A Most Valuable Professional (MVP) and experienced ethical hacker shares her views on cybercrime and the most effective ways to fight it.
Paula Januszkiewicz is one of the most reputable security experts of our time. A Microsoft MVP and ethical hacker, she was a featured speaker at ITBN ’22. We asked her about current trends in cybersecurity and her favorite solutions.
Despite her young age, Paula Januszkiewicz has been ethically hacking companies for 18 years. She has gained so much expertise and reputation in this trade that she is now one of the few security experts in the world who have access to the Windows source code. She was invited to this year’s ITBN conference in Hungary, where she gave an entertaining yet exceptionally informative presentation about the current state of cybercrime and how organizations can take action against it. Paula recalled an incident where she used her feminine wiles to trick a security guard into letting her enter a company office, where she easily accessed a workstation and potentially sensitive data. “It happened many times in my career and I have never been caught”, she said, smiling artfully. Later, she spoke about how deceptive emails and viruses can reach corporate networks by bypassing firewalls and MFA (multi-factor authentication), and about the importance of adding lines of defense against viruses to protect data. She quoted data saying damage caused by cyberattacks to productivity and growth is at 3 billion dollars worldwide.
After her presentation, we asked Paula about the main characteristic of today’s cyberattacks. “80-90 percent of cyberattacks are financially motivated”, she said. “The number of organizations opting for a mobile-first, cloud-based operation grew significantly during the pandemic, which enticed hackers to launch more, mostly phishing campaigns. This development has put a higher focus on cybersecurity and made such hyper-size clouds as Azure even more in demand because they provided the protection companies required. The more organizations operating in the cloud, the more money is out there in cyberspace for the hackers to get. The number of cyberattacks has increased tremendously during the pandemic when networks and employees became free game for hackers.”
Hackers can target any organization completely at random. “But the more profits hackers hope to make, the more vulnerabilities they detect, the more likely they will hit”, added Paula. “We see the number of phishing campaigns growing since the COVID pandemic. The FBI recorded a 300 percent increase in cyberattacks since then. They can pick a bank, but banks are usually well protected, then they prey on factories or hospitals, entities that do not invest much into cybersecurity and run outdated systems. That’s what happened a few years ago in Los Angeles when those devastating attacks hit the news.”
Can hackers give inspiration to cybersecurity experts to come up with new ideas?
“Yes, all the time”, said Paula. “For example, the simplest possible way to attack is through a macro. So, you click on a macro in Excel or Word, and you become a target of an attack. We know the characteristics of this kind of activity: a child process is usually created, allowing malicious code to run. So, we created an Attack Surface Reduction Rule to block such activities, prohibiting Excel from creating child processes. Then the hackers changed their tactic and ran their malicious code inside Excel, so that they can circumvent the blocking. This is an existing exploitation of the system. Therefore, cybersecurity came up with yet another solution, called Exploit Guard, blocking this already known technique, too. There is always an inspiration and there is always a solution coming sooner or later.”
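As an added illustration (not part of the interview and not Microsoft's code), the sketch below shows the detection side of the behavior described above: flagging process-creation events whose parent is an Office application. The events are constructed samples with Sysmon-style field names; the function name, the parent list and the allowlist are assumptions.

```python
import ntpath

# Office binaries treated as suspicious parents (assumed list, extend as needed).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children tolerated in this example (assumption; tune per environment).
ALLOWED_CHILDREN = {"splwow64.exe"}

OFFICE_DIR = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"

# Constructed sample events using Sysmon-style process-creation field names.
SAMPLE_EVENTS = [
    {"Host": "WS-01", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": OFFICE_DIR + "EXCEL.EXE", "CommandLine": "EXCEL.EXE report.xlsm"},
    {"Host": "WS-01", "ParentImage": OFFICE_DIR + "EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c <constructed>"},
    {"Host": "WS-02", "ParentImage": OFFICE_DIR + "WINWORD.EXE",
     "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 8192"},
    {"Host": "WS-02", "ParentImage": OFFICE_DIR.lower() + "winword.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe <constructed>"},
]


def office_child_processes(events, parents=OFFICE_PARENTS, allowed=ALLOWED_CHILDREN):
    """Return process-creation events whose parent is an Office application."""
    hits = []
    for ev in events:
        # ntpath handles Windows-style paths on any OS; compare case-insensitively.
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        if parent in parents and child not in allowed:
            hits.append({"host": ev.get("Host"), "parent": parent,
                         "child": child, "command_line": ev.get("CommandLine", "")})
    return hits


if __name__ == "__main__":
    for hit in office_child_processes(SAMPLE_EVENTS):
        print(f'{hit["host"]}: {hit["parent"]} -> {hit["child"]} ({hit["command_line"]})')
```

A parent/child signal like this covers only the first stage of the exchange described above; code that runs inside the Office process itself creates no child process and needs a different control.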
According to Paula, we should let the experts take care of our security. They know how to shield networks and can provide solutions consistent with business efficiency. That’s why this highly valued security expert considers the professional cloud a safer and more cost-effective solution for data storage and protection than on-site data centers. “The cloud gives a solution to both skills-gaps and business efficiency, because these two must go hand-in-hand”, she pointed out. Hackers are highly sophisticated and can launch a large volume of attacks at individuals and organizations: there are 7 phishing attacks every minute. Therefore, a hyperscale cloud like the one Microsoft has is needed to prevent damage being done. This is the only reasonable solution in terms of economies of scale too.
Paula said workstation security is the very first line of defense. “Endpoint security is a must because attacks are mostly delivered through phishing. A phishing email is not supposed to get to you in the first place, but even if it does, the code it contains is not supposed to run, so it should be smartly recognized by the installed security solution.”
The second line of defense is therefore code tracking. “If the attack slips through the first line, you must be able to monitor the identity of code to prevent damage. Therefore, the defense needs to have more than one line”, she explains. “Without a central monitoring system, you end up having an infrastructure that keeps hiding from you what is going on inside. You must be able to detect where and how a user logs in, how the user’s identity travels. That needs to be under control. So, if an attack starts spreading and malicious code uses the user’s identity to connect to a server, the CM reveals that activity.” Essentially, the physical line of defense needs to be complemented by a logical line that identifies cybersecurity vulnerabilities regardless of geographical location, as hackers do not know or respect borders.
Attack Surface Reduction Rules and Defender Exploit Guard, which are capable of recognizing and blocking anomalies, are Paula’s favorites. For an efficient monitoring system, she recommends Azure Sentinel. These solutions provide highly effective protection against a wide variety of attacks.
“That would make my day!”, said Paula, laughing when asked what would happen if she were hacked. As an ethical hacker, she has hacked many companies during her career but, she stressed, her job is not like James Bond’s, as she is very much restricted by the law. Even if she were to snitch on somebody who sabotaged an organization, she would always be very careful not to break privacy rules or other laws.
“Cybersecurity is about knowledge and I’m a very curious person”, said Paula, recalling why she chose to be an IT specialist and a security expert. “When I got my first computer as a little girl, I just wanted to understand how it works. And fortunately, I was surrounded by family members who could give me answers and teach me how to approach things from a mathematical, logical point of view.”
We finally came to the conclusion that if we ever decided to hack someone, getting caught by such a skilled agent as Paula Januszkiewicz would brighten our day.