Dorota Kozlowska always dreamed of working in IT and studying computer science. As a certified cybersecurity specialist, she shares why she established herself in the cybersecurity industry – for the maximum challenge! She is also eager to empower others to enter the industry and become cybersecurity specialists, which is why she shares her learning journey and tips on how she became a cybersecurity professional, to give a point of reference and help others build the courage to follow their dreams. The year 2023 was an important one for her: she received the Cyber Woman Hope trophy from CEFCYS, was selected as one of the 40 under 40 in Cybersecurity 2023 by the Top Cyber News Magazine, and shared knowledge and insights as an international keynote speaker at the Forum in Cyber conference in Montreal.
Recently, in an exclusive interview with Digital First Magazine, Dorota shared her professional trajectory, insights on the common myths companies have in their minds while dealing with cybersecurity, the secret mantra behind her success, future plans, words of wisdom, and much more. The following excerpts are taken from the interview.
Hi Dorota. Please share your background and areas of interest.
I am recognized with the Cyber Woman Hope trophy by CEFCYS, and as one of the talented 40 under 40 in Cybersecurity 2023 by the Top Cyber News Magazine, and I enjoy sharing my knowledge and insights as an international keynote speaker.
As a Penetration Tester, I help clients test their security posture through a structured cyber attack simulation with a predefined and agreed-on scope. I have over two years of experience in offensive security, with the ability to think like an adversary and identify and exploit security gaps and vulnerabilities on endpoint devices, applications, and networks. I also provide reports enumerating the existing vulnerabilities and remediation to mitigate them.
I am passionate about cybersecurity and learning new skills and technologies. I have a strong investigative mindset with attention to detail and great communication skills, ensuring assignments are delivered confidently and promptly. I have degrees in Economics, Management and Marketing, and Computer Science, and I am certified with CompTIA Security+, ISTQB Foundation, and ITIL.
When does an organization need to get a pen test, and how often should they renew it?
Depending on the size of the company, it is advised to have at least one manual Pentest per year, perhaps twice depending on your budget. If the company is small, that could be less often.
What are the myths companies have in their mind while dealing with Cybersecurity?
You can acquire this knowledge by first learning what isn’t true, starting with these cybersecurity myths and their corresponding facts.
Myth: Only certain people and organizations are targets.
High-profile financial and government institutions are absolutely targets for wide-ranging cyber-attacks. However, not all instances of cybercrime are major organizational data breaches. In fact, the most common types of cyber-attacks include phishing, spoofing, and identity-based attacks that are used to target individuals over companies.
Myth: It’s okay to use the same password and username combination across multiple accounts.
Although it may be more convenient to choose one strong password to use across multiple accounts and devices, cybercriminals have long since caught on to this habit. With the help of bots and other AI tools, hackers can compromise your data in seconds with a credential stuffing attack: entering one known username and password combination across dozens of popular apps to obtain payment and other personal information.
Instead, use a password manager tool to keep track of unique passwords across your accounts.
Myth: Phishing emails and SMS messages masquerading as a trusted source are always obvious.
This was true some time ago but is certainly no longer the case. With access to company logos and other visual marketing collateral, names and email addresses of those known to you, and other familiar features, phishing links can now be cleverly embedded within legitimate-looking messages.
Avoid phishing attacks by double-checking sender information and signing into that organization’s account separately to confirm any messages sent to your email or texts. Never click the link sent to you and be sure to report the message immediately if it’s fraudulent.
Myth: Public wifi is secure to use with your personal devices—especially if it’s password-protected.
This one is simple: sensitive information shared over a public wifi network is more likely to be intercepted than it would be on a private connection. Plus, while many guest wifi offerings are encrypted, it’s still possible for cybercriminals to install malware via any shared network.
Consider investing in your own VPN (Virtual Private Network) to ensure your data remains protected even when using public wifi.
Myth: Any data that’s been deleted is not susceptible to hackers.
Data that’s been deleted may still be at risk of being extracted by hackers—both within cloud drives and hard drives. Using file restoration programs, cyber attackers can retrieve files after gaining remote access to your hard drive, while cloud-stored files often remain accessible on your account for 30 days or more.
Myth: Apple Mac computers are invulnerable to malware.
While operating systems are an important differentiator between Mac and PC computers for consumers with varying needs, both are vulnerable to malware. Malware is an umbrella term representing the full gamut of malicious software, including adware, viruses, ransomware, and more.
Myth: Data stored via the cloud is automatically secure—with built-in protection from potential breaches.
Just as deleted data can be accessed via both hard drive and the cloud, live data can also be accessed through both storage locations. The difference lies in how cloud data is accessed.
Myth: Multi-factor authentication is unnecessary.
According to a March 2023 report by Microsoft, over 99.9% of the account compromise reports they deal with could have been prevented by multi-factor identification. Plus, considering many devices, apps, and email providers offer built-in MFA functionality, there’s really no reason not to use them.
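The credential-stuffing pattern described under the password-reuse myth above leaves a server-side footprint a defender can look for: one source address cycling through many different usernames with mostly failed logins in a short window. The following is an added example, not part of the interview or the interviewee's work; the log format, thresholds and sample entries are constructed for illustration.

```python
"""Added example (not from the interview): flag credential stuffing in login logs.

One source trying many distinct usernames with mostly failures in a short
window is the server-side footprint of stuffing. Log format and thresholds
are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user source_ip result"
SAMPLE_LOG = """\
2023-03-01T10:00:01 alice 203.0.113.5 FAIL
2023-03-01T10:00:02 bob 203.0.113.5 FAIL
2023-03-01T10:00:03 carol 203.0.113.5 FAIL
2023-03-01T10:00:04 dave 203.0.113.5 SUCCESS
2023-03-01T10:00:05 erin 203.0.113.5 FAIL
2023-03-01T10:00:06 frank 203.0.113.5 FAIL
2023-03-01T10:05:00 alice 198.51.100.7 FAIL
2023-03-01T10:05:30 alice 198.51.100.7 FAIL
2023-03-01T10:06:00 alice 198.51.100.7 SUCCESS
"""

def parse(log_text):
    """Turn raw lines into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, fail_ratio)} for sources that look like stuffing."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            # Sliding window: everything from this event up to `window` later
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            users = {e[1] for e in in_win}
            ratio = sum(e[2] == "FAIL" for e in in_win) / len(in_win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = (len(users), round(ratio, 2))
                break  # one hit per source is enough to flag it
    return flagged

def compromised_candidates(events, flagged):
    """Accounts that logged in successfully from a flagged source: review these first."""
    return sorted({u for _, u, ip, r in events if ip in flagged and r == "SUCCESS"})
```

The single success inside a flagged window is the part worth acting on: it is the account whose reused password the attacker already held, and a forced reset plus MFA enrolment closes that gap.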
In your opinion, what upcoming challenges do you see for a Penetration Tester as per the current security postures of companies?
Companies are cutting costs, so they might resign from investing in Cybersecurity altogether in the future, but that wouldn’t be a smart move.
What’s your favorite part of the penetration testing process?
Reporting. The final stage is Reporting, where the tester compiles a comprehensive report detailing their findings. This includes the vulnerabilities discovered, data exploited, and the success of the simulated breach.
The meaning of leadership can change from one era to another. How would you define the meaning of leadership today?
Leadership is the art of motivating a group of people to act toward achieving a common goal, that is the definition. The nature of leadership is evolving. We are moving from authority to trust; from hierarchy to networking; from decision-making to inspiration.
The workplace has changed dramatically over the last few years, with the increase of remote work and the growing importance placed on employee touchpoints, such as diversity, equity and inclusion.
How to be a better Leader?
Become more self-aware. Great leaders know their strengths, weaknesses and effects on the people they lead. They set a good example and model good behavior. One way to become more self-aware is to seek feedback from those people.
Refine communication skills. Leaders should be effective and clear in their communication; they must also be good listeners. Communication should be based in openness, honesty and transparency. This involves setting clear goals and expectations and giving regular feedback to employees.
Connect with team members. Connections build trust, understanding and bonds that are critical for successful leadership. The best leaders should get to know the personalities and capabilities of their team members.
Encourage growth. The best leaders encourage their own, their colleagues’ and their employees’ or followers’ personal and professional growth. Encouraging growth strengthens bonds and trust between leaders and team members and increases what teams can accomplish.
Be open to change. Change is inevitable in business; being open to it and encouraging new ideas and perspectives from team members can help leaders become more effective.
Develop positive attitudes. Responding to negative situations and problems with positive approaches and encouragement is a great way to model and improve problem-solving skills.
Seek out growth opportunities. Great leaders look for opportunities for continuous improvement and education. This can involve attending conferences, finding a mentor and reading books on leadership.
Is there a particular person you are grateful for who helped get you to where you are?
That would be me. No one helped me, it was all my hard work and long hours studying. But an honorable mention would be given to Ludmila Morozova-Buss, as she allowed me to write my first published article and that was a push I needed to be later on selected as one of the 40 under 40 in Cyber 2023 by the Top Cyber News MAGAZINE.
You have been recognized with prestigious awards and accolades such as the Cyber Woman Hope trophy by CEFCYS, One of the Talented 40 under 40 in Cybersecurity 2023 by the Top Cyber News Magazine among others. Our readers would love to know the secret mantra behind your success.
Find your passion, and be a nice, helpful person to others. Give back to the community.
How do you like to spend your time when you are not working?
I am on my bike cycling – preferably in the woods. I am trying to spend time surrounded by nature to let my mind rest.
Where do you see yourself in the next five years?
I see myself as a Red Teamer, as I still have a lot to learn to get there, or leading a team of Pentesters.
Any last words of advice for organizations that need a pen test?
Understand Your Objectives: Be clear about what you want to achieve from the penetration test. This could range from identifying vulnerabilities to testing the effectiveness of your incident response team.
Choose the Right Type of Penetration Test: There are different types of pentests such as network services, web application, client-side, and wireless. Depending on your objectives, choose the right type.
Hire a Reputable Pentest Firm: Ensure the firm has a strong track record and relevant certifications. The quality of the pentest is largely dependent on the expertise of the pentesters.
Prepare Your Team: Make sure your IT team is ready to support the pentest. This includes providing necessary access, being available to address issues that might arise, and being ready to remediate identified vulnerabilities.
Document the Test: Make sure to document everything including the scope of the test, the methods used, any vulnerabilities found, and the recommended remediations.
Follow Up: After the pentest, review the findings and implement the recommended remediations. Also, consider scheduling regular pentests to ensure ongoing security.