Does the National Security Agency have "backdoor" methods at its disposal to subvert the encryption protocols commonly used by today's enterprises? According to Marc Maiffret, the answer is a definite maybe.
"There's just an amount of resources and focus [at the NSA] that's unmatched compared to any company," Maiffret said. "We trust that when they recommend an algorithm that it is something good."
In this interview, conducted at the 2014 RSA Conference, Maiffret, the chief technology officer of BeyondTrust Inc. and noted security researcher, discusses the NSA encryption controversy and what the fallout ultimately means for enterprises.
Maiffret also talks about a variety of other high-profile security incidents, including the 2013 Target data breach, which he says is a lesson in how basic security processes are far more important than any cutting-edge security technology.
Then Maiffret discusses the recent rise in website defacements and draws parallels to his first experiences in information security as a script kiddie in the late 1990s, and shares what he would say to convince today's young black hats to turn away from the dark side.
Read the transcript below.
Hello there, I'm Eric Parizo with SearchSecurity.com. It's great to have you with us. Joining me today is Marc Maiffret. Marc is the Chief Technology Officer of BeyondTrust. Marc, it's great to have you with us.
Maiffret: Thanks for having me.
Marc, let's do a round-robin segment on recent high-profile security incidents. We're at RSA Conference 2014, and obviously the NSA and the integrity of encryption protocols and products have certainly been hot topics. What's your level of concern about the companies that work with the National Security Agency and, ultimately, the integrity of encryption as a reliable data security control?
Maiffret: I think there's definitely been, as I think some have said, a kind of blurring of the lines of the mission of the NSA, and how much, what is the balance you strike between being kind of defensive and offensive. And I think there were a lot of things, as a country, across different organizations and agencies, where in the post-9/11 world there was a lot of focus on the kind of offensive capabilities.
And it's a double-edged sword, right. It's the thing that's often debated about things like zero-day vulnerabilities: yes, you can know about it and have that, and it's a great weapon to use against an adversary. But also, by allowing it to continue to exist, it's something that can be used against yourself, right.
And I think, for the most part, the larger kind of challenge related to some of this stuff is that it's just good that we're finally having conversations about what the exact role is. Because a lot of the oversight and processes that have been put in place were created many, many years ago, when technology in the world was very different.
But I think there's always going to be a role for a level of monitoring. If you look at what every security professional actually does for a living, it's managing a whole variety of devices that are doing full-scale monitoring at their corporations.
They're looking at every email that's coming in and out for spam, viruses, etc. You're looking at everything happening across the network for signs of botnet malicious communication, and in the same way that sort of monitoring can benefit you, to help you find bad things, clearly government can benefit from doing similar.
But it all comes down equally to: do we have the right things in place that keep an NSA or somebody from using it against American companies, from abusing the power? In the same way that I hope your average corporation in America has the right safeguards as we're collecting all this data for security: are we doing the right safeguards to protect the business and the employees that are working at these companies?
So give me your gut instinct. Do you think the National Security Agency can crack the protocols that are commonly used today for enterprise data encryption?
Maiffret: I would say they're far more ahead than anybody. I mean, I think the fact that we're all still talking about, you know, buffer overflows and other techniques that are essentially 20-plus years old. That the son of an NSA guy, Robert Morris Jr., was already writing exploits for fun in that case. It's just the amount of resources and focus that's unmatched compared to any company.
To the point that, just as [inaudible 00:03:34] mentioned earlier today, we put trust into the fact that the NSA has so many people and resources that we're trusting that when they recommend an algorithm it is something good. That when they recommend an encryption standard it is something good. And so it's a balance that I think is getting fixed, that maybe got carried away.
Now the Target data breach and other recent retail breaches have brought RAM scrapers back from the past. But reports suggest access control was ultimately the biggest issue there. What's your take on the Target breach, based on what we know so far?
Maiffret: Some of the stuff that we've seen, based on how systems were accessed, how accounts were reused, how data was exfiltrated from the network, is again a kind of clear indicator that some of the security basics are sometimes, I think, taken for granted.
You know, I always go back to the fact that there's maybe some new product that you could be buying that supposedly is going to solve all these things. But whatever new security technology you're looking at, my company's included, doesn't really matter if you're not doing the right basics around how you configure your systems. How you've actually configured your network, how you've done network segmentation. There are no products that make up for doing those things properly and doing them right.
Switching gears just a little bit, we've seen kind of an odd rise in website defacements as of late. What's your take on why that is and what you think is happening?
Maiffret: Yeah, website defacements are always fun. It's how I got my start as a teenage script kiddie, being annoying. So yeah, it's amazing that the defacements are still happening, given the fact that, not that they're not possible, there are plenty of vulnerable web applications, but more people, especially younger people, are getting into hacking and security these days.
I mean, there's just such an avenue that they can choose to take from a cyber-crime perspective, stealing data and reselling that data. So I'm kind of happy, not happy when I see a web defacement, but I'm hoping there is some kid that's finding that out versus going and stealing some Social Security database. But ultimately, hopefully they translate that into some research career or something else where they can probably make some pretty good money and not have to worry about going to jail.
Now that you mention that, it raises an interesting question that I'd like to hear your answer on. For all those young black hats out there, like yourself 15 years ago, what would you say to those folks to really get them to understand that there's ultimately a better, more profitable and, frankly, more legal way to earn a living out there?
Maiffret: Yeah, I mean, I think it's amazing. I think for guys like me 15, 17 years ago, when we were breaking into systems, we didn't have a way where you could run your own lab at home. So you would go learn about new and different operating systems by breaking into a company or a university and going and experiencing these systems first-hand by using other people's systems.
I mean, I think it's an amazing thing that there's an entire industry, a subset of the security field, with stuff like penetration testing, where you can go break in completely legitimately, and for a lot of fun, and make great money doing it and use all those skills. And so it's something, I guess like anybody, when you're a teenager sometimes you get excited about something that you're doing, and it's: try to hold out, because give it a few years, get through school, and there are amazing outlets for all that sort of creativity.
Finally, let's end by talking about a subject that I know is of interest to you, which is this assumption-of-breach concept that has become a trend recently, with the de-emphasis of the perimeter. It seems like enterprises are starting to focus less on stopping attacks at the perimeter before they happen and more on detecting them quickly and remediating them quickly. Why is that something that you take issue with?
Maiffret: I like to put it to people as: there's the kind of gave-up generation of security that's kind of happening right now. And you do need to assume breach; you know, you do need to assume that a targeted attacker, especially given a long enough timeline, it doesn't really matter what security you have, they're going to find a way in.
So you do need, equally, to have not just preventive controls and hopefully good configuration, but also systems and processes in place that hopefully find people sooner rather than later after a breach has actually occurred.
But I think sometimes people get carried away and completely write off any sort of traditional solutions. In reality, things like anti-virus clearly don't stop any advanced breach, while firewalls have their limitations, IPS, etc.
There are still a lot of these systems that help kind of filter out all the basics, the basic attacks where you don't want your team focusing on that. You want them focused on the targeted attack they're trying to find versus the everyday cyber-crime. And when you hear companies that are talking about having some sort of fake anti-virus type of [inaudible 00:09:15] on their system, they're just very clearly not filtering executables properly. Those are basic things; any sort of advanced threat system, etc., get rid of that noise first, before worrying about some of the more advanced stuff.
Marc Maiffret of BeyondTrust, it's been great spending some time with you. Thanks for coming by.
Maiffret: Thanks so much.
And thank you as well. Remember, for information security videos you can always visit searchsecurity.com/videos. Until next time, I'm Eric Parizo. Stay safe out there.