Earlier this week, VPN Creative got the opportunity to sit down with the CEO of Tenable Network Security Ron Gula to get his opinion on everything from the recent breach on the Community Health Services servers at the hands of Heartbleed, to what he thinks the security landscape will look like in the wake of one of the largest bugs in the history of the Internet itself.
Check out the full transcript of our talk here, and let us know your reaction to his thoughts in the comment section below!
Hi Ron, I want to start off by thanking you for taking the time out to talk with us about the state of Internet security, and more specifically, the threat that Heartbleed represents for developers and the average customer alike.
Heartbleed took the world by storm this year, shocking many professionals in the industry not only for its relative simplicity, but also the fact that it went undetected on hundreds of thousands of enterprise-grade server networks before anyone realized something was amiss. This in mind, do you think Heartbleed was the last bug we’ll see on this scale, and if not, where do you believe the next threat will come from?
“It’s definitely not the last that we’re going to experience on this scale, primarily due to the practice of code reuse. The big problem came from the reliance on the SSL library, which in itself has a lot of open source uses. It has a way of creeping into everything.
The next threat is probably going to be in the cloud. Cloud-based services are especially vulnerable to the same problems we saw with Heartbleed, with the Internet-as-a-Service sector likely carrying the largest burden of that risk.”
Heartbleed showed us that there is always more money in blackhat operations and participating in clandestine activities than there is in fighting the problem at its source. What do you think the industry can do to better incentivize programmers into coming over to the side of the light?
“I don’t believe that’s true. I think there will always be more money to be made in defense than in offense.”
Do you think that the next Heartbleed can be prevented, or are these sorts of problems an inevitable effect of human error in the coding of security protocols overall?
“[These problems] are going to be difficult to prevent, because they all leverage common resources. The more you concentrate into one spot, you have a monoculture. [The next threat] could hit Amazon, could be iOS, could be one app on Android. They’re going to spread quickly, and they’re going to take [the] world by storm no matter what.”
What improvements could developers behind such widely used and relied on standards like HTTPS make to better protect the public at large?
“People who patch faster are more secure. Those who are last don’t have a good long-term strategy. Tenable believes in patching first, as consolidation makes services easier to monitor, easier to defend. Look for bad things happening on your network before someone does something bad. People weren’t monitoring for SSL bugs, even after it debuted. [We know] you should always be ready for the next risk.”
With POS scams and ransomware becoming the go-to option for most major hacking organizations over the course of 2013 and 2014, where do you think the next threat will pop up?
“I still think that the POS scam has a lot more room to be exploited, and hasn’t reached its full potential yet. POS scams haven’t been solved, and we’re going to be hearing about them for a long time. POS scams have [the] same infrastructure as SCADA systems, meaning that it takes a long time to make changes that will actually have an effect we can rely on for the foreseeable future.
I classify ransomware as phone bank scams, and they aren’t going away anytime soon either.”
As a security professional who is constantly updated on all the latest happenings with breaches, bugs, and poorly-patched code, what do you think we as reporters can do to keep people better informed of the threats that problems such as Heartbleed pose to the general public as a whole?
“You need to make the boring exciting. People only want to hear about the big companies who have been compromised, or what the major zero day of the year is. What doesn’t get covered is the people who don’t get attacked, the people with good security. I wish it would, because there’s no secret to how to keep a secure network.”
Many blogs, press releases, and articles have been written in the past year about the “death of consumer-level anti-virus products”. Do you see this as an accurate assessment of the current landscape, and if not, why?
“If you’re running a Windows computer, you have to run some kind of anti-virus, and on top of that, you need a second, separate way to audit that computer outside of the initial operating system. Anyone who’s in the industry knows that computers are cheap these days, and if you want to do something like secure banking, do it on an iPad. If you want to browse daily, use an iMac. Watch the links you click, because as a whole, the Internet is a hostile place.”
Ron spoke highly of the iOS architecture, likening it to the Windows NT of yesteryear both in its inherent flexibility and in the security that comes with that sort of early architecture.
“iPads are immune, as long as you don’t jailbreak it or run something that hasn’t been vetted by the App Store team ahead of time. This will change eventually, but for now Apple is the best solution when it comes to keeping yourself secure. In a way it reminds me of when Windows NT first came out: it was totally secure, but as more was added, it lost that capacity along the way.”
Thanks again for taking time out of your day to speak with us, Ron, I really appreciate it.
To wrap things up: smaller netsec outfits such as Tenable and dozens of others have started to lead the charge in making the Internet a safer place, and have picked up the ball that was left on the ground by major industry players like Symantec, McAfee, and Kaspersky.
Why do you think we’ve seen such a drastic shift in that responsibility over the past several years, and do you believe that the former giants of the security space will be able to regain their relevance in the coming decade?
“We’re planning on that not happening, because of the migration to cloud, virtualization, and mobile workspace. This space used to be dominated by securing the Windows desktop, but now customers are moving into the cloud. How fast or quickly are they [Symantec, McAfee] going to change? Can’t say. Here at Tenable we believe we can provide the safest solution through constant monitoring. Monitoring is what prevents hackers from getting in in the first place, and should be everyone’s most reliable line of defense in the fight to stay safe on the Internet.”
Be sure to stay tuned to VPNCreative’s new interview series next week, where we talk to the Chief Intelligence Officer at Lookingglass Security Jason Lewis about potential threats for iOS and Android that are lying in wait just over the horizon.