November 6, 2020

The internet of things is taking off. 

IoT is bringing new innovations across the board…

But it’s also bringing a new set of vulnerabilities. 

If you’re looking to make sure you’re secure in the world of IoT, I can’t think of anybody better to talk to than Aaron Guzman, Co-Chair of the IoT Working Group, and John Yeoh, Global Vice President of Research, at the Cloud Security Alliance.

So, in the latest episode of the Virtual CISO Podcast, I do exactly that. 

We discuss (among MANY other things):

  • What is an IoT device “really”? (Spoiler alert: the definition is not what it used to be…)
  • How IoT is shaping the future of all of cybersecurity
  • The incredible implications that 5G may have for IoT
  • Who are the Cloud Security Alliance (CSA) and what are they doing to help secure IoT ecosystems
  • How to judge whether a third-party is qualified to secure and/or test your IoT environment

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the tool is 99% accurate, you may find some small discrepancies between the written content and the native audio file.

Narrator (00:00:06):

You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no-BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

Jeremy Sporn (00:00:26):

Hi, there and welcome to another episode of The Virtual CISO Podcast. I’m your MC, Jeremy Sporn, but missing today, the jelly to my peanut butter, John Verry, but don’t fret. Although John could not be here to record this intro, he gave us a gift with this conversation he had with John Yeoh and Aaron Guzman from CSA, the Cloud Security Alliance. It was phenomenal to hear from these two leaders in the IoT and application security space on just how to frame the conversation around IoT security. These guys are the ones writing some of the best guidance available for IoT developers, manufacturers, consumers, really the people who need to understand if these devices can be trusted to protect our data. It was great to hear some of the why behind the guidance they are creating. Really cool stuff.

Jeremy Sporn (00:01:23):

I can’t say enough how fortunate we are to have these two guys on the show. They work so this guidance. If you depend on the security of an IoT ecosystem to run and grow your business, John Yeoh and Aaron Guzman are two of the best resources to help you know if your data is safe within these IoT ecosystems. This conversation will prep you extremely well to make great decisions when developing or purchasing an IoT solution. Now, let’s get to the show.

John Verry (00:01:57):

John, Aaron, thanks for joining us. How are you today?

John Yeoh (00:02:00):

We’re doing great considering.

Aaron Guzman (00:02:01):

Doing well. Yep. Healthy. I’m good with that.

John Verry (00:02:06):

In COVID world, you can’t look past that, right? So, for any of our normal listeners, this is a little bit unusual. We’ve got two esteemed visitors instead of one tonight. Looking forward to seeing how this works out. Probably twice as much good information in the same period of time, which means that we should charge them about twice as much as we charge, and what’s two times zero, John?

John Verry (00:02:30):

I told you he was smart. All right. John and Aaron, would you guys be so kind as to give a brief introduction of who you are and what you guys do?

John Yeoh (00:02:37):

You bet. Hey, guys. My name is John Yeoh. I’m the global VP over at CSA and head of research, and basically what that means is I manage a lot of the research assets that come out of the organization. That includes also a lot of the relationships that we have with standard development organizations, federal agencies, and other professional organizations to make sure that what we do is very applicable to the industry, and also, everything that we do within the organization is also available to the industry. And we also try to do it zero times two, making that free to everybody as well, too, from a cost perspective, so that’s the unique thing that we do.

John Verry (00:03:16):

Cool. Aaron?

Aaron Guzman (00:03:19):

Yep. My name is Aaron Guzman. I am the product security leader over at Cisco Meraki and the co-chair of the IoT Working Group with Cloud Security Alliance. Been involved for at least a handful of years. I feel like since the beginning when the IoT Working Group was part of the Mobile Working Group, we kind of branched off from there. I also lead the OWASP IoT projects as well as a number of subprojects.

John Verry (00:03:44):

Gotcha. And you do that? Are you involved with the attack surfaces stuff with the IoT?

Aaron Guzman (00:03:49):

I was, yes.

John Verry (00:03:49):

Yeah, okay.

Aaron Guzman (00:03:50):

A while ago, yep.

John Verry (00:03:53):

And it’s great guidance. Something that we’re fans of. So, we always start easy, and before we get down to the real business, I always ask the question, “What’s your drink of choice?” John?

John Yeoh (00:04:03):

Boy, oh, with me, huh? I got to get and dive into a just whiskey neat. Every time I travel, I love to try different bourbons from different regions. Buy a small batch bottle, bring it back. I love the Scotches. I love the local American whiskeys and ryes, and to be honest, my collection’s so big to this point, I just need to have both of you over so we can tackle one. Just have a big toasting.

John Verry (00:04:27):

Okay. Where do you live? Where do you live?

John Yeoh (00:04:32):

I’m in Seattle.

John Verry (00:04:33):

Seattle. Well, I don’t know any. I’d take you up on that because I don’t know any of the local-made bourbons. I mean the bourbon scene’s active everywhere. Any favorites on the bourbon? Because I’m a huge bourbon drinker. That’s why I ask.

John Yeoh (00:04:44):

Yeah. There’s a distillery called Westland. Now, it’s they do some bourbon, but they’re mostly a wheat mashes. It’s very in the flavor of Scotch and Westland’s a pretty big distiller. They distribute all over, but that’s one of my favorite ones that’s pretty close to where I live. And I’ve been following them for a long time, so, yeah, yeah. Back in the day, in fact, they used to invite small groups of people over there to help them label their bottles, and then it’d be just a big tasting party, too, so-

John Verry (00:05:16):

Well, if you ever get to New York, and so if you ever get to New York, pick up a bottle of Widow Jane out of Brooklyn, which is a really but one of my favorite, super local, and obviously, there’s a ton of great stuff out of Kentucky. But in terms of local stuff, they’re really good. And, Aaron, what about yourself?

Aaron Guzman (00:05:32):

I am not as high maintenance as you both. No, I’m just kidding. I’m more of a cheap date. I mean I would say before my go-to drink was like a Makers neat or a Makers and Coke. But I’ve kind of went on the health train, and it’s all about seltzer Saturdays now, so …

John Verry (00:05:49):

And I’m assuming those aren’t hard seltzers at this point.

Aaron Guzman (00:05:53):

Sparkling waters or whatever, I’m not picky.

John Verry (00:05:57):

Hey, and nothing wrong with that.

John Verry (00:05:59):

So, let’s talk pretty simple, too, is that you guys were very quick on the CSA, which is to me a really great organization. Who is the CSA, and what does it do?

John Yeoh (00:06:11):

Hey, Aaron, maybe I’ll start just from at least from an organizational perspective. We’re not for profit in the technology space, and sometimes, that can look a little weird. But our mission is really to secure all forms of computing.

John Verry (00:06:27):

Mm-hmm (affirmative).

John Yeoh (00:06:27):

And so, when you think of not-for-profit, what the hell does that mean? We’re very membership and community driven, so everything that we do operates within this community that we have. A community staff of experts and stakeholders, and together, we build these best practices, tools, and frameworks. And the most important thing is we make that available to the industry, to the community, for free.

John Yeoh (00:06:51):

So, everything that’s developed internally with what we do, it’s going to be one, available to the community for free, and then two, it’s going to be very vendor-neutral in the way it’s designed. So, we don’t favor specific vendors. We really think the approach is securing all forms of compute. 11 years ago, starting with the cloud, and as we’ve all seen the industry evolve, I mean particularly in the last seven months, it evolves to all aspects of compute, and cloud becomes a really core foundational technology of all these. And so, cloud, IoT, securing forms of blockchain, and even preparing for the quantum age, it all becomes very relevant, and we try to address all these things.

Aaron Guzman (00:07:32):

Just to piggyback on kind of John’s explanation of what CSA is, there are local chapters as well as local events, conferences, summits in addition to working groups where we have the focus areas that John mentioned, blockchain. IoT is one of them. And there are some of the more public or more projects that maybe have the more, I don’t know, push behind them, and you might become familiar with the Cloud Controls Matrix as one of them and the CSA STAR for folks to kind of get certified as far as their infrastructure’s concerned. But like John mentioned, the kind of core of things are kind of the free research that we put out as well as some of the events as well, webinars, and so forth.

John Verry (00:08:25):

Yeah, I think anybody that’s listening, if you haven’t seen the Cloud Controls Matrix and you are someone that’s a SaaS or a technology service provider, do yourself a favor and pick it up. I think it’s one of the best forms of guidance out there on the market. What I like is like you know, we’re big believers in open trusted frameworks, things like ISO 27001. What I like is the fact that you guys have taken that and then kind of built on top of that, right? Which is what that CSA STAR program does, right? It’s a way to certify the Cloud Controls Matrix on top of ISO 27001.

John Verry (00:08:51):

Again, a really well-done guidance, and today, specifically, why we asked you guys if you’d be so kind as to share some time with us is you’ve come out recently with some really cool guidance on IoT. It’s a very big area for us right now bigger, a very big area for our clients, and I wanted to ask you some questions there. So, with that, I’m going to ask you one that’s going to sound like a stupidly simple question, but I don’t know that it is anymore. And that is what is an IoT device? And then, I’m sure your answer’s going to likely lead into the idea of an IoT ecosystem. So, what’s an IoT device, guys?

John Yeoh (00:09:24):

Mm-hmm (affirmative). You want me-

Aaron Guzman (00:09:26):

I’ll take the first stab. I’ll take a first stab, and the first stab would be that an IoT device is a physical device or a service that is controlled remotely via a user interface, so whether that’d be mobile or web, and it does have real world kind of consequences with cyber-physical systems as an example. And it’s network connected, so it has to be controllable remotely. So, and that’s kind of my explanation in a nutshell. If it’s a device that has network connectivity, that’s controlled via an app, to me that’s considered IoT.

John Yeoh (00:10:04):

Yeah, yeah. I think it’s, yeah, as it’s a very broad term, for sure, and I think it’s like Aaron said, it’s any device that has connectivity, especially internet connectivity. And I think it’s not just a connected device these days, but the expansion of what that means, right? And we’ve all had laptops and mobile phones and computers, that would connect to the internet, but the expansion of the type of devices that now connect to the internet is so different, and Aaron touched on those.

John Yeoh (00:10:33):

And we talk about sensors and small, really small compute devices that don’t have their own operating systems. They connect differently, and so we need to protect them differently. The security around that is going to be very different, and what we try to do, I guess, is when we look at a connected device and we try to kind of take that top-down and bottom-up approach to where start from the device itself and how you would secure or connect that device. And then, also, from your systems itself that are connected to the device. How can we implement security across that?

John Yeoh (00:11:08):

But when it comes to just a connected device, I feel like it’s just, man, anything that’s connected. Any IoT device is anything that’s connected to me.

John Verry (00:11:15):

Yeah. So, that’s an interesting question, and the reason why I said it becomes such a difficult question. So, you guys might have heard of the ioXt Alliance, right? So, this is another alliance that’s trying to come up with a framework, and Google actually for the first devices that were actually “ioXt aligned” or whatever the term they used were, were four Google Pixel phones.

John Verry (00:11:35):

And I’m thinking to myself, “Wait a second. Are we now going to consider a mobile phone an IoT device?” And then, I had a conversation with one of our clients with a very high-level person in their legal department. They have a huge array of IoT devices, and she defined an IoT device as and per the California SB-327 guidance. And she basically said, “Anything that can be authenticated from outside of the local area network,” with no definition of what a local area network is, what that actually means, and what authenticated means, which is really another crazy, broad interpretation. So, that was why I was asking is that I mean I think in a weird way we can all … It would be helpful if we had a better definition, right?

Aaron Guzman (00:12:17):

Yeah. I think somebody said it, but I think it says, “Directly or indirectly,” right? So, it’s like Bluetooth, Wi-Fi, or whatever other in-between mix.

John Verry (00:12:24):

Yeah. And is Bluetooth the only player in a network? It’s I mean, yeah.

Aaron Guzman (00:12:28):

It is.

John Yeoh (00:12:29):

Mm-hmm (affirmative).

John Verry (00:12:29):

Yeah. I think it is. Yeah. But I mean but technically, it’s a PAN, right? I mean if you look at the definition, it’s a PAN not a LAN, so it is really an interest … That’s why I asked it as a question, and I meant it somewhat tongue-in-cheek, but I also mean it in a serious way is because you do have these people that are saying like, “Do I need to test this device?” And it’s like, “And I don’t know how.” I’m like, “Look. You got to consult legal counsel. I can’t.” I’m not sure with the definition anymore. I thought I knew a little bit ago.

John Verry (00:12:58):

All right. So, let’s talk. And so, when you talked about you talked about an IoT device, so let’s talk about you guys came out with what I think you might refer to as an IoT security controls framework and an incredibly well thought out, well implemented version of one I might add. So, question for you is who did you intend this for, right? Did you intend it for end-user organizations to understand IoT devices and what risks they might provide? An IoT platform provider like a Thingworx or PTC or Azure, or an IoT device manufacturer that is either leveraging one of those platforms or is actually rolling their own? Who’s this intended for?

John Yeoh (00:13:36):

Brian, do you want to shoot that up first?

Aaron Guzman (00:13:39):

Yeah, yeah, sure. So, the framework is initially designed for kind of system developers, folks who are implementing an IoT system in an enterprise as well as designing an IoT architecture. So, not necessarily from the manufacturer perspective unless you are, let’s say, creating a custom feature using do that API that’s exposed to you, and now you know you have to undergo certain security processes to ensure you’re not introducing new vulnerabilities, as an example, which is some things that we’ve considered in the framework. But it’s really holistic from a process to technical controls to even safety and privacy. So, it’s really holistic from that perspective, not necessarily completely everything is a control that is testable or at least from a technical perspective, but the process part is what helps there fill those gaps.

John Yeoh (00:14:36):

Yeah, yeah. And I think we only took a page out of the Cloud Controls Matrix, too, so we can recall talking about the Cloud Controls Matrix earlier as a security control framework with high-level objectives for security and cloud and grab that cloud supply chain. And the IoT framework can be done in that similar way, too, with show me design with what Aaron had said in mind. But if you look at even some of the device layer controls in there, too, they can be very specific to at least manufacturers understanding like, “Hey, remember there’s some default principles when it comes to the manufacturers when it comes to sending out these devices to your customers.” Maybe there’s things that can be set as default.

John Yeoh (00:15:16):

And if we remember that initial wave of IoT devices that went out to where default passwords, for example, administrative passwords weren’t changed by default, and we saw huge vulnerabilities and exploits there. So, it’s things like this that I think that we can still give manufacturers guidance on, too, as well as the implementers and the administrators and the architects.

John Verry (00:15:36):

Gotcha. And the issue you’re talking about, right? That was the root cause, right, of the Mirai botnet, right? Wasn’t the Mirai botnet caused by a whole bunch of IoT, I think it was cameras, video cameras, right? That had a bad default password, and they were able to use that and steal the bandwidth?

John Yeoh (00:15:53):

Right. A gigabit, the OS, yeah.

John Verry (00:15:55):

Cool. So, when you look at the IoT, I think there’s another confusion or another not confusion but maybe a lack of consideration is that IoT is a lot of the guidance around devices, but when you look at an IoT ecosystem, right? There’s a lot more to it than just the device, right? You’ve got the device. We’ve got a piece of software often mobile software on an iOS or Android or a pick client device that’s intended to help you configure that, right? We’ve got the embedded web services and our API on the device in and of itself, so we’ve got a mobile app.

John Verry (00:16:27):

We’ve got a cloud component, right? So, we’ve got cloud infrastructure. We might have cloud API. We might have a cloud web app on top of that, and we may have ecosystem partners, right? You might be talking up through a Cradlepoint. You may, let’s say if we use Alexa as an example, and I hope she doesn’t answer. Thank you.

John Yeoh (00:16:47):

I’m familiar with that.

John Verry (00:16:47):

Yeah, yeah. I was waiting, but I mean if you think about it, you’re talking to her, and she’s out talking to the Spotify cloud and other clouds, right? So, again, same question what pieces does the IoT security framework that you’ve developed out of an IoT ecosystem address?

Aaron Guzman (00:17:03):

Well, we have 21 different domains that address holistic. I mean we really think about the device as well as infrastructure as code checks. Nowadays, you have Terraform. You have all these Docker Kubernetes. You have Docker files. You have these YAML files, but putting automated kind of checks and validation checks from a build perspective or a deployment perspective.

Aaron Guzman (00:17:26):

But we even go as far as to add legal considerations. It has its own domain, which I think really sets itself apart from other pieces of guidance and best practices and documents out there, especially from a framework perspective. But I mean I think literally from the ground up, we start with knowing what you have, asset management is the number one control domain, and because you can’t protect what you don’t know you have, and you don’t know how to protect it. You don’t even know the versioning of it. So, we start from asset management, config management, secure connections, and all the way down to security testing and the different types of security testing, which is, I might add, one of the newest sections that we’ve included in Version 2.

Aaron Guzman (00:18:07):

Security testing could be not only penetration testing, red teaming, but also third-party assessments where you really don’t have the in-house skill to, let’s say, perform the physical type of engagements, I would say, like a firmware or a hardware or even wireless as an example.

John Yeoh (00:18:25):

Yeah. And then, other controls, too, just to add on to what Aaron’s saying. They’re all applied architecturally.

John Yeoh (00:18:30):

So, John, you mentioned before, it’s applied to the devices, the networks, the gateway, and then the applications, and so you can kind of see within that ecosystem where specific controls apply. And I think that was a one big thing, too, is I’ve had these conversations a lot in the past. We mentioned, again, I keep bringing up the Cloud Controls Matrix, but it’s a really highly adopted controls framework for cloud. And people are always like, “Why do we need one for IoT? Why is IoT so different?”

John Yeoh (00:19:00):

And we already talked about how different the networks are having these local and these LANs and PANs that you need to worry about, so you got all these different kinds of Bluetooth, ZigBee, and other sorts of short-area, wireless networks. You have the messaging protocols that are different between these devices because again these devices are tiny, so we need to change messaging protocols. We need to change encryption protocols, certificate types, and so there’s so many things that can go into changing this ecosystem to where we really felt like a framework needs to pay attention to these details of IoT. What makes IoT different? All these devices that we talked about, what separates them from the way we do things currently? And this framework highlights those things.

John Verry (00:19:42):

Gotcha. Does it get, do you dig down into the absolute weeds? I mean like so as an example, I mean are we down into the JTAG UART world, right? Where it’s recognizing whether or not these mechanisms exist once we’ve kind of deconstructed a device and making sure that we’re protecting against the risks associated with that, most notably probably downloading firmware off of the device?

Aaron Guzman (00:20:05):

That will likely come about as part of an assessment, the security testing phase.

John Verry (00:20:09):

Mm-hmm (affirmative).

Aaron Guzman (00:20:10):

There’s not much that an enterprise can do other than make better buying decisions and be informed through transparency. I don’t know if we have a particular, I mean not from manufacturing perspective, it would include that, but we actually have secure configuration control that addresses like locking down debug interfaces.

Aaron Guzman (00:20:28):

And again-

John Verry (00:20:28):

Yeah. I think-

Aaron Guzman (00:20:29):

… only to toss it to.

John Verry (00:20:30):

… to me those are essentially a form of a deep interface.

John Yeoh (00:20:33):

Yeah, and we don’t get too prescriptive just, you know, John, I mean things change so quickly too, right?

John Verry (00:20:38):

Mm-hmm (affirmative).

John Yeoh (00:20:39):

How you do configs, how you do testing, and so not to be too high level with the objectives, but they do have a purpose and a process, and then how you fulfill that. There’s additional guidance that CSA’s Working Group will produce that complements the control and how you implement those controls or test controls, and other organizations, too, such as OWASP and CIS and a few others have aided in them in that, too.

John Verry (00:21:06):

Gotcha. Now, Aaron, you’re making me very jealous here because you referred to Version 2, and last time we chatted, we talked about Version 1, and that’s what I have downloaded. And if you saw me looking very anxiously at the screen, that was because I went to your website, and it still looks like I downloaded copy on my other laptop before we started anything, and I still got Version 1. So, how come I’m not getting Version 2? I mean the testing guidance is what I’m looking for, man. Where is it? You holding out?

Aaron Guzman (00:21:34):

Yeah, yeah. No. Great question, and we had all intentions of releasing Version 2 before the CSA SECtember event, but essentially, it’s going to come out on the next week or so in peer review.

Aaron Guzman (00:21:48):

And we’ll be sure to share that with you as well if you’re interested in reviewing.

John Verry (00:21:50):

Of course. I would love to see it.

John Yeoh (00:21:54):

These peer reviews are open to the public once they’re released, but also, what’s open to the public, John, is joining a working group. So, if you join the IoT Working Group, man, you’re a part of the whole thing. You can start. You can contribute. You can see it right away, so-

John Verry (00:22:08):

You got me. I invite you on the podcast, and the way you pay me back is to give me homework to do, John? Aaron, he’s got a lot, and the next time you come back on, don’t bring John along with you, okay? I mean he reminds me of Jim Gaffigan. He reminds me.

John Yeoh (00:22:20):

What happened to my bottles of bourbon I was bringing you? Can I buy 20 seconds?

John Verry (00:22:23):

Okay, all right. Tell you what. Are we drinking bourbon at these working group sessions? If we are, and you’re grinning, then I’m with you, man.

John Yeoh (00:22:28):

All right.

John Verry (00:22:28):

I think this virtual thing is going to make it hard for me to drink your bourbon.

John Verry (00:22:32):

I think you were going to drink your bourbon, and I’m going to drink my own. But, all kidding aside, if there is a way for us to sign up to be part of that review group and add comments and things of that nature, we’re doing a ton of testing right now, and having the most recent expert guidance and thought process on this would be fantastic. Because I mean it is an emerging field, and for anyone to say that they’re experts in it or everyone to say they have everything figured out and they do everything perfectly, it would be a foolish thing to say at this point. I think we’re all still learning.

John Verry (00:23:06):

So, any like sort of a sneak peek on what it’s going to look like? Are you guys intending it to be more like a certification scheme where somebody can actually say that they had a CSA IoT Testing Framework 1 Accreditation, or not a certification, but some … Do you guys see it that way, or is it just like this first document that I read more what I would call an excellent form of guidance?

Aaron Guzman (00:23:33):

That is absolutely part of the plan. We do have an open certification group, a working group, right? John, who has definitely been pushing us to try to get this in a more certification kind of road map, and that is our plan. This pandemic put some brakes on some of the mental capacity, but it’s definitely part of the road map for sure.

John Verry (00:24:00):

Good, good, yeah. So-

John Yeoh (00:24:00):

We’re getting a lot of aid from other organizations, too, that wanted to participate in that, too, like you will and some other folks who really see that as how can we take this framework, the controls here, and apply that to the ecosystem from the manufacturers to the services to the service providers? And then, yeah, can individuals themselves get certified on something like, “Hey, I understand IoT. I’m able to certify myself as a professional,” like in-

John Verry (00:24:28):

Oh, cool. So, you think you might even go with a not only a more formal attestation scheme, but there might actually be certification programs for testers?

John Yeoh (00:24:37):

Yeah. We’re kind of looking at all those things, John, and so hopefully, yeah, we’ll see what it takes. We definitely listen to what the industry wants. If we need more professionals that are certified against something like that, yeah, we want to provide that to the industry, so-

John Verry (00:24:52):

I think it would be awesome because I think right now, there’s a lot of people out chasing a lot of business to do this testing, and I almost feel bad for the people that are hiring people like us because I mean there is no way to know whether or not someone’s qualified to do this. I mean they can have an OSCP. They can have a CWE. They can have a CEH, but this is a different beast than these ecosystems are.

John Verry (00:25:13):

And that’s why I kind of talk about the ecosystem concept. I mean you could argue that it’s you need to know the Mobile Application Security Verification Standard. You could argue that you need to know the application security with the cloud. You need the API security, and device testing is an absolutely unique field, right? So, I applaud the effort and 100% in support of it, and we’ll do anything we can to support you guys on it.

Aaron Guzman (00:25:33):

Hey, John, we actually plug those projects from OWASP in our security testing guidance to ensure that the folks-

John Verry (00:25:40):

Good, good.

Aaron Guzman (00:25:41):

… are using the industry standard.

John Verry (00:25:42):

I love this. You know, Aaron. You and I have talked about this once before. I’m an unabashed OWASP fanboy, and we’ve been lucky enough to have some, you as the, I think the fourth great member of OWASP that we’ve had on. We’ve had Daniel Cuthbert on to talk about ASVS. We’ve had Andrew on to talk about the Top 10, and we’ve had Jim Manico on to talk about security awareness training and things that fix your coding.

Aaron Guzman (00:26:07):

A lot of energy there.

John Verry (00:26:07):

Oh, my God. He’s a fun guy. I’d like to spend some time with him. He and I, we had a blast.

Aaron Guzman (00:26:13):

I mean, he’s from New Jersey, too.

John Verry (00:26:15):

Yeah, but now he’s in like Hawaii, right?

Aaron Guzman (00:26:17):

Yeah. He’s in Kauai, yeah.

John Yeoh (00:26:17):

Oh, wow. Nice.

Aaron Guzman (00:26:17):

He’s sold out.

John Verry (00:26:17):

All right. Cool.

John Verry (00:26:21):

So, we’ve alluded to, right? We’ve talked about the framework a little bit. Can you dig in a little bit different, right? There’s 160 controls across 19 domains. One of the things that I thought was really well-executed about it was you take a very risk-centric approach, which to me is the right way to do things, and I’m surprised how often people don’t. And that you also have the controls. You have a mechanism by which based on the risk, you can prioritize the controls. Can you talk about a little bit of the framework, the construct that different domains give someone, kind of paint a picture a little bit of it?

Aaron Guzman (00:26:52):

Yeah, for sure. We definitely have the core controls, right? Which folks will often look to first, and they’ll be, “Okay. These controls matter to us.” And we also have the impact levels, the confidentiality, integrity, and availability, and we based it off of a FIPS 199, 200 to kind of level set.

John Verry (00:27:11):

Mm-hmm (affirmative).

Aaron Guzman (00:27:11):

And usually an organization will define their own appetite for confidentiality, integrity, and availability, so the default ratings that we gave for each control could be different for your environment. We also supply supplemental directions for the particular control itself. It may help you in the implementation phase or in an auditing phase or an assessment phase.

Aaron Guzman (00:27:38):

And additionally, we have areas that you can get more granular as far as the control type and whether it is something that you can automate, or it’s manual, as well as whether it is, I guess, the cadence, you can say. I’m trying to pull up the guide here so I can actually know word for word what I’m talking about here. But, yeah, so we have the control type, whether it’s manual, automatic, or semi-automatic, and the frequency is the implementation guidance there. And of course, that varies depending on your priorities and your industry.

John Verry (00:28:14):

Mm-hmm (affirmative).

Aaron Guzman (00:28:14):

And then, we further get granular whether that particular control applies to the device, the network, a gateway, or a cloud service. That’s one thing that we had changed. It was, I think, SaaS before, but we realized that cloud services are actually what’s being consumed in an IoT ecosystem more than just a SaaS, right?

John Verry (00:28:35):

Yeah. As we’ve gone towards Lambda-style interfaces on stuff. Yeah, it’s no longer a SaaS, right?

John Yeoh (00:28:41):

Right, man.

Aaron Guzman (00:28:42):

Yeah, yeah.

John Verry (00:28:42):

Service as computing is definitely something that I think we’re going to see a lot more of in the IoT space.

John Yeoh (00:28:48):

Even device type was really unifying that just because I mean there’s just so many different kinds of devices that are coming out, too, where to have a complete list would just … Yeah, you’re always limiting yourself when you try to come up with lists like that.

John Verry (00:29:01):

Yeah, yeah, yeah. I think your imagination is the limit of the types of devices that we’re going to see, right?

John Yeoh (00:29:07):

Yeah, but we did try to create a pretty exhaustive list of controls.

John Verry (00:29:10):

Mm-hmm (affirmative).

John Yeoh (00:29:13):

And then, we know organizations, as they do with all frameworks, I mean, yes, you want to meet and you know the requirements in the entire framework, but you’re always going to pick and choose which ones are really important to you. And so, at least if you have an exhaustive list to start with, you can then select and say, like, “All right. This one’s very applicable, what I’m doing now. This is very applicable to my environment. This protects me and my customers.” So, yeah.

Aaron Guzman (00:29:36):

That’s what we tried to do with the impact levels, right?

John Yeoh (00:29:39):

Yeah, yeah.

Aaron Guzman (00:29:40):

The high criticality. We want you to focus on those accordingly, and then probably prioritize the mediums and lows, depending on-

John Yeoh (00:29:47):

Mm-hmm (affirmative).

John Verry (00:29:48):

Yeah. That’s what I thought was great about it is that, I mean and it also allows you to go through in a risk-centric way and then go, “Let me get rid of everything that’s critical now.” And any good control framework has the concept of continuous improvement, so I can knock off all the highs this year, and then I can kind of start working my way through the mediums. And even if I’m going for an ISO 27001 process as an example, the auditor wants to see continuous improvement, you guys gave them a built-in way of going through continuous improvement, which I thought was elegant.

John Verry (00:30:15):

Question for you. So, there’s a couple terms that you use in there that are also ill-defined terms to me that I sometimes struggle with even myself. So, talk about you use the term at the edge. So, talk about what is when people talk about IoT, what is the edge?

Aaron Guzman (00:30:30):

That’s great, then we actually changed that wording.

John Verry (00:30:34):

Oh, you did? You changed it in there?

Aaron Guzman (00:30:34):

We did.

John Verry (00:30:34):

And do we-

Aaron Guzman (00:30:35):

We did because there was a little bit of ambiguity there with the edge, and I think that was part of the architectural allocations that we defined when we defined device network gateway into the rest of it.

John Verry (00:30:48):

Yeah, you did. Yeah, it’s in the network in the cloud, right?

John Verry (00:30:49):

Which I thought was helpful, and I also liked the fact that you used the term sensor and actuator because I think it’s A, interesting for people to think of it that way. B, actuators, I think inherently have a higher risk than just sensors do, so I like that as well.

John Verry (00:31:03):

So, what did you change at the edge to because I guess you agree with me?

Aaron Guzman (00:31:06):

So, I’m sorry.

John Verry (00:31:06):

It’s one of those oddly defined terms.

Aaron Guzman (00:31:08):

For sure, for sure. That was my big kind of nitpick for Version 2 was like, “I’m writing this. I don’t even know if this control applies to the edge for this particular domain.” So, what I was reading off of was Version 2, so I apologize for that. So, we changed those to device, to network, to gateway, and cloud service.

Aaron Guzman (00:31:32):

We simplified that to four rather than kind of I think the edge and the fog and all these other industry terms that we had.

John Verry (00:31:40):

And so, my site, and so, now, by the way, you still haven’t answered my edge question.

Aaron Guzman (00:31:46):

I mean, I don’t-

John Verry (00:31:47):

What is your definition of the edge?

Aaron Guzman (00:31:50):

I think the edge is especially with IPv6, right? I mean you have devices who are connected via 4G and soon to be 5G that they’ll be they’ll have their own edge or rely on the internet provider. But I think the term was coined initially by a certain manufacturer as far as the edge is concerned, and it’s not really a term that I’ve ever agreed with.

Aaron Guzman (00:32:16):

But for me it’s like wherever that device is placed in contextually in an environment. It varies based on the firewall, based on the device of its own host-based kind of firewall system, whatever it may be, so I don’t have a clear answer for you because that’s-

John Verry (00:32:30):

Okay, good. You’re making me feel … It’s good when the guy who wrote it, who’s writing IoT guidance tells me it’s a little unclear because I got to be honest with you. I literally do struggle with that term. I always had this image of the edge being something where there was some form of interpretation of data happening prior to getting all the way back to the cloud, to the center. You know what I mean?

John Yeoh (00:32:54):

That’s interesting.

John Yeoh (00:32:56):

That’s such a big part of it, too. I think the best way to even explain an edge is if you look at connected vehicles, right?

John Verry (00:33:03):

Mm-hmm (affirmative).

John Yeoh (00:33:03):

If you have these sense, understand, and act methods that you need to do if you’re, let’s say, implementing braking systems with a pedestrian in front of you. So, if you need to process that information and put it back up to your cloud and then bring it back down, I mean there’s a lot of latency there.

John Verry (00:33:20):

Mm-hmm (affirmative).

John Yeoh (00:33:20):

And if you need to react quicker, you need to have those kind of analytics somewhere at the so-called edge. So, that’s where that edge, I think, story started, and we touched on it earlier, too, right? Aaron, with the 5G, and now if we’re thinking of 5G capabilities now to where, I mean, 5G capabilities to now replace corporate networks. If you can start lighting up corporate buildings with 10 gigabytes per second, there’s going to be a lot of cost savings there, and you’re going to just go directly to 5G networks.

John Yeoh (00:33:54):

And we even see some of the major cloud providers that are now moving stuff out of their data centers, and you have data and information out that’s just going to be living in an active 5G network. I mean that’s pretty incredible if you think about it, so this, I think what we’re doing with IoT, this IoT framework, and even if you want to call something edge- or network-based, I mean it could be there. In the future, it could be there permanently, and so-

John Yeoh (00:34:20):

Yeah, it’s something to think about.

John Verry (00:34:23):

Do you think that an edge … What about devices that do their own AI? So, like you said, autonomous vehicles, right?

John Yeoh (00:34:28):

Mm-hmm (affirmative).

John Verry (00:34:28):

There’s some level of AI that takes place maybe in the cloud but to some level that takes place, and then can a device itself be considered the edge? If it’s making some decisions that way, or is an edge some intermediary between the device and the brain, the essential cloud APIs?

John Yeoh (00:34:50):

There’s that broad term, right?

John Verry (00:34:51):

Okay, right.

John Verry (00:34:53):

And so, I’m going to ask you one more confusing term to me that I always struggle with, and it’s a NIST term, which it makes it even worse is fog.

John Yeoh (00:34:59):

Yeah, it is.

Aaron Guzman (00:35:02):

Brian could definitely hammer that one in. He definitely talked about fog a lot.

John Verry (00:35:06):

You guys are making me feel so much better. I got two guys that are smarter than me, and they both look at me a little bit like, “Yeah. It’s one of those tough ones.”

John Verry (00:35:12):

That’s okay.

Aaron Guzman (00:35:12):

Honestly, I mean-

John Yeoh (00:35:15):

Well, so right before it gets to the cloud, all that processing that happens there, and I know there’s a provider that coined that term, too, and it got it in NIST-speak to see if the-

John Verry (00:35:24):

So, the fog is the crap that happens before you get to a full cloud.

John Yeoh (00:35:27):

Yeah, yeah. Again, it’s all that stuff has to get processed closer to the device, so it’s not just about the device and cloud. There needs to be some processing in-between, and that’s that fog layer. That’s that edge layer.

John Yeoh (00:35:40):

So, where it’s now-

John Verry (00:35:40):

So, now, they’re similar concepts.

John Yeoh (00:35:41):

Yeah. Close to the device, there needs to be processing power and capabilities and analytics and an ability to make decisions and understand something, and so that’s when that’s this whole edge, fog terminology came to be.

John Verry (00:35:55):

Now, that’s cool. Thank you.

John Yeoh (00:35:57):

It’s funny because these conversations I had this. Had a conversation with NASA a number of years ago, and that was one where really a rug in my head where they’re like, “Yeah, John. So, if we have satellites out there, and we’re trying to send stuff back to the cloud here on earth, we’re going to have several light years of information that’s going to take before we can actually process something. So, there needs to be analytics and decision-making at the end closer to these devices,” and, yeah. Made absolute sense that if it’s a satellite in space, if it’s a satellite way out in space.

John Verry (00:36:31):

That’s far. Yeah, I never thought about that.

John Verry (00:36:35):

The transit time and the latency associated with something of that nature.

John Verry (00:36:38):

That’s pretty crazy now when I think about it. Now, all those adjustments that you’re making to trajectory and things of that nature, you’re having to … Latency has to be calculated in. How long ago did they send that, and how long is it going to take to get there because that’s going to be part of that adjustment of yaw angle or whatever might be.

John Yeoh (00:36:57):

Yeah. That’s the best way to see it. I know when we talk about in milliseconds and microseconds it’s still very applicable here on Earth, too. But when I saw it from their perspective, I was like, “Ah. There’s clear gaps in latency that you can see for sure.”

John Verry (00:37:11):

Yeah. When you talk about like you started talking about the whole smart car or smart traffic whatever the buzzword you want to use, yeah, I mean that kind of latency could result in the car-to-car communication latency can’t be very high in order for it to be very effective because at 60 miles an hour, you’re moving 88 feet per second. That’s not a lot of space.

John Yeoh (00:37:32):

Yeah. Lives.

John Verry (00:37:34):

Yes, exactly. So, I always joke around with people is that the only thing worse than too little guidance is too much guidance, right? So, you guys have put out some great guidance. CIS, you mentioned asset management. That’s CIS CSC 20 Top number one. NIST has come up with 8228 and 8259. ENISA put out some really interesting stuff. They’ve broken theirs down into smart cities and smart factories, and they broke internet of bodies. They’ve broken down theirs. There’s SB-327 that we talk about.

John Verry (00:38:04):

Talk about you guys are a research organization. How much are you communicating with these other bodies? How much you sharing? How much you trying to harmonize? I got to imagine that’s a challenging issue to deal with on your side as well?

John Yeoh (00:38:18):

Yeah. No. Always challenging, but I think that’s the keyword is to harmonize, and maybe what you might not see so much because it happens maybe more behind the scenes is that we have our working groups, and they’re very strong. But they don’t work in a vacuum. We have such tight relationships. I mean someone like Aaron who’s very tight with OWASP and another bunch of other organizations is important. We have formal and informal relations with a lot of these different organizations, standard developments, even the major providers in the provider groups that they have, and I think that’s a pretty key component of it.

John Yeoh (00:38:52):

And that’s probably one of the magic things that CSA is pretty good at is that we’ve had. It starts with our CEO, Jim Reavis, who had a lot of relationships in all these different organizations, and he built an executive team that could do the same thing, that can build off of these relationships and make sure that, yeah, what we’re doing isn’t just happening within our small little tight community. But it’s also expanding, and it’s kind of echoing throughout the industry because we have relationships with all these other different organizations.

John Yeoh (00:39:20):

And we’re also … It’s a two-way traffic, too, right? It’s not just us telling them what’s going on. They’re telling us. I meet with NIST multiple times a year, and we actually have these brainstorming sessions on, “Hey. What are you doing? Here’s what we’re doing. Let’s line up our roadmaps to make sure we’re not reinventing the wheel, but we’re very complementary of each other.”

John Verry (00:39:39):

Mm-hmm (affirmative).

John Yeoh (00:39:40):

Important to do.

John Verry (00:39:41):

Yeah. I had Dr. Ross on earlier this week. God, he’s a fascinating guy to talk to and hear about sort of the history of cyber security and practices and standards. So, I’m super excited to hear that you guys are on track with them because they put out a lot of great guidance as well. And OWASP is to me the … What I like about you’re also doing is OWASP, to me, is the leading software guidance in the world, and realistically, if you think about it, the IoT is software. I mean-

Aaron Guzman (00:40:07):

Everything’s software.

John Verry (00:40:07):

Yeah. Everything’s software. Yeah. You’re right. And so, I think the idea that you’ve put that you’re so tightly connected with OWASP and using their guidance just definitely puts you in a really good spot.

Aaron Guzman (00:40:19):

I mentioned peer reviews coming up for the controls framework. We definitely make sure to include each of those groups.

John Verry (00:40:25):

Mm-hmm (affirmative).

Aaron Guzman (00:40:26):

ENISA, UL, even folks at NSP who run the SESIP, which is another-

John Verry (00:40:32):

I’m sorry. I don’t know what NSP is.

Aaron Guzman (00:40:33):

Yeah. It’s another. It’s SESIP.

Aaron Guzman (00:40:36):

It’s a European-based assurance framework for IoT. I think five different levels. In addition, we’ll reach out to like IoT security foundation.

Aaron Guzman (00:40:46):

So, everyone basically that we have contacts with and just to make sure number one, they’re aware of our work.

John Verry (00:40:51):

Mm-hmm (affirmative).

Aaron Guzman (00:40:52):

Number two, they have the opportunity to provide feedback, and three, they’re likely going to map to something in our work at one point so that helps as well.

Aaron Guzman (00:41:04):

But we also we have joint projects that we do work together when we’re not working independently, so those have been few and far between, although even when ENISA, for example, they have new research projects that come out, they’ll ping our team to get involved and be part of the experts panel.

John Yeoh (00:41:24):

Yeah. We’re very public, and I think very transparent. And I think that helps so that everybody can see, “Hey. Here’s what’s happening. It’s not a secret. We welcome your involvement, and, yeah, we want you to hear what we’re doing, and we want to hear what you doing.”

John Verry (00:41:39):

Full stop.

John Yeoh (00:41:40):

Mm-hmm (affirmative).

John Verry (00:41:41):

For someone who’s listening and starts to think like, “Okay. Now, you’ve got my attention. Do I have any IoT devices that that I need to be worrying about?” How do they best answer that question?

Aaron Guzman (00:41:53):

Geez. That’s a big one, especially with that new announcement that Amazon made that has the autonomous drone, the home security camera-

John Yeoh (00:42:00):

Oh, yeah, right?

Aaron Guzman (00:42:01):

… that flies around your house. It’s like, “What? We are there.” So, we are here. I mean, right?

John Verry (00:42:07):

Well, I actually have a robot vacuum that will do the same. I can navigate. From anywhere I am, I can navigate the vacuum around the house to see where the dog is because it’s got a video camera and LiDAR on it, and it’ll find the dog and give me live footage and allow me to talk to the dog through it, so, yeah.

John Verry (00:42:25):

I’m sitting there, so I’m thinking as you’re saying that like, “I think I’d better go turn that damn thing off.”

Aaron Guzman (00:42:32):

Yeah. I mean there’s always a risk, right?

Aaron Guzman (00:42:34):

Especially, with the data that’s being used to make that device function correctly, but also, for them to make their product better and things that you might not be aware of that they may be correlating with, which is the scary part that people don’t really seem to understand your TVs, your vacuum, your assistants, whatever it is. Just have to be mindful and sure that you’re properly protecting those devices, your accounts, multi-factor authentication is definitely one area that can help in any type of account, whether it’s IoT or not.

John Verry (00:43:08):

Mm-hmm (affirmative).

Aaron Guzman (00:43:09):

But, yeah, just be mindful, right? If you’re buying a cheap connected device from, say, China or Russia or something, it’s probably not going to have good security posture, good updates, good account. They’re probably not caring about your data and how to handle that.

John Yeoh (00:43:25):

Yeah. I don’t know TV yet, too, but I’m a pretty heavy consumer of connected devices, and the capabilities are incredible. And so, if you think about it from a business perspective, too, capabilities are really nice. You want to certainly make sure they’re a fit for purpose.

John Yeoh (00:43:41):

I do remember, this was three or four years ago, and I think it was a joke. But I remember on Twitter, they were talking about a birth control testing device that was internet-connected, and it would actually Tweet the results to your feed and be-

John Verry (00:43:57):

Oh, my God.

John Yeoh (00:43:57):

Right? And so-

John Yeoh (00:44:01):

Understand what you want that connected if it makes sense, so that should be connected, and that’s pretty important. I love what Aaron said about access. Access is so important, and multi-factor and two-factor authentication is so easy to put on everything.

John Yeoh (00:44:15):

But follow the data. Follow the data, especially if you’re an enterprise and you know that the IoT system can really enhance your customer experience and help your business. Follow the data. Is the data that you’re collecting is it protected? Does it have customer information layers are protected? Do the right people or sources or the device themselves, do they have access to the right things? So, access privileges and just if you follow the data, you can kind of see where all the vulnerabilities are going to be. So, it’s almost that privacy by design, security by design approach, but, yeah. Following the data is a really important starting point, at least.

John Verry (00:44:55):

Yeah, I like the follow the data idea, and you’re making me think about the problem is that a lot of people, I don’t think, think through the implications of data. So, as an example, I’m just thinking about that robot vacuum I have. It uses LiDAR, and it created a map of my house.

John Yeoh (00:45:10):

Mm-hmm (affirmative).

John Verry (00:45:11):

And you can not only see where the furniture is, but, I mean, you would know what rooms are which, what’s in each room, and then, of course, any time I connect to it to roam it around the house to see where the dog is, what does that tell somebody? He ain’t home.

Aaron Guzman (00:45:23):

Yeah, yeah.

John Verry (00:45:26):

So, you know where the bedroom is where the wife’s got the jewelry. You know I’m not home. You know where the dog is because I just showed you.

John Verry (00:45:37):

So, I do think you also have to … You have to think through it. It’s not just a matter of following the data, but it’s also think about the implications. I love this story of the it was the story of how the reporter from like the Washington Post knew that the Baghdad bombing was about to begin, and published it or Tweeted not long, but like 15 minutes before or a half hour before. And he did it based on the fact that all of the pizza companies in the area, there was an inordinate number of pizza deliveries to, he was sitting outside, and he saw all these pizzas being delivered, and he knew, “Okay. It’s going to be a late night. What’s going on?” And that’s how he figured out what was going on.

John Verry (00:46:14):

So, it’s amazing. Sometimes, it’s not only the data that they have, but what are the implications? How can someone use that data in a way that you don’t expect it to be able to be used?

John Yeoh (00:46:22):

Yeah, yeah.

John Verry (00:46:24):

One other question for you. Do you give any guidance or either in the standard or do you have any other additional kinds of how somebody would know if they had an IoT device in their network, right? So, for instance, if I’m looking at a video camera, how do I know if that’s an IoT device? Is there an easy way for somebody listening to know that?

Aaron Guzman (00:46:41):

I mean hopefully you’re running, well, number one, if you’re an enterprise, you’re running some sort of asset management scans or even ping sweep scans or using something to help manage what you have in your network. What type of devices are there? What versions, and also who they may be communicating with as far as the server infrastructure?

Aaron Guzman (00:47:04):

As far as the consumer wise, I mean if you hopefully, you have folks here who are tech savvy who you can log into your home router, and there’s some pretty interesting products, product lines that are being released and being marketed as IoT security home routers that give you push notifications when new devices join your network, when they leave your network, when they’re visiting sites they maybe shouldn’t have.

Aaron Guzman (00:47:28):

I’m not saying that I’m marketing those, but I think they’re interesting. It’s a whole different side that’s been introduced in the last, I think, two years now.

John Verry (00:47:36):

Mm-hmm (affirmative).

Aaron Guzman (00:47:37):

Oh, and it could be something that they have use for only, not only parental controls but more of just being aware of what you have in your network could be a starting point.

John Verry (00:47:45):

I think that’s an excellent starting point.

John Yeoh (00:47:46):

Yeah. Those are great, too, and as so many people are coming up with new scanning tools that not only scan your environment for what’s connected to your network, if that’s a corporate network or a home network, but it also does the device categorization for you, too. So, I know there’s a lot of hospitals’ solutions that now will do that, too, to where you can scan your entire building and understand how many different medical devices are connected, what type of medical devices they are. These MRI machines down to are they insulin pumps and heart monitors, and so, yeah. It’s pretty good to understand not just what you have but what types of devices are connected, and then more importantly, can you do something about it? So, can you actually kind of see-

John Verry (00:48:28):

Well, you can always enforce. Look. You can always block it inbound and outbound at the firewall, right? Minimally.

John Yeoh (00:48:38):

Right, right. I mean-

John Verry (00:48:38):

So, I mean so you can, but I do think you’re right. I mean I think that the concept of asset management, the concept of knowing what’s on your network is critical and then making decisions on whether or not the potential risk justifies the value prop or whatever that device does for you, right?

Aaron Guzman (00:48:55):

Yeah. And also-

John Yeoh (00:48:56):

But and also, so many times do we see people that can … They have the logs. They can see everything, but there’s they have no really … They don’t have ability to manage all those logs that are coming in, and so if the red lights are flickering and going off and on, there still is nothing you can do about it because you just don’t have the team in place to address it. So, that’s another thing, right? Tools are fun if you know how to use them, and actually can use them.

John Verry (00:49:18):

No question.

Aaron Guzman (00:49:19):

Hopefully, you have policy to back that, right? Internal processes like a BYOD, hopefully, to discourage folks, too, who have consumer devices that want to plug into your corporate network. I don’t know where everyone, where your listeners are at, but at least you have something to stand by like, “Hey, no corporate assets that aren’t given from organizations should be allowed on these networks. If you want to connect your network, here’s the guest network that segments it.” Hopefully, you know what I mean.

John Verry (00:49:45):

Yeah. I think the bigger companies that listen to this would definitely be there, but I think when you get some of the SMBs, that concept of NAC or network access control, a little bit harder. Although, with some stuff Microsoft’s doing now because so many people are moving to Office 365, and Intune is kind of a poor man’s NAC, right? In a way. I mean, so there are some ways to do it that are getting to the point where it’s reasonable for even a smaller company to do. So, that was for someone who-

Aaron Guzman (00:50:10):

It’s Meraki.

John Verry (00:50:12):

Yeah. It’s Meraki. That’s true. Sorry about that. Yeah, I should have thought of Cisco. I mean, yeah, go ahead, Aaron. You can beat me up for that one. I go out. I’m sorry. It’s so funny because I think of you as being the IoT guy from OWASP, but and then, it was new to me that you were the CSA guy. And by the way, it was new to me today that you were the Cisco Meraki guy. I didn’t know that. The last time we chatted, I didn’t realize that so sorry about that.

Aaron Guzman (00:50:36):

No worries, no worries.

John Verry (00:50:37):

One other question for you. So, we talked about if someone’s listening who just wants to know, “Do I have an IoT device in my network?” What about if someone’s listening that is developing some kind of a solution, whether they’re building a device, they’re integrating off-the-shelf components into a solution? Yeah, I mean, and I know this might sound stupid, but how do they know if what they’re building is an IoT device? I literally had a conversation with someone recently. They’d asked me that exact question. “Hey, we got this group doing this. Is that an IoT device? Do I need to worry about that?” And if so, what are the most important steps one and step two to get them going in the right direction using your guidance?

John Yeoh (00:51:10):

If they don’t know, I’m a little worried.

Aaron Guzman (00:51:14):

Right? I mean there’s certainly, right? As we mentioned there are a number of-

John Verry (00:51:17):

Now, just for the record there, John, it was a PE firm that was backing some technology spinning out of a university, so they had developed this it was wearable, biomedical technology. And I’m talking with the guy that’s funding them, the money behind it, and they’re ready to roll this out. And he’s like, “Do I need to worry about it? Is this an IoT? Is this IoT? I keep hearing about IoT.” So, my question was actually like a real question. So, in that case, how would you answer that? How does somebody know if what they’re doing is IoT? And if so, what would you tell him to do? What are the first couple things you’d tell him to do?

Aaron Guzman (00:51:57):

I think one of our first papers, correct me if I’m wrong, John, we addressed a lot of the manufacturing and design perspective, future-proofing the connected world, and we really lay out not only the challenges and how you know what device is, but also, what manufacturers should be doing from a process perspective, from a testing perspective, and I think we provided a checklist. I know it’s been some years. I haven’t had a chance to look back at it, but I mean that’s definitely one resource that someone can reference. There’s several others, and we talked about ENISA. They have a baseline for IoT security, and they break that down in different industries.

Aaron Guzman (00:52:35):

And even further to good practices for developing secure IoT, which was released earlier this year, and what will be really released later this year, which I’m working with them on is on supply chain of IoT security.

John Verry (00:52:47):

Mm-hmm (affirmative).

Aaron Guzman (00:52:48):

But, yeah, there’s certainly a lot of different angles you can take this, but at least maybe you have to do some due diligence and read up on some of the guidance that’s out there and determine, “Hey. Is this applicable to the service I’m providing, the device that I’m writing for, and am I properly protecting it? Am I properly securing it and putting the controls I should be putting in?”

Aaron Guzman (00:53:09):

And especially, if it’s going into a regulatory environment, is it using FIPS modules? Is it doing X, Y, Z? John, do you have any suggestions there? Any other things you might want to add?

John Yeoh (00:53:22):

I was going to say just that whole top-down, bottom-up approach stance, and here’s why I think so, too. I think there are a lot of devices that are created today that become smart later, right?

John Yeoh (00:53:32):

So, they become connected, so people will add connectivity because it’s like, “Hey. I want …” I mean think of even our whole set of household appliances now that we can connect to some sort of device, and now I have access to that. And so, a bottom-up, top-down approach, what I mean by that is, you start with that device as a device. Security, you have securing the device itself, the messaging protocols that are being sent to wherever, and then security from the top, where the cloud service that might be connecting to it, that might be managing that device, or procuring that device and maybe even orchestrating that device throughout your network, so understanding it from both. So, if you can attack it from both sides, you can ensure a little bit better that you have a pretty secure device because you’re securing it on different layers and the different platforms that interact with your network and that are part of that whole IoT ecosystem.

John Verry (00:54:27):

Mm-hmm (affirmative).

Aaron Guzman (00:54:27):

I’ll start from an easier perspective real quick, and I’m going to plug OWASP. The IoT Top 10. Start there. Start there-

John Verry (00:54:37):

That’s actually good guidance as well. I mean the only other thing, which is interesting, too, is I actually like this stuff that you guys have done. What I would almost be tempted to do would be to almost kind of understand the risk and use some of the stuff that you guys have given, because if you think about it, you already started with the concept of security categorization. So, if we just look at the information that we’re processing, I mean that would be one of the things that I would tie it to. It’s like, “Is this HIPAA data? Is this personal information?” And depending upon the impact and the regulatory compliance requirements and the impact if you don’t meet them, that would kind of map to your low, medium, high, and kind of going back through and then looking at what you guys are doing against leveraging that low, medium, high would probably also be another interesting way to do it. Almost conduct a risk assessment, if you will. Almost using your tool in reverse to assess the risk of this solution that you’re developing?

John Yeoh (00:55:27):

Start with the raw data that that device is collecting and-

John Yeoh (00:55:30):

… understand what it’s being used for? Yeah. Mm-hmm (affirmative).

Aaron Guzman (00:55:31):

So, I have-

John Verry (00:55:31):

So, interesting question.

Aaron Guzman (00:55:34):

Yeah. My thought and my hope was one day to convert or move the data that’s in the controls framework over to a simple application that can help with filtering and mapping, and in some of these conversations that we’re having, it’s just a matter of resources and time. But definitely want to try to look into that further for future versions and hopefully provide a companion tool that’ll make using some of our research and guidance more approachable to that.

John Verry (00:56:06):

Yeah. I don’t think it’ll be very hard because I mean you have a lot of the basics already there to understand risk, and if you could almost put just an overlay on the front that would be the type of data, you could almost categorize, if you think about it. If you almost had the equivalent of the FIPS 199 security categorization process on the front side, and they mapped to medium, you could then basically filter your controls and prioritize guidance based on that, and if you asked a few more questions with regards to the type of device, use case, you could probably get there reasonably quick because I mean the amount of information that you have in the worksheet already is really ridiculously good. You know?

John Verry (00:56:40):

I mean and you can even like you prioritize preventative versus detective controls, and things of that nature as well. Because I mean that’s all built into your sheet.

John Yeoh (00:56:50):

So, maybe-

John Verry (00:56:53):

I think that’s a great idea, and I don’t think it would be that much work to do it, which is what’s really interesting with the way you guys laid out your document.

John Yeoh (00:56:58):

So, step one could be watch this podcast.

John Yeoh (00:57:03):

Step two is to call up Aaron, whose number is (818) 555. No.

John Verry (00:57:04):

Step three is to send John a bottle of your best bourbon from the region.

John Yeoh (00:57:14):

Oh. At least you’re not-

John Verry (00:57:14):

And then, step four would be he’ll answer the call with a glass in hand when you call. All right. So, last question. So, you referred to this in Version 1, Aaron. I got to be clear. The version that I have a copy of, not the one you have a copy of.

Aaron Guzman (00:57:28):

All right.

John Verry (00:57:30):

You refer to this as base-level security controls. So, I’m curious. I think you guys, if I look at what you do with the Cloud Controls Matrix, I think you’ve been true to the concept of defining fundamental controls that apply across all instances of cloud. When you look at IoT, I think there are specific use cases, smart cars, smart cities, internet of bodies, right? Smart factories, Industry 4 I think they call it, right? Do you see your guidance as going across all those, or do you foresee in the future that you’ll start to branch a little bit for some of those use cases which might be a little bit different, right? Like smart cars are not conventional IoT devices in that there’ll be so much more car-to-car communication built into that.

Aaron Guzman (00:58:17):

I think we definitely have those discussions, and it could be challenging, right? We don’t want to pigeonhole ourselves with the amount of effort. We have to have folks who are experts in that area, and I think those landscapes between automotive and medical are changing rapidly, especially, again, if one of us in the working group isn’t working there every day, we could miss some things.

John Verry (00:58:42):

Oh, yeah.

Aaron Guzman (00:58:43):

So, it’s definitely still up for grabs if we do have someone to come help out and get us on that right page, right foot forward, and what’s really applicable. I think we all have had experience in medical in some way, shape, or form whether it’s device, whether it’s a provider, whether it’s a cloud. But we haven’t had yet concrete discussions. Maybe John knows more. I couldn’t answer on that front, but that’s as far as I’m aware of.

John Yeoh (00:59:08):

Yeah. You know what? Even with the cloud framework, there was always due diligence that we had to do, right? So, you’re establishing baseline security as a start, but there’s due diligence that you want to do with your providers, and in IoT with your manufacturers, your network administrators, and your application providers, too. But, yeah. If you’re applying something to industry-specific areas, that’s something that, again, within the CSA community, we offer.

John Yeoh (00:59:37):

So, the healthcare sector specifically, the financial services sector, and the entertainment sector, so those are the major movie-producing studios, they’ve all taken a stake in taking that Cloud Controls Matrix, that security framework, and applying it specifically to their industry. And I would imagine, especially in healthcare, where IoT is top of mind, that as soon as Version 2 is ready, they’re going to be really willing to consume that and start applying prescriptive guidance for that industry. And that would be the next step.

John Yeoh (01:00:09):

And so, John, yes, I think definitely some of that should be done, and Aaron will make sure that all the healthcare organizations that are working on those types of things consume, digest, and bring back to the IoT working group what they think is very specific and prescriptive for them.

John Verry (01:00:28):

That’d be great.

Aaron Guzman (01:00:28):

John, I’m not sure if you’re familiar with I Am The Cavalry?

John Yeoh (01:00:31):

Yeah, actually, I am.

John Verry (01:00:31):

I Am The Cavalry?

Aaron Guzman (01:00:33):

Yeah. With Josh Corman and Beau Woods and a lot of the folks. No? Okay. They’re doing … They’re actually pushing a lot of the kind of security processes and bills that have been passed over the last few years, and I’m also part of that group. They’re much more familiar, ears to the ground, with all of the pre-market guidance, the post-market guidance, the responsible disclosure work that they push for medical, and software bill of materials, NTIA, and transparency. They’re definitely the folks who are leading in that area. I mean I can connect you as well, so you can [crosstalk 01:01:09].

John Yeoh (01:01:08):

Yeah. That’s something that’s a big … I’ve been referencing them for quite some time, too. I think they do great work, but absolutely. I can’t even remember. Maybe and, Aaron, you might have introduced them to me years ago maybe.

John Yeoh (01:01:19):

But either that or maybe I just stumbled across them myself, but, yeah, absolutely. Yeah, let’s make sure that the intentions are clear and that they know. We both know what each other’s up to, so we can do that. Yeah. We don’t want to start over and reinvent the wheel. We want to do things together, so that sounds great.

John Verry (01:01:36):

Sounds cool. So, anything we missed, guys? Any last thoughts that we should cover? I mean, you guys have been incredibly gracious with your time. We’re probably over an hour already, so-

John Yeoh (01:01:46):

Yeah. Boy, boy, no. This is fun.

John Verry (01:01:50):

Time flies when you’re having fun.

John Yeoh (01:01:52):

That’s right.

John Verry (01:01:53):

I mean I looked down at the clock. I’m like, “Oh, crap.” Sorry.

Aaron Guzman (01:01:56):

I know.

John Verry (01:01:56):

After all, it didn’t feel that long.

Aaron Guzman (01:01:56):

I missed a meeting. I was like, “Well?”

John Verry (01:01:57):

Yeah, yeah, no. Listen. No, it’s fun talking shop. I mean it really is, but, yeah. I thought this was great.

John Verry (01:02:04):

Last question. Two last questions. Duh. I was going to say the last question is, do you have any ideas for a future episode? But I have another question. I have an idea for a future episode. Can I get one of you guys, or both of you guys, or somebody else on your team to come back when the testing guide comes out? Because I really think that that’s an important concept, and I would love to talk through how you guys anticipate that all working.

John Yeoh (01:02:27):

Yeah, cool.

Aaron Guzman (01:02:27):

Sure, yeah.

John Yeoh (01:02:27):

Yeah, absolutely.

John Verry (01:02:28):

Any other thought process on another interesting topic for another episode, especially anything around IoT?

John Yeoh (01:02:35):

We could still do that 5G talk a little bit, but I think, because if 5G has the capability to, I mean, potentially even replace data centers … Remember the old saying, “Hey. The cloud is just somebody else’s computer”? It’s certainly gone beyond that, but if we’re talking about a 5G network that replaces corporate networks and that potentially replaces data centers, boy, that changes how we do security.

John Yeoh (01:03:01):

And what we’re doing in security right now for IoT becomes just the way we do security. So, this is so important I think what we’re doing is to understand the IoT because everything, according to that definition that we talked about earlier, anything connected is IoT, but it can get to the point where how we secure our current systems becomes obsolete, 5G.

John Verry (01:03:25):

Really? I knew that the bandwidth would change this ability for sensors, and the speed at which these devices operate, and the amount of data. I didn’t realize that, and I know it had implications, but I would say I didn’t realize it had that many implications on broader corporate infrastructure network architectures.

John Yeoh (01:03:44):

Interesting, right? I mean it certainly has the potential to do just that, and so everything comes down to costs and business operations, right? And so, if you can actually administer a 5G network instead of, and then replace, your own corporate network and everything that goes around maintaining that, boy, yeah. I guess, wouldn’t you? I think we’re seeing, and we saw it just last [crosstalk 01:04:07]

John Verry (01:04:07):

I guess that kind of makes sense, right? Because what you’re saying is that the reason we had these corporate networks is so we could run like one gig point-to-point and get the connectivity that we need. And then, we pay for these high-speed leased lines and things of that nature. Once you get to a point where … Now, this is, do you remember it? I’m old enough to remember George Gilder and Telecosm, which was one of the greatest papers ever written, where he theorized in like the 1990s that once bandwidth is omnipresent, right? That the components of a computing system, no matter … You no longer need to have a computer, right?

John Verry (01:04:43):

It doesn’t matter where the microprocessor is. It doesn’t matter where the storage is. It doesn’t matter where the disk is. It doesn’t matter where the memory is, because the only reason they’re all self-contained is because we need that high-speed bus. You’re almost taking that same concept and applying it to networks, right?

John Yeoh (01:04:56):

It seems so out there, but 5G is really the reckoning of, “Oh, my gosh. This is maybe a lot closer than we think,” and when you think of those kinds of capabilities, like I said, it’s so much more important what we’re doing for IoT right now and the potential to replace certain network components that we’re running right now in the large enterprise, that’s, yeah.

John Verry (01:05:17):

That’s cool. And either you or somebody on your team is somebody that’s figured all that stuff out?

John Yeoh (01:05:23):

Yeah. Actually, I wish Brian was here, too, because Brian and I were both on the FCC Technical Advisory Committee for IoT, and 5G was a big component. And so, we did a little bit of that back in 2015 and 2017 and 2019, and so, yeah. There’s a-

John Verry (01:05:38):

And, yeah, but the only question is that will we all be here, or will the one-millimeter waves kill us all? Oh, geez.

Aaron Guzman (01:05:44):

Oh, man.

John Verry (01:05:48):

Yeah, yeah. And there’s a story that I can’t tell that would make me believe that that’s a possibility. So, yeah. But, listen. I would never see the light of day if I told that story.

John Verry (01:06:00):

Aaron, any thoughts from you?

Aaron Guzman (01:06:02):

I mean, CSA has a ton of great work. I think you could definitely tap some of the other working groups and probably gauge what would be … I think right now, we just released Top Threats, the Top Threats working group released research there. And I think we want to try to incorporate IoT Top Threats in there at some point.

John Verry (01:06:20):

Yeah. Didn’t you also have like a Cloud Threats document?

Aaron Guzman (01:06:25):

Yep. That’s what it is.

John Verry (01:06:25):

Is that the one that you talking about?

Aaron Guzman (01:06:25):

Yes, yes.

John Verry (01:06:27):

So, you have a new version of that out?

Aaron Guzman (01:06:28):

Yep. Just released within the month or a couple weeks ago.

John Verry (01:06:31):

Oh, I would love that. I would. Just for the record, I … Sorry. My dog decided that it’s time for the podcast to be over.

John Yeoh (01:06:37):

He’s excited about it, too, right?

John Verry (01:06:41):

Okay. Aside that, actually, John, who would we reach out to? Because we actually were trying to get to someone to talk about the cloud threats because I think right now, especially now, with COVID and cloud adoption having even advanced beyond what it was, that that would be a fantastic topic. Because I think one of the things that concerns me the most is that the vast majority of our clients don’t understand the concept of shared responsibility. They assume once they push something to the cloud, that it’s somebody else’s problem, and that security is somebody else’s responsibility.

John Verry (01:07:13):

And depending on which model, infrastructure, platform, SaaS, I mean you still own user account management and authentication and authorization, all the way down to owning some of the responsibility for the network infrastructure, and they insist on it. And I don’t think people understand that. “Oh, no, no. You don’t understand. It’s in Amazon.” “No, no. You don’t understand. Amazon owns this much. You still own this much of the security responsibility,” which is what your cloud documents did such a good job of, I think, communicating.

John Yeoh (01:07:39):

Yeah, absolutely. I can connect you. Our co-chairs are Jon-Michael Brook. He’s a principal architect for Starbucks, and then Alex [Gibson 01:07:48]. There’s another OWASP guy, too. And so, yeah. Those two would be great people to talk about the Top Threats on an-

John Verry (01:07:56):

Thank you. Thank you, all. I’ll ask Jeremy to reach out because I think that would be a really cool discussion.

John Yeoh (01:08:02):

Yeah, great.

John Verry (01:08:02):

All right. So, before I say farewell, and if folks want to get in contact with either of you guys, what’s the best way to do it?

Aaron Guzman (01:08:10):

My email address is [email protected], or you can find me. I’m not very difficult to find. Find me on LinkedIn. Something like that. Feel free.

John Yeoh (01:08:19):

Yeah. Same here. I think LinkedIn is a great way to get ahold of me. Emails are okay, but-

John Verry (01:08:27):

Yeah. In other words, don’t send me an email.

John Verry (01:08:30):

John, just message us. There’s nothing wrong with that. You sound a little like-

John Verry (01:08:36):

I mean that sounds pretty modern to me. I mean like, “Yeah. Don’t bother with email.” By the way-

John Yeoh (01:08:39):

LinkedIn or something like that, yeah.

John Verry (01:08:44):

All right. Well, listen. Guys, thank you so much. I’ve genuinely enjoyed talking with you guys. This was a great episode. Thank you.

Aaron Guzman (01:08:49):

Thanks for having us.

John Yeoh (01:08:50):

You, too. Thanks, guys. Cheers.

Narrator (01:08:52):

You’ve been listening to The Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.