Cyber Security World - Expert interview - Adj. Professor Jason Lau, CISO at Crypto.com
As a CISO, what tips would you give to employees for this period and moving towards recovery?
Skill up! Having a growth mindset is always good, but this is an opportunity to reach out and get the certifications you always wanted, but didn’t have the time, or train up in some other special interest areas. Whether you want to go deeper into particular expertise within security, or you want to broaden your skills, I think now is the time to do so. There are some great certifications which are coming of age in the Blockchain, AI and Big Data space, but areas which are hot right now are in the field of data privacy. I would encourage staff to look into the newly refurbished Certified Information Privacy Technologist (CIPT) from the International Association of Privacy Professionals (IAPP) as well as the just-released Certified Data Privacy Solutions Engineer (CDPSE) from ISACA.
Cyber attacks via email or software have been increasing since people started working from home. What are the most trusted software or apps you use to protect your work and personal devices?
All applications could have vulnerabilities, from your day-to-day use of WhatsApp through to the underlying operating system and even native apps like the Mail app on iOS. The Mail app was found to have zero-day vulnerabilities dating back many years and (as of early May 2020) the patch has not been released (it should be in the upcoming 13.4.5 build).
Then there is a whole host of applications on Android which may be unintentionally vulnerable, through to many which are intentionally malicious and uploaded by hackers. The best way is to stay vigilant and practice good security hygiene: having strong passwords, a password manager and Multi-Factor Authentication, through to using a VPN to connect to the internet (especially if you need to use public WiFi). You should also take this opportunity to patch your home WiFi router firmware, as this is the gateway to your home network, so make sure you have a strong password and also add additional layers of defence such as a MAC address allow-list for your approved devices.
The debate around which video-conferencing provider to rely on is one of the trending topics, due to loads of news about situations like data breaches. Which one do you prefer and what procedures would you implement?
This is a good question as the debate has been around Google, Microsoft Teams and Zoom. None of them are 100% perfect, and Zoom has come under a lot of scrutiny for many reasons, and to their credit, they have been transparent with their improvement process and have regular updates on the new security features being put in. Microsoft Teams also recently had a critical flaw, where attackers could hijack a user’s account with a combination of a sub-domain takeover vulnerability and a malicious GIF to capture user data and move laterally to take over the organisation’s Teams account. Again, follow best practices and turn on the optional security features, as well as making sure your versions are always patched. HKCERT has provided 10 best practices for securing Zoom meetings which you can view on their website.
Your forecast of the cybersecurity landscape in Hong Kong for the rest of 2020?
I think the rest of 2020 will be focussed around healthcare and the financial sector. With COVID19, we have seen a dramatic rise in the number of phishing attempts and attacks on healthcare institutions both large and small on a global scale. I have been part of the CTI-League (COVID19 Cyber Threat Intelligence League), which started off with 400 global experts contributing their spare time to help global healthcare providers detect vulnerabilities and offer advice on how to address the external threats which they may face. If COVID19 is here to stay for the foreseeable future, then my prediction would be that healthcare and agencies which have medical research data would be ongoing targets.
With the financial sector, we are seeing a growing number of companies focussing on virtual banking, FinTech services, and other mobile app services leveraging OpenAPI and other technologies to offer new disruptive value-added services to their clients. The risk here is that without proper cybersecurity governance, these companies may be targets for hackers in the short term, while these start-ups are too focussed on product building and security often has to take a back seat.
Any new security development from Crypto.com?
Many. With the launch of our Crypto.com Exchange at the end of 2019, we are seeing a growing number of users and record registrations, as there has been a strong interest in cryptocurrencies in general as an alternative investment vehicle in the current economic times, and also because of the much-anticipated Bitcoin halving in May 2020. As this brings more people to our platform, security and data privacy continue to be the cornerstone of our company, and as the first crypto company in the world to get ISO27001:2013 and PCI:DSS 3.2.1 (Level 1) certifications, we definitely won’t stop here and you will be seeing more news on our upcoming security and privacy compliance projects. Our Non-Custodial Wallet application gives the security back to the users, and this has been a much sought-after feature, where serious crypto users are wanting to take back control over their own private keys. 2020 is going to be a big year for us in security and privacy, so I look forward to sharing more with you in 2021!