Security Expert Interview Series: Leonardo Antichi

In this interview, Leonardo Antichi talked about his career in cyber security and answered our questions about the threats to the security of personal data on the Internet today, how most industrial facilities try to prevent attacks, and more. Leonardo is a Senior Cyber Specialist and Cyber Risk Advisor at Deloitte Switzerland, where he directed the overall activities involved in planning, designing and developing efficient strategies, and conducted regular quality assurance checks to mitigate potential risks or security vulnerabilities. Now, enjoy reading the full interview below.

Security Expert Interview Series #21: Leonardo Antichi

1. When did you first think of “Cyber Security” as a career?

As with many things in life, it happened by chance. I always loved tech, whether it was helping out friends with their PC issues or setting up my personal room-surveillance system (yes, my parents did not get it easy). However, I never really thought of Cyber as a career until the last year of my master’s degree. My university was offering an optional course called “Information Security”, where I decided to enroll to satisfy my juvenile curiosity. It was to my great surprise that the subjects that seemed so easy to me were not as straightforward to everyone else, and that companies were also looking for these skills. It came to me as a breakthrough: my passion could become my work, for real!

2. Please tell us, what motivates you to keep pushing ahead every day in the security field.

Attackers never sleep. Every day brand-new techniques and new attack vectors are discovered and put into practice. Hence, defenders need to adapt as well to respond to those threats. The same way you update your antivirus signatures every day, a good cyber defender needs to update and fine-tune his techniques.

3. Let’s talk a bit about businesses. Do small and medium-sized businesses face the same risks today as the larger companies we are seeing being hacked in the headlines?

As a short answer, no they are not. However, this does not mean that protection is useless. The very first rule to understand about security is that there is no such thing as a “perfectly secured system”; it always comes down to a balance, making it so expensive for the attacker to crack a security system that the benefits of the outcome itself vanish. In a nutshell, when the attacker thinks of the question “Is it worth it?”, you want them to think “No, it is not”. However, differently from the physical world, malicious hackers can here engineer broad viruses to affect a multitude of systems.

So, coming back to the original question, while small and medium-sized companies might want to protect only from “non-targeted” attacks, high-profile companies also require protection from the so-called “Advanced Persistent Threat” or targeted attacks. This is, in essence, the difference between setting up a security system for your home and creating a bank vault. The question is always the same for the client or the hacker: “Is it worth it?”

4. What are some examples of how small businesses can do a better job of protecting themselves against cyber-attacks?

At the cost of being boring, I would say once more: training. The user is still the first line of defence against a threat, as social engineering is still the most dangerous and widespread attack vector. What is the point of having a top-notch security door if you leave the key under the carpet? Moreover, it is fundamental to keep your systems up to date; this is the very first “technical” requirement.

Most small clients use the Microsoft ecosystem, and over the years the operating system has evolved to be as self-contained as possible. They added an anti-virus (quite decent, also), mandatory security updates and so forth, but I have seen too many clients (and not only the “small” ones) still using Windows Server 2008, or systems with Windows XP. Microsoft is putting a lot of effort into patching security vulnerabilities with their “Patch Tuesday”, so let’s help; otherwise it is like a vaccine without anyone getting vaccinated.

5. What are the most dangerous threats to the security of personal data on the Internet today, and how can we protect ourselves from them?

I won’t bore you this time with what you probably already know, such as “do not reuse your password”, “create an 11+ alphanumeric characters password” and so forth, as you know them by heart even without being a security professional. I want to point out that an attacker is not necessarily a nerd guy behind a PC in an internet point (speaking from experience).

The “Alice” and “Bob” in the picture can be anyone depending on their intent; for instance, the attacker can be Facebook and you can be the defendant. From my point of view, the amount of profiling and tracking (which is also “theoretically” being limited by GDPR) is outrageous, and the way JavaScripts are embedded into a variety of different webpages resembles the same strategies adopted by the above-mentioned hacker guy.

Hence, the threat I saw growing more and more for common users is analytics and big data. The impact of this AI data analytics is so strong that we can predict with an accuracy of almost 90% the profile of the user typing and navigating a webpage. To give you an example: you go to an internet point, start using Google (and you have NOT signed in) thinking you are “anonymous”, and I track you down. How? Just by how you type or move the cursor on the page. It is called behavioral biometrics, and as with guns or any other “tool”, it can be used for good or evil purposes.

I would like to say that we have an “easy” way to protect against these kinds of attacks, but the truth is there is none. We need to carefully evaluate every situation and make a decision based on a risk tolerance that we need to set for ourselves. So my advice is: even when you think no one is looking, think that he COULD.

6. Hundreds of industrial organisations received a piece of malware called Sunburst as part of a supply chain attack. How do most industrial facilities prevent attacks, and why is that not working?

Supply chain attacks are not as uncommon as you might think. Something similar happened some years ago with CCleaner, where normal users downloaded an infected version of the software from the original website or through the automated update tool. How this happens varies from attack to attack; most of the time you hack the source and put the malicious code in there with a waterfall approach. If you poison the water on top of a mountain, you will get all the people in the village, which is way more effective than taking them one by one.

However, the solution to the problem is more complex than one may think. This problem rests on the underlying problem of “trust”, and how to ensure that a “trusted” entity is actually to be trusted. This is why the concept of zero-trust in security is growing so fast: we need to reduce to a minimum the number of “trusted” entities in our protocols to reduce the attack vectors, but the 0 in the definition is still far away.

Another approach that the majority of companies are adopting to fight supply chain attacks specifically is the behavioural analysis of package updates. However, most of the malware is sophisticated enough to detect sandboxing, and the usual battle of the best sandbox vs. the best malware continues.

7. Could you walk us through your forecast of the cyber security landscape for the rest of 2021?

COVID is definitely strongly impacting the cyber landscape. It did so for 2020 and will keep doing so for 2021. If companies were slowly moving to the cloud and to a bring-your-own-device approach, the current situation gave an extreme boost to that trend, making the legacy concept of “perimeter security” pointless (and no, VPNs do not make you “inside” the perimeter). We saw that the number of data leaks increased over 2020, with a lot of breaches still to be discovered, and this will probably increase during 2021. Companies are trying to respond to that by providing smart tools to access company resources remotely, but every new tool also adds new vulnerabilities.

8. What is your smartest productivity hack?

If you are a Windows user, Power Automate Desktop is free software from Microsoft that allows you to create various automations with a code-free tool. It is scheduled tasks on steroids with PowerShell. I use it to back up my local database to a cloud resource, automatically check the network connection and so forth. It is really a powerful tool.

9. What are the 2 pieces of career advice you would like to give to people who are just getting out of university and are interested in a career in cyber security?

Cyber is a rapidly growing field, hence if you are passionate about security you should definitely consider applying for a cyber-oriented position. However, you must ask yourself this question: do you see yourself as a heavily technical-focused professional, or do you also enjoy having conversations with clients while keeping an eye on the business as well? This will help you understand whether you are more oriented toward a consulting career or an engineering one.
