When Aviva Zacks of Safety Detective interviewed Chuck McAuley, Principal Security Researcher of Ixia, a Keysight Business, she found out that cybersecurity is part of his DNA. He has spent his career concerned with how cyberthreats affect end-users, namely, humans.
Safety Detective: How did you get into cybersecurity?
Chuck McAuley: My career in cybersecurity is closing in on 20 years at this point, but even when I was a teenager, it was part of my DNA. I have always had an interest in figuring out not only how something worked, but what it could be bent into doing. College degrees weren’t as specialized as they are now, and I achieved a degree in Computer Science, focusing on operating systems and networks. My first career position outside of some junior development roles was as a penetration tester and perimeter network security engineer. I would figure out how a network was broken, and then focus on protecting it. We were probably one of the first small IT business-to-business operations to offer managed security services, focused on Netscreen Firewalls and Snort IDS deployments. Very quickly from that job, I joined a startup known as Imperfect Networks that was focused on creating test solutions for the newly emerging Intrusion Prevention Systems that were coming out from many vendors, including TippingPoint, Cisco, Sourcefire, and Juniper Networks. Since then I’ve been involved in network security testing and threat intelligence at BreakingPoint and Ixia, which is now a Keysight business.
The thing that keeps me engaged in cybersecurity is the endless set of challenges that present themselves. This is an industry of constant innovation, adapting and changing as the use of computers and the Internet changes at the same time. Security comes after convenience and adoption and normally does so at a cost to users that isn’t readily apparent. The constant war against a changing battlefield, adversaries, and user behavior is what keeps me engaged year after year.
SD: What industries does Ixia, a Keysight business, service? Why?
CM: Keysight helps enterprises, service providers and governments accelerate innovation to connect and secure the world. Keysight’s solutions optimize networks and bring electronic products to market faster and at a lower cost with offerings from design simulation, to prototype validation, to manufacturing test, to optimization in networks and cloud environments. The company’s customers span the worldwide communications ecosystem, aerospace and defense, automotive, energy, semiconductor, and general electronics end markets.
SD: How does Keysight aim to stay ahead of the cyberthreat curve?
CM: At Keysight, we provide a large set of services to help keep people secure. Our best-known cybersecurity product, BreakingPoint, is a tool to watch the watchmen. It simulates the Internet at scale and complexity, to ensure that the best-of-breed next-generation firewalls, intrusion prevention systems, and other security controls can keep you safe from the threats that keep you most concerned. It can simulate 100 Gigabit+ DDoS attacks, data exfiltration, and hundreds of applications to ensure that the complexity you encounter in the real world is brought into simulation for testing and validation. Using BreakingPoint, powered by Ixia’s Application and Threat Intelligence (ATI), we can test the world’s biggest, fastest and best network security devices.
SD: What are the worst threats to cybersecurity today?
CM: Recently, I was asked on a panel, “What keeps you up at night?” My response was: people. Our increasing reliance on technology puts us at increased risk because we are more exposed, which makes us more accessible to criminals and malware. It’s not the release of leaked old NSA exploits that makes us vulnerable to WannaCry. It’s the fact that millions of Windows XP systems were working “good enough” to not bother upgrading, even after Microsoft had declared XP end-of-life. It isn’t that Mirai malware variants take over hundreds of thousands of endpoints in hours. It’s that people deploy IoT without understanding the consequences of exposing them to the Internet. A data breach happens at a credit monitoring service that impacts all Americans, and the credit industry barely notices. On one hand, this shows us how remarkably resilient we are to crime and theft, but on the other hand, it shows us our complacency and the trade-offs between convenience and security.
SD: How does your company protect the end user in the age of IoT?
CM: That’s a really good question. The Internet of Things is such a large, all-encompassing term, it helps to define what is meant when you think of IoT. At the end of the day, an IoT device is any connected and/or embedded device that wouldn’t be considered a traditional computer. Thermostats, cars, refrigerators, cameras, and even Internet routers, all fall under the IoT umbrella. I like to think of anything that doesn’t have a screen and keyboard, that runs an embedded operating system (typically Linux), and is remotely managed is an IoT device. That’s a loose definition, but it seems to be the one that best fits.
We find that the biggest risks of IoT devices tend to be the same risks that used to impact traditional computers fifteen or more years ago: remote administrative ports open (like Telnet or SSH), default usernames and passwords, clear-text administration consoles and simple CGI-based bugs. Most of these devices could be secured much more effectively by adopting well-known practices for securing devices, including two-factor authentication, API-driven administration and disabling or filtering unnecessary listening services. Many IoT devices ship with services enabled and default passwords that are useful for debugging and development, but unnecessary for production deployments.
Understanding that most IoT vendors won’t adopt these sorts of practices for a long time, we’ve developed a solution and product that fits well with protecting IoT devices called ThreatARMOR. This device is powered by our Threat Intelligence framework that tracks hundreds of honeypots and fetchers scouring the Internet. We track brute-force attempts, common exploits, phishing sites, and malware command and control locations. A few years ago, we began tracking Mirai-based botnets, and have gotten quite good at following their changes and picking up on new exploits and attempts used by them to target more IoT devices. ThreatARMOR pulls this verified feed data from Keysight’s servers every five minutes and blocks access by any IP address on that list, preventing any IoT or other devices you might have deployed from falling victim to the same attacks.
SD: How do you see cybersecurity developing in the next five years?
CM: Cybersecurity will develop more as a discipline rather than being a jack-of-all-trades broad practice. We’ve already seen this come to pass in many ways. You’re no longer a cybersecurity expert, you are a malware analyst, or red teamer, or a network security administrator. I think as we become increasingly reliant on the Internet for our lives, this specialization will continue in ways we aren’t even aware of now.
I also think that you’ll start seeing version 2 of the walled garden. Currently, Apple leads the way in terms of disallowing software and services outside of their ecosystem from working on their devices. This enforces a level of control and safety in that environment. Granted, there are ways around it, and many vulnerabilities still appear. However, I think this model will be seen as a revenue driver and adopted by any major player that sees opportunity. You will start seeing more enforcement of secure programming pushed from the gatekeepers down to application developers as the risk to the entire software ecosystem expands. On the same front, you’ll see the same from cloud providers, who will designate preferred software vendors and operating systems authorized for use.
In the IoT space, more devices will get connected and the attack surface will continue to expand. Convenience trumps security, and it will be convenient to have everything connected, whether we understand the trade-offs with risks we are taking or not. Hopefully, certification bodies will take note that IoT devices need better scrutiny before productization and develop requirements for software support. This will help mitigate many of the problems we see with lower budget IoT devices today.