Beyond The Perimeter Podcast, Episode 05: Why AppSec is Key for Your Dev Toolbox

Listen to this podcast on iTunes, Spotify or wherever you find your favorite audio content.

In this edition of the Beyond the Perimeter Podcast, we discussed the Poshmark data breach and interviewed Avi Douglen from Bounce Security about application security risks.

Breach of the Month: Poshmark

On August 1, clothing marketplace Poshmark confirmed they had experienced a data breach. Poshmark is said to have some 50 million users.

The looted data includes customers’ full names, genders, cities, email addresses, linked social media profiles, and account passwords—but in a hashed cryptographic form. 

Due to the breach, the company is telling its customers to watch out for phishing emails, especially those that look like they are coming from Poshmark.

In a blog post by Poshmark, they warned their users with the following statement, “Be aware that Poshmark would not ask for personal information such as your login information or password in email communications. If an email you received asks you for this information, the email was not sent by Poshmark and may be an attempt to steal your personal data.”

In this episode, I talked to Avi Douglen to learn more about his experience in application security and why businesses should look into adopting an application security program internally. 

Not The Common Career Path to Security

There is no one true path to a career in cybersecurity. Some people will have the aspiration from a young age to work in security and some will learn on the go. In Douglen’s case, he was at the right place at the right time: “I actually kind of fell into it. I started my career doing software development of a product that I was working on and the security always seemed a bit dodgy. But whatever, you know. I’m a new programmer. What do I know about it? But then I got recruited to go work actually at the Israeli Police as a developer of security software, security infrastructure for all the very sensitive systems as I’m sure you can imagine. While I was there, of course, we’re developing security products. So I was part of identity management, permission controls and access controls before that was even a thing.”

Like many security professionals, Douglen gained his security experience on the go. “I learned from actually testing things out because this was back before security was so popular. There were so many things and it was like OWASP was barely starting and this was back in like 2001. I discovered all the security aspects as we went on and kind of as the requirements came from the field and from the developers that had their own requirements but we don’t know how to deal with these.”

Gaining this experience over time led Douglen to a career in application security. “I got recruited into a security consulting company and I came in knowing a lot about security requirements from the developer side. So from there, I kind of found my home so to speak in application security and software security.”

Application Security is a Shared Responsibility

When asked whose responsibility application security should be, Douglen said it is a tough question to answer. “That’s a really interesting question and I would push that back to say, OK, who’s responsible for the quality of software? Well, sure, it’s the organization and sure you do expect a developer to be responsible for the quality of the code they put out, right? Obviously you’re not going to hire somebody to write code if they don’t know how to write code. But the organization absolutely needs to support that. You need to have time and the right tools for application security. You need to have the education and process, methodology and it needs to really be treated – from my perspective, it needs to be treated exactly like the quality of software and it’s one aspect of quality. You can’t be an excellent programmer if you’re not also doing security. It really comes down to how you’re producing software.”

Douglen believes that it’s not only on the developers who are actually writing the code. “I don’t think it should all be on the developer side, not at all. But it definitely needs to be one part of it. There are definitely organizations and there are developers that try to push the code out as fast as possible and don’t really care about bugs or passing tests or even if it really works. You know, if it compiles on my machine, I will push it to GitHub, right? On the other hand, obviously we can’t fault all on the developer side because not all software security is in code and I really think that security just needs to be one other aspect of everything that everybody does. So DevOps folks are doing DevOps and security needs to be part of it. Their pipeline needs to be secure and if they’re doing unit testing and things like that, they obviously need to be security unit testing.”

Organizations Still Have Room For Growth With AppSec  

When asked whether organizations are better equipped for application security today, Douglen said it depends on the organization. “There are two completely different types of organizations and you really can’t correlate them. Some of the more mature, more responsible, more security-minded organizations will distribute across the graph as you would expect and some of them are early in their journey and some of them don’t have a full program and some of them do, some of them are more evolved. On the other hand, some that you would expect to be more evolved and have a full program don’t necessarily and they never will and even if you try and push it into them, it will not succeed and just too much heavy decades of legacy, legacy of code, legacy of process, legacy of people sometimes, that you – that will never change. So breaking it down to your question, I would say it’s a tough question because I think most companies are not where they should be. Many are on the right path.”

Douglen highlighted open source security tools as something developers can start adopting in their application security toolbox. “There are some great static analysis products called SAST, static application security testing, which basically is an automated way to scan your code and these are great and you got some tools which will monitor your dependencies and your components. Open source components can have a known vulnerability in one of the versions of the components that you’re using and usually, most products will have several dozen dependencies, external dependencies at least in a trivial application. Sometimes it could easily be hundreds or more. So there are some great tools out there. I just saw one of the vendors come out with an open-source plug-in for Visual Studio Code that will monitor in code and it will tell you that this library actually has vulnerabilities. You should upgrade or use a different library.”
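The dependency-monitoring check Douglen describes boils down to matching each pinned component version against a list of advisories with affected version ranges. The script below is an added illustration, not a tool from the podcast or from any vendor mentioned; it assumes `name==version` pins and a constructed advisory list (the package names and advisory ids are invented and describe no real vulnerability).

```python
"""Minimal software-composition-analysis (SCA) check, added as an example.

Assumptions (not from the podcast): dependencies are pinned as ``name==version``
lines, and each advisory covers the half-open version range [introduced, fixed).
The advisory data below is constructed for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed advisory feed. A real SCA tool pulls this from an advisory database.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "package": "examplelib", "introduced": "1.0.0",
     "fixed": "1.4.2", "summary": "constructed: unsafe deserialization"},
    {"id": "EXAMPLE-ADV-002", "package": "examplelib", "introduced": "2.0.0",
     "fixed": "2.0.5", "summary": "constructed: path traversal"},
    {"id": "EXAMPLE-ADV-003", "package": "toyparser", "introduced": "0.0.0",
     "fixed": None, "summary": "constructed: no fixed release available"},
]

# Only exact pins are handled; anything else is rejected so nothing is silently skipped.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)\s*(?:#.*)?$")


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2). Pre-release suffixes are dropped, so
    '1.4.2rc1' compares like 1.4.2: acceptable here, not for production."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str | None) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: str
    fixed: str | None
    summary: str


def parse_requirements(text: str) -> dict[str, str]:
    """Map normalised package name -> pinned version, ignoring blanks and comments."""
    pins: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line (only == pins handled): {line!r}")
        pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def scan(requirements: str, advisories=ADVISORIES) -> list[Finding]:
    """Report every advisory whose affected range covers a pinned dependency."""
    pins = parse_requirements(requirements)
    findings = []
    for adv in advisories:
        pkg = adv["package"].lower()
        if pkg in pins and is_affected(pins[pkg], adv["introduced"], adv["fixed"]):
            findings.append(Finding(pkg, pins[pkg], adv["id"], adv["fixed"], adv["summary"]))
    return findings


# Constructed lock file standing in for a project's pinned dependencies.
SAMPLE_REQUIREMENTS = """\
# constructed lock file
examplelib==1.2.0
toyparser==0.3.1
safething==4.1.0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUIREMENTS):
        fix = f"upgrade to >= {f.fixed}" if f.fixed else "no fixed version; consider another library"
        print(f"{f.package}=={f.version}: {f.advisory} ({f.summary}); {fix}")
```

The `fixed is None` branch mirrors the "use a different library" advice in the quote: a match with no fixed release is still a finding, just with a different remediation.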

Huge Advocate of OWASP Projects 

Douglen is extremely active in the OWASP community, and in his spare time he takes part in his own OWASP project. “There are a bunch of great projects out there. I am part of a sub-project which is a Threat Modeling Cookbook, which is starting to put out a whole bunch of “recipes,” kind of like threat patterns. So if you put in a bunch of Docker microservices. Then there’s a set of threats that you need to consider and take care of and you don’t need to spend two days of threat modeling this infrastructure and you have a set of common standard mitigations that you can use without having to consult the security expert. So all these things is – that’s where we’re headed to try and create that and flesh that out.”

OWASP has an endless number of free projects for developers and security experts. When asked which projects Douglen recommends listeners check out, the list goes on. “There’s a lot of great projects depending on where you’re coming from. First I will call out to OWASP ZAP. That’s an interactive proxy which does a lot more than that. Not only does it monitor and intercept any requests being sent between your browser and the server. It has a lot of dynamic attack functions. So it would kind of test your web application as you’re testing it and it supports a great API. So you can integrate this and I know a lot of QA teams and DevOps teams that have integrated this in automated tests and yeah, you can definitely invest and get a great commercial product, web scanners, you know. But this integrates better than some of the other products out there and the ZAP API is great.”

Douglen also explained how newcomers can get started with OWASP projects. “Go to OWASP.org, click on projects. You get a whole library of projects there. Another project that I really like especially for people starting to discover this field of application security is what’s called the OWASP Juice Shop which I say is the best place to never ever, ever, ever buy juice online. It’s basically a modern webshop to buy juice except that you never actually get the juice. What you do get is a whole bunch of built-in vulnerabilities, which are common for modern applications. So it’s great for exercising, for learning and for practicing different vulnerabilities and finding out how SQL injection works and how cross-site scripting works and dozens of others. It’s one of the best capture-the-flag apps out there.”

To hear the entire interview with Avi, please listen to the full podcast here. You can follow Avi on Twitter @sec_tigger. To sign up for OWASP AppSec Israel, visit https://appsecil.org/.

If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.

Beyond The Perimeter Podcast, Episode 04: Your Security Strategy Is Only as Strong as Your Security Hygiene

Listen to this podcast on iTunes, Spotify or wherever you find your favorite audio content.

In this edition of the Beyond the Perimeter Podcast, we discussed the Promo.com data breach and interviewed Sivan Tehila, our very own Director of Solution Architecture, to gain her insights about security hygiene.

Breach of The Month: Promo.com

On July 21st, Israeli marketing video creation site Promo.com announced that a database, which contained over 22 million user records, was hacked and leaked for free on a hacker forum.

The data included users’ email addresses, names, genders, geographic location and, for 2.6 million of the users, their passwords. The leak included 1.4 million cracked passwords, meaning the plaintext had already been recovered from the hashes and could immediately be used by attackers.

After the public leaking of their database, Promo.com published a data breach notification saying they had become aware of a vulnerability in a third-party partner’s service that affected their data. If you are a customer of Promo.com, I suggest you immediately change your password to one that is strong and unique.

If you use that same password on other sites, it is strongly advised that you change your password to a unique one at those sites as well. A password manager can make it much easier to use unique passwords at every site and is highly recommended.

In this episode, I talked to Sivan Tehila to get a better understanding of the importance of proper security hygiene and why it’s a shared responsibility between employees and organizations.

Military Experience Shaped Her Career

Many career coaches will bring up the idea that your life experiences will help mold your professional career over time. This was especially true for Sivan when it came to her time in the IDF. “I started my security journey in the Israeli Defense Forces as a cybersecurity specialist. If you would ask me before I joined the army, if I would work in cybersecurity as a career, I would say no way. But thanks to the IDF I was exposed to the fascinating world of cyber and the fact that I had a chance to participate in cybersecurity operations and to get that perspective from the army, I fell in love with the dynamic profession. It makes it even more interesting to me and that’s why I love the cybersecurity world, that no day looks like the day before.”

When asked which habits from her professional cybersecurity work carry over into her day-to-day life, Sivan discussed how people need to embrace the day-to-day uncertainty in cybersecurity. “The fundamental thing in cybersecurity is to understand that no day looks the same as the day before. By people understanding and embracing uncertainty it will help them to manage their day to day life.”

Sivan believes the same approach should be taken when it comes to cybersecurity strategies. “I believe that by building a cybersecurity strategy, it’s the right thing to do before you start any project in cybersecurity. You need to understand the environment, threat factors and the attack factors. By having a better understanding of the situation, you will be able to manage and build different solutions for each environment while still being able to operate in such a dynamic environment and responding in real-time in case of an incident. We’re seeing it now with the current situation with the pandemic and the fact that many companies are practicing for the first time their business continuity plan.

“If you have a strong strategy and an updated business continuity plan, you could succeed and get over this crisis. But if you don’t have it, it just takes more time and more effort to be able to overcome this challenge.”

Organizations Are Not Thinking About Security

The lack of security hygiene in organizations and among their employees isn’t new, especially when it comes to modern cybersecurity. According to Sivan, the current pandemic highlighted most organizational security mistakes. “When COVID-19 came most companies focused more on the communication between their employees and the company and less on security. Organizations were more worried about how they could communicate via Zoom. I think many of them left the security procedures behind and when they understood that they had to worry about security, for some of them, it was late. It was the regulations that enforced them to apply security procedures and policies.”

When asked where she learned her security insights and how organizations can implement them, Sivan mentioned how most organizations lack security awareness. “I experienced many security incidents during my service in the army and when I worked for different defense industries in the private sector. The most common issue I experienced was that most organizations lack cybersecurity awareness. The best way to learn and improve awareness is by building a stronger security strategy. An example I experienced was when I built security campaigns and I created a phishing campaign in one of the companies that I worked with. When I scheduled a phishing campaign and I got an email the morning later with the campaign that I created and I did such a great job. So I was the one who clicked the phishing email. I think that was a moment when I understood that it can happen to everyone and that we all are vulnerable.”

Security Hygiene at the Forefront

When discussing if employee security hygiene is strong, Sivan commented on how employees need to be properly trained. “I think it’s an ongoing process. I mean it’s never enough to just do one time an awareness workshop in a company. It’s something that you need to train your employees all the time. Awareness is something that you should build over time while you need to make sure you keep your employees aware.

“In order to make sure your employees are up to date, training is not enough. For example, organizations should run quarterly phishing campaigns and quarterly workshops that remind employees all the time that security and hackers never sleep. Security awareness has to be always in their mind.”

Sivan emphasized how hackers easily trick employees. “My prevention tips for employees are they shouldn’t just click on a link or open attachments from emails you are not expecting or from unknown senders. Even if you know the sender, still check it twice. Make sure that the sender is someone you know and you were expecting to get that email. Check the URL of the sender to make sure that it’s a legitimate address and remember that companies like banks and the government won’t put a web link in their email to you. They will usually instead advise you to visit their web page and log in through the web page.”

To hear the entire interview with Sivan, please listen to the full podcast here. You can follow Sivan on Twitter @securitywitch.

If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.

Beyond The Perimeter Podcast, Episode 03: Hacking with a Purpose: Life as a White Hat Hacker

Listen to this podcast on iTunes, Spotify or wherever you find your favorite audio content.

In this edition of the Beyond the Perimeter Podcast, we discussed the Twitter hack, in which many celebrity accounts were hijacked to spread a cryptocurrency scam. We also interviewed Len Noe, a white hat hacker and cybersecurity specialist.

Breach of The Month: Twitter Hack

On July 15th we saw one of the most high profile breaches of the year. At least one hacker known for hijacking high-profile Twitter usernames gained access to an internal “admin” tool on Twitter’s network, hijacked a ton of celebrity accounts — Joe Biden, Bill Gates, and Elon Musk to name a few — to spread a cryptocurrency scam. The hacker made over $120,000 in just a few hours. But how the hacker got in and whether an employee helped remains a mystery. It is likely the hacker found their way into Twitter’s Slack account where they found a set of credentials. 

Twitter announced that the hack was done through social engineering. In this type of attack, hackers trick their victims into providing their login credentials. Some 130 accounts were affected by the breach. Twitter later said eight users had their data downloaded, including their DMs, but the company refused to say if the hacker read anyone else’s DMs, even though they’re believed to have had access. The breach could have been much worse, even having serious implications for national security, given that this is an administration that frequently uses Twitter to dictate policy. On July 31st, authorities arrested the 17-year-old hacker who was behind the hack.

In this episode, I talked to white hat hacker Len Noe to get a better understanding of why hackers might transition into becoming a white hat hacker and why organizations should look into implementing white hat hacker programs.

Attracted to the Art of Hacking Early On

Most hackers will tell you that their interest in hacking started at a young age. In Noe’s case, it started when he learned he could make small code edits which would change the outcome of a program. “I got into hacking early on. It all started for me back in the Commodore 64 days and the truth is there was a magazine that you could get that would actually give you some very simple, rudimentary programs that you could write for your Commodore 64 and the one that got me was Frogger, the old video game.

“During the time where I was trying to code the game, I messed up some of the code while I was programming and for some reason my frog would not die. It just opened up a whole new world to me if you do something in the background, it can affect what’s going to happen. So that was kind of what really sparked it for me was the idea that I was in control and even though the way that the game was supposed to be played, I could play the game the way I wanted to play it.”

Unlike today where hackers can easily find online different how-to guides and learn from other hackers, back in the ‘80s, Noe had to learn the trade through trial and error. “It was mostly trial and error. I mean you got to remember, this was back in like the pre-Pentium days. We’re talking 386 DX2, 486 with the math coprocessors so you could have the floating decimal point. There were a lot of bulletin board systems and many techniques came from a good understanding that I don’t think a lot of people get these days.

“When I was going through this originally, this was when the personal computers were first coming out. You learned how to use a terminal and it was before any real GUI, before OS was available. I just knew how things worked and it was a lot of trial and error and logging in to other like-minded individuals like myself who are into this kind of thing and it was kind of the pre-birth of the hacker collectives. I mean we weren’t hackers at the time because there really wasn’t a term. At the time, we were just geeks.”

Evolving From a Black Hat Hacker to a White Hat Hacker

According to Noe, life as a black hat hacker early on was not as risky as it is today. “Being a black hat was simpler, at the time, there was no real hacker. There wasn’t any kind of GDPR or any type of disclosure laws in the US. You know, if you got caught hacking, they would slap your hand. Maybe you weren’t allowed to use a computer until you were 18. But it wasn’t until after the 9/11 incident in the United States where any type of hacking really started to become a major issue and started to command heavy jail times and fines. I was always very interested in hacking and I always have had that innate sense of wanting to know not just the fact that it worked but how it works. My father was a mechanic and always told me if you understand the basics, then any of the complicated things become very simple if you break it down to its rudimentary form.”

When asked why he transitioned from a black hat hacker to a white hat hacker, the answer was simple for Noe. “I don’t like the idea of state-funded vacations. The idea of being locked away just really didn’t appeal to me. I mean I’ve never been one of those – even when I was a black hat, I was never one of those kinds of guys that would go after people and try to steal their personal information or try to ransomware somebody or blackmail somebody. For me, it has always been more about just the puzzle and I like those people who always say, ‘I’m secure.’ Really? Let’s test that theory and I’m a firm believer. If you think you can get into my stuff, come on. If you can get past the securities and the preventative measures that I’ve put in place, then you deserve it.

“For me, it was always am I smarter than the guy that set up the security? I know there are people better than me and there’s an old expression, Those who exalt themselves will be humbled but those who humble themselves will be exalted. Be humble with your security. Know what you’re doing and don’t brag. I’ve seen it so many times in my life where there are those people who are basically taunted to attack and they always wind up sorry for it in the end.”

Implementing White Hat Hacker Programs

Over the past decade, we have seen more organizations stepping up their internal security teams. Noe believes that having white hat hackers on the internal security team comes with its advantages. “I think having a red team and white hats on staff is a great idea. It keeps you fluent. It keeps people updated on the types of attack factors that are new and it’s going to keep fresh eyes and people that are actually in this community.

“But at the same time, I also think that even if you do implement a red team or a white hat on your payroll, I think once a year, it’s still a good idea to get an external pen test done or invoke the services of a third party just to keep everybody honest. Always look at security from the sense that it is going to always be as strong – only as strong as your weakest link. Get those fresh eyes and unbiased opinions every now and then. Keep your red teams and your white hats on staff just because these are people that are going to be tuned into what’s going on and what’s current.”

Endless Amount of Resources Available

When asked what his advice is for young security enthusiasts looking to become a white hat hacker, Noe emphasized the importance of taking advantage of the numerous resources online. “Play, get out there. YouTube is an amazing resource. But study up on YouTube. The one thing I will say about the cybersecurity community is for the most part, we are pretty open with our information. Go to our GitHubs. Go to our YouTube channels. You will find gists of information. You will find example videos of different attack scenarios and different attack applications.

“I have a GitHub repo on my GitHub that is just links for new cybersecurity people. You know, sites like Packet Storm, Vulnhub. One of my biggest recommendations for newbies and a lot of people think I’m stupid for making this recommendation. Vulnhub, if you’re not familiar with it, is a site where you can just go download premade capture-the-flag VMs for VMWare or VirtualBox and a lot of the times, you can actually go to Google or DuckDuckGo and you can search for a walkthrough of that capture-the-flag. For newbies, it’s a great way to actually see and walk through the entire process and at the end of it, you actually are able to complete the capture-the-flag.”

To hear the entire interview with Len, please listen to the full podcast here. You can follow Len on Twitter, GitHub, YouTube and SlideShare.

If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.

Beyond The Perimeter Podcast, Episode 02: Young Startup: Are You Ready for a CISO Onboard?

Listen to this podcast on iTunes, Spotify or wherever you find your favorite audio content.

In this edition of the Beyond the Perimeter Podcast, we explained how millions of Chrome users might be affected by the Google Chrome security breach, and we interviewed Ms. Reut Weitzman, COO and Cybersecurity Consultant at QMasters, to learn about her experience and insights as a CISO at a startup.

Breach of The Month: Google Chrome Browser

On June 18th security researchers at Awake Security reported to Reuters that millions of Chrome users were exposed to a record spyware breach linked to extensions downloaded from Google’s official Web Store. The discovery is believed to be one of the biggest attacks of its kind and resulted in Google removing more than 70 malicious extensions.

Most of the free browser extensions – downloaded about 32 million times – claimed to warn users about unsafe websites or convert files from one format to another. Instead, they were accessing users’ browsing history and website logins. It is still unclear who was behind this attack as the developers of the Chrome extensions supplied fake contact information when they submitted the extensions to Google.

Our suggestion when installing third-party Chrome extensions is to be very cautious about granting them access to data or other information on your machine or device. Google cannot guarantee the security of every third-party add-on, so you must be careful.

To learn more about being a CISO at a startup, I interviewed Ms. Reut Weitzman, who shed light on the CISO challenges in a lean startup, where the budget is low, people are techies and security is an afterthought.

Reut specializes in designing complicated cyber-defense architecture aligned with business and technology strategy, that is up to date with emerging cyber threats and vulnerabilities. One of her leading projects is providing on-going CISO service for a cryptocurrency startup.

Learning and Being Mentored Early On

Cybersecurity has become the trendiest topic in the news today. From cyber attacks, data breaches, ransomware and election hacking, everyone wants to be part of cybersecurity. Luckily for Reut, she has been part of the security industry from early on. Learning and experiencing the security industry helped Reut become who she is today as CISO. “When I started my career in cybersecurity, the dot net had just bloomed and I was young, curious and eager to learn everything possible about this exciting industry. So I took courses, read a lot, researched, asked and learned on the job of course.”

Reut described how fellow colleagues and mentors helped her early on. “I was lucky to work with talented, supportive people, and being a people person myself, I kept in touch with many of them over the years. I actually still keep in touch with my first boss from 20 years ago. So I found that this helped me a lot in my career. I always had someone to consult with and whether it was professional or career issues and since it’s such a small industry in Israel, I worked with many of my previous peers and colleagues again and again in different projects and different companies. I always had someone to speak with and ask questions and consult. In some aspects of my career, I always found someone to talk to. So it really helped.”

Becoming a CISO

After years of working in the field, Reut started the transition to CISO. Her years of experience in cybersecurity and tech gave her the insights and knowledge for the position. “I was consulting and working with different sectors, I’ve seen how every organization has a different approach when it comes to cybersecurity management and over the years. I saw how organizations handled cyber-attacks, how they managed cyber operations and different approaches to security strategies. I learned from project to project to gain experience and that allowed me to feel confident in my knowledge and ability to spot vulnerabilities and needs.”

After experiencing different roles in cybersecurity, and with her business background, it was the perfect time for Reut to become a CISO. “With the years came the experience. So it goes hand in hand and also I had some business – I had a lot of business background. I did a strategy project and management project. So it’s all combined together. I also have – in addition to all the technology experience and certificates, I also have an MBA. So it worked perfectly together.”

First 90 Days As a CISO

You’ve just been given the responsibility to lead the security transformation in your organization. Where do you begin? How will you approach the situation? For Reut, it started with a strategy to protect the organization’s data. “My duty as a CISO was to develop a strategy to protect the company’s data. This should always be done by working with IT and business teams. Full cooperation is required to identify, develop, implement and maintain cyber policy and processes across an organization. So for the first 30 days, I worked on establishing relationships and trust. I took the time to understand organizational structure, who is who, how they used to work, what technology do they use, where’s the data. Do they print? Do they have access to data from mobile phones? Since they already encountered a security incident, I ask different people what happened and how they feel about it and so on.”

Reut mentioned trust was a key factor for security success in her role. “It was important to me to get my peers to trust me and get on board for the good of the company. One of the things that I emphasized was that this is not an audit and I’m not looking for fraud. I’m looking to understand how they are used to work, so I could assist them to do it in a secure way.”

In the final two months, Reut spent most of her time working with the IT team to find where the holes were. “For the following 60 days, I worked in security assessment and gap analysis. I worked with the business unit managers and with leading personnel in those units to map the critical business processes and find cyber vulnerabilities.”

The Challenges

Every new job comes with challenges. Reut did not let those challenges slow her work, and the help of her colleagues made the process easier. “The biggest challenge I experienced was inventory. Data systems, storage and physical devices. The little documentation that they actually had wasn’t updated. So in fact I had to start from scratch and I had assistance from department heads for data. I asked the IT manager to help with systems and applications. DevOps helped me with storage information and I asked the office manager for help with all the physical assets.”

To raise internal security awareness, Reut implemented security training for the company’s employees, which in the end made employees more comfortable bringing security questions or comments to her. “I started raising cyber risk and security awareness, I sent periodic updates of cyber incidents relevant to the industry and sent do and don’t tips and so on. So at that time, everyone already knew who I was and started consulting with me about phishing emails, mobile security questions and also some personal questions such as how to know if the gaming application that our kids are using is actually safe.”

Reut quickly noticed that security hygiene among employees was very limited. “People at startups are tech-savvy. They’re agile. They’re in front of tech news. Nevertheless, I found out their cyber risk awareness is very limited. It shows in little things such as leaving the workstation unlocked when they take a break or the mobile phone passcode is one to six. Everyone knows what – that there is something called phishing. But most of them will fall for a spear-phishing attack that would be slightly more sophisticated than the usual spam.”

How Startups Can Avoid Security Challenges

Most startups fall prey easily to security challenges. Reut explains how this can be avoided with the right processes. “They say in security, we divide everything to – according to the golden triangle of challenges before process and technology. So in terms of processes, it is rare to find a startup with structured security policies or procedures. The work procedures are not consistent and are usually open to interpretation and new employees just learn how things work from their buddies and not in a formal way.”

Reut highlighted that a major challenge for startups is proper user permission and access to resources. “One of the biggest challenges for me was lack of consistency in – that there was no one central domain to manage users’ permissions and access to data resources. Also, the lack of group policy, with every change of configuration or any OS or application updates, required an IT person to take each and every computer and install or update manually.”

Reut suggested that most startups give their employees the freedom to install or do whatever they want, which causes a lack of visibility when it comes to security. “In many cases, employees have the main rights on their computers and they could just install whatever they want freely. Well, in fact, software installation should be done by IT professionals and also be documented. So the company will have an updated inventory.”

To hear the entire interview with Reut, please listen to the full podcast here. You can follow Reut on Twitter @reutweitzman.

If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.

Beyond The Perimeter Podcast: Episode 01 – Turning a Hobby Into a Career
Reading Time: 4 minutes

Listen to this podcast on Spotify, Soundcloud or wherever you find your favorite audio content.

We’re excited to have launched the Beyond The Perimeter Podcast: the podcast where we discuss everything security.

Each week, we will discuss the latest and biggest breaches to hit the news and talk to different security experts to learn about their experiences in the security industry. In this edition of the Beyond the Perimeter Podcast, we tackle the EasyJet breach and learn from independent security researcher Ryan Nolette how he turned a hobby into his career.

Breach of The Month: EasyJet

On May 19th, British low-cost airline group EasyJet announced that they had suffered a data breach. They declared that the highly sophisticated cyber-attack affected over nine million customers. Details from the breach included full names, email addresses and travel data such as departure, arrival and booking dates. The breach itself occurred in January 2020; EasyJet notified the UK’s Information Commissioner’s Office at that time, but waited four months to notify its customers. EasyJet did not immediately give details on how the breach occurred, but said it had “closed off this unauthorized access”. The most probable cause of the breach was a phishing attack. Our advice for all EasyJet customers is to change their passwords and check for any unusual activity in their bank accounts or suspicious phone calls and emails asking them for further personal information.

For more security tips and insights, I interviewed independent security researcher Ryan Nolette who explained his experience with information security at a young age and how it formed his career today. Ryan has held roles in the InfoSec field and consulted on threat research, incident response, and every level of security operations. He is an active speaker and writer on threat hunting, cloud security, and endpoint security.

Attracted To Information Security From an Early Age

If you ask security enthusiasts, many of them will tell you that their interest in security started at a young age. In Nolette’s case, movies and books about hackers, as well as early discussions with his school IT worker, sparked his interest in Information Security. “Infosec has always kind of been an interest to me. The movies that I was starting to watch, the Hackers trilogy and The Art of Deception by Kevin Mitnick came out and a colleague of my dad at the time told me to go check out that book and it was very interesting actually reading about the experience, the stuff that he went through and then how that related to the movies there.”

That initial introduction grew into a deeper personal interest for Nolette. “From there it just kind of really – the interest grew and grew as I started researching the topic more and more. We started off with people doing pranks to each other in class and whatnot. You know, pop out the CD-ROM of your neighbor’s computer, things along those lines and it kind of escalated to well, you take those concepts and now we expand them out into these overarching, more in-depth topics that are enterprise-level and now instead of your adversary being your classmate, now your adversary is whoever the attacker is in the world and it’s just a change in scope and severity. I had a pretty interesting IT or a general worker for our school system that I went to had an open conversation about technology in general and we’ve learned an awful lot about my school’s network and the town network worked through that.”

Learning From Security Experts over the Years

In the late 1980s and early 1990s, the number of places to learn about networks and security was limited. Nolette described how he learned on the go and through experiences. “It was more of a silo for me. I didn’t know those forums existed at the time. How I learned things was from some of my schoolmates who were interested in computers and operating systems. It was definitely an interesting experience and unfortunately, at that time, it was very hard to get the information, to gather if you didn’t know where to go look.”

The times have changed and now it’s much easier to learn security practices from experts around the world. “Now it’s significantly easier since I started in the industry and I’m really, really a big fan of that and that kind of leads into – if you want to get started in the industry, just go to a conference. There are free and cheap ones all over the world. I’m on the East Coast of the United States and there’s a BSides conference in pretty much every state and that’s a wonderful, affordable conference to go to and they handle a very large group of attendees, whether they’re the presenters or the attendees on their own. They really foster a collaborative environment. So you can go in and ask questions. You can attend one day of a conference and learn about 10 or 20 different vectors of security and that kind of lets you figure out what you’re actually interested in.”

Endless Amount of Security Content While Remote

With the majority of the world working remotely, face-to-face events have been canceled. Nolette highlights the different virtual opportunities for security minds like himself to learn remotely. “One of the best things that came about from this is I’m a big Reddit fan. So there’s a couple of different security subreddits and they have curated lists of virtual conferences, free online training and discounted tools and training. They’ve kept them pretty up-to-date and it’s just spreadsheets of these different resources that are available to you. So definitely check that out as a starting point and get a bunch of things online.”

With the current remote situation, the security community has gotten a bit creative to spread their knowledge. “While I know there are a few new conferences that even launched because of the work from home and the virtual conference idea. A new conference is basically going to put all the attendees on a Zoom call without any of the security restrictions on it and just kind of see what happens. So there should be some fun stuff like that.”

You can follow Ryan on Twitter and read his latest content on his GitHub page.

If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on Soundcloud or wherever you listen.
