Tune in to this episode of Ask A CISO to hear:
- What the Russian invasion of Ukraine tells us of the global cybersecurity landscape
- Why Samuel sees phishing as a "good thing"
- Samuel's recommendation for solving the manpower crunch in cybersecurity
- How the Hong Kong government is helping to solve the manpower shortage and encouraging innovation in cybersecurity, and what is the ABCD approach?
About the Guest: Samuel Ng
A passion-fuelled cybersecurity professional with leadership training from the armed forces, Samuel has extensive experience in all cybersecurity domains from both technical and management perspectives. He has brought value to organizations by balancing governance, controls, and business strategies, ultimately upholding the CIA Triad (Confidentiality, Integrity, Availability) at the highest standard.
As a 14-year Malaysian army veteran with a master’s degree and multiple recognized infosec certifications, he moved his career to Hong Kong and contributed to various sectors including banking, telecommunications, cloud, IT infrastructure, start-ups, etc. He currently exercises his expertise at the Hong Kong Applied Science and Technology Research Institute (ASTRI), where he is responsible for strategic planning and for leading research directions in cybersecurity and data analytics.
About The Host: Paul Hadjy
Paul Hadjy is co-founder and CEO of Horangi Cyber Security.
Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.
Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific.
He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams.
He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking.
Hey, hello, morning, Samuel!
Hey, good morning, Sky.
Hi. Thanks for taking time to do this Ask A CISO podcast with us. Actually I've been meaning to get you onto this podcast for quite some time, but I know you're pretty busy. Yeah, so probably, I mean, for the benefit of the audience let me just do a quick introduction of Samuel, who is our latest guest on this podcast.
Samuel is actually one of the cybersecurity practitioners I've known for quite a bit of time. Samuel actually has a pretty interesting background. He actually started his career in the Malaysian military over a period spanning 14 years, taking on roles in Signals, artillery, transport, infantry, then I guess from there, given Samuel's deep-rooted interest in technology and cyber, he embarked on his journey into the private sector with a pretty daring and bold move, moving into a new country totally, in Hong Kong, and assumed the role of a senior security consultant in PWC.
Of course, with Samuel's caliber and capability, turned in a very stellar performance, and then was actually approached by WeLab Bank to head up their cybersecurity team. But I guess that's a different kind of challenge for Samuel because he started with a very small organization and then built the team up into the well-oiled machine that it is today within a span of 1.5 to 2 years.
And then last but not least his latest adventure with ASTRI. Samuel is now the Director of Cybersecurity and Analytics at ASTRI, and he is really helping, you know, generally like the industry using technology, discovering more stuff to help the cyber industry in general.
And of course, more importantly, to help address a global concern, right, which is a talent deficit in cybersecurity, specifically within Hong Kong. But yeah, I mean, that's, that's the illustrious background that we have with a capable person like Samuel and, you know, extremely, extremely honored to have you on the podcast with us today.
That's a remarkable introduction, and I feel flattered and appreciate the opportunity for your invitation for sharing. Thank you, Sky, and thank you, Horangi.
I think like what you have done over the last 15, 20 years is really, like we mentioned it went through a lot of different journeys, right? Starting from the military then, because of your interest in tech, your constant upgrading, getting your Masters and so on and so forth, and then moving into the cyber space.
I mean, across your very widely traveled career, what do you see has been the evolving trends, general insights and yourself, previously as CISO at WeLab Bank, like how does all this resonate to you?
Well, let's start from the journey-wise.
I mean, it's a lot of ups and downs along the years, but basically, I'm having fun because cybersecurity is a passion. I've been hacking since I was a kid. So I did some bad things, and now we should do some good things to compensate, right?
So the passion is the drive that drives you through the hard times. So that's ... means when you're going through hard times but you're still having fun, so it's basically the motivation. So, having the time and opportunity to deal with a lot of cybersecurity incidents and stuff, it's all my interests.
And a lot of things I see is still, you know, generally, there are two types of big attacks. Like they're trying to exploit our web servers and stuff. And the other way is social engineering. I mean, until today, phishing is still widely used.
And that, on the positive side, when you see a lot of phishing, it's kind of like good news. It means that they cannot easily, with a push of a button, hack into your server; they need to go around that, to use people. So I see it from the positive side.
So I have been following a lot of global trends and I think the best example that we can use currently, in the current situation, is the Russian invasion, right?
I'm going to leave all the politics out from this talk and I will just demonstrate a little bit about the timeline of the Russian invasion and cybersecurity. So I have been following closely on this Russian invasion. So it happens on the 24th of February.
So, if you look at the news, within a week or two, you can see a lot of news has been published that this government website or this government website was hacked, that government website was hacked, all this, like all this information. While some of this might be just fake news or just trying to stir things up, but because it's my interest, so I actually went to look into it and there's a government website called Roskomnadzor. It's basically a Russian federal service for supervision of communication, IT, and mass media.
So that happens within two to three weeks. So, and I, because of interest, I went to see, other hackers actually leaked something out, leaked more than five, a lot of gigabytes of data out from the organization itself. So the point here is, look at the timeline: within two or three weeks, they can actually exfiltrate so much data.
So out of interest, I actually went to find all those data. There's a place called DDOS. It's not the usual DDoS that we know. It's ... that website is called Distributed Denial of Secrets, where a lot of hackers actually publish things out there. So, because it's my passion, so I went to actually download the data and actually have a look.
It seems that it ... the data was taken from an internal network, exfiltrated out from an Active Directory environment, because we can see SMBs and stuff like that.
So now the timeline. So let's come back to the main point here. So within two or three weeks, so much data was exfiltrated. Right? So what does that mean? It means that either someone was already in there previously, before even the invasion happened, or there are a lot of unknown exploits still lying around, right?
And the third point is: a lot of systems haven't been patched. So these are the few things that we have looked at so far. So that would explain actually the global landscape of cyber attacks.
Yeah, I think you brought up a good point, right? Like even with the recent Log4j issue, like, I think patching has always been like one of the most tedious and troublesome parts of enterprise IT, right? I think ... being a seasoned cyber practitioner, I think you probably have a lot of conversations, very tough conversations with a lot of your colleagues in the whole project team, and people tend to forget the simplest oversight may lead to the most disastrous outcomes. Right?
Like I think like in the SolarWinds case as well, there was a backdoor, you know, I mean, people put in the patches because you know, they do what's released. Yeah. Things happened, but I think generally what, like what you mentioned, right, I think it's important to kind of understand like the attack-defense simulation kind of stuff, right?
Because as the defenders, we can put up as much defense technologies that we can understand the business objectives and try to make the most informed decision and then protect our organization the best, but you know, like what you rightly mentioned, right, it's also important, in fact, it's equally important to understand potential attack techniques that can be deployed.
And then from there, once you understand attack techniques better, you kind of can make better decisions on how to lay up your defenses, which I think goes a lot back into your background as a security consultant, and that adds a lot more insights to your portfolio when you were trying to build up the team in WeLab Bank, right?
And I think like what you rightly mentioned, your religious following of the whole Russian invasion. That's very impressive actually. I mean that also kind of points to supply chain attacks, which I think everyone's very mindful of.
Any insights or any suggestions that you may have for organizations that are guarding against supply chain attacks or in general, attacks from motivated adversaries?
Building a team from scratch and complying with strict regulations by the financial industry, which is, I mean, hiring and stuff that, and like you said, a lot of tedious work and vulnerability management.
Sometimes you have to beg people to actually, to even just install and patch, because I do understand the IT infrastructures side of story because they have a lot of other priorities. We have to support the business and stuff.
But as a cybersecurity practitioner, you're always at the light side of things, but the attackers come from the dark side. So we have to be lucky every time and the threat actors only have to be lucky once.
So like you said, a lot of burnouts from the engineers that I have, dealing with all these operations, phishing emails, patch management, and stuff, and tons of tons of alerts that you have to deal with every day. And like you said, a lot of burnouts in talent.
So, I would recommend to fix things from the bottom up. It starts from the talent side, point number one. Point number two: using new technology like AI and machine learning. But at the same time, I wouldn't say that it's fairly new, but maturity should be improved, right? Like what we are doing here in the research centers, where we have recorded more than 40 thousand attack traffic and malware samples and stuff, and try to train the defense systems, improve the maturity of AI and machine learning and stuff.
So that will come in a two-way approach to actually fix the talent shortage or talent burnouts and stuff like that. So to motivate the talents, we need to have some cool things, you know, wow, we have AI helping us, you know. When they feel that they are doing something cool, they will stay on and then it makes them happy, you know.
I would like to hear from your side of the story as well, Sky.
Yeah. I think you mentioned two very pertinent topics in cyber today.
Number one, for sure, talent deficit is something that all organizations have to deal with. Be it from an end user perspective or from a service provider perspective. I think this is actually one of the most practical issues that everyone is dealing with. And I've, I was reading through an article from Forbes recently. And I think it was like quite aligned with what we have been talking about, right?
It was actually captured by Korn Ferry, like one of the big consultancy firms on the market. The average tenure of a CEO is 8.1 years in an organization, thereabouts. General C-suites should be around five to six years. CIOs, the big guys handling the entire enterprise IT, about 4 years. But the very telling statistic is that a CISO usually only lasts around two years.
So like what you mentioned, so it's a bottom up issue, right? Talent deficit leads to fatigue in work and as a CISO yourself, as someone who runs cyber, it kind of increases the strain for yourself and your team and when this happens, right, and we have lack of new blood joining the industry, it kind of becomes like a vicious cycle.
So I guess, like you rightly mentioned, it has to be something that we need to address from a broad, bottom up perspective. While governments, organizations, service providers, end users, we have been trying to attract talents to join this industry, but I think the war against the threat actors cannot be understated and it's increasing on a daily basis.
So this is something that I think in general, we are all trying to address, right? To get more people to join us. And that ties very closely to the second topic that you mentioned about machine learning and AI. In cyber, I don't think that's ... I don't think it's feasible for us to do everything manually or ourselves.
Of course, human expertise is definitely required because that differentiates good from best. So as much as we can, we should use technology to automate most of the stuff that we can do. And then where human expertise is being called in, that's where the experiences against bad guys will help. Like yourself, right? You have been a lot. That's where your expertise will help.
But I'm just curious to pick your mind, you know, like, have you done, in your current role, right, in ASTRI, like, were there any interesting technologies, were there any interesting programs that you as the director there have been researching on, developing on, to, like I mentioned, bring in the cool toys for more folks to join us in the cyber industry?
Hey, you're right. A very good question. I have three answers for that.
So one is the Hong Kong government has actually put in a lot of effort in building the talents. So in ASTRI, in this Hong Kong research center, we have very attractive talent programs through which we are trying to build the new talents. So I understand that in cybersecurity, a lot of certifications will actually scare a lot of entry-level positions, a lot of, you know, like, the fresh grads; they will be saying that, Hey, I don't have a certification, that I have to take a 24-hour exam to actually be certified.
So, what we are currently doing that we have few efforts is number one, the talent program.
Number two is we kind of lower the bar of joining into cybersecurity. So security is something that, you know the basics and then you try to work it out. It's like picking a lock. Before you pick a lock, you need to know how a lock works, right? So that's ...
Once you know the basics and then you know how to work around with it, you know how to play with it. Right.
So that's what we are trying to do. We are trying to find talents like from IT infrastructure, IT network, so it means they know well about TCP/IP, OSI network and stuff. And that's how we train them from that onwards.
So we have a good talent program and we try to lower the bar and then try to absorb more IT fresh grads and try to train them up from there.
So the third answer will be, it's kind of like working in parallel. So to try to improve the AI and machine learning maturity. And of course using things like what we call ABCD: A is AI and machine learning, B is blockchain, right. C is cybersecurity, then D is data analytics.
So we try to work on these four items. And recently we have been using blockchain to build a secure import system where we're using IoT and stuff where, so the example is like this: when they're trying to move the cold food from China to Hong Kong, so all the IoT devices, we have heat sensors and stuff, temperature sensors, GPS sensors, and then to detect ... all the data for all is fixed in the blockchain.
So when we think about blockchain, we always think about Bitcoins, right? So we are trying to do it's a blockchain beyond Bitcoins, so that privacy and or whatever data security, it's implanted in the system itself, without you thinking about network segmentation, secured databases and stuff like that. So, right. We're trying to use things in a different way and try to do things secure by design.
So at the same time, if it's secure by design, it means less fatigue on the engineers. So that's what we are trying to do. So imagine that we can import cold food from China to Hong Kong, it's all in blockchain and it's temperature sensitive, it has to be monitored all along the way. Imagine that you can have that system for the COVID vaccines. COVID vaccines are all temperature sensitive as well.
So we are trying to think more new ideas to build things up, right? And another thing is we try to get out of the box. Like cybersecurity detection has always been, you know, log management and, you know, and SIEM and stuff. So have you ever thought about detecting malware using electromagnetic wave generated from the CPU itself when the malware has been executed?
Imagine, because there's a paper published that talks about each malware being executed generating a different signature of electromagnetic wave. So try to imagine if you put a device in your data center and then when someone runs Mimikatz or whatever malware tools in your server, then you can detect it from the electromagnetic wave side.
So these are the other things that we are trying to think out of the box, you see. So hopefully it will help Sky to fix that talent deficit problem with all the new technologies and stuff.
Yeah. I think that was actually a very interesting topic that you highlighted, like different applications of what we were previously familiar with. Like you mentioned, right, actually the possibilities of blockchain are limitless.
Like even ourselves, we have worked with clients who use blockchain for a different use case besides the standard stuff that we know, like, I mean the crypto space is not doing well these couple of days, but yeah, I mean, using blockchain, using DLT, to kind of like give more assurance how things can be more securely designed in the first place, that kind of like reduces the operational and maintenance support that's required subsequently, right? To a certain extent.
So, but of course, then there will be a different conversation coming up.
Also, how can you ensure that your blockchain is secure? Like it's always a chicken and egg thing. And then ... That's exactly what makes cyber interesting, right? Like things are changing on a daily basis. We always learn new stuff and that's actually the beauty of this industry, but of course, given that you have to learn new stuff every day, it's tiring and it burns people out.
So, and the other thing that you mentioned about the electromagnetic wave, that is actually something very interesting. I've not heard that before at all. Is that something that you guys are actually doing research on right now? After you saw the article?
Yeah, we have been actively looking for new ways and new ideas and stuff. So I think this is very feasible and so it's called Hong Kong Applied Science. The difference between applied science and theoretical science is that applied science uses the theory and brings it on the ground so that it works. It brings value and stuff.
So that's the difference of applied science.
And really, I like the word you were using, the metaphor of chicken and egg. And that reminds me that whatever we are enjoying today, it's a seed planted by the previous generations, right? So, like you said, I have a lot of questions being asked, like why should I use blockchain? Why can't I just use a traditional database and stuff? Right?
So that's kind of a hard question, but if we think forward, if you think five to 10 years in advance, so you will be like laying the ground first when you start using blockchain and stuff, and then the scalability and the effectiveness will come later in time.
So that's how we should actually plant the seed right now, so that the future generations can enjoy our fruit. So that's the few points and electromagnetic wave, it's kind of a think-out-of-the-box idea.
And we love all the papers. We have been reading a lot of papers every day and we try to find theoretical things that work and bring them down to our clients or staff. And the best thing about the Hong Kong government is, a lot of this innovation fund that you can apply for, It's a go... The funding scheme can go up to 70%, 50% of a funding scheme. So that explains how the government is committed to actually push innovation forward.
Yeah, I think that's something that you have mentioned that I think is critical to help develop that industry, right? Because in general, I think to have the government's support, having funding available, you know, sometimes people are stopped in their tracks because it's just a lack of funding or a little lack of a push from someone from the big brothers and, Hey, don't worry. Just go ahead and try. Take that theory, try to apply it and see whether it makes sense. And if it's something that works right, we can try to continue to refine, enhance it to something that is usable commonly in five, 10 years down the road.
I really liked the portion about like planting the seeds right now, because I think blockchain as a ... citing it as a specific example, blockchain, people still have some wrong or negative connotation about blockchain in general. I mean, at Horangi ourselves, we are big believers in blockchain and we have been working with a lot of firms who have been using blockchain extensively.
So definitely on our end, we do understand the beauty, but I think in general, be it end users, be it providers, be it governments, federations, associations, I think it's important that we kind of continue working in the goals that we believe in and plant the seeds today, bring it down 10 years. Fast-forward 10 years, fast forward 15 years then everyone will kind of see, oh, actually blockchain makes sense.
This started like, maybe 20 years ago when people were still on cable, right? We started moving into IP. So, it's something that I guess it makes sense for us to do it, put in the hard work now and pay it forward so that the future generation can kind of like have an uplift in terms of the technology. Totally agree with what you mentioned.
I'm very interested in a point you said. So tell me, you were saying on the negative comments and stuff. Sometimes I see negative comments as a new opportunity. So what kind of details have you heard, I mean, it might be a bit different, how we are doing things in Hong Kong and Singapore, you know, I would really be interested to know about it.
Definitely. Like, I mean there will be comments like, Hey, how do I know that the public blockchain is secure if I have no say at all, so open ... Am I supposed to be concerned if I'm passing part of my data or the metadata is transmitted through a blockchain which I totally have no idea about, I totally have no full control over? I mean that's where like traditional enterprise IT's mentality has to kind of like ... take some understanding about why blockchain is something that can complement.
We are not removing enterprise IT, right? There was no intention to remove enterprise IT. The key idea is that, Hey, there's actually another cool kid on the ground, like in the playground, do you guys want to just mingle with him and see how we can play together?
Like, I think that's a key idea that believers in blockchain are having, so I think that's something that in general, we should be a bit more open-minded about. And like you mentioned, with all these fun toys to play with, right? It kind of makes the job more bearable, more interesting. And if you're really doing something that you have passion in, right, I don't think you'll find it as work. You'll probably want to come to ... you will want to turn on your laptop every day because there's new stuff that you can play with. There are interesting things that you can experiment with. And that makes cyber a lot more refreshing, a lot more challenging. That's a drive and motivation for us to pick up our work and start running again every single day.
Well, I hear something in common with what I've heard here in Hong Kong as well. I think it's all about trust. When we put data in blockchain, like you said, how can I trust the public blockchain and stuff? The trust is just like money. We trust the Hong Kong dollar. We trust the Singapore dollar. That's why it has value. If not, it's just only paper. Right?
So I think blockchain is fully customizable. You can have a public blockchain. If you don't trust it, you can have your own private blockchain, and we have cloud. It can be, you can fire up a node in such a short time, and different consensus protocols and stuff we can do, so I think it's fully customizable to tailor to human trust, that's what I've been thinking. It's not only papers, like what we have in our wallet.
For sure. Yeah. I mean, yeah, that's something that yeah, I mean, that's something that we can keep in mind and see how things develop. Really excited to see this space actually. Yeah, I mean, mindful of time, I don't want to hold you back too long, Samuel.
As closing, right, I think we mentioned a few pointers, like how the cybersecurity trend and landscape has been changing, especially in the last 12 months. The talent deficit, which is very, very real even for ourselves as a consultancy firm, we feel it very keenly. I think it's gonna be even worse in end-user environment because you guys have to handle different parties every single day.
But as a CISO, I'm pretty sure you felt the strain and the drain before, but please hang in there. Then comes the fun part about using technology. Right? I like the ABCD portion, AI machine learning, blockchain, cybersecurity, data analytics, it kind of like makes a very complicated topic into like four letters, but I like the way you did it. It's different. And that's something that I think we need to be all very aware of because it will just become stagnant if we keep looking at things in the same perspective.
So when you kind of wrap it as ABCD, kind of like brings us into a different perspective and it allows us to understand things better from a different light and that potentially can be a brainstorming session to come up with new ideas. So I really liked that a lot. Last but not least is, like what you mentioned about that extremely interesting topic that I think I'm going to catch you up after the call, the electromagnetic waves portion. I think that is extremely cool.
And, you know, the real difference that you guys are making, right, from converting theories into applied sciences. Making a prototype, making sure that it works, and eventually making it into publicly available technology. So I guess, those were the four things we spoke about. I hope that the listeners actually kind of have a different view towards cyber. It's not every day about cloud security, not every day about EDR, not about SIEM.
Cyber is a changing thing evolving on a daily basis. We kind of need to add a more human aspect to it. Not just on how we want to be the bad guys, how we want to prevent the bad guys from coming, but as defenders like you guys, the talents, even our consultants, I think we need to understand that human aspect of things. And when the humans believe in that same direction, that firm belief, that can actually help us drive forward in a more positive manner.
And eventually, the cyber industry will benefit in the long run.
Right. Okay. Less is more.
Appreciate this discussion. I think we had a fruitful discussion, man.
Let me catch you up on the EM wave part. I'm really very, very interested in that, but I shall not hold you back further.
Thanks for taking time to join us for this session. Appreciate your time. If there's a chance, let's do this again.