Olivier Le Moal - stock.adobe.co
Many businesses still using outdated security, says Troy Hunt
Too many businesses are using out-of-date approaches to security, a world-renowned cyber security author and trainer warns
There are many more security vulnerabilities and security options available today than even 10 years ago, but many organisations are stuck in the past, according to security expert Troy Hunt.
“I still see businesses using security approaches, technologies and processes from decades ago,” he told Computer Weekly.
The way organisations deal with things like passwords and security questions are a prime example of this, said Hunt, who is an internet security specialist, Pluralsight author, owner of breach alerting site haveibeenpwned.com, and recipient of Microsoft’s most-valued professional award.
“Many companies are still using security paradigms from decades ago, but the technology landscape is quite different now, with different risks, and so these paradigms no longer make sense,” he said.
However, Hunt points out that with a changed technology landscape, there are now also more options for organisations to authenticate individuals and do so with greater confidence, so there is no longer a need to rely on things like date of birth and mother’s maiden name, all of which is discoverable and is also frequently leaked online.
“Organisations now have text messages, messaging apps and email channels, and technologies such as NFC [near field communication], USB tokens and even sub-dermal computer chips, but relatively few organisations are using them,” he said.
In terms of security challenges and problems, one important thing most people do not understand, said Hunt, is the redistribution of personal data once it has been breached.
“Every day I get multiple emails and messages from people reporting they have found more data that appears to have been breached, and this stuff just gets redistributed en masse,” he said.
According to Hunt, most of this redistribution is by teenagers and young adults who are simply bragging about what they have found because of lack of awareness of any social responsibility. But some of it is driven by “commercial opportunism” such as the LeakedSource website, which was used to sell stolen identities and passwords.
“There is definitely financial motive,” he said. “We still see a lot of selling of data. Following the LinkedIn breach in 2012, we saw that data extensively sold. And details from the Adobe breach in 2013 are still being sold on the Dream Market on the dark web.”
Education is vital
In terms of improving cyber security by driving up accountability, Hunt believes education is vital. While legislation has a role to play, he said that until now, the fines issued for data protection failing have not really hit home, although the EU’s General Data Protection Regulation (GDPR) could change that with fines of up to €20m or 4% of global turnover.
Although Hunt does not believe there will be fines of around 4% of global turnover any time soon because that would be only in extreme cases, he said he would be happier to see fines of 1% or even 0.5% than just £400,000 for a company such as TalkTalk with a £1.8bn turnover for flaws exploited by a 15-year-old.
“I fear that organisations are looking at security and saying there is just not enough reason to spend on cyber security,” he said. “There is not enough return on investment. But if we start to see penalties that really hurt, we may see that ROI calculation change.”
Ultimately, however, Hunt sees increased awareness and cyber security education as one of the most important areas for organisations to concentrate on.
“I genuinely believe that the best thing we can do is get better education for people who are building IT systems,” he said. “The ongoing massive breaches indicate that we have got massive skills gaps.”
Basic security mistakes continue to be made regularly, said Hunt, citing the fact that many web services are still created with SQL injection vulnerabilities, which have been identified as a top risk for at least the past seven years.
SQL and command injection have long been in the top 10 list of web application security risks because they continue to have the greatest likelihood of enabling data loss or compromise, according to the Open Web App Security Protect (OWASP), which compiles the list.
“SQL injection is still everywhere, but this is nothing more than a human mistake that can be avoided by anyone who knows what they are looking for, which is simply an issue of education,” said Hunt.
“It requires no more effort or cost to write good code than to write code that is vulnerable to SQL injection.” Failure to write good code, on the other hand, is often extremely costly, he added.
“Education is cheap when compared with the cost of hardware appliances, security controls, penetration testing and the cost of breaches themselves,” he said.
Education pays off
Not only is education cheap at the time of doing it, said Hunt, but it pays off repeatedly as people apply the knowledge from a few days’ training across multiple projects and help to positively influence the cyber security practices within their organisation.
“Educating people around cyber security issues relating to their job roles is the most sensible and fundamental thing to do,” he said. “It also allows us to fix defects at the point where it is the cheapest to do so because the further you go into the lifecycle of a project, the more expensive it is to fix defects, particularly after a breach.”
In addition to good coding practices by in-house teams or commercial software development firms, Hunt believes there needs to be more education around data collection and retention.
“One of the reasons we are seeing so many data breaches is that everyone is collecting way too much data,” he said. “Breaches would be less of a problem if organisations stopped collecting so much data, and limited their data collection to only what they need, retained it only for as long as they really need, and use it only for the purpose it was collected for.”
According to Hunt, people should be able to access online discussion forums, for example, without having to provide personal data such as date of birth, which, once collected by the forum, could remain in its database for many years and potentially get leaked if that database is breached.
“Organisations have control over what data the collect, what they retain and how long they retain it, so I would like to encourage them to collect and retain as little data as possible,” he said, pointing out that data maximisation was one of the problems he highlighted in testimony to the US Congress on data breaches in November 2017.
In his written testimony, Hunt said: “Exacerbating both the prevalence and impact of data breaches is a prevailing attitude of ‘data maximisation’, that is the practice of collecting and retaining as much data as possible.” He said many organisations are doing this just because they can, just in case they might need it.
Read more about data breaches
- Drawing on insights from more than 400 senior business executives, research from Experian reveals many businesses are ill-prepared for data breaches.
- Stolen and lost devices are the biggest causes of data leaks in the financial sector, which experienced twice as many leaks in 2015 than the year before, a report reveals.
- The rise in high-profile security breaches has led to an increasingly worried UK public, calling for 24-hour monitoring of sensitive information.
- Considering that a data breach could happen to any company at any time, a plan of action is the best tactic.
However, Hunt said this issue is worse in the US than it is in the EU because the UK and other European countries have a much better attitude towards data minimisation, which is a cornerstone of the GDPR.
“Organisations view data on their customers as an asset, yet fail to recognise that it may also become a liability,” he said in his testimony to the US Congress.
Organisations tend not to think about what happens when things go wrong, he said. “And it all comes back to that principle that you can’t lose what you don’t have. So, technical controls aside, if organisations just had less data to begin with, it would be a good thing.”
And when a data breach does occur, said Hunt, organisations need to ensure they have processes in place to deal with it. “We are now in an era where people are no longer judging organisations as harshly because they had a breach, but are judging them more on the way they handle it,” he said.
“In the case of the photo-sharing service Imgur, for example, the company notified affected users within 25 hours of me notifying them in November 2017 of a 2014 breach affecting millions of accounts, informing users of the breach, telling them what the company was doing about it, and apologising for the breach.
“If you compare that with Uber, which attempted to cover up a data breach in 2016 that affected 57 million customers and drivers, and if you compare it with the way Equifax handled its breach, it is clear that it is better to have a plan for how you are going to deal with a data breach and to be equipped to respond in a way that Imgur did. So planning to fail is, in a way, an important part of accountability.”
