Every time you go online, there are many dangers lurking around, security threats that need to be dealt with. While the regular users have some contribution to keeping themselves safe online, it's cybersec specialists that carry the heaviest burden. Nathan Wenzler is the Senior Director of Cybersecurity at Moss Adams, a company that deals with other businesses, helping them out in numerous fields, including cybersec.
Wenzler has been working in the industry for a long time. Before he took on the new job at Moss Adams he was a Chief Security Strategist at AsTech, which merged with Moss Adams in 2018, and an Executive Director of Security for Thycotic before that. Nowadays, he's even a member of the Forbes Technology Council. Given his impressive resume, we wanted to see how he can help us understand the security world better, what the biggest threats are, how safe are IoT device, what we can do to stay safe and how white hat hackers are keeping us safe nowadays.
That being said, here is TechNadu's interview with Nathan Wenzler, Senior Director of Cybersecurity at Moss Adams.
TechNadu: What do you see to be the biggest security threats nowadays? Is it ransomware, social engineering, or maybe data breaches?
Nathan Wenzler: Social engineering attacks, which to me includes ransomware, are definitely the biggest issue I see today. While we’ve seen social engineering attacks for a long time, what’s different now is that the attackers have more personal data at their disposal than ever before, due to all the data breaches we’ve seen in the last few years. This makes it so much easier for them to craft very personally, targeted social engineering attacks, and thus, they’re much more difficult to defend against. As the software and hardware, we employ to protect our networks get better, attackers are more commonly moving to the easier target: people. I expect we’ll be seeing a rise in these kinds of attacks, even if they tend to be quieter, as it will be more profitable for attackers to go after individuals who have access to key financial information or other forms of critical data.
TechNadu: For many years now, IoT security has been a joke and many security pros have been calling for better standards or laws to be created to force these companies to comply. What do you think? Do we need laws or should we let the industry sort itself out?
Nathan Wenzler: Ultimately, we need both. There are still companies developing IoT devices that don’t see the need for spending the extra time and money to build security into their products. So, for them, some form of regulation is likely going to be needed to get them to do it. That said, the regulations we’re seeing coming down the road are limited and won’t have any effect for several more years. Thankfully, we’re seeing more consumers demanding that companies include better protections natively into IoT devices, and that has resulted in many companies doing exactly that. The more that customers want security, the more these companies will do it and the industry will move in that direction. But, it’s going to take both sides to really get to a place where security is truly baked into every IoT device produced.
TechNadu: Speaking of which, do you have any IoT devices in your home? Are there some you'd never allow in?
Nathan Wenzler: I don’t have any IoT devices, myself, and I’m not a big fan of the voice-activated assistants, especially in the wake of several reported glitches and issues where it was demonstrated that these devices are, in fact, listening to conversations. But, we’re at a stage now where nearly everything has that capability, whether it’s your smart TV or your smartphone. Everything is collecting data about you. So, I’m not fully against having IoT devices around, it’s just a matter of determining how much more data about myself I want to give up to these companies. It’s the same tradeoff we’ve been dealing with since the rise of “free” services on the Internet.
TechNadu: Part of your job is to dig through IT systems belonging to companies that work with Moss Adams. What are some of the biggest errors you've found along the way and how did they affect the customers of said companies?
Nathan Wenzler: I’ve got stories like this that go back across my entire career. I’ve seen a single Ethernet cable is plugged into the wrong switch port cause an entire organization to cease functioning, both internally, and for external customers. In another case, a yearly test of a backup generator caused a data center to go dark, as the generator was turned off before they threw the failover switch. The problem with a lot of these stories, though, is that someone missed something fundamental and basic. Systems have gotten so complicated, that it’s common for people to seek out the complicated problem. But Occam’s Razor is still in effect here, and when problems arise, it’s important for IT and InfoSec people to remember to start with the basics when figuring out what’s going wrong.
TechNadu: How many of your penetration tests are successful? How vulnerable are the common IT security systems?
Nathan Wenzler: Most every pentest is successful in some way. A lot of it has to do with how much time is spent trying to break in. Given enough persistence and the trial and error of testing techniques and tools, one can usually find some sort of path to get into a network or an application. This is why defense-in-depth strategies for technology have been recommended for decades now. You’ve got to be able to buy yourself time to respond to threats, while also having multiple defensive techniques that will hopefully stop what another layer of defense could not. Thankfully, we’re getting better at this overall, especially as more companies take security seriously and make real changes to the way their applications are coded and how networks and systems are designed. But, we’ve still got a long way to go, and a lot of companies still need a ton of help getting even the basic vulnerabilities taken care of in their environments.
TechNadu: We've seen a rise in white hats in the past few years, partly thanks to bug bounty programs. How do you see this trend? What do you think motivates these people to engage in ethical hacking?
Nathan Wenzler: Honestly, ethical hackers have been around since the beginning, and they do it from either a sense of curiosity or they come from a place of wanting to do the right thing. Often it’s both. Bug bounty programs have given those ethical hackers a means to safely interact with the company to share what they’ve found, which is much more valuable to a lot of those people than the financial reward itself. In the past, it was not uncommon to have someone find a vulnerability somewhere, and then be unable to find someone within the company to report the finding or who would listen or take them seriously. Bug bounty programs show that a company is, in fact, listening and makes it much easier for researchers to share what they discover.
TechNadu: Many praise the use of VPNs as a way to stay safe online. What do you think of this? Do you use a VPN? What should people look for in such a tool?
Nathan Wenzler: VPNs are a great tool to help secure your public communications, like surfing the net or sending emails. I’m a fan of VPNs and advocate their use for most anyone, even if an individual thinks they don’t really need one. Thankfully, there are plenty of good VPNs out there, including some which are specifically designed for individuals, not massive enterprises. They’re easy to use, flexible to work on any platform, including your phone, and come with a little-to-no cost. The only real argument people have ever had against them is that VPNs do cause a small amount of bandwidth to be used up as overhead for the VPN to operate, but, we’re long past the days of dial-up modems as a primary form of connectivity. The overhead is insignificant today, even for mobile devices, that there’s really no reason not to use a VPN anymore.
TechNadu: You recently became a member of the Forbes Technology Council. What does this mean for you?
Nathan Wenzler: I’m very proud of my recent invitation to join the Forbes Technology Council, and am looking forward to interacting with my peers and colleagues on both the IT and Information Security sides of things about the whole spectrum of issues we’re facing in our industries. It should be an ideal forum to get a lot of different opinions together from people who are all aligned with the goal of improving information security for everyone, whether private sector, government agency or down to the individual users who rely on all this technology on a daily basis. Communication and education are some of the most foundational components for success in an information security program, so the more avenues we have to share information, the better. And with the reach that Forbes has, this will be a fantastic platform to share good security practices and insights going forward.
TechNadu: Lastly, what's the best piece of advice you have for people who want to stay safe online?
Nathan Wenzler: My best piece of advice to anyone trying to stay safe online is an adage that’s been around within InfoSec for a long time: Trust, but verify. We have to trust that companies we interact with online are safe and secure, especially as we conduct more of our financial and personal business online. But, that trust shouldn’t be absolute, and if anything ever seems a little off or not quite right, it’s critical that people ask questions and verify that the email they’re getting is legitimate, or that the website they’re using is supposed to work the way it does. Most companies have gotten really good about providing support around this kind of verification, so it’s easier than ever to just ask if an email or service is legitimate. Trust, but verify.
So there you have it, folks! What do you think? Do you agree with Nathan Wenzler's look at cybersec and safely using the Internet? Let us know by dropping us a note in the comments section below. Also, share the interview online so others can find it too. Follow TechNadu on Facebook and Twitter for more tech news, guides, reviews, and interviews.