I'm committed to protecting our freedoms and way of life in cyber space
Cyber Security Consultant and PKI Specialist Frank Satterwhite works for NATO, among others. As a key speaker at Cloud & Cyber Security Expo in Frankfurt, he will talk about the important role people play in cyber security. In this interview, he offers exciting insights into the topic beforehand.
Title: People: The key to a holistic, effective, security approach.
Location: Cloud & Cyber Security Keynote Theatre
Time: 10.15 - 10.40
Question: At Cloud & Cyber Security Expo, you will talk about people as key to a holistic, effective security approach. What are the main problems and why must the workforce become more educated?
Frank Satterwhite: Humans are an organization's biggest cyber security vulnerability. Making society in general more Cyber Aware is critical. That is why I have formed a strategic relationship with ISACA and I am an Authorized Trainer. Immediately when you think about Cyber Security Vulnerabilities, you imagine some terrorist cell controlling a botnet, initiating multiple attacks on its target. The truth is that scenario is the exception when it comes to which vulnerabilities are exploited most frequently. I believe that up to 90% of Cyber Attacks can be traced back to malicious activities by insiders or human errors. And when you consider that technical staff such as IT Admins have extensive access to an organization's infrastructure, a small mistake can turn into something catastrophic. For example, IT admins sharing a single root password and login across an entire organization's infrastructure. Once compromised, the entire organization is compromised. Not smart. Education that provides both the theory and hard technical skills to protect must be prioritized by organizations. Hackers count on staff making mistakes to reach their objectives. And most of these mistakes are the ones that can be prevented through education.
Question: What else can companies and organisations do to minimize Cyber Security risks?
Frank Satterwhite: There are many things that an organization can do to minimize Cyber Security Risks. Remember though, every organization is different. The first thing is, with the support of Executive leadership, doing a comprehensive review of the existing Information Security Program. A key aspect of this review is a Risk Assessment. During the Risk Assessment the organization will go through the process of identifying, analyzing, and evaluating the risks that pose the greatest threat. Proper Risk Management ensures that the cyber security controls you choose are appropriate to the risks the organization faces. I have been fortunate in the last couple of years to connect with some organizations I feel have cutting edge cyber security technology and controls that significantly reduce the risk associated with Humans. I will talk about some very cool technology during my speech. Nerd talk is always fun!
Question: Can we expect an eternal race between Cyber attacking forces and Security Specialists?
Frank Satterwhite: Yes, Yes, Yes. In today's society the line between cyber space and modern society is blurred. We have seen political election outcomes influenced, personal identities stolen ruining lives, and businesses and organizations robbed of hundreds of millions of dollars. These are crimes and threats to democracy, and are all done by anonymous criminals who often go without being held accountable. Cyber Attackers are motivated by many, many things, whether it be financial gain, political reasons, revenge, etc. These ever-present motivations, which can be part of human nature, will always lead to more cyber attacks. I'm committed to protecting our freedoms and way of life in cyber space. And my commitment extends beyond being an Independent Consultant and Cyber Specialist for NATO and the Military. Defense and protection must extend to everyday life. There will always be a need for other security specialists who share this commitment. As long as there are criminals in the world that desire personal or political gain there will be a need for more Cyber Security Specialists. It's not a race, it's a marathon.
Question: Which could be major Cyber Security risks in ten years and which industries will be particularly at risk?
Frank Satterwhite: Much sooner than in 10 years unfortunately. I'm concerned with the Cyber Security risks associated with Artificial Intelligence (AI) and Industrial Internet of Things (IIoT). The misuse of AI could exponentially expand current existing threats. AI could create more bad actors that are intelligent enough to adapt and successfully navigate cyber defense mechanisms and controls. Think how AI and underlying algorithms were used to profile and influence voters in America on Facebook. It is then logical to assume that AI could be used to quickly develop new social engineering attacks that identify a population and associated vulnerabilities. Another uncomfortable thought is that AI could be used to weaponize drones or military devices. I know this seems more like a Hollywood action film plot than a real world cyber threat, but the pace at which AI is developing makes this scenario realistic. Then consider Industrial Control Systems (ICS). Once upon a time, ICS operated in its own silo. In this isolated environment, requirements and solutions for Safety and Availability vs Confidentiality existed peacefully. Think the Operational IT environment that controlled Nuclear Power Plants. But the world has changed dramatically. Now an Operational environment has to be seen as an extension of the SOC. You can't just understand and defend against the risks of IIoT devices. A Holistic Approach is needed that also requires traditional information security professionals and operational IT security professionals to work together. The final Cyber Security Solutions must consider everything these IIoT devices are connected to. Because now you have smart devices and real-time intelligence straight from the plant floor - no more silos, and significantly increased attack surfaces.
Question: What can we do to make attacking a less profitable and rewarding business for attackers?
Frank Satterwhite: People must take steps to take more control over their personal data. Don't be so quick to put everything on Facebook or Snapchat. Back up your data and securely store it. Regularly change passwords, and do not change passwords on public networks without security keys. I think developing and following good data privacy policies and practices can significantly lower the profits of criminals.