News Feature: Google Security interview "human solutions - the way to go."
News Feature: Google Security interview "human solutions - the way to go."

During cyber-security awareness month Google has launched of a range of personal and corporate security enhancements (see further down page). Ahead of the announcements, Google security expert Allison Miller, spoke to SC Media UK's Tony Morbin about the organisation's approach to security and privacy concerns.

On a roof terrace in Google's new HQ, overlooking the newly rebranded Mid-Town section of central London, Google's Alison Miller sought to reassure SC Media UK that the internet colossus did care about the privacy concerns of individual users.

Certainly Miller agreed with the suggestion from the NCSC's Ian Levy, that its time stop blaming people if the tech's too complex to use.

She told SC:  “I think it's very unfair to expect users to shoulder all the burden.  As information security as a discipline has grown over the years, we've focussed a lot on the technology because we're technologists, so we created layers of technology to protect the technology and it all works very well unless there's humans involved.  But the thing is the humans are the point. 

“A lot of social, economic or payment platforms are consumer facing – human facing – so we can't really expect the technology that we used to use to isolate us from the world, to hold through when the technology that's most useful  to us is the technology that connects us as humans So we need to seek other solutions than relying on the technology to protect the technology.”

The people centric approach became more explicit when SC asked whether the solution was not simply to supplant the humans through the use of AI.

Miller responded, “I don't think humans are the problem, the problem is that humans are the target.  We can rely on tech to protect the tech, but a lot of the attacks that we see are really bad human behaviour that's attacking other human behaviour.   The number one cause of large security breaches is still phishing – its tricking someone.  So looking for more human solutions to those problems is the way to go.”

Miller went on to outline her view on the main issues.  “Step one is understanding what the threats really are.  Is the threat really that your encryption keys aren't big enough and strong enough, or is it that the people who are part of your system are the target, as well as what you are relying on to protect it. 

“Step two is that anywhere that humans are using your system or have choices to make impacts the security of the system.  How can you design those choices, experiences, in a way that makes it really easy for them to be successful? And more difficult for them to make honest human mistakes?  I think about phishing sometimes, and I think, who has time to scrutinise every single link that comes through before clicking on it?   - 18 tabs open is a slow day, right?”, she laughs, to acknowledging nods all around.

“Any time where we can reduce the cognitive load on people is going to improve our chances of success.  The last place where I see modelling for the human factor coming to bear is machine learning and artificial intelligence.”

Miller went on to explain how her viewpoint was formed in relation to her varied background in the information and security world, including  a lot of time doing fraud analytics, noting it used, “...those same techniques about being able to understand what an attack pattern looks like and recognise it as its happening and being able to re-route the user behaviour or the flow is really useful. We use machine learning and AI and a lot of those techniques in what we are doing,  to find malware on the web, which is one of the initiatives I work on – Google Safe Browsing -  and anywhere where you have, in your system, a place where your system might get gamed. Meaning, not attacked necessarily by an exploiting an application security flaw in the technology, but some place where people might be exploited or bad behaviour might be happening.”

“That's a really useful place to put that technology because it can take so much more information into consideration – and it doesn't have 18 tabs open – or maybe it does, but it's just working one tab at a time and machines are really good at recognising certain types of pattern that people don't necessarily have time for.”

Another ‘human' aspect to consider is the people working in the sector, with the cliché that techie security professionals – the traditional source of CISOs, don't necessarily know business risk or articulate it well – but if not techies, who? Miller responds that, “One of the things that makes cyber-security  so exciting and also so challenging for professionals is that the discipline is nascent, so we have to keep learning and we have to keep bringing in themes and ideas from other places, because we are learning as we go – but we have to learn fast, because the stakes are so high.

“I am a big believer in ABC – always be cross-training – which has always helped me in my career and its going to help the discipline in understanding that the problems we are facing are multi-faceted, which means that solutions from lots of different disciplines are going to be brought to bear in order to be successful.  So it's both [tech and MBA backgrounds]. 

“If a CISO needs to compete for resources within the C-Suite, they need to be able to speak the language of the other executives.  And depending on the environment or the challenge, having that solid technical credibility is really important, but also being able to speak the language of business, because we don't do security just because security is cool (though sometimes we do) but we do security to protect things, to protect the interests of the businesses we work with, or the consumers we work for.”

Talking to a highly successful woman in Cyber Security with a tech background, an obvious question is, how do we bring more women into cyber security?  One approach is to emphasise all the non-tech roles in the sector using soft skills, while some of the women with tech backgrounds say, no, just get more women to do tech at a younger age, so we were interested in Miller's view.

Clearly demonstrating that ‘soft skills' of diplomacy can be combined with tech-understanding, Miller replied: “It's important to bring more people into cyber-security from all types of different backgrounds and what's going to bring them in is a wealth of job opportunities and the excitement of all that one gets to learn and build.

“For me and my career, there wasn't an industry there yet.  The job descriptions that I ended up filling hadn't been created so everything I ended up doing was new.  In some cases there hasn't been a job title that fit what I was doing, and it's so much fun.  There's a pioneering aspect to that, which is part of being a growing nascent industry, in that there aren't a lot of definitions. 

“And I think folks who are successful in this industry, who are drawn into it, are ones who are  either hackers – people who like to take things apart and understand how they work – or they are makers who like to build things that achieve certain outcomes, or they are  protectors, or they are business people. 

“So it's hard to find one thing that's going to bring any particular set of people in; people come into this field because something drew them  in. Something appealed to them. So different aspects appeal to different folks.

“In cyber-security, like in life, you learn things from wherever you've been  and bring them wherever you go, so maybe not just being so rigid about the definition of what a cyber-security professional needs to be will be helpful because its changing and its expanding.”

The issue of ethnic minority representation within Europe and North America's cyber-security industry was touched on.  Miller commented, “Cyber-security doesn't exist in a bubble, it has a lot of the same issues that tech has, and tech hasn't figured it out yet either. Is it a pipeline problem, a retention problem, a culture problem? its all of it.  It's a very thorny problem.

“I think we'll get there, but it will be fits and starts as we figure out, what is cyber-security, what isn't it, who wants to do this and what are the opportunities and what is the growth path for them.”

Given recent stories of the amount of malware found on Apps on Google Play, Miller was asked, how do you stop malware on your platforms and what have you done to stop recent cases of malware?

“Security is challenging everywhere and at Google too,” acknowledged Miller, adding, “We are dealing with adversaries who try and hide their behaviour from us.  The team that I work with, Safe Browsing, our charter is to go find webpages that are hosting malware, phishing, unwanted software, and that comes in all kinds of flavours.  The web is a big place, it's very dynamic – there's no way for us to download a copy of the web every night and scan it. 

“So there are big challenges and we invest a lot of time and resources into making sure our technology is up to the challenge and doing our best to protect our users from any harm that might come to them – on our platform, and wherever they might roam on their browsers or their mobile devices.

“No security system is perfect so the best we can do is keep attacking the problem and root out the bad behaviour.  The Safe Browsing Team recently had a milestone, we announced that our technology is now used by three billion devices. Last spring we were at two billion, and we did a lot of work to optimise for mobile, because that's where a lot of this activity is going. 

“The web used to be this thing you looked at from your desktop and a browser, but now mobile Apps are creating a new version of the mobile web.  We are excited that we have expanded that way.  Just like spam prevention or fraud prevention or any of these types of protective activities where you are dealing with adversaries, it's a cat and mouse game and you have to keep working at it.”

So is it blacklisting, whitelisting, threat hunting on your system we asked?  “All of the above of course,” Miller laughed.

Miller adds, “We've invested significant resource in our systems to look for malware and phishing, and we continue to invest more every year.”

Miller felt it wasn't her remit to go into the intricacies of regulation, simply acknowledging, “The legislative environment is complex and challenging, and I am thankful we have excellent counsel and folks who are working on that – who are not me,” and when asked about issues such as meeting the future GDPR need to report a breach in 72 hours, replied, simply, “Google complies with the law in every jurisdiction in which we operate.”

Her colleague, Elijah Lawal, UK & IE Communications Manager stepped in to add, “It's difficult to say how GDPR will impact us, but we fully intend to comply and are in conversations with legislators and regulators.”

So what are the main, threats faced as far as Google is concerned?

Miller replies that the biggest threats are not new.  “Phishing is still huge. As far as we've come with endpoint security,  malware is still a problem.  What troubles me most is the industry has this brittleness, when a breach happens – and they continue to happen – consumers (at least in the US) are experiencing breach fatigue, they are tired of resetting things, having a new credit card issued, and all the rest.  So I hope we can figure out how to respond to these mass events more gracefully, in a way that doesn't make it worse than it already is if there is a breach.”

When quizzed on the problem of reconciling Google's business plan being based on gathering information, versus the consumer desire for privacy, Lawal stepped in.  “It's always a balance, and on to keep our customers' data safe, one of the most important things we do is give them control.  We use the data to provide better services.  If you share your location data with us, we can tell you about your commute to work, but at the same time we want users to be comfortable with us having that data. 

“In terms of reconciling what we have with what users want us to have – we give them very easy controls of how we use that data.  Very simple dashboard – when they go to My accounts at google.com they can literally press a button and that stops personalised advertising, a simple button will provide all the information that Google has – its called ‘take out' so if you don't want to use Google services anymore you can click that button and download all the information that we have and then move on to another services.

“Also in MyAccount is MyActivity so you can see different devices that have logged into your account, different locations, changes made to your account, which should add to security calm as there is a one stop shop where you can see everything that has gone on with your account. 

“We also have a website – privacy.google.com – which gives a nice overview of how we use data to make our services better and also empowering you to make choices in that regard,” said Lawal, concluding:  “Data's very important to us and the products and services we provide, we also want users to be able to be in charge of their own data.”

However not everyone is convinced and there are certainly still sceptics about Google's approach to privacy. A recent Sophos Matt Boddy blog, The Google tracking feature you didn't know you'd switched on details how using GPS, Wi-Fi and cell tower data, Google's Your Timeline can paint an accurate picture of your daily life. Boddy says that if you've got it switched on, it stores every step you take and everywhere you go – and most people have it switched on without making a conscious decision to do so.

But given its raft of new security features (below) Google is certainly responding to security concerns:

Google new services

Google Advanced Protection

Last week Google announced that it is rolling out a new three-layered cybersecurity plan designed to give extra protection to those most in need.

Google Advanced Protection has been in beta for several weeks and is now available to those using personal Google accounts. However, corporate account holders are not eligible.

The new security measures include having the individual using one or two USB-based security keys, which must be purchased separately, that will generate a number to be used as part of the accounts 2FA process. This will stop an intruder from entering the account even if they have the correct password.

The second line of defence is Google will automatically limit full access to a person's Gmail and Drive accounts to only that person thus eliminating the possibility that the owner might mistakenly give someone else the right to access these apps.

Google is also building in a methodology to determine if a person claiming to be an account owner is legitimate. The company noted that malicious actors often attempt to impersonate an account owner and claim to have lost access to extra steps will be put in place to prevent this from happening during the account recovery process. This will include requests for more details about why you've lost access to your account.

Commenting on the news, Javvad Malik, security advocate at AlienVault, said in an email to SC: “This is a very positive and reassuring step taken by Google, and hopefully other companies will follow its lead in bringing better security capabilities into the hands of the masses through protective measures, as well as increased monitoring and threat detection.”

Richard Parris, CEO at British digital identity expert Intercede suggest that although Google should be congratulated for leading the charge when it comes to cyber-security, striking the right balance between digital security and user experience remains essential, telling SC Media UK, “....one thing that stands out to me is that in the eternal battle between digital security and a painless user experience, Google's new advanced program falls short on the convenience front. Being the patience-poor and fickle creatures that we are, unfortunately if a security measure compromises the end user experience it will almost certainly never be fully embraced by the mainstream.

“What's needed is a level of security that is both secure and convenient to the end user and this can be done.”

Charl Van Der Walt, chief security strategy officer at SecureData suggests that hopefully it is only a matter of time until something like this is available to all Google users. He adds, ““One caution, however, is that a very significant number of successful breaches are still achieved via a compromised desktop, mostly via a malicious document attachment. Undoubtedly Google will become far better at detecting and blocking such attachments, thereby better mitigating an additional threat vector not covered by these ‘advanced' new controls.  High profile users however, should be aware that unauthorised access to their computer is as much a threat to email confidentiality as unauthorised access to Google itself and these new controls will do little to change this. Instead such users should think hard about the platforms they use to access email and how they open attachments. Simple, limited-use platforms like a Chromebook or a tablet are generally safer to work from, but using a Yubikey with a tablet can be tricky, especially on iOS devices. This seems a pity, and looks to be a trade-off.”

Jurisdictional consideration is another factor and Van Der Walt says, “Google itself might have access to email and contact data, and given Google is a US company, the US government may be able to obtain access. This, however, is a ‘political' consideration rather than a technical one.”

Data Loss Prevention (DLP) API

The Data Loss Prevention (DLP) API, which went beta in March, can help quickly find and protect over 50 types of sensitive data such as credit card numbers, names, and national ID numbers.

New ways introduced to help protect sensitive data with the DLP API, include redaction, masking, and tokenisation.

DLP API offers native support and scale for scanning large datasets in Google Cloud Storage,Datastore, and BigQuery.

“Google Cloud DLP API enables our security solutions to scan and classify documents and images from multiple cloud data stores and email sources,” says Sateesh Narahari, Google VP of products, managed methods.

De-identifying data removes identifying information from a dataset, making it more difficult to associate the remaining data with an individual and reducing the risk of exposure.

Redaction and suppression remove entire values or entire records from a dataset, eg the DLP API can identify and redact a name, social security number, telephone number and email address.

Partial masking obscures part of a sensitive attribute - for example, the last 7 digits of a 10-digit phone number.

Tokenisation, also called secure hashing replaces a direct identifier with a pseudonym or token which can be used where you need to retain a record identifier or join data but don't want to reveal the sensitive underlying elements. Tokens are key-based and can be configured to be reversible (using the same key) or non-reversible (by not retaining the key). Token types used can be Format-Preserving Encryption - a token of the same length and character set; or secure, key-based hashes - a token that is a 32-byte hexadecimal string generated using a data encryption key.

De-identification and masking techniques applied in real time, sometimes referred to as “Dynamic Data Masking” (DDM) can be used if you don't want to alter your underlying data, but want to mask it when viewed by certain employees or users.

Other techniques deployed include bucketing, K-anonymity and L-Diversity  quickstart guides.

There have also been enhancements to Google's anti-phishing defences.  

As mentioned, Safe Browsing now helps protect more than 3 billion devices from phishing. It hunts and flags malicious extensions in the Chrome Web Store, helps block malicious ads, helps power Google Play Protect, and others. And it continues to show millions of red warnings about websites it considers dangerous or insecure in multiple browsers—Chrome, Firefox, Safari—and across many different platforms, including iOS and Android.

Gmail Phishing protections now include showing a warning within Gmail's Android and iOS apps if a user clicks a link to a phishing site that's been flagged by Safe Browsing. New systems that detect suspicious email attachments and submit them for further inspection by Safe Browsing. This protects all Gmail users, including G Suite customers; updated machine learning models specifically identify pages that look like common log-in pages and messages that contain spear-phishing signals.

Also last week, ESET, launched Chrome Cleanup, a new scanner and cleaner for Google Chrome designed to help users browse the web safely and without interruption.  Chrome Cleanup will be available for all Google Chrome users running on Windows and will alert Google Chrome users to potential threats when it detects unwanted software. Chrome Cleanup is included in the latest version of Google Chrome.