Alex Heid of SecurityScorecard: Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information
It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Alex Heid.
Alexander Heid serves as Chief Research & Development Officer at SecurityScorecard. Heid joined the company in June 2014 and has been instrumental in developing the company’s threat reconnaissance capabilities and building its security-centric platform. A recognized expert in the field, he frequently presents at industry conferences and is sought out by the media and analysts to discuss cybersecurity issues. Prior to joining the company, Heid held senior security roles within the financial industry, and was a senior analyst at Prolexic Technologies during the #OpAbabil DDoS campaigns. In addition, he is co-founder and President/CEO of HackMiami and served as chapter chair for South Florida OWASP.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in South Florida, and really got into computers in middle school, right around the time that Windows 95 came out. Before that, around age four, my father had an Atari computer that was powered by BASIC and he would allow me to execute scripts he wrote by typing the ‘run’ command. I guess you could say, I was a script kiddie in a literal sense.
My high school was one of the first in Dade County to have a high-speed broadband connection, and it was a great time to be able to learn the ins and outs of large networks — since everything was so new, it was oftentimes misconfigured, which led to some interesting adventures and allowed me to get to know the school’s IT staff on a friendly level.
I had always wanted to pursue a career that had something to do with hacking — but during the 90’s there was no formalized information security industry — and saying you wanted to be a “professional hacker” was as realistic as saying you wanted to be a Tyrannosaurus Rex.
After high school, I attended college and studied non-technical topics while working night shifts at an airport to pay for tuition. When I learned there was an industry for professional hackers (information security), I jumped into the world headfirst to learn everything I possibly could about the business side of the field.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
I discovered there was an emerging info-sec industry in the early 2000s when I was bored at work one day and cracked the WiFi password for the office. Turns out, that particular network controlled some critical infrastructure at customer sites and was not supposed to be connected to the internet at all — let alone connected to an old wireless router in the office.
I told my bosses about it, and they were appreciative about the discovery and disclosure. I learned there was an emerging team within the company that handled such issues, and I applied for it. I did not get the job, understandably as I was very new at the time. However, I soon discovered new job openings in the financial industry for “vulnerability analysts,” and after many attempts, was able to get my foot in the door at a major bank.
During my time there (2009–2011), I was a web application vulnerability analyst. The role of my team was to continuously hack the bank’s thousands of global websites, document our findings, and report them to developers. The job was fairly straightforward, but it also put me in proximity of the bank’s threat intelligence unit, which would frequently publish internal reports that I would read with excitement.
It was from these reports that I learned about the cybercrime ecosystem, specifically banking credential theft malware, such as the Zeus trojan. After work, I would go home and seek out command and control servers for these various strains of banking malware, attempting to uncover vulnerabilities in their web applications — in the same manner I had been doing at the bank. Turns out, there were many vulnerabilities to take advantage of.
Malware developers spent all of their time working on the payloads, but not enough time working on the front-end command and control web application panels. I became adept in the niche of ‘hacking the hackers’, as they were oftentimes all offense — with no defense.
I found various ways to obtain the stolen data from these servers and would provide the stolen data back to the threat intelligence team at the bank — who at first was quite surprised, and very supportive of the efforts. They took me under their wing and taught me the professional tradecraft of cyber threat intelligence.
Can you share the most interesting story that happened to you since you began your career?
From 2011–2013, I had the opportunity to join a newly formed threat intelligence team which specialized in DDoS mitigation services.
During that time, the Internet experienced the largest DDoS attacks that had ever been conducted which targeted financial institutions. The DDoS attack campaign turned out to be a state sponsored effort by the government of Iran, as a retaliation for the Stuxnet cyberattacks — and we were right in the middle of the crossfire. We were the only company equipped to handle the incoming attacks and mitigate them successfully.
Using a combination of dynamic solutions that would update mitigations as attack patterns changed, I contributed the same counterattack strategy against the incoming attacks to identify the malicious network’s topology and identify future victims.
We successfully were able to breach nodes of the botnet and provided the obtained data to the information security community and law enforcement for multi-industry mitigation efforts.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There are many people to whom I am grateful for helping me get to where I am. 😊 At the risk of upsetting those I do not name:
- Everyone involved with HackMiami — This organization provided the weekly training grounds I needed when starting out.
- Delphim Martin — Delphim was my manager at the bank who took a risk in hiring me for my first info-sec job and introduced me to the bank threat intelligence team.
- Vishant Patel — Vishant was my unofficial tutor for threat intel tradecraft early in my career.
- Terrence “Tuna” Gareau [†] — Tuna invited me to interview after a single meeting at Defcon Hacker Conference and vouched for my skill sets. He passed away recently, a tragic loss for all who knew him and the overall community.
- The co-founders of SecurityScorecard – Aleksandr Yampolskiy & Sam Kassoumeh — both of whom took the risk, 7 years ago, of hiring me as a first-time R&D executive. Together with the whole organization, we have all achieved significant heights and I’m proud to work alongside them to help bring security ratings to every organization in the world.
Are you working on any exciting new projects now? How do you think that will help people?
SecurityScorecard has been developing enhanced detection capabilities and has built out a cutting edge team of threat intelligence analysts with backgrounds at some of the most stringent government agencies and institutions in the world. The SecurityScorecard Incident and Analysis (I&A) team is bringing new, exciting methodologies for malware detection, tracking, analysis and attribution.
We’re always looking to expand our capabilities, and at the end of last year, SecurityScorecard announced a series of new platform features designed to help businesses improve their cybersecurity agility. The events of the last year created a lot of new vulnerabilities for attackers to exploit, and we wanted to help simplify cyber risk monitoring and third-party risk assessment to make it as easy as possible for organizations to protect themselves, especially as every organization’s attack surface has increased exponentially.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
“It’s a marathon — not a sprint” is a cliché, but still very true.
The internet has an infinite amount of energy. There will always be a fire, there will always be something to hack, defend, analyze, crack, code, compile, or crash. However, the human capability only has a limited amount of energy — and if a person does not pace themselves while engaging in intense research then there can be negative ramifications — either in the form of deliverable quality degradation or physical health issues.
When feeling tired, take a break — if getting frustrated at no progress on an issue, go for a walk, or even take a nap. You will end up returning to your project with a new set of eyes.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
It depends where the business operates. That said, regulations like GDPR in the EU and CCPA in California may only apply to businesses operating in those specific areas, but they will likely serve as the basis for other regulations throughout the world. In simple terms, GDPR mandates that companies collecting customer data must implement security measures that meet the basic principles of data protection by design and default. It can’t be “opt-in.” CCPA focuses more on allowing users to know what data is being collected, whether it is being disclosed, and they can also request its deletion. As we move forward, more and more states and countries are probably going to implement these types of data protection laws, so businesses should already be making moves toward compliance.
However, it should be noted that a lack of standardization across industries, governments, and nations creates significant enforcement and compliance issues that have yet to be solved.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
Each industry will oftentimes have some form of published best practices regarding information security practices — for web application security standards, I refer people to the OWASP.org project.
For more general business operational requirements, there are a few important steps. First, conducting a risk assessment to help categorize information into high risk and low risk categories.
Then you can set the appropriate controls for preventing unauthorized access of that data. It is important to monitor the effectiveness of those controls, particularly as the threat landscape evolves over time.
Continuously monitoring that data and who has access to it can help, and risks can be remediated as they are discovered. Again, prioritization is important here. It is impossible to eliminate all risk, but making sure high-risk issues are dealt with appropriately is critical.
In the face of this changing landscape, how has your data retention policy evolved over the years?
There are more rules and regulations for businesses to be mindful of now, but most of them come down to responsible data management. It is important for companies to know and understand the specifics of laws like GDPR and CCPA, but data protection is something that businesses should be prioritizing independent of outside influence. Regulations are becoming stricter, but even outside of that, there is a growing expectation that companies will take better care of their users and their data without having to be ‘forced’ into it by regulatory mandate.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
Companies should keep track of new legislation as it arises on this front, but as I mentioned before, responsible data management, as well as understanding the full scope of a technology’s features before deployment, should already be a priority.
Think of the way things have changed in recent years: the Mirai botnet emerged because IoT devices were being shipped with default username/password combinations.
Even before CCPA came about, the industry recognized the danger and moved away from that practice — however it still happens, and legacy devices are still in use.
That isn’t to say that these regulations aren’t important or impactful, but businesses should already be aware of many of the issues new regulations are trying to address.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
Absolutely, over the last several years there have been trillions of compromised username:email:password combinations hacked, leaked, and circulated on the internet. When creating a new account on a new service, I operate under the assumption that eventually the database will be compromised, and the password is being stored with a weak encryption or in cleartext. As such, it is important to use unique passwords for each service (and enable two-factor authentication where available) in order to raise the level of difficulty for account takeovers with reused passwords.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
- Everyone gets hacked eventually. It’s not if, it’s a matter of when. Businesses should operate with the understanding that they will eventually experience an information security incident.
- Do not keep incidents secret; problems will not get better with time. There have been multiple examples where a company is penalized for nondisclosure of an information security incident, oftentimes in the form of fines, or it could stall M&A discussions.
- Secure backups of customer data should be continuously archived in an encrypted, separated topology from where it is used in production. Ransomware attacks rely on holding data hostage, and having remote encrypted backups is critical to business continuity.
- Make use of Bcrypt encryption on sensitive data, such as customer passwords or other stored authentication information. BCrypt is one of the strongest encryption algorithms, and will require the most effort to crack from an attacker.
- Continuous security awareness training for staff is critical regarding the secure storage of customer data. The weakest link in even the most secure organization can be the human who has been tricked by an incoming spear phishing email.
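The password-storage advice in the fourth point above, as an added example that is not from the interview or from SecurityScorecard: bcrypt itself needs a third-party package, so this stand-in uses Python's standard-library scrypt, which plays the same role (a salted, deliberately slow password hash with a tunable work factor), shown next to the unsalted fast hashing that leaks so badly when a database is stolen. The record format and the parameter values are hypothetical choices for this example.

```python
import base64
import hashlib
import hmac
import os

# Work-factor parameters (hypothetical choices for this example). Raise SCRYPT_N
# over time as hardware gets faster, the way bcrypt's cost parameter is raised.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def unsalted_md5(password: str) -> str:
    """The weak storage the interview warns about: fast and unsalted, so every
    user with the same password gets the same stored value."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, n: int = SCRYPT_N) -> str:
    """Return a self-describing record 'scrypt$n$r$p$salt$digest' with a fresh
    16-byte random salt, so two users with equal passwords never share a record."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    fields = ["scrypt", str(n), str(SCRYPT_R), str(SCRYPT_P),
              base64.b64encode(salt).decode(), base64.b64encode(digest).decode()]
    return "$".join(fields)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the parameters stored in the record and compare
    in constant time, so timing does not reveal how many bytes matched."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record: fail closed rather than guess
    if algo != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, n: int = SCRYPT_N) -> bool:
    """True when a stored record was made with a lower work factor than the
    current setting; re-hash it at the user's next successful login."""
    return int(record.split("$")[1]) < n


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(needs_rehash(hash_password("old", n=2 ** 10)))  # True: weaker setting
```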
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)
My suggestion would be to continue the legacy of the hackerspace/infosec meetup groups. While I did not invent these movements (I believe they go all the way back to the Homebrew Computer Club), they have been instrumental in developing the personalities and skill sets within the info-sec community. Check out hackerspaces.org or meetup.com to locate a group in your area, and if no group exists: CREATE ONE! Do not use a lack of an existing organization as an excuse to not get involved — form a group or join a group — you will be surprised who shows up and how quickly it will grow when you take the first steps.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!