When you're trying to learn how to stay safe online, the best way to go about it is to get advice from those cybersec veterans that have seen it all, done it all, and know how to guide you. Thycotic's Chief Security Scientist and Advisory CISO - Joseph Carson is one of those people who knows what he's talking about.
With over 25 years of experience in security, Joseph is an active member of the cybersec community and often speaks at dedicated events across the world. We had a chat with him about the dangers we face nowadays from a security standpoint, the things we can do to help the younger generation navigate the threats we face online, and many more.
TechNadu: Let's start with something light. Tell us something about yourself... What are two things in your career that you are most proud of?
Joseph Carson: I’m very technical and love gadgets. However, my special skill is that I can take something that is very complicated and explain it in a simple way that makes sense to most people. I use this special skill to explain the challenges and best practices of cybersecurity to executives who have no prior security knowledge. Several things I am most proud of include being awarded the ISC2 Information Security Leadership Award in 2018 for cybersecurity awareness and also helping share my knowledge with an amazing team at Thycotic, helping our latest talented employees gain new skills.
TechNadu: Your company offers privileged access management solutions. How bad are things for the companies that hire Thycotic to sort their systems out? How exposed are they?
Joseph Carson: Thycotic offers privileged access management (PAM) solutions and those companies who engage with us are either beginning their journey to securing privileged access or have already previously started that journey and now looking to Thycotic for guidance on how to get more value and maturity with PAM. Companies who engage with Thycotic vary from all types of company sizes and business needs. Some of the most common need to be compliant with several of the major regulations or industry compliances such as PCI and ISO, the need to reduce the risks from cyber attacks improving access security or resulting from major breaches and privileged access is one of the most important priorities to reduce the business risks from becoming a victim again in the future.
TechNadu: What do you see as the largest threat to our security nowadays?
Joseph Carson: The largest threat to our security is the failure to take action. We understand that most cyber attacks are not sophisticated, nor do they all come from nation-states, and we have many best practices that help companies reduce the risks of becoming a victim of cybercrime. Becoming proactive and doing a thorough cyber business impact assessment and putting strong best practice security controls in place such as privileged access management will help most companies become more secure reducing the risk of most common cyber attacks as well as becoming more resilient.
TechNadu: You're an ethical hacker yourself so you are already in the mindset of looking for chinks in the armor of various companies. What are the most common points of entry?
Joseph Carson: The most common points of entry today are abusing the trust of employees and, most commonly, through the suppliers as they typically have much less security in place.
TechNadu: Bug bounty programs have grown quite a bit in recent years. Do you think there are now more hackers changing hats and leaving the "dark side" now that there are more legal ways to earn money with their skills?
Joseph Carson: Many people follow the money as a motivation. Where money is available for legitimate purposes, it can turn some criminal hackers to using their hacker skills for good purposes. However, it is mostly an ethical decision and not a monetary decision that stops hackers from becoming criminals. Actually, a majority of hackers are good citizens, using their skills to help companies be better at cybersecurity. There are only a few criminals hackers that focus on personal gain and financial profit, and they are typically located in countries where it is not considered a crime.
TechNadu: There's a whole generation of kids growing up with smartphones and tablets and laptops and the Internet. What do you think are the best ways to teach them to be safe online? Do we have a chance to raise an entire generation to be more security conscious when so many adults still reply to Nigerian princes?
Joseph Carson: It needs to start early at home, in society, and within education. If society fails to raise the security issues, and education does not include it as a basic lesson, then we get into the habit of trying to add security on after it has already failed. Security should be by design, not just in IoT, but in society and in life.
TechNadu: You're a security advisor to various governments across the world. How vulnerable are these super important infrastructures to cyber-attacks, based on the assessments you've done?
Joseph Carson: Critical Infrastructure is seriously vulnerable as more devices are connected at lightning speeds than ever before. Taking old legacy equipment and making them available online only means more vulnerable systems that can be exploited. Not only are they vulnerable, but we also fail to educate the human using those systems with the basic cybersecurity hygiene needed to keep them safe from criminal hackers.
TechNadu: Lastly, what advice do you have to give to kids who are just now starting to flex their hacking muscles?
Joseph Carson: Many online-safe platforms, such as capture the flag challenges, provide kids with safe environments that allow them to enhance their hacking skills without breaking any laws. It’s important that we teach them how to do it ethically and we also need to introduce a mentorship platform that allows experienced ethical hackers to educate the next generation and help keep them on the good side of the law.
What do you think about what Joseph has said? Let us know by dropping a note in the comments section below and please share the article online so others can find it too. Follow TechNadu on Facebook and Twitter for more tech news, guides, reviews, and interviews.