Episode: 062
Title: Security in the Cloud
Aired: December 02, 2017
Featured Segments: Security in the Cloud
Synopsis:
Bret Piatt, CTR Host, and Jacek Materna, CTO at Assembla, discuss security in the cloud.
Follow Us & Stay Informed:
Bret Piatt (left), Jacek Materna (right)
Tweet us: @cybertalkradio, @bpiatt, @assembla / Stream on iHeartRadio: Android or iOS
Transcript:
00:00:05 from the dark led to your radio dial you 00:00:09 were listening to cyber talk radio on 00:00:11 News 1200 WOAI 00:00:17 [Music] 00:00:29 welcome to cyber talk radio I'm your 00:00:33 host Bret Piatt a 20 year internet 00:00:35 security veteran this week we're gonna 00:00:37 be talking security in the cloud all 00:00:40 about software development oh this 00:00:42 blockchain stuff and what does GDPR 00:00:45 the front of new acronyms their industry 00:00:49 is always coming up with them every 00:00:50 industry has them I think Tech thinks 00:00:52 they're worse than everyone else but 00:00:53 they're not really worse but we do have 00:00:55 our own acronyms and I'm joined this 00:00:58 week by the CTO of one of our tech 00:01:01 companies here in downtown San Antonio 00:01:03 and our tech district on Houston Street 00:01:05 Jacek Materna of a company called 00:01:07 Assembla Jacek thank you for joining 00:01:09 us this week great to have me yeah so 00:01:11 give us a little bit of background how 00:01:13 did you get to where you're at and here 00:01:15 into San Antonio and what does Assembla 00:01:17 work on yeah great so a little 00:01:20 background on myself originally from 00:01:23 Canada been in San Antonio eight years 00:01:27 long background in cyber security had a 00:01:29 bunch of businesses up in Canada some 00:01:32 successful some not and then '08 came 00:01:35 in interesting times for small startups 00:01:40 opportunity to move to the United States 00:01:43 so I've been in San Antonio now for 00:01:46 eight years I said and Assembla is a 00:01:50 B2B SaaS company that was bought by Scaleworks 00:01:53 about I'd say 20 months ago and so 00:01:56 I came in with a few of the team members 00:01:59 over at Scaleworks so we put together 00:02:02 a team we've been growing the business 00:02:04 for for about two years now here on 00:02:06 Houston Street and we're really in the 00:02:10 business of source code management and 00:02:12 
security so I think of it as kind of a 00:02:15 more Enterprise version of Dropbox for 00:02:18 software developers and we support all 00:02:22 types of different customers and it's 00:02:25 all cloud-based so you know supporting 00:02:30 security environments small teams people 00:02:34 that are just starting companies gaming 00:02:35 studios and stuff like that and like 00:02:38 said we're just across the street here 00:02:40 so yeah for marketing our cyber talk 00:02:43 radio studio 00:02:43 we can look out the window and see your 00:02:45 team from over there exactly there they 00:02:47 look busy selling product which is good 00:02:50 see that right there that's excellent 00:02:53 yeah so for those of you that are a 00:02:56 little bit less technical in our 00:02:58 audience that's okay everyone starts 00:02:59 somewhere and we'll learn so the the SaaS 00:03:02 software as a service so that's all 00:03:04 these things that you consume over the 00:03:06 Internet these days Dropbox is an 00:03:10 example of one but your email if you've 00:03:12 got email from Google or Microsoft or 00:03:15 any of those folks that's all software 00:03:16 as a service that just happens to be 00:03:17 email as a service so Assembla 00:03:18 manages the source code that people use 00:03:21 to build software as part of that 00:03:23 platform and product so security is 00:03:25 paramount there because if as Marc 00:03:28 Andreessen said software is eating the 00:03:29 world if you you've got that source code 00:03:31 and you have access to that then you 00:03:33 have access to the keys to the kingdom 00:03:34 and two really important things for your 00:03:37 customers and very important things for 00:03:40 their businesses their investors and 00:03:41 their stability in their future yeah 00:03:45 exactly and you know everybody's 00:03:49 probably seen the recent news about you 00:03:52 know there's been Equifax thing recently 00:03:55 I think there was something on Uber you 00:03:58 
know talking about you know they were 00:04:00 hiding a data breach that went on and I 00:04:03 think 2016 you know so everybody's been 00:04:08 hearing about data breaches and what's 00:04:11 happening and when you look at it what's 00:04:13 interesting is you know sometimes it's a 00:04:18 really simple reason you know it's it's 00:04:21 sometimes not really malicious you know 00:04:23 it's not some kind of nefarious actor 00:04:25 there's basically you know a lot of 00:04:27 different stuff that goes into making 00:04:30 cloud software work or businesses work 00:04:34 so somebody puts you know a secret 00:04:35 password up in a source control system 00:04:39 in the cloud and you know maybe they 00:04:42 don't think about the security side of 00:04:43 it or you know double check stuff and 00:04:45 then it gets compromised and the keys to 00:04:48 the kingdom yeah go with that and so 00:04:50 it's it's that's interesting you know in 00:04:53 the sense that that it's just a simple 00:04:55 thing right you've got 00:04:56 really important 20 letter password that 00:05:00 opens up databases databases yeah in the 00:05:04 uber example yeah so on that one one of 00:05:07 their engineers checked in production 00:05:09 credentials into their source code 00:05:10 system that developer or operations 00:05:14 engineer or if they're so old DevOps 00:05:16 blending and we'll talk a little bit 00:05:17 about how that stuff works now that the 00:05:20 blurring line that in that case one of 00:05:23 those folks got their credentials 00:05:25 compromised somehow someone gained 00:05:26 access via their user to that source 00:05:29 code repository and then they were able 00:05:31 to go authenticate to the production 00:05:33 system and pull down information about 00:05:35 57 million of us that took an uber ride 00:05:38 or drove around as a driver on uber they 00:05:42 still haven't been very clear I've used 00:05:44 the service we probably all have almost 00:05:46 everyone 
listening here and not very 00:05:50 specific about what information was 00:05:53 contained in that they've said it's not 00:05:55 your credit card or not certain things 00:05:58 that they do have to disclose so and 00:06:01 it's not specific addresses in your trip 00:06:02 history it's really vague and that's 00:06:05 frustrating from a customer perspective 00:06:07 on the disclosures you would prefer to 00:06:09 have an idea of what information is out 00:06:12 there because if you don't know what it 00:06:13 is it's hard to protect yourself and I 00:06:15 mean Equifax while it was basically 00:06:18 every adult in America compromised in 00:06:20 that one they were at least pretty 00:06:23 specific with what information was 00:06:25 contained in the records that were 00:06:27 leaked in that case yeah and it's just 00:06:32 interesting I was having a call this 00:06:34 morning with the partner of ours 00:06:35 HackerOne out of San Francisco and they 00:06:38 do their there a kind of a hacker bounty 00:06:42 vulnerability program what that really 00:06:44 means is they have white hackers that 00:06:47 are you know the good guys that 00:06:49 basically hook up with companies and 00:06:52 they get incentivized to you know test 00:06:54 systems for vulnerabilities and you know 00:06:58 think of it as kind of a super testers 00:07:00 or they're looking at the security side 00:07:02 of the house and I think Uber's one of 00:07:05 their customers one of the key customers 00:07:08 and what's interesting about it is that 00:07:10 there 00:07:10 you know they talk about vulnerability 00:07:14 disclosure programs you know as a first 00:07:16 step that you know it's super important 00:07:19 to let customers know early or when it 00:07:22 happens that there's been a compromise 00:07:23 but it seems like I said there's still 00:07:25 still a lot of companies that are 00:07:28 operating in some kind of stealth mode 00:07:31 or kind of a let's not disclose it and I 00:07:36 
think you know probably the uber case it 00:07:39 may be the tipping point maybe there'll 00:07:42 be another one but I think it's gonna 00:07:43 change you know the CEO I'm sure is 00:07:46 asking people the new CEO 00:07:49 yes he's asking interesting questions in 00:07:51 the sense of I know he kind of I think 00:07:53 knew about it 00:07:54 before they went you know at a certain 00:07:56 point he knew about the actual breach 00:07:58 before but still it kind of begs a 00:08:01 question of hey you know if you're if 00:08:03 you're a customer of a service any kind 00:08:05 of service email outlook Yahoo you know 00:08:10 they've all had issues disclosing 00:08:13 information timely yeah Yahoo sat on 00:08:16 theirs for years I think if it probably 00:08:18 wasn't for the Verizon due diligence and 00:08:21 Verizon set a pretty strong security 00:08:23 team that they built up through the 00:08:25 years that did some audit analysis there 00:08:27 and and during that acquisition of Yahoo 00:08:30 by Verizon and all of these different 00:08:32 disclosures came out exactly yeah so I 00:08:36 think we're gonna see a lot more 00:08:38 corporate hopefully some corporate 00:08:40 governance around that I mean ultimately 00:08:42 it's gonna be the customers that are 00:08:44 gonna make the most impact so you know 00:08:47 if if a company is losing you know brand 00:08:50 faith and and and customers that's gonna 00:08:53 ultimately be obviously the thing that 00:08:55 changes behavior but hopefully it'll be 00:08:57 a bit more proactive you think there's 00:08:59 some fatigue around this it's just 00:09:01 everyone feels like all their 00:09:02 informations been leaked so many times 00:09:04 does it even matter anymore 00:09:05 that's a great great point yeah you know 00:09:09 there's probably a lot of that I mean I 00:09:11 hear that as well they're kind of like 00:09:13 well you know it's it's already out 00:09:14 there everywhere yeah so what's another 00:09:18 leak so 
it's a good question it's an 00:09:23 it's an interesting one and 00:09:24 while certain people may have some 00:09:26 portions of your information it's not 00:09:28 that everyone has complete access to all 00:09:32 of your information I know the stories 00:09:35 about the LifeLock CEO who put his own 00:09:37 social security number up and said go 00:09:40 ahead and try to steal my identity and 00:09:42 because he did that and made himself a 00:09:43 high-profile target he had folks that 00:09:46 were constantly trying to steal his 00:09:49 identity and commit fraud on his his own 00:09:53 identity his account it made their 00:09:55 service probably better ultimately over 00:09:56 the time but he individually had issues 00:09:58 for years because of putting his social 00:10:02 security number up on the side of trucks 00:10:04 and billboards and other places it was 00:10:05 his actual social security number yeah 00:10:07 yeah I remember that ya know it's it's 00:10:11 gonna be interesting like I said I think 00:10:12 you know people tend to also forget as 00:10:16 well that you know there's probably 00:10:19 there's certain even easy steps I get 00:10:21 everyone on the call that's that's 00:10:23 listening you know even if you're not 00:10:25 super technical you know if you're using 00:10:27 something like email you know as an 00:10:29 example you know everybody may be 00:10:32 familiar with you know some of the extra 00:10:35 security that some of these services 00:10:37 offer you know where you get a text 00:10:39 message that says hey you know you've 00:10:41 logged in please confirm your code and 00:10:43 so what's interesting about that is that 00:10:46 you know even that's kind of insecure 00:10:48 and it ends up being that you know you 00:10:49 can call into a Verizon and AT&T and and 00:10:52 I'm sure they've got some processes in 00:10:54 place now but in a lot of cases people 00:10:57 have had their phone numbers yeah this 00:11:00 is a common Bitcoin 
wallet theft 00:11:01 technique exactly they've been you know 00:11:03 hey I know your address there's a couple 00:11:05 piece of info and and the the person in 00:11:08 a call center you know pushes some kind 00:11:10 of button in the system and suddenly 00:11:13 your phone numbers somewhere else and 00:11:14 then you know your accounts been 00:11:16 compromised so it could be email or a 00:11:19 wallet Bitcoin wallet whatnot so you 00:11:22 know get back to the whole deal around 00:11:24 you know data being out there 00:11:27 I still think you know it's it's 00:11:29 important to think about you know what 00:11:33 your what data you're putting out there 00:11:35 and and when you're looking at services 00:11:38 I think it's important to look at the 00:11:40 what's their approach no company's 00:11:42 perfectly secure but is security part of 00:11:45 their mission or is it kind of a 00:11:48 marketing thing or is it a like 00:11:51 non-existent point so I think consumers 00:11:54 are gonna be asking more of those 00:11:56 questions yeah and even if you're you're 00:11:58 with your cellphone carrier good 00:12:00 question to call up it and ask them is 00:12:02 can you turn off or disable or block all 00:12:06 attempts to transfer your phone number 00:12:10 for the phone number portability says 00:12:11 what will happen in many cases is your 00:12:13 accounts not locked I think by default 00:12:15 and the hackers will go to some smaller 00:12:20 mobile operator and that smaller mobile 00:12:23 operator has a trusted relationship set 00:12:24 up with the bigger carriers to where 00:12:25 they say hey we sign up a new customer 00:12:27 we want to move the phone number over 00:12:28 and they they get to go that route with 00:12:31 your current carrier you can call and 00:12:34 many of them support flagging your 00:12:36 account to block phone number 00:12:38 portability by request by other carriers 00:12:41 and then to where you have to go 00:12:43 specifically into and 
start the request 00:12:47 and initiate it from your current 00:12:48 carrier instead of allowing somebody 00:12:49 else to initiate it and pull your number 00:12:52 on over so yeah with all of these things 00:12:55 it's pretty complicated tricky to stay 00:12:57 secure which is why I mean we see 00:12:58 Bitcoin wallets being stolen with this 00:13:00 multi-factor SMS which is the text 00:13:03 messaging service on your phone the the 00:13:05 hacks from that on a on a regular basis 00:13:08 Bitcoin wallets are these digital 00:13:10 wallets where you you it's your digital 00:13:12 bank account effectively for the Bitcoin 00:13:14 your cryptocurrency all that that new 00:13:17 blockchain stuff that folks are talking 00:13:18 about and hackers are going after that 00:13:21 and robbing Bitcoin banks effectively 00:13:22 the way they used to rob banks in the 00:13:24 Wild West it's kind of the Wild West of 00:13:25 the internet again yeah absolutely 00:13:29 so as you guys are taking care of folks 00:13:33 source code on a regular basis how how 00:13:38 do you think about authentication into a 00:13:41 platform that holds information that 00:13:44 valuable 00:13:46 yeah so what we do is you know most of 00:13:51 these companies their core intellectual 00:13:54 properties stored on these systems and 00:13:56 so what we try to do is you know we 00:14:01 offer different approaches to security 00:14:03 and we you know we make recommendations 00:14:05 around hey you know all your users 00:14:07 should have you know multi-factor 00:14:10 authentication you know this and that 00:14:12 you shouldn't be sharing account 00:14:14 passwords and different things 00:14:16 unfortunately what's happening though is 00:14:18 it's one of those especially when you're 00:14:22 dealing with teams that are you know 00:14:25 focused on building stuff like you know 00:14:26 developers that want to you know just 00:14:28 get products out secure house to break 00:14:31 things yeah they want to 
move fast and 00:14:33 because you know they have a deadline 00:14:35 they've got you know hundred things to 00:14:37 finish security tends to kind of take a 00:14:40 secondary seat you know so they're 00:14:42 they're they're doing little shortcuts 00:14:45 you know they're trying to get stuff 00:14:47 done quickly and it what we end up 00:14:51 having to do is we just have a you know 00:14:53 we're monitoring it we're letting 00:14:55 customers know if certain things are 00:14:58 happening if they want to know about 00:15:00 that but ultimately it's one of those 00:15:02 things where you sign up for the service 00:15:04 here's the available options and if a 00:15:07 company decides to put their trusted 00:15:10 stuff up in a in in in the cloud but 00:15:15 doesn't go through any kind of diligence 00:15:17 educating their team saying hey you know 00:15:21 this is our core stuff do this this this 00:15:23 and that you know there's not much we 00:15:26 can do beyond just like you know 00:15:28 recommending it so I we still see a lot 00:15:30 of companies not go through a full suite 00:15:35 of security kind of post deployment 00:15:38 stuff and I think that's what's 00:15:39 interesting about it is that I don't 00:15:42 think that's happening anywhere so that 00:15:44 brings up kind of a question about you 00:15:48 know what is it is it security as it is 00:15:50 it too burdensome to implement is it is 00:15:54 it you know what it what is the issue 00:15:56 there and and I think it's kind of 00:15:59 something to dig into 00:16:00 yeah it is there any going back those 00:16:02 like you talked about using the cloud it 00:16:04 almost sounds inevitable like you have 00:16:06 to if you're not using the cloud you 00:16:07 can't go quickly you can't build 00:16:08 software with distributed teams very 00:16:11 effectively that is there the option if 00:16:14 I'm an individual could I just unplug 00:16:16 from the internet at this point in my 00:16:17 life you know 
probably you probably find 00:16:23 some way to doing it but it'd be a 00:16:25 difficult path you know you'd have some 00:16:28 kind of server in your closet connected 00:16:32 to something power outlet for sure VGA 00:16:37 line of a monitor and and you probably 00:16:40 could do something with your cell 00:16:41 network but that's connected to the 00:16:43 Internet to at some level so you know 00:16:45 you could see that being pretty 00:16:47 difficult cuz you can't you can't get 00:16:48 any new you know the center of 00:16:51 excellence is in the cloud now for you 00:16:53 know new tools new news apps everybody's 00:16:56 you know look at the new generation you 00:16:58 know they're growing up on their phones 00:16:59 everything's yeah whether they see it or 00:17:02 not it's always chatting with everything 00:17:03 else you look at blockchain I mean 00:17:06 blockchain is effectively a super chatty 00:17:09 you know network of users and computers 00:17:14 but that's what makes it effective but 00:17:16 you got to be plugged in no most folks 00:17:19 under the age of 30 at this point don't 00:17:21 have a physical checkbook like if you 00:17:24 have to get a check they well digitally 00:17:27 they might know what the account number 00:17:28 is and you can kind of do an online ACH 00:17:31 but physically actually writing out a 00:17:33 cheque is something that you you only do 00:17:36 if you're in a really odd situation 00:17:40 maybe you're traveling overseas or 00:17:41 something but it's not anything you 00:17:43 physically do these days for yeah paying 00:17:46 for stuff it's all digital to check your 00:17:48 credit card balance to all of that stuff 00:17:51 is all online it's all an app it's all 00:17:53 connected to the Internet going through 00:17:55 on the software development so we talked 00:17:56 a little bit about development and 00:17:58 operations it's coming together and most 00:18:02 tech startups are doing this now but 00:18:04 this is even 
kind of spreading into 00:18:07 larger more well-established 00:18:09 organizations where you have a sharing 00:18:12 of duties now between the people 00:18:13 building thing 00:18:14 and the folks running the application 00:18:16 infrastructure is you think about the 00:18:18 security implications of this is it this 00:18:21 model making stuff better or worse how's 00:18:24 DevOps impacting the security world yeah 00:18:27 it's a good question I mean we so so 00:18:31 there's definitely kind of a shared 00:18:34 responsibility now you know the the 00:18:36 coined term is called dev ops all that 00:18:39 means is you know as developers and 00:18:40 operators are working together on the 00:18:44 same kind of projects there's not not 00:18:46 anymore this kind of throw it over the 00:18:47 fence model and all of it is because 00:18:50 things move so quickly you look at an 00:18:52 Amazon if you go onto their website to 00:18:55 buy something and you've probably bought 00:18:57 something in the last few days you know 00:19:00 they're developing and putting new 00:19:03 capabilities out hundreds of times a day 00:19:06 sometimes so they're tweaking things and 00:19:08 changing and and so that that whole 00:19:11 process that the teams that do all of 00:19:13 that you know call them the DevOps teams 00:19:18 you know the things that they work 00:19:20 together to make it happen and they're 00:19:22 doing it so quickly you know I say a 00:19:24 hundred times a day how could you you 00:19:26 know how is it possible to you know look 00:19:29 at the quality of it or hey is it are we 00:19:32 introducing new vulnerabilities into 00:19:35 Amazon so there's a new feature on the 00:19:37 website let's say you know how could you 00:19:40 if it's a hundred times a day 00:19:42 how could you ensure that it's secure 00:19:45 and I think the answer to that is but 00:19:51 the only answer to it at that speed is 00:19:53 you've got to bring in new technologies 00:19:55 that automate 
or help the people you 00:20:01 know do more with less so they can you 00:20:04 know they they can scan the code or they 00:20:06 can quickly assess like hey it's a red 00:20:09 you know yellow or green you know only 00:20:12 when it's green should we deploy it yeah 00:20:14 so you know a uh you know there's all 00:20:17 these different kind of terms that are 00:20:18 floating around so any kind of 00:20:20 automation or tools they'll help you you 00:20:23 know do tasks in about five minutes that 00:20:26 used to take maybe months 00:20:27 is is where things are at and I think 00:20:31 from a security perspective like I said 00:20:33 if the tools aren't there to do that but 00:20:37 you're moving quickly then I think 00:20:39 that's where you've got big problems 00:20:40 because you've got companies that are if 00:20:43 they're not thinking about security in 00:20:45 that process then all they're really 00:20:48 doing is moving quickly and potentially 00:20:52 you know it's they have great products 00:20:55 or things look great it's always getting 00:20:58 what the customers need but security 00:21:00 could be catastrophic because there's 00:21:03 just nobody that can look at that stuff 00:21:05 at that pace so I think security needs 00:21:09 to be kind of part of the discussion 00:21:10 first of all you know small companies 00:21:13 and I think today the biggest thing 00:21:17 we've heard is that it's just an 00:21:19 expertise I mean the Security's kind of 00:21:21 black magic world you know you have to 00:21:23 be this signals intelligence expert I 00:21:25 mean that's the kind of the the 00:21:29 perception that that's what the skill 00:21:31 set you need but in reality you know 00:21:34 developers people that are building the 00:21:37 software operators you know if they've 00:21:40 got the right tools to help them in some 00:21:41 education they could be pretty effective 00:21:44 at you know helping the software be 00:21:48 secure you know when they're building 
it 00:21:50 so I think it's just an education thing 00:21:52 it's it's companies thinking about 00:21:54 security at like a you know it's part of 00:21:58 their mission so you know the executives 00:22:00 down say hey the developers can't just 00:22:03 do whatever they want yeah we got to 00:22:06 have security 00:22:07 we got an embedded security we got to 00:22:09 spend money on security so that our 00:22:12 customers know that we're building 00:22:14 products that are you know we've done 00:22:17 our diligence it's it's not just a pure 00:22:20 technology problem on a standalone 00:22:21 either it's one that requires both the 00:22:25 technological controls but people to 00:22:27 implement those in a process that has 00:22:31 quality checks built in so if you think 00:22:35 about a physical analogy I can go buy 00:22:37 the fanciest alarm system for my house 00:22:41 but if you don't plug the cameras in 00:22:44 properly if you don't point them in the 00:22:45 right direction if you don't set up the 00:22:47 laser beams to be able to connect in a 00:22:51 line where someone's gonna trip it as 00:22:53 they walk through the room if you don't 00:22:54 do all of those things properly and you 00:22:56 don't have somebody else come through 00:22:58 and double-check it it doesn't matter 00:22:59 that you bought the fanciest alarm 00:23:00 system in the world so you have a bunch 00:23:02 of companies that will throw potentially 00:23:04 some money at this they'll go buy the 00:23:05 latest greatest whiz-bang set of 00:23:07 security software and tools but then 00:23:09 like in the Equifax scenario so some of 00:23:12 the information that came up about that 00:23:13 one is that there was a database there 00:23:15 no encryption turned on the database 00:23:17 supported encryption but it wasn't 00:23:19 turned on and they had a default 00:23:21 username and password on it so the 00:23:23 hackers didn't have to do anything 00:23:25 advanced like they're like well this is 
00:23:26 a database um this version of this 00:23:28 database let me put it in the default 00:23:29 super user name and the default super 00:23:32 user password oh look I'm in oh and look 00:23:34 here's all the tables that have all the 00:23:36 information in it and there's no 00:23:37 encryption key stored separately 00:23:39 somewhere else that you need to go 00:23:40 decrypt them so this is one if you don't 00:23:44 have that process baked in if you're not 00:23:47 being thoughtful about these things then 00:23:50 you end up leaving information behind or 00:23:53 you you end up creating vulnerabilities 00:23:55 where you aren't even aware that you you 00:23:58 had them because you have bought all of 00:24:01 them Equifax I'm certain owns encryption 00:24:03 software and I'm certain that they have 00:24:06 a process that says production databases 00:24:09 aren't allowed to have default usernames 00:24:10 and passwords what the process didn't 00:24:11 get followed the technology that they 00:24:13 own didn't get used and 00:24:15 a hundred million plus records later 00:24:17 they're out there at someone else's 00:24:19 hands because the hacker only has to be 00:24:20 right once the folks that are trying to 00:24:22 keep stuff safe have to be right all 00:24:24 the time 00:24:24 now we're gonna go ahead and take a 00:24:26 break here for a news traffic and 00:24:28 weather update at the bottom of the hour 00:24:29 you're listening to cyber talk radio on 00:24:31 1200 WOAI 00:24:33 [Music] 00:24:43 [Music] 00:25:04 [Music] 00:25:08 welcome back to cyber talk radio 00:25:11 I'm your host Bret Piatt a 20-year 00:25:13 internet security veteran joined this 00:25:15 week by Jacek Materna 00:25:17 Assembla our tech companies here in San 00:25:21 Antonio our tech district forming 00:25:24 downtown 00:25:25 it's good to see Scaleworks a local 00:25:28 venture private equity tech cool company 00:25:34 that runs and operates a whole bunch of 00:25:36 different 
businesses finally moved in 00:25:39 next door to the cyber talk radio 00:25:41 studios we can look out the window over 00:25:44 there see the the rest of your team 00:25:45 working hard away we can see the 00:25:48 construction transforming downtown if 00:25:50 you've not been in a downtown San 00:25:52 Antonio in a while come on down for the 00:25:55 kickoff of our 300th year or 00:25:58 Tricentennial there'll be some great 00:26:00 fireworks there's a whole new open lawn 00:26:03 and big area over by HemisFair Park and 00:26:05 where they'll be holding that here at 00:26:06 the start of the year 00:26:07 and on through the year you're gonna see 00:26:10 a San Pedro Creek kind of a whole new 00:26:12 Riverwalk and all sorts of things 00:26:13 opening up transforming downtown so if 00:26:15 you're one of those folks in our 00:26:17 listening audience that lives outside 00:26:19 the 410 loop or outside the 1604 loop 00:26:22 the downtown has turned into more than 00:26:24 just the Alamo it's still here they 00:26:27 haven't changed it yet if you don't want 00:26:28 it changed you should get involved to 00:26:30 talk to your City Council talk to folks 00:26:33 in a preserve that album applies if if 00:26:35 that suits you if you'd like to see it 00:26:37 change and transform speak up and get 00:26:39 involved but uh there's a lot going on 00:26:41 downtown tech companies is one thing 00:26:44 though centered around Geekdom in this 00:26:47 whole ecosystem that started over the 00:26:49 last five years it's growing in this 00:26:52 area and out all across the whole city 00:26:54 if you missed the first half of this and 00:26:57 you just happen to be turning on the 00:26:58 radio right now you can listen to the 00:27:01 rebroadcast and replay of this episode 00:27:04 and all of our cyber talk radio on our 00:27:07 website at wwlp.com as well as on iTunes 00:27:11 podcasts or Pocket Casts or your favorite 00:27:14 podcasting app on an Android device if 00:27:17 you 
happen to be listening to us on that 00:27:19 replay right now thank you for tuning in 00:27:22 and enjoying some cyber talk radio you 00:27:25 can give us suggestions feedback and the 00:27:26 things on our website we're also on 00:27:29 Facebook cyber talk radio and Twitter 00:27:32 cyber talk radio as well so Jacek then 00:27:35 again thanks for the good discussions we 00:27:37 were talking a little bit about 00:27:38 some of the trade-offs between speed and 00:27:41 security and and how folks are having to 00:27:45 work through this and we hinted about 00:27:48 this regulatory requirements in a lot of 00:27:51 areas if you're not a healthcare company 00:27:53 you can kind of do security in your own 00:27:57 way there's not a lot of descriptive 00:27:59 stuff if you're taking credit cards 00:28:01 maybe you've got to protect the credit 00:28:02 card information but that's not even 00:28:04 really a law PCI is just an industry set 00:28:07 of standards if you'd like to take 00:28:08 credit cards in your website you should 00:28:10 follow that one because if not then the 00:28:12 banks and the credit card companies will 00:28:14 not allow you to do it anymore that's 00:28:16 not even a law now HIPAA that healthcare 00:28:19 one that is a law can you help our our 00:28:21 audience learn a little bit about how 00:28:24 are their medical records getting 00:28:25 secured and what has happened out there 00:28:27 from a legal perspective around those 00:28:31 electronic medical records yeah thanks 00:28:34 right so you know in terms of HIPAA so 00:28:36 HIPAA is a you know it's a legal 00:28:39 framework specifically directed at you 00:28:42 know EMR electronic medical records and 00:28:45 you know it's pretty wide ranging a set 00:28:48 of parameters around you know how you 00:28:53 know your information is secured you 00:28:55 know who should be accessing it how how 00:28:58 companies should be you know sharing it 00:29:00 with with other companies you know 00:29:02 
hospitals may be sending EMR records 00:29:04 between themselves those HIPAA releases 00:29:07 we all sign every time you go anywhere 00:29:08 that's right exactly that all that all 00:29:10 that stuff is thanks to HIPAA and and 00:29:15 you know it's what it's really done is 00:29:17 its created you know an ecosystem and a 00:29:18 really a framework where companies have 00:29:21 had to build products where hospitals 00:29:23 have had to spend a lot of money to 00:29:26 invest in security which is a good thing 00:29:28 because you know your records are very 00:29:30 very important and so in a lot of ways 00:29:32 it's been really good you know from from 00:29:37 a security perspective because most of 00:29:39 these EMRs or your records are now 00:29:42 digital and so whether it's email or 00:29:45 other means they're being shared so it's 00:29:48 not just a letter in the envelope being 00:29:51 sent 00:29:52 on a postal truck it's now over the 00:29:55 internet so again the security super 00:29:59 paramount there it's going through the 00:30:00 cloud as they call it in a lot of cases 00:30:03 when it comes to an area that's been 00:30:06 interesting in HIPAA that is is often 00:30:10 not discussed is again back to this this 00:30:15 source code or the the code that goes 00:30:18 into building these these these 00:30:21 applications so imagine going into your 00:30:23 doctor's office and you know you go to 00:30:24 the front desk you give them your 00:30:26 information and they're they're using 00:30:28 their typing some stuff in the computer 00:30:29 they're using some kind of software to 00:30:32 look up your info you know maybe your 00:30:35 appointment whatnot and so that software 00:30:38 is talking to a whole bunch of other 00:30:40 software somewhere you know could be in 00:30:42 the office could be over the internet 00:30:44 whatnot effectively at some point that 00:30:47 that application or that software is is 00:30:50 looking you know it is looking at 
your 00:30:54 records you know it's it's putting them 00:30:56 on the screen it's it's it's looking in 00:30:58 some kind of database so an area that 00:31:02 we're seeing a lot of a lot of change in 00:31:05 is that other than just securing your 00:31:09 records over email over the the sharing 00:31:12 of the information between you know 00:31:14 parties like hospitals and whatnot 00:31:17 looking at the software team sort of the 00:31:20 you know who's building these 00:31:21 applications you know is it companies in 00:31:23 the United States is Canada it could be 00:31:25 built anywhere in the world now so when 00:31:27 they're building these applications 00:31:28 those applications are really looking at 00:31:33 the electronic medical records and 00:31:35 they're going to be really subject to 00:31:36 the same HIPAA requirements because 00:31:39 they're kind of looking at the EMR and 00:31:41 so that's been a kind of an eye-opening 00:31:44 discussion with a lot of at least 00:31:45 customers that that I talked to where 00:31:47 they think HIPAA is just about your 00:31:50 records and they're not thinking well 00:31:53 we've got all these cool applications 00:31:55 that our doctors love and it lets them 00:31:57 collaborate and whatnot and you know but 00:32:01 nobody's thinking about the security of 00:32:03 those applications so if somebody 00:32:06 puts a something nasty in one of those 00:32:08 applications that is looking at your 00:32:11 records right because they're presenting 00:32:13 it to the doctor on their iPad what not 00:32:15 then there could be you know there's a 00:32:17 vulnerability you know they could 00:32:19 effectively take your records and ship 00:32:21 them somewhere and which has personal 00:32:23 information so again it's a new area for 00:32:28 HIPAA around the software that that 00:32:32 powers these cool apps that doctors are 00:32:35 loving because it makes things quick for 00:32:37 them and easy they can look up stuff 00:32:39 
really quickly so like I said it at a 00:32:43 general level it's it's a it's a still a 00:32:45 booming field because the medical 00:32:48 industry is still going digital they got 00:32:52 a long ways to go but one thing's for 00:32:54 sure is that you know the hospitals and 00:32:57 the doctors that have adopted new tools 00:33:03 to you know go faster they you know they 00:33:07 love the tools you know it's they came 00:33:09 but once they start they can't stop 00:33:10 because it makes their their whole 00:33:12 workflow so much simpler and like I said 00:33:15 it's important to have security be a 00:33:19 topic of discussion so when they're 00:33:21 buying those apps they should they 00:33:24 should ask those questions you know so 00:33:26 and at least that's what we're we're 00:33:28 hearing and I think it's an interesting 00:33:30 evolution of of HIPAA as apps become you 00:33:35 know commonplace in hospitals and 00:33:38 doctors offices I mean everyone's going 00:33:42 mobile and digital but is if you're a 00:33:45 doctor you're backlogged on patients all 00:33:49 the time and the more productive the 00:33:53 more patients you can see the more folks 00:33:54 it can get processed through your 00:33:56 practice or your facility the more 00:33:58 revenue the business makes so there's 00:34:00 this trade-off of revenue and 00:34:02 productivity versus security and and 00:34:05 it's it's a hard push and pull on that 00:34:08 risk management directed risk balance 00:34:10 inside of whether it's a medical 00:34:13 practice or any business out there the 00:34:15 the type of data in medical practices is 00:34:17 folks listening from a 00:34:19 a classification perspective you have 00:34:22 medical records which contain facts and 00:34:24 you can't if if facts get out there and 00:34:27 the information is now disclosed 00:34:31 you can't go cancel your fact that you I 00:34:35 had shoulder surgery 20 years ago like 00:34:38 that's a fact I can't go cancel the fact 
00:34:40 if my credit card number gets out there 00:34:41 I can cancel that credit card I can get 00:34:43 a new credit card number and I can start 00:34:45 over so you have these facts that are 00:34:47 permanent and these in this information 00:34:49 once it's out it's gone for good it's 00:34:51 like your mother's maiden name if you're 00:34:53 a security engineer and you're using 00:34:55 that for a security question please stop 00:34:57 because I can't go change my mother's 00:34:58 maiden name 00:34:59 my mother's maiden name is gonna be the 00:35:01 same thing from now until the end of 00:35:02 time for security questions use 00:35:05 something that can change something that 00:35:07 is temporary because those security 00:35:10 questions could get compromised as well 00:35:11 so facts for authentication and is is 00:35:16 risky and these information that are 00:35:18 permanent facts you've got really as a 00:35:20 steward of that you have to do more to 00:35:24 safeguard it because once it's out there 00:35:27 and exposed you can't put it back inside 00:35:30 Pandora's box and things like medical 00:35:33 records can have a dramatic impact on 00:35:37 somebody's life if that information is 00:35:39 out there and shared in a manner that 00:35:43 they didn't get to control or disclose 00:35:46 exactly I mean it goes you know you're 00:35:49 looking at the insurance market in this 00:35:52 hole you know there's a national debate 00:35:54 about health care and whatnot which is 00:35:57 not for this show but the you know 00:36:01 you've got insurance companies that have 00:36:04 used information from I'm not sure where 00:36:07 that has been obviously disclosed 00:36:09 somehow about you know pre-existing 00:36:11 condition you know data that was very 00:36:14 sensitive you know and once it's out you 00:36:16 know you now have you know a big problem 00:36:20 if you're trying to get you know health 00:36:22 care or just kind of some kind of 00:36:24 insurance so 
back to Bret's point 00:36:26 around kind of that permanent nature and 00:36:29 I think that's why you know HIPAA 00:36:31 is a good framework and like any 00:36:33 framework it it needs to constantly 00:36:36 evolve to meet where we're at so every 00:36:41 good law should be amended as things 00:36:44 move and so with with the whole you know 00:36:47 apps in hospitals that that's a new 00:36:49 thing yeah 00:36:50 and now the the internet-of-things 00:36:51 hospitals I mean all of the equipment in 00:36:54 the hospital or even devices on people 00:36:57 it's I mean if so many folks now carry a 00:36:59 Fitbit around so like you've got a 00:37:01 low-level medical device effectively 00:37:03 they're you're carrying on your person 00:37:05 it's connecting back to your phone via 00:37:06 bluetooth and then it's your phone's 00:37:10 connecting up to the internet and 00:37:11 sharing that information but as you look 00:37:14 at these medical internet of things I 00:37:16 mean imagine if that was an insulin and 00:37:18 a blood sugar meter and it was tied into 00:37:21 your insulin pump and a hacker could get 00:37:23 access to that now a wrong dosage of 00:37:26 insulin can be fatal 00:37:27 so healthcare it's as you mentioned it's 00:37:31 interesting the hospitals are still 00:37:32 working their way online but you have 00:37:34 doctors and patients that are demanding 00:37:36 these apps they're demanding easier 00:37:40 tests they're demanding more automation 00:37:42 because if you're they have diabetes and 00:37:45 you don't want to have to stop multiple 00:37:47 times a day to take tests regulate your 00:37:50 blood sugar check all these things it 00:37:51 would be much easier much more 00:37:53 convenient if you could just have an 00:37:54 Internet of Things device hooked up to 00:37:57 you that just kept you at a good level 00:37:58 all day and you didn't have to worry 00:37:59 about it anymore but on what risk on the 00:38:03 security side of these things
yeah 00:38:04 exactly and I think that's the that 00:38:09 that's really I think the question of 00:38:10 the day I mean it's it's actually an 00:38:11 opportunity for the healthcare industry 00:38:13 to to make sure that you know that 00:38:17 they're bringing these new things online 00:38:18 which the patient's love the hot the 00:38:22 hospitals are bringing those online and 00:38:25 in a lot of cases you know back to the I 00:38:28 this Internet of Things so these small 00:38:31 little devices that are connected but 00:38:32 they're not very powerful or smart 00:38:34 themselves they rely on you know 00:38:37 something smart that they're connecting 00:38:39 to you know the the interesting thing 00:38:43 about that is that 00:38:45 the the whole area is is kind of ripe 00:38:50 for you know kind of a booster shot in 00:38:54 the security aspect I mean nobody is 00:38:58 focusing in my opinion strongly on you 00:39:02 know the security of IOT or Internet of 00:39:07 Things applications because you know 00:39:11 there's there's a you know there's other 00:39:13 markets that are how would I say much 00:39:15 more much more attractive from you know 00:39:19 revenue perspective so security 00:39:21 companies or providers of security they 00:39:27 tend to go after things you know where 00:39:29 you're able to get the maximum return 00:39:31 for potentially less effort and so I 00:39:35 think it's an interesting kind of deal 00:39:36 around where you know how does it how do 00:39:39 we get to the point where the healthcare 00:39:40 industry demands more from their supply 00:39:43 chain that the apps they use you know 00:39:46 the maybe they'll buy an app that has to 00:39:48 prove that it was built in a secure way 00:39:51 you know over a different app so now 00:39:54 you've got these these providers having 00:39:56 to rethink how they look at security you 00:40:01 know becomes a competitive advantage to 00:40:02 offer your you know your your 00:40:05 application as a 
as a provider that's 00:40:07 got all of these things figured out and 00:40:11 so I think it you know it's really on 00:40:14 the the consumer side so the hospitals 00:40:16 doctors to to know that they have to ask 00:40:18 those questions yeah and there's a good 00:40:21 group of folks out there asking these 00:40:23 hard questions but you've kind of talked 00:40:25 about if you've got security skills 00:40:27 right now you're gonna be taking the 00:40:30 highest paying job that is out there in 00:40:33 a lot of cases because there's good fun 00:40:35 challenging work across all sorts of 00:40:37 different industries now from a cyber 00:40:39 security perspective this is a frequent 00:40:41 topic for us here on the program is just 00:40:43 about the education around cybersecurity 00:40:46 is there's hundreds of thousands of job 00:40:48 openings now and I believe that there's 00:40:49 kind of a latent pool of maybe a million 00:40:52 more job openings behind the scenes 00:40:53 where folks would love to hire somebody 00:40:55 with security expertise but it either 00:40:57 doesn't end up 00:40:58 as a requirement for a job that gets 00:41:00 posted or if it's a security specific 00:41:03 job they just don't post it because they 00:41:04 know they cannot find qualified 00:41:06 candidates so why do I type one of my 00:41:08 racks with a job that I know I can't 00:41:11 fill in many large companies hiring 00:41:13 managers are given a pool of job 00:41:16 openings and if they set one as a 00:41:18 security analyst or security engineer 00:41:20 and they can't fill that they can't hire 00:41:22 and fill that with a software developer 00:41:24 or a system administrator that maybe 00:41:26 they could teach some security to or 00:41:28 they could say hey can you be the 00:41:29 software engineer that's gonna try to 00:41:31 help us make this stuff more secure so 00:41:34 they'll fill it with a generic technical 00:41:36 person and then look to try to train 00:41:38 them 
in security so this the skill 00:41:41 shortage in this gap is causing issues 00:41:44 across many different industries and and 00:41:48 this is one way I'm kind of a frequent 00:41:51 leave recommend folks choose in many 00:41:55 cases they can a software as a surface 00:41:57 solution instead of trying to build 00:41:58 their own applications because the 00:42:01 software service providers even as we 00:42:04 talked about the uber breach and these 00:42:05 other things early on they all have 00:42:07 highly qualified security teams and 00:42:09 they're working really hard at keeping 00:42:11 these things as safe as possible and 00:42:12 they even still run into issues from 00:42:14 time to time but if you're building 00:42:16 software and you don't have a security 00:42:19 engineer if you don't know what static 00:42:20 code analysis is if you don't know what 00:42:22 dynamic code analysis is if you don't 00:42:23 know what a white hat hacker is or white 00:42:26 box testing or blackbox testing or any 00:42:29 of these different things if you don't 00:42:31 have people on your team doing these 00:42:32 things you're not gonna be in a spot 00:42:34 where if an attacker decides to end up 00:42:37 targeting you and they could do it on 00:42:39 purpose because they want to go after 00:42:42 your business or they could do it on 00:42:43 accident because you just happen to fit 00:42:45 a profile that their automated tools 00:42:47 scanned and found you should be yeah 00:42:49 using software as a service solutions 00:42:51 whether it's all the way to store your 00:42:53 source code all the way through to 00:42:55 running your website there's little to 00:42:58 no reason to host your own website 00:43:00 anymore unless you again have your own 00:43:04 team of web security experts and then if 00:43:06 you look at it you may go like for 00:43:09 hosting this service or 00:43:11 paying for this monthly subscription is 00:43:13 more expensive than buying a server 00:43:15 
myself but you really aren't looking at 00:43:17 the whole suite of costs in there is 00:43:20 from a security perspective all the way 00:43:22 from the hardware up through the 00:43:24 operating system to the application 00:43:26 there's constant patching update and 00:43:28 maintenance that has to happen as new 00:43:31 vulnerabilities are discovered at every 00:43:33 layer and if you are not turning over 00:43:36 and managing and maintaining all of 00:43:37 those things again the hackers only have 00:43:39 to find one chink in the armor they've 00:43:42 only got to find one way to get to get 00:43:43 in and you have to continually update 00:43:46 patch and monitor all of these the the 00:43:48 us-cert mailing list which if everyone 00:43:51 if you're paying attention of the stuff 00:43:52 and working in this area should 00:43:54 subscribe to and monitor last week there 00:43:57 was over a hundred vulnerabilities 00:43:59 released during Thanksgiving week and if 00:44:01 your team was not in reading them 00:44:03 understanding if they impact your 00:44:05 business or not in paying attention to 00:44:06 those then something could have come out 00:44:09 over that holiday week where your 00:44:12 business is now at risk for some period 00:44:14 of time and it this is a constant 00:44:17 ongoing discovery of new defects that 00:44:21 leads to new risks that have to be 00:44:24 patched or mitigated or you have to just 00:44:27 accept that maybe they're gonna be out 00:44:29 there and open yep yeah and you know our 00:44:33 company I mean the companies in the 00:44:35 space whether it's security or whatever 00:44:39 end up doing you know we're working over 00:44:42 the holidays I mean our systems our 00:44:44 software processes are working over the 00:44:48 holidays and so I think that's that's 00:44:49 really the key right is you could be 00:44:52 enjoying your your Thanksgiving holiday 00:44:54 but your website is you know be up to 00:44:59 date because you've got a 
company that's 00:45:01 really working 24/7 so you know you know 00:45:03 it kind of moves the you know you feel 00:45:06 feeling good about it your Thanksgiving 00:45:08 that you know your stuff is secure so 00:45:10 that that's why people I mean that's why 00:45:12 it's so popular nowadays so yeah and 00:45:14 it's interesting on the computing side 00:45:16 where folks have kind of felt this need 00:45:18 to do it themselves because if you have 00:45:19 an office building you probably hire an 00:45:21 alarm company to monitor your physical 00:45:23 alarm and 00:45:24 building to watch the cameras for you to 00:45:27 take care of all those things to respond 00:45:28 in the event of an incident but then 00:45:31 folks feel that need to do all of those 00:45:32 activities for their own computer they 00:45:34 monitor their own systems they respond 00:45:36 to their own incidents and and it's one 00:45:40 where nowadays as I got out there and 00:45:43 talked to two bank executives they're 00:45:46 not worried about Jesse James coming 00:45:48 through the front door with a hood on 00:45:49 anymore they're worried about the cyber 00:45:51 criminals coming in over the Internet to 00:45:53 their bank branches so those guys all 00:45:56 now whether they're paying a third party 00:45:58 or they've built their own teams they 00:46:00 are monitoring the your internet banking 00:46:02 branch 24/7 and checking that responding 00:46:06 to alerts in real time is they they have 00:46:08 to because they know that's where the 00:46:09 the criminals are now many businesses 00:46:12 that are outside of these highly 00:46:14 regulated super high risk industries are 00:46:16 still maybe paying for a physical alarm 00:46:19 but not paying for their internet to be 00:46:21 monitored yeah 00:46:23 and and that's that's that's a great way 00:46:25 to put it yeah so as you're out there 00:46:30 we've got some listeners with us that 00:46:32 maybe you're interested in getting into 00:46:35 
working for a pure tech company so maybe 00:46:37 they're there in school now or they're 00:46:40 working on a technology department of a 00:46:42 business that does something else what 00:46:44 kind of big difference do you see or 00:46:45 advice do you have for them to make that 00:46:47 that shift from school into a technology 00:46:49 firm or from a general businesses 00:46:52 technology department into a company 00:46:54 that does nothing but tech all the time 00:46:56 yeah so I mean what I would say is is 00:46:59 around you know again it depends on the 00:47:03 type of role but let's say it's a 00:47:05 technology - technical role so something 00:47:08 in the development or operations our 00:47:10 DevOps area versus just business or 00:47:13 sales etc it would be around I like at 00:47:18 least what we see is that there's a you 00:47:20 know self-starter so you know if you're 00:47:22 able to demonstrate you know a grasp of 00:47:26 particular new technology or or you've 00:47:29 built some new way of approaching a 00:47:32 problem so you know you may be working a 00:47:34 larger company and you know while the 00:47:38 official line says you know there's not 00:47:40 really any time or any need to change 00:47:41 something you know you've gone out of 00:47:43 your way to create kind of a better way 00:47:45 of securing something or doing a process 00:47:49 you know whether that's a university or 00:47:52 like I said at an actual company 00:47:54 demonstrating that or kind of showing 00:47:57 that kind of initiative at least tech 00:48:00 companies in our our size you know which 00:48:02 are typically smaller you know less than 00:48:04 a hundred people small businesses that 00:48:08 goes a long way so the the kind of pure 00:48:10 academic you know I know every single 00:48:13 new acronym or technology that's out 00:48:17 there you know those are important at 00:48:18 some level but you know I look for at 00:48:21 least kind of initiative you know almost 
00:48:24 like entrepreneurism internally 00:48:27 self-starter self motivating so you know 00:48:31 like I said that that kind of balanced 00:48:33 with with the skill set you know so 00:48:36 there's you know if you're going to want 00:48:38 to go into a web company there's a list 00:48:40 of you know web technologies if you want 00:48:42 to go to security you know it would be 00:48:44 good to you know there's a lot of 00:48:46 different online courses or code up 00:48:49 academies or just even you know ninety 00:48:51 day programs where you can get you know 00:48:54 pretty good grasp on it and then take 00:48:56 that learning and try to do something on 00:48:58 your own and then you can use that as 00:49:00 almost like a resume ya know it's 00:49:02 excellent advice you can check out our 00:49:06 rebroadcasts of cyber talk radio listen 00:49:09 to things about some of the programs at 00:49:11 San Antonio colleges area around here 00:49:13 other programs as well Codeup on the 00:49:16 software development side our Open Cloud 00:49:18 Academy on this 00:49:19 administration and cybersecurity thank 00:49:22 you for joining us this week and a thank 00:49:24 you out there for listening to cyber 00:49:26 talk radio 00:49:27 [Music] 00:49:43 [Music]