Podcast

Shifting Left: Vendor Responsibility for Cybersecurity ft. Kathleen Moriarty

“Discover how to hold vendors accountable for their cybersecurity responsibility and protect your business from attack.”

In this episode, Brian and John are back, this time with Kathleen Moriarty discussing how to hold vendors accountable for their cybersecurity responsibility and protect your business from attack.

Kathleen Moriarty is a cybersecurity expert with over 25 years of experience in the field. She has served as a CISO multiple times and is currently the Chief Technology Officer at the Center for Internet Security. Kathleen is an IETF Security Area Director and author of the book “Transforming Information Security.”

Kathleen Moriarty learned about vendor responsibility for cybersecurity through her experience working at an Internet Service Provider in 1995. She has noticed that vendors are pushing for security as code, which involves managing security at scale and setting up policies for posture assessments, configuration requirements, and more. She works for the Center for Internet Security, which supports under-resourced state, local, tribal, and territorial organizations. They are developing a document that provides general guidance for IoT vendors so that they can be held more accountable and ensure the devices they provide are secure. There is a need for a tool to make sure that updates are provided, and vendors should rely on something other than the end user to ensure their device is secure. She is also working on standards that help hold vendors responsible for cybersecurity, and ultimately help protect people from the sophisticated threat actors out there today.

“We have to take a step back, look at how we have done security for the past 30 years and say, can we change it now as we implement these new requirements? We have to push security back to vendors with architectural patterns that scale.”

In this episode, Brian and John discuss with Kathleen:
1. How can vendors be held more accountable for delivering secure products?
2. What strategies can organizations use to build resiliency into their infrastructure?
3. What techniques can be employed to reduce the burden of manual system maintenance?

John Vecchi:

Hello, everybody. You’re listening to the IoT Security Podcast, live on Phosphorus Radio, and I’m John Vecchi.

Brian Contos:

And I’m Brian Contos, and we have an amazing guest, the one, the only, Kathleen Moriarty. Hi, Kathleen.

John Vecchi:

Welcome, Kathleen.

Kathleen Moriarty:

Thank you so much for having me. I’m looking forward to the conversation.

Brian Contos:

Oh, I just love talking with you, Kathleen. Your perspective is so much different than our general operators, our vendors or other people that we have on there. You just come at this from a really different angle. But if you wouldn’t mind maybe giving our listeners a little background about you and how you came up and got into cyber and what it is that you do today.

Kathleen Moriarty:

Great, thank you. Let’s see. I began working back in 1995 at an internet service provider, which was just an awesome opportunity because we weren’t siloed then and I was able to get exposure into lots of different areas before I went into security; so system administration, networking, configuring BGP, and then dove more into security. So I had more of a feel through that experience of a bigger picture, which I’ve oscillated back and forth between a narrow focus and a wider focus throughout my career. It’s been really interesting being able to do that and being able to make some turns in my career that might not have been possible otherwise. So let’s see. I’ve served as a CISO several times and had the opportunity to do consulting and get into hundreds of companies and just learn the differences between applying security at one organization versus another and how the industry differences really impact the decisions you should make to align to your business risk and not just following a program.

Then while I was at Dell in the office of the CTO and EMC before that, I had this great opportunity. I was nominated to serve as an IETF security area director, and then actually was elected into the position, which was a huge honor and had the opportunity to serve two terms. What was really interesting about this was, it was 2014, March 2014, you remember what happened a year before that, Snowden Revelations. So this was a really important time in the IETF time period because we were thinking about how do we have strong encryption everywhere, so it was quite transformative. Being an area director, you’re reading every paper published throughout the entire IETF.

Looking at security problems for that time period, so over four years, every other week I was reading 400 pages and seeing who was doing what and how might security evolve in the years to come because oftentimes, standards are a little bit ahead because they’re developed and ratified before they’re implemented in many cases. So this gave me some interesting insights. At the same time, I worked with an operator AT&T, Al Morton and worked on this draft at the time, which is now RFC 8404, which turned out to be really controversial and it wasn’t intended to be on the impact of encryption to operators. We were just documenting what’s going to break as we have more encryption.

Because unless you know what you’re going to be faced with, you’re not going to plow through that problem and get to good, strong end-to-end encryption, right? You’ll encounter too many obstacles if people can’t plan for it. So this altogether, I wound up changing how I thought and took that large body of information and said, “Wait a second, we’re going about this all wrong,” to your point, Brian, “we have to take a step back. We can’t continue to push security to the end organizations. We have to push it back to vendors with architectural patterns that scale and this push for encryption is going to change how we manage security anyway. So it’s a really good time to take a step back, look at how we have done security for the past 30 years and say, ‘Can we change it now as we implement these new requirements and we push security to the end point with end-to-end encryption?

Can we have the vendor do more? Can we not just shift left, but shift left where they manage security over time at scale?'” There were some good patterns that emerged like the Manufacturer Usage Description Protocol, which I’m sure you’re familiar with at Phosphorus that allows for scale and set an example. So this resulted in a book and resulted in a job change. Now I’m at the Center for Internet Security as the chief technology officer. We support state, local, tribal, and territorial organizations who quite frankly, are oftentimes under-resourced. So it’s a great place to be in order to try to push this message of, we have to do more with the vendor so that each organization really can survive and not be held responsible to secure products after the fact because they can’t do it.

Brian Contos:

Yeah, I remember when we spoke last and it was right about when the book was coming out and just the controversy that was around everything, that was just basically at the end of the day it boiled down to, vendors do better. That was a lot of it. It’s funny to me that there was pushback around that, but you know what? If it wasn’t real change, there wouldn’t be people getting a little bit upset about it. So obviously what you suggested, and I think you were right on point, is definitely moving this battleship that’s stuck in the mud and moves very slowly to get into the right direction. I just love the fact that that is coupled with your early days of configuring BGP-4 routers. Because I remember back in the day when I was living in Brazil, I was working for Bell Labs at the time and we were doing assessment on their telecom backbone.

We were looking at all their BGP settings. The biggest problem from a security perspective is every single router had the same password, and the password was pinga, P-I-N-G-A, which is a very popular drink in Brazil. I’m like “If somebody gets this little very simple-to-guess password, they can basically take out South America,” and that’s not an exaggeration. So the fact that you went from that core, very techy, hands-on all the way up to the visionary status today, that’s fantastic, and working on, of course, RFCs and internet drafts. Of course, my favorite RFC of all time has to be 2549, which I don’t know if you remember that one, but it’s IP over Avian Carriers, which is-

Kathleen Moriarty:

Yes.

Brian Contos:

… TCP/IP packets over pigeons, essentially, so not to say there isn’t a sense of humor in RFCs.

Kathleen Moriarty:

Yeah, there’s usually a good April 1st one each year.

Brian Contos:

Absolutely. Absolutely.

Kathleen Moriarty:

That one holds its fame.

John Vecchi:

So Kathleen, the history you just outlined is so rich with just so many areas we could dive into. But again, keeping the focus a little bit on your book and the focus on vendors, has it made a difference? Where are we now? Obviously that was big. It was a little controversial, it was edgy. Where are we now? Have people got that message? Are you seeing a change or not?

Kathleen Moriarty:

I’m definitely seeing a change. So a year ago McKinsey posted a paper coining a term called security as code, which is essentially a whole bunch of this where you set out policies for things like posture assessments, configuration requirements, really setting what your policy is and then having it maintained to that over time. So I didn’t describe it quite as elegantly with a nice coined term, but a year later they coined this term, and I’m hearing that term everywhere.

John Vecchi:

Yes.

Kathleen Moriarty:

So every time I moderate a panel, I hear the panelists talk about that and vendors talk about implementing it. We had those types of things tested out with the NIST NCCoE more than a decade ago. So these types of things were possible, but I think now more people are seeing it and are asking for it. There are projects between vendors and nonprofits such as the Cloud Security Alliance, and Google is pushing for security as code and working toward that as a solution, which is really awesome. That’s what we need to see more of.

John Vecchi:

Yeah. Do you see a difference in the types of vendors adopting this, and what would your observations be around that, if there are any?

Kathleen Moriarty:

Yeah. I’d say the example I gave with Google is a good one. I don’t think that’s a big change for them because they have really pushed this type of theme. Other vendors I’ve spoken with are inching towards this. You could see with Microsoft Defender, while those are at cost, there is more baked in. They are including things like allow listing for applications, and that’s a big change because if you can allow list what code is expected on your system, then you can automatically not allow anything else, and that’s a very large step. Conversations with them too on future work have been quite promising. They’re not quite there yet in terms of making it easy, but I think they are very open to this and working towards it, it seems.

In terms of other vendors, yes, there’s a few others that I’ve been talking to who are implementing security as code for market sectors. One gave a presentation at the Cloud Security Alliance, and that was IBM working for the financial sector to implement policy as code. I’m trying to think what else is public knowledge that I can share and that at least I can point to a public presentation that was given. But Dell, with their Apex service, that’s another example where you could have secured cloud storage and they’d either manage on-prem or multi-cloud type scenarios so that your storage is managed securely to your expected configuration set without you as an organization having to do anything.

Being able to burst storage and have those types of capabilities is important, so there are several vendors. You know what? VMware too longstanding, they’ve had their Workspace ONE offering where you can buy traditional infrastructure from most of the large traditional infrastructure vendors. So that includes Dell, HP, Lenovo, so it’s configured and managed to the CIS benchmarks over time, which is a huge win for organizations with very few resources. So yes, these trends are really picking up. Are we there yet? No, there’s going to be a few more years of work. Things like the supply chain work is still very early, so that will take about two to five years before we start seeing major gains in this. But I think the general push is in this direction so that it’s managed at scale.

Brian Contos:

I really liked how you mentioned organizations with limited resources because sometimes, not always, but sometimes, especially from a vendor perspective, you think that there’s just hundreds and hundreds of security folks out there within the organization just waiting to use your product. They’re just sitting on their hands waiting for you to come in and save the day and they don’t have a day job, which is never the case. Often, there’s organizations that have very, very few people that I think about healthcare providers specifically, and not necessarily the big name brand hospitals that we might think of, but some of the smaller ones in clinics where they have just a couple IT people, maybe one, and they’re also managing the phone services. They’re also managing the security cameras and the door locks, and they’re the folks that make sure the soda machine’s stocked.

They have a zillion different jobs and it can be very challenging for them to try to get there, because a lot of the times they have the same risks. They have the same problems, they just don’t have the same budget and they don’t have the same resources, so I’m so glad that there’s focus on that from your side. What I’m wondering, Kathleen, as the CTO for the Center for Internet Security, you have a view and a perspective that’s quite a bit broader than a single vendor or a single organization. So I’m wondering, when you think of the threat landscape and threats and trends and priorities, what are you seeing? What’s happening, and how has it changed, if it has changed at all, maybe over the last few years?

Kathleen Moriarty:

What’s remained the same is that attackers look for the weak link, right?

Brian Contos:

Mm-hmm.

Kathleen Moriarty:

I’d say though, in the past couple of years, what we’ve seen is not just supply chain attacks, but ones that hit so many entities merely causing collateral damage when they, in fact, likely do have a target that they’re after. So if you think to SolarWinds, thousands of companies were hit, yet, the number that were further infiltrated was much smaller than the large swath of organizations hit. Then even smaller was the set that had data exfiltrated, but huge collateral damage where the general advice was, “Wipe and re-image your systems.” So it’s pushing for resiliency in infrastructure because you don’t know when you’re going to be hit again, and that’s a big ask for under-resourced organizations, but really a call for change in terms of when we rethink how we manage security that we have to do it at scale, and we have to build in resiliency because we need to be able to rebuild our systems pretty quickly and try not to have our business down for too long.

Then we also have to think about ransomware because that has increased greatly too over the past couple of years. There’s a financial motivator there on the attacker side, and for the end entity, they don’t want to feed the attacker so that they can conduct more attacks, and they also want to recover their business quickly. So we have some pretty big challenges at the moment, and it’s because we really put too much of a burden on every single organization. So there are holes, there are ways that people can get into organizations, either configuration problems, which is one of the biggest problems in cloud-hosted environments right now. I think 80% was a number quoted to me from one large vendor, and that can be eliminated. We can do a lot better there.

John Vecchi:

Yeah. For our listeners, Kathleen, who maybe they’ve heard of CIS, maybe they haven’t, how do you go about pulling together the information that you publish and that you share with organizations? What does that look like? What’s that process like for you?

Kathleen Moriarty:

Sure. So some of the core products are the CIS best practices, and that’s out of our best practice division. They work with experts throughout the community. For the CIS controls, there is a set of industry experts that collaborate and help to prioritize which controls are the most important. So you can use the CIS controls either on their own or against another framework so that you can say, “Oh, wait a second, these safeguards are going to block the most seen attacks, and so I’m going to implement these first because it’ll take care of the low-hanging fruit,” or, “Because of the CIS controls, I can justify to my board that I need to implement against these safeguards because the five biggest attacks are addressed if I do these steps first,” so there is a group of experts. Then after the process of normalizing the controls and figuring out what the priority is of the safeguards under the controls, they map each of the safeguards to the MITRE ATT&CK framework and then map in all of the vendor reports for breaches from the past year.

Then that’s a validation on the ordering of those recommendations so that we truly are with our implementation group one addressing the five biggest attacks, so that’s one set of standards. Another set that comes out of that same group are the CIS benchmarks. There’s over 100 of them available. They’re for devices, operating systems, applications, and essentially, these are driven by demand. So there are some that have higher demand and get more attention, and there are some that don’t get as much attention because the demand isn’t there. So if you see one falling off and you need it to get more attention, we need to get that feedback. We also would love to have more volunteers to work on those particular benchmarks. So this is another case where we are driven through a consensus process of industry experts that contribute to the benchmarks and to their maintenance, so those are important sets of standards. Then my team is in process of developing one that we hope to have released in the new year for IoT.

Now what we’re trying to do here is a little bit different, and it may get handed off to our security best practices team at some point in time, or perhaps it leads to them doing specific benchmarks in IoT. But what we’re going after is general guidance for IoT aimed at the vendor instead of the organization is we’d like to shift left what is done. In talking to some of our reviewers in the process who are at large IoT companies, one of them made the point that the partners they work with do a good job of security, but what this document might fill the gap for at least them would be their OEM partners who don’t necessarily have someone on staff with this level of expertise to bake security in. So the team dissected the protocol stacks prevalent for IoT devices and provided guidance on each of those protocol stacks as well as general IoT guidance. Then we reached out to a whole bunch of industry experts to weigh in on the recommendations and to make sure that we are targeting this correctly and have good solid sound advice.

Brian Contos:

Yeah. Kathleen, I was lucky enough to get some eyes on this document during the draft process and just a very detailed document. I think the industry is going to be very appreciative of it, certainly the users of these devices, if these steps are taken. One of the things that we’ve been noticing at Phosphorus in the field is that there’s a lot of white labeling and shared libraries amongst the different, we’ll call them xIoT vendors ’cause we do see this on the traditional IoT printers, cameras, door locks, but we also see it on the SCADA side with OT devices. We even see it on the network devices, switches, NAS, load balancers, what have you, anything that really has embedded firmware on the device.

Those shared libraries, and that white labeling means that a vulnerability or a misconfiguration or something flawed within that firmware that’s on a printer might actually show up on a voice over IP phone as well, or some kind of similar device. So because of that, the developers, a lot of them don’t follow a security development life cycle. A lot of these developers, they don’t have any security background. They just need to get the device out there quick with lots of blinky lights to make it very nice and shiny for the end consumer, as they should. But security is such an afterthought that they’re shipping with vulnerabilities that are already baked in from completely different products out there, and they’re just borrowing those libraries. That seems to be everywhere all the time, always. I just wanted to get your hot take on that.

Kathleen Moriarty:

That’s really frightening, first off, right?

Brian Contos:

Yeah.

Kathleen Moriarty:

Because these devices are deployed for long periods of time. If you can’t update them readily, then it’s a large problem. I guess my personal take is that my heating system is not online.

Brian Contos:

Yeah. Well, you look around your house and just at enterprise, so here’s a funny statistic. I don’t love quoting stats, but I’ll just share one. When we go into an organization, what we find is there’s about three to five xIoT devices per employee, so 10,000 people, somewhere between 30,000 to 50,000, which is a lot and more than most people expect. We always ask at the beginning of our discovery process, “How many devices do you think you might have?” It’s almost always 40 to 60% less than reality. “Oh, we forgot about the cameras.” “Oh, that’s right. We have those door locks, KVM switches, lights out management, HVAC, elevators, fire suppression,” the list goes on and on, and there’s just so many of these.

Then you ask somebody about their home, their heating system, their washer and dryer, their printers, their robotic vacuum cleaners, you can get to 30, 40, 50 devices easy in most modern homes today. If the firmware’s six years old or end-of-life, default passwords, level eight, nine, and 10 vulnerabilities, which are super, super common on these devices because of that white labeling and shared libraries and they’re just copying and pasting vulnerable code, it puts it into the perspective that the risk posture has increased quietly and substantially over the last few years just because of xIoT.

Kathleen Moriarty:

It’s frightening. Yes. I don’t have any good answers. Gateways are one solution in use to try to barricade these or not putting them online, but to your point, a lot of them just have to be online to work, and so it creates inherent vulnerability. Then even some of them, like the Sidewalk, so is it Amazon Sidewalk where they mesh network together and might expose your internal network to your external network, so it’s worrying.

Brian Contos:

Why do you think that historically anyways, the world of xIoT, so IoT, OT, network devices, this has been such a complicated issue to address? Because if we step back to, I don’t know, you and I were doing this in the mid-’90s, you step back to that point, we were starting at that point to get our arms around IT security. We were doing some patching. It wasn’t the best. We were doing some credential management, wasn’t the best, vulnerability scanning, but it was kind of there. But in this world, it’s like xIoT security today is like IT security in the early 1990s. Why has it been so hard for us to get over that hump?

Kathleen Moriarty:

I guess the perception that it doesn’t have the same risk level as other devices. People aren’t seeing them connected in the same ways. Because if I think back to the ’90s and working at a service provider, eCommerce was just starting, and we were working with organizations that were putting up stores that you really couldn’t buy anything yet, so there was no monetary impact. Then in terms of the attackers, I remember working on a DDoS attack and it was a script kiddie. It wasn’t a nation state threat actor, so a lot has changed in terms of the sophistication of threat actors, the organization of threat actors.

They work 9:00 to 5:00, they have siloed positions and they’re experts at what they do. They might only have to do the reconnaissance part and somebody else builds the exploit and somebody else runs the command and control. We had script kiddies. We were worried about 16-year-olds who were bored. It’s a big difference. So I think part of it was the value. We weren’t seeing that there was huge value in what might be attacked on the internet in the mid-’90s, and maybe that perception is here now, which is interesting because we had that Target attack I don’t even know how long ago that they got in through an HVAC system, right?

Brian Contos:

Mm-hmm.

Kathleen Moriarty:

So we’re aware of this threat. We’re aware of the interconnectedness of systems. I’m not sure, I think it’s the utility people are weighing the utility of the devices over the threats.

John Vecchi:

Yeah, I think as well, I think often organizations don’t understand or even know how to address them particularly. I think it’s when it’s an IT asset, it’s a little bit more direct. They understand there’s lots of tools that can secure these devices. When it comes to xIoT, oftentimes, they don’t really know that they can fix them or how to fix them, which I think is why it’s interesting with your paper and your best practice that to begin to address this and educate people, let’s talk to the vendors. Let’s see if we can address some of this in the supply chain.

I think that begins a conversation, begins education that yes, we can work with vendors and manufacturers. We can also help educate companies, enterprises, organizations, government agencies, you name it, to help them understand how they can actually protect these devices. This paper, it’s very important. It’s going to come out, as you said, beginning of the year. Is that in your mind a start of the conversation? Do you see this expanding, evolving into more guidance, more best practices moving into organizations and enterprises as well? Do you see that?

Kathleen Moriarty:

I actually, I hope it does begin a conversation to provide a tool so that vendors can be held more accountable, that they are more required so that they are required to deliver something that is secure. If updates are needed, they could use something like the manufacturer usage description. They can get firmware out and that users shouldn’t have to do anything. This makes me think of a conversation I had with people who run DNS for all of the internet. This wasn’t too long ago where someone on the call said, “We just have to train users. We have to train them so they don’t make mistakes.” I don’t know about you, but my parents are getting older, so I’m seeing what happens as parents get older. My response to the guy at the time was, “There might come a time where you are not thinking as clearly and you click on that link.” His response was, “Touché.”

So it got him to think that we cannot rely on the end user, it has to be baked in more. We can’t rely on training the organization. We are putting too big of a burden on them. So we mentioned under-resourced and right away you think of small organizations, but one of the things that happened at the time of SolarWinds was other large companies were similarly hit. I’m not sure if you’ve heard about this, but I’ve talked to two very large organizations who had their development environments hit and both of them had to wipe and re-image systems and get them up and running again. Individually, both conveyed to me that it made them think how do they rebuild systems without having to touch each one? How do they reduce the requirement of having this hands-on touch to every single system? So if these large vendors are beginning to think like this, that’s good news because if they’re going to build that into their own environment, hopefully they’re thinking about how they can have that impact for their customers as well.

Brian Contos:

Yeah, that’s a fantastic point. So many things came rushing to my head when you were talking about moving left. I’ve heard some people refer to it as left of boom before the actual incident occurs, taken from a military perspective. But it almost makes me think of recycling a little bit and how it was, “Well, you’re drinking the soda can or you’re drinking the bottle of water, you’re the one that’s responsible for the recycling process at that point,” juxtaposed to, “Maybe the people that are making containers for soda and water and things like that need to rethink their containers,” or something of that nature. It moves that onus of responsibility. It’s a refreshing way to think about, “Hey, the vendors need to take a little bit more proactive step in making sure this is reliable,” because at Phosphorus we’re focused on the enterprise.

We’re not focused on the consumer side, but a lot of the times, it’s the same devices, the security cameras, the printers, things of this nature. Even some of the physical security digital devices are the same. I certainly wouldn’t expect my parents to run around trying to figure out how to update firmware and validate vulnerability issues and manage credentials on their home devices. I’m sure that’s the case for most people around the world, so it’s great to hear somebody at your level speak about it like this. One of the questions that I have is for business leaders within organizations, not necessarily the CSO or director of security, anything like that, but just general business leaders, do you think that they grasp the fact that we talked about earlier 10,000 people, maybe 50,000 devices?

Do they understand the size and do you think they understand that there really isn’t a big difference between these xIoT devices and a server? A lot of them are running Linux or Android or BSD or VxWorks on the OT side, but they’ve got the same operating systems and ports and protocols and storage. Essentially, they’re laptops that just do one thing. They print or they record video. Do you think they understand just at a high level that these are 50,000 assets that are network connected and pose a potential risk, or do you think there’s still, it’s just a printer, does it even have an operating system? Do you think there’s still a gap there?

Kathleen Moriarty:

I think there most certainly is a gap because if, let’s say, you’re sitting on a board and you ask what are the largest risks? You don’t say what are all of the risks? ‘Cause the board doesn’t have time for that. So unless it’s framed to them with that fuller understanding, you can’t expect them to grasp it. Perhaps they’re sectioned off. Perhaps they have their own network, perhaps there’s some mitigations in place, so it might be viewed as a lower risk even though we had that HVAC incident from Target years ago.

John Vecchi:

So your inspiration for the IoT best practices, was it somewhat based on the fear of, or perhaps some larger attacks? We have attacks, we’ve got botnets, there’s Mirai botnet, we’ve got Fronton, which is the Russian FSB built this nation state tool to pretty much hack any xIoT device. It’s a very sophisticated piece of software by the way. You have attacks that are targeting IT and then pivoting to an xIoT device for exfil. So we have attacks today, but do you anticipate more? Is that what it, is that part of what it will take to get business leaders to pay attention?

Kathleen Moriarty:

I think so. The motivation for it, or inspiration for it to your question or the beginning of your question was taking a look and seeing what resources are there. So CIS, we have an IoT version of the CIS controls, and I reviewed that and it’s a great resource, but it’s aimed at the enterprise because that’s a lot of the standards that we do. In some cases, our standards are implemented at the vendor so that the enterprise benefits. But in this case, it’s really aimed at the enterprise to shore up all of their IoT resources. But in some cases, those resources might not have the capabilities recommended in the control set.

So it was really taking a step back to say, “Wait a second, what exists?” Then looking around and seeing it’s disjointed. It’s probably really hard for an engineer without resources to figure out, “What do I do? How do I go about securing this device? How do I even pick the right protocol stack and what do I do to secure that protocol stack?” Then thinking, “Well, maybe at CIS we could do something to help fill this gap because if we’d like to see things shifting left, we have to have resources that help vendors to do for them to implement that shift left.”

Brian Contos:

Yeah, I love that because I firmly believe, and I’m seeing this, that cyber criminals and nation states, John mentioned Fronton and for every Fronton that we know about, there’s dozens of nation state built tools that we don’t know about, probably hundreds. They know that organizations are still focused on IT threats because right now, they have tools and processes and training to help address those. The xIoT stuff is being left untouched. Maybe there’s a little bit of VLANing, a little bit of this, a little bit of that, but not across all 50,000 devices that you have. Certainly, if you just think of the scope, and that’s really the big issue here is scale when it comes to xIoT, they’re not addressing it.

So they’re saying, “Wow, this is a great way in. I can use cameras to spy on you, capture your audio and video. I can unlock doors, change power settings, whatever,” or, “I can just add you to a botnet like Mirai or something else to do DDoS attacks,” or like John mentioned, these new pivot attacks work. “I get in through a phishing attack, get onto a laptop, look for an xIoT device, hide there. I can maintain persistence, evade detection, then attack your IT assets either local or in the cloud, exfiltrate that data off.

It’s just a Linux server, the only difference is now instead of being on one, I’m on 10,000 and instead of finding me in a couple hours or a couple days, you don’t find me for a couple of years,” and from an attacker’s perspective, they just found a pot of gold. So I guess my question to that is, do you see this as being this wave that’s coming? I hate to use the term wave. We just got through with our midterm elections here. I think that term was overused, but are we going to start seeing a sea change in attackers wanting to go after these devices because they know there’s a lot? There’s a big attack surface and people just aren’t paying attention to them as closely as they should be.

Kathleen Moriarty:

I think you’re definitely on to something there; however, they still have a really ripe opportunity with authentication that could be attacked. There is a very small percentage, I think it was about 33, conveyed to me by an expert following the authentication space closely earlier today, 33% of cloud services, some of the major vendors that actually keep track and report on MFA usage. I’m sorry, so organizations using these cloud services, only about 33% of them are using MFA.

Brian Contos:

Wow.

Kathleen Moriarty:

Then even the MFA types matter. So the federal government has a push for non-phishable types, which boils down to two, public key infrastructure, which can be really difficult to implement. I have maintained a PKI in my past. You may have as well ’cause you’re old enough, so the other one is WebAuthn or the FIDO framework standards, and so those offer quite a bit of opportunity. CIS is publishing a WebAuthn market analysis on what applications are ready for WebAuthn to help with this push for that adoption. So I think we have to see more focus on authentication first, and then we’ll see this target. Once we shore up authentication, IoT will be a bigger target.

Brian Contos:

What’s interesting about that is what we have found in our research is about 50% of the xIoT devices across the board, whether they’re switches, printers, UPS, OT devices, what have you, the passwords are default. The ones that are changed, they were changed because it was a forced change by the firmware at time of install. They weren’t changed by security people, they were changed by someone that shows up with a truck that has to bolt in a bunch of security cameras to a wall. So the passwords are always password or password with an exclamation point at the end ’cause they’re super secure, then they’re never changed. They’re sitting there forever. So I always tell folks, “You don’t really need to hack anything. You simply just need to log on. Thankfully, they’re all running Telnet, SSH, FTP, HTTP, HTTPS, and every other protocol you can think about to get in.”

When you mentioned 2FA, it’s funny, well, it’s not funny, it’s a little sad. We were working with a financial services organization that had set up their 2FA, and after three incorrect tries, it would just default to no two-factor authentication, which as you know, a lot of these 2FAs can be set up with that as a configuration parameter. They’re just like, “Look, our support costs are too high if we change this. We try to do it, and if it doesn’t go through a few times, all right, go back to the old method,” or “We’re getting bombarded by calls day in and day out,” so you’re absolutely right. Everything’s integrated and interlaced in this world of ours and certainly, authentication’s a big, big piece of this and continues to be a thorn in the shoe for most people, right?

Kathleen Moriarty:

I don’t know if I’m going to sleep tonight, Brian.

Brian Contos:

Well, Kathleen, as we wrap up here, I do have one question for you, but before I get to that, I just wanted to call, if people want to get a copy of your book, where is the best place to go for that?

Kathleen Moriarty:

Oh, it’s on several sources, Amazon, Google, university bookstores. If you’re a student, it might be in your university library online for free.

Brian Contos:

What’s the name of the book for our listeners?

Kathleen Moriarty:

Oh, great, thank you. It’s Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain.

Brian Contos:

Okay. Is there a longer title too? No, I’m just kidding. No-

Kathleen Moriarty:

I know, it’s too long.

Brian Contos:

No, as you know, when we talked a little while ago I had read it. It’s really an excellent read, so we suggest everybody pick up a copy of that. So closing thoughts, Kathleen, what advice do you give to our listeners that are working in cybersecurity? They’re trying to wrestle the cybersecurity beast, what’s just some general words of advice or encouragement?

Kathleen Moriarty:

I’d say to really think about your vendor selection. Factor in, as you do select vendors, how much they secure the product before they hand it off to you, what they are responsible for. What does their shared responsibility model look like today, and what are their plans for that? Because some are changing that shared responsibility model so that the vendor takes on more. So really do some analysis in terms of what’s expected of you later on and with IoT security. Think about how you have it configured today. Think about, is it sectioned off on the network minimally? Can it be protected better? Are there more things that you could do to implement security? Can you push on those vendors to start doing more? So how much can you shift left is the general theme and can we implement architectural patterns that scale so that security’s manageable? I really appreciate the time, John and Brian, to be able to come on and chat with you and talk about some of these big challenges and wonder if I’m going to sleep tonight.

John Vecchi:

Well, there’s so much to talk about. It was such an insightful, interesting conversation and just wonderful to have you. We are going to have to stay close to you on the IoT side specifically, and we may have to come back with you again after that. Again, thanks, Brian, our host, and thanks very, very much Kathleen Moriarty for joining us today and being our guest.

Kathleen Moriarty:

Thank you so much. It’s been an absolute pleasure.

John Vecchi:

Remember everybody, the IoT Security Podcast is brought to you by Phosphorus, a leading provider of proactive full-scope security for the extended internet of things. Until we meet again, I’m John Vecchi.

Brian Contos:

And I’m Brian Contos.

John Vecchi:

See you next time on Phosphorus Radio.

Author

Phosphorus Cybersecurity

Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.