Before helping others with data security, one should make sure their data complies with the highest standards and regulations. This is what we did at Moqod, thanks to Matthew Frost, the CTO of Uptic, who helped us with our ISO. Uptic, the open-source Dev-Ops (software development and IT operations) company is Moqod’s partner to this day.
At Moqod we help start-ups jump into tech businesses, and they have questions about security. We couldn’t think of a better person to get the answers than Matthew Frost himself.
Moqod: Matthew, could you please tell us a bit about your background? What is your field? How did you get into Dev-Ops and what is the most fascinating thing about it for you?
Matthew Frost: I love technology. I started at a young age. My love for Dev-Ops developed from working in the IT industry for 7-8 years. We got to the point where we started to scale up the applications and the systems. We figured out that we couldn’t do it in an automated way and affect the way we managed it. So, we decided to do exactly this — automate and secure things.
Rather than looking at building piece by piece, we would look at the final result and work backward. My love for scaling and my love for automation go together. You can’t build thousands of systems and thousands of applications without automation. For example, you can’t upgrade all these apps at once — you would have to hit the “upgrade” button thousands of times.
It was more of a pet peeve that turned into love. Having this ‘helicopter control’ is what motivates me.
Moqod: Your passion is about scaling the applications. When we work with start-ups, they think that security issues arise only when you grow. For them, it is as if only large organizations are targeted by criminals. Where do you stand on this point of view?
Matthew Frost: I think that anybody these days is a target when it comes to information. Hackers don’t look at you from the point of size demographic unless you are very big. They are looking at you from a more pragmatic approach, where they scan for weak systems. They are just arbitrarily looking for vulnerable companies. If you show up as one, they go for you. So, everybody is at risk if you don’t ensure a minimum baseline of security.
Sometimes you don’t need to be large to be hacked. You just need to be unlucky.
Moqod: Are there certain types of companies that criminals prefer nowadays?
Matthew Frost: I would say, in general, those are IT companies and managed service providers. It is harder, but people would target Amazon or Uber because the amount of data they hold in terms of credit card information is very rewarding.
It is convenient vs rewarding. If you score highly at being either convenient to hack or rewarding, they will go for you.
Moqod: So, you don’t have to be e-commerce to be a target?
Matthew Frost: No but… For example, if you are doing e-commerce and you run WordPress, you may be more vulnerable. There is more security at stake. You can be tackled as e-commerce because you are hosting credit card details. They go for quite a big value on the black market.
Then they will zoom into the section where they can ensure success, such as the WordPress sites and the non-updated systems. These environments are low-hanging fruit.
Hackers know these are a better return. They can hack or attack thousands of them with automated tooling or they can attack a big one with a large sophisticated attack.
Why don’t you go for an overall attack then? It is way more profitable from that perspective.
Moqod: How would you elaborate on the idea that security is expensive? Is it true that covering everything costs a lot?
Matthew Frost: I would disagree. The way it should always work and what we also do at Uptic is that at day one we put process and structure in place. A lot of companies don’t do that. They think of covering security when they are bigger and that is actually when it costs a lot. If you start with a correct basis for security, it will cost you next to nothing. If you need to retroactively ensure security for an already large operational company, it will cost you a lot more. You will need to go back and see where your vulnerabilities are.
If you plan that into your process from the start, it is much more cost-effective.
Ensure your security from the very beginning and it will cost you very little
Moqod: Start immediately! Got it!
What are the most common reasons for data breaches or leakages in your experience?
Matthew Frost: Honestly 80% of them are not sophisticated attacks or breaching firewalls. Most of the time it is emails, phishing, USB drives dropped on the floor in the parking lot… Surprisingly, this is more effective than you would think! People are good Samaritans. They will plug the USB in to figure out who owns it to return it. Boom! Compromised.
80% come from the workforce, people using day-to-day systems and teams which haven’t been educated in IT security principles.
You may think your IT administrator is at the most risk. However, it can be somebody in your finance department, within reception, or a non-technical organization. This is where most of the attacks come from.
Moqod: You do agree that people are the weakest part of the system?
Matthew Frost: Yes, I do.
Moqod: What are the top things you need to do to get secured?
Matthew Frost: For this part, I would say the top things to do are people and the process. We all know that people use weak passwords. Having multifactor authentication immediately reduces your threat model by about 50%-60%.
Another thing is that we do lose things. Losing your laptop or phone is a risk to the business. Mobile device management and encryption are two common standards that secure you against this problem.
The third is password management. A lot of attacks just come from people just using English dictionary words. Having a password manager storage with your organization would help.
Start easy security on day one. You don’t need to worry about infrastructure at this point.
Multifactor authentication, mobile device management & encryption, and password storage are the basics to start with security.
Moqod: What is the basic toolset for a start-up to install? Thanks to you, we now have the principles. What are the must-haves for a tech start-up?
Matthew Frost: So, if you manage servers, you need to secure the management interfaces with things like firewalls or password sharing. Single sign-on is a must, centralized management identity is an absolute must too.
Then, if you are using platforms like Amazon or Azure, the way you use them determines how you have security. If you are using it as platform-as-a-service, your security is more centered on accessing the information. If you are using infrastructure-as-a-service, you have to secure the operating system with tools like private keys and certificates.
It is easy to build a straight roadmap by using the best practices. However, this can change based on your type of organization.
If you are a tech start-up that does everything from the ground up, you are going to need more principles that are readily available from standards online. If you are a company that focuses more on SaaS integration, you need to focus less on things like certificates and other low-level encryption things. Focus more on single sign-on, access, and identity management instead.
The exact toolset can be hard to give. Instead, certain guidelines can be put. If you are managing systems, access management is a must. If you are managing platform-as-a-service, then identity and data management is a must. If you are using tools like Amazon Cloud, then ensuring that every action is audited (audit logs) is a must.
These three examples imply having different tools for different jobs.
The basic toolset for your security depends on the type of job you do
Moqod: Could you please name your top 5 principles to ensure your security without a large investment?
Matthew Frost: For any security model to work, you need some fundamentals. You need a process for identifying your weaknesses, a process for mediating your weaknesses, and a continuous improvement process. My five recommendations would be as follows:
- Mobile device management. First, you need a process to measure if the devices are compliant with whatever policies you define.
- Centralized antivirus. The antivirus in itself is already good. Having an antivirus with reporting capabilities to a central management organization or somebody within your team will help you figure out if something is at risk or spreading to other coworkers.
- Single sign-on. You need this for onboarding and offboarding of new employees.
- ISO. Even though it’s quite a hefty book — read it, get it. It will help you understand how to define a proper management organization and the structure for your future as you grow.
- My fifth recommendation would be more of a mobile one. I would say: try to keep as much data off your mobile device as possible. Use encryption on mobile devices, laptops, and phones in general.
These basics will get you going. You will have a central organization managed from a security perspective, you will cover the most common threats, and you will have the control element that mobile device management gives you. ISO will help you build a more mature security organization and strategy in general for your technology organization as you grow.
Moqod: Are you saying that it is not even necessary to get certified with ISO right away? Studying procedures and standards they offer is useful for everyone. Is it correct?
Matthew Frost: Indeed! Even if you say you don’t want to go for ISO right now, if/when you change your mind in the future, you will always be somewhat compliant. The transition will be much easier. Then again, the goal of ISO is not just to get a certificate. The goal is to build a service delivery organization or an IT organization with some minimal security practices that ensure you are not at risk. By being the least low-hanging fruit, you are less prone to the attacks or they won’t even affect you.
It is about building up layers. I cannot stress this enough: security is not a one-time thing. It is building layers on layers on layers. If you peel off one layer, you are not directly vulnerable because there is a whole mechanism built on top of that structure. This mechanism protects every other link in the chain and the person/data you are trying to protect.
Security is NOT a one-time thing. It is built in layers over time.
Moqod: How strict should you be with your people at the beginning when you are a start-up? You work with freelancers or third parties when you are an entrepreneur and you only have a couple of people as coworkers. How scrupulous and bureaucratic should you be?
Matthew Frost: You don’t need to be very bureaucratic. If you are working with a lot of freelancers, you can have a Google account, Office 365 or G Suite, where all your identity management is centralized. You can have password sharing. Of course, you won’t be issuing company laptops to your temporary employees, but you can install mobile device management agents to ensure that this external worker isn’t putting your company information at risk.
Don’t try to enforce too much and be way too bureaucratic. Try to install an eco-system that aids security and doesn’t hinder convenience.
Moqod: What do you like to do the most among the tools you’ve mentioned? What drives your passion the most?
Matthew Frost: I like the observability aspects. When something does go wrong, normally you’ve got to figure out how it went wrong. I like building up systems where you aggregate all the logging information, security information, and all of the information into one place. Then you get to an entire replay of what happened. I find it cool because when you analyze it, you can figure out you got breached by something you would have never expected.
Having that central observability in the logging aspect takes a lot of time to build up. Often we see that at first people don’t get why. What is the value? When I walk down the line of it, they have a lightbulb moment and see information about what has happened. Or, they can correlate that information to something happening on the other side of the planet. You can see what is going on in Asia or Europe and see an actor trying to attack you on two different continents.
Scaling and showing your security defenses is the most thrilling part of it!
Moqod: We remember you mentioning that security is an operation. Something you must include in your day-to-day operations. However, if everything is set up correctly, what is left to do? If nothing is going on security-wise … you are secure, aren’t you?
Matthew Frost: Partially. Security is a three-phase process. The first part is identifying your weaknesses. Then, in the second part, you find out how to cover them. The third part is covering those weaknesses. This is only the implementation stage.
Once you’ve got that covered, you think: “Aha! My systems are secure now! Like they have never been before!” However, the standards for each of the security controls you implement are ever-changing.
Let’s take a more painful example. An SSL certificate. You see it in your browser — it gives you a green tick. There are so many different encryption standards behind that certificate that you might have a green tick but still be vulnerable because you haven’t chosen the right encryption algorithm. These standards change based on the machines’ power available. As machines get more powerful, attacks change as well. You are always checking your defenses and you verify whether your mechanisms are still secure to the industry standards.
Operationally, your workload goes down because you have an effective medium to push policy and enforce security.
Also, operationally, you need to manage all the events that are happening within your organization. Maybe somebody loses a device. Maybe a server popped up in your dashboard as being red or possibly compromised. Maybe there is a large attack from a foreign country, for instance, China. You need to investigate whether it’s an error and ensure that your defenses and systems are up to date, your certificates are secure, your encryption standards are up, your password managing policies are all good. These are just some of them.
Security requires permanent control and surveillance.
When we implemented ISO with you, Moqod, it was a pretty boring book. But it gives you a fundamental framework for securing your organization. Reiterating on those secure points is the major part of the ISO — the feedback loop. You are continuously measuring your mechanisms, whether they are effective or working. That is the operational role of security.
Moqod: Do you think the landscape of security has changed in the last year with all the people working online now?
Matthew Frost: We moved to a more distributed IT technology from a centralized one. Previously, we used to work with file shares, central connection points to a network like a VPN connection, and we would all access the same file share for information. Things like that were a paradigm.
We moved to the point where everybody works at home, even before COVID-19. We started using things like OneDrive, DropBox, and other tools to share information in a more distributed fashion.
I also see that attacks, in general, have moved to facilitate this. For example, you have the cryptoware attacks. They make sure that once they encrypt the content of files, those files (or the virus) get distributed to everybody. Then they start re-encrypting. They build a chain of compromised systems. These viruses are no longer looking to get to the central user information in secure servers and platforms far away. They are trying to get as close to the user as possible. Then, they further infect other users to complete the chain and go up, to the more secure parts of the landscape.
I see that the viruses have moved with the times as well and become more distributed, just like our way of working.
Viruses move and evolve together with technology
Moqod: Thank you very much! We have a little tradition at Moqod of finishing interviews by asking to tell a funny or unusual story from experience. Maybe you have a story of a data leakage caused by someone’s … stupidity?
Matthew Frost: Ok, this is not mine but it was a painful one. The most common from what I’ve seen is absolutely painful.
We are all technical people in terms of development, operations, and IT professionals. Sometimes, we make mistakes as well. I have seen development co-workers publish a public project on GitHub with their API keys for Amazon, and then wake up to a huge bill for a cryptominer. Somebody had launched as many large EC2 instances as they possibly could for Bitcoin mining. I saw this a few times.
I’ve also seen clusters like databases publicly exposed without a username or password. Credentials were just pulled from those.
Last but not least… The silliest ones I’ve seen are: “You could win €1000 if you click on this link. Download this pdf.exe file and you’ll be totally fine”. Then the person wakes up to the laptop full of encryption they didn’t actually want.
Moqod: You wouldn’t expect it from people who write code…
Matthew Frost: That’s the problem. For example, now at Amazon, they scan GitHub repositories for credentials and immediately block them. You read in the news that there has been a “sophisticated attack”. I’ll tell you, 80%-90% of them are not at all sophisticated. It’s mostly stupidity. It’s just: “Oopsie! I had my head out of the game for five minutes, and let something out and now they are in!” It’s never like in the movies where they breach firewalls and they are in the mainframe. It is more like: “Oh, accidentally sharing the credentials with the wrong email and it was intercepted because that computer had a virus. And then we never invalidated the credentials because there was no process for that in place!”
Moqod: Thank you very much, it has been incredibly interesting! We hope to see you again soon!