Episode: 062


Title: Security in the Cloud


Aired: December 02, 2017


Featured Segments: Security in the Cloud


Synopsis:

Bret Piatt, CTR Host, and Jacek Materna, CTO at Assembla, discuss security in the cloud.


Follow Us & Stay Informed:


Bret Piatt (left), Jacek Materna (right)


Tweet us: @cybertalkradio, @bpiatt, @assembla / Stream on iHeartRadio: Android or iOS


Transcript:


00:00:05 from the dark web to your radio dial you
00:00:09 were listening to cyber talk radio on
00:00:11 news 1200 WOAI
00:00:17 [Music]
00:00:29 welcome to cyber talk radio I'm your
00:00:33 host Bret Piatt a 20 year internet
00:00:35 security veteran this week we're gonna
00:00:37 be talking security in the cloud all
00:00:40 about software development oh this
00:00:42 blockchain stuff and what is GDPR at
00:00:45 the front of new acronyms the industry
00:00:49 is always coming up with them every
00:00:50 industry has them I think Tech thinks
00:00:52 they're worse than everyone else but
00:00:53 they're not really worse but we do have
00:00:55 our own acronyms and I'm joined this
00:00:58 week by the CTO of one of our tech
00:01:01 companies here in downtown San Antonio
00:01:03 and our tech district on Houston Street
00:01:05 Jacek Materna of a company called
00:01:07 Assembla Jacek thank you for joining
00:01:09 us this week great to have me yeah so
00:01:11 give us a little bit of background how
00:01:13 did you get to where you're at and here
00:01:15 into San Antonio and what does Assembla
00:01:17 work on yeah great so a little
00:01:20 background on myself originally from
00:01:23 Canada been in San Antonio eight years
00:01:27 long background in cyber security had a
00:01:29 bunch of businesses up in Canada some
00:01:32 successful some not and then '08 came
00:01:35 in interesting times for small startups
00:01:40 opportunity to move to the United States
00:01:43 so I've been in San Antonio now for
00:01:46 eight years I said and Assembla is a
00:01:50 B2B SaaS company that was bought by
00:01:53 Scaleworks about I'd say 20 months ago and so
00:01:56 I came in with a few of the team members
00:01:59 over at Scaleworks so we put together
00:02:02 a team we've been growing the business
00:02:04 for for about two years now here on
00:02:06 Houston Street and we're really in the
00:02:10 business of source code management and
00:02:12 security so I think of it as kind of a
00:02:15 more Enterprise version of Dropbox for
00:02:18 software developers and we support all
00:02:22 types of different customers and it's
00:02:25 all cloud-based so you know supporting
00:02:30 security environments small teams people
00:02:34 that are just starting companies gaming
00:02:35 studios and stuff like that and like
00:02:38 said we're just across the street here
00:02:40 so yeah for marketing our cyber talk
00:02:43 radio studio
00:02:43 we can look out the window and see your
00:02:45 team from over there exactly there they
00:02:47 look busy selling product which is good
00:02:50 see that right there that's excellent
00:02:53 yeah so for those of you that are a
00:02:56 little bit less technical in our
00:02:58 audience that's okay everyone starts
00:02:59 somewhere and we'll learn so the the SaaS
00:03:02 software as a service so that's all
00:03:04 these things that you consume over the
00:03:06 Internet these days Dropbox is an
00:03:10 example of one but your email if you've
00:03:12 got email from Google or Microsoft or
00:03:15 any of those folks that's all software as
00:03:16 a service that just happens to be
00:03:17 email as a service so Assembla
00:03:18 manages the source code that people use
00:03:21 to build software as part of that
00:03:23 platform and product so security is
00:03:25 paramount there because if as Marc
00:03:28 Andreessen said software is eating the
00:03:29 world if you you've got that source code
00:03:31 and you have access to that then you
00:03:33 have access to the keys to the kingdom
00:03:34 and two really important things for your
00:03:37 customers and very important things for
00:03:40 their businesses their investors and
00:03:41 their stability in their future yeah
00:03:45 exactly and you know everybody's
00:03:49 probably seen the recent news about you
00:03:52 know there's been Equifax thing recently
00:03:55 I think there was something on uber you
00:03:58 know talking about you know they were
00:04:00 hiding a data breach that went on and I
00:04:03 think 2016 you know so everybody's been
00:04:08 hearing about data breaches and what's
00:04:11 happening and when you look at it what's
00:04:13 interesting is you know sometimes it's a
00:04:18 really simple reason you know it's it's
00:04:21 sometimes not really malicious you know
00:04:23 it's not some kind of nefarious actor
00:04:25 there's basically you know a lot of
00:04:27 different stuff that goes into making
00:04:30 cloud software work or businesses work
00:04:34 so somebody puts you know a secret
00:04:35 password up in a source control system
00:04:39 in the cloud and you know maybe they
00:04:42 don't think about the security side of
00:04:43 it or you know double check stuff and
00:04:45 then it gets compromised and the keys to
00:04:48 the kingdom yeah go with that and so
00:04:50 it's it's that's interesting you know in
00:04:53 the sense that that it's just a simple
00:04:55 thing right you've got
00:04:56 really important 20 letter password that
00:05:00 opens up databases databases yeah in the
00:05:04 uber example yeah so on that one one of
00:05:07 their engineers checked in production
00:05:09 credentials into their source code
00:05:10 system that developer or operations
00:05:14 engineer or if they're so-called DevOps
00:05:16 blending and we'll talk a little bit
00:05:17 about how that stuff works now that the
00:05:20 blurring line that in that case one of
00:05:23 those folks got their credentials
00:05:25 compromised somehow someone gained
00:05:26 access via their user to that source
00:05:29 code repository and then they were able
00:05:31 to go authenticate to the production
00:05:33 system and pull down information about
00:05:35 57 million of us that took an uber ride
00:05:38 or drove around as a driver on uber they
00:05:42 still haven't been very clear I've used
00:05:44 the service we probably all have almost
00:05:46 everyone listening here and not very
00:05:50 specific about what information was
00:05:53 contained in that they've said it's not
00:05:55 your credit card or not certain things
00:05:58 that they do have to disclose so and
00:06:01 it's not specific addresses in your trip
00:06:02 history it's really vague and that's
00:06:05 frustrating from a customer perspective
00:06:07 on the disclosures you would prefer to
00:06:09 have an idea of what information is out
00:06:12 there because if you don't know what it
00:06:13 is it's hard to protect yourself and I
00:06:15 mean Equifax while it was basically
00:06:18 every adult in America compromised in
00:06:20 that one they were at least pretty
00:06:23 specific with what information was
00:06:25 contained in the records that were
00:06:27 leaked in that case yeah and it's just
00:06:32 interesting I was having a call this
00:06:34 morning with the partner of ours a
00:06:35 HackerOne out of San Francisco and they
00:06:38 do their there a kind of a hacker bounty
00:06:42 vulnerability program what that really
00:06:44 means is they have white hackers that
00:06:47 are you know the good guys that
00:06:49 basically hook up with companies and
00:06:52 they get incentivized to you know test
00:06:54 systems for vulnerabilities and you know
00:06:58 think of it as kind of a super testers
00:07:00 or they're looking at the security side
00:07:02 of the house and I think Uber's one of
00:07:05 their customers one of the key customers
00:07:08 and what's interesting about it is that
00:07:10 there
00:07:10 you know they talk about vulnerability
00:07:14 disclosure programs you know as a first
00:07:16 step that you know it's super important
00:07:19 to let customers know early or when it
00:07:22 happens that there's been a compromise
00:07:23 but it seems like I said there's still
00:07:25 still a lot of companies that are
00:07:28 operating in some kind of stealth mode
00:07:31 or kind of a let's not disclose it and I
00:07:36 think you know probably the uber case it
00:07:39 may be the tipping point maybe there'll
00:07:42 be another one but I think it's gonna
00:07:43 change you know the CEO I'm sure is
00:07:46 asking people the new CEO
00:07:49 yes he's asking interesting questions in
00:07:51 the sense of I know he kind of I think
00:07:53 knew about it
00:07:54 before they went you know at a certain
00:07:56 point he knew about the actual breach
00:07:58 before but still it kind of begs a
00:08:01 question of hey you know if you're if
00:08:03 you're a customer of a service any kind
00:08:05 of service email Outlook Yahoo you know
00:08:10 they've all had issues disclosing
00:08:13 information timely yeah Yahoo sat on
00:08:16 theirs for years I think if it probably
00:08:18 wasn't for the Verizon due diligence and
00:08:21 Verizon set a pretty strong security
00:08:23 team that they built up through the
00:08:25 years that did some audit analysis there
00:08:27 and and during that acquisition of Yahoo
00:08:30 by Verizon and all of these different
00:08:32 disclosures came out exactly yeah so I
00:08:36 think we're gonna see a lot more
00:08:38 corporate hopefully some corporate
00:08:40 governance around that I mean ultimately
00:08:42 it's gonna be the customers that are
00:08:44 gonna make the most impact so you know
00:08:47 if if a company is losing you know brand
00:08:50 faith and and and customers that's gonna
00:08:53 ultimately be obviously the thing that
00:08:55 changes behavior but hopefully it'll be
00:08:57 a bit more proactive you think there's
00:08:59 some fatigue around this it's just
00:09:01 everyone feels like all their
00:09:02 informations been leaked so many times
00:09:04 does it even matter anymore
00:09:05 that's a great great point yeah you know
00:09:09 there's probably a lot of that I mean I
00:09:11 hear that as well they're kind of like
00:09:13 well you know it's it's already out
00:09:14 there everywhere yeah so what's another
00:09:18 leak so it's a good question it's an
00:09:23 it's an interesting one and
00:09:24 while certain people may have some
00:09:26 portions of your information it's not
00:09:28 that everyone has complete access to all
00:09:32 of your information I'm know the stories
00:09:35 about the LifeLock CEO who put his own
00:09:37 social security number up and said go
00:09:40 ahead and try to steal my identity and
00:09:42 because he did that and made himself a
00:09:43 high-profile target he had folks that
00:09:46 were constantly trying to steal his
00:09:49 identity and commit fraud on his his own
00:09:53 identity his account it made their
00:09:55 service probably better ultimately over
00:09:56 the time but he individually had issues
00:09:58 for years because of putting his social
00:10:02 security number up on the side of trucks
00:10:04 and billboards and other places it was
00:10:05 his actual social security number yeah
00:10:07 yeah I remember that ya know it's it's
00:10:11 gonna be interesting like I said I think
00:10:12 you know people tend to also forget as
00:10:16 well that you know there's probably
00:10:19 there's certain even easy steps I get
00:10:21 everyone on the call that's that's
00:10:23 listening you know even if you're not
00:10:25 super technical you know if you're using
00:10:27 something like email you know as an
00:10:29 example you know everybody may be
00:10:32 familiar with you know some of the extra
00:10:35 security that some of these services
00:10:37 offer you know where you get a text
00:10:39 message that says hey you know you've
00:10:41 logged in please confirm your code and
00:10:43 so what's interesting about that is that
00:10:46 you know even that's kind of insecure
00:10:48 and it ends up being that you know you
00:10:49 can call into a Verizon and AT&T and and
00:10:52 I'm sure they've got some processes in
00:10:54 place now but in a lot of cases people
00:10:57 have had their phone numbers yeah this
00:11:00 is a common Bitcoin wallet theft
00:11:01 technique exactly they've been you know
00:11:03 hey I know your address there's a couple
00:11:05 piece of info and and the the person in
00:11:08 a call center you know pushes some kind
00:11:10 of button in the system and suddenly
00:11:13 your phone numbers somewhere else and
00:11:14 then you know your accounts been
00:11:16 compromised so it could be email or a
00:11:19 wallet Bitcoin wallet whatnot so you
00:11:22 know get back to the whole deal around
00:11:24 you know data being out there
00:11:27 I still think you know it's it's
00:11:29 important to think about you know what
00:11:33 your what data you're putting out there
00:11:35 and and when you're looking at services
00:11:38 I think it's important to look at the
00:11:40 what's their approach no company's
00:11:42 perfectly secure but is security part of
00:11:45 their mission or is it kind of a
00:11:48 marketing thing or is it a like
00:11:51 non-existent point so I think consumers
00:11:54 are gonna be asking more of those
00:11:56 questions yeah and even if you're you're
00:11:58 with your cellphone carrier good
00:12:00 question to call up it and ask them is
00:12:02 can you turn off or disable or block all
00:12:06 attempts to transfer your phone number
00:12:10 for the phone number portability says
00:12:11 what will happen in many cases is your
00:12:13 accounts not locked I think by default
00:12:15 and the hackers will go to some smaller
00:12:20 mobile operator and that smaller mobile
00:12:23 operator has a trusted relationship set
00:12:24 up with the bigger carriers to where
00:12:25 they say hey we sign up a new customer
00:12:27 we want to move the phone number over
00:12:28 and they they get to go that route with
00:12:31 your current carrier you can call and
00:12:34 many of them support flagging your
00:12:36 account to block phone number
00:12:38 portability by request by other carriers
00:12:41 and then to where you have to go
00:12:43 specifically into and start the request
00:12:47 and initiate it from your current
00:12:48 carrier instead of allowing somebody
00:12:49 else to initiate it and pull your number
00:12:52 on over so yeah with all of these things
00:12:55 it's pretty complicated tricky to stay
00:12:57 secure which is why I mean we see
00:12:58 Bitcoin wallets being stolen with this
00:13:00 multi-factor SMS which is the text
00:13:03 messaging service on your phone the the
00:13:05 hacks from that on a on a regular basis
00:13:08 Bitcoin wallets are these digital
00:13:10 wallets where you you it's your digital
00:13:12 bank account effectively for the Bitcoin
00:13:14 your cryptocurrency all that that new
00:13:17 blockchain stuff that folks are talking
00:13:18 about and hackers are going after that
00:13:21 and robbing Bitcoin banks effectively
00:13:22 the way they used to rob banks in the
00:13:24 Wild West it's kind of the Wild West of
00:13:25 the internet again yeah absolutely
00:13:29 so as you guys are taking care of folks
00:13:33 source code on a regular basis how how
00:13:38 do you think about authentication into a
00:13:41 platform that holds information that
00:13:44 valuable
00:13:46 yeah so what we do is you know most of
00:13:51 these companies their core intellectual
00:13:54 properties stored on these systems and
00:13:56 so what we try to do is you know we
00:14:01 offer different approaches to security
00:14:03 and we you know we make recommendations
00:14:05 around hey you know all your users
00:14:07 should have you know multi-factor
00:14:10 authentication you know this and that
00:14:12 you shouldn't be sharing account
00:14:14 passwords and different things
00:14:16 unfortunately what's happening though is
00:14:18 it's one of those especially when you're
00:14:22 dealing with teams that are you know
00:14:25 focused on building stuff like you know
00:14:26 developers that want to you know just
00:14:28 get products out secure house to break
00:14:31 things yeah they want to move fast and
00:14:33 because you know they have a deadline
00:14:35 they've got you know hundred things to
00:14:37 finish security tends to kind of take a
00:14:40 secondary seat you know so they're
00:14:42 they're they're doing little shortcuts
00:14:45 you know they're trying to get stuff
00:14:47 done quickly and it what we end up
00:14:51 having to do is we just have a you know
00:14:53 we're monitoring it we're letting
00:14:55 customers know if certain things are
00:14:58 happening if they want to know about
00:15:00 that but ultimately it's one of those
00:15:02 things where you sign up for the service
00:15:04 here's the available options and if a
00:15:07 company decides to put their trusted
00:15:10 stuff up in a in in in the cloud but
00:15:15 doesn't go through any kind of diligence
00:15:17 educating their team saying hey you know
00:15:21 this is our core stuff do this this this
00:15:23 and that you know there's not much we
00:15:26 can do beyond just like you know
00:15:28 recommending it so I we still see a lot
00:15:30 of companies not go through a full suite
00:15:35 of security kind of post deployment
00:15:38 stuff and I think that's what's
00:15:39 interesting about it is that I don't
00:15:42 think that's happening anywhere so that
00:15:44 brings up kind of a question about you
00:15:48 know what is it is it security as it is
00:15:50 it too burdensome to implement is it is
00:15:54 it you know what it what is the issue
00:15:56 there and and I think it's kind of
00:15:59 something to dig into
00:16:00 yeah it is there any going back those
00:16:02 like you talked about using the cloud it
00:16:04 almost sounds inevitable like you have
00:16:06 to if you're not using the cloud you
00:16:07 can't go quickly you can't build
00:16:08 software with distributed teams very
00:16:11 effectively that is there the option if
00:16:14 I'm an individual could I just unplug
00:16:16 from the internet at this point in my
00:16:17 life you know probably you probably find
00:16:23 some way to doing it but it'd be a
00:16:25 difficult path you know you'd have some
00:16:28 kind of server in your closet connected
00:16:32 to something power outlet for sure VGA
00:16:37 line of a monitor and and you probably
00:16:40 could do something with your cell
00:16:41 network but that's connected to the
00:16:43 Internet to at some level so you know
00:16:45 you could see that being pretty
00:16:47 difficult cuz you can't you can't get
00:16:48 any new you know the center of
00:16:51 excellence is in the cloud now for you
00:16:53 know new tools new news apps everybody's
00:16:56 you know look at the new generation you
00:16:58 know they're growing up on their phones
00:16:59 everything's yeah whether they see it or
00:17:02 not it's always chatting with everything
00:17:03 else you look at blockchain I mean
00:17:06 blockchain is effectively a super chatty
00:17:09 you know network of users and computers
00:17:14 but that's what makes it effective but
00:17:16 you got to be plugged in no most folks
00:17:19 under the age of 30 at this point don't
00:17:21 have a physical checkbook like if you
00:17:24 have to get a check they well digitally
00:17:27 they might know what the account number
00:17:28 is and you can kind of do an online ACH
00:17:31 but physically actually writing out a
00:17:33 cheque is something that you you only do
00:17:36 if you're in a really odd situation
00:17:40 maybe you're traveling overseas or
00:17:41 something but it's not anything you
00:17:43 physically do these days for yeah paying
00:17:46 for stuff it's all digital to check your
00:17:48 credit card balance to all of that stuff
00:17:51 is all online it's all an app it's all
00:17:53 connected to the Internet going through
00:17:55 on the software development so we talked
00:17:56 a little bit about development and
00:17:58 operations it's coming together and most
00:18:02 tech startups are doing this now but
00:18:04 this is even kind of spreading into
00:18:07 larger more well-established
00:18:09 organizations where you have a sharing
00:18:12 of duties now between the people
00:18:13 building thing
00:18:14 and the folks running the application
00:18:16 infrastructure is you think about the
00:18:18 security implications of this is it this
00:18:21 model making stuff better or worse how's
00:18:24 DevOps impacting the security world yeah
00:18:27 it's a good question I mean we so so
00:18:31 there's definitely kind of a shared
00:18:34 responsibility now you know the the
00:18:36 coined term is called dev ops all that
00:18:39 means is you know as developers and
00:18:40 operators are working together on the
00:18:44 same kind of projects there's not not
00:18:46 anymore this kind of throw it over the
00:18:47 fence model and all of it is because
00:18:50 things move so quickly you look at an
00:18:52 Amazon if you go onto their website to
00:18:55 buy something and you've probably bought
00:18:57 something in the last few days you know
00:19:00 they're developing and putting new
00:19:03 capabilities out hundreds of times a day
00:19:06 sometimes so they're tweaking things and
00:19:08 changing and and so that that whole
00:19:11 process that the teams that do all of
00:19:13 that you know call them the DevOps teams
00:19:18 you know the things that they work
00:19:20 together to make it happen and they're
00:19:22 doing it so quickly you know I say a
00:19:24 hundred times a day how could you you
00:19:26 know how is it possible to you know look
00:19:29 at the quality of it or hey is it are we
00:19:32 introducing new vulnerabilities into
00:19:35 Amazon so there's a new feature on the
00:19:37 website let's say you know how could you
00:19:40 if it's a hundred times a day
00:19:42 how could you ensure that it's secure
00:19:45 and I think the answer to that is but
00:19:51 the only answer to it at that speed is
00:19:53 you've got to bring in new technologies
00:19:55 that automate or help the people you
00:20:01 know do more with less so they can you
00:20:04 know they they can scan the code or they
00:20:06 can quickly assess like hey it's a red
00:20:09 you know yellow or green you know only
00:20:12 when it's green should we deploy it yeah
00:20:14 so you know a uh you know there's all
00:20:17 these different kind of terms that are
00:20:18 floating around so any kind of
00:20:20 automation or tools they'll help you you
00:20:23 know do tasks in about five minutes that
00:20:26 used to take maybe months
00:20:27 is is where things are at and I think
00:20:31 from a security perspective like I said
00:20:33 if the tools aren't there to do that but
00:20:37 you're moving quickly then I think
00:20:39 that's where you've got big problems
00:20:40 because you've got companies that are if
00:20:43 they're not thinking about security in
00:20:45 that process then all they're really
00:20:48 doing is moving quickly and potentially
00:20:52 you know it's they have great products
00:20:55 or things look great it's always getting
00:20:58 what the customers need but security
00:21:00 could be catastrophic because there's
00:21:03 just nobody that can look at that stuff
00:21:05 at that pace so I think security needs
00:21:09 to be kind of part of the discussion
00:21:10 first of all you know small companies
00:21:13 and I think today the biggest thing
00:21:17 we've heard is that it's just an
00:21:19 expertise I mean the Security's kind of
00:21:21 black magic world you know you have to
00:21:23 be this signals intelligence expert I
00:21:25 mean that's the kind of the the
00:21:29 perception that that's what the skill
00:21:31 set you need but in reality you know
00:21:34 developers people that are building the
00:21:37 software operators you know if they've
00:21:40 got the right tools to help them in some
00:21:41 education they could be pretty effective
00:21:44 at you know helping the software be
00:21:48 secure you know when they're building it
00:21:50 so I think it's just an education thing
00:21:52 it's it's companies thinking about
00:21:54 security at like a you know it's part of
00:21:58 their mission so you know the executives
00:22:00 down say hey the developers can't just
00:22:03 do whatever they want yeah we got to
00:22:06 have security
00:22:07 we got an embedded security we got to
00:22:09 spend money on security so that our
00:22:12 customers know that we're building
00:22:14 products that are you know we've done
00:22:17 our diligence it's it's not just a pure
00:22:20 technology problem on a standalone
00:22:21 either it's one that requires both the
00:22:25 technological controls but people to
00:22:27 implement those in a process that has
00:22:31 quality checks built in so if you think
00:22:35 about a physical analogy I can go buy
00:22:37 the fanciest alarm system for my house
00:22:41 but if you don't plug the cameras in
00:22:44 properly if you don't point them in the
00:22:45 right direction if you don't set up the
00:22:47 laser beams to be able to connect in a
00:22:51 line where someone's gonna trip it as
00:22:53 they walk through the room if you don't
00:22:54 do all of those things properly and you
00:22:56 don't have somebody else come through
00:22:58 and double-check it it doesn't matter
00:22:59 that you bought the fanciest alarm
00:23:00 system in the world so you have a bunch
00:23:02 of companies that will throw potentially
00:23:04 some money at this they'll go buy the
00:23:05 latest greatest whiz-bang set of
00:23:07 security software and tools but then
00:23:09 like in the Equifax scenario so some of
00:23:12 the information that came up about that
00:23:13 one is that there was a database there
00:23:15 no encryption turned on the database
00:23:17 supported encryption but it wasn't
00:23:19 turned on and they had a default
00:23:21 username and password on it so the
00:23:23 hackers didn't have to do anything
00:23:25 advanced like they're like well this is
00:23:26 a database um this version of this
00:23:28 database let me put it in the default
00:23:29 super user name and the default super
00:23:32 user password oh look I'm in oh and look
00:23:34 here's all the tables that have all the
00:23:36 information in it and there's no
00:23:37 encryption key stored separately
00:23:39 somewhere else that you need to go
00:23:40 decrypt them so this is one if you don't
00:23:44 have that process baked in if you're not
00:23:47 being thoughtful about these things then
00:23:50 you end up leaving information behind or
00:23:53 you you end up creating vulnerabilities
00:23:55 where you aren't even aware that you you
00:23:58 had them because you have bought all of
00:24:01 them Equifax I'm certain owns encryption
00:24:03 software and I'm certain that they have
00:24:06 a process that says production databases
00:24:09 aren't allowed to have default usernames
00:24:10 and passwords what the process didn't
00:24:11 get followed the technology that they
00:24:13 own didn't get used and
00:24:15 a hundred million plus records later
00:24:17 they're out there at someone else's
00:24:19 hands because the hacker only has to be
00:24:20 right once the folks that are trying to
00:24:22 keep stuff safe have to be right all
00:24:24 the time
00:24:24 now we're gonna go ahead and take a
00:24:26 break here for a news traffic and
00:24:28 weather update at the bottom of the hour
00:24:29 you're listening to cyber talk radio on
00:24:31 1200 WOAI
00:24:33 [Music]
00:24:43 [Music]
00:25:04 [Music]
00:25:08 welcome back to cyber talk radio
00:25:11 I'm your host Bret Piatt a 20-year
00:25:13 internet security veteran joined this
00:25:15 week by Jacek Materna of
00:25:17 Assembla one of our tech companies here in San
00:25:21 Antonio our tech district forming
00:25:24 downtown
00:25:25 it's good to see Scaleworks a local
00:25:28 venture private equity tech cool company
00:25:34 that runs and operates a whole bunch of
00:25:36 different businesses finally moved in
00:25:39 next door to the cyber talk radio
00:25:41 studios we can look out the window over
00:25:44 there see the the rest of your team
00:25:45 working hard away we can see the
00:25:48 construction transforming downtown of
00:25:50 you've not been in a downtown San
00:25:52 Antonio in a while come on down for the
00:25:55 kickoff of our 300th year or
00:25:58 tricentennial there'll be some great
00:26:00 fireworks there's a whole new open lawn
00:26:03 and big area over by HemisFair Park and
00:26:05 where they'll be holding that here at
00:26:06 the start of the year
00:26:07 and on through the year you're gonna see
00:26:10 a San Pedro Creek kind of a whole new
00:26:12 Riverwalk and all sorts of things
00:26:13 opening up transforming downtown so if
00:26:15 you're one of those folks in our
00:26:17 listening audience that lives outside
00:26:19 the 410 loop or outside the 1604 loop
00:26:22 the downtown has turned into more than
00:26:24 just the Alamo it's still here they
00:26:27 haven't changed it yet if you don't want
00:26:28 it changed you should get involved to
00:26:30 talk to your City Council talk to folks
00:26:33 in a preserve the Alamo Plaza if if
00:26:35 that suits you if you'd like to see it
00:26:37 change and transform speak up and get
00:26:39 involved but uh there's a lot going on
00:26:41 downtown tech companies is one thing
00:26:44 though centered around geekdom in this
00:26:47 whole ecosystem that started over the
00:26:49 last five years it's growing in this
00:26:52 area and out all across the whole city
00:26:54 if you missed the first half of this and
00:26:57 you just happen to be turning on the
00:26:58 radio right now you can listen to the
00:27:01 rebroadcast and replay of this episode
00:27:04 and all of our cyber talk radio on our
00:27:07 website at wwlp.com as well as on itunes
00:27:11 podcasts or pocket cast or your favorite
00:27:14 podcasting app on an android device if
00:27:17 you happen to be listening to us on that
00:27:19 replay right now thank you for tuning in
00:27:22 and enjoying some cyber talk radio you
00:27:25 can give us suggestions feedback and the
00:27:26 things on our website we're also on
00:27:29 Facebook cyber talk radio and Twitter
00:27:32 cyber talk radio as well so Jacek then
00:27:35 again thanks for the good discussions we
00:27:37 were talking a little bit about
00:27:38 some of the trade-offs between speed and
00:27:41 security and and how folks are having to
00:27:45 work through this and we hinted about
00:27:48 this regulatory requirements in a lot of
00:27:51 areas if you're not a healthcare company
00:27:53 you can kind of do security in your own
00:27:57 way there's not a lot of descriptive
00:27:59 stuff if you're taking credit cards
00:28:01 maybe you've got to protect the credit
00:28:02 card information but that's not even
00:28:04 really a law PCI is just an industry set
00:28:07 of standards if you'd like to take
00:28:08 credit cards in your website you should
00:28:10 follow that one because if not then the
00:28:12 banks and the credit card companies will
00:28:14 not allow you to do it anymore that's
00:28:16 not even a law now HIPAA that healthcare
00:28:19 one that is a law can you help our our
00:28:21 audience learn a little bit about how
00:28:24 are their medical records getting
00:28:25 secured and what has happened out there
00:28:27 from a legal perspective around those
00:28:31 electronic medical records yeah thanks
00:28:34 right so you know in terms of HIPAA so
00:28:36 HIPAA is a you know it's a legal
00:28:39 framework specifically directed at you
00:28:42 know EMR electronic medical records and
00:28:45 you know it's pretty wide ranging a set
00:28:48 of parameters around you know how you
00:28:53 know your information is secured you
00:28:55 know who should be accessing it how how
00:28:58 companies should be you know sharing it
00:29:00 with with other companies you know
00:29:02 hospitals may be sending EMR records
00:29:04 between themselves those HIPAA releases
00:29:07 we all sign every time you go anywhere
00:29:08 that's right exactly that all that all
00:29:10 that stuff is thanks to HIPAA and and
00:29:15 you know it's what it's really done is
00:29:17 its created you know an ecosystem and a
00:29:18 really a framework where companies have
00:29:21 had to build products where hospitals
00:29:23 have had to spend a lot of money to
00:29:26 invest in security which is a good thing
00:29:28 because you know your records are very
00:29:30 very important and so in a lot of ways
00:29:32 it's been really good you know from from
00:29:37 a security perspective because most of
00:29:39 these EMRs or your records are now
00:29:42 digital and so whether it's email or
00:29:45 other means they're being shared so it's
00:29:48 not just a letter in the envelope being
00:29:51 sent
00:29:52 on a postal truck it's now over the
00:29:55 internet so again the security super
00:29:59 paramount there it's going through the
00:30:00 cloud as they call it in a lot of cases
00:30:03 when it comes to an area that's been
00:30:06 interesting in HIPAA that is is often
00:30:10 not discussed is again back to this this
00:30:15 source code or the the code that goes
00:30:18 into building these these these
00:30:21 applications so imagine going into your
00:30:23 doctor's office and you know you go to
00:30:24 the front desk you give them your
00:30:26 information and they're they're using
00:30:28 their typing some stuff in the computer
00:30:29 they're using some kind of software to
00:30:32 look up your info you know maybe your
00:30:35 appointment whatnot and so that software
00:30:38 is talking to a whole bunch of other
00:30:40 software somewhere you know could be in
00:30:42 the office could be over the internet
00:30:44 whatnot effectively at some point that
00:30:47 that application or that software is is
00:30:50 looking you know it is looking at your
00:30:54 records you know it's it's putting them
00:30:56 on the screen it's it's it's looking in
00:30:58 some kind of database so an area that
00:31:02 we're seeing a lot of a lot of change in
00:31:05 is that other than just securing your
00:31:09 records over email over the the sharing
00:31:12 of the information between you know
00:31:14 parties like hospitals and whatnot
00:31:17 looking at the software team sort of the
00:31:20 you know who's building these
00:31:21 applications you know is it companies in
00:31:23 the United States is Canada it could be
00:31:25 built anywhere in the world now so when
00:31:27 they're building these applications
00:31:28 those applications are really looking at
00:31:33 the electronic medical records and
00:31:35 they're going to be really subject to
00:31:36 the same HIPAA requirements because
00:31:39 they're kind of looking at the EMR and
00:31:41 so that's been a kind of an eye-opening
00:31:44 discussion with a lot of at least
00:31:45 customers that that I talked to where
00:31:47 they think HIPAA is just about your
00:31:50 records and they're not thinking well
00:31:53 we've got all these cool applications
00:31:55 that our doctors love and it lets them
00:31:57 collaborate and whatnot and you know but
00:32:01 nobody's thinking about the security of
00:32:03 those applications so if somebody
00:32:06 puts a something nasty in one of those
00:32:08 applications that is looking at your
00:32:11 records right because they're presenting
00:32:13 it to the doctor on their iPad what not
00:32:15 then there could be you know there's a
00:32:17 vulnerability you know they could
00:32:19 effectively take your records and ship
00:32:21 them somewhere and which has personal
00:32:23 information so again it's a new area for
00:32:28 HIPAA around the software that that
00:32:32 powers these cool apps that doctors are
00:32:35 loving because it makes things quick for
00:32:37 them and easy they can look up stuff
00:32:39 really quickly so like I said it at a
00:32:43 general level it's it's a it's a still a
00:32:45 booming field because the medical
00:32:48 industry is still going digital they got
00:32:52 a long ways to go but one thing's for
00:32:54 sure is that you know the hospitals and
00:32:57 the doctors that have adopted new tools
00:33:03 to you know go faster they you know they
00:33:07 love the tools you know it's they came
00:33:09 but once they start they can't stop
00:33:10 because it makes their their whole
00:33:12 workflow so much simpler and like I said
00:33:15 it's important to have security be a
00:33:19 topic of discussion so when they're
00:33:21 buying those apps they should they
00:33:24 should ask those questions you know so
00:33:26 and at least that's what we're we're
00:33:28 hearing and I think it's an interesting
00:33:30 evolution of of HIPAA as apps become you
00:33:35 know commonplace in hospitals and
00:33:38 doctors offices I mean everyone's going
00:33:42 mobile and digital but is if you're a
00:33:45 doctor you're backlogged on patients all
00:33:49 the time and the more productive the
00:33:53 more patients you can see the more folks
00:33:54 it can get processed through your
00:33:56 practice or your facility the more
00:33:58 revenue the business makes so there's
00:34:00 this trade-off of revenue and
00:34:02 productivity versus security and and
00:34:05 it's it's a hard push and pull on that
00:34:08 risk management directed risk balance
00:34:10 inside of whether it's a medical
00:34:13 practice or any business out there the
00:34:15 the type of data in medical practices is
00:34:17 folks listening from a
00:34:19 a classification perspective you have
00:34:22 medical records which contain facts and
00:34:24 you can't if if facts get out there and
00:34:27 the information is now disclosed
00:34:31 you can't go cancel your fact that you I
00:34:35 had shoulder surgery 20 years ago like
00:34:38 that's a fact I can't go cancel the fact
00:34:40 if my credit card number gets out there
00:34:41 I can cancel that credit card I can get
00:34:43 a new credit card number and I can start
00:34:45 over so you have these facts that are
00:34:47 permanent and these in this information
00:34:49 once it's out it's gone for good it's
00:34:51 like your mother's maiden name if you're
00:34:53 a security engineer and you're using
00:34:55 that for a security question please stop
00:34:57 because I can't go change my mother's
00:34:58 maiden name
00:34:59 my mother's maiden name is gonna be the
00:35:01 same thing from now until the end of
00:35:02 time for security questions use
00:35:05 something that can change something that
00:35:07 is temporary because those security
00:35:10 questions could get compromised as well
00:35:11 so facts for authentication and is is
00:35:16 risky and these information that are
00:35:18 permanent facts you've got really as a
00:35:20 steward of that you have to do more to
00:35:24 safeguard it because once it's out there
00:35:27 and exposed you can't put it back inside
00:35:30 Pandora's box and things like medical
00:35:33 records can have a dramatic impact on
00:35:37 somebody's life if that information is
00:35:39 out there and shared in a manner that
00:35:43 they didn't get to control or disclose
00:35:46 exactly I mean it goes you know you're
00:35:49 looking at the insurance market in this
00:35:52 hole you know there's a national debate
00:35:54 about health care and whatnot which is
00:35:57 not for this show but the you know
00:36:01 you've got insurance companies that have
00:36:04 used information from I'm not sure where
00:36:07 that has been obviously disclosed
00:36:09 somehow about you know pre-existing
00:36:11 condition you know data that was very
00:36:14 sensitive you know and once it's out you
00:36:16 know you now have you know a big problem
00:36:20 if you're trying to get you know health
00:36:22 care or just kind of some kind of
00:36:24 insurance so back to Bret's point
00:36:26 around kind of that permanent nature and
00:36:29 I think that's why you know HIPAA
00:36:31 is a good framework and like any
00:36:33 framework it it needs to constantly
00:36:36 evolve to meet where we're at so every
00:36:41 good law should be amended as things
00:36:44 move and so with with the whole you know
00:36:47 apps in hospitals that that's a new
00:36:49 thing yeah
00:36:50 and now the the internet-of-things
00:36:51 hospitals I mean all of the equipment in
00:36:54 the hospital or even devices on people
00:36:57 it's I mean if so many folks now carry a
00:36:59 Fitbit around so like you've got a
00:37:01 low-level medical device effectively
00:37:03 they're you're carrying on your person
00:37:05 it's connecting back to your phone via
00:37:06 Bluetooth and then it's your phone's
00:37:10 connecting up to the internet and
00:37:11 sharing that information but as you look
00:37:14 at these medical internet of things I
00:37:16 mean imagine if that was an insulin and
00:37:18 a blood sugar meter and it was tied into
00:37:21 your insulin pump and a hacker could get
00:37:23 access to that now a wrong dosage of
00:37:26 insulin can be fatal
00:37:27 so healthcare it's as you mentioned it's
00:37:31 interesting the hospitals are still
00:37:32 working their way online but you have
00:37:34 doctors and patients that are demanding
00:37:36 these apps they're demanding easier
00:37:40 tests they're demanding more automation
00:37:42 because if you're they have diabetes and
00:37:45 you don't want to have to stop multiple
00:37:47 times a day to take tests regulate your
00:37:50 blood sugar check all these things it
00:37:51 would be much easier much more
00:37:53 convenient if you could just have an
00:37:54 Internet of Things device hooked up to
00:37:57 you that just kept you at a good level
00:37:58 all day and you didn't have to worry
00:37:59 about it anymore but on what risk on the
00:38:03 security side of these things yeah
00:38:04 exactly and I think that's the that
00:38:09 that's really I think the question of
00:38:10 the day I mean it's it's actually an
00:38:11 opportunity for the healthcare industry
00:38:13 to to make sure that you know that
00:38:17 they're bringing these new things online
00:38:18 which the patient's love the hot the
00:38:22 hospitals are bringing those online and
00:38:25 in a lot of cases you know back to the I
00:38:28 this Internet of Things so these small
00:38:31 little devices that are connected but
00:38:32 they're not very powerful or smart
00:38:34 themselves they rely on you know
00:38:37 something smart that they're connecting
00:38:39 to you know the the interesting thing
00:38:43 about that is that
00:38:45 the the whole area is is kind of ripe
00:38:50 for you know kind of a booster shot in
00:38:54 the security aspect I mean nobody is
00:38:58 focusing in my opinion strongly on you
00:39:02 know the security of IOT or Internet of
00:39:07 Things applications because you know
00:39:11 there's there's a you know there's other
00:39:13 markets that are how would I say much
00:39:15 more much more attractive from you know
00:39:19 revenue perspective so security
00:39:21 companies or providers of security they
00:39:27 tend to go after things you know where
00:39:29 you're able to get the maximum return
00:39:31 for potentially less effort and so I
00:39:35 think it's an interesting kind of deal
00:39:36 around where you know how does it how do
00:39:39 we get to the point where the healthcare
00:39:40 industry demands more from their supply
00:39:43 chain that the apps they use you know
00:39:46 the maybe they'll buy an app that has to
00:39:48 prove that it was built in a secure way
00:39:51 you know over a different app so now
00:39:54 you've got these these providers having
00:39:56 to rethink how they look at security you
00:40:01 know becomes a competitive advantage to
00:40:02 offer your you know your your
00:40:05 application as a as a provider that's
00:40:07 got all of these things figured out and
00:40:11 so I think it you know it's really on
00:40:14 the the consumer side so the hospitals
00:40:16 doctors to to know that they have to ask
00:40:18 those questions yeah and there's a good
00:40:21 group of folks out there asking these
00:40:23 hard questions but you've kind of talked
00:40:25 about if you've got security skills
00:40:27 right now you're gonna be taking the
00:40:30 highest paying job that is out there in
00:40:33 a lot of cases because there's good fun
00:40:35 challenging work across all sorts of
00:40:37 different industries now from a cyber
00:40:39 security perspective this is a frequent
00:40:41 topic for us here on the program is just
00:40:43 about the education around cybersecurity
00:40:46 is there's hundreds of thousands of job
00:40:48 openings now and I believe that there's
00:40:49 kind of a latent pool of maybe a million
00:40:52 more job openings behind the scenes
00:40:53 where folks would love to hire somebody
00:40:55 with security expertise but it either
00:40:57 doesn't end up
00:40:58 as a requirement for a job that gets
00:41:00 posted or if it's a security specific
00:41:03 job they just don't post it because they
00:41:04 know they cannot find qualified
00:41:06 candidates so why do I tie up one of my
00:41:08 reqs with a job that I know I can't
00:41:11 fill in many large companies hiring
00:41:13 managers are given a pool of job
00:41:16 openings and if they set one as a
00:41:18 security analyst or security engineer
00:41:20 and they can't fill that they can't hire
00:41:22 and fill that with a software developer
00:41:24 or a system administrator that maybe
00:41:26 they could teach some security to or
00:41:28 they could say hey can you be the
00:41:29 software engineer that's gonna try to
00:41:31 help us make this stuff more secure so
00:41:34 they'll fill it with a generic technical
00:41:36 person and then look to try to train
00:41:38 them in security so this the skill
00:41:41 shortage in this gap is causing issues
00:41:44 across many different industries and and
00:41:48 this is one way I kind of frequently
00:41:51 recommend folks choose in many
00:41:55 cases they can a software as a service
00:41:57 solution instead of trying to build
00:41:58 their own applications because the
00:42:01 software service providers even as we
00:42:04 talked about the Uber breach and these
00:42:05 other things early on they all have
00:42:07 highly qualified security teams and
00:42:09 they're working really hard at keeping
00:42:11 these things as safe as possible and
00:42:12 they even still run into issues from
00:42:14 time to time but if you're building
00:42:16 software and you don't have a security
00:42:19 engineer if you don't know what static
00:42:20 code analysis is if you don't know what
00:42:22 dynamic code analysis is if you don't
00:42:23 know what a white hat hacker is or white
00:42:26 box testing or blackbox testing or any
00:42:29 of these different things if you don't
00:42:31 have people on your team doing these
00:42:32 things you're not gonna be in a spot
00:42:34 where if an attacker decides to end up
00:42:37 targeting you and they could do it on
00:42:39 purpose because they want to go after
00:42:42 your business or they could do it on
00:42:43 accident because you just happen to fit
00:42:45 a profile that their automated tools
00:42:47 scanned and found you should be yeah
00:42:49 using software as a service solutions
00:42:51 whether it's all the way to store your
00:42:53 source code all the way through to
00:42:55 running your website there's little to
00:42:58 no reason to host your own website
00:43:00 anymore unless you again have your own
00:43:04 team of web security experts and then if
00:43:06 you look at it you may go like for
00:43:09 hosting this service or
00:43:11 paying for this monthly subscription is
00:43:13 more expensive than buying a server
00:43:15 myself but you really aren't looking at
00:43:17 the whole suite of costs in there is
00:43:20 from a security perspective all the way
00:43:22 from the hardware up through the
00:43:24 operating system to the application
00:43:26 there's constant patching update and
00:43:28 maintenance that has to happen as new
00:43:31 vulnerabilities are discovered at every
00:43:33 layer and if you are not turning over
00:43:36 and managing and maintaining all of
00:43:37 those things again the hackers only have
00:43:39 to find one chink in the armor they've
00:43:42 only got to find one way to get to get
00:43:43 in and you have to continually update
00:43:46 patch and monitor all of these the the
00:43:48 US-CERT mailing list which if everyone
00:43:51 if you're paying attention of the stuff
00:43:52 and working in this area should
00:43:54 subscribe to and monitor last week there
00:43:57 was over a hundred vulnerabilities
00:43:59 released during Thanksgiving week and if
00:44:01 your team was not in reading them
00:44:03 understanding if they impact your
00:44:05 business or not in paying attention to
00:44:06 those then something could have come out
00:44:09 over that holiday week where your
00:44:12 business is now at risk for some period
00:44:14 of time and it this is a constant
00:44:17 ongoing discovery of new defects that
00:44:21 leads to new risks that have to be
00:44:24 patched or mitigated or you have to just
00:44:27 accept that maybe they're gonna be out
00:44:29 there and open yep yeah and you know our
00:44:33 company I mean the companies in the
00:44:35 space whether it's security or whatever
00:44:39 end up doing you know we're working over
00:44:42 the holidays I mean our systems our
00:44:44 software processes are working over the
00:44:48 holidays and so I think that's that's
00:44:49 really the key right is you could be
00:44:52 enjoying your your Thanksgiving holiday
00:44:54 but your website is you know be up to
00:44:59 date because you've got a company that's
00:45:01 really working 24/7 so you know you know
00:45:03 it kind of moves the you know you feel
00:45:06 feeling good about it your Thanksgiving
00:45:08 that you know your stuff is secure so
00:45:10 that that's why people I mean that's why
00:45:12 it's so popular nowadays so yeah and
00:45:14 it's interesting on the computing side
00:45:16 where folks have kind of felt this need
00:45:18 to do it themselves because if you have
00:45:19 an office building you probably hire an
00:45:21 alarm company to monitor your physical
00:45:23 alarm and
00:45:24 building to watch the cameras for you to
00:45:27 take care of all those things to respond
00:45:28 in the event of an incident but then
00:45:31 folks feel that need to do all of those
00:45:32 activities for their own computer they
00:45:34 monitor their own systems they respond
00:45:36 to their own incidents and and it's one
00:45:40 where nowadays as I got out there and
00:45:43 talked to two bank executives they're
00:45:46 not worried about Jesse James coming
00:45:48 through the front door with a hood on
00:45:49 anymore they're worried about the cyber
00:45:51 criminals coming in over the Internet to
00:45:53 their bank branches so those guys all
00:45:56 now whether they're paying a third party
00:45:58 or they've built their own teams they
00:46:00 are monitoring the your internet banking
00:46:02 branch 24/7 and checking that responding
00:46:06 to alerts in real time is they they have
00:46:08 to because they know that's where the
00:46:09 the criminals are now many businesses
00:46:12 that are outside of these highly
00:46:14 regulated super high risk industries are
00:46:16 still maybe paying for a physical alarm
00:46:19 but not paying for their internet to be
00:46:21 monitored yeah
00:46:23 and and that's that's that's a great way
00:46:25 to put it yeah so as you're out there
00:46:30 we've got some listeners with us that
00:46:32 maybe you're interested in getting into
00:46:35 working for a pure tech company so maybe
00:46:37 they're there in school now or they're
00:46:40 working on a technology department of a
00:46:42 business that does something else what
00:46:44 kind of big difference do you see or
00:46:45 advice do you have for them to make that
00:46:47 that shift from school into a technology
00:46:49 firm or from a general businesses
00:46:52 technology department into a company
00:46:54 that does nothing but tech all the time
00:46:56 yeah so I mean what I would say is is
00:46:59 around you know again it depends on the
00:47:03 type of role but let's say it's a
00:47:05 technology - technical role so something
00:47:08 in the development or operations or
00:47:10 DevOps area versus just business or
00:47:13 sales etc it would be around I like at
00:47:18 least what we see is that there's a you
00:47:20 know self-starter so you know if you're
00:47:22 able to demonstrate you know a grasp of
00:47:26 particular new technology or or you've
00:47:29 built some new way of approaching a
00:47:32 problem so you know you may be working a
00:47:34 larger company and you know while the
00:47:38 official line says you know there's not
00:47:40 really any time or any need to change
00:47:41 something you know you've gone out of
00:47:43 your way to create kind of a better way
00:47:45 of securing something or doing a process
00:47:49 you know whether that's a university or
00:47:52 like I said at an actual company
00:47:54 demonstrating that or kind of showing
00:47:57 that kind of initiative at least tech
00:48:00 companies in our our size you know which
00:48:02 are typically smaller you know less than
00:48:04 a hundred people small businesses that
00:48:08 goes a long way so the the kind of pure
00:48:10 academic you know I know every single
00:48:13 new acronym or technology that's out
00:48:17 there you know those are important at
00:48:18 some level but you know I look for at
00:48:21 least kind of initiative you know almost
00:48:24 like entrepreneurism internally
00:48:27 self-starter self motivating so you know
00:48:31 like I said that that kind of balanced
00:48:33 with with the skill set you know so
00:48:36 there's you know if you're going to want
00:48:38 to go into a web company there's a list
00:48:40 of you know web technologies if you want
00:48:42 to go to security you know it would be
00:48:44 good to you know there's a lot of
00:48:46 different online courses or code up
00:48:49 academies or just even you know ninety
00:48:51 day programs where you can get you know
00:48:54 pretty good grasp on it and then take
00:48:56 that learning and try to do something on
00:48:58 your own and then you can use that as
00:49:00 almost like a resume ya know it's a
00:49:02 excellent advice you can check out our
00:49:06 rebroadcasts of cyber talk radio listen
00:49:09 to things about some of the programs at
00:49:11 San Antonio colleges area around here
00:49:13 other programs as well Codeup on the
00:49:16 software development side our Open Cloud
00:49:18 Academy on systems
00:49:19 administration and cybersecurity thank
00:49:22 you for joining us this week and a thank
00:49:24 you out there for listening to cyber
00:49:26 talk radio
00:49:27 [Music]
00:49:43 [Music]