7. How To Upgrade Your Security and Privacy with Peter Thermos


Hey, real quick, a quick word of thanks to today's sponsor, Vertex Innovations, before we get started. For over 17 years, Vertex has been building the nation's wireless and broadband networks. Providing project management, network engineering and construction oversight are just some of the ways Vertex helps their clients. So if you're looking for more of a partner to help you with your wireless network designs, construction, implementation or operations, reach out to Vertex. You can find them at vertex.us.com, that's v-e-r-t-e-x-us.com.

Welcome to the 5G Guys podcast, the premier resource for industry insiders and newcomers alike to explore anything and everything wireless and telecommunication. We discuss, explain and explore all things wireless technology, so let's dive right in. Welcome your hosts, Dan McVaugh and Wayne Smith.

Welcome back. I'm Wayne Smith, joined by my co-host Dan McVaugh.

Hey everyone, welcome back, thanks for joining us again. Hey, before we dive into this episode, I want to thank everyone for listening, and if you haven't already, hit the Subscribe button, um, give us some stars if you like what you're hearing, tell your friends, and go to 5gguys.com to connect with us, comment and see more about what we got going on. Uh, today welcome our guest Peter Thermos from Palindrome Technologies. He's the president and CTO. He's got over 20 years of experience in information security and assurance, providing consulting for commercial clients and conducting research for government agencies. In his current position with Palindrome he spearheads the technology, technological direction and vision of the company. He's been working as a subject matter expert for customers in various industries including telecom, energy and financial. This work is helping to secure emerging technologies including internet multimedia applications like voice over IP, carrier-grade networks like 4G LTE and 5G, and user equipment such as 4G, 5G handsets and IoT devices. Peter's also the primary author of a book called Securing
Voice over IP Networks by Addison-Wesley, so check that out if you want to learn more. And he's also a speaker at conferences, he's published several research papers and has even had articles in publications you may have heard of, like Forbes and Wired. So Peter, thanks for joining us, great to have you.

Thank you, Dan. Thank you, Wayne. Happy to be here.

Yeah, Peter, we know each other from working together in previous projects in the past. We go back quite a few years, whether it's security testing and software and other types of applications. So we're looking forward to hearing from you and what you can bring to us in the podcast today.

Yeah, I'm excited to be here, and, uh, there are a lot of interesting things going on with, uh, 5G that actually will be the fabric for a lot of emerging technologies coming out. IoT is one of them, but there are a bunch of other ones, uh, virtual reality, augmented reality, that we're gonna see, and 5G will be the cornerstone of all the emerging technologies.

Nice, nice. Well, tell us what keeps you guys busy these days at Palindrome. What's, uh, what's kind of been the thing that wakes you up in the morning, getting you excited and keeping you, uh, busy?

So, uh, one of the things that we do is we help carrier-grade service providers to secure their networks. So one of our mantras is "keep calm and zero trust", so we're trying to push that. But some of the other interesting things that we do is we collaborate with, uh, standards organizations such as GSMA and IEEE. As a matter of fact, there's an IEEE event, uh, World Forum event on IoT security and privacy coming up July 12 to 15th, and I will encourage your audience to tune in and listen to some of the speakers. It's open, and I can share that information at the end of the podcast for any interested members of your audience.

Nice, nice. So tell us more about who are the types of clients you guys work with. I know you work for private sector, you work for the government
industry, but give us some sense of some of the specific projects that you guys are working on, and how that relates to security, both from the standpoint of the consumer, right, folks using their cell phone, as well as it relates to maybe the enterprise or the regulatory side and, you know, the guys behind the curtain, if you will.

Sure. So on the commercial side, uh, we work with providers, telecommunication providers here in the United States and a few European ones, trying to build their 5G network. So we've been working for the past two and a half years testing the products for the core network and also some of the user devices. So we look at the security on the user equipment, whether it's a handset or an IoT device, but also we look into the back end, so we do end-to-end testing, security assurance testing. We also help with security architecture, especially when it comes to using mobile edge computing, because cloud is a technology that the big carriers are trying to leverage in order to offer better services, especially within the 5G rollout, and 5G and mobile edge computing go hand in hand nowadays. And that will be a big differentiator for enterprise organizations, especially the ones that deliver real-time multimedia applications, whether it's augmented reality, virtual reality, telemedicine. And speed is the, I guess, primary driver, but also security, that we have to make sure those implementations are secure not only at the network layer but also at the signaling, the infrastructure and the user devices as well. So the entire ecosystem, we'll have to look at it from a multi-dimensional approach to one area and try to secure that. Holistic security approach is what we've seen over time being the most effective mechanism to prevent breaches and also unauthorized access to subscriber data.

I know, uh, back when I started the industry, back when, I guess we call it the 1G side of the world, known as analog, I think really the biggest security risk we had was either crosstalk, where
you could hear somebody else's conversation accidentally because we were using analog FM modulation, or it was basically cloning of a phone, right? Pretty basic stuff: somebody would clone a phone and they'd use another phone on your account to pay for their minutes. Fast forward to 4G today and 5G, kind of give us a sense for, you know, what's different today, especially as a consumer. Obviously things like securing my password are an important part of my security, but give us another sense for how it's different today, from how it's changed over the years.

The current threat landscape is much different than it used to be. You have more actors; some of them are state sponsored, some of them are individuals that are trying to defraud the system. So the threat actors have increased, and also the attack vectors against those technologies. So, uh, you have many more attackers coming to the picture, researchers that are wearing a black hat versus white hat, and they're trying to identify zero-day vulnerabilities in telecommunication equipment, whether it's in device, the user equipment, or part of the signaling protocol that reaches in the core. Attackers can take advantage and commit certain fraud, extract or exfiltrate information, and ultimately impact the end user. So again, the primary, I guess, difference is that the threat landscape has shifted dramatically from 20 years ago.

Wow. One of the things that, uh, I think all of us are starting to feel is the impact on security on consumer prices. So a few weeks ago we had the pipeline, you know, cyber attack, and now we had the meat packing, and, you know, for the first time I think it's really affecting the everyday person and how they live their lives. And so what's your take on that, on those kinds of attacks? Do we expect more, you know, now that it gets to mainstream and there's a cost, you know, and it impacts you, you can't get gas or you can't get food? What, you know, what's your take on those kinds of, um...

Definitely,
definitely. Uh, so right now we have all these events, whether it's the Colonial Pipeline or any other ransomware type of attacks, but also you have those advanced persistent threats from state-sponsored attackers, and we see that infiltration and exfiltration of data that affects the organization but ultimately affects the end user, just like mentioned before. So whether it's going to disrupt the operations of an organization or the supply chain, those attacks have a great impact that eventually propagate, and the negative effects are realized by the average person, not only small enterprise organizations that may have ransomware attacks. But as you said, you're not going to be able to use an ATM, possibly, if your financial institution gets impacted, or not be able to get gas from the gas station, or go for your regular medical examination if you do telemedicine. So that infrastructure that we rely on is much more fragile as new technologies such as 5G, IoT kind of getting adopted into our ecosystem, in our daily lives, and we have to be more cognizant, as the average user, of those threats. So if you ask the person, I think, 10 years ago about cyber security or internet security and threats, the most common response was, you know, "I run an antivirus and I'm okay." Nowadays an antivirus doesn't typically do much, because the end user may be affected by a virus, but it's also the infrastructure that the end user relies upon that gets affected, and then that infrastructure impacts not only one person but hundreds of thousands in certain cases. Uh, there is a dramatic shift as to the incentives that the attackers have. Instead of just defrauding one person or 100 people that they've gotten account information, they're going after the big fish, if you will, going after organizations that can pay a lot of money, and make a greater profit compared to just targeting one or a hundred or one thousand individuals.

Yeah, right, Peter, because, yeah, the threat vectors are higher. All of the things you've
talked about are significantly bigger than what we've seen in the past, but we also have technology that's much more capable of protecting us now too, though, right? Encryption models are higher and higher every day. Talk a little bit about kind of the good side of where we're at technology-wise, in terms of how it's protecting us, and in ways it didn't used to.

Sure, and that's a good point. And we've seen dramatic improvement over time that provide additional controls and protection layers for the end user and the infrastructure, but we also realized the adversaries have to find ways around those protection mechanisms. So we've built an infrastructure with firewalls and intrusion protection systems, antivirus, that help, I guess, keep out the script kiddies or the threats that are not as determined. But a state-sponsored attacker or someone that has the resources to go after certain targets, they will succeed, because they have enough time, they can sit there for a year or two years until they get in. And the most, I guess, vulnerable piece of our ecosystem is the human element, and that's what we've seen over and over again. So we do have protection mechanisms that have prevented many breaches, but it's not consistent. I think that's the difference that we've seen: some organizations are more disciplined in implementing, testing, verifying security on an ongoing basis; some other ones feel that security is an added cost and maybe sporadically doing some of these exercises to verify security or ensure that their cyber security program is healthy enough to withstand emerging type of attacks and threats.

Before we kind of shift to kind of more the enterprise level, so as a consumer, what are the top two, three, four behaviors you've seen that are the direct result or source of security intrusions, and what are the top two or three things that we can do as consumers to protect ourselves and our identity, things of that nature?

So phishing has been the dominant attack vector, not only on the
consumer side but also enterprise organizations too. So spear phishing, or phishing in general, has been the main avenue that we've seen people getting compromised from. Social engineering kind of goes with spear phishing or phishing in general; it's a combination of the two. And then the third one, I would say, is, you know, lack of awareness on the end user side. So those three things, the active attacks and lack of awareness, is something that we need to improve upon moving forward.

So for those in our audience, they may not know what phishing is. Phishing's basically when, like, I get an email from what I think is my credit card company, but it's really not my credit card company, it's someone else pretending to be the company, and I click on a link they've offered me thinking it's them. That, at a basic level, is what phishing is, right?

Correct, correct. And also to add to that, we also have the device-level security that may not be implemented, or in some cases is implemented properly, and we see attackers identifying vulnerabilities for IoT devices or handsets, end user devices, and then trying to take advantage of those vulnerabilities to hold my stocks, perform, uh, fraudulent transactions, steal identities and so forth. So we have to have an approach, or the discipline rather, to secure those devices, and also educate users related to phishing type of attacks or social engineering.

And then interfacing with me in some way to try to learn more about me, to try to guess my password or take over my identity. So I've always been, like, paranoid about Facebook, right? Like when you see those things going around Facebook asking, like, what year were you born, what was your first car, like, I'm like, I'm not answering that, because I'm just giving some social engineer all the stuff that he wants to try to figure out my account. Is that accurate, or am I being paranoid?

Well, yeah, I mean, even today I receive calls from the IRS. I'm sure you've received some of those too. Sometimes they
tend to be FBI agents too, or the Federal Reserve. I received a call from somebody claiming that they were with the Federal Reserve, and it just so happened that I've done work for the Federal Reserve for 10 years, uh, on the NIRT, the National Institute, the National Incident Response Team. And, you know, when you receive such calls you start to giggle, but the average person is not golden engine or of who that caller is, and they're going to start disclosing that information. So again, if the attacker goes after a knowledgeable person that is in cyber security, they can pretty much figure out that it's not going to be a fruitful exercise, but if they go after the non-educated folks, they're more successful. So that's their approach: they spray and target the ones where they're more vulnerable, and that's their tactical.

Yeah, yeah. A great question in talking about the future: you mentioned IoT, and so IoT, you know, we're seeing millions of devices and then 10 million, I mean, a connected world. What standards do IoT devices have to follow? Is that some of the work that you're working on? Because when you think about it, about a new stove, the stove's connected to Wi-Fi. I'm not sure why; I haven't made a connection between my stove and actually why it needs to have internet, but it's a good example, I mean, of everything being connected. How do those manufacturers, what security protocol do they do, or do they do any, or is it up to the consumer to figure it out?

Uh, very good question. So there are some standards out there from organizations such as CTIA, GSMA that require or focus on IoT security, and you can have a device being tested on a regular basis to ensure that the device aligns with those security requirements. So there are efforts in the industry where even consumers can look up and go back to the product vendors and ask, "Hey, have you guys gone through a CTIA, GSMA or some kind of other IoT security certification?", because they are available out there. But going
back to your example of home appliances talking to each other or talking to your router, you know, a few years back, I've been in this business for a while, and I always had this idea in the back of my head that I will be running my own intrusion detection at home just for my home devices. So if there are any entrepreneurs out there, maybe a home intrusion detection system for your network could be an idea that they can push out, because again, we have so many devices at home, from refrigerators to microwaves to thermostats to solar panel controls, that it only is going to get bigger. And you have users within your home network, and visitors that may use your home network, that may bring other exotic threats at some point that you're not aware of and shut down, you know, your home network, and that can impact, especially if you have any people with medical conditions and they rely on certain appliances, that may impact those appliances as well. So on network security, I think it's going to become a lot more significant in the next five years, and we'll start surfacing more and more as we move forward. Don't be surprised if you are seeing homeowners having a specific, uh, group, support group for ransomware: "My home network has been locked and I can't do anything." As I said, especially if you have a person with medical conditions that relies on network medical devices.

Yeah, and I kind of feel like there's just some basic things, like, you don't have to be super technical to be able to protect yourself with using some of these devices. You know, just simple things, right, like changing the default password that comes from the manufacturer. You know, I know it's inconvenient, but two-factor authentication. You know, so I've got a Ring doorbell or I've got a Nest doorbell; if I put two-factor on my account, it's gonna make it harder or less likely for someone to hack into my system and look at my camera, things like that. Is that an accurate assessment?

Sure, I mean, you can follow basic security
principles, which is always recommended, and changing the default password is number one thing. Anytime I get any device from a product vendor, I look at the security configuration and I change immediately the passwords, keys, whatever the case might be. So yes, it is very important. Also, the other thing that I personally do, I have a guest network, if you will, so my kids bring their friends over and they can play with that. Xboxes are also isolated. So I run my own security program at home. But as I said, having good basic security practices and educating also your users, or your children at home, about internal security is important.

So let's kind of shift perspective a little bit. Let's say hypothetically I am a business, Acme Enterprises, and I want to get engaged with leveraging wireless telecom. Maybe I'm going to go beyond just having my Wi-Fi access network, but I want to put in, you know, a Citizens Broadband Radio, private LTE or private 5G network, and I want to do so responsibly, in a way where I'm leveraging the technology without adding unnecessary risk to my business and my employees and my customers. What's sort of the basic way that I would go about, you know, implementing or looking into implementing and partnering with the right people to not just put in good technical solutions that have the support for my use cases, but doing it in a way that's safe and as secure as possible? Where do I start? I have no idea where to begin, but from an enterprise perspective we're talking about.

Um, so yeah, adapting 5G, CBRS within an enterprise environment can be tricky. It depends on your agreement with the provider, the carrier that you're working with, and whether you're going to be managing the femtos or other access technologies that you're going to be using, whether they're going to be monitored in-house or the provider will manage them. And then your user base: you have to start considering security controls on the end devices, the network that you manage,
but also the provider infrastructure, whether it's secure or not. And I'm sure, you know, most providers tend to go towards the right direction in verifying security, but there might be some emerging type of providers that are not as well educated or willing to put cyber security investments in place to ensure enterprise customers maintain adequate security. So if I was an enterprise user today and I wanted to adopt 5G, I would first look at my architecture in its entirety, then do a risk analysis, threat model, and then start going into validating the controls through testing: product testing, network testing, end-to-end testing. Because as we know, you know, it's great to trust, but in our world we need to verify.

So that sounds daunting, maybe. So is that a service that Palindrome offers, or are there other companies that offer that, where I just bring them in as part of my solutions toolkit, where I have a partner that really understands that and can advise me on that and maybe even provide that as a service?

Uh, definitely. So Palindrome provides assistance with validating security controls, especially if you adopt emerging technologies. So we have several clients that ask us to do a specific product testing before they deploy it, or network testing and content before they push their production network to be available to end users or other customers of theirs. And Palindrome, we've been helping, especially in the 5G, for the past two and a half years, carriers. We've seen now some enterprise customers coming up and asking questions of adapting 5G, especially when it has to do with robotics or augmented reality, the folks that have very large enterprise organizations, and they have to adapt 5G, but on top of 5G they need to operate other emerging technologies. And that's where our specialty comes in, because we've been looking at emerging technologies for several years now, and Palindrome Technologies focuses on securing emerging technologies.
That's our bread and butter.

So tell us more about this IEEE conference. How can people learn more about it? How can they connect, how can they join, how can they connect with other things that you guys are doing, how can they find you guys?

So you can look us up at www.palindrometech.com, but also if you want to Google "IEEE World Forum IoT", you're going to have plenty of hits there, and there is a topic on security and privacy. As I said, it's about three days, a long track. We're gonna have several sessions within those three days on different aspects of IoT security. We're going to have researchers presenting on the work that they've been doing from academia, we're going to have standards organizations, and also commercial organizations, practitioners that do assessments, that operate networks, that provide products. So you're going to see names such as Verizon Wireless, Samsung, Nokia, Ericsson, which are all well immersed in 5G security and IoT security, so the audience will get very useful insights.

So thanks for that, Peter. Um, also thanks for joining us and sharing all your wisdom. You know, security is definitely on everyone's mind today, and it's a subject I think we'll all, in our home life and work life, that we'll continue to figure out how to make our life safer, more secure in how we move into the future.

Thank you. Thank you, gentlemen, uh, Wayne and Dan, for the opportunity to share a little bit of our insights. Again, with emerging technologies there's always new things, and I look forward to subsequent sessions of your podcast.

Yeah, thanks to everyone listening again, joining in. Remember, uh, hit the Subscribe button, go to 5gguys.com to connect with us. If you have any further follow-up questions, corrections, we love to hear from you. We'll, uh, we'll address those on future episodes. So thanks everyone, and take care and be well.

[Music] next with Dan and Wayne. Check out their website at 5gguys.com. If you enjoyed this episode, be sure to hit that follow button and share this episode with your
friends and family. [Music]

2023-03-08 14:50
