What’s ahead for cybersecurity in 2019: TECH(talk)


Hey everyone, welcome back to TECH(talk). I'm Juliet Beauchamp and I am here with security reporter JM Porup from CSO, and today we're talking all things 2019 security predictions, so stay tuned.

So JM, thank you so much for being here with us today.

Always a pleasure. Always great when you can Skype in.

So security is pretty much always on people's minds, whether they're consumers or, you know, businesses. Something that is huge that just happened, you know, right here in January, was, or is, it's going on right now, is the issue with Apple, the FaceTime glitch where you can FaceTime someone and even if they don't answer you can listen in and sometimes even see their video feed, which is a little creepy. So security is always on people's minds, but today we're not gonna be talking about that; we're gonna be focusing a little more on the enterprise side of things. So can you tell me a bit about what security was like in 2018, some of the big trends that you saw with enterprise?
Sure. Well, I mean, the Apple FaceTime bug is an interesting one and thought-provoking, because how is it that Apple has cash reserves of how many hundreds of millions of dollars and this is a relatively trivial bug? How is it that they are not spending that cash reserve to actually secure their operating system? And for companies, most, you know, how many companies have the cash reserves of an Apple? They also have to be asking: if Apple can't adequately protect itself, then how can anyone else possibly do so? So there's almost existential questions on the line here, and that really brings us to the first topic that we wanna discuss, of course, is the Yahoo lawsuit that got settled just last week.

Yeah, absolutely. So for a bit of background, Yahoo execs were basically held accountable for the gross negligence of Yahoo's security breach, which was... when was that?

Oh, this is going back, I would need to check the date, but this is three, four, five, six years ago. There were several, I believe. Yeah, and, you know, it was a slap on the wrist, but it was nevertheless a judicial recognition for the first time of the idea that gross negligence in information security exists as a legal concept in civil litigation, and that directors, who can normally be held liable for gross negligence in other areas of corporate administration, can now in theory be held personally accountable for committing gross negligence in the information security world as well. And that's really sort of a positive step forward, I think, for society and corporate governance, but it's going to be on a lot of executives' minds going forward that they can't just shoot from the hip or cover up breaches or try and ignore these issues. Information security issues are not going away; they're going to get worse.

And exactly, they do have to do their due diligence.

Absolutely.

So this lawsuit was sort of finalized pretty recently?

Yeah, yeah, sounds correct.

So, you know, that was then, a few days ago, a few weeks ago. This is now. What do you see going forward? Do you think that execs of big companies, tech or not tech, are going to be... do you foresee them either being held more accountable for their businesses' security, or lack thereof of good security? Or do you maybe at least see them really making sure that their business is engaging in the best security practices? Do you see them taking initiative?

Well, you know, I think
there's kind of two, from a very high level, two broad groups of companies here. There is the Silicon Valley "move fast and break things" model, and I think we're beginning to see the end of that era, because too many things are broken now and we've incurred too much technical debt. And I think the Yahoo breach was very much, you know, at the zenith of that sort of movement, you know, five, six, seven, eight years ago. And I think tech companies who are stewards of vast amounts of consumer and citizen data, I think they've already woken up to the fact that they have to do a better job of securing that data. But their business is data: like, if you're a Yahoo, that's what you do. You don't make refrigerators, you don't sell cars; your business is data. But then you have the legacy businesses: you have finance, you have manufacturers. If I'm a refrigerator maker and I'm doing internet-connected refrigerators, my core competency is the manufacture of refrigeration machines. It is not computer security or software engineering or hardware manufacturing. This is all being outsourced, often by people who don't have deep technical knowledge of these issues. So we're gonna find out. I mean, I think this brings us to the IoT issue. You know, we have Internet of Things devices widely being deployed, being rushed to market in the search for, you know, increased quarterly revenue with little thought of the long-term consequences, and that's not gonna end well, I don't think.

Yeah, so let's talk about IoT security. It's a hot topic, and quite frankly, as IoT devices and IoT technology advance, the security is really advancing alongside it, and that's obviously going to be an issue for consumers who are, you know, buying IoT doorbells and IoT refrigerators, but it's also going to be an issue for enterprises that are relying on IoT devices to either secure their businesses or just to help with lots of factors in their enterprise. So how do you see IoT security going forward in this year, over the next year or two?

Right. Well, it's not just, I mean, it is a question of how
it affects the consumer and the enterprise, but if we look at something like the Mirai botnet, where, you know, millions of vulnerable IoT devices are enslaved by a botnet and then used to DDoS the website or enterprise of your choice, this then becomes a threat to the safety and integrity of the Internet as a whole. So it becomes, you know, people like to make comparisons to public health: you know, if there is an infectious disease outbreak, then that becomes a collective security concern and not an individual security concern. So the idea that, you know, an individual non-technical consumer is responsible for securing their IoT devices is clearly, you know, unreasonable; nobody could reasonably say that.

Yeah.

But the problem is that, you know, if I'm selling fridges, the last thing I want to do is be maintaining the security of the fridge for the next 30 years. I want to take my profit and go away. And we see all sorts of alarmist responses to this, you know, widespread issue. We have the alarming news from Japan just a couple of days ago that the Japanese government plans to automatically hack into every IoT device in Japan to test them for bad default passwords and then notify the owner to fix the password. I mean, this is the digital equivalent of the police going door-to-door picking locks and trying to kick down doors and then leaving a note saying, you know, "your lock was pickable, your door hinges were weak, sorry we kicked your door down, please put a better one in." This is, you know, really not a great idea, but the problem is getting so bad, I predict we're going to see more and more of these sort of alarmist, almost authoritarian responses to the issue, which should concern everyone, I think.

Because it's walking the line of infringing on citizens' privacy. But then, you know, governments, the Japanese government, is saying, "well, we want to make sure that our citizens are protected," when in 2020 the Olympics will be in Japan and they want to make sure that citizens and the Olympic event itself, the IT infrastructure, is protected. So it's a tough argument for any government to make that this is really doing good, and I don't blame Japanese citizens for feeling like their privacy is being infringed upon.

First of all, Japan has a bona fide interest in securing the Olympic Games. Like, nobody is going to criticize that. You know, there were issues the last time around, like, Japan has a bona fide, you know, threat to deal with. So there's that. But okay, let's say you secure all the IoT devices in Japan. Well, Japan may be physically a series of islands, but on the Internet everything is connected to everything else. So, you know, okay, you've secured your devices, but that doesn't mean IoT devices in, you know, China can't attack you, or IoT devices in Canada or Brazil. I mean, are you going to, like, attack, you know, IoT cameras in South America to secure them for the Olympics in Japan? Like, is that really... you know, I feel like this is a solution that was not very well thought out.

Interesting.

Or at least not explained very well.

So that's what Japan is doing with its IoT devices, but here in the US, similarly, our IoT devices aren't any more or less secure than Japan's, I would assume.

Yeah, I would say, you know, par for the course.

So how about here in the US? How is the government taking steps to make sure that IoT devices are secure? Or are there even any government-sanctioned IoT best practices guidelines out there?

Sure. Well, it's very much ad hoc, on a
sector-by-sector basis, mostly by regulators who are stretching the limits of their regulatory authority to try to do the right thing. For instance, in the consumer space you see the Federal Trade Commission, the FTC, doing very noble work in terms of using their limited powers to enforce fair trade practices and to enforce best security practices. You know, I think most companies are on notice, and know they are on notice, that if they engage in gross negligence the FTC may well come after them. But the FTC has limited authority in a very limited arena. For instance, if we're talking about connected medical devices in a hospital, that's not the FTC's territory, that's the FDA, and the FDA also has some very clueful people who care very much about the security of IoT devices in hospitals, but they too have limited regulatory enforcement power and are doing their best to beat their drum, using their bully pulpit, to sort of improve that situation. And on the part of energy, infrastructure, and so forth and so on, we see a very piecemeal, ad hoc approach by regulators stretching the limit of their legacy powers, while the government itself has taken an unfortunately hands-off approach when it comes to this issue.

Yeah. I want to know what you think: do you think having some sort of guidelines recommended by the government, do you think that would be helpful in the US, or at least force manufacturers to follow something?

Well, see, like, being specific in regulations is a genuine issue, and we see this with the GDPR, for instance. The GDPR requires minimum security best practices to protect citizen data but doesn't specify a brand of firewall or operating system version, because that would be obsolete by the time the law became law. So this is a genuine issue: like, how do we regulate minimum security controls at a time of constant change? So the best approach appears to be some sort of high-level principles, like, "here are the general principles that you have to do," and then that law points to sort of normative cultural best practices in the security community, as in, you have to be in line with the best practices. Which is not a perfect approach but seems to be the least bad alternative available to us.

Sure. Do you see something like that happening in the next year or two?

Well, I don't think it's gonna come out of Washington in the next year or two, but we do see that coming out of California. I mean, for instance, we see New York State passing laws recently for financial cybersecurity, California recently passed a law for consumer cybersecurity, and I would expect to see... California is probably going to be leading the way on this issue.

Interesting. So also on the topic of cybersecurity, there's been a trend over the past year or so, maybe longer, you can correct me, of businesses having a really tough time hiring cybersecurity experts.

Mmm.

And there's a multitude of reasons for it, hopefully you can touch on a few, but do you think that this industry is going to continue to have tons of employment opportunities but not a lot of candidates? Or do you think that maybe more people will go towards cybersecurity jobs?

Well, there's a host
of issues there. The first and foremost is that there is a genuine demand for more qualified cybersecurity professionals in enterprise and in government. The biggest problem is that enterprises want to hire an experienced senior expert, and there are only so many people with five to ten years of cybersecurity experience. They don't want to hire juniors and train them, but the problem is that results in, you know, inflated salaries and bidding wars, and you're not growing the pool of potential employees. An unwillingness to invest in junior and mid-level security people is a real problem, and really the only solution that I see... and also an unwillingness to look at remote workers, because in many cases work can be performed remotely. Not always, but there are many cases where remote is a viable option for security professionals. And given a very small supply for a very large demand, it seems like both training and apprenticeships for employees, as well as remote, are things that enterprises should be looking at, because the demand is just going to continue to grow, and if enterprises insist on focusing on short-term quarterly results and keeping employee expenditure low, then that's going to have long-term negative consequences by not investing in your own workforce and training them to be the security professionals that you need.

Absolutely. And I would assume that if you're not looking at the long term, your security practices are going to suffer.

Indeed. So, you know, I think this is partly an indictment of short-term thinking in terms of profit-making enterprises, whose executives are judged on yearly and quarterly financial returns. They are not judged on the 10-to-20-year health of the enterprise, and that creates misplaced incentives for those executives and for the enterprise as a whole. And absent some sort of regulation or sea change in the industry, I don't see how to solve that problem.

Yeah. And this is a real issue of just not having actual people doing the work, because, you know, AI and computers can only do so much to protect an enterprise. It requires a lot of just good old-fashioned man or woman power.

And enterprises are trying to solve this problem with machine learning, artificial intelligence, and there are orchestration and automation tools that can greatly increase the efficiency of any individual security professional in their job. But there are limits, there are limits to exactly how much you can extract from that sort of almost cyborg employee, a human employee whose work is augmented by a machine learning algorithm. You still need more humans dealing with human adversaries, because an intelligent human adversary is going to be able to game a machine learning algorithm.

Yeah. So without sort of an attitude change, you don't really foresee this problem of finding talented cybersecurity professionals going away.

Well, how long does it take to train somebody to be an experienced and effective cybersecurity professional? I mean, security today is a very broad field, I mean, there's a wide gamut of roles required to be filled, but as with any profession, you don't get from zero to expert in twelve months. You know, it takes three to five years just to be good at your job, and ten to be a master of your job. And if you don't start investing in those people now, you're not going to have the pipeline of people you need five years from now.

Absolutely. And you're not going to have these talented professionals that can help protect your business from other adversaries. So there's multiple ways that a business can be attacked, and, you know, we've discussed some, but one of them can be ransomware.

Sure.

I mean, please, you know, we're not saying, you know, if you're not hiring great cybersecurity professionals your business is going to be attacked by ransomware, that's not what we're saying, but, you know, that's one of the outcomes.

Well, I mean, ransomware has been a growing threat to
the enterprise for the last several years, and I think one may fairly predict that ransomware will continue to be a plague in 2019 and beyond. But by and large, ransomware is affecting unpatched systems. Ransomware is using old-days, not 0-days. So if you patch your stuff, then you are essentially not vulnerable to ransomware. But yet ransomware continues to flourish, both because of, one, poor patching practices, and two, systems that are unable to be patched. There are systems in critical infrastructure running Windows XP, and they will continue to run XP because that is how they're built and they cannot be upgraded. So, dealing with, you know, the first problem: that problem is solvable by having more security people, you know, testing patches and deploying patches in as timely a manner as is feasible given a particular circumstance. And we're not seeing that happen. We're not seeing that happen. And this is, you know, prevention. What's that saying? An ounce of prevention is worth a pound of cure. Invest in your people, you know, test those patches, deploy those patches, have, you know, a process in place to do that, and that is a difficult but solvable problem. Dealing with infrastructure running legacy, unsupported versions of Windows or Linux is a much more difficult problem to solve, and one without a glib answer in the short time we have available today.

Yeah, absolutely. So could you just recap a few of the big ransomware attacks, maybe of just the past year? So any big ones that stand out to you as especially important, and also something that can be learned, and perhaps businesses but also just nations can adapt in the next few years?

Well, certainly the WannaCry and Petya ransomware attacks were very unpleasant worms that spread across the internet over the last two years. But then we also saw the NotPetya wiper attack, which pretended to be ransomware but just destroyed your data, and you could not even pay a ransom to get it back. And a key point in terms of public policy is that these worms utilized a vulnerability in Windows SMB, called, by the NSA, EternalBlue, which the NSA chose not to disclose to Microsoft for patching but instead chose to weaponize. And that exploit was stolen by the Shadow Brokers, who most believe to be cutouts for Russian intelligence, and those people dumped those exploits on the internet for anyone to use. And so one key point to ask, if you're the enterprise and you are affected by ransomware or a worm like WannaCry or Petya or NotPetya: you know, our own government here in the United States is at least partly responsible for the economic damage caused by those ransomware attacks. You know, Maersk, a giant global shipping company in Denmark that I think carries something like 35% of the world's cargo containers, massive infrastructure, they were hit hard by NotPetya and suffered more than 300 million dollars in economic loss. And, you know, if NSA had disclosed EternalBlue to Microsoft for patching and chosen not to weaponize it, Maersk would not have suffered that economic loss. The search for perfect security, as we've seen in many contexts over the last two decades, is a futile and counterproductive goal, but we do mitigate risk, we minimize it, we take reasonable precautions, we do our due diligence. And I think, you know, we as a society, we aren't even doing that, and I think we need to get to the point where we are performing our due diligence and then revisit the topic.

Absolutely. So hopefully over the course of, you know, the next few years we can get used to, as individuals, as a society, and businesses can get used to, the idea of really making sure that they're using the current best security practices and adapting as they see fit.

One can only hope. We can dream.

Thank you so much, JM.

My pleasure. Thank you, Juliet.

And thank you so much for tuning in to this episode of TECH(talk). If you liked this, be sure to subscribe to our channel and give this video a thumbs up. We'll see you next time.
