Below the Surface (Audio) - The Supply Chain Security Podcast

In this episode, Paul Asadoorian, Allan Alford, and Josh Corman discuss the growing threat posed by China, particularly in the context of cyber operations and geopolitical ambitions. They explore the implications of China's strategies, the vulnerabilities in critical infrastructure, and the need for transparency and trust in digital systems. The conversation highlights the urgency of addressing these threats as they relate to Taiwan and the broader global landscape. In this conversation, the speakers discuss the critical issues surrounding digital infrastructure, emphasizing the over-dependence on unreliable systems and the need for greater trust and transparency. They explore the balance between usability and security, the challenges posed by security appliances, and the regulatory landscape affecting digital trust. The conversation also highlights the importance of empowering smaller enterprises and addressing the asymmetry in cyber defense, particularly for those at the bottom of the economic pyramid. The speakers advocate for proactive measures to prepare for future disruptions and the need for collective action to improve the overall security landscape. Takeaways: China's ambitions towards Taiwan are a significant concern. The geopolitical landscape is increasingly complex and interconnected. China's cyber operations are organized, funded, and strategic. Critical infrastructure in the U.S. is vulnerable to cyber threats. Cyber warfare will likely be a hybrid conflict involving multiple actors. Dependence on connected technology poses risks to national security. Malicious intent is not necessary for cyber harm to occur. Transparency in digital infrastructure is crucial for security. The threat of hardware exploits remains a significant concern. The recidivism rate of cyber threats is high, especially in critical sectors. There's a cost to connectivity that we haven't acknowledged. Usability is often prioritized over security, leading to vulnerabilities. Dependability in digital infrastructure is crucial for resilience. Security appliances can sometimes introduce more vulnerabilities than they solve. Regulatory frameworks need to adapt to the evolving digital landscape. Consumer demand can drive accountability in security practices. Smaller enterprises often lack the resources to secure their systems effectively. The asymmetry in cyber defense leaves many vulnerable to attacks. Proactive measures are necessary to prepare for potential disruptions. Collective action is needed to improve trust and transparency in digital infrastructure.

In this episode, Paul Asadorian, Larry Pesce, and Evan Dornbusch delve into the recent Sophos reports on threat actors, particularly focusing on the Pacific Rim case. They discuss the implications of the findings, including the tactics used by attackers, the vulnerabilities in network devices, and the challenges of securing appliances. The conversation also highlights the importance of network detection solutions, the impact of zero-day exploits, and the need for a shift in how appliance security is approached, especially concerning firmware backdoors and UEFI threats. In this conversation, the speakers discuss the implications of UEFI attacks, highlighting Sophos' proactive measures in cybersecurity. They emphasize the importance of observing attackers, the role of manufacturers in enhancing security, and the need for better monitoring and visibility in devices. The discussion also touches on the significance of shared responsibility in cybersecurity, learning from transparency in incidents, and the challenges posed by overpowered devices. The speakers advocate for the implementation of security software and the necessity of bills of materials to improve device security.

In this episode, Paul Ascidorian and Matt Johansen discuss the recent targeted attacks by Chinese threat actors, particularly focusing on the Volt Typhoon group. They explore the implications of back doors in cybersecurity, the role of ISPs, and the ongoing tension between privacy and security. The conversation delves into historical contexts, the evolution of threat actor tactics, and the shared responsibility model in cybersecurity. They also highlight the challenges of supply chain security and the visibility issues that make network devices vulnerable to attacks. In this conversation, Paul and Matt discuss the evolution of software security, focusing on the shift from traditional vulnerabilities to emerging threats in network devices. They emphasize the importance of observability and aligning incentives for better security practices. The discussion also highlights the need for innovation in infrastructure security, including the use of modern web frameworks and memory-safe languages to enhance security measures.  

In this episode, Edwin Shuttleworth from Finite State discusses firmware security, insights from the GRRCON Security Conference, and the challenges of firmware analysis. The conversation covers various topics, including firmware scraping techniques, the IoT landscape, types of firmware, the importance of Software Bill of Materials (SBOMs), and emulation in firmware analysis. Edwin shares his experiences and offers advice for those looking to get started in firmware reverse engineering.  

In this episode of Below the Surface, host Paul Ascadorian and guest Patrick Garrity discuss the complexities of vulnerability tracking and prioritization. They explore various sources of vulnerability data, the significance of known exploited vulnerabilities, and the concept of weaponization in cybersecurity. The conversation delves into the challenges posed by supply chain vulnerabilities, the importance of Software Bill of Materials (SBOM), and the impact of user behavior on security. The episode concludes with thoughts on the future of vulnerability management and the need for a more comprehensive approach to cybersecurity.  

Matt Brown, a firmware reverse engineering and hardware security expert with a popular YouTube channel, delves into the vulnerabilities of IoT supply chains. He shares insights on the challenges of extracting firmware from embedded Linux systems and discusses the issues of code reuse and lack of security incentives in IoT devices. Tools like binwalk and unblob are spotlighted for firmware analysis, while Matt emphasizes the importance of hands-on experience and passion for tackling IoT security challenges.

Stewart and Trey join us to talk about driving cybersecurity policies for the nation, what makes a good policy, what makes a bad policy, supply chain research and policies, and overall how we shape policies that benefit cybersecurity. Segment Resources: https://www.atlanticcouncil.org/in-depth-research-reports/report/broken-trust-lessons-from-sunburst/ https://www.atlanticcouncil.org/in-depth-research-reports/report/open-source-software-as-infrastructure/ This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-36

Gain insights into the CISA KEV straight from one of the folks at CISA, Tod Beardsley. Learn how KEV was created, where the data comes from, and how you should use it in your environment. This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Resource: https://cisa.gov/kev Show Notes: https://securityweekly.com/bts-35

Jay Jacobs Co-Founder and Data Scientist and Wade Baker Co-Founder; Data Storyteller from The Cyentia Institute come on the show to talk about The Exploit Prediction Scoring System (EPSS). This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-34

Ed Harris joins us to discuss how to secure OT environments, implement effective air gaps, and more! This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-33