This week on Cyber Frontiers Christian and Jim talk about the zero trust security paradigm and how COVID-19 has drawn this security model into focus for the enterprise. As corporations accelerate technology adoption timelines to meet the demands of a remote workforce, cybersecurity practices and investments are evolving to secure employees and corporate assets in remote work environments. After diving into key aspects of zero trust, we walk through the recent Twitter security incident and analyze the event through the lens of zero trust. We wrap by discussing the evolving trends for the C-suite security mindset and how these ideas may relate to the average guy maintaining consumer technology.
Cyber Frontiers is all about exploring cybersecurity, big data, and the technologies shaping the future! Christian Johnson will bring fresh and relevant topics to the show based on the current work he does.
Support the Average Guy: https://www.patreon.com/theaverageguy
You can contact us via email at email@example.com
Full show notes and video at http://theAverageGuy.tv/cf063
TechRepublic Outlines Microsoft Study on Evolving Cybersecurity Trends During COVID
- Digital empathy: productivity, collaboration, end user experience tools.
- MFA, endpoint protection, anti-phishing, VPN, security education.
- Speeding up the implementation of Zero Trust
What is Zero Trust?
Adoption of Zero Trust
“Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”
But… is it still underused?
Shifting to the Cloud during COVID:
Twitter Security Incident
Jim Collison [0:00]
This is The Average Guy Network and you have found Cyber Frontiers show number 63, recorded on August 31, 2020.
Here on Cyber Frontiers we explore cybersecurity, big data, and technologies that are shaping the future. If you have questions, comments or contributions, you can always send me an email, jim@theaverageguy.tv, although it might be better to send it to that guy over there, christian@theaverageguy.tv. You can find me on Twitter at @jcollison, Christian is at bored whisper. The Average Guy TV is powered by Maple Grove Partners: get secure, reliable, high speed hosting from people that you know and you trust. MapleGrovePartners.com, check out all the details. They have plans, Christian still has plans, as little as $10 for folks to get… bucks, $10 to get on any. You can do just about anything, right?
Christian Johnson [0:52]
And we’re getting ready to launch some pretty exciting capabilities that your average provider wouldn’t give you at that price point.
Jim Collison [1:00]
Stay tuned. Oh no, not at all. So check it out if you’re interested in starting a site or you’ve got any questions around that, visit MapleGrovePartners.com. Stay up to date with everything that we do live, just follow us on Twitter, it’s probably the best way to do it. Like we always do, these shows are last second, so follow me on Twitter at @jcollison. And of course we’d love to see you out here live as well. Christian is back. I think we podcasted at the end of April, Christian. Not very many things have happened to you since April, right? Normal, normal.
Christian Johnson [1:34]
So, moving, move. You bought a house four days after a global shut, well, at least the statewide shutdown, but pretty much everything, got it done. They shut down. Yeah,
Jim Collison [1:44]
Got it done. We got… was that pretty stressful?
Christian Johnson [1:47]
It was, I definitely… stressful trying to close the deal when there is an emergency stay at home order. That definitely puts a lot of fear and uncertainty into the process for people on the other end of the table, but having a socially distanced settlement is about as close to weird as a virtual settlement as I get.
Jim Collison [2:07]
So they’ve gotten better at it, though. Yeah, they’ve kind of figured it out. They’re figuring it out on you. Does that not feel like it was four years ago at this point?
Christian Johnson [2:15]
It does, honestly. I have learned that pandemic time moves at very different paces from normal time.
Jim Collison [2:25]
So not all the time, like, crazy.
Christian Johnson [2:29]
Six months of pandemic time feels like two years of your life. Yeah,
Jim Collison [2:32]
Like February was 1980. Like, I’m like, what? I was talking about when I was in London in December, that feels like 100 years.
Christian Johnson [2:41]
What did I do back in the time where humans went out to eat for entertainment? Oh,
Jim Collison [2:46]
We got… we have some updates on that tonight. We’ll get to those here in a few minutes. Big congratulations to you as well, Christian. I’m getting married. Congratulations, you guys.
Christian Johnson [2:58]
You’re still together? Is that still happening? Passed the 30 day return policy. So as far as we know, we’ll be here for a while.
But it’s gonna
Jim Collison [3:07]
Get you guys figured out, toothbrushes and sides of the bed and all those other kinds of things.
Christian Johnson [3:13]
You know, really none of those were contentious. I think probably the most contentious one is, do you pre-rinse dishes before putting them in the dishwasher? But that is a good one. We, you know, I come from a background of fully hand washing your dishes and then putting them in the dishwasher. And others think the dishwasher is where you just dump raw biomass into your dishwasher, and that magically puts it into this, you know, clean sparkly place. So we found this nice middle between. It’s very good,
Jim Collison [3:42]
Good. Our dishwasher does have a line into the garbage disposal just for those cases. If we can, at the cost and house, sometimes it’s fully washed. Sometimes it’s just, it kind of depends how much you’ve been drinking at dinner. But drinking a lot, this just somehow ends up in there. If you’re, if not… So Brian in the chat room says pre-rinse. I use paper plates.
Christian Johnson [4:05]
Yeah. See, that’s the way to do it.
Jim Collison [4:07]
That’s low yield, though. That’s especially during pandemic time. Um, you know, it has gotten harder to eat out. But have you guys, I’m assuming you’re getting some takeout, you’re still doing some of those kinds of things we’ve had to learn to do during this?
Christian Johnson [4:22]
I have experienced the heartthrob when Uber Eats has its first outage during a pandemic. But yeah, we generally do, you know, takeout maybe once a week,
Jim Collison [4:33]
eat a lot less a lot. Yeah,
Christian Johnson [4:35]
I mean, occasionally we’ll eat something outside that is like in a public area, but not very often. Yeah.
Jim Collison [4:43]
Well, it’s funny how it’s changed patterns. I think everybody immediately started doing, since the last time we’ve podcasted, everybody’s done some kind of home improvement project of some kind. Here in Nebraska, it was fences, like everybody got a new thing. All the trees got trimmed, like all that pent… all that, you know, here in the US, all that, what we call that thing, the money they put out there is escaping me now, the pandemic money. What did we call that thing? There’s a name, didn’t… the stimulus package, there we go. No? Well
Christian Johnson [5:17]
Not the stimulus package. It was a… that was 2008. Okay,
Jim Collison [5:22]
Well, whatever, the $2,400 per couple, whatever. Yeah,
Seems like that went into fences and tree trimming, here at least in Nebraska. We, Sammy and I, heard a lot of that going on. And so John says audio only. Well, okay, interesting. So, oh, you know what, I never changed… I’m surprised you guys actually found this. I’ll have to change this when most people must have got it on YouTube. I bet on the live page, I never changed the video. So while you’re talking, so pretty good. If you’re listening, John, if you listen to the audio,
I’ll get the video changed here in a second to get it done, Christian. Um, so, six months, I’m just gonna call it, we’re six months into this. As we think about, I mean, it’s changed, we’ve talked about that, it’s changed a lot of things, from eating out to how we commute. Today I went in at noon and worked till four and there was no traffic, like it has reset traffic for me in a lot of ways. As we think about it from a cybersecurity perspective, have you seen any transitions?
Have you seen any things change? Certainly, it seemed like the bad guys picked up the pace on things, but how about from your opinion? No, change the live page while you’re talking?
Christian Johnson [6:43]
Yeah, I mean, honestly, from where we talked about this when we were about one month into the pandemic on our last show, a lot of the trends that we first started talking about, we suspected might be long term or permanent trends. And I think, hindsight being 20/20, not only is that correct, but it seems that there are both permanent changes happening and acceleration of existing changes happening. And that’s actually one of the areas that I find more interesting about this: just how quickly we seem to be accelerating the cybersecurity implementation horizon for the Fortune 500, the enterprise, etc.
Most C level executives would not be maybe as far along in their implementation plans in a pre-pandemic world as they are currently. And I think a lot of that is driven by the need to be in the best mode of operation possible when the majority of your workforce is from home, right? If you think about how the enterprise is set up, like, yeah, everyone’s familiar with the concept of a VPN, right? But when those systems are designed and built in the enterprise, they usually anticipate maybe, I don’t know, 10 to 20% of the workforce at a given time being on your VPN. Now what happens when the default is 90% of your people are on a VPN at a given time and only 10% are in the office? All of a sudden, your traffic shape looks completely different.
The types of devices you need to run your network look somewhat different. Where is your capacity? So this has started stirring, you know, a bunch of different questions, not just in the kind of practical, mundane, like, how do I scale my VPN? But how do I scale my cybersecurity, right? Now I’m being asked as a C level executive or as an organization to secure my enterprise from thousands, maybe hundreds of thousands, maybe millions of homes scattered about coming into a connected network. And I think when we compare the security models of what it’s like thinking about an organization predominantly on site versus an organization predominantly remote, we’re actually finding that some of the key trends and what would enable a business to be successful and transform itself digitally are just accelerating way faster than they would have had this not been the mode of coming in to work every day.
Jim Collison [9:18]
I’ve heard something like we increased this ability, we accelerated by like four or five or six years, something like that. In other words, this kind of forced everybody to begin their plan. But for a lot of organizations, this kind of forced them to really jam it in pretty quickly. Do you see any consequences to that, to the velocity question? In other words, did they cut corners on that thing? I think it would cause some folks to maybe want to accelerate it and put it in faster than there’s time to test it and check it. Do you think that’s going to have any ramifications here in the next couple years?
Christian Johnson [9:56]
Yeah, you know, I think that’s a good question. I think, definitely, speed of business is always critical. And individuals are always going to try and optimize on doing the right thing in the short term while planning for the long term. I think that’s a normal human tendency. I don’t see any of the things that are being proposed, though, as being kind of these newfangled ideas that have big risks of going wrong, right? A lot of the technologies that we’re talking about accelerating and putting in the hands of the business at scale are things that have been around for years, but haven’t gotten the budgets or the people prioritized to do them.
So it’s not like it’s a secret necessarily about how to go about it, or it’s not like there’s a huge lack of information in order for companies to be able to implement these things correctly, or just procure them, right, if I have the budget to. And I think now that we’re seeing, you know, a reallocation and reprioritization of how businesses are spending their money, all of a sudden there’s money there that may or may not have been there before for an organization to spend in these areas. And certainly if there’s a larger revenue stream and a larger opportunity to invest,
Jim Collison [11:10]
those investments are accelerating the development and implementation cycle for companies. Christian, most organizations had some type of thing ready? And maybe it wasn’t rolled out completely for everybody. Was it a matter, do you think, of just scaling up? In other words, taking more of what already existed? Or do you think there were some cases where it had to start from ground zero?
Christian Johnson [11:34]
Both, for sure. I mean, for example, I, you know, VPN would be a trivial but classic example, where VPNs have been around for probably well over a decade, if not longer, in terms of regular use. And in that case, it’s an exercise of scaling, and sometimes it’s not scaling your business, it’s teaching employees how to scale their infrastructure, right? Like if you’ve been on that DSL plan for however long, like maybe it’s time to pay for the broadband, or maybe it’s time for your employer to pay for a portion of your internet, similar to how they do for cell phones, right? Like a lot of employers will reimburse your cell phone usage, because oftentimes you’re not issued a company phone, but you’re always taking these work calls on your cell phone, right?
So maybe your own local infrastructure becomes part of that dialogue. But then there’s other things that are not so much like that, right? Like if you are a slow adopter to MFA, chances are it’s not like you’re just going from a limited trial group to rolling out this broad MFA, right? You’re probably behind the curve, now saying, hey, I want to catch up, I have the funds to, or there’s a mandate to, because I’ve never had this many people trying to work from outside what we consider to be the secure boundary. And all of a sudden, that’s where there’s a real opportunity for potential employee pain, if you can’t manage and handle that rollout correctly.
Jim Collison [13:06]
We had rolled out, you know, two factor a while ago as an organization, and being able to, you know, we’ve been adopting it pretty well. Of course, now we’ve got some new technologies in Windows Hello that allow us to do screen… and we have a lot of touchscreens, so we’re not doing a lot of that, but, you know, a camera or a PIN or some of those features that come in, that’s actually been rolled out during this time, which has been great. I mean, it’s been very, very convenient to be able to use the camera combined with a PIN to be able to log in and not have to remember a long password, although I’m doing kind of a hybrid environment.
So at my work equipment at home, that’s one way of logging in. And then I have the studio equipment here that I use for podcasting and other things for work that is coming in on the web, and that requires kind of a different kind of authentication. Do you think we may be running… I mean, that’s a lot of herky-jerky, to use that technical term, in between systems. It works for me. But do you think going home caused some disturbance in the force for some people at work? And maybe we’re through it by now. But what’s your feeling on that? As far as that, maybe the two-FA, you know, struggling with it, just all the things we have to do after now four months? The endurance on it’s pretty tough.
Christian Johnson [14:36]
Yeah, it definitely depends where you’re coming from, right? I mean, I’ve been using MFA for years in my job, because that’s an industry that demands it. But if that’s something that’s new for your area, perhaps there’s either a bigger barrier to entry or disturbance in your routine. But I think the disturbance is a short term trend, right? In the short term, you’re going to have problems, but if you’ve done it correctly, and you put the right user education out there and the right rollout, even if you have short term issues, the long term should be pretty clear that this is going to be an advantage, right? So I would not be surprised if businesses took that short term trade off of, hey, we weren’t quite ready to roll this out, but let’s get it out there now.
And let’s find the pain points early so that we’re not further behind on something that’s accelerating across the world, really. And that’s one of the aspects that I find really interesting about this whole thing, is that, you know, to me, MFA is boring in the sense that it is an old idea. It’s not something new. Security folks and practitioners have been saying for years, go implement and do MFA. And now that there’s actually like broad interest and suddenly everyone’s got to do MFA, well, it’s interesting to compare implementations, right?
What’s good MFA versus great MFA? And how are organizations starting to transform their thinking around what it means to deploy commonplace security paradigms in their network? And this is something that, I think, is really driving that: one of the big trends in cybersecurity is this concept of zero trust, right? Like if you’re in the C suite or otherwise, and you’re talking about security, you know, on a broad majority of your calls you’re gonna hear zero trust there, zero trust.
It’s repeated, and maybe a lot of folks who aren’t in those calls or environments would be like, well, what’s that, right? But inherently, security by default, whether it’s physical security, digital security, etc., operates off of a fundamental platform of trust, right? And the old adage has been, you know, if there’s no trust, there’s no security. Like, eventually you have to trust something, is what we have said as an enterprise for, you know, the 40 years we’ve been attempting to do computing in some type of enterprise fashion. And
a lot of folks have said, you know, wait a second, this model is kind of broken. We’ve been throwing more and more security tooling and otherwise at the problem and doing it more the traditional way, and yet our data breaches keep getting bigger and bigger, and the fallout and the blast radius keep getting bigger and bigger. So what’s going on? We’ve seen companies adopt better practices, we’ve seen businesses, you know, start to follow guidance more regularly. And yet, you know, we have these diametrically opposed trends.
And one of the main stipulations of zero trust, really the definition of it, is it’s a different way of thinking first and foremost, right? Zero trust is not a product. It’s a mindset. Now a marketer might try and tell you that zero trust is a product, because they’re going to beat you over the head with enterprise licenses to buy whatever that zero trust XYZ is. But zero trust is predominantly a way of thinking about security, right? And it’s focused on how do you protect your resources, both on-prem and off-prem, in a way that you’re never implicitly granting or assuming trust. Everything is continuously evaluated. And you have to prove who you are and what you say you are every single step of the way.
Now, apply it to a common case scenario like MFA, right? Where maybe I’m a company or a new organization that’s just rolling out MFA. And why do I want to roll out MFA? Well, a default answer might be, you know, the default security answer is, well, because a password in and of itself is insecure, right? With the second factor, I can be more reasonably confident that if that credential were to be compromised, the login in and of itself would still have some credibility, right? But if I think about it from a zero trust perspective, the answer is quite different. It’s actually, yeah, it has something to do with the number of factors. But that’s the MFA
part of the definition. The zero trust part of the definition is I have to provide physical presence in a virtual environment, or I have to provide some type of tangible validation that is done, quote, continuously and repeatedly, right? So every time I log into a website, I’m re-going through that process. And it’s not something like a PIN. And this is where we talk about good MFA versus great MFA, right? Good MFA can give you a second factor. Great MFA can move you towards zero trust security. And when you look at an example of great MFA, it’s hardware based. I have to touch a thing, right? It’s not like if someone phishes me and asks me for my MFA PIN, I’m going to give that to them over the phone. Or I’m going to… no, no one’s going to pack up their hardware token and mail it to someone, unless for legitimate purposes they want to be an insider threat. And when you think about it from that perspective, okay, the barrier to entry of saying who you are has changed.
But there’s other examples all throughout digital security today where implied trust has been baked and baked and baked into the layers of the cake, right? When I install a new driver on Windows, and I get that CD from the manufacturer, there’s a certificate on that CD that was signed by some digital authority that says, I as the authority trust this driver, and trust really this publisher, to do the right thing. And then you go and load that CD on your computer, and your computer has a set of trust stores already loaded on it, and it sees that it has a valid signature, and all of a sudden you get a nice green checkmark in Windows that says, hey, you should install this thing, right? At no point was there any exchange or validation with me as the user installing that driver that that is like an authenticated and authorized action, right?
The only authorization there that occurred was that I had some type of administrator privilege on the box, supposedly, to install that driver. But there was no process by which I received that CD and was able to (a) inspect the trust for myself, (b) authenticate the person who wants to do something with my machine by way of installing this thing, in a presence, point of presence, type of manner, and (c) validate the outcome of it after it has been installed and deployed on my box. Similar to how, you know, certificate architecture in general is very much of the model of, I’m going to do a handshake, folks are going to trust or not trust the certificates involved. This is prone to man-in-the-middle attacks, key
You know, smuggling, someone’s private key, impersonation, the whole nine yards. But nowhere in that process have we gotten away from these inherent things being baked in, where once I’m authenticated on system A, I have this token that I get to follow around to systems B, C, D, and E. And the next thing you know, it’s like this one authentication action that I did 48 hours ago is somehow still the reason why I’m allowed to use a computer. I can keep giving examples all night long. I’m probably going to give one more. So another one is, I steal a laptop from you as an employee, you left it at a park bench, etc. And that laptop is already logged in. It’s in a logged in state. And it’s on the corporate network.
Great. So what did I have to do? And maybe we’ll just say there’s some four digit PIN securing it, right? And like, I socially engineered this person separately. I know what their birthday is. I know that X percentage of Americans use their birthday as their PIN, or their wedding anniversary or whatever, right? Yeah. What? How could you say that? So I use this, you know, little PIN, I’m on this laptop, and beautiful. The computer is authenticated to the network, right? The computer checks out great.
It has all the valid certs because it came from the company. It has all the serial numbers, it’s compliant. And the IT system is meeting all of its checks for security and software monitoring and otherwise, but the computer did zero things to validate that I am the employee that’s assigned to that machine, right? That’s a classic example of there was an implicit trust. And the security model was that I’m assuming the person behind this thing is the person that the laptop is assigned to. Right.
Jim Collison [23:40]
Yeah, but that model starts at the very beginning and gives deep trust going exactly to all those systems. Right,
Christian Johnson [23:49]
So it’s like you get this very deep trust kind of packaged up like a birthday present. And then, you know, where does that re-validation occur, right? It’s not like someone’s shipping you a laptop every day and that old laptop is being sent back to your company. So the, what I call continuous authentication and authorization, is really important. Even more important, I think, and where the industry is moving towards, is this concept of a kind of reason based authentication, where, yeah, I trust you as an employee on an ordinary day to day basis. But when you want to do something special, like, I need to know why it is you want to do something special, and it’s not because I don’t trust that there’s a malicious reason.
But like, in addition to me actually doing some deep authentication that it’s you that really wants to do this, and this is, you know, what you want to do, I want to know why it is you want to do it. And in most security organizations, it’s like we are really good at saying who done it? And when did they do it? And where did they do it? And how did they do it? But for trusted people, we never ask, why are you doing it? Because the default answer is, well, they’re trusted. They must know what they’re doing. This is something that, you know, they’re authorized to do, go for it.
But what reason based authorization gives you is something much deeper, because now your organization across the spectrum has visibility into a very privileged action. And so, for anyone listening to the show, it probably was not like this huge secret that Twitter had this fantastical breach, you know, and I wouldn’t really call it a breach, it was just, it was typical, like weird security assumptions gone wrong, where, you know, Joe Biden and all these big figures are tweeting this Bitcoin scam, and it turns out to be a teenager who phishes and scams Twitter employees into giving access to this control panel that lets them do this thing, and then it gets to another thing.
Next thing you know, it’s like, it’s a classic social engineering with a little bit of insider. And you know, it looks like there was an actual, I mean, honestly, I’m sitting here watching this thing in real time. I’m talking to a bunch of security engineers as we’re watching in real time Twitter get taken by storm by this idiotic Bitcoin scam. And first being amazed how anyone could fall into that scam, right? To my mind, it was just like, totally cannot believe that they’re, if you’re smart enough to use Bitcoin, or if you’re technically savvy enough to use Bitcoin, but somehow stupid enough to pay into it. Like, I’m starting to come up with some theories at this point, of like, maybe they like put $5 in, they want to see where the money goes. And I just, the whole thing was so bizarre. But, you know, it comes back to, humorously, this concept of zero trust, where it’s like, well,
clearly there were mechanisms where, in a really good social phishing scenario, the presence or the authentication aspect of their company had some flaws in it, not necessarily in the technology or the implementation of it, but the policy aspects of how they use that technology. And I think one of the big things that is going to be increasingly popular across the enterprise is the concept of reason based authorization, right?
Let’s say a legitimate trusted user inside Twitter had a legitimate reason to post to Elon Musk’s Twitter feed. That should be setting off all kinds of alarm bells like you wouldn’t believe. Like, it should automatically be cutting, you know, some type of ticket or notice to the security operations team at Twitter saying this user is doing this action under this thing. And it’s not just saying what it is, it’s not just reading the news that user X did this thing. It’s that in order for user X to do this thing, they need to write and provide justification. And if the justification or the artifact that they present to the system is nonsense, when that thing gets cut to security, and they see, wait a second, the justification and the artifact doesn’t make sense.
And that’s like something you should be able to identify in like 10 to 30 seconds tops, right? If you see that bogus, you immediately know where to start going to shut down the problem. One of the things that amazed me about this Twitter breach was the reason why a lot of us thought something really bad had happened, the technology stack itself, was (a) how many people were impacted and (b) how long it took Twitter to get it together. I mean, it was maybe two plus hours watching this thing just death spiral. And it took them, I think, over an hour and a half to go to read only for select users, which, my God, thank you. Like, I would have done that in five minutes. I mean, maybe it’s the end of the world from a business perspective for people to think,
oh my god, people can’t like write their tweets. But I would have totally thought the right move there is, if you don’t know what’s going on, like in minute marker one, make all Twitter verified accounts lose the write ability, so at least you preserve the integrity of the accounts. And if you really don’t know what’s going on, at least you have time now to go figure out what’s going on, right? Sounds like eventually someone got that memo over there, because it happened.
But more broadly interesting to me is this concept of, it’s not immediately clear in much of what you read online about this event why it took them so long to thread the needle. And I’m not saying thread it all the way back to the team that did the hacking and yada yada. I’m saying specifically thread it back to what employee credentials were the source of the compromise, and what was the capability of the tool being used to make those posts. Like, that should not have been a mystery for that long in the game. And as an outside security observer looking on the inside, it very much seemed like that’s what was going on.
Jim Collison [30:24]
Interesting. So to think that, so it is, as an owner of an account that, you know, I appreciate that. Like, hey, I’m almost the two factor on that thing, in that I should almost be able to say, hey, if it’s going to be my account and it’s not going to be me, you need to provide some kind of physical proof that it’s that, right? I’m in it. It’s interesting because, you know, from a social media perspective, the networks have always kind of said, we got this. Like, hey, no, no, we got this, a security worse. They locked the front door.
But when the back door was left open, people could just walk in and do whatever they wanted. And I love that idea. Like, hey, you know, no, I think as users we should actually ask, like, why are you updating? Why is a user who’s not me updating my account? That doesn’t happen very often. Like, yeah, it’s not like we have Twitter going in and doing that for people, right? And maybe there’s implications in the API, or that the ability to do that comes in on a third party and can’t get spoofed, right? I get all that. But it’s certainly one of those… it totally makes sense, especially if we’re going to have these accounts that are going to be able to move nations. You know, you’re like, yeah, Twitter, considering, you know, one country in the world has a leader who uses that platform pretty specifically, a lot.
Christian Johnson [32:00]
Right, president tweets to president. Why? Like, that's not a situation you want to be in as, you know, someone
Jim Collison [32:06]
playing both sides of the aisle there, right? I thought of it that way.
Christian Johnson [32:09]
Yeah. I mean, that particular event speaks to several things, right? Like, that particular thread I could probably spend a whole other show on, of just, what are all the Pandora's boxes that were opened by realizing that something as mundane-seeming as Twitter now has these very powerful mechanisms associated with it? Because if you can do something like impersonate a verified account with, you know, tens of millions of followers, what does that mean when people take that as truth, right, or some type of ground truth for their daily lives? And then what types of operational risks does that bring up when people actually act on what a president tweets, right? So there were just
Jim Collison [32:56]
but let me throw this in, Christian. You know, I'm sure that the 10 who granted the access or whatever had multifactor themselves to get in. Like, we even think about securing those, like, okay, we need to make sure no one hacks their accounts. But how do we stop the willing, in this case fooled, where the human breaks down? We've got to have almost that multifactor when you talk about reason. You have to start thinking through, right, of like, okay, this doesn't make any sense that a dashboard user, a superuser, which in a lot of cases has rights to everything... Yeah, you know, that sort of thing that doesn't look like what a superuser normally would do. That should, like you said, that should set off some warning.
Christian Johnson [33:43]
So it's funny, when I was thinking that Twitter had a bad implementation somewhere, one of the first things that came to mind was maybe they implemented MFA badly somewhere, right? Because if only verified accounts are being impacted by this, like, what's the most likely account on Twitter to have MFA online? It's people who are managing these big portfolio accounts, right, for their client.
So, yeah, I suspect that, you know, we can say that this employee had MFA or this or that other thing. The problem is that we're not consistent about where those things are applied. Like, I'll give a classic bypass example. This Twitter employee, let's say he had state-of-the-art MFA. And I'm the teenager that wants to phish this employee, and I've phished this employee to the point where I've said, you know, please share with me a remote desktop session so I can, you know, help you with your computer problem. Let's just say a very naive, contrived example, right? I convince you that for some reason I'm from your IT department, and I need to get on your computer because there's an issue.
In a broken zero trust model, you as the employee sitting at that computer would present your MFA to the computer where you're sitting, and then turn to that employee from IT and say, go ahead and have at it. A correct implementation of zero trust would require all participating entities to have zero trust. And so the model here in this contrived scenario is already broken.
Why? Because the IT person didn't have to MFA with the service to say that he's an authenticated person with remote desktop privilege. So right there, I'm using some inherited trust or authorization that exists locally at that remote computer. And I'm just the keyboard-and-mouse guy over here taking advantage of all of those present things that were validated. Now, if there was an equally strong zero trust in this model implemented on the Remote Desktop endpoint as there was on the service endpoint where this customer was using the super tool, it would have been a lot harder to, either, A, convince the service that you have a right to do that remote activity.
And even if you do, right, a perfect world would say: you have the remote access credential, you've been validated with your MFA or your strong point of presence; this other guy over here has validated with his MFA, saying that he's waiting for you to receive the remote desktop. And then no matter what, whether it's the guy from remote or the guy locally, when that person goes to use the control panel, MFA again, because it's a highly privileged action. If it reaches a new tier of privilege that's greater than just "I'm an employee using my desktop at this company," there should be, like, 20 people that get notified that, hey, so-and-so just opened this control panel at this date stamp, before they did a thing, right? Just like a page, an alert that says this person's in this system. And there's a runbook somewhere in the company that says you should never need to be in this system unless X, Y or Z happens.
And these 20 people are going, did X happen? Did Y happen? Did Z happen? And they're picking up their phone and immediately disabling that credential. I mean, that's an example of how zero trust and reason-based authorization would have stopped something like this flat in its tracks. Now, is it easy to do? No. Is it super practical and cost-effective to do? No. Like, it takes detailed thinking about where those entry points are where you need humans to be putting their stamp on things. And tying this all the way back to what I guess this show is supposed to be about: COVID has accelerated that trend dramatically. Because now, all of a sudden... you know, it's like, a lot of people who come into work in the day, they have to show their badge to someone, a security guard, a turnstile, whatever, right? Now everyone's working from home, right?
What is that equivalent mechanism where they're checking in, doing their rubber stamps? And so as people's thinking is evolving about, wow, I really need to shift and move my approach on how to support people from home, somehow, for the good, it has also driven that conversation of, we need to get to zero trust, like, way quicker. Because the surface area of where people are coming in to interact with the network... it could be remote desktop, it could be VPN, it could be some type of remote mail application, it could be your cell phone doing instant messaging. I mean, it could be any number of interfaces, where, yeah, people used to use these 10 to 20% of the time, and now they're dominating.
And in addition, you're still running your entire set of infrastructure, because, you know, there are people who are going to be going into the office to support more critical functions. So now you're supporting two domains full time, and you need the investment, the resources and the ability to secure that second new domain as if it was that first domain. And in the process of doing that, I think we've also started to just make improvements to both domains at once. To me, it's not like, oh, we're gonna focus on remote employee security today, and then next week we're going to focus on in-the-office security. No, it has to be that holistic picture. Yeah.
Jim Collison [39:19]
So we've both been upgrading both. You know, I think that Hello, for me, it's now a picture of my face and a PIN together; it has to be done together. It's kind of that authentication you would see me in the building with, right? I never really thought of it till you said it that way. Christian, right after the last time we did a podcast, I thought I had a breach here on the Collison network, because all of a sudden terabytes were leaving. I don't think we talked about this. Terabytes were leaving my network, like, days' worth.
And I thought, oh my gosh, somebody hacked in and got it. And eventually, through an audit, I found out, no, I had just put a new drive on a box, and the drive it was expecting was gone. So it couldn't write to that drive, but it sure tried. And so it did three solid backups, two terabytes each, trying to write to that drive, meanwhile bringing the data in from Backblaze. That cost me a little bit of money to get that done three times. The point was, I started reviewing, like, okay, who has access to what in my own network? Like, if someone did breach the Wi-Fi and got in here, what would they see?
So I set up a laptop that had no privileges. It was, you know, I got a Linux USB key, turned it on and acted like, okay, I know the password to my own network. What do I have access to? It was super scary, like, how much trust I had set up and embedded in various systems, to even just a single password. That's not even to say 2FA. For convenience's sake, I had made those things all accessible inside my network, not necessarily thinking about what if, or running that scenario: what if someone does breach it through the Wi-Fi?
That's the most likely scenario, just to be honest. They're not going to come in the house and plug in; they're gonna breach the Wi-Fi, right? That's always gonna work. So it started getting me thinking, well, like, you know, I'm not NASA, and I'm not the US government, but I still don't want anybody stealing my data, right? Yeah. Is there any chance, just at a personal level, as we think... I mean, most who listen to this podcast are kind of thinking about their own network. Would I have any chance to implement something more than just, you know, an embedded password that allows me to go from one box to the other and see the data on all these? As a consumer, do I have any chance at zero trust?
Christian Johnson [41:53]
I think, sadly, it's fragmented, right? It's not really well integrated, and that's where you see zero trust become a difficult thing to implement as an average guy in a home environment: you really need to have that understanding of how all the different security pieces would integrate and play with each other. A lot of the consumer-based devices, they're good at securing that one thing and doing it in a way that's accessible or understandable. But you as the consumer might not understand what that guidance is in relation to the forest of other things that consumerism culture is throwing at you. Consumers are one-FA in most cases, yes.
Right? Correct. No, I mean, you can think about, like, basic evolutions in Wi-Fi security besides just the encryption standards themselves, where most people are in some form of WPA2, maybe WPA3 if you're really spicy, but for the most part, like, a standard access point puts out a nice 2.4 or 5 GHz signal. Some more interesting ways of signing in: Person A has their iPhone open, Person B has their iPhone open, Person B is already on the network, and Person A is like, please let me on, and Person B gets this notice that so-and-so would like to be on your network, and no password is talked about, right? The thing is communicated; it's yes or no.
And, like, at least that's kind of interesting, because now a human is involved in the authorization, which to me is a narrowly limited consumerism concept of reason-based authorization, with a lot of caveats that I won't go into in detail. More interesting to me is this concept of not only do you enter the password for any device that's coming on the network, but, like, you as the quote-unquote administrator sitting there on the phone with your two-factor, before someone's allowed to connect, you have to hit a little thing, yes or no. Which you are seeing on some of the newer, like, mesh... Mesh Wi-Fi is the hot thing of Coronavirus, because everyone's got to upgrade to mesh. Everyone's got to have the Wi-Fi, the low bufferbloat, the whole nine yards. So
Jim Collison [44:09]
You'll see a lot of these things. I'm trying to figure out how to get Wi-Fi on my deck.
Christian Johnson [44:13]
Exactly. Yes. I want to work out there. I want to get on your deck. You want to get it right. Oh,
Jim Collison [44:18]
That means I'm blasting a Wi-Fi signal out to my neighborhood.
Christian Johnson [44:21]
Now. Right? Yeah. And you can see the problems of where zero trust starts to make a lot of sense, right? Because I, as a CISO, am going to convince you, home user X, to put that level of security on your Wi-Fi access point, your television, your kids' iPad, the school computer? Like, there are all these things that you're just not going to have complete control over, from a policy standpoint, from a what's-running-on-that-thing standpoint. And yet, if any one of those devices is weak, and I've let you, the employee, go home and put my corporate laptop on your home network, right? Like, okay, there's an asset sitting out there, and the front door to it is something that is otherwise way less secure than it would be if that laptop was sitting inside the office building.
What's next, right? Well, maybe it's not that he hacked the VPN, but maybe it's that the computer is connected to the VPN when I hack in. And maybe I hack the remote desktop, or I somehow get physical access to it. And then all of a sudden, it's like, wait a second. Like, Joe the plumber who came over to fix this thing really was a hacker, and he's already on this privileged device without doing much of anything in the way of authentication. And so that's where, if zero trust is really working for your organization, it's not that you don't care what your employees' home network looks like. But reasonably, you shouldn't need to care, because if your zero trust perimeter is successfully built and has the right checkpoints at every step of the process inside your umbrella of
Jim Collison [45:58]
because every entry point is the same level of security.
Christian Johnson [46:03]
Right? It's not that it is the same level, right? Because we just talked about, like, having those highly privileged actions where you might need to go up to the next level. But it's that every entry point does authorization, or does some type of "who are you?" Like, it's the word continuous that makes zero trust happen, right? It's that you're not putting that trust on a long timeline of validity. It's that you're doing it consistently everywhere you go, as opposed to just, well, now that I'm on system A, it's good for systems A through F, and it's not until I go to system G that I expect something different, right?
Jim Collison [46:44]
Christian, what about some monitoring? Are we doing this yet, where, in other words, there are certain things that I do every day that are part of my job, and if I start doing things, like, the system would know if I'm in a new area, even in the data file structure? I'm in a new area; I don't normally go there. Like, you know, almost a consensus model, where if some of those kinds of things start happening, people are like, hey, these things are being accessed.
Is this okay? Are you okay with that? Even the owners of those files, you know, in a sense, in a lot of ways, like the blockchain works, right? Where it says, hey, we're gonna have a whole bunch of people, you don't all have to agree, but we need to have a consensus on this thing to access it. And it wouldn't happen every time, but only when my account begins to do something unusual, and that unusual is tracked by the system, because every day it's kind of knowing where I go and what I do on a normal basis. Are we doing any of that yet?
Christian Johnson [47:44]
I mean, certainly, data is king, right? And I think there are ample opportunities to talk about how metrics, monitoring and machine learning methods can be helpful in those types of scenarios. I don't think they're all-encompassing or mature enough yet, though, to catch 100% of those cases, and so where automated systems can't help, reason-based authorization can.
Because you're putting an independent body that is also supposedly trusted into the mix, in something that they inherently don't have an interest in, right? Like, trust breaks down if people are approaching their end-state goal from the same origin of bias, right? So you have two people on the same service team; they have the same origin of bias. If one person's on service team A, and another person's on SecOps team B, and they never talk or have normal interactions with this person, and you, Jim, for the first time are in some weird part of your file system, it's not asking Jim if he's okay being there, or if he thinks he's supposed to be there. It's asking SecOps Person B: is Jim supposed to be there? And when SecOps Person B can't answer that question for himself, he reaches out to Person A and says,
hmm, this seems wrong. Tell me why I'm wrong. And if your answer doesn't pass the smell test, the access goes away until it does pass the smell test. And that way, the responsibility model is not any single person, which I think is one of the biggest ways that we need to think about solving insider threat, which is a related but different topic. But it stops where the computer falls short in making that automatic termination, which I think is going to be the case for a long time: that the computer is aiding in surfacing the data, the methods and the automation. Really, the automation is key to not making it a painful process.
And I think, while the data is helpful in the long-term vision of having computers completely remove the task from humans, automation is what keeps it from being painful in the short term, while those techniques aren't perfectly vetted out yet.
Jim Collison [50:08]
It's almost like having your own personal C-3PO, who's giving you the odds of things. Like, hey, there's a 75% chance what he or she is doing is not the right thing, because I'm seeing these things in the process, right? Constantly. It may never be 100%.
But letting someone else know, like, hey, this just doesn't look right. The system, say, the system... and it's not accusing anyone, it's just kind of an earlier warning. And it doesn't even need to necessarily be one of those... Now, we always kind of think of the drop-dead ones, like, okay, shut it down. Now it's more like, hey, there's a probability that this doesn't look right.
We should probably, you know, someone should spend a little bit of time looking at this, or does it get an approval as it goes? I think there's some ability there now, with what we have, to be able to do some of those kinds of things. I'm sure there are some security models where that probably works.
Christian Johnson [51:08]
Yeah. And I don't think there's any one answer, and this is kind of where the acceleration is interesting, because everyone's moving in a general trend or a general direction. But there's no one-size-fits-all security. I'm pretty adamantly convinced of that, right? Like, the needs of a, you know, multi-corporation with 500,000 employees are not gonna be the security needs of a five-person startup. And so I think the scale factor is immensely important in measuring that as well.
Jim Collison [51:45]
I sent an email today that was part of a group email that had BCCs and folks in it, and one of the folks, you know, put my email address in the, you know, "send it to me," and then BCC'd a bunch of people. On one of those, I was super happy: one of those people I sent it to sent it to their supervisor and said, is this real? And that's all there. That's awesome.
Because that typically would look like a spoofed email, sent that way, and probably sent to 25 people, and I only heard from one. So, you know, you kind of go, and that's kind of where, you know, well, in that scenario, maybe even the email system begins to take a look and say, hey, there's a probability. I'm not saying this is spam, but there's a probability. Or, I'm not saying this is phishing or spear-phishing or whatever, but there's a probability it is. We sometimes, you know, I've got spam filters where the stuff goes, but it may be handy in the future to have a little more intelligence with me. Give me some data, like, what's the probability of this thing?
Christian Johnson [52:53]
Yeah, and part of what Microsoft recently did: a study during the pandemic of how it's changing the kind of future of cybersecurity. A great article out on TechRepublic on this, and ranked by the top five things that organizations are looking at or making investment decisions on right now was MFA, endpoint device protections, anti-phishing tools, VPN, and user security education. So clearly the anti-phishing is pretty pertinent, because there's all sorts of stuff in the rumor mill and otherwise that can be in the no-spin zone when talking about living in a pandemic reality. So it's not surprising to me that we would look at phishing as an even more serious threat in the face of COVID.
Jim Collison [53:46]
Yeah. No, no. What else? Anything else that we didn't cover during that time? Anything in the notes?
Christian Johnson [53:55]
No, I mean, I think the takeaway that I hope listeners hear is that zero trust, number one, is not a product. It's a mindset. Two, it's a mindset that has been baking for about 10 years now and seems to finally be gaining some critical mass, as in, hey, this is the direction we need to move in, both ideologically and in implementation. I think one of the other big areas that folks are looking at is the fusion of zero trust with all these different technologies and how they play in. I think that Twitter narrative is a real great real-world example that just happened to happen...
That's a great phrase, happened to happen, during the virus, and illustrates this point quite well. I think some of the other, you know, paradigm shifts that we didn't talk about on this show, I think we talked about more in the last show: the tools you use to be, you know, effective remotely, the collaboration tools, the video conferencing, the more rapid acceleration of adopting the cloud so that you can support those types of tools in your organization. I think those are important trends.
I think the ones we talked about tonight, specifically, are the more security-relevant trends, whereas those other ones are broader, like, what are the technologies that are shifting because of COVID. So hopefully this provides more of a specific filter on the security aspects of where we're seeing computing shift during the pandemic. And I think it's fair to say, looking at, you know, both of those aspects, we're seeing stuff that's going to be permanent changes, long-term changes. And, you know, like you and I say, six months feels like two years in pandemic time, just in our own personal lives. I think the security industry is also seeing that on some interesting scales, so there are some interesting parallels to draw from it. I have
Jim Collison [56:02]
to... Oh, for sure. And I think we're just at the beginning of, or I think we're gonna learn a ton of stuff, sounds like, in the next X number of days, weeks, months, whatever it is, as people slowly return to work. Some won't, some will. The infrastructure is going to look, I think, a little bit different when we go back.
I think there are some IT administrators who have been like, oh, do we really need all of this? Can I deploy some of it forward-facing to make sure I'm showing that? That bit up, Christian, maybe for a future episode. I have seen recently a couple of deepfakes on video. I used to have, like, Star Wars, let's just say, where they implemented, like, the Carrie Fisher CGI, or even the, oh, what was his name? He was Tarkin, anyways. Where they've used CGI just in the last two years, and now they're using deepfake technology
Christian Johnson [57:05]
Are you talking about Tarkin and the spin-off series? Yes.
Jim Collison [57:10]
And yeah, the CGI was pretty good. But I've seen some deepfakes of that. And Carrie Fisher. I've seen what it would be, Raiders of the Lost Ark, that was originally supposed to be Tom Selleck and not Harrison Ford. And so they took some clips of Tom Selleck of that era and put his face on Harrison Ford in those movie clips. And Christian, you can't tell, like, you can't tell at all. It's like, I've always, I mean, we've been talking about deepfakes for a while, and in audio it's even easier. But man, it's getting so, you know, some of these areas where we have started using visual representation of things, I think we're gonna have to come up with some kind of personal signature that says that indeed... You know how we made politicians say, "I endorse this message," whatever they used to say on the advertisements, right? They'd have to come in on their own voice. Yeah, this blows all that out of the water. I mean, it's scary. It's scary how good it is.
Christian Johnson [58:14]
It's the equivalent of Twitter verified or something.
Jim Collison [58:19]
Something, or maybe, I mean, think about it: do I need my own certificate, like, that authenticates me in the audio, in the written, audio and video space, that says, no, like, that doesn't have my... What if my image had to have a security certificate on it to say, somebody did fake that? No, you didn't have the credentials, and that doesn't make that so. I don't know. Dude, it's scary good. Like, again, I've heard this was coming, and I think, yeah, how good can it be? It's better than any CGI. Oh yeah, so there's gonna be some, I think, some ramifications for that. Well, we'll try.
We'll try not to go for months, but I always say that and we end up doing it anyways. If you made it all the way to the end here, we appreciate you listening to Cyber Frontiers. Don't forget, if you're listening to Cyber Frontiers and you're a Home Gadget Geeks listener, December 3, Christian is back on Home Gadget Geeks, our 10-year anniversary of doing that. Go back and listen to the first one. It's okay, it's okay, it's okay. It's not the greatest, but it is okay. A couple of reminders: Cyber Frontiers and Home Gadget Geeks and the entire Average Guy TV network are powered by Maple Grove Partners.
We mentioned in the very beginning, secure, reliable, high-speed hosting, and if you're a podcaster, even better, because it's web and media hosting together for as little as 10 bucks a month. Christian's got a great plan for you. Check out maplegrovepartners.com. If you have suggestions for stuff, I just suggested we talk about deepfakes, so you could send us an email, jim at theaverageguy.tv, or really send it to Christian, christian at theaverageguy.tv. We'd love to hear from you or take those suggestions. I'll be honest, when you suggest it, Christian is on more.
So maybe we just need a few more suggestions to start piling up there as well. Want to thank you for joining us tonight. If you enjoyed this, please share it, even though we're both in red; maybe you can just share the audio version going forward. Thanks for coming out, and I appreciate you guys doing that tonight. If you're in the field, listen to the live show. Maybe hang out for the whole show. Good night.
Transcribed by https://otter.ai
Contact Christian: firstname.lastname@example.org
Contact the show at email@example.com
http://theaverageguy.tv is powered by Maplegrove Partners web hosting. Get secure, reliable, high-speed hosting from people you know and trust. For more information visit http://maplegrovepartners.com