Hackers seeking enterprise credentials: Apply within

The dark net is home to millions of enterprise credentials, giving cybercriminals the means to exploit an organisation’s vulnerabilities. Noel Allnutt from Solista explains why passwords are still such a risk.

In the very first episode of the IDentity Today podcast, we sat down with Noel Allnutt, co-founder of Solista, to discuss topics ranging from password hacking to building a successful security business.

Founded in 2013 to help organisations adopt new and emerging technologies, Solista arose due to a need to identify gaps in the marketplace coming out of modernised workloads for digital transformations. Noel’s extensive knowledge of the security sector runs the gamut, and he was the perfect person to speak to about passwords, the dark net and digital transformation.

Here, we’ve put together a Q&A that includes the best insights from our chat with Noel. You can also listen to the full podcast here.

A recent hack on MGM Grand saw the details of 10.6 million guests stolen – from tourists to tech CEOs to celebrities. What were your thoughts on that when you saw the news?

It was obviously a major hack, but it’s also ever-familiar news. We see a lot of news about the major hacks around the world. The fact that it’s a gambling institution as well as a leisure institution probably raised a few more eyebrows.

But culturally, do people want to know who’s been staying at these resorts? Is that information a little bit more secretive to others? There’s also the question of the depth of information – how much information do these institutions actually get before guests even sign into the hotel?

What are your clients saying about the rise of password hacks, and is it something they are increasingly worried about?

Password hacks are absolutely front-and-centre in the minds of decision-makers across the board. I think we’re starting to see so much more of it. There’s a lot of money being spent on minimising the intrusion vector around the password hacks. We’re seeing organisations try to really reduce the opportunity for hackers to get in – because they know that once they are in, they’ll have access to a number of environments.

You’ve got your privilege access management, which is critical to shutting down a business. And then there are various other exposures once the hacker gets into people’s environments: sending further phishing emails, social engineering and other things. So it’s top of mind for our clients because it is the entry point into so much more destruction.

Why is it that passwords remain such a ‘chink in the armour’? Is it a technology issue, or do you think it’s a cultural problem within organisations? 

This is something we talk a lot about internally at Solista, especially when we’re going out and helping organisations understand their cybersecurity posture. I think it’s both a technology problem and a cultural problem. And I’ll start with the technology problem.

The reason why we need passwords today is because of technology. It’s because of data. It’s because of the digital world we live in. So I believe technology has actually led us down the path to then requiring ways to solve this challenge: the challenge of passwords. So if you have a look at the early stages and some of the legacy operating systems – Windows and Mac OS – it’s always been required that you need a password to get in. The compound effect of that is you still need a password to get into any organisation today.

Then we have to look at the cultural problem, which I believe is a bigger challenge and one that is much harder to solve. We speak to organisations that are pretty savvy, but there is always that fine line between looking at data security and convenience.

One of the most commonly used passwords in the US is the name ‘George’, which provides very limited security. Why is it that still happening? Do people not believe there is inherent risk, or do they just not understand how a weak password can create vulnerabilities for themselves as well as the organisation they work for? 

It will be very hard to change the culture of passwords, so the solution may be to get rid of them altogether. I think anything that can sidetrack the necessity for a password will be hugely beneficial to society. That’s one of the challenges.

When people just needed one or two passwords, they’d be a bit more specific. Now that they need 10 or 15 passwords, it all becomes kind of ‘background noise’. So nothing becomes as important. We see so much on the news about hacks, and a lot of the things that used to sound huge alarm bells to society are now on the back burner – they are just part of our day-to-day lives. So cutting out all that noise and removing that friction is vital.

What is the best strategy to secure cloud operations against today’s cyber threats? 

I’d almost say automation because I’m a huge fan of where that’s taking the world and the efficiencies we can draw from it. But I have to say it’s our own encryption of data – encryption of data at rest and encryption of data in flight.

What we’re seeing out there is a conversation that we’ve had time and time again. And a lot of that has been led from the likes of the GDPR and the mandatory data breach reporting here in Australia. What’s come of it is that if the data is encrypted and then stolen, has your data actually been stolen?

I saw a lawyer stand up in front of an audience of CIOs about 18 months ago, and they posed that question: if you stole encrypted data, what was really stolen? And I think that is a tactic that we’re seeing a lot of businesses work towards. Now the challenge is about encrypting everything: is that feasible? Encryption technologies aren’t the easiest to set up and run inside organisations. Furthermore, if you have a look at setting up encryption in flight, there’s not too many overheads on the customer’s network. Encryption at rest? Huge overheads. We speak to customers who’ve had to double the amount of storage they buy in order to encrypt everything.

So it’s a really interesting one, encrypting everything. And I think we’re going to see more and more of that as the cost of compute and the cost of storage to encrypt and decrypt comes down.

In the past 12 months, what’s the biggest problem you’ve seen in regards to digital transformation and then the biggest solution?

I think the biggest problem has actually been across the board for many customers, which is balancing risk with digital transformation. Every customer is asking themselves “What are the gains that we’re going to get from adopting these new people, processes and technologies, and are those gains significant enough to reduce the risk and disrupt our traditional business strategy?” So that’s from a business perspective.

What that then means from a technology perspective and a security perspective is that data doesn’t just sit in the data centre anymore. It sits across distributed systems and environments on a global level.

One of the major projects we worked on last year was helping a global education organisation transform the way they secured student data. They had 80,000 students across 15 countries. As they were looking to grow their footprint, they had to ensure they could lock down all of that student data and get visibility over who was accessing the data at any point in time, anywhere in the world. Furthermore, if the wrong people were trying to access that data, they needed automated systems to perform the detection and response because they didn’t have enough staff to be on every endpoint across the globe.

What we helped this organisation do was lock down all their critical data and then build visibility maps around where that data was being accessed from. We then used the likes of AI and machine learning to start looking at anomalies to say, “Well, that doesn’t make sense.” That’s the type of thing organisations need to know about.

Noel dives even deeper into business vulnerabilities, securing your vital credentials and maintaining a startup mentality in the podcast. Listen to Episode 1 of IDentity Today via Apple Podcasts, Spotify, your favourite podcast app or online at Omny.