The 'Known Good' Podcast

Cyber Hygiene w/ CPO Paul Farrington

October 25, 2021 Glasswall Season 1 Episode 1

Welcome to the launch episode of The ‘Known Good’ Podcast, Glasswall’s all-new place for discussing important topics from across the cybersecurity space.

Our starting point looks at getting some of the basics right. The complexity of today’s highly connected technologies and the growing sophistication and volume of threats means that for many, just keeping up to date with ‘cyber hygiene’ essentials can be a challenge, leaving organisations vulnerable to attack.

The consequences of poor cyber hygiene can be far reaching and have played a central role in some of the most widespread and damaging breaches in history, including the infamous SolarWinds incident.

In this episode, we're joined by Glasswall Chief Product Officer, Paul Farrington, to discuss the fundamentals of cyber hygiene, why it's vital that organisations raise their game and what steps they can take to refresh their approach.

David: Today, I’m talking to Glasswall Chief Product Officer, Paul Farrington. Paul, hello and welcome.

Paul: Thanks David, great to be speaking with you.

David: Today, we’re looking at the issue of cyber hygiene in particular, and why it should be a key part of every security strategy. A big problem though, Paul, is that a lot of organizations see this as basic security housekeeping that each user has to do to keep their systems and devices safe.

But the consequences of getting this wrong can be devastating. I mean, as we’ve seen with the now infamous SolarWinds attack. But, perhaps before we go much further, let’s perhaps get started with some definitions, and then we can look at how organizations can refresh their approach.

So, as far as most businesses are concerned, what is cyber hygiene and why is it important to the way every organization approaches security?

Paul: So, I suppose it’s a little bit like breathing air. You know when you’re breathing the air, when you have it, that it feels good, when it’s absent, life starts to become pretty tricky quite quickly. So, just to use an analogy with domestic hygiene, personal hygiene, the absence of either, not always, but can lead to disease or compromised life expectancy, or even things which are more serious.

So as we think about cyber hygiene, it’s when you put in place the steps which maybe reduce the transmission of threats into our business or enterprise environment, and help mitigate the risks so that, if those threats actually do present themselves in the business environment, we can reduce the impact of that threat actually achieving its intended outcome.

So, just as we’ve been reminded during the Covid-19 pandemic, we need to exhibit good hygiene. So again, to use that analogy of hand washing or maybe facial covering, just to reduce the speed of transmission of threats. And cyber hygiene is really all about taking sensible precautions.

If we choose how we exercise that caution, the good news is that we don’t need to slow down the speed of business, and those business interactions because we’ve actually been living with cyber threats for probably the last couple of decades, and probably beyond.

So actually, there’s an awful lot of good news which we can speak about. I think we can say that the glass is half-full, rather than the opposite. We don’t need to think about the doom and gloom aspects, and to focus our mind solely on the negative aspects.

Today, there are many different solutions and approaches, and just really standard good practice that we can put in place to help ensure that our business environments, our organizations, our institutions are strong, and it really just starts with putting in place the basics, which perhaps we can start to speak about.

David: Sure, that sounds good. But from a worst case scenario perspective, what kind of problems are we looking at if cyber hygiene is not dealt with properly on a regular basis?

Paul: I suppose, some of the examples that hit the PR news wise would be relating to, say, ransomware, the total control or takeover of a business environment, or say critical infrastructure, or if it’s a pipeline, or it’s an energy utility, or even just an everyday business which is unable to operate because the machines within the environment, the PCs, have been taken over.

So that’s perhaps one of the worst case scenarios. Maybe even the destruction of data, digital assets, or the organization can no longer function even if it actually regains control of the computing environment, because the data then is no longer available or corrupted in some shape or form.

So those are the kind of nightmare scenarios which hit the news wise. I think, in general though, if we can kind of just take down a notch the alarmist stories that we perhaps observe in the media. The everyday breach, let’s call them infections, are real and happening every single day. But probably the impact is less severe for most organizations. It may be that malware is actually presented to a single machine, or machines within a network environment, that after a period of time, that infection is detected and then the clean up can take place.

Now that might mean that there is some data exfiltration— simply meaning the sending of data outside of the organization— that could culminate in the loss of intellectual property. Or perhaps more likely, information about your customers, your prospects, so that you may then be at risk of being in breach of, say, GDPR legislation here in the UK, or a wider field across Europe, or around the world, where you have that responsibility, of course, to ensure that how you process data relating to individuals is tightly controlled, and you understand where the data is, and how that’s been processed.

In a situation where you’ve lost control of your environment because there’s malware which has been propagated throughout your business, then you’ve lost control of how you can enforce those regulations. So really it’s all about ensuring that you put in place the steps to make it unlikely that you’re gonna experience that loss of control of your IT environments. And again, there are various measures which we can think about to help mitigate that potential eventuality.

David: Okay, and would it be fair to say that, looking at those examples of loss of control, that perhaps the most high-profile example of failure of cyber hygiene is the SolarWinds attack?

Paul: I think it’s probably, in recent living memory, one of the most startling and troublesome examples. But there have been larger breaches; so Yahoo! in 2013, 3 billion records were exposed, Alibaba in 2019, 1.1 billion, LinkedIn, 700 million in 2021. So SolarWinds is not necessarily the largest breach in terms of the number of users that are impacted.

But if you just look at the scale of the number of customers of SolarWinds— which includes the likes of Microsoft, many US government departments, and then organizations around the world— estimates stand at around 18,000 customers that installed a malicious update from SolarWinds, which then resulted in compromised environments for those customers, for those organizations that were using that power software.

And actually they were trying to do the right thing. They were trying to patch the software to help protect and ensure the stability of the Orion SolarWinds package, which is basically an IT administration service. And so for those customers, and for the administrators, they were actually trying to do the right thing. But because attackers had actually breached the environment within SolarWinds, had actually purposefully changed how the software update is delivered— injected malware into that environment— what was then propagated out to customers was software with bad intent.

And the speculation, I think there’s strong evidence, is that the Russian Intelligence Service has been associated with this particular attack on SolarWinds. And I read that it’s estimated that the insured loss is maybe up to 90 million US Dollars. So in terms of the financial impact for that organization, but then the clean up that’s involved for the customers and for any downstream parties that were affected by this, this has been huge.

And I think it’s been a wake up call for governments around the world, but also enterprises, to consider how they’re protecting the software supply chains, and actually really being diligent about the controls that they put in place to mitigate for this type of scenario happening again.

David: And I know, Paul, of late you’ve also been involved with writing on the Glasswall blog about this topic. And we looked there at how a lot of organizations think that cyber hygiene is quite often about making sure users are trained; end user training, and dealing with security risks. But why’s this become such a common perspective? And the reason for that question is it can create problems, can’t it?

Paul: Yes. First of all, I think it’s important to underline that we need to ensure that we’re investing in the security awareness of our users, of our employees, people that are interacting on behalf of our customers, our prospects with the data that they’re providing to us. Or maybe just employees within an organization, or systems and institutes that process the data, which we’re providing maybe to pay out our taxes, or to buy our driving licenses, or re-register for a particular permit.

It’s really vital that the people that are interacting with that information, that data, are trained about the risks that they may face from attackers or people with malintent to try and circumvent controls that are in place. And so, there’s no escaping that. We absolutely need to ensure that we’re investing in our people, and that they have the tools at their disposal to do the right thing.

And that they’re given time and space to actually implement those controls. Too often, I think, it is the case that security is an afterthought. There is a rush to provide a service or a product, to figure out how to make revenue from that, or to achieve a particular business objective. Or even in government, local government, to meet a policy objective without necessarily thinking about what the downside might be if attackers were able to compromise the environment.

And we can talk about lots of different technical controls but we also have to recognize that the people within our organizations— they can be hacked. And that sounds like a strong statement but if you think about the subtle ways in which people can be influenced— the advertising industry, for years, has been aware of subtle things which they can do to help influence and to encourage people to behave in a certain way to be more likely to purchase items.

And that’s, by and large, been, I guess, a force for good in terms of helping commerce and a kind of consumer economy take hold in the western world, and for us to move forward and to have growth in our economies. But there is a downside to the fact that the human mind can be influenced in adverse ways.

And maybe you’ve seen the recent movie from Netflix: The Social Dilemma. Some of the people that have worked in social networking companies have come to the forum and explained how, when they thought about certain features, or technologies, or algorithms, when these different networks were first being created, they started out with the best of intents as to how they could interact with their users, and encourage greater utility from users; the Like button with Facebook.

But now you kind of move the movie forwards to 2021 and we all observe how different parts of society have very divergent views, and partly that’s because of the algorithms which are being used to kind of potentially sow seeds of discord. And in the same way that we can ensure the user is really encouraged to keep coming back to the device, to keep scrolling, and to keep wanting to receive likes on a certain social media platform, in the same way attackers can seek to hack the human mind, as to how they will trick the user into clicking on a certain link, to open a business document.

Which may seem completely innocent but with the right type of payload— or the link that takes you to the site which causes the download of some malware— if we can achieve those circumstances as an attacker, then we’re perhaps exposing, and actually leveraging, the need for humans to interact with their world, to trust people, and to engage with their environment. And that has downsides if we don’t ensure that people understand what those downsides are, and how to mitigate those potential risks. Then we’re not preparing our people on how to address and to actually deliver on cyber hygiene in our organizations.

David: Okay, so notwithstanding the fact that users are clearly a hugely important component of good cyber hygiene, but you’ve said yourself that it is broader than that, the focus needs to be wider. And so, for anyone that thinks their organization needs to refocus on cyber hygiene, what’s a good starting point?

Paul: Yeah, I think that’s a really good point, David. There’s only so much you can expect of the people within your organization. So that awareness is really key but don’t have unreal expectations as to how secure you can make your environment in the absence of other technical controls or process controls. So having a catalogue of assets, whether physical or digital, that’s key because it helps you to understand what your perimeter is.

What is the franchise that you need to help secure, to be able to prioritize how you secure those assets? So classify, in particular, the data assets. Classify those assets so you have an understanding as to what the most vital data items are which need to be secured, that just absolutely cannot be leaked to the outside world or be changed in some way, so that the integrity is maintained.

And then the very simple things, but crucially important, investing in firewalls, malware protection— which today in 2021 should include Content Disarm & Reconstruction, also known as CDR, and perhaps we can talk about that in just a moment. But malware protection with CDR is vitally important. Ensuring that you have the ability to recover from a disaster, having the data backup service, so that if the worst does happen— and it may happen, that’s something that we all need to come to terms with— it may be inevitable that organizations will be breached or compromised in some way.

So you have to have a Plan B. How do you restore back your business operations? Get your data back to the place it was before the breach took place or the infection happened, so you can resume and start serving your customers and making the revenues that you need to once again.

We talked about security awareness, that’s really key. Having services such as Intrusion Detection Systems, web application firewalls— a different variant of the standard networking firewall— and one thing which I really underline is having Multi-Factor Authentication. Sometimes you’ll hear of that as being MFA or 2FA; the 2 just means the number of different factors that you have.

So having the passphrase plus something else as a minimum is really important. So if you have an authentication application on your phone— an app which just creates a random number so that when you’re typing in your known passphrase, which you’ve remembered or written down, you have that random number being generated every thirty seconds— it makes it virtually impossible for the attacker to take your passphrase when you’re not there and to login or authenticate on your behalf, because in the absence of that random number, they simply cannot log into your account.

So that’s crucially important in helping to protect both the user and the organization or institution from circumstances where maybe your passphrase has become part of some huge data breach. And there are many examples; some of the largest data breaches have included passphrases where they’re not encrypted, they’re actually disclosed in plain text. And so where users are actually recycling their passphrases, that’s something we want to really strongly discourage.

And kind of leading on from that, a really strong piece of advice for anyone listening, even if you just maybe classify yourself as an average everyday user of IT, is to have some kind of password wallet. And there are different types of services that provide this; 1Password is one example, and it’s basically a secure wallet in which you can contain all of your passphrases or passwords.

And you can make those passphrases as long and as complex as you want to because you’re not actually going to be remembering those passphrases. You’ll have a really strong passphrase to actually unlock that wallet, and then utilize each passphrase on an individual basis. So that when you come to log into one of your services, whether it’s your banking service, or to do payroll for your staff, nobody can guess that. It’s complex, and you’re also using that multi-factor authentication as well.

And then just to kind of round off on the point there, multi-factor authentication, that’s a huge boost for security. But also having a VPN, so virtual private networks, to ensure that wherever you are, as an end user, as you’re trying to communicate with, perhaps, your company, your organization, that you’re doing so from a secure tower.

So if you’re working remotely or, as we all are today, in a hybrid setting. So maybe sometimes you go into work, sometimes you’re working from home, sometimes from, say, a coffee shop— then having a VPN is gonna help to provide security to your environment, and make it less likely to have kind of Man-in-the-middle attacks taking place. So those are some of the things which you could really focus on.

Things like patch management, that’s important, but as we learnt with SolarWinds, for example, it’s not a panacea. It is the right thing to do to ensure that you’re reducing any security vulnerabilities by having a good patch management process in place. But it’s really having security layers in depth which is where you’re going to provide that total cyber hygiene solution, which you really need for your organization.

David: Excellent and interesting to hear. And perhaps we can bring this a little bit closer to home now. You mentioned CDR technology, Content Disarm & Reconstruction, but explain this in the context of the impact [00:21:04 – inaudible] can have on our organizations’ approach to cyber hygiene, and what is Glasswall’s approach to this?

Paul: So hopefully, the Glasswall approach is refreshingly different to what’s come before. Over the last 30 years, we’ve had a host of different malware protection companies, starting with antivirus companies looking for particular signatures, which are pieces of bad software expressions. So when that software is maybe on your PC, on your Mac, as it’s operating— because it’s doing its business of infecting your machine— you can fingerprint that piece of software and understand what bad looks like. And for a number of years, that’s been good enough, I suppose you could think of it that way.

But with the threat landscape accelerating the way that it is, with it being fueled by bad actors from nation states, which maybe have an axe to grind for particular countries, say in the West. Or because some actors want to install ransomware software onto your machine so that they can receive some kind of payment to unlock your device. That’s one avenue which is incredibly popular at the moment.

Or maybe just an actor wants to install some malware, in that it has an alternative purpose, and maybe it’s just to mine cryptocurrencies using the resources of your computer, not necessarily to harm your environment but to use that computer resource, and to win Bitcoins, for example, for the attacker.

The landscape now is so intense, and there’s never been more incentive for the bad actor to want to focus their attention on the user who’s just going about their business, trying to live their lives, interact with the world—whether that’s friends, family, or to do the work which they’re paid to do.

And today, antivirus and even the enhanced endpoint detection and response solutions that maybe claim to use, say, machine learning, or to use advanced algorithms, they’re not really cutting it. They’re doing a job but in most cases they’re leaving a window open, and that window can be measured in time. When we think about the threats entering the business environment, it takes time for these solutions to actually identify patient zero.

And if I said patient zero two years ago to you, you’d probably, I guess, raise an eyebrow as to what I meant by that. But we all now, today, having lived through a pandemic, understand precisely what patient zero is. And the fact that it takes time to develop a response to the threat.

So we first isolate that threat; in the case of Covid-19, we isolate the virus DNA, and also the genetic makeup of that virus. And then we start to figure out how do we, maybe, research, say, a vaccine or drugs which help to counteract the effects of that infection and that disease.

That all takes time, as we’ve observed ourselves, in our own lives. And that’s no different really to how most malware protection companies operate. They have to reverse engineer, and to understand what the threat looks like. Once they’ve actually identified it, and they’re looking for the bad, once they’ve received that signal, as I said, they try to understand what the payloads the malware is trying to inject into the host machine, or onto your phone, or wherever the technical environment might be, look like, and how to try and counteract that. So we’re talking days and days, and sometimes weeks, perhaps months, to be able to create a countermeasure which effectively neutralizes that risk.

With Glasswall, we’re not doing that, we’re not actually looking, we’re not trying to detect that bad file which is coming through. Really our philosophy is the complete opposite of most of the malware protection vendors.

We assume that every single file which is in transit or at rest— so think of a file movement from one trust end to another, so moving from the internet into your organization— that potentially every single file has malware in it. And so if we work from that premise, and assume that it’s really just a question of time, without a Glasswall solution, until users will be infected, what we can do is to say, “Look, the user, what they most care about is the content which is actually within that document”.

So, if we’re talking about a PDF, for example, that might be, say, the final version of a contract that just needs that countersignature, and then the deal can be closed, and it’s 4:30 on a Friday afternoon, and the deal’s just gotta get done. The last thing the user needs— maybe it’s a CFO, or it’s the sales person that’s involved in the deal— they don’t need security to get in their way because they have to close that deal, and they’ve got to move on. It’s the quarter end, and it is just imperative that it gets done.

So, any security solution that prevents that from happening, then most likely the users are gonna try and evade that, they’re gonna try and switch off that solution that gets in the way. So with Glasswall, we’re actually providing the protection, the threat removal from the file, within milliseconds.

So the file coming into your organization has the threats removed but there isn’t a tax on time. Because we’re not looking for how to reverse engineer that particular threat, we’re actually just removing any spaces or places that the threat could exist in, taking those away and reconstructing the document or the file which is presented to the user. But crucially, and this is really important, the file which goes on to the end user or to the dependent system, is visually identical to the one that came in.

What we’ve done though, is stripped out everything else that doesn’t need to be in the file. So active content, say a macro, that may have a nefarious purpose, or links which may take a user to what seems to be an innocuous, and maybe harmless, link on, say, Google Drive, that then has a piece of malware that might be downloaded into the environment— we’re taking all of that away and restoring the document back to the manufacturer’s standards for that particular document type.

And so, when the user opens up that document, not only is it safer because the threats have been removed, it’s more likely actually that the document is going to be stable, unlikely to crash, because we’ve actually repaired any broken structures within that file. So it’s a win-win from a user’s perspective; the threat’s removed, and they actually have a more stable document that’s unlikely to crash. And we’ve all experienced those moments where we’ve been working on a really important document that crashes for some unexplained reason, and maybe we think it’s because it’s getting too hard, but most likely it’s because it’s been corrupted in some way.

With Glasswall CDR technology, we help to prevent that type of scenario, and we’re doing that, as I mentioned, in a sub-second process. So it’s really security at the speed of business and in line with what the user expects. And so from their perspective, we’re completely invisible to the process. We’re actually doing the job, removing the threats, we aren’t getting in their way and slowing them down, or making them think, ‘how do I evade this security and go around this control which is preventing me from doing what I need to do’?

David: And it’s a fascinating solution. And Paul, thank you very much for your time today. Just to bring things full circle and to round it up for us, what are your top, perhaps, two or three pieces of advice for getting cyber hygiene right?

Paul: I would start with the leadership. It’d be great for me to say, start buying up some solutions, and start implementing different technology controls. But start with the leadership, explain the reality of the above link attack landscape to your peers on the leadership team. Explain the need to invest in both corporate and product security, so if you’re delivering a product or a service to your customers, make sure it’s secure.

Make sure that you’re thinking about how that data is going to be protected, and that’s part of the cost of doing business. And you’ve accounted for that cost because it’s a necessary cost that’s keeping you in business, and keeping you ahead of your competition. Because I fundamentally believe that we can make security a competitive advantage, like the absence of air or oxygen analogy I used.

Once you have an absence of security, you know about it, and you don’t want to be that competitor in the marketplace that has the absence of security in its products, maybe because there’s a breach that takes place or people start to talk about the fact that your software is vulnerable. So, start in the boardroom or with the Executive team and ensure that everyone understands why we’re doing this, and how it’s going to help us be more agile, and more competitive.

Secondly, I would say, implement the basics, so we spoke about some of those: having the firewall, disaster recovery, backups, making sure that you’re really focusing on malware protection. And not just the protection that was good 30 years ago or 20 years ago, but that’s good in 2021, so you need CDR as part of that.

And finally, I’d say, take people with you. And I’m talking about the people across your organization at every single layer. Explain what some of the risks are, without scaring people or turning people off to the idea that security is really everyone’s responsibility, and we need to get mindshare to being as secure as we can be. But also being realistic and pragmatic that we just need to do business, and we’ve got to keep making sure that the company is moving in the right direction.

But if we’re helping to ensure that we provide the tools to people, and explain to them which behaviors are going to be incentivized and which ones are gonna be discouraged in relation to security, I think that helps to set up a firm for success and to achieve that cyber hygiene which, I think, increasingly today, most organizations crave.

David: Paul, many thanks.

Paul: Thanks, David.