34. Bruce Snell: "There are going to be vulnerabilities out there that there aren't fixes for yet."
Hannah Trum Feb 3, 2021 12:00:00 AM
Have you ever wondered how to mitigate the vulnerabilities that stem from IoT? Well, in this episode, that is what you will find out. We’re going to provide you with common vulnerabilities and current risks with devices that you use every day—smartwatches and modern cars, to name a few. Today, we have Bruce Snell, Global Vice President of Cybersecurity Strategy and Transformation at NTT Security, to discuss this topic in greater detail.
Bruce: NTT is part of a larger global organization based out of London and Tokyo. It's kind of funny when I tell my friends in the US that I work for NTT, they're like, “oh, who's that?” But if I tell my friends in Japan that I work for NTT, they are like, “Oh, that's pretty cool.”
NTT is a large organization. The NTT Security arm is a security services company. We provide security consulting. We provide managed security services. For example, organizations will come to us, and they'll have us manage their SOC for them. There's been this huge skills gap in security. I remember talking about it ten years ago, and it hasn't changed.
Many organizations are finding that it's better or easier for them to reach out to us to have us manage their SOC and look at all their security events 24 by 7, instead of trying to find those experts and have them come in-house.
Sierra: That makes sense. Can you provide some additional info about your current role?
Bruce: Historically, I'm always one of those people that have like 16 jobs within a company.
My primary job is to work with our larger customers. I work with the C-level executives to look at what their plans are for security, what are the things concerning them, their issues, the gaps they're finding in their security coverage, and figure out the best way to address those.
Part of the thing I like about working at NTT is I'm not a product vendor. I don't have to say, “Oh, you need to use this product.” I'm not trying just to shove one thing down and make it fit every single purpose. It allows me to work with different partners to figure out the best solution for my customers.
That's the thing I like about the role with NTT. In addition to that, I am on the larger, virtual team around OT security and looking at security solutions for operational technologies and IoT because it's still a pretty nascent field when you look at it.
A lot of the security leaders in IoT are still in the startup phase. You're starting to see them get purchased by larger organizations. A lot of the front runners are still round one financing companies. So, part of my job here at NTT is to look at that market and figure out what we can do to bring the best solutions to bear.
Sierra: Okay, great. And you mentioned IoT. Do you mind providing our listeners with some examples of common vulnerabilities and current risks with devices such as smartwatches and modern cars?
Bruce: IoT is interesting because it's such a varied field. Traditional security for laptops or desktops is all pretty standardized. There's varied interest based on what you're doing, but IoT is all over the place.
A lot of it is because of this concept of a minimally viable product. What can we do? What's the least we can do to build this product and ship it out to fit a need that we have right now? That happens a lot in IoT.
Because of that, many practices are done in the backend, where they're not thinking about security. A lot of IoT products are shipped with hardcoded passwords already inside.
Now for industrial IoT, or what we call OT, that's understandable. Because you have certain systems that you never want to have a password on, for example, the safety information system. You don't want to have to enter a 14-character password if your factory is on fire.
But there are also things like security cameras or smart devices. They will stick with this “admin 123” password or something as the default password. People don't get around to changing them. Because part of IoT is that you plug it in, and you forget about it. You're not interfacing with it every day. So, we have this huge issue with passwords.
Then you also have a lot of issues with updating. One of the things I always tell people is that the number one thing you can do for security is to make sure you're doing all of your updates. Now for your laptop or your iPad, that happens pretty much automatically and fairly regularly. You'll get a pop-up because you see it; you're looking at the screen every day.
But for, let's say, your front door camera, you're probably not interfacing with it a lot. So you may not see that little update signal that says it's time to update. That's huge. Your camera will sit there with an out-of-date OS, which may be a year out of date because you haven't gone in and updated it. That's a huge issue.
Sierra: Right. And that makes sense. Can you provide our listeners with info on Ripple20 specifically?
Bruce: Ripple20 is interesting because it plays a little bit into the way the IoT market works. Again, as you look at companies that are trying to get these products out the door, a lot of times, they won't do the development from end to end. They'll use libraries that they get from different vendors or different open source libraries, things like that.
So Ripple20 was taking advantage of some vulnerabilities in a TCP/IP stack. For example, a smart security camera. Often, the hardware vendor isn't going to go in and go through the trouble of building up the communication stack from the ground up. So, they'll find something that already exists on the internet or exists in an available library and use it. What happens is, when you get vulnerabilities in that stack, it starts impacting all of the other products that were using it.
So that's what happened with Ripple20. It was a very common communication stack that they found like 20 different vulnerabilities in it. In turn, it didn't just impact one product; it impacted a huge number of them.
It goes back to that minimally viable product and getting something out the door as quick as possible. And using software that you didn't necessarily code yourself because it's not your daily job to build that stack.
So that's why Ripple20 was such a big impact. It impacted hundreds of different devices because there were all these people using that same stack. That's why it was such a big issue.
Sierra: Well, thanks so much for giving our listeners a better overview of that. What are your recommendations for ensuring security across IoT devices?
Bruce: The number one thing is to put together some sort of program for making sure that devices are updated regularly. This is one of the problems I'm trying to solve with a customer right now.
They have a number of different IoT devices like badge readers. They're in airports. So they have the mantraps. One door closes and won't open until the other one closes. All of those are kind of registered IoT. So, they're trying to find some consistent way to make sure that all of those are updated regularly because that's a big issue. I think that's the best start to try and figure out how you can get them updated.
If you can't find a product that will update them for you, build it into your process. These are the weekly maintenance things that I have to do for my IoT network.
A lot of IoT does require monitoring because there are going to be things you can't patch; there are going to be vulnerabilities out there that there aren't fixes for yet. That's where you start looking at just monitoring the traffic that the IoT devices are sharing and looking for malicious traffic that's going back and forth. Or, suddenly, all your cameras are reporting to some weird IP address. That may be an issue that you need to look for.
So, unfortunately, right now, a lot of the IoT security really is kind of an older model of making sure it's patched and also making sure that you're watching the traffic to look for suspicious activity.
Sierra: Right. Awesome. Great info, and how do you keep up with industry trends and best practices?
Bruce: That's tough. I was thinking about that. There are all of the industry sites out there—having been in the industry for longer than I care to admit, I tend to know people at different companies. That's where we hear a lot. They are now doing more groundbreaking things.
I hear a lot of what's going on and what's new in the industry from connections that I made over the years. In the position that NTT is in, the vendors want to work with us. They want me to recommend a product to my customers. So I get a lot of information ahead of time, directly from the vendors saying, okay, here's what we're releasing next month, this is our plans or this is our roadmap. I tend to keep up, unfortunately, with insider information.
Sierra: That's fine! Collaboration and networking are huge. That's what most people say. So Bruce, what do you do to de-stress and relax, especially in this COVID environment?
Bruce: Two main things that I do, and they're almost diametrically opposed. One is my daughter and I both do Brazilian Jiu-Jitsu. So luckily, knock on wood, our area has a fairly low COVID case number, so we're able to keep our gym open and go and train every day. I've just been trying to exercise as much as possible and de-stress. And there's something very distressful about Jiu-Jitsu.
Sierra: That would relieve my stress, for sure.
Bruce: Then if I'm not doing that, I've got my 3D printers in my office here. So I do a lot of just building random things. This last year, I've been making a lot of Star Wars helmets. That's a lot of fun. The printing itself is kind of the shortest part. The longest part is the detail work, the finishing, the painting, and all of that. I find that to be very relaxing.
Sierra: Wow, that's amazing. You've got some good hobbies; you've got some unique hobbies. I like it. Bruce, thank you again for your time today. I appreciate it. And listeners, thank you again for joining the HIPAA Critical Podcast. Our next virtual conference is Paubox Spring Summit 2021, “Secure Communication During a Pandemic,” and will take place virtually on April 6. As a reminder, you can listen to other podcasts at paubox.com or subscribe via Apple Podcasts, Spotify, iHeartRadio, Stitcher, or Amazon Music. Thanks again and see you next time.