Next up in our Stories From Cybersecurity series, we have an interview with Aaron Zander, Head of IT at HackerOne. HackerOne is a leading bug bounty solutions provider that is dedicated to helping organizations improve their cybersecurity through ethical hacking. As passionate and outspoken ethical hacking proponents ourselves, we were excited to learn more about Aaron's journey into cybersecurity and get his opinions on some industry hot topics. Let's take a look.
How did you get involved in security?
I remember as a kid watching movies about hackers trying to “hack” websites. The "hacking" looked closer to modern Google Dorking than straight hacking. As I grew up and started managing networks and computers, I often found myself on the other side of the computer as it were - trying to prevent security issues from happening, rather than looking for ways in. For example, how to protect school computers from people using pirated tools, or installing malware.
For me though, security became an “everyday” thing when ransomware started to explode in 2013. During this time, trying to protect thousands of real and virtual machines from being breached became an everyday exercise. After working in IT for more than a decade, I’ve learned there’s no way to ignore security. Understanding security, creating a safer company, and a safer world are all synonymous in my mind. This is why I fell in love with HackerOne and had to join.
In your opinion, what is the biggest misconception that currently exists regarding cybersecurity?
We still need to get over the hump that vulnerability disclosure is a bad thing. I want investors, company counsels, and customers to see vulnerability reporting and public disclosure as a sign of a good, strong company.
A vulnerability disclosure program tells customers that the company cares about their data and their information. Companies who don’t disclose, or worse yet, who don’t have a way to even receive vulnerabilities will miss out on investment, and customers will look elsewhere.
DDoS attacks have been a major security concern for many years now. What are some current trends you have noticed related to DDoS attacks?
DDoS used to be something that, while not exactly hard, took a lot of resources to do well. In my mind, the modern DDoS era began in 2009 when the Low Orbit Ion Cannon (LOIC), an open-source tool for testing networks, was repurposed for more than just testing. DDoS attacks started growing exponentially in bandwidth as a result. LOIC attacks were often measured in Mb/s (20, 60 or 100 Mb/s), but now the record being set for DDoS attacks is in terabytes per second. Basically, there is a thousand times more data being shot at networks today than 10 years ago.
How do you feel these DDoS attack trends/threats should be addressed?
DDoS can be prevented or defended against with a mix of tools. Web application firewalls (WAFs) can help prevent a lot of these attacks, and there are both purchasable and open source products available to help address large influxes of traffic. If you mix this with good alerting and a team prepared to handle incidents, you will have a good line of defense. A prepared team can help remediate and resolve DDoS or other attacks quickly and efficiently, hopefully resulting in little to no downtime.
In what ways do you feel cybersecurity has changed over the past 5 years?
It’s hard not to recognize how many of us have moved out of data centers, out of our IT rooms, out of server racks, and hardware, and into the cloud for all things. Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure and others are generally tools most people are just beginning to secure properly. Security for these tools, while not easy, is something we can control ourselves as IT and security professionals.
What has changed is how many third parties we are giving small chunks of corporate data to, while we are ultimately responsible for the protection of that data. Not all SaaS vendors are the same, and many of them see security as an up-sell, not a default. This often forces us, the customers, to make a choice: do I ruin my budget for the year and get the tool at the secure level? Or do I buy what I can afford and avoid things like Single Sign-On, or encryption, or proper support?
The product used to be something you would simply buy, and maybe you would license how many cores you’re going to use, or how many instances. But now, the product is chopped into optimal pricing bands and everything has a price tag for some SaaS companies.
What changes do you expect to see in the next 5 years?
California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), these are just the early salvos in what will become the privacy wars. We’re already seeing more companies add privacy issues into the scopes of their vulnerability disclosure policies. More and more security tools will continue to crop up to help all of us defend against outsider threats and criminals trying to disrupt our businesses.
We now have machine learning, algorithms, and giant databases to help us be hyper-aware of strange new threats. However, no matter how fast these new tools are developed, we will continue to be challenged by the evolution of new threats. Each day there will be a new threat, a new botnet, a new DDoS mechanism, a new bypass and so forth. It’s all evolving.
How much job demand is there for cybersecurity professionals? And how do you expect the demand to change in the coming years?
We’re so deep in the hole on a lack of cybersecurity professionals that there is a huge demand right now. It is an area that is underserved for many organizations that realize they need it, and that’s not even counting the ones who should have security staff but don’t. More and more people are joining the ranks every year, but like many specific STEM fields, cybersecurity is under-taught, undersubscribed and understaffed.
What soft skills do you think are the most important for cybersecurity professionals?
Personal interactions, good attitude, ability to communicate, being a team player, and being a “security coach” are, in my opinion, the most important skills security team members can bring to the table. We’re out in the open more than ever, and it’s on all of us to ensure our coworkers, friends, and family understand the risks of the modern world.
Historically, many cybersecurity experts were bristly folks who were hard to approach and overly critical. They were an even scarier version of ‘Nick Burns, Your Company’s Computer Guy’ from Saturday Night Live (SNL). But we need people to trust us, to listen to us, to respect us, and that comes with mutual respect and trust. It’s a two-way street. We have to help our non-cybersecurity colleagues get on board, so they will be our eyes, our ears, and our early warning system when things go wrong.
And it is important that we, as cybersecurity professionals, are empathetic, so that the next time someone alerts us to a phishing email they opened, we say ‘thanks’ instead of being mad.