AwinguruTalks is a podcast and video blog in which we talk to technology thought leaders, experts and decision-makers. In it, we explore a wide variety of topics – including the current state and future of enterprise technology, IT security and remote working.
In our first episode, Awingu’s chief marketing officer Arnaud Marliere talks to author and cyber security expert Dr. Chase Cunningham. Chase has over two decades of experience in the cyber security landscape, and has worked for over 13 years as an expert at the US National Security Agency or NSA. In his latest book called “Cyber Warfare – Truth, Tactics, and Strategies”, he explores “strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare”.
Dr. Cunningham is also known as ‘Dr. Zero Trust’, as one of the current thought leaders of this deperimeterized security concept – an idea that we, at Awingu, pay close attention to, as we believe that it is the necessary future of cyber security. In the next 30 minutes, we’ll explore that Zero Trust idea, we’ll talk about Chase’s book and cyber warfare, and discuss where the world of IT security is evolving for businesses – and how you should adapt.
- What is Zero Trust?
- Awingu & Zero Trust make total sense
- Keeping IT security simple
- Move to a user-centered IT security
- Who's doing the hacking?
- "MFA is like a seatbelt"
- "Kill the password!"
- Living in a BYOD world
- "Kill the VPN!"
- IT security advice for businesses
- COVID-19's impact on IT security
- Predicting the next IT security decade
Chase, you are “Mister Zero Trust”, so we definitely need to talk about Zero Trust. It’s not new as an idea or concept – it’s been going on for a couple of years already. Can you explain, shortly, what the idea behind Zero Trust is?
The history of Zero Trust dates all the way back to 2003, and that is where this group called the Jericho Forum had an idea around deperimeterized security. They asked themselves what security would look like in the cloud era and they were way ahead of their time. Fast-forward a bit to 2010, where an analyst at Forrester named John Kindervag took that idea of deperimeterized security and said: “that’s kind of a bad marketing term, let’s call it Zero Trust – that’s sexier.”
But at that time, it was really about firewalls, and NAC and segmentation in the network – whereas now we have moved to a model of security being around the user, the endpoint, the accesses. The “zero” side of it is where you’re removing the default pieces of configuration that would cause compromises – the shares, the accesses, the excessive privileges, all those things – so that you can keep things as close to “zero” as possible.
So basically, it is not because you authenticate with the right credentials that everything you do from there on should be considered “safe” as such, right?
Right, and that’s where VPNs are part of that problem. A lot of times when you look at VPN, it gives access to corporate resources; but in fact, it will just open the gates for me once I get in. After tunnelling through my VPN, I can touch all kinds of stuff. That is in contrast with solutions such as SDN and SDP: even though I get in, and even though I’ve got “creds”, it does not allow me to maneuver within that infrastructure. That is what you are trying to get to.
What you are saying is that SDN and SDP are really two of the core components in a ZT architecture? Could you explain that?
When you look at the current state of ZT, I think it is all about secure endpoints, managed mobile devices, software-defined perimeters, good identity and access management, multi-factor authentication, et cetera. And while there are other components that you can go further down the rabbit hole with there, I think that if you say what are the core immediate “post-COVID” things, that’s kind of where we are at right now.
Now you apply all of that through the browser, you could do that through other solutions but that’s kind of the basic pieces of it as it stands today.
More and more vendors are applying ZT, SDP and other lingo in their talks, and I guess that businesses increasingly are actively searching for solutions that are enabled within that philosophy. Is this something that you can acknowledge as well, seeing this shift happening in the market?
Yes, I think the market itself has pretty much lined up on ZT being the future stage for security infrastructure. The reason is that there has been such a growth within the US (from the DOD to banking to healthcare) and there have been formulaic work groups around that philosophy. But then, on the other hand, I get a lot of conversations and calls with people in Europe, Australia and Japan – so this whole thing has become kind of a global bouncing point for what security looks like in the future. And that happens because it makes sense. It’s because it’s based on a strategy, not just “more” technology.
Let us talk a little about Awingu in a ZT context. It is a solution that is designed to really enable BYOD, among others, but securely. Everything runs through the browser, we aggregate different types of applications and make them available in HTML5, everything is available securely in a browser via an encrypted channel, et cetera. MFA is built-in, there’s obviously nothing running locally on the device – even if your device gets compromised, you know your security perimeter is a lot more isolated. How do you see Awingu in the Zero Trust landscape and philosophy?
We have covered Awingu in some of our research, and I think Awingu represents the future state of what we’re aiming towards in terms of cyber security. It fits the box of the kind of solution where you can safely say you’re packaging up security, it’s something that’s native to the user experience, it’s running inside the browser (especially via HTML5) and you put the user into that without pushing new machines to them, without VPN and other so-called solutions. You just say “here’s your browser, here’s your thing, go off and do secure operations.” And there is a lot of innovation going on in that space. In other words, I think in the context of Zero Trust that a solution like Awingu makes a heck of a lot of sense.
Definitely. IT departments have the ability to replace VPN with a different way of working. It’s a different approach to solve the same use-cases, but user-centric and with simplicity and security at the heart of it.
If you look at five or ten years ago versus today, do you see big shifts or is it also focused on ‘keeping things simple’ and hackers finding the simple ways in?
It still is about simplicity. You know, I was a ‘red teamer’, and being on the red teamer side you don’t have to try and do super crazy stuff. Most of the time, even if you look at what is going on, phishing is very useful, because phishing causes the clicks and they get credentials and those types of things. Or ransomware is a big deal, because antivirus just hasn’t stopped that type of problem. So it’s not that there’s a need for really complex solutions, it’s really about the right solution applied the right way to negate all the basics that people cause compromises with.
So… can I simplify and say that humans are typically the weakest link? It’s not per se the tools that we’re using, but it’s maybe processes that are too complex, or people are not following processes, or we’re using the right technology but we’re not deploying it correctly. Does it come down to simplicity and user experience?
You know, I’ve had a change of thinking in the last couple of years. I used to think that people are the problem, and I don’t think that anymore. What I really think now is that we, people, typically made security something for security engineers, not for the average user. So what we need are solutions that sit in front of the average user that they honestly can’t ‘screw up’. That all they do is that they just do their job, operating in a secure environment, and then you don’t have to worry about it.
And if we can do that – there has been a lot of talk about democratizing security and those type of things – we’re making it where they don’t have to worry about operating in the right manner. And that’s what we want to get to.
So really, if we make solutions that are simple enough, basically that cater to the right level of user experience for the right user, then we’ll see a lot fewer breaches getting in?
Yes, and that’s one reason why I talk a lot to folks about stuff that may be running through the browser, like browser isolation stuff, containerized security, those types of applications, where the user – they know how to use a browser – so put all your security controls in there, and push them through that and then, don’t worry about anything else. That’s what you want: you want ease of use, just like everything else. Security shouldn’t be super difficult. It should just be: “do your job.” Unless you’re a security engineer. Then it’s difficult, then it’s a whole other level.
A lot of it is about user behavior: making things simple and changing behavior. Introducing things that are not very complex to organize, like MFA. But shifting the behavior of users to make sure that, you know, they adopt those new things, that is what you need to do. On a higher level, what kind of advice would you give to, you know, businesses, public institutions, et cetera on how to secure their operations and specifically their workspace?
I think that what the infrastructure should look like is as “secure corporate” infrastructure as possible. Secondly, as secure users and endpoints as possible. And the region between those two is just contested space and then being able to push controls out to the endpoint, the user, that allow them to operate in a fashion that is by nature secure without default problems. Furthermore, pushing them through those channels and making it where they don’t have a choice but to operate in that fashion. And that’s where you’re trying to get to.
We don’t want optional security, we don’t want people having to pick and choose whatever’s best. When it’s easy and when it’s packaged and when it’s pushed out to those folks that are now remote – I mean, with COVID-19 100% of the world right now is outside the perimeter. Stop trying to do the old stuff that you were doing and move to this new approach.
So you’re saying: “kill the password”, “kill the VPN” and adopt this Zero Trust philosophy to your IT security. I think that’s great advice.
Who’s doing this hacking that you spoke of? I mean, there’s got to be different groups with different objectives to do this, or is there really one specific objective for these hackers?
Well, it depends. I put some stuff in my book about the history of APT and kind of what different organizations are aiming at in terms of hacking. There’s a difference between nation state type of activity (which is the grand sort of strategic stuff that the US and other countries are engaged in to gain a strategic advantage) and there’s the criminal side. So right now, a lot of what you’re seeing is kind of anybody everywhere they can find in a new foothold is using it. It might be an APT that’s just trying to gain a foothold to use it for something later, or it could be a criminal organization that’s just looking to do their criminal operations.
You dropped the acronym APT – can you explain this shortly?
APT is basically the Advanced Persistent Threat that you hear about all the time in the news. What that actually comes from is a group of air force colonels that sat around and said: “well, what does it really mean if a nation state is going to try and hack another nation state?” They came up with this term. The persistent threat that’s going to continue to come after organizations that have big-time funding, big-time resources and that are aimed at national strategic level activities.
You described it nicely in your book as well – I’d advise anyone interested to definitely read especially those chapters. It’s interesting to see how different nations have different objectives and different techniques which they apply.
Talking about cyber security and warfare, if we zoom in to businesses: what would you say today are the main threats, if you can summarize it down to a few of them?
Well, I think that there’s a chapter in my book about trying to drive past what the bad guys are typically looking for, and then the real crux of it is not making that easy for them. In my mind, and this is based on history and experience, if you can get rid of the password – that is one of the most important things. Also, if you can get rid of VPNs, that’s also very important.
And if you can actually work your way around default configurations and push your organization to a position around the Zero Trust mantra, you’re eliminating a lot of what the adversary needs to do those compromising activities. That’s why I was really pushing the history of this: because there’s a lot of stuff in the media and in the news about AI and these crazy hacks and whatever else. However, the majority of what you see is exploitation based around those very simple things. Not some “mega AI-powered super hack”.
Let’s talk about ‘kill the password’. Why should we kill passwords?
Well, so, I published research on this, but it’s been backed up by other organisations that have published the research. So, interestingly enough, roughly there are 15 billion compromised credentials right now, currently available. There’s only 7 billion people on the planet, so that means, basically, everybody’s got at least one compromised password. Why would you consider yourself ‘secure’ when you leverage something that you guarantee at some level is compromised? And I don’t mean categorically never have a password anywhere, because that’s just not going to work. But using systems where you have multi-factor authentication (MFA) and password-based biometrics, all those other things, like, it shouldn’t be that difficult.
My ten year old daughter knows how to do MFA for Fortnite, you know. So it’s something that we should be able to set up and use. And it’s not that hard. It’s enough of a ‘difference-maker’ for organizations that if you can do that, it changes the game.
You touch on MFA, which exists in different flavors, but it’s been in the market for many, many, many years. And I guess it also comes down to user-experience and people being reluctant to use MFA because they see it as a hassle, even if the security benefit is so much higher. What, for you, are the main trends if you look at the MFA landscape or, by extension, security in the authentication process?
I think it’s moving into a space where everything is built around the user and the identity. If you go back historically and look at where security was ten years ago, it was around firewalls and the network. And now it’s really about the user, the identity and the access, and that’s where we’re continuing to progress towards. So that evolution means that security is going to be more focused on what the end-user does, behavioral analytics, those type of things. It doesn’t have to be as difficult as you would think for people to adopt this, and luckily we’re moving into a space where banking and healthcare are also moving to multi-factor authentication, so most people are getting more familiar with it. If I want to get into my bank account, “I’ve got to set up MFA or 2FA”, or at least have seen it somewhere.
If we look at Awingu as a solution platform, we have built-in MFA capabilities. They’re super easy to activate from an administrator perspective: you just slide it open and your users are enabled with MFA. And if the built-in flavor is not good enough or you want something else, fine, you can connect to a whole bunch of third-party MFA solutions in that mix as well.
But what I wanted to come down to is that still, in quite some cases, when we’re pitching the technology to administrators, you kind of get pushback. Even if it’s super easy to just activate it, the administrator is like: “Yeah, but my users – and specifically the senior users – they don’t want to use MFA because they think it’s a pain. They just want to put in the username and the cached password, and that’s fine.” How can they bridge that gap, and how can they educate, or maybe take their end-users on that security journey?
Yeah, I do a lot of workshops on that with people and one thing that I’ve talked to them about is your car, right, the car that you drive has a seatbelt in it, and it’s got an airbag. And it takes you an extra, what, three seconds to get in that car and buckle up? However, the statistical survivability of a car wreck wearing a seatbelt is exponentially higher than it is not wearing one. So is it worth it to take that extra three seconds to clip in? It’s the same thing with passwords and MFA. If you want to keep your job, if you want to keep your business up and running and you don’t want to risk a compromise, take the extra x number of seconds for a blip to show up on your phone and click ‘authenticate’.
For any logical person, other than just really being vectored in on not having a change in place, there’s no way that they can argue that that makes sense and I have yet to run across an organization that, once you approach it from that standpoint doesn’t say “okay, I get it.”
If we put ‘Bring Your Own Device’ (BYOD) into that mix… You know, VPN in a BYOD world seems to be a pretty difficult match.
Yeah. I mean, we should live in a world that’s BYOD. Honestly, that’s where there’s savings for the enterprise. Why, as a CEO, would I buy people laptops when they have one at home anyway? Wouldn’t it be better if I could just say: “Do your job, use your machine, I’ll put some controls in front of you and as long as you’re accessing corporate resources, I’m going to make sure you’re protected. If you’re doing stuff on the wilds of the internet, it’s your device – go nuts. That’s your thing.”
If we, not zooming in to specific VPN vendors, just look at the news for the past twelve months, probably all the major vendors have had their challenges. Is there a context in which you’d say okay, using a VPN is still okay, or should we really just kill the VPN altogether?
So I think if you plan for the long term, after this whole sort of ‘crisis thing’ has leveled out, I think you kill the VPN categorically. I advise people all the time: work to get rid of passwords and VPN. However, for the immediate time, if you have no other choice, VPN is better than nothing. So it’s one of those things where in the long haul, you want to move past VPN. Plan your budgeting, look to that, move to that state. However, if you’re in that space right now where you’re doing three years of innovation in three weeks, a VPN is a liveable solution. It’s better than nothing.
Why do you think it’s so hard for businesses to get rid of VPN or move on to the next hype, the next generation of technology?
That’s where I go back to the thing I said a little bit earlier: we need to make security solutions that are easier for everybody to use and that they’re more familiar with. VPNs are still something that you have to tell them to download, they have to put the right server config on it, they have to use the password, username, et cetera. It’s more complicated, but people are relatively familiar with a VPN, even ‘non-tech people’ kind of understand what VPNs are because it’s been sold in the media, in the marketing and whatever else. So it’s a little bit more familiar, but it’s not better by any stretch of the imagination.
We already talked about corona or COVID-19. What we saw, from a vendor perspective, is that there are many companies doing RDP and having open RDP environments – which is pretty easy to map. At the same time, what we saw since the corona outbreak is that there’s a lot more open RDP ports out there in the market, globally. I guess that can only mean there’s going to be more (or there have already been a lot more) breaches that haven’t been identified yet. As a topic expert, what do you see as the main, you know, issues or main types of breaches and outbreaks since the pandemic hit us?
The last numbers I saw were about phishing, which went up by 600% year-over-year. That’s a staggering number. On top of that, the RDP hijacking and looking for vulnerable RDP servers was up 300 to 400%. People are poking around, trying to find vulnerable RDP servers. Those two things being that escalated mean that there are many more compromises that we’re just not aware of yet. The reason is, of course, because people are scrambling to respond and keep businesses up and running. It’s going to take a while before they actually find a lot of these compromises, but I guarantee it’s going to happen. Exactly because of what you’re saying: people spun up servers to keep business running during corona.
Let’s discuss one more thing. As a topic expert – you have, after all, written the book on cyber warfare – if you need to make predictions about the cyber security landscape in a horizon of five to ten years, what do you think are gonna be the main challenges for organizations ahead of us? And you can be specific there.
I think we’re still going to be in a world that, unfortunately, does a lot of the same things. The last 30 years are going to return in a different version for the future. It still kind of bothers me, and I lose sleep over that, that people fight back against security principles. “Why do we want MFA?” “Why do we want secure alternatives to VPN?” It’s because there still is this issue around “being comfortable”. Where we’re going is that that stuff is going to become more ubiquitous. It’s going to become more built into the user experience and that will help to eliminate some of that. But we’re going to continue to have exploitations of these type of things for the foreseeable future, simply because of the culture problem. The human sort of not liking to change the way they do things, rather than the lack of technology.
So do you think 10 years from now we’ll still be using just simple passwords?
Oh lord, I hope not.
I think that summarizes it perfectly. Thanks for joining us, Chase!