04-02-20 - I'm Not Worried. It's Just a Tiny Unpatched IoT Device.


CISO | Security Vendor Relationship Series

This week's episode of Defense in Depth


Defense in Depth: Internet of Things

On this episode of Defense in Depth:

Co-host Allan Alford and guest Josh Corman, founder of I Am The Cavalry, discussed:

  • For years, manufacturers didn't consider device security. As a result, attackers have used insecure devices like connected webcams to gain entry into a corporate network.

  • If you're manufacturing devices, then make security and patches a top concern even after end of life support.

  • There is a big gap between public trust and reality. Almost all people trust manufacturers to secure their devices; in reality, most manufacturers aren't securing them.

  • While we've seen webcams used to launch distributed denial of service (DDoS) attacks, the greatest concern is of a similar style attack being launched against industrial systems.

  • The discussion of IoT security goes beyond security of devices. We know there are devices with zero security connected to our network. This is where a larger discussion of zero trust and defense in depth-style security programming comes into play.

  • We have a growing number of unmanaged devices: devices that are always on and connected to the Internet, providing simple functions such as reading their environment.

  • How much responsibility do manufacturers have for the security of their devices after they've been purchased and shipped? They can create updates and patches, but they can't enforce them.

Thanks to this week's sponsor of Defense in Depth, Pulse Secure.

Pulse Secure offers easy, comprehensive solutions that provide visibility and seamless, protected connectivity for hybrid IT in a Zero Trust world. Over 20,000 enterprises entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance.

Gary Harbison, CISO, Bayer about the inconsistency of CRO roles

Fridays: An Hour of Critical Thinking

Communicating Risk in Terms of the Mission of the Organization (Not Always Dollars)


“CISOs need to put that risk in the terms of the mission of the organization,” said Von Welch, executive director, cybersecurity innovation, Indiana University, in our conversation at Cybertech 2020 in Tel Aviv. “Whatever business that CISO is in, they’ve got to talk the language of management and be the translator of that business mission and the cybersecurity risks.”

It’s not always about dollars, said Welch: some communities, such as the scientific community, need their credibility maintained, because that credibility is the gateway to survival.

Thanks to our video sponsor, Boardish.

Boardish

Boardish allows you to translate your information on threats and solutions into clear financial risk figures and full solution costs for decision-makers. It quantifies and simplifies the impact of threats and solution combinations into a clear dashboard, allowing for a quick breakdown of various threat vectors both on-prem and in the cloud.

JJ Agha, head of InfoSec, WeWork on the need to contribute to open source

SUBSCRIBE TO BOTH PODCASTS

Go ahead and click on any of these links to subscribe to the podcast feed of your favorite podcast catcher.

If you're already a subscriber, THANK YOU! If you like either or both shows, please tell all your friends on social media and write a review on iTunes.