Ekaterina Khrustaleva, ImmuniWeb: There’s No Silver Bullet for IoT Security

Written by Gabriela Vatu
Published on April 20, 2019

ImmuniWeb, or High Tech Bridge as the company was named before its recent rebranding, is one of the top security firms in the world. Its COO, Ekaterina Khrustaleva, agreed to give TechNadu an interview in which we discussed the security risks we all currently face online, the abysmal security levels in IoT, ImmuniWeb's work, and more.

Ekaterina Khrustaleva has been with ImmuniWeb for over nine years as a sales manager and has since climbed the ladder, being appointed COO in 2013. In this time, she has amassed quite a bit of knowledge of what it means to be a key player in the security world.

TechNadu: Let's start with a bit of an introduction. Tell us something about yourself, ImmuniWeb and the products you're proud of. 

Ekaterina Khrustaleva: First of all, I am proud of my team at ImmuniWeb. I started my executive career in cybersecurity almost ten years ago, notably in complex project management, and have the pleasure of working with dynamic, creative and erudite people at ImmuniWeb. We create the award-winning ImmuniWeb products for application security testing and risk scoring and deliver value, innovation, and excellence to our growing customer base. Since starting my role as COO in 2014, I have been responsible for global sales and partnerships including PwC, but I am also familiar with some technical aspects of our work. For example, sometimes you should be able to convincingly explain why SQL injection is usually more dangerous than an XSS.

TechNadu: How can ImmuniWeb help a company stay safe?

Ekaterina Khrustaleva: Users often start with our free asset discovery and risk scoring via ImmuniWeb Discovery, which is a crucial step to properly identifying, assessing and prioritizing risks, apportioning budget and mitigating threats.

Once an attack surface is visible and measured, we offer continuous and on-demand security testing and defense services for web, mobile, API and IoT applications. All of this can be fully integrated into your existing DevSecOps and S-SDLC processes.

TechNadu: How do you see the current security landscape? What is it that we need to fear?

Ekaterina Khrustaleva: Lack of visibility and short-sighted cybersecurity strategy seem to dominate the current security landscape. Many organizations are excessively focused on the trees while continuing to be in full ignorance of the forest. They cure a couple of trees but lose ten green hectares to a forest fire.

Inventory of your digital assets is the starting point for any cybersecurity program, but if you omit it, virtually all your spending will be poured down the drain. Risk assessment is equally indispensable to ensure well-thought and risk-based planning. Last, but not least, people are the most valuable asset. If your people are demotivated by a poor atmosphere and don’t care about protecting the organization, no technology will ever help. Therefore, select your team carefully, lead it, and be sure to encourage and motivate.

TechNadu: ImmuniWeb deals a lot with companies that use web apps, WordPress, and others in their business, tools that can be quite problematic security-wise. How can your company help and how can businesses and individuals help themselves to stay safe?

Ekaterina Khrustaleva: For a WordPress website, ImmuniWeb offers a free website security test. It thoroughly verifies CMS plugins and versions, searching for vulnerable and outdated versions. It will also meticulously go through web server configuration and Content Security Policy. For corporate clients, we offer our unique Multilayer application security testing technology that combines Machine Learning and human intelligence for rapid, scalable and cost-efficient application penetration testing.

TechNadu: We've seen a lot of chatter about the IoT industry and the abysmal security some of these devices have and how governments of the world should step in and set down some kind of regulations. Do you think that's something that needs to happen or should the industry regulate itself?

Ekaterina Khrustaleva: One of the biggest problems of the IoT market today is that very few IoT manufacturers take security seriously. Most IoT devices are built without the most trivial security features, such as the possibility to update software, use strong and unique passwords, or connect to the device via an encrypted channel. Many IoT devices are not just insecure but dangerous by design and there is no possibility to fix them. Even if fixable – it’s often cheaper to re-build the device from scratch.

Against this background, governments do need to step in, but regulation should be reasonable and encouraging rather than punitive. Self-regulation is certainly another approach, as in the globalized world and in the era of acrimonious political conflicts it may be difficult to agree on a global standard in a timely manner.

TechNadu: What about yourself? Do you trust such devices into your home and how do you pick them? What advice do you have?

Ekaterina Khrustaleva: Fortunately, my colleagues help me test all IoT devices that I possess, in my car and at home. These gadgets are tremendously practical and help tackle numerous burdensome daily tasks if properly configured and wisely used.

Most of the IoT devices cannot be accessed remotely and thus require attackers to be physically located near the device, making the probability of cyber-attacks akin to theft or physical damage to the device. One can obviously imagine a chained attack on an IoT device managed by the voice from another hacked device connected to the network, but those threats are more theoretical than practical in the majority of cases.

There is no silver bullet for IoT security but I would recommend following the fundamentals of cybersecurity: updatable software, strong passwords, encrypted channels, and the possibility to reduce external access to the device as much as practical via a basic firewall or strong authentication.

TechNadu: The cybersec industry isn't exactly the most welcoming for women, and yet you've spent the better part of the past decade working your way up at ImmuniWeb. What made you switch from private banking into cybersec?

Ekaterina Khrustaleva: I had the same opinion when I just started, and honestly, it was not an easy move for me. However, today I believe it was one of the best decisions I have ever made. The industry may appear cold and even hostile from the outside, but my male colleagues, clients, and partners serve as a laudable example of courtesy, politeness and mutual respect. I’d say a career in cybersecurity is an excellent choice for ambitious women today.

TechNadu: How difficult has the road so far been for you? Have you encountered that toxic attitude that most women in cybersec complain about?

Ekaterina Khrustaleva: Omitting a couple of exceptions present in every industry and city, my memories have mostly been spectacularly positive and inspiring. While learning cybersecurity at the University of Oxford, I connected with exceptional female leaders in cybersecurity and risk management. The sharpness of their minds and sheer creativity have only encouraged me to continue with my studies and professional development.

TechNadu: Do you think the tech industry is opening up and welcoming women more easily into its folds? How do you see the future for women in IT? 

Ekaterina Khrustaleva: Over the last five years, while there has been a concerted effort by organizations to increase the numbers of senior women in the tech community, we still have a way to go.

I think working with schools and empowering girls early on is the key to balancing the inequality within the tech sector.

TechNadu: What advice do you have for girls who are told to avoid STEM topics or not encouraged enough to step into this direction?

Ekaterina Khrustaleva: The best piece of advice that I can give is for those girls to find their own way, to listen to their hearts and minds, to believe in their well-deserved success and to follow whatever career path interests them with confidence.
