Asaf Cidon, Barracuda Networks: Malware Isn’t the Biggest Worry Nowadays, Credential Theft Is
The digital world is a treacherous one, and our emails are often the target of attacks, especially those we use for professional purposes. Asaf Cidon, Vice President of Email Security at Barracuda Networks, agreed to chat with TechNadu about online security, Artificial Intelligence, and the mistakes we make online.
Before becoming VP at Barracuda Networks, Asaf Cidon co-founded Sookasa, which was acquired in 2016. Previously, he worked at Google Israel. He has a Ph.D. and MS in Electrical Engineering from Stanford and a BS in Computer and Software Engineering Cum Laude from Technion.
TechNadu: We are all under attack on a daily basis - both as individuals and as employees. How can we do a better job at protecting ourselves?
Asaf Cidon: Are you asking as an employee in a business setting or as a consumer?
TechNadu: I'm angling more towards consumers because if you know how to protect yourself in your personal life, you can do that in your professional one too
Asaf Cidon: It's interesting because we see the attacks that are hitting businesses are a little bit different than the attacks that are hitting consumers. So, for example, business email compromise attacks or account takeovers are more common with business users, and their goals are rather different as they usually try to get sensitive business information, something that consumers are less likely to do.
But there are some things that both as a consumer and as a business user you can do to be more secure. The gist of things is general email security principles like setting a strong password, ideally using a password manager. Specifically not reusing passwords so that the passwords to your email systems should really not be used anywhere else. A lot of times attackers hack into email systems because they steal a password from some other system that was attacked and they just reuse it. So that's one step.
Another one is setting up multifactor authentication which is also really important so that even if someone steals your password you have an extra layer of defense. And then, for business users, there are products that can really help you be more secure from email security and filtering to products that actually use artificial intelligence to understand anonymous emails. And then, finally, the last piece which is also more true for the business users is security awareness training. More and more are implementing security training for their employees to make sure they simulate the attack scenarios, make sure that their employees have seen these attacks before and don't click on them. Those are kind of the main steps.
TechNadu: What about the smaller companies that aren't exactly the ones that are going to invest a lot of money in security solutions?
Asaf Cidon: I think multifactor authentication and a strong password or passwords managers are the minimum to having a good password policy in the company will take companies a long way. Those are the basics.
Even if you are a small business and don't want to invest any money in security tools - that's where I'd start. I would say, though, that all these security tools are priced on a per-user basis. At Barracuda we have 5-10 person companies that are customers of ours and it's not such a high cost since they're paying per user, so there are a lot of tools for small business as well, not just big companies. I would say that small companies do get attacked a lot, so it's not like it's only a problem for big, multinational companies.
TechNadu: One major problem in security is awareness of the users about the problem that they're facing. So how can we increase the awareness of the issue at hand and the safety steps everyone can take.
Asaf Cidon: Generally speaking, I think it's important to talk about these attacks and their impact. The attacks have been getting to the news a lot in different place. In the US, obviously the elections, I think people heard about these targeted phishing attacks that were very prominently in the news. I think that's an important aspect of it, to talk about it and show the impact.
I think a lot of us have actually - when I talk to friends, outside of my professional capacity in working in email security - there are a lot of people I know that have been affected by email attacks. A lot of people that we know have received these attacks on their personal emails or many people have had their passwords stolen, or have had their password involved in a breach.
Just this week Facebook has had a massive security breach and asked people to reset their passwords, which I think is a really good example. I think it's important to be vigilant and when you're talking to friends and family make sure they are taking steps to secure their online life.
TechNadu: In your experience do you believe that the awareness actually exists among users, because most often we see this "it can't happen to me" attitude?
Asaf Cidon: It's just a matter of time. It's not "if", it's "when". Especially if you're using weak passwords or reusing them. If you're using a weak password on a popular email system, or reusing your password, you will get hit. It's not even a question.
We had huge hacks from Yahoo a few years ago, Dropbox, Slack, LinkedIn, Facebook now. All these major platforms have vulnerabilities. So, if you reuse your password on any of these platforms, your password right now is out in the open.
People can also use PWNED (Have I Been Pwned) where people put in their email addresses and it will tell them whether their credentials have been used, have been stolen in a prior hack. So that's a free service that's a really good idea for people to try out and see. A lot of time that's eye-opening for people and they'll realize that their credentials have been exposed multiple times in the past because of these recent hacks.
They're doing great work. Generally, our team and our company are focused more on business hacks, but I think there are differences but also similarities between businesses and consumer users - the way the attackers get in initially is because people will reuse passwords for Yahoo and their corporate email account, for example. So the breach wasn't on any corporate system, but once you start reusing passwords the company is at risk.
TechNadu: What do you consider to be the biggest threat to our cybersecurity? Is it some kind of malware, ransomware, or something else?
Asaf Cidon: By far, the biggest risk, in my opinion, is account takeover. Malware and ransomware are totally not the biggest risk. It was the biggest risk a couple of years back, but companies have gotten a lot better at stopping ransomware. Sandboxing is becoming really commonplace. And there's a lot of good antimalware solutions out there.
Generally speaking, when I talk to our customers, malware is not the top of their concerns. We barely hear about ransomware these days. A much bigger concern is credential theft. We are seeing a significant rise in attacks where attackers steal credentials from one of the employees and then use those credentials to log in to their email system and use that as a base of attack against other employees or other companies. Once you get in the door and you're stealing credentials, you can do whatever you want in a lot of these companies. They don't have multifactor authentication and there's really nobody that's even looking at internal communication, so once you get into the network you can kind of do whatever you want.
By far, when I talk to customers, that is the biggest threat. It's something they're sometimes spending dozens of hours per week trying to deal with. One account getting compromised - and then ten other accounts getting compromised and so on. It's almost like a game of whack-a-mole trying to spot which one is compromised, so it's a really big pain for our customers.
TechNadu: AI is being increasingly used in tools we use on a daily basis. Could it also be the solution to our cybersecurity?
Asaf Cidon: We actually have a product that was the first AI product, as far as I know in the market for email security and it's doing really really well. So, absolutely, AI is a cornerstone of defense in cybersecurity, these days. AI is kind of a scary term for a lot of people, but the basic idea is pretty simple. What attackers have done in the past few years is make their attacks much more targeted so they realized that just spamming a million people or sending ransomware to a lot of people was just not effective because once you patch one of those attacks it's very easy, using signatures or using blacklists, to stop the other attacks. So what attackers have been doing instead is using a much more targeted approach - they go after specific companies with very customized messages.
Often times, these messages don't even have a malicious link attached to the email, they're just using social engineering to trick the recipient, impersonating the CEO and asking for a wire transfer, for instance. To stop these type of attacks it's really really hard for a traditional security system that's usually based on blacklists or on reputation or various rules because attackers will just bypass these rules and know to customize their message for their targets.
And that's really where AI is at an advantage because with AI we can be more flexible in the way we stop these attacks. The AI can learn the really unique communication patterns of each company and kind of apply a unique set of rules for that company. You can train the AI, for example, to recognize the CEO always uses this type of email addresses, they always communicate in these hours, these are the people they normally communicate with, this is the type of text he would use. And then the AI can make a much better determination than me and like 20 or 100 humans trying to guess how the attacker is going to craft their attack. It learns the communication pattern and it can really customize the defense for each customer, which if I had to do manually it would take me thousands or tens of thousands of hours to do.
TechNadu: I was at a tech conference last year and the cybersec experts were discussing that someday soon AI will be able to write its own code, both for cybersecurity purposes and for malware. Should we be concerned? Do you think this is a possibility?
Asaf Cidon: First of all, I'm a little skeptical about AI writing code anytime soon. The question is "what is code?" Here's the way I would think about it - let's take an email security system. An email security system needs to make a very simple determination - is this email malicious or not? It's a binary decision - yes or no. AI definitely, today - if you look at Barracuda Sentinel AI product, it's able to make that determination in a way that is unique to each customer and each customer's communication pattern. It's like the AI has a different rule set that is very complicated for each and every customer and each and every employee of that company. I don't know exactly what 'writing it's own code means' but I'm a little skeptical that AI will start writing Python code anytime soon. For being able to do a determination, to create rules, that's something that already exists today.
And then there's the question on whether attackers will use AI. There's been a lot of media reports about that and I suppose they can. I'll be honest - I'm a little skeptical about that. I think attackers today - if you're sitting in a place that is relatively cheap you can hire low-cost labor and there's a lot you can still do with a person like looking over social media accounts and crafting personalized attacks. The payoffs of these attacks is so high that you don't even need AI - all you need is someone who can look into LikedIn or Facebook for five minutes and create a personalized attack.
Sure, one day, attackers will be able to use AI; there's nothing magical about AI, everybody can take a course and learn how to do some basic things, but I think they don't need to. They can do much simpler things and have people that create personalized attacks like they're doing today. That's what I'm actually more worried about than attackers using AI.
TechNadu: Since we were discussing online safety and even privacy, should all Internet users use end-to-end encryption on all their communication tools and avoid those that don't?
Asaf Cidon:Â I feel like encryption doesn't help you for a lot of these attacks. Encryption is only good from stopping the provider from getting hacked, but if someone steals your password E2E encryption doesn't help you in any way. Honestly, for a lot of these attacks, end-to-end encryption wouldn't help at all. If someone is impersonating your boss, or steals the credentials of your boss to email you, end-to-end will not help you. End to end encryption is a nice thing but people think that it's something it's going to solve all the Internet's problems and I'm actually really skeptical. The problem is not that your email provider will get hacked and they're going to steal your communications. That's never happened so far with Gmail. The problem is that someone impersonates your boss and sends you an email that looks like your boss and even if that email is perfectly encrypted, it's not going to help you that much.
End-to-end encryption doesn't really play a big role in email security. Sure, it's nice to have, but it's not going to stop 99% of the attacks.
TechNadu: I also had a question about the efforts made by governments to undermine encryption and privacy tools like VPNs. What should be done to combat this?
Asaf Cidon: It depends on where you live and what type of country you live in and the regime, but I think for a lot of email users, that's not the issue. I think for a lot of us the issue is a criminal stealing our passwords and using it to buy something on Amazon, or on the Internet, or someone going and tricking my company and trying to steal hundreds of thousands of dollars.
So, end-to-end encryption simply doesn't play into that. 99% of email attacks have nothing to do with encryption standards or governments. If you're really worried about a government, sure, there are end-to-end encryption applications out there, like Proton Mail, or using WhatsApp is probably a good idea because they use end-to-end encryption and they can't access the messages.
TechNadu: In light of the latest Facebook system, many voices in the industry are requesting the possibility to pay for services like Google and Facebook in exchange for their privacy. Do you think we'll ever see such a change?
Asaf Cidon: I'm skeptical that the providers will want to do that. I've been expressing this personal opinion in here, but their whole business model is built on that. I'm skeptical that they'd want to bifurcate their users like that. Then, it's possible that some of the people who would be willing to pay for such a service are the people who are maybe the best targets for the ads because they're probably higher-earning, maybe more educated people that actually advertisers would want to target more.
I think if privacy was something that was easy to monetize, you would have seen a lot of these alternate services. There are alternatives like search engine DuckDuckGo, that offer higher privacy and I don't think they're succeeding that well, or nowhere near Google. So I think that shows that people aren't really that willing to pay for privacy. If that were such an important thing for users, we would have already seen more private alternatives to Facebook and Google that are much more successful.
The hack has nothing to do with privacy because we've seen companies that have paid services that also have been hacked. LinkedIn had a big hack and they're much more of a paid service than Facebook. The fact that some of these services will get hacked is a reality that we need to live with whether they're a free service or a paid service. And users need to have the assumption that any service they use online could get hacked and it's important to not reuse passwords, use multifactor authentication and a password manager no matter what service they use.
How cautious are you about your email accounts? Do you use a password manager? Let us know in the comments section below and please share the interview online. Come chat with us in TechNadu's social pages on Facebook and Twitter. Thanks!