Why do organizations care about security?
Government policies and regulations
Data security laws around the world are perhaps the most significant drivers of change for companies adopting security measures. In the absence of regulations, companies spend less on security measures, and it is easier for them to deny responsibility for a data breach. In January this year, Equifax agreed to pay 1.3 billion dollars, partly in cash and partly in free credit monitoring, to the people affected by its 2017 data breach. Yahoo had to pay upwards of 100 million dollars for not taking sufficient measures to prevent the leak of data of more than a billion users. Since these payouts are small relative to the companies' net worth but still very real, companies have started to invest in solutions that claim to solve their security problems at a fraction of the cost of such potential settlements. Things are not rosy everywhere, though. Many countries, India among them, have non-existent or relaxed data security laws that give organizations little incentive to invest significantly in security.
The cost of security attacks and defense
Several studies have tried to quantify the cost of a data breach or a security incident. Unfortunately, since many of these breaches are opaque, not a lot has come out of this research. A security incident like a denial of service can cost an organization the revenue it could have earned while, say, its website was down, or the time spent restoring from not-so-ready backups in the case of more severe disruptions. Ransomware has been a major concern for companies in recent times, costing them hundreds of millions of dollars in damages. 2017 was a year of ransomware attacks. First it was WannaCry, which caused a loss of an estimated 4 billion dollars. If that was not enough, the next month it was the Russian-sponsored NotPetya destroying data beyond repair (even paying the ransom did not restore anything; it was pure destruction), causing damages to the extent of 10 billion dollars to companies such as Merck, Maersk, TNT Express, and Mondelez. Unfortunately, there is not a lot that can be done once you have been hit by one. Some companies claim to provide tech-based ransomware mitigation solutions while, in the background, using ex-law-enforcement officers to negotiate with the ransomware operators on the amount to be paid. There is an additional cost in purchasing defensive security products (firewalls, DDoS mitigation solutions, endpoint security for individual devices, and so on) to be proactive about security. Most large organizations also run employee training programs to help staff avoid common phishing attacks at the workplace or when using work equipment. More sensitive domains also run non-traditional exercises like simulated honey trapping.
Who should be responsible for security at an organization?
During the last five years of working in the security domain, I have received multiple calls from unknown organizations hit by a cyberattack such as a large DDoS or ransomware. Most of the time it has been a champion at one of our customer orgs who passed on my number to them. And most of the time it is too late to do anything at all about their current situation. While companies of all sizes have been creating a head of security position, the responsibilities and roles vary quite a lot by domain, size of the company, and geographical location. One company might decide not to give any actual responsibility to the CISO, while another might just ask its IT operations head to lead the security initiatives too. In certain geographies, CISOs do not even have to come from a security background, which makes it harder to justify some of the hard decisions they make.
In my opinion, software developers and product development processes at any organization are the first and the most important line of defense for any organization. This responsibility frequently gets passed down to Quality Assurance or even further to a dedicated security team. One of the most difficult parts of software development is the process of reading someone else’s code and figuring out stuff in an existing large codebase. (I once had to do it for more than a million lines of code at my first job; I had barely turned 21.) It is a pity that while we test the skill of writing code in any software engineering interview, we miss out on testing code reading and codebase navigation skills. Developers reviewing their own code for security issues is a much better model than passing it on as a huge blob to someone else.
That brings us to the next question: what are security engineers in an organization supposed to do? A modern security team should focus on triaging external issues from bug bounties or elsewhere, supporting the organization in adopting modern security practices, and pointing out and helping to fix flaws in existing products. An occasional red-teaming exercise for a soon-to-be-launched product would not hurt either.
Security as a product feature
Companies love to stay security compliant more than they love having secure products. One might ask how these are different. Most compliance requirements are a bare-minimum ‘administrative’ mandate and do not necessarily reflect the actual security posture of the companies. Take for example the PCI-DSS standard (Payment Card Industry Data Security Standard, in case you were curious). While you would see the PCI-DSS logo along with a bunch of other logos in the footer of every other website, it does not mean anything. It is not uncommon to find full credit card details stored on multiple websites even though the compliance requirement specifically forbids that. The new breed of fintech startups is the worst, even worse than the old banks.
The cybersecurity market
Cybersecurity has a quantification problem. There is no broad consensus on the adoption of common models to quantify risk or to assess the real cost of a data breach to the users or the company. In this scenario, it is not uncommon for companies to pay for multiple cybersecurity products, some of which might even overlap in features. As in several other industries, security solutions sell because of the sales team and most often not because of superior products or features. This results in a lot of overpromising and disappointment for customers, but the cost of implementation locks the customer in for at least a few years. No CISO (Chief Information Security Officer) would want to be in the position of justifying why they are switching to a different vendor just a year after spending millions of dollars on the current ‘upgrade’. This happens even when the risks associated with the problem or the benefit of switching are not properly quantified.
One of the most disappointing things in the security industry is this culture of certifications. If you can get past the tsunami of ‘growth hacker’ profiles on LinkedIn and find a security professional, you would generally find a lot of acronyms against their name. There is an entire industry built on security certifications, where you even have to pay a certain amount per year to maintain the status. The problem is that these certifications are worthless for most practical purposes, which is something the people applying for them are not aware of. In most other jobs, if you are averagely skilled you can still do some work; if you have average skills in discovering security vulnerabilities in a program written by decent developers, you will find zero vulnerabilities. It is just that difficult. Having seen some of the best hackers out there, it is more a matter of skill, persistence, and creativity. If you have ever read a decent report on how someone came to discover a security vulnerability, it is so original that it seems almost magical (not the ones on XSS and SQL injection and running tools). Every secure product follows the same set of principles, while every complex security vulnerability is unique. Anna Karenina's opening line. Getting certifications and knowing a bunch of tools can only get one to be better than beginners. A good hacker, given the need, can learn to pick a lock, crack a safe, hack a car, or adapt to any other complex task.
Do we even have any hope of solving security?
I have forgotten almost all of the theoretical concepts I learned in my undergrad by now. And why not, it has been almost a decade. One of the few things that stayed with me was a proof in a subject called The Theory of Computation which says something along the lines of: most problems are unsolvable. No matter how hard you try, or the insane amount of effort and resources you put in, there is no solution to the majority of the problems. When you think about it, it looks kind of depressing. Unfortunately, security looks like one such thing.
A silver lining is that baseline security has been improving in all aspects. When I was just starting high school, it was not uncommon to find website backups in obscure but openly accessible locations, storing passwords in plain text. We are still able to find those backups for some of the largest companies, but the passwords are no longer in plain text. It is still occasionally the case with some popular websites, sometimes erroneously, as with Facebook until 2019. Once the issue became mainstream, we rarely see websites doing it. Next were the common security issues that anyone running an automated tool can find (two of the primary ones being XSS and SQL injection). We have made advances in making our programming libraries idiot-proof and adding browser support to stop some of these attacks. Security by obscurity is going away; everyone has learned the hard way that rolling out their own proprietary cryptographic libraries is bad, and that end-to-end encryption is beneficial for all parties involved. Though we still lack a popular and foolproof anonymity stack or an end-to-end encryption stack that developers can use in their apps.
Perhaps the only way to solve security problems would be a redesign from first principles. For example, it is amusing that we trust a random, months-old website when it says it uses bank-grade security to store our data. The website has no downside if it lies; we, on the other hand, lose our data and privacy if we trust it. Is there a way for them to prove that our data is indeed secure? Or is there a way to retain control of our data so that a data breach does not have to be millions of records? This model would shift the onus of security to us rather than the hundreds of different places where we share our personal and financial information and then pray that every single one of them is secure. A new market might crop up selling security products at different price points to protect this format of personal data, now that you are responsible for your own security. At this moment, these are just bits of wishful thinking.
Why do hackers care about security?
Why doesn't everyone with a weak password or poor security get hacked?
If you have something like ‘123456’ as your password, you would expect to get hacked all the time. In practice, it does not happen as often. The two primary incentives that drive hackers are money and appreciation. Targeted attacks on individuals are really difficult and expensive. Whenever you hear news that some random government site was hacked out of nowhere and see the media trying to connect it with a recent incident, it is probably the case that the person was trying a bunch of different websites and only managed to get into that particular one.
There is money to be made
For a security professional, there is a lot of money to be made. At the lower end of the spectrum are the security analysts responsible for wading through the enormous number of alerts that modern security tools generate, and then semi-automatically deciding which of them are not false positives and need to be acted upon. Then there are penetration testers, who find security vulnerabilities in all sorts of software and hardware applications. Pen testers can work in organizations as security engineers or as freelance mercenaries. It is not uncommon for a good and experienced pentester to bill anywhere from USD 10,000-60,000 for a full month of full-time work. There are additional opportunities in turning the whole thing into a productized consulting business where you package your offerings and timeshare among multiple customers. At the other end of the spectrum is the dark side. Zero days are vulnerabilities that are unknown to, and hence still unpatched by, the software maker (or the user). There is a huge market for zero days across a variety of platforms. There are legitimate companies like Zerodium, which advertises itself as the leading ‘exploit acquisition platform’ and pays hackers to provide it with novel security vulnerabilities instead of going to the vendor. The rewards can go up to 2.5 million dollars, though realistically the more commonly found vulnerabilities fetch around 100k. The highest reward offered by Zerodium is 2.5 times the highest reward Apple offers for a similar vulnerability on the iOS platform. If you have spent a lot of time finding such a vulnerability, whom do you approach?
Where do new security vulnerabilities come from?
Most of the theoretical concepts behind novel security vulnerabilities are not new. The attack itself becomes viable when one of its requirements becomes feasible. For example, DDoS has been known for a long time. But when the Mirai botnet brought down a significant part of the internet back in 2016, it was because of the explosion of the IoT device landscape, coupled with the fact that no one had thought about the security of those devices.
Ransomware, locking up your system and/or all your files until you pay a predefined extortion amount, is not new. The invention of cryptocurrencies, specifically Bitcoin, meant that the bad guys no longer had to rely on payment methods that were inconvenient both for them and for the victims.
Side-channel attacks have been known for a long time, but we are recently seeing a lot of traction in terms of exploits. Essentially, they exploit information leaked by the implementation of a digital product rather than by its design. It could be anything from a rogue app on your smartphone using the microphone to listen to keypress tones while you use your banking app, and then trying to recover passwords you type anywhere else, to exploiting the fact that certain algorithms draw different amounts of electric power depending on their input. There have also been side-channel attacks based on electromagnetic leakage, and attacks that exploit the difference in the time taken to run a particular algorithm on a particular input, say on a remote server, to infer the secret from the timing.
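The timing side channel mentioned above, as an added example that is not part of the original newsletter: a hand-written token comparison that exits at the first mismatching byte does an amount of work that grows with how much of the guess is correct, which a remote attacker can observe as response latency, whereas a constant-time comparison does the same work regardless. The secret token and all function names below are constructed for illustration; bytes examined stands in for wall-clock time.

```python
import hmac

# Constructed sample secret, e.g. an API token checked by a remote server.
SECRET = b"correct-horse-battery"


def naive_compare(expected: bytes, supplied: bytes):
    """Early-exit comparison, as found in many hand-written token checks.
    Returns (equal, bytes_examined). The byte count is the leak: the function
    runs longer the further the supplied value matches the secret."""
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, supplied: bytes):
    """Accumulates differences with OR instead of returning early, so the
    work done does not depend on where (or whether) the inputs differ."""
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    for a, b in zip(expected, supplied):
        diff |= a ^ b
    return diff == 0, len(expected)


def work_profile(compare, expected: bytes, guesses):
    """Work (bytes examined) per guess, which is what an attacker measuring
    response latency over many requests would effectively see."""
    return [compare(expected, g)[1] for g in guesses]


def leaks_prefix_length(compare, expected: bytes) -> bool:
    """Does the comparison's work grow with the length of the correct prefix?
    Guess k shares exactly k leading bytes with the secret and differs at
    position k, so every guess has the right length and a known mismatch."""
    guesses = [
        expected[:k] + bytes([(expected[k] + 1) % 256]) + expected[k + 1:]
        for k in range(len(expected))
    ]
    profile = work_profile(compare, expected, guesses)
    # A leak shows up as a strictly increasing amount of work per guess.
    return profile == sorted(profile) and len(set(profile)) > 1


def check_token(supplied: bytes) -> bool:
    """What a server should actually use: the standard library's
    constant-time digest comparison rather than a hand-rolled loop."""
    return hmac.compare_digest(SECRET, supplied)


if __name__ == "__main__":
    print("naive compare leaks prefix length:", leaks_prefix_length(naive_compare, SECRET))
    print("constant-time compare leaks:", leaks_prefix_length(constant_time_compare, SECRET))
```

Run stand-alone, the naive comparison reports a leak and the constant-time one does not; the same idea applies to any secret-dependent early exit, not only string equality.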
New platforms and technologies bring their own set of security challenges. With Android came snooping malware; Facebook and Twitter gave rise to sponsored propaganda wars and online harassment. Cryptocurrencies had their own challenges, with entire crypto exchanges being hacked. Deep learning brings new challenges like bypassing biometric and captcha security measures, deepfakes, and adversarial attacks.
The debate on responsible disclosure
Responsible disclosure is the process of giving a software vendor reasonable time to fix an issue you have discovered in their product before disclosing it publicly. Though the word ‘responsible’ makes the alternative sound irresponsible, responsible disclosure has been a controversial issue. The alternative is full disclosure as soon as you find the issue. Researchers in favor of full disclosure argue that giving a company months to fix the issue at its own pace does not mean that a bad actor does not already know about the vulnerability too. Full disclosure forces the vendor to scramble for a fix. Security researchers in the past have gone ahead with full disclosures, and I would argue based on personal experience that it might just be the right thing to do. Companies have misused our policies to substantially delay fixes to critical issues at the cost of their users’ security.
A note on bug bounties
A major win with bug bounty programs run by corporates is that it is now an accepted practice to research security vulnerabilities without the fear of legal repercussions. This has also provided a platform for passionate people from developing countries to work on security. Unfortunately, bug bounty programs are proving inefficient not only for the finder but for the involved companies as well. Companies are being inundated with low-quality, non-exploitable issues found using one of the several automated security scanners. A ‘hacker’ can submit several hundred such issues on a bug bounty platform in a month, expecting a payoff on a small percentage of them. Some companies might just reward a small amount of 50 dollars or so to keep them happy and avoid any bad PR. Platforms like HackerOne have started using methods such as signal and impact scores alongside a reputation score, meant to deter such activity. Triaging a huge amount of low-signal issues has been a nightmare even for the security teams at larger organizations. Then there are issues with the platforms themselves. There is not much transparency in the whole process of rewards and of marking a vulnerability as a duplicate of something that has already been reported. Unlike Nobel prizes or other forms of rewards, a duplicate report leads to zero reward for the person who discovered it independently but reported it after someone else. For the people discovering vulnerabilities, it is mostly hit or miss in terms of the bounty amount.
Why does the government care about security?
Attack on critical infrastructure
A lot of critical infrastructure, including electricity plants, water supply, and automated traffic monitoring systems, is now connected and sometimes even uses the public internet for ease of deployment and maintenance. This has opened up a new attack vector that can potentially be disastrous for an entire city. There have been instances of space research and nuclear facilities being specifically targeted despite being air-gapped (isolated from the internet). Stuxnet, a specialized malware that reportedly took five years to develop, was used to infect and damage the infrastructure of the Iranian nuclear program.
State-sponsored attacks
In Verizon’s yearly report on security in 2019, 23% of the actors responsible for a data breach were state-sponsored, and these numbers appear to be increasing. Hacking is no longer a single person sitting at their computer. It has since taken the form of organized crime and now of a full-on war between nations. I have already mentioned the case of NotPetya, which even exceeded its intended purpose. A lot of state-sponsored attacks in the recent past have been attributed to China. Sometimes it takes the resources of a nation to defend against an attack by another.
Fake news, propaganda wars and influencing elections
Fake news is a cyber weapon. When smartly wielded, it has the power to cause civil unrest. Governments have been wary of fake news and the spread of propaganda, especially around elections, being used to influence a democratic process. China has its army of online trolls, ready to pounce upon anyone who criticizes the CCP (or CPC, whichever form you use). Middle Eastern countries have their cyber armies engaged in manipulating opinions online. In fact, in 2020, I would not be surprised if every major country has such a large group of people. There have been substantiated reports of Russia, and now China, meddling with the US elections of 2016 and the upcoming one in 2020.
Why do users care about security?
End users suffer directly and indirectly from the consequences of cybersecurity breaking down. Loss of payment-related information like credit cards and its subsequent misuse is one of the most common examples. Lax security measures have been used to scam people through emails, phone calls, and fake customer support in the past. Ransomware attacks not only affect large corporates but also lock out individual computer users. Certain nations have used the lack of cybersecurity measures such as end-to-end encryption, or zero days, to surveil activists not toeing their line.
Snowden’s leak of programs such as PRISM confirmed the existence of surveillance on citizens, with the government in cahoots with corporate entities to facilitate it. After the brutal murder of Saudi dissident journalist Jamal Khashoggi, the US government in Nov 2019 charged two Twitter employees with spying on behalf of the Saudi government and handing over account information of dissidents. The current COVID-19 situation has added a challenge, as countries around the world are increasing surveillance, the infrastructure of which might quietly last beyond COVID-19 (that is, if there is a post-COVID). Citizens living in authoritarian regimes like North Korea might be subject to further digital brutality.
Reading last week -
Loonshots by Safi Bahcall (meh, looks OK so far; some good examples.)
Logical Chess Move by Move by Irving Chernev (one of the readings in my Chess quest.)
Range by David Epstein is about not specializing early on and experimenting with various paths (audiobook via Audible)
Other things that matter
Medium launched a newsletter for publications this week. There has been a lot of hate directed towards Medium since it added a paywall and virtually stopped distributing content from non-top writers. Some people are leaving their jobs at Facebook and deleting their Facebook and Instagram accounts as a mark of protest against Facebook’s policies during the current movement in the US. There is a new password manager, by Dropbox.
I just hit a small personal milestone for the newsletter this week. I started it as a fun little personal experiment that puts me on a schedule of writing every Sunday afternoon. Fingers crossed for a much bigger milestone towards the end of this year. Until next weekend.