Christmas Calendar, Day 3: Getting into ATMs is quite exciting and stressful at the same time
Who are you and what do you do at F-Secure?
I’m Tom Van de Wiele. I work in the Cyber Security Services delivery team as a Principal Security Consultant performing ethical hacking in the form of red teaming, penetration testing, risk assessments, coaching, workshops, and presentation work for our bigger customers. I joined the company when F-Secure acquired nSense in 2015. I am an intronaut and security geek, chocolate aficionado and retro videogame player, frisbeetarian and half centaur. I enjoy long walks inside your computer. You should clean your webcam lens. And your house.
What has been the most interesting project you’ve worked on at F-Secure? Tell us a bit about it.
Getting into the ATMs of various banking customers in various places is quite exciting and stressful at the same time. The plan means nothing, planning is everything.
What was the most memorable cyber security event / incident in 2017, and what should companies learn from it?
The NotPetya ransomware was yet another wake-up call for companies to learn to understand that application security cannot compensate for network security that has basically been neglected for so many years, and that any outside interaction such as browsing the web or email must not end in the heart of the company but rather in an untrusted zone. Information security is not about trust, it’s about access. The employees encrypting file servers and generally just wiping out company networks were trusted by the company to do the right thing. But counting on the fact that no incident will ever take place is misjudging the reality we are seeing every day as part of our work. Trust and hope are for the lottery. For everything else you need processes, and verification that those processes work and do what they are supposed to do.
What are the most important trends that you believe will impact cyber security in the next 3-5 years?
The continued lowering of prices when it comes to IT resources combined with increased capabilities in automation and computing will result in certain attacks becoming feasible for attackers when it comes to brute-forcing or analysis. Examples include cloud technology, machine-learning-specific hardware and services, and speed in processing data. We have seen this as well with OpenAI’s bot being able to play an e-sports game like Dota 2, DeepMind beating the reigning Go champions, or just any student nowadays running AI and machine learning libraries on their own home computer. Things are going to start moving fast really soon.
On top of this, more things will be connected as part of IoT, and more incidents will happen with these devices. This will result in data leakages of different kinds that we will have to deal with. As connected devices become more personal, so does the data that can leak. It will get a lot worse before it gets better. Keeping in mind our personal, business, medical, and financial data: at what price will we start to act and elect people in local and federal governments who will take a stance on this? Leaks will happen, data becomes more private as different devices are getting closer to us, our privacy is invaded, and our data is being sold at secondary markets through IoT and mobile apps. Now add to that mix the continued lowering of prices for data analysis and artificial intelligence/machine learning to start correlating all that data and re-selling the results. The future is going to be very interesting indeed for anyone into technology or infosec.
What are your top 3 tips for companies looking at improving their cyber security in 2018 and beyond?
- If you haven’t verified or tested a process, you are basing yourself on assumptions. And we all know what assumptions do to people.
- Find out and understand what data is valuable to protect, and start with a gap analysis of where you are and where you want to be. Boost your monitoring capabilities as part of your defensive strategy. Understand the attacks that are out there. All the rest will follow.
- Ask yourself the hard questions before anyone else does, and do not be afraid of the answers. This stuff isn’t easy. But that is why we do it.
What’s on your wish list to Santa Claus this year?
- A new luxury set of lockpicks
- A selection of cyberpunk, philosophy, and IT books
- Videogames of all sorts for various systems
- Portable espresso maker
- More books
- The Bitcoin interest money that Santa still owes me. P.S. Your password sucks, Santa!
What’s your favorite information source on cyber security?
There is usually not only one source that will be able to cover all topics, but the special and sometimes unexpected combined reports or specials coming out of Vogue (yes, Vogue) and Motherboard, for example “The Motherboard Guide to Not Getting Hacked”, are refreshing surprises on security awareness for the masses. Not just the “why” but also the “how”. If the rest of us are not learning about infosec, then we have failed as an industry, so I like these initiatives that make infosec understandable and tangible with a lot of topics grouped into one place, including recommendations on what to actually do and buy.
If you’d have to recommend people to follow one cyber security influencer, who would she/he be?
Almost impossible to name just one. But right now probably Katie Moussouris (@k8em0) for her bug bounty work and raising the bar for companies.
But it’s impossible to leave it to just one. Charlie Miller for raising awareness on the dangers of car infrastructure and hacking. Moxie Marlinspike for his work in boosting transport security, Limor “Lady Ada” Fried for bringing down the cost of hardware hacking for the masses, Samy Kamkar for his hacking creativity, Dan Geer because Dan Geer, Mudge, Michael Zalewski and The Grugq for general infosec topics and insight, Michael Ossmann, Hector Martin and Micah Elizabeth Scott for hardware hacking – and then a whole bunch more.
Thanks, Tom! We hope you’ve been good this year and Santa fulfills all your wishes!