We talked with Vlad Styran, Co-founder and CEO at Berezha Security Group, about penetration testing and the positives that remote work has brought to the cybersecurity field.
1. How did you end up in the cybersecurity field? Or in other words, did you choose cybersecurity, or did it choose you?
I think many of my colleagues of my age didn’t exactly choose to be in the cybersecurity field. That’s because around 20 years ago, there were no university programs specifically for this field. There were just general IT programs: infrastructure and software development. I come from applied mathematics and mechanics – this was close enough to application software, but still too far from cybersecurity.
I worked in the IT department first for a few years and then pivoted to cybersecurity because the company I worked for got hacked. I had to be on the front line of that incident response and investigation, and I learned a lot from that experience.
During the next year, I managed to bootstrap a security function and improve the security of the company. Then I moved to another job dedicated to cybersecurity and never came back to general IT.
2. When your company got hacked, was that the moment you first started thinking about penetration testing?
Not exactly. When you work in IT and have access to all this equipment (that was 20 years ago), you start to think about how stuff can get hacked. You check systems for vulnerabilities one at a time, then fix, patch, and harden them and move on to another asset.
If you don’t extend the security practices to all the assets, then something bad will happen eventually. And then it happened: someone hacked a server that was not yet hardened. That was when I finally saw that there might be a business case for IT security, particularly for small and medium companies.
In a large enterprise, you have compliance and many other requirements. But for SMEs it wasn’t so obvious, or so well budgeted and invested in, at the time. There was a demand that was not yet apparent. This is how I saw that it could be a professional path.
3. Your company focuses mainly on penetration testing. What’s the difference between penetration testing and other security services like compromise assessment or malware analysis?
In simple words, pen testing is a vaccine. It’s not like a real hack, but it gets you the feeling of it. It also gets you an essential understanding of what you’re lacking, and it gives you a roadmap on how to get there and not lack those things anymore.
The real malady is getting hacked. That’s a cybersecurity incident, and you need to do incident response as a treatment, and various PR exercises around it as a form of rehabilitation.
But regular pen testing is just like getting vaccinated. That’s the best metaphor that I can come up with.
There are other things, like red team or adversary simulation. That is a security program that trains your company and your cyber defense team to be a harder target. If you are ready for things like these and you can afford it – maybe it’s time.
But generally, it all depends on your threat model. You need to understand what cyber threats could realistically harm you and pick the appropriate type of security assessment. Sometimes, it’s just pen testing, sometimes it’s something more sophisticated and advanced. You need to learn to decide what you need to do and how much you need to invest in it.
Once you do, you continuously improve. Either permanently, with red teaming, but for that you at least need to have a blue team already, or in a more discrete manner, just doing regular pen tests annually or semi-annually.
4. Do you do these tests at the company’s physical location, or can it be done remotely too?
It depends. We like to present ourselves in a more general way. We do business consulting mostly around application security and penetration testing, but that doesn’t mean that we cannot get you up to speed with security standards or prepare you to certify to some external regulation. We can do that, but people don’t think it’s fun.
That’s not the most exciting part of this industry. The exciting thing is what gives you a quick win. In pen testing we do not just tell you what’s wrong, we support the statement by hard evidence. It is not an auditor’s assertion that you have a compliance gap.
It’s a proven fact: ‘We got in; this is how we did it. And this is how you can make it, so that we won’t get in again next time. And now, you’ll have to implement the remedial actions. We’ll re-test you in a few months and see if the remediation was efficient or not.’
This is how it works, but not everyone is ready for this kind of stress.
If the client needs us to get in physically, like in their organization, that’s not a problem. But we just need to feel that they’re ready for that kind of attention.
There’s no need to dig that deep and be that flexible for a large enterprise that never had a penetration test before. You just perform a standard set of exercises around a target, and you already provide value.
Suppose it’s an enterprise with a dedicated cyber security function and a very well-formed organizational structure around security, like an IT security division, a blue team as sub-division, and a security management function under a CISO (Chief Information Security Officer) – who have a lot of experience. In this case, we can go as far as required and be as realistic as needed.
5. Remote work has created a whole new spectrum of cyber-attacks. What do you believe is the most dangerous one?
First of all, I do not agree with that statement. Remote work brought up the long-standing issues that we needed to fix for a very long time. And now, as we couldn’t continue procrastinating, these issues got resolved.
This is what we can see in the companies that we are working with that have a mature cybersecurity function. For a long time, we had only “usual” engagements; now we have work-from-home pen tests, and we see how they’ve enhanced their practices; this is obvious. There are still some things that people don’t see as an issue. For instance, they believe in the panacea of 2FA (two-factor authentication). 2FA is much better than not having it, but it is not enough to just enable it.
The phishing risks remain, and social engineering cyber-attacks are still possible, they just get trickier. And “believing” that 2FA will save you from phishing is a false sense of security that we as security professionals have created. The mantra goes like this: ‘pick a strong password, get software updates, enable 2FA, and you’ll be invincible!’ But it is simply not true. You can still get attacked via a supply chain backdoor in an update, and your employees can be phished for 2FA codes as well as their super-strong passwords.
There’s no such thing as a panacea. If I tell you that there is one now, in a few months or years some new attack technique or hack will be invented, and I’ll be that guy who taught you to do this one thing that someone else has managed to get around. This happened to the HTTPS padlock in the browser, automatic security updates, and time-based 2FA codes. It will happen again.
So, it is better to approach these topics systemically. For instance, for this particular issue of user authentication, there is the Consumer Authentication Strength Maturity Model (CASMM) [https://danielmiessler.com/blog/casmm-consumer-authentication-security-maturity-model/], Daniel Miessler did a great job arranging it as an infographic. It’s like the stairs to better authentication.
You start with using unique passwords everywhere and a password manager. Then you use 2FA, a very basic one, like SMS. Then you start using software tokens, like Google Authenticator. Then hardware tokens like Yubikey. This is how you progress. And to start you have to identify where you are now and to what level you want to get.
For instance, the first step for a company is to prevent users from having the same password everywhere. Start by checking haveibeenpwned.com every time they log in to see if their password has already been compromised somewhere.
So 2FA is not the first step. The first step is giving every resource you use a unique password. You cannot get to CASMM level 5 if you are still at level 2. You have to take these levels one by one. Otherwise, it will simply not work.
And authentication security is just the first step in securing the remote work environment. The main idea is that you learn available good practices for security, and you follow them.
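The compromised-password check mentioned above can be done without ever sending the user’s password, or even its full hash, to a third party: the Pwned Passwords service accepts the first five hex characters of the password’s SHA-1 and returns every known hash suffix under that prefix, so the match happens locally (k-anonymity). The code below is an added example written for this page; it is not code from Vlad Styran, Berezha Security Group, or the original interview. It assumes the public range endpoint format (`GET https://api.pwnedpasswords.com/range/<PREFIX>`, one `SUFFIX:COUNT` line per hash). The sample range response embedded in it is constructed for the example, and its counts are not real breach figures; the online fetcher is included for reference but is not called by default, so the block runs offline.

```python
"""Password-reuse check via the Pwned Passwords k-anonymity range API.

Added example, not part of the original interview. The only thing that
leaves the host is a 5-hex-character SHA-1 prefix; the suffix comparison
is done locally so the service never learns which password was checked.
"""
import hashlib
from typing import Callable, Tuple

# Constructed sample of a range response for prefix 5BAA6 (the SHA-1 of
# the string "password" starts with 5BAA6). Counts and the other suffixes
# are made up for this example and are not real breach data.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix of sha1("password")
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:4",
    ]),
}

FetchRange = Callable[[str], str]


def offline_fetch_range(prefix: str) -> str:
    """Stub fetcher: serves the constructed sample; empty for other prefixes."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def online_fetch_range(prefix: str) -> str:
    """Real fetcher (not called by default). Add-Padding asks the service to
    pad the response with dummy 0-count lines so response size does not
    leak how many suffixes share the prefix."""
    import urllib.request

    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix.upper()}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (the API's hash format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password: str, fetch_range: FetchRange = offline_fetch_range) -> int:
    """Return how many times the password appeared in known breaches (0 if none).

    Only the 5-character prefix is handed to fetch_range; the 35-character
    suffix is matched against the returned lines here, locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep:
            continue  # blank or malformed line; ignore
        if candidate.upper() == suffix:
            return int(count) if count.isdigit() else 0  # padded lines carry 0
    return 0


def password_is_acceptable(
    password: str, fetch_range: FetchRange = offline_fetch_range, min_len: int = 12
) -> Tuple[bool, str]:
    """Policy gate for login or password-set flows: reject short or breached values."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    hits = pwned_count(password, fetch_range)
    if hits:
        return False, f"seen {hits} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-for-this-example"):
        print(pw, "->", password_is_acceptable(pw))
```

Plugging `online_fetch_range` in for `fetch_range` turns the stub into a live check; the rest of the logic is unchanged, which is the point of keeping the fetch step separate from the matching step.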
6. Do you believe human error is a top cybersecurity risk? If it is, do you see any solutions to it?
Statistically, that’s not the main risk. It may be a root cause of almost everything because people don’t plan enough, don’t think of all the details. But it’s kind of silly to think about everything this way. That’s a root cause you can’t eliminate, so you need to think about something else.
The good way is to think, ‘how come people make mistakes?’ People make mistakes when the environment is complicated, so you need to make it less so. Security is achieved with time and training and simplifying the environments we use.
7. What is the good side of the pandemic in the cybersecurity field?
It’s all good. Where do I start? Obviously, the bad thing is that people suffer. The good thing is that people are finally getting their hands on trying to fix things.
Organization-wise, it’s pretty simple, we spend more time working, less time commuting. There’s more efficient communication because you can have small talk in the office, but in a Zoom meeting where everyone is present and focused, that’s not a good thing to have. So, efficiency has increased. If you can control it, if you have created a healthy environment, an organizational culture that facilitates and gives incentives to productive communication and collaboration, then everything is good.
When it comes to working with customers, it’s even more so because now there are much fewer clients who reject us for being in a certain time zone, for instance. The ways to do this job remotely are now generally available, so rejecting a firm just based on you ‘not being there’ is seen as a kind of discrimination.
Economically, it’s all good. Unfortunately, culturally, we can say that we can’t go on anymore. We cannot continue like this; we need to do something. Everyone has to get vaccinated, and this madness has to stop. It’s just not good for your health; you need to be socially and physically present. When you come to the office every day, you do it naturally, and you have to move.
So, maybe after this drill, we can go back and be more efficient when we have improved our business activities. It would be best to take all these new skills and habits back to our normal environment.
Maybe we have learned something from this pandemic that we can bring back home to our normal mode of operation and improve it a lot.
8. Any final thoughts or advice?
Be scrupulous, rigid, and attentive to details because it’s a jungle out there. You need to sit tight and pay attention. And most probably, you can imagine all the possible things that can go wrong and deal with them one by one before they even happen. This is how you survive. Do some threat modelling, and think about who your specific adversary would be.