Expert Interview with Stephen Cobb, Aryeh Goretsky, and David Harley on Digital Security

Nothing's more important than digital security these days. But what do you need to be secure? Stephen Cobb, senior security researcher at ESET and part of the We Live Security digital security blog, spoke with us about security, and brought in fellow experts, Aryeh Goretsky and David Harley, to discuss what you need to know to keep your digital life secure.

How did We Live Security get started?

ESET wanted an appealing online destination where everyone - corporations, consumers, researchers, IT staff - could easily find and access our large and growing collection of cybersecurity content. This content, much of it produced by ESET experts with decades of experience fighting malware, ranges from blog posts to podcasts, white papers and how-to videos. The design of the old blog at ESET.com, which was started in 2006, was not conducive to making all of this content readily accessible. In 2012, we began to create a new site with the code name "Infohhub" and launched under the name We Live Security in February of 2013. Why We Live Security? Because that's what we do: We live security.

How has security online changed in the last few years?

In the years since the original ESET Threat Blog was fired up, the biggest change is probably the ubiquity of online computing. Today, almost everyone in society is a mobile computer user, whether they are using a laptop, tablet, smartphone, or some combination of those. That shift has greatly expanded the scope of online security - the attack surface, if you will - so in addition to protecting the servers on the back end and workstations in the office, we have to defend a wide range of highly mobile endpoints, including the smartphones in people's pockets and purses.

During that same period, we have seen cyber crime become an industry and a way of life for some people, organized around thriving underground markets that allow criminals to buy and sell data and services.

There have been quite a few security breaches lately, such as Target's. Are these breaches becoming more common, and can they be stopped?

Breaches are an increasingly common occurrence, and not only in high-profile areas such as big retail chains. The thriving underground market for personally identifiable information and the skills required to steal it has naturally led to specialization in the expertise required to breach systems, as well as a creativity in identifying targets, potential repositories of PII that can be successfully attacked with little risk of detection, such as hospitals, schools, and even churches.

Organizations that understand the nature of the threats and take them seriously will stop a far higher percentage of attacks than entities that are less prepared to defend themselves. One characteristic of market-based cyber crime is that the bad guys are constantly looking at risk/reward and return on investment. With so many online targets, those that are better protected and thus require more effort to breach may get a pass. However, if you are targeted by a determined adversary, you not only need good defenses - layers of protection that offer "defense in depth" - you also need to be ready to respond to a breach, if it happens.

What are some pressing security concerns online that may not be getting the press they deserve?

I put this question to two of my colleagues, ESET Distinguished Researcher Aryeh Goretsky and Senior Research Fellow David Harley. They pointed to a range of issues, from social engineering and passwords to lingering threats due to poor cyber hygiene.

Goretsky: Just because a threat is old does not necessarily mean that you are protected against it. As an example, ESET has received so many reports of the Conficker worm every day since 2008 that it has remained in our top ten list of threats for nearly six years. This is a worm that by all means should be extinct by now, but it still constantly re-appears because of poor security practices, such as failure to block the use of removable media and not using strong network passwords.

Another issue I do not think many people take seriously is the importance of good password hygiene. Too many people use the same password over and over in multiple places, and that means if it gets stolen in one place, an attacker is going to use it to try and log into every kind of webmail, financial service, shopping and gaming site, to see if they can find some way to commit crime, whether it be stealing funds, placing orders or simply using your account to send spam.

Harley: Everyone with some security knowledge recognizes the effectiveness of social engineering and its impact on the safety of the public at large, but because instilling resistance to psychological manipulation is largely an educational issue rather than technological, it's difficult to present the message consistently as newsworthy or in a way that will both attract and inform. There are only so many ways you can say, "Be careful out there," so pieces that do try to address the issue tend to focus on very specific attack techniques, like some of the common gambits used to trick victims into clicking on malicious links. This approach isn't valueless, since it does have some negative impact on the future effectiveness of stereotyped social engineering ploys. However, it doesn't easily translate into wariness in the face of other gambits.

Unfortunately, this fragmented targeting can be seen in many other areas of security reporting: For example, issues around PIN and password protection tend to focus on publicizing and avoidance of "known bad" passwords (and PINs, where the data exist) rather than on the mechanisms that predispose people to the use of over-used passcodes - memorization by ergonomic considerations like easy-to-remember key sequences, memorization by mapping to easily-guessed personal data, memorization by mapping to cultural and semantic stereotypes, and so on.

What are some common-sense ways to protect yourself online?

Harley: Many attacks, including a great many malware attacks, are easier when directed against people who routinely work from an account with full administrator privileges. The need to force some kind of privilege escalation in order to make the attack fully effective may introduce uncertainties and unanticipated variables into the attack process that make it more obvious that an attack is underway, decreasing the chances of success. If your routine work is done from an unprivileged account, using an administrator account only when necessary for purposes such as legitimately installing or configuring applications and systems, it can significantly reduce your attack surface (the degree to which you are exposed to attack).

In the workplace, the continuing take-up of BYOD means that there is more risk of a successfully infiltrated over-privileged account causing damage and compromise on systems right across the enterprise. That problem can be mitigated by restricting the range of accepted BYOD units to those devices that can be safely administered and controlled centrally.

Goretsky: If you use a free Wi-Fi or Internet connection while at a coffee shop, traveling, etc., do *not* log into any websites with a username or password, such as financial or shopping sites. A criminal may have set up a fake hot spot in order to capture usernames and passwords. Only access them from a trusted network connection. If you are away for several days and cannot avoid using these services, immediately change the passwords when you get home.

Do not put off installing updates for your operating system, commonly-used applications like Adobe Flash and Reader, Java, and so forth. Because use of these programs is widespread, they are the first thing criminals attack on computers. Likewise, keep your security software updated so it can detect new threats.

How do you see online security changing in the next few years?

Harley: Providers of financial services will have to put more emphasis on multi-factor authentication. This change has been underway for many years, but implementation has been hampered because of the difficulties of avoiding making it more onerous for the customer to access such services. The immediate returns will not be as dramatic as may be hoped, in part because the shift from dedicated handheld authentication devices to versatile personal communications devices using an app introduces many more security-impacting variables.

Goretsky: I think we are going to see more use of secure connections (website connections that begin with https://), partially as a reaction to concerns about pervasive monitoring of the Internet. Advertising companies and their partners, social media firms, are going to take even more steps to collect information (social media firms) about people on a minute-to-minute level, allowing them (advertising firms) to tailor their content, which will cause at least one very bad gaffe (e.g., sending inappropriate advertising to someone at a funeral or cemetery, a hospital, in a courtroom, etc.), but most people will largely and blithely accept with no outcry.

Cobb: The security technologies we have today will remain in use as the foundation of a multi-layered approach to security. New technology, such as highly granular network monitoring and automated threat intelligence, will be added. But experienced security technology companies will continue to emphasize that technology alone cannot make you secure. The human element must be addressed and efforts to educate the public on good cyber hygiene, such as San Diego's Securing Our eCity, will continue to improve the performance of humans in the protection of data and systems.
