ISMG Editors: Zero Trust SpecialZero Trust Creator John Kindervag on ChatGPT, API Security, MFA Bypass Anna Delaney (annamadeline) • February 24, 2023
In the latest weekly update, John Kindervag, creator of zero trust and senior vice president of cybersecurity strategy at ON2IT, joins three editors at Information Security Media Group to discuss important cybersecurity issues, including the top zero trust storylines of the year, the impact of ChatGPT on the cybersecurity industry and how to tackle MFA bypass attacks.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday & Europe; Tom Field, senior vice president, editorial; and John Kindervag, creator of zero trust and senior vice president of cybersecurity strategy, ON2IT - discuss:
- The predominant zero trust storylines as we approach RSA Conference 2023 and whether the vendor community has fully embraced the strategy;
- Whether AI large language model technology such as ChatGPT will enhance or overthrow cybersecurity as we know it;
- The specific improvements defenders need to make from the perspective of zero trust to secure data and applications in the wake of recent MFA bypass attacks.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Feb. 10 edition, which discusses how police nabbed the notorious Zeekill hacker, and the Feb. 17 edition, which discusses how a ransomware campaign is hitting unpatched VMware servers.
Anna Delaney: Hello, and welcome to this special zero trust edition of the ISMG Editors' Panel. I'm Anna Delaney, and this week we're joined by an industry veteran and the creator of zero trust, none other than John Kindervag. And the merry party also includes, of course, my teammates, Tom Field, senior vice president of editorial, and Mathew Schwartz, executive editor of DataBreachToday and Europe.
Tom Field: John, it's been three years now since zero trust really had its coming out party at RSA 2020. As we start to prepare for, believe it or not, RSA 2023 in April, what would you say are the predominant zero trust storylines going into the event?
John Kindervag: I think the wider adoption, the fact that we're talking about it at the federal government level, and we're seeing all kinds of movements in various governments around the world. I mean, it just has become, it's exploded. It started to really explode in 2016 after the OPM data breach and the OPM report from the Oversight and Government Reform Committee of the U.S. Congress. And it took a while for people to kind of bubble through that when Congress came out and asked OMB to push some guidance around zero trust. That was really the tipping point. It just took a while for people to see that. But what's unique about it is it's just a global movement. So this week, I've talked in Norway, I'm repping my Stavanger Vikings shirt because I don't have a background but I do have a 1953, 70-year flag for the Stavanger Vikings that three of my great uncles played on. And it was the first Norwegian soccer championship after the Second World War ended. So I went to Norway a while back and one of my great aunts was still alive then. I hope she still is now. And she gave this to me. It's a very old 70-year-old banner. So I'm wrapping that today because I didn't have a virtual background. But yeah, I've talked to Australia, and now I'm talking to England and Scotland. And, you know, everywhere, man, it's just crazy how this has become such a weird, global thing from when I first wrote the first paper and everybody thought it was completely insane.
Field: It was just three years ago, you appeared in our studio for the first time and you were the guest of one Mathew Schwartz. So Matt, let me pass the baton to you. I know you've got a question or two.
Mathew Schwartz: I know, I try to keep things real here. You know, keep the discussion flowing, John. And I think one of the big buzzwords we're going to be hearing at RSA, because we're already hearing it now. RSA is not that far away. It's ChatGPT. Shocker? I know. But when it comes to ChatGPT, there's a lot of discussion about what it can do, what it can't do, and what it might do and what we might not want it to do. And so I want to get your opinion, do you think ChatGPT is going to enhance or overthrow perhaps cybersecurity as we know it? Where do you see the rubber, maybe, first hitting the road? Are we in danger, perhaps of falling in love yet again, with the latest shiny new toy, when I think we can all argue that everyone often keeps overlooking the basics? And we get a lot of bang back for that buck if we were focusing more on them. But we've got ChatGPT for the moment. What's your take?
Kindervag: Well, I mean, right now, I think it's a novelty. And remember, this is the chatbot version of GPT-3, and then you're going to have GPT-4 come out. And then you've got everybody else coming out with an artificial intelligence/machine learning engine. And there's a lot of things that, you know, I've been doing work in this area for a long time. The company I work for - ON2IT, we have machine learning capabilities in our managed service. We're constantly looking at the traffic, so yeah, it's going to be fine. No one knows where it's going to go. I mean, it could be that Skynet become self-aware, they build a bunch of terminators. And, you know, we go into a big kinetic war there. And probably we lose in real life against the robots. But that hasn't happened yet. I guess, you know, August, it's destined to. You know, every year in August, we wait for Skynet to become self-aware. But I don't see it as an existential threat because the thing that constrains all of this as it relates to how we access resources on a network is TCP/IP, and I don't see that changing, right? We've got a couple of big things that kind of relate to each other, which are quantum computing, and living in a post-quantum world, and then, you know, all of the artificial intelligence stuff that's happening, and it probably will allow the attackers to craft more sophisticated attacks, and it will toast everybody who's not paying attention. I don't think it'll affect zero trust, because we're just focused on protecting the protect surface. So we've gotten to the point now, where we don't care what the threats are, because the policy in the companies that I manage, or we manage, and that I help architect have such defined policies, that, you know, it doesn't matter what the attack is, I really don't care. And everybody else is still in the 20th century in cybersecurity, and that's why this is profoundly resonant to leaders in cybersecurity, zero trust, I mean, because it has a path forward, it has a strategic vision and a mission that they can go for and accomplish to try to stop some of this stuff. But if you're old school, and if you struggle, say with something as simple as patching, which is actually not simple, but as basic as patching, well, then then you're in trouble. Right? If you have a pretty open policy set, and are just trying to deny bad traffic, it's going to be bad for you, right? So if you're relying on a single data point to make a decision, oh, they authenticated. So we're going to allow this traffic in, you're in trouble. Right? So you're going to have to think differently. And I think a lot of that thinking is, you know, what you need to do. We published it, you know, I'm working with ISMG. I'm working with cloud security lines. I'm working with your sister company, CyberEd. So you know, we're trying our best to get the right messages out. And there are some people who don't want that message to get out.
Schwartz: Very good, thank you. I know Anna has got a question as well, when it comes to threats, I think.
Delaney: Very good. Yes, indeed. Thank you. Well, I want to move on to API security. And then speaking of RSA, our good friend Richard Bird predicts that API security will be the big buzz theme this year. So let's see. But in this past year, John, we've obviously seen several high-profile breaches, which resulted from API exploits such as Twitter and T-Mobile. And it seems that the threat actors are increasingly targeting API vulnerabilities. Certainly, from the conversations I've had with security professionals, they all seem to indicate that this is a really challenging area. What's your advice to them? And how can organizations ensure effective API security?
Kindervag: Well, I mean, API's are amazing. We're in the API economy and one of the things I love about API's just to start off with, is they eliminate the need for standards. They solve the interoperability problems that we're trying to get with standards. And they incentivize innovation. So those are the good things about it. The bad things about it are, generally, the cybersecurity teams don't know they exist. They don't know how to control them, which they're just another TCP/IP connection. So they're controllable. There's nothing magical there. Its the programmatic interfaces, I think, that are very interesting. But they're controlled by the developers, DevOps, whatever you want to say. And those people are not incentivized to do good security, they're incentivized to move fast. I always call them the Ricky Bobby's of IT, right? They just want to go fast, they got a cougar sitting next to him, you know, in the car, and they got to go fast. And that's because they're incentivized that way. And so there needs to be a change of incentive structures for DevOps, to integrate more and not just how many code pushes can I do a day. And then there are some tools out there that you can use to kind of lock that down and all of the stuff. If you're looking at the API, and what's going across the API, you'll be able to see whether there's an attack across the API, you just have to be looking for it. Right? I'm often reminded of the old Vaudeville joke of the drunk person on who's looking for his keys. And the cop says, hey, what are you doing? I'm looking for my keys. Oh, okay. Let me help. I don't see any keys anywhere around here. Well, I lost him way over there. Why are you looking here because the light is so much better? And it's called the streetlight effect, right? So we're only looking at the places we have illuminated and we don't illuminate enough places. We saw this with GoDaddy. How many years were they in? GoDaddy? Three, is that what I read?
Schwartz: At least a couple.John Kindervag: Yeah, look at that. But they're in there forever. And you don't know they're there. It's like, wondering, hey, who's the person getting beer out of the fridge? I guess they can get beer out of the fridge. They belong here. I'll go back to bed. We don't do that. But you just don't have enough visibility, enough illumination, and enough street lamp. Street lamps for like cowbells. Tom, you always need more of them.
Field: Indeed! More cowbell. John, you and I have had a chance to participate in a lot of videos, a lot of webinars, not nearly enough cowbell. And we've talked a lot about enterprises on how they've evolved to embrace zero trust - their understanding the protect surface, their defining what it is they need to protect before they go out to try to protect. Now, what about the vendor community? How has it grown past the initial reaction of "Zero trust? Yep, we sell that."
Kindervag: Yeah, I don't think that they are enlightened as they should, because they're still trying to spin zero trust, to be defined based upon the technology they sell. And I understand that I came from vendor, I work for a vendor, but although completely different vendor from its perspective on it, and, you know, their bottom line is the bottom line. Right? And, what we don't see is a lot of folks who really want to change the world and make it a safer place anymore. They want to meet the numbers from Wall Street, they want to, you know, they want to create the new thing, they want to become billionaires with yachts. And it's different than when I first got into it, because all of the early people in cyber were very well-intentioned, you know, almost idealistic, I would say, and that's kind of gone by the wayside. Those people either have sort of been corrupted is one? One friend of mine said about another friend of mine, he said, because I was kind of like, wow, this guy, I would have never thought he would have been doing some of these things. And he said, yeah, he's discovered that he likes to be rich more than he likes to be right? And so what is your purpose for doing this business? To me, this is a public service, right? There's three adversarial businesses in the world. There's law enforcement, military and cybersecurity. And so you have to be willing to fight the good fight, and sometimes you're not going to be the billionaire. But if you can do something to make the world a little bit better, a little bit safer. You've contributed more than maybe all the billionaires in the world combined.
Field: Well said, John, and let me turn you over to Mathew Schwartz, who has taken the journalist vow of poverty and is doing good work indeed. So Matt, your question?
Schwartz: Right, not rich. Yes. MFA. That's been one of the big attack vectors that we've been seeing. I don't mean to play zero trust dartboard and just take every last attack that's working incredibly well, and throw them in your direction. But I think the two-factor authentication, multi-factor authentication bypass attacks have been so interesting, because they've taken down some really big names; these push notifications where people say, sure, no problem. I'll connect to that. What shortcomings have you seen with these MFA bypass attacks that have been hitting so many organizations? And what's your recommendation, John, in the context of zero trust? What specific improvements do these attacks demonstrate we still need to make?
Kindervag: Well, again, you're making an axis decision on a single data point. Did somebody accept the MFA challenge and give you a response? And then if so then equals yes. Allow? No, that's not enough data. That is one data point in the stack. So we talked about the Kipling method, which we've talked about before, how do you create policy for zero trust? Who should have access via what application? And ultimately how should we allow that access to happen? So how should we look at the whole packet? So I've always said MFA, which is really 2FA, think about this in this industry, by the way, here's a little bit of my soapbox. We had a number two, we changed it to the letter M and then we created a whole new category out of the same products, there's nothing different between 2FA and MFA, right? And there are fundamental flaws in the way we do it. Now, identity is always fungible. So if you look and you're saying that's the only criteria that I'm going to make a decision on? Well, you know, of course, you're going to get toasted, right? I mean, I always joke, I can prove this with two words Snowden Manning, the real Rihanna and Beyoncé of cybersecurity. They're so famous. They're one-word people, right? They had powerful multi-factor authentications called CAC - common access card. I called a CAC card once and then was stolen. Well, that's redundant. Yeah, I guess it is. I mean, it's literally on a little poll thing. And it plugs into their computer. So they are literally attached to their computer by a thin piece of string. And, so there was no question on the identity of these attackers. But no one looked at the packets post-authentication. And therefore, the exploit technique was the broken trust model. So this is something I've been saying for you know, 13 years now that you can't just rely on one single thing and everybody wants a magic button, everybody talks about the silver bullet. And I often will, you know, if someone talks about a silver bullet, I'll say, have you seen a vampire killing kit in real life from one of the voodoo shops in New Orleans? Right? Well, is today Mardi Gras? No, yesterday was Mardi Gras, right? So if you go into one of the voodoo shops on the side roads in New Orleans, you'll find vampire killing kits. And in there, there's a flintlock pistol that has the silver bullet, right, because some vampires get killed by several bullets, but there's going to be some holy water, there's going to be a steak. To put it through the heart, there's going to be a cross, a mirror, all the different things because different vampires get killed in different ways. So there is no such thing as a silver bullet. And what you have to do is figure out how to put together a system. Right? The vampire killing kit is a system for killing vampires, not that vampires actually exist, I don't believe that. But still, just the metaphor works really, really well. And so quit thinking about it as a product, quit thinking about a single technology, and then I will solve the problem. And it will be a project that's done. This is a process that is the entire structure of your organization, your company, and whatever company you have in the world does not exist unless your IT and computer systems actually work. And the thing that keeps them up and running is the cybersecurity stuff that is the structural engineering of this. So when we look at some of the tragedies recently, with some of the earthquakes, we should remember structural engineering, right? Hammurabi said some odd 1000 years ago, if someone builds a building and falls down on a person and it kills that person, you're going to execute the builder. Right? And, we need to understand that that's what cybersecurity does. Cybersecurity can't be short-changed. It can't be we can't do shortcuts, we can't just not quite do it as well as we could, because we could do it cheaper. That's what happened in New Orleans with the dikes, right? People went to prison because the spec says, put the piling down so many feet, we don't need to do that, we can save a lot of money off of that by not using as much concrete and then put that money in our own pocket. Right? So we see that same problem in cybersecurity people are going cheap. And they're reducing budgets now because the economy's bad. Well, the attackers aren't reducing their budgets, folks, you need to probably increase your budget and when I see you know, some of the statistics about how much of your budget goes to cybersecurity versus everything else in IT, I think that that's criminal, in my opinion, that you spend so little on cybersecurity, and spend so much on all your new funky toys in IT.
Schwartz: Well-put, I love the vampire killing kit. I'm going to have to get one of those together. Thank you!
Kindervag: Fly into New Orleans as you're going to, to RSA, you know.
Schwartz: I'll see if I can swing it. I'll converse with my editor. See if I can write that one off as a business expense.
Field: You can fact-check, John, on whether vampires exist anywhere.
Kindervag: Yeah, well, you know, the history of vampires is very interesting.
Delaney: For sure, well, it's been a rich conversation. Vampires, Norwegian football, yachts. I've loved this. But, we have one final quick question just for fun, if you were to create a cybersecurity-themed comic or cartoon, who would be your heroine, your hero, or even a selection of baddies. Tom's right there, right in the action.
Delaney: John, and Matt might remember this, this is my hero: zero. In this case, zero trust. John, I do this for you.
Kindervag: Thank you.
Field: How wonderful you are, zero, my hero.
Schwartz: Well, not to steal John's thunder or work with a concept he just recently introduced but I would go for silver bullet man. It would be more of a nemesis who kept suggesting things that didn't actually work, leading to inadvertent death and destruction. I think high jinx could ensue, but it would just depend on how you pitched it.
Field: Who was that masked man?Anna Delaney: Well, I was thinking more traditionally a bit of cat-and-mouse action. So definitely there's room for Tom and Jerry, a Pink Privacy Panther. Bit of Snoopy, and maybe a Tweety. So there's my comic for you. John, have you got any thoughts about who your hero or heroine would be?
Kindervag: Well, if you look at my Twitter profile, you'll see my Cynja avatar. So the Cynja, which actually exists, and we should resurrect that, well, it's a graphic novel series for kids done by Chase Cunningham and Heather Dahl, my good friends. And I'm the only other person outside of them who has a Cynja avatar. And so I'd like to see more Cynjas out there and maybe cyber ninjas. So if you next time you're on with Chase, get him to talk about the Cynja sometime because they were too early with that comic book series but I think that should defeat the Marvel superheroes big time. Because once we get AI on a network, I mean, Superman. Right? What are you going to do? You don't know how to program.
Delaney: True creatives. Well, John, this has been great fun. Thank you so much for joining the ISMG Editors' Panel.
Kindervag: Hey, thanks for having me. It's always fun.
Delaney: And thank you so much for watching. Until next time.