Dr. Zahid Anwar of Fontbonne University: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

An Interview With Jason Remillard

Plan ahead. When it comes to cyberattacks, it is not a matter of if, but when. There are always going to be weak links prone to unseen threats, so it is important to plan for the inevitable data breach. In case of an attack, organizations should have an incident response plan in place. This planning will allow designated individuals that are part of the incident response team to follow a series of steps to remediate and recover from an abnormal situation in a way that minimizes losses. Regularly backing up data should be a part of this planning.

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Dr. Zahid Anwar, a cybersecurity expert and an associate professor at Fontbonne University in St. Louis. After graduating from the University of Illinois at Urbana-Champaign, he has worked as a software engineer and researcher at Motorola, IBM, Intel, National Center for Supercomputing Applications (NCSA), xFlow Research and CERN on various projects related to information security and data analytics. Dr. Anwar has authored more than 80 technical articles in his domain and is Security+ certified. His research interests include cyber threat intelligence and the security of the Internet of Things.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

When I was growing up in Pakistan, there was a dearth of opportunities for learning and entertainment. In the total absence of libraries, my favorite hangouts were three old book shops where I would spend hours browsing and reading. I would read the shorter books in one sitting, but I would return several times to complete the longer ones. The store owners eventually caught on and removed all the furniture to force the customers to buy the merchandise. This struggle made me savor what I had, and as it turned out, repeated readings of the same books improved my language proficiency.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Back in the 1990s, technology adoption was slow in Pakistan, but that is not the case anymore. A boy in our neighborhood fixed computers in his father’s basement to pay for his college tuition. After school, I would frequently visit his workplace, and one day I asked him to take me on as a student. There, I learned DOS, WordStar, Lotus 1–2–3 and Basic, spreadsheet and programming language, and word processor, which was the only prevalent operating system at the time. With help from my parents and some coaching from my mentor, I put together my first Intel 80286 computer.

After my first year in college, I got an unpaid summer internship at Alcatel. During the three months of my internship, all I did was stack up circuit boards in telephone exchange cabinets and wire up power cables. On my last day when I visited the manager’s office to get my experience letter, I overhead him throwing a fit at an employee over losing track of expensive inventory items due to a buggy inventory management software. After talking to the data entry operator, I learned that the company they bought the software from had a limit on how many items it could store, and it was dropping inventory records at random from the list. The developer had cunningly put a lock on the database so no one could export the records or use it with another software.

Because the operator had no knowledge of software, feared losing his job, and the company was in jeopardy, I offered to help. The manager packed the software on six floppy disks (yes, it was the mid-1990s, and we used three-inch floppies at the time) and handed them over to me.

Over the next 36 hours I toiled trying to break the code. I found it to be a thrilling experience. Finally, the FoxPro database gave in to my efforts, and I returned the unencrypted database to the manager. He was ecstatic, but he still needed software to manage the database. For the next three weeks in my free time, I developed basic data entry and retrieval software for the company.

Four years later, the manager called me to express his gratitude and said the company was still using the software I had developed. My timely effort had saved the entire manufacturing department from a lot of issues. I knew then that I had found my calling.

Can you share the most interesting story that happened to you since you began this fascinating career?

In my role as a cybersecurity instructor, I come across a variety of students with different skillsets. I remember one student who had average grades in class. I was pleasantly surprised when he asked me to mentor him for an offensive security project that involved hacking a car. The goal was to retrofit a radio to take control of a toy car’s remote controller to prove how vulnerable unsecured Wi-Fi can be. After a month of struggling with three different toy cars, he just couldn’t figure out how to generate the frequencies.

Three days before his final presentation, he burst into my office, saying, “Hey professor, guess what? I couldn’t figure out the frequency to the toy car, but I was able to hack my own car with the radio we made. And it works on my girlfriend’s car, too.” Using recorded frequencies from his car key fob, he was able to produce the desired attack. He eagerly led me to the school’s parking lot for a demonstration, and I couldn’t help but think what amazing things determined hackers can do.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

My parents were self-made people who had worked hard to get where they were. My father was in government service and my mother was in school administration. My father grew up in a rural area and moved to the city for higher education and job prospects. As the oldest son, he had to take care of all of his siblings, helping them move to and adjust to city life. Similarly, my mother walked six miles to school and back because of a lack of transportation. I inherited the trait of hard work from them and consider life as a staircase.

Are you working on any exciting new projects now? How do you think that will help people?

I’m excited to give you a teaser for my upcoming project. My studies have revealed that attackers continue to succeed by repeatedly utilizing the same tools with minor variations. Consider the point of sale (POS) malware used in the attack on Target in 2013 where RAM scrapping was used to scan a POS terminal’s memory for credit card numbers and then transmit them to the attacker. In 2014, the same malware was used on Home Depot, only with a few improvements. That malware with the same underlying code base is active even today.

So why can’t we block it? Well, it is mainly because organizations shy away from sharing details about how they get hacked. According to Verizon DBIR, 40 percent of attacks hit a second organization within an hour. If organizations work together and share experiences in a timely and accurate manner, it would make hackers’ jobs more difficult. Now, due to prompting from the government and industry, organizations have started sharing data regarding incidents; however, the data is mostly textual with a lot of redundancy. My goal is to use artificial intelligence (AI) so that machines can clean and categorize data to give us insights into the current threat landscape.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

In many ways, cybersecurity professionals are the nation’s digital first responders. The fact there are not enough of us to go around and that some of us constantly fear of the next security incident can cause it to be a very stressful industry with a lot of burnout. My advice to my colleagues is:

1. Examine the positive impact your work has on the lives of other people. Redefining your goals will provide a fresh perspective and reduce your chances of burning out.
2. Give to others. Selfless and small acts of kindness such as complimenting, forgiving or simply smiling at others will make a big difference in keeping you refreshed at work.
3. Exercise regularly. This will increase your energy and productivity. Instead of having a second cup of coffee, take a power nap of 20 minutes.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

The idea is not to fight when in the arena but to focus on strengthening defenses so that the fight never takes place.

1. It is a constantly evolving field. There is a lot of variety with something for everyone.

With the digitization that has engulfed the world and with each new wave of technology, fresh risks are created every day. Cybersecurity professionals must remain a step ahead. Think of it like a digital sport where one has to regularly train and learn new moves to keep ahead of other players. Cybersecurity presents a high growth potential, both in career paths and for learning opportunities extending from senior management positions to dozens of different roles like penetration testing and cyber incident response.

2. Cracking cyber security problems is the ultimate challenge.

In cybersecurity, there is a reliance on some tried and true principles, but the tactics need to evolve constantly. Each situation is a unique puzzle and a fresh opportunity to rise to the challenge.

3. It gives you the chance to work for the greater good.

Cybersecurity is all about stopping the “bad guys” and making the world a safer place. This job has real impact, such as protecting elderly patients with pacemakers from vulnerabilities, keeping children from being preyed upon by cyber stalkers, preventing online financial frauds and even defending your country against those who wish to cause harm.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Attackers leverage technology to expand their arsenals. They weaponize artificial intelligence to learn and reuse techniques used in successful attacks. They will poison data so machine learning algorithms make wrong predictions and utilize the speed of 5G networks to broaden their attack surface.

We will see a dramatic improvement in the quality of deep fake videos, photos and audio that will challenge our intelligence regarding whether the entity on the other side of the communication is real.

Identity theft and ransomware attacks will rise to new heights. Remote workers will be a prime target through compromise of home devices and social engineering via phishing emails, texts, instant messaging and third-party applications. Social media attacks developed to find an entry point into remote workers’ businesses will also occur more frequently. As attackers’ arsenals increase, it is imperative for companies to shore up their security defenses.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

The incident that comes to mind is a ransomware attack I recently responded to. A ransomware is a malicious software that spreads through a network to infect computers, encrypt important files and demand a fee in exchange for the password to unlock the system.

It was a Saturday afternoon when I received a call about a ransomware that had taken control of some computers, and I was asked how to inhibit its spread. It was a particularly stealthy and targeted strain of ransomware called RYUK, which was spreading like wildfire infecting computers and cloud storage. Instead of turning off computers in every office, my advice was to turn off the network switches on the infected domains. Ransomware, especially this strain, has the ability to use a Wake-on-Lan feature to infect devices that are powered off. In addition, it is better not to reboot a computer when it is infected because if the ransomware was blocked in certain circumstances, then it would start encrypting once again. The company’s best bet best was to turn off the network itself instead of the computers.

The main takeaway from this story is that ransomware attacks generally take place at night or over weekends because there is limited IT staff on duty and there is no timely response. Substantial cost and damage may be avoided if the initial infection can be detected and mitigated at an early stage. Always remember to take backups, as this will save you a lot of pain down the road if you get targeted by ransomware.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Just as the venerable pocketknife has a plethora of tools to handle almost any survival task, a cybersecurity professional should be conversant with certain tools of the trade for common tasks that arise in the IT environment. I use several tools for my day-to-day tasks, but I will limit the list I provide here to ones that are either open source or have free versions available.

For network security monitoring and real-time analytics, Nagios, Splunk and OSSEC are good tools. I scan my website for vulnerabilities using Burp Suite, Nikto and Zap, find weak spots in my network with Nmap and Nessus and test mobile apps using Drozer. For penetration testing server operating systems, I use Metasploit, Kali Linux and OpenVAS. Similarly, you can audit your credentials, network traffic and wireless using John the Ripper, Wireshark and Aircrack. To protect your stored data from prying eyes, look into BitLocker and 7-Zip. Avoid surveillance and profiling by using Tor and DuckDuckGo, send secure emails via GNU Privacy Guard, and manage your passwords using LastPass.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

Small businesses are under the illusion that hackers will not be attracted to them because they believe there isn’t as much that can be stolen. Unfortunately, they are often an easy target because they have less secure networks. Instead of setting up a full InfoSec team, small business owners should first look into vulnerabilities themselves or through a one-time consultation and then take one small step at a time to fix them.

This involves implementing basic company-wide protocols, applying system patches, refreshing employees on regulations, and checking for security holes routinely. A very basic set of security tools and training is sufficient in keeping the more commonplace attacks such as phishing, password stealing, financial fraud and malware downloads at bay. The U.S. Small Business Administration and the Federal Communications Commission provide online resources to help small businesses create customized cybersecurity plans. There is also a growing set of security services and tools available for small businesses in case more advanced measures are needed.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

People should be on the lookout for the following:

1. Login issues. This happens when a hacker has tried to access your account unsuccessfully too many times, which causes the system to lock. You also may experience problems if a hacker has successfully accessed and changed your password.
2. Computers behaving strangely. Popup messages, antivirus warnings, new toolbars appearing in your internet browser, flashing command terminals, and the mouse cursor moving by itself are common signs that your system may have been compromised.
3. Slow network. If your machine is sluggish without apparent reason or you are unable to access online resources in a timely manner, this may be an indication that someone is transferring files outside of your network. It could also mean someone is logged into your network from an unusual location.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Although data breaches strike fear into the heart of every business manager, many will have to deal with them at some point. There are certain crucial steps that you should take that could save your business:

1. Start by patching the vulnerabilities and securing the network to avoid additional data compromise. Change access codes and take affected equipment offline.
2. Examine local state as well as federal laws regarding notification requirements for your particular business and type of information breached to determine your legal course of action.
3. Notify the following entities:

Law enforcement agencies like the local police department, the FBI or U.S. Secret Service.

Affected businesses so that they can take timely action for detecting any fraudulent activity on compromised accounts.

Your customers to minimize the risk of their personal information being misused.

4. Designate a well-informed point person in your company for providing consistent information.

5. Respond to customer and employee issues and questions in an honest and timely fashion. This will go a long way in maintaining good relationships.

6. You can win back some of your affected customers’ trust by offering identity protection services at your expense.

Promptness and thoroughness are of the essence in these circumstances.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA GDPR and other related laws affected your business? How do you think they might affect business in general?

These laws are essentially designed to protect consumer privacy and the security of data collected by an organization. They also guarantee more rights to individuals to know about the personal information businesses collect about them and how it is used and shared. Companies should be thoughtful about the data they acquire and also handle it appropriately. Companies have already started managing data because it is becoming more costly and risky. They will have to acquire technicians for mapping data and anonymizing it. It would be premature to say anything about the real effect of these laws at this time.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Companies rely too much on their network defenses and security tools, but tools don’t make people smarter. Tools don’t teach a surgeon how to operate or a teacher how to teach. Human error is a weak link when it comes to cybersecurity. A small number of organizations actually train their employees on security awareness and data protection regulations, as untrained employees are more prone to falling victim to phishing emails, exposing company-owned devices to the perils of public Wi-Fi, and being subjected to unauthorized access due to poor screen lock habits and failure to use strong passwords.

Organizations also fail to assign responsibility for safeguarding sensitive data. Even though organizations collect and use data from customers, many lack understanding of the flow of this data in their organizations. Concrete data backup plans, policies on encryption, and proper storage are lacking because many companies don’t take the time to map the data within their organizations.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

History is a testament to the fact criminals take advantage of natural disasters and emergencies. Not surprisingly, cyberattacks have sharply increased during the pandemic.

Many organizations do not have the infrastructure, collaborative tools and software, and the capacity to facilitate working from home. When managing work from home life along with domestic hustle and bustle, cybersecurity concerns often are not the top priority. Additionally, there is an increased reliance on virtual meetings and digital commerce. Negligent workers using personal devices and unsecure Wi-Fi become soft targets and increase the chances of an attacker infiltrating a network and compromising sensitive information. While there are certain legitimate websites containing the terms “corona-virus” and “covid-19,” cyber criminals are creating new websites using the same keywords every day to carry out spam campaigns.

Mass communication regarding Covid-19 is being used by hackers as a stealthy delivery mechanism for malware. Ransomware lures include emails and notifications supposedly containing information about commodities in short supply like masks, sanitizers or government assisted payments and free downloads for video conferencing and technical solutions. Health care and financial services are also targeted, so we have seen a rise in identity theft.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

1. It is important to outline clear use policies.

It is healthy, progressive and useful to have an inclusive culture. This brings diversity of ideas, knowledge, skills and talents. Equally important is to make sure employees are on the same page regarding acceptable policy guidelines. They should be given clear understanding regarding use of social media and non-work-related applications like BitTorrent, as these bring added risk of viruses. They should be well-versed in appropriate use of computer systems, email, internet and networks.

2. Invest in employee training.

Employees have a major part to play in maintaining or breaking the security posture of an organization. The attacker only needs one weak link to get in. The best defense is to have a training program regarding safe and unsafe computing behavior. Training should not only be general, but also role specific. Additionally, there should be monitoring and retraining if required.

3. Limit employee access to data.

Employee access to data should depend upon their role. Require computers to automatically lock after a set period of inactivity. Employees will have to sign in again when they return to their desk, which reduces the risk of unauthorized access. Clearly state the allowable methods and locations for remotely connecting to a company network and its software. Access to an organization is a privilege that should be extended to relevant individuals only. Use of biometric technology to reduce unnecessary access to physical spaces can also be a good security measure. When offboarding or transferring roles, communicate changes quickly and modify access to account privileges.

4. Take a proactive approach to cybersecurity.

Have a collaborative culture in your organization. Reward effort and recognize progression to foster teamwork and employee satisfaction. Happy workers are more dedicated and sincere, and they reduce the chances of insider threats such as the transfer of data to rival companies. Consider using systems like user and file activity monitoring and data loss prevention to monitor different channels from which data may be extracted.

Having a handle on external threats is equally important. Using software like threat intelligence platforms (TIP) can provide real-time access to the bigger picture of active concerns. This software can inform you about malware campaigns targeting rival companies and provide appropriate insights to applying patches to your systems.

5. Plan ahead.

When it comes to cyberattacks, it is not a matter of if, but when. There are always going to be weak links prone to unseen threats, so it is important to plan for the inevitable data breach. In case of an attack, organizations should have an incident response plan in place. This planning will allow designated individuals that are part of the incident response team to follow a series of steps to remediate and recover from an abnormal situation in a way that minimizes losses. Regularly backing up data should be a part of this planning.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

Some years back, an opportunity for summer research arose when I was given the chance to visit the famous particle accelerator at CERN, the European Organization for Nuclear Research in Switzerland where a renowned group of scientists are making discoveries in quantum computing. Although I had no formal education in high energy physics and the opportunity was not directly connected to my field of cybersecurity, I still decided to give it a try. It was a productive experience. In addition to other insights, I got to learn about their novel technological innovations in various fields. This visit also opened up avenues for many of my students and led to collaborative research in the years that followed.

There is an endless cycle of ideas, inventions, experiments and research. Settling for what we already know would lead to complacency and boredom. It is the curious mind that expands forever, so my advice to people is to read, research, connect and seek out opportunities for growth, and make the effort to improve in wisdom as well as in person.

How can our readers further follow your work online?

Visit my blog at http://www.zahid.blog/ or www.fontbonne.edu/staff/zahid-anwar/.

You can also follow me on LinkedIn at www.linkedin.com/in/drzahidanwar/.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About the Interviewer: Jason Remillard is the CEO of Data443 Risk Mitigation, Inc. (Publicly Traded as Symbol: ATDS). Data443 is a leading Data Privacy and Security company with over 40,000 customers worldwide.

Formerly of Deutsche Bank, TD Bank, RBC Bank, IBM, Dell/Quest Software, TUCOWS and others, Jason has been in information and data security for over 30 years with customers in virtually every country in the world.

Trusted to deliver — All Things Data Security — he is leading the charge in bringing data privacy as affordable, deployable and realistic solutions that every business owner can take advantage of.