Paul Love, CO-OP’s Chief Information Security Officer, and Veronica Desrosiers, VP of Enterprise Risk Management, attended DEF CON, the hacker conference, in Las Vegas last month. If you aren’t familiar with DEF CON, imagine roughly 20,000 hackers, media folks, government and law enforcement agents, security experts and security-industry vendors under a single roof, all there to witness the state of the art in the inglorious world of hacking.
Every year, DEF CON seems to generate news. This year, hackers went to work on voting machines: in less than an hour and a half they had broken into the voting machines DEF CON set up, and they found more than one way in. Also in the news: Marcus Hutchins, the hacker who stopped the spread of the WannaCry ransomware by registering its kill-switch domain, was himself arrested by the FBI after attending DEF CON.
How did two serious security experts navigate this environment? Here’s what they had to say:
What was your first impression?
Veronica: Going in, my expectation was that this would be just another typical security conference, where I’d learn more about what security attackers and defenders are doing in the security space, so we can continue to mature our controls to meet evolving threats. I’ve been to many conferences, and expected the usual “professional and organized” type setting. Within the first few minutes there, I knew I was in for an adventure.
Day one was interesting. I felt reluctant, and a little uncomfortable, if I’m going to be honest. This was by far the largest conference I’ve ever been to, and while it was organized, it was more like organized chaos. I was literally amongst hackers – people who may be the adversaries that we’re trying to protect ourselves from. By day two, I was feeling more at ease and was ready to embrace the chaos.
Being there with Paul was certainly helpful. As a veteran of the conference, he provided some history and context. For example, I didn’t know that these types of conferences used to be very hidden, and held in secret locations. To go from that to one of the largest conference centers in Las Vegas is pretty remarkable, and a cool opportunity for me. Ultimately, while I would say it didn’t meet my original expectations, it certainly exceeded them overall.
Paul: This is my fifth one, so I already knew what to expect. You see a mix of well-intentioned and malicious hackers, police officers, corporate security people, and some bad and nefarious people as well. The conference is organized around technical talks and “hacking villages,” where attendees can learn about issues and try things out for themselves. Some of this year’s villages were about car hacking, the Internet of Things, lock picking, social engineering and voting.
What did you hope to learn?
Paul: I learn something different at every DEF CON, especially how the security controls that are in place are being tested by the community to help make them more secure.
Veronica: I saw demonstrations on security controls like physical locks. The presentation was about how locks work so that people understand how to put in better locks, and how reliance on weak controls is dangerous and gives a false sense of security. During the demonstration, we saw how a lock could be defeated in seconds. I’ve obviously never thought about trying that before, but with help I was able to see how something everyone relies on can be defeated easily if it’s not a strong control. It makes you think about security and how vulnerable we all can be.
Paul: That’s an important takeaway. We were there to continue to understand the threat environment and how attackers are looking at our systems, to get into the mindset of the hacking community.
What surprised you?
Paul: This year we saw a lot of signs that the hacking community is becoming more of an industry. There’s something called Crimeware as a Service (CaaS). It’s hacking software and services that anyone can buy and use to become a hacker. So if, for example, a malicious person decided they wanted to target someone or a group of people, they could buy crimeware with full support and tutorials and create mischief.
What’s surprising is not only that this software exists, but if you buy the software and you can’t get it to work, there’s a telephone support number you can call and they’ll walk you through it. People are reviewing the software and rating it. And this is a fairly small universe, so a negative review can really hurt a company. As a result, they’re very service-oriented.
So basically anyone can become a hacker now. It’s like franchising: You can buy a turnkey system. You even get good customer support.
If that’s so, how do you protect yourself and your family – or a company like CO-OP?
Veronica: That’s definitely what comes to mind when you see these things. Now that I know how easy it is to defeat something that seems secure like a physical lock, I’m taking another look at my front door. You gain a totally different perspective on security when you apply it to your personal life – it’s a definite game changer when you start thinking about protecting your family or home. I also think the personal perspective is a more effective way of communicating these ideas back to our colleagues at CO-OP, ensuring that we are all active participants and champions of security. The responsibility of keeping our members’ data secure is a very serious one.
Does what you saw at DEF CON change the way you approach security at CO-OP?
Veronica: Absolutely! It helped me understand the impact that hacking, in all its forms, is having on security. From lock picking to social engineering, we are all vulnerable. We can’t let our guard down – not as individuals, not as an organization.
Paul: That’s true. We’re continuously improving our information security controls and processes in light of emerging threats. We’re working with our partners in risk and through other inputs such as this conference.
But much of what we do is constant. We’re adding technical controls to help supplement the processes we already have, and employee awareness is one of the key things. We’re counting on continued vigilance on the part of employees – not clicking on links in emails, not clicking on attachments. When you get a call, you should be cautious. We all have to do business: We respond to email and we talk to people by phone. But we can still be careful and follow basic rules to keep ourselves, our loved ones and our company more secure.
Did you leave feeling that we as an industry are doing a good job on info security? Or do we have a lot to learn?
Paul: It’s a little like seatbelts were in the 1970s. Nobody used to wear seatbelts. But then, in the 1970s, public awareness grew. Now, if I get into a car without putting on a seatbelt, I feel uneasy. Wearing a seatbelt is just something we do now.
That’s where we need to go with security practices. We want to get employees to feel that security is something we do. That goal is accomplishable, but we’re still getting there.
What about members?
Paul: Security and IT professionals have not made security simple for average people.
Most people don’t know what all the parts of their cars are, or how they work. They can still drive a car safely if they follow certain basic rules: obey traffic laws, maintain their brakes, keep the tank full of gas. It should be the same with information security. The average consumer may not understand all the working parts, but they should understand the basic principles of keeping their data safe – at home and at work. This is something that we are continuing to strive for in our internal program and in working with our customers.
To stay on top of the latest fraud news, make sure you tune in to FraudBuzz every month.