In this edition of the Beyond the Perimeter Podcast, we explained how millions of Chrome users might be affected by the Google Chrome security breach and we interviewed Ms. Reut Weitzman who is the COO and Cybersecurity Consultant at QMasters to learn about her experience and insights as a CISO at a startup.
Breach of The Month: Google Chrome Browser
On June 18th security researchers at Awake Security reported to Reuters that millions of Chrome users were exposed to a record spyware breach linked to extensions downloaded from Google’s official Web Store. The discovery is believed to be one of the biggest attacks of its kind and resulted in Google removing more than 70 malicious extensions.
Most of the free browser extensions – downloaded about 32 million times – claimed to warn users about unsafe websites or convert files from one format to another. Instead, they were accessing users’ browsing history and website logins. It is still unclear who was behind this attack as the developers of the Chrome extensions supplied fake contact information when they submitted the extensions to Google.
Our suggestion when installing third-party Chrome extensions is to avoid granting them access to data or other information on your machine or device unless they genuinely need it. Google cannot guarantee 100% security for all third-party add-ons in its store, so you must be careful.
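The breach above turned on extensions that requested far more access than a "warn me about unsafe sites" or "convert this file" tool needs. The following added example, which is not code from the podcast, Awake Security or Google, shows how a defender can review the permission sets declared in extension manifests (Manifest V2 and V3) and rank the ones that reach browsing history, session cookies or every site's content. The sample manifests, extension names and risk descriptions are constructed for this example.

```python
"""Added example: review Chrome extension manifests and flag permissions
that expose browsing history, website logins or all-site content.
Not code from the podcast or the parties it discusses; the manifests
below are constructed sample data."""
import json

# Permissions that give an extension reach into history, session data or
# the content of every page. The descriptions are this example's own
# (hypothetical) risk notes, not an official Google classification.
HIGH_RISK = {
    "history": "reads browsing history",
    "cookies": "reads session cookies (website logins)",
    "webRequest": "observes every network request",
    "webRequestBlocking": "can modify or block every network request",
    "clipboardRead": "reads clipboard contents",
    "debugger": "attaches to pages through the DevTools protocol",
}

# Host patterns that match every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_permissions(manifest):
    """Collect host patterns from both Manifest V2 and V3 layouts."""
    hosts = set(manifest.get("host_permissions", []))          # MV3
    # In MV2, host patterns are mixed into the "permissions" list.
    hosts.update(p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>")
    for script in manifest.get("content_scripts", []):        # both versions
        hosts.update(script.get("matches", []))
    return hosts


def review_manifest(manifest):
    """Return (score, findings) for one manifest dict.

    The score is simply the number of findings; it is meant for ranking a
    batch of extensions for human review, not as a verdict on its own."""
    findings = []
    for perm in manifest.get("permissions", []):
        if perm in HIGH_RISK:
            findings.append(f"permission '{perm}': {HIGH_RISK[perm]}")
    broad = host_permissions(manifest) & BROAD_HOSTS
    if broad:
        findings.append(f"broad host access: {sorted(broad)}")
    return len(findings), findings


def triage(manifests):
    """Rank a {name: manifest} mapping from most to least risky."""
    rows = [(name, *review_manifest(m)) for name, m in manifests.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample manifests (parsed from JSON as they would be on disk).
SAMPLE_MANIFESTS = {
    "Site Safety Checker": json.loads("""{
        "manifest_version": 2,
        "permissions": ["history", "cookies", "webRequest", "<all_urls>"]
    }"""),
    "File Converter": json.loads("""{
        "manifest_version": 3,
        "permissions": ["storage", "tabs"],
        "host_permissions": ["https://*/*"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]
    }"""),
    "Dark Mode": json.loads("""{
        "manifest_version": 3,
        "permissions": ["storage"]
    }"""),
}

if __name__ == "__main__":
    for name, score, findings in triage(SAMPLE_MANIFESTS):
        print(f"{score:>2}  {name}")
        for line in findings:
            print(f"      - {line}")
```

A high score is a reason to look closer, not proof of malice: a password manager legitimately needs `cookies` or broad host access, while a "safe site" checker that wants `history` plus `<all_urls>` deserves a question. On a managed fleet the same check can run over the extension directories Chrome keeps per profile, and the ranked output gives IT a short list to reconcile against what each tool actually claims to do.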
To learn more about being a CISO at a startup, I interviewed Ms. Reut Weitzman, who shed light on the CISO's challenges in a lean startup, where the budget is low, the people are techies and security is an afterthought.
Reut specializes in designing complex cyber-defense architectures aligned with business and technology strategy and kept up to date with emerging cyber threats and vulnerabilities. One of her leading projects is providing ongoing CISO services for a cryptocurrency startup.
Learning and Being Mentored Early On
Cybersecurity has become the trendiest topic in the news today. With cyber attacks, data breaches, ransomware and election hacking in the headlines, everyone wants to be part of cybersecurity. Luckily for Reut, she has been part of the security industry from early on. Learning and experiencing the security industry helped Reut become who she is today as a CISO. “When I started my career in cybersecurity, the dot net had just bloomed and I was young, curious and eager to learn everything possible about this exciting industry. So I took courses, read a lot, researched, asked and learned on the job of course.”
Reut described how fellow colleagues and mentors helped her early on. “I was lucky to work with talented, supportive people, and being a people person myself, I kept in touch with many of them over the years. I actually still keep in touch with my first boss from 20 years ago. So I found that this helped me a lot in my career. I always had someone to consult with, whether it was professional or career issues, and since it’s such a small industry in Israel, I worked with many of my previous peers and colleagues again and again in different projects and different companies. I always had someone to speak with and ask questions and consult. In some aspects of my career, I always found someone to talk to. So it really helped.”
Becoming a CISO
After years of working in the field, Reut started the transition to CISO. Her years of experience in cybersecurity and tech gave her the insights and knowledge for the position. “I was consulting and working with different sectors. I’ve seen how every organization has a different approach when it comes to cybersecurity management. Over the years, I saw how organizations handled cyber-attacks, how they managed cyber operations and different approaches to security strategies. I learned from project to project to gain experience and that allowed me to feel confident in my knowledge and ability to spot vulnerabilities and needs.”
With her experience in different cybersecurity roles and her business background, it was the perfect time for Reut to become a CISO. “With the years came the experience. So it goes hand in hand and also I had some business – I had a lot of business background. I did a strategy project and management project. So it’s all combined together. I also have – in addition to all the technology experience and certificates, I also have an MBA. So it worked perfectly together.”
First 90 Days As a CISO
You’ve just been given the responsibility to lead the security transformation in your organization. Where do you begin? How will you approach the situation? For Reut, it started with a strategy to protect the organization’s data. “My duty as a CISO was to develop a strategy to protect the company’s data. This should always be done by working with IT and business teams. Full cooperation is required to identify, develop, implement and maintain cyber policy and processes across an organization. So for the first 30 days, I worked on establishing relationships and trust. I took the time to understand the organizational structure, who is who, how they used to work, what technology they use, where’s the data. Do they print? Do they have access to data from mobile phones? Since they had already encountered a security incident, I asked different people what happened and how they felt about it and so on.”
Reut mentioned trust was a key factor for security success in her role. “It was important to me to get my peers to trust me and get on board for the good of the company. One of the things that I emphasized was that this is not an audit and I’m not looking for fraud. I’m looking to understand how they are used to work, so I could assist them to do it in a secure way.”
In the remaining two months, Reut spent most of her time working with the IT team to find where the holes were. “For the following 60 days, I worked on security assessment and gap analysis. I worked with the business unit managers and with leading personnel in those units to map the critical business processes and find cyber vulnerabilities.”
Every new job comes with challenges. Reut didn’t let those challenges affect her work, and the help of her colleagues made the process easier. “The biggest challenge I experienced was inventory: data, systems, storage and physical devices. The little documentation that they actually had wasn’t updated. So in fact I had to start from scratch, and I had assistance from department heads for data. I asked the IT manager to help with systems and applications. DevOps helped me with storage information and I asked the office manager for help with all the physical assets.”
To build internal security awareness, Reut implemented security training for the company’s employees, which in the end made employees more comfortable bringing security questions or comments to her. “I started raising cyber risk and security awareness. I sent periodic updates on cyber incidents relevant to the industry and sent do and don’t tips and so on. So at that time, everyone already knew who I was and started consulting with me about phishing emails, mobile security questions and also some personal questions such as how to know if the gaming application that our kids are using is actually safe.”
Reut quickly noticed that security hygiene among the employees was very limited. “People at startups are tech-savvy. They’re agile. They’re in front of tech news. Nevertheless, I found out their cyber risk awareness is very limited. It shows in little things such as leaving the workstation unlocked when they take a break or the mobile phone passcode is one to six. Everyone knows what – that there is something called phishing. But most of them will fall for a spear-phishing attack that would be slightly more sophisticated than the usual spam.”
How Startups Can Avoid Security Challenges
Most startups can easily fall prey to security challenges. Reut explains how this can be avoided with the right processes. “They say in security, we divide everything to – according to the golden triangle of challenges before process and technology. So in terms of processes, it is rare to find a startup with structured security policies or procedures. The work procedures are not consistent and are usually open to interpretation, and new employees just learn how things work from their buddies and not in a formal way.”
Reut highlighted that a major challenge for startups is proper user permissions and access to resources. “One of the biggest challenges for me was lack of consistency in – that there was no one central domain to manage users’ permissions and access to data resources. Also, the lack of group policy, with every change of configuration or any OS or application update requiring an IT person to take each and every computer and install or update manually.”
Reut pointed out that most startups give employees the freedom to install or do whatever they want, which leaves security with no visibility into what is running. “In many cases, employees have the main rights on their computers and they could just install whatever they want freely. Well, in fact, software installation should be done by IT professionals and also be documented. So the company will have an updated inventory.”
If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.