Alexander Falatovich of Identity Digital: 5 Things You Need To Know To Optimize Your Company’s Approach to Cybersecurity

Published in Authority Magazine
Dec 7, 2022


As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Cybersecurity”, I had the pleasure of interviewing Alexander Falatovich, Senior Cyber Security Threat Analyst, Identity Digital.

Alexander Falatovich (Fal-uh-toh-vich) of Identity Digital brings over a decade of experience from the domain name space, having led large legacy gTLD anti-abuse programs as well as facilitated the successful launch of dozens of descriptive TLD domain abuse programs. He is a member of multiple industry groups and collaboratives, such as APWG and InfraGard. He has earned his Certified Ethical Hacker, Certified Incident Handler, and Certified Cyber Security Architect certifications to accompany his bachelor’s degree in intelligence analysis from Mercyhurst University with a minor in Asian studies and a graduate certificate in Homeland Security & Defense from Pennsylvania State University.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I’m from a small town in Northeast Pennsylvania, about as far from anything one associates with cyberspace or information technology. My parents were teachers. They gave me many opportunities to try activities I enjoyed, like basketball, while ensuring I put forth the effort in school. I did well in math and science but really enjoyed the social sciences. I eventually went to college at Mercyhurst University, at the time Mercyhurst College, to study Intelligence Studies because I wanted to work in the US Intelligence Community. While I spent four years enjoying all the natural wonders of Erie, Pennsylvania (Spoiler: snow and cold), I added an Asia Studies minor that allowed me to mix the logical-centric elements of intelligence analysis with the more spiritual components of many Asian cultures. The job market wasn’t great when I graduated, so I did some temp work before eventually getting my first job, not in government like I had planned, but in cybersecurity near Philadelphia. Since then, I bounced to Baltimore for a little while before ending up where I am now.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

So funny enough, I never intended to pursue cybersecurity growing up or even in undergrad. I got into it out of necessity. But there was something that really struck me that made me stay. About two years into my career I was talking to friends and former classmates (some went on to fill positions I had previously wanted) when I realized just how much of a difference working in cybersecurity and the impact some of the anti-cybercrime work I was doing had and could make. I grew up with some technology but seeing how society was moving, even back in 2013, I knew that if I wanted to help the public, staying in cybersecurity was the right thing for me.

Can you share the most interesting story that happened to you since you began this fascinating career?

I don’t know if I could pick one specific story, but I’d like to highlight just some of the amazing places I’ve had the opportunity to visit and meet amazing people. I’ve been graced with the chance to travel to six countries to discuss cybersecurity with peers, sometimes speaking on a panel or to a group of professionals. What’s so interesting about that is that virtually no matter where you go, everyone is eager to try to find ways to solve the problems facing us. I think it’s easy to get caught up in “the games” of any industry, but when you sit down with folks over drinks away from the office and have a chance to talk frankly about the challenges being faced, it’s a refreshing reminder that at the core of it, we’re all on the same side.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

One particular person I’m grateful to is a long-ago coworker, Greg, who trained me when I first started in the industry. I’ve never forgotten the help he gave me. From the training and insights about certain types of investigations we conducted through introducing me to the right people at industry events, Greg helped me start on a path that spearheaded my career, and I’ll always be grateful for that.

Are you working on any exciting new projects now? How do you think that will help people?

Without getting too into the details, yes, some exciting projects are in the works on how to take advantage of some of the registry and DNS data that we have access to, data that nobody else has in such volume and as comprehensive in scope. It involves the ability to more rapidly and accurately identify domain names registered for cybercrimes, such as phishing, and learning where legitimate domains may be compromised to be used in similar abusive behavior. This will help people by reducing the uptime of malicious content. Studies repeatedly show that most of the damage in cyber attacks happens within the first few hours of a domain being deployed. Faster, accurate detection can lead to faster mitigation and, by extension, fewer victims of cybercrime.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Cybersecurity is a collective effort. No single person will drive back the inky dark of cyber attacks. You could stay awake 24/7 and never stop every attack or every cybercrime event. The cybersecurity community needs its members to physically, mentally, and emotionally care for themselves so they can be in their best form to contribute to the larger whole. Take up a hobby, find something that recharges you, and don’t get burned out. There will always be more work to do in this field. You don’t need to do it all “now.”

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

It’s a very exciting time for the cybersecurity industry and the implications beyond. What excites me most is how accessible it is despite some negative elements in some communities. It is also increasingly diverse as one of the few areas where someone with no experience in technology can become a practitioner using free, open-source materials. This allows people from all kinds of backgrounds with different perspectives to join. I see the community adding needed voices via initiatives on social media like #sharethemicincyber and organizations of women in cybersecurity. Those voices will have profound impacts on creating a more fair and unbiased technological future.

The second thing that excites me is the growth potential in cybersecurity. You don’t need to look far to see the constant demand for more cybersecurity professionals, including in companies and spaces that you wouldn’t have just a few years ago. A report in CyberSeek underscores this, stating that nine of the ten top months for cybersecurity demand for the last decade came in the previous year. There’s a tremendous opportunity to find your niche and make an impact.

And finally, the third thing I’d single out is how amazing it is to be part of an industry when there is so much potential revolutionary technology starting to hit the mainstream that needs securing and protecting. Whether I’m looking at one of the many text-to-image AI generators or visiting a website using a descriptive domain with a top-level domain I don’t commonly see, we’re constantly being presented with new cybersecurity challenges. To me, that’s a gratifying part of cybersecurity work.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Even though many threats are on the horizon, a couple stand out to me. First, hyper-realistic misinformation and disinformation campaigns are targeting organizations, investors, and customers. With advances in machine learning and AI-generated content, particularly videos involving synthetic media, hostile actors can spread damaging stories about an organization that can lead to financial pressure. This could take the form of consumer boycotts or even violence from lone wolves of fringe ideologies. If an organization doesn’t have the means to identify and respond to this risk scenario, it will struggle to react if the threat becomes real.

Another current and growing threat involves attacks on multi-factor authentication. The “Oktapus” phishing attacks are an example. This large-scale campaign targeted Twilio, Okta, and other companies, whose employees received text messages containing links to phishing sites that mimicked their organization’s Okta authentication page and harvested Okta credentials and two-factor authentication (2FA) codes. Many companies and vendors are using either less secure second factors like SMS OTP or have likely not educated their users on how hackers may target both their traditional credentials, such as username and password, as well as their second-factor authentication. Even though these security measures are better than nothing, companies must move away from these weaker second factors and adopt social engineering-resistant solutions such as hardware tokens and WebAuthn. Many companies, even major organizations that likely know better, still use these less secure mechanisms. Most companies are just lucky because there are still plenty of non-MFA-enabled accounts. Because of that, attackers haven’t had to switch over to targeting MFA-enabled accounts for many attacks.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?


What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

On any given day, these tools get used regularly:

  1. URLscan.io — This wonderful tool lets you check suspicious links, get screenshots of a site without going to it, and review some of its content structure. I recommend it to anyone who isn’t sure where a link goes. All you have to do is copy-paste the URL into the field, and the tool will scan it and bring back the results. There are more advanced options with an account, and skilled users can play around with those.
  2. VirusTotal — A go-to for many in the domain name space and anyone dealing with various types of cyber attacks. It provides a straightforward way of doing a quick assessment for malicious activity. Users submit either a file or a URL and VirusTotal will scan it against a collection of anti-virus products and other detection services. It’s not perfect for more experienced threat hunters, but for those new to the space or the general public, it can provide some idea of the nature of a threat.
  3. Internet Archive Wayback Machine — Because a lot of my investigative work involves determining whether the infrastructure used is legitimate or likely operated by a malicious actor, seeing how a domain has looked over time can be immensely useful. More generally, the tool provides the ability to search back through the vast indexed internet archives. This helps with research projects, finding previous statements made by individuals, and all sorts of other gems that were thought lost to the sands of time.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter”software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

A company should contract out security if they aren’t committed to investing in internal hires to cover at least the core cybersecurity fundamentals. For instance, if a company’s resources perform at Maturity Level One on the ACSC Essential Eight or reach Tier 1 for the NIST Cybersecurity Framework. If a company can’t complete the basics, it should consider contracting outside support. If they can do the basics, all the more complex, enhanced efforts need to be evaluated in alignment with the risks the company faces. Many small and medium businesses can run cybersecurity efforts without investing in expensive defense systems, but ultimately it is on a case-by-case basis. Investment in cybersecurity personnel and tools should align with the amount of risk exposure you are looking to mitigate. An organization is in a precarious place if it spends significantly more on protection than the maximum likely loss from a security event.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

This is so true; IBM released a finding that in 2022 it is taking almost 9 months to identify and contain a breach, so there’s an excellent chance someone other than the company may notice first. For the layperson, breach identification can be challenging because they need to determine whether it is isolated (i.e., the user’s account was compromised) or organization-wide. However, it is doable if you’re attentive to details. One way is to use available services that check for compromised assets in data dumps. Many identity protection services offer some form of monitoring. But there are other free options, such as ‘Have I Been Pwned’, that can give individuals some insight into whether their credentials were posted following a breach. Another way an average user may discover a violation is if they notice strange account activity. This can include more serious actions like unauthorized purchases or more subtle things like outgoing messages you didn’t send. Alternatively, if the individual is getting spammed with account notifications, particularly if they have MFA enabled, there is likely something amiss. It might be just that their account was compromised, but if they use a long, strong, unique passphrase, that may be unlikely, short of a data breach.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Companies aware of a breach should initiate their incident-response playbooks, which should include plans for involving legal and public relations personnel. The organization should try to understand what they are dealing with and avoid making incomplete assessments or downplaying the incidents. This could muddy the waters as customers and observers follow the event. If appropriate, working with law enforcement can bring additional support and resources and should be considered for critical infrastructure. One key element that helps protect customers is being clear about what is happening and what steps have been taken to secure their data. When you leave your customers in the dark or provide unclear updates about what has been done, you leave them more susceptible to scams and attackers looking to exploit your already painful situation. An example of this was the Equifax breach: the site they eventually set up to let users check whether they were impacted spawned multiple phishing campaigns and scams because the messaging wasn’t unified.

What are the most common data security and cybersecurity mistakes you have seen companies make?

One of the most common mistakes is for companies to have a false sense of security with only one security tool or feature deployed. There’s a lot of “fire and forget” regarding cybersecurity efforts, and the reality couldn’t be further from the truth. The DMARC record a company has deployed will not stop criminals from spoofing its domain to customers if it has the policy configuration set to “none,” and that fancy threat intelligence platform it bought isn’t “Mission Accomplished” once in its environment; it requires ongoing maintenance and tweaking. Threat actors are constantly updating their approaches, poking and prodding our defenses. This means companies need to actively maintain their defenses. One way to avoid this mistake is to ask a few questions about anything you’re doing for cybersecurity:

  1. What are we seeking to protect against with this?
  2. Is that happening with how we are currently using it?
  3. What is it *not* providing us with?

Asking these questions will at least allow the company to have an understanding of current cybersecurity maturity so it can determine if that’s acceptable to its risk appetite or if it may need to invest in additional measures.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

There’s been an increase in cyber attacks due to the pandemic, causing changes in how companies operate. These attacks have brought to light cybersecurity and privacy gaps in many companies. Even though we’re now multiple years into the pandemic’s disruption of centralized work locations, the controls around data and security are still a significant challenge for many organizations. However, some of the potential issues are nearly impossible to avoid completely. You can have all the technical controls in place, but ultimately a company can’t stop a family member from overhearing a conversation or possibly glancing at a spreadsheet momentarily. While monitoring can help (DLP solutions cover some areas), ultimately this comes down to working with your staff so they understand the gravity of risks that can arise if they are not working in a secure location, not locking their machines when unattended, letting non-staff use the device, insecurely disposing of printed documents, and many other activities. So has there been an uptick? Almost certainly. Can it be stopped? It can be reduced, but there will always be some residual risk remaining as long as companies continue to be dispersed.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

Even companies with competent programs can benefit from self-reflection and gauge whether there are ways to improve. For newer organizations, the cybersecurity and data privacy landscape can seem intimidating. Here are five things I believe every company can benefit from:

  1. Know where your data is. This goes double for personally identifiable information and sensitive, business-critical assets. This is even more important with companies and employees being more distributed and remote than ever. If you don’t know where your data is, you can’t fully protect it, and it’s often only a matter of time before something happens.
  2. Follow the 3–2–1 backup rule. This means creating three backups (a primary and two copies), saving them on two different types of media, and keeping at least one backup file offsite. This provides redundancy so you have at least one backup in the event of ransomware or some other significant loss in availability of your data. Remember to back up frequently and test periodically to know they work.
  3. If it’s worth your time, it’s worth documenting. Many people find documentation writing tedious and painful work. Still, it brings significant benefits to your programs. Training processes can be developed and referenced based on the knowledge, so they are repeatable and produce expected results. The documentation also keeps useful information, such as how to respond to a ransomware incident or what to do if private data is posted publicly, with the organization (e.g., on the corporate website) instead of just with the individuals who may eventually leave. Institutionalize your knowledge and reap the benefits.
  4. “We’re going back to fundamentals.” As the character George Knox in Angels in the Outfield highlights, sometimes we neglect fundamentals to our detriment. Any company evaluating whether to add another tool or service should make sure they are covering the basics. It doesn’t do much good to detect a super rare and unique strain of malware if you aren’t stopping phishers from spoofing emails to your employees or aren’t properly encrypting data. Remember that most APTs (advanced persistent threats) are more persistent than advanced.
  5. Risk management will help prioritize and determine how to spend your resources. Resources are always finite. You should make sure to invest in systems that prevent major pains for your organization. From a data privacy standpoint, that could be mitigating the risk of a data breach. Do you have PII (personally identifiable information)? How likely is a breach to happen based on your infrastructure and systems? On cybersecurity, are insecure coding or configurations putting you at an increased risk of social engineering or technical threats like malware or unauthorized access? Your human and fiscal resource investments are being used inefficiently if you are not addressing those top risks.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

For me, the human is at the core of all interactions, and I think in the current environment, in the US and globally, we’ve lost that. People can withstand a lot but being supported and validated by others can be immensely powerful and life-changing, lifesaving even. I would challenge people to ask themselves, “Have you validated someone today?” I don’t mean insincere validation but real, core validation. It isn’t “you’re perfect” or anything so grand. Sometimes people need to hear someone tell them that their feelings are valid, that their presence here is appreciated, and other things that sound so simple but can be so powerful. It’s a challenge because if someone says they have no validation to give, I think they have some room for personal growth and maybe they can start with themselves. At the core of this is a healthy, empathetic, supportive society.

How can our readers further follow your work online?

If readers want to connect, they can find me on LinkedIn. Otherwise, they can watch for new offerings I’m working on with Identity Digital at our company site, www.identity.digital.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
