Citrix Synergy 2019: Citrix clings to silver linings following data breach disaster

password on posit note

For a company that has always put security front-and-centre at its annual Synergy conferences, virtualisation firm Citrix is surely still feeling the sting from the disastrous data breach it disclosed earlier this year.

Hackers made away with 6TB of sensitive data, predominately corporate documentation, after infiltrating the company's internal networks and sticking around for several months before the company caught wind. But the truth is the incident could have been so much worse.

Thankfully, as far as Citrix is concerned, the suspected foreign attackers had no access to Citrix product or customer data, and no access to credential stores.

But that the breach was limited to corporate files hardly dampens its significance and business impact, and for those directly involved in the investigation and rectification, including Citrix's chief digital risk officer Peter Lefkowitz, the news came as a shock.

"I think any incident would shake anybody," he told IT Pro, adding: "There is nobody more focussed on security than a company that has had an incident, and we are using it as an opportunity."

Lefkowitz, who is determined to stay positive about the data breach, is mainly involved in the company's regulatory and compliance side, particularly with regards to legislation such as the EU's General Data Protection Regulation (GDPR). But he also played a key role in managing the aftermath of the data breach, in partnership with the chief security officer, and senior members of staff in cloud operations who deal with security.

The senior Citrix member even wrote to the United States' Attorney General earlier this month to disclose more details around the hack as well as communicate the causes to potential victims. Among the effects were sensitive files being removed from the company's system, including employee data and in some cases data on their financial dependents.

"Certainly the incident that happened, if anything, made us more focused on the topic, and made us look even deeper at everything that we do," he continued.

However, there was no mention of the incident during its main keynote address on the first day of its Synergy conference. Until we were able to put such questions to Lefkowitz, the company appeared reticent to go over old ground, preferring instead to remind visitors that investigations were still ongoing, and that all the information that it could release, had been shared.

Indeed, a day before Synergy kicked off, the company released another update via its blog, which was similarly light on detail. However, the post did reveal that cyber criminals, who are still suspected to have been international, had gained access to the company's internal network through a technique known as 'password spraying'.

This tactic exploits weak and commonly-used passwords to gain access to any one of a large number of user accounts in a guarded system. Criminals that lingered in Citrix's networks for an estimated six months were found to have exploited the company's weak internal password management regime.

For Lefkowitz, he envisages Citrix eventually moving beyond traditional password security, chiming with Microsoft's longstanding ambitions to eradicate the password entirely, as has been proposed vehemently in the past couple of years.

"I think this is going to be an area of really important evolution and an area of experimentation," he continued. "We'd love to get to a place where we don't have to rely on passwords.

"But until we get there, we're going to have to take a layered approach. We're going to have to do passwords and checking for weak passwords, and checking for burnt passwords, and multi-factor, various sorts of multifactor, logging and monitoring, and controls on the inside."

Since then the company has performed a mass-password reset among employees and has improved internal password management, according to its pre-conference blog. Lefkowitz says this includes pushing hard on multifactor authentication (MFA) - something we were surprised to learn wasn't already in place - which the company is "intently focused on", and encouraging its customers too to adopt this as quickly as they can.

But above all, the chief digital risk officer was keen to cling to the positives of experiencing the sort of incident that no company should hope to go through; namely, there is now a far greater awareness among staff and executives of potential cyber threats.

"We feel quite good coming out of that," he added. "Looking at the core security functions that surround our cloud, we were more vigilant, and following the incident, even more vigilant about looking at all of our practices, and examining all of our practices.

"Every single executive, and every single employee at Citrix, probably thinks more about these core, fundamental issues than they did three months ago. And that's a good thing."

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.