Aviva Zacks of Safety Detective had the pleasure of sitting down with Yossi Shenhav, Komodo’s CEO. She found out how he uses his hacking abilities for good and how he’s watching out for all the “script kiddies” out there.
Safety Detective: What interests you about cybersecurity?
Yossi Shenhav: It never gets boring because it is necessary for many different technologies and environments. For instance, we can work with new startups that are developing technology and innovating technology for the cloud, and the next day we’ll work with a bank that is deploying the mainframe system that was built in the 70s. You always get to learn new things, and I think this is the reason I started working in the cyber security industry.
SD: How did you get the idea to start Komodo?
YS: I started my career as an application security consultant, and then as an application security architect. Later, I was a leader of an ethical hacking team. After several years of working in the industry, I felt it was time for me to start something on my own.
SD: What does Komodo do to protect the end user and companies from cyberthreats?
YS: We have two types of clients. The first one who we help to build secure software, and the other one—the organizations, and enterprises that have very large IT departments—who we help to improve their network IT security.
One of the most important services that we offer is called the Red Team (or Friendly Hacking Team). In this exercise, we help organizations make the most out of their security system because we simulate an external attack; we perform a real-life attack and they need to identify the source of the attack. By doing this, they begin to understand what works well and what needs to be improved.
SD: Can you explain more about Komodo’s services and how they work?
YS: Aside from the Red Team, which is one of the top services that we provide, there is also the application security field that we have been working with for quite a while now. We work with vendors, participating in the design phase, in deciding how to build the architecture, and deciding what type of defense is to implement inside the system. We are also involved in the end testing, which is also the code level. We perform security code reviews and penetration testing.
We have also done several projects to help us contribute to the community. We built several utilities that are open source and can be downloaded on GitHub.
We built a CTF (Capture the Flag) challenge which is also open source and available for everyone to learn and to experience web hacking. There is another free game we built called HackTale. It lets you participate as if you are an investigator of a cyber event that happened in an organization and you get to learn how to investigate and how to perform forensics. It’s only in the beginning stages, but it’s already online and can be used.
SD: What kind of cyberattack is the most successful?
YS: There are phishing attacks and there are also spear phishing attacks. Spear phishing is when an attacker targets a specific person and sends this person an email that they have a good feeling that he will respond to positively. For instance, if you receive an email from a coworker, you would most likely not find it suspicious. And if this person asks you to look at something on a website, you would probably do it before if you realize that it’s a scam. When we do these types of tests on organizations, the number of people who fall for it is very high.
SD: How do you see cybersecurity developing in the next five years?
YS: We’re seeing a lot of movement towards cloud infrastructure, which poses difficulties when trying to enumerate the list of assets of the target organization (which is the first step of every real-world cyber-attack). Furthermore, the cloud infrastructure itself is changing and moving towards new ideas and architecture concepts, such as containers and serverless code. That means that traditional hacking concepts need to adapt also. But that doesn’t mean organizations that move to the cloud are immediately more secure; it is not enough to move to the cloud to get more security—it just brings new challenges.
To put this in context, today we are seeing a lot of what we called “script kiddies,” which is a way of describing people who have a low understanding about hacking, but know how to utilize security tools to exploit traditional vulnerabilities. I believe these tools will give little value against new cloud architecture like serverless applications and containers, so I assume we’ll see much more sophisticated attacks and much less script-based attacks.