The Audit - Presented by IT Audit Labs

Securing the Invisible Threats: Insights on IoT Security with Eric Johansen

May 08, 2024 IT Audit Labs Season 1 Episode 41

Discover cutting-edge IoT cybersecurity strategies with insights from expert Eric Johansen. 

Join us as we delve into the world of IoT cybersecurity with Eric Johansen from Phosphorus. Eric discusses the challenges and solutions for managing IoT devices at scale, the critical importance of asset inventory, and the significant risks posed by outdated technology. This episode is perfect for IT pros, cybersecurity experts, and business leaders looking to enhance their cybersecurity knowledge. 

In this episode, we'll cover: 

  • Managing IoT devices at scale: Best practices and solutions 
  • The importance of asset inventory in IoT security 
  • Identifying and mitigating risks from outdated technology 
  • Real-world examples of IoT vulnerabilities 
  • Innovative solutions from Phosphorus for IoT security 

Eric Johansen's insights provide valuable knowledge for anyone involved in managing and securing connected devices. Don't miss this episode for practical advice and expert perspectives on tackling IoT security challenges. 

#IoT #Cybersecurity #TechTrends #OTSecurity #SmartDevices #IoTSecurity #TechInnovation 

Speaker 1:

Welcome to The Audit. Today we're joined by Eric Johansen from Phosphorus. So, Eric, thanks for joining us. And today we're going to be talking about IoT and IoT security, which is just a huge market and lots of things happening in that space, and I think we've all got some stories we can share about IoT security or lack thereof, but excited to jump in and talk about it. So maybe, to start, you want to just tell us a little bit about yourself, your company and what you do.

Speaker 2:

Yeah, sure, thanks. So yeah, Eric Johansen, work for Phosphorus. We are focused on managing XIoT devices at scale. So the challenge that we see in the market is that these devices are out there, they're purpose-built and they get deployed and people put them out there and then that's it. There's no management, there's no maintenance, there's no one actually watching these devices from an administrative perspective, and so our platform is dedicated to finding those devices, doing a full risk assessment on those devices, and then you can fix them. So the main thing, I guess the gist is, if the device can do something, we can do it at scale, and if a device has a piece of data on it, we can monitor that at scale, and so that's really our focus. We're all device obsessed, and that's kind of my story as of today.

Speaker 1:

That's great. I've already got a lot of questions on that, but maybe from a career perspective, how did you end up at Phosphorus? What were the things along your journey that?

Speaker 2:

brought you here. Yeah, I mean I spent about 20 years in, I'll call it, normal cybersecurity, and much of that in managed security services. And the last organization I was working with, we launched one of the first OT managed security services, which is operational technology. So that's what, when you hear industrial control systems or critical infrastructure manufacturing, those are very typical and classic OT type environments. As I mentioned, being in cyber 20 years prior to that.

Speaker 2:

You know, obviously I'm not a young person, but I got to experience cybersecurity as it kind of came up, you know, in the late 90s. It really wasn't yet a thing and it was awesome back then. Right, and that's what I saw with OT is there's just a lot of need for security with these types of devices that are typically air-gapped or put aside and they're very important to an organization, whether it's safety or reliability or both, because they're revenue generating or they're part of a process that's very, you know, like water or coal or you name it, energy generation of any type, and so. So, yeah, with all of that, I left that organization to go to a company called Nozomi Networks because I wanted to immerse myself in the OT world, and I spent two years there, really enjoyed my time, got to go to some really great places that a, you know, normal white collar geek like myself doesn't get to go, you know. I got to go to all kinds of different plants and wear hard hats and it was super exciting and it just really kept me going. And so one of my colleagues I was working with at Nozomi Networks mentioned that this Phosphorus organization was looking for folks and we took a look and, yeah, the rest is kind of history.

Speaker 2:

And the interesting thing with Phosphorus is the founders have been in the space for quite a while. Startup is not the best term, but one of their first organizations was X-Force, which became IBM's X-Force, which is very well known for threat intelligence and advisories and those types of things. And then, secondarily, they created the, you know, I guess, thesis that no one's really doing this for devices, and that's the management component, and it's a hard problem. So let's seek out how to fix that, and so, yeah, so that's kind of how I got here and why I continue in this space. It's exciting.

Speaker 1:

Yeah, it's certainly a rewarding mission to be able to discover, find and help with security with those devices, IoT devices. And you mentioned OT and I kind of smile because at IT Audit Labs we get asked to help a lot of different types of clients with their security problems, and one that I was recently engaged with had a ton of OT and, tongue in cheek, OT often stands for old technology. We were seeing some of these things Windows 98, 2000, maybe even a little bit earlier. And I saw an article a couple of weeks ago on the transit system, I believe it was in San Francisco, where they're still updating it with floppy disks and normally you'd be like, wow, why are they doing that?

Speaker 1:

But I think the thought is that in some cases they've got long-term contracts with these manufacturers. In some cases the manufacturers have been bought and sold and gone out of business and the only way to really keep these things running with the equipment that they have is to stay on this really old technology that's pretty difficult to update. The only saving grace is that it's usually air gapped or usually pretty hard to get into it. But when you talk about that hard shell and soft exterior, I have not seen an up-to-date OT environment in my time in security. It's usually this old stuff that's not patched, and there's a ton of excuses that you hear around why it's not patched, but it really is a big problem.

Speaker 2:

Yeah, I mean I think you're right with that statement, but there's also some nuance to it. You know, one of the things that's interesting about OT is they are just, it's a very different approach, right? So when you look at IT, of course everything is about, you know, the CIA triad. You know, risk is a very big component in mitigating that risk, because you have users directly engaged within these environments that you're protecting in the IT world, and we all know that users are a great source of security issues and things like that, and so it's a lot faster paced type environment.

Speaker 2:

So, like you mentioned, Eric, it's air gapped or it's segmented. But the reality is these devices are still supported by the OEMs in a lot of cases, depending on the industry. In fact, they are, it's a requirement. I mean, they have regulations where they have to be within XYZ parameters and the difference is they look at risk a lot differently. They're actually, you know, either producing dollars when it's a manufacturing type environment, or there's lives at risk.

Speaker 2:

You know, I was in coal plants and those types of environments are extremely dangerous and you have to take training videos, you have to do all these things, and so the nature of the place is, you know, you don't necessarily every three years replace something like you do in IT, give them a new laptop, or replace and refresh the server or move the workload to the cloud.

Speaker 2:

It's in a plant, it's helping produce revenue or it's helping, you know, do something that's very, very important in a little bit of a different way, and so it's treated a lot differently. And yeah, your comment about the air gap and the segmentation is very true. I mean, I've seen a lot of air gaps and rarely are they actually truly air-gapped, especially now with the changes that we've seen since the pandemic, right? Everyone has realized that these supply chain issues can really hit home very, very quickly and everything is very fragile, and so it's created, kind of, this, you know, the whole Industry 4.0 thing. You know, I think we're all kind of tired of some of those buzzwords, but there's a lot to that because now there's more connectivity, there's more real time information and that type of, you know, world is creating more risk and more attack surface, and that is a big challenge for any type of organization.

Speaker 4:

Eric, you know you mentioned, you know, these assessments that you're doing. Is there, and you know, air gapping, you're getting into that. Are there any common mistakes that you see all the time that people aren't realizing that they should be fixing right away? Maybe somebody's listening that is looking to do an assessment. Is there, you know, something you see all the time, a common mistake that you see?

Speaker 2:

I mean, I think the biggest thing, and this is what powers the entire OT cybersecurity industry, is asset inventory, is knowing what you have.

Speaker 2:

And there's a concept in the OT world called floor walk, I mean, where it's literally what it sounds like.

Speaker 2:

Right, you're walking the floor, you've got your hard hat on, you've got a clipboard and you're noting all the different things, and there's actually still value with that in a great way currently, because when you go into these environments, they may not even know what they have.

Speaker 2:

You've got technical data, as we were talking about earlier. Right, a lot of times these environments are 10, 20, 30 years old. There could be something that, you know, is an older device and it's been brought onto the modern network with an adapter or some kind of gender change type situation, and then it's like you're just compiling all of that, and so I think the biggest thing that I think is worth, it's just really important for these people, is asset inventory, knowing what you have so you can secure it. The other thing I think is, you know, third party risk is obviously a lot greater concern with these types of environments because of the nature of the air gap or the segmentation or what have you. When you start opening up access to an environment that's previously been, you know, somewhat closed, then everything just multiplies from a risk factor.

Speaker 1:

And Eric, I'll echo that and wanted to get your thoughts on a tangent to that. What I've seen in some of these assessments is some of the technology is so old, and it might be the tangent technology to be able to do some of the vendor-supported firmware updates. But some of that tangent technology, ruggedized notebooks that have serial connections or other things that the organization might be using to support that OT environment, that they're bringing into the OT environment. In some cases I've seen where they're going to eBay or some other third party to get this hardware that was end of life 10 years ago because that's the only place to get it, as it's no longer maybe made, sold, maintained, what have you? And you're just introducing a ton of risk when you don't have any sight into what the chain of custody of that device has been. And you're bringing this thing into your environment, introducing grayware, and I'm just wondering, have you seen anything like that in your journeys?

Speaker 2:

Yeah, absolutely. I mean, that is a big risk, right? I mean, I think we all know about the concept of business continuity, and it again has different meanings, because when you have a process in your built, in your manufacturing or whatever the line is, that's associated with the company making a lot of money, you know, if you're producing something that is making millions of dollars per day, that downtime leads to great cost and, as we've been discussing, replacing things with modern elements is often not an option or difficult. There are a lot of dependencies with all these different devices, and so you do see a lot of that where there's just old, end of life, discontinued devices and, as we know, right there, the biggest thing for us as security professionals that we recognize with end of life or discontinued is you're not going to have any more updates, right? So if you have a vulnerability or an issue, that's obviously not something that's going to be fixed because it's no longer supported, and so the concept of compensating controls is very greatly used in OT.

Speaker 2:

It's just that you know there needs to be more attention paid, and I think a lot of times the main issue is not neglect. These folks are not. It's not that they're sitting back on their laurels, it's that they're just there's not enough time in the day. You know the people that I meet in a lot of these types of environments. They're wearing multiple hats. You know there is not necessarily a cybersecurity person at each plant. There might be one OT cyber expert at a fairly large organization, and so therein lies the challenge with these types of situations is they just can't possibly know.

Speaker 3:

Well, we went pretty deep pretty quick there. I like hearing some of this. This stuff is very technical. I'd like to back it up and just point out that we learned last episode that Eric Brown in the late 90s would wear Umbro shorts and keep his wallet in his sock while going to work.

Speaker 3:

Just wanted to lighten up the situation just a little bit and say, Eric, maybe, what were you driving? What were you? What was your go-to outfit back in the late 90s?

Speaker 2:

Late 90s. I love it. I think that's the great thing I think about the late 90s, for those that grew up at that time, is the cameras that were digital. A lot of times the data would be lost. I know myself I lost the data so many times. There wasn't cloud storage. Obviously there wasn't social media. So I think there's probably a few photos of me. If you guys remember, back then they had these button-up shirts that would have flames on them, big

Speaker 3:

Japanese scenes, the disco. Guilty, yeah.

Speaker 2:

Something will come out, but it's pretty safe these days. The kids now, and everything's connected, so it's pretty challenging.

Speaker 3:

I did a little shopping at Hot Topic myself.

Speaker 2:

Oh yeah.

Speaker 4:

Oh man, I haven't been in one of those stores in forever. You never know what you're going to see inside that store.

Speaker 3:

Well, for some of the non-cybersecurity experts, maybe you could explain. We all know about Ring cameras, Rumbas or Roombas or whatever they're called, some of these more common Internet of Things devices that we might all have in our homes. I'm wondering if you could point out some of the things that are not so obvious that you might come across in your day-to-day, whether it's at a factory or at an organization.

Speaker 2:

That's a good one. I mean, there's just so much more than the standard stuff printers and cameras and things like that. One of the more interesting ones, at least for me. I'm a geek, so I go through a lot of tech and so that means that I do a lot of eBaying, right?

Speaker 2:

Because I want the latest thing, so I'll sell the old thing, yada, yada, yada, and I've been doing it for a long time, and so when we were working with a logistics company, we found something that we hadn't seen before, which is always exciting. So the way our platform works is we probe these devices and we have probes that are standard types of protocols that these types of devices use. Right, so we might have a Modbus probe or HTTPS probe or what have you, and so, even if we don't know what a device is, we pull back, like, that webpage data, and when we have unknown or unclassified devices, we can review that data and there's little breadcrumbs inside that data that allow us to identify the device, find information about that device, et cetera, Shodan, wherever. So what we found was essentially it's called a Mettler Toledo dimensioner, a 3D dimensioner, and basically what this product is, is these logistics companies like a USPS or FedEx or UPS, they place them and as the packages go by, it's essentially a ton of cameras along a line and it rapidly dimensions every single package as it goes by. And so it made me realize, like, I'm still shipping to this day and I now have a ruler next to my station where I ship and all of that. But 20 years ago I was definitely fudging things here and there, and I guess, you know, I was younger so I guess I was trying to save a couple bucks. But it's amazing the technology they have. They can do something like a thousand packages per minute going through this with laser accuracy because of these cameras, and that's how they, if you send a package with UPS today and you maybe said it was 14 inches and it was really 16, you get that bill in a week or two, and it gets through that and that's one of the sources of that, and so it's pretty interesting.

Speaker 2:

There's a lot of fun things like that, and I think, going back to a more simple world is when we think about our house or, even better, the office. When you start thinking about the different places in an environment, then you'll start realizing there's different classes of devices within that environment. So, for example, conference rooms are great, right. It's also a good thing to talk about, because we're just talking about the pandemic, right. So in a lot of ways, we thought conference rooms were going to be something of the past and there's a little bit of that going on.

Speaker 2:

I think we're all kind of coming back, but the technology in conference rooms is very consistent across organizations. They're similar brands, similar types of devices. You've got your table-mounted microphone, you've got your TV with the camera and all that type of thing, and so those are devices as well and those are all internet connected. You've got to hook up your Zoom or WebEx or whatever to that and they are being used and they're very important to a business, and if they're not working, it's a room that goes underutilized.

Speaker 2:

So there's just a lot of things like that that we don't necessarily think about, and it adds up to lost productivity or issues or what have you, if something's down or has been, you know, compromised, which is even worse when I talk about conferencing type stuff, because we've been in environments and we've seen, we found cameras that they didn't have any awareness of.

Speaker 2:

And when you think about a camera, obviously it's espionage in a box, right? I mean, in a lot of ways, when we see cameras today, it doesn't bother us, right, because we're used to cameras. They're all over the place. I can see several right now from where I'm sitting and in that sense you can oftentimes just get away with something in plain view because you just think, oh, there's just a camera there, but it can be on, it can be just recording audio, or it can be recording both video and audio, and when you're thinking about like, for example, we found something in a legal environment, you know head counsel for a law firm, I mean, then you're looking at just a multiplier or the risk factor and potentially issues that can occur.

Speaker 1:

So, Eric, along those lines, with IoT, and just to define that, Internet of Things, where you essentially have these internet connected devices that may have a myriad of other devices inside of them and there's not really a great way to update the security on a lot of these types of devices.

Speaker 1:

So when you think of the Roomba that Josh had mentioned, where it's got a camera, it's got some sensors in it and it has the ability to map your house and vacuum and all that sort of good stuff, but that manufacturer does not necessarily control all of the components in that device, where they're going out and they're sourcing maybe the lowest or the cheapest product that they could put in there so that they can package this thing up and offer it at a good price.

Speaker 1:

And some of those sub-manufacturers may have a bug in their firmware, or what have you, that there isn't a great comprehensive way to update that software. So when your company is essentially inventorying all of these devices, how are you helping to provide security around the devices that people may, you know, somebody may order a cat toy that has like a laser on it and a camera so that they could, you know, chase Mr Meowgi around with the laser pointer from 50 miles away. That's a great cat name. By the way, that's Nick's cat. Oh, really.

Speaker 4:

Awesome, you beat me to it. This time he's got two.

Speaker 1:

He's got Mr Meowgi and General Meow.

Speaker 4:

Oh, wow.

Speaker 1:

That's a different story. But you know they're connected to the Internet and they've got, you know, maybe a camera, and people don't necessarily think about, oh wow. Well, the manufacturer could have a compromised portal and now other people could access this. You mentioned Shodan as a way to easily find these devices that may have very poor security, that the user can't even change the login and password.

Speaker 2:

To succinctly answer the question, we look at devices from a firmware perspective when they're XIoT, because that is the full truth. So we're not a network-focused platform, we're firmware-focused. And so, when I mentioned that we manage these devices, we manage these devices by reaching out to them and directly interacting with them in their native language, which is to passively listen to everything using span or mirror or tap infrastructure. You're essentially waiting for someone to say their birth date in casual dinner conversation to identify that birth date. The way that we approach it is we talk to these devices natively. So if I'm going to show up to the ambassador from France, I'm going to speak to him in French, because if I talk to him with my Minnesotan accent in English, you know it might bother him a little bit, right? And that's the same thing with these devices, right?

Speaker 2:

If you use brute forcing or if you use a methodology that is talking to them in a way that they're not designed for, that's where you can knock them over, and that's where you see air gap and a lot of these devices being treated in a different way, because they're often very, very sensitive, and so that's, you know, kind of another area that we've kind of approached things differently.

Speaker 2:

The other issue of that passive approach is to do things passively is to imply that you know where these devices are going to be, and the challenge, at least, is you have to go to the switch and set up that passive listening or set up your tap infrastructure in a certain way. The challenge with XIoT, as we know, is these devices are everywhere. I mean, you'll have your employees attaching a device that they needed to solve a problem quickly to the guest network, right, and so, you know, it may not be where you expect it, and so that's where this problem comes, and this is why it's an issue: a lot of people are just putting stuff out there, and as long as it does the tasks that they need, talking on the phone or providing video, then they're happy.

Speaker 2:

For a POC you'll come into an organization, set up some monitoring to collect information about all of the devices that organization might have and then show them the list. Yep, yeah, and that's actually one of our big differentiators, as far as, like, how we do things, and we just created this. We basically have a 15, 30, 60 challenge, and so we can literally fully assess an entire building in less than 15 minutes, and so that's where our approach is extremely different, so I can literally do a full POV in a half day of time, and that's where the way that we've approached this problem is completely unique and different. And the fact that we're managing devices is completely unique and different, because the challenge that we're solving is really only being attempted by us, because it is so massive.

Speaker 2:

Because, when you start to think about just how many vendors are out there making these devices and how many devices are coming out every day, we're big fans of looking at the world from the perspective of families of dogs or horses or just looking at the animal kingdom, right, and so a good analogy is that when you look at like servers that are supporting the cloud, let's use horses to represent that, because there's about 10 million servers within cloud environments and globally there's around 10 million horses. It's a great animal to think about, because you guys can probably think about the last week, and how many horses have you seen? Right? Unless we're in a farm environment, you don't really see them, and when you kind of extrapolate that out, you've got you know IoT is really represented by birds. I mean, they're everywhere, right, and the number doesn't ever go down.

Speaker 2:

Endpoints is another one where, you know, when you start looking at the quantity of endpoints, the quantity of servers, that number is really not going up necessarily because of those cloud workloads and other things like that, but with XIoT, the numbers are exploding, and they have been exploding for years, and so one of the things that we've done with our platform is we've created it in a way that we know there will be devices that we'll not know about because there's so many coming out. You know, there's never going to be a time where we're like, hey, we're done, right, we've solved everything and we found everything. I shouldn't have done my fist bump there, it was dramatic.

Speaker 4:

I guess I'm curious, too, to take a step back. You know, Eric, what we're, you know, going through the whole, talking from everything from Siri devices all the way up to what people are using at the organization. Do you have any IoT devices at your house, or is there anything that you use all the time at home? Do you have Siri or cameras, or what do you use at home?

Speaker 2:

I mean, I think people would be surprised. I'm a big user of IoT technology and smart home technology. I'm not against it by any means. And in fact I just had this conversation this morning with one of my colleagues, which is, you know, they were looking for really sexy, like, cyber attacks related to IoT devices. And the challenge with that is a lot of times these attacks are originating on an IoT device as kind of the landing point to expand the campaign, and then they're getting into another area of the environment and then it's kind of being forgotten where that origination point is. So, with all that said, there's really not any kind of real big sexy XIoT hacks. I mean, we all know Stuxnet, which, I would argue, Stuxnet is the reason that OT cybersecurity kind of started coming up and becoming a very important thing.

Speaker 2:

We really haven't had that type of event for IoT yet that's really made people stand up and take notice of this IoT attack surface.

Speaker 1:

And that's one of the big, you know, challenges I think today is when you start to look at you know the breadth of devices that are out there.

Speaker 1:

You know there's just a lot. You mentioned, Eric, that you New York, coming from the East Coast, I wasn't quite up to speed on all of the recreational vehicles that colleagues of mine had. People had just tons of these vehicles and lots of yard space where they were doing all sorts of things, and they would say, well, Eric, what's your cylinder count? Meaning, how many engine cylinders do you have? And people are in the high 20s, low 30s when you're counting gas-powered lawnmowers and weed whackers and dirt bikes and snowmobiles and all of these things. And now I think that the trend is going down to more electric vehicles, so people don't have as high of cylinder counts anymore. But we could pivot that to what is our IP count in our homes, and I'm sure some people are probably approaching, if not several, dozens, but you could easily get to 100, right, when you have online washers and dryers and refrigerators and coffee makers and all these things. Next thing you know, you've got several /24s in your house.

Speaker 2:

The issue that exists in IoT security today is not necessarily around sexy cyber attacks, because what we found in seven years of doing this is that there is basic hygiene just not being done.

Speaker 2:

So we're seeing, you know, default credentials in environments, and we're talking Fortune 20 environments. We're seeing, you know, 50, 60, 70 percent of IoT devices still have factory set default credentials on them. We're seeing nearly 20% vulnerabilities on these devices that are of critical CVSS score, 9.0 or higher, 20% of all devices that have those critical vulnerabilities. And then the number from an end of life firmware, end of life, you know, discontinued device, I mean that's near the 50s as well. And so what I was explaining to my colleague is, like, look, we don't have to necessarily even use FUD by any means, because the main issue is there's just absolute neglect in these environments and people are not doing the basic level. And there's no need for me to do some crazy trick against your environment when I can just Google the make and model of your device, find out the password is root and pass and log in and do whatever I want.

Speaker 2:

Put my own firmware on it, do whatever, or just use the common vulnerability that's out there and well published and pop it with my tool that is easily and readily available.

Speaker 2:

So that's really kind of the big area that I think is an issue, and as now more and more of these devices are deployed, one area we're seeing a lot of growth is, like, you know, smart farming, connected farming, and you can only imagine what types of things could happen there, especially when you're talking about really large machines. Another interesting device that we found in a manufacturing environment last year was a web console, and we're looking at it, and this is why I say we get excited, because we figured out that this was a remote control web interface where you could actually drive devices like the forklifts within this manufacturing environment. So if you take that and you're looking at the safety of your people that are in this environment, you know that's a massive risk, and so, you know, those types of things are just, you know, it's just a matter of time before something really bad happens related to these types of devices.

Speaker 4:

I think just a second ago, Eric, you mentioned your tool when you're doing these assessments. Are there actually tools that you guys are using to maybe perform penetration tests on the devices, or how do you go about that?

Speaker 2:

So we are purpose-built for these types of devices, so we take it very seriously as far as causing no harm, because we do operate in the OT side. So critical infrastructure, manufacturing; safety and reliability are paramount. And we also operate on the medical side of the world. You've got human-connected devices, you've got, you know, medicine being distributed, you've got HIPAA concerns, and then, of course, we're in the middle, the carpeted area, as we call it. Right, where you've got carpet, there's your devices. It's what you expect to be in that type of environment.

Speaker 2:

And so, with all of that said, yeah, we are a single small appliance.

Speaker 2:

We're typically deployed virtually, we can be deployed from the cloud, and it's all in one, very easy to deploy. Because I think what we wanted to do is really just have a platform that is simple to use, simple to deploy, and it helps these environments get to a maturity level, so we can help them find and assess all the risks that they have, we can help them remediate those risks and fix them, and then move on to: now that you've got to a good state, let's start to monitor and make sure that no rogue devices occur, make sure that devices are being deployed to your standards going forward. And so that's kind of the whole package. And so when you think about the fixing that we do, it's things like upgrading and downgrading firmware, it's integrating with PAM platforms or using the one that we have built in to help them change credentials at scale and manage those credentials at scale, so they no longer have to worry about factory default credentials or a change-the-password-once-and-leave-it-as-is type of situation.

Speaker 1:

Are you able to do copiers or multifunction devices?

Speaker 2:

Anything. Yeah, so we actually manage one of the largest hotel chains in the world, particularly around printers for now, which, you know, we love printers but we don't, because, like, when people hear printers they're like, that's low value, right. You know, people don't necessarily. You know, I mentioned sexy cyber stuff. Printers don't really rank, but we've all done it when we travel, right, especially guys like us that are here, or maybe you at home, guys and gals: when you're checking into the hotel and you take a look over at the corner and you're like, there's that business center. Oh my gosh, who would ever use that, that crusty place? You know, it's got the monitor, it's running like Windows 7 or whatever the heck's going on over there, and you're just glancing at it and you're just shuddering, but there's people that use it.

Speaker 2:

And what happened to organizations like the one that we support is they're actually now getting popped via those printers. Because these printers, I mean, think about it. I know my printer that I've got in my laundry room, like over there, it's five, seven, eight years old, right, it just keeps printing. So I don't necessarily worry about it, and that's what happens in these environments in a lot of cases. It's that they're not, you know, paying attention to these things, and when you have an open environment like that, where you have a lot of people passing through and it's on your network, well, now you have a recipe for, you know, a risk multiplier.

Speaker 1:

Nick, I know you've got a question, but I can't wait.

Speaker 3:

I got to ask this. Go ahead.

Speaker 1:

So you said you were able to come into an environment with Phosphorus, your company, and do an assessment within 15 minutes. Let's say it takes half a day. Let's be generous with the time. How are you able to discover the devices across all of their networks if they've got network segmentation in place, or what have you, to be able to get the information on all of these XIoT devices? I mean, it sounds like magic.

Speaker 2:

I mean, some of it is, but in reality it's not necessarily magic. I mean, one of the things that is to our advantage in a lot of cases is there's still a lot more flat networks out there than you think. It's pretty incredible. But the other area, because we're an active platform, you can literally deploy us like a vulnerability management platform. So, you know, we've all used Qualys or Tenable or Rapid7. Most organizations put that in one place and then they allow access from that individual device out to their entire network, and so that's one way that it can work from that perspective, to access everything. We, of course, have our engine, which can be deployed into all those different segments or air-gapped environments to do discovery there. But yeah, we received a patent last year on our discovery engine because it is completely unique and original for our platform and how we do things.

Speaker 2:

It's something that we built internally, and I mentioned earlier we use probes, and so basically what we have is around 500 different probes. Those probes are tiered based on typical sensitivity of the devices that use these protocols. So think Ethernet, IP, BACnet; those are earlier on, and what we do is we stop communicating with a device once we classify it. So what that turns into is we find the devices. Hey, let's hit 65,000 ports per device, right. When you look at how we do that, it's only around 13 megabytes of traffic to do that discovery. And, as I mentioned earlier, and this is worth noting, we exclude Windows, macOS, and that is what pours gas on our speed. So we've scanned, in a production environment, 1.6 million IPs in under eight hours, and so that's just how we can roll.

Speaker 2:

Before we launched our engine, I probably shouldn't even say this publicly, but we were scanning the internet. You know, we can do it all, I mean, with this engine, because of the way that it operates, and so it's very, very fast. And one of the cool things that we did as well, when we do a POV or when someone does a scan out of the box, all the data streams in. So live, you can see the devices because, as I mentioned, when we classify a device, we stop talking to it. So it's done. And when we classify it, you see everything that's going on with it: if it has default credentials, what vulnerabilities it has, what configuration issues it has. So it's pretty powerful.

Speaker 1:

Do you sell through the channel and how do we become a reseller?

Speaker 2:

We do, and I would love to give you guys a demo. I mean, it's awesome. I'm extremely passionate about what we're doing and how we're doing it. And yeah, phosphorus.io, check it out. We're actually working with a lot of the Fortune 100 already. It's been pretty incredible.

Speaker 2:

But I think, like I mentioned earlier, I think, you know, it's not all roses, right. I think one of the challenges, I think, is we are early, right? If we get engaged to do a POV at an environment where they don't necessarily have an acute problem, just like any other platform, what happens is we'll be successful. And because we have a little bit of an overlap with some tools, like, hey, we already have Qualys for scanning and we already have Forescout for passive identification, then it becomes like, well, we don't really have budget because there's not necessarily a problem. And so, in that sense, that's why I talk a lot about our management, because our biggest success is when someone comes to us like a very large medical organization.

Speaker 2:

They had infusion pumps all over the US, and they actually had a team of 40 people trying to figure out a way to change passwords on those infusion pumps with their own code. And we came in and did that within a week, because it's just part of what we do. And that's one of the unique things for us: before we do a POV, we always ask, hey, what are your business-critical devices? Because what we can do is they can give us two or three devices, and if we don't already support it out of the box, we can build that support. So that's one of the unique things: we can have that support for full management in under a month. So it's pretty incredible.

Speaker 4:

The question I've been just dying here to ask. No, I'm kidding. One of the many things, you know, that we do at IT Audit Labs, Eric, and, you know, who would have guessed that? It's audits. But from audits trickles down to compliance, right, whether that's PCI, HIPAA, anything, NIST. What I'm really curious to get your thoughts on: you know, a bigger governing body, you know, doing such, of all the other entities that are governing, CMMC, NIST. There's nothing that's really coming in to take over the space for IoT, to set standards and govern that whole area that you're saying there's a bunch of problems in that we're seeing, but there's nothing that's coming in on top and setting those standards. Do you see benefit to having an entity like that, or would that be problematic, or what's your guys' take on that?

Speaker 2:

Oh, absolutely. I mean, I think there needs to be more pressure from a regulatory and compliance perspective in order to push some of this, right. You know, like I mentioned, there hasn't been this event that really makes people take notice. And, you know, I think OT has a lot of that going, depending on the part. You know, like, critical infrastructure of course has a lot of regulatory and compliance issues pushing them, right.

Speaker 2:

One of the great examples that I experienced was talking to one of my buddies that works at an organization that does chemicals for farming and also seeds, and, as you guys can imagine, the chemical side is highly regulated, right? The seed side is like the Wild West. We're talking people going to Best Buy, you know, throwing routers on the network. I mean, it doesn't, because it makes sense, right? It's seeds versus, like, chemicals that can literally be used for, you know, all kinds of bad things, and so those are the things that are helpful and that push a minimum standard and that really make people take notice. Maybe you guys saw, but recently the UK is starting to push on passwords and making sure that people are not using easy-to-guess passwords, and what I found very interesting about the article was that there were actually regional passwords that tied to easy-to-guess passwords in that region. So for the UK it's like Arsenal, Liverpool, you know, like, and I'm sure in the US we'll have our own that are very, very commonly used. But it's a.

Speaker 1:

Vikings 2024. Yeah, exactly.

Speaker 2:

Vikings next year.

Speaker 4:

Yeah, so you're saying and unfortunately it is this way we need to have some sort of catastrophic event for people to take notice of the space.

Speaker 2:

Well, I don't know if it's that. I mean, it's just that would certainly help. I think that, you know, there are regions that are taking it a lot more seriously than others. So one example: within Saudi Arabia, we have a few smart city initiatives out there, and so, because of how forward-thinking they are, if you guys have heard about their initiative, it's Vision 2030 for Saudi Arabia. Their goal is, obviously, they don't want to be reliant upon oil forever, and so they want to create new revenue streams and new industries, and so they've been very, very, very forward-thinking with smart cities. In fact, they have literally a smart country in NEOM, in the northern part of Saudi Arabia, and so they have actually developed some government-related standards towards IoT, I think because of some of these projects that they're working on and the importance of these projects. When you think about, you know, and that's really where I think we all need to take notice of IoT, is that when you think about, like, a camera. A camera today, it's a CCTV camera, it's security. You know, but really where cameras are going in the future is going to be, you know, we all maybe know about the Xbox Kinect, right, and it helps you know where people are. And that's really where cameras are going: it's not necessarily just recording what happened. It's now about visualizing in the space and helping someone interact within that space. That's where everything's going from a smart city perspective, and it's also like that's.

Speaker 2:

One of the things that I saw when I was in Saudi last month is that I got a tour of a 911 facility, and it was literally like Minority Report. I mean, I'm telling you, they had monitoring where you would see people driving down the highway and it showed their name and, what, their seatbelt was off and what have you. And you had another area where it was monitoring crowd density, which makes sense when you think about it. Right, if you have 10 people crowding together, that's potentially trouble, versus two or three people talking. So they're being proactive and monitoring people in that space.

Speaker 2:

We also have, related to that, they had another part where, when we were there, there was actually a fire going on, and there's a big button: deploy drone. So a lot of what they do is, now you've got your physical cameras that are in a place, and then now, of course, we all know about drones and their use in warfare, but there's also public safety and other components where drones are being utilized. When you get into, you know, mountainous regions or cold or hot or other types of areas, that's where you can really save a lot from a risk component, you know, for deploying people and things like that.

Speaker 3:

Sounds a bit Orwellian, especially hearing a lot about the FISA 702 that just got passed here in the US. You know there hasn't been any big sexy Stuxnet type breaches or anything like that with IoT that we can point to. Are there maybe some smaller stories of concern or that popped up in your news feed that are worth mentioning?

Speaker 2:

Yeah, I mean, we experience quite a few of them, like, just working with clients, that don't make the news. But I think, you know, related to that, like we all know, the FCC put a ban on certain vendors a year or two ago with Chinese origin, and the key thing with that ban to note is that the ban is not about Chinese companies per se. It's not saying every Chinese company is bad, not by any means, but what it's focused on is Chinese companies that are beholden to Beijing, so they're essentially found or suspected to share information with the government of China in perhaps a non-standard way than you would think. So with that it creates a lot of risk, and so one of the things we do is, when we do discovery within an environment, we'll actually highlight prohibited devices. And so one of the deployments that I had last year was we had a meeting with a CISO in Nashville in our headquarters, and we found out, hey, they had a big concern around those types of devices, and this organization.

Speaker 2:

I didn't know this when I started talking to them, but they are making goods everywhere, and I'm talking in Iran and Russia. I mean, literally ice cream in Russia, which, I wasn't really thinking straight, I'm like, that logistically makes no sense. You're just going to put a bunch of frozen ice cream on a ship and send it over? You know, but of course it's, you know, the liquid or whatever.

Speaker 2:

I digress, but the interesting thing was, sadly, because of these cameras, and when you start to think about modern cameras, they're running firmware, but that firmware is Linux. And because of the optic capabilities, and now they're starting to do facial recognition, there's a lot of power in these cameras. So we know about the Mirai botnet, right, that was one of the earlier types of IoT. You want to talk about sexy attacks? The Mirai one is maybe one of the top ones, and there's a reason why it was focused on cameras: there is a lot of horsepower within these Linux kernels when you pop the device to be able to run things on there that can create issues like that botnet did.

Speaker 2:

So, getting to the point, with this organization, the issue that they had is they had actual people disappearing from their factories because of these cameras and because of these cameras reporting information back. And so one of the things that China is very focused on is, when they have people that leave or maybe go to other areas, you know, in some cases they want to bring them back. And so, with that, that was our focus within, you know, those environments: we were given a couple of days to go out there to their largest facility in the UK to do discovery, and, of course, we know how our product works, and so we were able to do that in four of their largest networks in around half a day or less.

Speaker 2:

So that gave us some time to do other things, and that is one of the beauties, like, you know, when you think about assessments: our data, we get the data and we're done. We can just walk away. It's a single JSON file, and I can take that data and import it elsewhere later to do analysis, and so, you know, for me, I just love it because it's just so easy to get the data and it's so portable and you can get results very quickly.

Speaker 1:

Eric, it's really been awesome talking to you today. This is so much. We've covered so much ground and I think I've learned a lot. I definitely want to take you up on that offer for a POC because I'd love to see how this works in practice. I'd love to talk to you more in the future.

Speaker 2:

Awesome, looking forward to it. Thanks a lot for having me, guys. This has been a lot of fun.

Speaker 3:

You've been listening to The Audit, presented by IT Audit Labs. Today, our guest was Eric Johansen. We've been joined by Eric Brown, Nick Mellom and the producer, Joshua Schmidt. Thanks so much for listening. Please like, share and subscribe if you'd like more cybersecurity content in the future.

IoT Security
Internet-Connected Devices and Security Risks
IoT Security Challenges and Solutions
IoT Security and Compliance Discussion