CyberWire Daily - Bonus: Afternoon Cyber Tea: IoT-Based Infrastructures
Episode Date: February 21, 2022
Afternoon Cyber Tea with Ann Johnson is a CyberWire Network podcast created by Microsoft Security. It's a bi-weekly show that comes out every other Tuesday. We thought you would enjoy this episode in particular and hope you consider subscribing in your favorite podcast app.
Diana Kelley, the co-founder and CTO of SecurityCurve, a cybersecurity consulting firm, joins Ann Johnson on this episode of Afternoon Cyber Tea. Diana is a globally known security expert who donates much of her time volunteering in the cybersecurity community while also serving on the Association for Computing Machinery Ethics and Plagiarism Committee. Diana talks with Ann about helping inexperienced organizations get up to speed on the cybersecurity landscape, some of the significant security and privacy hurdles currently plaguing the field, and some of the best practices to assist network defenders and users trying to combat botnet threats.
In This Episode You Will Learn:
- How companies can protect themselves from new unsecure devices
- When security risks correspond with access management and IoT devices
- Why we need security programs to grow to a new level
Some Questions We Ask:
- How should network defenders and users combat botnet threats?
- What types of universal IoT standards need to be created?
- What privacy hurdles are currently plaguing the field of IoT-connected devices?
Resources:
- View Diana Kelley on LinkedIn
- View Ann Johnson on LinkedIn
Related:
- Listen to: Security Unlocked: CISO Series with Bret Arsenault
- Listen to: Security Unlocked
Afternoon Cyber Tea with Ann Johnson is produced by Microsoft and distributed as part of The CyberWire Network.
Transcript
Today, I am joined by my friend and colleague, Diana Kelley.
Diana is truly a cybersecurity industry icon.
Not only is she a globally known security expert, she is also the co-founder and CTO of SecurityCurve,
a cybersecurity consulting firm who donates much of her time to volunteer work
in the cybersecurity community, including on the Association for Computing Machinery Ethics and
Plagiarism Committee. Diana has served as the field CTO at Microsoft, the global executive
security advisor at IBM Security, general manager at Symantec, VP at Burton Group, which is now
Gartner. And last year, Diana was awarded the
Executive Women's Forum's Executive of the Year and one of Cybersecurity Venture's 100 Fascinating
Females Fighting Cybercrime. Welcome to Afternoon Cyber Tea, Diana. Oh, thank you so much, Ann.
It's really great to be here. So, Diana, obviously we know each other. You've been the strategic advisor.
You've been a cybersecurity writer for many years.
You've focused on IT security.
You've done things in risk management, compliance, and network architecture development. And you've seen the security landscape change really quickly, from attack methods to the marketplace.
So, how do you help organizations who don't have the experience you do get up to speed in the cybersecurity landscape?
Yeah, that is such a good question.
And I have to say, one of the things I've realized in all these many years that you and I have both been in IT is that the rapid pace of change in technology and the attack techniques can really feel a lot more manageable when it's grounded and balanced by principles and technical
realities. You know, we can forget how long a lot of these concepts have been around, like RACF,
which is the Resource Access Control Facility. It was introduced to the market in 1976.
So that means that people have been thinking about identity and access control for like 50 years. So once you
start to get a feel for what the baselines are of security and what's important, confidentiality,
integrity, availability, then suddenly the current landscape, it feels a little bit less
overwhelming so that they can get up to speed faster when they understand what it means
to have the brakes on the car,
what those brakes do, whether the brakes are working.
So that is really, for me, just a big one is to give them that baseline.
But then you have to start having conversations with the people about what the real problems are, helping them to prioritize.
And I find that a security assessment can really help there.
Because when you're doing an assessment, you're talking to all the key stakeholders.
And as you're having those interviews with them, you start talking to them about why you're asking certain questions.
You know, a CEO may be like, why does it matter what I do when I get into my email?
And that's a great opportunity to explain business email compromise to them and how attackers are getting in that ransomware, you know, going through phishing as one of the big attack vectors.
So that, I think, is another big part of that puzzle is getting them the baseline, having
the assessment, having that conversation in the real business, you know, the way that
the business communicates with the business stakeholders.
Now they've got a really good platform from which to hear and to read all of these headlines
that are coming every day about
changes and tactics and techniques. And hopefully they've got a better base to hear that from so
that the delta is going to be smaller between understanding and hopefully all that noise is
going to be less alarming and overwhelming. So when you start with a customer, right,
and you start with someone and you want to actually do that landscape overview for them or that assessment, where do you suggest they start or is it different depending on the organization?
Well, to do assessments, we actually use something that we base off of the 27000 series.
So, we take a look at the 27000 series, what would apply to that organization. If that organization is in healthcare, for example, and they're getting ready for HIPAA, then obviously we're going to bring in
some of the questions that pertain to HIPAA, if it's NERC, it's got to pertain to energy.
After looking at that and assessing what the company is, we read all the policies that the
company has already so that we can start to get a feel for where they think they are versus where
they should be. And then we go through the assessment interviews and have the conversations. And now
we've got a really good handle on what the company is, who their partners are, who their customers
are. And then using that against a really strong, well-known framework like ISO 27000 gives a good
starting point. But some companies, they prefer to use NIST 800-53,
for example. Any well-known framework can be a really good starting point.
Okay. Let's talk for a minute about IoT.
Okay.
So, we've seen a proliferation of IoT devices. It's been reported that by the end of 2018,
there were 22 billion IoT-connected devices in use. Yeah, 22 billion. And that was three years ago.
So as the sophistication of hardware and software
and consumer electronics skyrockets,
there's this increasing share of the electronic devices
produced around the world that have internet connectivity.
I got in my car the other day, and by the way,
I need to do a software update before I could drive it.
So that was interesting.
Anyway, but forecasts
suggest that by the year 2030, around 50 billion of these IoT devices will be in use around the
world. So this is a massive web of all these interconnected devices, spanning everything
from smartphones to kitchen appliances to cars. We now know that manufacturers are going to
continue to compete on who gets the latest device in your hands first, right? You know, in this household, I'm always the last one to get a new phone
because I literally hate upgrading my phone.
But my other two gadget-driven household members always want the newest one, right?
As soon as they're eligible for upgrade, they're running out to get something.
So let me ask you a couple questions.
What do you believe are the most significant security and privacy concerns
plaguing the field of IoT-connected devices?
And what is your guidance to organizations as more and more workers are starting to bring
their own devices to work?
Yeah, you know, it's funny when you talk about, you know, IoT is everywhere.
I think I know we're both huge, huge dog lovers and all of these different collars that they've
got for dogs now that have GPS in them and we're turning our dogs into IoT devices too
with them.
It's really, it matters, right?
There are a lot of significant security and privacy hurdles for IoT,
and it can be really hard to figure out where to start.
So actually, when I was at IBM, I developed something called
Five Indisputable Facts About IoT,
and it really distilled the major concerns into five umbrella categories.
And the first one is that devices are going to operate in hostile environments, which is kind of a known, right?
If it's around your dog's neck, it's going to be running through the woods with your dog.
If it's a smart meter outside your house, it's got the wind and the rain.
So we have to think about security and privacy in that context.
Software security is going to degrade over time.
In other words, what do we do about patching these systems? You just had to patch your car, right? So it had an over-the-air update.
But there were some car manufacturers that were talking about using USB sticks to update cars,
which as you could imagine, right, that could be a security vulnerability because maybe anybody
getting into your car could just have put that USB stick in. So how do we update these systems?
The shared secrets do not remain secret. And this is a really big one in IoT. If you remember the
Mirai attack that took down Dyn, the DNS server, and then that brought down a lot of their customers
with them, including Twitter, that was in part able to be launched because people don't change
their passwords that are the default with the IoT device. And as the IoT device ships,
some manufacturers, maybe not wisely, had the same user ID and password to get into every single
device of that brand that shipped out. So then people were publishing them. So they became
known. So these shared secrets do not
remain secret. Configurations will persist. If you ship something that's in a completely open state,
the most likely action from the consumer is to leave it in that completely open state, right?
People aren't security experts. So why should we expect them to lock things down? And then as data
accumulates, exposure will increase. And this is really where
that privacy comes in. IoT devices are gathering huge amounts of data. And it may not seem like
they've got information about us. But as we aggregate it, sometimes when you layer data,
you get more able to laser focus on who that data is connected to. The other thing is that data that
we might not think is personal could be personal. And one thing that sticks with me, as I was
talking to a CISO at an electric company, and he was very concerned about the electric records being
available. And I said, why? And he said, well, it's a privacy issue. And I said, is it because
when people are going on vacation, maybe they use less energy? And he said, it could even tell you religion.
Because if the electrical use at a house goes way down at sunset every Friday,
that could tell me something about the religion of that household.
And I realized, yeah, you know, there's a lot.
We don't always think how this data about us,
these little data breadcrumbs could indicate more about ourselves. So those things are a really good way
to initially think about what the big buckets of security are. And then beyond that, thinking about
how attackers are using IoT. I had mentioned the Mirai botnet, and they are absolutely weaponizing
IoT devices. When you grab an IoT device and you pwn it or you own it, now you've got something that's
going to be able to go out and do something for you, whether it's send denial of service,
like in a volumetric attack, or if it's a device that has the capability to do email, for example,
you could do email with it. Some devices have full processors and they can be used in crypto
jacking where they're used to mine Bitcoin or other cryptocurrency.
So looking at how we lock these systems down to prevent attackers, not only from those other big buckets, but also from weaponizing our IoT.
And Mirai is not the only big botnet that happened.
Mozi just occurred over the summer.
And that was a big one.
Again, it was doing IoT devices, gateways and DVRs,
and again, exploiting weak passwords. There's a great Microsoft Security Threat Intelligence Center post on this. I absolutely loved it. They really broke it down really well and explained
how the denial of service was launched and also about how ransomware payloads were being
launched after the attack. That's a whole lot of information and it's fascinating, right? And I think that,
so start with the dogs, you know, I was commenting, it's so funny you said that because
last week I was commenting, we're truly a tech household because we have redundancy. So the dogs,
they all have a chip, you know, from the vet, my phone number is on their collars,
and now they have this GPS fitness tracker. So, you know, it's three levels of redundancy to not losing my dogs. So, if one factor fails, we have a couple
others we can rely on. But I also was thinking about this device that's on their neck, right?
Because it is an IoT device, and it's giving the dog fitness data. And I doubt that there's,
you know, I shouldn't say this. There's probably not an attack vector where someone's too worried about the fitness of my dog, but most humans I
know also carry fitness trackers. And I know you've seen, you know, the opportunity for potentially
like healthcare blackmail. You know, do you want that information out there? And one of the, you
know, concerns people have with having so much information electronically. And I always think
about what's the next threat.
And are those fitness trackers going to be a big attack vector in the future?
You know, it's funny that you say that because I did this weird side stage thing at TED.
It was the actual TED conference in Vancouver, but I wasn't on the main TED stage.
I was off in a workshop room.
But in any case, that was exactly, it was about threat modeling.
And I did two use cases to threat model with the group. And the first one was on implantable medical devices
like pacemakers. And then we also threat modeled a fitness tracker, a wrist-based fitness tracker.
And at first, everybody just, the thinking in the room was, well, there's a lot you can do
with a pacemaker, but this fitness tracker, it's just getting some heartbeat information, blood pressure, maybe information. And you're
so right. As they started threat modeling, they came up with some really interesting misuse cases
on the wrist-based health tracker. And look, if you're a CEO or a high-level executive
at a big company, then your health actually could matter to an attacker and could potentially be blackmail material.
Yeah, I think that.
And, you know, speaking of that, we had a few seasons ago, we had Dr. Andrea Matwyshyn on, who's one of the leading experts in what she calls Internet of Bodies.
So things like all of those embedded devices that have connectivity, and we've been doing that for probably now 15 to 20 years, by the way, and people didn't even realize that, you know, first it was certificate-based authentication to do patches and updates to your pacemaker.
Now we've moved on to something different, but the threat vector has been there for a very long time.
All right, let's go back to something, well, maybe not cheerier, but let's go back to enterprise IoT. So I have two questions and I'll leave it with you, but can you talk us through two things?
What are some security practices that could help network defenders and users combat IoT threats,
particularly botnets? And how can the industry help them by creating more standards for, you know,
security for IoT devices and the creation and
production of IoT devices? Yeah. So, you know, I'm kind of a stan when it comes to NIST, but I've
been really, really excited at how much NIST has stepped in here and started to lead the charge.
They've been doing a lot of publications and thinking and also working with people outside.
On some of the publications they've worked with Rebecca Herold, for example, who's the Privacy Professor. So they're also reaching
out and working with folks outside of the government. And they've really got a lot of
incredibly good guidance that can be a baseline. And sometimes people will say, well, why are you
recommending NIST? It's really for the government. But a lot of the NIST, the special publications and the
NISTIRs, which are the interagency reports, are fantastic baselines that can be used by both the
government, but also by consumers and by enterprises. So a couple of the ones I'm really
happy to have seen got published recently, and some are in draft and some have been finalized.
But one is 8228, which is considerations for managing IoT,
cybersecurity, and privacy risks, which is a really good baseline, I think, and a great
overview for people that are getting started. On May 12th, the Biden administration came out with an
executive order about improving the nation's cybersecurity. So NIST came out with a lot of
really good baselines on security criteria for IoT devices, including the consumer devices.
And one of the things that I really like about where they're thinking is that they're not
just saying devices themselves, but they're looking at IoT products.
And when I first heard that, I was like, what?
What's the difference between a product and a device?
But what they mean is that the device is going to work within a system.
So as you're assessing the security of that IoT solution, don't forget that it's working in a system.
So that would mean the hub it's connected to, the gateways.
If you've got a smart light bulb, what's the hub that's managing that smart light bulb? And what about the mobile device that you're then connecting to to manage the hub?
So I like those.
There's also a special pub 800-213, again, about the device and the guidance that I think can really help people
get a handle. So a lot of really great stuff coming out in this that I strongly recommend people go.
And you can start with the ones I mentioned, but they're really baselining and helping us all
think about how to do this really well. And then we get into some other strong
guidance, like changing those default passwords that I talked about earlier, using multi-factor
authentication wherever you can. You want to update and patch your systems. And then, sorry,
I don't mean to buzzword people, but zero trust and looking at adopting a zero trust access
architecture. That can help a lot because the core of that
is looking at your network segmentation and network segmentation really helps when attacks
are underway.
If you've got an attack, then you've got a strong segment.
You're going to stop the lateral movement.
You're going to stop that attack moving through your organization.
So that can help quite a bit.
And then identity, because when we talk
about identity management, of course, we think about ourselves and individuals, but it's also
workload to workload, application to an application, and device to device. So that can help
too, where if you're locking down and keeping a management of your identity and seeing those
internet of things as IoT, as having their own
identities. That can really help a lot. And for that, again, for that DDoS, I think this is a
great opportunity for any company that hasn't looked into the really dynamic, scalable DDoS
protection that you can get from cloud providers. Now is the time and extend that DDoS protection to your IoT and your IoT environment.
Yeah, I think that those are all really, really good ideas. And I'm a bit of a NIST stan also.
So it's also, we try to give practical guidance on the show. We're talking about big topics,
and we do try to give some practical guidance. And I'll give you an opportunity at the end.
But before we go there, a couple more things. Remote work.
Bring your own device.
So a little different than IoT.
But how do you suggest employers get a handle on all the different laptops people are working on maybe at home and they're sharing with their kid or their spouse doing work?
And that may introduce malware to the device.
And then bringing the actual remote device to the office even potentially.
Yeah, one of the things I started working on with companies is, as we're going to be in this WFA, work-from-anywhere environment,
what is it that we're, how can we strengthen that?
How can we strengthen our programs?
And I think creating policies around helping to set up a hygienic work from home environment
and giving people
either the tools to do it, so either maybe you give them the router you want to use at home,
or giving them a quick start guide can help a lot. Because to your example there, what happens
when we're all on the same network? Well, we don't have to be. It's really easy to set up
different wireless VLANs. And then you can have your smart locks and your washer and your kids
playing their games. They can be on a separate VLAN. Or if they have a wired house, it could
be a separate wired VLAN too if they're kicking it old school. But helping people understand how
to set up segmentation and the wireless tools now for home use are really actually very,
very user-friendly. But a lot of people just need a little bit of guidance
on how to set that up.
And so helping employees understand how to do that,
how they can secure their smart devices,
helping them understand about the default passwords,
how to keep those devices, how to keep them patched.
And then Zero Trust, again,
coming in with better identity control.
And on the corporate side,
as people do come back into the corporate network,
making sure you've got that really robust
identity lifecycle going
so that when people do leave,
you can remove access for them
or access for their devices,
especially if they are BYOD.
And I just love that there have been
so many technical advances
that make it easier to manage identity
and segmentation in complex multi-cloud environments.
So those are sort of the main things, but again, widespread availability of MFA and turning it on.
Managed endpoint protection, this is another one, and endpoint detection and response.
Get some sort of visibility into what's happening with those devices. Even if it's BYOD, you can
still install a management
agent on that device to give you a little bit more control and transparency from the corporate
viewpoint. And then the last thing that I'm really excited about is conditional access and just how
much smarter we are about monitoring access and making smart decisions about who's doing what
and stepping up that control if you need to when you see activity that's unusual
or if you see people going to touch highly sensitive resources either from their home
or even from the corporate network. That's all really, really great advice. And I think the one
thing that you said that resonates outside of zero trust, and I don't want to play buzzword
bingo also, but there's a lot of value in a zero-trust identity architecture, is that the consumer tools
are becoming simpler. And we need to keep driving consumer tooling to be simpler so people can be
inherently more secure. Yes. Yeah. All right. Let's pivot for a second and talk about the shows
you produce. So, you produce the My Cyber Why series and, on BrightTALK, the Security Balancing Act.
And these programs are fantastic, right? They provide so much insight
to the industry. And I know I learn a lot from every guest I have on Afternoon Cyber Tea.
So what is your favorite part of hosting the shows you host?
Oh, you're so nice. With My Cyber Why, I actually got the idea from Tomi Salmenpää,
who is, he was one of the first guests and he does cybersecurity for Finnish Traficom
Aviation. And he was telling me about his job. And Ann, I was just blown away because I didn't
understand, A, how much cybersecurity went into the aviation industry. I mean, I knew that
for the planes themselves, we had to make sure the software was secure, but even the communication
internationally,
because as we fly, we fly over different airspace and different geos and control over the airspace.
And it just blew me away. So I said, Tomi, I think everybody needs to know what you do,
because it's such a wonderful thing to keep people safe. And that was the genesis of My Cyber Why, was just to celebrate people doing really cool things in cyber that a lot of us,
or at least me, I didn't know about.
So I love, as you do, I love learning from people
and also just being able to celebrate all these different ways people work in cybersecurity.
We just recently had Ellen Zhu, who's a high schooler, and she's incredible.
She's got her own podcast, and she's just kicking it
as one of the top Capture the Flag students in the country.
And then all the way to Craig Jones, who he leads cybersecurity for Interpol, but he started as a beat cop in the UK.
So just these wonderful stories.
And I love hearing the stories and I love being able to share them with others.
And then the Security Balancing Act, because it is really about how do we balance security and privacy, but keep our organizations still very competitive.
And I just love this sort of surprise element of each month, the folks at BrightTALK will bring different people into the conversation.
So sometimes we source guests together, but they also bring in guests.
And so I never know who's going to be on the show until they give me the list of who's
going to be on there.
And then we have this wonderful, our first call to get ready for the actual show itself.
And just the different dynamic and hearing the different viewpoints from people and then
pulling it all together into an organic conversation is just a whole lot of fun.
And then on Security Balancing Act, we're also live.
So we get a lot of audience questions that really kind of gooses how the conversation goes.
And it has to keep me on my toes.
We were doing election security and whether elections were secure.
We happened to be doing that on January 19th or 20th of this year was when we were running that show.
So it was when Biden was being sworn in.
And I really had to be on my toes with the questions that day because there were a lot of people who had opinions that day about election security.
Yeah.
So Diana, you're never standing still.
So can you share a bit with our listeners about what you're working on currently?
Okay, Ann. So, as you know, when I left Microsoft, I had intended to volunteer about 50 to 60 percent of my time for technical
nonprofits. And then I was thinking about an animal shelter for elderly companion animals
that didn't have a home. So, that was sort of where my thinking was last year. And the really good news is that
I do devote 50 to 60% of my time
to cyber nonprofit work.
So that's, I feel really happy about that.
I'm on the executive board for WiCyS.
You had mentioned what I do with ACM.
I lead the inclusion working group at WiCyS.
I work with Sightline Security.
I'm on the board at Cyber Future Foundation.
Cyber advisory board for CompTIA.
I work with Bartlett College of Science and Mathematics at BSU. So a lot of stuff that I
had really wanted to be able to devote time to, and I feel so grateful that I have the time.
But for the rest of the time in the day, people kept asking me to do things, and I keep doing
them. So the shelter for the companion animals is on hold. And the other
part of my time, I'm working with SaltCyber and I do vCISO work through SaltCyber. I'm also a
principal consulting analyst with TechVision Research, which is a lot of the former Burton
Group folks. And I do startup mentorship and advisory and executive advisory for CISOs and CSOs.
That's all?
Oh, you know, I don't know how you do all that.
Well, I missed one because I'm the conference chair for EWF, but you and I are both on the
advisory board there.
So that's awesome.
Yeah, that is.
And then you have the pups.
So I know you spend a lot of time with your pups too.
I do. And I don't know, have you seen Bunny, the dog that talks with buttons? Because
I got, have you seen her?
I have seen her. I just can't figure out how to get my dogs to even, well, nevermind.
They're not that well-trained.
So, you know, I have Nick and Nora, and Nora is really, she's just the,
she's a more motivated dog, let me put it that way. So, she's got inside and outside with her
doorbell buttons, and she can do some communication with her buttons, and Nick is very, very,
very grudgingly will put his paw on the button to come back in when he wants to come in.
I think I could get Mariah to do that.
I just need to spend some time with her.
Well, thanks so much, Diana.
We want to send our listeners off with one or two key takeaways about how you think we
can overcome the threats we're seeing and why you're hopeful about the future of cybersecurity.
So I think we can overcome because when we all work together and anybody who's not a
criminal trying to steal from someone
in the cyber realm is we're all on the same team. I think the more that we can communicate and share
information with each other, the stronger we're going to be. And there's a lot more information
sharing that's going on. So that makes me very hopeful. And I think in order for us to be able
to do that as a group, as an entity, is to just
remember to take a deep breath, not let the attackers weaponize our fear.
They're playing on that we're going to get scared, that we're going to go into crouch
and defense mode instead of into, we got this.
We just need to work together and plan and roll things out in a way that's going to keep
us all stronger and more resilient.
So we can do this and working together is the key.
Excellent.
Well, thank you so much
and have a wonderful rest of your day.
Thank you so much, Ann.
It was great to be here.
And thank you to our listeners
and join us again for the next episode
of Afternoon Cyber Tea.
So I chose Diana Kelley because I've known her a while and she is just this immense resource for knowledge. She is one of the most knowledgeable people across a wide variety
of cybersecurity topics and incredibly deep and also just this great person who volunteers time
to help make the industry better. Very personable.
I always learn whenever I talk to her. And she was just this awesome guest on Afternoon Cyber Tea. It's one of my favorite episodes. So I say that about every episode.