Hacking Google: Lessons From the Security Team, Part Two

When it was launched in 2009, the Operation Aurora cyberattack was one of the first major nation-state cyberattacks aimed at private industry. Its impact forced organizations to take a hard look at their cybersecurity systems. Google revamped its entire approach to security in response to Operation Aurora, and the security team is now letting everyone see behind the curtain with its series Hacking Google.

The multi-episode series takes a deep dive into Google’s different security areas: the Threat Analysis Group (TAG), Detection and Response, Red Team, Bug Hunters and Project Zero. During a recent webinar, members of the Hacking Google team shared insights into what they’ve learned about cybersecurity, how to improve the approach and how to tackle the threats facing organizations today. Part one of this article looked at Operation Aurora, the threat landscape and spyware.

The Rise of Zero-Days

The number of zero-day exploits surged in 2021, with nation-states as the primary threat actors.

However, Google’s Parisa Tabriz, VP, Chrome browser, attributed the rise in known zero-day attacks to better detection and disclosure processes rather than to an increase in zero-day attacks themselves. In 2021, several security companies released studies highlighting the record number of exploits, and Android and Apple began publicly disclosing when they discovered zero-days in the wild.

“Better detection and disclosure here is a real positive for security,” said Tabriz.

Still, the rising numbers mean that threat actors continue to rely on these exploits as an attack vector. Because attackers keep exploiting known bugs, Tabriz said the security industry needs to do a better job of deploying correct and complete patches.

“One bug could represent a pattern of similar issues,” Tabriz said. To tackle the problems around zero-day exploits, teams should fix the insecure patterns that exist in their code.

Future of Cybersecurity

What will cybersecurity look like in the next five or 10 years? While it is hard to predict what technologies will be around in the next decade, Heather Adkins, VP of security engineering at Google, made a bold and definitive statement: She believes we will see the death of the password. Enough progress has been made with security keys that the authentication experience will no longer need to rely on passwords.

This will follow an ongoing pattern of streamlining cybersecurity; Adkins predicted we’ll see the security controls required by compliance regulations built right into operating systems and other technologies used across the enterprise.

The ultimate goal is to make security as easy as possible, with far more integration between security and the rest of the digital ecosystem. In an AI-driven world, it’s just as important to focus on human safety and well-being as on keeping the technology safe.

Push-Button Recovery

“Everybody is going to be hacked at some point. The differentiator is how quickly we recover,” said Adkins.

Security teams like Google’s will continue trying to raise the bar on security defenses, with the goal of eventually making our digital systems nearly impenetrable. But bad guys are always going to get in somehow, so the next best thing is to focus more on how networks can reduce downtime and recover quickly, she said.

“I’d love to see something like, if you have a cloud taken over by ransomware, you can just push a button and recover really quickly. That would make some of these attacks irrelevant,” said Adkins.


Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
