Interview with Eyal Estrin
Email interview held on 15th September 2017 – as follows between Alan Radley (questioner) and Eyal Estrin (relator):
1. What are your thoughts on the current state of cybersecurity, both for organizations and for consumers?
A. The major risk I see today for home consumers is ransomware attacks, due to a lack of understanding of the risk that results from clicking on links and from avoiding common practices such as patch management, backups, etc.
B. Another topic that is receiving many headlines these days is IoT – from medical devices, to smart homes, to autonomous cars. They all share the same fundamental problem – they were developed without security in mind and, as a result, we see how easy it is to break those devices, due to default passwords, almost no encryption, etc., and use them to harm humans and for distributed denial of service attacks.
C. The major problem for organizations is the skills shortage – it is a very challenging task to find a relevant cyber-security expert with broad knowledge in many areas – hands-on experience, speaking the language of risk, being a good presenter in front of senior management and a good writer (from policies and guidelines to management reports).
2. What – in your estimation – are the reasons behind the many computer security breaches/failures that we see today?
At the end of the day, we are still facing breaches due to human errors: organizations failed to do the basics such as patch management, configuration management, auditing, etc.
A. An average enterprise has so many systems to maintain, and combined with mobile workers, cloud services and shadow IT, the chances of the CISO or the IT manager being able to get relevant information in real time and to prioritize the relevant events that need immediate attention, in order to respond in a short time to a possible breach, are very low.
B. From my point of view, the information security world has not changed much from what we knew 10 years ago.
3. Where do you go to find your “science” of cybersecurity?
- The preferred method from my experience is to be able to present senior management with a couple of alternatives and be able to speak about the pros and cons of each alternative.
- This requires multidisciplinary knowledge in many areas of expertise (from technical, infrastructure, architectural, business related, legal, etc.)
- The “science” from my point of view is to be able to review business requirements against the risk to the organization (breach, legal, reputation, etc.) and be able to come up with creative ideas for how to enable the business to grow and be innovative, while keeping the risk to a minimum acceptable level.
4. Do you recommend a particular cybersecurity blog that our readers could follow?
- I recommend reviewing the following cybersecurity blogs:
- Cloud Security Alliance blog – https://blog.cloudsecurityalliance.org
- Security Affairs – http://securityaffairs.co/wordpress
- Brian Krebs blog (Krebs on Security) – http://krebsonsecurity.com
5. What keeps you up at night in the context of the cyber environment that the world finds itself in?
As a cloud security expert, I am having a lot of conversations with major cloud service providers, and I find it strange to see that even major providers lack transparency: they may be auditing every transaction, but they fail to expose APIs to allow customers to pull event logs and conduct self-investigation.
A mature cloud service provider will have no problem allowing its customers access to audit logs and external audit reports (such as SOC2 Type 2), and allowing its customers to schedule and conduct penetration tests against the systems that store/process its customers’ data.
Another major problem is the difficulty of understanding contracts – you need to be a lawyer in order to read the small letters and understand what you are agreeing to, and what the cloud service provider’s commitments are.
Thank you kindly Eyal Estrin for taking the time out of what must be a busy schedule to answer our questions in such a purposeful way.
Interviewee: Eyal Estrin,
CISSP, CISM, CISA, RHCE, CCSK, Security+, MCSE:Security, MCITP:Enterprise Admin