“We do our research on the dark side”
This interview continues our interview series from the Aufschwung-Messe in the Frankfurt Stock Exchange building. In this 3rd interview we are talking to David Kelm (https://www.linkedin.com/in/david-kelm-it-seal/), CEO of IT-Seal (Social Engineering Analytics Laboratory, https://it-seal.de/), a cybersecurity company that helps corporations train their employees in IT security, especially in recognizing phishing emails. David started the company out of his master’s thesis, for which he originally just wanted to generate quantitative data on social engineering.
“To be a bad guy, you need to be creative”
“we are looking for Venture Capital Investors – We are in the middle between Seed and Series A”
Learn more about our Affiliate Marketing here: https://www.startuprad.io/blog/affiliate-marketing-at-startuprad-io/
“Websites like Glassdoor and kununu are really interesting for attackers”
Find all the Instagram postings from Joe here on our Instagram account:
“… on your LinkedIn profile, you should not make your contacts publicly available”
During the interview we talk about:
- BSI – The German “Federal Office for Information Security” https://www.bsi.bund.de/EN/Home/home_node.html
- Workers Council https://en.wikipedia.org/wiki/Workers%27_council
“At the beginning of the training, the management level clicks the most [on phishing links]”
This interview is part of a series of interviews done at the Aufschwung Messe in Frankfurt, one of the large startup and entrepreneur fairs in Germany, backed by multiple sponsors and public institutions. You can learn more about the fair here (German only): https://www.aufschwung-messe.de/ and don’t forget the founder of the fair, Burkhard. Burkhard runs one of Germany’s most frequented and renowned business blogs, where he introduces his readers to one new business model a day in German, adding up to more than 7.750 in 5.00 days (almost 14 years). Learn more here: https://www.best-practice-business.de/
Narrator: Welcome to startuprad.io. Your podcast and YouTube blog covering the German startup scene with news, interviews and live events.
Joe: Hello and welcome everybody. This is Joe from startuprad.io, your startup podcast and YouTube blog from Germany. As you may see from the background, as well as hear from the noise, I’m still here at the Aufschwung Messe in lovely Frankfurt in the very nice and very old Stock Exchange building, of which I posted some pictures on Instagram, linked down here in the show notes. Today, I do have a real ‘seal’ with me, an IT SEAL. And your name is?
David: My name is David Kelm. I’m from IT SEAL, a startup in the area of cybersecurity but we are not Navy SEALs.
Joe: It was the first thing that came to my mind when you wrote me an email. But it’s actually for Social Engineering Analytics Lab.
David: Yes, that’s correct yes.
Joe: And the viewers can already guess, you do social engineering stuff, right?
David: Yes, that’s correct, so we try to trick humans, trick employees. Manipulate them somehow into opening things, into handing out information or letting us into a building, for example, or transferring money into a different bank account. These are the things that real attackers do these days, and we try to do them as well and try to train the people to get more secure against this.
Joe: I see. And actually, you’re not going to take the money, you’re not taking anything outside of the building, but actually, your cybersecurity firm is acting as an intruder and helping people to learn, understand and be aware of what they’re doing, right?
David: Exactly, yes. We’re the good guys.
Joe: You’re the good guys. And actually, your SEAL career started with the master’s thesis. So you told me, right?
David: That’s correct. Yes. I think it was 2014 at the Technical University in Darmstadt, and I did my master’s about that topic, to see how vulnerable a company is and to measure that. And to measure that, obviously, you have to simulate these attacks and see how the people react. And then in the next step, we can start and see how we can train these people to get more secure, to behave more securely in these times.
Joe: So, I’m a little bit curious. Where do you get the ideas of how to be bad? I’ve been working in some parts where you actually have forensics or stuff like that. And the guys who are working there who have to get the real criminals, they would be amazing criminals. So how do you train yourself? Do you surf a lot on the darknet?
David: Yes, of course. We research the dark side, let’s say. So, on the one hand, we see what texts are really made public by the victims, so that we can see what the most frequent attacks are. But on the other hand, we also collaborate with the BSI, for example. The Federal Government Office for IT security.
Joe: Federal Office of IT Security. ‘Bundesamt für Sicherheit in der Informationstechnik’ for everyone who does know German.
David: Yes. We know some people there and have some contact. So, from time to time we can see and talk there to some real criminals as well and see how they think. But in the end, it’s all about being creative. So, you have to come up with your own ideas about what people fall for. For example, we talk to our customers and ask them for ideas of what would be a real scenario, what could happen, what would be successful for that company. Because of course, for every industry area you have different kinds of attacks, different cover stories that you can talk about. If you go to a chemical company, it’s different than a hospital, it’s different than some public service organizations.
Joe: That’s a quote, mate, to promote this video. “To be a bad guy, you need to be creative.” I love that one.
David: Especially in the area of social engineering. That’s all. You need to be creative. And it’s just about being flexible enough and tricking people into something.
Joe: But it doesn’t work all the time, right? So, you think about a certain methodology, everybody is aware of it and you have to come up with some new manipulation, right?
David: Yes. That’s correct, of course. We focus on training people, so they get more secure with time. And of course, the attackers change, so since we want to simulate the real attacks, we have to change as well. We have to adjust our attack areas.
Joe: From what I understand about your business, you basically crawl through all the publicly available data of certain groups of employees.
David: Correct, yes.
Joe: You try then to tailor phishing messages and get people to click on certain links and every time they do that, there’s a number that pops up on your monitor and you know people in this area need a little bit more training.
David: Yes, so we crawl, for example, especially job review websites like Glassdoor and kununu, which are really interesting for us and for real attackers. And also these HR websites like LinkedIn, for example. There attackers can find a lot of information about the companies. So, that’s what we do basically as well. We research what information we can get there and then we tailor the attacks individually to the people.
Joe: Just out of curiosity, what would be your recommendation as to what should not be included in your LinkedIn profile?
David: So, you should definitely not make your contacts publicly available. Because the contacts are really interesting for the attackers. I can just send you an email in the name of a contact: “hey, didn’t we just talk about that in the link?” And if you really have been in contact, it can be very, very hard to identify this. Furthermore, having private information such as that you’re going on a vacation, or your hobbies, what you are interested in. That can be really a lot of information. It’s okay to share this with your contacts, with the people you know, but do not make them publicly available. That’s really, really dangerous.
Joe: I am curious, what are you getting, for example, as a potential cyber attacker from websites like Glassdoor? What do they tell you?
David: So, they tell us something about the benefits. How the company works internally. What do their processes look like? For example, do they have an internal doctor? Do they have a cafeteria? Do they have some insurance things?
Joe: Can you bring your pets along?
David: Exactly. These are things that, in the next step, we can use when we create the attack, and we just send an email in the name of the CEO. And then we know what she should announce, for example, a new sports course for yoga or for Business House or something.
Joe: I had in mind, when I looked through, the company that would have pets. I would just send out an email: “there is a dog at the reception. Who knows it? Please click here.”
David: Yes. That’s quite a good idea. I like it.
Joe: Oh, I would be such a good criminal.
David: We always ask our customers, as I said, because everybody has some good ideas on how to trick people. And as you see, it’s quite fun to think about these. But of course, it’s very important, and one of our company policies says, that we want to stay respectful. We do not want to put the people under too much pressure. We do not want to make them have too much fear, because that’s what criminals often do. In the end, we do not want people to go home with a bad feeling, pissed off at their company or their employer, thinking everything is bad. We do not want to make things worse.
Joe: So, from what I understand, you group the employees of the respective companies and then basically you are analyzing the security behavior of those bigger or smaller groups, right?
David: Exactly. Everything is anonymous. So, we cannot say “you clicked, so we’ll kick you out” and we are more secure. That’s exactly the thing that we do not want to happen, so everything is anonymous. Especially in Germany, that’s really important, because we talk a lot to workers councils, and many, many questions come up there, because they are really worried that their coworkers are not secure and will have some disadvantages in the end. But we always say, okay, “it’s about the training”, and it’s important for everybody, even in the private area. Everybody needs this, needs to get more secure, and in the end the workers councils are usually on our side as well.
Joe: And the funny thing, because the workers council is so worried, is, you told me at the beginning, it’s usually the executives who are most receptive to the phishing, at least in the beginning of your training, right?
David: Yeah. That’s true, management level clicks the most in the beginning. It’s definitely true, but we also see with our training that usually over several months, they learn faster. So, they get more secure after like three, four months. We see they click less, they start to get it and they start to pay attention to their emails, and that’s what we work for. That people just pay attention, think two seconds about the email you get; if you know where to look, how to spot the signs, you will be far more secure by these two seconds. It’s all we fight for.
Joe: Great, before we get towards the end, I would just like to ask you: which of the areas, the business areas, the categories of companies, is the least secure and which is the most secure?
David: So, for the industries, the public sector is really, really quite vulnerable. There are a lot of things to do, a lot of work for us, but the same is true for hospitals, because they… I mean, they have a lot of people, they have a lot of stress, and it’s not their business to redeem it. I mean, I can understand. Within companies, we see that especially the finance department and the HR department are quite secure; you wouldn’t imagine that, because attackers often send out fake invoices or fake applications. That’s one of the most usual patterns, because you need to open the attachment there, but still, probably that’s the reason: these people are more used to watching out whether this email is real, whether they really should click it, and in the end we have a far harder time making these people click. Instead, if you look at the IT people, developers, admins, they are usually not as secure as they think. So, they do not look at their emails, that’s, well, that specific.
Joe: And we talked before; a strong recommendation from your side is to always use two-factor authentication.
David: Yeah, that’s definitely a good idea.
Joe: So, always two-factor authentication, and 1,2,3 is not a secure password, right?
David: It’s really not. Passwords should definitely be longer, but I can really recommend you to use a password manager. We talked about it before, and then you really have the chance to have strong, long passwords and you don’t have to remember all of them; they’re all safely secured.
Joe: Only the password for your password manager, and 1,2,3 is not a secure password there either, right?
David: Yeah, exactly. That should be a really strong, longer password as well, and that one you would really have to remember then. If not, you really have a problem. It happens sometimes.
Joe: Yeah, actually, what I realize, because sometimes I run my passwords through some testing engines, is that what’s usually very good is when you use a local dialect, for example, Frankfurt dialect. I do believe there is not one engine out there that tries to crack passwords with Frankfurt dialect, [inaudible-13:00].
David: Okay, and maybe, I always use a whole sentence and always use the first letters, or sometimes try to exchange one with a number, and then it’s really fast to type and really easy to remember.
Joe: I see, that is good. And we are here at the Aufschwung-Messe in Frankfurt; what are you guys looking for here and in general?
David: Well, in general, currently we are looking for an investment. So, we’re searching for a financing round these days.
Joe: Like Seed, Pre-Seed, Series A, what are you looking for?
David: We’re, like, in the middle between ‘Seed’ and ‘Series A’, because so far we haven’t had an investment, and so we are just funded by our own growth, our own revenue.
Joe: Yeah, right.
David: Yeah, that’s right, exactly. So, we are already quite big, we have 8 employees now, and we are growing quite well. But we are not really big enough for ‘Series A’, so it’s something in the middle, and it can be quite hard in Germany to find some investors for that size.
Joe: So, a larger seed financing round you’re looking for.
David: Yes, we are searching for around 800K. So yeah, it’s not big enough for a Series A, for VC, as you can see, but for big business angels or strategic investors, which is who we are talking to currently, because there are many IT companies, you know, who have customers who ask them about topics like this, and then they come to us and ask if they can partner with us. And of course, we talk with them about the investment.
Joe: Great, and everybody who would like to learn more about IT-Seal, go down here in the show notes. There is a link to your LinkedIn profile, with not a lot of personal information, plus the company website where you can basically order their services.
David: Yeah, that’s true.
Joe: Is your program just working in German, or also for English speakers?
David: Currently the languages we support are German, English and French, but more languages are to come, because of course many German companies are international, worldwide. So, we get many questions for Spanish and Mandarin and things like this. So, we will support more languages soon.
Joe: Great, it was a pleasure having you here. Thank you very much.
Narrator: That’s all folks, find more news, streams, events and interviews at www.startuprad.io. Remember, “sharing is caring.”