CyberSecurity Lion Repellant
I’m in something of a unique position to comment on Cybersecurity and business, having spent the entirety of my professional life working in Cybersecurity and also being first a small business owner and now in addition a startup founder. Despite years of working with clients on their Cybersecurity issues, it wasn’t until I found myself running an albeit Cybersecurity focused startup that I really understood the difficulty at hand. To put it quite simply when your laptop or phone pops up a notification that there’s a security update available and you have customers who need the new version of your software and investors who want you to come present at an event in an hour, and employees and contractors who are doing God knows what in terms of security posture themselves, why we so often click “later.” As a person so immersed in the Cybersecurity world it was difficult for me to truly understand that Cybersecurity is just another line item on the expenses spreadsheet, one that often falls woefully far down the list of priorities.
With security being such a hot topic in the media right now, it’s no surprise that there are literally thousands of security products and services out there that claim to be able to solve all of your company’s security problems. One need only walk the crowded hallways of any security or tech trade show and see the massive vendor setups front and center, bigger than your average one bedroom apartment, where spaces hardly large enough to fit a demonstration monitor far off the main row cost more than your average seed round. You will quickly realize that there are 10 or more panaceas for any security trouble that might ail your business.
We live in a world where technology is booming, where it’s suddenly cool to major in computer science. Not so long ago I refused to go to high school and went to college 4 years early because I was endlessly teased for being into computers, and I remember the exact date I became too tall to fit into the lockers in my middle school gym. In a world where everyone has smartphones, and where the average American family is quickly replacing everything from light bulbs to doorbells with “smart” devices connected to the Internet, I’m sorry to report that we in security are losing.
We in security are losing not in terms of money spent, certainly the numbers continue to increase in the billions spent on Cybersecurity protection. Yet we are losing because for all the money being spent, we aren’t solving the problems. We can’t even solve the simple problems; how can we possibly begin to face what we are up against.
I am often asked to speak on major trends I’m seeing in security. I’d like to start with something I touched on at the beginning of this article, the lack of security patching.
In March of 2017 Microsoft released a security patch for a vulnerability originally discovered and exploited by the NSA, codename EternalBlue. The NSA had reported the vulnerability to Microsoft after they suspected it had been stolen. The exploit was leaked by the hacker group Shadow Brokers in April 2017. In May 2017, the EternalBlue exploit was used in the worldwide WannaCry ransomware attack infecting more than 200,000 computers that had either failed to apply the patch or were using Microsoft operating systems so old they were no longer supported by Microsoft. Organizations failure to patch is by no means new. Looking back to 2003 a major computer worm called SQL Slammer rapidly spread across the Internet infecting most of its 75,000 victims in 10 minutes. Again, the culprit was a vulnerability where a patch had been released 6 months earlier.
Perhaps most famously in the failure to patch camp, in September 2017 Equifax announced they had been breached, exposing sensitive data on an estimated 143 million Americans. The source of the breach was an unpatched vulnerability in a web application using Apache Struts. Apache had released a patch for the vulnerability in March of 2017. This breach garnered worldwide media attention and congressional hearings and the firing, retiring, or stepping down of top executives including the CEO, CIO, and chief security officer. In the congressional hearings, the former CEO blamed the breach on a single individual of the IT staff for failing to apply the security patch in question. But I think he is wrong. I don’t blame anyone at Equifax for the breach, I blame us, I blame Cybersecurity, I blame myself.
Before I move on to the future I’d like to talk about a tale as old as time that continues to plague us, phishing attacks. You’ve seen them. We’ve all seen them. Many passwords have been stolen because of them. You may have even had to click through security awareness training warning that tells you not to click on links in emails or download suspicious attachments. Yet an offhanded comment at an event years ago has stuck with me all this time that simply says, “Links are meant to be clicked.” There are many unsophisticated phishing attacks successfully giving attackers a foot in the door inside an enterprise. And for the harder to crack targets, there is always spear phishing, or targeting phishing attacks to a specific user, often using information that is available about us online such as things we post on social media.
One phishing story that has ridden the wave of our news cycle like a whodunit murder mystery for the past two years is the Democratic National Committee (DNC) and Hilary Clinton’s campaign staffers being targeted by email based phishing attacks. I won’t go into the whodunits or the implications in election results here. There are millions of political talks available for that, but the facts as we know them are that DNC members were targeted with some of the oldest phishing tricks in the book like “Click here to reset your password”. That’s what got Podesta and leaked over 500,000 emails. As the attacks went on they became more sophisticated, appearing to come from actual members of the Clinton campaign with a spreadsheet attached entitled ‘hillary-clinton-favorable-rating.xlsx’.
Ask yourself if it was your job to ensure that indeed Clinton ratings were favorable and this showed up in your Inbox before your morning coffee would you click? If this example doesn’t resonate with you, take a moment to think about what you might click on. Something that appears to be from your boss, from your child’s school, a Facebook friend from your alma mater with a link to pictures from the good old days? An alert that your identity had been stolen in a recent breach? We in Cybersecurity often call phishing the vulnerability that can never be patched. Instead we strive to limit the impact of a successful phishing attack.
Another thing that we’ve seen increasingly in the news, and I fear we’ll see still more of going forward, is ransomware. The first generation of ransomware was often closer to bluffware. A message appeared informing you that the data files on your computer had been encrypted and that you could get a decryption key by sending money to some address. As often as not, the files weren’t even encrypted. More recently ransomware moved to hospitals, taking critical medical devices offline unless the hospital paid. And in March 2018, substantial portions of Atlanta were taken offline by the SamSam malware while the city spent $2.6 million to rebuild and restore their computer infrastructure instead of paying a $51,000 ransom. In June 2018, it was estimated that a third of Atlanta’s systems were still offline and that total costs to recover would be closer to $17m. With our world’s often insecure infrastructure increasingly connected to the Internet, these kinds of attacks will inevitably increase.
I am often asked to speak on what I see coming in the future. In a nutshell, more of the same except worse. We now live in a world where information is king. There was some foresight involved in companies such as Google and Facebook that seemingly gave their products away for free. Perhaps we didn’t realize that the real product isn’t a better search engine or the ability to connect with frenemies from high school to show off how successful we are now; the product was always us. These websites know everything about you and your employees. The information attackers can glean from them can be used against organizations in spear phishing campaigns. And their security is (unless you work for one of these companies) completely out of your hands.
But it isn’t just social media and search sites. Many companies are outsourcing more and more of their technologies to cloud and software as a service providers. Who hosts your company’s email? Google Apps, Microsoft Office 365? Do you use Salesforce.com to track leads, JIRA to track software issues, or Slack for instant messaging between colleagues? Are any of your servers hosted in Amazon Cloud or Rackspace? More and more I believe we will see breaches begin from a third party. The CEO of a breached company will no longer be pointing the finger at a member of their own staff but at the security team of an entirely different organization that they blindly put their faith in, over which their own security team has no control.
Along this same theme, you might say security lost control once and for all when the first executive got an iPhone or smart device for the holidays and insisted on putting it on the corporate network. Mobility quickly led to bring your own device followed in kind by the Internet of the Things. While I’ve discussed how security teams continue to struggle to secure devices they do own and control, now we have the added complication of these devices that are not only often owned and controlled by the end user rather than the company, but they have also effectively shattered the perimeter where so much of our security controls reside with their myriad communication methods such as the mobile modem and near field communication.
Attackers have already begun to catch on. As more users become aware of phishing attacks in emails and not clicking, attackers will simply move to sending attacks via text message, social media such as Twitter or Whatsapp, QR codes, and similar channels of attack. As organizations wake up about patching vulnerabilities such as EternalBlue, attackers will simply entice users into downloading malicious applications onto their Androids and iPhones. Those mobile devices outside of the corporate patching policy have corporate data on them. The attackers can exploit unpatched vulnerabilities or simply abuse the mobile operating system APIs to get access to sensitive data or even pivot onto other systems in the enterprise.
Finally, I am often asked to comment on what we can do to improve security. First and foremost, we must all start by taking security seriously. For every organization I’ve worked with that takes security seriously, there are a hundred more who make it known they are only doing this for compliance reasons, or because a potential business partner says they have to. While I may not agree that the CEO of a major organization can feasibly be directly responsible for ensuring proper security patching is in place, one good thing did come out of the Equifax breach. It shouted from a megaphone that there will be consequences at the executive level of not taking security seriously. But how does someone who is not a security expert go about taking security seriously?
I have never worked with Equifax or luckily so far, any organization that has suffered a data breach after my engagement. But without a doubt many sales teams from security companies had sold their preventative solutions to Equifax prior to the breach. I see these companies grow from their infancy pitching for early stage venture capital to their maturity in the prime location on the trade show floor. The message is almost universally the same, if you buy what we are selling you don’t have to worry about security anymore. Phishing attacks, patching, zero-day attacks, mobility, all the buzz words, you don’t have to worry about them anymore, all you have to do is buy what we are selling and all your security troubles will go away. How can we blame an executive of a company, or even a member of the IT staff for listening to these so-called experts?
The Cybersecurity industry continues to blame the victim; you didn’t patch, someone clicked on a phishing link, you allowed BYOD on your network, so it’s your fault. This is done while continuing to send the message that we can sell you solutions that can stop even the most sophisticated attacks. We can’t. We probably never will.
The only way to move forward is for customers to hold Cybersecurity vendors accountable for their message. If your vendor says they can detect and even stop zero day attacks against user owned iPhones, make them prove it. I’m certainly not here to say we should all throw out all of our preventative security solutions. I’m saying security market share should not be decided by who has the biggest marketing budget. It should be decided by who makes the best products that protect our organizations.
The only way to do this is through testing. I have spent my career working as a penetration tester, or a simulated adversary. I play the attacker before the real bad guys show up. I find your missing patches, I detect users clicking on phishing attacks in text message, I find security products not detecting attacks, I help organizations fix the problems and limit their impact. Every organization should be performing security testing.
And as a business owner myself, I get it, security testing can be a hard sell. If I was not a jaded security expert and I found myself faced with the task of utilizing a security budget no matter how large or small, I would have hard choices to make. Let’s say that one vendor was to say I can help you test your organization for security vulnerabilities or sell you a product that will discover your security vulnerabilities and give recommendations on how to fix them or limit their impact if they are exploited. And then say another vendor came to me and said buy this box and plug it into your network and all your security problems will magically disappear. I would do what so many organizations have done in deciding where to use their budget, what so many venture capital firms have done when deciding which Cybersecurity companies to invest in, I’d go for the silver bullet every time.
But as a trusted advisor said to me recently, Lion Repellent works 100% of the time until it is tested up against actual lions. You the buyers must take the Cybersecurity industry to task for our failures to keep you safe. So, take your security vendors to the zoo and see how they hold up.