In an interview during Nvidia’s GTC Conference, which runs from March 21 to March 24, the CEO said the late February hack proved the company needs to move to a “zero trust” security posture and that it has the technology to do it. “Zero trust” means Nvidia will treat all employees as a potential security threat.
“It was a wake-up call for us,” Huang told Yahoo Finance. “Fortunately, we didn’t lose any customer information and any sensitive information. They got access to source code, which of course we don’t like, but nothing that is harmful to us.”
Lapsus$ has also hacked Samsung, Microsoft, and Okta in recent weeks. In the past, the organization has taken over user accounts at crypto exchanges and drained their funds. Hackers like Lapsus$ have taken advantage of remote work throughout the pandemic, which made businesses more vulnerable to hacks.
Lapsus$ isn’t a traditional ransomware organization. Rather than limiting access to victims’ computers, this group extorts its victims by gaining access to their data and threatening to leak it online if they don’t pay up, according to Microsoft’s Threat Intelligence Center.
In Nvidia’s case, Lapsus$ gained access to source code and ordered the company to remove limitations on its graphics cards that make them less useful to cryptominers, according to The Verge. It also wanted the company to make its graphics card drivers open source, which would have revealed its proprietary information. If not, the group said it would leak Nvidia’s proprietary data on its own.
According to Microsoft, Lapsus$ gains access to victims’ systems using social engineering techniques. Essentially, the group tricks its victims into giving up their usernames and passwords, which the criminals then use to root around in an organization’s files.
While it’s unclear how Lapsus$ gained access to Nvidia’s servers, Huang stressed that most cybersecurity threats come from within an organization. Often that comes in the form of an employee’s credentials, their username and password, being stolen or otherwise compromised.
“The fact of the matter is the intrusion tends to be internal. It tends to be somebody wandering around your hallway, somebody who has access to a fair amount of privileges,” Huang explained. “And so we need to be what is called a zero trust architecture company, and we’re accelerating our path to do that.”
Zero trust security essentially means an organization doesn’t trust anyone to gain access to its services without usernames, passwords, and multi-factor authentication. Once a user is verified, zero trust security procedures continuously check to determine if that user is authorized to access any other parts of a company’s systems.
Of course, there’s far more going on in the background that limits apps from talking to each other and ensures users have the least amount of access they need. But from a worker’s perspective, that’s more or less the gist of it.
“The path to a zero trust data center starts with the technologies that we’re building,” Huang said.
“And so I’ve got to go build that technology faster, all the way from Bluefield, the DPUs that does security to the switching architectures that we have, the software stacks that we’re creating, as well as this new AI framework, we call Morpheus to do real-time exhaustive inspections of anomalies on the network in your data center.”
Inside Nvidia, Huang said employees are hyper aware of using multi-factor authentication, but, he said, that can become burdensome.
“So now, this has happened to us, and the discipline around it, the rigor around it has gone through the roof, which is fantastic. But long term, we have to make it possible for our data center to literally be completely wide open, completely exposed, and yet be completely secure,” he said.
“And so we have to really bring accelerated computing into the enterprise…and we know how to do that. I’ve just got to go do it.”