This Week in Enterprise Tech 530 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Louis Maresca (00:00:00):
On This Week in Enterprise Tech, we have Mr. Brian Chee and Mr. Curtis Franklin back on the show today. Now, have PLCs outstayed their welcome in the industrial space? We're actually seeing manufacturers keep zero days out in the field. We'll actually talk about what that means for the future of microcontrollers. Plus, the passwordless world is the North Star for organizations today. We have John Engates. He's Field Chief Technology Officer of Cloudflare, and we're gonna talk about some passwordless options, MFA, really how to get your organization into the future. Definitely shouldn't miss it. Quiet on the set.
Podcasts you love from people you trust. This is TWIT
Louis Maresca (00:00:48):
This is TWiET, This Week in Enterprise Tech, episode 530, recorded February 10th, 2023: Death to the Password. This episode of This Week in Enterprise Tech is brought to you by ZipRecruiter. Are you hiring for your team? Despite current headlines, several industries like hospitality and healthcare are heading for a hiring boom. No matter what industry you're in, if you need to hire, go to ziprecruiter.com/twi and try it for free. And by Kolide. Kolide is an endpoint security solution that gives IT teams a single dashboard for all devices, regardless of their operating system. Visit kolide.com/twit to learn more and activate a free 14-day trial. No credit card required. And by Miro. Miro is your team's visual platform to connect, collaborate, and create together. Tap into a way to map processes, systems, and plans with the whole team. Get your first three boards for free to start creating your best work yet at miro.com/podcast.
Welcome to TWiET, This Week in Enterprise Tech, the show that is dedicated to you, the enterprise professional, the IT pro, and that geek who just wants to know how this world is connected. I'm Louis Maresca, your host, your guide through this big world of the enterprise. I can't guide you by myself. I need to bring in the professionals, the experts in their field, starting with our senior analyst at Omdia. He's, you know, an enterprise expert. I would say he's our very own Mr. Curtis Franklin. Curtis, it's great to see you, my friend. How's your week going? What's piqued your interest? You busy?
Curtis Franklin (00:02:30):
Lou, it's been a great week. We're having a good time in the world of analysis and lots to talk about over in my various places. And it's, believe it or not, time to start getting ready for the RSA Conference, which pops up in April. Starting to get hit with a flood of "oh, can we meet in San Francisco?" meeting requests. Looking forward to actually seeing human beings when I get out there to the city by the bay.
Louis Maresca (00:03:01):
Are you hearing any themes coming out of the RSA Conference this year? That's, you know, what we've been hearing in the news at all?
Curtis Franklin (00:03:08):
The big thing that I'm hearing in terms of themes at RSA, we're getting back to one that we talked about a lot last year, and that's risk: using risk as a metric for security. And especially watching the number, however you express risk, watching that change as you do various things in terms of your risk posture, whether that's educating your workforce or installing new technology or changing policies and procedures. People want to be able to know that the investments they're making in security are moving the needle, and risk is the language that most are choosing to do that.
Louis Maresca (00:03:57):
I think that's what security really is. It's just moving the needle. Right, Curtis? <laugh> Absolutely. All right, thanks for being here, Curtis. Well, we also have our very own Mr. Brian Chee back on the show. Cheeber, it's great to see you, my friend. How's the fairgrounds faring, and have you got it connected yet?
Brian Chee (00:04:14):
Oh yeah, we've got a bunch of stuff. I'm getting ready to go throw some fiber up in the air and get it going to the different buildings, but mostly we're trying to make sure that there's enough security cameras so that the security guys that have to run the fair have less to do and are able to cover more area. But I'll tell you, one of the things I just did today was visit my local Graybar and start the ball rolling to go and get an account for the fairgrounds and for myself, because, you know, there doesn't seem to be any specialty communications shops like I had in Honolulu. Orlando seems to have big ones, but not a whole lot of specialty shops. So I'm learning what's where and where to buy stuff.
Louis Maresca (00:05:08):
You get to do all the fun projects. Well, I wish you luck with setting all the network security devices up, but you know, we have a lot to talk about here, so let's go ahead and get started. Now, industrial devices have been targets for hackers for a long time. In fact, some devices have actually been around for decades. Today we're gonna talk about PLCs and where things are going there. Now, passwords continue to be a problem with lots of organizations, just because they can really unlock the keys to the kingdom. Well, today we have John Engates. He's Field Chief Technology Officer of Cloudflare, and we're gonna talk about the passwordless world, what it looks like, and how you can actually get there. So you definitely wanna stick around, because we have lots to discuss. But like we always do, let's go ahead and jump into this week's news.
Blips. You may remember several weeks ago there was a massive, huge ESXiArgs ransomware attack that was targeting VMware ESXi servers. And it wasn't really good. It actually had a huge impact globally. Now, this week, according to BleepingComputer, the US Cybersecurity and Infrastructure Security Agency, or CISA, might be able to actually help things if you were impacted by the attack. That's right, CISA has released a recovery script for any of the servers that were encrypted by the ransomware attack. Wasn't that nice of them? Well, according to CISA, the attacks encrypted over 2,800 servers. They were able to actually count the number of servers, or actually the ones that were attacked by ransomware, because of the Bitcoin addresses that were posted. Now, while many of the devices were encrypted, the campaign wasn't that successful. In fact, that's because the threat actors failed to encrypt the flat files where the data for virtual disks are stored.
Almost sounds like an amateur did this, right? Well, the tool is fairly comprehensive. It works by reconstructing the virtual machine metadata from virtual disks that were not encrypted by the malware. Now, their GitHub page has the steps you need to actually recover the VMs. Basically, the script will clean up the virtual machine's encrypted files and then attempt to rebuild the virtual machine's VMDK file using the unencrypted flat file. Now, if you're gonna use the script, make sure you do yourself a favor, and your organization a favor, and make backups before you attempt to recover, because I don't wanna get emails saying that you blindly ran this script and lost everything. Also, do yourself a favor, and your organization a favor as well, and make sure that the script does what you want it to do for your specific situation, because you don't wanna restore the wrong data from VM metadata. Not a good thing. That would be bad.
Curtis Franklin (00:07:33):
Hey, remember SolarWinds? No, of course you do. That's the supply chain exploit that continues to be a painful reminder of just why criminals so love supply chain exploits. Well, in a new article at Dark Reading, they look at recently released research from Microsoft that shows that the gang taking advantage of SolarWinds wasn't just opportunistic. They were very, very sophisticated. The criminal ball started rolling through a sophisticated authentication bypass for Active Directory Federation Services, or ADFS, which is an identity management platform offering a way of implementing single sign-on across on-prem and third-party cloud systems. This particular exploit was pioneered by the Russia-linked Nobelium group. The malware that allowed the authentication bypass, which Microsoft called MagicWeb, gave Nobelium the ability to implant a backdoor on an ADFS server, then use specially crafted certificates to bypass the normal authentication process.
In its report, Microsoft plainly says something that has become quite apparent in cybersecurity. Quote: nation-state attackers like Nobelium have seemingly unlimited monetary and technical support from their as well as access to unique modern hacking techniques, tactics and procedures, or TTPs. Now, unlike most bad actors, Nobelium changes their tradecraft on almost every machine they touch. MagicWeb used highly privileged certificates to move laterally through the network by gaining administrative access to an ADFS system. The Nobelium group paired that malware with a backdoor dynamic link library installed in the global assembly cache, which is an obscure piece of the .NET infrastructure. So what does all this mean for you? According to Microsoft, companies need to treat ADFS systems and all identity providers as privileged assets in the same protective tier as domain controllers. Such measures limit who can access those hosts and what those hosts can do on other systems. In addition, any defensive techniques that raise the cost of operations for cyber attackers can help prevent attacks. What sorts of things raise those operational costs? Think multifactor authentication and zero trust architecture, and you'll be heading in the right direction.
Brian Chee (00:10:09):
So this article from The Verge brings up some very pointy questions amidst the frenzy to roll out competition for ChatGPT. Well, in my opinion, their most worrisome point is that ChatGPT has a tendency to create what The Verge calls BS, and to sometimes not really answer the base question. The example in the article is that when they asked which is heavier, 10 kilograms of iron or 10 kilograms of cotton, well, they didn't. I, for one, would love my search engine to be able to infer some of the information, like finding information on both 24-volt passive Power over Ethernet and 48-volt active Power over Ethernet when I ask simply about solar-based Power over Ethernet solutions. Well, anyway, I draw another analogy of how, when looking at papers written by my college freshmen, they overwhelmingly quote Wikipedia as if it were a definitive source.
I kept asking them if they believed everything they read on the internet. All too often I get answers that they must be true, since the answer could be edited by multiple people. Well, I'm getting similar answers about ChatGPT from students in regards to its accuracy. Some belief systems worry me greatly about this generation's critical thinking skills. Well, don't get me wrong, I'm all in favor of large language models, but like all data derived from opinion, I caution someone if they ask it whether they should jump off a cliff. Perhaps our search engine friends should take a good hard look at what are called Delphi models, that are designed to help winnow the chaff from opinion on large surveys. By normalizing the opinion, the hope is to throw out the outliers and concentrate on the middle ground. Well, it's not perfect. It does occur to me that the popular opinion might be a little closer to reality. I hope.
Louis Maresca (00:12:17):
Amazon is entering the satellite internet race. That's right. Back in 2020, the FCC gave Amazon permission to launch thousands of low-orbit satellites, as long as it later secures regulatory approval for an updated orbital debris mitigation plan. According to this Engadget and SpaceNews article, Amazon is even closer to this as of this past week, because the FCC has given them approval to officially send 3,236 satellites to orbit and to begin its Kuiper satellite internet operations. SpaceX wasn't very happy. Why? Well, the FCC grant actually comes a few weeks, or three months actually, after SpaceX got conditional approval to launch up to a quarter of the proposed 30,000 LEO satellites in its second-generation Starlink broadband constellation. Now, that approval gave SpaceX permission to deploy satellites at 525 kilometers, 530 kilometers, and 535 kilometers. But Starlink's first generation operates at 550.
Now, SpaceX had called on the FCC to limit Kuiper's approval to only 578 satellites in the 630-kilometer orbital shell and defer a decision on the rest of the constellation, which the regulator rejected. So that means Amazon's free to go. Now, as part of its updated orbital debris mitigation plan, the FCC will require Amazon to submit a semi-annual report concerning the number of satellites launched and disposal reliability. Now, if Amazon experiences disposal failures, they're required in a single year to actually provide a report to the FCC about it. Now, in addition, the commission is requiring Project Kuiper to ensure that it will be able to deorbit its satellites after their seven-year mission is done, making sure that they can actually decommission those satellites out of orbit if necessary, preventing them from colliding into things like the International Space Station. Now, with the rate of new satellites going up into low orbit, we might just hit that day where we look up and all we see is satellites rather than the real star constellations.
But hey, we'll have better internet. Well, folks, that does it for the blips. Next up we have the bites, but before we get to the bites, we have to thank a really great sponsor of This Week in Enterprise Tech, and that's ZipRecruiter. Now, are you hiring for your team? Well, despite current headlines, several industries like hospitality and healthcare are heading for a hiring boom. No matter what industry you're in, if you need to hire, go to ziprecruiter.com/twi and try it for free. I'm constantly looking for technical people who can build scalable microservices and be able to code for those critical path components. Well, ZipRecruiter makes it easy for me. I've used it a bunch to find the people with those exact parameters I'm looking for, and also the technology stack and experience that I need. It makes it really easy for me to find those people.
ZipRecruiter uses powerful matching technology to find qualified candidates for a really wide range of roles. If you see a candidate who you think would be perfect for your job, ZipRecruiter makes it easy to send them a personal invite so they're more likely to actually apply. And ZipRecruiter also has a user-friendly dashboard that lets you filter, review, and rate your candidates all from one place. In fact, four out of five employers who post on ZipRecruiter get a quality candidate in the first day. Find quality candidates fast, and let ZipRecruiter keep your team growing strong. Go to ziprecruiter.com/twit to try ZipRecruiter for free. That's ziprecruiter.com/twiet, and we thank ZipRecruiter for their support of This Week in Enterprise Tech. Well, folks, it's time for the news bites. Now, this article by Wired brings back some memories for me about the days when I was a system control engineer at a large brewery.
Now, PLCs were magical, but they also were the bane of any engineer's existence, because they were always going down, or they sometimes gave you false data. Now, I remember back in the day, even 20 years ago, these were Siemens devices. In fact, I really liked the simplicity of the ladder logic that came out. Now, back in 2009, Stuxnet, a computer worm, crippled hundreds of centrifuges inside Iran's uranium enrichment plant by targeting the software running on their PLCs. Now, they exploited these PLCs that were made by the automation giant Siemens, and they were all models from the company's ubiquitous, long-running SIMATIC S7 product series. Let's fast forward almost a decade, or even longer. A decade, yeah. Fast forward a decade or more later. Now, what do you think? We just heard this last week.
Well, Siemens disclosed that the vulnerability is actually in its S7-1500 series PLCs and can be exploited by an attacker to silently install malware or malicious firmware on the device and take control of them. Now, there is a silver lining here, because it was discovered by researchers. It wasn't discovered by actual hackers. And the fact that you actually require physical access to the device in order to make that exploit. Now, researchers spent almost a year trying to breach the protected devices, even though the firmware was encrypted. Now, the exploit they found, in fact, was inside the encryption method, because the device isn't actually able to patch that particular flaw, since it's hard-coded in the dedicated crypto authentication chip, or the co-processor that supports it. So there's no way to actually patch the firmware to make this better.
Now, if you remember, Stuxnet famously used tainted USB thumb drives as a way to introduce their malware into air-gapped networks and ultimately infecting the then-current S7-300 and 400 series PLCs. Now, in the case of the 1500 series, Siemens has decided not to provide them with a fix. In fact, their guidance is that you just need to lock them down, lock down physical access to the devices. You don't need to do anything else there. So that means it should, in fact, stay a zero day forever for those devices. I wanna bring my co-hosts back in, because this is an interesting case. You know, Siemens has been around for a long time. I kind of think that they should have probably evolved their security practices by now, don't you think, guys?
Brian Chee (00:18:32):
I would certainly hope so. You know, I actually ran into some PLCs, I'm not going to even bring up the brand, that were approved by the American Bureau of Shipping. And in fact, ABS wouldn't even let me change from the old thick Ethernet, which was running right next to high-voltage cables, to fiber optics. It took me a year and a half, almost two years, to get approval to make that change. So I mention this only because there's an awful lot of PLCs floating on the ocean. There's actually some PLCs flying in the air above us. And the problem is it's a very, very inertia-ridden industry. The folks that I had to deal with, especially in the shipping world, were not interested in change. They really weren't. And it was very, very frustrating.
In fact, when I found a set of PLCs on shipboard, their stack was so fragile that all I had to do is throw six pings in a row at it and I could crash the PLC. And I discovered the hard way that a lot of these PLCs were originally set up for RS-485, a serial protocol. And when various manufacturers and customers were saying, we must have Ethernet, we want it, we want it, darn it, a lot of the PLCs, especially the older ones, were not originally designed to work with Ethernet. They were originally designed for RS-485 serial and originally designed for sub-megabit-per-second performance. Well, even with the slowest TCP/IP Ethernet stack designed for 10 megabit per second half duplex, most of those legacy devices all tend to get their buffers overloaded. So it's been frustrating. There are a lot of new next-generation PLCs being marketed, but again, inertia. Nobody wants to change out PLCs because they don't want to have to redevelop the software. So it's gonna take a little while, and I strongly encourage anyone that is doing process control to take a very, very hard look, to actually think hard, really hard, especially if you've got PLCs that are older than a decade or so.
Louis Maresca (00:21:16):
Agreed. Agreed. I mean, if you think about it, when we used PLCs, they were on the lines of the brewery. So they were just kind of exposed. There was really no way for us to really secure them. I mean, Curtis, I know that this can't be the only way to secure these things, right? I mean, Siemens has gotta do a better job.
Curtis Franklin (00:21:33):
No, and it's worth pointing out, in Siemens's response to all this, they said, well, it's not that big a deal because you have to have physical access to the devices in order to launch an exploit of the vulnerability. Stuxnet was delivered to and disabled devices that were air-gapped from the internet. It was delivered on a USB thumb drive left nearby the facility that an engineer picked up and plugged into a system. You don't have to have the internet to have a vulnerability exploit. And to say, well, we're not gonna fix it, but we will sell you a new product that we promise will be better. Sure. And, you know, yeah, I am picking on Siemens because it's a bad response <laugh>, but it is not a uniquely bad response. You see that sort of response all over this part of the industry, all over the whole PLC, embedded controller, operational technology market. And the risks are getting greater as these devices more and more must be connected to enterprise IT systems in order for things like enterprise resource planning to take place on a real-time basis. This is a problem that's going to get worse. This is a problem that the vendors are resisting finding a real solution to. And it's one that the customers, and by customers I mean big companies with lots of zeros in their income statements, are going to need to press hard on in order to get a fix.
Louis Maresca (00:23:41):
Now, I'm actually seeing organizations out there replace PLCs with microcontrollers, and microcontrollers being sometimes simplified microcontrollers that are just industrialized to fit their specific needs. And it's cheaper. They can update their firmware more easily. They don't get any of these kind of stuck zones of not being able to update things. And the fact that, you know, if they need to get rid of them or replace them, they're a lot cheaper than these other counterparts. Do you guys see this going in that direction?
Brian Chee (00:24:12):
Oh, yeah, I've stopped buying PLCs, period. And actually there's an Arduino-based device. They're sold into the PLC market. But I actually participated in a Kickstarter for it. And it is a gorgeous device. It fulfills just about everything that I would've normally done with the PLC, but I've got a lot more control over revving the software. It's in a language that I don't lose sleep over reading <laugh>. And you can make it do lots of interesting things. Double-edged sword. If it can be made to do lots of interesting things, it can be made to do malicious things too. But it is like a regular general-purpose computer, whether it's Arduino-based, whether it's Raspberry Pi-based, whether it's PC/104-based. It needs the same kind of safeguards that you have for your general-purpose computers. If you are going to ignore it and stick your head in the sand, someday you're gonna have something really interesting, like suddenly your shipboard power generation plant will go dark <laugh>, and cue going to black <laugh>.
Curtis Franklin (00:25:46):
Well, you know, I'm going to say real quickly that you're absolutely right. This is a trend. This is the direction things are going. And people are not only using embedded controllers, but using outlandishly powerful embedded controllers for the purpose. And while that does give you flexibility, it gives you more capability for things like security on the chip, if it's programmed to have that. The problem is that for many industrial applications, a PLC, a piece of silicon that does one thing and one thing only, is the right solution. Because if you're going to do things like timing based off of clock, knowing precisely what is happening every clock cycle, with no possibility for interrupts to be thrown or some other piece of software to come in and claim part of the CPU's time, is a very good thing. Whether you should in fact use clock cycles for timing loops is a subject for another conversation. But PLCs are not intrinsically bad. What is intrinsically bad is never considering security, stability, and recoverability as you're designing a system. If you do those, then PLCs could still be the right answer for a lot of embedded applications.
Louis Maresca (00:27:37):
Agree. I agree. You know, it's interesting because if people are gonna have to go out and even secure their existing PLCs, it might be even more cost effective for them to just go out and replace them with inexpensive microcontrollers instead. So I think we'll definitely have to see what happens in the coming years as people are exposed to these types of threats. We'll have to see. Well, thank you guys. That does it for the bites. Next up, we have our guest to drop some knowledge on the TWiET riot, but before we do, we do have to thank another great sponsor of This Week in Enterprise Tech, and that's Kolide. Now, you know the old saying, when the only tool you have is a hammer, everything looks like a nail. Well, the traditional approach to device security is that hammer, a blunt instrument that can't solve those nuanced problems.
And even after installing clunky agents that users hate, IT teams still have to deal with mountains of support tickets over the same old issues, and they have no way to address things like unencrypted SSH keys or OS updates or pretty much anything going on with a Linux device. Well, Kolide is an endpoint security solution that's more like a Swiss Army knife. In fact, it gives IT teams a single dashboard, a single pane of glass, for all devices: Mac, Windows, or even Linux. You can query your entire fleet to check for common compliance issues, or write your own custom policy checks there as well. Plus, instead of installing intrusive software that creates more work for IT, Kolide's lightweight agent shows end users how to fix issues themselves. That's right. Empowering people to self-service their own scenarios is one of the major things I look for in security software. You can achieve endpoint compliance by adding a new tool to your toolbox. Visit kolide.com/twit to find out how. That's K-O-L-I-D-E.com/twit, and we thank Kolide for their support of This Week in Enterprise Tech. Well, folks, it's my favorite part of the show. We get to bring a guest on to drop some knowledge on the TWiET riot. Today we have John Engates. He's Field Chief Technology Officer at Cloudflare. Welcome to the show, John.
John Engates (00:29:47):
Hey, nice to be here. Thanks for having me.
Louis Maresca (00:29:50):
Absolutely. We're excited for you to be here, because we have a lot to talk about here. Passwords are always a hot topic on this show, but before we get to that, people love to hear our guests' origin stories. We have a set of people with experience levels of all kinds, and they're all at different points in their career, all different experience levels, and they love to hear people's journey through tech. So maybe you can take us through your journey into tech and what brought you to Cloudflare.
John Engates (00:30:11):
Sure. So my journey started way back in the early nineties. I was in college. I was tinkering around with Linux in the computer lab at school. This was like beta Linux back in those days, and I had internet access only really through the school. When I graduated, I had to have internet access. So I started an ISP with a couple of friends of mine in San Antonio, Texas. And we ran a local ISP, you know, selling dial-up and T1s and all that kind of stuff. And that eventually led me to a company called Rackspace. One of my best customers at the ISP was one of the original investors and founders of Rackspace. So I worked at Rackspace for almost 18 years as the CTO. And then I worked in a couple other companies. And then last year, maybe a year, year and three months ago, I joined Cloudflare. It's a company I've known for many years through Rackspace, through my relationship, and it's a great company, and I'm excited to tell you all about what we're doing.
Louis Maresca (00:31:08):
Fantastic. Well, you know, I work in services, and I know that a lot of organizations' Achilles heels sometimes are hackers using social engineering techniques, phishing techniques, to really get those necessary credentials from organizations or to really wreak some havoc on the network. Right. And, you know, I would say a lot of organizations still depend on the standard username and password to secure things. The question is, what's the right way to evolve this for them? What should they be doing next?
John Engates (00:31:39):
Well, you're right. Passwords are everywhere. They're in every system, every consumer-based system, enterprise system. I mean, we still rely on them heavily. Some companies have gone a step further and employed multifactor authentication of some sort, which gives you an extra layer of protection. And, you know, multifactor authentication, it's the one-time codes that we see sometimes delivered via text message or on a phone app of some sort. The challenge is even those aren't perfect. You know, they're vulnerable in some regards, and we can talk more about that through the conversation. But we have to move beyond passwords in some way, shape, or form, because they can be phished, they can be written down and handed over to someone. They can be, you know, sort of stolen, basically, and then shared, you know, and that's a problem. So we have to move beyond passwords in some form or fashion.
Louis Maresca (00:32:37):
A hundred percent agree. I could be honest with you, I don't think I've used a password in a critical system service, or even a production-wise service, for a long time. I've used other methods, which I won't go into, but I've definitely used other methods to make sure things are secure. I get dynamic access to things. However, these are complex environments that took us a long time to evolve into. And I think the reality is a lot of organizations are still stuck in the stone ages of username and password. They want to go and implement really quick MFA-type scenarios, like, for instance, SMS or whatnot. Is that good enough? What's the beginning? What's a good stepping stone for an organization?
John Engates (00:33:17):
Well, look, I think anything is better than just a password, but the MFA, we have to get better than the stuff that's being used today. Because if you have a sophisticated attacker, they will send you a password prompt, username, password, and an MFA prompt. They'll ask for your MFA credential, you'll type in your six-digit code, or maybe you'll hand your six-digit code to someone over a social engineering telephone call because you think they're the IT folks. And then they'll turn around and take those credentials, type them into the legitimate system, and now they've owned you. Basically, they have access to your account. You know, you may be a lowly employee at a firm, but that is a jumping-off point or a launching point for a broader attack. And it's oftentimes sort of the way in that they use to just get a foothold in your organization.
And once they're in, then they try to sort of figure out what else they can find inside the organization. So one individual user can open the door to a broader attack. And that's what we need to protect. We need to stop blaming the end user for handing over credentials, and we need to protect that end user from the attack by giving them better tools that don't allow them to be phished in that simple sort of way that it's happening quite regularly around the world.
Louis Maresca (00:34:38):
Yeah, I think one thing I've seen a lot of organizations do as well, as maybe a stepping stone into this, is try to, you know, we talk a lot about zero trust on this program, and I know that a lot of organizations are trying to isolate their systems, especially critical systems, so that if somebody does get a password, they can't unilaterally walk through the network and get to unique systems and critical systems. Is this also like pairing, you know, getting away from passwords, using some other type of MFA, but also maybe working towards a more segmented network or set of services? Is that a good approach? Is that a good combination, that kind of thing?
John Engates (00:35:17):
Absolutely. So definitely zero trust. We employ zero trust inside of Cloudflare. We actually have a product for zero trust; the services that we deliver at Cloudflare are put together into a solution for zero trust. And we at Cloudflare deploy a stronger form of authentication in the form of a hard key or a hardware key that is not phishable, or is certainly phish-resistant, where there is no six-digit code anymore. It's basically a cryptography-based authentication that is tied to the application and tied to the specific keys that the user holds. And we combine that with zero trust. So not only are we making the authentication stronger, but we're also limiting the damage or the blast radius, so to speak, with regards to the user if they should be phished or compromised in some way.
So for example, the device that I'm sitting in front of, my laptop: if someone were somehow able to take over the laptop that I have, they would only be able to have access to the very specific applications that Cloudflare has provided access for me to get to. And then, you know, there's no way that I can do port scans. There's no way I can ping the network or look for other sites or services to log into. They're not exposed to me. I don't see them. There is no sort of wide-open network, like the typical VPN of yesteryear where you could basically see everything on the network. And so what we're trying to do with zero trust is lock down access even tighter to very specific applications, and under certain conditions that have to be met before you can get access to them.
Louis Maresca (00:37:08):
Now, one thing, you know, obviously hackers can be very tricky. And one thing we know is that they use social engineering techniques, even in the case of, let's say, having some kind of authenticator or a device that you need to authorize things. You know, let's say I'm vulnerable and somebody calls me and convinces me to just approve the lockbox request that came to my device, right, so that they can go and access and get the appropriate data they need. What are ways to prevent that type of thing?
John Engates (00:37:38):
Yeah. Well, oftentimes, again, they're trying to take your credentials and they're trying to use them themselves. They're trying to leverage those in a broader attack. And so they need your username, your password, some form of MFA token. It could be a six-digit code or something like that. Or again, like you said, maybe pushing the right button to allow for that. But you know, we have to have multiple mechanisms to prevent those kinds of attacks. We need to make sure that we're authenticating at every turn. If there's a new login to a new system that I haven't been logged into lately, Zero Trust is going to ask for those credentials, make sure that I'm sitting in front of my machine. The keys that we use, the YubiKeys, require you to, you know, lean over and touch the key physically, or some people may use the built-in tools that Microsoft or Apple or other vendors provide where you have a fingerprint or a Face ID or something of that sort.
So it's layering the security. It's not relying on one factor, it's multiple factors, and then it's layered security in terms of network access. And then even potentially going beyond that, we have some capabilities in terms of remote browser isolation to protect the browser from a malware drive-by of some sort, to keep that malware sort of in the cloud and at arm's length. And so you're trying to protect that end user from every form of attack. And then education, you know, you gotta make sure you keep them educated as well on a regular basis so that they're ready for those kinds of social engineering attacks. They need to recognize what those look like and be aware that they can happen to even the best of us.
Louis Maresca (00:39:24):
Now, we hear a lot about the concept of presence devices, making sure that whatever we're logging into, whatever we're trying to access, the user is present. Is this the YubiKeys that you're talking about? Or is there some other kind of combination of things that we need for that?
John Engates (00:39:38):
Well, there are all kinds of different solutions to that, but physically being present means, in the case of a YubiKey, you know, leaning over, reaching over and touching the little touchpad. You know, I see you have a picture up there, I have some here. They've got a little metallic sensor on them that you have to put your finger on, and I'm sure that passes a little electricity and it makes sure you're physically present. So you know, somebody's sitting on the other side of the world trying to hack this laptop. If I'm not physically here, then they can't leverage that YubiKey for their attack in any way, shape, or form. It locks those credentials, you know, into the key, unless it's authenticated by a touch. So when I think about multifactor authentication or passwordless authentication, that's, you know, sort of future mechanisms, I'm looking for ways that do require some form of physical presence, like a fingerprint, thumbprint, Face ID, something of that sort.
Louis Maresca (00:40:37):
Now, I've worked with several organizations, especially ones from other cloud service providers, and they're taking it even a step further. They're not only using these kinds of hardware keys, but they're also using presence. They're using multifactor, but then they're also getting these devices that actually have secure VMs on them, so that anything that's accessed when it comes to company assets or services has to happen on the VM. What type of scenarios would you need that for? Like, is that just for particular industries? Is it for everybody, that kind of thing?
John Engates (00:41:12):
Well, I think maybe what you're thinking about, and I'm by no means a deep hardware expert on this, but I do think about it from a trust perspective. You have to trust the hardware that your operating system is running on, because if you don't trust the hardware underneath, you know, how can you trust the platform if the hardware is compromised in some way, or if the underlying virtualization layer, the hypervisor or the operating system underneath your application, is? You know, from the point of view of an app looking down, you have to make sure you have trust all the way to the bare metal, so to speak. And so there are companies that are building that kind of capability to verify the hardware, you know, is legitimate and authentic and the same hardware that we deployed initially, and that it hasn't been tampered with.
Encrypting memory space, encrypting the storage on the machine. All of those kinds of techniques are important, especially when that hardware is outside of your direct purview. If it's in a remote data center somewhere, or if it's been shipped across the world and someone could have intercepted it and tampered with it. And so those are the kinds of things that I think you're referring to, and I think that really matters. Even in a scenario like my laptop, I mean, you know, I'm a remote worker, hybrid worker. It got shipped to me, you know, as a new employee, it came in via one of the courier services, and who knows who could have touched that machine, right? So you have to make sure that you've got some trust in the platform that you're running your systems on top of.
Louis Maresca (00:42:52):
Right, right. Well, it's time to bring my co-hosts back in cuz they have a ton of questions, but before we do, we do have to thank another great sponsor of This Week in Enterprise Tech, and that's Miro. Now, quick question. Are you and your team still going from tab to tab, tool to tool, losing those brilliant ideas, maybe even important information along the way? Well, with Miro, that doesn't need to happen. Miro is the collaborative visual whiteboard that brings all of your great work together, no matter where you are, whether you're working from home or in the hybrid workplace. Everything comes together in one place, online. At first glance, it might seem like just a simple digital whiteboard, but Miro's capabilities run far, far beyond that. It's a visual collaboration tool packed with features for the whole team to build on each other's ideas and create something really innovative from anywhere, in a shortened time to launch, so your customers get what they need faster.
Now with Miro, you need only one tool to see your vision come to life. Your planning, researching, brainstorming, designing and feedback cycles can all live on a Miro board across teams. And faster input means faster outcomes. In fact, Miro users report the tool increasing project delivery speed by 29%. That's a lot. And you can share the big picture in a really, really easy way. When everyone has a voice and everyone can tap into a single source of truth, your team remains engaged, they remain invested, and most importantly, they remain happy. Now cut out any confusion on who needs to do what by mapping out processes, roles, and timelines. You can do that with several templates, including Miro's Swim Lane Diagram. I can definitely use some of that. Strategic planning becomes easier when it's visual and it's accessible. Tap into a way to map processes, systems, and plans with the whole team.
So they not only view it, but they can have a chance to give feedback as well. Now, if you're feeling meeting fatigue, I know I am, Miro users report saving up to 80 hours per user per year just from streamlining conversations. Ready to be part of the more than a million users who join Miro every month? Get your first three boards for free, start working better together at miro.com/podcast. That's M-I-R-O dot com slash podcast. And we thank Miro for their support of This Week in Enterprise Tech. Well, folks, we've been talking with John Engates, he's the field chief technology officer of Cloudflare, talking about the passwordless world. But I do wanna bring my co-hosts back in. Who wants to go first? Cheebert?
Brian Chee (00:45:33):
Sure. John, I want you to speculate a little. You know, the viewers love to hear about our guests' crystal balls, you know, we've got some neat stuff. Yes, sir. Now I've had a time when I actually stuck a YubiKey onto my key chain. Bad move <laugh>. I ended up with a broken YubiKey mm-hmm. <Affirmative>. I keep hoping they'll provide one that's made from something else. But the question is, those dongles and the MFA apps on our phones, are they good enough? Do we need to do better? You know, like I've worked in the Department of Defense world and we very, very, very quickly found out that standard biometrics like, you know, fingerprint readers weren't good enough. We actually had to change those so it would detect a heartbeat behind it. In a perfect world, and let's ignore cost, should we be doing better? Could we do better?
John Engates (00:46:43):
I think we can. I think there are folks working on something better. One of the things that I put into my predictions, I do a predictions blog or, you know, bit of content every year. And late last year, I put in there the talk about passwordless, or passkeys. There's a standard called passkeys and it really aims to replace the password entirely and move beyond, you know, the users having to create strong passwords or remember passwords or write down passwords, and get to the point where we're using, you know, basically a unique, cryptographically strong key pair that allows us to authenticate to any number of websites and guarantees the authenticity of, you know, the individual user. Those can't be stolen, they can't be phished, they can't be hijacked.
And it's one of those things that I think is the next step beyond MFA in the sense of, you know, username, password plus some sort of second factor. And it's really gonna roll out this year. I mean, it's already starting to roll out on a number of different platforms. Apple has announced it already, their support for the passkey standard. Microsoft has been working on passwordless for a while and they're fully adopting this this year. And I think Google as well. So all three major device and hardware and operating system vendors are now supporting this FIDO Alliance passkey standard. And I think it's just a matter of time now. There's the domino effect where you're gonna start to see all of the different, you know, websites and popular apps that we use start to adopt it as well. It just makes sense.
Brian Chee (00:48:31):
I'm gonna take this line just a little further. When I talk to a lot of different users all over the world, especially in the Department of Defense life, you know, there is a lot of talk about we need something that's not gonna get forgotten. That's one of the big selling points of folks like Duo and so forth, where you're not gonna forget your phone. Well, what about not forgetting your wallet? So Mr. Ant, I'm gonna ask you to bring up a picture that was published in 2019 in 9to5Mac. It was a concept of a crypto wallet that could also hold, you know, your credit card information, your Bitcoin and so forth. But most importantly, it could be used with a fingerprint sensor to authenticate in the future. It kind of didn't happen, but what do you think, crystal ball owners? Spitball on that one for us.
John Engates (00:49:38):
Well, I think that the thing that you have to have for broad adoption is it has to be super simple. It has to be dead simple for everyone to use. I don't think necessarily YubiKeys in the form that I'm holding here were simple enough for the average person. You know, my mom, my sister, you know, they're not tech people. They want something that just works. It needs to be simple. They don't want to carry a piece of hardware around mm-hmm. <Affirmative> that could be lost. Another device is just one more thing that they don't want to deal with. The good news about the passkey standard is that it's gonna be built into all your favorite devices, you know, the Apple ecosystem, the Microsoft ecosystem, Google as well. And it doesn't require a third-party piece of hardware.
And so it's a balance. We have to make it something that is ubiquitous. It has to be simple, it has to be easy to deploy. It has to be something that you can recover if it gets broken in some way. I mean, if you only carry around one YubiKey, that's a problem. So I try to have multiples, but again, I'm a technical user who is using it for work. For a consumer, for a small business, for somebody that isn't highly technical and requires high security, I think passkeys are probably enough for most of us. That is one to think about more. It's fun to think about what else could be more secure, but it's gonna be a smaller and smaller and smaller subset of folks that are going to be able to adopt that. Right. Right.
Curtis Franklin (00:51:11):
Well, you know, I'm curious. We tend to look at alternatives to the password in the context of very large organizations. The government is doing this. My, you know, national bank is doing that. Mm-Hmm. <affirmative>, my credit card issuer is doing the other thing. What about small companies? What about someone who has somewhere between 10 and a hundred seats and they're looking to make their systems as secure as the systems of the larger players? Are there, or are there likely to be, solutions that are cost effective even for very small application owners? Mm-Hmm. <affirmative>?
John Engates (00:52:05):
Well, look, I think we're probably not at the shameless plug section yet, but I would say that Cloudflare, the company I work for, has a solution for small businesses that's free. You can get started with Zero Trust for free. So I'm not selling anything there. If you go sign up for Zero Trust, you can deploy that in a small organization. I've done it. Literally the first thing I did when I joined the company is I went to the website to see what I could do for free, and I set it up on my home network here. Wife, kids, they all have Zero Trust on their machines. They're all using the 1.1.1.1 DNS. It's filtering out malware. It's doing some pretty clever stuff, and you can take it a little further and integrate it with your IDP, so that if your users are using some sort of centralized identity provider, it will authenticate against those.
And that is not super expensive enterprise functionality. It's in the platform. And so I would say by all means, at least look at what's available. I think the cloud itself has made that so much more cost effective, because you don't have to go out and buy hardware. You don't have to buy expensive perpetual licenses. You don't have to engage with a big enterprise software company to buy this stuff. You can go and use this. And it's literally the same software in our platform that we're using for some of the largest companies on earth. So take advantage of the free stuff.
Curtis Franklin (00:53:30):
I couldn't agree more. Take advantage of free stuff. It's a great general principle for small companies and for families alike. But you brought up something that we are now getting back to after a couple of years away from it, during the plague years. So I'm gonna ask you, you mentioned your 1.1.1.1 DNS mm-hmm.
Now that we are moving around again, many of us are going to coffee shops, cafes, hotels, other places, not our office, not our home, but where we want to be part of our office network, we will sign on to these local networks. In most cases, some of us carry our own, you know, MiFi or similar devices, but when we do sign on, we are likely to hit the dreaded captive portal. Are we likely to be getting to systems that allow us to use public internet places at coffee shops while still having the security of DNS servers that do things like filter out malware and keep us safer? Right.
John Engates (00:54:48):
Well, look, I think that's another element of the Zero Trust story, the remote access aspect of it. It shouldn't only work where you're connected to some corporate network. It needs to work everywhere, right? It needs to work at the airport, the hotel, the coffee shop. So to get customers onto the Zero Trust network, you need a secure way to do that, a tunnel of some sort. So the app that we use for 1.1.1.1 on the devices also doubles as the Zero Trust client for Cloudflare. So when you go to the, you know, Zero Trust version, you can enable that same piece of software to create a secure tunnel between your device and the cloud. And that is actually the nearest Cloudflare point of presence. And that could be one of 285 cities around the world, and you're basically tunneled to Cloudflare.
And from there it becomes secure across our network to whatever applications, SaaS, cloud provider, whatever you're connecting to. But I hear you, we really want to protect that end user and we need to get them secure as quickly as possible. Yes, there is probably a small bit of time in there when you're gonna have to authenticate to that captive portal and, you know, tell the hotel what room number you're in, but then quickly turn on the tunnel and the Zero Trust to make sure you're connected to something secure.
Curtis Franklin (00:56:13):
It's nice to know that we're moving in the right direction, even if there is gonna be a transition period. So you mentioned the shameless plug earlier. We weren't there then, but we are now. So if one of our listeners or viewers is interested in exploring Cloudflare and what it can provide, how should they get started, and what would you recommend they do to take the first step down that path towards Zero Trust?
John Engates (00:56:41):
Well, I would say go sign up for an email@example.com. You can register domains there, you can protect websites there. You can set up a number of different services to protect your home network, as we've talked about. If you wanna go a little deeper, go to the blog. Cloudflare has a blog that is super technical, a very deep dive into all kinds of things. You can see us on Twitter, you can see us on Discord, and then we have a community website as well. So there's lots of avenues. Just search Cloudflare and you'll find all these different resources that I've talked about.
Louis Maresca (00:57:16):
And thanks so much for being here. Obviously we're running low on time. You gave a little pitch of Cloudflare. Is there anything else you wanna share, like upcoming things, a couple of events maybe from Cloudflare that you wanna tell the folks about?
John Engates (00:57:27):
Well, we do a Zero Trust roadshow most years. We did it last year. We're doing it again this year. So in cities around the country, we're doing enterprise-focused Zero Trust roadshows. And so please look for those in your major city and come see us.
Louis Maresca (00:57:44):
Thanks again. Well, folks, you've done it again. You sat through another hour of the best darn enterprise and IT podcast in the universe, so definitely tune your podcatcher to TWIET. I want to thank everyone who makes this show possible, especially my lovely co-hosts, starting with our very own Mr. Brian Chee, Cheebert. What's going on for you in the coming weeks, and where can people find you?
Brian Chee (00:58:04):
I am playing with the ESP32. I want to go and package a little doodad that's gonna be an acrylic tube with batteries and an external solar cell and be able to go and do time-lapse photography as shows are being built at the fairgrounds. Not only that, it'd be really cool because apparently the Blue Iris video management system can harvest data from the ESP32 platform. So with a battery, with a solar cell, and even the cost of the acrylic tube, I can do a reasonable surveillance camera for under, I think, $40. So that might be cheap enough that I'll be able to go and throw 'em around during special events. And if someone shoots it with a gun or something like that, I'm not going to be terribly upset. I'll be a little upset. But, you know, we're finally getting to the point where I can have special-purpose surveillance cameras. Well, if you wanna see how I'm doing it, just harass me over on Twitter. I am ADVNETLAB, Advanced Net Lab, on Twitter. You're all welcome to shoot me email. My email is cheebert, C-H-E-E-B-E-R-T, at twit.tv. Or you can throw email at twiet at twit.tv and hit all the hosts. I look forward to hearing from you. No matter what country you're in that you watch TWIET in, take care.
Louis Maresca (00:59:54):
Thank you, Cheebert. Well, we also have to thank our very own Mr. Curtis Franklin. Curtis, what about you? What's going on for you in the coming weeks, and where can people find you and your work?
Curtis Franklin (01:00:03):
Well, as I said, I'm gonna be busy writing. I've got a number of projects on deck that I'm trying to get done. Also, beginning to set up my dance card for the RSA Conference. But before RSA, I will be at Enterprise Connect here in Orlando. So if you're gonna be at Enterprise Connect, let me know. If getting together in person isn't in the cards, you're welcome, encouraged, urged to follow me on Twitter, KG4GWA. I'm also on Mastodon, KG4GWA at mastodon sdr org. I'm on LinkedIn, Curtis Franklin. I'm on Facebook, same name, oddly enough. I'm just everywhere. Veritable social media butterfly. Follow me somewhere, send me a note and let me know you're there. Would love to get together virtually or in person with members of the TWIT Riot.
Louis Maresca (01:01:07):
Thanks Curtis. Well folks, we also have to thank you as well. You're the person who drops in each and every week to get your enterprise goodness. We wanna make it easy for you to watch and listen and catch up on your enterprise and IT news. So go to our show page right now, that's twit.tv/twiet. You'll find all the show notes, the co-hosts' notes, the guest information, all the amazing back episodes, and of course the links to the stories that we do during the show. But more importantly, next to those videos, you'll get those helpful subscribe and download links. Support the show by getting your audio version or your video version of your choice. Listen on any one of your devices or any one of your podcast applications cuz we're on all of them. So definitely subscribe and support the show. And of course you can support the show.
Also support the network by jumping into Club TWiT. That's right, it's a members-only ad-free podcast service with that bonus TWIT Plus feed that you can't get anywhere else. And it's only $7 a month and there's a lot of great things you get with Club TWiT. You not only get the ad-free podcasts, but you also get exclusive access to a members-only Discord server. You can chat with hosts, producers, we have a ton of amazing channels in there, plus they also have special events that you can't see anywhere else. So definitely check out Club TWiT, join it right now. Go to twit.tv/clubtwit. Now Club TWiT also offers corporate group plans as well. It's a great way for your team to access all of our ad-free tech podcasts. The plans start with five members at a discounted rate of just $6 each per month.
And you can add as many seats as you like there. And this is really a great way for your IT departments, your developers, your tech teams, your DevOps teams to really get access to all of our podcasts. And just like regular memberships, they can actually join the Discord server and get the TWIT Plus bonus feed as well. So twit.tv/clubtwit. There, after you subscribe, we want you to impress your family members, your friends, your coworkers with the gift of TWiT, cuz we talk a lot about fun tech topics on this show and I guarantee they'll find it fun and interesting as well. So definitely share TWiT with them and have them subscribe. Now don't forget, we also do the show live. That's right, 1:30 PM Pacific Time. We are on the live firstname.lastname@example.org. There you can choose from all the different streams, whether it's YouTube or whatnot.
Definitely choose that and check the live stream out cuz you know, come see how the pizza's made, come see all the behind the scenes, all the fun stuff, all the banter we do before and after the show. Come see what's going on there. Plus if you're gonna watch the show live, you might as well jump in our famous irc.twit.tv IRC channel as well, where we have a lot of great characters in there each and every week. We get some great show topics as well as good questions. In fact, we're getting some good show titles from there. So thank you guys for being there and being part of the TWiT Riot. Well, folks, definitely hit me up. I want to hear all your ideas. I wanna have conversations, twitter.com/LouMM, I'm pretty prominent on there, and I also have been really kind of pushing things on LinkedIn as well, cause I have some really good professional conversations on there as well.
So search Louis Maresca on LinkedIn and, you know, hit me with show ideas, direct message me about the industry, whatever you wanna talk about, definitely hit me up there. And you know, if you wanna know what I do during my normal work week at Microsoft, you can check developers.microsoft.com/office. There it is. You can see the latest and greatest ways you can customize your Office experience to make it more productive for you. Check out Office Scripts. It's a lot of fun. Well, I want to thank everyone who makes this show possible, especially Leo and Lisa. They continue to support This Week in Enterprise Tech each and every week. So thank you for their support over the years. We couldn't do the show without them. I wanna thank all the engineers and staff at TWiT because again, the show cannot operate without them. And of course, I wanna thank Mr.
Brian Chee one more time. He's not only our titleless producer, he's not only our co-host, but he's also our tireless producer. He does all the bookings and the planning for the show. And again, we couldn't do this show without him. So thank you Cheebert for all your support over the years. Now, before we sign out, I wanna thank the editor that's gonna edit this show after the fact, because you know what, you're gonna cut out all our mistakes and make us look good. So thank you so much for your support. And of course I wanna thank our talented TD for today. He's the talented Mr. Ant Pruitt. He does an amazing show called Hands-On Photography each and every week. And I'm just looking forward to what's going on this week in that show. What's going on this week?
Ant Pruitt (01:05:21):
Well, thank you Mr. Lou. This week we're taking a look at golden hour photography and how to get the right skin tones in golden hour photography, because I got a beautiful image sent in from one of our Club TWiT members and he was concerned about his subject's skin not quite looking right. So I walked him through how to take that image, put it in a video editor, and use the tools in a video editor to figure out exactly what's wrong and how to address this issue.
Louis Maresca (01:05:51):
It's amazing. Check that out. 'Cause mine's always yellow and I really need to check that out. Thank you, Ant, I appreciate that. Well, until next time, I'm Louis Maresca, just reminding you, if you wanna know what's going on in the enterprise, just keep quiet.
Rod Pyle (01:06:05):
Hey, I'm Rod Pyle, editor in chief of Ad Astra Magazine. And each week I join with my co-host to bring you This Week in Space, the latest and greatest news from the final frontier. We talk to NASA chiefs, space scientists, engineers, educators and artists, and sometimes we just shoot the breeze over what's hot and what's not in space books and TV. And we do it all for you, our fellow true believers. So whether you're an armchair adventurer or waiting for your turn to grab a slot in Elon's Mars rocket, join us on This Week in Space and be part of the greatest adventure of all time.