Don’t Be the Weakest Link in the Blockchain: Shira Rubinoff Talks Cybersecurity in 2018
Shira Rubinoff earned her expertise navigating cybersecurity issues in the early 2000s, and along the way she developed a keen eye for system weaknesses. While the field can be daunting from a technical standpoint, you’ll soon find that in many cases it’s the human factor that ends up being the weakest link in the chain. Extending the same metaphor, Rubinoff also sees promise in blockchains and immutability, and explains how data-sharing in 2018 will still hinge on the users who attempt to leverage these innovations.
This combination of easily accessible security alternatives is absolutely a product of Rubinoff’s philosophy on the entire sector: make software safe and easy to use for anyone.
Our conversation covers the nexus of psychology, business fundamentals, security, and the lucrative business that the advent of cryptocurrencies has created for hackers.
When you moved from Green Armor to SecureMySocial, was there a deliberate transition between these two companies, or was it simply moving from one opportunity to the next?
Just as I started at SecureMySocial, I was very involved in the whole startup area and advising startups as well as other companies. Even before SecureMySocial, I was going into larger companies hired to look at the companies as a whole and help streamline them, make them more and more efficient, see where talents weren’t being utilized and find out where they were overlaying people.
Sometimes companies were hiring too many people for the same job. So that kind of thing, more streamlining businesses and business development and then went into Green Armor Solutions. As it started taking off, I was doing a lot of advising and growth for companies as well in the area before I got into SecureMySocial.
Was that principally in New York or a bit all over?
New York and the tri-state area but also in the greater US. We started expanding across the country. I recently launched a tech incubator in New York City as well. From here, I was getting involved in the whole influencer media marketing field as well and helping amplify security companies from a human perspective using my expertise in the sector.
In many ways, this is where you have established yourself, in the field of cybersecurity while coming from it from a business-psychology perspective. Ultimately, it’s about making sure that companies are best utilizing their resources.
I was working at the place where the human factors of technology and cybersecurity intersect. If you think about cyber security as a whole, there are many aspects you have to look at. Not just technological, but also where the weakest link of the chain is, which is the human.
People de facto make errors. People are used to moving quickly, certainly in this day and age. Just throwing out information where they need to. As the millennial generation is growing, this is how they communicate just pumping out information across social channels. Easily sharing, easily trusting. So there’s a lot that has to be done and tightened up around, let’s call it the human factor piece, whether it’s an interior or exterior threat.
And when would you say you began working on this kind of thing? If someone wanted to get a timeline of this sort of thing.
I started getting involved more in the human factors of technology back in 2003 or 2004. I had a lot of interest in the whole technology space as it was starting to grow in many areas. It was just a natural movement for me.
And when you think about the time between now and 2003, have your opinions on the human factors of security and even your role in the space, changed? Or are there some fundamental principles that have always been here since the beginning of the internet?
I think as time grew and our social media channels took popularity and became the way that pretty much the whole generation today communicates, it opened up many more avenues for infiltration from organizations. Whether it be tricking people from getting information off spaces, or spear phishing, phishing attacks, and people putting information where they shouldn’t be.
I think it created many more problems that an organization has to face today. They have to be much more diligent regarding figuring out ways and utilizing resources to tighten the ship across their organization. It definitely became a much harder thing to tackle. There’s tons of technology out there, and layering layers of the same technology over each other doesn’t do the job. You have to take a holistic approach and look at it from every aspect.
Do you think that that comes down to consumer education and educating the individual on what’s at stake?
Correct. I think that it becomes a personal thing. You have to look at an organization as well as the people that are working there too. They have a lot of risks. When you talk about data loss prevention, you talk about reputational risk. It also boils down to a person’s career. If they’re in a relevant industry, an organization needs to be telling them about these risks and training them too.
So, I think ongoing training needs to happen and also constant reminders about the technology. This was part of the reason why I created SecureMySocial. It offers a technology-assisted self-monitoring tool for employers to give employees to self-monitor across social media and is based on compliance with regulations of the organization with real-time warnings and auto-delete capabilities.
Basically, the organization is giving the employee a tool to let them self-monitor themselves if they, by mistake, leak information across social media about the organization that will give them almost that tap on the shoulder saying “do you really want to do this.” Because at the end of the day, most people aren’t looking to harm the organizations, they’re not looking to leak information, they’re not looking to do reputational damage, they’re not looking to open up doors for attacks whether that be data breaches, phishing attacks, or any segue into the organization from the smallest little window. So, tightening the ship around the technology and getting people involved and educating them as well is very important.
Would you say this is the most common mistake that an organization makes, that they fail to enlighten their staff of these kinds of security breaches?
All the studies pretty much point to the human being the weakest link in the chain. People could argue then, who is that human? Is it the one that’s gotten breached? Is it the one that accepted a LinkedIn connection from somebody they didn’t know, which became a trusted source where they allowed information to get out? Was it the person that clicked the wrong link on an email and launched phishing attacks against the organization? It’s about the human, but it’s also about the technology, and they have to work hand-in-hand. You can’t do one without the other.
The sensitivity of data these days is a big topic. Especially personal data, tax details, health records, etc. But now the rise of cryptocurrencies has created another type of honeypot. So, my question is as follows, how much have you specifically encountered this as a subject? Or is it still quite far off in the distance?
Cybersecurity is a critical component of every cryptocurrency and blockchain project. So, cryptos have also created all sorts of new opportunities for criminals. And as such, defending against these kinds of attacks is obviously critical. If you think about the blockchain and the security around that, especially at exchanges and the implementation of blockchains on exchanges, now present another area of vulnerability. The institutions themselves, which enable traders to buy and sell crypto, they most likely contain databases holding the trader’s wallets or even trader’s online wallets themselves. So, yes, it opened up a whole new area.
Further to that, have you made any sort of formal transition into the sector or are you just expanding your cybersecurity awareness and beginning to include things like cryptocurrencies and blockchain? Is there something specific that you’re working on in this field?
I think that looking at the whole blockchain area, cybersecurity is a very integral part of keeping things tightened up and safe, and it’s important to put them together. There’s going to be a lot of talk around that, a lot of articles written, and a lot of things in areas around breaches that are going to come out insisting that cybersecurity become a big part of it. So, many people are getting involved in this as well, but not enough.
There’s a general shortage of cybersecurity professionals and even a bigger shortage of those focusing on cyber and cryptos. You have to understand that cryptos are relatively new, which means that the total universe of experienced cybersecurity professionals that are focusing on technologies for five or more years in this space is already tiny, to begin with. That said, there are cybersecurity professionals who are focusing on blockchain tech. Myself, as well as some other colleagues, that have branched out and are taking a big stand in them.
Would you agree that a lot of your colleagues are starting to consider this in a very serious way?
I wouldn’t say a lot, but I would say the ones that do you’ll find it to be a very important piece of, let’s call it, the “Cybersecurity Chain.” I almost look at cybersecurity as a big umbrella over many technologies whether you call it IoT, AI, AR, VR, just name it. Cybersecurity is a big piece of it. As blockchain technology is becoming the forefront of smart contracts, cryptos, everything else, they definitely need to go hand-in-hand, and it’s certainly a segue that I see myself moving into.
Do you see ways in which blockchain technologies are solving some of the traditional cyber threats from 2003 and 2004 or even later into 2016, 2017, 2018?
So, we’re going to see all sorts of applications of a blockchain trying to solve security problems. What we see now is only the tip of the iceberg. Systems that are now distributed, for example, have fewer points of failure and offer greater resilience against DDoS attacks and the like. Blockchain tech can also provide greater anonymity for VPN type technologies, which is crucial. Also, it offers better assurance for federated identity and KYC.
Just a side note, as you’re also based in New York, have you noticed that because of things like the BitLicense and a couple of other difficult regulations in New York, you find that a lot of blockchain startups are leaving the state?
I think that it’s still very early adoption of the blockchain. As regulations are going to tighten up, we will see them move out of New York, yes.
More related to the privacy aspect of things, do you have an effective mental model of how we should be thinking about our presence online in the modern day? Whether it’s on Facebook or LinkedIn or Twitter, do you have just a few sentences that could capture the modern concerns regarding privacy?
Certainly. My whole take on your presence online is that you have to assume your information is out there. I think people have this false sense of security that if they don’t accept certain people into their networks that their information is safe. People need to think twice before putting anything on social media, and if they do, they have to assume that everybody can see it.
We’ve seen what happened with the Facebook data leaks. There was a whole article around what Google can see from you. They can see everything. Anything you put out is seen. So, don’t put out things you don’t want people to know.
On the contrary, do you think that the layman’s attempt at simplifying the problem, the idea that once a bit of data from you is released, it doesn’t matter anymore? Or do you think that we could be a bit more specific about how we’re sharing ourselves online?
People’s lives don’t have to be lived completely online. If you have a thought in your head, you don’t need to spit it out. If it’s going to tell people that you’re going on vacation, then you’re opening yourself up to a “robbery” of different sorts, or “data grabs.” I wouldn’t tell people you’re looking for a job, for instance. Or if you got a new job, don’t announce the details of it specifically, or you risk opening yourself up for phishing attacks either personally or whether through an organization.
I think that if you assume that your stuff is out there and you take the approach of “anything I’m putting out here from here on in, It’s still going to be grabbed,” then you realize that not everybody needs to know everything. And if you’re going to operate the way, let’s call it the “Millennial Minds” might be operating today, of “spit it out, think later. We’re about sharing; we’re about living online. That’s how we communicate,” then we’re going to be in for big trouble. That’s why lots of technologies out there exist and are reminding people that your information is yours. Try to keep it in a safe way. Don’t overshare. Oversharing is “leaking” and again, the weakest link.
Do you see any equivalents of Facebook that may be more secure? If we consider this “Millennial Mindset,” do you think that we’ll see a secure product that matches this perspective, or do you think that there will first be a complete shift in mindset?
I don’t think the mindset is going to change because if we think about the way that technology has advanced even over the last five or six years with things like Snapchat, Instagram, Facebook, LinkedIn, and Twitter, there are so many avenues and people almost classify them in different areas of their life on how they need to have a presence. And it’s almost the mindset that “if I’m not there and sharing, then I don’t exist.” So, I don’t think that’s going to be changed. It’s going to continue to advance in many different areas certainly around the whole AR/VR space and integrating different types of technologies around it to make it more realistic. This is going to be very interesting to see.
Even when you think about smart homes and the whole IoT space. Coming back to the social media portion, no, I don’t think the mindsets are going to change. I’m hoping that people see how many breaches are occurring time and time again. Things like the Facebook data in Cambridge Analytica, Equifax, the Yahoo breach, Chipotle. It’s almost every month, it seems. And I think people are starting to get nervous.
The question is how that’s going to play out over the next number of years. Will it change their mindset? No. But will technology be implemented somewhere to tighten it up? I do believe that will happen in some way.
And in the next couple of years, how do you see cybersecurity and what you’re working on changing over the next couple of years? Specifically in regards to blockchain and cryptocurrencies. Do you see anything on the horizon that a journalist or other experts in other fields wouldn’t be able to see?
Around the whole blockchain space, cybersecurity is going to become an arm of it, and it’s going to be a very integral part of the technology, as I mentioned. If you think about crypto exchanges, there are still many areas of infiltration there. So you can almost see blockchain and cybersecurity go hand-in-hand to be secure. The blockchain is going to be used for everything, even after the crypto markets. It’s being talked about in pretty much every sector. So, where’s the weakest link in that chain? That will have to be looked at through a cyber security lens.
As we do indeed hear blockchain everywhere these days, do you get the feeling that a lot of it is hype? Or do you think that there’s a reality here as well?
In the beginning, it definitely was hype. Think about how every year that technology has advanced, people jump on the bandwagon of the latest trend. But I think once they really understand it, it becomes a reality in this space. I think people were screaming cybersecurity before they even knew what it was. It was very similar to blockchain tech. It is going to be used in healthcare and finance. It’s the mathematical structure for storing data in a way that’s almost impossible to fake, right? So, it can be utilized for pretty much every sector to keep it secure.
We spoke a little bit about generational and demographic aspects of cybersecurity, but if you’re not from the millennial generation and you don’t have this millennial mindset, are you still at risk of the same cyber threats?
Yes. If you do any online banking, you can be spoofed very easily through a phishing email. You can be spoofed by cycling to the wrong site, giving over the wrong information. You could have a malicious agent asking you and asking you for specific information to gain entry correctly. Those are called Man-In-The-Middle attacks. Even shopping online, getting someone’s credit card details.
Think about the Chipotle data breach. These people weren’t doing anything security-wise, they were just eating at a restaurant. I think everybody’s susceptible to it. I think keeping a good handle on your scores around your financial stuff and just being very diligent about what you’re doing. What I would suggest is never click the link that you’re given in an email, but type it out by hand knowing the right corrected email address for the bank because these links are easily spoofed now.
Just the type of phishing emails that exist today, it didn’t exist before when I started my career. There were different words or letters that weren’t spelled right, or it looked a little odd. Now it could look perfect. So, being very diligent about what you’re doing. If someone calls from your bank, don’t give over information. Ask for a number and call them back. You know it is taking that extra step to ensure that you’re actually dealing with the right party.
And I think it’s pretty clear that this field is changing quickly. How do you stay up to date with new phishing schemes or different types of attacks and things that didn’t exist in 2003, but are now very prevalent? How can we protect ourselves and become sort of futureproof to different cyber attacks?
Just to repeat from before, being very diligent about what you’re doing online. Even if you don’t have the social media accounts, even if you don’t download all these apps on your phone, still being aware of potential threats. Taking that extra time to know what you’re doing. Don’t be in such a rush to push out your information because you could make yourself susceptible to more problems.
And finally, the rise of cryptocurrencies means we now have this clear price point for data. So, with virtual currencies, certain data might equate to X number of dollars, and that creates a much more concrete incentive to steal things from people. Are you finding that this is becoming big business?
Yes, very much so. Cryptocurrencies have enabled multiple major flavors of monetizing hacking. Hackers can attack exchanges and steal large sums of money easily redeemable, and it also makes laundering cryptocurrency much easier. So, think of cryptocurrency-focused malware is quickly issue and ransomware is not a new problem.
We’ve had it for a very long time, but the ability to collect ransoms in cryptocurrency rather than via physically mailed payments or to an address somewhere in the third world, that was like the early ransomware, or sent via something like Western Union, can afford criminals a much better chance of both being paid quickly and successfully. They also have a better chance of getting away with the crime as they aren’t tracked, and it can actually scale it a lot better.
Then there is crypto mining, which is another area of opportunity for criminals. In the past, cyber attackers could monetize the processing power of CPUs. They could demand payment for these CPUs in exchange for not running DDoS attacks with zombies. But this was an inefficient use of stolen resources. Cryptomining basically allows for amazing efficiency of use for stolen CPU cycles.
As an influencer, your online presence is really important. Have you ever been subject to any kind of attack on Twitter or impersonator?
Funny you should ask, that just happened to me a few days ago. So my handle is @ShirasTweet, and they did a number of accounts. They did @ShirasTweet with two “s” in the middle. They did @ShirasTweet with an “e” next to the “s.” They were telling people with my name, my Twitter handle, and they made a link to my LinkedIn with my face, and I was pushing people to buy this particular crypto.
I immediately contacted Twitter and filed a report. Then I reached out to my network of influencers and people that I’m connected to on Twitter and asked them to block that account. I blocked the account as well because they were putting handles of my connections in their tweet so it would look more legitimate. Then I had multiple people reporting it, and I have to say, Twitter shut them down very fast.
This was definitely a big problem back in December 2017.
Well, it worked. During this crypto craze and when bitcoin was nearly touching $20,000, people were so afraid of not getting in early, and at any opportunity, they tried and got in quick. People don’t think about the security behind it or who they’re dealing with. They act quickly and think second. It’s a human problem of the psyche that becomes the major issue. And it translates into different areas of technology. It’s a big problem.
For interested parties, Rubinoff is also available for speaking engagements and advising in the subjects of blockchain and cybersecurity. On June 11-12, 2018, Rubinoff will be speaking on the cybersecurity panel at the BCI Summit in New York.