Cybersecurity: Sometimes, offense is the best defense

When it comes to cybercriminals, we all know that the days of kids on IRC having internet turf wars, trying to kick each other off of servers and hijacking academic research computers for their computing power are long gone.

But as IT has evolved, so have cybercriminals. For example, in the 90s, online banking was a rarity. Now, you’d be hard pressed to find any aspect of banking that doesn’t have an online component. As a result, a bank’s attack surface is now massive.

In this episode of Cloud Talk, join Rackspace Technology CTO Jeff DeVerter, Gary Alterson, VP of Security Solutions at Rackspace Technology, and Vincent Liu, CEO at Bishop Fox, a large, private professional services firm focused on offensive security testing. Together, they discuss how exactly the cybercrime landscape has evolved, what today’s modern hacker wants to exploit, and you can do to mitigate that.

DeVerter, Alterson and Liu agree that we’ve seen a serious escalation in the capabilities of cybercriminals, and the resources available to them. What’s unsettling is the degree to which nation states are now driving online intrusion techniques forward.

As Vinny Liu explains, one of the biggest vulnerabilities companies have is that they still don’t quite understand the nature of cybercrime, and, therefore, how they can actively combat it.

“When you're talking about bad guys actually going after your systems, a lot of people just think it's like some black box, where  some magic incantation happens, and “voila”, there’s a hack that occurs. It's not that. Ultimately, it's a combination of small problems — a little hole here, a misconfigured file there, a bad password, a missing patch — that open you to attack.”

It's the combination of these misconfigurations, bad passwords, overly exposed attack surfaces, and missing patches, that combine to create a situation where somebody could break in or take advantage of your assets or systems.

If it’s the small things that kill you, then, as Liu explains, knowledge is power and protection. “What most people don't realize is that there's actually quite a bit that you can do, that you can test, to protect yourself from a breach,” he says.

Liu goes on to explain that penetration testing is one of the most effective tools in any company’s toolbox. “Bishop Fox has been around for 16 years, and we’ve have had a singular focus on offensive security testing, which means our experts are actively trying to find ways to break into a customer’s networks, applications, products and infrastructure before the bad guys do,” Liu says.

All three men agree that every issue should be treated as critical, and that you shouldn’t just rely on a vendor to let you know what you need to focus on.

“The vendor will tell you that this vulnerability is critical because it’s so large you could drive a truck through,” explains DeVerter. “And while that’s true, to use another analogy, that small crack in the window that lets a bad guy peer through and glean just enough of your password, just enough of your configuration settings, well, that’s just as critical.”

As Alterson explains, all of this speaks to the fact that defensive security might not be enough anymore. Increasingly, companies are taking an offensive approach to security in an effort to find vulnerabilities and break into their systems before the cybercriminals can. Along with that, these companies are also retraining their focus on performing the simple, basic tasks related to security very well.

“What I would impart to most people is that if you do a few things, and you do them really well, you will have most of the risk solved,” says Alterson. “You have to consistently apply patches. You have to turn on two-factor identification. You have to have secure code development practices. These things aren’t sexy. But they get the job done.”

As Alterson puts it, “You just don't want to be the slowest target for the hungry bear. When you are practicing good hygiene, you’re turning away the opportunistic hackers, and you’re slowing down the determined ones, making them noisier, and giving yourself a better chance at detection.”

DeVerter summed it up well with his point that following this playbook can help ensure you don’t end up on the front page.

Cloud Talk covers topics like multicloud, digital transformation, containers and Kubernetes, IoT, edge computing, data and more. Episodes are short and sweet — around half an hour — and available from Apple Podcasts, Spotify, Stitcher and anywhere else podcasts can be found.