Bruno Rubin, Ethical Hacker & Security Consultant and GIAC Certified Penetration Tester at Telindus, tells us about the main cybersecurity trends. Telindus will also challenge students at the Morpheus Cup on 28th April.
What are the main cybersecurity trends? How can companies protect themselves?
From the point of view of an ethical hacker, we can clearly see that the last two years have been rich in ransomware / crypto locker waves throughout the world with new infection techniques (and a pretty good way to make money), never exploited at this level. This attack often occurs using a fake/spoofed sender mail address which allows hackers to easily gain access to companies’ networks. Here in Luxembourg more and more security-oriented companies propose security awareness sessions to their customers to train employees to detect this kind of attack.
Another growing trend over the last five to ten years concerns the exploitation of mobile devices, which are now actually used more than computers to connect to the internet. Hackers target those devices through infected applications for iOS and Android devices. For companies, a good starting point to avoid data theft or spying and keep hackers from breaking into internal networks is the installation of Mobile Device Management solutions (aka MDM). When correctly configured, these solutions greatly improve security and privacy, especially when we think about the recent disclosure of NSA’s false “clean” software used to investigate smartphones. Such things could be avoided by managing installed applications using such an MDM solution.
Can you tell us more about your professional career? Were you actually attracted to cybersecurity before joining Telindus?
My professional career in cybersecurity is mainly my experience at Telindus, as I finished my studies three and a half years ago. Telindus proposed that I become an ethical hacker after my six-month end-of-study internship in its Cyber Security Department. Since then, I have done my best to become more and more skilled every day, to help my team be a reference for our customers in terms of cybersecurity. I started my career as a junior security consultant learning the art of hacking, which takes a lot of time to master and requires specific skills: deep understanding of how classical informatics materials work together, precision when talking about complex mechanisms, explaining and popularizing really complex concepts to any public.
Cybersecurity attracted me early in my studies. I first met it from its governance side more than the ethical hacking one during my master’s degree. In general, I have always been curious and I always try to go deeper and not only scratch the surface of the things I learn. So it was logical to me to start my career by going thoroughly into the technical side and then expand my field of knowledge over several years by slowly migrating to the governance side of cybersecurity.
What are your daily tasks and mission?
In a nutshell, my work consists in tracking security issues on customers’ assets and infrastructure while keeping in touch with security-related current affairs like new vulnerabilities and attack techniques, and new tools to help me in my work.
My mission goes from looking for the exposure of a customer from the Internet (finding assets and assessing them) through assessing a customer’s Internet-facing mail server to technology-specific web application assessment, as well as assessing customers’ internal networks. It is important to be flexible and adapt to customers’ needs. It’s important to fit customer needs by being proactive and finding dedicated solutions.
Inside Telindus, I put all my knowledge and skills at the service of employees to help them be aware of good security practices and advise them in case of uncertainty, for example by conducting security awareness sessions to explain how to detect phishing or why having strong passwords is really important for privacy. Being there to help coworkers when it comes to cybersecurity inside the company I work for is essential to me.
Which megatrends are impacting cybersecurity? How?
Something which immediately comes to mind is the Internet of Things (aka IoT), which is incredibly popular these days (fridge that gives you the external temperature, TV connected to Internet and so on). From self-talking devices on the Internet to those helping you to control your home remotely (home-automation gadgets), people often misunderstand that such devices, when incorrectly configured, can also be really useful for hackers to break into their home networks. We clearly remember the Mirai Botnet which used misconfigured IoT to produce Distributed Denial of Service against the famous hosting platform OVH.
Also, the growth of mobile devices like connected watches, tablets and smartphones gives hackers a lot of opportunities to break into people’s privacy. This clearly brings us, as security experts, the absolute need to explain to people how things work and why they can really be at risk by being careless.
What do you expect from students competing in the cybersecurity project which will take place during the Morpheus Cup?
First, it’s important for them to read carefully and pay attention to details in this kind of competition. The real stopper here is the limited time to perform a lot of challenges, some of which are really challenging. Being talented but blocked on one hard challenge is not a good choice compared to being average and succeeding in a lot of average challenges. Several challenges also require particular skills on Linux (understanding correctly user rights) and others on attacking websites. Having played previously with websites proposing challenges will clearly be helpful for them. Finally, they should keep in mind that this challenge has been made to be played by a team, with good mood and hacked for fun!
Has the approach of younger generations changed when it comes to cybersecurity? How should we deal with them?
We see more and more IT-oriented TV series these days about cybersecurity with epic talks and obscure attack / defense techniques that can easily let younger generations think that succeeding in cybersecurity is only a matter of launching the right hacking tools and that everything in this domain can be made or defeated easily. This is wrong and one way to understand is by learning computer science and being curious.
People that actually learned IT, especially those in cybersecurity, will tell you that technologies constantly evolve and an instant success is often not possible. Everyone needs to adapt to the rapidly changing digital world, even students and teachers. Often younger people I meet tell me about a stunning new tool, technology or device they learn during their studies that I’m not familiar with. When this happens, I usually dig around the subject by myself to perform better in my job. It is important to stay humble and to reassess oneself every time.
Published on 06 April 2017


