[RADIO INTERVIEW] Bill Alderson on the Potential of Proximity Security
Hackers can’t hit a target they never see.
But is there (truly) a reliable way to prevent your data from being exposed to bad actors overseas?
And is there a way to automate this solution, so precious organizational resources aren’t spent in a back-and-forth cyber arms race?
In this fascinating discussion they talk about the perils of server default configurations, the downside of relying on GeoIP firewall settings, and what the future of network security might look like in an unpredictable world.
TRANSCRIPT FOR CYBER TALK RADIO – EPISODE 085 – PROXIMITY SECURITY
Bret Piatt with Bill Alderson
Speaker One: From the dark web to your radio dial, you are listening to Cyber Talk Radio on News 1200 WOAI.
Bret Piatt: Welcome to Cyber Talk Radio. I’m your host, Bret Piatt, a 20-year internet security veteran. This week, we’re going to be talking, we’re going to title the episode Proximity Security, but we’re going to talk about how packets go across the internet. We’re going to get a little nerdy, so stick with us. But we’ll work through the intro to explain why this matters to everyone out there. And then for the engineers or other folks like us out in the audience, we’re going to explain some novel stuff that my guest and his company are working on. So, Bill, thank you for joining us today.
Bill Alderson: Absolutely. Pleasure to be here and to talk about our new product.
Bret: Yeah. Bill, go ahead and share a little bit about your background and what led you to the founding of HOPZERO.
Bill: Well, I’ve done a lot of work in the military space. I was actually talking at a military cyber symposium conference, just outside of St. Louis on June 28, 2016. While I was waiting my turn to speak, I was listening to other speakers, generals and other leaders in the military complex bemoaning how state actors and other folks are basically eating their lunch, getting into their data, exfiltrating it. I said to myself at that moment, “I can fix this.” The next day, June 29, I began work on the patent for HOPsphere Radius Security, which limits how far data packets can travel.
Bret: So, we’re going to go ahead and see if we can do a radio explanation of this. So, I’ll do my understanding, and then you can reach over and knock me on the head if I get some errors here. I think everyone out there in our listening audience has used a web browser before and visited a website. So, if you’re going from your cell phone to that website or your computer to a website, you have also probably experienced at your house or your office, there’s some router or cable modem or some other thing there. If you think about going from your phone or your computer to that first router, that’s a hop. As you go across the internet, that device in your house or your office connects up to something that your internet provider has that they call that their edge device, but that’s another hop.
And, if you bounce across from here to, let’s say central China, you might go for 22 hops. But if you’re going to go from say here in San Antonio where we’re broadcasting Cyber Talk Radio, and a few of you are listening to us on iHeartStreaming, thank you very much for listening outside the audience. If you’re on 1200 WOAI, we appreciate our wonderful live listening audience there on the great AM radio as well. If you’re going, maybe to that iHeart Radio website, which is here in the US, you might be going for six hops or eight hops or 10 hops, but you’re certainly not going 22 hops. So, even these nation state actors, if I was a government across one of the oceans from the US, do I have control over the number of hops a packet takes across the internet?
Bill: As a state nation, no. The internet is filled with really millions of routers. You have one in your home, we have one in our businesses, and those state actors have them there. But because there are millions of routers, there’s still a path between any two locations on the internet, which is typically less than 40 hops. Anytime you have less than 40 hops, you are not communicating to the entire world. If you have like default settings for Microsoft is 128 hops or Oracle databases which are at 255 hops, Linux is down at 64 hops. So, any of those devices in their default configuration out of the box, they can communicate around the world.
Bret: Yeah, they can. 64 hops away will get you anywhere with quite a bit of margin of error. This hop setting, and for those listening, we’re trying to learn a little more about this, so you’ve probably heard of TCP/IP before. The IP, that slash IP, the second part of that is actually the base protocol, that’s what’s called the Internet Protocol. Inside of that IP packet, there’s a header. In that header, there’s that field for the hop count.
Bret: What this prevents is if you end up with a loop on the internet to where some device was routing improperly and it was bouncing back and forth, this keeps those packets that we’re trying to travel to that destination that gets stuck in the loop from bouncing around forever. So that the hops will eventually expire, 64, 128, 255 and they would dump off. But you guys have done something novel to, and even novel by the definition of the US Patent Office, to protect people from being able to communicate further than they need or to maybe even shorten the amount of time if something’s lost and the internet that it bounces around out there.
Bill: Exactly. And that creates safety. So, instead of being exposed to an attack surface that is the entire world, the entire internet, we reduce the attack surface of these devices so that they can’t be communicated to nor can they communicate from.
Bret: Yeah. So, example with that Oracle database. So, say if we were only supposed to be communicating with that database via computers connected to its local segment on a VPN or other hosts across a maybe a secured zone but no more than one other network away, you could lower that hop count down from 255 to four or three, and it would stop those database packets from getting out onto the internet. They would just expire, and the router would drop them.
Bill: Precisely. That is the most powerful capability, it’s changing that 255-hop count on an Oracle database that contains SOC data, PCI data, PII information, health information, you change that from its default setting down to, like you said, four. If there’s four routers in the data center, and we have a hop count of four, it decrements through each router. When it decrements to zero, when the hop reaches zero, that’s why we named our company HOPZERO, is because when the hop reaches zero the packet is destroyed by every router ever made. It is part of IP and what makes it work. So, we don’t have to put any software on any routers or anything. In fact, that Oracle database, we don’t have to put any software on that Oracle Database either. All we do is change that value in the operating system so that it will only communicate four routers deep.
Bret: Yeah. And so, I’ve got some real security geeks and Sys-Admins out there in the audience, they go, “Well, why don’t I just go change this on my database server by myself? It sounds like I should just do this right now.” Great idea. But it’s not that hard, is it?
Bill: Actually, you can do it. I encourage you to do it. As a matter of fact, as soon as you’ve got about 10 or 15 set like that and there’s one little bump because something does go awry somewhere, and the hops increase for a little bit, our system will find that and adjust for those. And, we will monitor for anything trying to escape beyond it. So, we really want people to go set the hop count because after you do it on 10 or 15 stations, you’ll be calling us up and asking us for that additional software that does all of the other.
Bret: Yeah, how do I automate it?
Bret: Yeah. So, as you are digging through working on this idea and you realize like no one has done this before. What was that kind of epiphany moment of this is a real kind of clean, easy way to increase security, to make the attack surface smaller, to add attackers another hurdle they have to overcome? And you’re thinking, and what was that epiphany moment when it came through, what was going through your head?
Bill: Well, at that time that I decided that I was going to write the patent, I had already known for many years how IP hop count worked. I’ve trained 50,000 technologists in 27 countries on network forensics. So, I had presented what a hop count is and how those fields are and taught people how to use Wireshark to look at that metric and that sort of thing for many, many years.
However, it wasn’t until security became such a huge problem that you no longer wanted your hop count to be enough to go around the world. Now you are looking at saying, “Hey, man, we, we don’t want to communicate to North Korea and to other places on the globe. We want to restrict how far we communicate.” That’s when it really dawned on me that the firewall with all of its capabilities is unable to limit the distance. So, whereas the firewalls take care of keeping things in or keeping things out. HOPZERO’s solution limits how far data can travel.
Bret: Yeah. Speaking of firewalls, so why wouldn’t I just … If I didn’t want to talk to China, doesn’t China have some set of IP addresses, wouldn’t I just go block all of those?
Bill: That is correct. You can use GeoIP in the firewall and say anything that’s in China by virtue of its IP ranges that IANA gave to them et cetera. You can restrict where your packets go. Now, the trouble is that sometimes there are applications that need to go to China and certain providers, web providers and the like have things that are in China and you do need to communicate. So, when you hit that bit and say “absolutely nothing from China,” you now may have stopped a service like GoToMeeting. It may not work anymore or some other application.
Although that does work, and it is a good solution, it doesn’t work in every single case. When we set hop count, we set it on an individual device basis, not on a global basis. We can even set it by port. A cool thing about setting it by port is that, let’s say you have a web server, the web server you want to reach the entire globe. However, you don’t want Port 22, which is the SSH port through which you can get access to the root functions of the box and control it, you don’t want that Port 22 going around the globe. So, you’re going to restrict Port 22 and allow Port 80 and Port 443 to be able to go around the globe.
Bret: Yeah. That is you get out. For those that have not been in hands-on managing firewall policies, as soon as you start trying to have IP exclusion ranges by port and protocol and individual server and system, you end up with a firewall rule set that is unwieldy and unmanageable. So, as you start thinking through some of these simple scenarios in your head, you’re going, “Well, I could just do this, I could just do that.” There’s a reason that those things don’t necessarily work.
So, if you’re listening to us live on the radio, you are on 1200 WOAI, this is Cyber Talk Radio. We’re talking cyber security. If you are listening to us on iHeartStreaming, thank you for joining us there. If you happen to be on your iPhone or Android device streaming our podcast, thank you for joining in to listen and be part of our audience there. You can also follow us on Twitter @cybertalkradio. You can find us on Facebook or on our website at www.cybertalkradio.com. We’ve been talking about network hop count and the patent and some of the work that Bill is doing with his company HOPZERO.
Bret: So, you’ve made the drive into San Antonio this morning down I35 coming this way. So, you guys are headquartered up in Austin, Texas?
Bill: That’s right. We are headquartered in Austin, Texas, and we actually have an office out of the Concordia University incubator there. It’s called CTX Incubator.
Bret: So, you’ve been all over the world as you’d said earlier training folks on these things. How did you end up in Austin, Texas?
Bill: In 2005, NetQoS, a performance company that was later bought by Computer Associates or CA Technologies bought my company that I had run for 16 years training tens of thousands of people and certifying 3,000 Certified NetAnalysts. When they bought the company, that kind of meant that I was going to have to move out of my home state of California where my family has been since the mid-1800s, just south of Monterey on the Monterey coast, to Texas. I thought, “Okay, I can do this for a little while.”
Well, it turned out to be a fabulous place. And then later on after I moved here, the company got sold to CA, and that kind of freed me up to go wherever I wanted. I ended up moving back to California, and just six months ago because all the development people that I know so well, the experts in processing this type of data were here in Austin. And so, I moved back purposefully to take advantage of the great people who were in the Austin area to help me build this company.
Bret: Yeah. As you guys go through on the startup path here, so many folks out there, I think there are cyber security practitioners listening to this. So, starting your own cyber security product company. You had this patent, this idea, you knew some people that can do development and kind of help you build a team, but how do you go from patent an idea to an actual business that’s up and running?
Bill: Very painfully. Even if you have an idea that sounds terrific and is terrific, it still has to be brought into some reality. You start by socializing it to some degree, and of course you don’t want to socialize things until you have your information patented. So, I waited until I had it patented and then I started talking about it, blogging about it, discussing it and socializing it with other technologists.
Bret: Yeah. Now you guys have been up and running for a couple of years now.
Bill: Actually, I have been up and running for a couple of years as the founder. However, I worked on the patents and started socializing it, working with investors and people that could help me do it. And actually, in February 2018, February 1, our team started. There’s four of us. That’s actually our true start date per se of when we started really writing serious code, other than prototypes.
Bret: Yeah. So, as you get out in front of early adopter customers and you start talking to folks about this. What are the reactions you’re getting from some of the networking or security teams?
Bill: It’s pretty eye opening. When I explain what we’re trying to accomplish, whether it’s the Cisco development team, security team or Juniper’s team or Symantec’s team, they come around and they start looking at it and they say, “So what is this?” I explain how we’re limiting how far data can travel by starving time to live. They look at one another, they look at me kind of with some curiosity and say, “Why didn’t someone else already do this?” To which I say, “I don’t know, but we’re doing it now and it’s very powerful and it’s going to make a dent. It’s not going to change everything, but it’s going to make a very serious dent. Our objective is to stop the wholesale raiding of America’s data and the world’s data, so that everyone can keep their sovereign data theirs.”
Bret: Yeah. It’s interesting. We talked a little bit about how the hop stuff works. If you think analogy, if you’re out there listening still and not quite all the way up to speed. From air travel, like you think about, “I’ve got to go to one airport, and then I’ve got to go to another airport. I’ve got to go to another airport.” So, if you wanted to stop people from flying from San Antonio, Texas to the Middle East, if they were only allowed to take direct flights, you’re not going to be able to get there. You can’t fly on an airplane directly from San Antonio to Dubai. You’ve got to hop and stop somewhere in between.
Bill: Exactly. And, just another internet application that was one of the very first was BGP routers. BGP routers have a hop of one when they broadcast their routes. That’s purposeful so that they cannot peer with other than a direct adjacency. They don’t want to peer with some router that’s across the world or across multiple other routers. So, they limit the hop count to one, and that’s one of the major applications of hop starvation is the BGP router only allowing one hop so they won’t peer with other than adjacent peers.
Bret: Yeah. For those that … BGP is the way that all the different people out there on the internet talk to each other. So, if I was AT&T’s internet service provider and maybe I was Verizon, they will peer with each other over BGP. So, it’s kind of a low trust way to connect with each other. You only have to advertise all the IP addresses that folks can reach through your network. You don’t have to share any topology or other details with somebody who might be a competitor. It’s interesting though, BGP even with that hop count limiting is a frequent target of attacks. There was one recently here up in the Chicago area data center peering where Amazon’s Route 53 DNS service got hijacked for a couple of hours over a BGP attack.
If you are curious to learn a little bit more about BGP, there’s a recent article, there was plenty written up about that attack on Amazon’s Route 53 DNS service. That’s a good one to get started. And then you could go down a rabbit hole of BGP attacks for the rest of your life.
Bill: Just like every other kind of protocol out there. It’s very interesting. I did a study on my own internet connection. What I found was over the period of about eight hours, I had 2,126 different organizations or IP addresses trying to attack my system. Now the firewall did block those attempts, but how often are we tempted to just shut off the firewall for a couple of minutes to see if this other application will work? Well, I’m here to tell you that if you do that, there are thousands of devices around the world which are constantly, even on a home connection to an ISP, constantly looking for any little hole that might develop. It’s amazing that there is that much traffic, a huge amount of traffic of little attempts on every protocol to break into your home overnight.
Bret: Yeah. As folks go, “Well, why doesn’t your internet provider just block all this stuff?” They can’t. Because they don’t know whether Bill went to that website or didn’t go to that website. They’re delivering an IP packet that says I’m coming from this address, I’m going to this address and there’s a little bit more metadata and things on there. But the internet service provider doesn’t know if Bill asked for that packet to be delivered or not.
Bill: Exactly. So, they have to allow pretty much everything to see what develops of it. And then if there is a legitimate connection, or even an illegitimate connection, the internet does not check the security of any of the communicators on the internet.
Bret: No. Those internet connections are just the highway system connecting different things. If you think about that airport analogy again, there’s security checkpoints at the airport. At every airport you fly in if you land in another country, you go through another security checkpoint. The airport analogy is useful for explaining the hop count piece, but it’s much more like a highway system. I can get my car and I can drive from Texas all the way to New York and I don’t want to have to stop at a single security checkpoint anywhere along the way. The state of Texas is responsible for the roads here, and as soon as I cross into Oklahoma, they’re responsible for the roads there. So, the internet is set up very much that way as you go across on your computer.
Built into any operating system, there’s a command called traceroute. You can open up a command prompt and you can use traceroute. There are even some websites that will do traceroute stuff for you and you can see the different hops there. If you have the DNS resolution turned on, it will also show you the names of all those routers along the hop path. You’ll be able to see pretty quickly that you go from your ISP to some other ISP to somebody else to somebody else before you finally maybe get to the website. If you’re going to go shopping at Amazon, you might cross three or four different providers to go from your internet provider at your house to a backbone provider or two before you reach a website.
Bill: Exactly. I always talk about limiting how far your kids can drive in your car by reducing the amount of fuel or the toll value that you give them to go across bridges or roads. When the hop equals zero or the toll equals zero, you can’t go anymore.
Bret: So, you’re listening to Cyber Talk Radio on 1200 WOAI. We’re going to go ahead and take a quick break here at the bottom of the hour for news, traffic and weather update. We will be back with the CTO of HOPZERO to keep talking about how to keep data safe and protected from exfiltration on the internet.
Bret: Welcome back to Cyber Talk Radio. I’m your host Bret Piatt, a 20-year internet security veteran. I’m joined this week by the founder of HOPZERO, Bill Alderson, and we were talking about the novel approach to limiting how far your information can go across the internet that Bill has uncovered and is using to help businesses out there now protect their data from making it further than it needs to on the highway that is the internet. Thank you for coming down the highway today to join us from Austin, Bill.
Bill: Awesome to be here with you, Bret. It’s really nice here in San Antonio although I hope it’s going to break through and we might see the sun today.
Bret: If you’re just joining us after the bottom-of-the-hour break, we’re talking about how to keep things safe, and how the default operating system settings tend to over-communicate and overshare maybe further than you need to. You can listen to the first half of our program on Tuesday, May 15th. It’ll go up on our website at www.cybertalkradio.com. You can also find it on iTunes podcasts or on any podcasting service on your Android device.
In this segment of the program, we’re going to talk about some of Bill’s other experiences recently here in the cyber world. We have a giant annual conference, it’s now giant because the cybersecurity thing is starting to matter to more and more people. It’s called RSA. Used to originally be about a company, if you’ve been in the cyber industry for quite a while, they made the two-factor authentication tokens. You might have one from your bank these days, you might have one from the VPN service for your company. Now that conference has massively outgrown just multi-factor authentication. Can you share a little bit for our listeners that have never experienced RSA or learn much about it, what went on out there this year and kind of what’s your reason as an industry professional for visiting something like that?
Bill: RSA is in San Francisco at Moscone Center once a year. They also have it in other locations around the world but that’s by far the largest gathering of security professionals from around the world. I went this year to showcase, and we were selected from a large number of companies to be in the early stage expo, where new technology was shown to the market. And that’s predominantly why we went out there this year. Last year, I went as well, just wanting to be more informed, to see what the market was doing, to understand new products and services surrounding security. Thousands. I think there were 41,000 or more people, end-users and technology people, who attend the show each year.
Bret: For folks in San Antonio, to give some size-scale scope, our convention center here holds about 20 or 25,000. So, the Moscone’s broken up into multiple convention centers and then that RSA conference floods the convention center and a bunch of hotel exhibition space there. It’s one of the probably five biggest conferences each year in San Francisco. But it’s a huge event all now tied to cybersecurity, from authentication through to network through to application security to everything you can think about. So, as you were out there and you’re in this new technology expo, was there anyone working on something in another area that you thought was interesting to you as a practitioner that folks should be checking out?
Bill: I can talk about it generally, I don’t know all the buzzwords and terms associated with this. But this is about taking software that has been written for various operating systems and putting it into a non-operating system environment. What they do is they take your software and they put it into something that let’s say it’s supposed to run on Linux or Windows, and it doesn’t run on Linux and Windows. They take the components needed to only run that application so that the operating system that usually runs your application cannot be hacked by other means. I found that really exciting because that’s going to lead to our ability to have software that’s not on an operating system that has these proclivities to have problems.
Bret: Minimizing that attack surface, again, just back to the same kind of fundamentals with HOPZERO, all the different places you can go through to minimize attack surface, you make the job of the hacker much more difficult, job of the bad guy. And it’s his job these days. For those that think hackers are something like out of a movie you see on TV or just WarGames, these are sadly now, professional criminal organizations. And in many cases those professional criminal organizations run as an employer inside the country that they’re operating in with kind of the country turning and looking the other direction. Those countries have employment issues, they have salary and wage issues, they have economic issues that make them turn and look the other way.
And these criminal organizations agree to not hack businesses inside the country they’re operating from but they’re kind of free to go hack all across the globe. And because the internet is this big connected highway system that doesn’t necessarily have security checkpoints, there’s nothing to stop the folks in these different places from going in, hacking, stealing information or locking systems up for ransom or doing these other things. If you think about a police investigation, so from a physical, if you’re a business in San Antonio, Texas and somebody came in and kidnapped your staff. Well, they’re going to have to physically be at your office location, they’re going to have to physically hold it for ransom, they are there. The police in San Antonio, the FBI in San Antonio, whoever could come respond to that.
If your business gets attacked across the internet, those criminals didn’t have to physically be here. They got to virtually be here, they got to go 22 hops across the internet to get here. And those criminals, if you call the police here in San Antonio, they’re going to forward to the FBI, that’s going to get forwarded through to Interpol, Interpol is going to go, we don’t have an agreement to operate inside of that country and we can’t really do anything to help you. So, you have to do things proactively yourself to minimize your risk from some of these places.
I would love to solve the geo-political problems of the world so that countries didn’t have the incentive to allow these type of organizations to operate from within their borders to help their economies, but that’s a topic for another program and a thing for another time. And while the world is growing up in the way it is today, the onus is on us to do things to protect ourselves.
Bill: And another application that had a lot of talk was of course blockchain. And blockchain is the ledger technology behind Bitcoin. And of course that works perfectly for that. I ran into an old friend of mine, Radia Perlman. Now, Radia was the one, if you’ve ever heard of a switch or a layer two switch, she wrote the protocol that keeps loops from occurring and that’s called the Spanning Tree Algorithm.
And Radia is a brilliant woman who has … When you think of brilliant women in the industry, you think of Grace Hopper, the admiral who brought a lot of technology in. Well, Radia is kind of another person, another woman who has seriously brought technology in. She has just written a white paper claiming that probably blockchain isn’t a perfect application for every kind of use. It works good with Bitcoin but not with the other applications that people are trying to apply it to, although it’s very interesting. So, if somebody wants to look up and find out a little bit more about blockchain, she has a white paper that she’s written out there that basically is the other side of the coin, so to speak.
Bret: And if you follow us on twitter @cybertalkradio, we’ll get a link to that up probably with the blog post, an episode recap that we will do for the program here. Definitely, interesting reading that’s blockchain is going to be an area with lots of innovation, there’s counties out there going to using blockchain based things for title searches and for deed history and records on property. There’s some interesting places that it’s going to get used and I think that we’re going to see over the next 10 years or 20 years. Some places where people use it and you’re going to look back and go, they really shouldn’t have done that.
So, hopefully, reading her white paper will help some folks avoid those decisions that put them down a path of regret later on. Because after you make a technology choice, it’s often pretty hard to go back and make a wholesale change of something like that. This is why you end up making add-ons and security measures and controls around the system rather than just replacing the whole system itself.
Bill: So it was really exciting to bring out HOPZERO and HOPsphere Radius Security to the RSA event. We received a lot of interest from Cisco and Juniper and Symantec, just a lot of vendors who are amazed that, this sounds like an incredibly good idea. And they always ask, why didn’t someone think of this before. And then they kind of look at me curiously, just wonder, why you?
Bret: And they’re going to go back to their R&D teams and go, how did we not patent this. Because now they can’t go do it. Well, they can. They just need to call you and get a license.
Bill: There you go.
Bret: Yes. So Bill’s phone is waiting for your phone call, Cisco. As you were out there working on this, and we’re going to air here in the middle of May on Saturday night, there’s going to be some cyber folks that are probably up right now working while listening to this because they’re trying to figure out how to deal with GDPR. They’re going to try to figure out how to deal with the requirements around data exfiltration and data notice and the rest of these.
As I’m thinking through this just in my own head, it sure seems like HOPZERO and this type of technology is a great way to be able to go back to a regulator and say, my hop count on my database server that contains the sensitive information is set to one. And that means only these direct computers can talk to it, it can’t go any further than this. I have evidence that these systems are all secured, controlled and they have not been compromised, and that means the data could not have leaked any further than this. So, from a hack or a data exfiltration perspective, the information couldn’t get off of the network and you could go definitively prove that pretty easily.
Bill: Exactly. And in our effort to determine what the appropriate hop count is, we look at every packet that goes in and out of your organization or in and out of a data center and we tell you exactly where your data is going. After we have mapped out where your data is going around the globe, we sit down with the data owner of that application who is aghast to see their information exfiltrating to Kazakhstan and other parts of the globe unbeknownst to anyone. And the security people are doing a really good job trying to watch where your data is going but it’s really illustrative to have a map of where your HR database is going, where your particular owned application, SAP application, is going across the internet. And it’s amazing to see where your data is going and people are aghast to see that it’s traveling to faraway locations unbeknownst to them.
Bret: If I wanted to do discovery with HOPZERO, so say I just want to understand where my information is traveling. What does that look like if I call you on the phone and say, Bill can you come out next week and send your team and let’s go ahead and do discovery for my Tier 1 applications?
Bill: Actually, it’s easier than that Bret. What we do is we instruct your security people to give us just the network headers, just the information that routes packets. They give us that information, a small snapshot. We take it, put it into our mapping system, analyze it and then show you on a map where your data is traveling. And when you click on one of those points it tells you, is this a Tor exit node, is this an anonymous VPN. All of this type of information about that particular point that you’re communicating with. We also tell you how much information is exfiltrating out to that point and how much information is coming in from that point.
And because we have such a performance analysis background, we just went ahead and said, “well, what’s the throughput that this device is sending your data to determine the sophistication level of who’s hacking you or who’s getting into your information?” And we do latency analysis on all of those. So, when you click on one of those points, you’re presented with a whole bunch of very valuable information about who you are talking to. And we have found for instance on some applications, just looking at all the data and we found HVAC systems communicating around the world. And creating-
Bret: Target would have liked to have known about that a little bit sooner. For those not hearing my joke, and this is not really much of a joke. For those not hearing or understanding my comment, it’s Target; the data breach there was through their HVAC vendor in their air conditioning and control system.
Bill: And it’s amazing once the application owner sits down and looks at where your data is going, what that does is it allows the application owner of that information to sit down with the security people and to begin to mitigate where that data is going. Because if you think about it, the security people are in darkened rooms, looking through logs, looking at Splunk data, looking at log data trying to determine where your data is going. But they don’t always know where it is supposed to go and not supposed to go. Who knows that? The application data owner knows that.
Bill: So we present our maps to those owners of information, the business people, and say, this is where your data is going. And what that does is magically begin to get the people with the money and the influence in the business units into the security space, helping the security people and funding those initiatives to go about mitigating this data traveling to places beyond where they care for it to be traveling.
Bret: It’ll be interesting to see with the size of the fines on GDPR how this changes some of the business risk decisions. Because I think if you go: “look, I mean, what I’ve heard on the Equifax breach has cost $250 million, they’ve blown their insurance policy out of the water. They’ve been on the hook for a big chunk of that themselves, but many of these data breaches end up being 20, 30, $50 million, and if you’re a multi-national, multi-billion-dollar-revenue company, sadly enough we end up with $10 million mistakes on a fairly regular basis and you have to just kind of take that as part of doing business.” But now with the GDPR, we’re looking at potentially billion-dollar fines for this, and I think every company in the world looks at a billion dollars and that’s still a real number, even Apple.
Bill: And to build on that, GDPR, they have the ability to assess up to 4% of your global revenue, gross revenue, not net revenue, which is an amazing amount. So, in our product, when you get one of the maps showing where your data is going to or coming from, we have a button you click, GDPR. And guess what? It shows you all the places on the map where you need to apply and make certain any data that you are getting from that nation, you are treating appropriately for the GDPR rules.
Bret: So you can provide visibility into that as well.
Bill: Exactly. Any port or protocol. A lot of people look at it and say, we’ve been trying to get SSL on all of our web servers throughout our entire company. And then they’ll find that port 80, which is the HTTP protocol, is open. Well, you click a button and it will show you where all your port 80 is going around the world, and also how much information is going out and how much is getting in by each peer going in and out of your organization. They say, and you can probably speak more highly on this than I, that it takes about 250 days to find that you’ve been infiltrated.
And so the hacker is sitting there having a field day for 250 days. I mean, that’s just under a year that they are having free rein. And by looking at where your data is going and getting the end-user involved, it very rapidly starts to mitigate, and it’s not only on the shoulders of all the security people. Thousands of security people are trying to figure out what to do, but they need some input. They need some help from the data owners by looking at where their data is going and giving them information and saying no, it shouldn’t go here and yes, it should go there.
Bret: Interestingly enough, you would think it’s good news that the average amount of time it’s taking a business to detect it’s been hacked is going down. And you’re like, this is great, we’re doing good work. Well, what it turns out is that that number is going down because of ransomware. You find out immediately that you’ve been hacked when the pop-up shows up on your computer screen. So there are all these data points now that are one day, immediately. You’ve discovered in one day that you’ve been hacked. So that number’s down to about six months on average still. Even with all of those ransomware pop-ups out there, it’s still taking an average of six months.
And we’ve had on Chris Garrett who used to be in the U.S. Air Force doing malware hunting and network reconnaissance. He talked about hunt and trying to go find attackers that are already in your network. I think something like what you all are doing with HOPZERO to … They’re going to get in, sadly enough, and anything you can do to slow them down, to make their life more difficult, to make their life more complicated, it will increase your odds that you are able to successfully mitigate any damage. If you go on like the physical person analogy of, if I go next door into a high-rise office building and I start walking around floor to floor, I probably can get over there, I can tailgate somebody through a door, I can get in and I can wander around the building. But am I really going to be able to grab somebody’s laptop or some other sensitive records and get out of the building before anybody notices?
Hopefully not, but the longer I’m allowed to wander around and the fewer locked doors you have, if you don’t have laptop chains locking the laptops down to desks and those sorts of things, the easier it’s going to be for me to steal a laptop. If it had a chain locked down to the desk, I’ve got to have bolt cutters with me. If I don’t have bolt cutters, well, I just failed on that attempt; I’ve got to come back with them again tomorrow. So all the things you can do digitally to make it more difficult for the attackers are important. Each one of these adds up to increasing the likelihood that they get caught or they give up and move on to an easier target.
Bill: And one of the troubles is the social engineering aspect, like you talked about, of sending in phishing and spear phishing. Where they send you an email and it looks like your bank, it looks like your boss, it looks like your friend, and you click on that and boom, you’re going to North Korea and you’re going to get compromised. Well, part of what HOPZERO HOPsphere Radius Security does is lower the number of hops that devices are able to go. And for instance, a lot of people use proxy servers in order to protect information that users are clicking on things. But what happens is it goes out and it can go out around the world. Well, where do hackers hide? Yes, they are in the United States, they’re in other locations, but they work with impunity when they are beyond the border, when they are beyond the rule of law.
And so what we try to do is lower your risk to those deep web people beyond the rule of law from simply just donning a little tool that they downloaded that has the NSA toolkit or the CIA toolkit on it and they just start pummeling away at your devices. When you’ve lowered your hop count, they can’t connect to you and you can’t even get a login prompt in order to use … Trying to crack a password. So it’s really very powerful.
Bret: We were talking during that bottom of the hour break about an animation in your website. I know I’ve used a couple of analogies here during the program. But there’s an animated video on the HOPZERO website that goes through some of this in some more detail. If folks wanted to go visit your website and check that video out, where would they go?
Bret: Bill, for the kids that are in our audience, CyberPatriot, we have a lot of folks doing that listen out here, but should they worry that we’re going to solve all of the cyber security problems before they graduate from high school?
Bill: I think their future is secure. However, in the future, right now HOPZERO is working on securing the enterprise, but our technology works in the home as well. So, if you have IoT gear, for instance, your refrigerator, your thermostat, your Barbie doll, your Dino toy. They’re all in your house, they can connect into the middle of the internet, and once they do that, they can have a backdoor back into your network. By limiting the hop count of IoT gear, whether it’s commercial or home, you can keep those devices inside your home and limit how far data travels and keep that data in your home.
Bret: Thank you very much for joining us and thank you for doing your part to make the internet a safer place.