Interviews from The Underground Economy Conference – Part 5, IoT Security

From Las Vegas:

We recently returned to hosting our live conferences! We have missed you, and we’re happy some of you were able to join us this past week!

This RISE-USA conference did not disappoint! Our conference presentations were poignant and timely, engaging and informative, and ranged from the most impactful takedown in recent history to state-sponsored espionage, from attribution to ransomware, and from human trafficking to Cobalt Strike. Our information and agendas are what you expect from us, and only Team Cymru conferences can provide them!

More than that, it is our distinct honor and privilege that you are among our friends and partners. Thank you. We cannot overstate our admiration and genuine love for this community. Be safe and well!

We are excited to announce that we have just opened registration to RISE Germany on February 15-17, 2022. Register now as space will be extremely limited at RISE Germany.

 

This is yet another in the series from our interviews at the Underground Economy Conference in 2019. UE returns in 2022.

WHAT WE ASKED…

There are several initiatives to bring more women into the security field, why do we still see low numbers of women engaged?

What are your thoughts on IoT Security?

How can the community work to reduce the time for takedowns? What is missing that keeps phishing/malware/bots online for way too long?

 

Q: There are several initiatives to bring more women into the security field, why do we still see low numbers of women engaged? 

 

A: “I think one of the reasons that there aren’t so many women in this field dovetails off of what I just said my advice for new people in the field is. You come in and you don’t know a lot and you have to learn a lot, and I think society kind of conditions women to not feel as comfortable asking questions and not to be as comfortable presenting themselves as experts when there are things that they don’t know. My advice off of this would be for women who are in the field and for our male allies to be kind of cognizant of the fact that a younger woman entering might be a little bit more insecure about where she stands than maybe some of her male colleagues would, and to kind of nurture that and be understanding of that.”

Liv Rowley – Liv is a Threat Intelligence Analyst at Blueliv, a Barcelona-based threat intelligence company. A lot of her research is based around the dark web, how cybercriminals are using it to interact with one another, and what they’re talking about. https://www.linkedin.com/in/livrowley/ @OLRowley

 

A: “Today there are a lot of projects regarding women for cyber, women in cyber security, and so on. I think a lot of women, nowadays, are maybe scared about entering this kind of field. But I know the other part of women, who would like to enter. A lot of the time, plenty of the time, we will receive some scared comments about, why are you here, are you a lawyer? No, I’m a technical guide, I’m a forenscer. But we can do more, because this kind of security field is so closed just for men. So, when I saw new girl with this kind of new approach, okay you would like to enter cybersecurity? Yes, you can enter into cybersecurity field and have respect of your colleague.”

Selene Giupponi – Selene has worked in the digital forensics environment in cyber security for more than 10 years.

 

 

A: “I think that’s one of the biggest missed opportunities in the high-tech industry in general and in cyber security specifically. There’s absolutely no reason for women not to join this area. They can function and contribute as well as men, if not even better. I am very passionate about this and hope that many more women will join this area. I can say that like many other security teams, I don’t have that many women working on my team, but the ones that I have are excellent employees – very smart and contributing employees. Two of them are even team managers and they do an excellent job in their positions. They are highly appreciated by the organization. So, as I said, there is absolutely no reason for women to not join this area, and those that are going to join will find out this is a highly interesting and compelling area that pays well.”

Ziv Mador – Ziv is the VP of Security Research at Trustwave. Ziv has been in this business for over 20 years, leading a global security research team with many intelligent people. https://www.linkedin.com/in/ziv-mador-a9bab2/

 

 

A: “A lot of initiatives are being taken in the industry to promote diversity in cybersecurity, but also to have more women in the industry as it’s traditionally been a male dominated industry. I have been privileged to work with some of the smartest women in our industry throughout my career. Over the last five to 10 years, things have evolved with more women taking up cyber security as their career. We need to grow that, but I need to highlight that many women researchers, entrepreneurs and leaders in the cyber security industry are very successful and in turn have become role models for the future of women in cyber. We definitely need to do more to celebrate the sheroes of our industry and share their success stories so more girls in schools and colleges consider this as a challenging and rewarding career.”

Vicky Ray – Vicky is a principal researcher for the Unit 42 team of Palo Alto Networks. Vicky manages the Asia Pacific region on all threat intel initiatives for Palo Alto Networks. A large part of the work in Asia Pacific involves collaborating with both the public and private sectors. https://www.linkedin.com/in/vickray @0xVK

 

Q: What are your thoughts on IoT Security? 

 

A: “One of the areas that concerns me a lot is IoT (Internet of Things). These devices we’re connecting, whether it’s our toaster, refrigerator, washing machine, heating and cooling systems in the building, or whatever that we’re connecting to the global Internet, concern me a lot. Many of these devices are devices that are designed and built to minimal specifications and have certain inherent limitations – only so much memory can be fit inside of a small device, only so much processing power, etc. People want to put these devices out as quickly as possible but are not thinking about the security of those devices. We are not thinking about what happens if that device gets compromised, so globally we’re increasing our threat landscape and we’re increasing our attack surface area by depending on these quick little widgets that we can throw into the network. So, I encourage not only networking folks in the community to be more involved with what’s happening with IoT, but I also encourage the HVAC, air conditioning, cooling, plumbing, and other building systems folks to really start to understand what IoT is in a commercial space or even in a residential space, and to make sure that proper kinds of risk and safeguard analyses are done when implementing these IoT devices. IoT devices give us a tremendous amount of capability and a tremendous amount of information and power, but with that comes a higher level of responsibility that we need to have as a whole industry to protect this new infrastructure.”

John Brown – John is a part of an internet service provider business called CityLink Telecommunications that is based in Albuquerque, New Mexico. https://www.linkedin.com/in/john-brown-cissp-020135

 

 

A: “The IoT wave brings many challenges. One of the main reasons is because many vendors that used to provide those or manufactured those devices for a very long time started adding that computer code to those devices and administration interfaces that administrators can use to connect and configure. Many of them don’t really have expertise in computer security and their code has vulnerabilities and they don’t pentest those devices. So, what we end up with is many vulnerable devices being installed or set up in people’s homes that can get attacked. We do vulnerability research, and we reach out to vendors where we find vulnerabilities to let them know about those issues. We had cases where we reached out to some of those vendors and mentioned vulnerabilities in their product. Some of them didn’t even understand the term “vulnerability”. They didn’t understand why they should be concerned about this. Some did not touch the issue fully and we had to over and over show them how to fix the issue more fully. So, it is an issue. Certainly, I would first encourage every vendor that wants to add computer code to their products to do some level of training to understand the issues and make sure their developers are trained about that. Use penetration testers to test their products, but also as an industry, we have to come up with solutions to better protect environments from those threats.”

Ziv Mador – Ziv is the VP of Security Research at Trustwave. Ziv has been in this business for over 20 years, leading a global security research team with many intelligent people. https://www.linkedin.com/in/ziv-mador-a9bab2/

 

 

A: “I have fairly bad thoughts about IoT, because we’re making all the same mistakes that we made back in the 1990s with PCs. It was like, this is a perfectly reasonable computer and security costs extra so we’re not going to worry about it. Just in the way that 20 or 25 years ago PCs were riddled with viruses and stuff because there just weren’t any defenses, and it’s just this time not excusable that we’re making the same mistake with IoT now. And, although I would hope that the industry could work it out on its own, I don’t think it’s going to happen. I think that the most likely route to having things work better is going to be both industry certification sort of analogous to CE or UL that makes sure that an electrical device won’t burn the house down when you plug it in, and I think we’re going to see certification like that. It’s not going to be legally mandatory but there’s going to be a lot of people who will say, “if it doesn’t have this certification, I won’t buy it”. Then beyond that, there’s going to be cooperation at different levels, and I know people working at large router vendors who have a technology where a device manufacturer can publish a profile and say this is the only kind of traffic this device should be sending or receiving, so then the local router can basically firewall the device so even if it’s infected it won’t do bad traffic, and since it’s already firewalled, it’s less likely to be infected. So, I think the combination of these technical approaches but mostly the certification and people looking for certification can make things better. But I’m afraid that, we all heard about the Mirai botnet and we all know about other IoT botnets, so I’m afraid it’s gonna get worse before it gets better.”

John Levine – John is the president of CAUCE North America, which is a grassroots anti-spam organization. He is also a member of the ICANN stability and security advisory committee. John is a senior technical advisor for MAAWG and is on the board of the Internet Society, and manages to get a little bit of work done between all those things… https://www.linkedin.com/in/johnlevine @spamvikktim

 

A: “So IoT security is in my opinion nonexistent. It seems that older technologies, such as telnet, which comes from the 1960s, early 70s, but all these old technologies are being brought back and used on smaller devices. Whereas in the past you needed to have rooms of equipment, now you can put telnet on a small little box and that’s what’s happening. So, we have billions of deployments of legacy technology just sitting out there on the open Internet, and a lot of it’s consumer based and people take it out of the box, plug it in, and it works so they’re happy with it. That has created an attack landscape like never before and that we’ve kind of seen the fallout from, like the Mirai botnet and the centrauri botnet, and I think those are just the beginning.”

Alexander Heid – Alexander is the chief research officer of Security Scorecard and the co-founder of the Hack Miami organization.

 

Q: How can the community work to reduce the time for takedowns? What is missing that keeps phishing/malware/bots online for way too long?

 

A: “I think the community has done pretty well historically for looking for these criminal networks, trying to stop and take down some of the infrastructure. Things that we could do to speed it up, is continuing to build that relationship with law enforcement, because these takedowns are ineffective unless you can get to the actors, so we really need to speed it up by facilitating getting information to enforcement, so they can identify the actors because that’s really the only way that these takedowns are effective.”

Stephen Boyer – Stephen is the co-founder and CTO at Bitsight, a company based in the United States, but Stephen works globally.

Please check out our events page for a list of upcoming events for 2022.