By Michelle Burrows, CMO, Splashtop
Jerry Hsieh has been at the forefront of IT risk assessment and security for the twenty-plus years of his career, most recently as the Senior Director of Security and Compliance at Splashtop, where he has served in a variety of IT and Security roles for the past ten years. Not long ago, he talked to Splashtop CMO Michelle Burrows about what drove his early interest in security and how he thinks about keeping systems secure, particularly with the increase in highly publicized security breaches in the past few months.
Michelle Burrows: Jerry, thank you for joining us. While security has been all over the news of late, it tended to be almost an afterthought in the past. How did you first get interested in security?
Jerry Hsieh: You’re exactly right – I’ve been focused on security for a long time and many years ago, companies tended not to think about security very much. I had an alarming experience back in 2003 and it ended up cementing my interest in security and risk assessment.
Michelle Burrows: That sounds ominous, please tell me more.
Jerry Hsieh: The company I worked for was one of the victims of an SMTP DDoS attack that ended up taking down corporate email services, including those of large companies and the one I was with at the time. I remember the timing so clearly because it coincided with my wedding and was the reason that I couldn’t really enjoy myself because of what was going on back at the office.
It also showed me first-hand the impact of something like that. We had worked with a company that was doing email filtering to protect companies like mine and others from an attack like this and they ended up shutting down because of this attack.
I also saw another incident first-hand that occurred when a product file was categorized as a virus after the AV vendor updated the definition. IT and the engineering team spent countless nights staying up and trying to resolve the incident as every single system was impacted and we had a lot of work to do to clean up files, working with our anti-virus vendor and fixing the definitions of what was defined as an attack.
Michelle Burrows: Wow, I guess having your wedding interrupted would be a memorable way to figure out all the things not to do in the security arena. Tell me about other early experiences you had with security.
Jerry Hsieh: I worked with another company in the semiconductor industry as a security engineer. At that time, we worked on security mostly to stop patent infringement. The company hired a lot of security people as we were less expensive than a roomful of lawyers. This experience made me see security as a way to protect a company’s intellectual property.
Michelle Burrows: Right now it seems like we hear of some security breach or ransomware attack almost daily. What can companies do to protect themselves?
Jerry Hsieh: I get asked this and think about it a lot. In my opinion, the weakest link is usually the end-user. Most breaches are caused by a simple error – an employee clicking on a harmful link, saving a damaging file, using a weak password, or forwarding something. One single user can then compromise the entire system.
Michelle Burrows: That is pretty interesting that one employee can accidentally do a lot of damage. I think many people think they won’t be vulnerable to an incident like this because they have a firewall. Can you comment on that?
Jerry Hsieh: A firewall often gives people a false sense of security. I’ll hear someone say, “I won’t be prey to an attack because I have a firewall.” What they don’t consider is that while you can put up all kinds of protection around your network, one of your biggest threats can actually be internal. A firewall doesn’t solve your security problems, especially when hackers are getting more and more creative to lure employees to click on something in order to get into your system.
Michelle Burrows: If a firewall isn’t the only answer to security breaches, what do you recommend?
Jerry Hsieh: I recommend three areas to pay attention to:
End-user training / awareness training - To me, this is one of the most important items to focus on and ever since I joined Splashtop, I continually send out reminders about security risks. I make sure that everyone sees the message and all employees know how important it is to be vigilant. It helps that our CEO, Mark Lee, follows up with messages to our company that emphasize the importance of security and that it is everyone’s responsibility. When people know that something is important to the CEO, they tend to pay more attention.
Security policies - Many companies have security policies, but they should have practices in place to constantly monitor and test them. Having a policy is a good first step, but enforcing it is even more critical.
Continuous Penetration Testing - Continuous integration and continuous delivery/deployment (CI/CD) has been adopted by many companies. It is important to constantly “test” your network and applications to see if any vulnerabilities are being created during the Software Development Lifecycle (SDLC).
Michelle Burrows: I’m sure that when you tell people what you do for a living, some may feel like they need to “confess” their own bad practices. What questionable practice gives you the most pause or concern?
Jerry Hsieh: I don’t usually have anyone tell me about what they do which may or may not be a best practice. I have found that most people don’t know what cyber security is in practice. They see it on TV or in a movie and watch how a “bad guy” with a single command takes down an entire system. And then they also might think that they are safe from this due to their firewall. What they don’t understand is that the “bad guy” might be a single user in your company. Few data breach incidents are caused by employees who go rogue. What companies really need to adopt is a “trust no one” philosophy. “Trust no one” is one of the main Zero Trust Access (ZTA) principles that I’m seeing adopted more and more widely.
The other misconception that some people have about cyber security is that it is something that you can “finish.” Cyber security is something that is never “done” and there is always room for improvement.
Michelle Burrows: Right now, there is a lot of attention on security – from the CEO to investors to boards. What should companies be most concerned about?
Jerry Hsieh: Companies need to be concerned about a number of areas.
They need to do thorough and honest risk assessment. When your company is attacked, it hurts your brand and erodes the trust of your customers, employees and even your board. You must assess your risk on a regular basis.
Monitor every piece of software, service provider and hardware on your network. Many departments are frequently vying for IT’s time and want to bring in the “latest and greatest” tools for everything from customer surveys to marketing and from agile development to expense tracking. But, each vendor, piece of software or hardware could be vulnerable to an attack. You must constantly monitor your vulnerabilities and ensure employees are updating their software and/or have the IT team proactively make patches by sending out updates.
Do your research. There are now millions of products out there and keeping up with them and the bugs they could introduce to your system is a never-ending job. Your security team needs to be monitoring and researching vulnerabilities constantly.
Know that the attack vector has changed. Hackers have gotten a lot smarter over the years and have changed how they attack. While a dangerous email may have been apparent just a few years ago, now those emails are personalized in order to make it more likely to get someone to click. You must test your employees constantly so that security is always top-of-mind.
Michelle Burrows: Recently there was an announcement about VPNs being a gateway for an attack. In your view, why are VPNs (Virtual Private Networks) especially vulnerable?
Jerry Hsieh: Yes, VPNs have been a gateway for system attacks a lot more of late.
In my opinion, VPNs are being used more frequently for ransomware attacks for a few reasons:
VPNs are old technology and were introduced in the late nineties. When a particular technology has been around that long, it is more likely that there is a design flaw or vendor-specific critical software bug, as we didn’t know then all that we understand now. As an example, I set up my first VPN back in 1999, purely relying on commands and using somewhat friendly user interfaces (UIs). I think back to that experience and not a lot has changed, and misconfiguration by someone is very likely.
A VPN depends on your IT department configuring it correctly. I often see that VPNs are exploited because there is no standard way to set up, operate and distribute access. Each IT department will configure it in a way that makes sense to them and that introduces risk.
Home computers are used on a VPN. If an employee is working from home and needs access to files at work, there is no simple way to prevent the employee from using a non-corporate-issued system to establish VPN access. There are tools out there to help with this but they tend to be super pricey and resource intensive.
You can mitigate the point above with a policy that instructs your employees that they can only use their work computer in accessing the VPN. That then introduces another area of risk – public networks. If someone is traveling and they connect via a VPN through a public access network, they are inherently prone to attack.
Michelle Burrows: What alternatives can companies deploy instead of a VPN? Is there any downside to that alternative?
Jerry Hsieh: I know this sounds super self-promotional, but the best alternative is to leverage a remote access solution. And, yes, that includes Splashtop. Splashtop helps mitigate the risks inherent in VPNs because it enables you to only stream your desktop. This means the data in your corporate network is protected as you can just view the data. All the data is still inside your corporate network.
In contrast, when I’m on a VPN, I can start downloading whatever I want, which means that hackers can do the same. When I use a tool like Splashtop, I can view and operate or use the file, but I can’t download it. I can configure it so that only local computers can access it.
In addition, since we are talking about security, Splashtop offers many other security features such as device authentication, two-factor authentication (2FA), single sign-on (SSO) and more. All of these additional security features are things that a VPN cannot offer.
You asked about downsides for remote access technology. The only downside is that there is a learning curve as people adopt remote access solutions. But, since Splashtop was designed originally for the consumer market, the time it takes to learn it is minimal. And by minimal, I mean within a few minutes for the average user.
Michelle Burrows: Tell me more about a VPN vs. Splashtop?
Jerry Hsieh: Sometimes I hear that a difference might be a fixed investment as compared to the subscription model that Splashtop offers when you compare pricing of a VPN and Splashtop. A VPN is a long-term investment that some people may make once. But, they forget that VPN gateways often go down and investing in a backup gateway is expensive. Plus, a VPN requires maintenance – for vulnerability and patch upgrades. Splashtop takes over the maintenance and security work. Splashtop is maintenance free and available twenty-four hours a day, seven days a week.
Michelle Burrows: When you’re not obsessing about security, what do you do for fun?
Jerry Hsieh: As you’ve probably realized, I don’t have a lot of downtime. When I do have free time, I enjoy golfing. My wife may not be crazy about my role, but I love staying up with security trends and the work that I do every day.