Interview with Steve Tcherchian – XYPRO

Roberto Popolizio Roberto Popolizio
Published on: January 9, 2023

SafetyDetective had the chance to talk to Steve Tcherchian, CISO of Simi Valley-based XYPRO.com, a cybersecurity solutions company. We got his expert insights on the current and future trends of cybersecurity (and ransomware more specifically), plus some actionable tips to protect businesses data.

What’s the story behind Xypro: How did it all start, and how has it changed during the years?

XYPRO started in the early 1980s in Simi Valley, California on the dining room table of our founders as a small financial services consulting company that evolved into engineering software banking applications to automate functions like collections, letter generation and loan origination.  Thanks to the vision of XYPRO’s founders, we pivoted our focus to Cybersecurity in the early 1990s. We were definitely early players in the space, way before security was considered mainstream. Other than a small blip in 1994, our business and grown at a steady and exciting pace.

The market for our solutions is a niche mainframe server used in very high speed, high volume online transaction processing trusted by retailers, banks and credit card companies. Our customers are B2B, Fortune 500 companies that keep the world’s infrastructure working – and we secure all of it. Our customers include Banks, Retailers, Telecomms, Medical, Food services, Supply Chain and more spread across 6 continents..

Partnered with Hewlett Packard Enterprise, we’ve been the dominant vendor in our market for years.  That stability has given us the opportunity to expand our offerings into new product lines and markets and continue to deliver value and security to our customers.

Our newest offerings include cybersecurity compliance and monitoring for SAP HANA and Linux environments.

What kind of cybersecurity services do you offer, and what makes them stand out?

XYPRO has been a staple in the mission critical computing space for decades. Our technology protects our customers data as if it were our own – because ultimately it is. We secure the entire mission critical technology stack from top to bottom. We focus on auditing and compliance, authentication, authorization, security hardening, real time monitoring and have a patent on contextualizing security intelligence and analytics. Because of our patent, we can generate and evaluate security data for actionable response in a way that no other security provider can. This ensure we can detect indicators of a breach as fast as possible – before ransomware takes hold or your data is stolen.

Can you share your top tips for businesses to protect their websites from hackers?

Train your employees and implement multi-factor authentication EVERYWHERE

In the not-so-distant past, security awareness was mostly handled internally the IT team or the most tech savvy employee. This works when you’re small. But as the company grows, new hires come on board – this isn’t sustainable. Threats are continuously evolving and modernizing, you need a way to scale and automate this process. For example, in our industry and the nature of our customers, we are now required to certify our employees are completing regular training. We had to consider the user experience, ease of use, automation, reporting and metrics – and it was key for us to ensure we could certify the training.

Automating security awareness allows you to set it and forget it – so no more skipped training or manual effort.

The user experience allows to group people into teams and gamify the experience. This type of healthy competition engages everyone into the process.

Reporting and metrics allow to identify gaps and areas for improvement, as well as measure multiple KPIs and adjust as needed

For this to work, support is needed from the top down. Meaning C level (CEO, CISO etc). Trying to sell and implement security awareness modernization from the bottom up becomes a challenge – and a quick way to screw this up. This is easier if the business views the lack of employee security awareness as a business risk. Customers requiring this be part of their vendors process also helps add those necessary business drivers to ensure this gets attention and support at the highest levels.

Experts have been preaching for years about the benefits of multi factor authentication. It’s one of the biggest bangs for your buck in terms of cyber protection, yet the excuses for why it’s not implemented, never end.

According to Microsoft, 81% of data breaches occur because of weak, default or stolen credentials and 99% of these attacks can be blocked by implementing MFA.

MFA is an authentication method where a user is granted access only after successfully presenting two or more of the following pieces of information:

•             Something you know (password)

•             Something you have (security token)

•             Something you are (biometrics)

All it takes is one compromised account to one website to cause a ransomware attack to catapult a company negatively into the headlines. With the unfortunate increase in COVID-19 phishing scams, there is no better time to implement multi-factor authentication across your websites, applications, servers and services. If we continue to delay, that time will pass and there will be no excuses left, only ransomware and companies that are going out of business

And what is your suggested course of action if a website gets hacked?

If you get hacked nowadays, its likely going to be ransomware.

Your company’s security or IT department should be your first point of contact. Then your company’s incident response plan should kick in – you have an incident response plan, don’t you??

If your company doesn’t have one, make sure you set a goal to have an incident response plan in place this year. This plan should outline everyone’s roles, hierarchy, whom to contact when and what the communication channels should be. That way when (not if) disaster strikes, it’s not panic and pandemonium. One of your first calls should be to your local FBI field office for assistance. In a lot of cases, they may have already seen the type of ransomware you’ve encountered and likely track the organization responsible for it. There may also be decrypters available. But in any event, having a plan on who does what and who communicates with whom is key.

Is There Any Recent Cyber-Attack That Concerned You More Than Others?

The Uber hack ought to serve as a warning to all businesses. This is how simple it is to compromise security. The hacker, who was apparently a teenager, pretended to be a fellow co-worker in order to attack an Uber employee. The hacker used a little bit of social engineering to coerce the UBER employee into logging into a fake UBER website. Quickly seizing the entered credentials, the hacker gained access VPN and 2FA. Once the hacker successfully logged into UBER’s network, the fun really begins.

Upon entering the VPN, the attacker searched the network for any shares and found one that contained powershell scripts. One of the powershell scripts contained a hard-coded PLAIN TEXT administrator password to Thycotic, UBER’s Enterprise Password Vault(EPV). An EPV is a digital equivalent of a safe. They essentially control the keys to kingdom. UBER’s vault contained logins to VMWare, AWS, Google, Microsoft, Slack, and other systems they wished to keep safe from hackers.

With unfettered access to the vault, the hacker had free reign to all credentials stored in the vault, including the security break glass accounts which are used for emergency purposes only. However, this was an emergency and the break glass accounts were already compromised. The UBER cybersecurity response team couldn’t utilize the break glass accounts to lock the hacker out.

Although UBER insists that no consumer data was compromised, screenshots from the attacker seem to indicate they had access to customer data.

If you run a business or are in charge of security, make sure you identify scripts, configuration files, automation jobs, etc… that include plain text passwords – put them in a secure vault and encrypt them. I guarantee that this already affects your business. The majority of these type of scripts were created years ago at the initial deployment of an application or system, and due to the possibility of “breaking something,” the passwords for these accounts are seldom changed, probably shared, and incorrectly maintained. One of the most frequent ways for hackers to infiltrate your firm is through privileged accounts compromise.

What cybersecurity trends do you think will be crucial in the near future?

Ransomware as a Service is a subscription based model that lets anyone use ready made ransomware tools to launch an attack. There is no need to develop your own ransomware or even be technically proficient. Using the platform, someone can launch the attack and share the profits. An entire industry has cropped up to support ransomware as a legitimate business model – including crypto exchanges and “cyber security” companies. Most of these crypto exchanges are fronts to launder money, and the “cyber security” companies who “negotiate” with the malicious actors on a customer’s behalf are also part of the ploy.

There is currently no technology that eliminates or completely blocks ransomware. If that were the case, ransomware wouldn’t be profitable and would not exist. Disturbingly, it’s growing faster than ever. Ransomware is here to stay – because most industries make it so easy to become targets. The best way to combat ransomware is to implement security best practices, verify and re-verify that there are working backups, and real time monitoring.

In the event the ransomware is successful, unfortunately most of the time, the only way to get data back is to pay the ransom. This is a hard pill to swallow. Even the FBI strongly recommends not paying ransoms, but in a time of crisis all options are on the table and the number of victims paying the ransom is increasing year over year. According to Sophos, 32% of companies hit with ransomware paid a ransom in 2021, up from 26% in 2020.

These stats are high mainly due to the decrease in properly performed and verified backups and other responsible methods used to recover from ransomware and other data-compromising disasters.  Because backups aren’t verified to be working,  either due to technology failures or not being set up properly in the first place, this leaves the company with few options. Unfortunately in these cases, paying the ransom, although not encouraged, may be the shortest route to get data back. Of the 32% that paid the ransom, 96% of them were able to get some of their data back. But recovered data is inherently compromised going forward.

There are steps you can take now to avoid paying a ransom and becoming a statistic.

  • Ensure you have implemented security best practices
  • Verify your backups
  • Train your staff
  • Implement  real time monitoring.
  • BE PREPARED!

And what about your future? What is next for Xypro?

Our tight nit partnership with Hewlett Packard Enterprise has given us the ability to expand our expertise into new technology and markets in the last several years – primarily focused on SAP HANA and Linux environments.

In most mission-critical environments, SAP HANA is the lifeblood of an organization. SAP HANA (High-performance ANalytic Appliance) is a highly performant, highly scalable in-memory database that serves as a platform for enterprise resource planning (ERP) applications and other business workloads that need to analyze data in real-time.

Hewlett Packard Enterprise (HPE) is the #1 system provider for SAP HANA* with over 40 percent market share—more than the next three vendors combined—and is the leader in deployments of SAP HANA appliances, tailored data center integration (TDI), SAP® BW/4HANA®, and SAP S/4HANA®. With nearly 25,000 customers and over 34,000 servers running SAP applications on HPE hardware HPE bring a unique understanding of SAP and SAP HANA environments for customers of all sizes and with all types of workloads.

When deploying SAP HANA, adherence to the SAP HANA security guidelines is a monumental and expensive effort. The SAP security guide for hardening SAP HANA now exceeds 800 pages. This doesn’t include hardening the RedHat or SUSE Linux operating system to meet Center of Internet Security (CIS) compliance benchmarks. HPE research has found that out-of-box Linux distributions are less than 50% compliant with industry standards. To achieve full compliance, organizations are required to harden systems with manual effort and scripts. Performing these processes manually across multiple systems in multiple locations is burdensome to IT teams as they are cumbersome, prone to human error, and can consume months of staff time to evaluate, remediate, deploy, and maintain security compliance.

With decades of expertise in securing the most critical and demanding IT environments in the world, XYPRO Technology, together with Hewlett Packard Enterprise has strengthened its mission-critical security offerings with a unique security compliance solution for Linux® and SAP HANA® workloads—Workload Aware Security Layer (WASL). WASL is designed to provide efficient, industry-standard compliance at the operating system and application levels. Unlike other products in the market that rely on security services or require manual effort and custom scripting, WASL automates the security compliance process. WASL reduces security compliance deployment time for Linux operating systems and SAP HANA® workloads from months to minutes.

With a single click, WASL hardens both the Linux operating system and the SAP HANA workload to achieve over 90% security compliance. The remaining effort requires minimal input, such as a password or log file location.WASL unburdens IT, teams, fortifying the business, and lowering costs to achieve quick time to value. Through a single-pane-of-glass, WASL quickly assesses the security posture of your SAP HANA environment and exposure to threats.

About the Author
Roberto Popolizio
Published on: January 9, 2023

About the Author

SEO consultant with a knack for building partnerships with top publications. He has managed the SEO teams of top cybersecurity blogs and generated over 6000 backlinks through Digital PR and 200+ linkbuilding techniques that he keeps testing to this day. In his (little) free time he goes riding anything on two wheels around Asia.