Security Journal UK discusses the future of cybersecurity with Jeremiah Grossman, professional hacker and CEO of Bit Discovery.
A common reaction for many people when updating a password is to reach for a scrap of paper and jot down their new, memorable phrase for safekeeping. Worse still, some save it on their desktop or email it to themselves. However, with global threat levels rising and sensitive information becoming increasingly vulnerable to hostile actors, how long can businesses and individuals stay rooted in such poor cyber-practices?
With the likes of SolarWinds and Microsoft Exchange suffering major hacks in 2021 alone, the need to effectively manage cybersecurity is not only an ongoing issue for SMEs, but for major organisations in their own right. And as cyber-challenges continue to escalate as a result of the COVID-19 pandemic – with much of the global workforce having to make the switch to remote working – the need for better cybersecurity management at every level of the corporate ladder has been shoved into the spotlight.
Reflecting on the emergence of new threats and the most effective ways to combat them, Security Journal UK sat down with Jeremiah Grossman, CEO of Bit Discovery and Founder of WhiteHat Security, to discuss his journey in information security and what he is predicting for the future. Prior to his role at Bit Discovery, Grossman was Chief of Security Strategy at SentinelOne, founded WhiteHat Security, was the “hacker yahoo” at Yahoo!, and has spent much of the last 20 years pioneering the application security industry.
Ensuring effective cybersecurity
Since every organisation has its own unique assets and vulnerabilities, it is important to recognise that implementing the right cybersecurity strategy is not something that can be achieved by simply flicking a switch. When considering the best approach, therefore, Grossman highlights the importance of evaluating, specifically, what it is that needs to be protected: “It is really funny because when I hear conversations relating to the simplest yet effective ways of managing cybersecurity, I have an immediate reflexive answer.
“However, I also think about companies who have given our industry $120bn a year and the only return is everybody getting hacked. I sometimes still question whether we actually know how to do security well. It’s a reasonable question. Even if we doubled the spend on that right now, our results would not necessarily reduce the breaches by half. We must think differently.
“No matter what though, everybody must know what it is that they have to protect – whether it is data, systems or people. This is the one thing we do not do. If you ask pretty much every company what assets they have which are connected to the internet, they really don’t know or everyone internally has a different answer; at this point, it becomes impossible to secure what it is that you don’t know you own.”
Assessing the cyber landscape
The rise in cyber-criminal activity over the past few years has made two things very apparent: nobody is safe and nobody is un-hackable. Consequently, as the methods of hostile actors continue to change in response to new defence strategies, there also needs to be a shift in the way in which we all individually evaluate our online presence.
Grossman explains: “There are certain threat actors that target specific companies and then there are cyber-criminals who go after the least common denominator using the most widespread vulnerabilities.
“Targeted groups are going to go after government and military contractors as well as social media platforms such as Facebook and Twitter; these organisations are going to have to do the best they can to deal with professional adversaries. Inevitably, no matter what they do, breaches will happen, so fast detection and response is the name of the game. This goes for everyone.
“Smaller businesses and organisations mostly have to focus on protecting themselves against cyber-criminals – however, it is conceptually simple to defeat them. Your average security has to be better than that of your peers and you have to increase the cost on the adversary to conduct their operations. If you do things such as multi-factor authentication, stay up to date on patches, have a solid endpoint protection solution, back up your systems and close down systems you no longer need, you are going to be more resilient than 90% of companies in similar positions. It sounds simple, but the basics never truly are.”
With preparation vital to protecting assets, Grossman also highlights how pertinent cybersecurity is when establishing business relationships and how cyber insurance is changing the industry. He adds: “When a company is doing business with another company, it’s common that they will ask about security policy and whether a review and assessment has been done and if there is a minimum level of cyber insurance attached to your organisation.
“The next step past these checks has to do with the insurance carriers and their minimum standards. As a result, cybersecurity becomes a more common topic in the boardroom not just because of security, but to also satisfy customers, regulators and insurance companies. Cyber insurance is already changing the way the entire security industry operates. Cyber insurance carriers are going to tell businesses what to do, how to allocate funds and soon the types of solutions (the actual company names) they are going to be allowed to buy by category.
“If you are a security professional, be aware of cyber insurance, try and learn all you can about it and go ask your CFO if you can see the cyber insurance policy the company has so you can see what is in it. You might be surprised.”
Until you know everything, you can’t patch anything
As businesses develop and new online identities are created for employees, internet-based assets become extremely difficult to manage. When this pattern is multiplied and mirrored by businesses across the globe, it also becomes increasingly difficult to spot vulnerabilities and mitigate the risk of attacks. Where there are growing challenges however, there is room for innovative solutions. Grossman explains: “The first thing every company should do is figure out what they own. You should know what these assets are and what they are worth.
“Bit Discovery helps companies create an inventory and an attack surface of everything that is publicly available. Until you know everything, you can’t scan everything and you can’t patch everything.”
Like many leaders and influencers working in their respective industries, Grossman has been forced to swap public speaking roles and networking events for virtual meetings and webinars as a result of the pandemic. In spite of the changes to circumstance however, he always has an eye out for the next big challenge.
“Personally, I chase problems and I like going after the biggest ones I can find and try to solve them. Attack surface management, the area I am working on now, I find to be the largest and most important issue. Prior to this, I was at a company called SentinelOne that did endpoint detection; in 2015-16 I saw the ransomware problem coming so I joined them and they did well.
“Although we can’t reveal any big announcements just yet for Bit Discovery, we are always working on some very cool things. When you have access to a copy of the internet, you learn a lot about it, what is out there and what people are doing at different points.
“I have done some virtual events, but all the in-person ones I have been trying to attend have been cancelled! Right now, I am just trying to stay in touch with CISOs and heads of security across the industry to learn about the most pressing challenges. What I miss a lot are the conferences, of which I would attend five or six a year.
“Talks are great of course, but the hallway track and listening to my peers is where I learned a lot; it was kind of like our water cooler. It is really hard when you can only connect on Twitter and Zoom.”
Although it is unlikely there will ever be a complete solution that protects businesses and organisations from cyber-criminals, the next best thing is to accept this reality, mitigate risks and prepare for worst case scenarios. In doing so, perhaps we can eventually get one step ahead of threat actors.
This article was originally published in the October edition of Security Journal UK.