[00:37] New Co-Host Petko Stoyanov Presents the Security Headlines
Rachael: Please put your hands together to welcome my new official co-host, Petko Stoyanov. Petko, are you excited? You're officially on the podcast now and I know our listeners are going to have so many questions. I want to take a little time to get to know you a little bit better.
Petko: I'm looking forward to this, Rachael. You and I have so much fun just talking about cybersecurity in general. I'm looking forward to continuing the energy that this podcast has had and interviewing so many interesting guests who continue to do that.
Rachael: Let's start at the top, Petko, because we were just laughing and how Petko's such an original name. I'm curious, I'm sure listeners are too. How did your parents come up with the name Petko? What's the history there?
Petko: I know most people are thinking of the pet store, so I have to put that out there first. I am not named after the pet store, but the name Petko itself is originally a very common Bulgarian name. So it emerged from Bulgaria, which is in Europe. If you trace Petko, it's actually tied back to Petros, which is in a way, Peter. I'm older than Peter, you could argue.
Rachael: So Bulgaria, is that where your family's from, and what brought you to the US?
Petko: That's an interesting story. So I came to the US back in the mid-'80s. I was a refugee with my parents who came to the US by way of Italy. Interestingly, my parents were both math professors.
An Opportunity to Leave the Country
Petko: They taught mathematics and had an opportunity to leave the country to go teach other areas of the world in terms of education. I was lucky enough that they were able to bring me along. But instead of going to those countries, they said "Let's stop in Italy, leave our suitcases and then just go directly to the local police and file for asylum and refugee status." We did that in Rome back in the mid-'80s at this point. What was interesting is my parents spoke seven or eight languages apiece. So, French, Russian, German, and Portuguese, they spoke them fluently.
When they submitted the paperwork, they realized if I put in Bulgarian there were probably going to be a lot of refugees from Bulgaria. So let's just do it in French, German and maybe even Portuguese so that there's always a translator on the other side. They ended up putting us in a refugee camp initially.
There were some people there for six or seven years. We were fortunate enough that we were there for six months and then we came to the US. In some ways, they socially engineered the process.
Rachael: Well you do what you have to do to get it done because that's six years is a long time to be in a refugee camp.
Petko: We were fortunate enough to be there for six months, and came to the US, typical refugee process. You get sponsored by a family temporarily for about a couple of months and then afterward you're on your own. My parents donned jobs in the US, and I ended up getting all my formal education in the US.
I started almost all my education in the US and eventually got into technology.
Working in Software Development
Petko: Funny enough, math was very intuitive to me. So I went from majoring in mathematics to IT because I couldn't decide as most young 18, 19-year-olds, and 20-year-olds. I ended up working in software development where I was doing things like websites, then building software for Raytheon.
Then I ended up majoring in system engineering operations research, which is the original form of data science. Applying math to solve problems yet at a system level. For a couple of years, I worked at Raytheon building UAVs and designing, thinking about the system problem, how do we solve it?
Sometimes we tend to over-optimize one piece, not realizing that that creates a backlog somewhere else.
Then I spent about 10 to 15 years in the US government working across government, within government, and working with the private sector. I found myself leaving the government and working at McAfee for a couple of years with their public sector team and then Forcepoint as well. What's funny is, I feel like I came into cyber a little bit differently.
I know we've had so many guests on this podcast where there are some people that did medieval and now they're doing cyber.
So I came in from mathematics trying to figure out how do I build weapon systems or airplanes to saying, wait, we should protect these airplanes. We should protect these UAVs. Next, I'm doing cyber on an airplane or a data center in the sky and then saying, well we should probably do cyber security everywhere, not just on airplanes.
Rachael: You've sat on both sides then, you've sat on the government side and the private sector side. What would you say are the biggest differences that you've seen between the two?
Security Headlines: How the Government Looks at Risk
Petko: I think the government is always looking to solve a problem and then trying to figure out how to get funding for it. I would say the industry starts with the funding in mind and figuring out what can we do with this funding. It's a little bit more of an open-ended answer on the government side. The government looks at risk holistically, and at the same time, as an industry you're like, well we have this much, what can I do with it?
You start off with that and you get really creative on both sides.
Sometimes you come up with these crazy big ideas in the government. In the industry you start saying, let's focus on this because that's our biggest risk. I've got a saying, don't create a diamond without pressure. Sometimes depending on how you look at the pressure, you do create diamonds.
Rachael: It's an interesting metaphor. Do you think all this pressure over the years has gotten us to this point today where we're truly seeing a lot of action happening at the top? Biden executive order, SEC has new regulations coming online. Just there are new railroad regulations for security. It's just really interesting in the last couple of years, how much seems to be activated, and do you think that we're finally hitting that point where that pressure is making that diamond because we got to address it?
Petko: That's an interesting way to put that metaphor into cyber. When I look at the industry, for years, there's so much we've invested in cyber at the government level. Every government's done this.
They would build their capabilities of almost like just in case, just like the nuclear side of it, just in case. But what ends up happening is, if one thing gets out, that trickles out from the government to the crime groups to everyone else. So we're seeing reuse.
I think that cycle used to be shorter, it used to be a long cycle. Now it's a shorter cycle, meaning that it would take time. But now we're moving at a cyber speed where someone creates an exploit on a Tuesday.
Someone creates a patch on Tuesday, we're exploiting it on Tuesday before it would be exploited on Wednesday. Now we're doing the same day. What we're seeing is the speed at which some of this pressure or these tools we've developed over the years are just coming out a lot faster than they have in the past.
One thing that's exciting about the industry is we keep hearing the concept of shifting left. But shifting left is really about not just shifting left, but how we shift from left to right very quickly. We put security in, but at the same time, we want to make sure that we're applying them right. From code development all the way to deployment as quickly as possible. It should not take months to deploy, it should be weeks or hours.
Rachael: Agreed. I think this is a nice segue too because we were talking a little bit earlier about the global cybersecurity landscape today. There was a Washington Post article that quoted, Dmitri Alperovitch. We're big fans of his and he's been on the podcast a few times.
One of the Most Dangerous Times
Rachael: He suggests that we may be entering "One of the most dangerous times that we've had in the history of the cyber domain." Not only tensions with Russia and China, but it's so much more than that. Petko, how can you just peg it to two entities?
Petko: No, absolutely. I love Dmitri. It's been awesome to have him on the podcast, and we'll definitely look forward to having him more. One area that I struggle with is, just attribution. Being able to tell, is it Russia, is it China? Is it an outsider or an insider? Pretend to be an outsider and vice versa or an outsider pretending to be an insider. It gets harder and harder to tell if there is an insider threat or an outsider threat.
It's a lot easier to say, this came from China, or was it China inside of this university in the US, or was it a kid in the US in that university? It gets harder and harder over time and with the speed that we can do that with, we're not moving at cyber speed there. The investigations take a long time. But look at some of your questions about who's the biggest risk to the US. It almost feels like you're asking the question of who's the smartest and the most focused.
But if we look at some of the targeted attacks we've seen over the years if I had to rank them top 10, we can start talking about WannaCry. That was attributed to North Korea, eventually. NotPetya was attributed to Russia. Stuxnet was attributed to certain nations. You have the OPM hack that was believed to be from China.
[10:21] What’s Happening Outside in the Security Headlines
Petko: You have Sony, if you recall, which was believed to be North Korea. You have the Bangladesh Bank that was, they stole $80 million. That was also North Korea. I started thinking about all of those focuses. There's not one nation, it's just that we've got so many that are the nation. There are smart individuals in that nation that are doing it. It's harder and harder to tell.
But I think as service security professionals, we folks spend so much time focusing on what's happening outside. We really need to say what's happening in my culture, in my team, and in my network that I can control.
Rachael: Coming back to attribution, do we only say it's attributed to X country because we saw something in the code that's like a hallmark signature of a country? Does it necessarily mean that someone's not imitating them to deflect attribution? But how do we get ahead of that to where we actually know who's doing what? Do people raise their hands and that's the only way we're ever going to know truly who's doing what?
Petko: Well even if they raise their hands, they probably just won't take credit. But I have seen the amount of code reuse, just like developers, we go to GitHub, and they'll download something. We see the same thing in the cyber community industry and the cybercrime groups, that team that created it for X nation-state. He's like, well I can also sell it to these other guys. Let me just resell it again.
If I resell it, I now get paid two or three times more versus just paid once.
What Makes Attacks So Dangerous
Petko: I think there's a lot of reuse that we need to be aware of and that's what makes this so dangerous is when we see an attack in one part of the world. We should definitely be aware of how those attacks came, how they got in, and what they stole. Just from a threat analysis standpoint or threat awareness, knowing it was one country or another helps.
But eventually, you're going to get to a state where I think, I remember seeing Bank of Lloyds came out and said, "If it's a nation-state, we consider that an active war. We're not going to cover you for cyber insurance." So sometimes saying it's a country might actually backfire. But being aware of it, how it happened, where you're being diligent in your security practice, that's what we should be focusing on.
Rachael: It's interesting too that you keep reading, every time that there's a new hack or new incident, they always keep coming back to the recommendation. Just have good cyber hygiene, just that gets you, what, 90, 95% of the way there.
Petko: But what's hygiene, Rachael?
Rachael: Well, I guess the generic answer would be the patches. It’s making sure you're updating your software and patching and being diligent in keeping up with all of that. Is that not a correct answer?
Petko: I think patching's part of it, but having a gold image or a baseline security standard you're applying to your right OS, your servers, your desktops. Are you monitoring all of those? So I can patch all day long, but I have no idea what's happening. It's almost like IoT.
Security Headlines on IoT Devices
Petko: I buy these IoT devices, and I put them inside my network. But I don't have real visibility on them, I don't have visibility on the code. I'm not running anything on them. I might have some network traffic, but most likely 95% of it's encrypted.
Rachael: It's funny you mention IoT because we were just looking at some articles before we got on the call here. It looks like the US is looking at security labeling, like nutrition labels for IoT devices. But the US isn't the first one here. I was surprised to see that Singapore's been leading this charge for a while. Why Singapore?
Petko: You could argue its geographical location what we could assume. I can't tell you why Singapore itself. But I know Singapore, I think it was just a year or two years ago, they started doing this. They partnered up with Germany and Finland on this. If you buy an IoT device and they're going to let, which is really good about this, they're going to let consumers choose if they want security or not.
Imagine going to your local technology retailer if you do buy there or even Amazon and you would say I have this, let's use cameras as an example. It's certified as level two now. Just to go over the levels, Singapore's got levels one through level four, level one and two are like self-certification. Three and four are full-blown pen testing, making sure you haven't done any exploits in them. It's pretty impressive what they've done. It does feel like nutritional labels, at the same time, I think nutritional labels, how many of us actually read them?
Rachael: I do not.
Why You Should Look at the Nutrition Label
Petko: Rachael, you're health conscious, you probably read them all day long.
Rachael: I actually don't. I go with brands that I know have a certain reputation and then I just stick with that. But no, I should look at the nutrition label.
Petko: But what's funny is, I don't think nutritional labels simplified as much as even Singapore did this.
Rachael: They don't tell the whole story either necessarily.
Petko: I think having spent so much time with certifications and others, it's all about how you define the scope of that certification or that self-certification. Like level one do you have some baseline security requirements? That's what Singapore is doing. Level two is, are you applying life cycle requirements like patching, like others? Then level three, which needs a third party to validate is having full vulnerability analysis and software binary analysis. Level four is full-blown pen testing.
When you start looking through those, if you went to the store and said this is a level two, this is a level four, and next thing you're like, what's the price difference? The difference is maybe 10%. You're like, "Just go to higher security for 10%." If the price is double, you might say, "I don't know what am I really getting. I've heard of this brand before, let me just go with them." I'm really excited about what is coming down the path for security labels or cyber security levels for consumer devices.
Consumers will get to know influence is a security matter to them and hopefully our listeners, the answer is, yes.
Highly Vulnerable Products
Rachael: It looks like the US, this could roll out, I think under voluntary. So IoT companies with products that are deemed highly vulnerable like a router, like a home nest camera, let's say. Then it's voluntary for them to start putting these labels together. There's no label. I think it doesn't exist yet. There's a template that they're working on. I think 22 different entities have contributed to some thoughts on what this could look like. It's really interesting how fluid this is.
They're talking about wanting to roll it out next year.
Petko: So they make it voluntary in the spring of next year, 2023. My understanding of it is, it's going to have not just a security focus. Meaning, when were the last updates, and what access control do you have on it? But what are the data privacy practices? Are there things that the data's collecting on you? Where it's being stored, I think this could be huge, not just for cyber, but data privacy in general.
Rachael: No. That's a good point because there's a lot more happening on that front that we have to absolutely keep an eye on. I did want to say one more thing about Singapore though as well because we keep hearing so much about healthcare attacks. Healthcare, ransomware, and Singapore, I guess, because they've been ahead of the curve on this, have expanded their security labeling. They start to include healthcare products, which I think is actually critical, maybe more so than IoT devices.
I guess a lot of those are IoT devices. But what's your perspective there? Because it’s healthcare, we need to do a lot there.
[18:00] Security Headlines Featuring the Healthcare Industry
Petko: The healthcare industry is interesting. Let's say your blood pressure or your robotic arm is in the operating room. Do you think the healthcare industry or the hospital buys them? In a lot of cases, they're actually leasing them. They're leasing them just because they want to get updates, they want to get everything. But when you're leasing something, you are limited by how many updates you can do to it.
You can't really install something on it.
Can you imagine, some of the security that was applied to healthcare, originally designed for the healthcare system? We never assumed to be connected to a network with the internet. What we assumed is it'd be one computer connected to this robot that's doing surgery. For convenience, they said we need to have it remotely accessible in case the power goes down or something else. All of a sudden, now the practices they use for the protocols have become not your standard practices.
It might be something as dangerous as, let's just ping it. Next thing, the arm opens up or you ping it and blood pressure starts pumping. Blood starts pumping. I think that was years ago. Of course, it's not like that anymore. I hope not. But if you think about the IoT or a security mindset of just healthcare technology like this, I'd love to see this in healthcare and others. That's such a major attack vector. It is such a difficult problem to solve because of those third-party risks right there. We talked about the assets that you don't own, that are in your network.
The Devices in Our Houses
Petko: You and I were talking about earlier how many devices we own in our house. Well, do we know what's on it? Do we know what it's doing? We just plugged it in, put it behind our firewall, and said, okay, I trust you. I think I look forward to these labels starting to influence our buying decision because that's how we're going to make security mainstream. That's how we make data privacy mainstream because the consumer's going to be aware of, "oh this does X."
Rachael: It'll be eye-opening too. Particularly if the labels start coming out and you're looking at what you currently own and where it falls on that one-to-four scale as well. It could inspire a lot of people to make a lot of changes in their homes.
Petko: I have a friend of mine who refuses to buy things unless they're made in certain countries. He goes out of his way to go open source, out of his way to email the manufacturer, where is this motor made? Where is this little mode of my desk made, before he even buys a desk? He'll pay two or three times more just because he wants to make sure it's not just protected from a security standpoint, but it's been sourced accordingly. Because he wants to make sure his money is going to countries and nations that he supports. That's a personal choice. It's not always the cheapest.
Rachael: No, it isn't. Now that we're talking about it, I'm laughing because, at my house, I have the Arlo security cameras. I've got the Furbo connected to my network. This is watching my dogs.
Petko: What's Furbo? I'm picturing some type of stuff to the animal for some reason.
Rachael: It's a camera with two-way audio. When I'm away from my house, I can see what my dogs are doing, but I can also talk to them. Like "Hey, get out of the trash can" or I can send them treats. I like to watch it when I'm driving home, which is completely not safe, I admit that looking at my camera while I'm driving. I love to see at what point they realize that I'm coming down the street.
But that's highly vulnerable. But yet, I don't feel comfortable having a voice assistant like an Alexa in the house. Heaven forbid that thing's always listening to me. But yet I'll have all these other things that have the audio, that have the camera but not the Alexa. Just now I'm thinking that just sounds hilarious, actually.
Petko: So you trust Arlo and this thing called Furbo more than Alexa.
Rachael: Yes. Now that I say it out loud, it sounds a little crazy, actually.
Petko: I'm just thinking about your dogs, how they're trying to figure out, this thing gives them treats. I would not be surprised if they went in there and said, let me just get the food out of it completely and they hacked your Furbo.
Rachael: I have two dachshunds and an Australian shepherd, and the dachshunds have figured out how to. I think, one stands up on the other and they help each other access the Furbo and knock it over for the treats.
Petko: One stands on top of the other dog?
Security Headlines: Hacking the IoT Devices
Rachael: That's the only thing I can think of how they would do it. There's no way otherwise for them to get in on this table.
Petko: I need a video of this.
Rachael: I need another Furbo, so I can watch what they're doing with the Furbo.
Petko: Or just use another Arlo on the other side. This has been the most interesting thing about how your dogs are really hacking this IoT device in your house to get treats out of it.
Rachael: See there's motivation. That's the thing. Hackers are motivated people and they're going after some kind of gold mine for them. So there you go. Anyone could be a hacker, I think, is what we're finding.
Petko: Not anyone, but anything.
Rachael: Anything. Exactly. I would love for us to end our conversation with two final questions. So the first one I think you had suggested, which I really liked was a top five list in priority order. If you were to give our listeners a top five list for how to assess security labels as they start coming online, what would be your top five suggestions?
Petko: Oh, security labels they come online. I almost want to say we've got to wait and see what the labels say. I'll use the example of organic. We see something that's organic, you're like, is it really organic? One of the examples I think was that you have organic that's vegetarian and organic, but I'm like, it's chicken. It should be eating worms. Yet, it's vegetarian-organic. We overthink, so I'd love to see what the labels say themselves.
I'm going to hold off making any kind of list.
What Consumers Should Do to Protect Themselves
Petko: On the organic, or not organic, but any type of labeling because we got to see what happens with it. How many of them in the spring of 2023 actually come out and say that they're doing security? There’s one question I do get over and over again during my travels, which I might flip a little bit here for you. It’s, what should a consumer be doing at home to protect themselves?
I was just recently in Australia and on the airplane, someone asked me, "All these attacks that we're seeing," and there were some major attacks in Australia recently. That would just change the landscape for them. What has become a conversation on airplanes and there, I say, "What should we be doing as consumers?"
My first question is, "Well, you can't control the security of some of these companies you do. But there are things you could do to ensure you're protected."
I'll ask the question, "How much is any kind of password reuse? Do you reuse the same password across you," everyone. I guarantee you almost all of us have at some point incremented a number or a letter or something on the password just to keep it simple. But the number one thing that we need to be doing is honestly just driving for a unique password for every single service that we have.
Things like password managers are just great tools. LastPass and other solutions like that are so easy to use. They'll identify that there's a breach in your email and notify you should go change your password. In addition, you just make unique passwords, and they'll notify you.
[26:15] Two-Factor Authentication
Petko: Then the second thing is we definitely need to be, in some cases, the two-factor. We should be implementing some type of two-factor beyond just email. Most of us are being forced to do it by the banks and others. But if there's an opportunity where you're not being forced, you should always say, yes. That way, you can save the best practices, and you've done your due diligence. Those are such simple things.
Now, I know some friends of mine who take that two-factor and password managers that are unique to another degree. They'll create a separate email address for every single service.
They'll use something like Gmail. In Gmail, you can do a plus notation where you can say your name and your email, and then you add the word plus Netflix. So only Netflix uses that. If you see that email address somewhere else, maybe there was a breach, not saying Netflix had a breach, but they do that per service. One might be for your internet provider.
They do this on purpose to see if that email's being shared.
Rachael: Genius. How did I not know about this?
Petko: We'll have a training session after the podcast.
Rachael: As Eric used to observe, I have reluctantly gotten on the two-factor train. Some vendors make you do it. Like USAA, I believe they forced me into it, which I'm glad they did because it is important to have. But man, sometimes it is just that extra step, just want to do what you want to do. Final question, the bonus round. What book or books are you reading right now?
Retraining Your Brain
Rachael: I'll volunteer for that. I just got a book on neuroscience on retraining your brain, which I'm very excited to read. His name's Dr. Amen. If anyone's heard of him, I discovered him on TikTok. As everyone knows, I'm new to TikTok and I get a really interesting selection of things in my feed.
Petko: Can only imagine with, I don't have TikTok or Facebook or anything.
Rachael: It's a great way to lose a lot of time, for sure, on TikTok. I don't really do Facebook so much, but TikTok figures you out pretty quickly and then just serves it up.
Petko: I will start off by saying, I'm looking at my Kindle and I have one of the ones I recently was reading about taxes. That sounds boring, I know. Living in the United States, you start realizing taxes are something you need to focus on and understand. When I'm not reading books on taxes, I am reading things like James Clear on Atomic Habits and just things about your health and everything. I'm obsessed with my health, so I tend to focus on a lot of that.
Without being specific on the books, I've got some regarding health, age, just owning the day, and owning your life.
Rachael: There's a lot of people that are thinking that way today, too. I mean it’s just taking a step back and how we live healthier and happier all those things. It's wonderful. You were telling me about a really great practice that you're into. I hope, you don't mind me bringing this up, but I do read a lot about the benefits of meditation and yoga.
Security Headlines on Neuroscience
Rachael: Even just a few minutes a day, part of this neuroscience book I'm reading, can do so much for your thinking on that day. I think that's wonderful.
Petko: In the book, Seven Habits, there's this concept of sharpening the saw. If you do that every morning, you're sharpening your saw, your focus. Most days, I try to spend my morning honestly just, I'll wake up before the kids and the wife and everything, I will go downstairs in the basement, and I'll do some stretching and some yoga. It sounds very simple, but for some reason, I just guess being in the right mindset where the rest of the day is just clear. It's more focused versus oh my gosh, I got 300 emails I have to respond to.
You just get into the state of letting me just take care of things one at a time. It's calming more than anything else. I tend to do about four to five days out of the week. Weekends are a little harder. But for days where I do, I notice the next day or two is so much easier. For days I don't, I got to get back into it because I can feel a difference.
Rachael: Isn't it amazing?
Petko: Rachael, I think it was all because of COVID, honestly, would always be at home constantly. I used to use my commute to work as my focus time. Now, that's gone. I have to now find my own habits and my own atomic habits that make small changes throughout life.
Rachael: That's a really good point. You're on the east coast so it probably was quite a commute to get to where you were going.
Setting Your Mindset
Rachael: That 30 minutes in the car can make a lot of difference just to set your mindset for the day. While you're not road-raging, at least, I say that from my perspective.
Petko: Mine's 30 to 45 minutes, and I just treat it as a calm morning.
Rachael: Well come drive in Austin for your morning commute and maybe not so calm.
Petko: I'm in the DC Area. I need to say how interesting your traffic is. Between the construction and the roads constantly changing, you seriously have to pay attention because signs will shift overnight.
Rachael: I hate driving in that area because of that reason. My GPS is never accurate. I’m excited about the road ahead on the podcast. I think we are going to have so much fun. I'm excited about all the guests that we have coming up in the next few weeks. We've got a great lineup of folks, and I think our listeners are going to really enjoy these conversations. So welcome to the podcast officially.
Petko: Thank you, Rachael. Looking forward to it.
Rachael: To all our listeners out there, thanks again for joining us this week. If you haven't yet, just tiptoe to the subscription button. Smash it so you can get a fresh episode every Tuesday in your email inbox. Until next time, everybody, be safe.