Mar 24, 2023

Dealing with Social Engineering Attacks with Emily Zakkak

Host: Hi, everyone. Thanks for tuning into another episode of Scale to Zero. I’m Purusottam, Co-founder and CTO of Cloudanix. ScaletoZero is a forum where we invite security experts to learn about their journey, discuss on security topics, and get answers to questions from security professionals.

For today’s episode, we have Emily Zakkak with us. Emily is working as a cybersecurity specialist at Senowit, a global managed security services provider which is dedicated to protecting their client's organization from cyber threats using IAM security Operations Center and social engineering defense capabilities. Emily is a first-generation computer science student studying at San Diego State University. Emily, it’s wonderful to have you in the show for our viewers. Do you want to briefly share about your journey?

Emily: Of course. Thank you. Puru, so a little bit about my journey. I actually really got into cybersecurity last summer, the summer of 2022, and I started developing all of those skills. I did a lot of training in cybersecurity. I was using a lot of websites such as, like Try Hack Me and Fortinet and doing all this security awareness training as well as learning about things like Active Directory. So with all of this training, I was also really doing a lot of job searching, searching for internships or full time positions. And honestly, I am so lucky to be here at Senovate. and Senovate just they took a chance on me. They’re doing a bunch of training with me and making me into the best cybersecurity professional possible. And I am learning so much on the job here, and I am just so happy to be here with you today as well.

Host: Absolutely. It’s lovely to have you here as well. I’m looking forward to the conversation where we can learn at least I can learn few things from what you have learned in past year. Right?

So I want to start the discussion with phishing attacks or social engineering attacks. It’s mostly inevitable, like, we cannot avoid that.

So what are the best ways for organizations to collect data about these incidents, identify what is happening and notify their security staff?

Emily: Yes, you are completely right that social engineering attacks are sadly inevitable. There will always come those emails where people are trying to get you to click on a link or have an offer like, oh, you’re going to win $1,000. It’s very bad, and a lot of people will fall for it, unfortunately. So there will always be threat actors out there trying to steal all of this sensitive information. So the best way to handle these incidents, I would say, is to have a plan prepared, like an incident response plan. And having an incident response plan is very important for any organization just because it gives you a structured way to respond to those incidents. A lot of organizations, they currently say, like, oh, we’ll just deal with this incident when it comes up and the incident happens, and they suddenly do not know what to do, or they don’t have good communication. So definitely, as well as an incident response plan, it’s very good to have good communication between all of your workers, no matter which sector they’re working in. Like, even the lawyers and the people working in the law aspect of your organization still need to be connected with the security team and the It team in your organization to really have that incident response plan and make it work. And as well as that, all of these incidents, they can be collected through logs, and these logs generate alerts.

And when these alerts come in, you can find out where suspicious things are happening. And this usually stems from, for example, someone might get an email and they click on, for example, let’s say it’s a download link. They download it, and in the back end, something will be, for example, running. Like it will be a malicious file, for example, and it will start doing something very suspicious. And the logs will collect this alert and they will start to see, oh, where did this come from? Which IP address? Who downloaded this file that is starting this malicious activity? So that’s definitely a way for the security team in any organization to keep track of where those incidents are coming from.

Host: Okay, that makes a lot of sense. I have a follow up question on this. Can organizations anticipate and prevent these attacks? Is there a way to do it?

Emily: Yes, absolutely. With this new generation of technology, there’s all of these threats, of course, and everyone needs to be aware of these threats, not just the security team needs to be aware. Everybody in their organization should be aware. For example, security awareness training is a must for any organization in any industry. And no matter which industry you’re working in, it’s still going to be important for your assets to be secured, for your data to be secured. So everyone needs to understand that security is the responsibility of everybody in the organization. It’s not just one person or a group of people, it’s the entire organizations leading on this security awareness, because all it takes is one person to open a malicious file or download something or click a link, and everything will be destroyed and it will just start a disaster to happen in any company. So, for example, like our company here at Senovate, we work with Webroot, and it provides us to manage a service for our clients, for example, to lead social engineering defense. So we do phishing simulation. We do all of this training and educational videos to help our clients understand that security is everyone’s job. It’s not just a security team’s job.

You need to be very careful before clicking on a link or doing something suspicious, especially on a company-owned machine, for example, because all it takes is one mess up and the entire attack will begin to propagate and it could become something very big, like, for example, a data breach or just stealing all of these machines and attacking them.

Host: Right, I like the two things that you highlighted. One is it’s not just the security team’s responsibility to make sure that the whole is secure. Right? And the second part is the training aspect because most of the times it feels like, yeah, it’s the security team, they will take care of it, I don’t need to know anything, I’m okay. Right, but it’s not about that. It’s about training your employees so that they know if something looks fishy, how to act on it, how to maybe reach out to your security team saying that, hey, it looks fishy, maybe take a look at it.

So having that training and the communication channel between the security team and the other parts of the organization. So yeah, that makes a lot of sense. You highlighted incident response planning, right? A little bit. So I want to talk about that. So every organization sets up some plan as part of their security program set up. And I believe SOC2 highly recommends that you should have necessary controls in place for incident response plan.

So what are the three areas according to you, should be considered when defining the security controls around, let’s say, vulnerabilities or incidents?

Emily: So for me, I believe that these top three areas should encompass monitoring, detecting, and responding to the incident because all of these problems, they need to be found so we can’t really respond to a problem if it’s not found. A lot of companies, they might not have a security operations center, for example, if they don’t have a security operations center, how will they find out where the suspicious attacks are coming from? So that’s just one piece of what I think and definitely as well as that response and reporting is very important for the incidents response plan because it gives you a structured way to see all of the things that happened and definitely it helps with the lessons learned after an incident has happened and then it’s been remediated. Your company should definitely learn these lessons and see what should change for next time.

Host: So do you have any suggestions on maybe what process or procedures to be followed? Let’s say there is an incident happening, what procedures should be followed to address the incident?

Emily: So I would like to also talk about something that I find super important, which is a security operations center, or SOC for short. Well, in traditional socks, a human goes in and does all of this monitoring and detection manually. But now that we’re in the new generation, there are new-gen stocks as well. So now there are much more alerts than actual stock analysts to go in and look at all these alerts and remediate them. So the best way to get the most out of your sock is now to utilize Openxdr, which is also known as Open Extended Detection and Response. And at Senovate. We also provide this platform called the Openxdr Platform and it’s powered by our partner Stellar Cyber, and it integrates with all applications and it provides extended visibility over all of the endpoints cloud identity SaaS based applications.

It collects all of the logs from all of these different aspects and it puts them into one platform. And also with this platform, it’s not only 360-degree visibility but also it uses now artificial intelligence and machine learning to do all the detection and correlation between events. For example, if we have an event happening in, for example, let’s say the firewall, someone is trying to attack the firewall and get in. Well, what if there is an event that’s happening from, let’s say a login, like someone is trying to log in and it keeps failing? And if they’re both from the same IP address, the artificial intelligence and machine learning will do this correlation and say, oh, these two events are definitely related. So then you can really pinpoint where the true threats are in the organization and work to remediate it. So definitely before there’s something called these legacy platforms, which let’s give an example like Splunk.

If we use Splunk and then we pile on a bunch of other platforms, it’s just going to cost a lot for the organization. Small to mid-sized companies, they can’t really afford spend millions of dollars. Yeah, exactly. They can’t really afford all of these different platforms. And then when you have all these different platforms and they’re all separate, they’re not integrated together. You need a specific team for each single platform and they’re all separate. But with Openxdr you have that visibility, it brings everything into one platform where you can do the detection which is automatically done and you can do the response both in one platform.

So as the years continue to go, I definitely see more companies turning to Open extended detection and response just because it’s much more efficient in doing the detection and response. The traditional security operations center will be completely reinvented and all of those, like for example, people can get up to 3000 alerts per day and then by the time all of your sock analysts, they go through all of these alerts, there’s going to be even more alerts on top of it. So then they might just give up trying to find where the true threat is. But this way it’s completely new, completely modern and it really helps out sock analysts and the security team as well.

Host: Okay, so the message that I’m getting from your response is that you invest in the right tooling rather than having 20 different tools. Maybe if you can bring everything to one SOC platform then that helps the sock team analyze faster and that also helps in remediation of those faster as well.

Emily: Absolutely.

Host: Yeah, that makes a lot of sense, particularly nowadays where we have so many tools, right, you pick any area and you have so many tools to choose from. So yeah, that’s absolutely on the money.

I want to talk about. I am a little bit so most organizations when they are, let’s say, building applications or platforms or tools, they incorporate trust capabilities, implicit trust capability. And when I say implicit trust you sign into one of the systems, you are remembered right. So you are not always asked to verify your identity.

Can this access be compromised so that it affects the security of the organization?

So what challenges do you see when the organization is trying to make sure that both the systems are alive, they are connecting to each other and how do you manage permissions in that case? Like who has access to what and what are the challenges and how can those be addressed?

Emily: Yeah, absolutely. So some of the main challenges that I see associated with this is the seamless integration between on premise of course, and cloud and identity and access management and compliance. So with the challenges to this on premise and cloud combining them, definitely it is very important to have a unified identity and access management solution. So there are actually a lot of identity and access management solutions out there that give that integration now more than ever because they started to realize that the on premise and cloud, they both need to be secure. We can’t just secure the cloud and not have the on premise secure. So they’re starting to give this integration and additionally, definitely the compliance side. Due to compliance, you also need to have identity and access management just to follow those guidelines and regulations for any industry. Every industry has their own compliance laws, so it’s very important to follow those.

So another thing that we can do to manage both cloud and on premise systems is by also using encryption, which I’m pretty sure that’s already very obvious that we should use encryption because you don’t want your data being sent over from on premise to cloud and back and forth without the proper encryption method and without doing it in a secure way. If you send over these messages in, let’s say plain text, it’s going to be possible to intercept it and then see what that information is which can be really detrimental to your company’s data. And I definitely say definitely always secure, always secure your information using encryption and all of that data sharing that’s happening definitely also needs to be encrypted.

Host: Makes a lot of sense. And I love your pointers right. For each of these areas, what actions should be taken? So, yeah, that’s a great way to end the security discussion.

Summary

Here are a few important points that stood out for me.

Incident Response Plan is a must in order to fight phishing or social engineering attacks.
Security is the responsibility of the entire and not just of the security team to bring awareness. Security awareness training should be conducted with other teams in the organization.
Whenever possible, implement MFA across applications and avoid implicit trust across applications. This would help in avoiding large scale data breaches.

Rapid Fire:

Host: We have the rapid fire section now.

So the first question that I have for you is, if you were a superhero of cybersecurity, which power would you choose to have in you?

Emily: I actually really like this question. So if I was a cybersecurity superhero, I would want to be, for example, similar to there’s this character in one of these shows that I used to like as a kid called the Teen Titans. And I would want to be similar to Cyborg because he can actually go into every single computer and see all of these computers because he’s like half robot. So he can go into all of these computers and see what’s going on, see all the information, and I would actually use those powers to stop cyber attacks.

Host: Yeah, that would be yeah, absolutely. The next question is what’s the biggest lie you have heard in cybersecurity?

Emily: So the biggest lie I’ve heard in cybersecurity is that you can’t get into cybersecurity unless you’re like a specific age, which I think is really funny because it just doesn’t make any sense. Anyone can get into cybersecurity if you just have the necessary training, do the self learning, get some certifications, and that’s really all it takes. It doesn’t matter how old or young you are, it doesn’t really change your ability to learn. Cybersecurity is all about learning and just growing and getting better at securing the world. So anyone can do it. Even if you’re very old, even if you’re, like me, 20 years old, you can do all of these best practices just by learning and getting that hands on experience and getting that training. So, yeah, that’s the biggest lie I’ve heard in cybersecurity.

It just doesn’t make any sense to me and it never will make any sense to me.

Host: Yeah, no, I totally agree on that. So little follow up on that. What are some of the blogs or books or websites that you go to to stay up to date?

Emily: So some of the things that I use to stay up to date in cybersecurity is a bunch of newsletters. I see a lot of newsletters in LinkedIn, and one of my favorite ones is the one from my own company has a really good newsletter and they provide a lot of important statistics on all these cybersecurity data breaches, for example, and how it was before, how it’s increasing, what needs to change. So I find that really informative and really good to get that awareness out there. And another one that I really like is the Hacker Feed app. I have it downloaded on my phone. I like to sometimes scroll through it when I’m not doing anything else, just because I want to see what’s happening in the world, what’s getting breached, what are hackers doing? For example, penetration testing. Some people post on there about penetration testing. Some of them are just real attacks made by real threat actors.

So I find it very interesting to also get that awareness as well through the Hacker Feed app because definitely, if you’re working on, let’s say if you’re working on a blue team, you definitely need to know how the red team works. And if you’re working on a red team, you definitely need to know how the blue team works. Yeah, and one more is I like to also follow a lot of security cybersecurity professionals on LinkedIn. So I definitely get a lot of information through them and I definitely dedicate my current success and the way that I’m continuing to move up to them just because they always really helped me stay informed. They really helped me get those resources that I needed when I was really starting out in cybersecurity. So now I’m starting to gain that awareness and know even more and really apply that to the job that I’m currently in. So I find that really insightful and amazing.

Host: Lovely. So what we’ll do is when we publish this video, we’ll tag some of these blogs or newsletters that you highlighted so that our viewers can also take advantage of those. Yeah, that’s amazing.

Emily: I also have some specific people on LinkedIn that I really want to share with the world. Like some really amazing people that really helped me, really gave me those resources, and just are continuing to always support me in everything that I do.

Host: Yeah, we’d love to give a shout out to those folks as well, if you feel comfortable sharing their names. Yeah, absolutely.

Emily: Yeah, of course. Definitely. One of them is David Meecy. He’s really prevalent in cybersecurity and he really enjoys helping people break into cybersecurity. Just like myself. He was like one of the first people that I followed on LinkedIn. He was really inspiring and motivating to me and he is one of the reasons why I am where I am, and just also one of the reasons why I do what I do. So I really would recommend him to a lot of people out there.

Host: Okay, absolutely. We’ll give him a shout out and we’ll say thanks for sure.

Emily: Yeah, that’s amazing.

Host: Yeah, that’s a great way to end the episode. Thank you so much, Emily, for coming to the show, and it was lovely speaking with you. There are many things that I learned and I’m hoping that our viewers or listeners will learn something new from it as well. So thank you so much for coming to the show.

Emily: Yeah, thank you so much, Puru. I was so happy to be here and share my insight in cybersecurity.

Host: Absolutely. Thank you so much. And to our viewers, thank you for watching. Hope you learned something new from today’s episode. If you have any questions around security, share those at scaletozero.com and we’ll get those answered by an expert in the security space. See you in the next episode. Thank you.