Matthew Strebe is CEO, owner and founder of Connetic, a full-service outsourced information technology service provider. His deep knowledge of network security and administration led him to author 18 books on network administration certification, network security and consulting. Strebe is also a FHOOSH Security Advisory Board member.
“[S]ecurity has to be baked into systems and products from top to bottom. Organizations need security expertise at every level and a class of people who are dedicated to protection in every department. If not, those organizations with only security ‘frosting’ on top of their regular business are always going to have fragile environments…”
Q: How did you get involved with cybersecurity?
A: I started out as a teenage hacker before the commercial Internet existed, and we were using dial-up modems to access systems. I learned how to program at an early age, and I hung out with a group of friends in a hacking cabal back in high school.
My group had an understanding that we wouldn’t delete or change the data on any computer that we hacked into, so no one would know we had been there. We’d challenge each other to see who could go furthest into someone else’s system, and it really was just a puzzle-solving challenge for us at that point. It’s funny, because most of the same site tricks we figured out then still work today. There are some more layers on top, but many of the fundamentals are the same.
Q: What are the biggest security challenges facing companies you work with?
A: The biggest challenge is solving the social engineering problem with security. While many of the technology needs are solved, the issue now is: how do we take cybersecurity to the typical user? They’re not a computer scientist, they’re not IT people, they just want to do their job. They don’t want to go through a “Get Smart” TV show-type routine just to get their work done. How do we get our end users to not click on that email attachment? To look at the URL and realize where they think it will take them isn’t where it will actually bring them? To change their passwords regularly? It’s the human element that’s always a failure risk. We can set up systems to secure networks and information, but we can’t make sure everyone always accesses them in a secure fashion.
I’m also concerned when I learn of companies treating collected customer data as their own product to monetize, as these types of companies can sometimes show less concern for protecting that end customer data. If their data is compromised, and end customers can’t show any immediate harm resulting from their data being stolen, there isn’t yet any compensation or recourse. Even if a company lost all of your data, if hackers don’t use it in a way that harms you, there’s no recourse. Current law doesn’t value the theft of the data alone.
Here’s a case in point: People’s medical information has been stolen, but it hasn’t been stolen by hackers who want to monetize it; it’s been stolen by another country that is trying to put together a map of relationships among our citizens. They’re trying to see how they “turn” that congressman’s daughter’s friend in order to gain direct access for espionage, should they someday want to do that. Most of this information may never be used, but it’s been stolen nonetheless.
Individuals whose medical information has been stolen aren’t eligible for compensation because there’s been no monetary loss to them—their identities haven’t been used to get new credit cards, for example. But there has been a real loss to those individuals. How can we, as a society, put a value on the loss of that information and privacy? Or are we going to shift to a society where people just don’t care about privacy and there’s no shame in any information about anyone? That’s not really our society today, but it’s a possible future.
Markets should drive a change toward companies that better protect consumer data, as consumers begin to make choices based on the security of their info. They might choose to change insurance companies because their data has been breached three times, for example. Overall, the market places value on protection at some level. Companies are trying to balance a corporate need for security with the need to conduct business as usual. Markets should help raise the security bar to a better reasonable minimum, and we will need to increase regulation wherever markets fail to.
Q: How could we significantly reduce cybercrime today?
A: First, we have to differentiate between the two major types of hackers today: nation-states conducting cybersecurity probes—that’s a government problem; and criminal hackers trying to steal money. If you look at the nation-states’ efforts, they’re almost all leveraging tools originally built by cybercriminals to steal money. When these tools are already built and waiting, it lowers the bar to entry.
We could make a single change that would immediately protect people’s privacy and cut cybercrime: We could force credit bureaus to add a simple consent clause to their credit reporting process. In effect, you must agree in advance each time a credit bureau wants to share your information. It would be relatively easy to set up. A credit bureau would get a request to open a new line of credit, or a request for a consumer’s information, and before doing anything, they would contact you to approve or deny, and text you a code to confirm your response for that request.
If credit agencies couldn’t release your financial data without your specific approval each time it’s requested, the money for criminal hackers dries up and they move on. They’ll stop bothering to build tools to steal data, and the nation-states won’t get as many new tools to access data, either. When they have to bear the entire cost to build cybersecurity attacks, the rate will dramatically slow.
To drive this change, we just need a simple law that states if someone shares credit information without proper authorization, they’re liable.
Q: What do you see as the biggest opportunity for FHOOSH?
A: Secure data storage is easy to do wrong in larger organizations because people misunderstand the term “encryption.” They think SSL encryption between their browser and their web server keeps their data safe, but it only prevents a single type of attack that is actually very rare.
Full-disk encryption like Windows BitLocker or Apple FileVault is good for storing data on a laptop, but when a hacker breaks into a server, all the info is already decrypted so the systems can use it. This is another example of a use of encryption that only protects against a single problem, physical theft of the hard drive, and has no impact on data breach.
The right way is to encrypt inside the database fields themselves, as FHOOSH does. Applications that store the private information of third parties need this level of encryption. The business difficulty is the conversion from a non-secured form to a secured form, and maybe the consulting around that to make it happen. Or, build products that can automate the transition from non-secure to secure data, and the tools to integrate that secured data with storage systems. Those automation tools would open more opportunities for FHOOSH technology.
There is no such thing as secure encryption without key management. There are very few good key management options available, and none are deployed universally. Two-factor authentication is becoming more universal, but it doesn’t begin to solve key management. Here’s the challenge: The correct person needs to use the correct set of data, but how do we know they have the right to use that data? It can mean different things in different contexts: if I store data with a hospital medical provider, should they be able to decrypt and use my data if I’m not there? Who holds that key? It’s a social problem again, and these system-level problems need to be thought through and solved for key management to move forward. And really, nothing moves forward until key management does.
Very few recognize the importance of key management. Executives generally have little to no technical skill on security. They want to outsource it, so the security becomes a layer resting on all the other layers of an organization’s enterprise system, like frosting on a cake. This inherently means security isn’t present at every single level, and it creates potential openings that can be breached. Instead, security has to be baked into systems and products from top to bottom. Organizations need security expertise at every level and a class of people who are dedicated to protection in every department. If not, those organizations with only security “frosting” on top of their regular business are always going to have fragile environments, and eventually are going to fail.