Interview: Uber's CISO reveals lessons learned from breaches
Uber's chief information security officer John 'Four' Flynn has a career history that many technologists could only dream of. From security at Google to Facebook, and from Kenya to Central America and the US, Flynn has been well-grounded in the world's biggest tech companies.
For the last four years he has been working with Uber, and it's fair to say that after some high-profile data breach turmoil, the company knows exactly how important security is.
I spoke with Flynn ahead of his whirlwind visit to New Zealand last week. We discussed lessons from the 2016 breach; the concept of privacy by design, and why bug bounties are important to help shape the future of security.
In 2016 attackers stole personal information belonging to 57 million Uber users and drivers – but the information only went public in 2017. The company was fined US$148 million and was accused of paying the attackers off through its Bug Bounty program.
Flynn says Uber learned its lessons in two major areas: The technical side, as well as the cultural and governance side.
"One of the things that it's important to understand about the breaches that it took place in a third-party system: Amazon AWS infrastructure," he says.
Since then, Uber tightened its AWS security and took the time to learn different best practices. It learned from other companies who have also been stung by insecure 'security gotchas' like S3 buckets and other areas that attackers have exploited.
"We have a dedicated cloud security team, focusing on shoring up the weaknesses, and really focusing on hardening those environments. And it's been a major focus ever since."
In addition to security best practices, the company has implemented multifactor authentication for all employees and its AWS environment. Engineering teams that interact with that environment must also use expiring credentials, which means access only lasts as long as it needs to.
From a cultural and governance perspective, many things have changed as Uber went through major transitions as it evolved.
"We believe that security goes beyond risk management. It's about earning the trust of users who use our service every day. That's been part of our cultural transition that has had a profound effect on our approach," says Flynn.
In 2017 Dara Khosrowshahi took over as CEO.. The company has also appointed a chief legal officer, a chief compliance officer, as well as chief privacy officer Ruby Zefo. Zefo, who joined in 2018, works closely with Flynn and his team. Uber is taking the concept of privacy by design seriously
"I think a lot of companies are starting to realise that privacy by design is an important part of how they operate. Fundamentally, it's not just about complying with regulations, but rather a change in how people go about their business. We've actually done a tremendous amount in this regard, by building and privacy and security into the actual process of the way we build our products from the ground up," says Flynn.
As products are developed, Uber assesses the privacy and security implications of certain ideas. The build teams receive guidance to make sure they understand those implications.
For customers, Flynn says it's about providing choices about what they share with the company and what security mechanisms they use. He believes the best way to apply privacy by design is to empower users.
"For example, in New Zealand we've recently rolled out the ability for users to have two-factor authentication (2FA) on their accounts. It's another way of giving people more choices.
Flynn adds that there are some key takeaways for other IT security teams that are considering privacy by design as a concept.
"There's a new field called privacy engineering that Uber has invested in. When we talked to other companies, they really liked the idea. It's a model where you don't just have a close partnership with the legal team, but also the technical staff responsible for building and shipping products.
"It goes beyond just working with other teams at the company, but actually meeting them halfway, by building solutions and tools for them to build privacy into their products from the beginning. what I don't see a lot in the security space, is IT security teams showing up with solutions that are built for those teams to consume."
"For example with privacy, we can actually provide solutions and technologies that we've built and that we run. Teams can easily onboard their applications and their services on to help them be part of the security by design story. I think showing up with solutions with engineers is a really important part of the modern IT security team.
External security researchers are also an important part of ironing out bugs and vulnerabilities in Uber's products.
The company's Bug Bounty program, which launched in 2015, has paid out US$1.7 million to researchers – but it hasn't been without its share of controversy. Uber allegedly used its Bug Bounty funds to pay out those behind the 2016 breach.
The company has revamped its Bug Bounty programme to be more transparent and to protect itself from things such as extortion – but interestingly, there's not too much to explain how Uber itself uses those funds.
"I'm a big believer in bug bounties as a larger component of the security model. Specifically, our Bug Bounty program has had engagement from many countries, including New Zealand. There's tremendous cybersecurity talent in New Zealand and we're always looking for more folks to come online to be part of the program," says Flynn.
With the cybersecurity skills shortage taking a toll on organisations, Flynn says that Neew Zealand has a strong cybersecurity talent base. He adds that it's important to bring new recruits into the field – one of the major issues is finding that talent.
"I know New Zealand can play a major role. Because of the level of education and the talent base, it's already there. I think it would be great to double down on that and bring more people into the field."
Speaking further about the Bug Bounty program, Flynn says it's designed for good actors who want to make internet security better.
"It's important to make sure to be clear about what appropriate behaviour looks like. We've also brought more internal people on board to manage the program and help it scale," he explains.
"We also focus on making sure we have all internal eyes on the program. My team runs the program, but we collaborate with the privacy team and others. We would look at the submissions, as we triage them and analyse them.
Uber's Bug Bounty program has a broad scope and it also fits in with the company's internal secure software development lifecycle.
"As a team starts thinking about building their design, they write that in a design document. We review that on the security side for any tips, or ideas that we might have about how to how to use some of the technologies that we build better, to better ensure security for their service.
"But as those things go into production, in a modern software, company, changes are made to those systems constantly, all the time. It's not like the old days where systems builds take six months, and then you launch it, it's actually constantly being iterated on," Flynn says.
"In a modern world it's important that we put automation in as these changes are being made to look for any signs of security issues that might crop up in the in the process of updating those systems."
"A Bug Bounty is a really important part of the lifecycle, because things that we found, using external researchers, as supporting us can actually be encoded in our automation systems. So we can actually learn from those things that we've seen in the past, and actually directly apply those into our systems internally.
"We can also make sure that before going forward and if those problems come up again, we can actually flag those for review before those things go live outside the company or a launched as a product.
The Bug Bounty program and automation helps continuous integration and deployment in the CICD pipeline, particularly as it's a virtual cycle of being able to understand the vulnerabilities, catch ones that Uber may have missed, and then find solutions to make sure the problems don't come up again in system builds. Hour by hour, day by day, it's all part of the larger ecosystem.