
Cybercriminals and Nation-States Look to IoT as the New Frontline


Cybercriminals and Nation-States Look to IoT as the New Frontline with Richard Stiennon

Richard Stiennon, Chief Research Analyst for IT-Harvest, joins us for The Return: Episode 2. Author of the recent Security Yearbook 2022, Richard started his career before cyber was cyber, a story he originally shared with Brian on a walk along some train tracks. How does a guy go from an ISP start-up to Gartner to IT-Harvest and being a bestselling author?

Richard started IT-Harvest to literally harvest data, and that’s resulted in his latest project, an app for data obsessives called the Analyst Dashboard. He talks about what it took to get there and some surprising results he’s discovered from the tool.

The cybersecurity space, he’s found, has focused and refocused and reframed and refocused again. Now, it’s apparent globally that cybercriminals and nation-states are looking at IoT as the new frontline. When new technologies come up, they’re developed with no thought to security, says Richard. Now we’re reaping what was sown. 


Episode Transcript

John Vecchi:

Hello, everyone. You’re listening to the IoT Security Podcast live on Phosphorus Radio. I’m John Vecchi.

Brian Contos:

And I’m Brian Contos. And we’ve got a very, very special guest today who’s also extremely famous. He wanted me to let everybody know. And his name is Richard Stiennon. Richard.

Richard Stiennon:

Hey, Brian. Hey, John. Good to hear you guys.

John Vecchi:

Welcome, Richard. Great to have you.

Brian Contos:

So Richard, John and I have known you for, gosh, I guess, decades. And we’ve spent a lot of time together over the years talking, and I think the very first time you and I did any kind of video or podcast we were actually in the Detroit area and we were walking on a railroad track and you had found some iron railroad ties and you were like, “Hey, I’m going to take these back home.” And you have a forge in your backyard and you actually turn those into implements, which I thought was pretty cool.

But one of the things we discussed on that walk was you didn’t get your start initially in cyber. You kind of had a really unique start?

Richard Stiennon:

There was no cyber when I got started. There was just computers and I was a computer user doing crash simulations for General Motors and so heavy computer user but then along ’92 timeframe I discovered the internet. By the end of the year I had started an ISP, and over the next 12 months it was a crash course in networking. So had to learn how to type in net masks and all the ins and outs of establishing a point of presence in Detroit at a printing plant, oddly enough, because back then you had to pay for every phone line and every minute on every phone line.

Brian Contos:

You had this story that you told me about when you were working in the automotive industry and it was about risk tolerance and quality control and this whole juxtaposition of that with sort of cybersecurity and how we look at things. But maybe you could re-share that story about how Japanese vehicles at that time compared to some of the vehicles that were being made in the United States and those differences and how that evolved?

Richard Stiennon:

In the 80s, it was always my theory that Japanese brilliantly entered our market. So they entered with very, very small cars. You remember them. I remember me and my buddies picking up my friend’s Honda Civic and moving onto the grass. Just four people could pick up a car.

Brian Contos:

I had a 1984 Dodge Colt with a 1.4 liter engine and a hatchback. And women loved it. They loved it.

Richard Stiennon:

It works great for anybody who’s 50 percentile. Sorry, Brian. So basically they didn’t introduce vehicles that fit everybody. They just introduced vehicles because they’re only going to sell 20 or 30,000 of them when they first entered the markets. And they established a reputation for quality. And of course, the Japanese were the masters of producing quality, and that was like a land and expand. And now their vehicles are almost as big as US vehicles. And they drove quality, and that changed the automotive industry dramatically. Their tolerances were measured in millimeters. They were measured in, when I was working at GM throughout the eighties, pretty much we could deal with three quarter inch variants, one component to the next or the way they stacked up. And that was just ridiculous. It was intolerable. So that’s how the Japanese did so well in the auto industry.

John Vecchi:

Wow. And like Brian said, we go back a long way with you, and Richard, a lot of our guests will know you primarily for all of the work you’ve done in the cyber side, and you’re a Gartner analyst and now you’ve got IT Harvest. You’re just a very common, everyone knows you and you’re still just running strong. But for those who maybe want to fill in some of the pieces, talk about how you went from that to cyber and then into Gartner and then from there. That’s such a fascinating story. Let’s hear about it.

Richard Stiennon:

Back then probably my 20th startup was an ISP, but it was the first one that just took off. I learned rapid growth. We had 11 employees within six months and I had learned important things like PR is more effective than advertising. And of course if you think back to those days, the internet was in the news every day. The television and newspapers loved reporting on it. And they always drove out to my office in West Bloomfield to interview the guy. So I kind of got media training on the job at the same time. But I didn’t manage to hold onto the company. I was ousted and I knew I was being ousted. So I sent a message to the other ISP in town and I said, because I had decided there’s no way I’m going back to automotive. I love the internet and the cycle time.

And it changed. Every six months, it was a completely new thing. And the auto industry changes, if at all, every 10 years. So they said, “Yeah, come on over. You’re hired.” So I went to the other one, I was the ninth employee at a company called Netrix, and Netrix was a Sun and Cisco and Check Point reseller. And they came up with this concept of, “Hey, you know what? We got to sell security with these internet connections.” So when I joined them, technically I was a salesperson, I was responsible for automotive. So I sold Ford their first firewall and I got ITT Automotive on the internet the first time and did all this stuff for Lear Seating. And that was my introduction to security.

So I learned on the job, was in the very first class of certified Check Point security engineers. And luckily in the process we did a big project with Volkswagen with PricewaterhouseCoopers. And the day that Netrix asked me to do cold call Tuesdays and gave me the few letters in the yellow pages to start calling is the day I quit, because I’m a horrible salesperson and I just don’t do that.

And so I went to PwC, and PwC gave me my introduction to large enterprise organizations as well as their security postures. And I got to do a lot of security assessments or pen testing of little companies like Dell and BNSF Railroad, Peoples Gas out of Milwaukee, SunTrust Bank in Georgia. And it was great because you’d always find stuff. It’s just like an attacker. You succeed in your security assessment if you find one thing, and there’s millions of things. So of course you’re going to find something. So that gave me that exposure.

I foolishly still wanted to be an entrepreneur. So one of our clients had this concept for an e-commerce solution and believe it or not, I was the e-commerce go-to guy at PricewaterhouseCoopers ’cause nobody else even knew about the internet. And he had two models. One was using a newly funded company that had all these Microsoft things to do e-commerce except credit cards and a payment gateway and all that. The other one was more modern with open source systems. And I chose the open source one of course. And the partner said, “Okay, let’s get on the phone with the client,” Isiah Thomas, who of course in Detroit is a legend, right? I almost named my second son Isaiah ’cause he was just that influential, the captain of the Detroit Pistons.

Got on the phone with him, explained all this and he says, “Well, can you come with us to New York to talk to the web developers?” Bolt was the name of the company. I said yeah, sure. “Okay, meet us at the Troy airport tomorrow morning.” So I go to the airport, I’m on a private jet with Isiah and his team, and on the plane he offered me a job to head up this isaiah.com and its subsidiary, Igift for gift certificates. It was cool, but it was the end of the dot-com boom. So it busted, and I was looking for a job and I found something at Gartner and I talked to them and went out for the famous Gartner interview where they just put you in a room and you got to defend some report that you wrote in the two hours beforehand. And they just pummeled me. It was kind of embarrassing.

But they came back and gave me an offer. But it wasn’t the offer I asked for. I’d asked, well I’ll just be transparent, I’d asked for $187,000 salary. I’ve learned over the years, I don’t care what the bonus is or what the benefits are, you never get those.

So they came back and gave me, they said, “Oh, we got you your number $187,000 package.” So I said, “No, sorry, just can’t do it,” because at the time it was still 2000 and I still thought the internet was a big thing and it was going to come back. And so they said, “Okay, sorry.” But I got a call from Bob Hefner. He said, “Just checking to make sure the only reason is money.” I said, “Yeah, that’s it.” Three months later, I’m getting off an airplane talking to yet another startup that wants me to be their CEO as soon as they get funding, which is, I’ve heard that story so many times over the years and it was Bob Hefner, “Hey we’ve looked at a lot of people, and you’re the best candidate. Do you still want to join?” And I’m like pumping my fists going, “ka-ching”. Yeah. So that’s how I joined Gartner in 2000.

John Vecchi:

Wow.

Brian Contos:

That’s really, really interesting. So I know a lot of people, Richard, know you from Gartner and you’ve done a number of great tech companies as well and then, with that entrepreneurial spirit that you had of course, built IT Harvest, and the Security Yearbook I think is just becoming this thing now that people look forward to every year. And Covid kind of jumped in there a little bit when it was first coming out, but I love it. I love looking through it.

But I’d really like to talk to you about your newest project, not that the Security Yearbook is over of course, but your analyst dashboard. And this has been getting so much buzz. I know we’re big consumers of it. We use it quite a bit. But tell everybody a little bit about that and I’d love to hear about, there’s so many facts and figures and stats that you put together and I love how you relate it to, there’s layoffs in the industry, but what does that really mean? I love how you tie that together. But tell us a little bit about the analyst dashboard and maybe some cool things that you’ve discovered or some interesting stats or figures.

Richard Stiennon:

So pulling together the Security Yearbook three years in a row now, I’m working on the next year’s edition right now, gave me confidence my data was getting pretty concise and clear, and it’s been through editing three times. So the actual names of the companies are all spelled correctly, et cetera. And in the back of my head, I always wanted to go back to why I started IT Harvest. If you think about the name, I literally launched IT Harvest in 2005 to harvest all the data on the cybersecurity industry and have it at my fingertips, because I was so frustrated at Gartner that Gartner’s Dataquest, which was supposed to be doing that, was already fading away when I joined. And I loved Dataquest. It was just a constant flow of information because I love information. I love data, very distracting, maybe I got an addiction problem.

I had actually tried doing that in 2005, but fast forward to 2022 and it’s a lot easier to build an app, you can build a modern web app fairly quickly and simply. So I started all through 2021. I was looking for development teams to build it and I was so frustrated, because going back to my automotive experience where I designed automotive components and mechanisms for trunk latches and car seat recliners and seat tracks, you never just specified exactly what it looked like and how much it weighed and what it did. You’d have to prototype it. And I learned through that experience that the more prototype cycles you build in, the more likely that your production product will pass all the tests and weigh the right amount and be the right expense, et cetera. Every single development team I’ve ever approached says, “Yeah, it sounds like something we can do. Give us the specs.” And by specs they mean “give us complete Figma wireframes of every single page and give us the exact description of what every single function does.”

And I’ve built a website and I’ve done it in WordPress where it’s what you see is what you get, so you just move stuff around. But I can’t tell you what an app is going to look like until I’ve had customers using it. They tell me what it should look like. So it almost seems like none of what I learned as a mechanical engineer has translated over to software engineering. But luckily in the meantime, something has come along called No Code. No Code, the way to think about it is WordPress for building apps. So instead of deciding where the text box goes, you’re deciding the functions and the workflows. If somebody clicks here and they’re a subscriber, then they get to do this and you. We’ve got now 1500 workflows in our app.

I hired an amazing, amazing intern out in California and he’s just totally enamored with the whole thing, the whole process. He’s never written a line of code and yet he has built the entire app, which you guys have seen, and he spends a ridiculous amount of hours on it, pulling two-nighters, and so far the record I think is a three-nighter and he still functions. I can talk to him afterwards.

And we launched the MVP. It took a week for me to transition off of all the spreadsheets I use all the time, because having a database and the ability to query it is much better than a spreadsheet and much, much faster. And then we just iterated over and over. We’ve rebuilt it three times practically from the bottom up in, we only launched in March, so it’s seven or eight months.

John Vecchi:

Wow. It is quite an incredible tool. And I mean, you’ve been around this industry a long time, obviously. You work a lot with the startup community. You follow startups in every way with your yearbooks. You’re following all of that. When you think about the dashboard, what are some things in there that even surprise you? And again, some of the things we’ll talk about, you write on things about how there really isn’t consolidation in the security industry. I mean, look at all the companies and things like this. I mean, you write about those, but what are some things that just, like, wow, completely surprised even you after all of these years in this industry when you started building that dashboard?

Richard Stiennon:

Well, first of all, one cool one is we extracted the founding year for all the companies and lined them up on a bar chart and it’s not just up and to the right. It’s kind of like a bell curve with a peak about six years ago. And of course that’s the case because they don’t have historical data. So I can’t tell you for each year how many companies started. I can just tell you for each year how many companies that are still around were started. And so we created this graph and it had this huge tail stretching off to the left to 1763. And I said, “Oh man, somebody fat fingered a founding date.”

So I just went to the app, looked up what company that was, and lo and behold, it was a real company in Germany. It really was founded in 1763 to make parts for printing presses. And then German companies are long lived. They don’t have the active acquisition thing going on and they just pivoted until all of a sudden they’re an identity and access management vendor.

John Vecchi:

Wow.

Richard Stiennon:

Just crazy. Just crazy. There are a lot of other companies still around that were founded in the nineties, still some endpoint security vendors of course and network security vendors.

Brian Contos:

What are some of the hot trends right now? What are some of the big groups of companies that have formed over the last few years or sectors within cybersecurity that have really come to be?

Richard Stiennon:

Yeah, so I break the industry into 17 sectors, but the 17th one, when I started, I realized was getting a lot of activity. Some of the early indicators are big funding rounds for multiple players who offer the same solution. And the one that just jumped out at me was API Security. So here you’ve got a subset of application security, which I’ve been tracking forever, but all of a sudden it’s getting all this attention. So I pulled it out as a totally separate category so I can watch that. Last year it grew 60% in headcount. So far this year through November 1st it’s grown 35%, and there weren’t any huge rounds this year. So now the hiring that’s going on is real hiring. They’re hiring people because they’re growing and get the revenue to support it.

And then I’m going to do that to vulnerability management, too. The vulnerability management vendors do not like the fact that I treat vulnerability management as part of GRC, because nobody wants to be part of GRC unless your customer happens to be the risk management people. The only thing that requires you to do vulnerability management is your compliance regime. That’s the number one thing. And every time I hear somebody talking about risk management, they say, “You got to discover all your assets. And then you got to rank them based on their… Score them based on their value.” And then you got to find the vulnerabilities and patch them.

And you know my feelings about how useless all that is. But all of a sudden I’m talking to startups and I go, “Wait a minute, you’re a brand new startup. You’re doubling in size every six months and you do vulnerability management.” I thought everybody either used Nessus, Tenable or Qualys or Rapid7. What’s going on? We got totally established players that are doing the same thing I did at PwC with CyberCop, or ISS for that matter. What are you doing that’s better than them? There are only so many known vulnerabilities and everybody finds them all.

Well, they’re doing it for cloud and assets that the Qualys and Tenables can’t see or find. So I’m going to make everybody happy and put them in their own category, and then we’ll have a big vulnerability management and then we’ll have cloud vulnerability management and in-memory vulnerability management, whatever the categories break down to.

John Vecchi:

Sure. Interesting.

Brian Contos:

Well that’s actually a good segue, because talking about how the space has matured and focused and refocused and focused and refocused and really tried to define what it is. We’ve been talking about xIoT for a while, you and I, and IoT devices, the printers, the cameras, the voice over IP phones, OT devices, the SCADA, the manufacturing devices, and then network devices, NAS, wireless access points, load balancers, you name it, all these purpose-built devices with embedded firmware that do specialized things. It’s becoming very apparent globally that this is one of the areas that cyber criminals and nation states are starting to focus a lot of time on. And I kind of wanted to get your hot take on why that is. Why is xIoT now the new frontline, if you will, in the cyber arena? Because quite honestly, go back three, four years, there wasn’t really a lot of talk about this.

Richard Stiennon:

No, no, there wasn’t. And I look at it… For me, IoT is actually the model for a lot of, when there’s a new trend in technology, it tends to get deployed with no thought of security. So when you’re first developing your conference phone system, you don’t think of hackers attacking it. And later on when your smart engineers figure out how to add Wi-Fi to it or whatever and connect it to the wired network, then they just, “Oh, there’s never been an attack on it.” So they’re not thinking about what could happen. And over years that just created all this security debt in all the devices.

I first started hearing about IoT security from Israeli startups because they were seeing the attacks. As a matter of fact, of course in Israel, if everybody comes out of 8200, they were engaging in those attacks against their adversaries. So they’ve got an idea for, well, people should do something about that. And the cool thing is that the IoT security ecosystem mirrors the overall IT security ecosystem. There’s network, there’s endpoint, there’s vulnerability management and patching, there’s scanning, just everything, there’s identity and access and everything that we had before now applied to a bunch of stuff, which is really invaluable things, right? $50 things all over the place, and there just happen to be several billion of them that are uncontrolled, unpatched, unpatchable in some cases, and connected to the network. So it’s a perfect storm.

John Vecchi:

So that’s interesting, because the way we look at it as well, Richard, is that it’s part of, when you talk about the attack surface, xIoT is part of the attack surface, can be up to 30% of it, and you look at things like approaching technologies that can help remediate and harden things and be preventative and proactive. xIoT should be part of that as well and all of the detection and response and all those kinds of things. But it isn’t necessarily, is it? And what do you think it is that today, when someone thinks attack surface management or technologies that I’m going to deploy to help harden and remediate things, that xIoT, those devices, are not yet included in that? Why is that?

Richard Stiennon:

Yeah, that’s true. I think there will always be this divide in thinking in organizations between their work responsibilities, and the IT department is responsible in the most part for security. And so they think about IT assets and that’s just all they focus on. So when you entered a new thing, it takes a long time for them to understand that, no, this new thing is part of your remit as well. Cloud was just like that. It’s like, “Well this cloud stuff, whatever.” And now, eventually all workloads will probably be in the cloud or a private data center that’s cloud-like. They were encompassing it.

The one thing that they’re almost barred from touching is OT. It’s really hard to walk into a manufacturing plant or steel mill and tell them that, “Hey, I’m from IT, and we’re going to impose these controls in how you do things. We’re going to slow down your processes.” Very similar to what the quality guys experienced in manufacturing plants in the past. It was like, “Yeah, sure, whatever, but just don’t slow us down. As soon as you slow us down, we’re going to kick you out the door.” And it’s just history all over again.

Brian Contos:

And that’s precisely what I think the cyber criminals and nation states are counting on, because they know this is a big back door. As John was alluding to earlier, the attack surface size, we’re seeing that there’s roughly three to five xIoT devices per employee in a company. So 10,000 people, 30 to 50,000 devices. And then you step back and go, “Well wait a second, what exactly are these devices?” Well, they’re Linux servers or Android or BSD or VxWorks if it’s on the OT side or some other real time operating system. So in some cases, some of these higher-end security cameras, they’re more powerful and capable than your laptop. They’ve got bigger storage, they’ve got just the same protocols running. They’re running Linux. You can SSH into them. You can load tools. You can scan for IT assets, you can download sensitive data. You can exfiltrate it. It’s just like a laptop.

The only difference is one, no one’s looking at them. It’s not being managed. And two, you can’t deploy endpoint security controls on these guys. And the thing that just blows me away is if I told you that 50,000 of your Linux servers in your environment had no password, were running high-level vulnerabilities, had old firmware, you’d go address it right away. And I think it’s changing. Well, I know it’s changing because I’ve spent enough time with customers in the field now where I’m actually seeing them like, “Wow, you’re right. We need to address this.” But do you feel that business leaders today, and I’m not even talking about CSOs and other security professionals, but business leaders, do you think that they have grasped that these network security door controllers and things?

Richard Stiennon:

Nope.

Brian Contos:

Not at all?

Richard Stiennon:

Not even close.

Brian Contos:

Not even close.

Richard Stiennon:

Yeah. I mean, they may see the popular articles about car hacks, right? It’s like, “Oh, I’ve seen that movie.” But they don’t just see all the network connected devices around them every day and wonder if those are vulnerable, and they’ll buy the latest cool smart TV and never worry with where’s everything you say in the room going to a thing that can respond when you talk to it.

Brian Contos:

And you think that’s just a function of, you said, I saw that movie, I saw that, what happened to the Jeep? Or I saw this thing and are they waiting for that big incident? And then, “Okay, now we get it. It’s important.”

Richard Stiennon:

If only it was a big incident that woke everybody up. A lot of things I’ve learned over the years, one, when there’s a new vulnerability, you can’t yell at the top of your voice “patch everything,” because I did that when I was a neophyte at Gartner. All of a sudden I was getting all these calls from CIOs telling me I was an idiot. You can’t patch a critical vulnerability in Solaris, was the one I’m thinking of, because they’ve got 2000 machines that have to be scheduled to be taken offline, patched, tested to make sure they didn’t break anything and then put back online. That takes months. And by the time they’ve done that, there’s another critical vulnerability. And that’s always going to be the case with the exception of the cloud, where it’s much, much easier to patch things in the cloud.

The other thing that I’ve learned is nobody pays any attention to devastating attacks on other companies or other organizations. It’s always, “That’s them. That’s not us.” And I always predicted, when everybody in the critical infrastructure world has always been waiting for the major attack on power grids, and then we’ll all wake up and Congress will meet and we’ll have new funding for fixing the power grid. Well that happened. It happened in Ukraine. It happened twice, like nine months apart. And we know who did it. We know how they did it, and books have been written about it. And people say, “Oh that’s Ukraine. That’s not the United States. Can’t happen here,” even though we see evidence of the same tools from the GRU in Russia floating about our power grids and other control systems. Nobody does anything about it, and they’re still not going to.

What will happen is there will be a devastating power outage here in the United States and the power companies and the grid operators and everybody else will say, “Not our problem. We told you we need to be more skew and you never gave us more money or let us increase our rates to the subscribers to our power.” And Congress will have a whole bunch of sessions and hearings, and they’ll pass some ridiculously lame law that doesn’t fix the problem, assigns a bunch of committees to study stuff and all the rest, and then it just goes on and on. The only way it gets fixed is the individuals, the individual companies that get hacked, the executives are so upset about being hacked and embarrassed, because it is. It’s like being physically attacked by an adversary. And once they feel that in their gut, then they react and they start applying the resources to fix it.

So I also will get on a high horse and talk about why security awareness training is completely useless, except for the security awareness training that the hackers are engaging in. They’re going, “I’m not testing whether you’ll click on a phishing email, I am getting you to click on a phishing email, and then you are going to suffer for it. You’re going to have to pay me something in Bitcoin or I’m going to post your images online in public and embarrass you, and you’re going to have to tell all your friends that you were hacked, that you aren’t really selling Ray-Ban sunglasses on Facebook.”

John Vecchi:

No, exactly. And it’s interesting, we see various attacks that are happening in many organizations that might not even know that you got the Mirai botnet, you’ve got botnets, you’ve got [inaudible 00:34:25], talked about the quiet exit where they’re going to attack you with traditional methods, maybe a phishing attack, and then they’ll quickly pivot to, say, a printer or a [inaudible 00:34:35], even a programmable logic controller or some other type of OT device. And they’re just going to sit there forever and do what they want to do and either siphon terabytes of data off and funnel it back without you knowing or just very sophisticated botnets.

Those are there. Many organizations might not even know that device has been compromised. But does it mean that we kind of need a Melissa virus or a Slammer worm or something to get people’s attention? We see this all the time. We see devices that have been compromised by Mirai. I mean it’s very all over. Fronton is out there. I mean this thing can hack any xIoT device on the planet. It’s a very sophisticated piece of nation state software. These things are there but it isn’t really making a dent. Do we just need a really big attack to happen?

Richard Stiennon:

You need the attacks to be just so constant that they have to do something. You can’t get your conference phones back online because as soon as you plug them in, they get compromised and you got to start over or you have to constantly replace them. If your only solution is buy the new one, that’s going to get expensive over time. So yeah, the big attacks, Slammer and ILOVEYOU and all that, did change things, but the change came from the vendors that came along with the solution and the startups that say, “Hey, the old way is no good, we got to do a new way.” And that’s how we got network admission control, which luckily never worked because it was stupid. But we still see vestiges of that, right?

In the zero trust world, they say, “Hey, if your device that you’re logging in on doesn’t have the latest software patches, we’re not going to let them on or we’re going to trust them less,” and same thing. It’s like, come on. Every hacker in the world knows that you can make the device that you’ve compromised say anything you want to the network. Totally patched here. We’re good to go.

Brian Contos:

Earlier you were talking about CyberCop and ISS and it made me think back to my early days of running SATAN and ToneLoc and installing, God, I think the first time I ran Check Point it was actually on three and a half inch floppies and I was loading it on Solaris 2.6 on a SPARCstation 1+.

Richard Stiennon:

It always amazes me what 12 year olds can do.

Brian Contos:

But I think back to then and what credential management was like back then, and hardening, and it was very early days. And John and I were talking about this the other day, how it feels like xIoT security today is kind of like IT security in the mid 90s.

Richard Stiennon:

Totally, totally. It’s all over again.

Brian Contos:

Yeah, we’re walking in, “Oh, you mean I should change the password on my 5,000 printers? Oh, it shouldn’t just be set to whatever, Joe came with a van full of printers and plugged them in.” He doesn’t care. He doesn’t have a security development life cycle. He’s just physically installing these things. And then just the level of services that are running, they’ve got Telnet and FTP and TFTP and SSH and HTTP and HTTPS and wired, wireless and Bluetooth. They’ve got everything up and running and their firmware, in some cases, is end of life. In a lot of cases, it’s six, seven years old. In every case, it’s full of vulnerabilities.

I mean these are basic things. Manage your passwords, harden your devices, patch them and update them. But I think what’s different here is it’s a question about automation and scale because like we said, three to five devices per employee, if you say, “Go patch 50,000 devices,” like those CIOs that used to call you when you were at Gartner, they’re saying, “Dude, are we supposed to arm everybody with a paper clip and they’re going to go walk around and reset these devices? What are we going to do?”

Richard Stiennon:

Yeah. When Chris Rouland first briefed me on Phosphorus, I remember going, “Huh, yeah. What a no-brainer startup idea” because we’ve seen it all before. We know exactly what has to be done and the solution is a lot of work, just the heavy lifting of classifying devices, having the latest firmware for them, coming up with a way to deploy 5,000 unique passwords to 5,000 devices and then find them again when you need to get back in to update the firmware. I say, “Wow, this is so simple to conceptualize,” extremely difficult to do, but it’s the solution. That’s what these large organizations have to do. So you’re just giving them the tools to do it.

Brian Contos:

Richard, I got back from this long tour through the Middle East and Europe and North America. It was all kind of about the time that OpenSSL was announcing, “Hey, there’s a new OpenSSL software package because, well, it was originally a critical level vulnerability, which got downgraded to a high level vulnerability.” But OpenSSL affects a lot of things, both IT and XIOT. And some of our customers are like, “Oh my God, how big of an issue is this going to be for XIOT?” And I wrote a little blog about it, but the kind of short notes for it are, is it something you should think about? Yes, it is. But you know what? You’ve got your password set to the default password on 25,000 of your devices already and you’re running firmware from 2006.

So let’s put this in perspective. How big of an issue is this? And it’s just, there’s so many problems that can be fixed with some actual really simple things. Like you said, find out what I’ve got, patch what I’ve got, harden what I’ve got, manage the certs, manage the credentials. And again, these aren’t crazy ideas. If you’re just following that, and we always say this in security, but if you get back to the basics when it comes to XIOT, you’ve alleviated 95% of how that attack surface can be leveraged against you in terms of what cyber criminals and nation states are doing. But it’s just getting to that point. And like you said, in your early conversations with Chris, it’s about scale, it’s about automation, it’s about being able to do this safely. And that becomes really amplified when you’re talking about now doing this in industrial control system environments where availability is absolutely key.

And what I was really taken aback with was when I was in the Middle East, they’re very eager to start rolling this out with industrial control systems. And the only big difference I really saw, and one of them might just be there’s a certain mentality in some organizations on the OT side whether or not they want to do any type of updates and password management, et cetera. But over there, a lot of their industrial control systems, they’re brand spanking new. They’ve just taken them out of their bubble wrap, they’ve just installed them, they’ve unwrapped them. They’re really new. They’re not 20 years old and they’re not depreciating like a turbine over the next 20 years.

So they’re very eager to say, “Hey, I’ve got all this stuff. It’s all connected. It’s all online. Let’s secure it.” And they seem very open to moving that way in a very rapid way. Not to say it’s not being done in the US. I’m seeing it as well, but boy, they’re going after it with a hunger, it seems to me, on the OT side throughout the Middle East. Is that something that you’ve experienced and you’ve seen in your communications?

Richard Stiennon:

I have in other realms, not in IOT in particular. Back when I was doing speaking circuit stuff, I’d be in Brazil and Colombia and I was always amazed because they’re talking about bringing broadband to people, and they would have phenomenal cellular infrastructure compared to the US because they didn’t have the wired infrastructure to begin with and they just leapfrogged. And Estonia is the best example of that where they have more cell phones than population, and everybody’s got one or two cell phones.

And I see that in young and emerging countries that they’re investing, and they have everybody’s experience to learn from. The one thing I want to know is if they’re putting in manual overrides, because we should be learning from Ukraine. They got back online because they could deploy people to throw switches, which US has been getting away from.

John Vecchi:

And the interesting thing, going back to when we started the early conversation, you were talking about vulnerability management and that market and how here it comes again. And one of the things, observations that I like to note in security is a lot of billions of dollars of VC money and companies discovering assets, whether it’s from a vulnerability management side or an endpoint side or enterprise asset discovery, all of this stuff.

And one of the hypotheses I have there is that all of those investments and all of those companies doing that have also convinced a lot of companies that you really can’t do much more than try to discover these things and see how sick they are. You’ve got loads of vulnerabilities, seven-year-old firmware, default credentials, expired self-signed certificates, on and on and on. But there’s a mindset that, “Well, you can’t really do anything about it, so let’s just make sure we discover them and show you what’s wrong and then stay there,” where new tools for XIOT, us included, can actually say, “No, no, no, you actually can go fix things.”

And as an example, all the things Brian outlined before, let’s update your credentials, do some simple hardening, let’s update the certificates. We’re not even getting to firmware yet. And look at all the things we can do. Do you think that that mindset from just being told over and over and over again, “you really can’t fix these,” is that also something that we’re kind of trying to get over in this space that people just don’t even think you can do anything about it? Or is that real?

Richard Stiennon:

Yeah, I think, in order to measure their risk, they need to know what they have, which is just Rumsfeld speaking from the grave because he introduced this whole idea in the first place. And so the first step is find everything you’ve got and then start measuring stuff about it. And that makes people comfortable to narrow the unknown unknowns and keep doing that, of course. You should know what you have and frankly, CSOs and IT departments are control freaks. So they definitely don’t like shadow IT and people just doing stuff. They want to analyze it and figure out the best product to create that solution that fits in with the rest of their stuff. And they don’t want to violate Microsoft-only policies, and they eventually crack when pressured by senior executives that say, “No, I’m going to use my Chromebook” or whatever they want.

But I think that’s the case. I think the advantage in IOT is that while these systems are critical, they’re connected because they’re signaling and they’re controlled and they’re doing stuff like that, but with the exception of the power grid, they can’t have cascading effects. So if you take one offline, it’s just not available while it’s offline while you update the firmware, for instance. And if you actually reset a password on an IOT device, nobody’s going to notice because nobody ever logged into it. So you’re not going to get a call from, in the Pentagon it would be the two-star, who says, “I can’t get into my system. What’d you do to it?” Not going to happen. So you can just do it. And I think it’s almost much closer to a solvable problem than it is with large server networks.

Brian Contos:

I think you’re spot on with that. A lot of our customers that are using our solutions, sometimes the groups are part of the vulnerability assessment team. Sometimes they’re part of the patching team. Sometimes the red and blue teams have combined into a purple team, and they both kind of use it. But what we’re finding is how they deploy it, how they utilize it and how they automate it. It’s a very quick turn-up time. And maybe that’s because I come from my SIEM days where we had POCs that lasted years. There are probably some that are still going on and I haven’t done it for 15 years. They’re probably still in POC, they were just so long and sticky.

But as we wrap up here, Richard, you’ve done so many things in your career. You’ve been an analyst, you’ve written so many great books. One of my favorites was of course Up and to the Right. Now you’ve got the Analyst Dashboard that the industry is all abuzz about. And I think you probably more than anybody have your fingers on the pulse of the security industry itself. What’s your crystal ball say for, I don’t even want to say five years, but over the next year or two, what are going to be the new hot themes?

Richard Stiennon:

Yeah, so right now I’m watching the so-called data security posture management. So GRC is seeing a burst of activity, and IOT obviously is right in the middle of that right now. But it’s time to go back to data security. And I’m seeing that with the so-called data protection companies who are backup and recovery companies. All of a sudden, they’re getting into security because backup and recovery is the best ransomware defense there is. So they’re getting into security and there’s a certain thing in messaging around ransomware, but it’s time to turn the old, stodgy data discovery solutions into security solutions that highlight, once again, it’s the vulnerability approach. It’s discover where your data is and does it need to be there and then create policies around it to protect it and eliminate it if it’s not supposed to be where it is. And that ties into all the privacy legislation.

So I’m thinking that’s going to be a pretty big thing. But in the meantime, on the front lines, countering targeted attackers, we are going to see the so-called supply chain attacks over and over and over. And nothing that [inaudible 00:50:10] is talking about, nothing that NIST is releasing addresses the fundamental problem of you can’t trust a software update. It’s going to be compromised because of course the NSA has done that. Now the GRU has done that. The SVR has done that. Everybody knows how to do it. China’s going to do it. North Korea’s going to do it. Iran’s going to do it, and cyber criminals are going to do it. And you can’t just keep hammering the software developers to do a better job. We’ve been doing that for 10 years. We’ve been telling them to shift left, basically stop doing your job and make secure crappy code.

They’re not going to do that. They have to get to market and they have to make money to justify all the investment in them. And some will. And they can say, “We got a stamp of approval from NIST,” and that’s not going to help them. People are still going to buy the product with the feature they want and they won’t care that their CI/CD doesn’t match this framework. So you have to have something to look at the software that comes in the door: digitally signed, perfectly encrypted, the hashes are all good, match, match, match, good to go, install it. And that will change as soon as the Microsoft update server network is compromised.

John Vecchi:

That’s very insightful. Richard, Brian and I could talk to you all day. It’s such a joy to have you today. We can’t thank you enough for joining us. And Richard, you’ve got books, you’ve got your dashboard. Quickly, how can our listeners go find some of these things? Where do they go to get them and find you and buy your books?

Richard Stiennon:

If you just connect to me or follow me on LinkedIn, you can’t avoid seeing all of that.

John Vecchi:

That’s fantastic. Awesome. Well again, thanks to our guests. Thanks to Brian, our host, and our guest, Richard Stiennon, thanks to you both.

Richard Stiennon:

Thanks, John. Thanks, Brian.

Brian Contos:

Yep, thanks, guys.

John Vecchi:

And remember, the IOT Security podcast is brought to you by Phosphorus, the leading provider of proactive full scope security for the extended internet of things. And until we meet again, I’m John Vecchi.

Brian Contos:

And I’m Brian Contos.

John Vecchi:

See you next time on Phosphorus Radio.

Author

Phosphorus Cybersecurity

Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.