As part of the Bitwarden 2020 Open Source Security Summit, Bitwarden CEO Michael Crandell had the privilege of sitting down with a Red Hat enterprise security architect (who, for privacy purposes, goes by ‘Freshman’) to discuss his background, the security threats and challenges he saw throughout the year, how he balances usability and security, and his practical take on credential management. Red Hat is a leading US-based provider of enterprise open source software solutions and is a subsidiary of IBM.
The discussion kicked off with some context on Freshman’s background. Freshman currently works across Red Hat to identify potential security issues and then works with the stakeholders to address them. Sometimes this involves creating new enterprise security standards, or modifying existing standards and policies, to ensure the organization remains a step ahead. Freshman has 20+ years of working in a security capacity for global organizations in both the public and private sectors and has dabbled in offensive and defensive security, customer exploitation, fraud and abuse, threat intelligence, social engineering, and a myriad of other things. Having seen how different organizations operate, from small, four-person shops all the way up to Fortune 50 organizations, Freshman’s perspective was eagerly anticipated. The following is a Q&A between Michael Crandell and Freshman.
Michael Crandell: 2020 was a tumultuous year, to say the least. Massive increase in working from home, which put extra strain on security systems. From what we see out there in the statistics - 400% increase in phishing and a major uptick in cybersecurity claims. What are you most worried about between phishing, credential stuffing, social engineering, and stolen credentials?
Freshman: Can I just choose all of the above? Social engineering continues to be a huge, huge issue. It’s a huge attack vector for baddies and it’s not just for email anymore. Social engineering is happening via the phone, via social media. We’re seeing it in the mail, in our chat messages, and on social messaging apps. It’s always great to get a message on WhatsApp from your President asking if you can wire money to some lawyer somewhere, because that always happens. I think social engineering continues to be that vehicle. I mean, 400% this year, that’s huge.
“Credentials continue to be the thing that baddies want.”
Credentials continue to be the thing that baddies want out of this. They’re looking for data but they’re also looking for the credentials. I read somewhere that credential reuse is 64% in the public space right now. If you’re not using a password manager, I think the average number of passwords that have to be memorized is something like 90 different credentials.
There’s a bunch more statistics around how we’re doing this in the enterprise versus how we’re doing this at home. But I think there’s a lot of carryover between the two, especially now with a pandemic happening and many being forced to be at home. We [IT security professionals] have to wear a lot more hats, we’ve got a lot more personal device use and crossover. When you have organizations, only 50% of which require multifactor authentication, or fewer than 40% of which require the use of a password manager, that adds to the types of threats that we’re seeing. It doesn’t help prevent these things. It just makes the situation worse.
Michael Crandell: Right. You made an interesting comment there about the fact that this problem spans the worlds of work life and personal life. How do you think about that in terms of a solution? How do you think about personal and work and your role in helping increase the security around credential management?
Freshman: So, I think that it's important that we bring awareness, it's got to be a collaborative effort. But I think that we need to be thinking about more than the user in the workplace. We have to think about the devices that we're using and how we're using them. We [open source organizations] may have an open device usage policy. How do we look at, identify, and manage the risk? But also, how do we manage the user experience as well, to ensure we’re giving our customers the right tools for the job.
To a certain degree, a layered approach needs to happen. Awareness is one aspect, but it needs to go beyond awareness. For example, it's good to be aware that phishing happens and provide updates on the latest phishing campaign, but we need to be able to provide the right tools. Even providing the right tools that will overlap between life and work so that we're setting the right bar and right standards for users to make sure that they actually understand and that it’s muscle memory for them to continue using these tools.
"It’s important to provide the right tools that overlap between life and work so that it becomes muscle memory for employees to use these tools in all aspects of their digital lives."
Michael Crandell: I know from past conversations you take a very practical perspective on all of this. What are the biggest challenges from a practical perspective?
Freshman: I think it's balancing usability and security, right? We need greater transparency and it needs to be easy to use. Our users are very, very smart. I hate seeing an industry where we treat the user as a lesser citizen because they failed to catch a phishing attempt or a social engineering attempt or they clicked on a link for ransomware. We let them down. We’re giving them the tools to be able to do things and we have our security policies and requirements in place, but we’re forcing them to use five different passwords in order to get to the services and resources they need on a daily basis. We give them password managers, but don’t allow them to use the 2FA functions to be able to store TOTP functions within the password manager. Things like that. How do we get that right tool to the user? How do we ensure the process is there?
"Balancing usability and security. We need greater transparency and it needs to be easy to use."
I can give you an example of thinking more about the user experience and why that’s important. A number of years ago I was working for a Fortune 50 organization that had an unfortunate phishing breach. Credentials were compromised and the accounts that were targeted were then used to reset passwords for social media accounts for the organizations. Those accounts were then defaced and it was a black eye on the brand, but it happened. Management, as part of the aftermath, said ‘we need phishing training, you and your team should go build the phishing training.’ And we did. We had all the right hits. We had ‘hover over links, make sure you understand who it’s being sent from, if you’re not sure this is phishing, send it to the information security team and they’ll look at it and let you know.’ All the typical stuff you would pass as part of your security awareness and compliance training. We put together the security training and it went out and everyone took it and thought it was great. Pats on the back and handshakes all around.
But then, I stopped for a second and started thinking about what we had just done. I went back to one of the VPs that was leading this effort and said, hey by the way, what was the email address we used? Where are people supposed to send the phishing if they find it? And he thought about it for a second, and couldn’t remember. So I started asking other people and no one could remember where it was to go. And I looked at that and said, we failed. Because one of two things is going to happen. After two minutes of looking at this, Alice in Accounting, if she can’t find the email address, is going to delete the message or click on the link and do what we didn’t want them to do to begin with. There’s going to be an assumption that it’s probably OK, but that information security is going to get mad at me either way, I just hope they actually had the protections in place to actually prevent this. And that’s a really sad thing to think about. So, we need to make sure we think through the user's process. Users are maybe lazy to a certain extent, but there are also users that have an entirely different job and mindset from what we do. It’s important to incorporate them into the conversation and understand what it is that they’re asking and what their needs are.
Michael Crandell: Sure, we’re getting into human nature now. You’ve made a comment in the past about how we don’t hire for security awareness. Would you say a little bit about that?
Freshman: Right. I would be surprised if anyone at this conference had ever seen or submitted a job description, whether it’s an administrative assistant or someone in HR that listed as a required job skill, ‘must be able to generate complex credentials for multiple systems every 90 days’ or ‘has a proven track record of recording and reporting phishing in a timely manner’. It just doesn’t happen. We hire these people and they’re very good at what they do. But then we put them in new hire orientation and bombard them with security requirements and training and have this expectation it will be common knowledge for them and easy for them to pick up without the tooling. It’s not something that everyone grasps immediately. It’s the same organizations that have zero tolerance to three-strike policies for phishing. This can be a bit scary because we’re almost treating them [users] as the first line of defense - first, last, and only line of defense. We need to have appropriate tools in place to help them feel they are not the only ones involved, I think that’s important.
Michael Crandell: You’ve said before we shouldn’t see the user as the only line of defense in this whole picture. By the way, did you ever find a solution to the phishing email - the difficult to remember email problem?
Freshman: I went back and said, ‘why in the world did we not have a button?’ ‘Why in the world do we not have an easy point-and-click solution?’ We have a message, this looks dodgy, I want to be able to pass this over to my information security team and pass this over to whatever my mail service provider is, if I’m not working at a small business and leveraging Google and Microsoft. ‘Where do I get this message into a solution that’s already existing and advertised, to make sure it’s part of my organization’s workflow and my security team’s policies and see whether or not I’m right?’
We have solutions right now that you pay big money for, that will modify links within emails, do a bunch of things and validation on the backend, create gamification. I don’t think they have the user experience in that workflow. How are we encouraging people to click on links and if they do click on links, what are the ramifications within the organization?
This is all within the battlespace of an attacker. The attacker controls the body of the message. If we’re creating ribbons and things and modifying links, we’re creating muscle memory for our users that I think is counter-productive to what we’re trying to accomplish. I think it’s a matter of time now where more security professionals and more organizations need to start asking themselves the question ‘why don’t we have this? Why aren’t we thinking about the users or the user experience?’
Michael Crandell: Very much in line with what Martin Mickos was talking about with respect to democratizing security and how everyone has their small part to play. Last question: what do you see for 2021 or what would you like to see in the security industry?
Freshman: As we continue to build out and bring more people along for the open source journey, I think it’s important we ensure the secure user experience is a part of that. Continue to educate, continue to encourage people to think about using multi-factor authentication (MFA), continue to think about how interconnected these capabilities are and think about what the long-term user experience is going to be as we change multi-factor options, or as we look at trying to detect phishing, secrets, or other things. Open source, or source code management, continues to be a target now. It’s not just the IP of closed-source organizations. We need to help educate the communities to push this further and think about interconnected devices, the hybrid work environment, bring your own device, and how we, through open source, can better secure that. So, that’s my hope for 2021. We’ll see.