Below the Surface (Audio) - The Supply Chain Security Podcast
Eclypsium
A lively discussion of the threats affecting the supply chain, specifically focused on firmware and the low-level code that is a blind spot for many organizations. The podcast features guests from the cybersecurity industry discussing supply chain security problems and potential solutions.
Get the Supply Chain Security Toolkit from Eclypsium here: https://eclypsium.com/go
Episodes

Feb 6, 2025 • 60min
Understanding Firmware Vulnerabilities in Network Appliances - BTS #45
In this episode, Paul, Vlad, and Chase discuss the security challenges of Palo Alto devices and other network appliances: the vulnerabilities found in these devices, the importance of best practices in device management, and the case for automatic updates. They look at how firmware vulnerabilities in appliances are evolving and why compensating controls are needed to mitigate the risk, and they stress that vendors are responsible for shipping secure products and that users should expect more from their security appliances. The conversation then turns to the need for stronger security standards for network appliances, the trade-offs that auto-update mechanisms introduce for supply chain security, and the application of zero trust principles to appliances. They also cover the role of firmware encryption and key management in hardening devices, and the necessity of monitoring and detection to guard against vulnerabilities.

Jan 27, 2025 • 47min
Network Appliances: A Growing Concern - BTS #44
Chase Snyder, Director of Product Marketing with extensive experience in network security, joins to explore the rising threats faced by network appliances, particularly Ivanti and Fortinet devices. He discusses the troubling vulnerabilities that accompany these devices and the urgent need for better security standards. Chase highlights the lack of visibility into network appliances, which makes them easy targets for attackers. The conversation also covers vendor accountability and the need for customers to demand improved security practices.

Dec 9, 2024 • 1h 2min
CVE Turns 25 - BTS #43
In this episode, Paul Asadoorian, Alec Summers, and Lisa Olson mark the 25th anniversary of the CVE program and discuss its evolution and the importance of transparency in vulnerability management. They cover the history of CVE, the process of creating CVE records, and the role of CNAs in ensuring accountability, along with the challenges of end-of-life software vulnerabilities and of maintaining the integrity of CVE records in an ever-evolving cybersecurity landscape. The conversation then turns to the complexities of managing and analyzing vulnerability data: the roles of CVE and CVSS in providing accurate, enriched records, the difficulty of combining individual vulnerabilities to assess cumulative risk, the value of community engagement in improving CVE records, and the evolving landscape of supply chain vulnerabilities. Throughout, the speakers emphasize the need for better data analysis methods, the significance of community involvement, and the ongoing efforts to improve the quality and accessibility of vulnerability information.

Nov 21, 2024 • 1h 3min
The China Threat - BTS #42
In this episode, Paul Asadoorian, Allan Alford, and Josh Corman discuss the growing threat posed by China, particularly in the context of cyber operations and geopolitical ambitions. They explore the implications of China's strategies, the vulnerabilities in critical infrastructure, and the need for transparency and trust in digital systems, emphasizing the urgency of these threats as they relate to Taiwan and the broader global landscape. The conversation then turns to digital infrastructure itself: over-dependence on unreliable systems, the need for greater trust and transparency, the balance between usability and security, the challenges posed by security appliances, and the regulatory landscape affecting digital trust. The speakers also address the importance of empowering smaller enterprises and the asymmetry in cyber defense, particularly for those at the bottom of the economic pyramid, and advocate proactive preparation for future disruptions and collective action to improve the overall security landscape.
Takeaways:
- China's ambitions towards Taiwan are a significant concern.
- The geopolitical landscape is increasingly complex and interconnected.
- China's cyber operations are organized, funded, and strategic.
- Critical infrastructure in the U.S. is vulnerable to cyber threats.
- Cyber warfare will likely be a hybrid conflict involving multiple actors.
- Dependence on connected technology poses risks to national security.
- Malicious intent is not necessary for cyber harm to occur.
- Transparency in digital infrastructure is crucial for security.
- The threat of hardware exploits remains a significant concern.
- The recidivism rate of cyber threats is high, especially in critical sectors.
- There is a cost to connectivity that we have not acknowledged.
- Usability is often prioritized over security, leading to vulnerabilities.
- Dependability in digital infrastructure is crucial for resilience.
- Security appliances can sometimes introduce more vulnerabilities than they solve.
- Regulatory frameworks need to adapt to the evolving digital landscape.
- Consumer demand can drive accountability in security practices.
- Smaller enterprises often lack the resources to secure their systems effectively.
- The asymmetry in cyber defense leaves many vulnerable to attacks.
- Proactive measures are necessary to prepare for potential disruptions.
- Collective action is needed to improve trust and transparency in digital infrastructure.

Nov 6, 2024 • 60min
Pacific Rim - BTS #41
In this episode, Paul Asadoorian, Larry Pesce, and Evan Dornbusch delve into the recent Sophos reports on threat actors, focusing on the Pacific Rim case. They discuss the implications of the findings, including the tactics used by the attackers, the vulnerabilities in network devices, and the challenges of securing appliances. The conversation highlights the importance of network detection solutions, the impact of zero-day exploits, and the need for a shift in how appliance security is approached, especially with respect to firmware backdoors and UEFI threats. Turning to the implications of UEFI attacks, the speakers credit Sophos' proactive measures and stress the value of observing attackers, the role of manufacturers in improving security, and the need for better monitoring and visibility on devices. They also touch on shared responsibility in cybersecurity, the lessons that come from transparency about incidents, and the risks posed by overpowered devices, and they advocate running security software on appliances and producing bills of materials to improve device security.

Oct 23, 2024 • 50min
Backdoors in Backdoors
In this episode, Paul Asadoorian and Matt Johansen discuss the recent targeted attacks by Chinese threat actors, focusing on the Volt Typhoon group. They explore the implications of backdoors in cybersecurity, the role of ISPs, and the ongoing tension between privacy and security, with historical context, the evolution of threat actor tactics, and the shared responsibility model. They also highlight the challenges of supply chain security and the visibility problems that leave network devices exposed to attack. Paul and Matt then trace the evolution of software security from traditional vulnerabilities to emerging threats in network devices, stressing the importance of observability and of aligning incentives toward better security practices, and they argue for innovation in infrastructure security, including the use of modern web frameworks and memory-safe languages.

Oct 8, 2024 • 60min
The Art of Firmware Scraping - BTS #39
In this episode, Edwin Shuttleworth from Finite State discusses firmware security, insights from the GRRCON Security Conference, and the challenges of firmware analysis. The conversation covers various topics, including firmware scraping techniques, the IoT landscape, types of firmware, the importance of Software Bill of Materials (SBOMs), and emulation in firmware analysis. Edwin shares his experiences and offers advice for those looking to get started in firmware reverse engineering.

Sep 27, 2024 • 56min
Vulnerability Tracking & Scoring - Patrick Garrity - BTS #38
In this episode of Below the Surface, host Paul Asadoorian and guest Patrick Garrity discuss the complexities of vulnerability tracking and prioritization. They explore the various sources of vulnerability data, the significance of known exploited vulnerabilities, and the concept of weaponization. The conversation covers the challenges posed by supply chain vulnerabilities, the importance of the Software Bill of Materials (SBOM), and the impact of user behavior on security, and it closes with thoughts on the future of vulnerability management and the need for a more comprehensive approach to cybersecurity.

Sep 11, 2024 • 57min
Firmware Reverse Engineering - Matt Brown - BTS #37
Matt Brown, a firmware reverse engineering and hardware security expert with a popular YouTube channel, delves into the vulnerabilities of IoT supply chains. He shares insights on the challenges of extracting firmware from embedded Linux systems and discusses the issues of code reuse and lack of security incentives in IoT devices. Tools like binwalk and unblob are spotlighted for firmware analysis, while Matt emphasizes the importance of hands-on experience and passion for tackling IoT security challenges.

Aug 14, 2024 • 60min
Supply Chain Policies - Trey Herr, Stewart Scott - BTS #36
Stewart and Trey join us to talk about driving cybersecurity policies for the nation, what makes a good policy, what makes a bad policy, supply chain research and policies, and overall how we shape policies that benefit cybersecurity.
Segment Resources:
https://www.atlanticcouncil.org/in-depth-research-reports/report/broken-trust-lessons-from-sunburst/
https://www.atlanticcouncil.org/in-depth-research-reports/report/open-source-software-as-infrastructure/
This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!
Show Notes: https://securityweekly.com/bts-36
