What I know about cyber security and humans: Matt Suiche
The user is not the weakest link, says hacker and entrepreneur ‘msuiche’.
If you’re not down with the hackers and don’t know his handle then you should remember him as Matt Suiche.
Before moving to Dubai with his new cyber security company Comae Technologies, he was on the west coast of America with his previous startup Cloudvolumes, which was acquired by Dell subsidiary Vmware in 2014.
Specializing in memory forensics (that’s the analysing of your computer or phone’s memory), Comae Technologies has just signed a partnership with Dubai’s police force to develop forensic memory solutions while based at the Dubai Future Accelerators.
Are humans the constant crutch when it comes to the security of our smart devices and company networks?
Threats in the landscape are spreading. More connected devices means more threats. The security measures put in place in modern operating systems are efficient, but they’re too complex for the average person and even for some IT administrators who often have zero software expertise. A lot of those security measures are missing in the devices that fall under the header, Internet of Things. The latest DDOS attack (distributed denial of service, a.k.a internet outage) was done using IoT devices because their security is weak, and the attackers managed to take control of hundreds of thousands of devices due to default passwords.
The weakest link is often your software. A lot of the time an employee might be the risk but an attacker will look for the weakest link, and if he or she can see your software is five years old, then the likelihood is that you’ll be behind on security updates. And that is your weakest link.
Lose the talent, lose the security. In San Francisco’s Bay Area, the way a company promotes its engineers is in a way that enables those engineers to keep on making the products needed. In this part of the world and in Europe, you’ll find engineers being promoted but just to often become bad managers. This decreases the probability of good products being made. When you apply this to the cyber security industry it means you’re going to be falling behind when it comes to creating products that keep your company and users safe. The lack of talent is increased. Security products are not being developed.
Passwords are not the answer. People keep talking about improving passwords because realistically, from a technical point of view, that’s the only thing they can understand. Focusing on the issue of passwords is redundant. Very few vendors are putting in the proper security mitigations on their products. Whether you’re in UAE or NYC, it makes no difference, you’re going to be vulnerable. But artificial intelligence (AI) can be used: you can train devices to take better decisions for you. As humans we have a short memory, and can't remember everything. A computer can.
Lack of transparency is a problem. People need to be honest. In the US it is the law to report a breach, especially if you’re a public company. In some European countries it’s also a law. What does this mean? It means that your budget for cyber security won’t be increased because you won’t be fully aware of the problems. JP Morgan just doubled theirs to $500 million. Here in the Middle East no company is publishing their budgets. If you look at smart cities. Are they keeping security in mind while building their smart city? You need integration between multiple services and data is being exchanged, some might say ‘oh but we’re not a bank’, it doesn’t matter. It’s very time consuming from a business point of view. But it’s getting better.
The end-user is not the problem. If my mum is going to use an iPad I’m not going to tell her you need to do XYZ. She’s a user, she’ll never do it, and it’s complicated. People have jobs for that. The way I see it is it’s not the responsibility of the end user. The providers of the solutions and vendors should be responsible. As a company you need to make sure employees are using the proper products, softwares, devices, but as an end user there is bare minimum you can do, it’s like two percent of the issue.
BYOD is not wise. This idea of getting your employees to bring their own laptops to work, their own devices, like USBs, you’re increasing your chance of attacks. You don’t know if they’re running the most recent version of an operating system, applying latest security patches or using standard security products. You simply can’t keep everything secure this way. Snowden at the NSA is the perfect example. He walked in and out with a external USB device.
Social media is a hacking tool. People leak personal information on social media. You know those security questions to be answered if you "forgot" your password? ‘What's your mother’s maiden name?’ or ‘What's your birth date?’. Before you were the only person supposed to know the answer, but lots of people leak them in their social media, or when they receive a new credit card they brag about it on Twitter.
Weaknesses will be the same. The weaknesses you see attracting attackers will remain the same, you’ll just see patterns. A lot of solutions would be too technical for the main public to notice, or acknowledge, but we’ll see more usage of AI in preventing and coping with security issues.
Feature image via Pexels.com