
We've reached 100 episodes of the Weekly Blaze Podcast! 🔥

Weekly Blaze Podcast, Episode 100, December 23, 2019

The Year in Review and 2020 Predictions with Special Guest Kevin Johnson

We've reached the 100 episode milestone for our Weekly Blaze Podcast! Thank you to all of you for listening to the podcast! Below is the full transcript of this episode and here's to 100 more episodes!

- Co-Host and Founder, Tom Eston

00:18 TE: Can you believe this is episode 100? It's been an amazing two years bringing you this podcast, so I wanna give you, our listeners, my thanks for listening and subscribing to the show. We also couldn't have gotten to this milestone without the help and support from our sponsor, Silent Pocket. Make sure you visit

to check out their line of Faraday Bags and other products built to protect your privacy. And don't forget you get 15% off your order by using discount code Shared Security at checkout.

00:51 TE: Welcome to the 100th episode of the Shared Security Weekly Blaze Podcast, and in this very special edition of the show I'm joined by a favorite and perhaps the most popular guest we've had on the show, the infamous Kevin Johnson.

01:08 Kevin Johnson: Infamous.

01:09 TE: Infamous.

01:11 KJ: Yeah, I think that's only because you shot me in the head at OWASP with a rocket.

01:15 TE: I did. I did. [chuckle] There is a video of that and we actually have that video in one of the monthly shows I believe, I spliced that into the video.

01:26 KJ: I bet you did.

[laughter]

01:27 TE: Guess what. (Yes, I did.)

01:30 KJ: Oh man.

[laughter]

01:31 TE: You know I will.

01:33 KJ: I do.

01:34 TE: That's right. Well, we are here because this is such a big episode for the podcast, and it's always great to have Kevin back on the show, but we really wanna end the year and talk about two things. First, we wanna talk about Kevin's thoughts on the year that was, 2019. And then we would like to talk about maybe what he thinks is coming up in 2020 or what he wants to see in 2020 from a cyber security and privacy perspective. And we're gonna do this all under 15 minutes.

02:03 KJ: Gonna be a challenge.

[laughter]

02:04 TE: We can do it.

02:06 KJ: Start your watches.

02:07 TE: We're doing it. So what do you think, Kevin? What about the year that was?

02:11 KJ: I think it's been a good year. I like 2019. I know that not everybody can say that.

[laughter]

02:18 KJ: I think that we've done some really, really cool things. We've gotten better at things. Technology is constantly improving. Right now, we can just say, machine learning and AI and venture capital will fall out of the ceiling, so that's kind of cool. I worry sometimes I'm just a negative person, I just don't like people.

02:35 TE: Oh, not at all.

02:36 KJ: Never. Don't follow me on Twitter though. I think that, in my opinion, one of the things I reflect back on 2019 and say this is something we should get better at, we should stop, is I feel like we have as an industry really moved toward this idea that everything we do needs as much attention as possible. And I'm not a psychologist, I don't even play one on Facebook, so maybe it's just the world has gotten that way or because communication is so fast or whatever, but I feel like we've seen a lot this year that people promote things as if they're unique and new and have forgotten the origins. The most recent example I can think of is, and I can't ever remember the name, we just talked about it, StrandHogg.

03:33 TE: Yes, the Android vulnerability.

03:34 KJ: The Android vulnerability. Hey, we have a vulnerability. It's been announced, and without even going to the website, I know that it says and we've talked about this, so I know I'm right, but even before I went to the website the first time, when I first heard about it, I knew what I was gonna read was a quote along the lines of, "security researchers from company X have announced," that phrase is always there at the beginning, and you know my opinion of the term security researcher, it's just another phrase for criminal in many cases. But [chuckle] what we see is, "Hey I found a vulnerability. Oh my gosh, this is horrible." And then you look at the vulnerability and it's something that's been around for five years, four years, three years, whatever. And while I don't expect that we'll never duplicate stuff... We all make mistakes, I'm sure that there's been times I've stood up and said, "Hey look at this vulnerability." And I thought I was doing something new and somebody had found it before, but we seem to be doing that more and more, that it's more important for us to get attention than to actually solve a problem or to help fix things.

04:41 TE: Yeah. So is it... Have you seen just a lot of stunt hacking this year, is that where we're going?

04:48 KJ: I hesitate to use the term stunt hacking 'cause it causes so many debates and arguments and pissy feelings from people. But yeah, and I think I was just talking to a friend of mine about the fact that we seem to be losing basic knowledge, I made a comment to the friend that I started running bulletin board systems and he was like, "Yeah, people don't know what those are anymore." And I talked to a firewall admin and a customer about pulling a config from a firewall, and the interface he uses doesn't do that. And I'm like, "Well just SSH into the firewall and pull the config," and he didn't know what I meant. So, we are so... And I think that's one of the reasons why everything has to be so impressive. "Hey, look at this cool thing I did, look at this, look at me, look at me," instead of what we should be doing is, "Here are the problems, here are the solutions I think will fix it." The fact that we can talk about things like the latest Android vulnerability and ignore the fact that 93.5% of all organizations don't patch their systems... I made up that statistic by the way... That I think is... Biggest takeaway from 2019 to me is we have to stop focusing so much on why we're cool, 'cause none of us are cool.

06:12 TE: I completely agree with you. And I think we have completely lost a focus on the basics, all around, like the fundamentals, like we've seen huge increases in social engineering and phishing attacks, this year, right? Or credential stuffing attacks. All of these things are caused by weak passwords or lack of awareness, of clicking on a link, right? Basics.

06:33 KJ: OWASP top 10. They removed CSRF from the list because according to their own documentation, and I'm not arguing, I'm just saying, their own documentation says, "We're not worried about CSRF anymore because it's been fixed by the platforms." Which implies that we're not gonna teach people what CSRF means because the platform they build handles it for them without them understanding the basic concept. And what that means is we're not gonna teach them the basic concept anymore, right? And so, the next vulnerability, which by the way, I wanna be very clear, CSRF has not been fixed, but [chuckle] we're not gonna teach that basic. So, one, if the platform fails or they're not using a platform that does actually try to fix it, they're not gonna try to fix it either 'cause they don't know it. And when the next vulnerability that is similar comes out, they're not gonna understand the basics to solve it.

07:27 TE: And ironically, you know that CSRF is actually on the C... I can't even talk. The CWE Top 25, which was just updated. They updated, it was eight years old, and they just updated it. And people are already talking about how that's a better list than OWASP Top 10, just saying.

07:45 KJ: Well, I have my own personal opinion too.

07:49 TE: I know you do. We don't have time for that podcast. [chuckle]

07:49 KJ: We'll leave it at that. I know, we'll leave it at that. I think it's... You're absolutely right. It's a lack of basics.

[music]

08:00 TE: And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved are flat networks in cloud and data centers with unprotected attack paths that allow threats to move laterally to cause data breaches, but micro-segmentation using network addresses is complicated and takes too much time, but there's a better approach: Edgewise zero trust auto-segmentation. Edgewise is impossibly simple micro-segmentation delivering results immediately with a security outcome that's provable. At the core of Edgewise auto-segmentation is zero trust identity, which allows workloads to communicate only after their software identity has been verified. Malicious or unapproved software is no longer allowed to communicate. Identity-based protection provides more coverage with your policies to make Edgewise simple to deploy and manage. No changes to the application or network are required. One solution protects virtual machines and containers in the cloud and on-premises. To stop lateral threat movement and prevent breaches visit

for a demo, and to see results within minutes.

[music]

09:17 TE: So what does that mean for 2020? Are we just all doomed to fail...

09:21 KJ: Yes. [laughter]

09:22 TE: Follow the same path and nothing is going to change?

09:25 KJ: No. God, I hope not. Hindsight is 20/20 so we should be able to fix it 'cause it's the year to fix it. [chuckle] Sorry, stupid joke. I don't like predictions, I suck at them. The minute I say, "Well this is what's gonna happen, it's not." What I'd like to see happen, though, is I'd like to see a movement toward those basics to stop this idea that I'm gonna hire people right out of college as senior pen testers because they can be and have them understand it. And I think that one of the ways to do that and I wanna be very clear, I do not expect this to actually happen anytime soon, but I would love to see it happen, is I would like to see us move away from the model where security is a separate organization, both inside organizations as third party consultants whatever. I'd like us to start going back to the idea that securing things is part of just running our business, doing things correctly.

10:25 KJ: You and I have talked many times about the idea of basic IT hygiene. We can talk about the cool security knowledge I have, or if I put a single quote here, I get a database error, and oh, my Gosh, it's SQL injection, and that makes me a wizard and whatever. But the reality is putting a single quote in that field and getting a database error is a functionality bug. So security doesn't have to tell development that. Development should just know that functionality is broken and so they should fix it. It also happens to be a security issue, the same thing with deploying systems, or managing permissions and every single thing that security has tried to take ownership of is basic business and IT processes. So I'd like to see us take that 400 person IT security team and disperse them into the business, have them understand what the business does, have them understand what IT does, have them be part of all of those processes.

11:27 KJ: If you want to, you can still have the dedicated... I got two people who are my security architects but have them be advisors instead of gatekeepers. Does that even make sense?

11:41 TE: That does.

11:42 KJ: That's what I'd like to see. Every CISO and CSO in the world is cringing at that idea. Yeah, that's okay, I like making people cringe. [chuckle]

11:49 TE: Well I think what the industry needs, kind of a shake-up in a way, right, something different. We need to do something radically different, and it can't be another blinky light box or cloud-based crazy solution that's going to solve...

12:02 KJ: But blinky lights are so cool.

12:02 TE: That's gonna solve all your problems. That's never changed. There's always something cooler, something new, innovative, that... All over security. I mean look at... Don't they say that the vendor area at RSA just gets bigger and bigger every year?

12:02 KJ: Yes.

12:25 TE: And I'd love to do a comparison of how many of those companies at RSA actually exist the following year, and are actually still in business?

12:34 KJ: I believe, not to [chuckle] not to immediately go back to the idea that things have happened before, we talk about them again. I swear there was an article that I read like that a few years ago, where it compared the vendor area year, over year, over year, at RSA, or Black Hat, or whatever. And then also looked at how many of those companies still existed. Now of course, some of those companies that didn't exist anymore, didn't exist 'cause they got bought.

12:57 TE: Right.

12:58 KJ: So the technology still exists, but the company isn't. But if I recall correctly, and maybe I'm just believing this, because I think it's true. A large number of those companies, and not the IBMs, or the RSAs, but the smaller vendors, the medium-sized vendors, the majority of them didn't exist within a year or two, right? More so, a higher percentage than the normal, what is it, 50% of all marriages end in divorce, whatever. If you don't make it past the first... What is it for a small business, five years, they always say?

13:31 TE: Some stat like that, yeah.

13:32 KJ: Yeah, but specifically in IT security that number of failures is orders of magnitude higher than the industry's as a whole. But yeah, I'd love to see it done again. If I'm wrong, that it wasn't done, I'd like to see it done. If I am right, that it was done, I'd love to see it done again.

13:48 TE: I'll look that up. And then if we do find some article, or a statistics, or research I'll post it in the show notes. But that's interesting stuff, for sure.

13:54 KJ: And I think you're absolutely right that, most of them, they come out with a blinky light thing, they come out with a cool... And...

14:01 TE: AI.

14:02 KJ: Oh, jeez...

14:02 TE: Machine learning.

14:03 KJ: You know the difference between machine learning and AI, right?

14:06 TE: Tell me, Kevin, what is it?

14:07 KJ: Machine learning is in Python, and AI is in PowerPoint. I read that online somewhere and I love it. So I'll claim it as mine, but it's...

14:15 TE: It's yours now.

[laughter]

14:19 KJ: But we allow people to blow smoke and we fund them. And I don't know how that works. [chuckle] I don't know how people convince me. Well, I don't know how you sleep at night if you're one of those people just making stuff up.

14:33 TE: Money does weird things to people.

14:37 KJ: I'd like to test myself with that. If anybody would like to invest a billion dollars in Secure Ideas, I'd like to see if we lose our ethics.

14:44 TE: You hear that?

14:45 KJ: I'm willing to take that challenge. [laughter]

14:46 TE: Alright. Well, all of our listeners, there you go. Kevin has issued a challenge for 2020. Invest $1 billion into Secure Ideas, please, thank you.

14:56 KJ: Yeah, and then we see if we lose our ethics over the next few years. And Tom, my offer, if we get a billion dollar investment, we'll bring you on board so you can help.

15:04 TE: Oh, excellent. You'll buy out the podcast?

15:05 KJ: You'll help test your ethics with a billion dollars. [laughter]

15:07 TE: Excellent, excellent. All of the sudden Shared Security is up for sale. [laughter]

15:11 KJ: It's awesome.

15:12 TE: Amazing.

15:16 KJ: This is great. [laughter] This is...

15:16 TE: Very cool.

15:17 KJ: Cool.

15:18 TE: Alright, anything you'd like to plug that's upcoming for you here in a January timeframe?

15:23 KJ: We've got our

. I'd love to see some people come take that. I think it's a good program, it's gotten great feedback from people. And it's inexpensive, a veteran discount. And if you want to just reach out to me, and I can give you a coupon code for it.

15:41 TE: Awesome. Well, as always, Kevin, thank you very much for being on the show, and being with me here for the 100th episode of our Weekly Blaze.

15:50 KJ: 100th episode, that's awesome.

15:51 TE: Yeah, yeah, it's been great. And you've been part of it, so you've been on the show before, and it's been great. And you'll continue to be on the show, hopefully.

16:00 KJ: I appreciate that I've fooled you enough at being an expert that you keep having me back.

[laughter]

16:03 TE: Well, it's so good, I think we wanna continue. [laughter]

16:05 KJ: Cool. [laughter] Thanks man.

16:07 TE: Alright, thanks Kevin.

[music]

Watch Episode 100 on YouTube!
