ISMG Editors: A Tribute to Steve King
Steve King's Legacy in Cybersecurity: Insights and Reflections
Anna Delaney (annamadeline) • July 5, 2024
In this special edition of the ISMG Editors' Panel, we honored the memory of industry veteran Steve King, managing director of CyberEd.io. His friend Richard Bird joined ISMG editors to share reflections on Steve's legacy, his contributions to cybersecurity, and the importance of questioning the status quo.
King left an indelible mark on the cybersecurity industry through his relentless questioning of norms and challenging of established practices. His ability to see beyond the surface and foster meaningful discussions made him a cherished mentor and friend to many. Bird shared how Steve's critical approach sharpened his own insights. "Steve was always questioning, always unsatisfied with rote answers, and that really struck up a great friendship with us," Bird said.
The panelists - Anna Delaney, director, productions; Tom Field, senior vice president, Editorial; Richard Bird, CSO, Traceable; Michael Novinson, managing editor, ISMG business; and Chris Riotta, managing editor, GovInfoSecurity - discussed:
- How Steve King's legacy will continue to inspire and guide those in the cybersecurity community;
- The unique security challenges posed by APIs in the financial services sector and why fraud and abuse are behind so many API-related data breaches;
- The key identity management strategies organizations should prioritize, especially in critical infrastructure sectors, to protect against ransomware attacks.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the June 21 edition on how Medibank’s lack of MFA caused a data breach and the June 28 edition on the growing fallout from the Snowflake breach.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney. Today, we are honoring the memory of our dear friend and colleague, Steve King, who passed away late last week. We are fortunate to have with us Richard Bird, highly respected expert in the industry and identity field, who knew Steve very well. Richard, thank you so much for joining us.
Richard Bird: Pleasure to be here.
Delaney: And also with us - Tom Field, senior vice president of editorial; Michael Novinson, managing editor, ISMG Business; and for the first time, Chris Riotta, managing editor for GovInfoSecurity. Good to see you all.
Tom Field: Thanks Anna.
Michael Novinson: Thank you.
Delaney: Richard, since you knew Steve very well, can you tell us how you got to know him and share any reflections you have?
Bird: My introduction to Steve, like all great introductions, came through a network of friends, which probably says more about my choice of friends than it does about Steve's capability to see talent. But, I had a call at some point a few years ago and Steve said, "Hey, I got your name from John Kindervag, and I'd like to have a conversation with you about zero trust." And, that started this series of conversations and opportunities to spend time with each other. That was for me a hallmark of the last several years of being out of the corporate side and being in the cybersecurity industry. Because what I found with Steve was somebody that I very rarely find in cybersecurity or in technology, which was somebody who had that same orientation toward cynicism and skepticism and was always questioning, always unsatisfied with whatever the rote answer might be. That struck up a great friendship with us, and it was great for me as well because Steve was always sharpening my insights and sharpening my observations. I'd get these random calls and Steve would go, "What do you think about this?" And, I'm like, "Are we getting on air?" And, he goes, "No, I want your thoughts about this particular event or how you see this situation playing out." And, that was enriching for me. Tom has heard me say this multiple times: I don't think that there's enough reasoned debate and conversation within the security solutions industry. There's too much that's taken as gospel, as it were, without us exercising kind of that Socratic viewpoint. And, Steve was a master of the Socratic method when it came to the way that he interacted with people, which caused him to get the most and the best out of the guests and the interviewees and everyone that he interacted with.
Delaney: For sure. That encapsulates well. Tom, you worked with Steve for many years. How do you remember him?
Field: I remember meeting him for the first time out in San Francisco. He had contacted us and was interested in doing some work for ISMG. And the question was great. This is a terrific talent. He had great experience. What would he do? What could he do? As I was out in San Francisco for a Roundtable, I had the opportunity to sit with him over lunch and what I quickly found out was here was a man with deep experience of technology, business, security, had been an entrepreneur, knew how the business worked, and yet he retained the heart, the interest, the drive of someone just starting up an organization. As we got to work with him and got to know him, I saw the same sort of drive that Richard talked about, in the push to do more, to be different, to be distinct. Content-wise, he always pushed us to have a unique voice to make sure that we stood out in all the noise about cybersecurity. What impressed me the most was that Steve never was about solutions or tools. He wasn't out to move product. He was out to solve cybersecurity problems, and that came out in all the conversations and all the productions that he did, and the work that he did toward the end of his career, in trying to change the whole dynamic of cybersecurity education and awareness. That's what stands out.
Delaney: You interviewed him a few times as well?
Field: Oh, we did so many productions. Richard and I did some productions with him about zero trust and other topics. One that stands out to me was during the pandemic, and we were talking about the nation-state threat in advance of the 2020 election, and we got on a panel. Sam Curry, currently the CISO of Zscaler, and Tom Kellermann, who at the time was with VMware Carbon Black, and there were other people that knew the landscape well and had got a good sense of what the threats were, who the adversaries were. We sat down and talked about what the real nation-state threat was and what the U.S. in particular needed to do following the 2020 election. I want to share with you a clip, which was probably a 40-minute discussion among us. But, Steve had some great things to say, and the things that he said in 2020 can as easily be said in 2024.
Steve King: Our business cybersecurity leaders are completely overwhelmed, understaffed, underskilled and don't have the wherewithal to do the job that has expanded and exploited in front of them. That's my take. We need to do so many things in education and upskilling and so quickly with resource allocation, staffing, and CapEx and OpEx support and the constant cycle of we can't get the board to do X, we can't communicate with our board, or the board doesn't understand, etc. It's tiresome. We've been having the same conversation for several years, and as long as we continue to do the same thing we did before and expect a different result, that's crazy. That's what is at the core of this dilemma that we have right now.
Field: Four years later, we could say the same darn thing.
Delaney: How do you think he's going to be remembered by the industry?
Field: I'll give you my take. To me, Steve King was a cybersecurity thought leader straight out of Haight-Ashbury. He's someone that back in the 70s you would have seen walking around with a T-shirt saying, "Question Authority." And, that's how I want to remember him. That's how I want to honor him. He questioned authority and the status quo. Because there is so much more that we can do if we try to break out of the mold.
Delaney: How about you, Richard? I know you mentioned the other day, his whole ethos was "trust, but verify," not only in cybersecurity, but also journalism. I love that.
Bird: Isn't it strange that we think about people's legacies only after we lose them? Just sitting around for a couple of days processing Steve passing, I realized that his role in cybersecurity and his influence on us is in his capacity that he had to be the conscience of the industry. I love the Haight-Ashbury reference because what he was saying is we need to do better. Why aren't we doing better? What can we do to do better? And there are only a handful of voices that are serving as a proxy for discontent, frustration, lack of performance or improvement in security. It's a very small group that serves the voice of all the people that are working in security, both on the enterprise side and solution side, who have all of this pent-up frustration of not seeing improvement. He served in that role. He served as our conscience to question what we had taken either as truisms or as incontrovertible and irreversible situations and facts within security - that's an important legacy. That's how we honor it by not accepting everything at face value and by trusting but by verifying, like I feel Steve did pretty much every day that I've known him.
Delaney: Richard, as we commemorate Steve, I know that he would want us to include some educational insights in the program. Given your expertise, we have a few questions for you on the theme of identity. So, Michael, take it away.
Novinson: Thank you very much, Richard, for joining us. I know your day job is at Traceable as the CISO, and I know you recently put out some research around API fraud in the financial services sector. I'm going to give you two questions here. Feel free to take them both on at once. First, what are some of the unique security challenges posed by APIs in the financial services sector? Second, why are fraud and abuse behind so many API-related data breaches?
Bird: When we look at the financial services sector, we see that the attacks and exploits that are being attempted, in many cases, are being successful. If you look at the kind of knock-on effect of the Snowflake situation on Santander Bank and the exposure of the information that they were sitting in the cloud, which is all transported by APIs, we're seeing a couple of different motions that are happening in the hacker side or the exploiter side of the economy. When we look at history, every time there's a new attack or threat vector, the first attempts are always against banks. You and I have talked about this before, they go against banks initially, because, as Willie Sutton said, "I rob banks because that's where the money is." The highest amount of economic value for any nation-state actor, anyone that's trying to yield financial gain, is always going to be the banks first. So, we've seen this rush of attack methods against banks around APIs, and then we've also seen a very interesting rush by regulators, where regulators are moving strongly into prescriptive demands for APIs specifically. It raises an interesting question - in association with the questions you've asked, Michael - which is, are we seeing a landscape change in U.S. federal regulation, where regulations are becoming prescriptive rather than directed? Over the last 40 or 50 years, regulations said, here's the control that you need to meet, provide the evidence that you meet it. We don't care how you do it, but if you can show your work, we'll give you credit and you're considered to be compliant. When we look at APIs now, the Feds, whether it's the FCC or the FFIEC, are saying, "No, you can't have a spreadsheet that itemizes your APIs. You must have a continuous inventory, and you must be able to prove that you have asset control and have done a risk management assessment of these APIs." So, that raises the question: Why are APIs different?
Why are we seeing such a big universal change on both the bad guy's side of the equation and the good guy's side of the equation? It is because APIs have been in the wild now for close to 15 years in the modern web era. Technically, they were proposed as a theory in 1955 by a couple of IBM analysts. We know that APIs aren't a new thing, but their use in layer 7 in this web-enabled world came with the distribution of the creation of APIs strictly by developers, with no security guardrails or standards and multiple different protocols - Graph Excel REST. And, in doing that, by providing no security guardrails or guidelines on how those APIs have been developed, they've created this massive attack surface that's available to bad guys. So, once you defeat authentication for an API, and this will wrap into my identity background, it operates like any other transaction in the digital world that would be associated with somebody doing a job. So, if I defeat authentication with forged keys, credentials, API keys that haven't been rotated and so on and so forth, then I now have the keys to the kingdom, literally for whatever that API transaction is associated with, moving money, customer records and accounts, customer data, PII - as long as I get past the authentication piece. Then, I can execute any bad thing that I want to with that API, and I can even mutate and change that API for my own purposes, which is why this combination of extreme power and the ability to deliver massive amounts of business value comes at the cost of enormous amounts of risk and an exponentially expanding attack surface that today, in some of our surveys as you referenced, large enterprises simply aren't even acknowledging. They're saying, I know it's a risk, but I'm not doing anything about it.
So, we're in the window of this dynamic change over the next 12 to 24 months, simply because the bad consequences are racking up in massive amounts of data and information that are being stolen by bad actors using APIs.
Novinson: Important stuff. I'm going to turn it over to my colleague, Chris, now.
Riotta: Thank you so much, Richard, for joining us today. Pleasure to have you, and I'd love to pick your brain about the federal government's progress in identity and access management through their single sign-on initiatives. There's been login.gov, which was launched by GSA, which is a significant step integrated with federal services such as Social Security Administration and the Department of Veterans Affairs. A lot of folks say that these initiatives bring massive benefits from improved user experience, enhanced security through MFA and increased efficiency. But, there are also significant challenges with integrating legacy systems, balancing security with privacy and ensuring scalability. So, how do you think that these single sign-on initiatives are facilitating and maybe even complicating identity management for federal agencies? Is it getting easier for the federal government to provide a safer way for citizens to sign on to their government services? Or do you imagine that this could further complicate overall security in the long run?
Bird: I'm going to start with the tail end of the question first. I don't think that it will complicate security efforts or technology integration efforts. I am a huge fan of technology history, and as I always like to point out, nobody has ever written a cybersecurity history book, which means that we're doomed to constantly repeat the same mistakes over and over again because we refuse to acknowledge the value of our history and the evidence that supports that history. When we look at SSOs in particular, SSO was the very beginning of actual modern security in almost every aspect of what now constitutes a security stack. There was this transition period at the end of the late 90s where we were trying to figure out how to resolve the issues that went well beyond the old network firewalls. We were dealing with a lot of issues relative to differentiation of systems and at that time, if we think about the late 90s, we rolled out of the late 90s, and everybody had 27 accounts and a password for every one of their systems that they were interacting with. And now, I've always maintained the position that SSO itself is not security. SSO is an enabler and a pathway to get to things like federated authentication and managing the identity plane. When we look at the efforts that have been undertaken within the federal government - it's good yeoman's work. It's 20 years late. If we look at it from the broad brushstroke standpoint, because if you look at where the enterprise went, SSO became the standard of rigor, probably about 2009, 2010 and in that enterprise world. Now, I'm going to reflect for just a second as a customer of U.S. government services. I'm a veteran. 
I manage through challenges in the Social Security Administration, relative to family members, and I would say that my personal experience using the tools that have been developed and mandated in the federal government space have greatly increased my customer experience as it relates to my interaction with federal government. It's made it much easier. It's made it much more streamlined for me to be able to go from one set of systems to another. And, I appreciate that. It's still kind of clunky, and it's still faced with one reality that I've always thought is more important than the technology piece of this conversation as it relates to identity progress in the federal government. It is still faced with tremendous amounts of internal political and organizational friction within the federal government as associated with each of its respective departments. Great example - my son-in-law recently retired from military service after 23 years. He turned in his CAC card. Those of us who know Jeremy Grant know the history of the CAC card in great detail. And, here it is 2024 and he's still using a device-based approach to identification in the federal government that everybody has hated for the better part of at least two decades and when we look at the other component pieces, we see agencies that are all about using id.me versus login.gov. So, the next stage of improvement is better centralization of the SSO services that are associated with how the government is delivering services, and then ultimately, that's going to finally bleed into that next tier, future state conversation that we need to have that we're always struggling with in identity, which is, okay, now what are the roles of biometrics? What are the roles of additive information to a citizen's profile without bending into concerns about big government? But, we've set the stage with the SSO efforts in the federal government to start to have meaningful conversations about improving from this position forward.
Riotta: It's an interesting perspective. Thanks so much. I'll pass it back to you Anna.
Delaney: Thank you! Richard, turning to ransomware attacks on critical infrastructure, we've seen recent ransomware attacks on major U.S. and U.K. water utility companies. Looking at those, what are the key identity management strategies that organizations should prioritize, especially in the critical infrastructure sector, to protect against these attacks?
Bird: Ransomware is so frustrating to me because the way that it gets modeled and the way that it gets presented in analyst reports, and all the news stories indicate that it's some kind of unique attack, when at its very core, it's an identity attack. Ultimately, it is somebody giving access to credentials and privileges that are associated with that person, usually through some type of phishing campaign or some other activity that allows the bad actors to get a hold of those initial credentials. Then, they begin patrolling the internal networks and systems and aggregating additional privileges and then get to the core privileges that are necessary for them to be able to shut down the assets and then offer them up for compensation to release them again. That whole track never gets well described in most popular media. The frustrating part about ransomware, and not to tie it intentionally to zero trust, but this was my zero trust epiphany, working with so many members of the ISMG team and CyberTheory team, Eve Maler, Greg Touhill, Chase Cunningham and John Kindervag and diving into this, every time I've gotten resistance about zero trust, I always bring up the ransomware example, and I'm like, look, if you want to start on a journey to zero trust, even if you don't believe in it, eliminate all persistent and implied trust within your networks today. Don't even take away anything other than all these excessive privileges that simply have been allowed to rock and manifest in your organization. These are all the baits that the bad guys need to go lock down your assets in your data. And, it's super challenging in today's environment to convince anybody that removing privileges from an employee that shouldn't have them anymore will block the pathway to these successful ransomware attacks. We still labor 20 and 30 years later with I can't take that access away from Bob because he might need it one day. That is not a business justification.
That is simply an excuse for laziness and I know that people don't like to hear contentious statements about ransomware, like, if you get a hat on ransomware, it's because you're functionally and organizationally lazy about enforcing strong controls in your environment. But, that's the truth of it, and that's why ransomware is so successful, because even after so many big ransomware attacks and so many payouts, people refuse to look at the evidence and go address the historical root cause of this, which is excessive privilege and grants and entitlements post authentication for all the people that are inside of your organization. You're an accomplice to the crime when it comes to ransomware, and it's a statement that people do not want to accept. They want to believe that ransomware is successful because the bad guys are so good. And, the reality is, in the last 15 years, the bad guys have gotten dumber. They don't need to be technical experts anymore. They simply can go by and lease all the services they need on the dark side of the economy and leverage those and they don't even have to be intelligent anymore about how to defeat you because we're helping them by allowing ourselves to get defeated on a regular basis.
Delaney: Fantastic. We're always learning from you Richard. Thank you. Finally, I want to bring it back to Steve. He was dedicated and passionate about his work and always committed to improving cybersecurity. So, how can we ensure that we honor Steve and the work that we continue to do? Tom, do you want to start us off?
Field: You know this as well as I did. One of the passions he had in the past six months or so was to see the growth and expansion of ISMG.Studio in terms of creating a new type, a new breadth, a new scale of video productions to reach the cybersecurity community and talk about some of these problems that need solutions. I want to carry on. I want to make sure that we do honor Steve by ensuring that ISMG Studio is the entity that it can and should be. So, that's where I'm putting my name.
Delaney: We're with you there. Michael?
Novinson: I know I'm from the same place as you did, and I met him in Phoenix as well as in San Francisco and have been a part of calls with him for many weeks in the past couple of years. Certainly, people have already talked about the skepticism he brought in questioning authority. In addition, there's a certain degree of rigor that he brings that you don't just build and you don't go through the motions, whether that's interview preparation, putting articles together. You need to ensure that you don't accept conventional wisdom. You don't accept what groups of people are saying on LinkedIn and that you apply yourself to every stage of the work you do, and as an individual contributor here, it's about bringing a high degree of rigor to who I choose to speak to, what I choose to ask them, what I choose to do with that information, because good enough was never enough for Steve.
Delaney: Love that. Chris?
Riotta: Having joined the ISMG family less than a year ago, I feel there's not much else I can say that everyone hasn't already said about Steve. He was an incredibly impressive guy, both in his work and as a human being, the way that he questioned pretty much everything. I will say he was very gracious with his time. He was one of the first folks to set up a meeting with me to talk about what some of my reporting passions are. He immediately taught me to question everything that I thought I knew about covering government cybersecurity initiatives, not to take anything at face value but to dig deeper, to look into what you're being told. To truly verify every piece of information that you're receiving and to tell it and explain it in a way where you're getting to the impact and to how it's going to affect the folks that you're trying to tell the story, to who your audience truly is, and getting down into the nitty gritty. The few interactions that I had made me feel privileged and I feel very fortunate to have had the conversations with him in my short time knowing him. I'm going to take that with me as I continue my own work in this field.
Delaney: Well said. I suppose, it requires a certain amount of courage as well to challenge the status quo. Particularly online, he was so good at writing posts that were so educational. So, I'll try and apply some of that to push back if I can. It's so important. But, also I promise to stay updated with the excellent educational resources that he put together with his team. They've created CyberEd, and it's brilliant education there. So, I promise to stay up to date with that. Richard?
Bird: For me, it comes down to something that was an exchange that I had with Steve, where, like you all have known me long enough, we've had so many conversations over the years. I'd also like to point out I've had such a long relationship with ISMG, I now recall meeting you all when you all three first started, which is awesome to see how ISMG's talent pool and bench has grown, and to have had the opportunity to interact with you all. But, I've never been known to be the shrinking flower. I've got a pretty healthy reputation of saying things the way that they are and being straightforward and speaking truthfully. But, Steve has caught me short a couple of times and said, "Are you going far enough? Are you asking the right questions? Is there something else that you should be thinking about?" Steve challenged me on that a couple of times, and I found myself realizing that for whatever reason in that particular topic or that particular issue, I was kind of checking my balances. I was trying to be either conciliatory to somebody in the market that might be offended if I took a strong position, or if it was a tough subject that there wasn't a lot of data on. The first time Steve called me and said, I'd like you to be on a panel to talk about AI, and I'm like, "Why me?" And, it was "apply those experiences and apply that background that you've had in this entire track of technology history for the last 30 years. And, let's make some assumptions and associations with AI." That's it. It's constantly challenging to find the deeper answer is the way that we honor Steve. Not being satisfied with what's written on the wall. Let's step behind the whiteboard and see what else is in this big, messy ball that needs to be looked at. That's the way that we show Steve - the type of honor that would be respectful of what he built in the technology and security industries.
Delaney: Well said.
Field: Well said.
Delaney: Thank you so much for all your reflections today, and Richard, thank you so much for making this episode so special. We hope to have you back soon again, but for now, here's to remembering Steve King. Thank you so much for watching. Until next time.