I’m excited about Security Field Day next week. I had an opportunity to catch up with Christopher Kusek, CTO at Xiologix and lifelong security advocate. Christopher shares easy ways people to protect themselves online. Follow Christopher on Twitter at @CXI.
Jamie Easley: When you’re not at Security Field Day, what’s your day job?
Christopher Kusek: I’m the CTO at Xiologix, an IT solutions provider in Portland, OR. I’ve been there for a little over four years. Before that, I was in Afghanistan running data center, storage and virtualization operations for the CJOA (Combined Joint Operations Area).
JE: How did you get into security and technology?
CK: I got my start as a security researcher in the early ‘90s. Security is a part of who and what I am. I’m always looking at the security implications, whether it’s a network security project, a data center, or in a home.
If we don’t do something about it, someone else will and it’s usually not in our best interest.
JE: What motivates you to do what you do every day?
CK: I choose to use my powers for good and not evil.
I spend a lot of time thinking and solving problems – usually other people’s problems. I could literally do anything, but I enjoy what I do.
When I was in Afghanistan, we worked 12 hours a day, seven days a week, 180 days in a row before we had an eight day R&R. And repeat. You can’t do that if you don’t like what you do.
JE: What’s a pro security tip for people in their personal lives?
CK: When I do security presentations, I like to talk about how security applies to your business and to people as individuals. You should have two-factor authentication in your personal life to protect your own banking, retirement and other assets. You can adopt it for free, and anyone can do it.
Not all security is about business. Some things are about you. If you lose your credit card, you can call the bank and they’ll take care of things. But if you lose your wallet, someone may find it, and the money may or may not be left in your wallet. They can use your ID for identity theft. Make sure you mitigate and protect the assets under your control.
JE: What’s your favorite security related gadget?
CK: Do you use Google Authenticator? You should. Authy is the exact same thing, except if you lose your phone, you don’t lose access to all your accounts. It’s free and it’s great.
JE: Do you use smart devices in your home? What about the privacy implications?
CK: Assume you don’t have any privacy. I’ve got an Amazon device in my office. I have 12 of them at home and multiple Google Home things. I’ve got a smart TV and various cameras. I don’t touch light switches anymore.
Alexa is listening but it’s not really listening. You can drop a bug anywhere and do the same thing.
If I need to have sensitive conversation, I make sure there are no electronic devices nearby and preferably we go into a Faraday cage. If I control the release of my information, I know where it came from.
JE: What’s the biggest risk in security that you see?
CK: It’s cliché but true: The biggest threat to security is people.
Take every major breach over the last several years, and in 100% of those scenarios, they had up-to-date antivirus, but credentials were stolen. That’s not to say that there aren’t cases where an exploitation in a system has made something vulnerable so people could get behind the scenes.
But the majority of the time, it’s people, whether through an accident or lack of education. Let’s say a guy in HR who does recruiting finds an email in junk mail, moves it to his inbox, opens the attachment, gets infected by an APT, and compromises the environment over the course of 180 days, and the FBI has to be called in. The guy made a poor choice. It wasn’t like the system said, “Let’s execute this.”
JE: That sounds like a true story.
CK: Can’t say.
Small, midsize and large enterprises ask what they can do to protect their resources when banks with hundreds of millions of dollars of investment in IT can’t protect their information. What can a smaller, more agile organization do? They can make better choices, educate their people and protect their systems more.
JE: There’s a lot of discussion in the industry that there aren’t enough security experts. Do you see a skills shortage?
CE: There is and there isn’t.
A lot of people treat security like an insurance policy. It’s not. If I have cybersecurity insurance as an organization, it will protect me from some consequences of a breach, like having to reissue credit cards. If we are breached and have to go public, it might tarnish our reputation and people will not want to use our business anymore. Where’s the insurance for that?
Too many organizations think they can take care of the problem after it occurs. It’s like locking the door to my house after I’ve been robbed, and then asking why my stuff isn’t back.
JE: How do you think AI will play out in security? Will it be used for good or evil?
CK: The important focus is why are security professionals using AI now. Botnets and ransomware have been around for a long time. These are criminal operations, well-funded businesses. They’ve been using botnets, AI, and sophisticated mechanisms for DDoS for 20 years.
In the cybersecurity game, we’re finally catching up. We’ve realized it’s a great idea to build an established network of devices to analyze what’s going on and act on our behalf.
Will AI be used for good or evil? It’s been used for evil for a long time, and maybe now it will be used for good.
JE: What is your current favorite meme/GIF?
CK: This.
Christopher is a delegate at the Security Field Day on Fri., Dec. 14 at 9am PST. Watch the live stream here.
Meet the Other Delegates
