Published on: August 24, 2024
Protecting our online privacy can be so overwhelming. It’s hard for everyday people like me and you to always stay on top of new threats, tools and complex cybersecurity concepts without going nuts.
In this new interview series by Safety Detectives, I am talking to cybersecurity experts and tech leaders who share insights and actionable tips to help you understand the hidden truths of online privacy and how to protect your sensitive data more effectively without losing your sanity.
Vasyl Khmil is the Co-founder and Chief Technology Officer (CTO) of NERDZ LAB, a multi-awarded software development agency with 90+ projects under their belt in development, IT consulting, and various successful startups. He has extensive experience as a developer, having worked at companies like Toptal, N-iX, and ArtyGeek prior to co-founding NERDZ LAB.
What inspired you to pursue a career in cybersecurity? Can you share the story with us?
Cybersecurity is super important for any IT company. At NERDZ LAB, protecting our customers’ data is our top priority. We didn’t start with an exciting cybersecurity story, but we knew right from the beginning that safeguarding information is essential for our business to thrive.
Like many companies, we began with a focus on IT development. But we quickly learned that without cybersecurity, any tech solution loses its value. We’ve always made it a top priority to protect our own data as well as our customers’. It’s not a choice; it’s a must.
This focus heavily influenced our vision to build extensive expertise to handle tricky projects, boost their development and success, and minimize the chance of errors and failures. We aim to support our clients as not just their supplier, but also as a friend and advisor.
What are the most overlooked cyber threats that you see affecting end users in your industry? What makes threats particularly concerning?
API Harvesting
Attackers frequently search for unsecured APIs and exploit vulnerabilities in systems like WordPress to access databases, potentially leading to the exposure of sensitive information. For example, unsecured APIs can provide hackers with direct access to customer data, which they can then sell.
Ransomware Attacks
Particularly perilous for large projects with a substantial user base. Once hackers infiltrate a database, they can threaten to disclose sensitive information or disrupt services unless a ransom is paid. Consider a scenario where a major e-commerce platform is hijacked, resulting in the freezing of all customer data and transactions until a ransom is paid.
DDoS Attacks
These attacks can overwhelm a company’s infrastructure, rendering services unavailable. Even the most robust systems can struggle under the weight of a well-coordinated DDoS attack, potentially leading to significant revenue losses for companies.
Social Engineering
Perhaps one of the most insidious threats. Hackers manipulate individuals into revealing sensitive information through methods such as phishing emails or phone scams. Even the most advanced technical defenses can be rendered ineffective if an employee is tricked into disclosing their login credentials.
Inadequate Database Security
Databases that are accessible on the Internet and not hosted on private networks are easy targets for attackers. This oversight can result in breaches where hackers gain access to sensitive data with ease.
What are the best ways to prevent and react to these threats?
To effectively prevent and respond to these threats, several key principles must be followed:
Monitor and Update your Libraries
Use standard approaches and continuously monitor the reliability of the services and libraries you use. Regularly update them to prevent hackers from exploiting known vulnerabilities. Using outdated software components is like leaving a window open for attackers.
Infrastructure Isolation
All infrastructure should reside in private subnets, with only one public entry point exposed, such as a public API. All other ports should be closed. Public interfaces should be protected by firewalls with well-defined access rules, including specifying regions from which access is allowed or denied.
DDoS Protection
To protect against DDoS attacks, load balancers should be used. However, it is important to note that with large volumes of traffic, the load balancer may start deploying additional infrastructure, which can become costly. Therefore, limiting the number of requests from a single source or MAC address is essential. Additionally, embedding cookies in request headers can help firewalls filter out malicious traffic and prevent video attacks, allowing connections only from the UI or infrastructure and blocking connections from scripts or other unauthorized sources.
Database Security
Databases should be located exclusively in private subnets, with no external access under any circumstances. Regular backups and firewalls with strict access controls are mandatory for securing databases.
Employee Training
Protecting against social engineering is crucial, as many breaches occur due to human error. Hackers increasingly use social engineering techniques, such as sending fake emails from company executives requesting password resets or access to sensitive data. To defend against such attacks, it is essential to establish clear access levels, where each employee has access only to the information they need.
This isn’t about trust but about security: it’s impossible to compromise someone who doesn’t have access to critical information. Two-factor authentication should be mandatory for all employees.
What are some things that people should START doing today that they’re currently not doing to protect their information?
These two actions can help safeguard against approximately 90% of security breaches, in line with the Pareto principle.
1. Everyone needs to use password managers and create unique passwords for each online account. Too many people still make critical mistakes that put their security at risk, such as writing down passwords on paper or PIN codes on cards, actions that significantly increase the risk of a breach.
If one of your accounts is compromised, hackers can easily access your other accounts if the same password is used across multiple services. By creating unique, longer and complex passwords using a password manager (e.g., a 16-character string), the chances of being cracked by brute-force attacks are significantly reduced.
- A four-character password can be cracked in about one hour using a brute force attack
- A 16-character password might take years
It’s unlikely that hackers would spend that much time attempting to crack your password using a brute force attack (where the attacker tries different combinations until they find the correct one).
2.Enable two-factor authentication (2FA). Even if a hacker gains access to one of your passwords, 2FA can act as a final barrier, blocking unauthorized access.
For companies, similar advice applies, but they should also focus on controlling access to their data. Proper access management is essential to minimize risks and protect sensitive information.
What common cybersecurity beliefs and practices do you passionately disagree with? Why?
The belief that you can achieve full protection against all threats is a myth. Cybersecurity is a game of resources and time. If a hacker is determined and has enough resources, they will eventually find a way to breach any system. Therefore, it’s essential not only to protect against known threats but also to be prepared for new and unforeseen challenges.
A simple example is any iOS application – If someone puts in the effort and has a deep understanding of iOS and system infrastructure, they can break into the device and gain direct access to the code. They can see which methods are called, at what moments, and what is stored in memory, and based on that, they can extract all the necessary data from the iOS application.
It’s all a matter of knowledge, resources, and time.
What emerging technologies, trends, and new threats do you believe will have a great impact in the next 5-10 years? How do you plan to adapt to these changes?
Serverless solutions are more difficult to hack because they lack a traditional infrastructure for attackers to target. Although they are more challenging to set up and can be more expensive, they offer a higher level of security.
Serverless computing operates by allocating resources on demand, making it much more difficult for attackers to identify and exploit vulnerabilities. As these technologies continue to evolve, we plan to integrate them into our projects to ensure that our client’s data remains secure in the face of increasingly sophisticated threats.
How can our readers follow your work?
Website: https://nerdzlab.com/
LinkedIn: https://www.linkedin.com/company/nerdzlab/
X: https://x.com/nerdz_lab/