A Perspective in CybersecurityA chat with Daniel Correa
Daniel is a highly skilled security professional. His insights about the
current cybersecurity landscape complements previous perspectives on our
blog. Daniel has a bachelor’s degree in Computer Science and holds
qualifications such as
OSWE. He recently finished
We started this conversation by discussing the main threats companies face these days.
Figure 1. Splash screen of the payload of the original version of Petya
What are the leading cybersecurity threats organizations currently face?
- You get to hear that newer threats are based on machine learning
ML) and artificial intelligence (
AI), but I disagree. I don’t think this is feasible for now. Most of those
ML-based threats seem just marketing to me. A
MLapproach is viable for defense: there is 'big data' on network (traffic) and user behavior, required to train smart decision algorithms to prevent incidents.
- Current threats aren’t that different from those we have known for years. Organizations are focusing on containing malware. Perhaps, two newer variants are worth mentioning: malware that instantly wipes data and criptojacking.
- Common ransomware looks to encrypt data, so that crooks can ask for money. In the wiper malware, organizations face data availability issues. With the wiper, attackers want to inflict damage right away.
Is wiper worse than other types of malware?
- Not necessarily. It depends on the data and the backup policies in place. As with ransomware, if data is fully backed-up elsewhere, there’s no damage. If it’s not, there might be trouble. The consequences are usually reputational, and sometimes those are worse than financial. An example of the wiper is the NotPetya, which caused significant trouble to Maersk, the Danish shipping company.
Fluid Attacks, we blend automation with the best talent in hacking
to find weaknesses in our customer’s systems by means of our
Continuous and One-shot
Hacking services. As Daniel says,
hacking skills are still not replaceable by machines.
And the other variant?
- Cryptojacking. Capturing machines, so third party resources are devoted to mine cryptocurrencies.
What is your opinion of cryptocurrencies?
- I believe all financial transactions will be made over blockchain or similar technologies sometime in the future. Some big players and central banks are doing research and testing with digital currencies. They might find an innovative way to make it work with current systems. Although I would say this is difficult without undermining one of the premises by which bitcoin was proposed back in 2008: decentralization.
What are other threats still out there causing troubles to organizations and people?
- Phishing. It still makes it to the
ML-based recognition on email providers, browsers extensions, and endpoint software protections against this threat, nothing reduces to a great deal the odds of falling to well crafted phishing communications. Human psychology at play.
- Other relevant threats are those coming from the supply-chain,
often overlooked. All the hardware, a significant proportion of
software, and many specific software developments aren’t
proprietary. So, what’s 'inside' is up to suppliers. Let’s say you
have a data center with hundreds of servers. Nobody has checked the
suppliers' proprietary chips for malware because nobody does that.
What do these chips have? Who knows! In practice, it’s entirely
possible to program something to be activated in the future that
causes a harsh incident, or a spectacular hack. And it has happened.
See, for example, Meltdown and
Spectre. See how a telecom company
found backdoors in home
Rate is high: a study found that
59%of companies surveyed had a Third-Party Data Breach. And you can keep going: a supplier has at the same time more suppliers, and those other suppliers too. The supply-chain is revealing itself very critical. Think of
IoTdevices in this same line of thought: those deploying these devices face complex threats.
Figure 2. CVSS Severity Distribution Over Time. Source: NIST
- Application and infrastructure weaknesses will always be major threats. As time passes, more and more vulnerabilities are found. All that’s man-made is prone to error. We produce chips, create software, deploy infrastructure, design security policies. Could antivirus software have software weaknesses? Hell yeah, there are plenty of examples. It even goes into making it possible for an attacker to gain administrative control through the faulty antivirus by leveraging on its privileges.
What do you think are the primarily blind spots when managing cybersecurity?
- I like an analogy: cybersecurity works as a 4-piston engine — people, processes, technology, and management. Pistons must be synchronized, lubricated, going at the same speed, among others, for the engine to work correctly. You can have the best technology, systematic processes, and proper management. But, if people fail, the whole cybersecurity endeavor fails. People are the piston that fails the most. That’s why, I believe, we see so many incidents and frauds. People keep clicking malicious links; people still give information away they should not. Small actions are all attackers need.
Do you think the problem is that people fall into those attacks?
- Not only on those, but people also fall for other untargeted attacks. We invest in high technology; we streamline processes; managers are conscious and attentive to cybersecurity. But it takes only one person to open a breach. Perhaps, we should do more on awareness.
Are awareness programs the solution?
- I’m in favor of awareness programs. Nonetheless, it’s not enough to focus on employees only. I think we have to start educating at an early age about risks in the information, digital, and technology domains. As the idiom says, you can’t teach an old dog new tricks.
What about a more interactive approach where people could face a threat more realistically?
- A must. In the NIST Cybersecurity Framework, this is recommended. Some day I gave a one-hour talk. I described risks and how we can prevent them. I showed people websites where they could check if their emails have been compromised in well-known incidents. People liked it and were engaged. Afterward, we ran a simulation where people could fall for a real attack. They didn’t know. A non-negligible proportion of attendees, many of them security professionals just fell. Just telling people what to do or not, is far from enough.
- But, when people face and feel the downsides of risks, they learn; they increase their awareness; they really pay attention to their behaviors and change accordingly. People react after their security is broken, provided that the hole brings palpable consequences.
Figure 3. Cyber warfare specialists. June 3, 2017. Air Force photo by J.M. Eddins Jr.
How can organizations do better in their pen-testing?
- I would recommend two things: focus on testing
ITassets where an incident can endanger operations and the corporate mission. But here’s where this suggestion makes real sense: identifying those assets is no easy task. Not all organizations have this clear. Companies should devote time and effort to clarify business priorities and failure points in
- Second, use a red teaming approach. Diversity of perspective adds value. One or two security analysts —a typical setting— could do a good job, but a more diverse approach to attacking could mean exceptional performance.
We’re grateful to Daniel for this conversation. We hope you have enjoyed this post, and we look forward to hearing from you. Do get in touch with us!