
Data Security: Eric Adams’ Journey into Fintech and FedRAMP

In this episode, Brian and John speak with Eric Adams, a 25-year security veteran. Eric describes how he came to focus on protecting data from attackers, what it took to take a SaaS product through FedRAMP authorization so that government and military personnel could use it, and how cyber liability insurance fits into a company’s security program.

“Data is like the new gold. You’re able to do a lot of powerful things. Look at it on the positive side from the consumer.”

Eric Adams is a cybersecurity luminary with 25 years of experience in the industry. He worked on FedRAMP authorization at HP and IBM and later moved into fintech, working in treasury management and data aggregation.

Eric Adams worked at HP for 19 years and has spent the last 25 years of his career in different security areas. Through that experience, he learned the importance of data security and the need to document systems and understand security controls. He saw first-hand the military’s strict security measures and the power of data. From that he concluded that understanding data security, its controls and its compliance requirements is essential for companies to be secure and remain resilient, and that data, the new gold, is what must be protected.

In this episode, you will learn the following:
1. Discovering the “new gold” of data and the importance of protecting access to it.
2. The length and complexity of the FedRAMP authorization process.
3. The role of cyber liability insurance in strengthening a company’s security.

John Vecchi:

Hey everybody. You’re listening to the IoT Security Podcast live on Phosphorus Radio. I’m John Vecchi.

Brian Contos:

And I’m Brian Contos. And we have an amazing guest today, Mr. Eric Adams. Welcome to the show, Eric.

Eric Adams:

Hey, Brian and John, thanks for having me.

John Vecchi:

Welcome.

Eric Adams:

And thanks for saying amazing. Wow, I haven’t heard that. That’s really cool. Thank you.

Brian Contos:

That’s what you sent me in the email in your rider. Oh, was that my out loud voice? Sorry. So we were just talking before the show. I think the first time we were able to get together with the Phosphorus team was over at FS-ISAC in Florida. Boy, now it’s like seven months ago, right?

Eric Adams:

Yeah, it seems like two years ago. But that was awesome. That was a great event because that was the first time for a lot of people to be back at a conference and everybody was just excited to be at a conference seeing other human beings in real life. So really awesome event.

Brian Contos:

What I’m actually excited about is when I go to conferences now, everyone’s not just saying, “Hey, this is my first time out.” So now it seems like people have, they’ve been out a few times. Life is pretty much back to normal, which is great to see.

Eric Adams:

It’s nice.

Brian Contos:

So Eric, you’re a cybersecurity luminary. You’ve been in this space for quite a while. For those of our listeners who don’t know you, I was hoping you’d give a little bit about your background, your journey, and how you came up in the space.

Eric Adams:

Yeah, just a brief summary, worked for HP for 19 years. Started out at the data center in HP and then just worked in different security areas for about the last 25 years, in total, of my career. But worked there till about 2015. Went through a really big program with FedRAMP authorization, which was the first SaaS authorization, a product called Fortify, which is static application security testing. And it was a really big deal because government got to use this capability, which was very needed in cloud. And so I was really happy to be a part of that and then see other agencies adopt it as well.

From there, I went to IBM for just under three years. The same thing, being a FedRAMP strategist, bringing that FedRAMP capability training and learning how to go through the process for about 30 different business units, was really excited to work doing that. Then I saw an opportunity to get into FinTech about 2018, and for about the last five years I’ve been doing FinTech, first for Kyriba, which is treasury management, and then the second one was MX. It’s more data aggregation, kind of like Plaid, some of those areas.

Brian Contos:

Absolutely. So out of curiosity, so through HP and later IBM working with folks moving into the cloud and leveraging FedRAMP, what were some of the biggest security challenges you saw as people were making that? And I’m sure if you talk to a hundred companies, you’ll get a hundred different responses. But you had this really broad perspective of people making kind of their big entryway into the cloud. What were they running into? What were the hot buttons?

Eric Adams:

Well, a lot of it is finding out things that you think you know that you don’t know. And what that means is documenting your systems and going through security controls that are required because you can make your best assessment at what needs to be done security-wise on a system. But one of my good friends that I worked with, he said, “Look, the FedRAMP program, when you go through it, there’s no stone that’s unturned.” And so you’re able to see everything that really needs to be done. And then beyond that, there’s continuous monitoring. So it doesn’t stop at the assessment. There are things that you have to do at a scheduled cadence. And so really, what I observed, which is super powerful, is getting these teams together on workshops and going through a one-week onsite workshop, going through controls, being able to document them, being able to document diagrams and data flow diagrams, network landscape diagrams, and discovering devices.

And that’s one thing Phosphorus, I got to put a plug in for Phosphorus, that’s what Phosphorus does is discovers devices, IoT and OT, and then is able to understand what needs to be done with the security configuration of those, but also is able to remediate those, which is huge. So I think that’s one of the biggest things is understanding what you have, documenting it, making a baseline of where you’re at, and then understanding a plan of where you need to be, and then being able to figure out how to build up those capabilities, whether it’s technical capabilities or people or processes or a combination of all of those in order to meet those controls.

John Vecchi:

And Eric, FedRAMP is an incredibly laborious, long, difficult, expensive process. Many people don’t make it or take a very long time to get FedRAMP authorization. So how long did it take you? And is it safe to say that achieving your authorization for FedRAMP, that entire process, as you said, no stone unturned, helped really embed your overall security posture and implementation by going through that? Is that safe to say?

Eric Adams:

Yeah, totally. And the way that I look at it, so a couple different things is how long did it take? Well, when I first understood that customers that worked for government and military wanted to use cloud services was about 2012. And I was onsite at Fort Knox just south of Louisville, and I was there three different times doing training and also setting up on-premise systems for the US Army, so for active duty military and also civilian personnel. And they said, “Look.” This was at the human resources command, which is a very large area of that complex. And they said, “We want to focus on our core capabilities and that’s developing our software, which is part of the war fighter system, and we want to use cloud systems. But we can’t get this authority to operate,” what’s called ATO. And then literally a couple months after, FedRAMP came out. And I looked at it and I said, “Wow, I’ve worked on NIST 800-53 systems before with HP’s cms.gov contract doing security configuration.” I looked at it and I said, “Oh, we can do this.”

And I didn’t realize it, but it was like, wow, you’re really taking a bite out of this elephant. And later on, looking back, it’s like, yeah, you had to eat that elephant one bite at a time. But I started out building draft paperwork, and I thought, “Oh wow, this is a lot bigger than I thought.” And I finally got through that, submitted it, and then there were a few delays, which turned out to be good. But we started off with a kickoff meeting in Washington, DC at GSA headquarters in February 2014, and it took a year to go through a FedRAMP Joint Authorization Board, a JAB authorization, and get approved in February 2015. So that’s pretty uncommon, but you have to take a step back and look at the firepower that I was able to pull from at HP at the time.

So there were capabilities and teams who had things like disaster recovery. We had infrastructure as a service in IS center in Orlando. We had a backup one in Colorado Springs. So we were able to build things that didn’t really exist by utilizing those centers and meeting federal requirements because the people knew federal requirements. They were a little bit different, but they were also, I was able to talk through the FedRAMP process with them, say, “Okay, here’s what we got to do for this control family.”

And then the same thing with monitoring. HP owned ArcSight. And so we were able to build up the monitoring capabilities. We were able to work with engineering and development of our SaaS cloud server, or system, and we were able to then modify the code to be able to build the correct logging for the system. So a lot of these things just sheerly didn’t exist.

But this is what I also learned afterwards, going to IBM and saying, “Okay, this is what I observed. You’re going to go through here and you’re going to go through the controls. Some of these you’re going to have implemented, some of them partially implemented, some of them not at all.” And so you just get that baseline, and from there, you’re able to analyze how much work in terms of time, effort, cost, is this going to take. And then you’re able to push that into project management and budgeting and return on investment.

This is probably the most important part of this, and you mentioned it earlier, how long does it take and also, the second part of that is how long do you bring on customers, realizing US public sector sales and operations is different. It is a slower process. Commercial, you can spin up a cloud service, you could sell it to anybody. They like it, they do a proof of concept, they use it, it’s great. You write a contract, it goes through their legal, your legal, and it’s done. You do a one-year deal or a two or three year deal. Now it’s a little bit different with government. They have their processes, they’re very obviously safe and secure processes that they have to use. And so the good part about that is once you get those customers, they can be customers for almost lifetime, as long as you’re fulfilling what you’re supposed to be doing with the requirements. So anyway, long answer to that, but had a lot to input.

Brian Contos:

That was really valuable. And I’m just wondering, when you were at Fort Knox, how much of a threat was there to somebody breaking in by launching some kind of aerosol spray and then making all the gold radioactive so that it couldn’t be traded anymore because that was the plot to Goldfinger, spoiler alert, the James Bond movie, and I just want, are they prepared for that?

Eric Adams:

I have a couple of different interesting scenarios from that that I can tell you about. No, I actually asked, well, I didn’t ask the question. I was around when somebody was talking about it and they said, is there really gold here? And some people are like, “No, that’s like a myth.” And then somebody’s like, “No, we think there is.” Over by the highway that goes through town and the site is off to the east of there, but there’s a white building on one of the exits. And they’re like, “No, we think it’s under that white building.” So nobody knows.

Brian Contos:

People walking around with shovels and metal detectors everywhere.

Eric Adams:

It would be interesting just to try that. But I’m sure someone would be out there immediately. One thing that I did find out is when I was doing training in a training room, all of the doors, people have to have a badge on their lanyard or their belt clip to be able to be authorized to get in. And so everything is authorized by role-based access control and all of that. Even being able to, and I was there 10 years ago, so things might have changed to be better, obviously. But anything that they access, of course, you’d put your PIV CAC card into your keyboard slot and be able to be authorized, which is really great. But they said, “Look, whatever you do, if you’ve got a presentation, you use this computer and you use the presentation you’ve given to us. Do not put a USB stick in this computer, or there will be an armed guard here within about 20 seconds.” And yeah, I left all my USB sticks at the hotel after that.

Brian Contos:

I remember when I was with DISA, they actually went around and put epoxy in all the USB slots.

Eric Adams:

Sure.

Brian Contos:

I thought, okay, there you go.

Eric Adams:

Yeah, no direct memory access or anything. Yeah, it’s all shut down. Same thing also with, I noticed too, again, this 10 years ago, but with cell phone coverage. I was using my GPS to figure out how to get there, and then all of a sudden nothing works except for voice and text, that’s it. So everything is shut down, and it should be, it’s a secure facility. And you can hear artillery. There’s the M1 Abrams tanks shooting artillery all the time, and it’s pretty cool. It was really fun.

And then I think it was like 7:30 in the morning, they would play the music over the loudspeaker, the trumpet, and everyone would stop on the base and salute the flag. So if you’re driving your car, you literally stop, you get out of your vehicle and salute the flag. And then later in the day, I think four o’clock, it was pretty awesome. And another thing, do not use your cell phone. Don’t raise your cell phone up to your ear to use it. Go on speaker or the MPs will come get you.

Brian Contos:

Wow.

Eric Adams:

That was back then when smartphones were kind of new-ish still, and so people were driving around. Now, that’s kind of a law. So it’s a secure facility and it should be. But yeah, they take obviously information security very seriously there.

Brian Contos:

Well, very cool. Let’s pivot a little bit away from FedRAMP, and I want to talk about financial services for a bit because you’ve worked for a few different companies that have really focused on that arena. I’m just wondering, over the years that you’ve been involved with FinTech and that whole world, what seems to be the leading cybersecurity threats at this point? Because generally speaking, when I think of financial services, they’re kind of tip of the spear because people want to rob them and they’re a big target. So they get hit by a lot of nation states and cyber criminals, and they tend to see the more sophisticated attacks, in general. So what is it that’s kind of piquing their interest right now in terms of cybersecurity threats?

Eric Adams:

Well, if I could put it down to one thing that I want to protect on the defensive side, it’s the data. And if you look at this, and so what I explained before is mostly system-type, too: lock down the systems. But then the way I visualize it is there’s another layer above that, and that’s the data layer. But it’s really protecting data and access to data. Data is the new gold. You’re able to do a lot of powerful things. Look at it on the positive side, from the consumer. Before, if you wanted to get credit approval, you would fill out a form, you would mail it, it would take a week or two, and then it’d say, “Oh, wow, it’s great. You’re approved,” or maybe you’re not, you’re denied. But now there’s instant verifications because of the power of that data is you can get instantly approved for something.

So if you think about that, and there’s different levels of approval based on your creditworthiness, maybe there’s factors like income, how well you’ve paid your previous bills, what type of credit you already have, what accounts you already have, different things like that. So really the attackers, they’re going after that data. They want to know that data. It’s super powerful. And so that’s really the thought process I have when I’m looking at systems is, okay, where do we propagate data to? How long do people have access to it? You look at things like APIs, what is going across the APIs? And then there’s also a compliance layer on top of that. Is there PII going across that, is there CVV or CVV2 going across it? How are we protecting all of that? So in the FinTech world, I think the FinTech world is really getting a lot better at looking at this.

But what I’ve done too, is after the experience going through the federal controls, NIST 800-53 controls is saying, wow, that gave me an experience to then look at a different type of industry and say, “We’re going to select really important things to us.” And again, back in FinTech, it’s data. And so those controls that are really closely around data, those are going to be really important. And so that’s where you kind of build your own security controls framework. And then obviously, you’ve got your other compliances like PCI compliance or SOC compliance or cloud. But really, if you’re able to explain that to an auditor and those are the ones you’re putting a lot of thought into, I think that makes your system very resilient.

John Vecchi:

Yeah. And it sounds like, which is understandable, that going through FedRAMP kind of broadened in some way, maybe technologies that you needed to have as an infrastructure to get your ATO, let’s say. And it sounds like then you would take that with you say into the FinTech world and perhaps use some of that knowledge and expertise to better protect data, protect PII. What were some of the technologies maybe that even came from the FedRAMP side that you leveraged in the FinTech side to help with the data and PII side of things?

Eric Adams:

That is a great question. And kind of the methodology and going back to working at a large company and we make a lot of these things, but then also understanding and even going to the next large company, but then watching the evolution of this of, look, a lot of companies now are built up of mergers and acquisitions. And so they’ve acquired a lot of different companies, different capabilities, different products that they’re using. And so really, those companies now are focusing on only that and they’re really leveraging a lot of third party. And now you’re seeing… You guys have been to the last RSA conferences, FS-ISAC conferences, Black Hat, all of these, look at all the security vendors out there. It’s like multiplied both in depth and width. You go in there and you’re overwhelmed and there’s all sorts of things.

So really, you see a lot of these different capabilities. And so throughout the year, I feel it’s really important for security leaders to understand which ones they should be looking at in terms of their risk, and then speak to them and speak to others in that market, competitors in that market and understand the type of capabilities that you really need. So there are some right now with, like I said, APIs and being able to understand, discovering your APIs, cataloging your APIs, having API reuse, understand what’s going across that. I think that’s really where it’s at for companies to be on the leading edge of security is to be able to really manage that. And also the procurement cycle. I’ve seen some really good things in the industry to where the finance departments of a company and their security departments work really close together.

And the finance departments that are very security savvy that understand these capabilities and to say, okay, here is our strategy. Maybe we’re going to displace some older products. Maybe we’re going to use a product line that has maybe some wider capabilities, or maybe they don’t do so well in some of those wider ones, and we’re going to choose not to buy that this year and to buy something else. So I see that as a really big up and coming area where companies can really strengthen themselves.

And also, one more point to add to this, cyber liability insurance. Wow, it’s gone way up, right? And so every year going through this review of cyber liability insurance, and again, plug to Phosphorus, because I feel that’s a capability that just goes out for anywhere from small to medium to large companies. And to be able to say, “Here’s what we really got. Here’s the state of it, here’s the things we remediated,” and you can show that to an underwriter and it should, theoretically, lower your premiums and also your increase in your amount of coverage should, I would feel, increase as well.

Brian Contos:

So Eric, we mentioned at the onset of the podcast that we had connected at FS-ISAC, Financial Services ISAC, which of course was filled with financial services companies. And the dinner we were at there was back-to-back discussions about xIoT and problems and issues with it and how to address it, et cetera. It seems to me like maybe about a year ago, perhaps a little bit more, a little bit less, a lot of organizations woke up and said, “You know what? We have a lot of these devices in our environment. And not like we have hundreds, we have tens of thousands, if not hundreds of thousands or more in a lot of these organizations across IoT, OT, and network devices.” And then they found out that, you know what? These things are mostly Linux and Android and BSD, and they’re running Telnet and SSH, and they’ve got all the common ports and protocols and big hard drives and input output and wifi and wired ethernet.

They’re basically a laptop, a lot of these, in some cases, much more powerful. And then they say, “What tools do we have to address this?” And they’re looking at their huge list, again, these are financial services companies, they’re a huge list of cybersecurity tools that they have. And they’re like, “Oh shoot, we don’t really have anything to address this.” So my question to you is why do you think historically, has the xIoT space maybe been ignored or has just the addressing xIoT just been too complicated or why hasn’t it been addressed earlier? Because it’s not like it’s new, it’s been around for a while, but what happened?

Eric Adams:

Well, you’re probably thinking about what I’m going to tell you because I think we’ve talked about this before. But when I was at HP, we used a product that a guy here where I live in the Boise, Idaho area built, and it was called Web Jetadmin. And this thing was, for its time, I think he built it in 1998 or ’97 or something like that. But using a browser, not using software, but a browser, non-proprietary, you were able to go out and discover network connected printers and realizing, okay, companies were starting to really do this and they had an enterprise of all of these systems everywhere. And we talked to some of the top companies that were doing this. I believe Delta was one of the customers back then, State Farm, some of these big ones. And they had printers everywhere, multiple sites, multiple cities.

And managing them, they discovered, was a really big headache, and the security state, upgrading firmware. And now you’ve got all sorts of things like certificates on these devices. You’ve got firmware, you’ve got security configuration settings. Back then, you could Telnet to these things. Then the evolution of being able to SSH to them. So you’re turning off these older insecure protocols. And so it’s very interesting. I asked myself the same question because in that example also, you were able to use management information bases, the MIBs, of other devices, and also find not only printers of that company, of HP, you were able to find other printers as well. And so really I thought, “Wow, this is going to be the way. Somebody’s going to do this. Some smart cookie will figure out how to do this for all devices.” And it didn’t happen.

So when I was a security architect back in 2006 through 2010, there was another security architect for the imaging and printing group. And his favorite thing would be to get in the middle, man-in-the-middle attack things. And so at the site, there was a television, he’s like, oh, this is going to be so easy. And he fires up like Burp Suite or something and it’s an IoT type of TV. Totally insecure, I think it had default passwords. It was awful. So really that didn’t happen. But what I feel is there’s all of these other companies, look at cloud security posture management, they do something really incredible. But I think that’s the shiny object right now. And it is needed, absolutely needed. But if we look at other things, we look at the IoT, OT type of discovery, configuration, remediation, yeah, that’s super powerful. I mean, that’s amazing. It’s an amazing capability. Everybody should be running a Phosphorus capability, I feel.

John Vecchi:

And do you think, Eric, that it starts with discovery? So on the remediation side, and we talked about the issue with these devices, over 50% of them are deployed with the default passwords. If they have been changed, they were changed only when they were installed with some basic password and left, never touched again. There’s firmware six, seven years old, there’s loads of ports and protocols open, Telnet, SSH, all these things. The certificates are self-signed, they’re out of date. You’ve got a lot of issues. But is it the remediation set? Does it start with discovery? You mentioned it, right? A lot of times, we don’t even know, upwards of 40 to 60% of all the enterprises we talked to really don’t have an idea of how many of these devices they have. So I’m wondering, do you think it starts with just the ability to even find them and discover them and then we can talk about remediation? It’s kind of a chicken or the egg? Which one do you think it is?

Eric Adams:

Oh, yeah. Well, here’s what you guys I’m sure have seen, and here’s what I typically see is when you fire up a capability like this people think, they’re like, “Oh yeah, we got these things covered,” because maybe they’re keeping an accounting of them in their head or in some sort of system or Excel spreadsheet or something. They’re like, “Oh yeah, we’re good.” And then they run something like this and it’s a whole new world. It’s like, “Nope, that’s not what I thought.” It’s shocking, basically. And I’ve talked about this before with artificial intelligence in things like using that for security operations, like a SIEM platform. Really, you get these type of capabilities that do discovery or do something that humans overlook. They think like, “Okay, we’ve got this covered,” and really they don’t.

And also, here’s a second part to this. I was in a CISO group meeting, I think this was just last week, and we were looking at where are companies focusing their budgeting for next year? I don’t want to bag on cloud security posture management, but that was one of the top ones. I’m like, yeah, that’s important. That’s super important. If you’re building cloud or you’re hybrid, you’ve got on-prem cloud, super important. But everybody sees that.

And then near the bottom was asset management. And there’s two other CISOs and myself, and we’re just like, “Wow, okay.” Because I might be an old school person, but I believe in the ITIL process where you’ve got a configuration management database, and that’s one of your first things is understanding everything you have, and not by spreadsheet. It’s by actually going out doing discovery, validating that, and then re-validating it at an iteration so that you know what you have. And that’s one of the NIST controls too, is that I think it’s in the configuration management side where you understand what you have, you have that baseline, but then also you’re iteratively doing it, whether it’s daily or hourly or whatever it is. So really, there’s got to be that part of asset management and configuration management, but then also securing things. So like CIS level one baselines, ensuring that you’re meeting some sort of a minimum threshold of security configuration settings.

Brian Contos:

Yeah. It’s moving from assumption-based security to evidence-based security. So you actually know what you’ve got and what it’s doing. You said something that I want to drill down on a little bit, because I think it’s really interesting. A lot of organizations, one, you mentioned they don’t know what they have. And then they underestimate the impact that that device can have. And one of the areas that I really see this are devices that help manage other devices in IT. So not the cameras or the printers or the door locks, those are very important. But things that people often overlook are the KVM switches, lights-out management, UPS, racks, storage cabinets. These things, they’re not as sexy. I get it, as a security camera, that’s going to spy on you. But at the end of the day, if you connect to a lights-out management console, you can spawn a shell, a virtual terminal, shut the machine down, change settings, upload malware, and it’s a little Linux server. Usually, they’re Ubuntu. Usually, they’re Ubuntu, like version 10 from a decade ago.

So who cares what, to your point earlier about data security, you could have spent a lot on network security, data security, endpoint security, app security, but here’s somebody that just got in because there’s no password set on your lights-out management and just opened up a shell and now they’re copying or destroying or modifying all your sensitive data. I don’t even want to talk about business leaders. Do you think security leaders are now grasping that, “Boy, my threat landscape is actually a lot bigger than I initially thought”?

Eric Adams:

So I think that security leaders need to do a better job of explaining this in a business context to the rest of the executives and the board, and also in terms of risk. So I used to build, 20, 25 years ago, I used to build systems with integrated lights out cards that they would just send the systems to anywhere in the world. And so I would get access to them and I had access to that card. And if it’s admin, admin and somebody’s able to scan and find this, it’s game over. Because you can upload your own ISO file. It could be a Linux distribution, it could be anything. And then you’ve got command and control using that. You’ve got a control point using that server. And then you could probably do it undetected as well.

So really, I think that it’s important to understand the hierarchy and the priority of IoT devices. Because there might be things like fish tank sensors, there was the hack with a fish tank sensor, and there might be those. But those are less common than things like a lights out card or something like that. So there is a prioritization model that should be seen that says, “Yeah, these are higher risk, these things have got to be locked down,” and then you work your way down.

John Vecchi:

Eric, are there certain types of attacks in, let’s just say in the FinTech world or your work there, from an xIoT perspective that you worry about maybe more than others? For example, I know in many attacks now they might initially target an IT asset with a traditional attack, phishing attack or something, and then pivot to find an xIoT device to hang out there for a long time and maintain persistence. And some of the malware we’re seeing is focused on exfil. Are those attacks you worry about, or is there any type of attack from an xIoT perspective in particular that you, considering you are well-versed in this, worry about?

Eric Adams:

Yeah. And it mostly comes down to things for convenience or for being able to do a particular capability, like an office capability. Look at maybe things that are designed to check people in or out that have network internet access or to have room availability so they schedule conference rooms. Those are great, they’re awesome. You can block out a room, you can do it through your calendar software, you can do it right there. But those things have to be evaluated because if somebody’s able to get on your network, let’s say through wifi or whatever, and they’re able to get into that, and then they’re able to pivot, like you said, and be able to get into other systems, then do a credential spraying attack and be able to get credentials, and then get credentials that are important, that are system administrator level, and then be able to reuse those on other systems.

And somehow, there should be obviously a separation of networks between your business office operational environment and your product hosting environment. But if they’re able to reuse any of those. And so those are the biggest fears that I guess people like me think about when they’re thinking about IoT devices, is all of that type of scenario that I just explained is, you got to think in that hacker mindset of what are they trying to find? And once they’re able to get in there, are they then running a scan to look and see if there’s unencrypted traffic? They might find an LDAP server that’s not running LDAPS, and then they’re able to listen to that traffic and then find an entry point and then exfiltrate data back. Yeah, just again, it’s being able to discover all of these things and then evaluate them on a priority and then be able to ensure they’re locked down.

Brian Contos:

Yeah. That’s great. And I think that example goes right after, whether it’s an LDAP server or some type of unstructured data store or whatever it is, these are important devices. And if you’re on an xIoT device and no one’s paying attention to it, and you’re using that to cherry-pick what devices to make API calls to or enumerate shares or whatever it is you’re going to do against these devices, chances are you’re not going to get detected and you’re going to be able to hang out and do what you want and try again for potentially years.

So with that, Eric, as we wrap up here, you’ve been in the industry for a long time, you’ve seen a lot of things go wrong, you’ve seen a lot of things go right, what words of advice would you like to leave with our listeners that are thinking about xIoT security or other areas in cybersecurity where they’re just trying to get their arms around it? Any kind of takeaways for them?

Eric Adams:

Yeah. I would say obviously, there’s a lot of things on people’s minds and there’s the newest things out there to take a look at. And obviously, those are important. But also, don’t ignore the basic things. Again, it comes down to configuration management and ITIL principles of understanding everything that you have. Understand what you have in production, understand things that you have in pre-production or in sandbox testing, whatever it might be, because those can also be attack vectors. Maybe there’s things that you thought you decommissioned that didn’t get unracked or didn’t get the drives taken out and properly disposed of. And so really, understanding all of that and being able to, like I said, scan things like IoT devices, being able to use those capabilities that can lock them down. Those are super important. So I think really having hardware inventory, software inventory, being able to have that updated at all times, being able to reconcile that to a visual diagram, understanding configuration state, that’s all super important.

John Vecchi:

Yeah, amazing advice and fantastic discussion. It’s so great to have you with us today. So again, thanks to our host, Brian and our guest, Eric Adams. Eric, thanks so much for joining us today on the podcast.

Eric Adams:

Yeah, thank you guys.

John Vecchi:

And just remember everybody, the IoT Security Podcast is brought to you by Phosphorus, the leading provider of proactive, full scope security for the extended internet of things. And until we meet again, I’m John Vecchi.

Brian Contos:

And I’m Brian Contos.

John Vecchi:

We’ll see you next time on Phosphorus Radio.

Author

Phosphorus Cybersecurity

Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.