For this interview, we're joined by Bill Brenner. He's the Senior Program Manager for Editorial in the Information Security Group at Akamai. Prior to that, he was the managing editor for CSO Online and CSO Magazine. According to Bill, he fights the never-ending battle against cyber-evil one article at a time.
In the interview, we discuss why Akamai even has a manager for editorial in the security group. I get Bill's opinion on what's going on with attacks today growing in size, frequency and even sophistication. Bill also recently gave a podcast about websites getting hacked by third-party services and widgets, and we discuss what is happening in this attack vector.
The following is a brief excerpt of our interview:
Jeff Williams: We just saw the USPS got hacked this morning for 800,000 employees' accounts. We're seeing attacks growing in size and frequency and even sophistication. What's going on?
Bill Brenner: Well, from the perspective of having written about hundreds upon hundreds of data breaches and attack techniques, I'm not sure that I feel that the world we are in is any worse than it was, say, five years ago. But what you see is attackers being very motivated because they've been successful just enough to have monetary gain from launching these types of attacks. At the same time, you have companies that, they take their compliance seriously but they take the check-box part of it seriously.
An assessor comes in, tells them what they need to do, and their overriding goal is to check off all those boxes. But making investments for security doesn't necessarily mean you've put in a system that is adequate security. I think what you see is companies just continually having their systems compromised because a lot of the same mistakes end up getting made. Everything from systems and apps and what-have-you that may not be perfectly compatible being jury-rigged together, and in the process, holes get left behind that the bad guys can then exploit.
Jeff Williams: Are you saying you think that this is just sort of a flash-in-the-pan, like with the recent attacks against Target and Home Depot and Apple and so on?
Bill Brenner: I'm not sure if flash-in-the-pan is how I'd put it. These are real problems, but I think what you have is, it's a continuing battle that's been going on for a decade now where companies doing business online and the ease with which credit cards are taken, if you look at the last 30 years, it's still a relatively new thing.
Companies are still trying to get good at it. And unfortunately, and I suppose this is human nature, companies don't really start to get security right sometimes until they've been hit and they've suffered consequences. You know, it's a lousy way for it to happen, but it tends to be how it happens.
Jeff Williams: Yeah, it's an unfortunate aspect of human nature, isn't it? Like, we're just not very good at understanding the risk if it hasn't actually already happened.
Bill Brenner: Yeah. You know, one interview I did, it was with the chief information security officer of a retailer that I actually shop at quite a bit. It was for an article on how this chain had achieved PCI security compliance. A week later, they became the latest data breach headline. I don't think it's for lack of trying.
Jeff Williams: Let me ask you about a recent podcast that you did about websites getting attacked by third-party services and widgets. What's going on with that attack vector?
Bill Brenner: Rather than the bad guy going against their target directly, what they're doing is they're looking at other services that the website they want to target is using. An example of that is DNS. If the attacker can compromise the registrar that a site is hosted with, they can pretty easily change IP address mapping, pointing it at other sites. Really finding weaknesses.
Jeff Williams: The typical application depends on huge numbers of things, right? Services and libraries and widgets and so on.
Bill Brenner: Exactly. A lot of blogging platforms out there allow users to install all kinds of widgets that come from third parties. If you use WordPress, you can get all of these widgets that did not originate with WordPress but they've been made compatible to use with WordPress. It could be a widget that you're using to track your blogging traffic, or it could be a widget to create certain sidebars on your blog homepage. If you're an attacker and you're looking to target everybody who uses WordPress, this story about third-party attacks really goes at, where are the widgets that we can find weaknesses in and exploit?
That's what's going on here. If you're a large company, a retailer perhaps, and your services and systems rely on widgets or other services that are not yours, you're paying for it. The attacker can go after those services and get you in the process. That's what we're talking about.
Jeff Williams: Yeah. It's really that whole software supply chain issue, right? It sounds like you were focused mostly on things that happen in real-time, but there is a delayed channel there as well, right? If you're using a library that somebody controls and they check in some back-door or something, it could be devastating. I actually once wrote that if you wanted to take over every data-center in the world, all you'd have to do is Trojan Log4j and wait a couple years. It's in every data-center in the world, running as root probably or a privileged account. What do you think happens? How do we get in front of that?
Bill Brenner: Well, I mean, the simple answer is, if you're a company relying on third parties for features that you're offering online, you really want to inspect these third-party offerings and see what is it that they are doing to secure things on their end. What are the potential risks of using them and how can you harden your systems against exploits that may target the things you can't see because they're third-party offerings? To me, it really comes down to knowing what it is you're choosing to use and putting a lot of trust in it.
Jeff Williams: Yeah. Unfortunately it's just a massive scale.
Bill Brenner: Yeah, and there tends to be a focus on functionality over security. In a perfect world, you have just the right mix between both. Because you could have the tightest security in the world but if it makes your website unusable, what have you really accomplished? How do you have that functionality but still cover all the bases security-wise and figure out how you want to balance your risk? I think that that's a recipe that most of us are still trying to get right.