Martin McKeay, thanks for talking to us. You are an expert in information security; could you please tell us more about you, your technical background and your motivations?
I started in IT nearly 20 years ago as a help desk technician; I’m now a Senior Security Advocate and I’ve done nearly every job in between. In my early career, I managed several small networks as the sole IT person for an entire company, meaning I had to be desktop support, server administrator and network all at the same time. I’d always been interested in security, but when I started digging into PCAPs and IDS alerts, I realized it was the career I wanted to pursue. This led to a role as a security manager at a small business, which I left to spend time as a Payment Card Industry Qualified Security Assessor, and finally to my current role at Akamai. During much of that time I’ve also recorded a weekly security podcast and maintained a blog (www.mckeay.net).
A good, well-rounded early career has left me well equipped. I can talk the language of a wide range of the sub-disciplines of Security, from network, to compliance, to server. My current role requires me to pick up skills I haven’t dealt with much before, programming in R and statistical analysis of large data sets. I’ve always liked learning new things and security is a career that requires constant maintenance and gathering of new skills.
Can you tell me something about your work at Akamai?
My role at Akamai, Security Advocate, is all about communication. Until recently I had been working in our London office and visiting much of Europe, speaking at conferences and helping customers understand how Akamai secures its own technology. Now, my responsibilities have shifted and I am the Editor of Akamai’s State of the Internet / Security report. Akamai collects petabytes of logs concerning Internet traffic every quarter and we publish our understanding of attack traffic, as well as research and opinions on the future of the Internet. I like to think of our global network as a series of sensors, waiting to be interpreted and understood.
The audience we can reach with the information in the State of the Internet Security report is much bigger than anything I could hope to communicate with face to face or at conferences. It gives me the opportunity to look at the Internet at a global scale and ask questions about what is going on. We have multiple teams contributing to the report, which gives me the opportunity to see how others understand the Internet, as well as shaping future research. It’s very challenging.
According to you, what are the major risks connected to the use of the Internet?
The very thing that makes the Internet so great, communication, is its greatest weakness. We all carry multiple devices that are constantly connected to the Internet and that number is going to increase greatly in the next 5 years. With this greater ability (or requirement) to be more connected, we’re also proliferating an environment where vulnerabilities and exploits are so common they’re almost not noteworthy any longer. There are many risks related to being on the Internet, but the one I’m watching most closely is Distributed Denial of Service Attacks, DDoS.
The greatest threat in my world view is botnets and malware that build on the recent success of the Mirai botnet. Built upon IP cameras and DVRs, the botnet has been responsible for some of the biggest DDoS attacks seen to date. When the source code for this software was released earlier this year, it almost guaranteed there will be more tools built with the same methodology in mind: compromise large numbers of IoT devices and use them to fuel attacks. Mirai only targeted a small subset of the potential IoT targets; future botnets will likely spread their net wider in search of systems.
The growing size of DDoS attacks won’t have an effect on just the targets, it will have an effect on the Internet as a whole. As the bandwidth consumed by such attacks begins to impact not only the data centers but also the upstream links to the Internet, it is entirely possible that large regions or whole countries can be impacted as the massive flow of DDoS traffic hits those links. In many regions, the attacks seen in the last three months are already big enough to bog down large areas and impact multiple services.
What are the four tools that cannot be missed to protect the Internet?
HTTPS, DNS, information sharing groups and Google. HTTPS is vital to both personal privacy and security, but also to protecting businesses across the globe. It’s regrettable that so much Internet traffic is still unencrypted, but trends do show that it’s improving all the time.
For many organizations, DNS logs are a great untapped resource for finding unusual traffic, or more importantly, the destination of the traffic. More and more security teams are starting to mine these logs for important clues about viruses and suspicious activity. DNS activity becomes even more important at the large scale, as it provides more possibilities for statistical analysis.
Information sharing is an essential requirement; there are important organizations in both governmental organizations and private industry. State organizations, like the Department of Homeland, and industry associations, or in Italy CLUSIT, play an important role for learning about current events, upcoming threats, new tools and are needed to stay abreast of a constantly evolving threat. In the same vein, I don’t know any security professional who doesn’t use Google or another search engine to research the unknown. Even more than having an organization notifying you of new threats, I find being able to search the repositories of human knowledge to be indispensable.
These may not be tools in the traditional sense, but they are the tools I find indispensable to protecting the Internet.
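The answer above describes mining DNS logs for clues about suspicious activity and applying statistical analysis at scale. The following is an added example, not code from the interview or from Akamai: it parses constructed BIND-style query-log lines (hypothetical clients and domains) and flags registered domains that show many distinct high-entropy subdomains (a common DGA or tunnelling indicator) or repeated TXT lookups.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample lines in a BIND query-log style; clients and domains are made up.
SAMPLE_LOG = """\
10.0.0.5 query: www.example.com IN A
10.0.0.5 query: mail.example.com IN A
10.0.0.7 query: www.example.com IN A
10.0.0.9 query: x7kq2pzl9v.evil-example.net IN A
10.0.0.9 query: r4mw8bnq0t.evil-example.net IN A
10.0.0.9 query: q9zp3kvl2x.evil-example.net IN A
10.0.0.9 query: 6f1c2a9e.dns-tunnel-example.org IN TXT
10.0.0.9 query: 8d2b7c3f.dns-tunnel-example.org IN TXT
10.0.0.12 query: updates.example.com IN A
"""

LINE_RE = re.compile(r"^(?P<client>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+)$")

def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname):
    """Naive split into (subdomain, registered domain) using the last two labels.
    No public-suffix list is consulted; adequate for the constructed sample."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyse(records, entropy_threshold=2.9, min_random_subs=3, min_txt=2):
    """Map each suspicious registered domain to the list of reasons it was flagged."""
    subs_by_domain = defaultdict(set)
    txt_by_domain = Counter()
    for r in records:
        sub, domain = split_qname(r["qname"])
        if sub:
            subs_by_domain[domain].add(sub)
        if r["qtype"] == "TXT":
            txt_by_domain[domain] += 1
    findings = {}
    for domain in set(subs_by_domain) | set(txt_by_domain):
        reasons = []
        random_subs = [s for s in subs_by_domain[domain] if shannon_entropy(s) >= entropy_threshold]
        if len(random_subs) >= min_random_subs:
            reasons.append("many-random-subdomains")
        if txt_by_domain[domain] >= min_txt:
            reasons.append("repeated-TXT-lookups")
        if reasons:
            findings[domain] = reasons
    return findings
```

The thresholds are illustrative; on real logs they would be tuned against a baseline of the organization's normal query volume per domain.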
Are you in favor of less or more encryption?
I have always been in favor of more encryption. Encryption is key to personal privacy, something I view as a fundamental human right, and without privacy, we start censoring our actions and thoughts because someone might be watching.
Do you think that more awareness and education could help the people and the industry to better protect their assets?
Awareness and education are part of the essential foundation that must be laid to create a successful security organization. We need the person at the keyboard to be able to recognize a potential threat before they click on the link. But we will never be able to reach every user who might trigger a vulnerability, so we will have to continue to invest in technology to supplement the human element.
What is the most dangerous menace behind cyber attacks: state-sponsored hackers, hacktivists, rogue states? And why?
To the individual citizen, the biggest danger is from untargeted attacks, such as compromised sites or large scale phishing attacks. They aren’t aimed at a specific target, but they are what the average person is likely to see. For enterprises, the nation state actor is probably going to be the hardest to protect against.
State-sponsored hackers have something most other groups lack: resources. Whether the government is paying an external group to perform a deed or it’s an organization that is explicitly part of the government, the resources available are almost certainly much greater than a hacktivist or a rogue state. Having money and people, especially highly trained specialists, makes nation states a much more difficult attacker to detect and defend against.
We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against critical infrastructure is real?
If the nation state actors haven’t been researching and planning for cyber attacks against each other, I would be highly surprised. But for the most part, few, if any, attacks against critical infrastructure will be directly the cause of fatalities, and are likely to be used sparingly. Instead, it is more likely that the critical infrastructure targeted will be the Internet itself, using DDoS attacks and compromised sites to interfere with communication and spread disinformation. It’s much more productive to have a long term campaign gathering intelligence than it is to reveal your tools once and ruin the surprise that might serve better at a later date.
Your most important advice for digital startups…
Think of security in the planning phase of everything your organization does. Just like the security of your building is established when the architect first sets pencil to paper, the security of the product you sell and the systems you use is best considered from the beginning of the process. In the connected world, every product is a security product. In many cases, security concerns might simply mean that you have to encrypt traffic to and from applications, a simple security measure every organization should take. But more important applications require a greater understanding of security models and what your organization is trying to protect.
What technology you use is much less important than how well you use it to protect your organization.