{"id":1795,"date":"2021-05-04T13:50:00","date_gmt":"2021-05-04T11:50:00","guid":{"rendered":"http:\/\/i360.trejka05.pl\/?p=1795"},"modified":"2021-06-15T15:41:06","modified_gmt":"2021-06-15T13:41:06","slug":"transcript-cybersecurity-in-the-context-of-loyalty-programmes","status":"publish","type":"post","link":"https:\/\/i360.com.pl\/en\/transkrypcja-cyberbezpieczenstwo-w-aspekcie-programow-lojalnosciowych\/","title":{"rendered":"Transcript \u2013 Cybersecurity in the context of loyalty schemes"},"content":{"rendered":"<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> Dobry wiecz\u00f3r. Katarzyna Nawrocka &#8222;O programach lojalno\u015bciowych noc\u0105&#8221;. W dzisiejszym odcinku naszego programu poruszamy bardzo wa\u017cny i bardzo aktualny temat &#8211; Cyberbezpiecze\u0144stwo. I ekspertem od tego cyberbezpiecze\u0144stwa jest w\u0142a\u015bnie m\u00f3j dzisiejszy go\u015b\u0107 &#8211; Pawe\u0142 Wa\u0142uszko.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>PW:<\/strong> Good evening. My name is Pawe\u0142 Wa\u0142uszko. I am a graduate of the University of California, Berkeley, and Stanford University. I am currently working with TestArmy Cyberforces. I specialise in educating end users in the field of cybersecurity.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> Mr Pawel, we\u2019ll be talking primarily about how to protect loyalty programme databases. So, as my first question, I\u2019d like to ask you: what are the main types of attacks on IT systems, and how can we protect ourselves against them?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>PW:<\/strong> Temat jest bardzo z\u0142o\u017cony tak naprawd\u0119, poniewa\u017c s\u0105 dwa typy atak\u00f3w, do kt\u00f3rych musimy si\u0119 ju\u017c przygotowa\u0107 na pocz\u0105tek. Pierwsze typu atak\u00f3w s\u0105 to ataki typu na przyk\u0142ad ransomware. To s\u0105 ataki, kt\u00f3re pr\u00f3buj\u0105 np. przyk\u0142ad zaszyfrowa\u0107 nasze dane lub uszkodzi\u0107 nasze us\u0142ugi, kt\u00f3re funkcjonuj\u0105. Drugim typem ataku to s\u0105 ataki typu denial of service &#8211; DOS. S\u0105 to ataki, w kt\u00f3rych np. hakerzy generuj\u0105 ogromny ruch, kt\u00f3ry przechodzi na nasze systemy informatyczne, przeci\u0105\u017ca te systemy i powoduje tzw. down time, czyli po prostu brak funkcjonalno\u015bci tych system\u00f3w.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> You mentioned data breaches caused by ransomware. What happens to that data?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>PW:<\/strong> I mean, traditionally, ransomware didn\u2019t actually cause that many data breaches; it simply encrypted the data. Ransomware is a type of malware that usually finds its way into our IT systems through human error. It can arrive, for example, in the form of an unpaid invoice. A hacker sends us such an invoice. Of course, this invoice isn\u2019t addressed to us, but someone will open it. We then receive a tiny file which begins to encrypt all the data on our computer without us noticing. Whilst it\u2019s encrypting this data, we naturally won\u2019t realise what\u2019s happening. This ransomware encrypts every file and automatically spreads across network drives to encrypt and attack further systems, with the aim of forcing us to pay a ransom, usually specified in Bitcoin. As for the ransom, it can actually vary. The amount can be very small or very large, because the ransomware is programmed to recognise the environment it is in. So, if it is a corporate environment, or a production environment, the ransomware will certainly recognise this and increase the ransom amount. Up until around 2020, this was the traditional way ransomware operated, but not everyone is actually motivated enough to pay the ransom to the hackers. Let\u2019s remember that these are cybercriminals, so paying the ransom does not guarantee that we will get our data back. So the hackers came up with a second idea: the moment this ransomware infiltrates our IT systems, it automatically contacts the hacker and sends copies of the data to them, so that the hacker can blackmail us with that data. And there are many ways in which we can be blackmailed. Firstly, if we do not pay the ransom to decrypt the data, the hacker may send us a message threatening, for example, to make all our confidential documents or the contents of our contracts public. Firstly, this could damage our company\u2019s reputation and could result in customers simply losing trust in us. And, of course, let\u2019s not forget about the GDPR, because if a data breach occurs, we are now legally obliged to inform the relevant authorities of this fact.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> First and foremost, we are obliged to protect data, as you mentioned the GDPR. But I wanted to move on smoothly to the next point, because we already know how vulnerable we are to this malicious, sophisticated virus encrypting our data \u2013 but is there any way we can protect ourselves against it?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>PW:<\/strong> We can. But in reality, protecting ourselves against these viruses depends on a great many factors. Firstly, let\u2019s consider the so-called human factor. According to all the statistics \u2013 if we look at the figures published by Canon in 2019, which are released annually \u2013 Roughly 52 to 59% of all data breaches are caused by the so-called human factor. What is the human factor? The human factor refers to configuration errors and simple mistakes that happen to everyone. We are not robots, so naturally we sometimes send an email to the wrong person. It also includes so-called \u2018insiders\u2019 \u2013 people who sometimes aren\u2019t even aware that they\u2019re interacting with a hacker who, for example, is using social engineering \u2013 a form of psychological manipulation \u2013 to try to contact them and gain their cooperation. Such collaboration might involve, for example, someone temporarily disabling their antivirus software. Someone might, for instance, open a file they shouldn\u2019t have opened. They might accidentally share a password without even realising it, thinking they are carrying out their tasks correctly. So, in reality, this human factor is a major problem, and the only way, so to speak, to protect against such data breaches is through social engineering tests and audits of the company\u2019s resilience to such attacks. And, of course, security awareness training. Please bear in mind that IT security systems cannot guarantee 100 per cent security. Even if we find a solution that claims to guarantee security 100%, believe me, that is not a realistic claim. In cybersecurity, there is no such thing as a 100 per cent guarantee of data retention or security. But we can certainly get closer to it. So if we train our staff \u2013 the people who work with us every day \u2013 and explain to them what cyber-attacks involve, what to look out for, what phishing looks like, and what methods are used to extract data from us, We immediately improve the effectiveness of these systems, in which we have already invested a great deal of money. The second aspect, of course, is various types of security audits. We\u2019re also talking here about automated tests, manual tests, and services such as Rettim, where real hackers, of course with our consent and under appropriate contracts, actually attempt to break into these systems and try to bypass all the defences we have in place. With our permission, of course.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> Should data security be monitored continuously, and how should this be done? Is there a way to automate this?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>PW:<\/strong> Monitoring data security is, in fact, in our own best interests. Let\u2019s not forget that this is data for which we could face quite a hefty fine. If a data breach occurs \u2013 any kind, really \u2013 we must expect to face GDPR penalties. We could lose our customers\u2019 trust, and we certainly do not want our own or our employees\u2019 personal data to be floating around the internet, so this monitoring is absolutely essential. When it comes to monitoring, we can talk here about behavioural monitoring \u2013 that is, how employees behave and whether they might, even unwittingly, be collaborating with a hacker. Various systems are used for this, ranging from IPS to IDS. These are Intrusion Prevention Systems and Intrusion Detection Systems, which can alert us that something is amiss within our company; however, there are also more complex systems such as Siem. These are alert and monitoring systems, so they are capable of detecting that something is amiss and generating an alert \u2013 that is, informing the IT specialist that something is happening that shouldn\u2019t be happening. Let me give you an example. For instance, a login at two o\u2019clock in the morning \u2013 a valid login. What might such a login indicate? Firstly, it could mean that someone is simply working remotely, perhaps in a different time zone, so they\u2019ve simply connected to our network and are now using it \u2013 which is perfectly normal behaviour. The second possibility is that someone is simply working from home; perhaps they\u2019ve had three cups of coffee and can\u2019t sleep at this hour, so at two in the morning, it\u2019s perfectly possible that someone is still working. However, the third possibility is, unfortunately, that there may have been a password leak, so even if someone logs into our network correctly at two in the morning, we should take note of it in some way. And these Siem systems can, at this point \u2013 particularly as they\u2019re equipped with artificial intelligence \u2013 make certain decisions. We\u2019re talking here about alert systems. An alert is simply sending someone a notification \u2013 a message, which could be, for example, a text message, an email, or a ticket in a helpdesk system such as Gira \u2013 informing us that something has happened and the system has detected it. But let\u2019s add to this the proactive aspect offered by artificial intelligence, which, for example, can make certain decisions. So if it detects an unusual login \u2013 even with the correct username and password, but at an unusual time \u2013 the artificial intelligence might, as a precaution, block that account, for example. Of course, this may result in us actually disrupting someone\u2019s work, but from a cybersecurity perspective, it is better to interrupt such an employee whilst they are working and simply speak to them a few hours later, rather than simply leaving such a loophole in our systems, only for it to later transpire that a password leak has indeed occurred and that a hacker may well have been using our systems for several hours, doing whatever they pleased with them.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> But what if we don\u2019t want to invest in artificial intelligence?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>PW:<\/strong> To bardzo trafne pytanie, poniewa\u017c sztuczna inteligencja, rozwi\u0105zania oparte o sztuczn\u0105 inteligencj\u0119, na razie s\u0105 do\u015b\u0107 drogie i b\u0105d\u017amy szczerzy &#8211; nie ka\u017cdy sobie mo\u017ce na to pozwoli\u0107. Ale niedawno prowadzi\u0142em wyk\u0142ad na temat tego, jak mo\u017cna stworzy\u0107 w\u0142asny system Siem niekoniecznie oparty o jak\u0105\u015b sztuczn\u0105 inteligencj\u0119, ale o pewne zasady. Wi\u0119c tak jak m\u00f3wi\u0142em, systemy siem posiadaj\u0105 ten komponent alartuj\u0105cy, ale r\u00f3\u017cne systemy monitorowania np. NMS &#8211; Network Monitoring Software w momencie, kiedy zauwa\u017c\u0105 co\u015b albo Lock Parcere, czyli te rozwi\u0105zania, kt\u00f3re sczytuj\u0105 dzienniki, co si\u0119 dzieje w naszych serwerach, co si\u0119 dzieje w naszych komputerach, zauwa\u017c\u0105 co\u015b dziwnego. One maj\u0105 cz\u0119sto opcj\u0119 informowania nas. Czyli jaki\u015b skrypt mo\u017ce by\u0107, ju\u017c tak powiem kolokwialnie m\u00f3wi\u0105c, odpalony. Nic nie stoi nam na przeszkodzie, \u017ceby nie po\u0142\u0105czy\u0107 te systemy alertuj\u0105ce np. z w\u0142asnym autorskim skryptem napisanym w Bashu albo w Power Shell, kt\u00f3ry np. zablokuje konto, je\u017celi zauwa\u017cy takie a nie inne zachowanie. Wi\u0119c tutaj zale\u017cy to naprawd\u0119 od administratora. Ile administrator pracy chce w\u0142o\u017cy\u0107 w zdefiniowanie takich zasad takiej polityki, zdefiniowanie co jest normalnym zachowaniem, a co ju\u017c nie jest naturalnym zachowaniem. Podam kolejny przyk\u0142ad. Powiedzmy, \u017ce mamy kilka login\u00f3w i kilka pr\u00f3b zalogowania si\u0119 do jednego systemu na raz. Powiedzmy, \u017ce np. kto\u015b w ci\u0105gu jednej minuty trzykrotnie wpisa\u0142 niepoprawny login i has\u0142o. Co to znaczy? To mo\u017ce znaczy\u0107 po prostu, \u017ce komu\u015b powin\u0105\u0142 si\u0119 palec na klawiaturze, mi si\u0119 to cz\u0119sto zdarza, i po prostu wtedy dostaj\u0119 informacj\u0119 &#8222;login failed&#8221;, czyli nie da\u0142o si\u0119 zalogowa\u0107. Ale np. je\u017celi widzimy trzy pr\u00f3by zalogowania si\u0119 w ci\u0105gu jednej sekundy &#8211; nie wierz\u0119 w to, \u017ce kto\u015b tak szybko potrafi pisa\u0107 na klawiaturze, wi\u0119c prawdopodobnie mamy tutaj ju\u017c do czynienia z zachowaniem skryptowym. Wi\u0119c my jako administratorzy mo\u017cemy sobie tak naprawd\u0119 ustali\u0107 co uwa\u017camy za zachowanie normalne, a co za zautomatyzowane. I wtedy ustawi\u0107 te systemy monitoruj\u0105co-alertuj\u0105ce, \u017ce jak zauwa\u017c\u0105 t\u0105 r\u00f3\u017cnic\u0119, \u017ce je\u017celi zauwa\u017cymy np. trzy loginy w ci\u0105gu jednej sekundy to ju\u017c jest prawdopodobnie bot. To jest zachowanie nienaturalne. Wtedy blokujemy takie konto. To samo z tym przyk\u0142adem poprawnego zalogowania si\u0119 o drugiej w nocy. Je\u017celi u nas wyst\u0119puje praca zdalna o tej porze &#8211; jest to jak najbardziej normalne, w innych firmach, kt\u00f3re np. codziennie funkcjonuj\u0105 od 9 do 17 i wiedz\u0105, \u017ce nie maj\u0105 u\u017cytkownik\u00f3w, kt\u00f3rzy \u0142\u0105cz\u0105 si\u0119 gdzie\u015b z domu przez VPN, nie pracuj\u0105 w og\u00f3le w innej strefie czasowej. Wiadomo, \u017ce nawet poprawne zalogowanie si\u0119 po godzinie 17 mo\u017ce \u015bwiadczy\u0107 o czym\u015b z\u0142ym. Wi\u0119c te skrypty mog\u0105 by\u0107 ustalone i zamiast nas alertowa\u0107, mog\u0105 poza wysy\u0142aniem maila do nas, poza wys\u0142aniem SMSa do nas, od razu zablokowa\u0107 takie konta. Tylko znowu wymaga to pewnego nak\u0142adu pracy ze strony administratora, \u017ceby taki system monitoruj\u0105co-alartuj\u0105cy przygotowa\u0107 we w\u0142asnym zakresie.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> Mr Pawel, what security aspects should we bear in mind when planning loyalty schemes?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>PW:<\/strong> Je\u017celi chodzi o programy lojalno\u015bciowe prosz\u0119 zwr\u00f3ci\u0107 uwag\u0119 na to, \u017ce te programy z natury przetwarzaj\u0105 bardzo du\u017c\u0105 ilo\u015b\u0107 danych poufnych. Nie wiemy, w kt\u00f3rym miejscu tak naprawd\u0119 te punkty, powiedzmy nawet kolokwialnie m\u00f3wi\u0105c, s\u0105 nabijane, w jakim momencie dochodzi do tych transakcji, wi\u0119c mo\u017ce si\u0119 okaza\u0107, \u017ce te programy lojalno\u015bciowe np. wype\u0142nia si\u0119 przez jaki\u015b formularz na stronie internetowej. To jest jedna kwestia bezpiecze\u0144stwa, ale powiedzmy na przyk\u0142ad, \u017ce w terminalu p\u0142atniczym r\u00f3wnie\u017c mo\u017cemy skorzysta\u0107 z niekt\u00f3rych punkt\u00f3w. To s\u0105 zupe\u0142nie inne poziomy bezpiecze\u0144stwa, a wi\u0119c jest kilka rzeczy o kt\u00f3rych musimy pomy\u015ble\u0107. Po pierwsze, jaki typ oprogramowania wybierzemy. Poniewa\u017c nie ka\u017cde oprogramowanie mo\u017ce by\u0107 w \u0142atwy spos\u00f3b zinterfejsowane. Czy tutaj ta wymiana danych b\u0119dzie wysy\u0142ana przez API, czy ta wymiana danych b\u0119dzie w jakikolwiek inny spos\u00f3b wprowadzona. To jest jedna rzecz, wi\u0119cej interfejsowanie, czy kompatybilno\u015b\u0107 z naszymi obecnymi systemami ju\u017c jest wgrana. Numer dwa, pami\u0119tajmy o tym, \u017ce niekt\u00f3re oprogramowanie mo\u017ce nie spe\u0142nia\u0107 pewnych wymog\u00f3w bezpiecze\u0144stwa. Je\u017celi instalujemy oprogramowanie np. na komputerze, czyli na stacji POS, czyli Point Of Sell, czyli tych, kt\u00f3rych rzeczywi\u015bcie dochodzi do sprzeda\u017cy &#8211; kasach fiskalnych. To jest to oprogramowanie, kt\u00f3re powinno spe\u0142nia\u0107 niekt\u00f3re wymogi. Np. Stany Zjednoczone pomog\u0142y PC ITSS, czyli ka\u017cde oprogramowanie, kt\u00f3re znajduje si\u0119 na takim urz\u0105dzeniu powinno spe\u0142nia\u0107 wymagania w\u0142a\u015bnie bezpiecze\u0144stwa danych, na kt\u00f3rych danych kart kredytowych, wi\u0119c zupe\u0142nie inny poziom. Wybieraj\u0105c odpowiednie oprogramowanie musimy zwr\u00f3ci\u0107 uwag\u0119 po pierwsze na bezpiecze\u0144stwo nie tylko danych przesy\u0142u, ale jak te dane s\u0105 archiwizowane. Powinni\u015bmy zwr\u00f3ci\u0107 uwag\u0119 na polityk\u0119, w sensie je\u017celi dojdzie do wyciek\u00f3w danych nie daj B\u00f3g, kto b\u0119dzie za to odpowiedzialny. Czy dostajemy jakie\u015b gwarancje, \u017ce te dane s\u0105 w prawid\u0142owy spos\u00f3b przechowywane, s\u0105 w prawid\u0142owy spos\u00f3b przetwarzane. I oczywi\u015bcie ta kompatybilno\u015b\u0107, o kt\u00f3rej m\u00f3wi\u0142em. Ka\u017cda firma ma swoje systemy, wi\u0119c musimy zwr\u00f3ci\u0107 uwag\u0119 na fakt, w jaki spos\u00f3b te systemy b\u0119d\u0105, numer 1, bezpiecznie wymienia\u0142y si\u0119 tymi danymi.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> Mr Pawel, what exactly are penetration tests?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>PW:<\/strong> Penetration testing is, in essence, a permitted attack on the infrastructure. So it starts with the client simply choosing a company to test their software or solution. An NDA is always signed in advance, along with a number of other agreements. We set out the terms and conditions under which we will carry out the test. And this is how it works. Firstly, there are automated tests, where we check for things such as exploits and known vulnerabilities. We also try to assess the software\u2019s stability and security. We check for any configuration flaws and whether the programme has been properly designed and built from the ground up. We check whether it is possible to automatically bypass the security measures the programme already has in place. This is generally known as \u2018Yap Box Testing\u2019, which is a test where we already possess some knowledge from the manufacturer about the solution. There is also something known as Black Box Testing, in which we actually engage certified hackers who attempt to breach these systems from a hacker\u2019s perspective. Because it\u2019s one thing to scan these systems and automatically check whether they\u2019re vulnerable to any kind of exploit \u2013 that is, scripts which, so to speak, find a way round these security measures. It\u2019s a completely different matter to look at it through the lens of a hacker, who draws on their knowledge, experience and, quite often, abstract thinking to try to break into these systems and see how far they can go. As I mentioned, these penetration tests naturally take place with the manufacturer\u2019s consent and are very specific, as we do not want to cause any damage; we simply want to see how vulnerable a given product is to an external attack.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> They are a sort of simulation designed to teach us how to act in a way that makes us feel safe.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>PW:<\/strong> In fact, this should lead to some recommendations as to how this hacker actually gained access to the system and what we can do, for example, to secure it.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> Does implementing a penetration test mean we\u2019ll be secure forever?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>PW:<\/strong> Not exactly. Please bear in mind that carrying out any audit or test essentially certifies that, at that particular moment, the software is reasonably secure. But that\u2019s not really the end of the story, as I\u2019ll illustrate using the example of a car. We buy a car, don\u2019t we? And when we take delivery of that car, the manufacturer guarantees that, more or less, it will work. Because that car is made up of many components manufactured by many different manufacturers, isn\u2019t it? One manufacturer supplies the clutch, another some small screws and other components. It should all work perfectly. When such a car is manufactured, the manufacturer checks that everything is working, and if so, it simply passes through quality assurance \u2013 that is, the quality test. The car is then sold. But what might actually happen in practice, down the line? It may turn out that one of these components is faulty. The same thing happens with software. Software is actually built from various libraries. Let me give the example of OpenSSL. This was an encryption library used by a great many companies for many years. What happened? Despite the fact that it was considered very secure software, someone nevertheless found a vulnerability. And exploited that library. So, even if a software developer had created a programme using that library and it had successfully passed a penetration test, and it appeared it was secure, this does not at all mean that, a year later, one of the libraries used to create that programme won\u2019t turn out to have been full of holes, faulty, and with its security measures easily bypassed. So, well-secured software is tested repeatedly. The developer should undergo regular audits and security tests to ensure that nothing has actually changed. All the components used to create the software are still considered secure, and it is not possible to \u2018break\u2019 the software, so to speak, in an automated manner. And this is the number one method hackers use to try and find vulnerabilities: automated testing. Only when these automated tests fail to find any vulnerabilities do hackers actually attempt to breach the security systems using manual methods.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> Mr Pawel, what role do ISO standards play in a safety management system?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>PW:<\/strong> There is something called ISO 27001, which is essentially a standard certification that confirms that the manufacturer has, first and foremost, raised its employees\u2019 awareness of cybersecurity, the various types of attacks they may face, and the need to alert the relevant people in the event of a data breach. It confirms that the manufacturer has established appropriate data protection and security policies, and that it also updates all systems to the latest configurations and versions in accordance with a specific policy. So it simply guarantees that the software produced by a given manufacturer is developed in a more secure environment than, for example, its equivalent.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> As we\u2019re coming to the end of our conversation, I\u2019d like to return briefly to your professional work and ask: what does TestArmy do?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>PW:<\/strong> TestArmy is, in fact, probably the largest testing company in Poland. We have our own laboratory in Wroc\u0142aw. We actually test a wide range of things, from stability to WCAG, right through to quality assurance. We specialise in automated, penetration and social engineering testing. We also run training courses for VIPs and on cybersecurity. So, in essence, we are a one-stop shop \u2013 a place that can test not only software functionality but also all aspects of software security. We also have over 10 years\u2019 experience in the Polish market. We serve clients ranging from small businesses to truly large corporations, and we train a very large number of testers.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> So how do you become a tester like that?<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>PW:<\/strong> I mean, apart from formal education, you can also have a look at our website, testuj.pl, which offers a huge range of training courses for beginner testers. We\u2019re always open to working with any qualified individual. Of course, you can start with basic certifications and work your way up to, for example, CEH (Certified Ethical Hacker) certifications \u2013 we also employ people with these qualifications. And here, a good place to start, alongside formal education, is always to aim for the relevant certifications.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> Mr Pawel, thank you very much for being my guest today and for sharing your invaluable knowledge with us.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>PW:<\/strong> Thank you very much.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> I hope to see you there.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>PW:<\/strong> See you later.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><strong>KN:<\/strong> And we look forward to seeing you for the next episode.<\/p>\n<p style=\"margin-top: 0pt; padding-top: 0px; margin-bottom: 0pt; padding-bottom: 0px; line-height: 1.6; text-align: justify;\"><span style=\"display: inline-block; height: 1em;\"><span style=\"display: none;\">.<\/span><\/span><\/p>","protected":false},"excerpt":{"rendered":"<p>KN: Dobry wiecz\u00f3r. Katarzyna Nawrocka &#8222;O programach lojalno\u015bciowych noc\u0105&#8221;. W dzisiejszym odcinku naszego programu poruszamy bardzo wa\u017cny i bardzo aktualny temat &#8211; Cyberbezpiecze\u0144stwo. I ekspertem od tego cyberbezpiecze\u0144stwa jest w\u0142a\u015bnie m\u00f3j dzisiejszy go\u015b\u0107 &#8211; Pawe\u0142 Wa\u0142uszko. . PW: Dobry wiecz\u00f3r. Nazywam si\u0119 Pawe\u0142 Wa\u0142uszko. Jestem absolwentem Uniwersytetu Kalifornijskiego w Berkeley, Uniwersytetu Stanforda. Teraz wsp\u00f3\u0142pracuj\u0119 z&#8230;<\/p>","protected":false},"author":2,"featured_media":1796,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[67],"tags":[],"class_list":["post-1795","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-o-programach-lojalnosciowych-noca"],"taxonomy_info":{"category":[{"value":67,"label":"O programach lojalno\u015bciowych noc\u0105"}]},"featured_image_src_large":["https:\/\/i360.com.pl\/wp-content\/uploads\/2021\/05\/19_Pawel_Waluszko_Cyberbezpieczenstwo_PLANSZA-1024x576.jpg",1024,576,true],"author_info":{"display_name":"Tomasz Makaruk","author_link":"https:\/\/i360.com.pl\/en\/author\/autor\/"},"comment_info":0,"category_info":[{"term_id":67,"name":"O programach lojalno\u015bciowych noc\u0105","slug":"o-programach-lojalnosciowych-noca","term_group":0,"term_taxonomy_id":67,"taxonomy":"category","description":"","parent":0,"count":26,"filter":"raw","term_order":"0","cat_ID":67,"category_count":26,"category_description":"","cat_name":"O programach lojalno\u015bciowych noc\u0105","category_nicename":"o-programach-lojalnosciowych-noca","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/posts\/1795","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/comments?post=1795"}],"version-history":[{"count":0,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/posts\/1795\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/media\/1796"}],"wp:attachment":[{"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/media?parent=1795"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/categories?post=1795"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/tags?post=1795"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}