When it comes to the modern cybersecurity landscape, no one is secure, no matter how large or small a company is. Even if a company puts tremendous resources into securing its systems, hackers will likely still find a way around those defenses. The key is understanding your limitations and putting the right protections in place based on your individual risk.
For our Cybersecurity Awareness Month podcast series, we talked to Carlos Buenano, CTO for operational technology (OT) at Armis, about making cybersecurity a habit, the emergence of artificial intelligence (AI) and an event from his career that still scares him to this day. Listen to the complete podcast here.
The following has been edited for clarity.
Tyler Wall: Cybersecurity Awareness Month is highlighting some key behaviors like multifactor authentication, strong passwords, recognizing phishing and more. What do you think people should be focused on this month?
Carlos Buenano: Well, it’s possible all of the above, of course. But that’s actually the more you can do, the better, right? So first of all, password managers are a really, really great tool. People ask me, “Can you share your password?” And I can show them the password with their all-scrambled letters and characters and stuff, and they could never find the password as it is. So that’s actually a really good tool to have.
There’s so many out there in the market. I’m not going to recommend a specific one, but use that. You only need to remember one password to find all the other passwords, and then you can continue on and build it up until you have all your services under that.
Multifactor authentication, of course, is a great tool for securing your access to your systems. But I know that most people can be very conservative and react negatively when it comes to changes and having something else to deal with when it comes to logging into a bank account, or anything else. So it is all about human behaviors. Once you get used to it — you have to do it 26 times, I think that’s the number — once you do it 26 times, you’re used to it. Then you continue on, and it’s like nothing else. You have done it all your life. The changes can be hard, can be drastic, but if you do it, it will pay out.
Gary Cohen: Once you make something like that a habit, it becomes a lot easier. You don’t have to think about it anymore.
Buenano: Correct. The problem is just to get there, to get to building the habit. That’s the hard part. But once it’s there, do it. Get familiar with phishing emails. Me particularly, I never click on a link, ever. So if someone asks me, “Hey, can you look at this?” and it’s legit, I even go to the source, say like Google Drive. Say, “Hey, I modified this file. Can you have a look at it?” I don’t click on the link. I just go to Google Drive and find it and then open it. Even when it comes to banks and things like that, even when the banks send me an email and it’s legit, I just go straight to the bank. Go to the notifications of the bank, and then just find it that way. So I know it’s probably a longer way, but again, once you get used to it, it’s like nothing else.
Cohen: What trends or developments in cybersecurity are you particularly excited about heading into 2024?
Buenano: I’m excited about AI, so I can’t stress it enough. I actually myself found AI six months ago, and I already incorporated it into my day-to-day tasks when it comes to investigation, when it comes to understanding several things. I know sometimes it can be outdated, sometimes it can actually be not entirely correct, but it’s a great starting point. We have to be very, very careful how we use it, of course, and who uses it. But it’s actually something that’s definitely going to change the way we work.
Wall: Can you share a memorable experience, or case from your career, that highlights the importance of cybersecurity?
Buenano: There’s several, but one that always sticks in my mind is I was actually working for an energy company in Australia. We were trying to facilitate the concept of zero trust to the company. So this company had 18 facilities. They had 6,000 wells, gas wells. They have every single vendor there, manufacturer there — they’re from Siemens, Honeywell, Yokogawa, all of them. And we wanted to create a specific way for them to connect and then do maintenance, as opposed to getting the specialist to fly over from Germany, or from the U.S., because Australia is really far to get to, and it’s very difficult time zones, shift of day to night, and things like that. So it’s very difficult. What we wanted to do is to provide a mechanism for vendors, engineers and everyone else that needed to legitimately connect to the network and do some maintenance, some support diagnostics, or whatever it is. We wanted to get that in place.
So we implemented a portal where you connect via HTTPS and then from there use different jump boxes within the system, and all segmented into reaching a specific part, vendor, technology. The idea was just if Honeywell, or Siemens, or Rockwell wanted to gain access, we wanted to give them the time. We wanted to give the approvals. We also wanted to give them access to only the devices that they needed to get access to. So, again, it was all part of the zero-trust development, or deployment.
So we created everything. We tested everything. Everything was actually up-to-date, ready to go, was working as intended. The last step for us was to publish it to the internet so that they could start accessing it from the internet. The day that we flicked the button, we had logs to understand who was logging in, who was actually having trouble logging in and so forth. Within five minutes — and this is actually something that today still scares me — within five minutes of us turning on the system, we had 5,000 hacking attempts to get into the system. The way it was, it was obviously a bot going through all the different user names possible, all the real common passwords and user names like admin/admin, administrator/admin, admin/password, admin/password123, admin/password123bank. It was so scary because it immediately overflowed the logs. Then, for us, it was like, “Wow.” So we definitely need to increase the security as much as possible because within five minutes to get this response was very scary.
Cohen: Speaking of attacks like that, we’ve had quite a few major headline-grabbing attacks in the last few years, whether it was SolarWinds, JBS, Molson Coors, any number of them. What do you think we have learned as an industry from the recent attacks?
Buenano: It probably can sound like a simple answer, but the answer is, no one is secure no matter who it is. And this is actually coming from dealing with customers. Unfortunately, customers are still naive in thinking that they have actually put all the systems in place for them to feel comfortable. But the reality is, you cannot feel comfortable ever. You always need to think about if there is something you’re missing and look for it. There is something that you can do better. The way I explain it to the customers is, imagine a house. You have your own house. You have windows. You have doors. Are you secure? Well, no. You have a door, and someone can kick the door. OK, well, you put up a gate. Are you secure? No, you can just get an angle grinder.
You’re always going to have a tool to protect your house, or a method to protect your house, but attackers will always find a way to overcome that obstacle. This is actually the way I picture it to the customers. It is not about being scared. It’s about being aware of what your limitations are. And you have big names in there, like Dole. You even have big companies, the big government institutions in Ireland for instance, the hospital system that was completely hacked. We have oil companies that were completely hacked. Last year alone, the ones that we sort of focus on, we have like 30 or 40, and we are looking at companies like Nvidia, Foxconn. They are really very thorough companies that have a huge amount of budget. They have a huge amount of effort when it comes to cybersecurity.
But the problem is, the bigger the name is, the bigger the target is going to be. So then you have to be always very aware of what your deficiencies are, making sure that you understand your vulnerabilities. You asked the question about what I’m excited about, what is coming next year? Next year, we are looking at, especially Armis is looking at, vulnerability management. Trying to understand vulnerabilities across all the devices on the network, understanding what the security posture is and what can you do about it. Try not to overwhelm yourself resolving all at once because it’s impossible. Because you have so many devices out there with so many vulnerabilities, break it down. Break it down into which ones are the ones that have been exploited. Resolve those first. Patch those first. If you can’t patch them, create a mechanism for network segmentation.
Only communicate to those devices that are vulnerable when you need them. And whatever the devices that you need, you make sure that if they’re in the IT (information technology) network or they have a direct connection to the internet, make sure that at least those ones are secured with everything, every tool possible that you can. A multifactor authentication, we have EDR vulnerability scanners, even backup systems. Because if you do get attacked, make sure that you have a way to recover from it. And when it comes to backup systems, make sure that the backups are not compromised, either, because that’s another thing. You might think that, “No, don’t worry. I have a backup.”
My brother actually works for a big backup company, and he said to me that sometimes customers get compromised. But it’s already too late, because when they realized where the source of the compromise was, the backup systems already had the vulnerability and the malware. Then, if you’re going to redeploy it, the malware will distribute again. So you need to be very careful, very diligent to your processes and making sure that your processes are completely up-to-date and always aligned to what you want to achieve in your cybersecurity journey.
Wall: What emerging technologies do you see impacting the field of cybersecurity in the near future?
Buenano: Again, I can’t stress enough, AI can be used as a weapon, and it has been already. So you already look at the dark web — I don’t know how you want to call it, the bad guys — they already modify the capability of AI to use it as a weapon. And the idea from what I can see at the moment is that they’re trying to look at those vulnerabilities and exploit the vulnerabilities and find better ways to exploit the vulnerabilities. Which brings me to the next concern that I have, which is RaaS, ransomware-as-a-service, which is becoming more and more popular.
It has been out for a few years now, but you can actually see that the revenue according to what has been listed is doubling up every year. That’s something that is very concerning because now you have an organized company that is receiving payment from customers to do the exploiting of companies and devices, or of specific targets, whatever the target is. You need to keep an eye on it. Again, we can’t escape out of it, but we need to protect. Then, the next thing is to use not only AI as a mechanism to get more efficient when it comes to doing your tasks, but also to become more efficient when it comes to protecting your network.
Cohen: We always like to end with the hardest question of the day. Tyler and I have been having a little debate about whether there are any good cybersecurity TV shows or movies out there. What is your favorite movie or TV show that has something to do with cybersecurity?
Buenano: I spoke to you about one, but that’s actually more funny than anything else. “The IT Crowd” is a very old show, but it’s very funny. It does light up some of the banalities of a team manager. So it is very, very funny. And a serious show, I think “Mr. Robot” has been my top favorite. The reason why it is not is because it is all about cybersecurity and what is possible. It’s the way they approach it. It’s actually quite realistic when it comes to the commands. If you see the commands that they run — I was actually trying to understand how the hackers work.
So essentially research, let’s call it. And I was actually very familiar with Kali Linux and all the commands that you can run to exploit some of the vulnerabilities and so forth. I am a programmer myself. Sometimes, it gives you a snapshot of what they’re doing on the keyboard, and you actually pause it and see the commands, and they’re quite realistic. It is something that they do a lot of research when it comes to the possibilities and how you will do it.