{"id":3450,"date":"2017-12-24T14:33:28","date_gmt":"2017-12-24T14:33:28","guid":{"rendered":"https:\/\/www.walkme.com\/blog\/?p=3450"},"modified":"2017-12-24T14:33:28","modified_gmt":"2017-12-24T14:33:28","slug":"security-walkme-in-the-life-daniel","status":"publish","type":"post","link":"https:\/\/www.walkme.com\/blog\/security-walkme-in-the-life-daniel\/","title":{"rendered":"Security Breach? It Won\u2019t Happen To Me They Said"},"content":{"rendered":"

A few months ago, WalkMe employees received a seemingly routine email in their inbox, notifying them of an impending expiration of their Gmail account password. \u00a0<\/span><\/p>\r\n

 <\/p>\r\n

\"\"<\/p>\r\n

 <\/p>\r\n

But, if we take a closer look, something about the email was fishy \u2014 or should we say phishy.<\/span><\/p>\r\n

 <\/p>\r\n

 <\/p>\r\n

Upon closer inspection, it can be seen that the description of the email contained discrepancies from the subject line.<\/span><\/p>\r\n

 <\/p>\r\n

\"\"<\/p>\r\n

 <\/p>\r\n

 <\/p>\r\n

Additionally, the slug contained a subtle but out of place dot under the letter \u201cm.\u201d<\/span><\/p>\r\n

 <\/p>\r\n

 <\/p>\r\n

 <\/p>\r\n

\"\"<\/p>\r\n

WalkMe employees are not easily fooled, however, and it wasn\u2019t long before someone blew the whistle and we found our perpetrator. <\/span><\/p>\r\n

 <\/p>\r\n

All signs pointed to Daniel, WalkMe\u2019s Chief Information Security Officer.\u00a0<\/strong><\/p>\r\n

 <\/p>\r\n

No typo there. This was all a carefully devised plan, to keep WalkMe employees on their toes. <\/span><\/p>\r\n

This test was meant to bring awareness to potential security threats and their significance as the dangers of cybercrime continue to rise.\u00a0<\/span><\/p>\r\n

With an <\/span>estimated damage expected to hit $6 trillion by 2021<\/span><\/a>, it got us thinking about the role of our security team keeping WalkMe\u2019s employees and our thousands of enterprise users safe and sound. <\/span><\/p>\r\n

 <\/p>\r\n

We turned to the mastermind himself for insider information. No password needed.<\/span><\/p>\r\n

 <\/p>\r\n

WalkMe: Daniel, Can you tell us a little about the fake phishing email test?<\/em><\/strong><\/h3>\r\n

 <\/p>\r\n

Daniel:<\/strong> The purpose of the email was to test the awareness of WalkMe employees and push them to pay closer attention to details. The phishing test was nearly identical to a legitimate email. <\/span><\/p>\r\n

 <\/p>\r\n

I recreated a plausible scenario of an attacker that managed to take control over the WalkMe mailing list service and send a phishing email to all our employees. The phishing itself was not 100% accurate, as we tried to exploit the “vulnerability” of <\/span>phishing unicode domains<\/span><\/a>, which created a big hype in the security industry \u2014 \u00a0even though it is an older strategy. In addition, we placed the attack strictly internally so we could not target those outside the company\u00a0\u2014 that is how we were able to utilize an official Gmail domain.<\/span><\/p>\r\n

 <\/p>\r\n

The one fact people don’t know is that I tested it first on our senior management<\/a>. I sent this email to our CEO, Dan Adika, and President, Rafi Sweary. A day later I sent this email during an R&D Meeting to our CTO while I was sitting right next to him. I wanted to see his response and how he would face such an incident. They all caught on to the scam, which was very impressive. <\/span><\/p>\r\n

 <\/p>\r\n

After the email went live, the first people to identify the phishing attempt not only avoided clicking the link,\u00a0but also reported it and created an internal channel to warn others within their office. For me, this was a great success.<\/span><\/p>\r\n

\"walkme<\/p>\r\n

WalkMe: Besides office prankster, can you give us insight into your role as CISO at WalkMe?<\/em><\/strong> <\/span><\/h3>\r\n

 <\/p>\r\n

Daniel:\u00a0<\/strong>As CISO, I am responsible for the security of IT. My main goals are to secure the company and the product itself. This includes building a secure development lifecycle and ensuring our safety policies are constantly enforced. <\/span><\/p>\r\n

 <\/p>\r\n

This spans from design and architecture development to QA testing and publishing. We continuously analyze our security procedures and undergo third-party audits to protect our customers’ data and private data from within. <\/span><\/p>\r\n

 <\/p>\r\n

It is also my role to ensure internal security of our data and maintain our security culture. Every employee plays a valuable part in creating a strong security culture. <\/span><\/p>\r\n

 <\/p>\r\n

We set out to make sure that everyone understands how important it is to be knowledgeable, aware, and most importantly, vocal of these types of situations. <\/span><\/p>\r\n

That is why the test we ran was important; it helped all employees to understand that security is a group effort.<\/span><\/p>\r\n

 <\/p>\r\n

WalkMe: WalkMe is a swiftly growing software company, doubling its employees in a year. How do you lead the security team to keep up with the privacy of data? \u00a0<\/em><\/strong><\/span><\/h3>\r\n

 <\/p>\r\n

Daniel:\u00a0<\/strong>There’s no denying that it’s definitely an ongoing challenge, not just for the CISO, but for the entire company. Some of the most dangerous threats are internal. The first step is to get management on board, make them understand the importance of security and also the business benefits of delivering a secured product.<\/span><\/p>\r\n

 <\/p>\r\n

The larger task is to continuously communicate the importance of security to the rest of the company. It is vital that all employees, no matter what department, understand how to perform daily tasks while keeping their data secure.<\/span><\/p>\r\n

\"walkme<\/p>\r\n

 <\/p>\r\n

WalkMe: What certifications does WalkMe hold and what is their significance?<\/em><\/strong><\/h3>\r\n

 <\/p>\r\n

Daniel:\u00a0<\/strong>One of the most important tools of a CISO and any company, in general, is to work according to security industry best practices. <\/span><\/p>\r\n

 <\/p>\r\n

We don’t need to reinvent the wheel in order to be a secure company. One of the most familiar security certifications is the ISO 27001, which is very important for every software product \u2014 especially SaaS<\/a>. It covers all the security sections and measures the company every year to ensure security is always improving. <\/span><\/p>\r\n

 <\/p>\r\n

Another security certification is SOC 2, which has become very popular in the past couple of years. Unlike the ISO certification, the output of the SOC 2 (TYPE II) is a report that includes a deep explanation of the company, the product, and a list of security controls that were examined by the auditors, as well as the results of each test. This report provides the customer with good visibility of the security in practice.<\/span><\/p>\r\n

 <\/p>\r\n

In addition, we are: <\/span><\/p>\r\n

 <\/p>\r\n

    \r\n\t
  1. \r\n