Craig Olivier, Co-CEO at Genasys Technologies, and Leroy Koster, the head of information security at Genasys Technologies, discuss some questions about the fascinating cybersecurity environment.
COVER: Leroy, it has always been intriguing to me as to who becomes an information security specialist. How did you end up in information security?
Leroy: Although formally, I have only been in information security for the past six or seven years, I have been part of it, or it has been part of my life, since my school days. It was quite cliché, watching all these movies and series about hackers doing amazing things and what they got right, and seeing the interplay between attacker and defender was very intriguing to me.
When delving into it a bit more, I finally made the decision in 2018 to get professionally certified in the industry. It is an exciting, ever-changing environment. Nothing is ever concrete and there is no such thing as 100% safe.
All the above led me to become a defender. It really excites me to see a vulnerability or active attack and stop it, then investigate what happened afterward.
COVER: Now getting into the actual cybersecurity environment, Craig, when it comes to cyber risk, and the risk of breaches, where do you see most vulnerabilities with the clients that you deal with?
Craig: Firstly, I think we find ourselves in quite an interesting space, specifically COVID related, because before, we wanted to make sure that our internal networks were super secure, that nobody could get in. Then, suddenly with COVID, we had to allow everyone to work remotely. We now basically had to drop all of those walls and look at it from a completely different angle. So, I think it created quite a challenge for a lot of companies out there. But everybody managed to deal with the change.
The main area that I see is, firstly, not having a security focus from an organisation perspective. There is not a culture around security and focus within the organisation to actively manage security, which creates vulnerabilities. So, a lot of what Leroy spoke about in his introduction is around finding a protective mechanism to drive the conscious security culture within the organisation.
The second bit around that is also that, often, one of the biggest vulnerabilities is the people you trust in the organisation. You need to have processes and structures and proactive capabilities to manage a potentially disgruntled employee within your existing trust area, within your business. If you watch a lot of the cyber risk and hacking stories, it is often a personal assistant within an organisation that has elevated access because they are acting on behalf of the CTO in the organisation. But they may not be educated around the potential risks of opening emails that they should not open, which then creates a gateway. Leroy has a couple of inputs, maybe, to expand on the topic?
Leroy: From what I’ve seen in the industry, not just with our clients, a lot of times it boils down to the following:
- Asset visibility and context – you need to know what you have in order to know what to protect and how to protect it effectively. You can’t secure what you don’t understand.
- Vulnerability management – security updates not regularly applied due to downtime, complexity or capacity.
- Security awareness training – you could have the best tools and defence-in-depth strategy, but your weakest link may be one of your staff members. It just takes one uninformed employee to cause a potential breach, which is why this topic is of great importance. This training must be provided to all staff with access to the network, not just security and IT staff: from the kitchen staff to the CXOs. It must also be a continuous exercise, not just once a year, which will assist in ingraining security best practices in people’s minds.
- Protection of PII and data leak prevention – the insurance industry needs to store a lot of personally identifiable information to support its business objectives, and this is sometimes not adequately protected, either at rest (in storage) or in transit.
- AI and ML adoption as a defence strategy – threat actors are adopting AI and ML techniques to defeat defences and avoid detection at machine speed. With such a vast attack surface, masses of data and shortfalls in the number of skilled cyber professionals, the problem has moved beyond a human-scale problem.
COVER: From a remote working environment, suddenly, you have to know exactly who must get access from outside, what type of equipment they are using, what they have on their equipment, how their own equipment is protected, whether the son plays midnight online games on the equipment, etc. What has the remote working environment done to cyber security?
Leroy: In the past remote working was an optional add-on for many companies. After COVID hit, there had to be an overnight shift in this practice and companies were thrown in the deep end.
I think it really disrupted the industry in a big way. I see it as almost a strategy on the go in that sense. You had a long-term strategy of implementing remote work, fully adopting the cloud, making sure your policies and controls and everything is in place, and now suddenly, that had to happen overnight.
Those with no or little remote capabilities suddenly had to implement something at a rapid speed, and this introduced a lot of risk as it was not always securely applied. People just wanted to get working ASAP.
Those who had these capabilities in place already continued as per usual, working from home, while the others played catch-up and potentially fell behind for a while.
The perception of where the “corporate” network is also had to change. It’s no longer a protected cocoon behind the company firewall; the corporate network essentially became the internet. This means that protection now had to travel with the employee by adoption of technologies such as “SASE” – Secure Access Service Edge (pronounced SASSY) – which incorporates SD-WAN (Software-Defined Wide Area Network), SWG (Secure Web Gateway), FWaaS (Firewall as a Service), CASB (Cloud Access Security Broker) and ZTNA (Zero Trust Network Access) into one cloud-native solution.
COVER: Craig, as a platform builder, suddenly everything has become unique. When you get a new client, they would have so many unique needs for security. How do you build that into your platform or do you tailor make it every time you get to new clients?
Craig: Definitely not the second option. From the perspective of a software provider like Genasys, I think there are two key areas of focus around security that we need to think about, and from a customer perspective, potentially a third. Because we offer the platform as a software-as-a-service capability, we often take ownership of the infrastructure that the platform runs on.
The Genasys solution is a multi-cloud based structure and we support the three large public clouds: Azure, AWS and Google Cloud services. Then what we do, is we make sure that, from an infrastructure security perspective, we have best practices around how we go about deploying those tenancies within the cloud. We utilise tools like Terraform and Ansible, which, well, they call it a recipe almost, spin up the environment with best practice built in. So, there is an infrastructure layer that needs to be secure, and Leroy and his team get quite involved with that, around proactively validating it after those environments are set up.
Then also using cloud technologies to proactively identify vulnerabilities like Qualys, as another example. So, there are great technologies out there to secure the cloud infrastructure environments.
Secondly, the other big area is our responsibility around the application that we deploy. We are obviously writing code, and we are writing the code that compiles into an application that we provide to our customers. So, the Genasys application, as an example, has a REST API that gets published on the internet. We need to ensure that that API is secured, that it does not have vulnerabilities and that people cannot hack our customers via our application. We utilise different tools within our DevOps pipeline process, like SonarQube, and there are various others, that validate, in an automated approach as well as with AI and machine learning, the code written by developers, to highlight possible vulnerabilities that we can then validate.
Then, importantly for us, we go through external penetration testing, using proper qualified external pentest companies to come in and try and find breaches within the platform and rate those in different severities. We close those out. Typically, we can do that at every major release of the platform.
We also do the same penetration testing on the infrastructure space: our internal infrastructure as well as our external infrastructure. We are also part of a bounty type platform, which is like HackerOne. Essentially, we are inviting ethical hackers to come and find potential vulnerabilities in the platform, which is obviously a lot wider than the normal kind of structured penetration testing. That even goes as far as a bug bounty type of approach where, depending on the severity of what an ethical hacker identifies within the platform, there is a commercial reimbursement. There are a variety of these different bug bounty type organisations out there. HackerOne is the one that we are part of, which again creates a more proactive approach.
I think the last point to make then is that Genasys, as an organisation, also focused heavily on getting ISO accredited, which drives a lot of our internal security policies and processes, ensuring that they are in place, and we go through regular audits. I guess that drives a lot of what we spoke about in the beginning around culture: you know we are holding personal information, we need to make sure it is encrypted at rest, and make sure that there is just a general security culture within the organisation.
COVER: If a company is worried about cybersecurity, what are the three most empowering things they should do immediately?
Leroy: First of all, get your security awareness training programme in place. Make sure your employees are aware of what’s out there and what they need to look out for.
Secondly, make sure you know what and where all your assets are and what information is contained on them, in order to protect it according to the risk level pertaining to it. Visibility, not only of north-south traffic but of east-west traffic, is key in knowing what’s going on in your network in order to know what to protect.
Also make sure that if you store any PII internally, it’s protected adequately using strong encryption technologies for at rest and in-transit data.
Lastly, attackers are utilising AI (Artificial Intelligence) and ML (Machine Learning) technologies to perform attacks to infiltrate networks and exfiltrate data. You need to counter that with your own AI and ML solutions as a defence strategy. It is no longer a human-scale problem and you can’t keep up with machine-scale malicious actors with traditional methods.
COVER: I thought, before this interview, that I would be less worried about cyber security afterward, but I think I am more worried now than I was before.