Andrei Avadanei is the Head of Cyber Security at SwissClass Trade AG. He has worked in the field of "White Hat Hacking" and security consulting since he was 13 years old. He is one of the leading cyber consultants for new technologies, which clearly comes from his youthful drive to explore the latest technologies and take them apart to find the flaws in the system.
We wanted to ask Andrei about a sector that is basically the backbone of the Swiss economy. Of course, we are talking about KMUs (small and medium-sized enterprises), and we wanted to know from Andrei what the biggest threats are that this sector faces and what the biggest mistakes are that those companies make with regard to IT security.
Hi Andrei, thanks for taking the time again to sit down with us for another topic.
I know you have seen KMU IT Infrastructures and Networks probably more than you were allowed to, based on the premises of Cyber Security of course. What is a typical setup for such a KMU?
Yes, I've seen a lot of approaches to KMU IT infrastructures, some of them with a really good design, while others show not even minimal responsibility for their assets. A KMU company usually has several domains and subdomains used to showcase products and services, a few offices linked together with a VPN connection, internal applications used for CRM, HR, PR & Marketing and overall management etc., Wi-Fi for guests and also for employees, workstations or dedicated laptops, a single ISP, smart devices, an email server, maybe several backup servers and, most importantly, employees.
What are the common denominators within all those KMU IT infrastructures, and what have been the easiest ways to exploit them in the past?
If you look closely at my previous list of assets, which are usually found in a standard KMU, you'll discover that I've actually described points of failure which can be used by an attacker to obtain access to restricted areas. Hackers will always tend to find the easiest attack vector, and in some cases it might be the company's website, while in others it could be a mix of small security issues that, when combined, give full access to the company's assets. In other cases, a physical presence in one of the company's offices might be needed. Moreover, one of the significant risks for any company is their employees. People are the easiest link in the chain when you plan to attack an IT infrastructure, and departments such as HR, PR & Marketing and Sales, which often interact with external people, are so vulnerable. To understand how serious this issue is: in all the social engineering attacks we've done, 30-80% of the employees remotely targeted were infected.
How long would it take someone with enough motivation to intrude into their network?
This is actually a really good question. First, all companies should understand that they are targets: some of them are in the eyes of organised cyber crime, while others are attractive to smaller groups or even individuals.
Second, we need to understand that the most important asset for hackers is time, and they have all the time in the world to find a breach, while for a company a single point of failure is enough to lose years of work, clients, assets, partners etc. Last, a hacker can gain unauthorised access in anywhere from a few seconds to months.
Moreover, reports suggest that a company discovers it was hacked only after 250-300 days, and this happens mostly because of a third-party report.
So, when a company says it is too small or insignificant for hackers, or that it hasn't experienced security incidents, it must check its infrastructure right away, because it is almost certain that security vulnerabilities exist and it is just a matter of time, if it hasn't happened already, before it becomes a victim.
What are the easiest ways to prevent this?
Be proactive. Contact security specialists to evaluate your infrastructure, prioritize assets, discover vulnerabilities using professional services such as white-box and black-box penetration testing, and help you mitigate all findings. Develop business continuity processes, disaster recovery plans for critical assets, backup procedures, vulnerability scanning schedules and procedures, and data leakage prevention in order to stay one step ahead and be ready for the worst.
How should you evaluate your security partner? What kind of elements and certifications should you look for?
If you plan to evaluate a potential security partner, you should pay attention to several aspects, such as: how detailed the proposed methodology is, whether he has previous experience in similar projects, and how willing he is to help and not only to get his paycheck.
On top of that, for penetration testing services, specialists with Offensive Security certifications such as OSCE, OSCP, OSWP etc. are gurus in their field, while certifications like CISA and CISSP can indicate that you are working with a professional security partner who can handle the procedures and compliance services. Moreover, if you learn that the company's specialists are involved in really hands-on activities such as Capture the Flag competitions, research and IT security bounties, or regularly write content in public channels, you should definitely give them a chance.
Now, I know you have been in the cybersecurity world for quite some time. Where do you think the biggest mistakes have happened between security providers and their customers?
Companies misunderstand how important it is to have a proactive approach regarding the security of their assets and consider that their work is not important to hackers. From this dangerous mindset, many related issues arise, which can make the difference between several thousand spent wisely to protect the company and millions lost because of a simple mistake. To get an idea, a study from the Ponemon Institute suggests that the total cost of a security breach in 2016 is $4 million. The study also reports that the average cost incurred for each lost or stolen record containing sensitive and confidential information is now $158, but the cost per record breached ranges from $355 for healthcare organizations to $172 for the retail industry and $129 for transportation companies. The same study suggests that 1 in 4 companies will be one of the next victims in the following 24 months.