As soon as Georgia Weidman, founder and CTO of Bulb Security and Shevirah, agreed to an interview, Safety Detective’s Aviva Zacks jumped at the chance. She asked whether we need to secure our IoT devices, and here is what she found out.
Safety Detective: How did you get into cybersecurity, and what do you love about it?
Georgia Weidman: My mother earned her Ph.D. in Computer Science, which was my first sentient memory. We always had computers around the house. Even my piano lessons were hooked up to a computer. It was terrible for me because the metronome was computer program perfect and thus could tell if I was off even a tiny bit. We always had computers and I always played video games—the typical stuff for young boys. For me, it was never a gender-based thing; I was interested in technology and encouraged to pursue it by my parents.
I learned about hacking when I was young. I read a book about three different hackers who all ended up in jail. I, therefore, didn’t think that hacking was the right career choice for me because I didn’t know that there were other options like ethical hacking. I didn’t become serious about hacking until I was 18 and in graduate school.
When I was getting an advanced degree in computer science, our cyber defense team played in the Collegiate Cyber Defense Competition. We were the blue team, the defenders, which is a pretty hard job both in the competition and in real life. There was a red team that was made up of professional hackers whose job was to terrorize us, and they did. But I was fascinated by what they were doing. It wasn’t particularly hard stuff. Instead, they were able to put up message boxes and change my background. Still, I really wanted to understand how they did it, so I started down that road.
SD: Tell me about your company’s training services.
GW: I have two companies—Bulb Security and Shevirah Inc. Bulb Security is a consulting firm that does penetration testing, training, research, etc. Shevirah is a product company focusing on mobile security testing. Our products allow you to simulate real-world attacks against mobility and the Internet of Things from phishing, to exploitation, to post-exploitation. We help you understand your organization’s risk and the impact of a successful attack. At Bulb Security, we provide hands-on training on a variety of technical topics—penetration testing, exploit development, reverse engineering, and mobile security, to name a few. We have taught at conferences such as Black Hat and CanSecWest and done private company training all over the world and online. I also wrote the book Penetration Testing: A Hands-On Introduction to Hacking, which readers can use independently to educate themselves via the included lab exercises.
When I first started in cybersecurity, I had a pretty solid technical background. I knew how to use a computer and read manuals. But when I was trying to learn hacking, I found that there was more technical knowledge expected in most if not all the whitepapers, tutorials, classes, etc. With my training and my book, I aim to fill in those gaps, without making assumptions about people’s background knowledge. We all come to this from different backgrounds and levels of experience. For example, someone may be a complete expert at finding bugs in web applications but not yet have used Linux.
SD: How does your company help protect the end user from cyberthreats?
GW: At Shevirah, we build products that provide vulnerability assessment, simulate phishing and allow impact analysis for mobile and IoT. We allow enterprises to include Bring Your Own Device (BYOD) in penetration testing and security assessments that, hopefully, they are already regularly performing. It’s helping to cut off the open threat vectors of mobility in the enterprise and that hasn’t had a lot of oversight historically in security testing.
SD: What do you think is the worst cyber threat to end-users today?
GW: There are a lot of threats, but I think the worst cyber threat to end-users is phishing. Technical people tend to dismiss phishing as not very hard to do and not technically sophisticated. However, most successful attacks these days have at least some phishing component. Phishing isn’t only through email. Text messages, WhatsApp messages, Facebook messages, any platform where people can be targeted with a link can be used for phishing. Anyone who has been through security awareness training knows that you shouldn’t click on suspicious links in emails. But how many people are wary of suspicious links on Facebook? One big problem is that we can’t fix phishing links; links are meant to be clicked! Another issue is that there’s an explosion of new ways to communicate with people through devices and social media. All of them can be used to phish.
SD: Who do you think is the most vulnerable to phishing attacks?
GW: Everybody is vulnerable to it, even people who think they would never click on a phishing email. Take, for example, my father, who is a physicist. He’s very astute and technical, and yet he has so many add-on toolbars on his browser that there is hardly any room for the web page itself to render. But when I go to visit him, and I want to print something, he won’t let me. He’s afraid of hackers seeing what is getting printed through the network.
I think our biggest problem in security is that you almost have to be a security expert to not be completely vulnerable. I believe that we, as an industry, still have a lot of work to do in educating people and making security useable. It should be possible to use end-user devices securely without having to have a Ph.D. in computer security.
SD: How do you see cybersecurity developing in the next five years?
GW: People are starting to think more about security vis-à-vis mobile, IoT, cloud, etc. At the moment, many people think that since there is no sensitive information on our Internet-connected coffee pots, who cares about its security posture? However, they are starting to realize that it is on the same home network as your phone and your computers. Thus, it has direct access to devices that do store your work and personal data.
I hope that we’re going to see users pushing back against vendors who are selling products without built-in security. We’re going to see users starting to take security seriously and forcing the vendors to build with security in mind. I hope that we will move in the direction where we all realize that security is necessary if we’re going to continue to function.