Digital Pond EP #9 Anders Reeves — Mastering Cyber Security & Ethical hacking

Cyber-Duck

Jun 30, 2022

In this episode, we’re joined by Anders Reeves, the Founder and CEO of CovertSwarm.

CovertSwarm was founded to help organisations expose vulnerabilities in their digital ecosystem and security strategy. It does this through an innovative platform that is one of a kind when it comes to ethical hacking and pen testing.

During the podcast we discuss how public breaches, such as Sony PlayStation and Olympic, helped Anders recognise the need for a new approach to InfoSec. We discuss why the recent instability and Russian aggression in Ukraine are causing major headaches for website owners all over the world and, finally, why culture and diversity are so important for effective digital security.

You can listen to the podcast in full on Spotify and Apple Podcasts.

You can find the full transcript for the podcast below.

Transcript

Danny Bluestone

So, Anders Reeves from CovertSwarm, it’s great to have you on the Digital Pond podcast, welcome.

Anders Reeves

Thank you very much. It’s great to be here.

Danny Bluestone

Fantastic, and yeah obviously a really exciting space actually, probably one of those spaces that many people think about all the time, but don’t necessarily invest enough in, which is the world of cybersecurity InfoSec.

It’s something that impacts all of us both as businesses, consumers, suppliers, partners, new business, it pretty much impacts the whole supply chain. Tell me a bit more about how you got into this space? And why you’re in it?

Anders Reeves

Yeah, it’s a great question. So, the very short answer will sum up about 20 years of experience, and all of this is in the public domain. I really started my technology career seriously at Sony PlayStation, and Sony PlayStation was an amazing place to work. I worked in Sony Computer Entertainment Europe for about eight years full time and we were supporting 16 or 17 territories across Europe.

One of the three global PlayStation entities, you had Europe, Japan, and America, and they were very publicly breached on a number of occasions and that really opened my eyes to the role that we were playing in the technology team and the importance of information security. From there, I moved to moonpig.com, and again, it had suffered its own issues over its life, and this was a thing that I found started to follow me. I guess rather than be too paranoid that it was perhaps all just me, what I did was take a step back and look at the security practices of these companies and of course many others that have all publicly suffered a breach. I recognised that they were all doing the same thing to try and remain secure, and that thing was to occasionally, like once or twice a year, test a very small subset of the assets that those organisations owned, and the idea was, in their view, if we’re going to test these things that we really care about and we find them to be secure, or at least we understand that insecurity so we can fix them, we’ll be safe.

But guess what, everyone still got breached, and so, for me that 20-year journey culminated during COVID back in 2020, when things really began to get very serious and the entrepreneurial bug bit me and I thought, well, perhaps there’s a business here that challenges what we now feel is a really legacy approach to trying to get some kind of assurance that your organisation’s security is fit for purpose and that’s really where CovertSwarm was born.

Danny Bluestone

It’s a really exciting story.

You’ve been obviously exposed to both b2c organisations as well as b2b organisations as well.

As I know from the work that you do with us, it’s on the enterprise side, it’s on the consumer side. So, it’s a really great track record that you have, and it seems to me, obviously, from what we see here at Cyber-Duck in the digital transformation space, web design, web development side of things, that it’s not a question of “if” it’s a question of “when”. Everybody is exposed to security risks on a daily basis. Do you still think that there’s an element of naivety out there that certain organisations have, where they have quite a lot of exploits, and arguably some organisations, small to medium sized businesses, are doing better jobs than others at securing their defences, right?

Anders Reeves

Certainly. We work with about 70 brands and it would be honest to say that each of those brands takes security seriously and that’s one of the reasons that they choose to engage with us, but of course, there are countless organisations out there of all sizes that put their proverbial head in the sand and go, it’s never going to happen to us. I have spoken to prospects where they’ve said, we love what you’re doing but we just don’t really have time for security right now because we’re so busy innovating, and you think, wow! Okay, well, I look forward to reading about you in the headlines someday, because it’s that mentality, where product velocity, the deployment of code to production to achieve commercial objectives as quickly as possible, invariably results in that business getting bitten in the backside down the line, where perhaps security practices have just been an afterthought or not been talked about at all.

So, the short answer is, yes, there is certainly a fairly even distribution of organisations that take this deeply seriously and do it as more than just a checkbox in order to achieve a certification or some form of compliance, and then there are the others who seem to just go, well, we’re probably not interesting targets and therefore we will never invest, and they’re usually the ones that then get hit by something like ransomware, where somebody receives a phishing email, they click on it and suddenly the entire file system or more is encrypted and then there’s big trouble.

Danny Bluestone

So when I think about 2022, it’s such a… in a way, a different year, also familiar, but we’ve just gone through probably the biggest digital transformation and innovation period in history because of the pandemic and how many businesses and services had to completely compound their growth online. So that was a result of the pandemic, and obviously it’s continued this year after the pandemic, and then we’ve also got this whole political situation, the macro situation with Russia, Ukraine and other state actors as well.

Can you see a big rise in the amount of threats out there?

Or is it just business as usual in 2022?

Anders Reeves

It’s interesting, I think, judging from our exposure within our own clients but also looking at what is genuinely being reported. Even this morning, Jeremy Fleming, the head of GCHQ, gave a press conference talking about the need for UK businesses to improve their cyber resilience.

I think we’re currently waiting for the storm that is expected to fall out from the Russia Ukraine crisis to really hit the West. So, there are countless sources, Ben Wallace, the UK defence secretary, being one of them, who have made the comment that we’ve not yet seen the level of cyber-attacks that have been expected, but we can’t ignore the fact that a month ago, Russian hackers are reported to have come very close to cutting off electricity in Ukraine for about 2 million people, and there’s now evidence coming out, I think today I read that just prior to Russia’s invasion, there were very widespread attacks on things like wind farms across Europe and general internet service provision. So ViaSat was hit; it’s thought to have been as a result of trying to get to military targets through ViaSat, but now they have tens of thousands of terminals that have been affected, and I still think that’s a drop in the ocean.

So, the rhetoric is now heightening to the point where the head of GCHQ is publicly saying UK organisations need to take this more seriously and they need to improve cyber resilience.

You’ve got Biden in the US and the UK defence secretary Ben Wallace saying that offensive security measures are things that should be considered to be employed, so that we can all pressure test or sync test our own organisations’ security and critical infrastructure. Of course, that definitely signals a shift in tone and approach, and it’s away from solutions that are focused on defence and looking more at where we now sit at CovertSwarm, which is offensive cyber security.

One of the things that really haunted me for the 20 years that I sat on the defence side of technology was the reality I came to with my team was that we had to imagine a sort of net had been cast over our organisations and our job was to plug every possible gap in this net to prevent bad actors from getting through. The reality is a bad actor has only got to find one hole and everyone in defence has got to plug every hole.

So, I think there’s a lot of sense in what we’re hearing being reported, which is put more focus on the offensive side of what could get into your business, because that’s going to help you find the point of breach more quickly, and that’s exactly how we work. We emulate that threat actor in exactly that way, so that we find that one route in that’s going to lead to the thing that is your worst nightmare.

Danny Bluestone

So clearly thinking like an attacker, and then obviously not just thinking like an attacker but actually having an agency or organisation or tools that are essentially mimicking attackers and the various vectors through which they would penetrate the organisation, is clearly something that you recommend, and you can help organisations and clients with that service.

What are the other things? Because even with the best security in the world, there can still be… even if it’s a little incident or another type of incident, there are other contingency measures that organisations can have, for example, playbooks. So there are a number of scenarios, what we found, and again, it’s being ISO 27001 certified, where essentially we look at risks for ourselves and our clients, we’ll have a number of them, it’s almost like a playbook.

So, for example, if somebody hits one of our instant messaging tools, regardless of whether there’s a security risk or not, even if a service is down, we’ll have a contingency plan. How important are those contingencies in your view? And is this also something where you can see a lot of movement in terms of more organisations starting to talk to you about putting those types of contingencies in place?

Anders Reeves

So, the short answer is yes.

So, an incident response plan is something that every organisation should have, no matter how short it is in your organisation, that simply says that in case of emergency, do the following. We could spend an hour alone just talking about those, but I think there are some basic points that will be really helpful for the listeners to be thinking about and taking away from this broadcast. So, I think starting with what it is you are trying to protect is really the fundamental thing here, because unless you know what you’re trying to protect, it makes everything very fuzzy and fluffy, and there’s a lack of clarity over what you’re really trying to achieve, and that will be a different thing, or different things, for different organisations. So really defining what it is you’re protecting and what the results would be of a breach or corruption of that.

So, imagine that there’s some form of data, most likely, and what the impact would be to your business, and that’s very much where ISO 27001 comes in, the idea of risk registers and making a decision, a conservative decision, as a business and as a board as to your appetite to address those risks. Once you’ve defined those things, then it’s important to monitor and be aware of what is normal behaviour and what is abnormal behaviour when it comes to interaction with those assets.

So, let’s imagine the crown jewels of the business are a customer database, for example. There will be normal levels of interaction with that through APIs and other tooling, and there will very likely be easy ways to spot unusual interactions, multiple failed logins, for example, to try and access that database. So, from that, you then start to build alarms and triggers that will alert you to issues, and from those you do the “If This, Then That” approach to your incident response.

The important thing is that you have some form of formality in the incident response plan so that people know what they are doing, but more importantly, and this goes back to what we were saying a little bit earlier about offensive security, it’s fire drilling those things. It’s great to have a plan, but if you haven’t tested it, how do you know it’s going to work? And one of the things that we promote and advise other boards on is actually filming your incident response when you’re fire drilling.

Observe all of the people in your organisation involved in delivering incident response and where improvements can be made, either in communication, in decision making or in other areas, so that when you debrief after running through your playbook or your playbooks, people can see their behaviours, they can see their colleagues’ behaviours, and those behaviours can be reviewed, adjusted and improved, just like you would with code or any other aspect of your business.

I’ve been involved in these, when the incident response plan hasn’t been tested, or perhaps it hasn’t even been created to deal with what you then face.

The FUD, the fear of uncertainty disorder that can really play interesting noise within the team trying to solve a problem can be as disruptive as the issue itself, and so if you are already familiar with incident response plans or you have those playbooks to hand, dust them off and make sure you test them, I would argue at least every six months, just so everybody understands their roles and where they would go.

Danny Bluestone

I think that’s brilliant advice.

What I’ve seen over the years is that when you have those processes in place, it’s invaluable, right? So, when something does happen, and things do happen, you know how to communicate, you know how to recover, and even if there are things that you haven’t expected, potentially a bit more left field because no attack is the same, at least you’ve got that chain of command in place. From what I’ve seen, it is the individuals themselves ultimately in there, I think the word is creativity to a certain extent here, their experience, intelligence, creativity, that really helps when these incidents do happen.

You have individuals in the organisation that can be trusted and promoted to, in the future, continue to deal with these particular problems as and when they do occur. So, I think, absolutely, it kind of goes back to people as well and having the right people in the organisation, the right training, which I think is really important. You can leave that for SMBs and especially SMEs as well, where there’s probably less; you may not have a chief security officer or even a security analyst in the business, and that might go to, for example, an IT manager or a tech lead or someone like that, right?

Anders Reeves

Absolutely, and just to pick up on a couple of points you’ve raised there, if your organisation doesn’t have people at the heart of its security program, strategy, plan, incident response, it will fail.

So, I think there’s too much reliance placed on technology solving the security problem for organisations, when certainly in the attacks that we deliver ethically against our clients, people are very often the route into the organisations when we attempt to breach them to demonstrate where their vulnerabilities lie.

So, a key takeaway is don’t forget the personnel. Even if you don’t have people in those big job titles, where you have the resources to have dedicated security teams, don’t forget the people in your planning and in the strategy.

The other point that you just touched upon was the chain of command when things do go wrong, and one piece of advice I would give, and this is firmly rooted in experience over many years now, is that one of the most effective ways a bad actor will use to disrupt the organisation that they’re attacking is to break the communication between the chains of command, and one of the most effective ways of doing that is to bring down their communications platforms.

So, if you’re an organisation with access to something like Office 365, they may attack that instance to make sure that you cannot email, you cannot send messages through Teams, for example. Similarly, if you’re a Slack user, they might go after the credentials for that and try to disrupt that service.

So, one of the pieces of advice I would give is to make sure that you have a hard copy of everybody’s contact details, ideally phone and landline, if people still have landlines, so that you’re not reliant on technology to reach individuals, at least from a phone number perspective. The second thing is to make sure that you have a pre-agreed way of communicating out of band, so not using the traditional methods of communication that you might use. So again, for example, if you were an organisation using Microsoft’s tools, perhaps have an out of band system that uses something like Signal on your mobile platform, so that you can communicate completely aside from the organisation and re-establish communications, that chain of command, and then send the message to everybody, right? This is how we’re now going to communicate going forward, using another platform until services resume.

A couple of organisations I’ve worked within, I’ve advised and they’ve taken this up, is actually to carry a small card in their wallets with what looks like a completely nonsensical Twitter hashtag on it, and it’s simply a case of, if we all lose communication to the office, go on Twitter, search for this very odd looking hashtag and it will tell you via a post where to go next, because we may not know in our planning where to go next, but we will know when we have to break the glass and start doing something.

So, make sure you’ve got those numbers, make sure you have an out of band agreed way of communicating, and perhaps leverage platforms like social media in slightly different ways to get the message out to staff, and they will know where to go for that next message as to how to communicate when the organisation is invariably brought down by hackers.

Danny Bluestone

Yeah, absolutely.

If communication tools go down, and they often do go down, or for example, you may have a situation where you don’t trust your communication tools because somebody’s actually managed to get into them, having that contingency playbook of where to go and what to do is essential. So yeah, really great advice there Anders, and there are different types of attacks out there.

So, there’ll be the more targeted attacks that are by very sophisticated actors, and then there’ll be sort of almost like the bot attacks, which are just pretty random and sporadic. In terms of threats to… because obviously, with the Digital Pond, a lot of our audience are entrepreneurs, very strong kind of digital players that may be running startups and working in larger organisations as well as… Would you say that they need to have different types of mentalities depending on who’s going to attack them?

Or is it a standard kind of defensive mechanism that they should be taking, as well as having different contingencies? Because I imagine that if the attack is far more sophisticated, as you said earlier, it could well be that they’ll try and obtain a database, but as they’re doing that, they may also bring down their instant messaging tools, and potentially almost like their directory of where they would go to contact each other, so they can buy more time.

Whereas if it’s just a random bot, I’m assuming they may just lock the database and that won’t impact the instant messaging set. So does that kind of change the strategic defence approach?

Or not really?

Anders Reeves

Well, I think it does. So you make a really interesting point. If we were to think of attacks in those two lights, the very much targeted attacks or what we call drive-by attacks, the opportunistic attacks, I would argue that the majority of organisations will be exposed to drive-by attacks fairly regularly, if not constantly, to be frank, with the automation that can now support those types of attacks.

So, the first element that I think the audience should be considering is simply to try to lower how attractive your organisation is for that sort of drive-by attack, and what that attack is looking to do is play through a fairly known list of low hanging vulnerabilities that could signal genuinely poor cyber hygiene in the target. So really, the objective should be to make yourself as unattractive as possible to those types of attack, and then aim to slow down an attack that maybe does get interested in you as a target, in a way that it then quickly loses interest just because it’s too much of a headache versus attacking the rest of the world, which has got far more exposed issues. So, I’m happy to give some very pointed bits of advice and guidance here, and really the first one is don’t ever, ever, ever reuse a password. You’ll hear it everywhere and it is the best advice I can give, no matter what the size of your organisation.

Before this call, I went on to a very well-known and respected website that I’d recommend everybody register on, haveibeenpwned.com, and that is an ethical site that allows you to look up whether your email address or phone number has been part of publicly recognised breaches. So, Danny, before this chat, I went on there, I put your email address in there, and unlike most of us, you’ve been in a number of data breaches.

We have the famous one from Adobe back in 2013, and there are multiple from LinkedIn, which have all been very publicly discussed. But the reason I talk about never reusing passwords is that if your email address does fall into one of these data breaches, and it happens to be in one that also contains an unencrypted form of your password, and you reuse that password, it’s safe to assume that at some point you’re going to get breached. So, the simple answer is register your entire organisational domain on haveibeenpwned.com and do a cyber hygiene check: put your email addresses in there and see, have you been in any recent breaches. The next thing I would do is employ a password manager, really simple, fairly cheap, very effective.

With a password manager, it’s an encrypted store that you keep either locally on your machines or in the cloud, where you have to remember one password, that is it; all your other passwords are protected by it and in fact created by it. So today I have hundreds of accounts, both personal and business, and I don’t know any of their passwords, I just know that one password to get into my password management tool. I use the tool 1Password, but there are many other flavours out there, and the combination of making sure that you’re not reusing passwords and you use a password manager, for me, is kind of the gold standard that everybody can adopt with zero to no cost today and avoid issues. That’s number one and number two.

There’s an interesting third one, which I don’t know many people are aware of, that I wanted to raise, and that is where you’re asked to create accounts and they ask you something like the following questions: please enter the name of your first pet, or the name of the street you grew up on, or perhaps your best friend’s first name. Never, ever, ever provide a real answer to those types of questions whenever you’re creating an account.

It’s very much for the same reason, right? If that is known, your first pet’s name is known, there might be weak user flows in other accounts that you have that could expose your data. It’s actually something that bad actors employ on social media. You’ve probably all seen the Facebook-like games where they say, right, put your mother’s maiden name into this and the name of the street you grew up on and it comes up with, you know, your actor name if you’re a Hollywood film star. These little games get circulated widely on social media, but they’re often put in place by bad actors who are trying to scrape that data.

So, they can then go on and start to attack genuine accounts where the bypass mechanism is effectively the answer to those types of questions. So, don’t be caught out by those things. Record those answers in your password manager as well. So hopefully that makes sense, Danny?

Danny Bluestone

Yeah, absolutely. I mean, only two days ago, I was actually on one of the UK government’s websites and on one of the accounts that I set up a long time ago and it was asking exactly those questions.

The name of your favourite football team, the name of your first car. Of course, they put in all kinds of fictional names originally, but yeah, I think it’s bad security to even make it part of a kind of bootstrap registration process, isn’t it? Because it’s kind of encouraging… but I guess this goes back to website designers and their understanding of security best practice. Also, when we last spoke, you mentioned that email addresses are kind of a part of 50% of attacks today.

You mentioned that there are things that can be done there as well around using different types of addresses. Is that correct?

Anders Reeves

Well, if you think about an attacker, they need to know typically two pieces of information at least to get going: a username and a password. Usually the username is an email address, and what most of us do is just use the same email address because, well, that’s our email address, and then we try to get smarter by using complex passwords or passphrases.

But if you have really critical things in the organisation that you’re looking to protect and perhaps segregate in some way from your usual day to day, why not adopt a different email address when you log on to those things, so that it’s just twice as hard for the attacker to understand how to get in there as you? If it was simply anders@CovertSwarm.com on everything, then they already know half of the login and it’s just guessing the password. We haven’t come on to multi factor authentication yet and how that further improves things. But it is a piece of guidance I came across quite recently and I really liked the approach, because if you have online banking or something that’s super critical in your business, think about a second email address that you just privately use to access those systems and you’re already raising the bar and, again, slowing down the attacker. So, when that drive-by attack comes by, perhaps gets interested and then starts to see that they’ve got complex passwords that are 12 characters long, or passphrases, which are even better.

Okay, that’s going to be a headache, and oh! Okay, they’ve also got password management in place that’s encrypted everything so we can’t really get beyond this. Oh! And they use multi factor authentication. Oh! And they don’t even keep the same email address for everything. It’s going to be too much of a headache and they’ll just move on to the next much easier target, and that’s exactly what you want to try and do all the time, building those layers to slow them down.

Danny Bluestone

It’s a great way to summarise it: 50% of the attacker’s knowledge is your email, so then make that 50% as hard as possible. It’s been great to see what Apple have done with the thing… I think they call it iCloud email alias or something, but obviously they allow you to protect your identity when you use different services now. So is that something that you’ve seen some of your clients adopt? Or is it more of a personal use case?

Anders Reeves

I’ve seen it more on the consumer side of things at the moment, but it’s definitely a move in the right direction and it just makes logical sense at the end of the day, doesn’t it? That you’re further complicating that slightly easier element of the data that needs to be reached to get in.

Danny Bluestone

Yeah, you’ve mentioned multi factor authentication or two-factor authentication. I know that they’re very similar and it’s obviously just terminology, but essentially it’s the same thing, isn’t it? It’s just providing your credentials with another way to prove that you are who you are and just make it… put in an extra step that makes life fairly complicated, right?

Anders Reeves

Yeah, that’s true.

Danny Bluestone

Yeah, I know that with Office 365.

Like, obviously I’ve seen SMS being used primarily by Microsoft, and is there a way to… Or I guess the question is, is it true that using an app like 1Password, for example, to enable that MFA is better than using SMS? Because I know that’s a quite controversial topic, isn’t it?

Anders Reeves

I’m not sure if it’s so controversial now; we’ve banned that in our organisation. So, if it’s available to be disabled, we don’t allow SMS as a second factor on any of the platforms or tools that we use, and that’s because there are fairly straightforward ways of effectively hijacking people’s telephone numbers. These days it’s widely reported, and there are other security podcasts that go into some detail around this, but usually it’s a much more targeted attack, attacking the user’s mobile phone so that you effectively clone their SIM and therefore receive that factor of authentication through SMS. It is a known and publicly exploited way of getting that second factor. So, as you say, something like 1Password or Google Authenticator or a similar app based authenticator, where you have the scrolling digits that change periodically, in our view is a far safer way of having that second factor.

If you think about multifactor, the simplest way of thinking about it is when you log in, the password is something you know, and the multifactor element is something that you have, and that’s how you separate those things. So, I could give my username and password on this podcast if I was feeling brave, but the chances of the second factor being breached are incredibly low just because of the layers of security I then have on my mobile device. You could go even further than that, and again that’s something that we choose to do, and that is lock down access to all of our corporate estate to specific IP addresses; we flow those through a VPN. It’s not perfect, it’s not infallible, but again, it’s another layer, beyond strong passwords, beyond multifactor, to even further harden our estate.

So we take this incredibly seriously because we hold a great deal of information about the vulnerabilities of our own clients, so it’s our job to go what we think is above and beyond. I think for the more traditional SME, a good complex password or passphrase, that multifactor authentication approach to everything that will take it, and having that flow ideally off SMS, so on an app based system, is really a great belt and braces approach to security.

Danny Bluestone

And obviously, with all of these layers of security and complex security mechanisms that we use, I guess there are two things here, aren’t there? Because there’s also making sure that everything is usable in the day to day and it’s not overly complex to a point where it slows people down with productivity. So, that’s one other thing I wanted to explore with you, and then the second thing, which is really important, is the people themselves. I know that we’ve mentioned diversity before, so I’d be keen to get your views on those two things.

Anders Reeves

Absolutely. So, just taking the first point and I’ll distill that into, how do you build a great security culture within your organisation?

One of the lessons I’ve learned over my career is that staff engage best with security education when you make it relevant to them, and one of the best ways of doing that is to make it as personal as possible.

So, if you think about the conversation we’ve just had, where we’ve talked about complex passwords, password managers, multi-factor authentication: pretty much likely, four or five years ago, people would have kind of glazed over if you’d sat in a room and presented them this idea about how to secure the corporate infrastructure.

However, when we did choose to do this, and in other organisations I’ve supported over the last few years, we chose to do it in a slightly different way, and we’d invite people to talks where we’d say, here’s how to secure Google Mail at home. And suddenly, people are interested because it’s like, okay, this is something I can learn but I can also go and tell my parents and other members of my family, etc. And almost by stealth, you’re making it personally relevant. Therefore, people show up to work with a slightly different security mindset, and I think that’s something that has to be carried through in as much of the cyber education organisations run to lift the knowledge base and the general awareness of security across their estate.

So, I think education needs to happen on your own estate: learn about the vulnerabilities in your own codebase, in your own app design, in your own architecture.

Learn about how secure your own front reception is. I think watching videos, which are fairly vanilla and generic, generally just turns people off, and it’s much more interesting when they say, if, as we’ve done today, we’ve broken into one of our clients today. I was getting a live feed: wore a high-vis jacket, got into the office, we eventually will get into the server room, we managed to leave one of our calling cards exactly where we were told we’d never be able to get, and we walked out, and what we’ll be doing is debriefing that organisation on how we delivered that attack in detail. What we find whenever we do this type of thing is people are super engaged because they see it in their front door, they see it was their desk where we got a bit of information from; basically, it’s personal.

The key when you do that sort of thing, however, is you never vilify, you never punish, you never single out or beat up individuals for having in some way failed the organisation. It’s really important that you use any sort of demonstration like that to show the holistic state of security in a business; you are then able, I think, to get permission to have the conversation and then replay some of the attacks down the line, where the intention is for everybody to show that things are improving.

I’ve seen it too many times where a proud CTO or proud CISO is on stage talking about how they’ll reprimand somebody for having clicked on the test phishing email that was sent out, and I put my head in my hands when I hear that because I think, what sort of security culture are you going to be fostering? One that really doesn’t want to report genuine attacks when they come in because they’re frightened it might be a test that they’re going to get in trouble for.

So, from a security culture perspective, it’s very much the methodology we follow. It’s also something that we promote. So hopefully that answers your question, at least for that first part.

Danny Bluestone: (00:40:41)

Yeah, absolutely. I think almost like making it more of a game.

So, I’ve seen internally at Cyber-Duck, we’ve sort of built some of our own quizzes, particularly around things like data security, GDPR, as well as InfoSec principles and making sure that people understand the culture of ISO 27001, and with our own quizzes, we don’t even look at the results, we just want to make sure that the team want to improve their own scores in their own time, if that makes sense. I’ve seen other organisations like Censornet and Mimecast provide email kind of security tools that protect you from phishing attacks. I’ve seen sort of things like education centres and comedy videos talking about security, again trying to make it much more fun as opposed to something that is a chore and really boring, so that’s really interesting, and yeah, I guess people is a winning strategy, like getting the people upskilled, right?

And to the second point, you and I were talking about diversity as well. So how important is diversity? Because obviously, entrepreneurs and creative businesses will naturally want to… it’s all the buzz and rage at the moment, isn’t it, diversity? But from a security standpoint, how do you see it fit in?

Anders Reeves

It’s critical, and I say that in big, bold letters. I think it’s one of the most significant risks, accepting that certainly in our case, where we breach clients, we often breach the human element to get at least that first step in on the attack chain that we follow. The worst thing you can do as an organisation is have many people who all act, think and behave in the same way. That sheep mentality, that kind of groupthink, is inherently dangerous because you have a lack of diversity in that behaviour, which means that it’s inherently predictable, and the challenge for an organisation then is that if an attacker knows pretty much any one of your employees is going to behave in more or less the same way, it really opens the playing field a lot further for them to find a route in.

I won’t pretend that we’ve solved this for our own organisation, but it’s something I’m incredibly vocal about. I have to be honest, I heard it articulated in this way quite recently, but I, and probably you as well, don’t even know we won the birth lottery, right? We are white, we are straight males born into the Western world, and it should be part of… and it certainly is part of my drive to make sure that I use what is effectively accidental privilege to make sure that we address imbalances in our society and in our workforce.

If we think of technology as being one where… certainly from a gender perspective, there’s always been a bias towards male employees, and cyber is a subset of that even further still. So I think there’s a lot that can be done to not only improve the diversity of our organisations and make them therefore inherently more secure, through the unpredictability of how individuals within them will act, but also, for the greater good, there’s an important element that we should be bringing, certainly in positions like mine, where we are now actively encouraging applications from women and from minority backgrounds. We want to do away with the sort of… I would argue educational elitism that’s out there. So, we now support students and facilities that are pre-university in terms of stage, so that we’re not naturally falling into a bias that’s kind of self-selecting as a result of university-educated people. And I think we need to look at mental health and cognitive diversity in a very different way, where we see diversity in those areas as positive traits to be employing for because, again, they help us avoid groupthink as organisations, which helps us competitively, commercially, and again maintains an unpredictability about how we will act as an organisation, as a body of people, that makes us inherently more secure.

So, as you can probably tell, I’m quite passionate about this and it’s something I really want to make as much noise about as possible because I don’t think enough is being done or at least it’s all happening too slowly still.

Danny Bluestone

No, absolutely. I think obviously, both in terms of the… where you think about your… as a small business or a website kind of team, the more diverse they are, the more creativity they’ll probably have when they review their security policies, I can only imagine, right? If you have people from different generations, like millennials, and Gen Xers, and Gen Zers, they may be aware of things that let’s say one generation isn’t aware of, and equally, obviously, different genders and races will have different experience sets, as well as people with disabilities.

I mean, it’s interesting, we’re doing at Cyber-Duck quite a lot of work around accessibility and how, for example, visually impaired users will log in to a website… it might be that we’re using different technologies from, for example, let’s say a user that isn’t visually impaired, so I can imagine that because of that there may be different routes into kind of the application as well. So, yeah, fascinating! You’re certainly one of the first people, at least that I’ve heard of, that has spoken about diversity in the context of security. So, it’s really refreshing to hear that type of thinking.

So, this is where I think educating one’s kind of culture on the importance of security and making it part of the DNA, especially in a digital organisation, is obviously going to be really, really important. So, in terms of CovertSwarm, clearly, you’re in quite a privileged place in the market, you’re obviously a really innovative organisation, it comes across on your website as well.

How you… when we last spoke, you said you’re more than just the platform, that you help bring the right type of thinking and offensive-based culture to the table. Can you just tell us a bit more about what you’re doing now at CovertSwarm and how you see the next three years? And certainly, you and your clients?

Anders Reeves

Certainly, well thank you for the opportunity.

So, the way I like to position CovertSwarm is that we are our clients’ worst nightmare, but we’re on their side, and our ambition is to break in and find the invariable route to breach, but then, a bit like a magician revealing their tricks to their client, upskill our clients so that when we repeat our cycle, because we’re a subscription business, we find it harder and harder to break in, because we are continually improving their knowledge and therefore their security posture as organisations. And rather perversely, we’re in a sort of arms race with our own clients, with our moral values pinned to the fact that we want to ultimately make ourselves redundant, because we want to get to the point where we can’t break in any further.

So, we adopt a position of employing fully employed, highly skilled, very diverse ethical hackers, so that we work to find points of compromise but then help lift the security culture for businesses that we work with. So again, rather than beat them over the head with a stick and say, right, we found a way in, aren’t you terrible? We say that we found a way in and we found it first; let’s now work together and help you close that risk, so that when we go again, we find something new and interesting that a genuine bad actor is going to be interested to drill in and exploit.

To put it in raw numbers, we’re just entering our third year now and, with no sales or marketing to note at all in terms of invested resource, we’re now trading in 27 countries, we have employees in seven countries, two continents, we’ve just founded CovertSwarm in the USA, which we’re going to be making a public statement about shortly, and we’re working with something like 70-plus brands now: PLCs, unicorns, and I would argue some of the top 10 brands in the States. And they all recognise that what we do addresses a fundamental problem which the market just hasn’t kept up with, and that is… that, as I said at the very start of this call.

Organisations were kidding themselves that the occasional test on a limited scope was enough to gain assurance that they’re secure, and the reality is, I’m sure that in your business, Danny, you thrive on the ability to change and do so all the time, and when you change, you create fuzzy edges to your business that may contain vulnerability that could be exploited. And so by being our clients’ worst nightmare, we’ve always got eyes on them to find out: has the new employee that’s just posted on LinkedIn that they work with the chief executive, are they easy to phish?

Let’s go and find out, and if they are, let’s use that as something that we can educate the HR team on, how to better onboard people, for example. And we’re really changing the conversation, and I think our success today indicates that we’re on to something, and that this challenger approach that I wanted to bring to market a few years ago now is gaining traction and reshaping the way people think, in a much more positive way, about how security can benefit their business and not just be the brakes that everyone used to think it was.

Danny Bluestone

Now brilliant, and I know that we’re working together now with one of our clients on some large digital real estate. So, it’s great to hear the vision and to work with you as well. I’ve really enjoyed the conversation. It would be great to bring it back soon, because there are many more kind of questions and points, but I’m just conscious of the 45 minutes or so.

So, yeah, thanks so much Anders Reeves from CovertSwarm, and chat to you soon.

Danny Bluestone

Thanks so much for listening. If you’re interested in learning more about the work that Anders and CovertSwarm do, you can visit their website CovertSwarm.com or follow them on Twitter and LinkedIn.

You can find Cyber-Duck on all major social media channels, including Twitter, where we’re @cyberduck_uk, and Instagram, which is @cyberduckuk, and our website cyber-duck.co.uk. Tune in next time and see you soon.

Cyber-Duck

We are an award-winning agency that offers creative and technical expertise for clients like the Bank of England and Cancer Research.