Challenge Underlying Security Assumptions

Author: ISACA
Date Published: 11 November 2021

Editor’s note: Ted Harrington runs Independent Security Evaluators (ISE), the elite security researchers who pioneered car hacking, were first to exploit the iPhone, first to exploit Android OS, pioneered medical device hacking, and run hacking event IoT Village. Harrington will be a keynote speaker at ISACA’s EVOLVE emerging tech virtual conference, taking place 16-17 November, and he recently visited with ISACA Now to share his perspective on understanding attackers and the emerging tech landscape. The following is a transcript of the interview, edited for length and clarity:

ISACA Now: How did you arrive at your understanding of how attackers think?
By studying them. A security researcher’s job is to find security flaws in a system in order to help drive security improvements, either in that system or more broadly in the impacted industry (or both). In order to find those flaws, we need to think like attackers think. The way to do this is by asking lots of “what if” questions, challenging underlying assumptions, and – very importantly – understanding motivation. Personally, I’ve always been drawn to understanding why people do the things they do and what motivates their decisions. This applies not just to ethical people, but also to attackers and malicious types.

ISACA Now: How are emerging technologies most impacting the threat landscape?
The only constant is change. Everything that changes fundamentally impacts attack scenarios. Whether that’s changes in the tech itself, marketplace conditions, or attacker methods, every moment of change impacts how things will be attacked and what we need to do to defend them. So, in its most simple sense, emerging technologies introduce new ways to be attacked. That said, it’s not all doom and gloom – after all, new technologies deliver tremendous benefits and we should constantly be driving for better. The takeaway is simply that with change comes the need to reconsider how a system might be attacked. That should not be a deterrent from innovation, though.

ISACA Now: What is your view on the security outlook for self-driving vehicles?
I’m very optimistic. The stakes are of course ridiculously high because we are talking about human lives being at risk if the security of a self-driving system fails. However, for that very reason, both the companies building these systems and the security research community are all very interested in addressing this problem. As always, there is risk – and in some cases, massive risk – of how this new tech could result in bad outcomes. But I believe in the work of the community of ethical hackers and security researchers focused on this and think self-driving cars will be viable from a security perspective. The obvious assumption implied here is that the companies building these systems need to invest the time, effort, and money in actually working on building secure systems, which I am hopeful they will do.

ISACA Now: What is the best approach for enterprise leaders to take in calibrating their security investments?
First and foremost, throw off the nonsensical shackles that hold almost everyone back. Most companies establish their security budgets by finding out how much they can obtain certain products and services for and using those quotes to set their budget, without realizing that they are basing this on the cheapest end of the market. Security is like anything worth doing: you get what you pay for. So, when a budget is based on the cheapest approach, you get the cheapest outcome. Not exactly the best way to think about how to secure the high-value assets that enterprises protect. Instead, I recommend leaders benchmark their security budgets on one or more of three methods: by overall software development budget, by headcount, or by revenue. In Hackable, I outline percentages that should be allocated based on those various benchmarks.

ISACA Now: What do you think security excellence should look like for companies in 2022 and beyond?
A few principles: 

  • Start with the right mindset and the right partner
  • Choose the right assessment methodology
  • Get the right testing
  • Hack your system
  • Fix your vulnerabilities
  • Hack it again
  • Spend wisely
  • Establish your threat model
  • Build security in
  • Win sales

Each of these is explained in depth in Hackable!