Fresh Security's - Jason Hart - stopped by the Tonya Hall Show for an end of year review and to share some ideas for 2021. Settle in with a warm drink to keep out the winter chills for a lively panel where Jason doesn't hold back his opinions.
Tonya Hall: The threats of 2020 and the challenges of 2021, the state of global cybersecurity. I'm Tonya Hall, and joining me for this panel discussion is Wendi Whitmore, vice president of X-Force at IBM. Welcome, Wendi.
Wendi Whitmore:
Thanks, Tonya. Happy to be here today.
Tonya Hall:
Dr. Ronald S. Ross, computer scientist and Fellow at the National Institute of Standards and Technology. Hello, Ron.
Dr. Ronald S. Ross:
Hey, Tonya. How are you doing? Great to be here as well.
Tonya Hall:
Welcome. And from across the pond, Jason Hart of Fresh Security. Good evening, Jason.
Jason Hart:
Hey, Tonya.
Tonya Hall:
So welcome, everyone. Let's get started with you, Wendi. What are the big cybersecurity threats that your clients are dealing with today? And what are the cyber challenges that you foresee in the coming year?
Wendi Whitmore:
Yeah. Where do we start? I mean, goodness sakes, 2020 has been one heck of a year. So from a cyber perspective, we've seen no shortage of challenges either, right? So if we kind of take a step into the pandemic landscape, right, I think the biggest threat right now that organizations across the world are facing is this theft of intellectual property at a pretty massive scale, focused on pharmaceutical research related to testing vaccines and distribution. So we're seeing a number of our clients deal with this because it's not just one part of that industry, it's really the whole thing, right, the entire supply chain related to particular nation states looking to obtain that information. Whether they want to use it solely for the purposes of distributing to their citizens, or in protecting them, or whether it's also for an economic gain, right, I think a lot of that remains to be seen, but we imagine it's probably going to be a bit of both.
Wendi Whitmore:
Moving into kind of on the economic side of the spectrum, ransomware. Ransomware is something that continues to grow, grow, and grow. We are in the midst of doing research right now for a report that we're going to be releasing in January titled The X-Force Threat Intelligence Index. That's an annual report we release each year. Last year, or early this year at this time, right, in January, we released a report and we talked a lot about ransomware and its growth. Since then, every six months that we've seen, it's continued to grow nearly exponentially, right? It continues to double in size of the number of cases we're working and the impact that we're having, right?
Wendi Whitmore:
So we're no longer seeing these kind of one-offs, we're asking for a ransom in the thousands of dollars and it's very indiscriminate. We're seeing highly focused and targeted attacks in the tens of millions of dollars that these attackers are asking for. They're really also kind of bifurcating a bit of the monetization of it. There's a first part where you have the ransom, where you can pay to get the keys to decrypt your data. There's a second part then where we've moved towards this extortion technique, so public naming and shaming, and the threat that, "Hey, even though you paid us, we're now going to release this information publicly and we're going to damage your reputation. And so you also need to pay to prevent that."
Wendi Whitmore:
Related to that, we've seen the ransomware operators become much more sophisticated, right? A lot of the actual malware is the same, right? We're not necessarily seeing all these kinds of new and novel techniques in the actual code itself. But what we're seeing is a much more kind of sophisticated process driven approach in ransomware as a service where you see these human operators that are renting different components of software out and renting and hosting infrastructure for other attackers. That allows the attackers to do what I think we're seeing, which is become much more patient, really get the lay of the land, what's our insight and environment? And use that information and that intelligence to then determine how and when they're going to wage the second and third stages of the attack.
Tonya Hall:
No, great response. Ron, I'm going to throw the same question to you. On what new threats did NIST create guidance, and where do you expect the focus to be for 2021?
Dr. Ronald S. Ross:
Well, we started 2020 with the same type of situation we've had for the last several years. We have an incredibly complex infrastructure. We have millions, trillions of lines of code, billions of devices with IoT devices and all those new capabilities coming into the inventory. And we have the usual set of suspects. Wendi covered a couple of the big ones. We're always concerned about what adversaries can do, whether it's nation state, or terrorists, or anybody who has the resources to attack our systems. Of course, when the pandemic hit, if you can imagine moving an entire federal workforce from inside the fence to outside the fence, all the telework and all the remote work that happened all at one time, that was a huge undertaking and something we really hadn't done before.
Dr. Ronald S. Ross:
We'd been doing telework for years, maybe a decade and a half, but it was on a smaller scale. This was on a scale that we'd never seen before. So you can imagine those nation state level adversaries, all of the threats that were there before, once the workforce went remote, now we have to make sure that all of those devices, those laptops, those tablets that are going outside the boundary, those had to be configured with all of the controls, the safeguards that are needed to protect those devices when they're coming into a system from remote locations. That's a huge undertaking.
Dr. Ronald S. Ross:
I agree that the threats have been ramping up in intensity, whether it's for ransomware or just stealing intellectual property. Of course, they're trying to develop vaccines now and all of that medical information, intellectual property, I should say, that has a huge impact if that information is compromised, especially when you look at organizations like NIH or the CDC going through clinical trials. If those trials are compromised by a cyber attack where the integrity of the data is compromised, that means that those vaccines can't complete in the time we need to get them out to the public. So there's huge implications, monetarily, the potential loss of life.
Dr. Ronald S. Ross:
So, cybersecurity has gone to the top of the stack. It was already important before the pandemic, but it's getting even more important now. As we move into 2021 within a few months, we're going to have to deal with new ways of defending our systems, going to, there's a term you might've heard called zero trust architecture, zero trust concepts. That's the ability to have increased access control and authorization and authentication on smaller pieces of the system. So it looks when everybody moves remotely, now you're coming into that system, you're trying to access all the normal resources, but you don't log in and you're not inside the boundary like you would be normally. Now you're coming in from a remote location.
Dr. Ronald S. Ross:
So every time you try to access a resource, whether it's a file or whatever you're trying to get to, those things have to assume now that there's zero trust, and you have to go back and make sure that we know who you are, where you are, and that you're authorized to be getting that resource. That's an architectural construct, and we're going to have to go back and re-engineer many of our systems to make sure we have that capability. So I think that's some of the things that have happened as a result of the pandemic. I think maybe later, maybe we'll talk about some of the big benefits that come out of this as well. There is a silver lining, even though we've gone through some horrific times.
Tonya Hall:
We certainly have. Jason, Ron pointed out how more important than ever cybersecurity is and security should be at the top of the minds for CEOs and C-level executives. On what cyber threats did your clients concentrate this year? And what new challenges do you see in the new year ahead?
Jason Hart:
Yeah, okay. To Ron's point, there's this huge compound effect. From a bad guy's perspective, it's never been so easy to compromise an organization or data. But, look, I've been in the industry for 22 years, started out as an ethical hacker, seen it all, and to be blunt, nothing's changed. Okay? It's just bigger and easier. My frustration and what I hope for 2021, what could we do differently? Is first of all, this isn't a technology problem. So if you look at the amount of cyber spend on solutions versus the number of breaches that occur, the more we spend, the more breaches happen. Okay? There's a reason for that. The reason for that is most organizations do not focus on what they actually need to protect. They spray protect. They chuck security everywhere. Okay? A false sense of security, point one.
Jason Hart:
Point two is they believe because they have the latest and greatest technology, they're protected. It's not the case at all. What they need to do, and my hope is for 2021, and I've been saying this for almost 15 years now, every organization, irrespective of the size, the industry, the vertical, the type, need to understand, what are they trying to protect and why are they trying to protect it? Until they undertake that process, their security risk threats will not reduce. Fact. Once you can identify what and why, and more importantly, is it a confidentiality risk, an integrity risk, an accountability, an auditability? Okay? And map those risks to the threats and the likelihood and the probability and apply the appropriate control, we're just going to carry on spending, carry on seeing breaches.
Tonya Hall:
Very good. So let's jump way ahead with this next question. Where is quantum computing in making us rethink our current encryption standards?
Jason Hart:
I can kickoff, quantum geek, if you want.
Tonya Hall:
Go for it, Jason.
Jason Hart:
Okay. So that quantum, the probability and the likelihood, yeah, been talking about quantum for many, many years. Okay? Quantum is fast approaching. It's going to change everything that we do in a particular way. But, look, there's particular algorithms where there's a probability that it could be decrypted. Okay? So, that's going to happen. But on the converse of that or the reverse of that, there's quantum resistant algorithms. What does this actually mean? The implication of quantum from a cryptography point of view, it's only really an issue for, I'd say, a relatively small number of people or organizations in the world. The way we consume technology now, it's cloud-based. So quantum will be dealt with by the Googles, the AWSs, the Microsofts, et cetera, because the rest of the world consume that.
Jason Hart:
So, ultimately, there's this huge like, "The world's going to end." It won't end, okay? It's going to be dealt with. If I was a bank, would I be potentially worried? Possibly. I've yet to see a risk register where quantum is actually within that risk register. There are some very old algorithms which are very susceptible. But also, we're starting to have a concept of crypto-agility, the ability for applications, the database and systems to switch out different types of algorithms. That's just not for quantum. That's because of heartbeats, et cetera. So I personally believe it's not a big as problem as we're making out. It will be a problem potentially, but only to a select few who will solve and deal with it, or for us, and we'll just consume the results of what they deal with.
Tonya Hall:
And Ron, do you want to comment on that?
Dr. Ronald S. Ross:
Oh, I totally agree with Jason. I will just say that NIST has a huge effort ongoing in the quantum crypto area, so we're all over this problem. I agree, it's going to be a problem, but I don't think it's going to be catastrophic. We've had to deal with new technologies and technology innovations for our lifetimes. And so this'll be a new challenge. We will confront it. It's not going to be a huge catastrophic occurrence all at once. We're going to gradually get our sea legs, and I'm very confident we'll be able to address things in the mid and even the longer term.
Jason Hart:
Ron, to that point, I'd like to see a hacker in his bedroom having a quantum computer that he can actually afford.
Tonya Hall:
That's a pretty good observation there, Jason, and this is speaking from a former hacker. So as we close out this panel discussion, what are the recommendations that you can offer our audience on steps that they should take to protect organizations, whether in an office or working remotely? Wendi, I'd like to start with you.
Wendi Whitmore:
Well, I think Jason really hit on it, right? Not maybe so tactfully earlier, very directly, right? Organizations are just not doing the basics. There is so much technology that we can buy, but we see time and again that if you buy technology without really having the fundamentals in place, or even the fundamentals of how to use that technology, then organizations are going to fail. So I would really love to see organizations having an incident response plan, having it on paper, testing it frequently, identifying gaps. And oftentimes, especially as we map that to the remote workforce, that's new systems that we've now brought online that we have to have remote access to in order to do work, right?
Wendi Whitmore:
Let's make sure we've got multi-factor authentication on those devices. Let's segregate account credentials so that we don't have domain admin passwords and credentials that can be used on any and every system within the environment. Let's time limit privileged access. Then lastly, when it comes to ransomware attacks, let's really identify what is our most sensitive and critical information in our environment? And then let's make sure we've got some offline backups of that data. If it's truly critical that your business can't operate without it, it is worth the cost that you're going to invest in having some of those offline backups, so that you can avoid paying, potentially, a ransom of millions of dollars.
Tonya Hall:
Ron, Jason, any advice for the year ahead?
Dr. Ronald S. Ross:
Well, I'm going to go back to what Jason talked about. In fact, it's a great plug for one of the very first standards that I was involved in at NIST is something called FIPS, our Federal Information Processing Standard 199. And we call it the Triage Standard. It forces every federal agency to categorize all of their data and all of their systems, either low impact, moderate impact, or high impact, where impact is impact to the mission of the business if something goes wrong. I think that's a critical place to start knowing what you have in the inventory, both data-wise and all of the components that are part of those systems and networks, understanding that explicitly, understanding what you really want to protect and not going down that road, as Jason talked about. If you try to protect everything, you'll be able to protect nothing. You have to be very targeted and focus on your high impact or critical or sensitive assets first and make sure those get all the attention.
Dr. Ronald S. Ross:
The second thing I would say to kind of jump on what Wendi was talking about, make sure that when anybody's working remotely, they have fully configured laptops, or whatever the device is you're using, to let them get into that corporate network. Make sure they have a full compliment of safeguards and countermeasures that you would have if you were working inside the fence, so to speak. That's something that's not hard to do and provides a huge benefit.
Dr. Ronald S. Ross:
The last thing I'll say is if you have some data that maybe is not critical, then you can move it to the cloud. Try to get all of those resources and data assets to the cloud, so they can be protected by some of the FedRAMP approved providers that have gone to great extent to protect those cloud resources, those cloud services, and the cloud systems out there. So if we do that, I think we'll be able to get through the pandemic in 2020 and moving into 2021 and actually have some benefits to some of this remote work that we're doing today.
Tonya Hall:
All right, Jason, do you want to close us out with any additional thoughts that you have on how we can be more prepared for 2021?
Jason Hart:
Yeah. Just following up from Wendi and Ron there, brilliant basics from a cybersecurity point of view. Know what and why you're trying to protect it. Focus on the data, think like a hacker. And I'm going to do a plug, go over to Fresh Security and we'll tell you exactly what a hacker sees real time for free.
Tonya Hall:
And that's a wrap for this topic. Wow. Great job, guys, and Wendi, you as well. Thanks so much, everyone. I want to thank all of you for joining us on this lively discussion, Wendi Whitmore, vice president of X-Force at IBM, Dr. Ronald S. Ross, computer scientist and Fellow at the National Institute of Standards and Technology, and of course, Jason Hart of Fresh Security. Look for more of my panel discussions on emerging technology trends, as well as more of my one-on-one interviews with inventors, innovators, and explorers from across the globe right here or at tonyahall.net.