Posts by Yegor Aushev
It was 3 AM when a high-profile investor in a fast-growing Asian startup called us. The situation was not pretty. In a panicked voice, he said: “The Startup we invested a lot of money in has been hacked. The hacker can do whatever he wants with the service. Help us”. Hundreds of thousands of daily users depended on the mobile application, gaining traction and popularity daily. The entire business was on the line.
Any sustained damage caused by the hacker would mean severe consequences for the startup in a hyper-growth stage and beginning to be a leader in its segment. We went straight to work because the situation was dire. The CEO and technical team effectively lost control over the business to the hacker.
What We Found
- Within a day, we found multiple attack vectors from which the hacker could compromise the startup and take control. Overall, we found over 20 critical bugs in the software. The attacker had an incredible amount of options.
- The CEO didn’t take care of security because he didn’t understand it. He blindly left it to the technical department. An increase in sales and burn rate were his largest priorities. There was significant pressure from VCs to grow. Now, he paid the price — limitless amounts of stress and sleepless nights.
- Developers didn’t take care of security either. They were too busy struggling to maintain a hyper-growing startup while releasing features at breakneck speed. Basic controls and strategies were absent because the operation mode was “release first, think later.”
- The tech department was made of “all-star” developers from some of the best universities in the world and the best computer science programs. Almost none had been exposed to proper security training for developers. They built an incredible product that was easy to maintain from developers’ perspective, but it was also a playground for any skilled hacker once he was inside.
- The startup was lucky that the hacker had tech smarts but didn’t have the “street smarts.” Like all lottery winners, he didn’t know how to use his jackpot properly. He faced our team, and he was shut out. It was a situation where destroying the business was easy, but the hacker likely didn’t have the experience to take full advantage of his opportunity. Such luck is sporadic, and it saved the startup.
- Despite all this luck, we conclude that there was an irreparable loss of sensitive data and intellectual property; it is pretty much unavoidable.
Capabilities and skills enhancement: the critical element
Capabilities Enhancement and skills improvement related to security for the entire company is still a huge issue. Just like software needs to be updated, humans need to stay up to date with the latest knowledge. This will not be solved by training just developers or hiring an experienced CISO.
Enhancing your capabilities is the core of cyber security, starting with people.
Training the tech department is not enough. Various training scenarios can help but can’t keep up with the rise in threats and technological advances. Management and all other regular employees are responsible for maintaining the organization’s security, and relevant capabilities/skills enhancement must be constantly implemented.
It’s the era of people-focused security.
- All regular employees must support the security initiatives, obtain relevant knowledge, and constantly apply it as part of corporate life. It’s not just about training the tech people or fixing tactical security issues. A large number of problems begin at the non-technical level.
- Management must also have the relevant knowledge, integrate security as a strategic asset to the business results, and constantly drive the organization’s capability enhancement strategy.
The CEO can be a threat to security
If the CEO is not interested, everyone else will be uninterested. Technical people, especially developers, like living comfortable lives in their own zone. They want stability and not to be bothered. It’s how things work in reality — developers will inevitably make things comfortable for themselves if proper preventive and contingent actions are not in place within the organization. A CEO who doesn’t understand security and does not ensure a business strategy-security strategy integration will inevitably end up experiencing a life of stress and sleepless nights. Someday.
In this case here, “I don’t need help, my strategy is perfect, we have the best team” transformed into “Please save us”. Don’t be arrogant, there is always someone better, and security is never perfect.
What to do Immediately: Quick Wins
Where do you start? Of course, you need to start working on the organization’s capabilities enhancement and skills training. However, here are quick basics that will allow a CEO to dig into issues:
- Ensure that there are no backdoors, which are prevalent, like malware. Supply chain attacks are persistent in 2022, and planting backdoors in open-source software is trivial.
- Make sure everything is always patched and updated. Few understand how many problems this can eliminate.
- Cloud misconfigurations are very frequent and are an awful mistake to allow.
- Adopt an internal identity and access management framework, no matter how simple.
- Establish MFA across cloud access points. Unfortunately, this is often not done in “release first, think later” environments.
- Backup. Backups must be recent.