Sunday, November 15, 2015

"There are many companies spending a lot in security without thinking"

Juan Antonio Calles. Cyber Security Senior Manager in KPMG Spain

Juan Antonio Calles (on the left in the pic) and Pablo González, who we talked with in this same section a about two months ago, form an unusual friendship tandem in the individualist world of the cyber security. Juan Antonio, Juanan for friends, began in this world when he started as an intern in the company Informática64, today Eleven Paths. But Juanan toke many years playing with computers, specifically and this isn’t a joke, since he was 4 years old, when his uncle Juan Luís gave him an Amstrad CPC 464. His uncle didn’t stop and kept on giving him his used computers, as well as the necessary knowledge. 

Actually, explains Juan Antonio, today 28 years old and living in Mostoles, what always attracted his attention was “being an undercarriage designer, like Scaglietti or Pininfariina, I spent all day drawing cars”. But the influence of his uncle was stronger and, on top of that, his friend since he was 8 years old, Pablo, is dedicated to computing too. So he was condemned: Juanan signed in the university while working. In March 2014 he created his own company, Zink Security, which was sold to the multinational KPMG six months ago.

- Are you here for money or there are other motivations?

- I’m here because I love it with no doubt. If I worked in another job I wouldn’t wake up at 7 a.m with a smile, and that’s not paid with money. Working in what you love is the best motivation and I feel very lucky for dedicating myself professionally to cyber security, when this is just a hobby for many people.

- Of the wide world of cyber security, which part do you love more?

- The truth is I dedicate to so many things… Sometimes I have to collaborate in a pentest, support to a colleague analyzing a malware, developing an script or coordinate the answer to an incident. But if I have to choose something, which I love most is developing software oriented to the audits of ethic hacking.

- I see in LinkedIn you’ve been a minimum of 4 years working for the law enforcement state corps, banks, insurance companies… what kind of services buy these sectors to specialists like you?

- I know you expect a funny and different answer but the truth is all of our clients always ask for similar things, checking their system´s security to discover its security failures, and when we find them helping them to solve it. We also support them when there are incidences in the security, helping them to contain them and making the forensic analysis if necessary, and checking again the security of these systems so similar incidents won’t happen again.

- I guess they also buy your discretion but… how you qualify the level of cyber security in these sectors?

- Total security doesn’t exist, it’s a myth “like the water falling from the sky without knowing exactly why”};P And all the sectors, without exception, have similar problems. However, as always, the companies that invest more money in security tend to be more secure. And this is the case of banks, because  security is vital for their business. But I want qualify the “tehey tend”, because there are companies that spend a lot in security, but without thinking. We have to how to choose the basket to put all our eggs in, and where is the balance between investing in security, and the value of the data and the services that would be protected with this investment. The classic ROI.

-  In  last year RootedCon, you and Pablo presented a curious idea: the creation of botnets as weapon for the cyberwar.

- This research was made by Pablo González, our friend Alberto Sánchez and I. We investigated the development of malware for Android, but adding evasion techniques and an integration with Metasploit. The cyberwar touch seemed curious to us because it was a “low cost” way for the countries with low resources to fight in a possible cyberwar against the great global potencies which invest thousands of million in cyberattack systems.

- Twenty years ago, the principal world hacker groups signed a joint declaration against the Cyberwar where urged to hackers not work for the cybernetic war. So… :) Do you have something to say?

- Twenty years ago I was in the schoolyard playing “tazos” :P, I can’t say anything! But jokes apart, our chat was a simple concept test without more transcendence that showing the world the abilities of a botnet in a cyberwar from an academic point of view .

- Pablo and you have a common proyect: Flu Project

-We started to talk about it in 2009: both worked a lot with malware and we decided to develop one with the educational purpose of watching how they worked and improving the antimalware systems. In 2010 we found time to develop a Trojan horse undetectable for the antivirus. We built a website to share the development with the community, to improve it, using it in formations so people could learnt from it. Few days after creating Flu Project, their readers asked us to build a blog, and we started to share not only things referred to Flu Trojan horse, but we began to talk about security in networks, operative systems, tools too, and now he have almost 1.500 articles in 5 years.

- You have yet another hat, which is volunteer collaborator in X1RedMasSecura.

- The X1RedMasSegura sessions were born three years ago because my great friend Angelucho. On the occasion of the first anniversary of his personal blog sent us an email to some friends asking us to help him to make “something” with the objective of educating about cyber security on Internet. During a month we discussed about what we wanted to build, how, where… and then we couldn´t control it! We created an event with more than 100 assistants. We loved the experience and had repeated it the next years. there’s a team of great professionals and friends behind it: Josep, Fernando, Ángel, Blanca, Olga, David, Longinos, Virtu, Pat, Inma… you’re GREAT.

- -How many hours do you spend daily on cybersecurity?

- I work from 9:00 to 19:00, which means 9 hours. Add the hour of driving wich I spend thinking in projects and having some telephone meetings and, it’s very common to dedicate at least one or two hours at home answering emails, finishing some reports or preparing articles for Flu Proyect. We can say that when I don’t sleep… I dedicate to cyber security!

- And the last one :) Do you have any favourite quote that haven´t used yet as a password?

- I usually use a quote said by an old work collegue and constantly repeated by the great Andrés Montes: “Enjoy your life, because the life can be wonderful!" And the truth is I try remember it often to encourage the people around me.

Texto: Mercè Molist


Post a Comment