Grit Studios in Bentonville and its founder Rick Webb are working to bring more attention to cybersecurity to Northwest Arkansas because of the global nature of many area businesses. Webb said cybersecurity is a growing segment in the technology world and the need for defense against attacks has never been greater.
Working with Semperis, a partner with Microsoft and accelerator alumni with offices in San Francisco, New York City and Tel Aviv, Grit Studios hosted its first Hybrid Identity Protection Tech Day in Bentonville on Thursday (May 30). Semperis CEO Mickey Bresman told Talk Business & Politics he became aware of Northwest Arkansas and the need for more interactions with cybersecurity expertise about eight months ago in meeting with Webb.
Semperis had a booth at the Northwest Arkansas Tech Conference in October but wanted a more intimate setting to connect with technology professionals in the region.
“We hopped a plane several months ago and had meetings with a few companies in the region and have signed on a couple of clients as well. We typically hold these Hybrid Identity Protection (HIP) conferences in New York or Chicago. This is our first time to take the event on the road to a smaller metro,” Bresman told Talk Business & Politics.
He said he was pleased with Thursday’s turnout that included tech workers from Fortune 500 companies to local high school data science teachers.
The bulk of the content shared at the event dealt with keeping networks safe from hacks which continue to plague all businesses. The top 20 breaches in 2018 included the following companies: T-Mobile, Facebook, Google, Marriott/Starwood, Saks Fifth Avenue, Shein, Sling Health, Orbitz and British Airways. They resulted in 1.5 billion accounts being compromised and 80% of the hacks involved stolen credentials.
Gil Kirkpatrick, CTO of ViewDS and 14-Time Microsoft most valuable professional, said in 2018 there were 12,000 identified breaches and 3.6 billion new identity records added in 2018, up 20% from 2017. The average breach size was 216,000 records, four times the amount in 2017. Last year, there were 14 billion total records available to hackers. He said in many systems the only thing keeping hackers out are passwords, which in many cases are far too easy to breach.
“Passwords are a disaster in my mind. We need to get rid of them soon. Usernames and passwords are readily sold on the dark web and it’s easy for hackers to acquire them. Asking humans to remember a string of random characters and never write them down, nor use the same password for separate systems is simply counter-intuitive for how humans operate,” he said.
Kirkpatrick said biometric signatures are likely the future to personal authentication but there are stop gaps for companies to use now such as FIDO keys which can be purchased on Amazon that assign a token identity accessible with a simple sign-in or facial recognition.
Ben Johnson, CTO and co-founder of Obsidian Security, spoke about cybersecurity risks that have expanded with so much data stored in the cloud. He said while Amazon Web Services merely protects invasion from above the clouds, it is the responsibility of the company storing data to ensure there are no breaches from within the cloud.
“Clouds talk to clouds, old-school firewalls are not there anymore to protect the data. Hackers don’t break in, they merely log in, because of lack of security defenses or mistakes by insiders,” Johnson said.
He urged businesses to restrict system access of insiders to only the areas they need to do their job. He said pruning access should be a regular activity for IT staffers. He said too often insiders are given permissions into the system which can be breached if they should also use the same log-ins on other systems or cloud-based applications. Hackers could gain access to company data through other cloud-based applications.
Passwords are no longer defensible against hacker attacks, according to Sean Dueby, Identity Architect with Edgile Inc. He said in August 2018 Microsoft blocked over 1.3 billion credential attacks. Compromised credentials were responsible for the following:
• 91% of successful attacks via phishing;
• 53% of IT security staff reporting spear phishing;
• 73% of passwords being duplicates, used for other applications; and
• 50% of breaches involved the most 25 commonly used passwords.
Deuby said web administrators and consumers need to ban the use of common passwords which are an easy way hackers break into systems. He said the use of the same password for multiple accounts is also a no-no, but it’s common. He said businesses using Microsoft systems are at risk with their Active Directory that stores all the user information. He said Active Directory is vulnerable to password spray attacks that is a brute force hacking against many accounts versus just one.
Daren Mar Elia, head of product at Semperis, said Active Directory has been around for about 20 years but it’s become more vulnerable to attack in the last five years as hackers have become more sophisticated.
“All a hacker needs is to gain a foothold with a phishing attack to get them on the domain and they can then wreak havoc on a company’s system,” he said.
Johnson said tech users are now mobile and that complicates the risk. The border is gone and the control gate with access does not require identity. He said businesses have to focus at the perimeter.
“When you don’t have control of the perimeter, all controls are gone,” he said.
Bresman said Semperis will host another tech day in the region in the coming months and will work to broaden the scope and size of the event based on responses from attendees. Webb said Northwest Arkansas has the makings of a small cybersecurity hub and Grit Studios will continue to foster the connections necessary to make that happen.
Also on Thursday, Arkansas Attorney General Leslie Rutledge announced a settlement from a security breach involving 3.9 million health records and personal information involving Medical Informatics and NoMoreClipboard LLC. They had systems hacked between May 7, 2015, and May 26, 2015. The hackers stole electronically protected health information, phone numbers, usernames, passwords, security questions, spousal information, dates of birth, social security numbers, children’s names and birth statistics. Arkansas will receive $112,950 in the settlement, Rutledge said.