This week, the RSA Conference draws its annual pilgrimage of data security professionals seeking insights on market and technology trends. As a seed-stage security investor in this industry, it has been my job to predict the future of cybersecurity, so now’s a good time to share two important rules that have served me well:
(i) Follow the Money: what’s the most lucrative opportunity emerging for hackers today? Identify the hacker’s next big opportunity, and you know who will need to respond! This rule, for example, steered me toward spam in 2002 (Postini), online banking theft in 2004 (Cyota), geopolitical warfare in 2009 (Endgame) and DDoS attacks in 2013 (Defense.Net).
(ii) Where There’s A Way There’s A Will. Physicists know that if a natural phenomenon can exist, then most likely it does. The cyber corollary is that vulnerabilities in the wild WILL be exploited – it’s only a matter of time. Poisoning the DNS, using the cloud to factor large numbers, and streaming smartphone microphones were all considered theoretical attacks, until they weren’t. Whenever we dismiss vulnerabilities as too difficult to exploit, hackers eventually humble us with their ingenuity.
Just this week we saw two important examples of this rule in action. The first is Apple’s confirmation of a glaring deficiency in their implementation of SSL, which means we’ve been kidding ourselves about how secure the Mac and iPhone really are. The software engineers at Apple are mortal, and just as prone to the inevitable security lapses that plague any complex system.
The second example is a blog post by RSA about new malware on Android phones that coordinates with web-based attacks to hijack banking sessions. I have been expecting this “innovation” since 2005, when I predicted that banks, plagued by the security shortcomings of passwords and biometrics, would adopt and embrace out-of-band authentication for any risky transaction:
That's why solutions in the future will move away from 2-factor authentication and toward 2-channel authentication. Since your bank knows your phone numbers, a bank computer can simply call you when it needs to confirm your identity, and authorize the specific transaction ("This is Wells Fargo--please enter the code on your screen to authorize the transfer of $50,000 from your account to the account of the Boys and Girls Club of Belfast"). This is a very inexpensive and fast solution to deploy, and requires much less customer training. Not to mention that it's secure (at least for many years, until hackers can easily identify and commandeer affiliated phone lines).
This prediction turned out well: 2-channel authentication has since become standard procedure for banks, application developers and consumers, thanks largely to three investments I made back then:
1. If you’re a bank… Cyota (acq. by RSA) is the market leader in assessing your transactions for risk so they can be escalated for authentication;
2. If you’re a developer… Twilio is the market leader in enabling apps to launch phone calls or SMS messages for out-of-band authentication (this may be Twilio’s single largest use case); and
3. If you’re an individual… Lifelock leads the Identity Theft market, by contacting you through multiple channels when they spot a risky transaction involving your Personally Identifiable Information.
However, as I parenthetically noted in 2005, it’s theoretically possible to “commandeer affiliated phone lines” in order to defeat 2-channel authentication. This seemed like a pretty far-fetched idea 8 years ago, but sure enough, where there’s a way there’s a will, and bank accounts are where the money is! So I wasn’t too surprised to hear from RSA that hackers now intercept your SMS messages and phone calls in order to defeat the banks’ security mechanism.
It is natural that hackers focused on this attack vector because so few IT people understand the perils of mobile malware. Enterprises are busy deploying MDM and app-wrapping products, but they ignore the rampant spread of malware that renders those solutions useless. If I root your phone and ship home screenshots every minute that you run SalesForce, what good are the MDM and MAM products? (Lucky for Airwatch, they sold out before customers caught on to this.)
This is why we at BVP funded Wandera – the only company specifically building a cloud-based smartphone security service, which filters out mobile malware during both download and execution, as well as providing URL filtering, data leak prevention, and enterprise cloud app visibility.
At the time we invested, many people warned us that mobile malware is simply not a big concern. But see Rules 1 and 2 above! Smartphones house our most precious secrets, and there are so many easy ways into them. I’m predicting that enterprises and governments will quickly understand this, and scramble to secure their employees’ phones just as they do their (larger) computers.
If you want to join me in predicting the future of cyberspace, look for the money chasing hackers, and pay more heed this week at RSA to the warnings of security gurus, since no vulnerability is too hard to exploit. Where there’s a way, there’s a will.