A day after Microsoft (MSFT) confirmed it had been hacked by cybercrime group Lapsus$, Nvidia (NVDA) CEO Jensen Huang called his own company’s experience with hackers a “wake-up call.” “.
In an interview at Nvidia’s GTC conference, which runs from March 21-24, the CEO said the late February hack proved that the company needed to move to a “zero trust” security posture and that it had the technology to do so. “Zero trust” means that Nvidia will treat all employees as a potential security threat.
“It was a wake-up call for us,” Huang told Yahoo Finance. “Fortunately, we did not lose any customer information or sensitive information. They got access to the source code, which of course we don’t like, but nothing harmful to us.
Lapsus$ has also hacked Samsung, Microsoft and Okta in recent weeks. In the past, the organization has taken over user accounts on crypto exchanges and drained their funds. Hackers like Lapsus$ have taken advantage of remote working throughout the pandemic, making businesses more vulnerable to hacks.
Lapsus$ is not a traditional ransomware organization. Rather than limiting access to victims’ computers, this group extorts its victims by accessing their data and threatening to leak it online if they don’t pay, according to Microsoft’s Threat Intelligence Center.
In Nvidia’s case, Lapsus$ gained access to the source code and ordered it to remove limitations on its graphics cards which make them less useful to cryptominers, according to The Verge. He also wanted the company to make its graphics card drivers open source, which would have revealed its proprietary information. Otherwise, the group said it would self-disclose Nvidia’s proprietary data.
According to Microsoft, Lapsus$ gains access to victim systems using social engineering techniques. Essentially, the group tricks its victims into giving up their usernames and passwords, which the criminals then use to pry into an organization’s files.
While it’s unclear how Lapsus$ gained access to Nvidia’s servers, Huang pointed out that most cybersecurity threats come from inside an organization. Often, this comes in the form of an employee’s credentials, username and password being stolen or otherwise compromised.
“The thing is, the intrusion tends to be internal. It’s usually someone walking around your hallway, someone who has access to a good number of privileges,” Huang explained. “And so we need to be what’s called a zero-trust architecture company, and we’re accelerating our journey to get there.”
Zero Trust security basically means that an organization does not trust anyone to access its services, without usernames, passwords and multi-factor authentication. Once a user is verified, Zero Trust security procedures continually check whether that user is authorized to access other parts of a company’s systems.
Of course, there’s a lot more going on in the background that stops apps talking to each other and ensures users have the least amount of access they need. But from a worker’s point of view, that’s more or less the point.
“The path to a Zero Trust data center begins with the technologies we build,” Huang said.
“And so I have to build this technology faster, from Bluefield, the DPUs that provide security to the switch architectures that we have, the software stacks that we’re building, as well as this new AI framework we’re calling Morpheus to do comprehensive, real-time inspections of anomalies in your data center network.
Within Nvidia, Huang said employees are very aware of using multi-factor authentication, but, he said, it can get cumbersome.
“So now it’s happened to us, and the discipline around it, the rigor around it has exploded, which is fantastic. But in the long run, we have to allow our data center to be literally completely open , completely exposed and yet completely secure,” he said.
“So we really need to bring accelerated computing into the business…and we know how to do it. I just have to go do it.