Cyber Defense: Ev Kontsevoy of Teleport On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack
In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?
In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.
As the CEO and Co-Founder of Teleport, Ev understands that growing complexity is the #1 cause of security breaches. That said, he believes that instead of focusing on how to get rid of it altogether, IT teams should acknowledge that growth is inevitable, but the trick to security is focusing on how you scale. Ev co-founded Teleport in 2015 to create the Access Plane: a cloud-native identity-based access solution that is a modern approach to privileged access that makes it easy for engineers to access the infrastructure they need to do their jobs, while at the same time enabling companies to meet their security and compliance obligations.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in the former Soviet Union, where there was a widely-held perception that a person became a computer scientist only after they failed at being a real scientist. Computer science was never treated as its own branch of what we now know as STEM education, and we didn’t really spend much time in front of computers at school.
I was fascinated by electronics when I was a kid, so I built “toys” that looked like audio amplifiers, or really primitive radios. From there, I moved onto computers, and I started to write code. My early software projects were all about doing fancy things with hardware; I would experiment with monitor video modes or the motor noises of the floppy drives that used to go into older machines.
For example, I wrote code that allowed you to play “music” by moving floppy drive magnetic heads. This meant that I had to learn how to program in assembly language — the lowest, most direct way of giving instructions for a computer for what to do. All of my initial programs were basically pranks.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I was maybe 12 when three unrelated things happened at the same time. I saw the first Terminator movie, started to learn object-oriented programming, and learned about the Morris Worm. These events felt incredibly connected to me and they made a huge impact on my thinking. I realized that a computer program can be more life-like than I had previously thought, and it became pretty apparent that the distant future when the machines will do the “attacking” and someone will have to build the “defenders” is not that distant anymore. The Morris Worm wasn’t exactly Skynet, but it was an obvious demonstration of what computers can already do.
Can you share the most interesting story that happened to you since you began this fascinating career?
Perhaps not a story, but a remarkable observation made by an exceptionally brilliant young computer scientist at my university. He said: “every bug in your code is a security vulnerability”. I couldn’t believe it. I asked “even a division by zero?”, to which he replied “yes, even a division by zero”. It was one of these humbling moments when it’s tempting to dismiss a statement as preposterous or even pompous just because you don’t understand it. But over the years, I understood. And yes, indeed, every successful hack starts with a creative exploitation of a human error, and almost always the error’s security implications aren’t obvious. To this day I am astonished that someone so young and not focused on computer security understood this so well and so early; this was pre-Internet and we both were maybe 19 or 20 at the time.
So if a younger person were to ask me “what should cyber security be about?” my response would be: “cyber security should be about minimizing, or even eliminating, the probability of humans making errors when interacting with complex computer systems”.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
Not paying too much attention to overly generalized advice is definitely one of them! But on a more serious note, and I am not just describing myself, I am describing successful leaders that I got a chance to meet and draw inspiration from, the elephant in the room is their natural curiosity and obsession with what they’re doing. Even if the world didn’t care, I would have been doing Teleport in my free time. In a way, I am very fortunate that plenty of people derive value from what we’re doing. This one is definitely a must have.
You also have to enjoy selling. Building anything is impossible without selling. Building great products requires teams, so you must attract the best people to join you by selling them on the idea, then sell it to investors, customers, and so on. This is particularly important because your selling must work on people who are smarter than you. You can’t do anything truly great without those people.
And finally, you have to get lucky. As I said earlier, every new technology has an exceptionally narrow time window to be introduced to the world. A little too early, or a little too late and the impact won’t be the same. Sometimes we’re talking about months. I doubt it’s possible to innovate on schedule with high timing precision, you have to be lucky with timing.
Are you working on any exciting new projects now? How do you think that will help people?
Teleport has always been ambitious in its product development, releasing quarterly updates based on what customers want. Teleport 9, released this month, introduced Machine ID. This delivers identity-based access and audit capabilities for machine-to-machine access including servers and databases, CI/CD automation, service accounts and custom code in applications such as microservices. This protects customers against two leading causes of cyberattacks — human error and exploitation of application vulnerabilities.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?
I’m astounded by both the growing complexity of cloud computing and the detrimental impact it’s having on developer productivity and security. This led me to co-found Teleport in 2015 (formerly known as Gravitational). Our first project was the creation of the Access Plane: a cloud-native identity-based access solution that consolidates four essential infrastructure access capabilities — connectivity, authentication, authorization and audit.
We are delivering a modern approach to access that makes it easy for engineers and machines to access the infrastructure they need to do their jobs, while enabling necessary security and compliance.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?
Stolen or hacked information. Ransomware. Password guessing. Recording of keystrokes. Phishing. Malware or Virus. Distributed Denial-of-Service (DDoS)
I think most people, and certainly all companies, are familiar with these attacks, given that we’ve all fallen prey to them in one way or another. What we often see from organizations is that they “fix” these holistically by adding complicated password systems on top of single access passwords, and ask users to change passwords often, not use the same password twice, etc. This not only creates headaches for users, but ignores other complex issues like short term accessibility, machine-to-machine communications, and other forms of identity-based access points.
It’s also important to note that cyberattacks caused by human error are the ones I feel most strongly about. Human error is the foundation of every successful hacking attempt, and the probability of a preventable mistake grows higher as complexity in the tech stack increases.
Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?
Both. Of course, all businesses need to be concerned when a cyberattack occurs, because confidential data, often customer data, has been leaked. When a company is attacked, it’s also worried about downtime, customer trust, the cost of the breach, and damage to its brand. People are primarily worried about compromised identity and present and future financial loss. Needless to say, nobody likes to be stolen from or hacked.
Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?
Once a company discovers an attack, the first call should be to the FBI (or equivalent government agency). The U.S. Senate recently passed legislation that requires entities to report an incident within 72 hours — the Strengthening American Cybersecurity Act of 2022 — and this is a clear sign that breaches are getting the attention they require.
This legislation encourages organizations to stop cutting corners when it comes to reporting breaches, which gives CISA the background information needed to issue warnings about attacks. Not to mention, this type of legislation officially authorized FedRAMP, forcing federal agencies to comply with its requirements for the third-party products and services they buy.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
The ongoing migration of everything to the cloud and ubiquitous presence of malicious actors shine an unwelcome spotlight on where companies are vulnerable. Much of this relates to a need for secure access. We tend to think about humans getting access to applications and infrastructure resources, but the real security blind spot is within the computing infrastructure, i.e. the machines themselves. Current machine-to-machine communication operates on outdated and very complex security modules — the use of static credentials, for instance — and reliance on both shared credentials and perimeter security. Security policies should view machines in the same way they do humans, using identity-based access to prevent attacks.
By implementing identity-based access, companies can eliminate passwords, which is especially important as we see even the strongest, most unique passwords being compromised. Take a look at last year’s GoDaddy breach, for example. It is possible to guess passwords through brute force, and they are incredibly vulnerable to human error. IT teams should use privileged purpose-built security devices that use public key cryptography and verify presence and identity through biometrics.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
Because complex systems are hard to secure, they’re vulnerable to cyberattacks. While the cybersecurity community has made valiant attempts to safeguard infrastructure against threat actors, many of their strategies revolve around zero trust. What many security professionals fail to understand is that zero trust is not a true solution; instead, it’s an architectural pattern that operates on the belief that every computing resource must distrust all clients equally.
That said, IT teams should recognize that a strong identity-based access management policy is crucial to successfully deploying zero-trust architecture. In my experience, organizations built on cloud-native environments are already moving toward identity-based access; this means every employee is authenticated into a computing resource as themselves, instead of being distrusted equally, no matter whether you’re inside or outside the perimeter.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)
1– Get rid of passwords:
Every secret, every secret key, every password is a liability for your business because it exposes your organization to human errors. Passwords can be lost, stolen, or even sold. There are marketplaces for corporate credentials on the dark web. Secure vaults and encryption in general helps, but the mere existence of passwords or any other forms of secrets is an ongoing liability and it’s not going to end well. The question is not if, the question is when.
2– Implement identity-based access:
The best way to move away from secrets is to use identity-based authentication and authorization for everything. This is far better than using passwords or any other form of static secrets. Identities cannot be stolen, or shared, or sold on a hacker marketplace. It is critical, however, to have a single source of truth for all identities, instead of having silos. There needs to be a single sign on (SSO) access flow for every computing resource in your organization.
Moreover, identities must be issued not only to humans, but also to machines and to software. Too often organizations invest in identity access solutions for their workforce, but they forget that their own applications and infrastructure can also be used as springboards for hackers.
3– Leave perimeter security behind:
The industry has been talking about Zero Trust for years, yet very little progress has been made. Every computer in your organization must be set up as if it’s on the public internet, so if an attacker gets into your LAN, VLAN or a VPC they shouldn’t get any additional privileges just because they’re on an “internal network”. Risking sounding like a broken record, I will say that every attack is an exploitation of a human error followed by pivoting to other resources. By relying on perimeter security, you are making it easier for criminals to pivot. Don’t do this. Networks are not worth protecting. You will be outgunned. Protect computing resources instead: computers, applications, databases, etc.
4– Bolster DevSecOps:
I am not a fan of buzzwords, but there’s usually a nugget of wisdom behind them. DevSecOps simply recognizes that security must not be forced down the engineers’ throats. In a cloud-native environment where infrastructure is provisioned with code, it’s unrealistic to expect a magical straitjacket preventing engineers from doing insecure things. Organizations that do that always end up with backdoors built by their own engineering teams. Instead, engineers must take security considerations seriously and this only happens with trust: give them the responsibility and let them pick an appropriate solution to implement it. Another buzzword that explains this is “shift left security”.
5– Acknowledge the complexity:
The computing industry in general has a complicated relationship with legacy systems. Replacing what’s working and throwing away backwards compatibility is painful. But remember that not doing so carries a significant security risk. The more layers of technology you’re piling on top of each other, the more complexity you incur, and the probability of bugs and other forms of human errors goes up, leading to a less secure state overall. And, just like my brilliant 19-year-old friend said years ago: every bug is a security vulnerability. By growing your tech stack taller, you’re growing the number of vulnerabilities, so keep the overall complexity in check.
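As an added illustration of points 1 through 3 above, and of the earlier remark about static machine-to-machine credentials, here is a small Python example. It is not Teleport's code and not the interviewee's; it contrasts a long-lived static secret with credentials that are bound to an identity (a person or a machine workload), expire after a short TTL, and are verified without any regard to which network the request came from. The authority key, the identities alice@example.com and ci-deploy-runner, and the TTLs are all constructed for the demo; a real deployment would have an SSO-backed certificate authority sign SSH or X.509 certificates with an asymmetric key, where this example uses an HMAC as a stand-in signature.

```python
"""Identity-bound, short-lived credentials versus a static secret (added example).

An HMAC keyed by a constructed authority key stands in for the asymmetric
signature a real certificate authority would produce.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed authority key for the demo only; a real CA key never lives in source.
AUTHORITY_KEY = b"constructed-authority-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credential(identity: str, kind: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue a credential naming an identity (human user or machine workload)
    that stops working after ttl_seconds, however it was obtained."""
    now = time.time() if now is None else now
    claims = {"sub": identity, "kind": kind, "iat": int(now), "exp": int(now) + ttl_seconds}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(AUTHORITY_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_credential(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the credential is unexpired,
    otherwise None. The caller's network location plays no part in the decision:
    a request from an "internal" LAN is checked exactly like one from the internet."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(AUTHORITY_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(body)
    if claims["exp"] <= now:
        return None
    return claims


def rewrite_subject(token: str, new_identity: str) -> str:
    """Rewrite the subject claim but keep the original signature, to show that
    the signature check rejects a credential whose identity was altered."""
    body_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["sub"] = new_identity
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + sig_b64


# The contrast: a static shared secret, once copied, works indefinitely and
# says nothing about who is presenting it.
STATIC_DB_PASSWORD = "constructed-static-password"  # constructed for the demo


def static_secret_login(presented: str) -> bool:
    return hmac.compare_digest(presented, STATIC_DB_PASSWORD)


def demo() -> dict:
    t0 = 1_700_000_000.0  # fixed clock so the outcome is deterministic
    alice = issue_credential("alice@example.com", "user", ttl_seconds=3600, now=t0)
    ci_job = issue_credential("ci-deploy-runner", "machine", ttl_seconds=600, now=t0)
    return {
        # Both are accepted while valid, and each decision names the identity behind it.
        "alice_valid_now": verify_credential(alice, now=t0 + 60)["sub"],
        "ci_valid_now": verify_credential(ci_job, now=t0 + 60)["kind"],
        # A credential captured and replayed after its TTL is useless.
        "alice_replayed_next_day": verify_credential(alice, now=t0 + 86400),
        "ci_replayed_after_ttl": verify_credential(ci_job, now=t0 + 601),
        # Changing the identity inside the credential breaks the signature.
        "subject_rewritten": verify_credential(rewrite_subject(alice, "admin"), now=t0 + 60),
        # The static password keeps working for whoever holds it, whenever they use it.
        "static_password_still_works": static_secret_login("constructed-static-password"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the `demo()` dictionary is the last two entries side by side: the identity-bound credential issued to the CI runner is as short-lived as the job that needs it, while the static database password has no identity, no expiry, and no way to tell a legitimate use from a leaked copy. In a real environment the issuer is the SSO-backed certificate authority and the verifier is the SSH server, database proxy or Kubernetes API, but the shape of the check is the same.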
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
I am fascinated by the concept of curiosity. Intuitively it feels like the fundamental building block of intelligence and the driving force behind technological progress. I find it strange that we tend to focus on intelligence more, being obsessed with IQ scores, for example. Curiosity is more interesting. Understanding curiosity will help us build GAI and will help us realize our own potential. Focus on curiosity in kids: what causes it? Why does it decline with age? Imagine the consequences of inventing a “curiosity pill” on humanity.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!