As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Marijus Briedis, a CTO at NordVPN, a leading VPN service provider. Years of web development and system administration eventually led Marijus to become a VPN industry expert. Besides his passion for everything IT, Marijus is a lifetime learner, discovering the world with a positive attitude.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Thank you for having me. I grew up spending most of my summers by the lake or playing basketball. And when I wasn’t doing that, I spent my free time at my computer trying out various software and learning how to program.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
My fascination with cybersecurity began when I watched the movie Hackers (1995) for the first time (by now, I’ve lost count of how many times I’ve seen it). Not long after that, I discovered CCC (Chaos Computer Club), IRC channels, Phrack e-zines, BSD operating systems, and other hacker-related things. This “hacker” culture was very popular in my teen years, and naturally I got sucked in.
Can you share the most interesting story that happened to you since you began this fascinating career?
One of my most memorable experiences is having been part of the team that designed, created, and implemented NordLynx — the fastest and most innovative VPN technology built around the WireGuard® protocol. Challenges related to scale, security, and anonymity are the ones I love solving the most.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I totally agree with you on this. The people around us are the key. I would like to say the heartiest thank you to my ex-lead Emanuelis for believing in me and giving me the opportunity to become a part of NordVPN as a Linux SysAdmin. There have been a lot of great challenges along the way ever since, and I’m still enjoying the ride every day.
Are you working on any exciting new projects now? How do you think that will help people?
Actually, I am working on an exciting anti-malware product that protects users’ privacy at the edge of a network. Nord Security (NordVPN’s parent company) is close to completing a proof of concept for an approach that might render antivirus systems useless. We’re exploring technology that might be able to detect malware before it lands on devices, block third-party trackers and cookies, and even more.
Our mission is protection from threat, and we aim at offering a single application that covers all the essential areas of consumer security.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Work-life balance is fundamental. Everyone, even the busiest cybersecurity professionals, needs to make time for their friends and family. Spending quality time together, laughing, and enjoying good food for at least one evening a week can work wonders. And, of course, physical activity and sufficient sleep are also crucial.
Another thing that helps me avoid “burning out” is learning something new in the field of cybersecurity. In general, I love challenging myself, so there’s always something new and interesting happening in my life, which helps me keep my mind in check.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
Firstly, cybersecurity is a field of innovation and change. Technologies, the way people interact with them, and their security measures are constantly changing. When you’re in this field, you’ll never stop learning new things every day.
The second thing that excites me about cybersecurity is privacy. These days, we can’t imagine our lives without computers and smartphones. But how many of us take surveillance and censorship into account and consider the impact they have on us? How much are they invading our daily lives? Where is the line between what’s legal and what’s not? And what privacy policies should be implemented and why? These questions always make me think.
Lastly, I like all things tech in cybersecurity. I simply enjoy seeing ideas become code and being deployed and used practically, especially at scale. A good example is the fairly new QUIC and HTTP/3 on top of it.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Like defenses, attacks are getting innovative too. We see emerging defense techniques based on behavioral analysis in the endpoint protection market. I think it will be a two-way street. In the near future, we’ll see malware adapting and transforming itself to avoid these defenses. We already have a good example of genetic algorithms and their usage in computer network scenarios.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I do have a story from my own experience. Since the case is sensitive, I wouldn’t want to elaborate on the details, but the main takeaways from it are to be well-prepared for incidents, have a clear plan, and then stick to it while executing the mitigation procedures.
Communication between all of the stakeholders is key too. You have to react to the situation quickly and not hesitate to take action. It is also very important not to bring panic and chaos into the team. That’s why teams usually get proper training on how to deal with data breaches and leaks.
I would recommend tabletop exercises of various levels to any organization that cares about the security of its IT infrastructure.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
It depends on what tasks I perform. For my daily activities, I use Linux, as the operating system provides a lot of good software. I use LUKS (Linux Unified Key Setup) to encrypt my hard drive, while GPG tools help me ensure secure communication through emails.
I can no longer imagine my life without a password manager, which encrypts all my passwords, helps with generating new ones, and stores them all securely in one place.
All the apps I use run in the container environment through bwrap. For browsing, I use Firefox with the NoScript, uBlock Origin, Cookie AutoDelete, and HTTPS Everywhere extensions. DNS queries go through Unbound, which is locally configured to use my own DNS-over-TLS server. If I need to pentest something, I usually fire up Kali Linux in a virtual environment.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
It really depends on how big the company is, and there are several ways to go about it. For companies just starting to look into cybersecurity, I would suggest approaching it from a slightly different perspective. It starts with the weakest link — your employees. You have to make sure everyone’s accustomed to good security practices, have their laptops and phones encrypted, have a clear onboarding/offboarding checklist, use 2FA wherever possible, lock their computers, and use password managers.
For the code you produce, enforce a secure code review checklist, keep secrets away from the code, never do cryptography yourself, and use pre-production analysis tools.
For applications, keep track of dependencies and always run them unprivileged.
For infrastructure, keep your software up to date, isolate assets at the network level, always back up, test your backups, then back up again, and encrypt everything on the wire.
Finally, for the company itself, build a security-friendly culture. You’ll definitely need reliable and experienced people to take care of everything mentioned above, and a CISO could be a great start. When the company gets mature enough, make sure you have dedicated people responsible for security.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Any unexpected traffic from your corporate computers or servers should sound alarming, as that might mean something fishy is going on. Any anomalies with the applications, such as constant crashes or higher CPU load, must not be ignored.
Also, strangers and/or unknown devices in your office can indicate that some kind of red teaming or a real attack is going on. Remember — physical security is important too.
Finally, you shouldn’t brush off major anomalies in everyday operations either.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The initial procedures of identifying and assessing the breach should be followed by containment and eradication. The IT team should determine whether the resources at risk (hardware, software, users, services, etc.) require physical or logical remediation. Resources that pose a significant threat to the continuity of the business should be immediately removed or isolated either physically or logically. Forensic analysis should be done using internal resources or with the help of third-party forensic investigators.
Once all of this is done, the breach notification process should start. Then recovery, if possible, and a postmortem.
Our business has always been privacy-oriented, but the new laws brought more structure into our day-to-day business operations. We’ve updated and created the necessary procedures for implementing various privacy-related rights of our customers. We’ve also made our policies even more transparent and made the best data security practices our main focus.
I must admit that not everything went so smoothly. Like many other businesses, we faced challenges in trying to interpret and understand the laws correctly and completely. Also, we needed to review the way we advertised our business to the customers and try to find new and less personal data-oriented practices. Overall, I think the new privacy laws prompted most businesses to bring more clarity to customers on how their data is processed and to give them more power on deciding what, when, and where data can be handled. I applaud this.
What are the most common data security and cybersecurity mistakes you have seen companies make?
I’d say one of the greatest mistakes is that companies fail to ensure the balance between their product/service and its security. In our fast-moving world, it’s the norm to focus on the product and financial gain it can bring, pushing things like cybersecurity aside. However, when a data breach strikes, financial losses and a damaged reputation are inevitable. Therefore, neglect combined with a low or even non-existent budget for cybersecurity are the greatest risks for companies.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
NordVPN’s research shows that 62% of people use their personal devices to work from home during the pandemic.
Unfortunately, personal computers are usually less secure and much easier to break into, so hackers are quick to exploit old software vulnerabilities that have been known for a while.
Phishing emails have become more ingenious, tricking less experienced employees into clicking on unsafe links or opening malicious .doc files. Sadly, malicious emails pay off, so more and more of them are circulating around, especially those related to COVID-19, offering fake information or even treatment.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
1) Know your data flow. It is an amazingly hard task for big organizations, but you should know what data is going where and why. Knowing all the “pipes” and “flows” allows you to inspect, analyze, and detect anomalies faster.
2) Encrypt data in transfer. Using old and unencrypted protocols for data transfers is a straight way to a disaster, even if you use them in isolated environments. The MITM attacks can proceed undetected for a long time, and if the data is sniffed, it can be a gold mine that will allow an attacker to break into other systems. Encrypting data and using modern protocols prevents cyberattacks.
3) Encrypt data at rest. You should not only know where your data is stored and located physically, but make sure it is encrypted. At one point in my career, I received an alert that one of the hard disks indicated an error on a RAID controller. It went back to a normal state in 10 minutes, but the serial number of the disk was different. After a long chat with the provider, they said they “had to change it”. I was relieved that all the data was encrypted.
4) Update the software and technologies your company uses. Keeping software up to date is a no-brainer for anyone in tech, but other technologies tend to change too. Don’t forget that MD5 is not the hash you should still be using to encrypt your passwords in the database — there are better and stronger alternatives.
5) Educate your employees on cybersecurity. Regular training is important for everyone, whether it’s a non-tech accountant or a geeky developer. At the end of the day, the weakest link in cybersecurity is between the chair and the computer.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I would love to encourage people to try the 8-day “data detox kit”. It helps realize how much data we generate each day and explains the principles of surveillance capitalism. Once you’re through with the “detox”, your mindset about your digital wellbeing should change drastically, and you’ll consciously seek better protection of your data.
How can our readers further follow your work online?
I’ve never talked about my work publicly due to the nature of the industry I’m in. However, I might start blogging and tweeting to share some of my knowledge with the wider audience in the future. I’ll definitely let you know!
This was very inspiring and informative. Thank you so much for the time you spent with this interview!