The Pegasus exposé highlights the urgent need for ‘defence in depth’
The Pegasus Project – a collaborative exposé by more than 80 journalists from across the globe – is a timely wakeup call for any business that thinks its data is secure. Because the frightening reality is: it’s not.
The project revealed how a piece of spyware called Pegasus, originally developed for military and law enforcement usage, can exploit iPhones and Android devices to take control of a user’s phone. No one was off limits – a list of around 50,000 victims has been published, including politicians, heads of state, business executives, activists, royal family members, journalists and more.
No piece of technology, no matter how expensive or sophisticated, is truly secure and this project is the final proof, should it ever have been needed.
Despite billions of dollars spent by Apple and Google and all the top-flight engineers they have working for them, it’s still almost impossible to write bug-free code that a determined attacker can’t break in to. All they can really do is set the bar so high that it’s only firms like Pegasus’s creator, NSO, who can reliably pull this sort of thing off at scale and for a sustained period.
So, if you’re a company processing sensitive data, how would you rate your own software engineers and security architects? Are they better than those at Apple and Google? If so, perhaps you have nothing to worry about. But, if not, how do you sleep at night? If they can’t get this stuff right, how on earth will your teams?
MORE FOR YOU
Picking the locks of iOS and Android
Any firm that writes software, from Apple and Google down knows their software has flaws and that bad people are trying to find and exploit them. So the good firms are constantly trying to find and fix these holes in their software before anybody else discovers them. But software firms are also always shipping new features and versions of their products, which means they’re usually creating new security holes just as quickly as they’re fixing the old ones.
So the ‘bad guys’ have lots of opportunities to find these problems quicker than the vendors themselves. And if you’re a talented software engineer who’s good at finding these sorts of problems, you can sell the information you discover to firms like NSO, who will then upgrade their hacking tools so they can exploit the hole.
A good way to think about it is to imagine many different manufacturers of padlocks. Clever people are constantly trying to figure out how to pick the locks. And firms like NSO are in the business of selling a ‘Lock Picker’s Toolkit’ – lots of little spanners and wires and needles and who knows what else. Each time they discover another way to break into a particular type of padlock, they add an extra little tool to their toolkit and announce to their customers that their product is now even better for breaking locks.
Pegasus ultimately shows that, in the software world, if an adversary is sufficiently motivated, they will get in. And the Pegasus Project is just one in a string of recent high-profile data security breaches – just look at the Colonial Pipeline hack earlier this year or the SolarWinds hack last year. No one is immune.
The solution: defence in depth
So, if Apple and Google’s best software can get hacked – and sensitive data extracted this easily – how do you possibly think your business data is safe?
Data is like oil: depending on your viewpoint, it’s either your most valuable asset, or merely one leak from total disaster. Either way you need to use every tool available to you to create ‘defence in depth’ to stop it getting out.
But don’t despair. You may not have the resources of Apple. But there’s still hope.
The answer is to do two things. First, take advantage of protections that already exist. Don’t leave your back door wide open. Sounds obvious but it’s amazing how many mainstream security techniques are simply ignored by most firms.
Secondly, ensure you have depth to your defences. Multiple lines, not one. Yes: any given security technique might have lots of gaps, just like how you can see through the holes in a slice of swiss cheese. But if you layer enough slices of swiss cheese on top of each other, eventually the light is blocked.
What this means in practical terms is that you need to be taking advantage of every layer of protection already available. If you’re not, you’re a sitting duck.
But you should also be rolling out new protections as they emerge, especially if a new option implements an entirely novel technique. After all, there’s a reason why doctors don’t get too excited when a new ‘me-too’ version of an existing drug comes onto the market but get very excited indeed when an entirely new class of drug is discovered for a serious disease!
And that latter point is extremely important. We already have lots of tools for improving the security posture of firms, and competition between vendors in those categories means the bar is constantly being raised, but improvements within an existing category is usually incremental at best.
But you get a step-change in capability when an entirely new approach comes onto the scene. And the rapidly maturing field of Confidential Computing provides just that. As such, it represents an extremely promising new defence.
This new technology lets you run applications that prevent anybody from tampering with them or seeing things they shouldn’t – not even you, the operator. That might seem a bit odd the first time you read it. Why would you voluntarily give up the ability to see what information your applications are processing?
Well, the answer is: if the data your applications are processing is encrypted even from you and even when it’s being processed then even if an attacker did get through all your other lines of defence, all they’d be able to steal would be encrypted data that they didn’t have a key to decrypt it with!
And what makes this even more powerful is that applications secured by Confidential Computing can cryptographically prove to their users that their data is encrypted in this way, with a proof that is provided by the physical hardware that is doing the computations. So your customers can be enlisted as an extra set of eyes and ears in the fight against the attackers.
If you’re a business providing services to a customer, you can use this technology to convince them what your service will do with their data, before they’ve even sent it. They no longer have to trust you; they can verify for themselves. That’s the essence of confidential computing, and it’s a game-changer. It helps your customers build trust that you will protect your data, and it provides you with another layer in your defences against the hackers.
Until now, there’s been no good way to technologically control what happens to that data once it leaves your premises. And so data has, all too often, been shared between companies with scarily lax control over how it is protected. You didn’t need to be a world-class hacker to take advantage of this sort of opportunity. And confidential computing is a way to close down that line of attack.
A recent proof-of-concept from the insurance industry puts this into context. Using this technology, a group of innovative companies are enabling insurers to pool claims across their institutions and improve detection of so-called “double dipping” claims where fraudsters claim an event with multiple institutions. Confidential computing is facilitating this advance by enabling competing insurers to share sensitive information with confidence that it cannot be revealed to competitors or violate privacy laws and other regulations.
Indeed, this technology may be one of those rare examples of a security tool that also enables new business opportunities, in this case by making it possible to pool data that would otherwise be ‘too hot’ to share.
Confidential computing is a once-in-a-generation innovation in data security, and a new line of defence against the virtual Lock Picker’s Toolkit offered by the likes of NSO and many others. If you don’t have the resources of a software giant such as Apple or Google, you probably can’t afford to buy the world’s most expensive padlocks. But the next best option is to use every technology at your disposal – including the newest ones as they emerge – to ensure you have as many different types of padlocks as you can get your hands on. This is defence in depth.