Ann Johnson: Today I am joined by my friend and colleague Diana Kelley. Diana is truly a cybersecurity industry icon. Not only is she a globally known security expert; she is also the co-founder and CTO of SecurityCurve, a cybersecurity consulting firm, who donates much of her time to volunteer work in the cybersecurity community, including on the Association for Computing Machinery Ethics and Plagiarism Committee. Diana has served as the field CTO at Microsoft, the global executive security advisor at IBM Security, general manager at Symantec, VP at Burton Group, which is now Gartner. And last year Diana was awarded the Executive Women's Forum's Executive of the Year and one of Cybersecurity Ventures' 100 Fascinating Females Fighting Cybercrime. Welcome to Afternoon Cyber Tea, Diana.
Diana Kelley: Oh, thank you so much, Ann. It's really great to be here.
Ann Johnson: So, Diana, obviously, we know each other. You've been a strategic advisor. You've been a cybersecurity writer for many years. You focused on IT security. You've done things in risk management, compliance and network architecture development. And you've seen the security landscape change really quickly from attacks and methods to the marketplace. So how do you help organizations who don't have the experience you do get up to speed in the cybersecurity landscape?
Diana Kelley: Yeah, that is such a good question. And I have to say one of the things I've realized in all my - all these many years that you and I have both been in IT is that the rapid pace of change in technology and the attack techniques can really feel a lot more manageable when it's grounded and balanced by principles and technical realities. You know, we can forget how long a lot of these concepts have been around, like RACF, which is the Resource Access Control Facility. It was introduced to the market in 1976. So that means that people have been thinking about identity and access control for, like, 50 years.
Diana Kelley: So once you start to get a feel for what the baselines are of security and what's important - confidentiality, integrity and, you know, availability, then suddenly the current landscape - it feels a little bit less overwhelming so that they can get up to speed faster when they understand what it means to have the brakes on the car, what those brakes do, whether the brakes are working. So that is really, for me, just a big one - is to give them that baseline. But then you have to start having, you know, conversations with the people about what the real problems are, helping them to prioritize.
Diana Kelley: And I find that a security assessment can really help there because when you're doing an assessment, you're talking to all the key stakeholders. And as you're having those interviews with them, you start talking to them about why you're asking certain questions. You know, a CEO may be like, why does it matter what I do when I get into my email? And that's a great opportunity to explain business email compromise to them and how attackers are getting in that ransomware, you know, going through phishing as one of the big attack vectors.
Diana Kelley: So that, I think, is another big part of that puzzle - is getting the baseline, having the assessment, having that conversation in the real business, you know, the way that business communicates with the business stakeholders. Now they've got a really good platform from which to hear and to read all of these headlines that are coming every day about changes in tactics and techniques. And hopefully they've got, you know, a better base to hear that from so that the delta is going to be smaller between understanding and hopefully all that noise is going to be less alarming and overwhelming.
Ann Johnson: So when you start with a customer - right? - and you start with someone and you want to actually do that landscape overview for them or that assessment, where do you suggest they start? Or is it different depending on their organization?
Diana Kelley: Well, to do assessments, we actually use something that we based off the 27000 series. So we take a look at the 27000 series. What would apply to that organization? If that organization is in health care, for example, and they're getting ready for HIPAA, then obviously, we're going to bring in some of the questions that pertain to HIPAA. If it's NERC, it's got to pertain to energy. After looking at that and assessing what the company is, we read all the policies that the company has already so that we can start to get a feel for where they think they are versus where they should be.
Diana Kelley: And then we go through the assessment interviews and have the conversations. And now we've got a really good handle on what the company is, who the company - who their partners are, who their customers are. And then using that against a really strong, well-known framework like ISO and the 27000 gives a good starting point. But some companies - they prefer to - you know, to use NIST 800-53, for example. You know, any well-known framework can be a really good starting point.
Ann Johnson: OK. Let's talk for a minute about IoT.
Diana Kelley: OK.
Ann Johnson: So we've seen a proliferation of IoT devices. It's been reported that by the end of 2018, there were 22 billion IoT-connected devices in use - yeah, 22 billion. And that was three years ago. So as the sophistication of hardware and software and consumer electronics skyrockets, there's this increasing share of the electronic devices produced around the world that, you know, have internet connectivity. I got in my car there and, by the way, needed to do a software update before I could drive it. So that was - you know, that was interesting. Anyway...
Ann Johnson: The forecast suggests that by the year 2030, around 50 billion of these IoT devices will be a noose around the world. So this is a massive web of all these interconnected devices, spanning everything from smartphones to kitchen appliances to cars. We now know that manufacturers are going to continue to compete on who gets the latest device in your hands first, right? You know, in this household, I'm always the last one to get a new phone because I literally hate upgrading my phone. But my other two gadget-driven household members always want the newest one, right? As soon as they're eligible for upgrade, they're running out to get something. So let me ask you a couple questions. What do you believe are the most significant security and privacy concerns plaguing the field of IoT-connected devices? And what is your guidance to organizations as more and more workers are starting to bring their own devices to work?
Diana Kelley: You know, it's funny, I mean, you talk about, you know, IoT is everywhere. I know we're both huge, huge dog lovers. And all of these different collars that they've got for dogs now that have GPS in them - and we're turning our dogs into IoT devices, too, with them. It's really - it matters, right? There are a lot of significant security and privacy hurdles for IoT. And it can be really hard to figure out where to start. So actually, when I was at IBM, I developed something I've called five indisputable facts about IoT. And it really distills the major concerns into five umbrella categories. And the first one is that devices are going to operate in hostile environments - just kind of a known, right? If it's around your dog's neck, it's going to be running through the woods with your dog. If it's a smart meter outside your house, it's got the wind and the rain. So we have to think about security and privacy in that context.
Diana Kelley: Software security is going to degrade over time. In other words, what do we do about patching these systems? You just had to patch your car, right? So it had an over-the-air update. But there were some car manufacturers that were talking about using USB sticks to update cars, which, as you could imagine - right? - that could be a security vulnerability because maybe anybody getting into your car could just have put that USB stick in. So how do we update these systems? That shared secrets do not remain secret - and this is a really big one in IoT. If you remember the Mirai attack that took down Dyn, the DNS server. And then that brought down a lot of their customers with them, including Twitter. That was in part able to be launched because people don't change their passwords that are the default with the IoT device. Soon as the IoT device ships, some manufacturers, maybe not wisely, have the same user ID and password to get into every single device of that brand that shipped out. So then people were publishing them. So they became known.
Diana Kelley: So these shared secrets do not remain secret. Configurations will persist, which is that if you ship something that's in a completely open state, the most likely action from the consumer is to leave it in that completely open state, right? People aren't security experts. So why should we expect them to lock things down? And then as data accumulates, exposure will increase. And this is really where that privacy comes in. IoT devices are gathering huge amounts of data. And it may not seem like they've got information about us, but as we aggregate it - sometimes when you layer data, you get more able to, like, laser focus on who that data is connected to.
Diana Kelley: The other thing is that data that we might not think is personal could be personal. And one thing that sticks with me is I was talking to a CISO in an electric company. And he was very concerned about the electric records being available. And I said, why? And he said, well, it's a privacy issue. And I said, is it because when people are going on vacation, maybe they use less energy? And he said, well, it could even tell you religion because if the electrical use at a house goes way down at sunset every Friday, that could tell me something about the religion of that household. And I realized, yeah, you know, there's a lot - we don't always think how this data about us, these little data breadcrumbs, could indicate more about ourselves. So those things are a really good way to initially think about what the big buckets of security are.
Diana Kelley: And then beyond that, thinking about, you know, how attackers are using IoT - I had mentioned the Mirai botnet. And they are absolutely weaponizing IoT devices. When you grab an IoT device and you pwn it or you own it, now you've got something that's going to be able to go out and do something for you, whether it's send denial-of-service, like in a volumetric attack, or if it's a device that has the capability to do email, for example, you could do email with it. Some devices have, you know, full processors, and, you know, they can be used in cryptojacking where they're used to mine bitcoin or other cryptocurrency. So, you know, looking at how we lock these systems down to prevent attackers not only from those other big buckets but also from weaponizing our IoT. And Mirai is not the only big botnet that happened. Mozi just occurred over the summer, and that was a big one. Again, it was doing IoT devices, gateways and DVRs and, again, exploiting weak passwords. There's a great Microsoft Security Threat Intelligence Center post on this. I absolutely loved it. They really broke it down really well and explained how the denial-of-service was launched and also about how ransomware payloads were being launched after the attack.
Ann Johnson: That's a whole lot of information, and it's fascinating, right?
Diana Kelley: Yeah.
Ann Johnson: And I think that - so start with the dogs. You know, I was coming...
Diana Kelley: Yeah.
Ann Johnson: It's so funny you said that 'cause last week, I was commenting, we're truly a tech household because we have redundancies.
Diana Kelley: (Laughter).
Ann Johnson: So the dogs, you know, have a - they all have a chip, you know, from the vet.
Diana Kelley: Yeah, I know.
Ann Johnson: My phone number is on their collars. And now they have this GPS fitness tracker.
Diana Kelley: Yes.
Ann Johnson: So, you know, it's three levels of redundancy to not losing my dogs.
Ann Johnson: So if one factor fails, we have a couple others we can rely on. But I also was...
Diana Kelley: Love it.
Ann Johnson: Yeah. But I also was thinking about this device that's on their neck, right? Because it is an IoT device, and it's giving the dog fitness data. And I doubt that there's - you know, I shouldn't say this. There's probably not an attack vector where someone's too worried about the fitness of my dog, but most humans I know also carry fitness trackers. And...
Diana Kelley: Yes.
Ann Johnson: ...I know you've seen, you know, the opportunity for potentially, like, health care blackmail. You know, do you want that information out there? And one of the, you know, concerns people have with having so much information electronically. And I always think about, what's the next threat? And are those fitness trackers going to be a big attack vector in the future?
Diana Kelley: You know, it's funny that you say that because I did this weird side stage thing at TED. It was the actual TED conference in Vancouver, but I wasn't on the main TED stage. I was off in a workshop room. But in any case, that was exactly - it was about threat modeling. And I did two use cases to threat model with the group, and the first one was on implantable medical devices like pacemakers. And then we also threat modeled a fitness tracker - a wrist-based fitness tracker. And at first, everybody just - the thinking in the room was, well, there's a lot you can do with a pacemaker, but this fitness tracker, eh, it's just getting some, you know, heartbeat information, blood pressure, maybe, information. And, Ann, you're so right. As they started threat modeling, they came up with some really interesting misuse cases on the wrist-based health tracker. And things like - look; if you're a CEO or a high-level executive at a big company, then your health actually could matter to an attacker and could potentially be blackmail material.
Ann Johnson: Yeah, I think that - and, you know, speaking of that, we had - a few seasons ago, we had Dr. Andrea Matwyshyn on, who's one of the leading experts on what she calls internet of bodies.
Diana Kelley: Oof.
Ann Johnson: So things like all of those embedded devices that have connectivity - and we've been doing that for probably now 15 to 20 years, by the way, and people didn't even realize that, you know, first through a certificate-based authentication, to do patches and updates to your pacemaker. Now we've moved on to something different. But the threat vector has been there for a very long time. All right, let's go back to something - well, maybe not cheerier. But...
Ann Johnson: Let's go back to enterprise IoT. So I have two questions, and I'll leave it with you. But can you talk us through two things? What are some security practices that could help network defenders and users combat IoT threats, particularly botnets? And how can the industry help them by creating more standards for, you know, security for IoT devices and the creation and production of IoT devices?
Diana Kelley: Yeah. So, you know, I'm kind of a stan when it comes to NIST, but I've been really, really excited at how much NIST has stepped in here and started to lead the charge. They've been doing a lot of publications and thinking and also working with people outside. Some of the publications - I've worked with Rebecca Herold, for example, who's the privacy professor. So they're also reaching out and working with folks outside of the government, and they've really got a lot of incredibly good guidance that can be a baseline. And sometimes people will say, well, why are you recommending NIST? It's really for the government. But a lot of the NIST, the special publications on the NISTIRs, which are the interagency reports, are fantastic baselines that can be used by both the government but also by consumers and by enterprises.
Diana Kelley: So a couple of the ones I'm really happy to have seen got published recently, and some are in draft and some have been finalized. But one is 8228, which is "Considerations for Managing IoT Cybersecurity and Privacy Risks," which is a really good baseline, I think, and a great overview for people that are getting started. On May 12th, Biden administration came out with an executive order about improving the nation's cybersecurity, so NIST came out with a lot of really good baselines on security criteria for IoT devices, including the consumer devices. And one of the things that I really like about where their thinking is is that they're not just saying devices themselves, but they're looking at IoT products. And when I first heard that, I was like, what? What's the difference between a product and a device? But what they mean is that the device is going to work within a system. So as you're assessing the security of that IoT solution, don't forget that it's working in a system. So that would mean the hub it's connected to, the gateways. If you've got a smart lightbulb, what's the hub that's managing that smart lightbulb? And what about the mobile device that you're then connecting to to manage the hub? So I like those.
Diana Kelley: There's also a special pub, 88-213 - again, about, like, the device and the guidance that I think can really help people get a handle. So a lot of really great stuff coming out of NIST that I strongly recommend people go, and you can start with the ones I mentioned. But they're really base-lining and helping us all think about how to do this really well. And then we get into some other strong guidance, like, you know, changing those default passwords that I talked about earlier, using multifactor authentication wherever you can. You want to update and patch your systems. And then - sorry, I don't mean to buzzword people, but zero-trust (laughter) and looking at adopting a zero-trust access architecture. That can help a lot because the core of that is looking at your network segmentation, and network segmentation really helps when attacks are underway. If you've got an attack, then you've got a strong segment. You're going to stop lateral movement. You're going to stop that attack moving through your organization. So that can help quite a bit.
Diana Kelley: And then identity - because when we talk about identity management, of course, we think about ourselves and individuals, but it's also workload to workload, application to an application and device to device. So that can help, too, where if you're locking down and keeping a management of your identity and seeing those Internet of Things, those IoT devices, as having their own identities, that can really help a lot. And for that - again, for that DDoS, I think this is a great opportunity for any company that hasn't looked into the really dynamic, scalable DDoS protection that you can get from cloud providers. Now is the time, and extend that DDoS protection to your IoT and your IoT environment.
Ann Johnson: Yeah, I think that those are all really, really good ideas. And I'm a bit of a NIST stan also, so - it's also, we try to give practical guidance on a show. We're talking about big topics, and we do try to give some practical advice and all.
Diana Kelley: Yeah.
Ann Johnson: And I'll give you an opportunity at the end. But before we go there, a couple more things. Remote work, bring your own device - so a little different than IoT, but how do you suggest employers get a handle on all the different, you know, laptops people are working on maybe at home and they're sharing with their kid or their spouse doing work? And that may introduce malware to the device, and then the - you know, bringing the actual remote device to the office even potentially.
Diana Kelley: Yeah, it's - one of the things I started working on with companies is as we're going to be in this WFA, work-from-anywhere environment, what is it that can - how can we strengthen that? How can we strengthen our programs? And I think creating policies around helping to set up a hygienic work-from-home environment, giving people either the tools to do it - so maybe you give them the router you want to use at home - or giving them a quick-start guide can help a lot because to your example there, you know, what happens when we're all on the same network? Well, we don't have to be. It's really easy to set up different wireless VLANs and then you can have your smart locks and your washer and your kids playing their games. They can be on a separate VLAN. Or if they have a wired house, it could be a separate wired VLAN if they're kicking it old school.
Diana Kelley: But helping people understand how to set up segmentation and the wireless tools now for home use are really actually very, very user friendly. But a lot of people just need a little bit of guidance on how to set that up, and so helping employees understand how to do that, how they can secure their smart devices, helping them understand about the default passwords, how to keep those devices, how to keep them patched and then zero trust again coming in with better identity control - and on the corporate side, as people do come back into the corporate network and making sure you've got that really robust identity lifecycle going so that when people do leave, you can remove access for them or access for their devices, especially if they are BYOD. And I just love that there have been so many technical advances that make it easier to manage identity and segmentation in complex multi-cloud environments.
Diana Kelley: So those are sort of the main things, but again, widespread availability of MFA and turning it on - oh, managed endpoint protection. This is another one - and endpoint detection and response gets some sort of visibility into what's happening with those devices. Even if it's BYOD, you can still install a management agent on that device to give you a little bit more control and transparency from the corporate viewpoint. And the last thing that I'm really excited about is conditional access and just how much smarter we are about monitoring access and making smart decisions about who's doing what and stepping up that control if you need to when you see activity that's unusual, or if you see people going to touch highly sensitive resources either from their home or even from the corporate network.
Ann Johnson: That's all really, really great advice, and I think the one thing that you said that resonates outside of zero trust - and I don't want to play buzzword bingo also, but there's a lot of value in a zero-trust identity architecture - is that the consumer tools are becoming simpler, and we need to keep...
Diana Kelley: Yeah.
Ann Johnson: ...Driving consumer tooling to be simpler so people can be inherently more secure.
Diana Kelley: Yes. Yeah.
Ann Johnson: All right, let's pivot for a second and talk about the shows you produce. So you produce "MyCyberWhy" series and BrightTALK's "The (Security) Balancing Act." And these programs are fantastic, right? They provide so much insight to the industry. And I know I learn a lot from every guest I have on Afternoon Cyber Tea, so what is your favorite part of hosting the shows you host?
Diana Kelley: Oh, you're so nice. With "MyCyberWhy," I actually got the idea from Tomi Salmenpaa, who is - he was one of the first guests. And he does cybersecurity for Finnish Traffic Com Aviation (ph). And he was telling me about his job. And, Ann, I was just blown away because I didn't understand, A, how much cybersecurity went into the aviation industry. I mean, I knew that for the planes themselves, we had to make sure the software was secure, but even the communication internationally, because as we fly, we fly over different airspace and different geos in control of the airspace. It just blew me away. So I said Tomi, I think everybody needs to know what you do because it's such a wonderful thing to keep people safe. And that was the genesis of "MyCyberWhy." It was just to celebrate people doing really cool things in cyber that a lot of us, or at least me, I didn't know about. So I love - as you do, I love learning from people and also just being able to celebrate all these different, the different ways people work in cybersecurity.
Diana Kelley: We just recently had Ellen Xu, who's a high schooler, and she's incredible. She's got her own podcast, and she's just kicking it as one of the top capture-the-flag students in the country. And then all the way to Craig Jones, who - he leads cybersecurity for Interpol, but he started as a beat cop in the U.K. So just these wonderful stories, and I love hearing the stories, and I love being able to share them with others. And then "The (Security) Balancing Act" - because it is really about how do we balance security and privacy but keep our organizations still, you know, very competitive. And I just love this sort of surprise element of each month. The folks at BrightTALK will bring different people into the conversation. So sometimes, we source guests together, but they also bring in guests. And so I never know who's going to be on the show until they give me the list of who's going to be on there. And then we have this wonderful - our first call to get ready for the actual show itself. And just the different dynamic and hearing the different viewpoints from people and then pulling it all together into an organic conversation is just a whole lot of fun. And then on "Security Balancing Act" we're also live, so we get a lot of audience questions that really kind of gooses how the conversation goes and has to keep me on my toes. We were doing election security and whether elections were secure. We happened to be doing that on January 19 or 20 of this year - was when we were running that show, so it was when Biden was being sworn in. And I really had to be at my toes with the questions that day (laughter) because there was a lot of - oh, people had opinions that day...
Ann Johnson: Yeah, no doubt.
Diana Kelley: ...About election security. Yeah.
Ann Johnson: So, Diana, you're never standing still. So can you share a bit with our listeners about what you're working on currently?
Diana Kelley: OK, Ann. So as you know, when I left Microsoft, (laughter) I had intended to volunteer about 50 to 60% of my time for technical nonprofits, and then I was thinking about an animal shelter for elderly companion animals that didn't have a home. So that was sort of where my thinking was last year. And the really good news is that I do devote 50 to 60% of my time to cyber nonprofit work, so that's - I feel really happy about that. I'm on the executive board for WiCyS. You had mentioned what I do with ACM. I lead the Inclusion Working Group at WiCyS, Sightline Security I work at. I'm on the board at Cyber Future Foundation, Cyber Advisory Board for CompTIA. I work with Bartlett College of Science and Mathematics at BSU. So a lot of stuff that I had really wanted to be able to devote time to, and I feel so grateful that I have the time. But for the rest of the time in the day, people kept asking me to do things, and I keep doing them. So the shelter for the companion animals is on hold, and the other part of my time I'm working with Salt Cyber and I do vCISO work through Salt Cyber. I'm also principal consulting analyst with TechVision Research, which is a lot of the former Burton Group folks. And I do startup mentorship and advisory and executive advisory for CISOs and CSOs.
Ann Johnson: That's all?
Diana Kelley: Oh, you know...
Ann Johnson: (Laughter) I'm kidding.
Diana Kelley: (Laughter).
Ann Johnson: I don't know how you do all that.
Diana Kelley: Well, I missed one because I'm the conference chair for EWF, but you and I are both on the advisory board there, so that's awesome.
Ann Johnson: Yeah, that is. And then you have the pups. So I know you spend a lot of time with your pups, too.
Diana Kelley: I do. And, Ann - I don't know - have you seen Bunny, the dog that talks with buttons? Because I got - have you seen her?
Ann Johnson: I have seen her. I just can't figure out how to get my dogs to even - well, never mind. They're not that well-trained.
Diana Kelley: So, you know, I have Nick and Nora, and Nora is really - she's just the - she's a more motivated dog, let me put it that - so she's got inside and outside with her doorbell buttons, and she could do some communication with her buttons. And Nick is - very, very, very grudgingly will put his on the button to come back in when he wants to come in.
Ann Johnson: I think I could get Mariah to do that. I just need to spend...
Diana Kelley: Yeah.
Ann Johnson: ...Some time with her. Well, thanks so much, Diana. We want to send our listeners off with one or two key takeaways about how you think we can overcome the threats we're seeing and why you're hopeful about the future of cybersecurity.
Diana Kelley: So I think we can overcome because when we all work together and anybody who's not a criminal trying to steal from someone in the cyber realm - is we're all on the same team. I think the more that we can communicate and share information with each other, the stronger we're going to be. And there's a lot more information sharing that's going on, so that makes me very hopeful. And I think in order for us to be able to do that as a group, as an entity is to just remember to take a deep breath, not let the attackers weaponize our fear. They're playing on that we're going to get scared, that we're going to go into crouch and defense mode instead of into, we got this.
(SOUNDBITE OF MUSIC)
Diana Kelley: We just need to work together and plan and roll things out in a way that's going to keep us all stronger and more resilient. So we can do this. And working together is the key.
Ann Johnson: Excellent. Well, thank you so much. And have a wonderful rest of your day.
Diana Kelley: Thank you so much, Ann. It was great to be here.
Ann Johnson: And thank you to our listeners. And join us again for the next episode of "Afternoon Cyber Tea."
Ann Johnson: So I chose Diana Kelley because I've known her for a while, and she is just this immense resource for knowledge. She is one of the most knowledgeable people across a wide variety of cybersecurity topics and incredibly deep and also just this great person who volunteers time to help make the industry better - very personable. I always learn whenever I talk to her, and she was just this awesome guest on "Afternoon Cyber Tea." It's one of my favorite episodes, so I say that about every episode.