Technology has evolved at a dizzying pace, and with it, the opportunities both for companies and for society. Pablo González Pérez, Technical Manager and Security Researcher at Telefónica, and former expert at ElevenPaths, Telefónica’s cybersecurity unit, observes that these advances have also brought with them new risks and threats in the cybersecurity sector.

Pablo, who has broad experience in the industry, is the director of the Master’s Degree in Information and Communication Technologies Security at the European University of Madrid, Microsoft MVP in 2017-2018 and 2018-2018, and author of such books as Ethical Hacking: Theory and Practice for Pen Testing.

What trends do you think have been important over the last few years in the cybersecurity landscape?

In my opinion, these are the most relevant trends:

  • Criminals are taking advantage of cryptocurrencies to make a profit from malicious activities. Just a few years ago they were going completely unnoticed.
  • The appearance of ransomware and the business model behind it has marked a before and after. Society has also begun to understand this kind of threat, since people are starting to notice the kinds of risks that are found on the Internet.
  • The cases of data theft in companies. This is something that has grown and that, unfortunately, we will continue to see in the future.
  • The appearance of the new data regulations designed to protect citizens.
  • Attacks on critical infrastructures.
  • The application of artificial intelligence in the field of cybersecurity. Without a doubt, within the next few years, cybersecurity and AI will go hand in hand.
  • The increase in knowledge and awareness. This is something that is already happening gradually, and is starting to be noticeable, especially in younger generations.

What differences have you seen in the types of attacks and threats?

Pablo González (Telefónica)

The main difference is the use of the different technologies that have become available. A simple example is the case of phishing. It’s something that’s always been around, but these days we see how, thanks to QRLJacking or the use of OAuth apps, there’s a different focus to the scam, and it’s gaining access to accounts, in these cases, without even needing a password. With each new technology that comes along, new risks, or an evolution of the existing risks, come with it.

Is it possible to prevent security breaches like the recent case at Facebook, where the personal information of 50 million users was exposed?

There’s a saying that many professionals in the industry like to repeat, which is “everything is hackable”. In other words, every company can fall victim to some kind of security incident. It’s important that society and companies bear this in mind, and that they understand it. Establishing prevention measures in order to reduce the risk as much as possible is vital these days, but not everything can be preventive: there must be an alignment of risks between preventive and reactive measures. There’s no such thing as 100% security, and so we must keep working iteratively on the ways that companies protect themselves. We must also add preventive measures, align reactive measures, and create a base in which people that belong to the organization are involved in the organization’s security.

The IoT will increase the attack vectors. How can we protect a world in which everything is connected?

Protection must be shared between the provider and the consumer. In my opinion, security mustn’t be tackled by just one role, since in the equation there are at least two roles. If both parts take on their responsibility in terms of protecting information, we’d be much more robust when it came to risks.

On one hand, including security from capturing requirements, from the design of the systems, is something that would provide a major level of maturity to the process. This is something that has a direct effect on the manufacturing costs, but that in the long run benefits everyone, and provides a quantifiable return. A secure development life-cycle brings maturity to the process, which is the minimum we should aim for. At each stage of the process, elements such as the following can be added:

  • The gathering of security requirements.
  • Threat modelling.
  • Analysis of the attack surface.
  • Static and dynamic analysis.
  • Code revisions.
  • Pen testing.
  • Strengthening secure settings.

Logically, the elements discussed pop up in the different phases of this kind of methodology, and bring an extremely interesting value to the creation of software and systems. The idea is simple: think of security from the very beginning. On the other hand, when the consumer makes use of the system, they must understand the risks and threats to which they are exposed simply by using this technology. This is something that society is learning, though not at the speed with which new threats and risks are appearing in our lives.

As Pablo highlights, the IoT and other technological advances are generating new attack vectors, and causing these vectors to evolve. In order to put an end to these threats, the expert underlines the need to apply artificial intelligence in the cybersecurity environment, and to increase the level of awareness. These are two of the main subjects that we will discuss in the second part of this interview. Be sure not to miss it!