tv The Communicators CSPAN September 20, 2014 6:30pm-7:01pm EDT
6:30 pm
some of the data breaches at companies such as home depot and target, sony's playstation as well. this week on "the communicators," we will discuss data breaches with wade baker of verizon. verizon has put up a data breach report for 2014. mr. baker is the chief technology officer and security director for verizon enterprise solutions. what does that mean, mr. baker? what do you do? >> we research security technologies and try to bring them into our products so we secure corporate customers and consumers. >> what is the definition of a data breach? >> an unauthorized individual, or it could be a group, gains access to nonpublic information. the clearest definition of it. could be corporate secrets, could be personal information, could be e-mails, any kind of
6:31 pm
information you don't want the public to see. >> what are the major conclusions of your 2014 data breach report? >> major conclusions are that this thing is getting more and more complex every year. we see a wider variety of attackers. 10 years ago in the security space we mainly worried about network worms that would roam around the internet fast and knock servers off-line, but now we are worried about large-scale denial of service attacks, worried about eastern european organized crime targeting banks. we are worried about advanced threats centered around espionage. the problem has gotten much more complex. >> joining the conversation today is joe marks from politico, technology reporter. >> thank you. so wade, the focus has been on these big point-of-sale attacks happening between when you swipe your card and the information
6:32 pm
going to the company. are we particularly vulnerable at that moment? >> we are. a lot of people are aware, when they buy something online, to make sure the site is legit. a little worried about entering the payment card. but you just don't think about it when you swipe a card at a terminal, just because we have done it for a long time. we are used to that technology. it is less mysterious. but the fact of the matter, as soon as you swipe a card the data transfers at a network inside store, communicated to a network, and there are many points when that could be compromised. these things happen every day. >> there was one recently at home depot, and of course target last year. your report says that as of 2013, these were decreasing. is that right? >> they are decreasing, but there is an important distinction.
6:33 pm
we have been doing this report for seven years. we have 10 years of data. you can see changes in the threat landscape over that time. seven years ago we saw very large banks and payment processors compromised, very big breaches. then we had an era where it seemed like a lot of mom-and-pop shops, small to medium businesses, were compromised. now in the last year it seems to have shifted back to larger retailers. it is just a natural flow. numerically speaking, we have fewer, but as far as the amount of data compromised it is much larger, because those are larger breaches with more impact. >> when this happens, it seems it is not necessarily the store, it is some third party that the hackers are able to get in through, then access all this information. can you explain this ecosystem, and is there a way to possibly
6:34 pm
make it safe? >> it is a frightening web when you start digging into it. this doesn't only exist in retailers. it is pervasive, the supply chain we are all a part of, increasingly complex. at specifically retailers, point-of-sale system is in a store, and the store is part of many other stores. it could be multiple chains under one umbrella of management. these things are all going to be networked. very often with retailers, there is not a local security team there to take care of the point of sale system, so you hire a third party who is responsible for protecting and maintaining the point-of-sale system. anytime you add a third party to the mix, you add a way for people to access the point-of-sale system, usually remotely, which also opens up the door for an unauthorized individual, hacker, whatever you
6:35 pm
want to call them, to exploit that vector. that happens in a lot of these. they steal the password of the third-party managing the system and access them just as though they were the ones authorized to do so. >> in the case of target, the inroad was the hvac company. you don't expect them to have the best internet security. that is not their expertise. is there a way to force security on this ecosystem? >> there have been many. an interesting point. not only are there more third parties in the mix, but we are also putting more things on the network. an hvac is connected to a network connected to another network that your payment systems are connected to, that is something we tend to forget about as we add complexity to networks over
6:36 pm
time. and there should be. anytime you have a payment network, it should be completely isolated from anything else. but it is like an old house. networks have grown up over time. you knocked down a wall and you find a passageway into another part of the house you did not even know existed. so it is a difficult problem. >> has wireless added to the problem? >> most definitely. going back to retail stores, not only do you have the network, the wireline network, that you have wireless systems they could be for employees, for inventory payments, even rfid and bluetooth, the things that come in and out of stores. so absolutely, an attacker could sit in a parking lot and if the wireless network is not secured, they could gain access remotely. >> your report, which is online at our website,
6:37 pm
communicators,/ you talk about nine types of hacks. one -- what is that? >> we have all been on the web and all used some kind of online web application, a website, something like that. a lot of people don't realize it looks like a page of words. somewhere there is a server running a web application. sometimes various applications will take your data if you fill out a form, return information back to you, help you manage your bank account, play with facebook, whatever you like to do online. these applications run on code, and anytime you have code there can be vulnerabilities in the code. the software also needs to be updated over time. many times these things stay on internet and are not patched and updated.
6:38 pm
people are familiar because you get updates on your own pc constantly. same thing with a web server or application. if you don't take care of them, they will have holes in them, and the bad guys know exactly what they are. >> and vulnerabilities run a huge gamut, from credit card data to the syrian electronic army stealing a twitter account. -- anything related? >> some of them are. the analysts are having difficulties getting their arms around them. we talked to organizations and many said, forget it, i can't even keep up with the threats out there. they seem so diverse. we did some analysis, and i won't go into the math behind it, but basically all these
6:39 pm
100,000 incidents fit more or less within one of those nine buckets. some of them are very related. we have something called crimeware, which is malicious software that gets installed on a computer and is various things. we also have a pattern, denial of service attacks. normally you wouldn't think malicious code running on a computer is related to denial of service attacks, which are launched at a web server to knock it off line so it doesn't work anymore, but the fact of the matter is, often malware gets installed on a system and joins one system to a network of other systems that have the same malware installed on them, and as a unit these hundreds of thousands of systems, a distributed denial of service attack, attacks a website. maybe you are upset with a message they released. it knocks it off-line.
6:40 pm
a lot of these patterns are interrelated. >> are there cases in which it is the same people who are hitting the defense department, trying to steal intelligence, who are also getting your bank account information? >> there is some of that. a lot of the shadowy underworld that is difficult to track. there are some groups that definitely are financially motivated, in business to hack into banks and retailers, wanting to steal personal information so they can translate that into cash. others are firmly rooted in more espionage, working for a government type thing. then there's a middle ground where we do see some movement in between, some shared tools that they use, and also shared people as far as we can tell. so yes, there is a connection. that's one of the things that we
6:41 pm
as security researchers try to know. because the better we know our adversary, the better we are able to protect against them. >> are these people sitting in their basements? is there an organized office? is this government sponsored? >> it is truly all of the above. we have worked with law enforcement agencies who busted down doors and dragged people out of their basements, literally. we have also participated in fairly large-scale arrests of multiple individuals that are very highly connected together, very well organized, each with individual specialities. someone writes malicious software, the others know how to wash the money, all these things. just like organized crime. then there are others definitely working on behalf of a government. they have an office with pictures in it, all that kind of
6:42 pm
thing, going in and out of work. they go to that building. that is their job, to hack into companies and steal information on behalf of a government. >> is this profitable? >> it seems to be very much so, unfortunately. there are places, i have seen photos of some eastern european, for instance, where an insane number of people drive lamborghinis and things like this. thet of that is the spam, fake pharmaceuticals, the financial fraud, tax fraud, medicare fraud, all these things. staggering amounts of money that at some point along the chain are traced back to data that was stolen, stored at a corporation or government. >> verizon is an isp, a wireless provider. what kind of measures does your company take to prevent attacks on your systems?
6:43 pm
>> of course, we are in many playing ground a lot of this takes place over. so i will go back to the denial of service attacks that are an attempt to knock a company off-line. could be a government. could be a company. that takes place over our network in many cases, so we very often jump in there with that company being attacked, work with them tightly, because the more they are attacked, it is also slowing down traffic on our network and affecting other customers, so we try to shut that off as close to the source as we can, both to preserve that company and our own network. from a data breach perspective, we are very often trying to find malicious communication taking place. we work with companies to
6:44 pm
prevent them from ever having intrusions into the network, but we also have a team that helps respond when something does go wrong, to respond very quickly and work with law enforcement, do notifications, whatever is needed. it is multiple levels, at the consumer and corporate level. >> when you find someone on the network like that, can you give us a play-by-play about how you get them off? do you take them off right away, or check them out for a while? >> it depends on the customer and what they know about it. if it looks like just a system that is maybe infected inside the network, we will just recommend to take that off-line as soon as possible. more complex attacks, sometimes we need to watch and see what is going on, and we have worked with customers to set almost network cameras on their network to see what's
6:45 pm
going on, and now we have evidence. you need to catch them in the act, so to speak. we can do that. many times it is putting evidence together, almost digital fingerprints. you can tell certain attackers by the way they do things, the artifacts they leave behind, and that traces to certain groups. a lot of times we will work with law enforcement at that level. unfortunately, it is often kind of a whack a mole situation. you may only think there's one compromised, but there may be hundreds or thousands. you may clean this one up, but they pop up here and here and here. that's one of the most difficult parts of responding. >> can you explain how they get in to do that? >> absolutely. often there is one initial vector of infection.
6:46 pm
you would be surprised how simple that is. >> what is a vector? >> just a way in the door. think about, if i wanted to get into a house, what could i do? walk in the front door, break a window, if i really needed to i could tunnel up through the floor. if you are an attacker, you will take the easiest way in, which is what most attackers do. sometimes that's a vulnerability in a web application. sometimes that is sending a phishing e-mail to a user that they clicked on, and that opens the doorway for an attacker to come in. once they have, we call it a foothold or established ground inside the network, then they can spread around. we know how internal networks are. now they are part of the daisy chain of computers, and they can hop from computer to computer. a lot of times they will go to
6:47 pm
the domain server that has all the user accounts and they steal hundreds or thousands of passwords, and now they can do that. the lateral spread throughout the network after that initial compromise takes place. it can happen very quickly. the idea is to get as deeply entrenched as you can, so that you see everything going on in the network. >> the phishing emails, click here to enter these sweepstakes? >> some of them are not as cheesy and obvious as those. some of them, the good ones, do a well-crafted e-mail. for some reason, let's say they knew we were meeting today. they might send an e-mail, thanks for coming today, i thought you would find this article interesting. they can make things believable by knowing you would have a
6:48 pm
conference at a certain time or something like this, but as soon as you open the pdf document or whatever it is, you are infected, and many times don't even know about it. >> a lot of it is technology. but also social engineering. >> absolutely. almost all the advanced attacks start with the exploitation of a person. a really simple attack, tricking someone to click on something. >> are there regulations at the federal level that apply to all this? >> there are standards and regulations for how we protect systems. many of them, depending on processing payments, a set there, storing government and classified data, another set of standards. there's increasing discussion on when an incident occurs, what
6:49 pm
you are responsible to report on it or disclose. so if you have information stored on individuals and that is compromised, you have to report that publicly and notify the individuals. and more and more of this discussion is taking place. it's not always regulated into law. a lot of it is voluntary. there's a realization that if we can share information, we are aware of the situation going on. because the attackers are working together. that is a fact. >> why is it better that information sharing be voluntary rather than something organized to the government? >> many times they are voluntary. you can join, get information, give information, and they don't require you have to tell me exactly these things on every
6:50 pm
single bit. i think it's better voluntary, because you are going to get better information that way, you are going to get to the root issues. if we make a law saying, these things have to be shared, as soon as you make that law now it has to be updated and changed, and the situation we are in is very fluid and things can change drastically over time. so something needs to adapt to that regularly. same thing with controls. if i say, here are the 10 things everyone needs to do today, one problem we have had in security is they don't get updated fast enough. a lot of complaint about that in the retail and financial sectors. information sharing is extremely important, and there's a lot of really good reasons to do it that organizations are latching onto.
6:51 pm
they realize, if i share and get information, that is very helpful to me, and i am also reaping the benefits, and so are my peers when we do this. the last supper years especially, that has really increased as far as i can tell. >> are there concerns from the other side, that when you share information you're giving up your own intellectual property or you might be violating an agreement with a client? >> absolutely. you are asking very perceptive questions. the things that i hear as far as concerns on information sharing, yes, violating some kind of client privilege. should i be able to share that, abstractions of that information with others so they can better prepare for a similar attack? concern about brand. if i share this and say that we had an incident, is that going to reflect negatively on me and look like i am not prepared to deal with security? on that note, we are
6:52 pm
increasingly under the impression that the difference between secure organizations and nonsecure organizations often is not whether they have ever had a compromise, just because it is a fact of doing business, like any other accident, but it is how well you prepare for and respond to those things. you see organizations that take forever to figure out what happened, very slow to respond, and then there are some that act very quickly and let everyone know about it, open and honest, deal with the situation. that is often the difference between good and bad cases. but there are concerns. >> you think that model is understood by the public, that you can be breached well or breached badly? are companies explaining that to the public well enough? >> i don't know. i did a little experiment with my family at holiday gatherings and stuff like that. over the last several years that i have been in this breach
6:53 pm
world. when there is a breach, it is big on my radar. did you hear about the such and such breach? for eight years i have gotten this no, what are you talking about? it reminds me of how small the world is. but the last year, i have asked that question, and they have heard of this. so it is getting down on their level far more than it has in the past. i don't know if it's because we are all tired of having our credit cards swapped out so many times a year, or getting the breach notices, or what it is. but there is definitely an awareness, and some of that is companies themselves driving that. government regulation seems to be -- more of a buzz about it. >> do you attend the black hat press conferences held in las vegas? >> i attended this last one. >> was invaluable for you? >> it was.
6:54 pm
it is good to understand the perspective. some of the events are changing over time. black hat is one i like to go to because you can see people out there, look at this attack i figured out, and they are trying to get publicity for themselves. that's perhaps not great, and might even be part of the problem depending on who you talk to. but it does give you perspective on how easy some of these things are. you see the latest attacks, the trends. as soon as these are talked about in a public forum, you know it is a matter of time before the criminals use the same technique. so it is a way to keep up. >> on a personal level, how often do you change your passwords? do you, for example, bank online? >> i do bank online and on my mobile phone. passwords, maybe every six months, to be honest
6:55 pm
with you. i don't change them that often. but the thing that i do is i use a password manager. i do not try to make up my own passwords, because i will either forget them or make extremely weak ones i can remember. so i outsource that to a brain that comes up with very complex passwords. a lot of these programs are freely available for people to download. i highly recommend one. a lot of times they will let you know, there has been a breach with such and such, you might want to change your password. that is extremely helpful. so that is a tip i tell everyone, change that. and i also always enable two-factor authentication through my mobile device or something if a bank offers that. when i log in not only do i enter my password, but i get a digit code on my mobile device. that makes it a lot harder for
6:56 pm
criminals to gain access to your account. so always try to enable that as well. >> final question? >> every two or three months there seems to be, the password is dead article. is the password going to die soon? >> i hope so. [laughter] it probably won't completely die, but if you think about it, we have the means of getting over this. i think this has got to be a collective thing that we as consumers, as an industry, as retailers and banks, we need to get together and figure out how to do this. not just throw some things out there about how easy this would be. think about the fact that we enter passwords, sometimes we have to look it up, and that is how we gain access to these important accounts we have. there is a lot of information that we can do passively. most of us have microphones on our computers. my voice is far more unique in
6:57 pm
my password. the way that i type at a certain cadence is unique, statistically. we have mobile devices, most of us, with fingerprint readers on them sometimes, cameras. that's a little creepy, but they could look at it. we know where that device is. if that device is in the same location as your computer, that is a good match. there are so many other ways we could authenticate someone. i just think we have gotten used to the password. it's almost like a crutch now. >> the data breach investigations report put out by verizon is available at c-span.org/communicators. joe marks, thank you. >> c-span -- created by america's cable companies 35 years ago and brought to you as a public service by your local cable or satellite provider. iowa
6:58 pm
governor terry branstad is running for a fifth term against jack hatch. they faced each other tonight in a televised debate. here is a look at ads they are running in the race. iowans were out of work. unemployment was the highest in 25 years. the state budget was $900 million in debt. then terry branstad came back, and so did iowa. a budget surplus, 140,000 new jobs. unemployment reduced nearly 30%, and governor branstad is just getting started. iowa is back. terry branstad is building iowa's future. >> he is honest, compassionate, a visionary. he is always looking forward. where can we go next? to do better, bring jobs to the economy. and we see that. the jobs today, young people moving back.
6:59 pm
more iowans are working today than at any other time in our state history. i am really optimistic about the future. he definitely has a passion for this state. iowans are years, tired of governor terry branstad. the scandals, bad deals, and political favors. million bad deal, taxpayer money given to an egyptian billionaire. isu economists call it the dumbest economic decision made in iowa. branstad even tried to abolish preschool funding. aren't you tired of terry? time for a fresh start. jack hatch for governor. >> there are two men running for iowa governor. terry branstad forces tax breaks for corporations, and jack hatch supports tax cuts for middle class families. while he gave away millions to a
7:00 pm
wealthy egyptian company, jack hatch was putting iowans to work. only one thing branstad and jack hatch have in common. for jack, that is one thing too many. >> the debate between iowa governor and democratic challenger airs live tonight at 8:00 eastern. next, a look at the role of financial services with wells fargo ceo john stumpf. he gave his thoughts on the economy and housing market. top mortgages the lender and bank by value. this is one hour.