Omer Hamerman of ProdOps: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity
…Most important tip in my opinion is the cliché “put yourself in the attacker’s shoes”. Think how you would break your own system. Is the data transfer encrypted all the way? Can you intercept it on your own? Are their exposed components that shouldn’t be? Can you access them just for a POC? Do you have policies or plain simple culture of secure communication and data sharing in your team? Try searching your email or chat-history for the term “password” or “secret” and see how they were shared.
This is the one field you should always be paranoid about. Always assume you are under prying eyes and try to hit the 20% of actions that would produce 80% of the effect.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Omer Hamerman.
Omer is a Senior DevSecOps Architect at ProdOps.io, a global consulting firm specializing in building automated solutions for cloud infrastructure. Currently living in London, he is leading major projects with various companies that aspire to channel his unique expertise integrating security from end to end through the DevOps framework. In addition to consulting, Omer is in charge of implementing data privacy and cybersecurity methods, assisting ProdOps clients to secure their internet facing applications and defending their back-end systems from malicious activity. Additionally, Omer believes in knowledge sharing within the technological community, a cause to which he contributes by composing numerous blogposts. In his free time, Omer is a passionate rock climber and traveler.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in a small village in the southern part of Israel. As a child and a teenager, I was always into computers and everything related to them. I finished school majoring in software development with twice the amount of points needed to fulfill all the requirements. I was not interested in any other field.
It took me more than a decade to rediscover the joy of nature and the outdoors, both of which were part of my childhood environment. Nowadays I am an avid climber and love long hikes and the quiet countryside. I believe it helps me maintain my mental clarity and aids me in solving complex situations when I’m back in front of the computer.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it. ⁹
I can’t say why, but I was always attracted to the field of security and drawn to building systems as well as to finding their weak spots and ways to break them. I can’t pinpoint a singular moment or event, but I can say that throughout the years, I spent a lot of my spare time reading security books and hacker manuals. “The hacker’s handbook” was near my bedside for many nights.
Can you share the most interesting story that happened to you since you began this fascinating career?
As I was building one of the back-end services for a startup I was part of, I learned a new way to scan and detect IDORs (insecure direct object reference) in publicly facing web applications. For fun, I started scanning our own application, and low and behold — I found a serious production vulnerability where a registered user could take over a same-level account just by knowing the account ID. While not easy to perform as an attacker, I was very “happy” with my finding; I fixed the bug on the spot. It was very exciting to know that due to my diligence none of the systems were compromised. Personally, learning a technique and then applying it while impacting our own system’s security was a special experience. This is one of the reasons I have chosen to work for ProdOps: The proficiency of the firm made me feel that such breaches would be prevented and that my time is purely spent on solving other companies’ DevSecOps challenges.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I don’t have a particular person, but I would use this opportunity to give a massive shout-out to two fantastic resources I keep learning from. The first being the “Darknet Diaries” podcast. While not an educational resource per-se, the stories brought on the show are mind-blowing and many times inspiring. More than once I learned about a new technique or resource that greatly aided me along the way. The second is the Bug Bounty Community, which offers as much information and learning material as one can hope for. The best resource I’ve found and read probably three times over was “Web Hacking 101” by Peter Yarovsky. The book goes in-depth describing vulnerabilities and famous cases in which they served as an opening for a bug bounty hunter.
Are you working on any exciting new projects now? How do you think that will help people?
As part of my work with one of ProdOps clients from the healthcare industry, I’m building an AWS security scanner with custom functionality as requested by the CISO. The tool can be deployed on any platform and has the ability to authenticate any of the company’s accounts and scan for inactive or suspicious users, keys, and roles. The idea is having visibility over the “gate” of AWS through which users and applications can access private resources in the cloud. I plan to open source it once it’s approved. I’m sure it can do a great job protecting and alerting the users on abnormal activity in their accounts, allowing our client to enjoy a stable, simplified and cost-efficient solution.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
This is a great question. As someone who had felt “burnt out” more than once, I can say it is ok to feel like that; and if you feel burnt out don’t fight it. Your mind needs a break, it could be a day or a month. Change the focus at work and use your time out of work to engage in physical activities and experience the world beyond the screens. That’s what did the trick for me.
In regard to being preventative, I’d recommend limiting the hours spent on a project even when it’s hard. When I’m committed to a project I can find myself working full nights and weekends, just because I want to. When I have a goal, it can be totally time-consuming as I don’t think of anything else, much like an addiction. Over the years I’ve figured I have to fight the urge and do something else in between — to me, it was always climbing. Of course, any other place where you can feel relaxed on the one hand but fully engaged to what you’re doing on the other can assist, both in alleviating stress and preventing you from burning out. You might say it helps to “cool down” the part of the brain you’re so engaged with.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
My expertise is cloud systems, and my cybersecurity experience revolves around application security. Usually, I am dealing with publicly facing web applications. ProdOps, which is a leader in the Israeli DevOps community and assists global enterprises, allows me to experience various cybersecurity and application security aspects. The ProdOps team specialty is to design and implement solutions that are resilient to attacks, self-healing, robust and scalable to serve any number of requests while quickly responding to changes in requirements. Since our clients vary from top tier 1 to SMBs and startups, the amount of expertise my colleagues and I encounter is extensive; we have to self-learn a lot. This is why what excites me the most is the community that’s building in different fields and the will to share knowledge in various ways. I see many influencers dedicate time and effort teaching, sharing code and tools, and generally doing good to help and promote the field. I’m referring to completely free resources that people can obviously keep secret and use to their own benefit but choose to open source, allowing them to share and receive from others as well. This is heartwarming to see.
I’m also excited to see web application companies think out of the box when protecting themselves by reaching out to bug bounty hunters through their platforms and are willing to pay for the service.
Lastly, I can say I’m excited about the different cloud platforms solutions that keep being released. At ProdOps we get to interact closely with all of the major platforms, so we maintain a close relationship with them and their new developments. We start seeing solutions that actively scan, alert and even heal on their own security holes and mitigating risks as they rise. I hope these will contribute to the general security efforts and making all of us as consumers of technology, safer.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
With the rise of remote working, I feel many companies were forced to change their ways without dedicating enough resources to securing their new pipelines. Companies that were primarily office-centered and which did not allow external communication are the ones especially threatened. Ironically, these companies have gone from being the most secured, both physically and virtually, to being vulnerable to the new hazards inherent in sharing data and the deployment of applications. This includes employee communication among other related things. As in finance — when there is a demand — there is a new production and the stakes rise. To put the analogy in concrete terms, hackers realize that the new companys’ working methods are many times left exposed and not fully thought through. Attackers then are able to utilize this to find holes to allow for illicit access. I think it is important to be aware of this issue. We must make sure we are prepared and working on understanding the risks as well as educating ourselves on ways of mitigating these threats.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I’d like to share a recent story which seems to be unimportant or negligible, nonetheless, this is exactly the reason I think it is important. A medium size startup from the ad-tech industry I worked with, gave free access to its developers to use the root DNS domain records of the company should they need it. One of the developers decided to use a subdomain for a readme service for one of their applications. He had set up a subdomain “readme.company.com” and pointed it at one of the known readme services on the internet with the name of the company. What the developer failed to do was to create the readme service side of things; he stopped working on the project and did not actually go through creating the readme account for his company, essentially leaving a public subdomain pointing at the endpoint ready for grabs. I discovered this during one of my regular scans, and explained that it falls under the category of “Subdomain Hijacking” but they were not impressed. Since it was important for me to walk them through the potential risk, I explained what a skillful attacker can do with their subdomain. Not only tricking their customers or even stealing from them, the worst that can happen is their reputation will suffer. Sometimes companies of this kind do not manage to recover from this. I explained that these things start with not managing permissions, even to the most “naive” resources, and continue with unfocused engineers using them recklessly.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
It’s hard to list all of them but I’ll try to focus on the main ones.
First and foremost — Burpsuit. This is a proxy tool by PortSwigger, which is an application security researcher’s best friend. It allows you to see in and outgoing requests, manipulating them in various ways and even automating the process, which is usually a way to find interesting results. There are lots of different and great plugins. The only flaw is that it’s Java-based, and is therefore very intensive on your machine’s resources, so be prepared.
Another well-known and very powerful tool is OWASP’s Amass. I’d say it’s more of a platform then a single tool. Amass is great at finding attack surfaces and discovering assets. It’s one of the more useful reconnaissance tools I know.
My last recommendation is to take a peek at Tom Hudson’s tools (github.com/tomnomnom): “assetfinder” “httprobe”, “meg” to name a few, are ultra-fast and easy to use tools, which are even more powerful when combined. Look for Tom’s YouTube video of a live demonstration.
I would be remiss if I ended the list without naming “SecLists” (github.com/danielmiessler/SecLists) which is an ever-changing repository of wordlists for any kind of scanning use-case. With a touch of creativity, those lists become extremely powerful, and one of the more useful researcher’s companions.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
What I do think they have to do is name responsible personnel who are in charge of the platform security in the company. People who understand the risks and options and know their way around attack surfaces and protection. From my experience over the last five years with startups, they not only never discussed the subject with a professional, they didn’t even have anyone who was responsible for it. I think the “DevOps” or the “Ops” team can be the ones responsible, but this must be settled beforehand. It’s the CTO’s or VP R&D’s job to make sure the responsibilities are distributed and followed.
Beyond that, it’s important to keep in mind that small teams, naturally, have fewer systems to protect. The bigger a company is, the more complexity, legacy components, and holes may open up in their systems.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
When something is done incorrectly, the first thing one can see is supposedly confidential information can be read in cleartext. Usually, these are keys and passwords that are being pushed together with the code under the belief that private repositories’ codes will never be discovered or exposed. This also means that there’s no central management of secret information and that private systems in the company can be rapidly compromised. This is the first thing anyone can flag out.
Another simple indicator is being able to access private resources with no authentication or encryption process such as a VPN or going through some kind of networking tunnel. For example, if I can access systems like a Pool of Secrets or a database directly (God forbid) without using a VPN first, or using multi-factor authentication (usually a random 6 digit code provided after the login password) — something is off.
I expect from anyone in a software company, including executives of all fields, to understand the risk of not using multi-factor authentication to any system, of not using a VPN to access their sensitive data and to ask the relevant questions and get satisfying answers. When in doubt, consult a professional, look for the information on your own and educate yourself. Security of information affects our private lives as much as, if not more, than our professional lives.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Identifying the breach is a big step of the way. Understand that if a breach has been discovered, you should assume it is ongoing and may have happened before. Therefore, stop the leak as soon as possible; assume that the attackers have other doors, and furthermore a backdoor was left behind. The latter is usually part of more sophisticated attacks and the assessment should utilize an experienced professional to review the system. Needless to say, this is a great opportunity to make security a priority and ramping up everything around it, including making short and long term plans. As far as customers go, think first about data and how to make sure it’s secured; accessibility and encryption both at transit and at rest, and do not overlook the application’s security. A system with access control and the best encryption mechanisms is worthless when the API exposes data of unintended users, for example.
Viewing the matter personally, I think these laws and regulations are there to protect us all. As a user of the internet I could not be happier. Yes, it involves extra effort by teams and requires specific features that have to be implemented like “the right to be forgotten”, but once implemented, we as a team should be happy that our customers’ privacy is better secured and managed. Privacy and security should be our concern: we should always do our best to protect our data. Not only for the customers themselves but for the business too; a data leak could break an organization’s reputation to a level it might be impossible to repair.
What are the most common data security and cybersecurity mistakes you have seen companies make?
It always starts with the simple things, which makes them hackers’ “goldmines”. Insecure plaintext secrets and keys in the code, simplistic passwords shared over insecure emails or chats, and personal keys shared amongst teams are probably the most common ones. What I’m trying to do when I meet a new client is to invest in the 20% most effective security actions that will have the 80% value. I believe those are:
- Using a central login gate delegated to all other systems. E.g. using Gsuit to login to any other platform in the organization.
- Using multi-factor authentication for everything.
- Using a central secrets management system to read and write secrets to and from, both by users and applications.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
I did not see for myself, but I have heard of a rise in cases in the industry. Attackers are aware of the various new attack vectors opened to them and they are taking advantage of it. Opened zoom calls that can be eavesdropped; insecure connections to cloud resources without using VPN or any kind of tunneling; leaving open connection ports so employees can connect to all kinds of backend components from their homes — these are just a fraction of many possible examples. To make a lemonade from the “lemon” that is Covid: take your security up a notch. A security ramp up, both of access, secret management and security of communications can do wonders.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
I’ll share this in accordance with a post I’ve recently authored that discusses ways hackers use to “steal” secrets and vulnerable information from companies.
- Hackers use GitHub. By Github, I’m also referring to all git based platforms like Bitbucket, Gitlab and others. It’s hard to control what team members do, so I believe the best approach is to:
a. Constantly scan code as part of the CI process to find bits that shouldn’t be there.
b. Culture — educate your teams on security, employ peer reviews and share the security mindset.
c. Use a system to store keys and passwords so that “where should I store key X” is never a question.
One client I’ve worked with early 2019 had an employee that by mistake forked a company repo and made it public. The repo had API keys used to interact with paid service in the core of their product. We accidentally found it and stopped the leak and rotated the keys.
- Hackers use social media cross-referenced with historical password dumps. This does not imply everyone needs to rotate their passwords indefinitely. It does mean that those rotations should be:
a. Thought of in terms of period of rotation.
b. Managed with a password manager and private vaults for each developers-team.
c. Prefer human-readable yet long password phrases over complex ones. e.g.: “the-orange-monkey-of-November-wins” is far better than “2kj!z$#pass”.
A team leader in one of our client-companies was targeted through LinkedIn and with an old password leak in iMesh (remember that service from the early 2000's?) that he had been still using for almost all of his profiles, they managed to access his email account and from there to his cloud profile at AWS.
- Cloud platforms don’t always provide the best practices for deployment of infrastructure. Make sure your platform is secure; make sure your databases (and data by extension) are held privately, that backend systems are disconnected to direct incoming traffic from the outside world and the only gateway to them is a secure tunnel like a VPN.
Recently AWS provided a health-care client of ours HIPAA-compliant templates to create his infrastructure automatically. After deploying them, he had found that there’s no VPN installed and that his application server was created in an exposed environment. Not because AWS made a mistake, but because the template required further configuration in order to finalize it correctly and make it production ready. It did not come with instructions or detailed manual, and when we first reviewed it we were alarmed to see how the wiring went wrong.
Make sure you either know exactly what you are doing when it comes to architecting your infrastructure, or have a professional on board to build or review the work.
- Think encryption — this simple concept can be used almost anywhere; from how you store your passwords and secrets, through how information is transferred to-and-from your systems and how data is eventually stored. If you see clear text sensitive information make sure you see that on a system that was designed to protect that information, like a secret manager. If that’s not the case, flag the issue with the security responsibles.
- The fifth and most important tip in my opinion is the cliché “put yourself in the attacker’s shoes”. Think how you would break your own system. Is the data transfer encrypted all the way? Can you intercept it on your own? Are their exposed components that shouldn’t be? Can you access them just for a POC? Do you have policies or plain simple culture of secure communication and data sharing in your team? Try searching your email or chat-history for the term “password” or “secret” and see how they were shared.
This is the one field you should always be paranoid about. Always assume you are under prying eyes and try to hit the 20% of actions that would produce 80% of the effect.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)
Here’s one simple tool I believe anyone on the internet should use. Not only would it change your vulnerability to hacks and personal data theft, but as an extension you’d be protecting any company you’ve ever worked with. Don’t be the gate through which hackers can access information, and don’t be the victim of identity theft. Use a personal password manager. One that generates unique and complex passwords for each of your internet accounts and remembers them. Use that in combination with MFA wherever you log in to and your level of personal security would be ramped up by miles.
This secures your profiles online and simplifies everything around them; you no longer need to type in passwords, remember credentials or reach for your phone for the 6 digits code of the MFA. The app does it all for you: with one authentication (can be delegated to a fingerprint reader if exists) login information is filled out for you, and MFA codes are being held at the clipboard for you to paste them in. The excuse for using such an app can be sheer laziness and would still be worth the money spent.
If there’s service anyone should ever pay for, I suggest it would be that.
Personally, I use 1Password (full disclosure — I’m not affiliated with them in any shape or form; their competitors can provide solutions just as good).
How can our readers further follow your work online?
I used to write for different Medium publications including our own at ProdOps, then expanded to dev.to and Hackernoon and sometimes to private ones. All of my history posts are published at my own blog: omerxx.com. In addition, you can find more information about the varied projects my colleagues and I encounter on @devopsprodops, as well as on ProdOps LinkedIn.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!