Tune in to this episode of Ask A CISO to learn:
- Mikko’s TED talks
- Mikko on the internet
- New concerns with the internet
- Google, the world’s largest ad agency
- The Hypponen Law: If It’s Smart, It’s Vulnerable
- A future where programs write programs?
- The next revolution — is it good?
- About the book If It’s Smart, It’s Vulnerable
- Is the internet vulnerable?
- “Security by Playstation”
- Privacy died, and we killed it
- Tips and advice to secure your environment and regain your privacy
- Where multifactor authentication fails
About The Guest: Mikko Hyppönen
Mikko Hyppönen is the Chief Research Officer at WithSecure, and a world-renowned global security expert, speaker, and author.
Mikko has had his research published in the New York Times, Wired, and Scientific American. He regularly appears on international TV and has lectured at prestigious institutions such as Stanford, Oxford, and Cambridge.
He has delivered hundreds of talks in over 40 countries over the last 30 years, including keynotes in the most important security conferences such as DEF CON and Black Hat Asia. In 2010, he was awarded the Virus Bulletin Award as the best educator in the industry.
His latest book, If It’s Smart, It’s Vulnerable, is an Amazon bestseller.
Mikko was selected as among the 50 most important people on the web by PC World magazine and was included in the FP Global 100 Thinkers list.
About The Host: Paul Hadjy
Paul Hadjy is co-founder and CEO of Horangi Cyber Security.
Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.
Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific.
He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams.
He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking.
Hello, and welcome to another episode of the Ask A CISO podcast. My name is Jeremy Snyder. I'm the host of today's episode, and today is actually a real, real treat for us. We are delighted to be joined by Mikko Hyppönen, the Chief Research Officer at WithSecure, a world-renowned global security expert, speaker and author.
Mikko has had his research published in the New York Times, Wired, and Scientific American. He regularly appears on international TV and has lectured at prestigious institutions such as Stanford, Oxford, and Cambridge. He's delivered hundreds of talks in over 40 countries over the last 30 years, including keynotes in the most important security conferences such as DefCon, Black Hat Asia. In 2010, he was awarded the Virus Bulletin Award as the best educator in the industry.
His latest book, If It's Smart, It's Vulnerable, is an Amazon bestseller.
Finally, Mikko was selected as among the 50 most important people on the web by PC World Magazine and was included in the FP Global 100 Thinkers List.
Wow. That's quite a list of accomplishments.
Mikko, thank you so much for taking the time to join us today.
Well, thank you, Jeremy. It's a pleasure to be here.
Yeah, it's, it's really a treat to have you, and it's funny in that whole introduction, we didn't even mention the thing that I actually know you best for, and that's your TED talk on Stuxnet. To me, that was actually one of the most eye-opening talks that I ever watched about the cybersecurity industry. I'd actually like to start the conversation there.
How much time and research went into putting together that talk?
Yeah, I mean, TED really did change my life and my career. And initially, I remember running into TED on YouTube, like most people, like, what are these talks and interesting speakers, short talks, let me watch a couple. And I got hooked and then I, I decided around 20, 2008, maybe 2009, that, you know, I, I, I wanna be there. I wanna be in the audience.
Yeah. Wherever these conferences are. And it took me actually quite a while to get there. I, I remember sitting in Long Beach, California, watching TED talks together with Bill Gates and whoever happened to be in, in the audience. And then I set my next target to actually speak at TED, which I did in, in 2011. And, and by that time I had already, I had already worked with information security for 20 years, but that really did change my, my life.
Most of my work today is around doing briefings for our customers and clients and leadership teams and board members, and doing public speaking. So I'm glad the, the, the talk went well, but I did spend months building it. It's pretty nerve-wracking to try to distill your, your life's learnings into 18 minutes, which is how long TED talks are.
Yeah, that seems like a real challenge. I mean, even me, I've not had nearly the career that you've had, but getting my whole career down to 18 minutes would be a challenge for me as well.
I remember one of the things you said in the talk is that you love the internet, and I'm curious, you know, here we are about 10 years later. Do you still feel the same about the internet?
Mm-hmm. I do, I I, I do love the internet for, for real. I think it's the best thing, which has happened during, during our generations, during the early two, two thousands or during the last 30 years, maybe.
However, of course, we have a trade-off. We're getting all these great upsides, all the great business opportunities, so much more connectivity and entertainment. But we get completely new kinds of risks, completely new kinds of crime. What internet really does is that it takes away geography, and that's great for business opportunities, and it's awful for crime, and we are getting both sides, both the good and the bad.
Well, that's exactly why I asked that question, because I think even since that time that you gave that talk in 2011, we've seen real dramatic changes in new types of content and new types of risk on the internet, not only from the criminal side, but even things like propaganda, misinformation, you know, interference with elections, and all of that at the same time that is enabled by the internet, isn't it?
Mm-hmm. I remember when the internet was young and, and new, it was the adults and parents who were warning their children not to believe everything they read online. And now, today, to me, it seems like it is actually the parents and the older people who are falling for all these goddamn conspiracy theories and all kinds of weird stuff about how, you know, Covid-19 is, is a conspiracy to get something injected into our blood, and people believe the most incredible things.
And at the same time, as you said, propaganda or influence operations or information operations or election operations are actually very real. We can be controlled or our opinions can be shaped by these operations, and none of this was possible before the internet. Interestingly enough, many of the targeting mechanisms which are being used by these operations, including election operations, by access to us, the consumers, through the ad agencies, and of course, the biggest ad agency on the internet is Google.
We, we think about Google as a technology company or as a search engine. It's really an ad agency and they have built one of the best profiling databases in history, and we are all there. They know pretty much exactly who we are. And that data, that information, those, those profiles were built to be used as tools for ads.
But now when they can be used for election campaigning, it's actually dangerous, 'cuz now it enables, enables like this tailor-made micro-targeting where completely different messages are shown to different people based on what we know they like or what we know they hate. And I'm worried about these kind of developments.
Well, that's a really interesting segue into your latest book, If It's Smart, It's Vulnerable. Right? Is ... have I got the title right?
Yeah, that's right. That's the Hyppönen law.
So ... that's the Hyppönen law. So how did you come up with this law?
I think I just blurted it out by accident originally during one of my keynotes, but it really resonated with the audience and people spoke to me about it afterwards that they know that's nicely summarized on what's happening.
And of course, the "smart" here is, is a reference to smart devices, IoT devices, how we add functionality and connectivity into everyday devices and they become smart. Like your smart TV or smartwatch, your smart car, smart house, smart city. And as we add connectivity and functionality into everyday devices, at the same time, they become hackable.
If you look at mechanical devices like a traditional mechanical watch, that's unhackable. How do you hack a watch which doesn't run code?
Then you look at modern smartwatches like Apple Watch or Android watch. Of course, they might be hard to hack because they tried to build them as secure as they can, but in the end they're always hackable because it is running code and it is online, and these are being built by humans. And humans, including programmers, make mistakes.
And when programmers make mistakes, they create bugs. And when we have bugs in interconnected systems, they become vulnerabilities. And when you think about these vulnerabilities, what do you think is the thing that most people don't understand about vulnerabilities?
Sometimes I get asked that couldn't, you know, Microsoft build an operating system like a version of Windows which wouldn't have vulnerabilities? Why, why don't they do that? And, and of course there the whole concept of why we have these vulnerabilities is lost. It really is about humans making mistakes.
In the end, we can drill down to the root cause of every single security incident, every single data breach, data leak, malware outbreak, and it's always either a technical problem or a human problem. And in fact, if we keep drilling down, even the technical problems like the vulnerabilities in the end, even those are human problems because it's the designers, the coders who made mistakes because they're human.
And then we might, you know, try to look into the future and speculate that maybe one day, these systems will no longer be built by humans.
Now, as you look at technology development, machine learning changes, we are getting closer and closer to the time where programs write programs. So it might well be that eventually, we won't see bugs in the code, or the bugs in the code will be so complex that humans won't be able to exploit them anymore.
But that's maybe decades into the future.
So, technical vulnerabilities and human error, users doing stupid stuff, are the cause why we have all these problems. And in the end, even the technical problems deep down are human problems.
And will it be a good thing when we reach that point 20 or 30 years from now where, you know, computers are writing all of our code for us and we're not writing it ourselves anymore?
No, it, it will be horrible. I hate it. As a programmer myself, I hate the idea of a future where every single programmer will suddenly be unemployed.
However, it's going to happen. Exactly in the same way many of the other creative works, and I consider coding a creative job, just like artist or, I don't know, poet.
But those kinds of creative works or jobs will be gone as well. Computers will be better at writing poems or doing lyrics or composing music, and I hate that as well. I hate the idea that computers will write poems which we all would agree are better than human poems, like, deeper and more touching.
I hate that thing. I hate the whole concept, but I, I'm confident it's going to happen. So we are headed towards a revolution similar to the revolution, which happened 300 years ago when we invented artificial power. Because originally we only used muscles to do things, but then we came up with steam engine and then electrical engine, and that was a huge revolution.
A lot of people were really unhappy. A lot of people got unemployed because their muscles were no longer needed to do the job. You could do it with machines. I, of course, when we look at that revolution now, we all would agree that that was a good revolution, and those humans who got unemployed by machines back then went to do more important things. Maybe.
Well, I guess I'm hoping that maybe that's what's going to happen now as well. When all the poets and composers and novel writers and coders are unemployed, maybe they will go and do bigger and better things. Things that computers can't do.
Yeah. Well, let's hope so.
I mean, I think you can actually look at the history of our home country and what happened with Nokia, for instance, where it actually started as a water turbine generating electricity for a sawmill and grew to become, you know, a company that grew and grew for a hundred years and then declined. And we can see, actually, both ends of the revolution. The initial revolution, and kind of the closing revolution for them.
So maybe an interesting story for us and for those who are interested to go check out for yourselves.
I wanna come to your book for a second. Your book is full of stories, and I think that's actually amazing, because for a lot of people, stories make a much bigger impact than just reading, let's say, academic research or facts.
How did you keep track of all these stories over the years? Because you've been involved for more than 30 years in research, and yet you have very, very detailed stories and descriptions of days and events and things that happened.
Do you keep a running log of all these things?
Well, first of all, the reason why the book is full of stories is that I love reading books that are full of stories myself. In fact, my favorite nonfiction author is a fellow Finn, a guy called Jari Parantainen, who only writes in Finnish, unfortunately. But his books are like this: I mean, there, there's like facts and, and like data, and then a story, and then more facts, and then a supporting story.
And it makes it really nice to read it because you get, like, one part of your brain is processing factual statements, and then the other part of the brain is entertained by something engaging or an anecdote or a story. So I wanted to write a book like that myself. That's why it's filled with both facts and stories.
And I guess the benefit, the advantage I have, going back to my notes and being able to tell stories of things that happened decades ago, is that I worked all these years at the same company. The company has changed names and we've spinned or spun out a couple of companies, but it is the same company I joined 31 years ago, and I have email archives going back, I think, to 1994, not to 1991, because we didn't use email when I joined this company.
Nobody used email in 1991 or very, very few people did, but yeah. Yeah. Well, you know, we, we didn't have even a local area network when I joined this company. We were moving files on floppies from one computer to another in 1991. But I got email around 1994 and I've, I have archives ever since.
So when I was writing this book and trying to remember what happened in 1998, when this thing went down, I just went back to my archives and reread the emails. So that's one benefit you get for working at the same company forever.
I do realize that when you change companies, you can't take your corporate email with you. But I haven't changed companies.
Yeah. Wow. That's quite a history.
I mean, I think in that same time, well, I got my first email address in 1992, but that was at the university and I think we learned to do attachments maybe one year later. So yeah, I, I understand the history.
That's really interesting. I had never considered what would happen if you had 30 years of email archives.
So I'm kind of curious when you think about, you know, the history and you think about where we are today, so you're talking about IoT devices, you're talking about all kinds of devices that are connected to the internet. I mean, we must be at some insane number of devices connected around the world.
If we think about all of the smart TVs, and the phones, and the watches, and the refrigerators, and washing machines and so on. When you think about these vulnerabilities, you think about all the risks that are happening in the world. I guess one question that I have is how vulnerable is the internet itself? Because all of these systems connect to it, but is there enough resiliency and redundancy in the internet in your experience to keep us kind of going forward where we don't have this one big risk to humanity?
Hmm. The core routing systems of the internet work remarkably well. TCP/IP, the, the transport protocol that delivers all the data, works remarkably well, especially considering that it really is from the 1960s originally, and all of this was designed for a completely different world.
It is surprising how well the net works, and especially considering what you just said, 10 billion IoT devices are online already, more, more to come all the time. It's actually quite interesting that when we look at the largest botnets on the planet right now, including the botnets that are used to launch denial-of-service attacks, these used to be built out of infected computers, typically home computers, typically Windows computers.
That has changed. When we look at the biggest IoT, the biggest botnets right now, they're IoT botnets, so they're infected coffee machines, and doorbells, and security cameras, and home routers, and printers. It's easier for attackers to infect these things because nobody thinks about security of those devices, and you cannot secure them in the same way that you would secure a real computer.
You can't even run, you know, security software on them. So it, it is clearly a, a huge issue.
However, the fact that there's a huge amount of vulnerable machines and, and larger botnets than ever before doesn't directly translate into attacks against the internet itself.
You see, for someone to do an attack, they need a motivation. What's the motivation for an attacker to try to take down the internet? If you look at the different attacker groups or, you know, the various actors and actor archetypes: you have the criminals who are trying to make money. You have the hacktivists who are trying to protest. You have the nation states who are spying or waging war.
And for all of these attackers, it's much more useful to have the internet up and running than to have it taken down.
Criminals don't want the internet to be down. They can't make any money if it's down. Hacktivists love the internet. They live online. The last thing they want to hurt is the internet itself. Governments love the internet because that's how they, they've been able to change the life of spies from doing real-world spying and breaking into buildings to steal, you know, plans on paper, into hacking remotely into systems 'cause everything has become data.
Really, the only group that would logically be interested in taking down the internet itself would be some kind of extremists or terrorists. You know, someone who wants to destroy Western values altogether or whatever. And those groups don't seem to have the kind of know-how and expertise. A little bit surprising really, that we haven't really seen cyberterrorism yet.
You would imagine that one of the terror groups around the world would've already launched, let's say, combined real-world and online attacks, which would make, for example, bomb attacks worse by taking down nine one one or emergency service phone lines at the same time. You would think that would've already happened, but it hasn't. Unfortunately, probably it eventually will.
So if we are going to see attackers who seriously try to take down the whole net, I think it could be done. But right now most of the attackers we see are not interested in taking down the net.
It's interesting. As you were talking, I was thinking about it and I was thinking, well, hold on, we have seen nation-states that take down the internet for their country for a period of time, but then I thought through it a little bit more, and you realize that they take the internet down for the citizens, but not for the government itself.
So some dictator or some kind of authoritarian government, they stay online, but they take the internet down for their citizens. So I see your point completely.
It's a really interesting perspective on it.
And then when we look at countries which have taken down internet voluntarily, they use their own infrastructure, their own governmental routers or, or telcos and, and basically just order it to be taken down. That's a different thing from attacking the internet and taking it down globally.
I'm not saying it couldn't be done, but it would be done quite differently from these local outages which are planned and done on purpose.
You made another interesting point there that I wanted to dive into in a little bit more detail. So you mentioned that previously botnets were usually run on PCs and mostly on Windows machines. And I think those of us who have been in the security industry for a while, we all have our own perception about Windows. I certainly don't run it anywhere in my household.
I'm curious, you know, today, if you think about how you're actually doing computing on a day-to-day basis, maybe you're working on a Chromebook, maybe you're working on a MacBook or whatever, but 90% of what you're doing is probably done through the browser. And then actually, you know, a good percentage of our day-to-day computing is done on phones and tablets.
I guess my question to you is: are we more secure with our daily computing devices than we have been in the past, or are we actually introducing more vulnerabilities by grabbing smartphones and tablets?
I think we've never been as secure as we are today, as we are right now in 2022.
I think the security situation is, is pretty good and I know it doesn't look like it. I know that the impression in most people's minds is that the security situation is horrible and every time information security is in the headlines, it's there because there's been yet another data leak, yet another data breach, yet another malware outbreak, whatever.
Um, but it, but seriously, when you consider the technical level of, of, of security of the operating systems we run or the devices we use today and 10 years ago, it is like night and day. We are getting much, much better. And the, the main reason why the situation looks grim, it's simply the fact that only the bad news makes the headlines.
There's never going to be a headline about how a company prevented themselves from getting hacked by running up-to-date systems and deploying patches in time and running secure gateways and educating their users. That's not news when a company does not get hacked.
That's not news. It's only news when companies get hacked.
So the situation looks much worse than what it really is. And, and as you said, these mobile devices and, and the use of browsers from our computers bring us layers that make security easier to manage. And especially these mobile platforms, iPads and iPhones and, and other devices are closed devices, which means ... I'm a programmer, but I don't have the right to write code for a computer that I own, which sounds crazy.
But that's the situation with my iPad. I own an iPad. It's my iPad, but I don't have the right to program it. The only way I can write programs for it is to have the programs I write get accepted and approved by Apple, and then download them from the App Store. And that's the only way you would program it in a general-purpose manner, like you would program your computer.
If I sit down at my computer, I can write whatever I want and run it and give copies to my friends and they can run it. You can't do that with these closed environments.
I've started calling it security by PlayStation because PlayStation is exactly the same model. PlayStation and, and other games consoles are, clearly, they're computers, but you never hear about malware outbreaks or, or hacks on these computers because they're closed. Well, your iPhone is a PlayStation. It's exactly the same architecture.
It's really interesting, and it's one of those things that in a lot of conversations I've had with, with other cybersecurity leaders. We had a number of CISOs on this podcast, and one of the topics that's come up several times is actually the importance of hygiene and actually reducing the amount of extra stuff that you have on the network.
And people talk a lot about just kind of reducing the attack surface, shrinking things down. And in a way, it sounds like what you're saying is because things go through these controlled, you know, walled garden is often the, the expression used in English.
There is kind of a choke point that says either, you know, pass or fail, we're going to allow this software or we're not going to allow this software. But that leads to a second thing, which is we're now trusting someone like Apple or Google to approve software to get into our ecosystems. Does that bring another risk on its own?
Well, Apple has been doing a surprisingly good job of actually keeping junk out of the ecosystem. Quite remarkable considering the huge amount of applications that they actually have in the App Store, but there have been very few incidents of actual malware in the App Store.
Now, of course, I'm not claiming that these closed ecosystems and walled gardens are perfectly secure. They're not perfectly secure, but they are more secure than traditional completely open systems.
One claim that I hear a lot is that, you know, the existence of hacking tools like Pegasus, which allows access to, to iPhones, is an example of how the iPhone security model is a failure. And actually it's not.
It's, it's the opposite.
I would consider the Pegasus hacks a success story. You see, Pegasus is a tool made by a company and sold only to governmental intelligence agencies. It's not being used by criminals, it's used by governments and, and the victims are very, very targeted because the price of hacking an iPhone with Pegasus is around 100,000 Euros. A hundred thousand Euros. If it costs a hundred thousand Euros to hack your phone, that's a success story because it means most people will never be targeted. It doesn't make any sense to target your, your systems for a hundred thousand Euros unless you are, you are a CEO or a prime minister, you know, you're someone special to be targeted by something which is so expensive, and that is an example of just how secure these things are.
And do you think a hundred thousand Euros is more than it would cost to do surveillance against you in an analog world?
Oh, it depends, but it's clearly more expensive than hacking your Windows laptop or your Mac laptop.
That's like five bucks.
So I think that's, that's really what we should be comparing it to. It is, it is much more secure. I have no idea how much it would cost to actually do real-world operations. I don't follow real-world spies. I only follow online spies.
Well, well, speaking of following online spies, I think one of the things that a lot of people have really been fascinated by in the last five years is the evolution of spies into more, kind of, organized networks online and, and almost into professional organizations where you have, kind of, layers of specialized players, everything from, you know, ransomware authors to initial access brokers.
You have customer support, you have 24/7 payment support. You have, you know, reviews online like five stars, would recommend. What is your take on kind of the evolution of this business model and this professionalization, and how should we as cyber defenders respond to it?
Yeah, I've been very worried about the increasing profits that the online crime gangs have been making. Around five years ago, I started floating the idea that one, one day, we'll see a cyber crime unicorn. A unicorn in the same sense as the biggest technology startups are considered to be unicorns when they're worth over a billion dollars.
When maybe one day we'll see a cybercrime gang, which would be considered to be a unicorn gang.
Unfortunately, we're getting very, very close to that becoming a reality when you look at how much more money these gangs have been making every year, and the fact that they've had most of their profit sitting in Bitcoin. If you had 10,000 Bitcoins five years ago, well that's now, you know, hundreds of millions suddenly.
So the, the amount of wealth these criminal organizations have at their disposal means that we will see new kinds of challenges. We've already seen them professionalize their operations, like you said yourself. They have their own data centers. They have their own lawyers. They have their own HR department and so on. We are getting very close to the time that they can actually start expanding into machine learning themselves, which, which they haven't done yet, but I think it's going to happen in the very near future, and that's going to change the speed of their operations, because right now, the defenders, companies like ours, we automate everything.
We use machine learning extensively to be able to find new attacks and analyze them automatically, and find references to earlier attacks, and do cross-referencing, and run the attacks or samples in different environments and see how they work, and build detections and test the detections and ship them automatically, which means our reaction times are very, very fast.
Most of the attacks are still crafted manually by the attackers. They write malware, they write modified, undetectable versions of it. They keep modifying it by hand. They run their own malware campaigns manually, like sending out spam emails with malicious links. When they get blocked, they rewrite them manually, so, they're working at human speed, and we are working at machine speed, and this will change in the near future.
So they will go to machine speed as well. They will automate everything they do. It's gonna be run by machine learning frameworks, and that then means that the only thing which can stop a bad AI will be a good AI.
And how do we get the good AI and make sure that it's on our side?
We started building our first machine learning frameworks in 2005, which is 17 years ago. And today when I speak with my colleagues in other cybersecurity companies, everybody's heavily reliant on machine learning frameworks.
This, right now, the edge is on the side of the defenders. If you look at where we were 10 years ago, it always looked like the attackers had the upper hand because they could always download and analyze all the defenders' programs and they had unlimited time to figure out ways around the defenses. I think it's changed.
Now, the defenders in many ways have the advantage because of the great level of automation and, and machine learning being used to find new attacks very quickly and, and block them very quickly.
So I think, you know, we don't have to invent the good AI engine, we already have it, but how well it will be able to cope when it gets an attacker that's at the same level we'll see.
We've only got time for a couple more questions here today, but I've got a couple that I'd love to throw into the conversation, Mikko.
So we've talked a lot about security and actually, I think your view that we're at a better place with security than ever before is a really positive and refreshing one to hear. I wonder if you feel the same about privacy, and how we as citizens, whether we have the same level of privacy that we've had in the past or whether we've actually moved in the opposite direction with regards to privacy.
Yeah, I, I wish, I wish I could be an optimist about privacy, because I am an optimist about security in general and I'm an optimist about technology in general. Regarding privacy, we can't be optimists, unfortunately.
Privacy has died and it died during our watch. We were the ones who killed it.
You and me.
We killed privacy. Generations before us had real privacy. We no longer have it. The future generations won't have it either. And the main reason is that we are living our lives online. And when you are living a digital life, everything you do can be, and actually is, tracked. We even sleep next to these tracking devices, our mobile phones. They know exactly where we are, what we do, how we think.
Who do we like? Who do we hate? What do we like? What do we hate? We've become highly predictable, and since we do almost all of our communication through these devices, privacy has died.
Private discussions used to mean that you and me would go somewhere and have a chat, and no one else would know what we are talking about. Today, when we speak about private discussions or direct messaging, we're doing it on platforms, and those platforms see that you and me are discussing. If there's end-to-end encryption, they might not see what we are discussing, but they see that we are discussing something at this hour, and that means that privacy has died, and it died during our time.
And we have to feel a little bit sorry for all the future generations, because we let them down.
Well, if that's the state of play, and we're the ones who did it, what would you tell our listeners? You know, some simple tips, some advice, some things that they can do to reestablish their own privacy and to make sure that their own environments are secure.
Because I think that's really important for people to come away with a message of, like, "Here are three or five simple things that I should do every day as I'm doing my daily work to make sure that I'm doing my part in keeping everything as secure and private as possible."
Well, the three main things I always tell people are: first, back it up; second, patch it; and third, use a password manager. Use multifactor authentication. The backing up part really depends on whether we are speaking about ourselves as home users or private citizens, or working in an environment in an organization, in a company.
Of course, it's the IT department itself which takes care of these things for us. I don't recommend that end users try to do backups on their own, but for your home systems, back things up so that you can recover your memories, which we have on our phones and computers, even if your home burns down. So, it's not good enough to have it on a removable hard drive sitting in your closet. If your home burns down, you will lose all of that as well.
Think it through. Make sure that you have backups. Make sure they actually work. Make sure you can recover them, and make sure they work even if your house burns down.
Second thing, patch. People, when they get prompted about updates, don't really think about security. They think, you know, I don't need a new feature, I'm happy with the program as it is. Most updates give you better security. We should be updating whenever we are prompted to.
And then password managers and using multifactor authentication. And here I think it's important to understand how and why two-factor or multifactor authentication fails. How do you break into somebody's system if they're using an authenticator or an MFA system?
Well, you phish them. But of course, phishing doesn't get you in. It only gives you access to the username and password. But then once you have a username and password, you can start trying to log in over and over and over again, which then will trigger a multifactor authentication query, which for most users means that their phone will start prompting them over and over again.
Would you like to log in?
Would you like to log in?
Do that 20 times, then call the victim, who's just been hassled by these messages about logins that he knows nothing about. And then tell him, "Hey, this is Jack from the IT department. I report to our CISO. What the hell are you doing? Why are you triggering the authenticator over and over again? I have to report this to our, you know, security people."
Then give him a way out. Ask, for example, "Where are you? Like, where are you sitting right now?"
Well, I'm in Berlin.
"Oh, you are in Berlin, huh? Well, in that case, I see. It could actually be a buffering issue between your laptop and your phone and the authentication server.
I'll tell you what, accept the last authentication query you got and I'll clear the buffer. Let's see if this works."
And then some of them will fall for this, and they will click accept, and they think that there's a technical problem, when what they really did is just let an attacker in.
This is known as multifactor authenticator exhaustion. You overload the user with the messages and then you dial them up and give them a way out.
Yeah, there was a pretty high-profile attack based on exactly this attack vector just a couple of weeks ago, as we record here on October 3rd, 2022. For anybody in the audience, it will take one simple Google search for "multifactor authentication exhaustion" and you will discover the event that Mikko is referencing here. It is, I'd say, a very nefarious and, you know, kind of a terrible evolution of social engineering TTPs, but it is the reality that we live in.
Well, Mikko Hypponen, this has been a fascinating conversation.
I really thank you so much for taking the time to join us here on the Ask A CISO podcast today.
Mikko's book, If It's Smart, It's Vulnerable, is out. It's available. You can get it anywhere online, including Amazon, and in good bookstores anywhere around the world. The audiobook, narrated by Rich Miller, has been available since September of '22. I do encourage everybody in our audience to go and check it out.
And on behalf of myself and Mikko, thank you so much for taking the time to join us on the Ask A CISO podcast today. Mikko, thank you one more time.
Thank you very much and thank you for having me.