Uber's John Flynn On Data Security And His Sympathy For Equifax
John Flynn, the chief information security officer at Uber, understands what it’s like to have to oversee the protection of large amounts of user data—an experience that may inform his somewhat contrary view of the recent Equifax hack.
Earlier this month, the credit reporting firm surrendered the personal information of as many as 143 million consumers in the United States after hackers exploited a vulnerability in a web application that had a patch available for months.
According to Flynn, who spoke Tuesday at the Structure Security event in San Francisco, the seemingly simple patch job isn’t quite as easy to apply as one might imagine.
"Shaming people over what credentials they might have is, first of all, just wrong," Flynn said, in reference to the former Equifax Chief Security Officer Susan Mauldin Smith's background that includes a bachelor’s degree and a master of fine arts degree in music composition, before noting that even when patches are available, they aren’t easy to apply.
“How many of you have a server sitting under somebody's desk somewhere that you're afraid to touch, you're afraid to patch it because you don't know what's going to happen if you reboot that thing?" Flynn said.
It’s an issue that plagues many companies, as evidenced by campaigns like the widespread WannaCry ransomware attack that hit more than one million machines earlier this year and the wiper attack known as Petya that affected organizations in more than 65 countries.
"If you look at news stories in cybersecurity in the last six months, what you'll see is that they all have one common denominator,” Flynn said. “They all have a known vulnerability with patches that are available."
Uber’s CISO said there is often too much focus on the types of attacks that get headlines when most organizations are still failing to pass the simplest tests. "There are talks about zero-days and esoteric things,” Flynn said. “The reality is those of us on the defending side are still struggling with some of the basics of patching our systems."
The solution to that problem, according to Flynn, is to adopt methods that allow organizations to respond and adapt to threats more quickly—specifically those found in a Developer Operations (DevOps) environment that applies engineering principles. Unfortunately, that process is challenging because “we don't have any of those tools for the server under that desk.”
“That's why patching is still hard, because people are afraid because we don't have the basic principles in place to allow us to do it with low risk," Flynn said. "It's one of the biggest problems in security right now."
Flynn said one way that organizations can judge their security programs is by how many engineers they have on the team. “I believe the best way to solve security is to not just buy products but to build a custom, tailored solution and integrate those with the rest of your company's infrastructure," he said.
That problem with patching may well expand as more and more devices—including cars—come online and require speedy responses to threats. Failure to do so may not just put data at risk, but human lives as well.
Flynn said much of what he and a coalition of other security-focused experts throughout the tech world found when they formed the Future of Automotive Security Technology Research (FASTR) was that automotive security is "quite similar in a lot of respects to the rest of the way we think about [conventional] security."
Flynn said Uber has been sharing security notes with automotive companies like Tesla and has found that cars are part of a larger ecosystem, so securing them requires taking into account many aspects like computing, data centers and even customer service.
Flynn also said Uber has been changing its approach to data and is attempting to be more transparent with users. He said consumers have to "know what data we are collecting, they have to understand why, and they have to have choice about it."
The ride-hailing company has come under fire in the past for some of its data-related practices, including collecting location information from customers after their rides ended, its “Greyball” program that used location data to avoid authorities and operate illegally within cities, and its Hell program that allowed the company to track drivers for competitor services like Lyft.
Flynn said Uber “believes very strongly in transparency” and has taken to updating its policies to give users more control over what data the app collects. The company has also “limited the amount of data we are collecting,” according to the CISO.
Even with the acknowledgment that data is extremely valuable and organizations currently have a hard time doing the basics required to protect it, Flynn balked at the idea of more government-level regulation.
"There is a lot of regulatory activity in this space," he said, pointing to efforts by the U.S. Federal Trade Commission and the General Data Protection Regulation (GDPR), which is soon to go into effect in the European Union.
Flynn called regulations and the GDPR in particular a "compilation of a lot of best practices that we already do," and noted "it is a way of ensuring companies are doing the right thing in terms of data protection practices and so forth.”
Editor’s Note: Newsweek Media Group and International Business Times partnered with Structure to host Structure Security 2017.
© Copyright IBTimes 2024. All rights reserved.