Lessons From Inside: Two Cyber Experts Share Biggest Risks for Companies

April 26, 2023

On this episode of The Insuring Cyber Podcast, two cybersecurity experts shared their inside view of the current cyber risk landscape.

“While working in the cybersecurity industry for several years, you get to understand the pain points of CISOs (chief information security officers) and, in general, security leaders in organizations,” said Reuven Aronashvili.

While the good news is that cybersecurity experts are learning more every day with access to new tools and technologies, the bad news is that so are the cyber criminals.

“Think about the attack landscape,” Aronashvili said. “You have the cloud environment, you have [digital] platforms, you have the on-premises environment, you have the IoT (internet of things) devices…”

Aronashvili is the founder and CEO of cybersecurity platform CYE, based in Israel. He is also a founding team member of the Israeli army’s Red Team and Incident Response Team and is certified by the U.S. Department of Homeland Security as an Industrial Control Systems and Supervisory Control and Data Acquisition cybersecurity expert.

At CYE, Aronashvili works as an advisor and a partner to organizations that range from medium-sized to Fortune 1000 and works to plan, design, assess, and optimize their cybersecurity programs. He said his time working in the army taught him some important lessons, including the fact that the timing of cyber criminals is getting faster.

“Things that you see in a government environment, in general, those are usually things that are more advanced than what you see in the commercial world or outside of the army,” he said. “In 2005 in the army, we would see things that only maybe in 2012 or 2013 we started to see in the industry. So it was quite the gap. Today, the gap is getting smaller and smaller.”

He said now, cyber attacks seen in the army are showing up a year or two later in the industry.

“So really, the cycle of things getting commercialized…that’s a very short cycle compared to what we had in the past,” he said.

This means companies, including insurers, will need to keep pace. Aronashvili said the first step is understanding where the weaknesses lie.

“How do you take the technical risk profile of an organization and correlate it directly to the business risk? Meaning, I have a vulnerability…is it critical to my organization? What will be the damage in case of a compromise there?” he said. “Those are questions that are extremely important to answer, because based on that, you know what you need to invest, how much, and what is the effort that is required in order to recover.”

Gregory Hatcher, founder and CEO of White Knight Labs, helps organizations figure out the answers to those questions as well. White Knight Labs is a cybersecurity consultancy that specializes in offensive cyber engagements. Hatcher also has previous experience in the U.S. military and the U.S. government. Since transitioning out of the military in 2017, he has taught at the National Security Agency and led red teams while contracting for CISA, the U.S. government’s Cybersecurity and Infrastructure Security Agency. In 2021, he joined forces with John Stigerwalt to start White Knight Labs, where he works with a team of engineers to conduct penetration tests and help organizations improve their cybersecurity efforts.

“We work with the client to figure out what is their competitive advantage and how we can hurt it via cyber warfare,” he said. “We pick out two or three objectives, whether it’s stealing PII (personally identifiable information) or through proprietary information.”

It’s not all about hacking into technological systems and writing malicious code, however. He said sometimes, these penetration tests become physical.

“We’ll actually go on site. We’ll do things like dumpster dive. We’ll try to break into the building. We’ll try to clone badges. We’ll do reverse tailgating,” he said.

Reverse tailgating means the team waits for an employee to exit the building and enters behind them without needing access to a badge or building code. He pointed to an example of a recent physical penetration test the team conducted in Boston, Massachusetts.

“Everyone was working from home, so there were only like five people in the building,” he said. “I sat in the parking lot, and we actually did reconnaissance for a couple days. We found out the custodian takes out the trash at like 10:00 a.m. every morning, so I ended up doing a reverse tailgate on the custodian and getting into the building that way.”

With cyber criminals using every path to attack an organization – technological or physical – how can companies keep up? Aronashvili said prioritization is key – another lesson he carries from his time in the army.

“If you are not able to say what is more important, justify that, and act accordingly, practically speaking, you’re not able to protect your organization,” he said. “Very simple, right? All the guesstimation work … based on different frameworks that are considered to be market leaders or market best practices, those are all nice to have. But if you cannot justify, if you cannot back it up with a really scientific approach and scientific formula, that’s not good enough. And from my point of view, that’s what I’ve taken from the army and continue to implement as an approach at CYE.”

With AI chatbots, and their ability to write malware, emerging as another attack vector, one thing is certain, according to Hatcher.

“It’s a very interesting time to be in cyber right now,” he said. “AI is going to change everything. It already is.”

Check out the rest of the episode to hear what else Reuven and Gregory had to say, and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter.
