Security Awareness Training

    The Human Factor in Cybersecurity: Q&A with Troy Hunt

    Too many organizations still “tick the box” on security awareness training instead of providing ongoing training and “out of the blue” phishing attack tests.

    by Mercedes Cardona

    Key Points

    • The sudden, rapid transition to work-at-home mostly went better than most organizations had a right to expect during the COVID pandemic.
    • But cybersecurity responsibilities had to change, for both organizations and employees — and will continue to evolve.
    • Looking at human factors is critically important: people will find workarounds for really well-secured technology that presents a terrible user experience.
    • There’s still too much misconfiguration, lack of password management tools — oh, and company database backups just sitting, publicly exposed, on the web.

    Despite the pivot to remote work during the coronavirus pandemic, the basic practices of cybersecurity remain the same, says Troy Hunt. The challenges to organizations still revolve around core practices like patching vulnerabilities and using better passwords, says the cybersecurity expert, who launched Have I Been Pwned? — a website that lets users check whether their online credentials have been compromised — in 2013. He is currently working on a book, tentatively titled Pwned, that grew out of his blog, where he discusses issues in cybersecurity. Written with tech writer Rob Conery, the book is due out later this year.

    Mimecast spoke to Hunt from the relatively COVID-safe Gold Coast of Australia about the changes brought on by remote work, the new normal in data breaches and the shared responsibility of users in maintaining cybersecurity.

    Mimecast: How prepared were enterprises to tackle the cybersecurity challenges of working remotely?

    Troy Hunt: We haven't seen mass issues that have had major impacts on businesses and individuals as a result of moving online very quickly. We've certainly seen many incidents that have been noteworthy. The thing that comes to mind is all the Zoom-bombing. Suddenly we had all of these individuals and organizations thrust into using processes and tools that they had no experience with and no time to properly learn and train on. But we got on top of that very quickly.

    In fact, if we think about some of the really noteworthy malware that we've seen in the past, something like WannaCry, we've suffered a lot more from malicious software pre-COVID than we have from suddenly getting everybody online very quickly.

    Mimecast: Has more of the responsibility for cybersecurity moved onto the employees working remotely?

    Hunt: Everyone has had to take more responsibility in different ways, both individuals and organizations. Certainly, individuals have had to take on responsibility that they didn't have before in terms of securing their work environment, which is now their home. I often relay the story of when my son had to start homeschooling. I was actually very impressed how a collection of 10-year-old boys was able to adapt so quickly. But I was also quite amused on one of the first Microsoft Teams meetings they had, watching the father of one of the boys walk around in the background, having a business call very audibly over the connection.

    We all had to learn very quickly and under duress, but it does feel like we got on top of that very quickly. Because ultimately, I don't think it's a hard concept for individuals to think about the security of their physical environment.

    Mimecast: Now that we're starting to emerge from lockdown, is there a new threshold for cyber preparedness? Do we need to change cybersecurity training?

    Hunt: I would imagine that any security training done today would have a much greater emphasis on the security implications of working outside the physical corporate environment. The simple concept of who else is in your immediate vicinity when you are on a phone call — things like that would surely have to feature more prominently than they did before.

    What are the risks which now have greater emphasis than before? If people are working from home, they've got devices that other people might get their hands on. We don't, as an organization, have control anymore over the physical environment in which people are doing the corporate work. So what do we need to be conscious of, in terms of securing the endpoint? Someone's got a computer at home; how many different crazy USB sticks are they going to stick into there? It’s going to sit on their home network with all the unpatched IoT stuff; how do we protect against that?

    The likelihood of someone physically picking up a device and misappropriating it changes as well. I don't necessarily know that it gets worse. Plenty of stuff gets stolen from the corporate environment.

    There are now all of these factors which are at greater arm's length from the corporate remit of IT and security than they were before. That would surely have to factor in, and not in just the way we do our training, but the way we actually configure our SOCs, and our monitoring and everything that goes with it.

    Mimecast: Do we need to have more of an emphasis on human factors, like "Don't have sensitive conversations while your kid's on Zoom"?

    Hunt: One of the things that's most noteworthy about the changes in security over the last year has been the human side of it, and particularly the social engineering and the phishing side of it. Where the boundaries are defined between work and home is another thing that, of course, is much trickier when you're at home. Many organizations say: "Look, it's appropriate to use social media during your lunch break. This is part of making it an attractive environment to be in." Well, what happens when you're at home? Where is the boundary there? Because it often becomes a lot more blurred.

    This does come down a lot to human behaviors. We know that very often we in IT security build all of these wonderful technical controls and then a human goes and screws it up because they do something stupid. That hasn't changed; that has actually become more important than it was before.

    Mimecast: We’ve seen more automation used in security, but have we become too reliant on those tools?

    Hunt: It's difficult to say that we're too reliant or not reliant enough. Instead, we've just got to recognize that there are multiple factors here. There are digital controls, and the other part of the solution is the humans. I fear that very often security professionals do get very focused on technical controls alone, very often at the expense of the humans. I will give you a perfect example of this: If we look at something like two-factor authentication, it is a fantastic technical control. Even SMS-based two-factor authentication is fantastic, compared to a single-factor authentication. So people really want to push this and that's great. But the problem is: it is an absolutely terrible user experience.

    Very often as a result of impacting usability we weaken the overall security posture, because people take shortcuts around it. There's a really, really fascinating area of our industry, which is to look more holistically at security in terms of what is the human impact of it.

    Mimecast: You discussed a number of recent data breaches on your blog. Are we having a surge or just noticing them more?

    Hunt: If we look at the factors that drive data breaches, we realize that yes, we are, and there are some very good reasons for that. One reason is that we have more systems than ever. We are putting more and more websites online. We're putting more and more backend services online than we ever have before. That is just the nature of growth. We're putting things online much faster than what we're taking offline.

    We've got more people online, not just in markets like the U.S. and Australia. Particularly when you look at these emerging markets, which still have comparatively low proportions of the population online, they're growing very, very rapidly. We're connecting more things, too. I have more than 100 IP addresses in my house. I'm a bit special; I have been doing a lot of IoT automation stuff, so there are more things in my house.

    The cloud has created the ability to put huge volumes of data online very quickly and very cheaply — and screw it up very quickly and very cheaply. A lot of the data breaches in “Have I been Pwned?” are from things like misconfigured S3 buckets or exposed MongoDBs without a password. We didn't have that problem 10 years ago.

    I'm sure that if we have this discussion three years from now, we will make the same observation, that it feels as though there are more data breaches than ever.

    Mimecast: What would you suggest are the best practices to protect systems as we adjust to this new normal?

    Hunt: It's all the same old things that we've been saying for many, many years. That is, everything from giving people the tools to create strong passwords — things like password managers — to keeping systems patched and updated, through to the education piece, through to the monitoring of networks. One of the things that I see many organizations not able to do is to identify when large amounts of data egress through the network. Most organizations don't know when someone's just siphoned off terabytes of their information.

    I don't think that there's anything too new at the moment, other than perhaps a greater emphasis on security in a remote office environment.
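    The egress-monitoring gap Hunt describes, as an added example that is not part of the interview: a minimal bulk-egress detector that compares each host's daily outbound volume against its own history over constructed NetFlow-style records. The record layout, hosts, volumes and thresholds are all assumptions.

```python
"""Flag hosts whose outbound byte volume is far above their own baseline.

Added example (not from the interview): runs over constructed flow records;
field layout and thresholds are assumptions, not a product's API.
"""
from collections import defaultdict
from statistics import median

GB = 10**9

# Constructed sample: (day, src_host, dst_ip, bytes_out) for internal hosts
# talking to external addresses. 10.0.0.7 normally moves ~2 GB/day; on day 8
# it pushes 1.5 TB to a single external address. 10.0.0.8 is a legitimately
# busy backup server whose volume barely changes, so it must NOT be flagged.
FLOWS = [
    *[(d, "10.0.0.7", "203.0.113.10", 2 * GB) for d in range(1, 8)],
    *[(d, "10.0.0.8", "198.51.100.5", 50 * GB) for d in range(1, 8)],
    (8, "10.0.0.7", "192.0.2.44", 1500 * GB),
    (8, "10.0.0.8", "198.51.100.5", 52 * GB),
]


def daily_egress(flows):
    """Sum outbound bytes per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, nbytes in flows:
        totals[src][day] += nbytes
    return totals


def flag_bulk_egress(flows, day, ratio=10.0, floor_bytes=100 * GB):
    """Return hosts whose egress on `day` is more than `ratio` times their
    prior-day median AND above an absolute floor, so a quiet host going from
    1 MB to 20 MB does not trip the alert but a terabyte siphon does."""
    totals = daily_egress(flows)
    alerts = {}
    for host, per_day in totals.items():
        today = per_day.get(day, 0)
        history = [b for d, b in per_day.items() if d < day]
        baseline = median(history) if history else 0
        if today >= floor_bytes and today > ratio * max(baseline, 1):
            alerts[host] = {"bytes": today, "baseline": baseline}
    return alerts


if __name__ == "__main__":
    for host, info in flag_bulk_egress(FLOWS, 8).items():
        print(f"ALERT {host}: {info['bytes'] / GB:.0f} GB out "
              f"(baseline {info['baseline'] / GB:.0f} GB/day)")
```

A per-host baseline like this is the point: a flat byte threshold would either page on the backup server every night or miss the siphon entirely.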

    Mimecast: What's the most often overlooked cybersecurity risk: is it not keeping up with patches and updating your software?

    Hunt: I think one of the things that I see most frequently now is misconfiguration, particularly around security posture. I would include within misconfiguration weak credential use, as well as a complete lack of credentials in some cases. We see a lot of database backups sitting there in publicly facing websites.

    When I run my workshops (which are private, and I can show some things I probably wouldn't show publicly) I show how easy it is just to find database backups sitting there on the Internet. It's just a Google search. A simple, little Google search and you find all of these database backups sitting there in a folder, on a website, often called "Backup." You go to the website, forward-slash "backup" and hey, here's gigabytes and gigabytes of database backups.
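    The defender-side check for the problem Hunt describes, as an added example that is not part of the interview: a self-audit that walks a web server's document root and lists anything that looks like a database backup, since a file under the document root is served to anyone who guesses the path. The filename patterns, directory names and the constructed sample tree are assumptions.

```python
"""Audit a web document root for database backups that would be served verbatim.

Added example (not from the interview): builds a constructed document root in
a temp directory and reports dump-like files and anything under a directory
named like 'backup'. Patterns are assumptions; extend them for your stack.
"""
import os
import re
import tempfile

# Common dump/backup extensions (assumed list) and directory names to treat
# as backup folders wherever they appear in the path.
BACKUP_EXT = re.compile(r"\.(sql|bak|dump|sql\.gz|sql\.zip|tar\.gz|mdb|bacpac)$", re.I)
BACKUP_DIR = re.compile(r"^(backup|backups|bak|dump|db|old)$", re.I)


def find_exposed_backups(webroot):
    """Return [{'url_path': '/backup/x.sql.gz', 'bytes': n}, ...] sorted by path."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        in_backup_dir = any(BACKUP_DIR.match(p) for p in rel_dir.split(os.sep))
        for name in filenames:
            if in_backup_dir or BACKUP_EXT.search(name):
                full = os.path.join(dirpath, name)
                url = "/" + os.path.relpath(full, webroot).replace(os.sep, "/")
                findings.append({"url_path": url, "bytes": os.path.getsize(full)})
    return sorted(findings, key=lambda f: f["url_path"])


def build_sample_webroot():
    """Constructed document root: two harmless files, three exposed backups."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "backup"))
    samples = {
        "index.html": b"<html>hi</html>",
        os.path.join("images", "logo.png"): b"\x89PNG",
        os.path.join("backup", "customers_2020.sql.gz"): b"\x1f\x8b" * 512,
        os.path.join("backup", "readme.txt"): b"weekly dumps",  # flagged by folder
        "site.bak": b"-- MySQL dump",                            # flagged by extension
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for f in find_exposed_backups(build_sample_webroot()):
        print(f"EXPOSED {f['url_path']} ({f['bytes']} bytes)")
```

The fix for each finding is to move the file outside the document root (or delete it), not to rely on directory listing being off; the path is still guessable.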

    Mimecast: What would you advise an organization that wants to develop an effective security awareness program for its employees?

    Hunt: One of the problems that organizations have is they don't look at this as a continuous exercise. They look at it as a one-off exercise on some sort of a regular cadence, normally annual. That's obviously not a good thing. I like the security programs where organizations get continuous training around things like phishing. I love the simulated phishing attacks that just happen out of the blue at any time. It keeps people on their toes.

    I really dislike the approach that many organizations have of this being an exercise to tick a box, to satisfy a compliance officer such that if something goes wrong later on, they can say, "Well, we did our best. We did the training. They must have done the training; they signed off." That keeps lawyers happy and it ticks a box, but it really doesn't do a lot of good in practice.

    Mimecast: Considering that so much risk comes down to human nature and the way people do their jobs, how responsible can IT ever be for cybersecurity?

    Hunt: My view of security is that it's always going to be a shared responsibility. A good example of this is if you go to Twitter and you search for "Netflix hack" and have a look at all the results. All of these people tweeting things like: "Someone hacked my Netflix and they put all of the language in Spanish. Can you please stop doing this?" I'll laugh a little bit and say: "You know, this is not a Netflix hack. You've got a stupid password." I'll put it in presentations and people turn around and say: "Oh, you're victim-shaming."

    Well, hang on a moment; they have some responsibility here. I think organizations like Netflix have a responsibility to try and reduce the prevalence of credential stuffing and attackers logging in with the username and password of the victim. But it is a shared responsibility. Both parties have a role to play.
