Why do you believe it is important to have open source security software? Wouldn’t that make it easier for hackers to crack the code?
Yes, and this is a good thing! Open source is especially important for core security functions precisely because everyone can take a look at how the security is actually implemented. Hackers, researchers, academics, tinkerers — when everyone can see how security works, everyone wins. People can learn from both good implementations and bad, vulnerabilities can be discovered and disclosed before and while bad actors are exploiting them, and ultimately, open source can help promote a clear, concise, maintainable code base.
What are some easy security protections for companies to implement, especially companies that have never dipped their toes in any kind of security investment?
Companies who are new to the software distribution game should look to assembling, rather than inventing, their own software. Using standard libraries and frameworks can solve many “old” and “easy” computer security problems before they come up. While there are occasional cross-library vulnerabilities, the path of writing one’s own control software opens up a Pandora’s Box of unsanitized input and buffer overflows. Modern application frameworks tend to do a pretty good job at helping developers avoid 99 out of 100 “gotchas” in secure design.
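The "unsanitized input and buffer overflows" point above can be made concrete. The following is an added example, not code from the interview or from Rapid7: a hand-rolled routine that copies a field out of a request line into a fixed buffer, next to a bounded version that leans on the C standard library. The function names, the request-line format and the sample inputs are constructed for illustration.

```c
/* Added example (not from the interview): hand-rolled field extraction
 * with an unbounded copy, beside a bounded version built on the standard
 * library. Names and the "name;attrs" line format are hypothetical. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* Hand-rolled: copies bytes until the ';' separator with no bound on dst.
 * A name of NAME_MAX bytes or more writes past the end of the buffer. */
int extract_name_unbounded(const char *line, char dst[NAME_MAX]) {
    size_t i = 0;
    while (line[i] != '\0' && line[i] != ';') {
        dst[i] = line[i];   /* no check against NAME_MAX */
        i++;
    }
    dst[i] = '\0';
    return (int)i;
}

/* Bounded: strcspn measures the field, the length is checked against the
 * buffer, and snprintf does the copy with a hard size limit. Returns the
 * number of bytes stored, or -1 when the input does not fit, so the caller
 * rejects it instead of silently truncating or overflowing. */
int extract_name_bounded(const char *line, char dst[NAME_MAX]) {
    size_t len = strcspn(line, ";");   /* length up to the separator */
    if (len >= NAME_MAX) {
        dst[0] = '\0';
        return -1;                     /* oversized input: reject */
    }
    snprintf(dst, NAME_MAX, "%.*s", (int)len, line);
    return (int)len;
}

/* Pre-check a line before touching any buffer: 1 if the field fits. */
int name_fits(const char *line) {
    return strcspn(line, ";") < NAME_MAX;
}

int main(void) {
    char buf[NAME_MAX];
    /* Constructed sample inputs */
    const char *ok = "alice;role=user";
    const char *too_long = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;role=user";

    printf("%d %s\n", extract_name_bounded(ok, buf), buf);   /* 5 alice */
    printf("%d\n", extract_name_bounded(too_long, buf));     /* -1 */
    /* extract_name_unbounded(too_long, buf) would overflow buf, which is
     * the defect the bounded version exists to prevent. */
    return 0;
}
```

The unbounded version is the kind of "control software" a team writes when it avoids existing parsers; the bounded version shows that the fix is not cleverness but delegating measurement and copying to library routines that already carry a size argument.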
With ransomware crime on the rise, how can everyday citizens protect themselves against being “held hostage?”
The security industry, as well as regular IT industry, has been advocating reliable backups for decades in the context of sudden and unpredictable disaster. A silver lining to the ransomware threat is that it helps promote the idea of backups in the face of malicious, rather than merely accidental, disaster. My hope is that ransomware is the emotional kick that people need to actually take backups and distributed data storage seriously.
What do you predict will be the next major issues in cybersecurity? What industries or devices are particularly vulnerable?
Distributed, malicious computing using a network of popular but insecure IoT devices seems practically inevitable; in particular, the massive install base of small office / home office (SOHO) routers. The problem with a router-hosted botnet is that these devices often don’t have a reasonable patch pipeline, so such infections can last a long time — potentially much longer than standard desktop and server malware.
We saw a hint of this in the “HackCensus” of 2012, where an unknown person temporarily took control of hundreds of thousands of insecure home routers to conduct mass portscanning. While the Carna botnet seems to have been short-lived, it’s only a matter of time before this large, installed base of ready-to-pwn devices gets marshaled into malicious computing again.
Tod Beardsley is the Principal Security Research Manager at Rapid7. He has over 20 years of hands-on security knowledge and experience, reaching back to the halcyon days of 2400 baud textfile BBSes and in-band telephony switching. Since then, he has held IT ops and IT security positions in large footprint organizations such as 3Com, Dell and Westinghouse, as both an offensive and defensive practitioner. Today, Beardsley often speaks at security and developer conferences on open source security software development, managing the human “Layer 8” component of security and software, and reasonable vulnerability disclosure handling. He can be contacted via the many addresses listed at https://keybase.io/todb.