12 days of security: Day 7

00:00:00

Speaker 1: Hi, everybody. Welcome to the 12 days of Security with Bright Security. My name is Akira Brand. I am your host for today. Today I am joined by Senad Cavkusic. Senad, I’m curious if you can tell us a little bit about what you do here at Bright and give us a little bit of your background.

00:00:23

Speaker 2: Okay. Currently, I work as a senior security researcher and pentester. Previously, I worked for the MOD of Bosnia and Herzegovina, in the cyber security department. I also worked as a developer for some time. I think it’s really important for security if you have some coding skills. So I tried to put it all together in one way. But that would be probably… nice.

00:00:54

Speaker 1: Yeah, I hear you on the needing to have coding skills, especially in application security. If you’re speaking with developers, it’s good to be able to speak their language.

00:01:03

Speaker 2: Yes, so many courses. If you want to try to get into this area and push yourself, for example with the CH course or some others, they will tell you that coding skills are not that necessary. But I don’t agree with this, because how would you be able to breach into something if you are not able to read it?

00:01:31

Speaker 1: Right. Exactly. Like, how can you remediate these problems if you can’t find them in the first place? That makes perfect sense. So Senad tell me what happened this year in cybersecurity that really stood out to you?

00:01:46

Speaker 2: It’s really hard to say that something really stands out, because of Stuxnet. From my point of view, Stuxnet is the largest cyber attack that ever happened, because it produced kinetic disasters. So if we look around ourselves, we can see that this year was, in my opinion, one of the years where we faced the most serious attacks. And those attacks are just brute force attacks, or attacks where you try to push something in by force, but for much fewer attacks you have to push your brains more into it, like logical attacks or something like that. So we see that there are better ones, if I remember: there was the breach on Twitter, they stole more than 5 million records. Their labs set back. They’re all huge attacks. But it’s just that those attacks have become something like convenient. Yeah. Right. Something which produces the war effect, because we live with that. It’s kind of a normal thing today. What is the more interesting thing in all this is that organizations are becoming more aware of those kinds of breaches, those kinds of attacks. From 2019, from where COVID started, those kinds of attacks are getting much, let’s say, broadband.

00:03:45

Speaker 1: Yeah.

00:03:46

Speaker 2: Yeah.

00:03:47

Speaker 1: It sounds like. Oh, go ahead. Sorry.

00:03:49

Speaker 2: Yeah.

00:03:50

Speaker 1: What I was going to say is it sounds like there’s these sort of brute force attacks and then

00:03:57

Speaker 1: now

00:03:59

Speaker 1: Businesses are becoming aware of this. So it’s not as much of a… not that it’s not a big deal, but there’s more safeguards, right?

00:04:08

Speaker 2: Yeah.

00:04:09

Speaker 1: And meanwhile, you have these more and more sophisticated attacks that businesses are maybe not necessarily prepared for. And that’s very interesting to kind of watch, the progression from brute force to sophisticated logic-based attacks.

00:04:22

Speaker 2: Yes. But I mentioned Stuxnet. Even Stuxnet started with social engineering. But after that, they included a much more sophisticated attack in the way of logic, because they had to change the machines, the PLC devices and something like that. They changed the logic of the whole thing, of the whole infrastructure, how it works. But if we talk about DDoS attacks, like brute forcing, it’s just sending requests and trying to get through.

00:05:07

Speaker 1: Mm hmm. Yeah. Those brute force attacks are no joke.

00:05:13

Speaker 2: Yeah, I agree. But it’s not very often that they just, that they are successful.

00:05:22

Speaker 1: Yeah, that’s very true. They’re definitely a little bit… You’re right. They’re not as successful. People are more equipped for them, and yeah.

00:05:33

Speaker 2: It’s much easier if you try to do something like a phishing attack, where people will give you access to it.

00:05:43

Speaker 1: Yeah, absolutely.

00:05:45

Speaker 2: Because in this chain, man is the biggest target, and it’s always much easier to hack man, to hack people, to hack humans, than to hack a machine.

00:06:00

Speaker 1: Yeah, absolutely. That human element can be a very serious point of failure.

00:06:05

Speaker 2: Yeah, definitely. Yeah. Because we are playing on emotion.

00:06:10

Speaker 1: Yes.

00:06:11

Speaker 2: That kind of attack.

00:06:13

Speaker 1: Yeah. And people don’t necessarily make decisions based on logic. They make decisions based on emotion. And so, kind of on that note, maybe this will be a challenge that you faced. I’m not sure, but I’m curious what challenges you faced this year and how you overcame those challenges?

00:06:36

Speaker 2: Well, when you work in this area, in pentesting or security research, you have challenges every day, all the time. And those challenges push you through it, because you have to learn new stuff every day. So that’s the main challenge. If you want to be on track, you have to learn, to read every day, and there is no point where you can say, okay, I learned it, I know it, and that’s it. Because every day someone may come with a new payload, new stuff, a new way of attack. So every day is a challenge in this field. So.

00:07:23

Speaker 1: Sounds like kind of that continuous learning.

00:07:26

Speaker 2: Yeah, it’s kind of a loop, and if you want to be somewhere in this business, you’re not able to get out of this loop.

00:07:43

Speaker 1: Yeah. No, totally. You can’t just check out. You’ve got to be current. I’m curious, actually, what kinds of things you like to read and how you like to stay on top of this new information.

00:07:56

Speaker 2: Well, first of all, Google is the most important thing, because you can find everything on Google. So, in my opinion, the most important thing in all this is to know what you want to find and to know how to search for things. And you have to fit into something, like you cannot be an expert in development, an expert in pentesting, an expert in everything. Try to be an expert in one thing, and you will succeed in it. Just give yourself some time. And in time, if you push hard, if you learn to do stuff every day, you will be there. Definitely.

00:08:52

Speaker 1: That makes sense. Like you have to have that laser focus combined with a lot of patience.

00:08:58

Speaker 2: Yeah, exactly.

00:08:59

Speaker 1: That makes sense. So as far as next year goes, this upcoming year, 2023, what do you predict is going to happen in the cyber world?

00:09:10

Speaker 2: Well, it’s really hard to predict anything today, because stuff changes every day. But if we go back to World War Two, we can see that they were running for nuclear power. But today it’s AI, in my opinion. So AI becomes something that is involved, that will be involved in all branches, and also in cybersecurity. So now we have the kind of scanners that work based on coding. But tomorrow we will have AI scanners, AI stuff that will be able to search for something just like a human. That’s just how I feel. We face the change. It’s a really interesting thing. But I think that after some time, it will be much, much higher.

00:10:18

Speaker 1: Yeah, I know AI is a very hot topic right now, because there’s the one extreme that says AI is coming for all of us, it’s going to take all our jobs. Yeah. And then there’s the other extreme, which is that AI is just really basic, essentially statistical modeling, and it’s not anything that’s all that groundbreaking. So I’m curious if you fall in between these two extremes, and maybe you can tell us a bit about your opinion on the good parts of AI and the bad parts of AI?

00:10:55

Speaker 2: Well, in my opinion, the good point of AI is that we can use it to make our life easier, just like we use current technology, just like we use IT in current jobs and stuff like that. So now we can do many things more easily than our parents could do before, in any kind of business, in any kind of branch. And that’s where AI will contribute, to push it more. So I think that we will be more reliant on that than we are now on current IT. What is the bad thing in all this is, like Elon Musk said, that AI could beat us in some way. So if it gets to that level, that point, it would be a disaster.

00:12:06

Speaker 1: Yeah, I think there’s that kind of… the word is the singularity, right? And if we cross that threshold, then humans sort of become irrelevant.

00:12:17

Speaker 2: Yeah, I agree. Totally.

00:12:19

Speaker 1: Yeah. So my last question for you is what security gift do you want for the holidays?

00:12:28

Speaker 2: What security gift? I don’t know. It’s a really hard question, because I’ve spent so much time with this and I really cannot say that I want that. But I want Bright to become the first DAST tool, DAST scanner, in the world in the next year. Maybe that.

00:12:59

Speaker 1: That seems like a good one. Hey, and it would benefit all of us, so.

00:13:03

Speaker 2: Yeah. Exactly. Absolutely.

00:13:06

Speaker 1: All right. Well, Senad, thank you so much for your time. To our listeners, we’ve been speaking with Senad. And thank you again so much for tuning in to our 12 days of security. And we will see you all next time. Thanks again.

00:13:21

Speaker 2: Thank you. Bye.