Welcome to all attendees of this panel, "Assuring the Security of Your Enterprise". Social engineering and pen testing are topics we could probably talk about for hours. So on the panel we have Esk, who is head of IT and cybersecurity at ax; you have probably just been listening to him. Stefan, who is sales director at sunk, and Richard, the social engineer from The Social Engineer Limited.
So an interesting mix, I would say, from people who are more in the seasoned lead role to people more from a vendor perspective, and people who are acting as social engineers and stress-testing what organizations are doing. So I'd like to start with a quick round of introductions of the three of you. Maybe quickly introduce yourself, your perspective, and maybe why you are right now talking about social engineering and pen testing, so what your affiliation to the topic is, very briefly. You start, then Stefan and Richard.

Absolutely. As you said, my name is Esk.
I've been in the IT industry for almost 20 years now, and the last 10 years more in technology management, with a focus on cybersecurity. In the last years we have seen the need to focus more on the human side of security. That is basically why we are talking about this now: it is on the rise, and with social engineering there are so many ways you can be socially engineered into doing something you shouldn't do.
So I think it's easy to focus on the technical side, but we should probably focus more on the human side of this.

Okay. Stefan?

Yeah. Hello?
Yeah, Martin, thank you very much for inviting me to this panel. We are happy to join. Sooner, we are a security testing specialist. I'm not a professional for social engineering, but I think in the pandemic times it is one of the major challenges, and it really personally annoys me, so I'm happy to be part of this panel and go deeper into it.

Okay. And Richard?

Yeah.
Well, I think, you know, the saying in business is pick your niche, and our niche was social engineering. So it has become everything about our business. It is our main source of revenue, from testing clients. We advise, we try and help out in this industry, but it's a mix of consultancy and auditing and awareness. So our business is all about social engineering. So hopefully we can have some input today.

Yeah. Okay.
So when we look at the current pandemic, did this change the threat in terms of social engineering? If so, how did it change it? From your experience, maybe Stefan, you start.

Yes.
You know, we are a security testing company, and what we actually see is a strong increase of testing activities across all industries. Usually the finance industry is the focus of cyber attacks, but what personally annoys me really is that another industry is in the spotlight, and that's healthcare.
So we are actually working with a lot of big laboratories, hospitals and other health organizations, and they are challenged by change processes, additional devices, newly hired staff. They have to deliver their COVID-19 tests, for example, everywhere now. And that is already a big challenge for IT security. But what I heard from CISOs in those companies is that, on top of that, they see a lot of ransomware and malware attacks. And why? It's really because the people in that space are not experienced.
If you compare it with the finance industry, that's a little bit of a high-level fight, but in this industry they are not used to being challenged by that. A quick example: my wife is working for one of the biggest social organizations in Bavaria, taking care of and delivering services for old people's homes and hospitals. I had a chat with her this morning, and actually she's on holiday, and holiday means she's sitting in a kitchen with two notebooks and two phones, having one phone online with the health authorities. It's a crazy workload for these people.
And I asked her: are you aware of security issues? Are you watching the email address if you get some information? She said: I had trainings, but I don't have the time to watch. If someone sends me an email and there is a link in it saying these are the next COVID-19 rules, she will click, and that's not surprising. So it's a huge risk, just because people don't have the time, and people are probably, if you take everyone, scared. And I think in every organization we have these mails that send out new rules, because that happens.
And I think there are also a lot of numbers out there which say that ransomware attacks with a COVID context increased massively right after the pandemic. Again, maybe Aspen, you could bring a little bit of your perspective on that.
Yeah, absolutely. I think one of the key changes for us as an organization, with working from home for example, is that you don't have your colleague sitting next to you. So if you get a suspicious email when you're in the office, maybe you ask the person next to you: have you gotten this? Does it look strange? Or something like that. But when you're at home, you're going to make that split-second decision all by yourself. And if, like you said, it's a COVID-19 update, why shouldn't I open it?
So just being home by yourself is probably a security risk by itself.

Yeah.
And I would also say the hurdle, the inhibitor to ask someone, is probably, even if you say, okay, I have this quite frequent contact with IT, a different inhibitor than you have when the people are just at the side of you, or in the office.

Yeah, fully agree with that.
And Richard, so you are all sending out or calling all the people around COVID, and sending out mails on that in your social engineering work these days?

To an extent, yeah. We're just seeing a complete change.
You know, social engineering, what it does is it wants to identify the processes and it wants to work in this chaos. And what better chaos than the pandemic? In chaos, we can lie, we can have believable pretexts, we can guide people through the confusion, and for social engineering this is beautiful. We need people to be confused, because people have a desire to know what's going on. They have a desire for order, for process, policy, et cetera. And at work, everything seems to be under one roof.
But I think once you start to divide this out and everyone's working from home, there are just so many opportunities recently to interact with them and offer help as a social engineer: to assist them through a VPN problem maybe, or to reset a password, or to help them, you know. So definitely a changing landscape there. But when it comes to new attack vectors, I'm not particularly seeing anything new; I'm not seeing any new attacks that weren't present five years ago.
But we are seeing just the absolute increase in the effectiveness of attacks, to help these confused people through the chaos.

Yeah. It seems things are changing.
So it is somewhat impressive how fast the cybercrime industry reacts to everything which is new, right? It is also sad that in the US, for instance, these days a lot of stuff around the election and voting runs, because I think that's where people are interested, and they automatically come up with these things. So we have the situation, we have to face that situation, we have to deal with that situation. And so basically there are two ways, maybe, to look at it: one would be education, the other would be adding technologies such as MFA.
If you have that option, where would you start and what would you recommend, Aspen?

I think obviously technical things like MFA are more or less needed now if you're going to survive in this new area of social engineering.
But you shouldn't forget training. Training is important, and for example, to pick up on a phishing email you need to train regularly. They are getting better and better, and all parts of an organization fall victim to phishing attempts from time to time.
So then you need some MFA and other technical security things in place. That's for sure.
And when we talk about education, maybe Richard, where to start education? What is the theme in education that works for people?

Sure. I think over the past decade we've been bombarded with this "check the sender, check the link, analyze the format of this email". And I think this is becoming less and less pivotal to actually keeping us safe online.
I think there's more and more prevalence to focus on the actual demand, because everything seems to revolve around, well, the demand. With modern phishing techniques, you know, even with MFA, even with two-factor codes, it's possible to bypass these now. And it's a complete change in how phishing is being conducted, especially over the past couple of years, where we're seeing a kind of reverse-proxy phish where it's indistinguishable from a real one.
And, you know, "check the sender" becomes less important because more companies are using SendGrid and companies and different senders. And everything seems to be focused on this demand. So MFA is obviously going to help. I'm particularly a fan of key-based FIDO 2FA with a key, because conversely, we can actually trick humans; humans we know we can trick, but when it comes to hardware keys, no particular brand, the hardware keys cannot be tricked.

Yeah.
But then we again would talk about convenience versus security at some point. That's the problem, because the only hardware device which really works well, because everyone carries it around all the time, is the smartphone. Every other hardware device has its challenges regarding convenience. So Stefan, you brought up that you say the challenge is people sometimes just don't have the time to do what they know they should do.
So what would be your advice for companies to deal with these situations, aside from the fact that, for instance, in the German healthcare system overall it might be worth having more IT spending and more IT security spending there, which is a big issue compared, for instance, to the US, where you have far more money in the healthcare system? But aside from that, what would be your concrete recommendation, in a nutshell?

Yes. I agree with Aspen and Richard: training is probably a major thing, but also supporting technologies.
And we discussed multi-factor authentication, but I also think a good identity and access management must be in place and follow good practices like need-to-know. But don't forget also other vulnerabilities which enable social engineering, like cross-site scripting. A responsible company must take care that they don't enable hackers to use a simple vulnerability like that.

Yeah. So it is really about doing security right.
Identity, looking at the common alerts, the common types of techniques. And virtually, you brought up, or I think both of you brought up, that there's nothing really fundamentally new in these attacks. Yes, there might be some new attack vectors, but most are based on the same approach as we have known for a couple of years now. So if you would have to pick your number one technology, don't name your own products, what type of technology do you still think is the most important one to use? Stefan, then Richard and Aspen.
Oh, for the social engineering part, I am in solutions. I would leave it to my colleagues here to answer that; that's not my professional area.

Okay. Fair enough. Richard?
I think, look, when we focus on social engineering, I think we've already divided social engineering from other security risks. So if we look at social engineering specifically and we look at the human element, it's very logical to offer some kind of training. But is there a particular training provider?
You know, I don't think we should split hairs. I think we should just focus on the one thing, training for people in any shape. Guys, just try to start training.
So you split it up into two areas. In one sense, the one thing is you need to do training the right way and you need to do it continuously. Yeah. And then there's the other level, which is doing security right in the back end to reduce the potential impact of attacks. Because I think we need to be realistic: attacks are running all the time, breaches are happening, you need to assume you're breached.
So the other part of it is: on one hand, try to reduce the number of breaches, which are related to both humans and technology, and the other would be to be good in your backend technology to mitigate the impact. Aspen, would that be your thinking as well?
Yeah, of course. I would also like to state that training is important.
But if you look at the technical side, not mentioning any systems, but keeping all your systems and software up to date: when an attack first happens, there will probably be fewer possible ways to pivot through your network if you are up to date. And that's another challenge with people working from home, for example: if you don't have the right technology in place to make sure that client devices are updated when they haven't been in your office network for 3, 6, 9, 12 months, how do you solve that?
So that is something that all IT organizations should focus on moving forward.

Yeah.
So one of the things I have in my five-minute training is to educate people to look at this single Windows Security Center symbol and check whether it's green or not. And if it's not green, call your IT department. It's a simple measure, everyone can do that, and you can train people to do it every now and then. That's part of it. So we are unfortunately already very close to the end of the time. So maybe one last question.
We talked more about training and other things. So what importance does pen testing have in all that? Do you need pen testing? Do you need cyber ranges? Is that what you also need here? Maybe Stefan, then Aspen and Richard.

Yeah. So penetration testing is an old discipline. It's nothing new, and what we learned from COVID-19 is testing; testing is key. And I think it's still also necessary in our industry. We learned that at this conference.
We have had very good presentations about the shift-left approach, DevSecOps methods, which means you need to include static testing methodologies using source code scanners in these new processes. But you still have the old problem with too many false positives and false negatives. Many of the technologies have improved over the last years, and many providers for scanning are enhancing their capabilities, like we do as well.
We also have scanning in our solution, and we enrich it by using artificial intelligence or fuzzing testing, but still it's not mature enough to rely only on technology. So the question is: is human pen testing better than automated in these times? Where we are working agile, doing a classic pen test at a single point in time with one or a handful of experts will not work anymore, will not be sufficient.

Okay. Got it.

It's sufficient to support the DevSecOps process. Okay. I think you will need the combination of machine and human intelligence, powered by more people doing tests, by the crowd.
Okay. But that's a long story. Okay. Aspen, then Richard.

Yeah.
I can say what I think about pen testing from being a customer consuming a lot of different IT software, and especially software-as-a-service solutions. From our vendors, we expect that they come out with new technology and new solutions almost on a weekly basis now. And getting new functionality out in the system often means that you also get new vulnerabilities out in your system.
So I think that from my perspective as a customer, I fully expect that pen testing is important for software vendors moving forward. But it needs to become continuous. A little bit like the news: there's no older news than the newspaper from yesterday. There is also no older pen test than the one you did on your infrastructure in the state of yesterday.
So you need to get more continuous than static in that sense. Richard, a last statement from you, and then we have to close the panel, unfortunately.

No worries. So obviously, you know, I think we all, in one guise or another, provide testing.
So, you know, I think we have an inkling as business people to say testing is very important. But I think as IT professionals, as people that understand the topic, I think we just see how this recent change in times is actually making pen testing more relevant than ever. Over the past five years we've slowly lulled ourselves into this sense of, you know, security and technical improvements. But when it comes to pandemics and changes, it's very much business as usual for the requirement for testing.
If you are a business that wants to understand your risk, there's pretty much no other way to ascertain this accurately than actually going out and testing.

Okay.
So let's sum it up. We need to test, and we need to test far more continuously, maybe, than we did when we ran a pen test, whatever, once a year; it must be a far more agile approach. We need to educate, and we need technology behind it which helps us both in mitigating the impact and, at the end, also in recovering from it. Thank you very much for participating in this panel. We are already a little over time. So I hand back to battle now, and I think we are the only ones between the audience and the break. So back to.