Watch this episode on YouTube.
Reasonably Accurate 馃馃 Transcript
Morning, everybody on today's show, we're going to talk about layers. And the reason why we're going to talk about layers is I was reviewing three upcoming research papers from the Trend Micro research team about industrial iot or operational technologies. Um And they all had a common theme. So I'm not gonna give away the research that's coming out over the next 6 to 8 weeks.
All three papers will be released somewhere in there basically before the new year. And they're fantastic. You'll see that on the at Trend Micro handle. And of course, I'll be tweeting that out to support the research in social as well. But the underlying theme was essentially each of these areas that the research was focused on had unintended consequences because they didn't go far enough down into the layers they were building on and they had constraints that they thought were solid and all this is never going to happen or, you know, we don't have to worry about these scenarios.
And of course, lo and behold, they did and we see that time and time again, we look at, if you look at research that I talked about at South by Southwest middle of the Atlantic Security Conference uh last year around um smart cars um as well as factories, same kind of thing from the trend micro research team.
Um You look at that and they go, ok. Well, cars are built on a bus system that was designed in 1986 for an entirely different world. Right? An entirely different automobile system. Um A lot of the factories, uh you know, things are built on uh 7 to 15 year life cycle, same with health care.
And yet we're seeing a new threat every 0.3 seconds in the digital world. So there's layers that we're building on that we assume are fine because that's what's out there or it's a matter of convenience and we're picking the wrong choices and those are coming back to bite us. Now, we see that specifically in operational technology all the time, but we're seeing that in other areas as well.
And that's a topic that comes up quite often when I'm talking to corporate security teams and organizational security teams is that they're operating under constraints that they believe, you know, not just constraints but foundations that they believe are strong, that aren't strong at all. So, a classic example of this is when we try to build anything on top of email, right?
So anything on top of email, email for all intents and purposes is a postcard exchange system, that's the best way to think of it. You're exchanging postcards around the world, which means anyone along the route for that postcard could potentially see and read the information on the postcard, right? But most people think of email as secure, like little mini safe that we're passing back and forth.
And if I send you an email only you can read the contents, that's not true at all. So when we build systems on top of email, things like, I don't know, resetting your password and there's issues there, right? Which is why good security practices are in a password reset situation to send you a unique link that expires shortly after that link was requested.
So that it reduces the possibility of anybody intercepting that email or hacking into your email to get that password reset. But it's again another example of where we're building on top of a layer that may not be as strong as it should be, right? But our perception is that it's solid and we can build on that foundation and we can just add layers on top of it and it will stack up where in reality, we're dealing more with like a Jenga Tower where the higher up we go, the more likely this whole thing is just to go bam and you know, crash onto the table in spectacular fashion.
So the challenge as an it developer or you know it as a builder as a security person is to figure how far and how deep you need to go in the analysis. What are you building on top of? Another example, quite common is developers use frameworks all the time. So maybe you're building on angular or on react or maybe you're using struts two, we've seen struts two over the last 18 months has had three absolutely massive huge vulnerabilities.
And I don't think they are ones that people accounted for while they were building on top, they assumed that foundation layer was strong. Now, I'm not trying to dissuade you from using foundations from using layers. That's how we move forward, right? We just keep building on top of previous accomplishments and that's a very, very good thing that's gotten us to the ability to do these kind of live streams.
But you need to look deeper and make sure that the assumptions you're making based on the layer you're currently standing at, you know, I'm on level three, I'm up nice and high is what's below me strong enough to hold what I'm building on top of it. That's a really tricky thing to answer. But it means understanding at the very first step, what you're actually building on.
And I think that's absolutely critical now and especially moving forward. So stay tuned as always to the trend micro social handle at trendmicro on Twitter to see the latest research. You can also go to the trend micro website and look for, I think it's under intelligence these days, but there's a ton of great research reports freely available.
No sales info in them at all. It's all just, hey, we deep dive into this vertical and take a look, these three papers coming out by the end of the year, you know, at least that's what they're scheduled and we'll see if they make it fantastic, really great stuff, really exciting, you know, diving deep into that operational technology, it builds on foundations that the team has published over the last year and I'll link out some of those again.
I compiled them all for a talk previously, so I'll send you that well, next link. Um But what do you think about building on foundations? Is it um you know, do you check, how deep do you check? Um Are you building on something strong or are you confident about what you're building on top of, let me know uh online at Mark NC A for those of you in the blogs, in the comments down below.
And as always for podcast listeners and everybody else by email me at Mark N dot ca. I will talk to you online um uh today and I will see you on the show tomorrow. Have a great one.
