[00:00:41] Tom Garrison: Welcome to the Cyber Security Inside Podcast. I’m your host, Tom Garrison here for a special edition of the podcast with my co-host Camille Morhardt. Hi Camille.
[00:00:54] Camille Morhardt: Hi Tom. This is one of our last episodes in 2021, and we decided to look back at some of the conversations we’ve had this year. I think it’s interesting. We’re looking at some of the very practical tips that some of our guests had for companies and manufacturers to secure their systems.
[00:01:01] Tom Garrison: Yeah. And it’s probably no surprise that we’d start with one of the biggest cyber security stories of the year. And that’d be the SolarWinds attack.
[00:01:16] Eric Cole: So at a high level, there’s really two components to the SolarWinds attack. The first one is the attack against SolarWinds to modify their source code for their Orion product. And the second piece is the distribution of a malicious update to all of their clients that then created a back door.
[00:01:40] Tom Garrison: That was Dr. Eric Cole, CEO and Founder at Secure Anchor Consulting.
[00:00:52] Camille Morhardt: And Eric suggested we all operate as if we’re going to be hit with something like SolarWinds–this type of compromise–in the future. He provided some steps companies should take to protect themselves.
[00:01:57] Eric Cole: The first one would be to take all third party servers that contain vendor software and put them on a separate isolated segment. Don’t plug them directly into my private network, put them through a firewall or a filtering device to limit and control the access. Second, is test and verify the current software that you have today to make sure it’s stable. Put monitoring software sniffers to make sure there’s no extraneous activity or connections.
Third, make sure you’re very careful and deliberate about updates. A lot of vendor software updates are functionality that you don’t need and add complexity. So have a strict rule that you’re only going to update after verification and validation. And then the last one is put proxying in place for all outbound connections–so anything leaving your organization, you’re going to put a proxy in place and turn on automatic anomaly detection. So if all of a sudden the number of connections, type of connections, or volume of connections changes by a certain percent, you’re going to get an immediate automated alert.
Camille Morhardt: I guess I would have kind of a parallel or a complementary question, which is if you’re a supplier, how can you give them some sort of assurance that you’re well protected?
Eric Cole: Uh, it would really be two big areas. The first one is processes for software development and deployment. So if I was a software developer, I would go in and immediately document my environment. I would show that we have an air gap set up where we’re controlling and managing it as a trade secret, our source code–cause that’s what it is. We have it isolated and separate. We do verification and validation and we do robust testing before we roll it out to the vendor.
Then I would give all my customers a reference architecture and how they should deploy my software within their environment. I would never recommend my client directly plug my server or software onto their network. I would give them an architecture to say, “here’s how you should set it up. Here’s the firewalls.” And then I would also provide them a list of all authorized connections so they can go in and properly firewall it. And then if they see anything outside of those connections, they instantly know it’s an attack.
And then finally, I would offer for them as a service for us to be able to do monitoring of their network for my component, that if we see anomalous connections or anything unusual that we can get an alert so we can respond quickly.
[00:04:33] Tom Garrison: That was Dr. Eric Cole, CEO and founder at Secure Anchor Consulting, talking about how suppliers and their customers can protect themselves against the SolarWinds type of attack.
[00:04:50] Camille Morhardt: Tom, I remember when the SolarWinds story broke and I kept coming across headlines and news coverage that said the attack was a “wake-up call.” What’s your perspective on that?
[00:05:00] Tom Garrison: Well, I thought it was pretty humorous actually because the coverage around it sounded like it was so innovative and groundbreaking and, and so forth. And, and the people that I know that are in the security industry have been saying for so long that it’s just a matter of time. This wasn’t actually a groundbreaking attack at all, other than it was a large enough scale attack to where it was newsworthy and people that really hadn’t been paying attention that were kind of sleeping, finally got shaken by the shoulders and said, Hey, this could happen to you. In fact, maybe it just did.
[00:05:39] Camille Morhardt: Yeah, not really a wake-up call when it’s the fifth time you’ve hit the snooze button on your alarm.
[00:05:45] Tom Garrison: Exactly. That’s a great, that’s a great analogy.
[00:05:48] Camille Morhardt: And our next look back is Malcolm Harkins. He’s one of our guests this season who had a very strong opinion on this. He’s Chief Security and Trust Officer at Epiphany Systems and he’s also a former Vice President and Chief Security and Privacy Officer at Intel.
I remember him in our conversation saying if SolarWinds woke you up, you weren’t paying attention.
[00:06:11] Tom Garrison: Yeah. And Malcolm addressed how companies can mitigate risks on a number of levels.
[00:06:15] Malcolm Harkins: I’m a big believer that in some cases, and this may sound contrary to most people’s view, I think in some cases we’re overstepped on information security. I think we are doing band-aids, bubble gum and baling wire, making up for dated security technologies and other technologies that don’t work; they’re insufficient and flawed controls. And what we’ve got to start doing is weeding and feeding our environment. Go look at the effectiveness and the efficiency of a control, and if it’s not effective and efficient, shut it off, get rid of it and buy something better. We’ve got to hold CISOs more accountable to real outcome-based metrics on risk, total cost and control friction. And in doing that, they also need to drive accountability back to the security industry, and what we should be doing when a real breach like this occurs–whether it be Target, Anthem, Home Depot, Colonial, SolarWinds–we need to do almost like a National Transportation Safety Board type review. And go, “what controls failed?” and then publicly label it, including the company who sold you the control that didn’t work.
Camille Morhardt: Right. To get better, instead of kind of pinpointing it on a single company, looking at the overall controls and processes and saying, what does the greater industry need to learn and apply. Because I, I have a question about blame. Okay. So can we, uh, for a lot of these things, one of the ways in for ransomware is, say, a phishing attack–could even be a, a text message, um, that you respond to. So do we drop all the fancy stuff, technology and software and helpfulness, and do we just invest in training people?
Malcolm: Yeah, I’m a big believer in training people. And that’s necessary. It’s not sufficient. That whole approach has turned into blaming the users for using computing. “Be careful on what you click on.” “Don’t open these attachments.” Now on the one hand, I want employees to be cautious of that. It’s like the, do not talk to strangers. But how do I use my computer? I click on things. I open things, right. If I’m afraid to go do that, I’ve just reduced what computing is about and how I use it and how I engage it. So we’ve got to tell people to be cautious, but if every time before I opened an attachment that looked like it came from Tom, because we happened to work at Intel, but I didn’t know he was going to send it to me, I had to call him, think how inefficient that would be.
I think this is where we’ve got to start spending real time, deeply understanding the control environment and then moving to advanced technologies that can prove they can mitigate and manage the risk. But since technology is ever changing, usage models are ever changing, threats and vulnerabilities are ever changing, you kind of have to be on the forefront of emerging security technologies, because if you’re not, you’re falling behind.
Tom Garrison: Yeah. I, I agree. And, and I think the, you know, one of the talking points that I’ve had with folks is when it comes to security, do the basics. And starting with the basics are things like, do you update your machines? Do you make sure that you’ve got the latest, greatest, you know, vulnerability fixes and so forth across your entire infrastructure? Because how many times have we heard about exploits that are taking advantage of things that have been known for five or 10 years? These are not brand new exploits that just happened. These are things that the industry has known about for five or 10 years, but the bad guys are counting on the fact that you didn’t fix it.
And then number two is- I agree with you–you shouldn’t blame the user, but you can prevent a lot of bad results, if you have employees that are sort of trained to be, at least be cautious.
Malcolm: Yeah, I agree with you, Tom. And if you think of the lion’s share of training that’s occurring, it’s with the general user population. And in reality, we should probably be spending more training on the technical population–the IT professionals, the app developers, the people who manage the websites. If we have them better skilled, technically, in security and how to manage the configurations, how to do these things, we’d probably have a higher payoff.
[00:10:55] Camille Morhardt: That was Malcolm Harkins, Chief Security and Trust Officer at Epiphany Systems.
[00:11:08] Tom Garrison: Well, SolarWinds certainly grabbed a lot of attention in cyber security, particularly in the early part of the year. But the security issues around work from home have been a year-long struggle–well, actually almost two years now. And they’re not going away anytime soon.
[00:11:22] Camille Morhardt: That’s true. There’s been an entire culture shift in many companies where they’re embracing a hybrid model.
[00:11:29] Tom Garrison: Yeah. And you know, if you think back to this whole work from home movement that started with COVID a couple of years ago now, the first thing that people realized was just performance in general. And it was, “oh my gosh, I’m working remotely. My PC is just not up to the task.” And so we saw as an industry, we saw a lot of PCs being updated and upgraded, and that was great, but that introduced a whole new set of now security challenges–because you have your devices in your home environment, probably hooked up to your consumer router, your consumer printer, other devices around the house that open up all different types of potential attack surfaces for what was before a relatively pristine work environment.
[00:12:21] Camille Morhardt: Right. You have all of these devices you’re now using at home and probably sharing with students and a spouse, possibly. And they’re not necessarily managed by IT. And then besides that, when you talk about the upgrades or replacements of devices like PCs, you know, over the last couple of years, a lot of those were happening with a new rollout model. So it wasn’t going through an IT shop and getting imaged. And in a lot of cases, these devices were being sent straight to, you know, the employee or the executive at their house, and then provisioned there.
[00:12:52] Tom Garrison: That’s true. Usually it was executives in the past, or road warriors in the sales force, something like that, where it might send a device directly to them that was not already provisioned. But now en masse, where you had these devices showing up on people’s doorstep that didn’t have an ounce of software loaded on them, and IT had to find a way to safely provision those devices and get them up and running quickly.
[00:13:21] Camille Morhardt: Yeah. And you know, one other thing to note in some of these recent conversations that we’ve had, uh, looking at infrastructure bills, it’s kind of become clear that critical infrastructure is going to be redefined over the next few years here. And it’s not going to be as limited probably as it has been to when we think of sort of energy grids or pipelines or things like that, telecommunications, a lot of times, you know. We can actually think of consumer devices as able to provide insight into the masses of a population that could very well be considered critical infrastructure in the future.
[00:13:59] Tom Garrison: Yeah. I mean, just think of your phone, you know, which is relatively, generally speaking, a consumer device, but how much data exists on that device? And you can think about it from a privacy standpoint, you know, personal data, but also if you were a nation state and you wanted to spy on people, now consumer devices are a pretty interesting target to go after as opposed to more hardened targets that might be assigned to the corporate environment. It might be easier for you to just go after these consumer devices and get lots and lots of information about people.
[00:14:41] Camille Morhardt: Yeah, I think we’re going to be, you know, definitely having to explore that as we go forward. And so for this conversation, we invited Carolina Milanese who’s an analyst at Creative Strategies and we had a conversation with her, asking her to share her wisdom from several decades of research focused on the intersection between consumer tech and business.
So this is very relevant right now, and she told us among other things that working from home, there’s going to need to be some give and take, but ultimately it’s the company’s job to find security solutions.
[00:15:16] Carolina Milanese: When you look at, for instance, PCs, the easiest way to solve part of that is actually not having a PC that is a corporate PC sitting on my home network. So thinking for instance, at the ability for an organization to deploy a PC that has cellular connectivity built into it. And so you have more control over that, than not forcing me to upgrade my wifi connection and use, you know, an encrypted connection or a firewall and all the other things that tend to end up actually making my life miserable from it from a throughput perspective, right?
So, you know, one thing that we definitely have seen OEMs and enterprise ask for more is connectivity embedded in laptops. That cuts out any of that idea of, “okay, I have an IT Department now in my home managing my network.” Uh, and instead it’s managing the PC as they’ve always done. You know, that’s no different than what we did before.
Tom G: So that says either the IT shop’s going to have to dictate what kind of networking and what type of printer you should buy and what type of, you know, all of the other infrastructure. Or tell you, “no, you need a direct connection, cellular connection, and therefore you’re going to get a different kind of PC.”
Carolina M: Yeah, I, I think the latter is going to be easier because it’s solving two problems, as well. There’s a security issue to it and then there is a, um, just the overload that you have, uh, from a work environment. Your broadband will be still, uh, strained by just even having one person working remotely. Once we are in the position to go back to the office and there’s going to be a choice to stay home, I think there’s going to be a set of requirements that organizations will have, even down to, “if you’re working from home, you’re going to have to have a certain chair and a certain workspace.” Um, you know, working from the sofa is not going to be something that corporations will be happy with because there is a liability, right? There are people that are complaining about neck and back pain during these months we’ve been working remotely.
Tom G: To me, intuitively–I want to get your position on this–intuitively, to me, there’s sort of two approaches that a company can take with regards to the division of work and home. And one is they can lock their work device completely down. And so the only thing you can do on that device is work. The other approach obviously is to maintain flexibility, and I think users would probably in most cases like that more. What do you expect, with your experience, in terms of how do you deal with that privacy angle of consumer data that has nothing to do with work, and how a company is going to deal with that sort of merging within devices?
Carolina M: Yeah, I think the device is the easier thing to fix, to be honest, and at the same time, I worry that focusing on the device, um, might give you a false sense of security because the issue is the data and the fact that we are moving more and more into a cloud world–I’m talking, not cloud from just, you know, where our information is stored, but really from a workflow perspective. So it doesn’t really matter what device I’m using because I can access what I need to access. And that to me speaks more and more about securing the data. And also to be honest, teaching people how valuable that data, that information is so, so that there’s more an understanding of how I use it, where I use it, what kind of device I use it to access it and so forth. But securing the device, I think will get you in trouble sooner rather than later–only the device I’m talking about.
[00:19:39] Camille Morhardt: That was Carolina Milanese, an Analyst at Creative Strategies.
[00:19:50] Tom Garrison: We couldn’t wrap up this episode on practical tips for security without exploring products and ways companies can build security into those products. I know at Intel we’ve really embraced this from the perspective that security gets built in not as a sort of afterthought or not just as a feature, but really into all aspects of the device. And that starts years prior to when it actually becomes an actual product–you know, through our research that we do and, uh, engaging with outside companies. And then also through what we learn from prior security vulnerabilities that are found on, let’s say previous products. We take what we learned from those issues and we build that into the products moving forward.
And I think that mindset is something that not every company has really come to grips with, but starting really over the last year or two, I think more and more companies are realizing that security is not something that can be treated as an afterthought. It really does need to be thought of from day one of product inception.
[00:21:06] Camille Morhardt: Yeah. And obviously each device or application or technology is going to have its own intended use cases. And of course also potential unintended use cases that could potentially cause security concerns over its life cycle. But there is a broad approach for designing for security that’s known as threat modeling. And the “What That Means” episode conversation I had on this topic happened to be one of our most popular episodes. So this is something people are interested in. So in the spirit of “What That Means,” I’m going to let the guests explain threat modeling. I spoke with Johnny Valamehr, a Principal Engineer in the Security Architecture and Engineering Group at Intel, and Dina Treves, who is Architect and Silicon Design Engineer of WiFi Client Solutions at Intel.
[00:21:58] Dina Treves: In order to understand threat modeling, we need to understand three basic terms. One of them is an asset, which is something that we care about and we want to protect. Let’s consider medical information, for example, we want to keep it confidential. We also want to make sure that no one can change it unless they’re authorized to do so, because if you’re tampering with information such as deleting allergy information or modifying medication dosage, this may result in life-threatening scenarios.
Now we need to consider adversaries. An adversary is someone that has skills and motive to get to our asset–either to find out information, damage it, or deny us the service. And an attack surface, which is some sort of opening that the attacker will use to get into our system. Threat modeling is basically taking those three elements and starting to play “what if?” And when we’ve come up with all kinds of “what ifs” we start thinking of mitigation, how to protect our system.
Camille Morhardt: Johnny, does threat modeling differ depending on use case or depending on product?
Johnny Valamehr: Yes, absolutely, Camille, it does. So the threat modeling activity is very dependent on a system’s use case, the system’s assets as Dina mentioned; where the system will be deployed. Uh, who will be using it, what it will be connected to, so on and so forth. And so using this information allows the individuals who are developing the threat model to place threats as “in scope” or “out of scope.” When this threat is in scope, that means that’s something that we want to protect against, that we think may actually happen out in the wild. When something is out of scope, we’re typically not going to place any attention to it and try to fix it–whether that’s because it’s likely not to happen or whether that is something that is not in the use case and whatnot. So that’s really the first thing you do, is you place threats as in-scope or out-of-scope, and then you prioritize those threats accordingly.
And so every system is different and used for a different purpose. Thus every threat model is unique and deserves its own diligence and attention.
Camille Morhardt: Do we ever consider people to be a threat?
Dina Treves: When you think like an attacker, this is also modeling people, because you need to think what a person would be interested in, what would he go for? How would they do that? And also think like your customer. What is important to them? Sometimes they may not be aware even of things that, uh, may be problematic in terms of security that they did not give you as security requirements. But you should think what is important to them, and then you may come up with more security issues that are important to them.
Camille Morhardt: Is there sort of one thing in all the trainings you do, if people could walk out with one takeaway, what would that be?
Dina Treves: Security should be part of everybody’s job, and in everything that you do you need to think, is there a security impact to what you’re doing, even if it doesn’t seem like that in the beginning?
Johnny Valamehr: I would say that threat modeling needs to be done early and it needs to be iterative. And as Dina said, everyone should know about the threat models so that every design decision and every trade-off that’s made is understood with the security implications that are gonna be affected.
[00:25:28] Tom Garrison: That was Camille in conversation with Johnny Valamehr and Dina Treves, both from Intel. Well, Camille, it was nice to look back on some of these important topics that we covered on security. And you and I have really been talking a lot about some pretty interesting topics throughout the year. We’ve covered a lot of ground.
[00:25:49] Camille Morhardt: Yeah, I’m particularly looking forward to the episode that we’re going to be doing early next year, where you and I just talk about some of the trends that we really think have, you know, are bubbling up as the next thing to watch over the next few years. So I think that’s going to be a really interesting conversation.
[00:26:07] Tom Garrison: I agree.
[00:26:09] Camille Morhardt: Thanks for listening to today’s episode. You’ll find links for the full conversation we featured today in the show notes.
[00:26:16] Tom Garrison: And please feel free to reach out to either Camille or me on LinkedIn with topic ideas. We love hearing from you.