Interview with Lachlan Turner, Principal Consultant and Founder, Ark Infosec Labs Inc.

About Lachlan Turner

Lachlan Turner has been working in the field of cybersecurity for 14 years. He is the founder of Ark Infosec Labs, a cybersecurity consulting firm that specializes in helping vendors achieve Common Criteria (ISO15408) and FIPS140-2 (ISO19790) certification for their products. He is also a management board member of the Common Criteria User Forum.

Mr. Turner first gravitated toward information security as part of Australia’s cyber intelligence agency, the Australian Signals Directorate (ASD). He helped form a security startup called Stratsec, which provided various cybersecurity services primarily to the Australian Government. In 2009 he moved to Canada, where he became the Technical Director of Computer Sciences Corporation’s (CSC) cybersecurity labs. From there, he launched Ark Infosec Labs with the goal of advancing cybersecurity so that all people can safely enjoy the benefits of technology. He earned a Bachelor of Information Systems from Australian Catholic University, and holds Certified Information Systems Security Professional (CISSP) and Certified in Risk and Information Systems Control (CRISC) certifications.

Interview Questions

[] Your path to a career in cybersecurity began with the Australian Department of Defense, or what is essentially Australia’s NSA, and then you moved into the private sector. What drew you toward cybersecurity, and what about it as a career choice has kept you engaged for a decade and a half?

[Mr. Turner] In Australia we have what is called “work experience,” where, as a high school student, you get to work at a job for two weeks. I chose to work as a plainclothes security officer, taking bags of cash from one place to another. When I was a bit older I started studies to become a police officer and during this time I discovered a passion for technology. So, I enrolled in university, and for my final year project I wrote a paper about IT security. I seemed to just have this thread of security interest that married with a passion for technology.

Now, with every year that passes, cybersecurity becomes more critical, as our businesses and lives move increasingly online. I think this has kept me engaged over the years – the fact that it is an emerging industry. Even the term cybersecurity is new. To be honest, I didn’t really enjoy security evaluation work when I started – it’s quite tedious and more documentation focused than you would think. After a while you get good at something, though, and then you actually enjoy it and start to see the benefit of your work. I’ve found that I enjoy the relationships formed with customers, and the times when you discover a security vulnerability that is subsequently addressed in the product. For me, I see what I do as critical to a secure online society.

[] While the impact of a cyber attack varies by the nature of the target, to what extent do cybersecurity concerns and measures differ across industries and organizations? In other words, the potential fallout from a compromise in a military network may be more ominous than a systems breach in a retail chain like Target, but are the preventative measures and cyber defense protocols fairly similar or quite different?

[Mr. Turner] Great question. Nowadays, if you are on the Internet you are a target. And, in reality, everything is connected, whether by a network cable or a USB stick. So, everybody is a target, just like every house in the neighborhood is a target for burglars. Which house does the burglar choose? The easiest one to get into, unless there is something of particular interest to the crooks, in which case they may go to extreme measures to get in.

In terms of cyber defense, as with physical security, there is a spectrum of controls that may be employed, depending on the nature of what is to be protected. The controls themselves are quite similar across industries and organizations. The difference is the amount of resource and human capital employed and the level of compliance oversight applied. While there are new technologies and attacks coming out all the time — and these are an important factor — the fundamentals of good security, and just plain old good IT management, remain fairly constant. You need to know what you have deployed, in terms of inventory. You need to keep your systems up to date, which is essentially patch management. You have to prioritize and minimize privileged access to vital systems. And, you need to layer your controls in order to create depth in your defenses.

The work I do at Ark Infosec involves evaluating and verifying the security and cryptographic components of IT products, which helps to open government markets to the vendors.

[] Do government agencies typically require that products meet the Common Criteria Evaluation and Validation Scheme standards that you specialize in? And, are you working for those government agencies or for the vendors?

[Mr. Turner] Yes, some governments specify Common Criteria (CC) certification as a pre-requisite for procurement of security enabled products. In this scenario, I assist the vendor to achieve certification, so the vendor is my client. Although compliance can to some extent set the market standard, vendor innovation moves a lot faster than government compliance standards, so we can end up with security technologies and features that are beneficial but that are not really addressed/required by government compliance. In other areas, government compliance is a very good thing: for example, the U.S. Government has been placing a lot of emphasis on entropy sources, which is a critical component for cryptography that a lot of vendors can get wrong.

[] A standard like the CC is likely to be inherently bureaucratic in nature, and complex, but what are its primary components?

[Mr. Turner] The CC is an international standard (ISO/IEC 15408) for evaluating the security properties of IT products and systems. It defines a framework for the oversight of evaluations, syntax for specifying the security requirements to be met, and a methodology for evaluating those requirements. The CC is used by governments and other organizations around the world to assess the security of information technology products. As I mentioned, it is often specified as a pre-requisite to procurement. Governments often publish Protection Profiles that specify the security requirements to be met for a specific technology type.

So, a typical CC evaluation will look at product specification and design, aspects of the development environment, product delivery procedures, user and administrator guidance, and culminate in functional and penetration testing — basically white-hat hacking. It involves verifying the security and cryptographic components of IT products, which ensures their safety and helps to open government markets to the vendors.

[] Do you see these cryptographic components as being separate from other security measures, or are they part of an overall cyber defense strategy?

[Mr. Turner] Crypto is actually a part of our daily lives without us even realizing it. Chip-enabled credit cards, smart phones, garage openers, fobs, copy machines, web browsers (the list goes on) — they all contain crypto modules that underpin the security of transactions and communications. Crypto is also a critical part of an organization’s cyber defenses. In fact, the very technologies that make up our cyber defenses likely all contain cryptographic functions.

At the most basic level, we can say there are two types of crypto as it relates to a cyber defense strategy: Primary crypto is a control in and of itself — think file encryption, VPNs or Public Key Infrastructure. Secondary crypto plays a supporting role in other IT functions — think remote admin interfaces protected by SSH or TLS, or the password hash function of an operating system. People will often think of primary crypto and forget about secondary crypto, but both are important and should be addressed as part of any cyber defense strategy.

Depending on what the crypto is being used for, governments will typically require that certain algorithms and key lengths are available in the products that they procure. In addition, most government agencies will have a validation program, such as the joint US & Canadian Cryptographic Module Validation Program (CMVP)/FIPS140-2 to validate the implementation of a cryptographic module.

[] You’ve talked about the importance of security being built in at the design and development level of new systems and applications as they come online. At the same time, a lot of the day-to-day work in cybersecurity involves maintaining, patching, and diagnosing weaknesses in existing infrastructure. Which do you see as the bigger challenge?

[Mr. Turner] The bigger challenge I would say is building secure systems from the start. This is really hard because the basic building blocks and methodologies that we have today are not themselves inherently secure. To move towards something better we have to address security challenges at every layer of technology, starting with hardware and working up through the protocol stack and into applications. This will take a long time and will require some very bright minds to be applied to the problem. Cybersecurity related research is critical in this respect and academia has a very important role to play here. We will be playing security whack-a-mole for quite some time yet though, so courses for students regarding security architecture, secure network administration, and secure coding practices would be a great start.

[] Even the most secure systems can be compromised if the people using them don’t take the necessary precautions. How do you address that vulnerability in your own work? And, how should experts in the field of cybersecurity work broadly to mitigate this problem in large organizations, as well as in smaller and mid-size companies?

[Mr. Turner] This is probably the single biggest factor in cybersecurity intrusions today for individuals and businesses of all sizes. At the moment email phishing, where a user is tricked into clicking a link in an email, is the attack vector of choice for most malware. The emails can look very convincing and can even appear to come from someone we know. As with security in general, defense-in-depth is key.

A good defense-in-depth strategy includes several basic components. User education is important. People need to know not to click links in emails, not to insert that USB key you found or were given into your computers, and they should alert the IT department if they see anything that looks suspicious. Spam filters are also important, as is antivirus software and a good firewall. There are free options, like Sophos and Windows Defender. And antivirus/firewall protection is important for mobile devices as well. Finally, it’s crucial to keep a daily backup that is stored separately from the main network, otherwise ransomware can encrypt your backups. There are other controls but these are the basics. I apply these to my environment.

A great example of defense-in-depth and the use of crypto would be the LinkedIn hack that saw hackers steal the hashed passwords of millions of users. Unfortunately, LinkedIn did not “salt” the hashes, making it a lot easier for hackers to rapidly try passwords against the hash values. A hash is a one-way cryptographic operation that will turn a variable string into a fixed length garbled string, but given the same input value the same output value will be generated, unless a “salt” is introduced. I’m sure that LinkedIn had employed many defensive layers, but had they added just one more layer — the “salt” — the impact of the same hack would have been greatly reduced.

[] Given the arms race nature of cyber crime, and the speed at which digital technology is evolving and spreading, are cybersecurity professionals just going to have to accept a certain amount of chaos and insecurity as the norm? With that in mind, what are some of the best ways for experts in the field to stay up to date with new regulations, new attack strategies, and new technologies?

[Mr. Turner] In short – yes – this is the norm. It’s pretty much impossible to stay abreast of every new attack in every technology area; however, there are constants and similarities. For example, cyber-attacks generally always follow a set pattern or “kill chain,” to use an industry buzz word. It is useful to understand this fact when learning about a new vulnerability or exploit. To keep somewhat current, I subscribe to multiple newsletters, Twitter feeds and security blogs, including Brian Krebs’, Schneier on Security, and the SANS Institute newsletters. If something piques my interest, I’ll dig deeper. I also attend conferences and participate in online forums, particularly with respect to security standards like Common Criteria and FIPS140-2.