Granite State News Collaborative

Get Tech Smart: Breaking into cybersecurity

By Flo Nicolas, Get Tech Smart

Cybersecurity is a buzzword we’ve all heard, but what does it exactly entail? What is the state of digital security at the start of 2023, and how can the average person best protect themselves against cyber threats?

For this episode of Get Tech Smart, we invited CEO Patrick Hynds and CTO Duane Laflotte of Pulsar Security to shed some light on the world of cybersecurity and provide tips on staying safe online.

This interview has been lightly edited for length and clarity.

Flo Nicolas:

Do you think that our new dependency on technology has any impact on what's going on in the cybersecurity world?

Patrick Hynds:

The more things change, the more they stay the same. So every innovation that we've had in science, we've turned into weapons. Every medicine, we've turned into poisons. It's just the nature of the beast. Everything that we can use for better banking, we can use for better hacking. AI is similar, but we're in the very, very advanced piece of AI, but it's still the beginning. I don't think we're close to the middle or the end. So there's still a lot of vulnerability, and we're seeing this with OpenAI GPT: garbage in, garbage out. If you put in something that is bad, flawed, wrong, you'll get out something that's bad, flawed, wrong. And so AI isn't magical, we still don't have conscious AI. If we had conscious AI, different game. We'd be fighting the Terminator Wars and all that stuff. We're still a long way away from that. So right now we have domain-specific AI that can find things and can write viruses.

One of the problems that we have is, most people understand physical security. We all made it out of adolescence, so we know when to lock our doors, when to stay off the street, we know how to not get hit by a bus. And everyone is pretty well suited to that. We now need the same kind of street-sense in the cyber world for everyone. We didn't need that before. And that's again, because the threats are starting to metastasize in more ways. AI is a fantastic tool, but it's not a panacea for defense or for attack.

Flo Nicolas:

I think I saw something posted that Uber was hacked again through a third party, so that kind of raises a question about people who are doing business with third parties. How can they protect themselves? If I'm hiring a third party and I'm collecting really sensitive customer data, what are the things that I should ask before I even start working with that third party?

Duane Laflotte:

That's a really good question. That bleeds a lot into what we call supply chain protection, or supply chain attacks. We see a lot of these supply chain attacks where you purchase a piece of software and it's cloud oriented, and you put in all your data, now it's up in the cloud. Well, somebody else has access to that. It's the company you purchased it through and you're paying the monthly subscription or whatever it may be. We've seen attackers and nation states now starting to target those heavily, because why breach one customer when I can breach this supply chain and have access to hundreds of customers' worth of data? There are some very simple questions. We always educate our customers on things you should ask. If you have a pretty good relationship where you have customer data, financial information or whatnot, you should be able to ask the company things like, do you have security code reviews? You don't need to be the person who can read through all the code and make sure it's secure, but how often are they done? Are you actually having someone look at the code to make sure it's secure? How often do you have red team engagements or pen tests? Who tests your security and how often does that happen? Those simple questions: what's the vendor doing in terms of security? But one of the other things I always like to put in there is, how long does my data exist on your network if I stop being a customer? Would you get rid of it? Is it removed from all the backups? Is it still there? Because 10 years from now, if you get breached, I don't want my data to be able to be accessed. And who at your company has access to my data? These are great questions to ask any third party you're dealing with.

Flo Nicolas:

One article I read said there's a global shortage of cybersecurity professionals. But I had a gentleman who was looking for a job, had all his certifications, but he was struggling to get work. Then I was talking to the head of computer science at Manchester Community College, and he has students right now who are struggling to get an interview. So I'm a little confused in terms of the numbers. What's going on?

Patrick Hynds:

So the problem is that there are lots of different nooks and crannies in cyber and there's lots of demand, but the demand is uneven and the demand is in some cases unrealistic. The job postings want someone who has cybersecurity experience and knows Okta well, or they want a cybersecurity person who knows SIEM and has at least x number of years of experience with SIEM. They don't want an intern who they have to teach everything, because there's no one to teach them; they don't have the staff. They need the skill. And so what we should say is there are 700,000 open jobs for experienced cybersecurity people. And we can't make experienced people without internships.

Duane Laflotte:

The other thing is, cybersecurity is a big topic. Lots of people go, “I wanna get into cyber.” And you go, “Great. Do you wanna be blue team, which is defensive? Do you wanna be red team, which is offensive? Do you wanna be purple team, which is a little bit of both? Do you wanna be compliance, which is understanding laws and regulations and that sort of stuff? Do you wanna be an auditor?” There are hundreds of different subsections of jobs inside of cybersecurity, so when people go, “There's this massive shortage in cybersecurity,” you're like, but where? You could specifically say, “I want to be a blue teamer (defense) and I want to just write YARA rules to understand what's being pushed off our network.” You could be hyper specific and find jobs all over the place, I'm sure. Part of the trouble, I think, is people are pretty general, which is good, but then nobody wants to hire them because then they don't have experience.

Patrick Hynds:

I think they have to declare what they want to do. And that’s hard, because they don’t know what they want to do.

Flo Nicolas:

What are some of the myths with cybersecurity that we need to know about?

Patrick Hynds:

How many hours is this show? [laughs] So the first one we've already exposed, which is that you can just go get a job in cyber and be a hacker and be all this stuff. It's a myth that there are armies and legions of really good hackers. Most of the companies that do what we do have a couple of really good people, and they have a bunch of people who run tools and say, what's this mean? Real hackers aren't everywhere.

Duane Laflotte:

One of the other myths we run into is, “Well, I bought it from a company, it must be secure,” or “I bought my Ring doorbell from Amazon, it's gotta be secure, right? I'm sure Amazon looks at the security of that.” Well, chances are when you're buying IoT devices, like your refrigerator that connects to the wifi, your camera that connects to wifi, you-name-it that connects to wifi, there's no guarantee that the company you purchased that from has any idea what they're doing in cybersecurity or has ever reviewed it. Now they don't want to be the one with the bad mark on them, that there was some sort of hack that allowed them to breach your home. But it doesn't necessarily mean they're pouring millions of dollars into it. So I've seen that as a fallacy when I talk to companies. We've talked to some banks where they're like, “Hey, we bought those IP cameras. I'm sure they're secure and fine.” And we're like, okay, but did you ask them? Did you go through that process? Did you test them? Just because you bought it from even a reputable company, there are still steps you need to take to make sure that you can put them in securely.

Patrick Hynds:

Just because an app is in the app store does not mean it's safe. Here's another one. I hate to give this advice, but it's the real advice. When you get a new phone, it's so convenient to download from the cloud and just replace that phone, but it's more secure to install the apps one by one. Because if someone gets on your phone, they're not gonna get off if you just copy over all the apps from backup. The same is true of computers. When I get a new computer, I rebuild it from scratch. I install all the applications from scratch. I get a faster, better system, but I also get rid of anything that I might have picked up along the way. “Only the paranoid survive” is a little bit too extreme, but if it's convenient, it's probably hurting your security.

Flo Nicolas:

How do ordinary people like Flo and other residents protect themselves better? What are three things?

Duane Laflotte:

Number one, I would say, is password managers. A lot of the very well-known password managers encrypt the data with your own private keys so that data can't be read by the company. Most of the password managers will say, “We don't have access to your passwords.” If you lose your password, you're out of luck. You're gonna have to go reset it everywhere. But the password manager is one of my biggest recommendations to anybody. Have it on your phone, have it on your computer.

If whatever service you're using supports multi-factor authentication, turn it on. Make sure you're using either Google Authenticator or SMS to your phone or something along those lines. It's now the bare minimum to turn on multi-factor authentication.

If you receive an email and you feel like you have to jump through a lot of hoops to get that invoice or whatever it is, don't do it. Never click on anything in email.

Patrick Hynds:

When you are asked by anyone, whether you know them or not, to do something, to call a number that you don't know, to click on something, to open a document, to do anything: use a second avenue of communication and ask them, “Did you send this? I got an email from you with the latest invoice. Did you send it?”

Flo Nicolas is a technologist, lawyer, speaker, mentor, writer, tech startup Founder/CEO of CheapCheep & Director, and Creator of Get Tech Smart. She is a dedicated professional with a passion for technology and creative innovation, intent on helping her community to become more tech-savvy and forward-thinking. Get Tech Smart is being shared with members of The Granite State News Collaborative.