Service-Based Cybercrime Seeks Persistence in IoT

Episode Transcript

John Vecchi:

Hello everybody. You’re listening to the IoT Security Podcast live on Phosphorus Radio. I’m John Vecchi.

Brian Contos:

And I’m Brian Contos. We’ve got a really special guest today. Let me just bring him on board on the call. DJ Goldsworthy, how are you?

DJ Goldsworthy:

Hey, doing great, Brian. How are you John? Good to see you.

John Vecchi:

Welcome.

Brian Contos:

Yeah, we’re real excited to have you back. DJ, it’s been a couple years I think since we’ve been on the show together and was really, really looking forward to bringing you on again. Tell you what, as we get the audience a little bit more acquainted with you, maybe you could give everybody a little bit of detail about your background in cyber and kind of how you came up and what your current roles and responsibilities are today.

DJ Goldsworthy:

Sure. Yeah, I’ve been in cybersecurity for almost two decades now. It’s kind of crazy to think about. Started in managed security services providing outsource cybersecurity at about a thousand US financial institutions. In my latter time there I was running research and development, so got a lot of exposure to cybersecurity trends, what vendors were doing in the solutioning space, and then determining who we wanted to partner with to bring products into our portfolio. That kind of grew me up in terms of getting a lot of exposure to many different areas of cyber. More recently I’ve been at Aflac, building up the cybersecurity capabilities there with some great teams over security operations, threat management, and security engineering. That’s a mouthful there. That’s pretty close to my actual title. I have eight teams in the part of the organization that I’m responsible for, doing most of the operational security stuff. Vulnerability management, pen testing, engineering, so all the build and operate functions, and then security operations, so the monetary respond functions as well. A lot of the interesting frontline stuff.

Brian Contos:

DJ, what I’ve always liked about you, at least as of a couple years ago when we last spoke is, certainly you’re a leader, you run many teams, you’ve got a large organization under you at Aflac and prior to Aflac, but you’re also really hands on. I mean you’re in there scripting and coding and actually creating this stuff down in the trenches, which is kind of unusual once people start running larger organizations like yours. Are you still able to do that today or are you still able to get down there into the code?

DJ Goldsworthy:

Yeah, not as much in the code. My team would give a chuckle if I said I was in their coding with them. I do try to stay very technical. It’s a personal goal of mine. I feel like to be in a leadership position in cyber, you really have to have your technical edge because things are changing so fast. You need to know what skill sets you need on your team. You need to be able to spot trends. You need to be able to spot good versus not so good technology. To do that, I think staying hands on, it’s a big advantage. I definitely have the luxury of getting to pick and choose, to a certain extent, what I’m going to delve into. There’s no shortage of interesting things for me to get hands on with. I’m very fortunate in this role and I’ve got a great team who educates me on it all. Get to shortcut some of the learning by working with really smart people who can bring me up to speed on stuff quickly as well. Just a great situation.

John Vecchi:

DJ, it’s interesting, you have a lot of different teams. It’s kind of fascinating sometimes to see you covered things like security operations and your security engineering and all the others. Can you talk a little bit about, do those teams interface with each other? Are they very involved with each other? Do you tackle the same kinds of projects together? How does that work with that many varying diverse teams today in the cyber threat landscape that you’re dealing with every day?

DJ Goldsworthy:

Yeah, I think probably the best way that I would describe it is it’s like a Venn diagram. There’s definitely areas that very heavily overlap. Then there’s a cross section where everything comes together. That cross section is generally more on the strategy side, “Which direction are we going to enable the business? What are our adversaries doing and what are the big trends,” and aligning all the different things that we’re doing, to make sure that we’re on the right side of those trends and moving the program collectively in the right direction. Then you have these logical connections with the teams where there’s a lot of synergy. Take engineering and administration as an example. Engineering builds, they hand it off to administration. Those teams are very closely intertwined. Security operations and threat management. Threat management, sort of the tip of the spear, looking at what’s happening out there, and obviously have to collaborate with the security operations folks to make sure we’re understanding what techniques and tactics are out there and happening and that we’re able to detect them.

You get all these really interesting intersections across the teams and synergies, that we really try to amplify by the way we structure the leadership. We’ve left the organization pretty fluid. We’ve restructured things multiple times to make sure that the alignment makes sense. DevOps was really disruptive to the previous structures, in terms of how the teams were constructed. That’s led to some changes in how we structure, even up to who’s reporting to who. It’s definitely an interesting dynamic having multiple teams and figure out how to make the setup work as efficiently as possible.

John Vecchi:

Sorry, Brian, is the budget equal across those or do you find budgets being allocated to certain teams far more than others? That was kind of an interesting thought I had. Is that the case or is it fairly well dispersed among all those teams?

DJ Goldsworthy:

We really let the strategy drive investment. That means that there isn’t a straightforward answer to that. It could be at points in time, pretty evenly distributed. It could be at times, overwhelmingly concentrated in certain areas. As you do things like embrace public cloud and make a transition towards public cloud, your operating models change and different teams need substantially different tooling, operational processes, maybe more resources. You do see ebbs and flows in the concentration of investment. From a FinOps standpoint, you try to manage our operating budget at the top of the house and controlling our investments to make sure we’re being good stewards of our company’s dollars, but making sure that the areas that need it are getting it. It does ebb and flow some.

Brian Contos:

Now, I’m guessing that your team was already pretty distributed before Covid came around, and that of course Covid was so impactful on so many organizations where people were working from home and teams weren’t getting together every day. How did that impact you? I mean, again, you have so many different groups, that synergy between them, as you mentioned, is so critical. Was there a negative impact or because you were already in a distributed model, did it really impact what you did day to day at all?

DJ Goldsworthy:

Yeah, we really didn’t feel, I would say hardly any impact. I mean there’s of course the social connections and you try to find a way to work around the constraints of the pandemic, as it relates to just keeping our personal relationships. We already had a really good team dynamic through all the different communication tools at our disposal. We were already on WebEx and Teams and tools like that, that allowed us to collaborate very efficiently. When it happened from an operational standpoint, it was barely a bump in the road. I would say even for the company as a whole, we were very well positioned for it because prior to the pandemic, our philosophy was regardless of whether you’re at home, in a coffee shop, or in the office, you should have a similar experience and you should have the same level of security and visibility. We’d already shifted to a secure access service edge type of model.

When the pandemic hit and more people went remote on a percentage basis, it was really more of just like, “Well, we need to scale up that infrastructure.” It was already built scalable, so it was just pretty much increasing the number of systems in a cluster and we were good to go. We were very fortunate in that regard to be very well positioned for it. I mean, it was good planning by the leadership to fund that and allow us to move that direction. I know a lot of companies didn’t have quite as smooth of a process. From a team dynamic standpoint, we’ve, at our company, have been blessed with the ability to go out geographically for talent acquisition. We’ve been hiring around the country for a while now to address the cybersecurity labor shortages. We were already geographically dispersed by our operations in Northern Ireland and Japan. We had to have that culture for operations to work prior to Covid. Again, it felt like a pretty natural transition.

John Vecchi:

Well, DJ, obviously the podcast is focused on IoT security. We call it the extended internet of things, but even from just the general, and of course XIoT is part of the overall threat landscape. When you think, and you mention the focus there, one of your focus points and priorities is to address the threat landscape. How do you view that today? We’re just finishing 2022, going into a new year. When you think in term of the landscape itself, what constitutes it? What are some of the threats and trends? How does that then relate to your priorities? What does that look like for you?

DJ Goldsworthy:

Well, I mean what we’re seeing I think is what a lot of companies are seeing, is just a dramatic increase in sophistication of, what I would say is largely commoditized threats. Your typical cyber criminal type of activities, extortion schemes, things of that nature. They’re no longer poorly worded emails with links connecting you to servers and obviously dangerous hosting locations that are easy to block from a threat intel standpoint.

John Vecchi:

Mm-hmm.

DJ Goldsworthy:

The level of sophistication’s grown. We’ve seen the emergence of crime as a service, where the cyber criminal organizations had already started becoming more specialized, but with crime as a service, they can actually have outsourced capabilities where they’re very finely tuned, whether it’s social engineering, money muling, whatever. They need to complete the piece of am equation to be able to facilitate attack. There’s highly optimized, very good services out there, that they can hire to accomplish things. What that means is you’re going to have very well worded phish emails.

John Vecchi:

Mm-hmm.

DJ Goldsworthy:

They’re going to have machine learning engines that scrape all your social media profiles and then tailor those phish emails to your personal experience and professional background. All that makes it harder for things that look for those oddities to say that, “This is likely bad.” We have to keep stepping up our game in response to that increase in sophistication. At the same time, the business is, I don’t think we’re unique in this, accelerating the use of new technologies and more advanced technologies to get to market faster, to improve the user experience, to reach prospective clients with more targeted and personalized product offerings. All that requires more technology that’s cloud-like, more models that are more like DevOps, and all that means everything’s happening faster.

John Vecchi:

Mm-hmm.

DJ Goldsworthy:

The threat landscape’s getting more sophisticated, the business is moving faster. That creates an interesting and challenging dynamic at times to make sure that we’re securing. What that means for us is, strategically security has to move closer to our developers who are making these changes very quickly and taking more responsibility on the infrastructure side. Never dull moment and a lot of very significant trends at play here, keeping us constantly looking at our strategy.

Brian Contos:

You mentioned the maturation of crime as a service. I find that really interesting. I just got back from a multi-week tour throwout the Middle East in Europe. Some of the attackers are creating these crime of service capabilities for their customers, that given how much they’re paying each week or each month for this service, they could even get 24/7 technical support through email or through chat, to really help them hone and refine what they’re doing. On the XIoT side, what we’re finding is these criminals will get into traditional IoT devices. Let’s say it’s a security camera, printer, door lock, what have you, sometimes some SCADA devices, OT systems, industrial control systems, and sometimes some network devices, network attached storage, switches, load balancers, things of that nature. Essentially what these devices have in common, is they’re all purpose-built pieces of firmware and hardware that print things or record things or open doors or control flow, what have you, but you can’t put endpoint security on them. They’re usually Linux or Android or VxWorks or BSD. They’re relatively well known operating systems.

What I was finding that was interesting is, these criminals would get onto these types of devices because they know they can maintain persistence and evade detection if they compromise a printer or a camera, juxtaposed to a workstation, a server, or a laptop and go relatively undetected for quite a long amount of time. They’re actually selling access to these devices, which is more expensive than access to traditional IT devices because you’re like, “Look, you might be able to hang out here for two years and scan the network and download data and exfiltrate over ICMP whatever you want. If I give you access to a laptop, maybe you’ve got a few days, maybe you’ve got a few weeks, but you probably don’t have a very long time.” It just kind of shows you how quickly the space has evolved because go back just a few years ago, I don’t think anybody was thinking about that level of persistence and invasions as it relates to XIoT devices. Is that something that you had had exposure to historically?

DJ Goldsworthy:

It’s definitely a paradigm and concern and the risk or threat matrix that we’ve considered, not something that I’ve directly been exposed to, but I think in the cybersecurity world, professionals have thought about IoT OT as a attack surface that’s very different in terms of how you provide protection and overlay security. It’s definitely a concern in something that you need to be factoring in to how your overlay your overarching strategy, acknowledging that those are operating systems, those are computers. Whether it’s a monitor or a refrigerator, the same capabilities exist, network communications, persistence and so forth. It definitely expands the surface that we have to protect dramatically.

Brian Contos:

As I mentioned before, you’re in a unique position where you’re leading large teams and you’re been and maintained very hands on as well. Do you think at that upper echelon, that executive level, maybe even board level, that that’s really being understood that, “Hey, we might have 50, a hundred thousand more XIoT devices in our organization. Do we understand that this is a pretty big attack surface?” Having all these devices, probably default passwords, probably old firmware, probably lots of vulnerabilities. Are non-technical, non-security business leaders, do you think, aware of this threat at potentially the level that you think maybe they need to be?

DJ Goldsworthy:

I think the non-technical teams and leaders are probably vaguely aware and uncomfortable. Probably just a sense of uneasiness about it, but probably don’t quite grasp the detailed nature of the risks and the threats. I think when you get OT, SCADA, critical infrastructure, that I think is probably different because there’s operational risk and that’s very well communicated. I think that there’s kind of a general understanding there, that those are going to be targets and the impact to the business is substantial. But when you kind of bleed over to the IoT side of embedded operating systems running on all these small devices, I don’t think that that risk is probably very well understood, other than the few articles that they’ve read about interesting DDoS type of things that have happened with thermostats and stuff like that. They kind of know that there’s some threat there, but don’t really know, “How does that apply to us?” In the sea of things that we’re trying to compete for attention on, I think IoT probably gets overlooked a fair amount.

John Vecchi:

Yeah. We often say, Brian and I, some of the statistics that we’ve seen through our research and looking at millions of these kinds of devices, and Brian mentioned several of them, I mean you’ve got half of these devices deployed with default credentials. The other half, maybe they’ve been changed once when they were deployed. You’ve got firmware on average seven years old, you’ve got a host of ports and protocols, extraneous ports and protocols that are wide open, Telnet, SSH, you’ve got loads of vulnerabilities, many of these ship with the devices. The idea that you just plug it in, it’s already ready to exploit you or be exploited. From a pure cyber security perspective, it’s a horrible failure. Brian and I often say that we feel like we’re back in the nineties with the state of XIoT security and you think about where we were with just IT security back in the nineties, we kind of like that there.

Brian Contos:

Yeah, change your password, patch your devices, right?

John Vecchi:

Right. Yeah.

Brian Contos:

Good luck with that.

John Vecchi:

Right, right. Exactly. I mean all the basic things, but yet with XIoT, it’s just kind of inherent in it and it’s just there. We can all guess probably why that is and why, as you said, some of the business and even maybe even some of the security leaders don’t quite yet see that as a real big piece of the threat landscape or something that should be addressed. Why do you think that? Is it simply because we haven’t had enough exploits? There hasn’t been enough pain around it? Is it an understanding issue? Is it a host of those things? Why do you think that is for you?

DJ Goldsworthy:

Yeah, I’m going to go with D, all the above. Yeah, I think there’s some willful ignorance probably where some leaders probably just assume they’re taking care of it, the team’s got that, or these incorrect assumptions that, “Well, it’s behind the firewall and so it’s okay,” or at least it’s lower priority. Then, as we’ve discussed, all the things competing for our attention, you kind of get drawn to endpoint security, you get drawn to email security, where’s the front line? That doesn’t mean that the other areas aren’t still an attack surface and things that need attention, it’s just a disproportionate amount of attention shifts towards where most of the action is.

I think IoTs reminds me a lot of mobile where, you get these flashes in the pan where it’s there’s IOT exploits or some breach that happened where they were maintaining persistence through an IoT device and it’s like, “Ah, see that is something that we need to be paying attention to.? Then it kind of fizzles away and it’s back to ransomware and point stuff, phishing and so forth. There’s a lot of distraction that kind of pulls attention away from it. I think it’s a combination of all those things. Frankly, the reality is there’s probably some scenarios where it’s a hard problem to solve and some people just don’t want to even face it. “If I turn my head and don’t look, maybe it’ll go away.” Yeah, I’m sure that with how much work teams have to resolve things, they’re looking at that priority.

Brian Contos:

Yeah, I really think you hit the nail on the head with that last portion, which is, “If I don’t know about it, maybe it will just go away and I don’t have to worry about it.” If you think about it, just voiceover IP phones and door locks for most companies, that’s in the tens of thousands and you’re going to send somebody around probably to one device at a time to patch it, to change the firmware, to harden it, maybe manage the certificates. It becomes a really big scalability issue and it becomes an issue where you need automation. “Now I don’t just need to do door locks, but I need to do a hundred different types of IoT devices and versions and types and flavors.”

We work with a major hotel chain that has hotels globally and they have a tremendous amount of XIoT devices. One of them that they have a lot of, are printers. They have over 40,000 printers, just printers. Not talking about any other devices they have. All shape sizes and flavors of printers. If they were going to send somebody around to update the firmware on those, they have to arm them with a paper clip and hire an army of people to go around. It’s just not going to be done because there’s no manual way to do that. I think historically that was one of the big problems. I think that’s also why a lot of nation states and cyber criminals are saying, “Hey guys, this is a really good area for us to focus on because once we’re into the IoT device,” and quite frankly most of these devices they get in through traditional phishing means, they’ll get in through a laptop compromise or a compromise in a workstation.

From there, they’ll search out XIoT, they’ll install their tools, they’ll gain access, and then they’ll use that to then attack IT devices and probably siphon sensitive data, whatever it is they want to do. A lot of times they’re making API calls to local exchange or Office 365 in the cloud and stealing data that way. Again, because no one’s looking, because they’re easy to compromise, because they can maintain persistence, it’s one of the best vectors I think to attack IT, is by hanging out in XIoT. Again, the bad guys, they know this and they’re counting on organizations to be passive. They’re hoping no one’s going to pay attention because historically it was a very slow, arduous process, which meant that it just wasn’t going to be done. Yeah, it’s just one of those crazy things. DJ, I know you see a lot of different things when it comes to threats and trends and business priorities. What are some of the new interesting attacks or war stories or use cases or lesson learned or whatever, that you’ve seen maybe in the last couple years that says, “Wow, this is quite different?”

DJ Goldsworthy:

Yeah. I kind of go back to the sophistication. From a novel standpoint, not a whole lot, it’s very much just continuing to find new and interesting ways to socially engineer people or to scale attacks. You see things like the MFA fatigue attacks where it’s like, “Well you have MFA. Getting in the middle of the exchange is very difficult. How about we just hammer weight with requests until the person finally goes, well why do I keep getting these and just says, okay.” Then now the adversary is multi-factored. They’re just getting more persistent, more creative for that type of stuff.

I would say one of the interesting things from a defensive standpoint, we’ve been working on programs like this for a while, but I think it’s still just beginning to scratch the surface in terms of potential, is deception technology, which when you talk about things like IoT, great use case for it. Basically if you’re able to, whether it’s virtually or with physical appliances or whatnot, put enough decoys into an environment. When I say decoys, it can mean artificial systems. If you have an IoT subnet for IP cameras or voiceover IP systems, saturate that VLAN with decoys in that way if anybody ever is poking around, I try to say, make your environment like mine sweeper. Click in the little dots and you don’t know what’s behind that. “Is that a mine or is it a blank space?” Eventually you click long enough, you find mine sweepers really hard to not click on a mine eventually. The more mines you have out there, the harder it gets. We need to be putting more mines out there.

As we’ve had scenarios where we’ve been able to increase the saturation of deceptive artifacts, whether it’s decoy systems or lures on the endpoints, credentials and LSAs, fake desktop connections and file shares. Anything somebody’s going to try to live off the land on, you increase the probability of detecting them regardless of what type of tactics they’re using. I think that’s an interesting paradigm. I like elegant technologies like that. I think we continue to see more interesting things like that coming out. Zero trust is another area that I think offers a lot of potential. That’s how I’m looking at it is, “How do we make fundamental shifts in our strategy to improve the economics of cyber?” It can’t be just more controls, more controls, more controls, because that means more staff to run those. Talent is obviously a challenge for companies to acquire and it’s getting more expensive. Something’s got to give and I think it’s going to come in the form of being more innovative as an industry. That’s how I like to look at those types of problems.

Brian Contos:

Yeah. Just put the economic burden on the bad guys. I mean they’re going to have to spend more time, more resources, have more sets of tools to help attack these devices and then they’re like, “Ugh, it was another honey pot,” right? It’s almost like when you get these text messages that say, “Hey, it’s your boss and I’m stuck in a meeting and I need you to get some Google gift cards and send it to me right away. Can you do that?” You keep them on the line, you want to mess with them, then they’re wasting their time. Do that at scale. No, that’s awesome. It’s funny using tools like Shodan, I remember type in voiceover IP or printer or camera, you just get a ton. The one that just blew me away were UPS systems. UPS systems, usually you have one because you have something really important plugged into it, whether it’s an APC UPS system or whatever.

I think the last time I was on Shodan, there was something like 15,000 or 20,000 that were internet accessible where it should be probably zero. I’m like, “Wow, that’s amazing that these are,” but I always wonder how many of those are actually deception technology. I guess there’s a percentage, I hope it’s a hundred percent, but I’m guessing it’s probably closer to four or 5%. The sad fact is, and most of these UPS systems like take APC, it’s the most famous UPS system out there. If you Google default credentials for APC UPS system, it’s APC APC and no one’s ever changed the password and username at that since the beginning of time. The fact that they’re internet accessible, you can knock them offline. Man, I hope these are all deception technologies out there. I haven’t logged into any of them.

DJ Goldsworthy:

Unfortunately, I would wager that the percentage is zero ’cause I don’t know many deception programs that are exposing things to the internet. The whole point of deception is it needs to be a low or no alert technology to really work. If stuff’s wrapping on it all the time, then you don’t know what’s real and what’s not. Maybe researchers, have a few out there, to just see who’s hitting these things and how I’m sure that’s some percentage of it. As far as decoys specifically for enterprises to throw off adversaries, unfortunately, I think these are probably just misconfigured things, which IoT I guess makes more important, the need to have really good attack surface management from an external standpoint.

John Vecchi:

Mm-hmm.

DJ Goldsworthy:

You got to know what’s out there and exposed from your organization. Goes back to that whole, things are changing faster. You’ve got to be able to detect exposures more quickly because mistakes can and will happen and you need to be the first to discover them. Internet facing should definitely be a priority and nothing like that should ever be facing the internet.

John Vecchi:

Mm-hmm. I talk a lot about that kind of what you mentioned there from an XIoT perspective, we need to think of these right along and as part of some of the major kind of areas that people have from a project perspective. Take an attack surface management and we talk about XIoT attack surface management, given that I’ve had conversations with some CISOs and security leaders that say, “When I really think about it, up to 30% potentially of my attack surfaces these devices.” It’s a big piece. We need to think in terms of when you think of attack surface management, it just automatically includes XIoT. When you think of hardening and remediation proactive technologies, and I think one of the challenges with XIoT is, there really hasn’t been any way to proactively remediate these things and fix a lot of the problems we’ve been discussing. When you think of hardening remediation technologies, XIoT needs to be there.

From a SecOps perspective, you’ve got a SecOps team and you’re leading it from a detection and response perspective, same thing. We need to actually, as you monitor and maintain other endpoints from an XIoT perspective, we need to maintain state on those and take a look at those. It’s XIoT detection and response. We think of those three things altogether. Is that something that you think would help with just as, so I have a project for an attack surface management and we can say, “Well, XIoT should be a part of that,” and same for hardening remediation and detection and response,” is that a way that we might be able to get inserted into those kinds of projects and strategies? What are your thoughts on that?

DJ Goldsworthy:

Yeah, I think so. Back to what I was saying about the trying to change the paradigms, what I think we should be doing more as an industry, is starting with the aspirational goals and then working our way backwards and figuring out how close can we get to it.

John Vecchi:

Yeah.

DJ Goldsworthy:

For example, we shouldn’t have to patch. Patching is a very arduous task. It’s efficacy is a perpetual challenge for companies and so forth. We also should have a zero attack surface goal as an aspirational. How do you achieve that? There’s architectures and things that are starting to move us in that direction. If you look at the opportunities of zero trust combined with machine learning, if you have machine learning overlaying and all the communications in your environment, you see what talks to what and do some enumeration and start to say, “Hey, these look like IoT devices based on the network traffic or other information,” and can start to classify, build archetypes, and then say, “IoT devices only communicate with these.” You start to reduce the attack surface. The behaviors for IoT devices should be very consistent, should be updates or wherever it’s calling to, or SNMP or print services or whatever the device is, it’s got this fixed thing that it’s doing. Any deviation from that should be immediate cause for concern.

John Vecchi:

Yeah.

Brian Contos:

API calls to Office 365, probably not needed from your security camera.

DJ Goldsworthy:

Yeah. If your printer is initiating an HTB connection internally, you have a problem.

John Vecchi:

Yeah.

Brian Contos:

Yep.

DJ Goldsworthy:

Yeah, it’s just things like that, that I think there’s a potential there. Technology’s churning and getting us closer. I think that’s really how we should be focusing at it. I don’t think we can take the conventional ways and figure out, “How do we jam that into an IoT paradigm?” We have to look at it quite differently and say, “These devices are going to remain hard to patch, the operating systems are going to be embedded. We can’t necessarily trust the supply chain,” which creates a whole other set of heartaches.

John Vecchi:

Mm-hmm.

DJ Goldsworthy:

In that environment, with those considerations, how do you secure it. It takes a very different approach. I think zero trust could get us a lot closer. Machine learning and baselining and adaptive response type of things could get us closer. Those are the types of things that we’re looking at as areas of investment. I think that’s the way the industry’s going and needs to go. Hopefully we can stay limber and creative and keep coming up with fundamental ways to solve these problems more broadly.

Brian Contos:

Yeah, that’s such a key point. I mean, I’ve look at the world of XIoT as step one, attack surface management. You’ve got to know what you’ve got and you have to know what it’s doing. Just managing from the internet, “Who can talk to my XIoT devices,” which should be very minimal if any. “Which one of those XIoT devices has to talk out to the internet?” If they are, in what format? That’s kind of step one. Then harden those devices, they’re so promiscuous. A lot of printers are, they’re wired, they’re wired lists, they’re Bluetooth, they’re http, https, tftp, ftp. “Just connect to me please, any way you can.” They’re out there. Certs are often self-signed, expired. They’re TLS 1.1 or 1.2. They’re just cryptologically unsound.

That’s the patching thing that you mention. It’s just to stay on top of that, it’s such a bear. When it gets into XIoT, it’s like a super bear. I don’t know if that’s a thing. It’s really, really hard because they’re so different and they all want to be updated different ways. It’s just the complexity of that. Again, it’s the reason that I think cyber criminals and nation states are taking such interest in this. It’s the whole reason that Russia had the front end XIoT hacking tool built for it for the FSB. It’s essentially a tool that finds your attack surface and that exploits the fact that they haven’t been patched, they haven’t been hardened, they’re running bad certs. I mean, it’s the flip side to what organizations are trying to do, secure these devices. I think they’re going right after that weakness that you’ve just outlined there. I think that was spot on DJ.

DJ Goldsworthy:

Yeah, we were onto it very early as an industry or a profession with segmentation and all these aspirations for micro segmentation. The technology and the architectures were just too arduous. So many companies tried to do micro segmentation and very few got even close. I think the advances in technology related to machine learning and some of the reverse proxy technologies, secure service edge, is a good place to look at policy. We have better tools, we’re equipped better. I think we’re kind of on the cusp of making some meaningful progress. The whole thing about trust, we should be able to, as an industry, enumerate that, “This is a printer.” We should be able to say, as an archetype printer, “Here’s the types of things that are allowed and the things that are disallowed.” If it’s exposed to the internet, it’s even less trusted and just be able to do some policy enforcement that way. I think it’s going that direction. I’m definitely an optimist with how much investments flowing to cyber like this, to see the VC money come pouring in.

John Vecchi:

Mm-hmm.

DJ Goldsworthy:

It’s driving a lot of innovation. I think we’ll continue to see progress. Meantime, we can’t sit back and pretend this problem isn’t here and doesn’t need to be addressed. We need to be solving as best we can with what we have today.

John Vecchi:

Yeah. DJ, as we kind of come to the end of our time with you, it’s really amazing. There are a lot of listeners and many of them may be kind of new to their leadership roles in cyber. When you think in terms of the things you’re doing, the landscape we have, the pace of the business, all the priorities, the balance, all those things, what would be some words of advice for new practitioners coming in, listening to you with all your experience that you might give them in dealing with cyber in today’s world?

DJ Goldsworthy:

Probably one of the key things I focus on, it’s not very exciting. If everyone was waiting for some really edgy response, probably going to be let down. I was in cyber long enough to see cyber kind of with IT then become its own thing and now reconverge. I would say the whole cloud and DevOps macro trends are they’re here to stay. I think that’s something to make sure you embrace. Do not ignore or resist that trend. Learning DevOps, getting closer to the code, and getting to know cloud technologies is going to be fundamental for security going forward. All the opportunity to get security aligned to IT, is kind of moving into the development pipelines.

The closer we are to our application teams as they move towards DevOps and cloud, the more opportunity we have to embed security as code, to make it intrinsic to the things that they’re deploying. I think that’s going to be very key to the success of programs. The ones who crack the code on that, are going to have a lot more success comparatively. That’s what I would encourage is, spend some time getting to know how you want to fit into a security organization or if you’re in a leadership position, how you want to drive strategy towards getting your team closer to the code and those deployments and have a seat at the table to influence how all that’s being done.

John Vecchi:

Fantastic discussion. DJ, thanks so much for joining us today. For those of our listeners, DJ, that might want to follow you, are there any social channels that you’re vocal on? Are there any channels where our followers might want to see what you’re thinking and anything that you might want to tell them where to find you?

DJ Goldsworthy:

I’m on LinkedIn as a PR person. I’ve been on hiatus lately, staying busy. I certainly try to be out public speaking and engaged in conferences and things of that nature. Hopefully we have opportunities to cross paths there. Otherwise, if someone just has questions, wants to talk, you can certainly reach out to me on LinkedIn. Be glad to connect with anybody there.

John Vecchi:

Thanks again to Brian, our host and our guest, DJ Goldsworthy.

Brian Contos:

Thanks John. Another awesome show.

DJ Goldsworthy:

Yeah, thanks everybody. It’s a great opportunity. Appreciate it.

John Vecchi:

Remember everyone, the IoT Security Podcast is brought to you by Phosphorus, the leading provider of proactive, full scope security for the extended internet of things. Until we meet again, I’m John Vecchi.

Brian Contos:

And I’m Brian Contos.

John Vecchi: 

See you next time on Phosphorus Radio.