Bill: Robert Hurlbut is an independent software security consultant. He owns Robert Hurlbut, based in Enfield, Connecticut. Robert's background is in math, physics, and computers. Robert helps companies understand security issues and how best to address those issues in their products and services. He provides training and consulting, as well as workshops, on security topics. Please help me in welcoming Robert Hurlbut to the front of the room.
Robert: Thank you, Bill. Well, earlier I spoke a little bit about some of the things that I do with my company, through my company, with computers and so forth. A little bit about me - my background goes back a ways. I was thinking this morning as I was coming here - the bio on my website says 20 plus years in software development, architecture, and other kinds of things with computers. But then as I was driving here I said, "Whoa, it's actually 30 years now," which is a long time. But that also means that I have seen a lot of changes, as you probably have as well, in the computer industry.
There was a time when we used computers but we may have been afraid of them, or we didn't use them that much. These days, most everywhere, everyone is using computers in some way. For example, they might have a Facebook account, or they might have a LinkedIn account, or they might have other kinds of social media that they're using. They're more and more on the web. And along with that, they're also putting their data out there. More people these days are shopping online than ever before - Amazon and so forth. That's how they get their stuff, right? They don't go to the mall as much anymore. They get online and they put their credit card information in there, and that's how they're getting their stuff. But with that, that means that people are also more vulnerable.
We've heard of a lot of these credit card data breaches, where someone's got a credit card and we get those letters in the mail that say, "Hey, by the way, you probably have been involved in some kind of data breach. You might want to contact your bank. You might want to get a new credit card." Even worse, we've seen health care companies - hospitals and so forth - that have also been breached, where now they have something even more important and more necessary to us: our health care information, which is also necessary to them. We can easily get a new credit card. It's not so easy to get a new personal information status for us, not so easy.
So those are the kinds of things that are scary and they're out there, but we also know that we need to be prepared. As I said, I started about 30 years ago in computers - working professionally in computers - and that was actually right out of high school, through college, and then continuing on. And one of the things I noticed - about 14 years ago or so, we know 9/11 happened, and that really affected us, not only because of our safety and the other things that we understood about. It also impacted computers, because one thing we may not realize, and not everybody knows, is that there were also cyber threats happening all day long during that attack, and it was unprecedented. Since then, more and more and more we are seeing all kinds of attacks against companies, against governments, against data, all the time.
And so about 12 years ago I started focusing myself more and more on security. I started by teaching people, just in my own little group in my company: "Hey, we need to be more secure. We need to think about security a little bit more," and about how we can protect our data, how we can protect our applications. And then I've gone on and continued to do that for other companies - not just where I was, but other companies as well. I found, though, that in the last year or two it's really picked up. I get calls: "Can you come help us?", "Can you talk to us about security?"
One of the things that I do through my company is help companies with what's called threat modeling. What does that mean? Essentially it's helping a company understand the threats, or the potential problems, that are out there and then how to deal with them, and set up a plan. We saw that today in our earlier presentation about our own personal safety, so I think we understand that from a personal perspective: that we need to be secure, we need to be safe, we need to be aware. But believe it or not, there are still companies that don't understand that. They don't understand that. "They're going to go get the big companies, but mine is safe." What I do is try to help these companies think about those things.
There is a document that comes out and is renewed and updated and so forth every few years called the PCI document, which is Payment Card Information, and it talks about how you store your data, your credit card information. It's a guideline for companies, and the companies that want to store that information need to be compliant. Any of your major vendors, they want to be compliant. There's a particular line in that document that has always bothered me. It's, "Have a firewall or do secure code review." It's do one or the other. Now, guess what most companies will do? Can you guess? The firewall.
Now, what's a firewall? Just to let you know what a firewall is, think about your home. Imagine if you had a fence around your home, okay? That fence is your firewall, and your computer company, they may set up a network boundary and put up a firewall so that people can't come in. It closes everything up and tries to keep other people out. On the inside of that fence, imagine if you kept your doors open and your windows open, and let anybody come in. Well, "I've got a firewall. I've got a fence. As long as nobody gets past the fence, we're okay." What that line said was either put a fence up or check your internal system to make sure it's secure, and most would say, "I've got a firewall." That's the computer security our computer companies have been running for a number of years. "I've got a firewall. I'm safe."
What I'm doing is trying to help these companies understand that that's not enough. You also need to check what's inside your perimeter. That's where the data is. That's where the credit card information is kept, the applications that you're running, the website and so forth. That's what also needs to be checked and secured. When I work with a company - and I work with their developers and their project managers and other people in their company - I'll ask a series of questions. Are you doing this? Are you doing that?
One of the biggest questions I ask - the number one question I ask - is, "What keeps you up at night? When you go home at night, is there something in your system, something that you're doing in your operations, that if somebody were to take advantage of it, would worry you to no end? What is that?" You'll be surprised that that one question will uncover so many things that are just not even said sometimes, and it'll come out: "Yeah, we have a system where it's not password protected. It's just wide open. We don't even think about it because we've got all these layers that nobody'll ever get to." Aha, aha. Actually, it's an interesting thing: if you're familiar with the Target breach, they were PCI compliant. They went through the whole list, to the letter, of what we need to do to be compliant, and yet they were breached, mainly because another third party had access. Nobody cares about that HVAC company, but they had access into the network, and through that way the attackers were able to go in and get other information. If they had thought about that and said, "Wait a minute. That's another way in. We're not even checking that, but we're PCI compliant." My point is, don't just rely on the outside, but check inside.
There's an interesting story, and I'll close with this. Do you know why we lock our doors? Do you remember there was a day and time when we didn't do that in this country? But do you know why we do it now? They say that there are 80% of people who, if they came by and saw a door, would never check. They would never go check the lock. They would never go see if it's open. There are about 10% who, out of curiosity, might check it and see that it's open, but close it back because they're not going to... Then there is that 10%, that 10% who will try, find it's open, and go in. 10% may seem like a small amount, but yet that's why we do it. We would love to say 100% are never ever going to check, never going to open the doors, but it's because of that 10%. We may say, "The majority of people are never going to come to my site. They're never going to come to my company and do harm or damage," and yet, unfortunately, it's that small percent that do. Unfortunately, that percentage is also getting bigger and bigger these days.
If you're thinking about it - today you may be thinking in your head, when I asked that question, "What is it that's keeping me up at night about my own security, about my own company, or even some of my clients?" Think a little bit further: "I need to take a look at this, take another, closer look to see what's going on, because somebody could be using my company against somewhere else, or they could be coming in and compromising me."
I'm Robert Hurlbut. Thank you and I appreciate the opportunity to speak to you today.