Tune in to this episode of Ask A CISO to hear:
- If there are similarities and differences between cybersecurity in general and in the crypto industry
- What is Coinhako and what makes it unique as an exchange
- Crypto and DeFi hacks, and how nefarious actors have carried out attacks
- Pasi's book Smiling Security
- How you can protect your crypto investments
- Pasi's take on how the market will evolve and grow after emerging from the winter
About The Guest: Pasi Koistinen
Pasi Koistinen is Chief Information Security Officer at Coinhako, a Singapore-based cryptocurrency platform.
Prior to joining Coinhako in January this year, Pasi was the Strategy Lead Consultant at Ensign Infosecurity.
Pasi has 20 years of experience as Head of Information Security and Operations in cybersecurity companies and extensive leadership experience managing cybersecurity teams and services.
Pasi is also the co-author of the book Smiling Security: The Cybersecurity Manager’s Road To Success published in 2020, and a much sought-after public speaker.
About The Host: Paul Hadjy
Paul Hadjy is co-founder and CEO of Horangi Cyber Security.
Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.
Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific.
He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams.
He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking.
Transcript
Paul
Hi, everyone. Welcome to the Ask A CISO podcast sponsored by Horangi. Today we have with us Pasi Kostinen, who is the Chief Information Security Officer at Coinhako, a Singapore- based cryptocurrency platform.
Prior to joining Coinhako in January this year, Pasi was the strategy lead consultant at Ensign Infosecurity.
Pasi has 20 years of experience as Head of Information Security and Operations in cybersecurity companies, and extensive leadership experience managing cybersecurity teams and services. Pasi is also the co-author of the book Smiling Security: The Cybersecurity Manager's Road to Success published in 2020, and a much sought-after public speaker.
Thanks for attending today, Pasi.
Pasi
My pleasure, Paul, my pleasure.
Paul
Yeah, it's great to have you on the podcast. And again, thanks for taking the time outta your schedule. Anything you'd like to add to the introduction that I glossed over or missed?
Pasi
Oh, that was perfect. Thank you.
Just a disclaimer: whatever I say is not financial advice. I think we're talking about the cryptocurrencies and such, but I'm not a financial advisor, so with that grain of salt, let's get ...
Paul
Cool. We'll focus a bit more on the security side of things, but good to have that to clear the air.
So yeah, Pasi, you spent about 20 years of your career in cybersecurity companies. What made you join Coinhako and what got you started in crypto?
Pasi
I dunno. It's probably something that I've always been interested in. So it's 23 years in, in cybersecurity and CISO and entrepreneur and so on. You know, it's crypto is, is expanding fast. It's a promising new industry. It's something I've never tried before, but I've been wondering about it. So ... and there was also the company, the Coinhako team, which actually turned the tide for me, that was the last nail in the coffin or broke the camel's back and I just decided to jump on, you know, and great, great team. Really, really amazing.
Paul
Yeah, definitely. I met Gerry and Yusho a couple of times and some of the other team members as well, and yeah, very great people. I've been doing it for a while. I've been in the industry since the very beginning, so quite cool stuff and glad to see them so successful, so that's awesome.
One thing that's quite interesting is you spend a lot of time working in more traditional industries, and now you have moved into crypto. What are kind of the differences is that you see from a security perspective?
Pasi
Differences? Oh, well, it is financial industry. Crypto in its sense, we are talking about same kinds of threats, same kinds of controls as the financial industry in general.
I think there are differences as well. It's greatly reliant on something called cryptographic keys and cryptography. I think crypto comes from that word. So it's basically an art of encrypting decrypting data back in the history. That's where it comes from, then somebody figured out that, Hey, let's put this thing together or take these algorithms and keys and make a blockchain out of them. And then start putting assets on this blockchain and put value on the chain. And that's how cryptocurrencies came about.
A lot of the security is centered around those keys that we have, keys that are supposed to remain secret only in the hands of the owner of them, owner of those assets and they're the core of the security in many ways. Plus on top of that, we have that traditional security layer, the company, the organizational and technical controls that everybody else must take care of as well.
So same, same, same different different.
Paul
Yeah, definitely it is challenging cuz you have like the whole sort of like new security problem or newer security problem, and then you have all the traditional stuff that you have to deal with as well. So it's a different level of security there.
I think that part's quite interesting is, is some of the new stuff and yeah, I think one of the reasons, least, most people I feel like are in securities, it's constantly changing, right? Cuz it is part of tech. So new is ...
Pasi
Yeah. And you know, I've had a lot of introspection lately about what is same, what is different? And what is the history of all the things and looking at the year 2000, we had a great technological boom before the turn of the century and the tech bubble and tech industry. Then we get got those Amazons and other tech giants being born. And I was thinking what was the key that gave rise to the industry?
In the middle of that, I think that it could not have been made without the cryptography as well. There was the TLS protocols and such that protect our privacy and security in the internet currently. Without that innovation and technological progress, we wouldn't have that industry in the same extent as today. We couldn't trust what we do online on online bankingonline banking, for example, relying on a lot of that.
And with blockchain, I feel that we are in the middle of similar things. It might take time, but it's going to probably change a lot of things that we have today.
Paul
Yeah, I completely agree. And I mean, in college I used to work at a bank and I was a bank teller. And I remember like back then, this was been like 2004 and I remember most of the customers did not want to use online banking cuz they were scared, right? This is still like, I mean, kind of after the boom that you were talking about a little bit, but still most people were scared to use online banking and we had a lot of people coming to the branch just to like do like very easy transactions, just transferring monies between accounts and things like that.
It's funny how that's changed and now basically I haven't been in a bank branch in multiple years. I think it's kind of funny how fast things change and people get used to new technology and potentially take for granted and that's an interesting thing.
So tell us more about Coinhako and you kind of alluded to one of the things that stands out among the rest. What else do you think makes it stand out amongst other exchanges?
Pasi
Well, so first of all, we're in Singapore here. I'm in Singapore. Coinhako is a Singapore company in its heart. Coinhako has been around a bit longer than most of the other operators or exchanges in the market. I believe it was around 2014 when this company was started.
Latest milestone was full licensing and approval by Monetary Authority of Singapore in May this year. Major milestone, of course, being recognized as a full player on the market where basically there were none others in the same segment. So that's a cryptocurrency exchange.
I think what stands out is that it may not be the largest player in the market, most well-known brand, but it's been always having that that focus around protecting the customer, the investor's assets and taking less risk in that sense. Maybe that doesn't get me something like massive growth, but allowed it to get this approval and standing here.
Paul
Yeah, definitely congrats on that.
I remember when I read that article, it's super, super exciting and I think one of the first, if not the first to get it also, right? So I think I'm sure you know better than me, but, yeah, very cool to see that happen and exciting to see companies taking regulation seriously, cuz you know, obviously both of us having been in security most of our careers, we understand why regulation is in place.
Security perspective can be painful and costly, but, ultimately it does make the ecosystem safer for the individuals that are investing in it, but it's challenging to say the least.
Pasi
Yeah, I think that we have seen similar kind of ripening of industries and different kinds of sectors.
Let's take micro loans, for example, which used to be a wild wild west, but now it's very regulated in many, many Western countries, at least so, and any new businesses can see this maturing of the industries and increase in regulation. I'm not surprised, honestly. Just happy that one I'm on board of the company who, who's not thinking that there's gonna be a wild, wild west forever.
Paul
Yeah.
Pasi
Which is not the case. It cannot be, you have to trust the companies where you put your money into. I wouldn't put my money in the company that I can't trust, right?
Paul
Yeah.
Pasi
Out of my own pocket. So, yeah ...
Paul
Yeah.
Pasi
So, and I guess joining this company as a CISO, so I thought that, yeah, I can trust that.
Paul
Yeah. That's quite cool and definitely, trust is, you know, what security's built on and, of course, anytime you're storing financial assets of any kind with an organization, you of course need to trust them.
And regulation is one way that kind of gives you that like hurdle of trust for existing and new customers.
So you know, we read a lot in the news about crypto theft and, you know, February this year is kind of reported that, or was reported that one of the most popular cross-blockchain bridges was hacked for over 326 million. How do you think these like, attacks kind of happen? And then like what, what should companies do to kind of prevent it?
Pasi
Right. There's many types of different kinds of hacks.
I would say that they exist in traditional financial industry and also in crypto equally. And within the crypto space, we have different kinds of hacks.
There's hacks of exchanges. There's scams of individuals. There's rug pulls of, just major scams of large number of individuals. There's these decentralized finance hacks as well.
I think you are referring to one of those.
So, if we take an example, a few months ago, we had an operative called Ronin Bridge DeFi hack, which I believe it was around 600 million actually. So it wasn't so surprising. We've had this mega trend of DeFi hacks recently there. They're the latest evolution in cryptocurrency schemes and the technologies. Nothing wrong with the technology in itself, but when you have something new like this there's bound to be flaws in it.
It's not maybe inherently secure, it hasn't be thrown thoroughly beta-tested, audited, and so forth, so on.
So what happened in that case was that they had a system where you had multi-signature cryptographic system were nine keys were needed and five keys of nine were enough to authorize transactions and five were compromised. Five out of nine, which means that the attacker was able to, to pretty much pull out the trick out of his hat and hack that system. 600 million was lost and a lot of things must have gone wrong for that to happen.
And there are smaller hacks measured in millions typically. But I think it boils down to this central idea of cryptographic keys being compromised, people who use or have access to those keys or the whole system around and technology around those keys being designed in a way that doesn't maybe hold the water when somebody and an advanced hacker tries to attack it.
So I think that's the leading thought that they have at the moment about cryptocurrencies, cryptosystems, DeFi hacks, and their security.
Paul
Yeah. Yeah. We've seen a couple over the past year or two and it's been interesting to see it. I think it's just like banking, how banking evolved.
I talked about this a lot in the traditional security context, but like, you know, first banks, they didn't really have any forms of security, but then they started getting broken into. Then they had like bars in the windows and then they like barred in the tellers. Then they had like guards. And then people like started bringing guns and they started having video cameras and all the stuff the industry evolved because bad things happen and then they put mitigation in place to stop it, right?
And I think it's no different in the crypto space because it's new. Like a lot of the things haven't been thought about at least in the newer stuff. And things will happen and mitigation will have to happen like over time. But that's kinda just the way it is, right? With any ...
Pasi
Yeah, let's just take one example of these attack types. They're not really that surprising to me. It's not always the keys. For example, let's take the concept of DeFi attacks and pricing Oracles. So DeFi attacks have been, or hacks have been that the biggest amount of monetary loss or financial loss in the last year.
So pricing Oracle is something that a DeFi system, decentralized finance systems, cryptographic systems use, so when you decentralize something and then you try to find a common price for this decentralized system, you have to have some mechanism to tell what's the latest value. What's the price of an asset?
Let's say you're buying and selling all the time over there. And pricing Oracle is the answer. So you have to bring an algorithmic mechanism to deduce what is the price and be able to tell it to everybody around the thing. So pricing Oracle attacks, where you can delay or deny that price or push it up or down, so time-wise, or just set it off a little bit price-wise and then do arbitrage on what's it worth elsewhere against what it's worth according to the latest price Oracle. You can just pull out a lot of funds from that decentralized system by that, just one example.
Paul
Yeah. Yeah. It's super interesting to see that stuff because it is, I mean, stuff that we don't think about, I think in the traditional finance but could also happen there. I mean, there has been some sort of currency busts in the history of finance as well. I think there was one fairly recently with that, like back in the day. These concepts exist in crypto too, and you can do it faster, right?
Because it's tech. So I guess like from to move from companies to the individuals that are investing in crypto, what do you think are some tips that can kind of help them prevent incidents?
Pasi
Looking at, from individual perspective, let's say you are an individual who's already in this market. So the number one thing is that you should be doing your business with a partner who is reliable. That's the number one thing, because if you're, let's say working with an exchange, they are in charge of so much of that security. You probably trade online and having that good partner is crucial. They will provide the technological tools. They audit the codeaudit the code that you use to transact. They are the gatekeepers for a lot of that, providing the anti-money laundering and such controls and know your customer controls.
So beyond that point, of course, you can take care of a lot of things by yourself. Most of these operators, they do enable you to use two-factor authentication. It's not just good passwords and usernames. It's also 2FA, a must. This is like number one thing. A must. Enable it. First thing.
Second thing is that, think about your wallets and think about the kinds of value that there is, what sort of assets, how much it's worth. So basically there are two kinds of wallets, hot and cold and custodial or, or your own. Custodial means that your trading partner takes care of everything. That's where the trust comes in or cold wallets where maybe you take, you take part of your funds or major portion of them. Non-custodial cold wallets. Let's say a hardware device and put your cryptocurrency in that or assets in that. So, think about the wallet things.
I know that some of these exchanges have designed a system where only a tiny, tiny portion of the funds are actually online, where they are reachable by online threats. And then the majority is in a cold wallet somewhere else, behind locks, even in a different custodial system and service. Think of it as a, sort of like a private central bank that puts them in the vault.
So ... That's pretty much your choices with regards to wallets plus everything that you can do about your endpoint devices that you use to interact with those exchanges.
We've seen rogue apps for mobile that look like, just like your Metamask or other wallet solutions. And malware that copy-pastes your strings like crypto keys from your desktop. When you copy-paste your wallet to and from addresses, we've seen a lot of these end-user threats emerging in latest use. So it takes a bit of awareness and that's where the partner comes along.
They ... I think as a CISO in such a exchange, I feel that it's our responsibility to provide those articles, videos, help to our customers and customer support. Can we get it?
Paul
Yeah, definitely. I also agree and I mean, you see the banks, the more traditional banks doing this as well, because, ultimately, it is important for them to educate their customers. Oh, it's a big part of security, right?
Pasi
Awareness can't decide that, that it's humans with machines.
Paul
Yeah. Yeah. A hundred percent agree.
So to switch kind of topics a bit, wanna talk about your book.
So can you tell us a bit more about your book, Smiling Security and who should read it and also why?
Pasi
Right. So Smiling Security: Cybersecurity Manager's Success, it's so is on hot job. That was the purpose why me and my partner at that time decided to make the book.
So we noticed that there is a shortage of cybersecurity talent in the market and not just quantity of people, but also the quality. And there's a lot of different skill sets and being a cybersecurity manager is one of them, among the many cybersecurity roles in organizations. And it's a two-way problem.
First of all, you have to know how to work in that role. Let's say you start your job in as a cybersecurity manager or Information Security manager. And I'm sure there's a lot of talent on the market, but the other side of the coin is that when
564 you have a company, let's say a startup and you have to hire one. How do you know what sort of talent you need? Whom should you hire? What is crucial when you interview one, and to marry these two things together to get the right kind of a person in this right kind of a fitting role is the focus of the book. It should answer the question to the business reader in general, who's hiring this person, am I getting the right one? And once that guy starts over, when he's looking back at that book, he should be able to reflect on his own, am I just actually doing the right things here, providing the right value for the right people and to the stakeholders?
Paul
Yeah. Yeah. I agree. And you know, it is hard to, especially depending on the type of company, right?
Like I think in, in your space, it's very obvious, like the value that you provide. But in some other businesses, like it's hard as a security professional to kind of show value, right? It's like, can be difficult, especially in a very big business. So the book sounds quite interesting and curious to check it out myself.
I think it is important too. Like, as you mentioned, there is a lack of talent globally, I think in cybersecurity. But here in Asia, it is a bit more acute. I think there's plenty of studies out there describing the shortage of cybersecurity and engineering talent in Asia. So I think your book will, will go to good use and helping people kind of build out their career, starting to see more folks investing in this space but it's still a long way go, I think, in my opinion, to getting them to the right place and getting the amount of people that will be needed, especially as technology evolves, right?
Cuz it's only, only gonna need more as these technologies grow.
Pasi
And yeah, it's, it's also an experience accumulation process that you need to have these individuals on the field a number of years before they become proficient, you know, so...
Paul
Yeah, sure. You definitely learn by experience. Yeah. And environments in organizations too, right? Like different organizations are gonna have different cultures around security which I think is, in my opinion, one of the most important things that you can do as a business owner is create a sort of cultureculture of security in your org.
I think in, in crypto, hopefully it's, it's sort of there by default, but I'm sure you're focused on kind of bringing more training and sort of awareness to the users as well, but in a lot of businesses we see that they don't like, invest in creating a security culture, which I think is one of the cheapest ways to make the biggest security influence in a business.
Just have everyone kind of thinking that there could be a threat to them and questioning things. And I think that that level of just asking questions when, when something looks weird is, is a really powerful one to kind of, helps save a lot of security issues.
Pasi
Yeah. Understanding what's going on and having the awareness is requirement for behavioral change. Definitely kind of happen without it lack change.
Paul
Yeah. Agreed. I think crypto's no different, like you gotta, like when you're out there investing in crypto and stuff, you kind of gotta like pay attention, you know, check things twice. like those types of things, which I still get a little nervous every time I send money. But I do that with banks as well, so I still like double check everything and ensure it, and crypto's no different, I think from that asset, cuz it, it is real money, right?
Pasi
That's right!
Paul
So you gotta be gotta be careful.
Pasi
I still check my reference numbers twice before paying in my web bank.
Paul
Yeah. Yeah, exactly. Same.
It's, yeah, can be scary. And like, I mean it's interesting. So maybe kind of like wrap it up and ask the last question.
Like what do you kind of see for the future of the crypto industry? Obviously the market is, you know, not as great as it was a little while ago, but still growing. So what do you think is the future in terms of like crypto in of itself, but also like security in crypto?
Pasi
Right, right. Yeah, we are now going through something called crypto winter. It started a few months ago, maybe around Jan of 2022. In any case, it's not the first crypto winter in the history of cryptos. There's been a few before this. Nothing special about it, I guess.
What's going to be different?
So first of all, I think I'm reliving my childhood as a, as a nerd now, in a way. Let me explain a bit more. When I was a kid, it was a time of 90s. Web banking came along. I was soon teaching my parents what web banking is about.
Paul
Yeah.
Pasi
You know, dial-up modem and things like that. ASCII graphic interface of the first web banks. I feel that we are living that through now and I'm just expecting my daughter to come along and, and teach me how to, how she made her own NFT for the first time at the age of 12, and daddy, daddy, look what I did.
And then, then I would be like, yeah, daddy's a hacker, now wait, wait a minute. That's something I haven't done. So, I feel a lot of younger people will be adopting things first and then, and the older folks will follow. Natural evolution of technology, I guess.
Security wise, what will happen probably is the core of the crypto industry infrastructure will see less and less of these major attacks because of just maturing. We learn how to put things in a box better, secure our customers better. The regulation will improve or, or turn the industry into more mature way and that will probably take a while and it's going to be better in that sense, but on the fringes before that happens, we are going to see some more hacks happening around unproven concepts.
So as long as we don't have that dos and don'ts regulation out of it outside of it, then those limits will not be there. And I believe that there's going to be some of these misbehaviors in the industry going forward until we can weed that out as an industry. But, overall the progress will be towards more trustworthiness, more compliancecompliance, more international adoption of standards, towards compliance and consistency with the rest of the financial industry.
Looking at those central banks around the world, every single one has some sort of a project going on for their own central bank. Some sort of a digital currency or digital asset blockchain implementation, same as all the big banks. Or most of them anyway.
So I'm not seeing this mega-trend going away anywhere, anytime soon. That, that ... it's just how this planet and the innovation goes forward.
Paul
Yeah, totally agree. And definitely like, yeah, I mean, there, there, there obviously is a crypto winter, but you know, been a couple already.
Yeah, I think the technology is constantly evolving. It's getting better. I think it will be. I don't know how long it'll be and I don't think anyone knows, but hopefully sure. But you know, something that is inevitable to happen just like the sort of traditional economy is not doing so great right now either, right?
Pasi
So right.
Paul
Not much difference going on between the two ... From the emergence of the first web banks to the actual adoption, it took many years.
Paul
Yeah, yeah, yeah, of course.
Pasi
And here we are, with all of those banks.
Paul
Exactly right. It took hundreds of years, right? Which is interesting.
Yeah. Cool. Well, thanks for attending the podcast, Pasi, really be great to have you, and hope everyone can check out his book, Smile Security, and we'll share the link for that when we post this.
Thanks for coming on the podcast.
Pasi
Thank you, Paul. It's been my pleasure.
Paul
Okay. All right, Bye, everyone.
Pasi
Ciao!
