October is the European Cyber security Month. Just like every previous year, EXATEL uses this time to popularise the knowledge about the safety in cyber space. Our goal is to not only warn against potential threats, but also to promote responsible use of the network. As part of my podcast series, I will talk with experts from the cyber security department, about the trends and threats in the security area and how EXATEL deals with them. Sylwia Buźniak, Senior HR Business Partner EXATEL. Let’s begin.
[00:00:35]
Hello everyone. In today’s episode, our guest is Kamil Suska, deputy director of the cyber security and IT department at EXATEL. Hi Kamil.
- Hi Sylwia, good morning everyone.
Kamil, I invited you because I would like to talk about the trends in cyber security. A hot topic, but I find your perspective and assessment of today’s market very interesting.
- I would like to talk about three trends today. The first one I observe is the shift toward systematizing vulnerability management.
What does it mean?
- It’s a process, a very important one, which is simply based on identifying the programming of the components of this software in the infrastructure and their versions. Thanks to this the customer knows what vulnerabilities there are, while we are able to indicate the prioritization of the most urgent mitigations. This greatly, greatly improves the level of security. As the best example of why this is important, I could point out the vulnerability in the Log4j component from last December. Log4j is an Apache component, often used in software to record event logs, and an interesting fact is that in the first seventy-two hours after the vulnerability was published, more than eight hundred thousand infections worldwide were identified using this vulnerability, and more than sixty exploits appeared on GitHub.
Truly an interesting example. Since you just mentioned these Log4j exploit attacks, how could vulnerability management prevent this?
- If a customer had a properly implemented and supported vulnerability management system, they would immediately have access to information on what elements of their infrastructure have the vulnerable component and they could make quick decisions on eliminating or minimizing the risk. In a situation where such a system is not in place, what really happens then is panic searching, wondering, reviewing the documentation, or doing scans and this wastes more time, and time then is very important, just like in this example indicated – eight hundred thousand infections in seventy-two hours.
Ok, that’s one. Could we move on to the next trend?
- I think the second important one is the popularisation of the Zero Trust approach.
Not even the principle of limited trust but straight forward shift to zero trust?
- This is an approach that has been around for many years, but has recently been gaining popularity. We assume that there are no elements of our infrastructure that we can fully trust. We need to remember, however weird it may seem, people are also the infrastructure’s element.
And how do we face it?
- The basis is to build awareness, but in order to talk about building employee awareness in our organization, we must first begin to build this awareness among the management and technical staff. And we have a service that aims precisely to build this managerial and technical awareness – the security reconnaissance.
Could you briefly, since it’s one of our most popular services also mentioned on our website, describe what it is?
- This is a low-cost service in which we send a team of Pentesters with a process-procedural Auditor to the customer. This team tries to identify the customer’s most dangerous problems in the shortest possible time.
Sure. Do we do anything else additionally?
- If you say… if we already have this awareness among the management and technical staff, then we can move to the next stage, which is to build awareness throughout the organization and here we offer training activities. We can separate three such activities. The first, well, these are phishing tests, that is, we send a message that is supposed to look as real as possible, but in this message we hide-
[00:05:12]
Yhm.
- Single elements by which employees can figure out that this is phishing and then we also present a short training material in the e-mail, in which, employees can identify where they made a mistake. And also the awareness trainings. These, in turn we offer in two models, the first one is the traditional training, which is conducted by an experienced coach.
Yhm.
- And the second model is a training platform where employees can train themselves. Of course, all three elements are best combined to work complementarily, nevertheless, well that’s what we offer.
I understand. And how does this relate to the market?
- Phishing attacks, according to a report by CERT Poland, account for almost seventy-seven percent of all incidents, so here the field is, it is definitely large, and a great deal of known incidents started with phishing, or speed phishing.
Sure, thank you. Well the process, the very process of building awareness is not an episode, it is, those are systematic, continuous, and often long-term activities, right? It is important to refresh the knowledge, systematize it and well, and to review it. And the third trend. What do you say is the third trend in the cyber area?
- Attacks on supply chains have been a hot topic lately.
So I understand that this is a trend concerning the logistics industry.
- Not necessarily. If we talk about cyber security then, in our supply chain it would be every external component. That is, all the subcontractors who indirectly or directly provide us with software or with services in our infrastructure. They all belong to our chain, our supply chain. And in fact, if you would think about it, this trend also corresponds very much with the previous trend we talked about, the Zero Trust approach.
And why do attackers target suppliers instead of directly hitting the organizations?
- Well the first two main motives that come to my mind are, first, the desire to achieve a large-scale attack, that is, by attacking one company, one entity, we can distribute this attack to all its customers, to whom the particular component we infect is provided.
Yhm.
- And the second motive could be wanting to make it easier to get into a secured infrastructure. In a situation where we have an organization that is very well secured and an attacker is trying to break into it.
Smart.
- They approach may be that since they are not able to break in directly, then they will break into some supplier’s infrastructure and thus achieve the main goal.
Interesting. Could you give some examples here, or what are the trends in the market, is there an upward trend for these types of attacks?
- Argon Security was working on a report in which, compared between the year 2021 and 2020, the increase was of three hundred percent.
That’s three times as much, that’s a lot, ok.
- And if you’re asking for examples, it’s important to mention a very popular and high-profile attack that took place in December of 2019, the attack on SolarWinds – a global IT solutions provider. In this case the attackers infected a Dell library used in software delivered to customers, so that this effect of scale, as well as the entry into many well-secured organizations was achieved. And the second example, we don’t know much, but this is exactly what we are talking about – an attempt to breach the well secured infrastructure. This was an attack targeted at the supplier of the software for the F-35 aircraft.
Well this trend is particularly interesting, isn’t it? Because on the one hand, it is a challenge for subcontractors, and on the other, for the customers. Where can we look, for the source, the root of the problem?
- Again, we return to the lack of awareness.
Yhm.
- In this case, to the lack of customers’ awareness. They often focus on price, functionality, but forget about the specifications, the requirements for suppliers in terms of cyber security. However, this trend is slowly changing and as it does, we are presented with a challenge for the suppliers, who have to meet the increasingly strict requirements of customers.
After discussing this trends… Do you see, like, any moments or points that are common? Do these trends interweave with each other?
- Yes, yes, yes, really. I mean all these three trends interweave. If we were to take the top ten trends, they would do so as well, because cyber security is a process that we need to approach holistically, on-the-spot action can only give us the illusion of doing something, while a comprehensive action realistically increases our chances of securing ourselves against an attacker.
Yhm. Any conclusions? What challenges does the cyber industry have to face then?
- In my opinion, the biggest challenge right now is the limited access to staff and that’s a challenge that all organisations are facing. This is why the challenge also interweaves with these trends that we’ve been talking about. It’s a challenge of choosing a vendor that has the qualified staff, takes care of its own cyber security, well, and is also one that you can trust, a trusted partner.
Thanks. This was a very pleasant conversation.
- Thanks Sylwia. Goodbye everyone.