Insider Threats, 2018 Security Concerns, GDPR: An Interview with Troy Hunt
In today’s world, data protection is a high concern for many businesses big and small. As part of Cyber Security Awareness Month, I had the privilege of sitting down with Troy Hunt, world-renowned internet security specialist and creator of the famous website, “Have I been pwned?”. His knowledge and expertise have taken him around the world as an international speaker on web security.
In this interview, we explore current trends in the cyber security industry, and dive deep into predictions for the coming year. Further, we discussed the developing impact of insider threats, and it’s neverending affect on data security.
Megan Thudium: What security threats do you project to see for businesses in 2018?
Troy Hunt: If we look at the way the trends are going, the ones that stand out making it much worse, is the easy accessibility of externally facing resources such as MongoDB and [Amazon] S3 Buckets, which are really readably left open without protection. We say this over and over again, organizations of all sizes are putting their data in these services leaving them publicly facing and not putting any passwords on them, and this seems to be an increasing trend. I hope honestly this should be one of the big things to look out for next year. Where we really, really want to try being more aware of what exists and what is being put out there for the organization. That is one of them, and the other one is, has been for some years now, IoT. The trends that I’m continuing to see with IoT is a rush of these devices to market in such a way that makes you wonder if anyone has stopped to think how these things are actually put together.
If I look at things that I’ve been involved in directly, like the Nissan LEAF case, which was using the VIN number of a vehicle in order to authenticate and control features of the car remotely. And we wonder why in the world would you want to do that, and yet we have one of the largest car makers pumping out vehicles like this.
That’s a good example, things like the Cloud Pets which I read about earlier this year, the little toys that you put in your kids bed, that have a listening device and a recorder, that records the children’s voices. And these devices have no “off” on the Bluetooth, and then you combine them with the previous trend of leaving your things exposed. They had coupled facing MongoDBs, no passwords, and they lost a huge amount of very sensitive data which also included pointers to all the kid’s recordings which is sitting in S3 Buckets with no authentication whatsoever on them. It feels like you have these multiple factors and they combine and multiply to make individual bad situations just turn into disasters.
I’ll add one more thing, which I believe is very fascinating. There’s an emergence of IoT devices that collect data that we’ve never had digitized before and particularly when you think about things like the adult toy industry which is now taking a class of information and usages of IoT devices, there’s records now. It’s a very personal thing. When we look at things like the We-Vibe case a few months ago where individuals ended up getting settlements up to $10,000 each, because this class of data that we’ve never had before was digitized and sent to the manufacture. This consists of problems that we’ve not even begun to conceive of until we begun putting bluetooth and wi-fi, internet connectivity into things that had just never seen that class of interaction before.
MT: What are your top concerns about the approaching GDPR regulation?
TH: I did a course for Varonis on GDPR a few months ago, in fact I did it in May, because that was one year before the launch. I think most people are worried about the extraterritoriality and all the things that closes in there. I think, to be honest, the biggest concern that I have about GDPR is that there are a lot of people making a lot of assumptions about what will remain. I’ve made the observation, in the court the lawyers will remain rich at the moment due to GDPR, saying: “You gotta do this, you gotta do this, otherwise you might go to jail and you might lose 4% of your gross revenue.” It’s creating a bit of a feeding frenzy, which I believe is unhealthy.
During my travels to workshops around the world and speaking to organizations, I hear a huge amount of concern from organizations that they don’t know what to do, and they get conflicting advice even from experts. A perfect example of this, this ‘right to be forgotten’ there’s a lot of debate as to whether or not that applies to database backups. So if I was an EU citizen/resident, and I popped up and said: “Hey, I want you to delete my data”. Does [the data] only have to come out of the active ongoing system which is used to manage the transaction records, or do we have to go back to the database backup? If I have to do that, how do you go back to a potentially rolling backup that could be off site with seven years worth of data and just to look for one record without destroying all the referential integrity and everything else that goes with it. The only answer I have to the people arguing about it both ways, it’s one of these things where we just have to wait to see precedence, so I guess in summary, the biggest thing that worries me about the GDPR is it’s still immensely grey, experts still arguing with each other and the only ones that are happy about the whole situation are lawyers.
MT: What is the most overlooked yet simplest step companies can take to improve data and overall IT security?
TH: Develop the security, develop the training competency. I have an invested interest in a huge amount of what I do is focused on developers. This is because, a huge portion of the time involved when we see a data breach or other serious security incidents, the developers have played a significant role. So the Nissan LEAF case case that I spoke about, someone built this system such that you could use VIN numbers to authenticate, so you’re unaware VIN numbers are printed in windscreens, so you could walk pass a car and grab what’s effectively API Key which is nicely positioned on the wind screen and very clearly legible, because the VIN number is meant to be. And you can then use this to take control of someone’s car. Now, maybe there was an architect upstream that designed this model and made the security people sign off on it, but a developer somewhere put this together. They never went: “Hang on a moment, what’s going on here?”
Single injection, we still see it all over the place, developers are building bad code that does that. We see other risks such as cross-site scripting (XSS) and direct object references which are developers writing bad code. The reason I think this is the number one area to focus, because this is where a lot of the problems begin. It’s also one of the easiest things to fix, because if you take something like single injection, the code that’s resilient is no harder to write than the code that’s vulnerable to single injection. It’s literally the same number of lines and in some cases it’s actually must more efficient to be resilient to single injection, because there’s various frameworks that can take care of it for you.
From an ROI perspective, it’s saying to the organization: “Here’s something that you can get your people to do, which won’t cost you anymore money and is the most likely thing to save you from really serious pain. And the only thing that you gotta do, is educate these folks that are actually building these systems and once you educate them, they’re going to use that knowledge over and over again across so many different projects, it’s just the best ROI in the world.”
MT: What are you initial thoughts and concerns about the Insider Threat and how it relates to data security?
TH: One thing that strikes me until today is excessive permissions. We see this so extensively, and I partly say this due to my 14 years in Pfizer Pharmaceuticals. I see permissions, but we see this time and time again in other organizations as well. It’s a combination of excessive permissions making it easy, because we don’t have to worry about the effort that goes into a granular role-based access model. And mentalities around entitlement are interesting as well, so there’s a story often told, where a manager says: “I’m a manager, and I control this team of people beneath me. I should be able to have all their rights, because I can tell them what to do.” And that mentality is always assuming that the person with those rights is always going to do the right thing.
And on one hand, maybe they all go rogue, so maybe they’re all being incentivised, maybe they’re being put out to access data, and to provide a turnover adversary, but maybe they also intentionally do the right thing. Now we have a high-rate of ransomware infections, and they get ransomed. Let’s just look at Wannacry this last year. So the rights of individuals are important, but we’re still giving people way too many.
The other thing that I’ll add, as organizations we’re still very, very bad at being able to identify when anomalous behavior does occur. Someone was interviewing me about Equifax the other day, they asked: “Shouldn’t you be able to see when 144 million records walk out the door?” And, yes. That’d be very nice, but it’s also a very hard thing to do. We see time and time again, organizations that have malicious parties inside the network for long periods of time, like Sony Pictures, he was in there about a year and infrentrated terabits of data, but there aren’t mechanisms to identify when an insider or malicious process within the organization is really behaving in an abnormal way, sucking huge amounts of data. That is still a hard problem to solve.
A lot of security companies will be happily take a lot of money tho to give you solutions. To help you fix that.
MT: When it comes to insider threats — in your experience — is the larger threat a negligent employee or the nefarious one out to do intentional harm?
TH: I think it is often a combination of the two, because the negligent employee is opening the way for the external party. The negligent employee is clicking through security warnings that they shouldn’t, and very often, we’re lacking the hard controls, to insure that you can’t shoot yourself in the foot.
MT: Anything else you’d like to add to the topic over insider threats and protecting data security?
TH: The only other thing that I’d like to add, we hopefully are going through an evolution beyond the assumption that the perimeter is secure. That everything behind the perimeter is fine. It blows me away that you can still have large multinational organizations, where they say: “The application is inside, the firewall, we don’t need to worry too much about HTTPS, we don’t need to worry too much about single objection, because they’re behind the firewall. Nobody’s going to get behind the firewall.” Unfortunately, we now know that’s not the reality, but that mentality is still going to take a long time to get over.