
“Invest in Employee Education rather than buying Protective Software and Hardware”

Bob Diachenko

Bob Diachenko is a Cyber Threat Intelligence Director and journalist at SecurityDiscovery.com, a cybersecurity research blog. Bob has over 12 years’ experience working in corporate/product/internal communications with a strong focus on Infosecurity, IT, and technology.

In an exclusive interaction with CISO MAG’s Rudra Srinivas, Bob explains his mission to make the cyber world safer by educating businesses and communities worldwide.

1. Tell us about your journey. What was your idea behind founding SecurityDiscovery.com?

It all started with a data breach. I worked in a company in the PR & Comms department and had little to no knowledge about cybersecurity and how the IoT world works. But when we received a notification from a security researcher who found our database sitting in a publicly accessible server online, I started to learn more about how and why it happened. I was surprised to hear that nobody was able to explain the reasons behind the exposure: “It was just a human error, it happens sometimes”.

Now I understand it was a breaking point in my career. I decided to explore how your corporate and personal data might end up online, and started exploring IoT search engines (Shodan, BinaryEdge, Censys, ZoomEye). Then I started sending my first alerts to the companies whose data I was able to identify. First, I acted on behalf of my company where I worked, then I was just Bob Diachenko, and then it all went down to a platform which we now know as SecurityDiscovery.com. It is not a company, but a non-profit initiative and place to publish public disclosures, and also represent me in emails.

2. What was your transition from an Account Manager at a PR firm to a Security Researcher like? How did you prepare for a complete role transformation?

It did not happen in a day. It took me almost a year to understand that I need to grow and work independently, not just as a representative of my employer. During this time, I never stopped learning and searching for exposed things online.

3. As a security researcher and cybersecurity consultant, what are the challenges you face while reporting the potential vulnerabilities to business owners in organizations?

Challenge No.1 – not all businesses have a proper contact point for communication of security issues – and even if their Privacy Policy contains something like privacy@companyname, it does not necessarily mean that this email works or somebody checks it.

Challenge No.2 – no replying or no communicating to security researchers, but simply rectifying the issues only with the aim to deny everything later on.

Threats are no longer an issue for me – they were once when I had no name or reputation, but today companies are much more open than before.

4. According to you, how can Artificial Intelligence help in detecting and mitigating cyber threats?

AI can be helpful, but I would not rely on it 100 percent. Even from my experience, I don’t fully automize the search for vulnerable/exposed endpoints and always leave places for manual analysis.

5. With cybercriminals using sophisticated methods to steal data, what can organizations do to stay ahead in the security race?

I always highlight that nothing can be better than an educated employee. An employee who follows cyber hygiene rules (that I promote every time I get an opportunity to speak publicly), and manages data responsibly – in the office and at home. So, the main advice from me to organizations is: invest into education! Even more than you invest into buying protective software and hardware.

6. As a security expert you’ve disclosed numerous critical vulnerabilities. Which one among them do you consider as the most significant discovery?

Really hard to highlight one, but I would consider the most significant to be those belonging to criminal or malicious actors: spam cartels and the Gootkit trojan. The Clash of Clans digital laundry was also a big one (https://www.vice.com/en_asia/article/xwkyb3/scammers-are-using-clash-of-clans-to-launder-money-from-stolen-credit-cards).

7. As a security researcher at Hacken, what were the security challenges you observed with Blockchain? Tell us about the work you did at Hacken.

I was not that much involved in blockchain while working at Hacken, and it really took me three months to get there. My work and research did not change much while I was there.