EPISODE 28
The Rise of WebApps and Their Impact on Cybersecurity

About this episode

May 28, 2019

Kip Boyle, CEO of Cyber Risk Opportunities, talks with Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, about how some people believe that by using webapps, they are more secure than when using traditional software. True? False?

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Our hosts are Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, Cyber Security Counsel at the law firm of Newman Du Wors. This is a show where we help you become a better cyber risk manager. The show is sponsored by Cyber Risk Opportunities and Newman Du Wors LLP. If you have questions about your cyber security related legal responsibilities and if you want to manage your cyber risks just as thoughtfully as you manage risks in other areas of your business, such as sales, accounts receivable and order fulfillment, then you should become a member of the Cyber Risk Business Strategy Program, which you can do for a fraction of the cost of hiring a single cybersecurity expert. You can find out more by visiting us at cyberriskopportunities.com and newmanwor.com.

Speaker 2: Hi everyone. Before we get started with this episode, we have a special announcement. As a regular listener, you know that the same technology that makes our jobs easier can also make things easier for cyber criminals. Given this, it's not surprising that enhancing cybersecurity is near the top of many organizations' to-do lists. What is surprising is how many businesses approach cyber risk management the wrong way. We want to help fix that at two Lunch and Learn webinars, so join us for "The 10 Biggest Mistakes You Are Making with Cyber Risk and How to Fix Them." On the East Coast, we'll start on Wednesday, June 26th at noon, and on the West Coast, we'll start on Thursday, June 27th at noon. Invite your team members to join you in the conference room for this Lunch and Learn webinar. Registration for this exclusive 45-minute webinar and the Q and A session is free, but space is limited. Visit cyberriskmistakes.com to reserve your spot today. Now on with the show.

Kip Boyle: So, Jake, what are we going to talk about today?

Jake Bernstein: Today Kip, we're going to talk about the rise of web apps and what that means for cyber security. And I want to start by clarifying what we mean by that term web app. So, why don't you go ahead and give us a definition.

Kip Boyle: Okay. A web app, what is that? Well, it's what we call a client-server computer program, and client-server as a systems architecture is something that's been around for a long time. And don't worry, people in the audience, we're going to be very careful not to turn this into a tech-heavy conversation, but we do need to bring out a couple of terms and define them for you. So the client, very simply, is the web browser. The server, very simply, is a machine that is often in a cloud or in some kind of a hosting data center. It's somewhere else; it doesn't have to be a big blinky-light chassis that you might see on television. The whole idea is the client initiates stuff and the server mostly responds, and also servers tend to talk to multiple clients.

So, you're going to have many people using their web browser in order to do stuff in the web app, and there's typically one server or a small cluster of servers that are responding. And most of the business rules or the logic, the features, the functionality of the web app is coming from the server, and a lesser amount of that is coming from the client. Now, web apps make heavy use of things like JavaScript and HTML5, and they use a bunch of web commands, like GET and POST, and we're not going to dive into what all those things mean. So that's just a basic understanding of what we mean by web app.

Jake Bernstein: Okay. So for the non-techies, just some examples of common web apps include, I would say, websites that people use every day: Gmail, almost every banking site, Google Docs, even Facebook and Twitter.

Kip Boyle: Yeah.

Jake Bernstein: And I would say too, that web apps include a lot of what I would consider more professional tools that are in heavy use these days, apps like Smartsheet, Airtable, Asana, Trello. There are just tons-

Kip Boyle: Power BI. Anything that you're using through a web browser is going to be a web app. That could be Office 365, right, online Word, online Excel. What's funny is that when we work with customers on cyber risk management, it's funny but it's also tragic when we'll say to them, "Okay, how many cloud services are you using?" And somebody might say, "We're not using any cloud services, we just have our Dropbox."

Jake Bernstein: Yeah.

Kip Boyle: Not only is that a web app, but it's also a cloud service, so things are a little hazy right now.

Jake Bernstein: They are. One thing just to point out is that a great many of these modern web apps are running on virtual servers, probably in Amazon Web Services or Azure. By definition, if you're using any of these applications, part of your company is in the cloud.

Kip Boyle: Yes. That is so true. A web app, almost by definition, if it involves the internet, is cloud.

Jake Bernstein: So, Kip, here's the question: are web apps secure?

Kip Boyle: Okay, Counselor, now I'm being deposed, it's obvious. You've essentially asked me, "Hey Kip, have you stopped beating your wife yet?"

Jake Bernstein: Is that what I asked you? I think I just asked, are web apps secure? But maybe that wasn't a fair question, and we both know it. Why don't you explain why that's not necessarily a fair question? Let's at least... even though it's not a fair question from our perspective, it's a very fair-

Kip Boyle: It's a relevant question.

Jake Bernstein: It's a very relevant question. And I think it's one that a lot of listeners want to know the answer to. So let's do our best to talk about that.

Kip Boyle: Okay. I want to use a term here that is a little term of art in the cybersecurity world, which is called an attack surface. An attack surface, I often think of that as analogous to... we see people doing these wall-climbing sports, right. So somebody says, "I'm going to climb up the face of Half Dome in Yosemite National Park." Anybody who's ever seen a picture of Half Dome, or if you've walked up to it, it's a sheer rock wall going up as far as you can see. And the peak of athleticism is to do that without any ropes or any climbing aids beyond just your fingers. And-

Jake Bernstein: That sounds insane.

Kip Boyle: From my point of view, I don't need an adrenaline rush like that to feel alive, but apparently some people do.

Jake Bernstein: There you go.

Kip Boyle: When we talk about attack surface, right, on a web app, what we're really saying is that when there's a large attack surface, that means there are a lot of places that you, as an attacker, can get a hold on, right. You can try to attack it this way and you can try to attack it that way. As you contemplate attacking a large attack surface, you might have 15 to 20 ways that you can discover with just doing some inspection, all these different ways that you can attack it.

Now, if you have a small attack surface, that typically means that there's just not much there to use as a basis for launching an attack. The other thing I sometimes think about is when I say, "That's a very small attack surface." Sometimes it just feels to me like it's a smooth wall, right, where there are no cracks, no place to grab onto with your hands or your feet. It's completely smooth and you're wondering, how in the world can I even get one foot off the ground? There's just no attack surface here, there's just nothing to grab onto.

Jake Bernstein: Yep.

Kip Boyle: Conceptually, that's how we think about attack surface. So web apps generally do create a large attack surface, mostly because this is something you're doing over the internet. And so if you want to use a web app, you've got to be connected to the internet, and it just opens up a whole bunch of possibilities. So having said that, web apps themselves are not inherently secure, they're not inherently insecure, but I think what we need to understand is that there are some very important differences between a web app that you use, as we've defined it, and more traditional software. So by doing a compare and contrast, we can start to answer that completely relevant question that you asked.

Jake Bernstein: Okay. So, let's say I'm running a classic client-side application, Microsoft Word. I don't, strictly speaking, need to be online, and let's assume, just to be clear, that we're talking about the downloaded full client version. I know there is a web app version of Word online, but I'm talking about the classic one. And so-

Kip Boyle: What we call a fat client.

Jake Bernstein: Fat client, there you go. That means that an attacker would need to directly infect my computer to see what I'm doing in my Word document if I'm offline, right?

Kip Boyle: Yeah. That's right, because all of your data and all of the program logic is running on a single computer, and you're right, you could disconnect from the internet, you could disconnect from your local area network, you could just drop your Wi-Fi connection, and then you can isolate your computer and you can write your secret memos.

Jake Bernstein: There you go, right. If I'm using a web app, then it's really that there are just more opportunities for anti-social behavior, which is a euphemism I just developed for hacking.

Kip Boyle: But it's right.

Jake Bernstein: It is correct, yes. Not only can attackers always target my actual computer, but they can also attack the router, a firewall, even the secure tunnel that's used by the HTTPS protocol. There are just so many places to poke around and find vulnerabilities and weaknesses and exploit them.

Kip Boyle: Yeah. And also on the server side too, right?

Jake Bernstein: Yes.

Kip Boyle: So, I think of a web app as being my computer connected to another computer, and there's this tube or tunnel, right. So anybody who's ever seen these pneumatic tubes of old, where you would take a piece of paper and you'd put it in this little capsule, and then you would drop it into this tube network where there was air rushing through the tube, and by putting the little capsule in there, it would shoot it someplace and then somebody would get your message, right. The last time I used one of these things was at an old-time bank teller drive-up window. How I think about it is I've got this tube, a digital one, right, between my computer and some computer in the cloud, and I'm passing data back and forth between there, and as an attacker, that creates a lot of attack surface, right.

From the client side, I can follow the tube. I can see all the little places where one little piece of tube connects to another little piece of tube, because it's not one single cylinder, it's a whole bunch of little cylinders all fit together, and every one of those little connection points, right, is a little piece of attack surface. [crosstalk] That's how I think about it, so you're right, there's a tunnel and there's just a tunnel of places to poke around. While all of that is true, while there are all these technological aspects, there's also a psychological aspect to this.

Jake Bernstein: Absolutely. What do you mean by the psychological aspect?

Kip Boyle: Well, our friends the marketers of cloud services are who I'm thinking about when I say that there's a psychological issue here. So, a lot of people think, let's just move all of our computing, all of our storage, let's just shut our own data centers and telecom closets down and let's just move everything into the cloud, and if we do that, we'll be safe.

Jake Bernstein: I've heard that a lot.

Kip Boyle: Yeah. So have I, and I've heard it from the marketing messages that come out of cloud providers, and they're all guilty of this, right. So I'm indicting them all wholesale, no one [crosstalk] than the other, they're different, right. A lot of marketing, there's always a kernel of truth in it. It's not fair for me to say that "No, going to the cloud is a horrible idea from a security point of view and it'll never work," right, that's just me going in the opposite direction and exaggerating based on the same kernel of truth. So the reality is a lot of things are in the midpoint, so-

Jake Bernstein: Absolutely.

Kip Boyle: But the issue here that I really want to put my finger on is what we call a false sense of security, right. That's the psychological issue in play here, just as much as the technological issue, right. It's this idea that if you really believe, as an executive, and you're managing cyber risk for your company, if you've really bought into this idea, lock, stock and barrel, that if we just move to the cloud, everything will be okay from a cybersecurity point of view, then you've got a false sense of security. That's what that means.

Jake Bernstein: It is. I want to be clear that we're definitely not bashing web apps. Web apps, they're the future in a lot of ways, there's a lot of-

Kip Boyle: It's created so much value.

Jake Bernstein: Yeah.

Kip Boyle: For our economy. And let's be honest, I use them all the time. So do you.

Jake Bernstein: We're using one right now to record this Podcast.

Kip Boyle: We are unabashed, unashamed users of web apps ourselves.

Jake Bernstein: In fact, a lot of law firms, including my own, have switched almost all of our time keeping and billing software to what are effectively web apps. They're incredibly useful, but I think that what people need to remember about the cloud and web apps is that, generally speaking, you are responsible for the safety of your own credentials, and that means that if you allow something to take your credentials, your username and password, then your web app... Let me put it this way, the web app doesn't know if it's you or someone using your credentials to log in.

Kip Boyle: Yeah.

Jake Bernstein: That is a fundamentally important thing to understand about web apps in the cloud, is that it doesn't know, it doesn't care. Currently there's probably not a real easy way to know that at all.

Kip Boyle: That's always been true, right. [crosstalk] Digital authentication's always based on something that is presented to the computer. My user ID and password combination has traditionally been how we authenticate, but the computer really isn't capable of knowing: is this Kip presenting Kip's credentials, or is this Jake presenting Kip's credentials? The computer doesn't know, it just knows these are valid credentials. Welcome.

Jake Bernstein: And if you're interested in a longer discussion of that, go look up our IAAA episode, where we talk all about identification and authentication.

Kip Boyle: Right.

Jake Bernstein: And authorization, et cetera. But for purposes of the web app here, really it's particularly all the web apps that you can access without any form of multifactor authentication. You think about security and web apps, and one of the main things, for example, a bank app will make you do is generally have some two-factor or multifactor authentication protocol, which just means that you can't log in with just your username and password.

Kip Boyle: The cynical interpretation of that is I have to jump through another hoop.

Jake Bernstein: That hoop is there for your protection. And I think, hopefully, people understand that these days, and what is almost scarier to me are the great many web apps where it isn't even an option to turn any MFA on.

Kip Boyle: Yeah. Just to push back a little bit on your assertion, which is that the need for multifactor authentication should be just generally accepted. We talked about that fellow who's suing Apple Computer because he can't turn off two-factor authentication, and he's alleging that it is greatly impinging on his productivity. So it'll be interesting to see how that case resolves.

Jake Bernstein: Sure, it will. I don't think he'll ultimately win that, but it definitely is an interesting case to bring.

Kip Boyle: Yeah. I think it's a data point that says not everybody believes this, right, not everybody's convinced, and when you look at the... there's this great little model, right, about the adoption of technology, and it looks like a bell curve, and if you've ever read some of these books about how innovation diffuses through a population, then you've probably seen this. But what we're really talking about here is laggards, people who will not adopt new technology without kicking and screaming and complaining and generally being a nuisance all the way.

Jake Bernstein: Yeah, it's true. It's very true. And I think that with web apps, what people need to, I would say, be aware of more than anything, and for purposes of giving people a quick bullet-point list of things they can do, is to know that... I'd say number one is just recognize that you're not automatically more secure or safer. In fact, if anything, the opposite is true when you're using web apps. And if your crown jewels, if the intellectual crown jewels of your company are based entirely on web apps, there's nothing wrong with that, it's just that you need to be aware of that risk so that you can properly take action.

Kip Boyle: Yeah, that's right. And it's funny, because even though the marketing messages from cloud providers say, "Come to the cloud, you'll be safer," they actually do, when you start scratching it a little bit and you're like, what does this really mean? What you'll find in almost every case is a white paper or a webpage that says "Security in the cloud." Security with web apps is what they call the shared responsibility model.

Jake Bernstein: Yeah.

Kip Boyle: Which is to say that the cloud providers and the web app providers are assuming a certain amount of responsibility for security so that you don't have to, right. And so the classic example of that is that they have data centers that their computers are stored in, so that you don't have to build data centers anymore, you can just use theirs, and their data centers are, quite frankly, very good from a physical security perspective. Most of them are located in highly remote areas because that's where the cheap electricity and the cheap land is, right. So it makes sense to build them out in the middle of nowhere, and they're hard to get to. When you go into them, there are just layers and layers and layers of security, including your biometric hand readers, mantraps, so all this stuff's great.

You don't have to invest in that, you can just benefit from it. It's wonderful. But here's the thing: anything that you have to take responsibility for, there's going to be a setting for that. So if you go into the administrative consoles of any of these web apps or any of these cloud providers, you're going to see some settings that you can make. Here's the rule of thumb: if there's a setting for it, that's your job. You need to figure out what the right setting is and you need to make that setting. Don't just accept everything by default and off to the races, right. If there's a setting and you can set it, then you've got to think about what the setting should be, and that's your responsibility.

Jake Bernstein: Exactly. And what's even, I would say, more critical is to dig into those settings early and often, so that you don't accidentally leave yourself uncovered. And you hear all the time about data breaches that are actually the result of what is often called an unsecured S3 bucket.

Kip Boyle: Yes.

Jake Bernstein: And I've heard that phrase over and over again, and all that means is that someone misconfigured an AWS service, basically, which they call the S3 bucket. And is that Amazon's fault? No, it's not.

Kip Boyle: No, it's not.

Jake Bernstein: Amazon AWS is what we call infrastructure as a service. It's a type of cloud offering where you basically get to buy virtual computers and servers, but then that's all they give you. Your responsibility is to then configure that and set it up in a secure way.

Kip Boyle: Right. So that's infrastructure as a service, and then there's also platform as a service and software as a service, which is what a web app is really classified as, software as a service. When you buy infrastructure, you're going to have more responsibility for security than you will if you buy a platform, and you'll have more responsibility with a platform than you will have with SaaS, or software as a service. But in every one of those three cases, you're still going to have things that you've got to configure. And in the case of these S3 buckets, funny great little lingo there, all it really is is a file server. So if you think about it, we've got file servers on our local area network, and well, now you've got a file server in the cloud.

And here's the thing: if you were lax, lazy and permissive about securing your file server on the LAN, the impact of somebody breaking into that is pretty limited. First of all, if they've got to break into your local area network, they've got to figure out what's going on, they have to do that undetected, then they have to break into your file server. There's some effort there. But when you've moved your file server into the cloud, you've really made my job as a cyber attacker much easier, because your cloud file server is something that I can see without breaking your company's cyber security. I don't have to get on your local area network now, I can just interact with it from the internet, from wherever I want to interact with it.

And I can interact with it programmatically, which means there is no human being sitting there trying to find your file servers and trying to break into them; there's a program that's doing that. I've written a piece of software to do it, and that's how most of these S3 buckets are discovered these days. You've got crawlers, you've got programs that are crawling all around Amazon Web Services, Azure and Google and Dropbox and all these places where people are dumping their files, and they're just trying over and over and over again to discover stuff and see if they can get into it. As a cyber attacker, I can just launch these things and sleep, and it'll tell me when it's found something, right. So I can be out at the pool and I get an alert and it's like, cool, my little program has just found some sensitive data that I can now sell and make some money so that I can have Pedro skim my pool next month.

Jake Bernstein: Yeah, it's completely true, and I think that the way things are moving, there's no way we're not going to end up on the web apps. So people... everyone just needs to learn this and get used to it.

Kip Boyle: Yeah, definitely. Web apps aren't going away, we're not saying they should, we're totally cool with web apps. As users of web apps and other cloud services, we have to become a little more sophisticated, a little more knowledgeable in understanding what our responsibilities are, and then actually living up to them.

Jake Bernstein: And one thing real quick before we end here is that web apps are also commonly the enabler of what we call shadow IT inside companies.

Kip Boyle: Yeah.

Jake Bernstein: And I don't want to get into that a great deal, but even... the thing to be aware of is that, because web apps are so easy to sign up for and use and access, your company... As a cyber risk manager, you have to be aware of the possibility that employees have created web app and cloud service accounts outside of the IT structure that you've built and managed.

Kip Boyle: Yeah.

Jake Bernstein: This happens all the time.

Kip Boyle: It happens all the time. And not only can they sign up for this with a credit card, maybe a company credit card, and you don't even have visibility into it, but a lot of this stuff's just free. And so we had a customer recently where they were doing a ton of data sharing, and most of that data sharing was being done over personal Box accounts. Our helpless customer was really pleased with all the productivity and the cost effectiveness of that. But we had to, unfortunately, point out that, okay, that's all well and good, but if Mary quits tomorrow, how do you get your data back? Especially if she quits under a bad situation.

Jake Bernstein: Exactly. It's very dangerous.

Kip Boyle: So, yeah. There have been problems [inaudible] and there are lots of ways to deal with all of this, but not only would we say, if there are settings for a cloud service, get in there, know them, and set them in a way that's good for you, and then periodically check them, because this stuff changes all the time. New settings are made available to you with little or no announcement, or existing settings are changed, their meaning and intent will change, but you've got to keep up with that. But then also you need to think about using the business versions of the web apps so you can have a centralized management console, so that when you say, "My security policy is that when you leave my company, all your data belongs to me," that's a totally reasonable security policy, but if you don't have a centralized management console where you can enforce that, then chances are, more times than not, your policy is going to get violated.

Jake Bernstein: And it happens quite often.

Kip Boyle: Shocking frequency these days. This is great, and I appreciate you being in on this conversation, Jake. That wraps up this episode of the Cyber Risk Management Podcast. Today we talked about the rise of web apps and what they mean for cyber security for our executive cyber risk managers. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 3: Thanks everybody for joining us today on the Cyber Risk Management Podcast.

Speaker 4: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR and IT for full effectiveness.

Speaker 3: And management's goals should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.

Speaker 4: You can find out more by visiting us at cyberriskopportunities.com and newmanwor.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein

Newman DuWors LLP

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.