Daniel Carnes is the CSO at Prairie Cloudware. He has over 25 years of experience in systems and security engineering, and has worked on notable projects such as DPG, Apple Pay and Google Wallet. He holds degrees from the University of Nebraska Omaha and Bellevue University. SPN caught up with Carnes at the Nebraska Security Summit last week sponsored by Cosentry.
SPN: How has the field of cybersecurity changed over the course of your career?
DC: It used to be something we added on. People just threw their computers on networks, and nobody really thought too much about the security until they started getting breached. Then they started thinking more like, “Ok, my computer is on all the time, and it’s on a network. I might want to close some ports and lock up some things.”
Now it’s a gold rush. You can’t get enough security people, you can’t get ahead of the game, the threats are ever present. In the past it was a hobby or it was added on as additional duties for a developer. Now it is your full time job, and it’s not just your day job, it’s your night job to keep up with emerging trends. Ten years ago it was my laptop that was bleeding edge. Seven years ago it was my phone. Now it’s my phone, my watch, my TV, etc.
I think the biggest change recently is the change from thinking that doing best practices is enough. That was a very rigid playbook written by people not out there breaking into systems. Bad guys easily got past those best practices and developed their own playbook. And their playbook is way more advanced.
Now there are advocates of red teaming, thinking through things from an adversarial mindset. How would a bad guy take advantage of these systems? The way to really combat them is to figure out how they think.
SPN: With the constant stream of data breaches in the news, there’s the view out there now that everyone will eventually have their data stolen. Do you think that’s an overreaction?
DC: I wish I could remember who said it, but there’s a quote from a couple years ago, “There’s two kinds of companies: Those who’ve been broken into, and those who don’t know they’ve been broken into.” The stats are pretty amazing. You hear about breaches, but there are so many more you don’t hear about. I think on average 123 bank incursions happen in a day around the world. Some are small, hacking an ATM or skimming, but many are very large, especially overseas.
At my company we take the best practices of minimizing services, compartmentalizing risk, shutting everything off you don’t need, and really controlling access. That really knocks out your script kiddies, your casual people, even disgruntled employees. What you’re left with are your tier one threats, your organized criminals with lots of time, money and expertise, state-sponsored threats, terrorist groups.
SPN: In cybersecurity is there always the paranoid feeling that you think you’re on the cutting edge but how do you know for sure?
DC: Yeah, but it’s not just being on the cutting edge, you really have to hone your basics, too. Watering hole attacks, phishing attacks—those are decades old, and they still work great. They are still the number one way to get into a company.
You have to be somewhat paranoid, going into it knowing that you don’t know as much as the bad guys do. It’s about continual learning. I literally train, go to classes, read books, and practice all the time. I do some work with CyberPatriots teaching high schoolers about cybersecurity, and I will learn things during those competitions from the kids.
You have to be involved all the time. It’s not just your 9-5, because the bad guys wake up, and it’s all they do until they go to sleep—and you’d be surprised at how little sleep they do. They have systems that run all the time.
Laws have changed now where you can’t just be compliant, because compliance is the lowest bar of security. Target was compliant; Michaels was compliant. They still got breached. They had some bad practices, but they were still compliant.
The new laws being enacted are saying that you could be liable, as the victim, in criminal and civil court for breaches. If it’s found that you were compliant but you didn’t do enough, you are held liable. You can go to jail as the CSO or the CTO. That’s something you have to take seriously.
SPN: What are the biggest misconceptions people have about cybersecurity?
DC: That [cyber criminals] are just young people or just geeky people. It goes beyond people who know computers. They are almost like different tribes that do different things in the arena. Some are great at social engineering, some are great at carding, some are great at hacking into systems, some are great at building malware. And those groups work together in concert. It’s a campaign. It’s multi-phase, it’s multiple components.
Threats that used to be isolated events are not isolated events anymore. An isolated event, once you find it 200-some days later, is one part of a bigger campaign. It’s pretty sophisticated. Even the script kiddies can be enlisted by criminals, because if they get caught, they’ll do the time.
SPN: Obviously the need for talent in this sector is going to grow in coming years. What are you looking for when you’re hiring?
DC: The basics I look for in anyone working cybersecurity are critical thinking, problem solving, a desire to learn and pick things up quickly. To have that adversarial mindset is good.
I’d also say what’s really important is the ability to communicate clearly and being able to work with people that don’t necessarily understand those complex systems, and help them understand why they should care about it. You’d be surprised how many CEOs don’t understand the technology their company works on.
From the skill set perspective, understanding microelectronics is good these days because as we get into the Internet of Things you have to know the capabilities of the hardware and software things are running on now. Cloud is important. So many systems run on the Amazon Cloud now. If you don’t know how to build secure systems [on Amazon Cloud], you’re at a serious disadvantage.
SPN: For small startup teams with limited resources, what do you recommend for improving security?
DC: First, think about security as Job Zero, ingrain it into your culture, which doesn’t cost you anything. There’s also a lot of good local meetup groups you can take advantage of.
If you’re a startup and you don’t have a lot of money, you’re likely going to be on Amazon’s cloud because it’s cheap. They have a lot of resources—security best practices, instant response, coding, partners with AWS like our company that will give you information because it strengthens the whole ecosystem.
The next thing is to bring security into your software development lifecycle. If you’re putting security into your requirements gathering phases, your design phases, educating your people, putting that through your whole development lifecycle, then you’re doing it right. You’ll evolve your stance to be proactive rather than reactive.
That’s when the tide starts to shift—not just removing malware but building systems that don’t even give people the chance.
Ryan Pendell is the Managing Editor of Silicon Prairie News.