Michael Cobb, CISSP-ISSAP, is a 20-year veteran of IT security with a passion for making industry best practices easier to understand and implement. He is an advisor on security controls and information-handling practices and is a renowned author and presenter. Cobb wrote the FHOOSH dispersed data encryption white paper, available for download here.
Q: What drives your interest in cybersecurity?
A: The first word that came to mind was actually Frustration! Information security so often lacks the true commitment of senior stakeholders, which is why it rarely receives the attention and resources needed to do it well.
In the past, security was like insurance: it was simply an expense businesses had to incur. Now, people see if they can secure their business data well, it’s a differentiator. It’s most apparent in the mobile device market; vendors are trying to outdo themselves with added security features. They’ve also realized for security to work, it has to be user friendly. In that market segment, we’re starting to see a sensible balance between security and usability.
For enterprises, web, software or technology where security isn’t the main product, they’re a little behind the curve, but regulatory environment changes should move them to where they have to do security well to even compete. For developers to embrace security, it really needs to be easy to implement, and that’s certainly an element of FHOOSH. Though I’m not sure how strictly new EU regulations will be interpreted, even the threat of greatly increased fines will move security much closer to the top of the agenda. It’s great to see that security is now finally becoming a boardroom issue and it is very rewarding when a client appreciates the benefits security brings to their operations.
Q: With Secure Shell (SSH), do you see the same security around encrypted net protocol vs. Transport Layer Security (TLS) or Secure Sockets Layer (SSL)?
A: Secure Shell has created a proliferation of keys. The keys get handed out to everybody, no one is quite sure which keys do what, or enable someone to do what, and this is a huge problem. The fact that the FHOOSH system enables easy rotation of keys and management of keys to secure access and authorization is a definite plus. The typical enterprise could have something like 17,000-plus keys. No one knows quite what they each do, who has them, none of that. Hackers are the ones who will spend the time to map them and work out which are the valuable keys, since a single compromised encryption key can decrypt huge amounts of data. Stolen credentials have been used in pretty much all of the big breaches over the past few years.
Q: What trends do you see affecting data security most this year?
A: I’m sure the European Union’s changes to privacy rules will create unprecedented challenges for any organization that holds or uses European personal data, both inside and outside the EU. The General Data Protection Regulation (GDPR) was formally adopted by the European Parliament and Council earlier this year, with the new rules coming into force in 2018. Organizations can be fined up to four percent of global turnover for breaching the new laws, which certainly makes data security a board-level issue. It will be interesting to see whether countries like the US and Japan follow suit, or wait and see its impact.
I think the scale of recent data breaches, plus the types of incidents we’re starting to see—connected baby monitors being abused, kids’ data being stolen, taking control of Jeeps remotely—these events are possibly more alarming to government officials than people’s credit cards getting stolen. This data breach shift from purely monetary to personal safety/individual breaches will force changes in many regulations.
The Internet of Things is a security disaster waiting to happen, at the moment. People want to rush out and get the latest Internet-enabled appliance, but there’s been little thought paid to how anyone with criminal intentions and a network can access all that data. Some devices will generate huge amounts of info, and I suspect most developers aren’t encrypting it. The fact that FHOOSH can easily drop into any application to secure data would be helpful. While the info itself may or may not be relevant, in most cases, the security of the actual device usually hasn’t been addressed, either. FHOOSH secureKeys will help with that. IoT developers who are told, “Great job, but you need to secure all this,” just need the easiest way to protect the info. FHOOSH will be right up there as an option.
Q: What are the biggest security challenges facing companies you work with?
A: I think they’re all struggling to keep control of their data and systems. They’re all generating vast amounts of data and consuming it in ways they never imagined; it creates as many concerns as it does possibilities. Trying to keep data secure and trying to control access to it while still being able to realize its full potential is a real challenge, and it’s new ground for everyone. Security probably can’t grow fast enough to manage all of the changes we’re seeing. In response to major breaches, regulators will need to step in, and we’ll need to legislate certain security controls in ground-breaking technologies such as drones and driverless cars.