CSOs: Are You Prepared for the Next Security Breach?
Just ahead of the RSA Conference opening this morning in San Francisco, I did a quick interview with Rake Narang, Info Security Products Guide Editor-in-Chief. Don't miss Jon's mobile security panel on Thursday, and let us know if you'd like to meet at the conference this week at rsvp (at) duosecurity.com!
Rake Narang: Why is there an increase in security breaches these days? Who’s behind these targeted attacks? Are these attacks happening mostly to organizations based in USA?
Dug Song: Today’s breaches are really the result of three critical market forces at work:
Loss of endpoint and user control - BYOD is the most obvious example of a much larger phenomenon at work - the intersection of employees’ personal and professional digital lives. Between social networking, casual web browsing, and increasingly open electronic communication between employees and the outside world, employees now present the largest remotely-discoverable attack surface for any organization. Who wants to portscan a firewall or noisily probe for web app vulnerabilities when the blueprint for a successful phishing attack is only a LinkedIn search away?
The industrialization of cybercrime - The underground economy has grown from commercially-motivated identity theft rings targeting consumers, to politically or ideologically-motivated actors running massive account harvesting operations for persistent, infrastructure-level compromise. The tools for performing such attacks are now well-packaged and supported commercial software, not random exploit source code posted to mailing lists. You know that offensive security as a market opportunity has finally arrived when the bad guys have adopted the strategies and tactics of the good guys – and vice-versa!
De-perimeterization - Organizations now rely on a combination of infrastructure, applications, and work both inside and outside the building, requiring a careful calculus of dependency, compliance, and trust. Most organizations get this wrong, for reasons often beyond their control (lack of resources).
There are clearly macroeconomic issues driving computer intrusion as a tactic of economic conquest and ideological warfare; I’d defer to folks like Mandiant or Richard Stiennon to elaborate on those topics, though.
Rake Narang: What can we learn from the recent cyber attacks on Facebook, the New York Times, Twitter and even the US government? Where are the next big threats coming from?
Dug Song: While it’s easy to understand how such major organizations might be specifically targeted, today every organization on the Internet is as much a target of chance as a target of choice.
For example, when attackers breached NBC this month, they didn’t do so to post screwball articles about Martians landing on Earth (or the resurrection of dead celebrities), or to falsify financial reports to game the stock market. They set up drive-by malware to compromise NBC News readers, and harvest further accounts en masse – likely in the same manner as they originally found access to NBC. Even when sites are breached via web application attacks, the goal is often to extract the user database to recover emails and passwords to broaden the scope of an attack to other organizations. Users hold the keys to many kingdoms, it turns out!
The next big threats aren’t coming from anywhere in particular – they’re increasingly pervasive as attackers find ways to hack the public at large.
Rake Narang: Why are organizations unable to handle security breaches that come through numerous mobile devices, including tablets and smartphones?
Dug Song: Mobile devices will eventually be a rich target for attackers, as they find further reach into the enterprise. But the adoption of such platforms is slowed by the security questions organizations rightfully have about them, which have as much to do with who is responsible for securing them as with how they might actually be secured.
Employee-owned devices are a poor fit for the current landscape of MDM (Mobile Device Management) and MAM (Mobile Application Management) vendors, as employees really don’t want their personal phone to be managed by their employer. In a BYOD model, an organization needs to apply stronger and more sophisticated mobile-aware access controls on their side, versus mobile application and device management on the user’s.
With a wide variety of consumer mobile platforms, and very different security strategies employed by each, most organizations we talk to are simply waiting it out, buying their own devices to manage, or turning a blind eye to the problem. Platforms like Android, where no single entity has responsibility or control over the security of the device (neither the user, nor their employer, nor the carrier, handset manufacturer, or Google itself!) are quickly evolving, while companies like ours work to find ways to at least assess the security posture of such devices for compliance.
We believe the future of mobile security lies in a shared access configuration model of device inspection, security assessment, and compliance assertion across platforms – not total device control (particularly in BYOD environments), and not in any device monoculture.
Rake Narang: How can products and solutions from Duo Security enhance security?
Dug Song: As a company, we’ve focused on democratizing proven, but previously inaccessible security technologies for the mass market by making them easy and scalable.
Mandiant points out that 100% of breaches involve stolen credentials – there’s no better way to gain insider access than to become the insider. And identity is the most critical organizational boundary to protect as traditional network, application, and endpoint controls are obliterated by cloud, SaaS, and BYOD models.
When your attacker is otherwise indistinguishable from an employee, two-factor authentication is the only hard security control you have left. It works, and prevents simple user password-stealing attacks from escalating into catastrophic breaches. For the last twenty years, two-factor authentication has been hampered by the cost and complexity of traditional solutions, and terrible user experience. We’ve worked hard to make two-factor authentication ridiculously simple to implement, manage, and use, and are proud to be innovators in a market which has stagnated for decades.
Over a decade ago, I worked with a group of friends to release OpenSSH, the de facto open-source standard for secure remote access to Unix-based systems and nearly all modern network devices. With Duo, we are proud to have an even larger impact in protecting the data for hundreds of millions of users worldwide across companies big and small.