Q&A with Mirko Zorz, editor-in-chief, Help Net Security
TPG: What are the biggest technical security challenges organizations are facing?
MZ: We can divide all challenges organizations are facing today into two categories: human and technical. To make things more complicated, these are also interconnected and often interdependent.
On the human side, you have users that need to do their jobs while navigating a set of (sometimes difficult) cybersecurity rules. For example: the security team tells employees not to click any links in emails, but they need to be able to do that in order to do their daily work. So, they click anyway, or use workarounds, and then problems arise.
On the technical side, a large network will have legacy systems that can’t be patched, weak access control, unpatched servers and workstations, unidentified BYOD on the network, and the list goes on and on.
Vendors tend to promise that a shiny box can solve all problems, but that’s not how things work in the real world. Humans are the weakest link and no technology is able to fix that.
TPG: What needs to happen with IoT cybersecurity legislation and regulation?
MZ: Researchers have been exposing IoT security vulnerabilities for years. With more widespread enterprise adoption and attempts at regulation, the future looks bright, at least on paper.
We’re still a long way from seeing any meaningful impact of any IoT cybersecurity legislation until it becomes mandatory and enforceable. Enterprises should have policies that ensure every single IoT device adheres to certain security guidelines and, since they have dedicated security teams, this is not out of the realm of possibility.
How can the average person who wants a smart key for their apartment make sure the device they’re installing is really secure? It’s all a guessing game at this point. I would stick with traditional, hardware security solutions that are not connected to the Internet for the foreseeable future.
We haven't seen a critical IoT security incident with long-lasting damage impact the enterprise, but you can be absolutely sure attackers are looking to exploit every possible avenue, and the surge of IoT adoption could enable them to take advantage of overlooked security holes.
I wouldn’t be surprised if we see ransomware target IoT devices in a meaningful way.
TPG: What's the one piece of technology you couldn't live without?
MZ: My smartphone. I’ve been doing this for more than two decades now, but I still remember a time when I couldn’t just answer emails on the go, or even add to a story while on a flight. Some days it feels like I spend more time on my smartphone than my desktop computer and still manage to get so much work done.
TPG: How did you get your start in information security?
MZ: I always had an interest in learning how things work behind the scenes. Let’s say you’re at a music festival. Most people are probably wondering when the next act is coming up. I’m wondering what the logistics are for the unloading of the equipment for the 15 bands playing that day, or how the lights are synced for every single act, what software is running on those systems, and how one could access those systems.
This way of thinking drove me away from computer games pretty early and my focus was on exploring the ins and outs of everything a computer does, and with time I became interested in cybersecurity.
The growing interest in vulnerabilities and how systems can be secured drove me to join Help Net Security in the late 1990s. I was also working as a security consultant for a few years, but after that, I quickly focused exclusively on Help Net Security.
TPG: What was your first computer?
MZ: My first computer was a Commodore 64 back in the mid-1980s, and it’s the main reason I got into computing altogether.
Those were much different days. You couldn’t just use a search engine to find something, there were no online chat rooms populated with millions of experienced users you could ask for tips. You had a book or two, maybe, and if you were lucky there was someone in the neighborhood that could offer advice. That meant you had to prod for yourself, discover the ins and outs with no guidance. This lack of outside support or step-by-step instructions made sure I had to use my creativity to solve a variety of problems. I was hooked on exploring everything and anything right from the start, and I loved every minute of it.
TPG: What will be the most important technology issues of 2020?
MZ: CES is a good harbinger of what’s coming. If we look at what were the most showcased categories, we can anticipate where most of the issues will be coming from.
Unsurprisingly, the most popular products were in the following categories: smart home, wearables, digital health, biometrics, smart cities, and vehicle technologies.
- Voice assistants are omnipresent. How long before attackers manage to exploit them on a massive scale?
- Your smartwatch is a goldmine. The tech you wear every day contains a myriad of personal information, often in several apps. How long before these are compromised, and your data sold?
- Increasingly connected vehicles. Your GPS data, your contacts, your apps – all synced and readily available. The convenience is there, but how long before this data is exfiltrated? Would you be comfortable with someone having access to the data from your car?
TPG: What will be hot at RSA Conference 2020?
MZ: I’ve been coming to RSAC for nearly 20 years and it’s definitely the place where you can find out what industry leaders are thinking. I anticipate that the following topics will get a lot of attention this year:
- Voting, election security and the impact of disinformation campaigns.
- Using machine learning and artificial intelligence.
- IoT, the insecurity of medical devices, car hacking.
- The implications of GDPR and the introduction of CCPA.
- The insecurity of Industrial Control Systems and the increased convergence of IT and OT.
- The impact of open source tools on product security.
What I especially like at RSA Conference is the seemingly endless amount of networking opportunities. They even have the Engagement Zone, which offers various formats to facilitate discussions and meeting new people.
TPG: Any cybersecurity predictions for 2020?
MZ: This year is going to be similar to previous years, as we still haven’t solved the basic issues driving a great deal of threats.
Organizations of all sizes are going to continue ignoring basic security hygiene practices. Systems are going to remain unpatched despite readily available fixes, unused legacy technology will invite cybercriminals into networks, large databases will be left unprotected and freely available for download.
I expect even more data breaches than in 2019, but also more high-profile compliance-related fines for all the silly security mistakes organizations keep making.
The cybersecurity skills shortage will continue to have a significant impact and salaries in the cybersecurity industry will continue to rise.