Gideon Lenkey, Director of Technology and co-founder of Epsco Ra Security Systems, gives an interesting outlook on the way human beings perceive potential online threats and how they react to them.
He highlights the important role of individual behaviour on personal and business devices, continuous training, internal policies, penetration testing, and having an incident response plan in place for when a breach occurs.
Muriel: “Why do we often hear that Antivirus and Firewall are no longer enough on their own to protect organisations and individuals from potential cyber-attacks?”
Gideon Lenkey: “Well, because it's entirely true! Think about all of the reported hacks you read about in the mainstream and trade news. Most if not all were using some sort of firewall and AVS products. The problem is firewalls and AVS are just tools; they don't really do much on their own, and especially not when they're deployed in a default configuration. I would say on average the attackers know more about these products than the people who use them do. Think of it this way: would you buy a box of tools, set it in your garage next to your car and expect the car to be repaired the next morning? That pretty much sums up the vast majority of IT-product-focused security programs I've encountered in the field.
Often with this approach when there is a failure the solution is "we need a different product because this one didn't protect us". Despite all of the evidence to the contrary, the notion that security comes in a shrink-wrapped box is still out there living large and failing big.
Firewalls and AVS are essential basic tools, but in order to effectively manage the threat posed by a motivated and capable human adversary, you need to do a lot more. You'll need a robust suite of protective and detective controls managed by qualified and experienced personnel, all backed up by well-thought-out policies and supported by senior management. There's no quick or easy fix, and the threat landscape changes almost daily.”
Muriel: “How can we train our people towards a secure information handling environment onboard and ashore?”
Gideon Lenkey: “In my experience people react to what they believe is a threat. For example, a masked man runs into a bank waving a gun. Everyone there perceives the threat, he's going to rob the bank, and reacts immediately. Now try to convince an employee, who feels very comfortable on their Internet connected device, that just by using that device they are being targeted by very capable human adversaries. They might acknowledge that they've heard about it, but they don't actually feel threatened. It's a tough one because you're pushing up against human survival instincts and insisting they're wrong, insisting there is danger where none is perceived.
The best results we typically get are when we perform a penetration test and then share the results so that everyone gets an idea of what was possible for the attacker to achieve. This is especially powerful when the test demonstrates serious and immediately exploitable vulnerabilities. Employers and managers can also raise awareness by finding and sharing stories of hacks and exploits in the public domain. The more industry-specific the better.”
Muriel: “According to you, what are the challenges that cyber security have brought to our life nowadays? What shall one do if they have been breached?”
Gideon Lenkey: “Well it certainly used to be a lot less challenging! Cyber Security is now a part of your personal and professional life if you use any sort of network connected device such as a PC or smart phone. Even if you don't, there are third parties processing and retaining information about you that if stolen can be used to victimize you. Identity theft for instance. While there isn't a lot you can do to protect your personal information stored with third parties, any data you are responsible for on your personal or business devices requires you to understand and mitigate the risk of it being lost or stolen.
That's a big ask given you have to consider the operating system of the device, the applications you use, what kind of data is being stored, how that data is protected and even your own behavior using the public Internet on a device that could become compromised. While awareness is certainly improving, the increasing complexity and sheer penetration of the technology in question is arguably outpacing and negating the modest gains in overall cyber security posture, in my opinion.
If you are aware you've been breached, your actions are really dictated by the severity of the breach, the privacy laws you're subject to and, hopefully, your incident response plan. If it's a common malware infection and doesn't involve access to sensitive or personal information, stealing email addresses or sending spam for example, you basically just clean it up and move on. Even if you get hit with ransomware the process is pretty much the same, as long as sensitive information isn't involved.
If the machine compromised handles sensitive information, information that is subject to data privacy law, then you must proceed according to law and again, hopefully to your incident response plan. Typically, this involves law enforcement and notification to affected parties. A good incident response plan really pays off in these cases. Failure to plan is planning to fail. Often the handling of the incident is tried in the court of public opinion so every action matters.”
Muriel: “Poor password choices are often to blame. Many people think that a password should be easy to remember, like their phone number or date of birth, rather than one that protects their data. How do you deal with such cases when it happens?”
Gideon Lenkey: “We run into some really bad passwords during pen tests, even on highly privileged accounts. To test passwords, we will typically take the entire domain hash file and run it through a special machine that tries to reverse or crack the password hash. Poor passwords or passwords that do not comply with password policy are flagged for reset. If the account is highly privileged, we may talk to the individual and make sure they understand the importance of adhering to policy. Where there is no policy we will write it and can help with rollout and enforcement.”
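The follow-up step described above, flagging recovered passwords that break policy and queuing the privileged accounts first, can be scripted once the cracking run has produced its output. This is an added example, not Epsco Ra's own tooling; the account list, the denylist and the policy thresholds are all constructed here for illustration.

```python
"""Password-policy audit over the output of a cracking run (added example).

Input is a list of (account, recovered_plaintext, is_privileged) tuples,
which is what a cracking job yields for the accounts it managed to break.
The audit never touches hashes itself; it only grades what was recovered.
"""
import string

# Constructed sample results; not real accounts or passwords.
CRACKED = [
    ("alice", "Summer2019!", False),
    ("svc_backup", "password", True),
    ("bob", "maryhadalittlefarm-eieio", False),   # passphrase style
    ("dom_admin", "P@ssw0rd", True),
    ("carol", "Tr0ub4dor&3", False),
]

# Constructed denylist; a real audit would use a large breached-password list.
COMMON = {"password", "123456", "welcome1", "letmein", "qwerty"}
# Fold common character substitutions so "P@ssw0rd" is caught as "password".
LEET = str.maketrans("@0$1!3", "aosiie")

MIN_LENGTH, PRIV_MIN_LENGTH, PASSPHRASE_LENGTH = 12, 16, 20


def policy_violations(pw: str, privileged: bool) -> list[str]:
    """Return the policy rules a recovered password breaks (empty if none)."""
    reasons = []
    needed = PRIV_MIN_LENGTH if privileged else MIN_LENGTH
    if len(pw) < needed:
        reasons.append(f"shorter than {needed}")
    classes = sum(any(c in s for c in pw) for s in (
        string.ascii_lowercase, string.ascii_uppercase,
        string.digits, string.punctuation))
    # Long passphrases are exempt from the character-class rule.
    if len(pw) < PASSPHRASE_LENGTH and classes < 3:
        reasons.append("fewer than 3 character classes")
    if pw.lower().translate(LEET) in COMMON:
        reasons.append("common password (after substitution folding)")
    return reasons


def audit(results) -> dict[str, list[str]]:
    """Map each non-compliant account to its violations, privileged first."""
    flagged = {}
    for account, pw, privileged in sorted(results, key=lambda r: not r[2]):
        reasons = policy_violations(pw, privileged)
        if reasons:
            flagged[account] = reasons
    return flagged
```

Accounts that come back clean (here the passphrase user) are simply absent from the result; everything else is the reset queue.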
Muriel: “In an article written by Andrew Sheldon and shared on your website, you give as an example the combination of two nursery rhymes: Mary had a little farm, e-i-e-i-o. And you say: "You're never going to crack it, you're never going to guess it and you're never going to forget it." I think this one is a great tip. In terms of protecting digital information, what is the advice you give the most?”
Gideon Lenkey: “Well in addition to the passphrases there are a few other ways to raise the bar on your opponent:
1) Stay off the center of the target by using alternative browsers and email clients. There are a lot more exploits for Internet Explorer and Outlook than there are for Chrome and Thunderbird. Even using a Mac or Ubuntu desktop gives you a significant advantage at least at this point in time.
2) Always keep everything up to date, both the operating system and applications.
3) Use multi-factor authentication for everything you can. As an individual, turn it on for every online login that supports it. If you are a company, make sure all remote access such as VPN uses MFA.
4) Learn how to encrypt your data. Hard drives, devices, files, emails, removable media, cloud storage, everything. It's not easy, but once you get the hang of it, it'll give you real-world protection and peace of mind if something is lost or stolen. Properly encrypted data stolen from email servers or cloud drives is nearly impossible for the thief to recover or use.
5) Get in the habit of turning off Wi-Fi and Bluetooth on any device you take out of the office or home environment.
6) Use a VPN on your mobile devices, especially when traveling. Mobile apps leak data and are vulnerable to Wi-Fi and wireless man-in-the-middle (MiM) attacks.
7) Stay paranoid.”
Gideon Lenkey is EPSCO-Ra’s Director of Technology. As President of Ra Security Systems, he has consulted on information security matters since 1989. He specializes in assessing and testing the security posture of enterprise IT infrastructures and managing enterprise cyber security initiatives.
He has provided advanced training to the FBI and has been consulted by both foreign and domestic government agencies. Mr. Lenkey is a past president of the FBI's InfraGard program in New Jersey and has been recognized by FBI Director Robert Mueller on multiple occasions for his accomplishments.
He regularly lectures, writes and grants interviews on cyber security topics. In 2011 Mr. Lenkey co-authored "Gray Hat Hacking" third edition for McGraw Hill and is featured in the film documentary "Code 2600".
If you enjoyed this interview, share it with your friends so they can benefit from it as well, and visit my blog for more free resources!
Muriel Matta (BSc, MSc, MPhil, Cert CTT Practitioner) is the Founder of Maravilhosa.
She is a multilingual Human Resources Management expert, with extensive cross-cultural experience, spanning 26 years in MENA, Europe and CIS.
Through her work with Organizations and Individuals, she helps solve the toughest HR challenges by customizing unique training and coaching solutions to inspire change, positive thinking and transformation.
Muriel can be contacted via email: Muriel@maravilhosa.net