Recently, the latest batch of cybersecurity experts was trained in Amsterdam by the SANS Institute. For Techzine it was a good moment to talk to one of the instructors delivering cybersecurity training at the event. What is most important? Where is more attention needed?
We talked to Chris Dale, who heads the Cyber Security team at Netsecurity in Norway. He is also a certified SANS Instructor, providing training to prepare new cybersecurity experts for work in the real world. He delivered the SEC504 training, Hacker Tools, Techniques, Exploits, and Incident Handling in Amsterdam. An intensive six-day training course from early in the morning until around 6 pm.
Can we beat cybercrime?
Cybercrime is something we encounter daily and is affecting more and more companies. We asked Dale how he views developments and if we can stop this form of crime.
Dale’s answer is clear: we can’t stop it, it’s comparable to the war on drugs. In one country it’s a bigger problem than another, but it will probably never disappear completely. Also, cybercrime is more lucrative than drug trafficking and less risky. The chance of being caught for cybercrime is much smaller.
“We can’t continue like this”
Cybercriminals are getting smarter every day. We have to move faster; we have to be at least as fast as the cybercriminals. We can’t continue like this because we’ll lose the fight. Cybercrime is the largest business sector there is.
Change of mindset and education
According to Dale, we need to move away from statements like “our users aren’t smart enough for this” and “this harms the user experience”. Dale regularly gives training to the army and police in which he also presents these kinds of excuses. “According to your leadership team, you are too stupid to use a password manager”, and then gives a demonstration of how simple a password manager is. Or “according to your leadership team, you are too stupid to use a VPN”, and then shows a VPN client with a big green button with the word ‘Connect’. Security doesn’t have to be all that difficult; with the right tools and the right basic security a lot can be prevented. A burglar in the street usually picks the house with the worst locks and not the one with the best locks. The more time a criminal needs to spend to gain access, the bigger the risk of being caught.
“Stop making excuses about user experience and complexity”
His advice to companies is to stop making excuses and make sure basic safety goes up. Things like an IP address, bandwidth, CPU power and storage are equal to money for a cybercriminal. So you have to make sure they don’t get access to them.
Don’t aim for 100% security, as it will ruin the user-experience, but try to figure out an acceptable compromise between usability/user-experience and security. Keep the users happy but at the same time make sure systems are secure enough. A good example of this is multi-factor authentication. It would be a pain in the neck to input codes all the time when logging in, instead, a more acceptable solution could be to only ask for multi-factor codes when the user has changed in a significant way, e.g. logging in from a different country, using a different client application or behaving suspiciously in any other way.
Planting evidence on the victim
Of course, there have been some gains in recent years. Law enforcement has become smarter, but so have the cybercriminals. Dale is seeing that cybercriminals are beginning to cover their tracks a lot better or even planting evidence to mislead the authorities. For example, when someone’s PC is used as a proxy to perform a hack, evidence can be left in the browser history or in a document about the company that is hacked. If the authorities then raid the home address of the proxy and seize all computers, they will find the evidence on the computers. If the cybercriminal has covered his tracks properly and even removed the malware which gave access to the system, the authorities will probably file charges against the owner of the computer.
Only a forensic IT company can often find the evidence that the computer was used as a proxy and the owner is not guilty. However, in most situations, a forensic investigation is not performed. Such an investigation is extremely expensive. Techzine previously learned from an anonymous source that rates of 750 euros per hour for forensic IT investigations are pretty common. As a person or small company that can be a huge price to pay.
Security industry must be reliable and embrace standards
We also asked Dale about the extensive security industry in which thousands of companies operate. This industry is so big because a lot of money is made by companies that do security well or by playing on the fear of people and businesses. Unfortunately, the motives of these companies are not always entirely pure. For example, we pointed Dale to the recent Citrix vulnerabilities, in which the company did not get the time to develop a patch. There was also recently a company that offers DDoS-protection, which then carried out DDoS attacks itself to gain customers.
Dale points to the standard procedures that the industry has developed. Everyone should adhere to those procedures. A good example of such a procedure is responsible disclosure, where you don’t immediately bring out all the details when you find a security leak in a large software solution. You first make sure that the vulnerability is mitigated. We asked him how Netsecurity deals with this when they find a big vulnerability because companies don’t always react positively when you find something in their software.
Dale says that the way they deal with it varies from company to company. Some companies have procedures and are happy with the report, and others want to keep you out as much as possible and immediately present a non-disclosure agreement with financial penalty clauses. At Netsecurity, where Dale works, they primarily inform their client. With that information, the customer can then protect themselves. However, that customer can, in turn, be a customer of the software that contains the leak. Netsecurity does not get paid to take further action on the vulnerability, because that is not in the interest of the customer.
What Netsecurity usually does with small software vendors is to inform them directly so they can work on a fix. In most cases, however, these are large solutions from big vendors. Netsecurity will then skip the conversation with the vendor and send all the data to a local CERT (Computer Emergency Response Team). Each country has its own CERT, and they all work together with other countries. All those CERTS together can make a strong case against a vendor and make sure vulnerabilities will be patched quickly and responsibly. The CERTS are in most cases sponsored by the government and follow industry procedures. They also warn companies and governments when a vulnerability gets out of control and immediate action is required.
How do you train the cyber expert of the future?
We also asked Dale how to train a cyber expert in six days, how can you prepare them for criminals who are constantly improving and changing the way they work. Dale says you need to make them think like cybercriminals. So you also need to teach them how to hack and show them how systems can be shut down. If you know how a hacker operates, how a cybercriminal searches for ways to get access to systems, then you can do the same as a security expert. With those findings, you can close those gaps and increase security.
With the basic knowledge about hacking and the right tools, you can give a cybersecurity expert a good starting point. It remains a cat-and-mouse game in which the development of hacks, malware and security are rapidly evolving. There is no comprehensive package which makes the perfect security solution or expert. A cybersecurity expert has to develop their specialised knowledge by gaining experience. They just need the right foundation. The best cybersecurity experts are also those who can relate to hackers and think out-of-the-box to penetrate a system. Other security experts then learn from this. We also asked Dale if he hires people who follow his courses; he said that in addition to following the SANS training, the GIAC certification is of course also important. You have to pass an exam to gain this. Netsecurity has hired three people that have taken SANS training. In Amsterdam one of his colleagues was also present to follow the training. If you are looking for a new career as a pentester or something else in cybersecurity, Dale’s training might be a good starting point.