Meet Satya Gupta, Virsec’s visionary, who has more than 25 years of expertise in embedded systems, network security and systems architecture. Prior to focusing Virsec to a product orientation, Gupta built Virsec as a software design and consulting business and targeted data networking, application security and industrial automation projects. Prior to this, he was Director of Firmware Engineering at Narad Networks and Managing Director and Chief Engineer at Eastern Telecom and Tech Ltd.
Gupta holds 14 patents in complex firmware architecture with products deployed to hundreds of thousands of users. He holds a BS degree in Engineering from the Indian Institute of Technology in Kanpur and additional degrees from the University of Massachusetts at Lowell.
Here, we talk to Gupta about the impact that COVID-19 and remote work policies has had on critical infrastructure organizations.
Security magazine: What is your title and background?
Satya Gupta: As the Chief Technology Officer at Virsec currently and in my professional career spanning 35 years, I have built a range of hardware, embedded and software products used by millions of people worldwide. I have 14 issued patents that cover a range of subjects such as networking, wireless, micro kernels, interpreted code vulnerabilities, memory integrity vulnerabilities etc.
Security magazine: How has COVID-19 and the surge in remote work impacted industrial and critical infrastructure companies (Fin Serv, healthcare, government/defense, etc.) themselves?
Gupta: The Cybersecurity & Infrastructure Security Agency (CISA) has identified sixteen sectors as critical infrastructure of our nation. Organizations in these sectors have largely followed guidance from the CISA which starts off by making a risk assessment for their staff.
The organization makes every attempt to identify and encourage those people who can potentially work from home without affecting their productivity to work from home.
From a spend perspective, the organization must accelerate software initiatives that were part of a longer-term digital transformation strategy. Some examples of such new software and hardware initiates include collaboration tools, VPN, VDI etc. Funding these initiates has caused avoidable economic strain on organizations especially those whose cash low positions may not be very strong.
One consequence of deploying a lot of new software in a hurry is that best practices for securing the new software tend to get ignored. IT organizations cannot patch vulnerable software as fast as the vulnerabilities are growing. One can see that the number of new vulnerabilities and attacks such as ransomware attacks are growing rapidly.
Many users who may not have had previous exposure to software tools are now forced to grapple with subtle nuances in the new software. If some of these people have elevated privileges in the organization, the intellectual property, confidential information, and business continuity can come under serious risk from phishing and vishing attacks.
Security magazine: How can these companies effectively stay secure amid increasing threats during remote work and with an increase in cyberattacks (i.e. phishing and ransomware)?
Gupta: The old saying that haste makes waste is particularly significant here. IT organizations must properly architect their new software rollouts to ensure they are not trading productivity for risk. Deployment procedures including tightening configurations for software and following best practices should not be short circuited.
A very important initiative must be to train staff on protecting themselves from phishing and vishing attacks. Companies must fund and launch red team initiatives to “test” their staff and train those who happen to fall victim to simulated phishing attacks.
Another initiative organization can undertake is to invite pen-testers to assess the risk exposure of their software infrastructure. Organizations can invest in automated attack simulators to ensure they discover the weak links in their deployed software before attackers do.
Yet another initiative organizations’ can undertake is to patch their infrastructure and application code on as short a schedule as possible. Vulnerabilities in the infrastructure code as well as in-house code must be identified and remediated at the earliest opportunity.
An extremely important initiative must be to replace older security controls; especially point solution because they do not give a holistic view of the attacker kill chain and only result in “expense” in depth. Instead, IT must look for security controls that are full stack, highly deterministic and do not require an army of analysts to deploy and maintain. By adding more staff, not only would the organization incur unnecessary expense but would be making matters worse in these Covid 19 pandemic times.
Security magazine: How has COVID-19/remote work forced critical infrastructure to fast-track digital transformation, and how can they effectively stay secure with new security tech while embracing this new tech?
Gupta: As mentioned earlier, many longer-term digital transformation steps must be fast tracked. IT needs to make sure several security best practices described above are followed so that security is not traded for speed. Shortcuts in configuring new software, not patching fast enough and using security controls that are behavioral in nature even when deterministic solutions exist are some of the steps IT must take in order to reduce the risk to the organization.
Security magazine: What does the future of distributed cybersecurity teams looks like post-COVID and with remote work now the norm?
Gupta: As principles of natural selection have shown in the past, those software vendors who produce more secure code and security control vendors who harden the applications will drop by the wayside.