Skip to main content

How do you protect an entity the size of Google? You think unconventionally, is how

ITProPortal is at the 27th annual Information Security Solutions Europe Conference (ISSE), one of Europe's largest gatherings of cyber security experts.

Stephen Somogyi of Google Safe Browsing gave an amazing keynote speech about how Google goes about protecting its billions of users around the world. Here are some of the highlights.

How do you protect an entity the size of Google? It's something we take for granted now that you have to think along unconventional tangents to do so. At Google we like to measure things a lot. We need to know how you behave. But we also need to see how things change over time.

When we think about risk, we need to think about proportionality. Given a shed, how would you protect it? Would you get a padlock, or an alarm system? The answer is, you have to know what's inside. If you have a lawnmower inside, a padlock might be enough. If you have gold bullion – apart from questioning your judgement – you might have to use a more advanced alarm system.

Using Google's safe browsing system, we protect twice the population of the EU every day. These are the scales we operate on, so every choice we make – even very small changes – have the potential to effect huge amounts of people very quickly. We also protect over 1 billion Android users, and our service protects a number of mobile systems.

Google Safe Browsing works in the same way as Google's indexing service, known as "crawlers", which search out the web page you want in our search – except it searches out badness. It seeks out malware. And we make all of our safe browsing data available available through an open API. We make that available to Firefox. So if you use Mozilla, you've probably used Google Safe Browsing today. If you use Safari, you're using Google Safe Browsing's data. Our users are global, and we have to act on a global scale.

But it's not about usability. If you look at the space shuttle endeavour, and its cockpit covered in buttons and dials, it's not the model of intuitive usability. And nor should it be. But there has to be a level at which your security is easy to use for the inexperienced. Otherwise people just turn it off.

I've met many security professionals who think that planning for resiliency is an admission of defeat. For us, it's just good engineering. We have to fail safe, because we will fail. We know this, because we have a good understanding of what it takes to get updates out into the world fast. We know that we can auto-update the vast proportion of our users in under 30 hours. You can't wait for a monthly patch cycle. The proliferation of vulnerabilities online is so fast, and so pervasive, that you just can't wait. We took a lot of heat at the outset for what was perceived as arrogance over that – people asked "why does Google know better than us when to update?" – but now automatic updating is an industry best practice.

I never thought I'd see people spray-painting the IP addresses of DNS servers onto walls, but that's exactly what happened when Turkey's government tried to block Twitter. People were trying to search for information, and those reliable systems allowed them to access it.

Five years ago, my colleagues were worried about rootkits and so on. Now criminals don't need to get malware onto your system if they can just convince you to hand over your data.

But you can't rely too much on your technical systems. There's a great story about a lottery company who sent out their fraud people after over a hundred people correctly guessed 5 out of 6 numbers on the lottery draw. And when they tracked these people down, they discovered that there was a fortune cookie company that had printed random numbers on some of their fortune cookie messages, and that of those 100 people, nearly all of them had simply played the number on the cookie. So make sure you always have humans inside your decision-making loop, because people do funny things. Sometimes they just play the numbers on the fortune cookie...

Follow all of ITProPortal's coverage of ISSE 2014, for all the latest in the world of cyber security.