SecureMac, Inc.

The SecureMac Interview: Troy Hunt on data breaches

October 16, 2019

Troy Hunt is a Microsoft Regional Director and Microsoft Most Valuable Professional for Developer Security. He is the creator of Have I Been Pwned (HIBP), a free service that aggregates data breaches and lets people check if their accounts have been compromised. He is also a prolific speaker and educator, giving talks and organizing workshops around the world.

We caught up with Troy to talk about how both businesses and individuals can protect themselves from data breaches—and ask him about the future of information security and his work.

Let’s start by talking about data breaches in terms of individuals. We give a lot of the same advice that you do: Create strong, unique passwords; don’t reuse passwords; take advantage of HIBP.

But we came across this story recently about the study that Google did using their Password Checkup extension, where they found that even when people were told they were using compromised credentials, something like 25% of them just went on using those compromised credentials. What do you think might be going on here—and what can be done to get people to take password security more seriously? 

I think what’s going on is that there’s a general sense of apathy—that people just don’t worry that much about it. 

And frankly, to answer the second part of the question, it very often takes something adverse happening, in terms of security, before people do take it seriously. 

Unfortunately, we all get out there and talk about best practices—and people hear it, and they know it—but they just don’t have the motivation to change. 

I mean, let’s take password managers. Password managers are unequivocally the single best thing you can do for your security posture as a normal, everyday person. But they require change. And until people want to invest in actually learning how to use a password manager and changing their processes, they’re just not going to do it. And the catalyst that they need to do that is usually something really bad happening.

On the subject of password managers, some people seem to be under the impression that they’re risky—that it’s like putting all your eggs in one basket, creating a master key that someone can hack. What could you say to allay people’s concerns about this?

Well, when people say “isn’t that putting all my eggs in one basket, what happens if my password manager gets hacked,” there’s an easy answer, which is: You’re screwed! Like it’s going to be a really, really bad day.

But really that’s not the right question to ask, because you need to have this discussion about things like likelihood and impact. We’ve got to compare two different states. Password managers aren’t perfect. But we’ve got to ask: Well, what are our options here?

One option is that we don’t have any way of recording our passwords. Which means that the only option that we can possibly have is that the passwords tend to be weak, reused, or, usually, a combination of both.

Now, what’s the likelihood of something going wrong there? 

Well, if you’re in one data breach, and someone gets your credentials, then they’re in somewhere else. If they phish your password, they’re into everything else. That’s a very high likelihood scenario; it happens all the time.

The impact of that can be anywhere from mild (let’s say if it’s a password that hasn’t been reused too extensively), to the severe, for example if they get the password to your Gmail, which is then the skeleton key for everything else.

So then we sort of compare that to the alternative, which is the password manager. 

What is the likelihood of something going wrong with a password manager (used properly, there’s the caveat)? If you take something like 1Password, which is the one that I use, and you set it up, and you’ve generated a security key, which you need to set up on any new device, and you turn on two-factor authentication, and you have a strong master password—the likelihood of something going wrong there is just infinitesimally small. 

You’d have to have something else of a really, really severe nature go wrong in order to have somebody get into your password manager. And then, yes, the impact is high, because they get into everything. But if we don’t have this discussion about likelihood, it’s really difficult to have a discussion about what’s the best option.

Moving to the enterprise side of things, you’ve written before that everyone is at risk for a data breach or a hack. You don’t have to be a huge multinational, you don’t have to be doing something that hacktivists oppose, you don’t even have to present some financial upside to hackers. Basically, if you’re on the Internet, you’re a target.

So what do we say to small and medium-sized businesses, or organizations like schools, who may not have a lot of funding or staff? What can they do to prevent data breaches if they don’t have the resources of an Apple, or a Microsoft, or a Google? 

Well, first of all, I’d challenge the latter point. I mean, I have a lot of organizations on HIBP which are multi-billion dollar multinationals—LinkedIn is in HIBP, Dropbox is in HIBP, Adobe…these are big organizations with serious resources. There’s a lot of evidence out there to suggest that regardless of your organization’s size, you’re not more or less likely to have a security incident. 

The second thing is that there’s a lot out there that can be done which is free—or near free. 

We see compromise after compromise due to reused credentials. If you’re a small business, everyone in your organization should have a password manager. Products like 1Password have enterprise models. You can ship it out to everyone. Get a password manager!

Another example is turning on two-factor authentication. With most services, you can do this for free—and there are even some services that give you a discount! I still get a discount from Mailchimp because I turned on 2FA. So there’s a case where security actually saves you some money.

If you’re going to spend a little bit more money, where we constantly see smaller organizations having breaches is around things like unpatched software. You know, their forum is running on vBulletin…and they haven’t been patching vBulletin. Outsource that stuff! You can get managed vBulletin, or whatever other forum of choice it is. It’s going to cost you a little bit more money, because now you’re actually paying someone however many dollars a month to maintain it, rather than just standing it up on a $3 a month virtual private server and waiting for the IT guy to update it once in a blue moon. But things like keeping your software up to date get frequently, frequently featured in best guidance for enterprises, so businesses really should be thinking about what’s their strategy to do that. 

And for smaller organizations that do have someone building software for them, whether it’s someone internal or external, just invest in basic training for those people around things like secure software development practices. Training can be really cheap. Frankly the biggest cost in training is actually taking people away from their revenue-generating work! I’ll often go into organizations and it will be, say, a bank, and there will be 30 people there for two days. And, you know, imagine what 60 person-days are worth to a bank. That’s a big commitment. And 60 person-days for a small business is a big commitment too. 

But education is one of those things that, from a cost outlay perspective, is relatively minimal—and it pays off over and over and over again, because these people take what they learn and they apply it to every single project. And training can take many shapes. I do a lot of workshops at conferences where it can cost a couple of thousand dollars for two days, but a whole heap of that training is online at Pluralsight. Pluralsight is online training; costs you about a dollar a day. And look, honestly, if you’re not going to make an investment of a dollar a day and some time, you’ve really got to reassess your priorities.

How do you think businesses can better engage third-party security researchers?

Well I think the major thing that comes to mind is that there are a lot of external parties—like myself—who are often finding either vulnerabilities or exposed data floating around, and I think the engagement that I’d really like to see from companies is, first of all, to be contactable. And what I mean by that is to actually make it easy for external parties to get in touch. The number of times I’ve been struggling and struggling to find a contact at an organization so I can actually report a data breach there is just crazy. 

There are initiatives out there like “security.txt”. Security.txt is a proposed standard which is literally just a text file in a constant path on a website which has security contacts in it. If you go to haveibeenpwned.com/security.txt there’s a text file and it says “hey, here’s how to get in touch with me”; “here’s how to encrypt your communications if you want to”. It shows a willingness to receive feedback from the external community, which is really important.

I think that mindset as well—recognizing that security incidents do happen, that your organization is going to be subject to them at some time or another, and being willing to receive outreach from the community in a receptive fashion—is really important. Very often people will just be met with standoffish behavior; with an organization thinking it’s a shakedown. Unfortunately, the way some people approach it, sometimes it is a shakedown, so that’s a problem too! But recognizing the value of community is really important. 

Tesla’s actually got a really neat vulnerability disclosure web page which says something along the lines of “We value the security researchers who are out there. We commit to responding to you in 24 hours. If you follow this guidance we won’t take any action against you if you’ve found something nasty…” And it’s guidance like “don’t take our customer data” or “don’t change our data”. You read it and go like, yeah, that’s pretty reasonable.

On the “contact us” page have a link for security…even something like that. Just make it easy for people wanting to do the right thing to actually do the right thing. You know, in so many cases we’ll see a security researcher do something like dump all the data publicly because they say “I didn’t think the organization would take it seriously.” And the sad thing is: Often they’re right. And that’s not the outcome you want.

Let’s move from enterprise issues to the political and legal aspects of data breaches. You’ve said in interviews and even congressional testimony that the general trend of data breaches is that the problem is just growing and will probably continue to grow. Some of this is probably driven by lax development, maybe around IoT products being rushed to market, for example. Some of it is just companies not taking the issue seriously. And some of it might be the fact that so many companies are just sucking up as much data as they can as their standard operating procedure. On a macro level, then, do countries like the United States need to follow the EU in implementing something like GDPR—some kind of law that has the teeth to compel companies to take security a little more seriously?  

I think at a high level there needs to be a bit of enforcement and a bit of incentivization. 

GDPR, from an enforcement perspective, is good. I do lament the fact that it’s a regulation from one corner of the world that provides protections to some friends of mine but provides no protection to me as an Aussie. I feel a little bit sad about that! So I would really like for such a global piece of infrastructure as the Internet to have more unification. 

Australia is particularly bad with things like their Notifiable Data Breach scheme, which is literally, quantifiably, ten times worse than GDPR in many ways. For example, with GDPR you’ve got to report a data breach to your local regulators in 72 hours—in Australia it’s literally ten times longer, which is just crazy.

But I’d also like to see stronger incentives for organizations to do the right things in the first place. One thing which comes to mind—which might be a bizarre thing to hear me say—are things like cyber-insurance, which is actually providing really interesting incentives. More and more companies are really recognizing they might have a data breach and that they need cyber-insurance. But if premiums are priced commensurate to risk, and organizations are actually incentivized to do things which will reduce their risk footprint, because they literally save money, then that’s great. So I like those incentives which kind of drive organizations to do the right thing in the first place.

Last question: what’s on the horizon for HIBP and for your work? In June you announced Project Svalbard, an initiative to find a new home for HIBP via an acquisition…

That process is still charging ahead. We are getting toward the end of it. My sincere hope is that in October we’ll be able to announce the outcome. There are still several different possible ways it could go but we’re sort of starting to filter those down to a much narrower set, which is good. 

I’ll be going with it, so wherever HIBP goes, I’ll still be a part of it. 

My hope is, and that’s certainly what I’m aiming to do with this process, that we take it to somewhere that can fund it better, that can get better use out of the data that’s in there, that can help me process a lot more of the data (we’ve got a really cool plan for that which has had a lot of support from all the parties we’ve spoken to). 

I want to see a lot more people knowing about this. And I want to really try to make an impact on the data breach scene in a much more positive way. 

There are several aspects to that. I would like all of these sets of data that are floating around (being traded between, a lot of the time, just kids) to bubble up to the surface.

I’d like for organizations to know about their data breaches. I’m in the middle of two disclosures at the moment with data that’s been floating around for ages…and the companies didn’t know anything about it until I contacted them! That shouldn’t be the case.

I’d like much better protections for people who come forward with data, and I’d like a much more consistent, agreed industry standard for how we do things like try to reach out to organizations. Fortunately, the two I’m talking to at the moment were kind of responsive. But you know, if I don’t hear from anyone after a week of trying to contact them through published contact details…what should I do? At the moment—a lot of the time—people end up going, “Oh, it’s too hard” and the data gets out and it floats around. They don’t necessarily go public like I could at HIBP, because they’re worried about the ramifications for them as individuals: Will I get into legal trouble if I publicly come out with this data breach?

So I think there’s a lot we can do, and it might just be sort of reflective of the industry needing to mature a little bit, because obviously technology and infosec have moved ahead faster than a lot of legislation has. I think we’ve got to find better ways of doing this.

To learn more about Troy Hunt and his work, or to see a schedule of upcoming talks, visit his website or follow him on Twitter. To see a catalog of Troy’s online courses, visit his Pluralsight author page.