As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Abdul Rehman. Ever since his humble beginning, he has always enjoyed taking things apart just for the hell of it. The word “why” never seemed to leave his side. Naturally being a tech worm and having a passion for how things work, he majored in computer science to further pursue his career in Cybersecurity.
Throughout his academic journey, he realized that he also had a knack for technical writing, and being the outspoken person that he was, writing provided him with a perfect medium to express his boiling views and opinions regarding the world of online privacy and security.
Rehman is an aspiring online privacy advocate and sympathizes deeply with the Anonymous group. He believes the internet should be a place to express one’s inner opinions and thoughts without being victimized by the dictatorship of online bullies.
Other than being an online privacy narc 5 days a week, Rehman also enjoys fishing, long walks by the beach, and relaxing with his beloved dog on the weekends.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Karachi, a metropolitan city in Pakistan in the 90s. Growing up, I never really had any direction about what I wanted to do when I grow up. But ever since I was probably 8 years old, I became fascinated with taking things apart. I remember I used to tear down RC cars that my dad used to get me as a kid.
I used to pull out their motors, transmitters, and receivers and made weird contraptions out of them. I was just a little kid when I hooked up a motor and a receiver from my RC car to our home security camera and controlled it through its controller. This was the time when a lot of people didn’t even have internet connections. I learned everything myself.
Needless to say, my dad was super proud of me.
The general curiosity of how things worked eventually got me into an engineering school, which by the way, I graduated with straight A’s. When it was time to apply for higher education, I sort of had a clue of what I wanted to get into.
Since I always wanted to keep myself updated, I opted to go for Software Engineering (BSE). I graduated from my university back in 2017 and then I moved to the U.K for my master’s degree in Cybersecurity. Currently, I’m the head of my cybersecurity research team with more than a dozen co-workers working under my leadership.
And the rest, as they say, is history.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
It might sound funny, but I got into Cybersecurity when a friend of mine in university pranked me with a phishing website that looked exactly like Facebook. Our computer lab had firewall restrictions that prevented students from accessing social media websites.
When I saw my friend accessing the login screen of Facebook, I pushed him to the side and typed in my credentials just to kill time. As soon as I did that, my friend started laughing hysterically and showed my username and password for my Facebook account.
After that incident, I got fascinated with the world of Cybersecurity. For the whole 4 year program of my bachelor’s degree, I taught myself ethical hacking. I once found a bug in my university’s online attendance portal which allowed me to fill in my attendance without actually attending the class. I got extra credit for reporting it to the university’s IT and Networking team.
Later on, to perfect my skills, I also started participating in different events hosted by other universities for ethical hacking and penetration testing. As I became more intrigued by all the Cybersecurity vulnerabilities that developers leave behind, I knew that this is what I want to pursue as a full-time career.
Can you share the most interesting story that happened to you since you began this fascinating career?
When I started working full time as a Cybersecurity specialist at a company that dealt with car insurance, I interacted with the CEO on a daily basis. It was a small company with only 5 employees managing the technical backend of their website. Quite often, the company’s website would get taken down by hackers and a ransom would be paid to get the website back online.
After analyzing how things worked for around a month during my probation period, I asked the CEO to allow me to create a disaster recovery strategy to overcome the issue of constantly paying hefty ransoms. After getting a go-ahead signal, I went ahead and spent hours implementing cloud backup storage options.
Once I was done with that, I noticed that none of the employees managing the back end of the company’s website logged in with their own set of credentials. So, I provided each employee with their unique credentials. After a while, the website again got taken down, but when I checked through the logs, I noticed that one of our employees was responsible for taking down the company website and demanding ransom.
With proper proof, I was able to identify the culprit and managed to save my company from facing another such loss in the future. So yeah, this was my most interesting story.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Obviously yes. When I moved to the U.K for my Cybersecurity master’s degree, one of my teachers, Professor John McCarty, mentored me into the person I am today. Although practical work was never an issue for me, I did have trouble finding directions, focusing, and prioritizing work. Under his mentorship, I learned a lot.
Perhaps the reason why I’m now managing a pretty significant team of highly capable individuals is because of Professor John McCarty. He taught me things that you can’t find in books. Because of him, I know how to deal with peers and drive results.
I can recall one incident where I had to submit a research paper by the end of the week. But because I was juggling part-time work and school at the same time, I got so frustrated that I even considered dropping the course altogether.
Fortunately, I got in contact with John just in time. After nagging me a bit, he allotted me extra time so I could properly work on my research paper and not flunk the course. I owe a lot to him.
Are you working on any exciting new projects now? How do you think that will help people?
At the moment I’m working on routine work, coaching new team members, developing new strategies, assigning goals, and stuff like that. But I’m going to be working on machine learning to automate a lot of our business processes in the future.
Cybersecurity automation is the future. Modern cyberattacks have become automated. To defend against automated attacks, a manual approach is going to be futile. So what I’m going to be working on in the future is automating data correlation through Artificial intelligence. If I’m able to collect enough threat data promptly, then I would be able to run dynamic threat analysis to accurately detect sophisticated never before seen threats.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Hmm, that’s a tricky question. One piece of advice that stuck with me recently was from Charles Feller and it went something like this:
“Dive in with both feet and don’t look back. You’re going to make mistakes but don’t dwell on them, focus on the positives”.
Cybersecurity can be an overwhelming career choice. Anyone who’s looking to get into Cybersecurity must be willing to give their best. You’ll need to constantly keep yourself updated with emerging trends otherwise you’ll become outdated and the industry will just throw you back out.
These are the three pieces of advice I always give to my new colleagues:
- Build a portfolio documenting your success and referrals.
- Don’t stay quiet, identify complex issues to build trust.
- Adapt yourself to change and always be eager to learn something new.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
Cybersecurity is without a doubt an interesting field, to say the least. The three things that most excite me about the Cybersecurity industry are:
- I love that Cybersecurity is an ever-evolving career. I constantly find myself implementing new tools to enhance the security of our company’s network. I love that my job doesn’t require me to work on the same repetitive tasks every day. Instead, I read a lot daily and keep myself updated with whatever is cooking up in the Cybersecurity industry.
- Secondly, I love breaking down application codes. It might seem boring to nontechnical folks, but it makes me feel I’m solving some sort of intricate crime. Finding vulnerabilities with my team line by line is very satisfying for me.
- Lastly, what I love most about my Cybersecurity career is penetration testing. I love stress testing applications and networks to find potential loopholes and vulnerabilities. Finding weak links is like an adrenaline rush for me. I’m sure others from my field can relate.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Excellent question. The biggest threat to Cybersecurity in the near future is automated Cyberattacks. Through AI and machine learning, hackers can launch dozens of powerful attacks that can go unnoticed and cause substantial damage. Although AI is a blessing for us, if misused, it can wreak more havoc than any human hacker can ever think of.
Another challenge to Cybersecurity is the increasing number of PowerShell-based attacks. Instead of targeting any company’s network, hackers can directly target servers holding tons of data by running malware scripts.
Last but not least, companies should be prepared to have their cloud backups hacked or compromised. Hackers are no longer interested in hacking into a company’s network. Instead, their new target is the cloud. Therefore, companies should work on creating risk assessment and disaster recovery plans.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
There has been only one such incident in which a hacker managed to legitimately threaten my company. But to be honest, it was more of a human error than flaws in our security.
I won’t go into specifics because of obvious reasons, but one day, a blog post was published by one of our writers in our company, targeting hackers. After a couple of days, it went viral. Soon after that, a hacker reached out to our company via our official email and asked to take down the blog, otherwise, he’ll take down the entire website.
At first, we all thought it was nothing. But little did we know that he had already contacted the writer well before he demanded to take down the blog. He then started to send screenshots of Skype conversations from the writer’s phone. That’s when we realized that this was no joke.
Because the writer had clicked on some malicious link, the hacker was able to compromise his phone and source out information such as where he lived, where his brother worked, and stuff of that nature.
Though we ended up taking down the blog post, we were able to run a full audit of our company’s network and determine that no other employee was targeted. Basically, the writer was naïve and the hacker just got lucky that day.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Routinely, I use Wireshark to analyze our company’s network for any anomalies. Wireshark is an open-source software that allows you to inspect data on live networks in real-time. Wireshark is a must-have tool for any penetration tester.
Burp Suite is another tool that I use quite frequently for web application penetration testing. Burp Suite has everything you need to break into web applications. One of the best things I love about Burp Suite is its ability to launch full-fledged Man-in-the-middle operations for stress testing.
Although my list consists of some ten different Cybersecurity tools that I use daily, I’m going to keep it short and talk about just three. The last tool I’m going to share with you is called John the Ripper. It is essentially a tool I use to crack passwords during app stress testing. What I love about it is that it is fast and runs against both SHA and MD5.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Good question. It all depends on how well known your company is. Just like celebrities hang out with bodyguards and you don’t, there’s a reason why a lot of small businesses don’t hire Cybersecurity agencies.
If your business is small but you’re still concerned about Cybersecurity, over the counter Cybersecurity software can prove helpful and still save you a ton of money. Even hiring a single Cybersecurity executive to implement security procedures and run periodical audits can prove fruitful.
But if your business has a global presence, getting a reputable Cybersecurity agency or Chief Information Security Officer on board would be the right choice. It will be more expensive, however, it’ll be extremely crucial for data privacy. Take for example Microsoft. As per Satya Nadella, CEO at Microsoft, the company will invest more than 1 billion dollars each year for Cybersecurity.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Unlike Cybersecurity professionals, a layperson might not even know for days, sometimes even weeks, that they’ve been hacked. Sadly, that’s the reality. But, there are ways through which anyone can tell that they’ve been potentially hacked.
For starters, you should check your mailbox frequently. If someone has hacked you, they’ll likely reach out to you via email and demand ransom. So, instead of living in the dark for days, you can address the issue promptly and work on a recovery plan.
Another telltale sign that someone has compromised your privacy is that your passwords will stop working. That should be a call to action for you to change your password if your recovery accounts are still safe. You can visit Have I Been Pwned to find out if someone has stolen your passwords.
If you use a Windows computer, it can be pretty easy to figure out if someone has hacked your system. You can simply begin by checking whether your Antivirus and Firewall are enabled or disabled. If you haven’t disabled any of it yourself, this could mean that someone has hacked your system. Additionally, checking your web browser for sketchy plugins and your system for spyware can be helpful too.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Whoever first encounters the threat must immediately inform the IT staff. The IT staff must then disconnect all computers from the LAN network to contain the attack from spreading. Once that’s done, as a standard procedure, the IT staff must go through their backups and make sure that it has not been compromised. This is crucial for the continuity of business operations once the attack is over.
Once the attack is over, the IT staff can begin deploying the company’s pre-planned Cybersecurity response plan. After that, the company should release a proper statement educating the employees about the breach and necessary precautions.
The IT staff can then use special tools like Comodo Endpoint Security to trace malware and security vulnerabilities that might still be lurking around. This is where the responsibility of the IT staff ends.
Now the incident response team begins their work. They’ll be responsible for leading the investigation and coordinating with the company’s stakeholders. The incident response team will segregate the part of the network that had been compromised to prevent further spreading. Once that’s done, the team can then run detection tools to sniff out any additional threats in the system.
Everything that the team identifies during the investigation is documented for future reference. Their goal would be to figure out the root cause of the attack and prevent it from happening in the future.
Once the threat is dealt with and backups are restored, the incident response team will notify law enforcement and the public regarding the breach. This activity usually gets carried out after a detailed discussion with the public relations expert representing the company.
Everyone has the right to their privacy. Before laws like CCPA or GDPR were implemented, businesses were given a free hand to do whatever they want with their customers’ data. All this has now changed. The law gives people the power to sue businesses if their personal information is ever compromised.
This puts small businesses and even my own company where I work in a tough spot. We have to now critically think about what data we can collect from our visitors and customers that can benefit our business. We have to now deploy endpoint protection and encryption just to ensure no data gets compromised. All this can be expensive to maintain. For small businesses, this means investing a ton of their revenue in implementing safe data harvesting techniques to comply with the law.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The biggest mistake I’ve seen companies make regarding Cybersecurity is skipping on the disaster recovery plan. Companies don’t like to think that something can ever go wrong. That’s just absurd to think. No matter the size of your company, there’s no telling when someone can target you. The best way to deal with such eventualities is to always be prepared for the worst.
Another basic mistake that companies make is not educating their employees about Cybersecurity risks. You’re not going to believe how many people don’t even know that they should never click on suspicious links. If employees are given proper training, there’s no way that they’ll make silly mistakes that can then cause their company thousands of dollars in losses.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
In my company, before the whole pandemic incident took place, the HR department sought our help in conducting multiple sessions to educate employees on how to securely work from home. We briefed the IT staff in setting up different restrictions and installing endpoint security software like Kaspersky to ensure no one could remotely hack into our office issued laptops.
Because of our preemptive measures, we haven’t encountered any single incident ever since the lockdown where any of our employees got hacked.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
1. Restrict employees from password sharing:
Employers should discourage employees from sharing passwords. When I first joined the company where I work now, my lead would just share credentials via Skype. And that used to be the case for many months. But ever since one of our employees’ phones got hacked and his Skype conversations got compromised, we shifted to password managers like PassPack. The access to the master password remains just with the manager and he’s the one responsible for sharing credentials now. The whole process has gotten streamlined and there’s very little margin for human error now.
2. Provide employees with VPNs:
If your employees are still working remotely due to COVID-19, your employees should follow certain SOPs. For instance, in my company, employees must access company resources through a company-issued VPN. Doing so will prevent anyone looking to intercept unencrypted network packets going to and from any employee’s home network. Using a VPN also gives your employees a little more freedom when it comes to working online from a train station, cafe, or from any place where they can get access to public Wi-Fi connections. I carry an internet dongle device with me whenever I travel about so using a VPN has become like a daily habit of mine.
3. Equip office computers with Antivirus software:
It might seem old school, but Antivirus programs are super important even today. Even though VPNs are enough to deter any hacker from injecting malware onto your company-owned devices, what if an employee accidentally clicks on a suspicious link online? All of the computers in our company are equipped with Kaspersky which offers powerful endpoint security. The good thing about this software is that it gets updated quite frequently.
4. Backup data regularly:
You never know when someone will make you a target of a gruesome cyberattack. Therefore, it is always a good idea to be prepared. Hackers like to steal your data and then demand a ransom for it. But if your IT department runs remote backups every day, they can stay one step ahead of the game. This way, even if someone were to launch an attack on your company, you guys can run a full backup at the end of the day.
5. Run employee awareness programs:
Frequently run employee awareness programs to educate your workforce regarding emerging threats and safe practices. I often give speeches regarding how to detect and avoid suspicious links. As a result, it’s been ages since any of our employees reported getting hacked.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Since I work in the Cybersecurity industry and a lot of my work depends on accurate data, it would be super helpful if everyone could pitch in and report different Cybersecurity threats that they’ve encountered from their end into a centralized database.
To streamline the process, a simple website would be enough. People could just visit the website and report whatever Cyberattack they’ve witnessed with a brief description. I think something of that nature would be really beneficial for the Cybersecurity industry.
How can our readers further follow your work online?
To be honest with you, I’m not too outspoken. I only speak when I’m spoken to. But to address real-world issues or convey something that might be of help to my readers, I share my thoughts on Twitter. You can follow my work on @iiarehman. You can also read some of the blog posts that I write on VPNRanks as well.
“Think twice before you speak, because your words and influence will plant the seed of either success or failure in the mind of another”
This was very inspiring and informative. Thank you so much for the time you spent with this interview!