Summary
In this episode, we discuss cybersecurity with Evgeny Karam. He shares his experience and insights on how to approach cybersecurity, including the importance of security awareness, multi-factor authentication, and password rotation. We also talk about the challenges of cybersecurity and how to protect ourselves and our businesses.
Detailed Notes
In this episode, we discussed cybersecurity with Evgeny Karam, a seasoned expert in the field. He shared his experience and insights on how to approach cybersecurity, including the importance of security awareness, multi-factor authentication, and password rotation. He also talked about the challenges of cybersecurity and how to protect ourselves and our businesses. Evgeny emphasized the need for individuals and businesses to be aware of cyber threats and take proactive measures to protect themselves. He discussed the importance of multi-factor authentication and password rotation, and how these measures can help prevent cyber attacks. He also talked about the need for businesses to have a good understanding of cybersecurity and to invest in cybersecurity measures to protect themselves. Overall, the episode provides valuable insights and practical advice on how to approach cybersecurity and maintain online security.
Highlights
- Security awareness
- Cybersecurity in general
- How to do it better
- Be secure
- Aware of attackers
- Do things to help yourself out
- Multi-factor authentication
- Password rotation
- Firewalls
- DNS poisoning
- SMTP
- HTTP
- HTTPS
- Compliance
- Smart cars
- ChatGPT
Key Takeaways
- Cybersecurity is essential for individuals and businesses to protect themselves from cyber threats.
- Security awareness is crucial for individuals and businesses to understand cyber threats and take proactive measures to protect themselves.
- Multi-factor authentication and password rotation are essential measures to prevent cyber attacks.
- Businesses need to have a good understanding of cybersecurity and invest in cybersecurity measures to protect themselves.
- Individuals and businesses need to be aware of cyber threats and take proactive measures to protect themselves.
Practical Lessons
- Implement multi-factor authentication and password rotation to prevent cyber attacks.
- Invest in cybersecurity measures to protect businesses.
- Be aware of cyber threats and take proactive measures to protect yourself and your business.
- Develop a good understanding of cybersecurity and take proactive measures to protect yourself and your business.
Strong Lines
- Cybersecurity is essential for individuals and businesses to protect themselves from cyber threats.
- Security awareness is crucial for individuals and businesses to understand cyber threats and take proactive measures to protect themselves.
- Multi-factor authentication and password rotation are essential measures to prevent cyber attacks.
- Businesses need to have a good understanding of cybersecurity and invest in cybersecurity measures to protect themselves.
Blog Post Angles
- The importance of cybersecurity for individuals and businesses
- The role of security awareness in preventing cyber attacks
- The benefits of implementing multi-factor authentication and password rotation
- The need for businesses to invest in cybersecurity measures to protect themselves
- The challenges of cybersecurity and how to overcome them
Keywords
- Cybersecurity
- Security awareness
- Multi-factor authentication
- Password rotation
- Cyber insurance
- SIM swapping
- DNS poisoning
- SMTP
- HTTP
- HTTPS
- Compliance
- Smart cars
- ChatGPT
Transcript Text
Welcome to Building Better Developers, the Developer Nord podcast, where we work on getting better step by step, professionally and personally. Let's get started.

Well, hello and welcome back. We are into a new interview and we're going to be speaking with Jenny Karam. And I'm hoping I got that right, but I probably didn't quite. He will correct me shortly. We're going to be talking about security. We're going to talk about sort of security awareness, but really it's more about cybersecurity in general and how to do it better, how to be secure, where you need to be aware of attackers, and some things you can do to help yourself out, from somebody that does this day in and day out, a long-term professional. So let's get right into our conversation. I think you're going to get quite a bit from this interview.

Well, welcome back. Today we're going to talk about cybersecurity. We've done this a couple of times, but now we're going to talk to somebody that's been in this for a while. We're going to talk about how it impacts you, how it impacts your business, whether it's small, medium, or large, and get a little sense of how things have progressed over the years, particularly if you're in, you know, have an interest in it. If you need to look into it, then you can sort of see some of those trends that are out there. So we are speaking with Evgeny Karam and we're going to have a good conversation here. So I want to toss it over to you and say thank you for coming on to the show. And if you want to give us a little bit of your background, then we'll dive in.

Definitely, Rob. Thank you very much. Very happy to be here today. I've been around for quite a while, around 20 years. I started my career in the Navy, in the Eastern Navy. It's more about IT, but it gave me a very, very good perspective and also groundwork. You work with Windows, you work with Linux, networking, cables. And I had the opportunity to understand the basic, basic stuff for a number of years.
Later on, when I finished my Navy, I went to a company called Chakpo back in Israel and I did quality assurance, QA work, to basically test firewalls. During this time, I was pretty new in cyber. So for me, it was interesting and I was thinking it's all about cyber. When I moved to Canada, I realized the corporate world and the world when you work for a cybersecurity company are way different. You're actually not going very deep in debugging. You're not going very deep into understanding what's happening. The majority of the people are more high level. They're creating the policies, they're creating the rules. They're kind of understanding what's happening, but they're not going deeper. So I went from a very deep understanding of how systems are working to a higher level. And later on, I moved to architecture and design and I learned how different systems work together, how we can pair between them, how they can exchange information between them. For me, I'm a geek by trade, I guess. I always tell people I like technology; security is part of technology and I always liked security. Having said this, with time, as I went moving up and becoming VP of architecture with many enterprises, I learned that besides technology and security, there is also governance, there are also policies, there are also other things like business. And if you're not adapting your security to the business need, then you're not helping the company. You become a showstopper. It's an interesting journey. And what I also learned is that it doesn't matter where you are, there will be another level where you can climb and learn something.

Wow, that's... so I guess first I want to start with, sort of, the last thing there: how do you see the differences in where different companies should look at how they should examine their security, or how they should approach cybersecurity?

It's a good question. As we say in the industry, and also we say in the industry, it depends.
Because when you don't know what's happening, you probably want to understand, and sometimes you call it a gap assessment or some kind of maturity assessment, or just in general, which is a common assessment. If you move to a new house, what do you do? You call someone and you do an assessment of the house and they tell you the house is good, but there's an issue in the basement, there's some leaky roof and some other stuff. If you've lived in a house for a long time and, like, oh, you want to do a renovation? I would like to do the kitchen. I would like to do my bathroom. And if you don't know where to start, again, you call somebody, an expert, and say we want to do a renovation. These are the ideas we have. And they will come and say, this is a good idea, but I will not advise you to start with your kitchen because you have an issue on the second floor or an issue with the basement. So start there, build your foundation and then go from there. And I always like to give examples from the real world because sometimes the issues in cybersecurity or other fields are very complex. So when a company wants to understand what they need to do, I always advise doing an assessment, understanding what we're trying to protect. Assets: what do we have? What are we creating? That is going to be fundamental. Go back to the house idea. If I want to protect my house, I probably want to understand how many doors do I have, how many windows do I have? Are there any other ways to get into my house, and stuff like that? With the company, I also want to understand what are my crown jewels. Let's say I'm a small company and I'm doing insurance, or maybe I'm a marketing company, or I do something else. I'm a marketing company. I'm creating marketing for my customers. And if you think about it, okay, it's not a big deal. You know, I can work from anywhere. I can probably do anything I want. Why do you need cybersecurity? So what will prevent a marketing person from doing their job? Maybe they don't have a laptop.
Maybe they don't have access to the programs, like Photoshop or Adobe or something else, that they need to do the job. Or maybe they have a database of images, or maybe they have a database of the customer information. So if you don't have access to this information, now they cannot effectively do the job because they're missing images, icons, logos, or whatever it is. So by them not doing the job, it will prevent the company from making money, not delivering and losing money. Now, why I mentioned this: because if you have a ransomware attack, basically something got on your laptop or your servers and all the information got encrypted, it's going to prevent you from doing the job. Maybe your internet is down. Maybe your network is down. There are multiple, multiple examples of what can go down or break and prevent you from doing the job. And this is part of your assessment, that you want to understand: what do you need to protect? Again, every company will be a bit different and they will know what the need is to understand and to protect. It could be a simple question, or it could be a number of conversations with a number of people in the company, trying to understand and prioritize what's important. Besides this, there's also reputation. So back to the marketing company: something happened to your company. It got hacked and you're unable to do it. If you're a big company, it will go to the news, or you need to go tell your customers, "Mr. Customer, I'm sorry, I cannot deliver my work because I lost all my files." Or as a marketing company, or maybe a PR company, a public relations company, you have a lot of information about your customers; that is potentially very important and confidential information. So now you lost your files and you lost your customers' files as well. So what happened with your reputation? Would you go again to this company? Would you switch company later on? There are a lot of levels, like the Matrix movie, and you go inside, inside, inside of the complexity.
What happened to cybersecurity? Now, you've been doing this for a while, so I guess, sort of staying at a high level: have you seen companies and customers, potential customers, are they, for back at life, are they more savvy now? Do they seem to understand a little bit more? Are you able to start at maybe a higher level, or are you still finding a lot of situations where you really have to almost start at the ground floor and talk about security and some of the things you mentioned, like, you know, concern about privacy, or just bad reputation because you got hacked, and then, you know, ransomware or some of those things that are out there that are, you know, maybe a little more direct kinds of damage attacks, where you have to pay somebody off to get your data back, versus it may just ruin your reputation or cause some loss in business?

I think overall people are more savvy. People understand more what's happening. And the main reason, from my perspective, is like, you know, when you play with fire, you get burned and you know about this, but here it's actually the cyber insurance companies that are the main motivation and the goal. Why? Because go back to the marketing company, just for example. With your marketing company, you want to work with Rob, or you're getting on a deal and you're going to involve information and confidential information. If the other company is more mature from a cybersecurity perspective, they're going to ask you, "Hey Rob, you're a good marketing company. Do you guys have insurance?" You're like, "Oh yeah." "Do you have cyber insurance?" You're like, "What? What's cyber insurance?" So cyber insurance has become almost a status quo, not for everyone, but basically other people push you to have cyber insurance, and the insurance company, when they insure you, they also ask you, do you need cyber insurance? And when you do cyber insurance, you're not automatically getting insured.
Same with cars or houses. They ask, hey, did you have any damages and incidents and ticket violations? The insurance companies want to send you a document with: do you have a firewall? Do you have protection for your devices, and stuff like that? This market has been around for several years. I cannot claim it's fully, fully, fully mature. There are still deviations between cyber insurance companies, whereas car and housing insurance is pretty standard. You know, it's all the same questions. There are not a lot of changes. Maybe in the car, sometimes people tell us, hey, if you put a transponder or special device in your car, they see how well you drive, and lower your insurance. With cyber it's mainly a document to fill in. So to fill this document, you need to understand what's happening. Do you have multi-factor authentication? What do you do with your password rotation? Do you have a firewall? So the CIOs, the CTOs, the CFOs, or the IT directors will have to be more mature, to understand more about cyber to be able to fill it, even if you're an SMB. SMBs are the ones having more problems, in my mind, from the maturity perspective.

So I guess, and this is just a side note, but I know, because a lot of people deal with, you know, you deal with security no matter where you are. You're logging into something, you've got a password; multi-factor authentication has sort of become the standard for almost everywhere. So for somebody that says, and this particularly goes back to, I think, part of why we have multi-factor authentication in the first place, you know, somebody that doesn't protect their password, they're just like, I'll use password one, two, three, or something like that, and says, well, now I've got multi-factor, so, you know, I'm safe, it doesn't matter what my password is. What would you say to those kinds of people or that situation?

First of all, unfortunately, still not every company supports multi-factor authentication.
So it's not just the complexity of the password, but also, are you reusing the same password everywhere? So if you use one, two, three, you're going to use it somewhere else. Fortunately enough, the majority of the companies will not let you put one, two, three; they will say your complexity is minimum eight characters, one lowercase, you know, special characters, stuff like that. So you're not even able to use it, you're not able to repeat the password you used, and you're not able to use a simple password. So the companies themselves are making it harder, but we don't want to reuse the passwords. Now the problem may become: if I use multi-factor authentication and I have a simple password, where do I use it? What is the chance that somebody else is going to get access to your password? And they will try to disable your multi-factor authentication because somehow they are able to get to your email or somehow they can get to your device. So there are multiple ways to do this, but you definitely don't want to repeat the same passwords. You definitely don't want to do this. And you ideally want to use password management as well, because I use password management, so I don't really care about the password. It's gibberish to me right now. It's like 12 characters, something that I cannot even pronounce, but it's there. So I would not advise using it, for several reasons: what if it got disabled somehow, what if it's being used somewhere that doesn't have MFA as well.

Yeah, that's good. And you brought up some good points there. I think that's where some people still, you run into that, where there's like that introductory knowledge of security and cybersecurity and some of the things that you have to worry about, but, like you said, it gets into those details.
There's another level there that's like, well, yeah, you can be protected in this way, or you can look at it that way, but then there are going to be people who are going to look at it slightly differently. And now there's a different plan of attack for them.

And I want to add to this. If we read online, there were several attacks bypassing multi-factor authentication, because of some common way of authentication in the software, some common way like SMS text message or something else. There was an issue about SIM swapping for a company in the US, and other ways where basically you get the second factor of authentication somewhere else, or easy as well. So we're not saying MFA is absolute right now. It doesn't exist right now. No, no, it's still very, very effective and it is not so easy to overcome it, but there are still attacks. So don't make the bad guys' life easier.

So one of the things I would like, because you've had a lot of experience and you started out, as I said, you started out in the military, beginning very much with that foundation of knowledge, and then have been in this for many years since: how have you seen cybersecurity progress and where do you see it going in the near future? Like in the next year or two.

When I started, when I moved to Canada and I started, I guess, my enterprise cybersecurity, there was not a lot of complexity from the tools perspective. We had like five, six, eight different tools. We had the firewalls, we had the antivirus. There was a rise of anti-spam and anti-spam messages. But with years, and when I started, there were probably around 500 companies in cybersecurity, maybe 800 maximum. Right now we count almost 4,000 vendors inside of security. And the reason why is because the domains of cybersecurity became bigger. The problems became bigger. 20 years ago, there was no cloud, pretty much.
So everything cloud related, and all the domains in the cloud and security in the cloud, didn't exist. There was less focus on development. If I'm developing an application, there was not a lot of focus on, do I need to secure the application? Do I need to make it stronger? I shouldn't be using open source files that I'm not familiar with. So the maturity was not there, in a way. It was a bit easier. Also don't forget, 10, 15 years ago, even the connectivity, the internet was like, what, two megs, five meg, 10 meg from home; right now I have a gig and the majority of people have a gig. So the speed we operate at is much faster. The amount of files we can do is much bigger. There are a lot of things changing on the amount of data as well. And if you look at the interesting part, we create solutions in IT and technology in general. And then after a certain time, we like what we did, but then the bad guys figure out how to use it for bad. Examples: DNS is a basic protocol where basically, when you type a name, it's understood on the backend, doing dynamic name resolution, and gives us an IP. So if you go to CNN, Facebook, LinkedIn, and all these sites, on the back end it's actually an IP address. And there's a very big infrastructure on the internet doing this. It's a protocol that helps us, but the bad guys found how to play with it and give you different results. For example, it's called DNS poisoning. SMTP is a protocol for email exchange, also made for convenience; bad guys found a way to use it. HTTP is a protocol for you to browse, but there's almost no HTTP right now. Everything is HTTPS, with the S, with security, because you want to encrypt the traffic; nobody wants to alter your traffic when you're browsing and give you different results or potentially steal the information as it's going over the wire.
And there are many examples like this, including ChatGPT, which was announced last October, and everybody was happy for two months. And then they realized, oh, now we can use it for evil. What happens if you do that? Oh, actually the issue is compliance. What if I put my information there? What happens to this? And this is basically a trend: we create something for good, smart cars even, and now we hug the cars, and then the bad guys find a way to overcome this and use it for evil as well. I kind of give an example. If I take a knife, there's nothing bad about the knife. I can prepare a meal. I can cook. I can maybe do carving, but I can also use it for bad. So the same tool can be used in different ways.

And we will pause right there. We'll be back next episode. We're going to pick right up. We're going to have part two of our discussion and see where it goes. It's going to be actually a lot more of the same. So just be ready to continue your notes about some of the things that maybe you should think about to make sure that your application, your, really, your cyber life is secure, or at least as protected as makes sense, so you don't make yourself a target. I want to thank him for his time, but not completely, because he's coming back for more next episode. Hopefully you will too. And we'll see you then. So go out there, until next time. Have yourself a great day, a great week, and we will talk to you next time.

Thank you for listening to Building Better Developers, the Developer Nord podcast. You can subscribe on Apple Podcasts, Stitcher, Amazon, anywhere that you can find podcasts. We are there. And remember, just a little bit of effort every day ends up adding into great momentum and great success.

Hi, this is Rob from Building Better Developers, the Developer Nord podcast. We're excited to be on Alexa. Now you can enable us by simply saying, "Alexa, enable Building Better Developers." And we will be there, ready for you, every time you want to listen to your now-favorite podcast. Whether we are your favorite podcast or not, we would love to hear from you. So please leave a review on Amazon.