Interview with Peter Woods, CEO, First Base Technologies

BCS Editor-in-Chief, Henry Tucker, recently caught up with security expert Peter Woods, CEO of First Base Technologies, an ethical hacking firm, to talk about hacking, penetration testing, advanced persistent threats and possible government transparency regarding the data it holds on everyone.

Explain what you do.

Our firm is an independent testing organisation. We provide what we call a simulated criminal attack for clients, obviously with their permission and obviously within the law, but as best we can we test their systems, their people and their premises to make sure they're resistant to attack and, if they're not, then we give some guidance as to how that might be improved before they suffer a real criminal attack.

Is there an ethical difference between hacking and penetration testing?

I think it depends on who you talk to. In our view, penetration testing often means running some tests against a checklist or a clear requirement for a specific system from a client, perhaps somebody who wants to have their website tested or perhaps their payroll system, something of that nature. Frequently the scope is pretty clear to both the client and the testing firm, and we would say that is penetration testing. On the other hand, with ethical hacking we're looking, in our view, at a bigger picture. Maybe the client and we together do a threat and risk analysis as to who their attackers might be, what their motives might be and how well their resources could cope, with a scenario that tries to simulate an attack as best we can and produce, of course, the best value for money, but also the most accurate, realistic emulation of the sort of problems they might face.

People are always cited as being the weakest link in the security chain. What are your thoughts on this?

Whilst I understand where that comment comes from, and in many ways I guess I can't disagree with it, I think it's the wrong side of the coin.
I think a modern organisation challenged with social networking, bring your own device, cloud services and heaven knows what else really needs to view its personnel as its strongest weapon and its best defence, the 'human firewall', if you will. I think investing in people, treating them as adults, educating them in a creative and sort of marketing way to understand what the issues are that face that organisation and how they can help protect that business and their jobs would give us a better result than just a constant spend on more and more technology and trying to lock down what people can do.

Do you think security is often seen as a 'bolt on' to the rest of the IT infrastructure?

Absolutely, it still is. I think the worst case really is that information security is frequently divorced from physical security; it's frequently divorced from the HR elements of people's security. It is part of IT and frequently, because of that, may not even have the representation at board or executive level it deserves and maybe doesn't get the board awareness it should and therefore doesn't get the investment, and it's certainly not embedded in business processes in the way that, personally, I would like to see.

Do you think there should be a push to get IT security represented at board level?

Unquestionably. If you look at a retail organisation, someone responsible for loss prevention or, let's say, internal audit and risk will be in a very senior role, and that wouldn't be a bad model to adopt across all sectors. We need to see information security responsibilities probably at board level. At the moment we are probably seeing a CIO reporting to a CFO and, if there is a CISO, they report to a CIO, so they're not getting the steer and attention they need and, more importantly, the business needs to understand the bigger picture of the threats of doing business in 2013.
Enhance Your IT Strategy Twenty:13, Security section, pages 81-83 (01/03/2013)

What do you think needs to happen to make this happen?

Well, sadly, I think the organisations that we've dealt with who have not taken this seriously have had serious incidents, and I wouldn't say I would like that to be the case, but it does seem to help. It's difficult to get the attention of senior management with respect to information security because generally they're not interested in IT and, by inference, they assume they're not interested in information security, and that's coupled with the doom and gloom mindset that unfortunately, I have to say, a lot of security people seem to display, and there frequently isn't that much political savvy and marketing skill in information security professionals that would allow them to interact at the senior level. Sometimes we're our own worst enemy; sometimes the opportunity isn't there anyway.

How would you deal with, for example, the app situation?

I'm an optimist and I believe there are ways around this that are really not that hard to implement, but require a bit of courage. Let's look at the whole picture and then divide it down by asset, understanding what the value and impact to that asset would be, then identify the threat agents, or rather who could be attacking that particular asset, why and how, and then develop a plan that allows us to explain to the business with real business examples. Ask: if you implement this cloud solution, as you are doing, have you considered a story line that steps through the whole process from start to finish, making it real, making it like a case study or a war story, in a way that the business can identify with and can then be enthusiastically embraced and invested in? Right now, what the senior people and project managers and programme managers hear is an awful lot of 'waah' from the security folk because they're not interested in the technology. They can't tie it back to the project or business concept that they're trying to implement and there's no story line to follow, so I would say a proper methodology, threat and risk analysis tied to good story-telling, and I don't mean inventing things, will solve this problem. We have to move away from throwing technology at this and instead embrace the business processes, educate them with real threat models and real story lines, and I believe the money and resources will flow.

What sort of IT issues have you seen of late that you are starting to flag?

Well, certainly there's the stuff that is pushed by the press that's deemed to be trendy, and big data, for example, at the moment is pretty 'bleeding edge' as far as security threats are concerned, but that doesn't make it real. But in the real world we're seeing massive adoption of cloud with little or no security borne in mind, often driven by a project requirement or a very specific business requirement, and that means that security sometimes isn't involved at all; there's little or no analysis done before a contract is signed and then probably it's too late to engage in testing, or frequently testing is not permitted at all. Of course 'bring your own device' is perceived as a problem too, and rightly so. The complexities off the back of smartphone and tablet applications, in particular, are massive. We don't really yet understand what the full threat picture could be with Android devices. With little or no regulation of iOS devices, there's a degree of security from Apple, but not really to any level that a person would want to see, so the more we allow people, and ask people, to bring their own devices into the corporate networks, the more complex and difficult the security management will be. Cloud, plus BYOD, is enough for people to be going on with, and those two issues, coupled with social networking, present such a complex picture that people are drowning in information with little or no way out.

It's shocking today how many organisations still don't understand the value of IT to their business. How does this make you feel? Confused?

I have been known, because I am quite passionate about what I do, to be perhaps a little overly critical of certain senior officials when people express a complete disinterest in IT. I don't believe companies that behave like that will survive in the long term, I really don't. Some of my clients, who may be in a main business line with nothing to do with IT in any shape or form, but who have enthusiastically embraced IT, have seen real growth when everybody else is suffering. Those senior decision-makers who conclude that IT is just the same as electricity, just a resource there that provides the business with an infrastructure to work from, are too short-sighted. We know that our discipline is ever expanding and multi-faceted and we have the option to utilise it to grow our business, to differentiate ourselves from our competitors, and security should just be a natural part of that, just a wrapper around that decision, whether it's a 'cake walk' or whether it's an enhanced manufacturing process, making sure it works efficiently and works securely, and it's not hard.

What other issues do you see lurking on the horizon that you think business should be paying more attention to?

Well, big data is just starting to tickle my tongue in terms of flavour of the month.
Big data is an interesting double-sided issue because, on the one hand, we have the privacy and the security concerns about massive amounts of consolidated personal information and, on the other hand, we have the facility, the opportunity, to use those data mining technologies and analytical technologies to effectively and efficiently process vast amounts of data that can be generated by our CM systems and so on. I was party to a very interesting panel discussion recently and it really opened my eyes as to what we can do in the security industry to utilise big data to better understand threats and to better model those threats, as well as being concerned about helping to secure the data that so many massive organisations are going to start putting together, both for the consumer and for the business. Big data is big news in 2013, I think.

Do you think the future should be more about transparency of data rather than about locking it all down?

Oh, that's a very interesting question. I think there's a generational divide here, isn't there? The digital natives we are starting to see now have a different attitude to privacy. I have to say that in my role and, driven by the Information Commissioner, not just in the UK but throughout Europe of course, I diligently attempt to help people secure that personal data. However, I am strongly sympathetic to the idea of transparency. I think it is a model that is essential to the way that systems are going if we're going to see everything online, and we are. If we're going to see everything in a virtual environment then we have to have new models to deal with new personal data and, personally, I agree with you and I think transparency is the way forward, not just about data breach disclosure, but issues like who holds what information being voluntarily presented to you.
The current generation of people living in university, now starting work, are very well aware of what Facebook holds about them. Everybody knows you can download that story; whether people really care or not I think is the issue. This new generation of employees inherently understand what the arrangement is for the free services, that their information is sold. I think those of us who are, and I don't want to be dismissive of anybody, in a more responsible position right now would be much more empowered were those businesses to provide us with a more responsible level of information about themselves and their employees, and I think we'd have a much more realistic security profile if they did that.

What are your thoughts on government transparency regarding the data it holds about all of us? Do you think they will become more transparent?

It's difficult to say in the UK. The UK is, in my view, not quite as predictable as some other governments, I think. With the current government I think it's possible. Would it ever be complete? Would it actually be a bit misleading in terms of how much data they are prepared to disclose that they hold? I think it's possible.

Can you tell us about the significance, in your eyes, of advanced persistent threats?

Something we've seen appear in the press, and that I had a reasonable amount of exposure to maybe one to two years ago, is advanced persistent threats. It seems to have disappeared off the radar at the moment, as far as the press and indeed conference topics are concerned, but in our view it is a really important topic.
If you look at the analysis RSA published of their own attack, which I guess was a couple of years ago now, it was clear that the various steps involved highlighted to us, as a penetration testing firm, key vulnerabilities that we see time and time again in organisations. Each of those steps was either about people or about things that people don't do quite right. The first stage is, of course, about spear phishing and really old-fashioned techniques, like 'here's an email with an attachment', which it says is about next year's recruitment plans and salary reviews; it is very much guaranteed that the target person would open it. Then you see the issues with password quality and being able to conduct privilege escalation inside a corporate network just by password guessing. I've lost count of how many systems we've tested where we've looked at internal systems and found straightforward, ridiculous password vulnerabilities. And we've seen published on the inter-webs, over the last couple of years, tons and tons of password files that hacker groups have grabbed and exposed, and we still see the same patterns, '1, 2, 3, 4, 5, 6' passwords, and we find this still inside organisations at a depressingly massive rate. These individual points of failure, if you like, of which there are four or five in the RSA example, seem to present a massive opportunity for nation-state generated and, of course, competitor-generated APT attacks, drilling down into an organisation's property with little or no effort. And yet were we to do a proper threat analysis and understand those key vulnerability points, we may only be able to plug half of them, but we'd end up being resistant to most attacks.

If you could give one piece of security advice to an organisation, what would it be?

Trust and invest in your people. I think somewhere along the line, probably 20 to 30 years ago, the bond of trust between employer and employee was broken and it's never been re-forged. I think people forget that businesses are there to allow people to do business. Businesses aren't there to provide an office for technology to live in. They're not there to make money just out of thin air; they're there for people and certainly, as an employer myself for the last 20-odd years, I have always tried to involve everyone in the business, in the business-making process, to let them understand what they can contribute and give them the feeling of contribution and self-worth within the working environment, and as a result our staff turnover is nearly nil. If large companies were magically able to do that, to actually build trust with their employees, then I think it becomes possible to use those people as a human firewall. They are much less likely to open a stupid attachment or to plug in a USB stick they found in the car park or go to a dubious website without really thinking about it if they like where they work. If they feel embedded where they work, they believe their employer has their interest at heart. So it might sound touchy-feely, but my one key piece of advice is: trust and invest in people.