Alissa Knight talks API security, formjacking and hacking | Cyber Work Podcast


(upbeat music)

– Welcome to another episode of the Cyber Work with Infosec Podcast. Each week I sit down with a different industry thought leader to discuss the latest cyber security trends, and how those trends are affecting the work of infosec professionals, as well as tips for those trying to break in or move up the ladder in the cyber security industry. Today we have a repeat guest on today’s show. Alissa Knight is the senior analyst at Aite Group, an independent research and advisory firm focused on business, technology and regulatory issues, and their impact on the financial services industry. And I daresay she’s been one of our most popular guests to date.

– Yes.

– She led with a hell of a story about her days in high school and a certain government organization escorting her off campus. So if you get a chance, listen to that, the previous episode as well, it’s amazing.

– It was fun, it was fun. I like how you introduced me as a repeat guest. I’m kind of like, I always like to say I have this effect on people, where I infect them. I call it the bubonic Ali.

– Oh yeah.

– So I’ve definitely infected you guys. You guys can’t get enough. Got the Ali fever.

– Alissa is our favorite guest, she will be on again and again.

– Yes, this time it’s happy hour, we’re doing a happy hour interview.

– We’re going full happy hour.

– Salute to all the listeners.

– Salute, I wish I could join you. Today we’re gonna talk about API security, the Magecart hacking group, some recent breaches that should be on your radar and the concept of formjacking skimmers, as well as Alissa’s upcoming book. So let me tell you about it. Alissa Knight is the senior analyst with Aite Group where she performs focused research into cybersecurity issues impacting the financial services, healthcare and fintech industries through the assessment of sector trends, creation of segment taxonomies, market sizing, preparation of forecasts and developing industry models. We gave a little sneak preview on this last time, but Alissa is in fact the author of “Hacking Connected Cars: Tactics, Techniques and Procedures”, which is out on paperback on October 8th from Wiley. Alissa, thank you and welcome back, and cheers.

– Thank you Chris, cheers, salute. Actually while you were reading my bio I’m like, damn, I really need to change that bio, I really need to update it. That was literally a copy and paste from a job description for an industry analyst. So for the viewers, just so you guys know, basically I’m a content creator, that’s basically what it comes down to. I am a content creator and I’m an influencer, so basically if a content creator, a content marketer and an industry analyst, and a hacker, the three people were to have a baby, not that that would be even possible.

– Three-person baby, sure, I’m following.

– You’re following, if they were to have a baby, all three of these people, I would be the product of that, so I’m basically a hacker meets content creator, meets industry analyst. So that’s what I am, basically I create content, in video, audio and written.

– Meets new author. So what’s been happening since you were last on the show? When we last spoke you were talking about hacking connected cars, and again, a very fascinating episode. And the book you wrote on the topic, but it sounds like the book is almost about to be released, and it sounds like you might also have some big news to announce as well?

– Oh yeah, there’s a lot of it. So I don’t even know where to start. So in my personal life, I’m moving to Las Vegas. I fell in love–

– Is it the hotbed of cyber security?

– Yeah.

– I guess it would be.

– It’s funny, actually we met at Black Hat briefings, if you believe it, so I bet no one out there thought Black Hat briefings could actually be a dating site, but we met, I fell in love and I’m moving to Vegas. So other than the personal stuff, professionally a lot’s been happening as well. I’d like to announce I got a new book contract with Wiley, I’m actually gonna be authoring
a new series of books.

– Okay. I’ve been doing quite a lot of–

– Can you tell us what they are about?

– Yeah, so hacking API, hacking and securing APIs. That’s a prevalent, pervasive issue right now, it’s a contemporary issue that people care about. Keeping CSOs up at night, that’s what I like to keep my research on, is anything that people care about now, not what they cared about 10 years ago. Containers and container security, hacking containers and securing containers, which is really cool, a lot of issues around Docker security, AWS security, S3 bucket security. There is that. Gosh, what else? I finished the copy edit on my books like you mentioned, so the “Hacking Connected Cars” book will be out I believe in October just like you said. So copy edit is done and starting on the new book. So a lot of exciting stuff, today also the embargo was lifted on the Arxan In Plain Sight II series, so this is a follow-on to the first report where I hacked those 30 financial services mobile apps. This is a new report focusing on e-commerce sites that have been formjacked or hijacked by Magecart groups stealing credit card data. So that got lifted this morning, that report’s come out, I discovered 80 sites that were breached by Magecart, worked with the FBI in the take down of those and the report is out. So things are good, things are good.

– Let’s put a pin in that and jump back to what you were talking about. When we recorded back in May you told me you were, and you just said it again, you were on a 10 country world tour documenting 30 financial services mobile apps in which you discovered vulnerabilities, so how did that go, how were your discoveries and remedies received?

– It’s still going. It’s funny, I just got off a podcast of my own with the Arxan team, and I was just analyzing this, hindsight is always 20/20 vision. And I was just pulling this apart. When we walked into it and we came out, we were like, oh yeah, these are some awesome vulnerability findings, we’ve got SQL injection here, we got some other insecure logging. It’s funny, it took on a life of its own. After the research and after speaking at different conferences the emphasis started to change, the narrative started to change. It started to change to API issues, there were hard coded API keys and API tokens in 29 out of 30 apps. And so the narrative really started to change, not that those other vulnerabilities weren’t important, not that those other vulnerabilities weren’t bad, it was just that there was all this emphasis on API security right now, and you have these major banks, major banks where they were hard coding API access keys and tokens and credentials in these mobile apps. And so it was really interesting to me as a researcher to see this narrative change midstream, mid-flight. Where when I was speaking at conferences it started to become less about the other vulnerabilities and more about the API issues. So I ended up on, and you ask a great question, how did it go, it’s actually still going. I’m heading to Tokyo, I’m heading to Singapore, heading to Singapore and also Germany to discuss the findings, and I’m actually starting to change the presentation, so every single conference I speak at I do a different version of the presentation. But the remaining conferences for the rest of the year I’m actually gonna be doing it live on stage. So I’m gonna take an actual bank app and I’m gonna reverse engineer it on stage and then I’m gonna show the findings live. I still haven’t figured out how to actually mask the name yet.

– Oh yeah okay, that’s important.

– So I’m working on that, I’m working out those logistics. But Germany in Frankfurt, the global CIO banking summit will be where I will be doing that live on stage for the first time.

– I’m assuming this is not online to the public, this is something that is invite only. If our listeners want to, okay fair enough.

– I think it’s an invite only event, I think.

– Fair enough. So basically you’re saying, you came to these presentations, you’re like hey, I hacked these financial service apps, and they’re like, never mind that, what about API security, that was kind of what their reaction was or?

– Exactly. It was like the other stuff is kind of cool, SQL injection blah, blah, blah, all that stuff is bad. But let’s talk about those API findings. And it somehow brought me over to API World and brought me over to API Days. And it is, it’s like people are trying to figure out how to secure their APIs. And it was really interesting for me as an outcome from this research where I started to reach out to some of the app developers for these banks, and we are not talking about small community banks, your listeners might be thinking these were small community banks, these were small credit unions. No, these were billions in assets under management. These were really, really large banks. So it was real interesting because I talked to some of these developers and reached out to them and I found out that a lot of these large banks actually outsourced the development of their mobile apps. So the interesting thing to me is that I found out that the marketing department considers, a lot of these financial institutions consider the mobile app to be a function of marketing, because they consider it to be like their website. And a lot of times, and a lot of these instances and cases the security team was not involved in doing a pen test of the mobile app, they weren’t involved in doing any sort of static or dynamic code analysis, the marketing department basically outsourced this development. Cyber security was not involved in this project. Once the app was done they requested an API key for the app and the bank was none the wiser, they had no idea that these keys were being hard-coded in the apps. So it was a very endemic issue across all the apps, and the one bank that was the most hardened that I didn’t really find anything with was a bank in Europe, it was a European bank. So we definitely have a ways to go as far as maturity is concerned. Financial institutions, a lot of people will tell me, yeah, they’re further along in their maturity of their cyber security program, not necessarily, especially from the empirical data of my research.

– So let’s talk about API security and the Magecart group and formjacking as a tool of choice, but before that let’s start at the ground floor, give us an elevator pitch on what API security is and what some of the most common API vulnerabilities are?

– Sure. So API security is simply, I like to use the analogy, it’s like an electrical socket in your house. You have API consumers, you have API producers, the people that are providing the data, these are the financial institutions in this case. The electrical socket is analogous to the API, so the API is like an electrical socket, it doesn’t matter what you connect to it, you could connect your hairdryer, you can charge your iPhone, the electrical socket doesn’t care. The company on the back end, the electrical company on the back end doesn’t care what you’re plugging into it either. It’s producing this data through this electrical socket. Sorry, it’s provisioning the service through the electrical socket, which is electricity. APIs are very much the same thing, it doesn’t matter what you are tying to it, it could be a mobile app, it could be a car, cars connect and communicate with APIs. And you have the backend, which is the provider of the data, the API provider is provisioning this data. So that’s really a quick elevator pitch on what an API is. Securing APIs is a different story. A lot of companies are making the mistake of putting a WAF in front of it and treating it like a website. But that’s not really the case, APIs are not a website. Yes, they speak HTTP, they speak HTTPS, they speak the same protocol that a website would, but you can’t secure it like you would secure a website, because you’re not really looking for things like a SQL injection attack. You’re looking for things like, I am providing this API access key, even though it’s valid, should I be getting that data? I have this API key and I’m presenting it to you through a Postman request, but does that necessarily mean that just because I have a key I should see that? So it addresses the authentication and authorization issues and you need a security solution to do that. So I’m actually looking at API security solutions like the Forum Systems of the world, the 42Crunches of the world. And looking at these solutions because companies aren’t securing APIs in the proper way, which is why they’re
still getting breached. So if you have an API access key it’s like the password. So I found these API access keys hard-coded in these mobile apps, it’s like having the password to the backend system. It’s crazy.

– It’s like putting the Post-it note with the password on the front door of your building or something.

– These companies have no control, once these apps are published to the app marketplaces I can sit there and tear apart this mobile app in the comfort of my own home without worrying about the bank’s network intrusion detection system, or host IDS, or anything regarding timing, I can take my time, I can pull this mobile app apart, and it doesn’t matter, no one’s looking at me, nobody’s watching me until I get the data that I need in order to actually launch my attack. So it’s an interesting attack surface.

– It is, and I was gonna say, it feels almost like the old movies where the terrorists are going after the infrastructure, they’re going after the Hoover Dam or something like that, you’re hitting utilities in a way. So is this a new enough issue that these organizations are off the hook for not knowing to do it, or should they have known better? How sort of (mumbles).

– That’s a good question. I always say you should have known better, but that’s just me, I’m kinda a cynical ass. Sorry, am I allowed to swear on the show?

– Oh sure.

– Sorry, bleep. So I’m kind of cynical in that way, you should have always known. But at the same time, it’s the story of my life. I’ve been working in this industry for 20 years now and vulnerabilities always reappear in a different form. It’s like history repeats itself in cyber security for sure.

– There’s patterns I would imagine?

– Yeah, I see the same problems as far as insecure code development and everything from 20 years ago just reappearing every few years. Maybe it’s because developers are coming out of school and they haven’t really been exposed to security development yet. Whatever it is, but vulnerabilities reappear. Just like buffer overflows reappear, hard coding credentials in source code reappears. It doesn’t matter, it’s just a game of leapfrog, every time we make a leap forward, hackers make two leaps forward, and it’s just this game of catch up.

– Of course, that’s always the case. So you mentioned a little bit about it, but what are your primary recommendations for securing APIs right now?

– I would definitely recommend that organizations consider API management and API security to be two separate things. Now this is a religious debate. Because I’ve decoupled, moving my mic here, sorry, I’ve decoupled the technologies. There are certain analyst firms that want to consider the API management space to be all-encompassing, to include the API security gateways of the world. I think that’s wrong, I don’t think that security should be a feature of a management product. So you have these API management companies that have included API security capabilities as a feature, as an add-on, whereas these companies like Forum Systems or 42Crunch, these companies have built their technologies from the ground up to address API security threats. So my recommendation to CISOs and buyers out there is yes, have your API management solution, but also look at investing in an API security product. It’s kind of like the old TV/VCR combos, if anyone remembers those. When your VCR broke all you had was a TV, if your TV broke all you had was a VCR, and then because it was attached you couldn’t really do anything if your TV broke. I see API management solutions with security functionality as being those TV/VCR combos that should have never happened.

– I see. So is there a resistance to this because of the usual I don’t want to spend more money on another service, or what do you think the friction point is?

– No, I don’t think it’s a budget issue, I think it’s a lack of education. One of the things that I’m doing as a content creator and influencer is to really influence the market and help guide decision-making. And really help form that narrative. And the narrative that I’m addressing right now is the fact that the API management solutions, the API gateways out there are trying to set the narrative that you don’t need a security solution. Now, I will give credit to some of the folks for connecting us into Ping Identity, that connect us in with Okta, those are great setups, those are great ways to architect it, but understand that I think what’s happening is that just the market needs to be educated on the fact that you have API management and you have API security and those are definitely mutually exclusive. In my mind I think those things need to be two completely separate things and they need to go together.

– So I guess moving on from that and expanding on that a little bit, I’m assuming we haven’t covered the entire topic yet, but can we talk about the lifted non-embargoed report that came out today?

– Yeah, so I’m glad you want to talk about that. So it’s very interesting research, this is part two as a follow-on to the first In Plain Sight series paper oriented on the mobile apps that we talked about.

– Are these papers available to the general public?

– Yeah, so if they go to Arxan, www.A-R-X-A-N.com, you can actually download the report. I don’t know if part two has been published yet, I know the embargo has been lifted on the news coverage of it.

– The news folks have it anyway, but it will filter down eventually.

– Probably about a week I would imagine, if it’s not today.

– It’s gonna be up by the time we get this up.

– Yeah, so if you head over to Arxan.com you can download it. So what part two is about is we have moved from the mobile attack surface to the web attack surface. So when you go to check out, let’s say you go to Amazon and you buy something and you check out, there are these groups called Magecart groups, now people mistakenly refer to Magecart as a single group or a tool.

– That’s what I was imagining.

– Magecart is an umbrella term for a set of groups who are focused on stealing credit card data from e-commerce sites. There is currently tracking of seven completely separate groups, one of the intelligence research firms has collapsed one of them, so there’s six. There is of course more, but there’s six major ones this intel firm is actually tracking. So what Magecart is, is it’s a group that has implemented an attack kit, a malicious JavaScript that’s been embedded into an e-commerce site. So if you’re going to, for example, www.shoes.com and you want to buy some shoes, they’ll compromise that site, typically running Magento, thus the name Magecart.

– Ah, there you go.

– There is a correlation.

– Now I got it, I always wondered.

– And the site will be running a vulnerable version of Magento, and they will breach it, and once they have a shell on a site they will inject malicious JavaScript into the checkout form and paste it in there, and as soon as someone goes to the site, puts in their credit card data, the credit card information is sent to the Magecart controlled server, the collection server, and it’s also processed, so if Chris Sienko is buying a pair of kicks your order will be processed, but a keystroke logger or the formjacking code will send your data to a third party site under their control. So you will be none the wiser, you’ll have no idea that you’ve just been skimmed.

– That was one of my questions.

– A digital skimmer.

– This is an electronic skimmer, it’s like ATM skimming, but electronically. So I guess that brings up a worrying question, is there a way for users to be able to tell that the site they’re on has been formjacked, or is this one of those problems that’s so deeply embedded that you can only address it at a structural level?

– The thing is that I think the Alissa Knights of the world will be able to, meaning that John Doe or Jane Doe on Main Street isn’t gonna go to shoes.com, right click on the site and say inspect source. You can see the malicious JavaScript in the source code in the DOM, which is referred to as the DOM in the browser because the JavaScript executes on the browser side, it does not execute of course on the server side, it’s executing in the browser. So if you right click and view the source you can actually inspect it and see the code, and it’s typically obfuscated. The average Joe consumer isn’t gonna see this, or if they do see it they’re not gonna know what it is because it’s obfuscated. So the answer to your question is yes, you can see it if you look for it, but you need to know what you’re looking for. So that’s why this is such a successful attack. Just like if you were at the gas pump, if the person does a good enough job they can hide that card skimmer at the gas pump. They did a really crappy job and it’s hanging off the side.
go in for whatever. – You can tell. – So I guess that brings up two questions, what is our expectation of what
our due diligence should be as online users, consumers, whatever, you said Joe average isn’t
necessarily gonna know to look for this or isn’t
gonna know what they’re seeing, but should they know, is that
something we should be asking, and second, would there be possible to say, here’s a website, here’s what
malicious code looks like, look at it or do a comparison thing with the code, and then I
guess the third thing is, are we gonna have to spend
the rest of our lives looking at every single
retail site we look at and examining the source code before we put our digits in? – I have a very funny response to that, I actually blame everybody. I’m not someone who
selectively claims people. I think everyone is at fault. – All of you at fault,
every last one of you. – You’re all at fault, the vendors, the security vendors, the e-commerce operators, the consumers, we’re all at fault. It’s funny, I really pass
this blame onto the consumer, because it doesn’t make
sense to put the onus on the route consumer to right click and inspect the source
code before the checkout. But we should always be vigilant, we live in a very exciting time, but at the same time
with this connectivity it introduces a vulnerability with us as consumers, either in connected
cars or shopping online. It introduces a vulnerability and we should all be responsible for our own vulnerabilities. However, having said that, I put a lot of blame on the vendors and the e-commerce site operators. This is a very simple fix, there’s a security control called in app se urity protection where the site operators
can actually obfuscate their site code with this technology. And it doesn’t interrupt
the dev ops process, the companies can actually, the e-commerce site operators can basically mouse click and
apply this code obfuscation and they’re up and running. It’s obfuscated, the Magecart
group can’t do anything with the code because they
can’t make sense of it and then move on to the next site. So I blame the site operators, the other interesting thing is in this research in visiting these sites my EDR solution, my virus
solution didn’t see it. So even though there was this malicious JavaScript in the browser that’s appearing in the Dom, I don’t know, I feel like either Internet Explorer, Chrome or Edge or whatever
needs to be doing a better job. I talked with Deborah over at Arxan, she’s the head of marketing. And Deb mentioned, she visited all 80 sites and only three of the sites yelled at her about it being
potentially malicious. Three out of 80. So I think there’s enough
blame to go around, I think we blame everybody. – Okay, you heard it here first man, everyone did it wrong. – Alissa is such a bitch,
she just blames everyone. – No, but I think that’s worth noting because once you feel
like you’re off the hook you relax a little bit, you don’t keep your vigilance on. – No you can’t be complacent, even consumers. – So we talked about
them in a cyclical way, but let’s really get into
these Magecart hacking groups. So contrary to what I thought they are not a centralized group but it’s a classification of multiple hacking
groups that are out there. – Yes, I educated you. – You did man.
– I love educating. – I’m learning every second here. How long have they been around, apart from formjacking what types of attacks are they best known for? – That’s a good question, they’ve been around for a while. It’s in my report,
you’re testing my memory. I want to say 2010 maybe. Mid 2000. I could be totally wrong,
which happens quite often. The attacks that they’re known for are definitely going after
Magecart driven sites, CMS platforms. It’s not the CMS that
you need to worry about, it’s all the plug-ins kind of thing, but there are definitely a lot of vulnerabilities in Magento, so site operators need to
keep their Magento’s upgraded. Stay on top of that patch and vulnerability management strategy, make sure that when a new
version of Magento comes out, or Shopify, that you upgrade. They’re known for exploiting Magento and other CMS platforms. Or it could be WordPress,
they could go after WordPress, it doesn’t matter. If the e-commerce site is running a CMS and it’s vulnerable to something, or if they’re not running CMS, I’m sure there’s a
Magecart group out there that goes after everything, and doesn’t care if it’s Magento or not, but surely they have, a key chain so to speak
of exploits for Magento that they like to use. – You mentioned that one of
them was collapsed recently, are there particular
strategies in place to try and? I realize this is squashing
cockroaches or whatever. – Playing Whack-a-Mole. – Whack-a-Mole, exactly, but are there particular strategies for tracking these organizations down, or do they catch them by
accident or what’s going on? – I think the way that
they’re doing it is, is tracking them based on
their tactics and techniques. So if you think of tools, if you see repeating patterns and beaches where they’re using the same malicious JavaScript, that’s an identifier. So I’m sure if you drill down into it and get in the weeds, they’re even tracking
the individual actors that are members of the groups, but ideally its categorization
of the Magecart groups based on the specific tools that they use, or malicious JavaScript that
they use when they formjack. – It sounds also you mentioned
that it seems like it’s a fairly easy fix to obfuscate your site’s code and whatever, is this another thing
like the connected cars where a $1 USB thing or whatever, a firewall can solve the problem and it’s just not being done, because either people don’t know about it or they don’t feel like it. – I think it falls into that category of this is a stupid problem to have. Because if you look at the
Arxan solution for example, it’s really easy to apply it, it’s literally on Linux,
it’s a period slash command, and it’s so easy to apply, and you don’t have to install
anything special on the server to read it. It’s just really simple. So I think that’s really what perplexes me about the whole thing, is man, this is so quick and easy to apply and it doesn’t interrupt
the dev ops process. Developers don’t have to
wrack their brain over it. Once it’s done, you just go
in there and period slash it, so why isn’t it being done. So the answer to your question is yeah, this is one of those categories
of stupid problems to have, it’s so easy to fix and
people aren’t doing it. – Interesting. So moving onto that, a couple of things here, but one, would it be possible, I guess if you right click
and you couldn’t find, if you couldn’t see the code, or whatever is that another sort of tell, if you look at a site you’re
about to buy shoes from and you can’t see the code, is that the goods sign
that they put something that obfuscates it in there, and should there be a list of sites that have got it together? – So that’s a good question. So it will look like gibberish. Literally you will not see
anything that makes sense. It’s very much at a combination
of white box encryption. And anything about the Arxan solution, God this is turning into
a commercial for Arxan, and I apologize to the listeners. But I don’t own any stock in Arxan and I do not work for
them, they are a vendor. I am an independent third party. – Alissa, this is an ad for
Infosec and don’t you forget it. – I forgot about that, everybody go sign up for your training. So the thing about it is that, with Arxan it has this ability
to actually kill the browser. So not only can you
obfuscate the code with it, but they have the ability to actually implement tamper detection and kill the browser of the offender. It’s real interesting, real interesting technology. So I definitely urge people
to take a look at it. – Wow, so if you are working for one of these retail sites or
whatever and you suspect the dev ops team or
the security department is not utilizing this, is this something that you
could bring to leadership and say this quick fix needs to happen? – Yeah, and it literally takes, God, it’s a few seconds, just period slash and run that command on it. It automatically will obfuscate the code, whether it’s a mobile app or a web app. And you don’t have to
worry about anything else, it just does the rest. And so yeah, request that
budget and go pick up a copy, it’s cool stuff. – So you want to talk about
your upcoming book a little bit? – Yes. – Do it. – So new book coming out from
the Alissa Knight library, #KnightWriter. – I was gonna ask you about that later, we’ll get to that too. – Last week tonight, #KnightWriter. I love that guy John Oliver. Anyway, so yeah I’m writing a new book. So the “Hacking Connected Cars” is available on preorder
on Amazon right now, so pick up your copy. And a new book, I think the dust hasn’t
really settled on the title or table of contents, I’m actually in the process of outlining the book at the moment, but Wiley has picked it up again and I guess they just have been
infected by the bubonic Ali, they’ve got Ali fever,
they want another book. So I’m writing a new book on
hacking and securing APIs. And I’m gonna start writing. The last book took two years, I don’t want to spent
two years on this book. My plan is to– – Your learning curve
should cut it in half maybe? – Well it was my first book, I had no idea what I was doing. I had no idea how much work it took. So for all of you out there
who want to write a book, it’s hard, if you think you’re gonna
kick out one chapter a week while working a full-time job. – No. – I’m slapping you back into reality. It’s tough, it’s tough. So I’m gonna start the outline, gonna start writing out the outline and everything will go from there. I’m excited, because I don’t think there is really much out there on this, it’s a pervasive issue and there’s really not much known about
properly securing APIs. – So let’s jump back to “Connected Cars”. What sort of readers are you imagining who would be interested in this, what can we expect out of the book? – You know it’s interesting, so for “Hacking Connected Cars”, definitely the OEMs who
were making components, because a lot of people don’t understand. If you buy a Mercedes all those parts aren’t
coming from Mercedes. Mercedes didn’t build every single part. An automobile manufacturer is seriously assembling Lego blocks, these technologies from
all these different OEMs. The head unit is from someone, the TCU is from someone, the ECU is from someone. And it’s everyone’s parts assembled by one organization and that’s your car. – So we’re getting into supply
chain security here as well. – Yeah, this is supply chain security, this is the automakers
making sure that the OEMs are doing pen testing, they’re
doing their due diligence. And those requirements
are appearing in RFPs. So the readers are going
to be the automakers it’s gonna be the OEMs, it’s gonna be all of these kind of things, we’ve got these new start-ups
that are coming up in the connected car space
that are making the EVs, and it’s cool. So these are the readers of the book, these are the people that are involved in
automobile mechatronics, that are involved in people who are in charge of securing cars, what was it, 56% or something of the cars on the road by
2020 will be autonomous? So this is where things
are going, it’s happening, this is a thing, so really anyone. And maybe even drivers, maybe consumers, when you go out there you want to be educated on the
tech surface to your car. I can remotely move the steering wheel, push the brakes, push the
gas on a connected car given the right vulnerabilities. You need to know about this, you’re driving around with
your family in the vehicle. You need to know about this, and when you’re shopping for a car it’s not about asking
about the type of leather or the size of the engine
or how fast it can go, it should be IT risk management related issues and questions. Does this thing have an ECU firewall? Is the head unit able to
transmit to the CAN bus? All these things are important questions. – How about readers who might be just interested in cool hacks, like penetration testers,
people who do capture the flag, is that interesting in that regard? – Yes, penetration testers for sure, red teamers. I’m always a big proponent of the fact that just because you’re a pen tester doesn’t mean you can do
connected car pen testing. It’s not the same. And hacking an Apache Web server is way different than hacking a TCU. Pen testers who want to get involved in connected car pen testing, take a look at this book, read it, it’s got a lot of really cool stuff on it, it’s literally a field manual on how to build your junk kit for doing connected car pen testing. And what do you need to understand, what are the things you
need to think about. – Okay, so as we start
to wind up a little, if you wanted to get out your
crystal ball for a moment, whether talking about APIs or otherwise, would you care to predict
what vulnerabilities are gonna be most prominent and
dangerous in 2020 and beyond, do you have any thoughts on possible election hacking
or anything like that? – Goodness, the crystal ball question, yes, I think hostile nation states will continue to try and disrupt this great experiment of democracy that we’ve got going on. So that will continue, they will continue to
become more sophisticated, it will definitely continue to be a focus on hacking a human, we are the weakest link in security and that will never change. I think over the next few years it’s gonna be a focus on micro-services. I think as the monolith disappears, and the monolithic applications disappear and start to be replaced by
micro-services and server-less, I think CISOs are gonna struggle to continue to understand
how to secure that, how do you secure a server-less app? How do you secure micro-services? I think that this is very understated, but the last metric I heard was that the average
organization runs about 420 APIs. I’m seeing 800, I’m seeing more. So the average organization I think is running between 800 to 1000 APIs. And how do you secure that? I was talking to Mike the CISO over at Twitter a few weeks ago. There is a pervasive concern that’s keeping CSOs up at night today, and that is securing their APIs
and their micro-services. How do you secure that attack surface, Docker containers, Kubernetes, there are some great technologies out there that are doing that, that are focused on it, NeuVector, you’ve got Twistlock recently
acquired by Palo Alto. You’ve got all these really
cool companies out there doing this and focused on this. And take a look at them, you
need to secure these things. Hackers are learning how to bust out of containers and pivot. You’ve got to protect yourself from that. – Wow, that’s a lot of
things to worry about. – So last time we talked extensively about the need for more
women in cyber security. And I notice on LinkedIn that you’ve been posting on social media using #KnightWriter is what you just said, KnightWriters, W-R-I-T-E-R-S. Tell me about that, are you building and growing a coalition of women in cyber security? – I am, KnightWriter. – Tell me all about it? – Okay, so Knight Rider, I grew up on it, I’m a 70s baby, I’m 40 years old, I just turned 40. I’m old. – I see the hashtag and the theme song goes
through my head instantly. – I’m old. Michael Knight. I grew up on Knight Rider, and it was me just thinking
about the fact that, I don’t know how this came up, I want to say that one of my followers, because I’m an influencer and one of my followers I think, I want to say one of my
followers came up with it. I was like, that has a good
ring to it, KnightWriter. So I went with it, and it’s in Twitter’s hashtag library now, it’s been used so much at this point. So definitely look for the
#KnightWriter on Twitter or LinkedIn if you’re
looking to follow my research and publications, but yeah, so Carmen, I don’t know if you heard, I was recently nominated in the top three by Intelligentsia of the hacker of the year award, Female Hacker of the Year. I didn’t win, but that’s okay, I was up against some amazing women. But just to have been recognized among these thousands of
amazing women out there. Awesome. Having said that, so Carmen recently received funding from the founder of Craigslist, Craig something or other. And to do this 100– – Craig Slist.
– Craig Slist. We’ll just call him Craig Slist. – Yeah, sure. – He put up all the
funding that Carmen needed to do this 100 women in 100 days thing, and it looks like I’m actually
gonna be an instructor, where we’re gonna be teaching 100 women and she’s partnered up with employers to actually hire those
women after the 100 days. So it’s a really neat initiative, try to get more women in cyber security, if you’re a woman in cyber security, follow me, reach out to me, happy to provide guidance
and be your spirit guide. Spirit animal. I have a lot of female
followers, which is great. I get reached out to on a daily basis, there’s women that are in cyber security, want to get into cyber
security, want to understand it. Happy to be a spirit guide for them. We need more women, we need
to change these numbers. Just a few weeks ago I
had someone on Twitter say that cyber security was
too fast-paced for women. Shocking, shocking that
this individual decided to do this on Twitter. Especially with me, it’s like do you know
who you’re talking to, you have no idea who you’re talking to? Be really careful when you’re gonna decide
to troll Alissa Knight. So it was cool, because all
my followers got in on it and let’s just say the gifs
were really cool, really funny. But we need to change these numbers and we need to do one number at a time, and I’m really trying to do that and change the narrative here. – Can you break that
down a little bit more about what this training is, where it’s gonna be, how it’s gonna be made available. Is this through individual
organizations or? – Sure, Carmen, you should interview Carmen on this topic, she definitely has more info on this. I want to say there’s one in Chicago, she’s gonna do it in multiple cities, and there will be 100 women
that will be selected. I’m sure there’s going to
be a registration gate. – Are these women already in the industry and they are learning higher levels or? – I think it’s anyone, any woman who has an
interest in cyber security wanting to move into cyber security. I always say, I love this, I used to run a website to teach women how to invest in the stock market, it was called street girl. I used to be a day
trader believe it or not. And one of the things, I always loved the quote is that women are the chief financial
officer of the household. We’re awesome CFOs of the household. And just the same, women I think make just
from the way we’re built, the way we are coded as women, I think we make great penetration testers, we make great cyber security engineers and the industry needs more of us. So it’s anyone, any woman wanting to
get into cyber security, who has an interest in it, or is in cyber security right now. And doesn’t have a job
and wants to continue to do capacity development and get into something and have a job waiting for
them when they are done. – Okay, speed round. Let’s throw every form
of social media Link or your books or whatever you want to promote here at the end. – Yes, Twitter, LinkedIn, YouTube. So on YouTube, Alissa Knight, slash Alissa Knight, that’s A-L-I-S-S-A K-N-I-G-H-T. I spell mine with an I. There’s an I in Alissa. And Twitter @AlissaKnight, and LinkedIn Alissa Knight, reach out to me, connect with me. I’m trying to shoot for
5000 followers on YouTube, by the end of the year, so if you can help me
meet that number, do it. – Do it. – So subscribe to me on YouTube. – You have a podcast
as well, is that right? – I do, I have Aite Radio for Aite Group, and I also have LeetSpeak. So I host two podcasts, check us out on Libsyn,
iTunes, all the usual, Stitcher, all that fun stuff. – What is the focus of each of those? – Cyber security. Cyber security, just on LeetSpeak it could be about really anything, I’m obsessed with productivity
and time management. Aite Radio is more focused, definitely every episode is cyber security. – Gotcha. Alright, Alissa, thanks
again for all your insights, this is always a blast. – Thanks Chris, love nerding out with you, let’s continue to do this. – We absolutely will. Thank you again, and thank you all for
listening and watching. If you enjoyed today’s video you can find many more
on our YouTube page. Just go to YouTube and type
in Cyber Work with Infosec. Check out our collection of tutorials, interviews and past webinars. If you’d also rather have us in your ears during your workday, all our videos are available
as audio podcasts of course so just search Cyber Work with Infosec in your favorite podcast catcher to see the current promotional offers available for podcast listeners. And to learn more about our
Infosec Pro Live Boot Camps, Infosec Skills On Demand Training Library, and Infosec IQ Security
Awareness and Training Platform, go to InfoSecInstitute.com/podcast, or click the link in the description. Thanks again Alissa Knight, and thank you all for
watching and listening. We’ll speak to you next week. – Love yourselves and each other. – Absolutely. (upbeat music)