Cyber Defense: Josh Heller of Digi International On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

Published in Authority Magazine, May 15, 2022 (7 min read)

In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack”, we are talking to cybersecurity experts and chief information security officers who can share insights from their experience with all of us.

As a part of this series, I had the pleasure of interviewing Josh Heller.

Josh Heller is Supervisor of Information Security Engineering for Products and Services at Digi International. An enterprise security pioneer and mentor, he has deep experience in critical infrastructure, disaster recovery planning and internal IoT frameworks for both software and hardware development lifecycles, with the ability to identify physical and cyber security threats in many forms. He holds certifications in AWS solutions, Netskope Security Cloud Introductory Training, Tanium Operations and core essentials and received a degree in network management and security from Anoka Technical College.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Since my early teenage years — around 2004 — I have been tinkering with anti-virus. You could say that compromised computer security has been a hobby for quite some time. The tipping point was in 2016 when the elections were suspected to be manipulated by the Russians, and information protection was at risk for the United States. To be in this career, protecting American businesses from cyber adversaries is my way of giving back to my country.

Can you share the most interesting story that happened to you since you began this fascinating career?

My first role in the information security space was as an incident responder. I was responsible for endpoint security for malware and insider threat, and the technology stack was eye-opening on what really happens under the hood when browsing the web. The average user is tricked daily into downloading items that are falsely represented. In some cases, it would still do a task you signed up for what you believed it was accomplishing, but it would all be a cover-up for crypto miners or a keystroke recorder. You start to get good at profiling users and leveraging open-source intelligence. I never thought it would come in handy until my bike was stolen that same year. In using these newfound skills, I was able to track down my stolen bike on Craigslist and find a fake stock image of my bike with a phone number to reach them. I passed off the lead, and the local law enforcement took it from there.

Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Resilience: At the beginning of my career, it was extremely tough to open natural doors. I had to forge through contracting roles to gain industry-standard experience across different domains to achieve a solid reputation. I stayed humble with that approach, and having those experiences has given me a broad understanding of what information security looks like enterprise-wide.

Passion: At every step of the way, the extra effort I have given to the roles in this industry has been natural. When you love what you do, success is just a fraction of the outcome of your work. It drove my imagination to places in the binary wilderness you wouldn’t think existed.

Perseverance: The goal in my career has always been about progress, not perfection. Once I changed my perception about what failure really is, progress, the compounded concepts started to stick. It is an absolute grind to understand computing, and you have to be consistent.

Are you working on any exciting new projects now? How do you think that will help people?

At Digi International, there is always an abundance of daring projects happening. Currently in my realm, we are working on improving the common vulnerability lifecycle to enhance our reaction times and the customer experience.

I think we are moving towards a time period where information sharing is becoming not only important but required to happen timely in the vulnerability space. In adding automations, we are looking to improve the expected time to recover and additional time to notify our customers.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?

I have been working for 20 years on computing devices and have continued to evolve my understanding of how the landscape has changed. Prior to entering the information security space, I worked with operational technologies that had computers communicating with cars, reactors, and industrial control systems.

Once I applied further studies to the computing world, it opened the floodgates of understanding how modern warfare has expanded into the digital era. In the past decade, I have held security roles up and down the technology, governance, risk, and control stack across several unique industries. Currently, I work for Digi International, where I started out as the lead security engineer and have since moved up to the Product Security Engineering Manager for Digi’s products and services.

What are the different forms of cyber attacks that we need to be cognizant of?

The main concern businesses and independent consumers are currently facing is social engineering. Humans, emotional beings, will always be manipulated with misinformation. It is crucial for companies to spread awareness and training for phishing campaigns. Aside from the direct contact manipulation through email, more adversaries are finding vulnerabilities in how web applications handle requests.

The idea is either for disruption through denial of service or by corrupting memory to gain unauthorized access. Most of these flags are well documented within the OWASP top ten. Businesses need dynamic tests added to their development lifecycle to detect these types of issues before production!

Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?

Businesses are genuinely concerned about business continuity and are moving towards adopting information security staff and insurance as part of normal business operations. Currently, I do not think there is a sweatier group of people than the energy sector. These operational technology networks have been on high alert during our international conflict with Russian and other international APTs.

I do not think this should overshadow the need for a heightened sense of personal awareness around security controls for at-home computing, though. We live in a society where even modern currency is digital. A diverse array of multi-factor authentication is necessary for personal and professional protection.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

This may be a situational type of response, but it is essential to remember that forensic evidence needs to be handled by the professionals. Otherwise, the data gathered could be thrown out in court. It may be that the local law enforcement has adequate staff for that, but it may depend on the municipality. It may be wise to seek a local cybersecurity expert to facilitate a smoother transition process.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

The most common data security and cybersecurity mistakes I have seen companies make would be default or weak password policies, misconfigured cloud accounts, and phishing emails. You may always make human mistakes when it comes down to it, but if you have a good backup, ransomware can be avoided.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

I suggest we remove attachments from email altogether and develop other means of digital file-sharing. If we move towards secure vendor communications with applications like Slack or Teams, we could relinquish the need for exchanging emails entirely. This may be more of a complex transformation for our personal lives. Email as an attack vector has become so poor that it is not worth using anymore.

What are the “5 Things Every American Business Leader Should Do to Shield Themselves From A Cyberattack” and why?

User Awareness Training — Commercial security training is a good start, but an internal security team that develops training custom to the environment is more successful and can create security champions on each team.

Network Segmentation — An understood network topology that uses segmented networks with firewalls, bastion hosts, VPN tunnels, VLANs, separate AD forests, offline backups, and identifying IP is an excellent start to any security posturing.

Incident Response Plan — It’s a matter of when, and you need to prepare your team for how to react by having a proactive plan in place. It’s also crucial to have tabletop exercises to gain experience under pressure.

Cyber Insurance — Businesses will benefit from cyber insurance in place as part of business continuity during a breach. It is also vital to note that businesses are required to demonstrate they have information security programs in place to qualify for this insurance, so be prepared!

Adequate staffing and training; Information security professionals have a very demanding role in organizations, and they need executive-level support to fund these teams appropriately.

If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be?

The world needs to be reminded right now that we are all human. We have become more like androids, and smartphones have become an extension of our human consciousness. Instead of texting your friend or loved one, give them a call and remind them that verbal communication is still alive and well.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
