I had a chance to speak with Sean Wright, one of the UK’s foremost experts in information security and the chapter leader of the Open Web Application Security Project (OWASP) in Scotland.
What’s your background and how did you get started in cybersecurity?
I am one of the co-leaders of the OWASP Scotland chapter and I work for a large company in their engineering department. I’m responsible for the online security applications, secure app development, documentation reviews, and all of that is what I’m primarily focused on. On my own time, I do a bit of research and interaction on cybersecurity side projects. I started tinkering with things on the side, but initially, there wasn’t much in terms of cybersecurity jobs - nor was my experience that much. So, I was a developer for numerous years. Then I got offered a job at my current company as a developer, which has acted as sort of a springboard for getting into security.
You work remotely. What do you find are the challenges of that? How do you secure your devices outside of the office?
When it comes to work itself, our company provides everything I need. I don’t know all of the details, I just leave that up to them - since I have little control over this, and it lies outside my responsibilities. When it comes to my personal stuff, I do get a bit paranoid. I use AlienVault (their free version) and additional layers of security, such as Pi-hole. The only thing I cannot secure as I’d like is my router, because of my provider. At home, I use a private VPN, along with Proton VPN. So if there’s some issue with my home VPN, I can just switch to that. When traveling, there are things like Bitdefender, but in reality, I mainly just use Linux when I’m away.
So would you say that a VPN would cover the majority of cybersecurity issues when not at home?
Yeah. One of the things that is scary is that I used a WiFi Pineapple in a hotel lobby once. I wasn’t even trying to spoof any networks - I was just setting up an access point for my own use. And within about five minutes, I already had five clients connecting to it. The other trouble with wireless is that devices constantly ping for wireless networks. So if you’re already connected to a free, open hotspot, your device will constantly ping and try to connect to that. If you have something like a WiFi Pineapple, it can then automatically set up a spoofed wireless hotspot. As a user connected to a public network, you probably would want to use a VPN - and then your traffic would be routed through that.
Let’s say that you’re connected to one of these spoofed hotspots, but you’re using a VPN on your device. Will this protect you or leave you vulnerable?
If your traffic is going over a VPN and you are connected to one of these spoofed hotspots, all of the traffic will be encrypted. The hacker can still view the traffic, but it will be garbled. That’s why things like Transport Layer Security (TLS) are also important, because it’s end-to-end encryption. So even if, say, you weren’t using a VPN, but you are using TLS - that’s also encrypted. The hacker wouldn’t be able to make anything out of the data being transferred.
What would you say is the biggest risk that you see with modern cyber threats?
For me, the biggest potential for flawed systems comes in the setup and maintenance of databases. In the past, nearly everything was hosted locally (within the organization’s data center) and even if you screwed up the configuration for that, the likelihood of any data being publicly exposed was low. Fast-forward to today when you have the cloud, and you can see time and time again, people bring databases onto cloud infrastructure and don’t configure them correctly. Suddenly, your database is publicly exposed. Things like MongoDB and Elasticsearch are getting better in terms of security, but initially they weren’t secure by default. These databases have no default security defenses, like authentication and authorization. Then, when they’re exposed to the internet, suddenly all of the data is publicly accessible without any authentication. So anyone with relatively basic technical skills could get the data. It’s that simple.
How do you think most of these errors occur? Is it a lack of knowledge, or is it just easy enough to make a misstep?
I think it’s their lack of knowledge, but it’s also their asset management. We can see time and time again that companies aren’t keeping a good strong list of their assets, including which services they have, which ports things are running on, and what’s accessible where. If you have strong asset-management and detection, then you would detect that something is misconfigured and can address it as soon as possible. More often than not, though, it is not the company finding these instances - it’s someone else telling the company.
That can be disconcerting for companies, for sure. But for the average internet user, what’s your best advice so that they can protect themselves, so that even if they are included in a database that is leaked, they could mitigate the possibility of threats?
There are some things that you can do. Make sure you regularly check Have I Been Pwned. It’s a service that will notify you when a breach has occurred with your credentials (e.g. email address and password). It is not always instantaneous, but it’s certainly a means of detecting if your details are part of a breach. Credit monitoring is also very useful because many breaches could be used for, at the end of the day, financial gain on the hacker’s end. Another thing that can be useful for a hacker is to use the leaked data in phishing attempts. It’s important to be mindful of emails from websites when they ask you to update your account details or re-enter your password. One of the biggest giveaways to look for is spelling mistakes, actually. For most, English is not their native tongue, so they often make pretty obvious grammatical errors as well. If you are unsure, go directly to the site (type the URL into your browser rather than clicking a link from the email).
That’s very good practical advice. What currently frustrates you the most in the world of cybersecurity, and what would you do differently?
It’s all too often that security is an afterthought. Databases should be secure by default, rather than reactively secured. With the cases popping up in the media all of the time now, the message should be getting across that they need to start taking security seriously. Another thing is when companies take offense after a researcher discloses something to them. They need to realize that it’s not a criticism of their company. They need to work with the researcher to solve the issue, because s/he’s helping them. The researcher could’ve easily gone off and sold it on the dark web or whatever, so they’re actually helping the company out. And the company needs to also make sure that they work with the researcher, and at least give them a simple thank you. I’ve worked on a few of these cases and that’s why I am frustrated with the status quo on this. In the last two years, I’ve probably found about five or six issues, and I have yet to get a thank you. [laughs] Denying the problem doesn’t make it go away.
What do you do when you’re not trying to secure the world?
I’ve got a family, so spending time with the family is priority - but I’ve admittedly not been doing that great of a job lately. So I need to focus on that a bit more. Also, going out for walks and such. Some online gaming. I’ve tried golf and failed horribly, though.