Security Starts With You
By Shanuka Kadupitiyage
With the move towards digitisation, technology has become more and more integrated with our lives, and we increasingly rely on it for our essential daily functions. As such, concern for cybersecurity and defence against malicious attacks has continued to increase.
Government and private organisations have realised this threat and have spent millions of rupees to adopt systems that should offer protection against such hacks, yet over and over again, news of hacks and attacks continues to be reported.
Wanting to obtain a better understanding as to why, Ceylon Today had the opportunity to speak with one of Sri Lanka’s most talented experts in cybersecurity and digital forensics, Ranul Deelaka Thantilage, who was formerly a cybersecurity consultant at the Centre for Research and Development, Ministry of Defence. He is currently a PhD researcher on the subject, working with the University College of Dublin, Ireland, and a lecturer, along with several other career paths.
Ranul Deelaka Thantilage
Ranul’s interest in tech began from an early age, which translated to him taking part in a number of tech-related extra-curricular activities at his school. However, tech wasn’t the only subject that piqued Ranul’s interest.
“My family is involved in making documentaries of fauna and flora, and from a young age, I was fortunate enough to have a hands-on experience with all the work that they did and the equipment they used for the subject,” he shared.
In fact, when Ranul’s family wanted to record aerial footage of wildlife parks for the Wild Asia documentary series, it was his idea to use drones to capture video, which would not only be more cost-efficient, but would be less intrusive to the animals residing in the national parks as well.
“It was around the year 2010-2011, and at that time, the use of drones was a very foreign concept for Sri Lankans,” he recounted. “The Telecommunications Regulatory Commission (TRC) licence given to the drone we brought in was 001; we had nothing before in the country.”
Ranul continued his interest in using drones for recording footage of wildlife, even during his years in university, which he attended at a young age.
Opting to follow an educational path that would let him circumvent pursuing A/Levels and enter university faster, Ranul soon graduated with a First Class Honours Bachelor’s degree in Computer Networks and Security.
“During my degree, I had the opportunity to work with Dialog in cybersecurity and also had the opportunity to assist in law enforcement for various activities. Once I graduated, my first job was as a Cybersecurity Consultant and Security Analyst for the Ministry of Defence. I was twenty years old then,” he shared.
Working with the ministry
At the Ministry of Defence, Ranul played many roles, one of which was to attempt to breach various Government systems in order to detect vulnerabilities before an actual hacker would be able to exploit them to perform a malicious attack.
Ranul was also heavily involved with digital forensics and contributed his expertise towards law enforcement when it was necessary.
An interest in digital forensics
Ranul worked as a full-time consultant before moving on to work as a consultant. This allowed him to pursue his Master’s Degree in Forensic Computing and Cyber Crime Investigation.
“It was an interesting experience,” he recalled. “I was the youngest person in my batch to follow the course, and it was a restricted course that allowed only professionals in the defence and law enforcement sector to follow, including high ranking officials in national security from other nations.”
For Ranul, digital forensics was a subject that intrigued him because of its practical nature. And by this time he had already contributed to the intellectual community of the industry through exploring volatile memory forensics, even publishing several liveware, research papers on the subject.
“To sum it all up in simple terms, this entails gathering the data stored in a person’s RAM and getting details and information about a person, including their social media accounts,” Ranul explained.
“Passwords, tweets, status updates, search history, WhatsApp chat history could all be collected just by taking a RAM dump.”
“Although most of these services are end-to-end encrypted, which means only the two devices can understand the communication between each other, the information in the two devices themselves, in their RAM is not encrypted.”
Building on his previous research, Ranul has been working on forensics software that could use a person’s backup data from their mobile phone for gathering information.
Ranul explored methods to copy users’ RAM information simply by plugging in a USB storage device. “All you would need to do is to plug in the USB, and it would automatically copy everything in that computer’s RAM in a matter of minutes. All you have to do then is to go home and decode the data to gather information about the user of that computer.”
“For example, let’s say a young girl was kidnapped,” he explained. “We wouldn’t be able to find much information about the kidnapper because her phone wouldn’t be accessible. She would most likely have been on the phone while being kidnapped. But you have the possibility of accessing backed up data of her mobile phone stored in her computer through iTunes for example. Through this, the police would have the opportunity to possibly gain more information, including chat and call history in order to possibly identify a suspect and find leads for their investigation.”
This research later led Ranul to be invited to follow a PhD and take part in a research programme in Ireland, which is something he is currently working on. His current area of research is Big Data Analytics, Privacy and Security on Clinical Data Warehousing. He is working at the Insight Centre for Data Analytics on a project of the Eastern Corridor Medical Engineering Centre.
It’s all about the person
Since Ranul is an expert in the field and industry, we were curious to know his thoughts on Sri Lanka’s constant cybersecurity compromises and breaches. Is it merely weak protection, or is there something more to it?
“I believe the biggest weakness in Sri Lanka’s cybersecurity is the human element,” he shared. “You could have the most sophisticated software to protect your systems, but if the users of that system don’t have a proper understanding, it creates vulnerability.”
Ranul explained that with the proper expertise, even the simplest software tools to protect oneself from malicious attacks would be enough.
“For example, a person can use basic antivirus software such as Windows Defender, and have zero security compromises,” he shared. “If you are trained well enough to identify a potential threat, the chances of you being vulnerable to a breach would drastically decrease.”
Ranul noted that these threats could come in the form of an email, a message, even a redirect link to a website.
“What I’ve noticed is that on many occasions, the staff had not been properly trained. Organisations would often spend vast amounts of money to implement security measures, only to forgo providing necessary training to the employees.” This could potentially render such expensive software solutions pointless.
Ranul also pointed out that existing Government systems take long periods of time before taking action, which is of great detriment in the fast-changing world of cybersecurity.
“Most of the time, because of the hierarchy and the time it takes to get something approved, it’s a long process and in the end, you aren’t able to provide the perfect, up-to-date solution because of the time period,” he explained. This means that any software that is being implemented is vulnerable to a new type of breach that would have been patched with an update; something you wouldn’t want in corporate and Government IT systems.
Security for you
As for the user, Ranul explained the best thing that you can do to protect yourself in this digital environment is to be aware, be educated and to protect yourself.
“More than the machine itself, the live ware (you) are the most important. Software and hardware can be configured, but you need to configure yourself. It’s all to do with the proper training and minimising any potential way a malicious hacker can gain access to your systems.”
Ranul’s message is simple and straightforward. It doesn’t matter how sophisticated the software or system you use is if you aren’t trained or aware of the ways you may be attacked or compromised digitally. Small yet simple habits that you can maintain every day, and being aware of cybersecurity threats and mitigations, can go a long way to keep you safe in this interconnected world.
Pix by Ashan Gamage
Location - Uga Residence