
00:09:12,600 --> 00:09:16,320
Speaker 2: system itself is resistant to attack and resistant to cheating.

195
00:09:16,600 --> 00:09:20,160
Speaker 3: Game developers are obviously digital first. When you think about

196
00:09:20,200 --> 00:09:22,200
Speaker 3: the day to day work and collaboration that goes on

197
00:09:22,280 --> 00:09:25,800
Speaker 3: behind the scenes at the enterprise level, I'm interested in

198
00:09:26,120 --> 00:09:29,160
Speaker 3: how do workers collaborate. You're in an industry where you're

199
00:09:29,160 --> 00:09:33,520
Speaker 3: working with people who are specialists and extraordinarily talented, but

200
00:09:33,600 --> 00:09:36,840
Speaker 3: maybe like at one thing, and that guy lives in Aspen,

201
00:09:37,040 --> 00:09:39,880
Speaker 3: and then you know the other guy lives in the

202
00:09:39,880 --> 00:09:42,599
Speaker 3: forests of Oregon, and you've got to connect all of

203
00:09:42,640 --> 00:09:46,079
Speaker 3: these teams in different areas. How do you handle collaboration

204
00:09:46,160 --> 00:09:47,480
Speaker 3: across environments like that.

205
00:09:47,960 --> 00:09:50,880
Speaker 2: Yeah, so it's an interesting question in security. We've been

206
00:09:50,880 --> 00:09:54,280
Speaker 2: doing this for a long time, collaborating across time zones,

207
00:09:54,640 --> 00:09:58,920
Speaker 2: using various tools, different SaaS, apps or other applications to

208
00:09:58,960 --> 00:10:01,439
Speaker 2: collaborate and communicate. That means a lot of very sensitive

209
00:10:01,440 --> 00:10:05,280
Speaker 2: information as being passed through these suites of software. And

210
00:10:05,320 --> 00:10:07,200
Speaker 2: so if you can think of one thing, like the browser,

211
00:10:07,280 --> 00:10:12,120
Speaker 2: so much work happens right in the browser, and many

212
00:10:12,640 --> 00:10:15,559
Speaker 2: companies just don't think of the security of that particular

213
00:10:16,160 --> 00:10:18,679
Speaker 2: piece of software. If we dig into that a little bit,

214
00:10:19,280 --> 00:10:22,160
Speaker 2: you know, are you hardening that piece of software. Are

215
00:10:22,160 --> 00:10:24,240
Speaker 2: you making sure that everyone's using the same browser so

216
00:10:24,280 --> 00:10:26,679
Speaker 2: you can have the same type of security across the

217
00:10:26,840 --> 00:10:30,000
Speaker 2: entire organization. Are you making sure they're not sinking personal

218
00:10:30,040 --> 00:10:33,160
Speaker 2: accounts that can bring in different extensions that they're using

219
00:10:33,160 --> 00:10:35,280
Speaker 2: at home that do backups or copy and now you

220
00:10:35,280 --> 00:10:38,040
Speaker 2: have information going places you weren't thinking of. So really

221
00:10:38,120 --> 00:10:40,319
Speaker 2: making sure that each one of those pieces of software

222
00:10:40,520 --> 00:10:44,280
Speaker 2: is secured, especially the browser, is a really important consideration,

223
00:10:44,440 --> 00:10:47,520
Speaker 2: especially if we're talking about companies that are collaborating, you know,

224
00:10:47,520 --> 00:10:50,040
Speaker 2: with lots of remote employees and using software to do that.

225
00:10:50,520 --> 00:10:52,640
Speaker 2: There is one third aspect to this, and it's actually

226
00:10:52,640 --> 00:10:54,960
Speaker 2: illustrated by the story I told, and that is you've

227
00:10:54,960 --> 00:10:57,000
Speaker 2: got to have a good security culture. You've got to

228
00:10:57,040 --> 00:11:00,959
Speaker 2: train your people to be wary of social engineering attacks

229
00:11:01,080 --> 00:11:03,880
Speaker 2: like phishing and be resistant to those. You know, you

230
00:11:03,880 --> 00:11:06,360
Speaker 2: can have technologies to protect against it. But there's a

231
00:11:06,440 --> 00:11:09,400
Speaker 2: reason why so many attackers use social engineering is because

232
00:11:09,400 --> 00:11:12,600
Speaker 2: it's very very successful, because it's pretty easy to trick

233
00:11:12,679 --> 00:11:13,280
Speaker 2: human beings.

234
00:11:17,000 --> 00:11:20,160
Speaker 3: If you're leading a gaming company, your entire product is software,

235
00:11:20,200 --> 00:11:23,680
Speaker 3: and that product is constantly being accessed, tested and updated

236
00:11:23,679 --> 00:11:29,640
Speaker 3: by your teams. The same goes for your IP designs, assets, code,

237
00:11:29,800 --> 00:11:33,480
Speaker 3: marketing trailers showing new characters, new content, and it all

238
00:11:33,480 --> 00:11:36,040
Speaker 3: lives online. So how do you keep your own accounts

239
00:11:36,040 --> 00:11:37,080
Speaker 3: from being used against you?

240
00:11:37,960 --> 00:11:40,320
Speaker 4: So, if I'm a CSO or I'm in charge of

241
00:11:40,559 --> 00:11:43,280
Speaker 4: security an organization. The number one thing that I would

242
00:11:43,280 --> 00:11:48,280
Speaker 4: be focusing on is deploying strong, unfishable authentication to all

243
00:11:48,320 --> 00:11:49,440
Speaker 4: of my employees.

244
00:11:49,800 --> 00:11:52,600
Speaker 3: That's David Adrian, a security product manager for Chrome.

245
00:11:52,920 --> 00:11:55,839
Speaker 4: I focus mostly on network security, but I help everything

246
00:11:56,000 --> 00:11:58,000
Speaker 4: up and down the stack to make sure that we're

247
00:11:58,360 --> 00:12:00,920
Speaker 4: building Chrome to be as secure as possible, from the

248
00:12:00,960 --> 00:12:03,040
Speaker 4: application through the network to the cloud.

249
00:12:03,679 --> 00:12:06,360
Speaker 3: When I brought up ransomware attacks and gaming, he picked

250
00:12:06,440 --> 00:12:09,320
Speaker 3: up on account security and how important it is to

251
00:12:09,400 --> 00:12:13,280
Speaker 3: plan for what happens when an employee account is compromised.

252
00:12:13,600 --> 00:12:17,400
Speaker 4: Game assets or designs are I think the crown jewels

253
00:12:17,400 --> 00:12:20,160
Speaker 4: that gaming companies are trying to protect, and so I

254
00:12:20,240 --> 00:12:22,439
Speaker 4: feel for them in the situation and that they need

255
00:12:22,480 --> 00:12:24,200
Speaker 4: to figure out like how do we make this run fast,

256
00:12:24,240 --> 00:12:26,520
Speaker 4: how do we get access to everyone that needs it?

257
00:12:26,880 --> 00:12:29,160
Speaker 4: But also how do we, you know, make sure that

258
00:12:29,240 --> 00:12:33,560
Speaker 4: if someone bad gets in, they don't get everything. When

259
00:12:33,559 --> 00:12:36,280
Speaker 4: things go wrong, they go wrong bad and you risk

260
00:12:36,480 --> 00:12:39,840
Speaker 4: all of you your game assets getting encrypted and ransomwared.

261
00:12:40,200 --> 00:12:44,199
Speaker 4: And in many industries, the high value accounts are sort

262
00:12:44,200 --> 00:12:47,559
Speaker 4: of the administrators of the organization who might have access

263
00:12:47,640 --> 00:12:51,640
Speaker 4: to create new users in the gaming industry, there might

264
00:12:52,000 --> 00:12:55,360
Speaker 4: be a broader set of targets because any developer who

265
00:12:55,400 --> 00:12:57,760
Speaker 4: can build the game likely has access to all of

266
00:12:57,800 --> 00:13:00,880
Speaker 4: the assets for the game and able to get in

267
00:13:01,600 --> 00:13:05,200
Speaker 4: and they get access, let's say, as anybody who has

268
00:13:05,240 --> 00:13:08,719
Speaker 4: access to the underlying game assets, there might not even

269
00:13:08,800 --> 00:13:11,280
Speaker 4: need to be a lot of escalation of privileges. Sure,

270
00:13:11,280 --> 00:13:13,679
Speaker 4: if they get an administrator, they could create their own account,

271
00:13:13,880 --> 00:13:16,000
Speaker 4: but if they get a game developer, they might just

272
00:13:16,040 --> 00:13:18,040
Speaker 4: be able to walk away with all of the assets

273
00:13:18,040 --> 00:13:20,720
Speaker 4: for the game by default, because the developers already have

274
00:13:20,760 --> 00:13:21,400
Speaker 4: access to it.

275
00:13:21,760 --> 00:13:24,160
Speaker 3: And so we zeroed in on the moment when an

276
00:13:24,160 --> 00:13:27,160
Speaker 3: attacker breaks into a company account through a phishing link.

277
00:13:27,720 --> 00:13:32,199
Speaker 4: The most common sort of attack factor is still phishing.

278
00:13:32,800 --> 00:13:36,760
Speaker 4: It's not too hard to find who's working for some

279
00:13:37,000 --> 00:13:39,480
Speaker 4: company and then try and figure out what their email is,

280
00:13:39,800 --> 00:13:41,680
Speaker 4: and once you know their email, you can try and

281
00:13:41,760 --> 00:13:42,680
Speaker 4: start phishing them.

282
00:13:43,000 --> 00:13:45,280
Speaker 3: I think I had somebody tell me once that teaching

283
00:13:45,280 --> 00:13:47,960
Speaker 3: people to not get fish is like teaching them not

284
00:13:48,040 --> 00:13:50,079
Speaker 3: to fall in love. It's never going to happen.

285
00:13:50,200 --> 00:13:52,640
Speaker 4: I would flip it around a little bit and say

286
00:13:52,679 --> 00:13:56,240
Speaker 4: that trying to solve phishing with like phishing training fake

287
00:13:56,280 --> 00:13:58,880
Speaker 4: phishing emails. That type of thing. Even if it works

288
00:13:58,960 --> 00:14:01,120
Speaker 4: ninety nine point nine nine percent of the time, the

289
00:14:01,320 --> 00:14:03,600
Speaker 4: point zero one percent that it doesn't is enough for

290
00:14:03,679 --> 00:14:06,920
Speaker 4: everything to go wrong. Right, We've seen one phishing attempt

291
00:14:07,440 --> 00:14:11,240
Speaker 4: that succeed have impacts on everything ranging from gaming companies

292
00:14:11,240 --> 00:14:14,680
Speaker 4: to elections, and so, sure, you can try and like

293
00:14:14,880 --> 00:14:17,439
Speaker 4: get your employees to hide their emails, you can append

294
00:14:17,800 --> 00:14:20,240
Speaker 4: random digits to their emails, but at the end of

295
00:14:20,240 --> 00:14:22,640
Speaker 4: the day, eventually something's going to leak and someone's going

296
00:14:22,720 --> 00:14:23,320
Speaker 4: to get fished.

297
00:14:23,840 --> 00:14:27,280
Speaker 3: So let's talk about phishing protection. Obviously, these people are

298
00:14:27,320 --> 00:14:30,320
Speaker 3: going to get spearfished. It will happen, So what are

299
00:14:30,320 --> 00:14:31,840
Speaker 3: some of the protections available to them.

300
00:14:32,000 --> 00:14:35,680
Speaker 4: So the good news is that we have effective solutions

301
00:14:35,760 --> 00:14:39,120
Speaker 4: against fishing. I think if I were a CSO or

302
00:14:39,160 --> 00:14:42,240
Speaker 4: a CIO, like, the number one thing that I would

303
00:14:42,240 --> 00:14:47,240
Speaker 4: be doing is deploying strong, unfishable authentication. And while that

304
00:14:47,320 --> 00:14:50,280
Speaker 4: seems kind of straightforward, like let's just authenticate the people

305
00:14:50,320 --> 00:14:51,880
Speaker 4: that work for me and make sure they work for me,

306
00:14:52,360 --> 00:14:55,800
Speaker 4: that is probably most of the challenge for a lot

307
00:14:55,880 --> 00:14:58,560
Speaker 4: of security engineering teams is making sure that that can happen.

308
00:14:58,920 --> 00:15:02,360
Speaker 4: The easiest context to deploy them is web browsers for

309
00:15:02,760 --> 00:15:06,200
Speaker 4: enterprise users, where you have this source of truth where

310
00:15:06,240 --> 00:15:08,040
Speaker 4: you can say, hey, I know what all my employees are.

311
00:15:08,080 --> 00:15:10,920
Speaker 4: I'm going to ship them all some sort of token

312
00:15:11,120 --> 00:15:13,760
Speaker 4: to plug into their computers, making sure that every work

313
00:15:13,800 --> 00:15:16,920
Speaker 4: application that every employee goes through has to use one

314
00:15:16,960 --> 00:15:20,520
Speaker 4: of these authentication methods and does it from a managed browser.

315
00:15:20,960 --> 00:15:23,440
Speaker 4: And so if you can deploy those authentication methods and

316
00:15:23,480 --> 00:15:26,000
Speaker 4: you can make all logins only go through a web

317
00:15:26,000 --> 00:15:29,760
Speaker 4: browser and only use those authentication methods, you solve phishing.

318
00:15:30,440 --> 00:15:34,560
Speaker 4: With Chrome, enterprise premium organizations can access a centralized enforcement

319
00:15:34,640 --> 00:15:37,360
Speaker 4: point for all of their endpoint security in controls. This

320
00:15:37,440 --> 00:15:41,280
Speaker 4: allows for endpoint visibility across the entire enterprise network. IT

321
00:15:41,640 --> 00:15:46,160
Speaker 4: and security teams can deploy advanced security capabilities like advanced DLP,

322
00:15:46,680 --> 00:15:50,120
Speaker 4: like context A wear access controls, and then you can

323
00:15:50,160 --> 00:15:53,320
Speaker 4: get in depth reporting for all of those features and

324
00:15:53,400 --> 00:15:57,960
Speaker 4: so deploying stronger authentication that can actually be more user

325
00:15:58,000 --> 00:16:00,520
Speaker 4: friendly when done right, in the sense that it lets

326
00:16:00,560 --> 00:16:03,680
Speaker 4: people act how they would naturally and not have to

327
00:16:03,720 --> 00:16:06,360
Speaker 4: try to treat every email adversarially like it might be

328
00:16:06,400 --> 00:16:09,480
Speaker 4: a phishing email. Because with the right authentication, they'll actually

329
00:16:09,480 --> 00:16:11,440
Speaker 4: be protected by default, so if you send them a

330
00:16:11,440 --> 00:16:14,160
Speaker 4: fishing link and they get tricked by it, it doesn't

331
00:16:14,160 --> 00:16:16,160
Speaker 4: matter and the login won't work for the attacker.

332
00:16:19,080 --> 00:16:21,720
Speaker 3: To learn more about how the most trusted enterprise browser

333
00:16:21,720 --> 00:16:25,800
Speaker 3: can help protect your organization, visit Chrome Enterprise dot Google.

334
00:16:27,920 --> 00:16:31,840
Speaker 3: Next time on Security Bookmarked, i'll talk strategy with jf Lego,

335
00:16:32,160 --> 00:16:35,840
Speaker 3: Deputy Chief Information Security Officer at JP Morgan Chase.

336
00:16:36,040 --> 00:16:40,280
Speaker 1: So it's really how do you think through the awareness

337
00:16:40,320 --> 00:16:43,960
Speaker 1: for people with the most common types of attacks, but

338
00:16:44,160 --> 00:16:48,600
Speaker 1: also how do you turn your entire workforce into early

339
00:16:48,720 --> 00:16:49,760
Speaker 1: detection sensors.

340
00:16:50,720 --> 00:16:54,320
Speaker 3: Security Bookmark is a podcast from Bloomberg Media Studios and

341
00:16:54,400 --> 00:16:57,880
Speaker 3: Chrome Enterprise. Subscribe in your podcast app so you don't

342
00:16:57,880 --> 00:17:01,800
Speaker 3: miss our newest episode. Kate Fazzini, thanks for listening.