I'm Erka Koivunen, a Finnish cybersecurity expert. I'm here to answer your questions about #CyberSecMonth, creating a culture of security and what you, your boss, and your boss' boss need to know about being hacked.
Oct 4th 2016 by ekoivune • 25 Questions • 3725 Points
Most corporate-level security devices are sophisticated devices that require subscriptions, get updated frequently and do real-time network threat analysis.
Most "home" level security devices are built into a router that is updated once in a while by the user; they are not designed as security devices but for ease of use, and don't do any real-time network analysis.
Sophos offers a "home" license that limits the devices to 50 IPs. There is also the open source pfSense solution.
So the question is, are there any good home network solutions that provide decent protection? What are your recommendations for securing a home network?
You are right that most corporate solutions would be too expensive and would be too heavy to deploy and maintain for home use. And yet at the same time, it is not that uncommon to find that members of a family carry dozens of computers, tablets, mobile phones and park a number of other gadgets in their kitchen, living room, study and kids' rooms.
First, there is and will be a need for so-called endpoint protection. That is, security software installed on your device. That may be anti-virus, it may be an application-aware firewall, it may be VPN and it may be a remote management agent. Whatever fits your need. One should really seek to make use of such security features and products if they are available. The licensing schemes are getting much more attractive, acknowledging the needs of connected families. This, together with patch-harden-lock-down and good credential management, makes your endpoints a tough nut to crack.
Second, there is an increasing number of devices that you are not able to patch (at least with the frequency that you'd wish) and that offer little in terms of configuration options to secure the system. You cannot install anti-virus or VPN on your smart telly, your cheap NAS or your Wi-Fi operated lightbulbs. These devices expect that the security is provided for them by the surrounding network. And you are correct in recognizing that home routers are, generally speaking, not up to the task.
An enterprise-level solution would be to segment the networks, deploy LAN-to-LAN VPNs and IDS, and hook the system into a SOC's monitoring routine. The home user can segment their networks (use the "guest LAN" if your router allows that) but that's about it. We have a solution up our sleeve; we expect that it will be available at the end of the year.
I am glad to see consumer protection authorities step up their act. If more similar decisions are handed out, they may even change the way IoT manufacturers approach security. I am not holding my breath, however. More like eating popcorn. :-)
That was me!
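The segment-and-monitor idea from the home-network answer above (put the unpatchable gadgets on their own segment, let them talk only where they need to, and watch for anything else), expressed as a small policy check over flow records. This is an added example, not F-Secure's product and not code from the AMA: the three /24 segments, the per-segment port whitelist and the flow lines are all constructed for the illustration, and a real deployment would feed it firewall or NetFlow logs from the router.

```python
"""Segment-and-monitor check for a home network (added example, constructed data).

Three segments model what a router with VLANs or a "guest LAN" gives you:
an inner LAN for the things you manage, an IoT segment for the telly, bulbs
and cheap NAS that cannot be patched, and a guest segment for visitors.
A whitelist policy says which segment may talk to which, on which ports;
every flow that falls outside it is reported. That is the poor man's IDS
for devices that rely on the surrounding network for their security.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed addressing plan (constructed): one /24 per segment.
SEGMENTS = {
    "inner": ipaddress.ip_network("192.168.10.0/24"),  # laptops, NAS admin
    "iot":   ipaddress.ip_network("192.168.20.0/24"),  # telly, bulbs, cheap NAS
    "guest": ipaddress.ip_network("192.168.30.0/24"),  # visitors' phones
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Policy: (source segment, destination segment or "internet") -> allowed destination
# ports. None means any port; a pair missing from the table means no traffic at all.
POLICY = {
    ("inner", "inner"): None,
    ("inner", "iot"): None,               # gadgets are managed from the inside
    ("inner", "internet"): None,
    ("iot", "internet"): {53, 123, 443},  # DNS, NTP, HTTPS; nothing else leaves
    ("guest", "internet"): {53, 80, 443},
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str

def segment_of(addr: str) -> str:
    """Map an address to a planned segment, unplanned private space, or the internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    if any(ip in net for net in RFC1918):
        return "unknown-private"  # private space we never assigned: worth a look
    return "internet"

def check_flow(flow: Flow) -> Optional[str]:
    """Return a violation reason, or None when the flow matches policy."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if (src_seg, dst_seg) not in POLICY:
        return f"{src_seg} -> {dst_seg} is not permitted"
    allowed = POLICY[(src_seg, dst_seg)]
    if allowed is not None and flow.dport not in allowed:
        return f"{src_seg} -> {dst_seg} port {flow.dport}/{flow.proto} not in whitelist {sorted(allowed)}"
    return None

def parse_flow(line: str) -> Flow:
    """Parse the constructed log format '<src> > <dst>:<dport> <proto>'."""
    src, arrow, dst_port, proto = line.split()
    assert arrow == ">", f"unexpected flow line: {line!r}"
    dst, port = dst_port.rsplit(":", 1)
    return Flow(src, dst, int(port), proto)

def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) for every flow that violates the segment policy."""
    findings = []
    for line in lines:
        reason = check_flow(parse_flow(line))
        if reason:
            findings.append((line, reason))
    return findings

# Constructed flow records; 93.184.216.34 and 198.51.100.7 stand in for internet hosts.
SAMPLE_FLOWS = [
    "192.168.20.15 > 93.184.216.34:443 tcp",   # telly fetching updates over HTTPS: fine
    "192.168.20.15 > 192.168.10.5:445 tcp",    # telly poking the inner NAS share: no
    "192.168.20.44 > 198.51.100.7:23 tcp",     # lightbulb hub speaking telnet outbound: no
    "192.168.30.9 > 192.168.20.15:8080 tcp",   # guest phone reaching the telly: no
    "192.168.10.5 > 192.168.20.15:80 tcp",     # you configuring the telly from inside: fine
    "192.168.30.9 > 93.184.216.34:443 tcp",    # guest browsing: fine
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION  {line}\n           {reason}")
```

Three of the six constructed flows are flagged. The useful part is not the code but the discipline it encodes: the IoT segment has no path to the inner LAN at all, and the outbound whitelist is short enough that a gadget suddenly speaking telnet or SMB shows up immediately.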
On a personal level, what sort of things can we do, other than installing anti-virus software, to make sure our data remains secure? As a secondary point, what's your go-to anti-virus software, again, on a personal level?
Hi Cousinsal23! Congrats on being the first one to ask a question!
I cannot resist the temptation to "go personal" and comment on the "personal level" aspect of your question first. :-)
In anything you do in terms of protecting yourself online, please remember that it is increasingly difficult to distinguish between your professional and personal presence. So, if your job requires you to be mindful of what you share online and how to keep hackers out, please be as vigilant in your personal capacity as well. Otherwise you may end up becoming the low-hanging fruit that the attackers exploit in order to get after your employer, its customers or its partners.
Now, having established that, this is what I always do with my personal stuff:
- Everything starts with a fresh install. The bloatware just sickens me.
- I patch, harden and lock down all my gear so that there is as little attack surface as possible to go after
- I use full disk encryption together with strong password protection
- I back up, back up my backups and locate the backups of my backed-up backups somewhere other than my home (did I already mention encrypting your backups?)
- I keep a record of my family's gear, encryption keys and backups; nobody remembers this by heart
- I am wary of what networks I connect my devices to
- I am conservative on whom I let onto our home networks. Nobody gets into the inner parts of the network.
Needless to say, I am pretty picky on what networked gadgets I am taking into use. My wife absolutely hates it.
The other question was about my personal choice of anti-virus software. Lately, I have been fooling around with our corporate products. Maybe it is because I want to relive my SysAdmin days of the 90's and exercise at least some level of centralized control over my assets.
At other times I am giving our beta products a go. And when I get really adventurous, I might even try our competitors' products. Or go without AV at all (eek!).
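The backup items in the list above (back up, back up the backups, keep a copy elsewhere, encrypt, and keep a record of the keys) leave out the step that turns a hope into a backup: checking that the copies are still what you wrote. Below is an added example, not the AMA author's code nor an F-Secure tool, using only the Python standard library: it builds a manifest of SHA-256 digests for a backup set, authenticates the manifest with HMAC-SHA256 under a key that belongs in that record of keys, and then verifies a second copy against it. The files, directory layout and key are constructed for the demonstration.

```python
"""Verifying backups of backups (added example, constructed data).

build_manifest() records path -> SHA-256 for every file in a backup set,
sign_manifest() authenticates that manifest with HMAC-SHA256 under a key
kept in your records, and verify_copy() checks an off-site copy against it.
Missing, silently altered and unexpected files are all reported, and a
manifest that was itself rewritten (e.g. by whoever altered the files)
fails the HMAC check because they do not hold the key.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 hex digest, for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so key order cannot change the tag."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def verify_copy(copy_root: Path, manifest: Dict[str, str], key: bytes, tag: str) -> List[str]:
    """Return a sorted list of problems; an empty list means the copy matches the record."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return ["manifest HMAC mismatch: manifest altered or wrong key"]
    actual = build_manifest(copy_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"altered: {rel}")
    for rel in actual.keys() - manifest.keys():
        problems.append(f"unexpected: {rel}")
    return sorted(problems)

def demo() -> Dict[str, List[str]]:
    """Build a constructed backup set, copy it, damage the copy, and verify each state."""
    key = b"constructed-demo-key: the real one goes in your record of keys"
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp, "primary")
        (primary / "docs").mkdir(parents=True)
        (primary / "docs" / "taxes-2016.pdf").write_bytes(b"%PDF-1.4 constructed content\n")
        (primary / "photos.tar").write_bytes(b"\x00" * 4096)
        manifest = build_manifest(primary)
        tag = sign_manifest(manifest, key)

        offsite = Path(tmp, "offsite")
        shutil.copytree(primary, offsite)
        clean = verify_copy(offsite, manifest, key, tag)

        # Bit rot or tampering on the off-site copy, one file lost, one stray file added.
        (offsite / "photos.tar").write_bytes(b"\x00" * 4095 + b"\x01")
        (offsite / "docs" / "taxes-2016.pdf").unlink()
        (offsite / "stray.txt").write_bytes(b"constructed")
        damaged = verify_copy(offsite, manifest, key, tag)

        # Someone rewrites the manifest to match the damaged copy, but cannot re-sign it.
        forged = build_manifest(offsite)
        forged_result = verify_copy(offsite, forged, key, tag)
    return {"clean": clean, "damaged": damaged, "forged_manifest": forged_result}

if __name__ == "__main__":
    for state, result in demo().items():
        print(f"{state}: {result or 'OK'}")
```

Store the manifest and its tag with each copy, but keep the key only in the record the list above talks about; then "back up my backups" becomes a loop over copies calling verify_copy(), and a copy that has quietly rotted in a drawer is found before the day you need it.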
I read a lot about different hacks happening to companies. I'm not the most informed computer user in the world, but I'm not sure how concerned about this stuff I should be. Would you say the media tends to blow these things out of proportion, or are reports on stuff like the yahoo hack generally accurate?
Media is naturally interested in the unusual and extraordinary, as that is by definition "news". So there is a tendency to use superlatives and to concentrate on the out-of-the-ordinary aspects of the story.
As a journalist I would hate to write about the zillionth SQL injection if I could find something mouth-watering about the way the hack went unnoticed, if the victim notification had caused controversy or if the vulnerabilities appear to be still unpatched.
There is lots of uncertainty in how incidents get discovered, and it is not that unusual that some aspects of a breach will never be fully understood. I know from experience how the initial information may later turn out to be inaccurate or even outright false.
In that sense, you might want to be wary of the news hype and seek to find more in-depth articles in periodicals, whitepapers or possible follow-up stories.
The added problem with big headline stories is that there are many stakeholders who will make an attempt to spin the stories to fit their needs. In that sense, cybersecurity has gone mainstream, like politics, economy and entertainment. Wasn't that what we all in this industry wanted..? :-)
Find more in-depth articles in periodicals, whitepapers or possible follow-up stories.
Could you namedrop your favorite one from these?
Digital Investigation is one periodical that I used to love to read. It may be due to the fact that I am not a forensic investigator myself, but it was always fascinating what you can do once you get hold of the device or an image of its memory.
All the APT whitepapers one should read to keep up-to-date with what TTPs the threat actors are using, how to detect their activity and - perhaps - to get a glimpse of who they are and how they operate.
Lately, I have enjoyed the staff report from US homeland security committee titled "Going Dark, Going Forward": https://homeland.house.gov/wp-content/uploads/2016/07/Staff-Report-Going-Dark-Going-Forward.pdf
I listen to a weekly podcast that talks about the latest cyber threats and I am often shocked to hear of the full extent of successful hacks and scams. Do you feel the general public are informed enough of the cyber threats and if not, why not? Do you think the media considers cyber threats to be serious enough to report on or is it so serious that they don't want us to panic?
Let me guess, it is the Risky.biz one, isn't it?
You are right that they seemingly have an endless supply of horror stories and successful breaches to report. However, what I love about Risky.biz is that - even while they are running a fast-paced radio show - they do a very good job of dispelling some of the myths behind all those "advanced" and "unstoppable" hacks. Most often, the technical realization or the social engineering aspect of those attacks is actually pretty easy to understand and - what I find fascinating! - even easier to fix, if the victims had had the benefit of hindsight.
In that sense, I often find their podcasts uplifting: there is something you can do to protect yourself and your business. And the attackers are lazy humans who make mistakes too.
Thanks for the reply. I listen to the SurfWatch Cyber Risk Roundup Podcast. I will try the one you mentioned. Cheers.
I've seen numerous people lately taping over their webcams. I used to think it was for people paranoid about all this new technology, but then I saw Mark Zuckerberg does as well. Do you think this is over the top?
When working in cyber security industry like you are, do you feel like being out of the general public knowledge or otherwise being "off from the radar" would be beneficial for some positions in the industry? Have you, as a cyber security advisor and professional had to ever be really careful how you transmit and receive data relating to your work? Do you know of any cases of APTs on you as a person or to someone in a position similar to yours that might have occurred? And lastly, what do you think of LinkedIn as a source for targets?
EDIT: Seems like you answered to some of these points already, but if you still can find something to share regarding these ones, please do.
Thanks for waiting, p1n0.
The off-the-grid approach is actually what the classified systems are designed around. For instance, a system classified as SECRET cannot be connected to public networks such as internet.
And this is where the spies enter the game: if you truly hold secrets that mean anything to somebody else, they will go after your secrets regardless of how you defend them. You will find that it is really difficult to operate off-the-grid. For economic and human behavioural reasons you want to limit the amount of off-the-grid data and transactions to the absolute minimum (of course always in relation to the value of the secrets that you protect). Otherwise people start to get "innovative" and end up inviting the spies in.
With regard to being mindful of what to transmit over the network: I am always mindful of that.
I know about lots of APT cases. I have high confidence that it was not me that they were after, though. :-)
LinkedIn is a great tool for handling one's business connections and an excellent tool for marketing and headhunting. These are the qualities that also make it a great tool for reconnaissance and a help in the successful execution of cyber breaches. I use LinkedIn as I use all my devices, platforms and applications: with caution.
A lot of companies seem to only want to invest in cyber security measures AFTER an incident. It never seems to be a priority. How do we hammer home the importance of security to people with little or no technical experience/knowledge?
Side question: I'm a recent graduate from a Computer Science degree and I have just started an infosec career. I have literally no idea what I want to specialize in or what to focus on going forward. Any tips?
Excellent observation! Before answering I should point out that I have been involved with the incident response side of things throughout my whole professional career in security. It is only natural that I see the world through IR filters. :-)
In the digital domain, cybersecurity is a feature of a protocol, software, process or way of doing things. Not a thing in itself. Building security in requires planning, care and due diligence. Sometimes you even end up having to abandon something cool. Project-wise, security is often seen as a nuisance. Something that an ambitious and results-driven organization only comes to think about after they have a day off from the chaos of running their normal business (which is never).
For most business leaders, the incident is the first time they actually have to take security seriously. Everything leading up to the materialization of the incident will be treated as negotiable.
After an incident there is a serious need for top leadership to do something symbolic and visible to make things right and to help get back to business. The regulators will demand breach notification reports, evidence of mitigation efforts, root cause analysis and plans that help address the problems identified. The customers want compensation and feel let down. The partners upstream and downstream want to know how much they were exposed to the problems. The general public is hungry for scandals and the investors want to assess the extent of economic liability the incident exposes the company to. The staff feels humiliated, too, and is fearful of personal repercussions. The leadership would soon be ex-leadership if they did not take things seriously in such a crossfire.
The old saying "never let a good crisis go to waste" bears much wisdom. NOW that you finally have your upper management's attention, and now that you can exert external pressure to get things moving in the right direction, you should really come up with a plan for the immediate, mid and long term.
If you are clever, you will find a way to approach your leadership so that they are able to learn from other people's mistakes and mishaps.
Lastly, the career tip: information security is much more effective when applied to a specific problem area. Specialize in secure programming or find your career in building automation systems in a secure fashion. As I pointed out, cybersecurity is usually a feature. Having said that, if you become the next 1337 h4x0r that can break, fix and transform anything, we might have a position for you..
I have read in a few places over the internet that cyber-security has become a top priority today, but there is a conspiracy theory that the service providers of cybersecurity are also responsible for a part of that demand. The analogy is apparently similar to the conspiracy theory of pharmaceutical companies putting the brakes on research into cheap medicines, for example to fight cancer, so that more expensive treatments like chemo are still viable and in demand in the market. It is also hard to argue with the fact that the hackers are responsible for those cyber security providers' bread and butter, and they would never develop software to negate all kinds of hacking, which would prevent any further demand (once everyone has it). In other words, there is always a virus which can bypass an AV, which makes the software developer release newer versions, thereby making customers buy/upgrade to the same.
How much of the above is true? Do you think there is the slightest possibility of the above happening, even without your knowledge? Cheers.
Years ago, I attended a presentation by a minister of communications in India. He explained what their country is doing to modernise infrastructure and provide access for a vast number of people. During the presentation he touched on the topic of cybersecurity and cybercrime.
He reminded us that for a poor person living in a slum, a chance to con money out of a "rich Westerner" does not only look tempting. A successful phishing operation or trojanized mobile app may be the poor man's ticket out of the slum. We can be as outraged as we like and we can complain as much as we want about the need to step up our security in the Western world. Our disapproval will do nothing to stop the man from trying.
The really hard question the minister asked: would you do the same if it was you and your family in the slum with no other way out?
It is not that the cybersecurity industry is doing sloppy work, and it certainly is not that we would be contributing to the criminality ourselves. There are bigger forces moving behind the scenes: an endless supply of people with no legitimate way to earn their living by using their talent.
Hello, thank you for your time in doing this. For someone who might be looking to get into this field as a career path, but having no idea where to start, what or where would you recommend as a good place to start? Whether that be a particular programming language or a good resource, I would be happy for your suggestions. Thank you.
I think that might even be a topic for another AMA. I will take this to Mikko.
In the meanwhile, take a look at what we came up with together with Helsinki University. You know, that is the Linux University. :-)