Grubhub Interview: Modern Attack Techniques Against Web Authentication Infrastructure

Aditya Balapure

Aditya Balapure
Team Lead, Information Security, Grubhub

Aditya Balapure

Aditya Balapure
Team Lead, Information Security, Grubhub

Prior to Security of Things World USA, we.CONECT spoke with speaker Aditya Balapure, Team Lead, Information Security at Grubhub. Aditya is building and managing Information Security Teams for securing and breaking systems.

we.CONECT: How big a problem will a lack of security with IoT devices be?

Aditya: In today’s world, most technology devices created are fully connected in order to enhance user experience and unleash the power of the world wide web; however, with that security can be challenging to achieve. Most device manufacturers focus on engagement, user experience, and product features, security oftentimes comes at an additional cost. As an industry we are moving closer to enablement of technology and automation, and IoT plays a key role in that space whether it comes to automotive, home, office etc.

Lack of security with IoT devices could potentially be a big problem as people develop a growing concern towards how companies handle data privacy and security overall. The last few years have been really important from a consumer standpoint where more and more privacy issues and data breaches have come to light, impacting public image of companies and their financial numbers. In 2018 alone, a number of issues came across home automation solutions where devices allowed unauthorized data sharing, ultimately revealing private conversations and granular location data. As you can imagine, this is a huge issue among consumers. More cryptocurrency malware and exploits are also being targeted towards IoT devices since user detection on these is difficult and can be armed to attack in distributed denial of service scenario or for profit. This is just the beginning and as user dependency on these IoT devices increases, so will the risk and various attack vectors.

we.CONECT: Which security measures do you see as being the most important for the next wave of IoT implementation?

Aditya: The three pillars of a successful security strategy have always been People, Process, and Technology, whether it be the super computers or IoT devices. It’s imperative that device manufacturing and development companies start with the basics and integrate security as a value proposition in their product development. While it does come at an additional cost, if you take into consideration the overall impact that comes with the lack of security – financial, regulatory hearings, fines, you name it – it’s worth it. In the end, it’s a much easier financial win for the team to do things the right way from the start rather than to reactively handle should something go wrong.

Additionally, education and awareness on password best practices and patching is very important. Best way to get this done: by simply embedding these best practices from the device setup stages. Based on metrics, it’s been found that a few of the most common ways IoT devices are hacked is due to weak passwords and unpatched firmware – essentially what is taught in the basic security 101 class. Companies need to improve the process, making it compulsory to set strong passwords on initial device setup and make sure default credentials are no longer enabled. Additionally, there needs to be a proper channel of update/patching the firmware, a good timeframe for that could be when user interaction is least (since the device usually has activity data).

Universal device identity, encryption in transit, and possible identity revocation during exposure could be incredibly valuable to the overall security. Improving privacy policies and making it more transparent and understandable for a normal user, clearly identifying data sharing and collection, can be an impactful step. Along with better technology, companies need to think of defence in-depth strategies to enhance and improve the overall maturity of their product.

we.CONECT: What change would you like to see when it comes to implementing IoT security?

Aditya: I personally feel it’s all about the mindset – companies need to start thinking about security not as a special feature or an additional cost, but an ingrained part of product development. Teams should be staffed with security specialists, and product managers need to work with them from the requirements-gathering, design, development phases for end-to-end product development and testing.

we.CONECT: How can organisations develop a security mind-set within their companies?

Aditya: Most importantly, developing a security mindset within companies should start with their employees by building a security culture and overall awareness among each team. This includes employee trainings, sharing of publicly available of data on incidents, and overall impact of those incidents for users is all helpful for an organization to help employees understand the importance of security in the overall product lifecycle.

we.CONECT: What role do standards play in managing IoT Security?

Aditya: Standards will always play a major role in setting a baseline of what is considered an acceptable best practice in order to manage security on IoT devices. An important point to keep in mind is how these best practices are consumed. Oftentimes, difficult to understand and complex standards are hard to maintain and do not clearly help users understand how much needs to be done – and why. I also often see that standards are way too broad without any implementation guidelines or examples to actually support those, which makes implementation and enforcement even harder.

we.CONECT: Who should be responsible for providing IoT Security?

Aditya: As mentioned before, security must be considered as an integral part of product development from the beginning, hence everyone involved in that process is ultimately responsible. From a leadership standpoint, yes the business owns the risk, but it eventually trickles down to everyone doing their part to create a secure end-product for the customer.

we.CONECT: You’ll be speaking at Security of Things World USA in San Diego about modern attack techniques against web authentication infrastructure. Please can you give us an idea of what delegates will take away from the session?

Aditya: It’s exciting to have the opportunity to speak this year at Security of Things World in San Diego! Those attending the talk will ideally take away thoughts and learnings on new modern authentication attack techniques prevalent on web infrastructure. I personally plan on talking through hackers and how they’ve been utilizing data breaches for fun and profit, how attack techniques have changed from the more traditional ones to a multi-layered approach, and how IoT devices play a role in targeting web authentication.

we.CONECT: What expectations do you have regarding the Security of Things World USA event in San Diego? Which outcomes and benefits do you expect to gain from the exchange with the participants?

Aditya: I am looking forward to the event and a great lineup of talks from the experts in the information security industry. It’s going to be interesting to discuss and converse with the leading global experts on new challenges for the IoT industry in each of the sectors, and what they see as challenges to overcome should we foresee a world of different connected vendor devices.

we.CONECT: Which burning questions would you like to discuss within the Security of Things World community?

Aditya: I’m looking forward to connecting with other industry experts on their thoughts and opinions on current IoT security standards and the disconnect from an implementation standpoint. As an industry we seem to be progressing very fast in pushing newer products that both enrich the user experience and connect the world, but we need to figure out what strategies we can build to market security as a product offering in this hyper growth. I’m also curious to understand what steps are being taken by regulatory bodies and government organizations to track security lapses across device manufactures to prevent risk to sensitive user data.

we.CONECT: Time for some shout outs! What did you read recently that would interest other like-minded people? Have you seen/heard any inspirational speakers recently? Who is an IoT Security guru or inspiration in your eyes?

Aditya: I recently read an article from the INSEAD Business School on “Data Security for the Internet of Things” and found the article really inspiring to project the next wave of IoT transformations. We are going to see more machine to machine (M2M) transactions/communications in the future, so how can we scale and grow this network? At a conceptual level this sounds more interesting when you look at when machines are going to transact with each other for the human and also on behalf of the human (without any supervision). Security, privacy and integrity are going to be the utmost challenges on how that part of the future shapes up.

I also came across a great panel discussion few days back by the MiT Enterprise Forum of Cambridge on “The Future of IoT is Now, Can IoT Security Catch Up?” which discussed some of the challenges on the future of IoT and what mechanisms to secure user data and privacy are out there. When it comes to IoT “Security Gurus,” I would say the entire information security community, which includes both industry and research facilities, are putting in some great collective efforts to improve overall IoT security and strategy. We have some fantastic strides being made by multiple working groups and foundations on this very initiative, and I’m excited to connect with everyone at the event to learn more!

we.CONECT: Thank you very much for participating in this interview.
Previous ArticleNext Article