High Tech - Low Code

#4 Fighting Cyber Attacks: How to Become a Cyber Security Specialist

OutSprint Season 1 Episode 4

Tune in to our discussion about cyber security with executive, public speaker, author and international judge Francesco Cipollone and successful recruiter Owanate Bestman in this week's episode of High Tech - Low Code, your podcast for low code and high technology development, presented by OutSprint.
Discover how you can become a cyber security specialist, what risks a cyber security specialist must protect against and what the future of the industry looks like.


Mario Cunha:

Hello and welcome to the High Tech - Low Code podcast. In this episode of the podcast, we are joined by Ian Taylor as our co-host. How are you doing, Ian?

Ian Tailor:

I'm doing very well. Thank you, Mario.

Mario Cunha:

Today's topic is cybersecurity. And for that we have the pleasure of having as our guest speakers Francesco Cipollone and Owanate Bestman. Francesco is an executive, public speaker, published author and international judge, host of the CSPC podcast, and has held several roles ranging from head of application security to head of security architecture, also armed with extensive experience related to the implementation of security across multi-cloud providers such as Amazon AWS, Microsoft Azure and Google Cloud. Owanate is a successful recruiter, passionate about assisting security leaders and security practitioners alike to meet their career and business goals, with an excellent record of staffing high profile regulatory and commercial driven cybersecurity and technology risk programmes globally. Thank you very much, both, for giving us this opportunity to have a chat with you. I would like to start by asking how you are and if you'd like to give the listeners an intro about yourself?

Owanate Bestman:

I'll go first. I'm very good. It's been a good week, good month, and no complaints on my part whatsoever. I appreciate the invitation to speak to your audience. In terms of what I do, I'm the founder of Bestman Solutions, which is a recruitment firm dedicated to assisting CISOs and security practitioners within the field of hiring. So I specialise in placing individuals in technical positions such as security architecture, and also non-technical security positions such as policy, governance, assurance, what we call GRC. I work in a global capacity, primarily within the mid to senior market. But I also spend a lot of time advising maybe rookies trying to get into the field and location, what they should do, and what good looks like. I also spend time speaking to CISOs to advise them of the hiring needs and how the market might impact the headcount goals and plans moving forward.

Francesco Cipollone:

Hey, Mario, hey Ian, and how you doing?

Ian Tailor:

Good, thank you.

Francesco Cipollone:

I won't list my stuff, because it's too long. I'm heading up the Cloud Security Alliance for the UK, and I'm on the podcast as well. I'm heading up a couple of, one startup and a consultancy. So what we do, in a nutshell: I tend to help the cybersecurity space and non-cybersecurity space with securing their applications, cloud and so on. And we have technology that backs us up. And we really want to help people get better at secure coding and get more people into the industry. I'm a big advocate for diversity and really passionate. I mean, no one knows that I'm really passionate about bringing people from different parts of the industry into cybersecurity and getting the help that I need to get up to start. So that's a little bit about me.

Mario Cunha:

That's great. That's great.

Ian Tailor:

So could I ask you, let's start with Frank. How did you get to where you are today? Kind of talk us through your path and what made you go into the technology side of it?

Francesco Cipollone:

It's really a funny story. So I stumbled into cybersecurity completely by accident. So I started a career in IT fundamentally, and I was studying at university. And I took one optional field that was cyber security and cryptography. And it was really, really cool. And I started getting into it, more into it, and then started challenging my professors, the professors challenging me, and all of that. They said, you're great at this. I said, am I? So yeah, why don't you, why don't you? Why don't you start working on this tiny piece of work that took a year to bring it up to market. It was a little bit in the earliest days of virtualization and security in the virtualization world. And at that point in time, it was absolutely not convenient at all to write. I remember writing like really low code, assembly code mix etc. to actually communicate with the virtual machine from the host machine, and whoever is in the space knows how painful the early days were. I don't know if you guys wrote in assembly, but it's not fun at all. So I'm really grateful to be in the low code, almost no code, because that thing was absolutely dreadful. And then I kind of grew into it day by day, so I started my consultancy and training company back in Italy. Then we sold, we started working with Microsoft and Cisco more and more, and then expanded here in the UK, and really jumping from cybersecurity then back in cloud security, now in application security. Security is such a nice and wide field to be in. And sometimes it can be scary. That's why me and Owanate have done a lot of episodes, virtually and non-virtually, to actually help a new starter get into this field that can be so confusing. And it's confusing for security people; I can imagine for people that are not in this field.

Ian Tailor:

Thank you very much. And that is quite an interesting journey for you. It is. Owanate, would you like to give us a kind of, how did you kind of lean into this career path?

Owanate Bestman:

Well, first off, any recruiter that tells you they wanted to get into recruitment whilst they went to university or something like that is lying, and I'm going to call them out right. Back so everyone, myself included, I fell into recruitment. First off, so I started placing, I've been in recruitment for a long time now. Well over 15 years, I think my last count was 18 years, I stopped counting, along with a couple of grey hairs. But I started off placing pharmacists, actually, in the NHS and in pharmaceutical companies. But I was the first one to actually place a pharmacist within a prison, a locum pharmacist, we call contractors locum. So that's my claim to fame. And I moved out of the public sector, and I placed individuals within IT first, second and third line, primarily in two banks. And this was the crazy days of recruitment, or I equate it to the Wolf of Wall Street. So that's all time, was it was Wolf of Wall Street. Well, yeah. So and then started refining it somewhat. I moved from organisation to organisation, and I spent the last seven years assisting security professionals, and it was just prior to that, operational risk. So that was a very good transition. Sometimes I describe cybersecurity as operational risk, just with more of an IT flavour. So it was quite an easy transition. And what's kept me at it is some of the interesting, crazy, smart people you meet along the way. So yeah, and here I am, I set up my own firm in April. Perfect timing at the very start of the lockdown. So it was..

Francesco Cipollone:

..a Corona company.

Owanate Bestman:

Yeah, I was on garden leave when it happened. I thought, all right, you know, a nice thing to say anyway, so touch wood. So far, so good, headed in the right direction. And it gives you an opportunity to speak to even, even more people at this time, because you're able to add more value. People are more open to conversations. So all good.

Ian Tailor:

Absolutely. Thank you very much.

Mario Cunha:

Yeah. I would like to ask, actually, from a recruitment perspective, what does an applicant need to do to position themselves in this competitive climate to secure a role? What certifications are most sought after?

Owanate Bestman:

It depends on how much experience they have, if they're just getting into security. Well, first off, nothing beats work experience. If you are able to link what you've done previously, in any sort of security capacity, even if it's physical security. That's very important. From a certification perspective, if you're just getting into it, I think the CompTIA Security+ is a very good certification to have. Now there are no real prerequisites behind it. Before the CompTIA Security+, there's CompTIA Network+, CompTIA A+, but strictly speaking, it's not necessary to complete those certifications before you go to CompTIA Security+, only a good understanding of IT, and a good understanding of Linux and Unix. Now, as you progress and gain more experience, there are middle ground, intermediate certifications, such as CEH, Certified Ethical Hacker, which, off the record, doesn't actually make you a hacker. It's a good, strong security certification to have, but you have two years of experience behind you. Also go back to fundamentals as well as people try and move into security. I think that is, I think people forget some of the fundamentals, such as do your research on the company, do your research on what purpose security serves within the organisation. Realise that whilst in most organisations it's not a money making area, it is an area in which you save money for the organisation. You save money by preventing the organisation, as much as you can, from being hacked, which leads to losses, reputational risk, and also leads to regulatory fines. It's very important. This is a very saturated market, a lot. I mean, if you look at the term cyber security: information security back in the days was IT security, IT security is information security, now it's cyber security. You know what, cyber is a sexy term, it sells, it's probably a marketing term. With that you have more individuals interested in it.
It's important to network as much as you can. Obviously, we're not able to network physically here, but there are associations you can join. It's important to do your research as to the organisation's impact within the actual industry, what they've done. So and also where you want to go in security. There are non-technical areas in security and technical areas in security; it's important to have a goal in mind and research the certifications along with that. But nothing beats, nothing beats experience. If you can, if you're not working within security currently, but you are working in an organisation, if you can put your hand up, volunteer for any security related programmes, security related projects, find a sponsor within IT, and you're able to articulate that and put that into your resume, then you stand in a much better position, or ultimately research.

Mario Cunha:

For those certifications, do you advise any institute?

Francesco Cipollone:

Maybe I can pitch in, because let's not forget that there is also a lot of open source, there is a lot of open source stuff and a lot of people doing free and available things. So certification is great, and I absolutely agree with Owanate, experience is fantastic. But also there is a lot of stuff. If I can mention, the Cloud Security Alliance is doing a lot of stuff on cloud security. We have conferences, we have talks, Owanate has been on some, and we've done like the full path for DevSecOps, or certification or any kind of these things, but also dive in, because effectively, right now that all these conferences are online, just absorb all this knowledge, because it's free and it's available there. So you don't necessarily need to do the certification. Certifications are great. But they cost money. And right now, in this moment of scarcity, where people are out of a job, OWASP is a great place where everybody is pushing in. And it's not just about web application security; it was born as an open web application security framework, but it expanded and has a lot of flagship projects and a lot of great people that can guide and share their knowledge, and it's for free. So go out there, search for (ISC)² or CSA or OWASP, they are great, or ASA, they are a great place to network and to get free information.

Mario Cunha:

Great. Thank you very much.

Owanate Bestman:

Can I just add on to that as well, Mario? You mentioned a good point. I'm a big fan of the term free. I recently compiled 10 free training courses, specifically dedicated to security: some are in cryptography, some are in GRC, some are in security architecture. These are all free and they run at various levels, from intermediate, rookie, straight through to experts. That's actually on my website, on the publications page of Bestman Solutions; if you go to that, I've listed 10 free training courses. It's also on LinkedIn as well. So go to the publications webpage of bestmansolutions.com and they're all listed there, a number of them from the Open University as well.

Mario Cunha:

Okay, okay, so the website, just to confirm, is bestman.com, right? And we can

Owanate Bestman:

No, no, it's bestmansolutions.com. If you go to bestman.com it might take you to a stag company to do that as well, but

Mario Cunha:

Let's take bestmansolutions.com, just confirming.

Ian Tailor:

Branching out into a whole new role. I thought about that. Yeah. Okay, so just to bring it back to cybersecurity. So obviously OutSprint were OutSystems, but taking into account the platforms, OutSystems powers absolutely the low code, no code type solutions we have out there. And obviously with the pandemic, people have been using these more heavily now. What would you consider the biggest risks that need to be kept an eye on for these low code systems and platforms?

Francesco Cipollone:

I will say cybersecurity is first of all, because right now we saw massive cuts in cybersecurity teams, and the organisation will still need to deploy. And actually even more right now, people are trying to find different and new clever ways in these times of scarcity. So I really love the idea of almost no code writing, and it is in line with Gartner's zero code or code initiative, or citizens code initiative, that I really love because it brings everybody from their organisation to actually write code or get that empathy towards engineers, and to bring effectively the prototype to market as fast as you can. But the only problem with that is that everybody that puts together a piece of code or a piece of an application could potentially publish it up, not involving security. And that could lead into, first of all, if you are lucky, in a reported project, brand reputational damage, but if you're not lucky, there could be a breach point. So I would say low code is great, but also always involve security in, you know, assessing, or maybe test the application in an environment that is safe, where the client can come and try it out, but in a very safe way. And if you want to take it outside, take it outside just on a temporary basis, or put MFA plus an authentication login, so that you prevent the occasional hacker or the occasional attacker from breaching your application just because you put it there occasionally. So just always be conscious that even if it's a demo, if it's a prototype, anything, it just affects your brand and affects your organisation or brands, and test it. If you take it to production, test it, it's like with a vulnerability scan; if you don't want to buy an expensive pen test, code and/or pen test it, because it's the best way to actually break the logic of an application. And we offer both services. So if you don't know where to go, come to us.

Ian Tailor:

Very generous of you, we will be looking for the discount.

Francesco Cipollone:

Absolutely, we offer discount to authors.

Ian Tailor:

Thank you very much.

Mario Cunha:

Still using that as a segue and taking into account platforms such as OutSystems or Power Apps, and that platforms such as these are helping with the current wave of digital transformation that was kickstarted by the pandemic, what would you consider to be the biggest risks that we should keep our eyes on?

Francesco Cipollone:

Web assessments, web, I mean, if you look at OutSystems and if you look at any low code, it is effectively just pieces of code put together to describe a workflow, to describe an application. So the traditional problem with a piece of code is that you can atomically evaluate an application or a piece of code or anything that is secure by itself, but then you put it together and the different components can operate in a way that makes an application behave in an insecure way. And that's bread and butter for an attacker, because they try to break, while they try first of all, occasionally, to break an application, to break into a system using, you know, the common vulnerability: you have a port open that may be exposing a web server that is vulnerable, or any other occasional stuff that is easy to exploit. But then the next level is they try the web application, they try to probe other fields, or try to see if they can steal your cookies, if they can steal a session. And that's individually, it's complicated, too. But then the other part is, they try to break the logic of an application. So if you put together a prototype that maybe leads to an internal database with some user information, maybe they try to bypass the authentication, which may be inserting some fields. So it's always better to insert that kind of testing mentality in all your development lifecycle, so that when you bring an application into production, you start thinking like an attacker, you start trying to break your own application. And if you instil it in your own developers, they can think, first of all, on how they can break their own application, where they need the testing, in a more consistent way. I don't know what you guys think?

Mario Cunha:

I was thinking about what you just said, and most of these low code platforms already offer out of the box authentication methods and whatnot. I would like to trust those authentication methods to say, okay, these are secure enough to at least withstand an attack from a hacker. What's your view on that?

Francesco Cipollone:

Yeah, I mean, I think 30% of the attacks right now are through credential stuffing. So because there are so many breaches, people are just collecting. I mean, there is Collection #1 to Collection #5, that is like gigs and gigs and gigs of files with usernames and passwords. So an attacker, any kind of attacker that is worth their name, has those at hand and can try them continuously. So even if normally an attacker or a user uses the traditional credentials, it's not that the authentication system is not safe; it's that it's very common that those passwords might have been used somewhere else. And - I see - you could potentially build a super secure authentication method, but then you lose the consideration that an attacker will not try to break a protocol, because people will have tried to secure their protocol to the nth degree. But then they will use the occasional thing that is, do I have the credentials, let's try all the credentials, and maybe crash the application because you try too many credentials at a time. And an attacker is fundamentally thinking outside of the box. And if you think outside of the box, like an attacker, and say, well, I have an authentication system, and then I have multi-factor, if you try them both it is really, really hard to break it. And that's actually how to get rid of, for example, things like credential stuffing: just pull multi-factor, even SMS factor authentication, in immediately, and you've secured an application with an authentication flow so much better.

Mario Cunha:

Never thought about it this way that social engineering could actually be the undoing of my application.

Francesco Cipollone:

So you can build the most secure things, and then you break the logic of an application. For example, one thing that we were testing some time ago on a client: they built a very secure application, we vulnerability assessed the application, almost nothing showed up, they were super, super proud. And then, you know what? I inserted admin at the end of the URL. And I completely bypassed the authentication system, because it didn't - uh, that must have hurt - but they never thought somebody would have done that. And the authentication system was perfect. They had multi-factor, but they forgot to take the authentication on into re-authenticate. So effectively, that was a problem. Or a more ingenious way would be, you know, you steal a token from a client and replay the token towards the application. And if the client is an admin, I replay that token and I'm an admin immediately; I stole that session. You need to think outside the box: attackers are getting, like, vulnerabilities into laptops for that specific reason, to steal credentials, to steal cookies, to steal tokens, because that's the easy way. That's the easy way: you can social engineer somebody, say "I'm your boss, I need this email immediately" or "click on this website, enter the credentials", store the credentials, I am your admin immediately. So you might build the most secure application, but then you forget the human aspect of cybersecurity. And it's usually the weakest link, but it's the one that works, and attackers use it. Yeah, and it's not the user's fault; it is whoever designed the application that hasn't thought it through, or whoever is effectively the cybersecurity professional or responsible for cybersecurity that doesn't have a solid cybersecurity strategy. With a solid cybersecurity strategy, I say, look at application security, look at vulnerability assessment, and look at the human aspects of how you can train your users to not react to weird emails, or to always question weird emails.
And it's as simple as that.

Ian Tailor:

Yeah, absolutely. So, as we're kind of closing up this podcast, I'd like to get your thoughts. You know, what is the vision? You know, where do we see cybersecurity going, when we take into account the rapid progress we're making, and how smart hackers are getting? Where do we see this going in the future?

Francesco Cipollone:

So let me add just a little bit because, of course, I'm Italian, I've been speaking a lot. It's my bad. But I see, I see almost like everything is getting outside the data centre. More is getting into the cloud. And the only thing that we are left with is securing some code and securing some cloud environments. And that's where we've been investing heavily, in helping our clients secure their code and the cloud, because that's where we think cybersecurity is going to go, and everything else will be almost automated or automatable. So the more you secure your code, the more you secure your user behaviour, the more you have a structured strategy, the better you are at cybersecurity.

Owanate Bestman:

Yeah, I certainly agree with that, especially around automation and whether or not that is artificial intelligence as well, in the progression towards artificial intelligence. So I'm coming from a recruitment perspective. And I think the implementation of artificial intelligence will diversify the job descriptions and diversify the duties of security practitioners, in which a lot of the monotonous activities won't be automated. And perhaps we can get back to some of the human elements as well. And to maybe recruit people that think like hackers, from a wide diversity, from a wide pool of society, to reflect the actual hackers as well. So rather than being more reactive, to effectively be more proactive. That's my wish. What do I know? Can I do if I justify CISOs? And what to do, right?

Mario Cunha:

Thank you very much Francesco, Owanate and Ian for being able to join us and taking time from your schedules to be able to participate in this little chat of ours. Pleasure. Thanks again. Thank you very much, all of you.

Francesco Cipollone:

Thank you, Mario. Thank you Ian.

Mario Cunha:

And with that, we wrap up this episode. Thank you very much for listening, and we hope you join us on our next episode of the High Tech - Low Code podcast, where we will feature another guest and approach yet another topic of extreme importance. See you soon.