Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host, Gary McGraw, vice president of security technology at Synopsys and author of “Software Security.” This podcast series is cosponsored by Synopsys and IEEE Security and Privacy Magazine. For more, see www.computer.org/security and www.synopsys.com/silverbullet. This is the 133rd in a series of monthly interviews with security gurus, and I’m super pleased to have today with me Cheryl Biswas. Hi, Cheryl.
Cheryl Biswas: Hi, Gary.
McGraw: Cheryl Biswas is a computer security consultant focused on threat intel at KPMG Canada. Cheryl’s 20-year career began at CP Rail’s help desk. And she also worked as an InfoSec researcher at JIG Technologies. Cheryl’s an active blogger, conference speaker, and security presence on Twitter. She likes to connect people in the InfoSec field together with a focus on end users. Cheryl has a B.A. from York University in poli sci. She’s also studied creative writing, as evidenced by her multiplicity of blogs. Cheryl lives in Toronto, Canada, with her three kids. Thanks for joining us today.
Biswas: Thank you so much for having me. You have had such a great number of guests. This is thrilling.
McGraw: It’s really fun to do. I had no idea this podcast series was going to become what it is. But it’s really fun to do. So just how many blogs do you have these days?
Biswas: Well, there is the one that everybody would know about. Then there’s at least two others that most people don’t, so.
McGraw: I found three. So there was kind of...the one that most people, probably, really know as the mom blog, but then there’s the one attached to Twitter, and then there’s the one that’s kind of poli-sci musings.
Biswas: Exactly. Oh my gosh. I have to send you a prize for finding all of those.
McGraw: I have people. I didn’t find them. That’s how I do my job. I actually have people do some background checking for each guest, and then I take their output, which may take them an hour or two, and spend an hour or two writing a script, which is why this podcast doesn’t suck, because it’s not just musings and arbitrary questions. It’s more focused.
Biswas: And this is such a good argument for having, you know, really good OpSec.
McGraw: Yeah, that’s right.
Biswas: You never know what people are going to find about you.
McGraw: You are pretty good. I mean, there are some people that are just invisible that are really problematic from a backgrounding perspective on the net, but they’re very, very, very rare on this podcast. So let’s move into the episode. You moved many years ago from the help desk in a mainframe shop into InfoSec. So how did you make that transition?
Biswas: I like to call it a Cinderella story. So I had been at home raising my kids for 10 years, and really the long and the short of it is if you know the price of day care, there’s a point where it’s, like, it makes no sense to pay all that money and not be with your kids. It’s about the same. So while I was home with them, I kept aware of things that were going on. I got inter-fascinated by websites and actually built small websites for people in a barter situation, but at that point I had no concept really of information and security.
Then I needed to go back to work to earn a paycheck. And I got on with a terrific little managed services firm—that would be JIG—who needed somebody who loved tech but could do all the things that the guys in the office were not capable of doing. So that was me, a hybrid. And I just fell in love with being back in the world of tech, being around servers and taking things apart. And I would read the daily newsletters that came in. And one of them was from Kaspersky, and it talked about Stuxnet. I mean, that was it. I just sank. I was in love. It was everything that I was ever interested in, because I’d studied political science and I have that real strange penchant for organized crime and conspiracy theory and action movies, like “Die Hard.” And of course—I know I’m so, so weird. But suddenly, there was this world that had all of these things in it, and I understood it, and it made sense to me, and I just devoured it.
McGraw: That’s cool.
Biswas: So Stuxnet really was my road in. And I wrote a brief to my boss, who was brand-new at that time, for him to take with him on vacation so he could have some light reading, about Stuxnet, because I thought he should know. He didn’t fire me, amazingly.
McGraw: That’s good. So, you know, you had done some IT stuff, I guess, before you took time off for the kids, and then you did...now you’re doing IT stuff but from a different perspective. But have you seen InfoSec evolve in the larger context of IT evolution or, you know, how did those time periods...what kind of inference can you draw from those?
Biswas: Well, there has been an evolution over 20 years. It’s interesting to compare; I’ll first look at it from a customer standpoint. Working in a help desk is a terrific experience for everybody. It’s important to understand things through the lens of the end user, because it helps us really understand what it is they’re not grasping, how we could secure them better, and how we explain things to them, to work with them. We’ve made big strides, just in the past two years alone of saying, “Wait a minute. What if we just try talking to users differently? What if we tried understanding where they’re coming from?” So getting a handle on that is massive because we were working with people who threw keyboards on the floor, washed them in coffee. They were in railroad yards. These are guys who have no time to fiddle with technology. Mind you, the beasts that they were working on were—
McGraw: “Why doesn’t my computer work when it’s covered in coffee? I don’t understand.”
Biswas: Exactly. So you really get an understanding of how you’re going to solve a problem, because if you’ve got a train coming into that yard, you need to be on top of things. And a train is not waiting for anybody, and neither are the guys who are running it. So working with the customers, understanding the nature of their business, their priorities, and then being able to align security to work with them as well as for them is a key to success.
McGraw: I like the way you put that. I think that also applies to IT in general, which should be in service of the business and not something that’s imposed on people trying to get their work done.
Biswas: Absolutely. That’s perfectly said.
McGraw: (Not that I would know anything about that now that I have a huge corporation to contend with.) So let’s talk about poli sci and cyber security. Cyber security is way more politicized than ever, from the Russian info war on the U.S. election through Assange and the WikiLeaks transition from freedom fighter to state puppet, to trying to figure out how to pigeonhole Snowden. I mean, good lord, there’s so much stuff to think about. What I want to do, if you’ll play along, is a quick pass on five topics, one minute each or something, and then dig into poli-sci-meets-cyber a little bit more after that. Does that sound good to you?
Biswas: That sounds like fun.
McGraw: OK. So the first topic is cyber war. Go.
Biswas: Oh, OK. So looking at building up the...we had the military-industrial complex? Welcome to the military-cyber-industrial complex. I’m riveted by what’s happening over in North Korea. I think drones are going to become huge in terms of what they afford both defenders and attackers, and it’s all the stuff that we don’t know yet that’s just waiting around the corner. This has been in the making for far longer than most people realize. The more you dig into it, the more secrets that you’re going to unearth. And yeah, be very ready. This is the new battlefield. That’s it, in a nutshell.
McGraw: Very good. Second topic, really closely related, especially because you’ve been thinking about Lazarus and SWIFT and North Korea: attribution.
Biswas: Be very, very careful where you pin the tail on that donkey. Once you blame somebody, you have fired a shot across the bow. It is very difficult to substantiate your allegations, and you have to bring proof to the table when you do that, particularly in the current landscape. We’re seeing a lot of fallout, and there are people here who will hit first and ask questions later. You don’t want to create an international incident around that. But if you see the smoke and you really suspect there’s a fire, find the ways to alert the right people to get them moving, even without all of the attribution blocks in place, because you don’t need to sit and watch everything burn down. That’s what I’d say.
McGraw: Good. I like that. I mean, I guess attribution becomes more important when response goes kinetic. So, you know, if response is just cyber but it’s not going kinetic, that’s one thing. But if you launch a bunch of missiles based on misattribution and you do it quickly, that can lead to some serious trouble.
Biswas: Oh, yes.
McGraw: All right. No. 3, slightly different: crypto back doors.
Biswas: Well, we’re thinking of being able to have access to everything all of the time, and I will stand by this: When you open Pandora’s box, you cannot put it all back in again. And some of the stuff you will genuinely regret ever having unleashed. We can’t give absolute power to people who have a lot of power already, and that’s why we need to secure and ensure that cryptography is solid and that encryption is treated as a right, that privacy is safeguarded.
McGraw: OK, I want to add one thing to that too, which is: it’s hard enough to design a cryptosystem for real world use that works, and making it also work with a back door included is exponentially harder, maybe even impossible. I think that’s one of the best arguments from a technical perspective.
Biswas: Oh, I agree completely.
McGraw: OK. No. 4, next to last. This is what you’ve already sort of said got you started in security: Stuxnet.
Biswas: Daisy-chaining zero days together, and being able to play hide-and-seek within the networks, being able to jump an air gap, completely taking our notions, our assumptions around security and flipping them. These are huge lessons that prevail to this day, and we are so screwed when a Stuxnet for mainframes or for ICFs, beyond ICFs, emerges. We are seeing that because people are taking the lessons from Stuxnet and redeveloping them, evolving them into the next generation of threats.
McGraw: OK, and I guess Stuxnet was interesting too because it was, in some sense, cyber kinetic.
Biswas: It was. Yes. The politicization of cyber, the weaponization of cyber.
McGraw: OK, last quick hit. I don’t know if this will be quick or not, because I really don’t know anything about it at all, as a typical United States guy: Canadian policymakers.
Biswas: We’re so conservative. Oh my gosh. We need to move faster, particularly with regard to cyber security. However, we really do like bureaucracy, and I think we sometimes entrench ourselves in doing things for things’ sake as opposed to actually making something happen. Nonetheless, we are statesmen; we are reasonable; we have, I think, a much more encompassing and worldly view on what’s going on around us to enable us to make changes that are positive.
McGraw: OK. Than our guys down here, because you said “much more,” but “much more than what?” is the question.
Biswas: OK. We’re lower-key, certainly, than Americans, or than maybe even the Europeans are. And I think that enables us to be heard.
McGraw: OK, yeah. So speak quietly and say “eh” a lot.
Biswas: You can speak quietly, and yes, if you speak quietly, you can say a lot and—
McGraw: No, I said “eh.” You’ve got to say “eh” a lot, eh. Sorry.
Biswas: Yes, “eh” and “sorry.” You’ve got to say “sorry” a lot.
McGraw: Perfect. OK. So here’s the last poli sci thing, which I think is actually huge. I believe we’re just barely beginning to experience the information revolution and we’re experiencing that through a backlash, a populism backlash, mostly the populist people that are left behind in the dust. So if you think replacing iron workers and coal miners and car builders is bad and that led to the Trump disaster, just wait until we replace 3 ½ million truck drivers. So, what’s to be done about this corner we’ve painted ourselves into as technologists?
Biswas: OK, I’m not a fan of automating all the things at all, and I really believe we need to take a stand and say the people driving this are people, not machines. And we cannot expect machines to make the best decisions or to make our decisions for us. We’re misguided if we’re doing that.
McGraw: OK. So you’re pro-monkey, basically.
Biswas: Yeah, I guess I am. No, I really believe we are sitting at the helm of the machines and we can’t really lose sight of that.
McGraw: Right, so far, I think we are too. But I also think we already opened Pandora’s box, to use that metaphor that’s been beaten to death, and we can’t stuff automation back in, and we can’t stuff control back in. You know, the information revolution is happening now, and, you know, it’s interesting to see. I have no idea how it’s going to unfold in the future. But I’m not sure I’m on the monkeys’ side. I’m glad that you are. Somebody has to be.
Biswas: Oh, you know. Somebody has to root for that dark horse.
McGraw: That’s right. We’ll be right back after this message.
If you like what you’re hearing on Silver Bullet, make sure to check out my other projects on garymcgraw.com. There, you can find writings, videos, and even original music.
Back to security as a technical domain. Do you believe that the world understands this notion of building security in that I’ve been yelling about for 20 years?
Biswas: Oh, jeez. I’m going to say “not yet.” I’m going to say so many end users don’t really get it, can’t even actually be bothered to get it, because it’s viewed as somebody else’s problem. I liken this to us being the tip of an iceberg. In the security field, we are privy to so much more knowledge and information and understanding. We get it. But the rest of that iceberg—that’s everybody else who uses the technology, who buys the cameras, who connects the Crock-Pots to the internet, who wants, God help us, the stove that they can set from the office so that it’s preheated and cooking when they get home. We know what can go wrong and why. And honestly, there is so much that can go wrong, including the fact that there’s this guy called Murphy and his law. For all the best that we try to do, invariably something can happen.
McGraw: I thought Murphy was a woman. Is Murphy a man for sure?
Biswas: Well now, that hasn’t been proven either way.
McGraw: OK. Well, you know, how do we make consumer device manufacturers “build security in” so that normals who buy these things and just want to cook dinner automatically from a smartphone app can do it?
Biswas: In an ideal world, we would have regulation and legislation that governs their processes so that they are answerable to an outside party that says, “Under no circumstances will you design a product that doesn’t meet this criterion, or would you consider designing a product for these purposes.” That, unfortunately, does not exist.
We have change review boards, change management boards. But from what I am seeing, everything is all about innovation, disruption, and being the first to the finish line, because we are businesses that need to stay alive. And it’s more competitive now than ever. So that continues to drive the decision-making process. I don’t agree with it, but that is...that’s the nature of the beast. That’s how it’s done. So what you need to do then is you need to look at how the decisions get made and then you need to—I’m going to say this—hack that process, find a way to get your voice in there. It’s the old twist of making them think that it’s their idea.
McGraw: Yeah, we just use Gartner for that.
Biswas: Yeah. If Gartner says so, it must be so. Exactly.
McGraw: Yeah, exactly. So as an IT person, how do you cope with or influence dev at your company? I know KPMG actually has a bunch of dev, and it is a kind of constant evolution. Is there somebody looking over their shoulders from security? Is there a software security group where you work?
Biswas: I’m in a different realm maybe. We look at what our clients are doing, and we evaluate how they are working, and give them recommendations and best processes. So in essence, we are the security group looking over their shoulders and telling them what they’re doing well and where they have loopholes and what they need to be doing better.
McGraw: But that’s system security analysis, right?
Biswas: Well, it can extend. It’s security analysis whether they’re doing...in some cases, it’s for software development. In some cases, it’s for their actual network and operating system. So we get to see...sometimes we get to see all of the pieces. Sometimes, it’s just one specific focus.
McGraw: Gotcha. All right. So how do you try to influence all of those customers to think about building security in, or not?
Biswas: It’s a matter of showing them a business case: what this would mean in terms of increased efficiency, cost saving, and meeting their regulatory requirements.
McGraw: Right. That’s a reasonable answer. Now, something that I think I already know the answer to, but how important is a good inventory of what you have to secure?
Biswas: Oh, ding, ding, ding. Like maybe No. 1 or 2 on my list of what you need to start with.
McGraw: Yeah, I completely agree with that. I mean, there are so many people who worry about all sorts of aspects of security, but they don’t really even know what they’ve got in their pile. This goes for software inventory as well as regular inventory.
Biswas: Absolutely. Oh my goodness. People think in terms of hard, tangible stuff when they do inventory, but no, it’s what’s also running on your stuff. You need a complete listing of the stuff that you can see and the stuff that’s inside the stuff that you can see.
McGraw: Mm-hmm. And it’s turtles all the way down. So do you think that that’s related to the notion of vendor control and risk management for supply chain?
Biswas: Yes. You have to be constantly on top of where you are getting your things, and I’m thinking in terms because I did a talk on shadow IT, and that just really impacted me. And it’s persistent. It’s an advanced, persistent threat that we just haven’t labeled as such. You have so much access now to Cloud services, and businesses have no idea how many instances are getting spun up. We had the MongoDB situation a couple of months ago. There were like thousands upon thousands being ransacked by ransomware and completely left open, because people just weren’t thinking in terms of security and that anybody was going to really bother with them. It’s sitting out there. It’s open. It’s a target. It’s an incident waiting to happen.
McGraw: Good. So now something completely different. You sort of alluded to this a little in some of your previous comments, but tell us how you negotiated the really tricky life-work balance as a mom.
Biswas: Oh, I hate to say it. I don’t actually have a great life-work balance. I actually had to do a pretty heavy trade-off in terms of being able to go after what I really wanted. So my kids and I are great. My marriage is not. That was the price I paid. But it’s really important to do what you believe in and to have people around you who understand and support that. And in our area, we really have a demanding role, and I think we come to this as more of a calling than anything. This isn’t just what I do. This is who I am. This is what I have wanted to be for so many years; I just did not know what it was called. And when I found it, I was all over it. I’m getting to do things that I only dreamed of. And I share this with my kids, and they are...they love it. They get it. I have the opportunity to open up a world to them, share understanding with them, and inspire them to go after what they want to do and who they want to be. I am really getting to be my best person in that regard.
McGraw: I think that’s good. The take-home lesson, if you want to make it super pithy, is do what you’re passionate about, and maybe other stuff falls into line. I guess the challenge happens for women especially—as the people who are, for whatever reason, supposed to be raising the kids in our current modern society—to be passionate about both what they’re doing professionally and also passionate about raising their kids. And I don’t think we’ve come up with a good answer to that one yet.
Biswas: That’s really tough, and you need to fill that well. You can’t only ever be giving and getting nothing in return. That’s why having a career and being able to identify yourself through what you’re doing and making accomplishments that matter to you is so important, because then you come back home and you recharge. Then when you’re cooking dinner and washing dishes, you’re also in the moment, and you’re present with your kids, and you’re giving them the best part of you.
McGraw: Cool. Last question—well, next to last—tell us about TiaraCon.
Biswas: So last year was our inaugural event. We held a miniconference, two days, to celebrate the concept to encourage women in tech, and we wanted it to be inclusive for everyone. But the focus was on enabling, empowering, and encouraging women to go into this field. Because it can be a pretty daunting prospect; the numbers alone bear that out. And there are women who came to us with some scary stories and some heartbreaking stories, and we wanted to reach out to them and to say, “There are people here who really want to help you get to your goal, who will show you this is possible, who will stand by you.”
So we’re going to do it again this year. We’re going to be down in Vegas for the last Thursday and Friday as DEF CON kicks up. We’re just putting all of the pieces in place. You can follow us on Twitter at TiaraCon, and we have our website up as well. We’ll be sharing the logistics of it, and we’re also very keen to invite anybody who’d like to volunteer or sponsor the event, because we’re opening it up to diversity. It’s not just about women. It’s about everybody who wants to be here to be welcome here. We’ve all got a contribution to make, and we really need some great ideas and some great support.
McGraw: Cool. Thank you. Then the last question, which is always a total flier: What is your favorite movie to watch as a family? I know there’s always one that you’re like, “OK. Well, we’ll just watch this.” And you pull it out and watch it for the umpty-ump-jillionth time. That’s what we did.
Biswas: Oh my gosh. Well, we really enjoy all of the Star Wars sagas, to be honest.
McGraw: That’s a good one. Yup.
Biswas: That or Harry Potter. So different, but we really alternate between those.
McGraw: Yeah, we sort of did three. We did Star Wars, and we did the Bourne series, and we did the Lord of the Rings early series, too.
Biswas: Oh. Yeah, I can’t get my kids to watch Lord of the Rings.
McGraw: Why not?
Biswas: I’ve tried.
McGraw: Oh, man.
Biswas: I know.
McGraw: Huh. I’m surprised about that.
Biswas: Me too.
McGraw: Well, thanks, Cheryl. It’s been fun chatting with you.
Biswas: Thank you so much, Gary. It’s been a real pleasure.
McGraw: This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is cosponsored by Synopsys and IEEE Security and Privacy Magazine and syndicated by Search Security. The January/February issue of IEEE S&P Magazine includes our interview with Marie Moe, a Norwegian researcher who hacks her own pacemaker. Show links, notes, and an online discussion can be found on the Silver Bullet web page at www.synopsys.com/silverbullet. This is Gary McGraw.