Thanks to Pritesh for sharing his knowledge with our nationwide group of information security leaders, the SecureWorld community, in this question and answer session.
What made you get involved in InfoSec?
My mindset has always been more about breaking things than building things! When I had my first computer, I opened it up, tore it apart to try to figure out what it was, and then reassembled it. I did the same with Windows 95, my first operating system: I dug in to find networking hacks and security flaws. So it’s probably not surprising that I started my security career as a developer writing code—but quickly discovered that I was able to hack the very code I was writing. It turned out that hacking the code was my passion more so than building it.
From developing, I moved into network administration and system administration, running servers and network devices. This led me to my current security work. My background enables me to see security flaws—from the code to the systems level up through the network level—and gives me a deep and wide perspective on security from both an engineering and a technology operations standpoint.
In your opinion, how do you see current threats evolving over the next year?
IoT is one of the main security threats of 2017. I believe that we’ve only just begun to see the massive security challenges presented by the internet of things. In the world of IoT security, we’re essentially where we were 10 years ago with network security. At that time, networking vendors weren’t proactive about security, but now most networking devices default to a reasonable level of security right out of the box. 2017 is the year for IoT to catch up with connected devices, to move beyond default credentials, and to speed up and ramp up security practices.
IoT vendors need to assume a defensive posture to help detect intrusion and malicious traffic patterns on their devices. Vendors also need to take into consideration both digital and physical security at every phase of the development process so as to reduce attack points from the very beginning. Communication between devices needs to have strong authentication. Only necessary personal data should be collected and all sensitive personal data must be encrypted at rest and in transit. IoT vendors should practice vulnerability management and use secure means to remotely deploy security software updates.
Do you feel there is enough threat 'intel' being shared within the InfoSec community? If not, how do we fix this?
I’m a big believer in the importance of peer-to-peer sharing. I work closely with other industry security leaders to share what we’re seeing in our networks and who the bad actors are. Of course, it’s important to maintain confidentiality of your customers, but, even so, it’s still possible to share useful information throughout the cybersecurity community. Crowdsourcing our collective knowledge is key to fighting against security threats.
On a broader note, I also think that there needs to be more sharing of threat information between the private and public sector. Currently, the private sector operates separately from the public sector, with both sectors receiving many threats. It would be of great benefit to both sectors if they could come together to share information and thoughts around security, including opening lines of communication around policy initiatives. We need to find more ways and channels to bridge this gap and inspire more cross-collaboration.
What do you like to do outside of security for fun?
Play baseball with my kids.