Ondrej Krehel, CEO & Founder of LIFARS, is recognized worldwide for his digital forensics and ethical hacking expertise. He actively participates in many high-profile engagements around the world, where his proprietary methodology is leveraged to achieve the most rapid root-cause analysis and remediation. This interview with Ondrej Krehel is the first part of a four-part series. So, stay tuned for more!
Note: Originally published in NEXTECH magazine and republished with the kind permission of Mr. Martin Drobny.
NXT: Cybersecurity is a never-ending story. Is it possible to achieve a condition where companies will be fully protected against any current or future cyberthreats?
Ondrej Krehel: There is a saying: Everybody makes folly within the limits of his own common sense. Digital systems are programmed by talented people, but even they have their limits. We even give the consequences of those limits a name: flaws of the system. There will always be weak points. A fully protected system will never exist – from the cybersecurity point of view there is always a possibility that a system will be exposed to threats. Every system can be endangered with different severity – ranging from a simple flu to cyber cancer.
You need to keep in mind that tactics, techniques and procedures of attackers are ever-changing and evolving, new threats are emerging, new vulnerabilities are found, and therefore it is inevitable to periodically evaluate cybersecurity, analyze and enhance it. Only with this approach can we stay one step beyond the intruders who currently are, and unfortunately always will be, one step ahead of us.
However, it is possible to maintain such an attitude towards security by reducing the head start of attackers to an acceptable level. This can be achieved through a combination of the customer’s security needs assessment (taking into consideration the value of protected assets) and the risk level that the customer is willing to accept. By implementing defense in depth, it is possible to provide redundancy of security controls. This means that even if the attacker overcomes one security control, the other will stop him. If he overcomes this next hurdle, there will again be one more to stop him.
NXT: What is the inevitable minimum of products or services that every company should use to have at least a basic protection against the attacks and be able to promptly react to them?
Ondrej Krehel: First of all, companies should know and define their security needs and the value of their assets. Their investment in security should be relative to this value. The result should always be a combination of several types of security controls. More specifically, those controls are divided into the categories of preventive, detective, corrective, and compensatory controls.
From the category of preventive controls I consider the following items to be the necessary minimum: firewalls, IPS, access control with two-factor authentication, antivirus protection, strong passwords, timely software updates, encryption, data backups, regular employee training, security policies and procedures. For organizations that could be a target of an advanced attack, I recommend application allowlisting, implementing defense in depth, and of course EDR.
Detective controls are very important for the early identification of vulnerabilities in the network and information systems as well as for the detection of cyber incidents. Without these controls, it is impossible to detect an incident in time and react to it. The following items belong to the group of detective controls: pentests, network monitoring, SIEM, SOC, and security audits.
Corrective controls aim to restrict the impact of deficiencies or incidents and restore the secure state of the system. The following items belong to this group: restoration from backups, incident handling and response, updates, applying security patches.
To conclude, companies should use a variety of controls for basic attack protection and incident handling. These tools and controls should harmonize with each other like musical instruments in an orchestra. Planning, coordination, and fine-tuning of these controls often pose a challenge for many companies that do not have an experienced cybersecurity expert and thus invest money in ad hoc solutions and so-called security appliances. The vendor sells them a magic box that promises a complex solution for their security, and they easily fall victim to this false sense of security. Consequently, if they get attacked by ransomware that encrypts their data, they suddenly do not know what to do, because they lack backups and incident response plans.