CSE: You are known as one of the few cybersecurity experts who have access to the entire Microsoft Windows source code. In your view, can a better understanding of computer operating systems contribute to our IT security?
Paula Januszkiewicz (PJ): First of all, there are many effective and reliable hack attacks that almost always work. Attack techniques like ‘Pass-The-Hash’, Spoofing or SMB Relay are still examples of awesome tactics that allow an attacker or penetration tester to get into a target organization. New devices, new risks, and new threats are appearing every day. Nevertheless, knowing the basics helps to develop a better understanding of operating systems, which makes it easier to recognize new unintended actions. Good cyber security experts can predict negative consequences, and prevent consumers from fully welcoming connected devices into their homes and lifestyles, for example. On the other hand, emerging threats also mean that new solutions are developed, and finding a concrete solution is certainly a challenge – but it is not impossible!
CSE: Do you see opportunities that better protect enterprise systems by embedding greater software security into standard business applications?
PJ: The more employees there are, the harder it is to ensure cyber safety. But the truth is that cybersecurity is not a problem for users – it’s a problem for IT departments. So, the first and essential step in an enterprise security strategy is to include security controls in the Software Development Life Cycle [a process for planning, creating, testing and deploying an information system]. To reduce the risk of a successful application attack, security aspects should be included in every phase of the SDLC. The architecture should be done with great attention to detail. The sooner security experts are involved in the process of application development, and the sooner security vulnerabilities are found, the lower the costs of application changes become. What’s more, even if you create a perfect security system, you still have to manage the human factor. Companies need precise processes for code review and employee training.
CSE: Cyber attacks sometimes betray the ‘signature’ of the cyber attacker and maybe reveal insights into their future approach. Sometimes they repeat the same techniques, the same approaches, time and again – especially if they have proved successful before. Are we now getting better at anticipating hackers’ future orientation – and at planning our security strategies accordingly?
PJ: OK, so this is what happens: a cyber attacker gets into your infrastructure and, using a server misconfiguration, creates an account by himself and… And what? This is the moment that we wonder if we could prevent this action from happening, and trace back a hacker’s activities in our systems. Luckily [with digital systems], nothing can be completely hidden. In order to anticipate hackers’ future orientation, and to get ahead of a hacker [in the] cybersecurity race, we should be constantly carrying out research to find all vulnerabilities before they are found by someone wearing a ‘black hat’. It is extremely important to focus not only on the present but also on the cybersecurity future. It is simply not possible to secure the infrastructure with outdated knowledge about the potential attack vectors. With every new tool or solution, we are getting better and better.
CSE: Having a more accurate insight into the nature of the threats an organization faces can prove useful in organizational defenses. How can organizations extend the scope of their threat intelligence to gain a better knowledge of who is actually targeting them in cyber attacks?
PJ: The most important notes from most contemporary surveys are that cyber criminals’ targets are now bigger, and their rewards for obtaining significant data greater, than in years before. The simplest answer is that you should be aware of who can get the most from stolen data. While new technology and solutions can help Chief Information Security Officers make better decisions for an organization faster, nothing is more essential than having a second pair of eyes. To be precise, in order to gain knowledge about potential attackers, organizations may use specialized techniques known as OSINT (Open Source Intelligence) and SOCMINT (Social Media Intelligence). These solutions provide information from both publicly available sources (media, public government data, reports, CERT publications) and social media, including Facebook comments, Twitter tweets, technical forums, chats, and even forums out there on the ‘dark web’.
CSE: Uptake of enterprise penetration testing has increased, and this has helped organizations understand that hackers can succeed because they find unfixed vulnerabilities, and not just necessarily because they are now technologically ingenious. Does top management in some organizations still view pen-test programmes as a ‘nice to have’, but not essential, part of cybersecurity?
PJ: Unfortunately, there are still people who do not consider penetration tests a crucial element of reducing cybersecurity risk. Luckily, it is changing over time. To make penetration tests more compelling, we often provide our potential clients with samples of our reports. In many cases, they understate the value of penetration tests – simply because they are not aware of all the benefits connected with them. Penetration testing is not only about finding the vulnerabilities. Our reports always contain deep technical descriptions and appropriate recommendations on how to mitigate them.
CSE: Does CQURE find that top management (i.e., board/c-suite-level executives) now have – or look to have – more proactive input into their organizations’ cybersecurity posture than they used to? And if that is the case, what are the factors you see as driving that shift?
PJ: The protection of information and corporate resources is an essential element of business strategy, and represents a competitive advantage in today’s economy, given the real threat of local and global incidents. These include major challenges such as industrial espionage, cyber terrorism, cyber crime, and the illegal trade of electronic data. Appropriate procedures for access to information and data protection, IT systems and infrastructure are becoming a key area of concern (for organizations of all sizes), ranging from small-to-medium sized businesses to enterprise-level companies. Organizations’ approach should be driven by potential losses of both money and trust.
The interview is taken from: https://www.cseurope.info/it-sa-2018-keynote-speaker-interview-paula-januszkiewicz-cqure/