Interview
In the latest instalment of our interviews speaking to leaders throughout the world of tech, we’ve welcomed John Bambenek, cybersecurity specialist at Bambenek Consulting Ltd.
Contents
- Tell us about the business you represent, what is their vision & goals?
- What inspires and energises you within your work?
- Can you share a little bit about yourself and how you got into cybersecurity?
- How would you explain your role to a non-technical audience?
- What advice would you give to someone wishing to start their career in cybersecurity?
- Can you give an example of security issues at your jobs, and how you and your team fixed them?
- Can you walk me through a recent cybersecurity project you worked on?
- Does your organisation use log and metrics data to improve and secure your systems? How do you find managing logs assists your day-to-day work?
- What are common weaknesses in IT security strategies that companies often overlook?
- What are your thoughts on companies looking to prepare for CMMC compliance?
- Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
Tell us about the business you represent, what is their vision & goals?
I started Bambenek Consulting, LTD. to provide high quality threat intelligence, mostly to other security companies. What is more important to me, though, is that I also give data away to non-profits and other organizations that help provide security to the broader public and groups that don’t have the resources to pay for the high-end security tools that large companies have. I’ve created a way that I can do well while also doing good.
What inspires and energises you within your work?
At least when I am focusing on security issues for end users and consumers, I can take pride in knowing that I’m helping otherwise innocent people be a little bit safer online. In general, there is always a new problem or puzzle in cybersecurity. I hate being bored, and there is always a challenge that lets me apply my technical knowledge to.
Can you share a little bit about yourself and how you got into cybersecurity?
I got my first computer when I was 6 years old and started writing basic computer programs shortly thereafter. Not too long after that, I started playing video games, particularly role-playing games. I hated the “grinding” part of RPGs, so I learned how to use a hex editor to cheat and give myself gold or whatever so I could focus on the story and not the boring parts of the game.
How would you explain your role to a non-technical audience?
The human race has been lying, stealing, and engaging in criminal behavior since our earliest documented history. Computers simply provide another outlet for this long-standing human tendency to steal from our neighbors. I try to make technical means to make these criminal attacks less successful.
What advice would you give to someone wishing to start their career in cybersecurity?
Never lose your curiosity and always strive to learn new things. You may be stuck in a job with “lather, rinse, repeat” tasks, but try to learn the underlying technologies and how they work. When you get further along in your career, knowing the underbelly of tools will help you solve more complicated problems. Tools make it easy to not have to really know how things work; don’t accept this temptation, and always look under the hood.
Can you give an example of security issues at your jobs, and how you and your team fixed them?
Right now I’m working with a client on records digitization who is concerned about security and ransomware. It’s a smaller organization that cannot afford much security so just throwing products at them isn’t the answer. The question really revolves around when the owner wants to retire and what they’ll do with the business and issues that aren’t really connected to security. It’s always better to craft solutions around the long-term direction of a business and sometimes more technology isn’t the answer.
Can you walk me through a recent cybersecurity project you worked on?
Currently my big project is my PhD thesis in cybersecurity machine learning. If you look at Google Scholar, much of the academic study is around creating classifiers for domain generation algorithms, ironically based on a data set that I created for an entirely different purpose. My thesis is around the concept that classifying a malicious domain is really about determining features that indicate the individual decisions a person makes in setting up infrastructure, and how those decisions can help indicate malicious or benign intent. Hopefully the tools created will help the industry move forward in using machine learning in a more productive and less error-prone way.
Does your organisation use log and metrics data to improve and secure your systems? How do you find managing logs assists your day-to-day work?
In my case, I use this information to research how an attack happened and recover from it. If I have the log data, the problem is simple. My business bills by the hour; without logs I often can still get the answers, but it takes much longer, which means a higher bill amount. I actually prefer not to grind to get data that should be immediately available, so I can focus on solving the problem instead of trying to figure out how I can reverse engineer what happened.
Beyond that, for almost every client I’ve had, if they keep good logs I can both see blind spots in their organization and items they need to improve on. Lately, I’ve been focusing on helping organizations secure their identity solution and correctly implement multi-factor authentication. Since so many attacks start with co-opting the identity of an otherwise authorized user, sealing this window prevents many problems from occurring in the first place.
What are common weaknesses in IT security strategies that companies often overlook?
In the rush to implement new technologies, very few organizations actually look at the true risks that come along with them. AI is a great, current example. Many organizations are figuring out how to use AI, and much of the conversation about the risks is fictional and unrealistic (i.e. that ChatGPT will become self-aware and decide to kill off humanity).
An exercise I’ve gone through with my students is to think of an emerging technology and then consider how you could truly get someone killed with it, and this is hard even for security professionals. These decisions are made by technology generalists or business leaders, and security is struggling to keep up.
What are your thoughts on companies looking to prepare for CMMC compliance?
Like all frameworks, it’s a good practical starting point that has an approximation of metrics so you can show progress. If that’s a tool that will help an organization be more secure and it gets leadership buy-in, that’s great. No business is operating for the sake of security; they are operating to sell whatever product or service they sell... security is overhead. Whatever tool gets an organization to move the ball forward in security should be embraced, and it has always helped more to point to something external from an authoritative source than for a security professional to give their well-formed opinion without something outside of their word to back it up.
Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
The one risk that I think is real and not well-considered is that the drive to implement AI solutions means those providers will have an insatiable desire for more data. Creating AI models is a data intensive task that requires feeding more and more data into them for refinement. What this means in practical security and privacy terms is that these providers will vacuum up every bit of data they can get their hands on, which criminals will start to target so they can further attack organizations. We’ve seen with SolarWinds and other technology providers that these types of entities come under focused attack, and we’ll soon see this for AI/ML companies.