Episode 34 of The Andy Show
ANDREW MCLEAN [00:00:34] Good afternoon and welcome to The Andy Show. It is Friday, the 5th of June 2020. The time is now 12:30, it must be time for The Andy Show. Thank you for watching us on Disruptive LIVE. You can obviously watch us on LinkedIn, Facebook, Twitter, YouTube, Vimeo and our website, disruptive.live. So today we’re gonna talk about all sorts of things, cyber security. We’re going to talk about cyber espionage. We’re gonna talk about the things that are happening at the moment and the things that might happen in the future. So who better to find out about all of these fantastic security implementations that are being put in place than my very, very special guest, Mr. Bharat Mistry, the Principal Security Strategist at Trend Micro? Bharat, welcome.
BHARAT MISTRY [00:01:31] Hi, Andy. How are you?
ANDREW MCLEAN [00:01:32] I’m not too bad, I’m not too bad. I’ve been looking forward to this interview.
BHARAT MISTRY [00:01:36] Oh brilliant.
ANDREW MCLEAN [00:01:38] So let’s start right at the beginning. I know Trend, a lot of people know Trend but what do you tell us a little bit about Trend and what you do there?
BHARAT MISTRY [00:01:48] Yeah. So Trend Micro is really a global cybersecurity player. We’ve been in the industry for over 30 years. And, you know, we’re kind of headquartered in Japan, but founded in US. Our kind of core solutions really serve enterprise organisations covering the Endpoint Network. And more recently, I would say data centre and Cloud. And as some of the new emerging technologies start coming out. So things like IoT and convergence that we’re seeing with manufacturing and industrial development solutions around that as well. What I do for Trend, I’m a Security Strategist. I work with really customers of all sizes, small, medium, large. But I don’t really work at the technology layer outright. I’m more about really the strategy that organisations are taking. And nevertheless, for you has been talking to a lot of customers around my great Cloud in the safe manner. And more recently, it’s been around convergence of I.T. with operational technology and manufacturing systems and things like that.
ANDREW MCLEAN [00:02:56] Oh fantastic. Well, I don’t know where to start with this. I could ask you so many different questions. It sounds as if what you’re saying is you’re essentially the wizard behind the curtain and a little bit like Jeff Goldblum in The Fly, you come up with the grand ideas and then tell people, put things, build things then you put them together. So the first thing I want to talk about, because I know you published one of our Web sites recently. You did an article on, a really good article on mobile cyber espionage. I want to know what mobile cyber espionage is.
BHARAT MISTRY [00:03:32] Oh, yeah. Yeah. It’s an amazing area. So espionage has always been that, you know, there’s been different players in the past. Nation states have been there, criminals, cyber activists, and they’ve always kind of tried to get into an organisation through traditional means. So, you know, tried to hack and then point or to get it through social engineering or something like that. And what’s happened in the last few years is more and more people are switching to mobile phones. This is the life and blood of most organisations. And if you think of a high value asset and what I mean in a high value asset. I mean a senior individual in an organisation. I can see what COO or someone like that. They’re carrying this device with them 24/7. And what we’re seeing is the information on this device is also enriched more so than ever. Not only have you got, I would say personal data on there, your own kind of photos, your text messages and things like that. But you’ve got a raft of other information, corporate information that’s held on there as well. And the other thing is that this device is kept with you all the time. So you can see from my opportunist point of view, you know, someone having to wanting to have a go and wanting to get information very quickly. The device that you want to target is this snap your mobile phone because that, in essence, carries a lot of data. It also carries a lot of authentication information about, you know, usernames and passwords. We all use things like password managers and things like that, right? It’s all that. So you can see why it’s a rich target. And what we’ve seen as of date is really devious techniques as to how to infiltrate these devices. We’ve seen these apps that come up that look genuine. But in fact, are riddled with malware and that malware is kind of designed to really look at things like your personal text messages, your e-mails, have the ability to switch on and off the microphone. 
That will take screenshots of what about what is going on and then send it back to a central site. The most kind of famous story around this is last year with the CEO of Amazon. He handed what looked like or he was sent a link, what looked like a genuine WhatsApp type application. In actual fact, it was something that looked very similar, but it was riddled with malware and designed to take specific data from that device. And you can see that happening more and more. And it depends on the geographies of where it’s happening as well. So we did see an instance in the Asian markets where a new chat application was loads of people. Yeah, I don’t use WhatsApp. It’s too corporate. I’ll use something else. You know, I have a smaller community. In actual fact, this chat application called Chatterers had something called Cool Spy on there and Cool Spy, it was designed, didn’t have any chat capabilities tool. It was really designed just to kind of look at your personal data and look at text messages, look at how emails coming in and out, looking at also taking Jpeg files and stuff like that, and then sending it through to a central site where it’s then useful in their means.
ANDREW MCLEAN [00:07:01] It’s a little bit frightening. I mean, I suppose there’s two things that I’m going ask you. Number one, I guess it’s a little bit like terms and conditions on a website. You download something. It does say. Well, I think it does. It says one of the permissions that people just go, yeah, that’s fine and go to the next thing. I mean, do these apps kind of subvert, you know, permissions or are they… is it really it does say but human nature? Because I do it myself. Just click. Yeah. Yeah, that’s fine.
BHARAT MISTRY [00:07:35] Yeah. I mean, the apps do have to ask for permission. And when you think about it, if something looks like a chat application, you’ll gonna say, yes, yes, yes very quickly without looking at the T’s and C’s people quite often still they just want to use the application for its functionality. They don’t want to be left behind. And we’ve seen it with things like TikTok, we’ve seen it with Snapchat and all these other applications that have been out there. People want to get on. They want to use it. And in the worst case scenario, I’ve seen people using default passwords as well. On some applications they just have you know, if you look at things like IoT, you might buy a home camera, for example. Very few people end up changing the password something. And it’s the same application unless you’re forced to do it. Very few people actually look into it and really this is where the problem comes in. The language isn’t simple as well. It’s very convoluted. You got to read the fine print and you got to get exactly what they’re trying to get out. And then you think, have I got time to do this? Or I just want use the app? And 9 times out of 10, just want to use the app. It’s the 1 in 10 who might kind of read the small print that goes with it.
ANDREW MCLEAN [00:08:47] Yeah. We get pop ups all the time with GDPR and in every Web site you go on and ask for permissions for various things. It’s amazing the number of times we’re not just have to cross, yes, yes, yes, yes, yes. Just to see something. I know there’s good pros and cons of these, but why? Well, I would like to ask, you mentioned earlier that one of these big cyber espionage, a mobile cyber espionage, was a huge, multi-billion dollar company like Amazon. But I suspect that espionage, like exacts within most organisations, could fall foul of this, could be a target because every company’s got something of value.
BHARAT MISTRY [00:09:29] Oh, absolutely. You’ve got this kind of mantra with the executives as well, sometimes. If they want something, they’ll go out and they’ll use it. So I’ll give an example. This happened very recently. So my wife, she works for a university and their corporate standard is to use Teams, for example, for, you know, these conference calls that we have. Yet, one of the… Not the vice chancellor, but some very senior in the chain is decided to use Zoom all by himself. So he’s gone, he’s completely bypassed corporate policy for this university. Decided to use Zoom without anyone else knowing. And you can see no one’s gonna step in and say, you can’t use that because this kind of fear of what’s going to happen if we do challenge someone like this. And it’s the same for organisations, you know, where you got senior individuals, you know, they’ll go away from the norm. They’ll see something new, shiny and flashy. I want to use that thinking oh, yeah, all of my mates or my peers in other organisations are using it. Some of them are using either one we left behind. So, yeah, I mean, I don’t see that happening quite a lot. And that’s where some of the problem starts to kick in, you know.
ANDREW MCLEAN [00:10:45] Yeah, I mean, I actually want to talk to you about this a little later in the interview. I want to talk about particularly during this lockdown. I won’t go into right now, but things like shadow I.T. have just popped up way beyond the C-Suite. But let’s stay on topic. Let’s stay on topic for now. A lot of our viewers will be watching this. Our take place in the Cloud, they use Cloud technology, maybe perhaps more now than they did a few months ago. But there’s a hybrid-Clouds and there’s public Clouds and all sorts of different Clouds going on and all sorts of organisations using them in different ways. Can you tell us a little bit about Cloud security threats? I mean, some of the experiences you’ve seen from us.
BHARAT MISTRY [00:11:30] Yeah. So as you say, you know, that this kind of whole movement and adoption of Cloud services is rising and it’s growing at an exponential rate of growth in services is huge. And we see new services come out. If you just take Amazon, for example, back in 2013, I think it was they only had some like 25 services this year alone. Right now, they’ve got 212 services. See, you can see the services out there which people want to use. The problem comes in. Well, how do I configure these services and how do I know that these services are set up in the right way? And there’s a lot of confusion. First of all, if you think about how we used to do things on our own datacenter, we had a complete control of everything. And we could test and break everything and we could touch everything. When it’s gone out into the Cloud. All of a sudden, there’s two running factors. First of all, you can’t touch me. Not yet, anyway. And secondly, everything is done through software based configuration. And that’s where the kind of hold stopped creeping. Would be cyber criminals are kind of recognising this as well, is that they’re recognising the complexity that goes around with the amplitude of services that are out there. And then they’re realising that, you know, going back to what we talked earlier about people wanting to use applications without reading the fine print. Well, people are using Cloud based services without fully understanding what the implications are or how to secure them. And we see, you know, one of the major attack vectors is criminals leveraging misconfiguration in the Cloud. And the best example of this is things like Cloud file storage. Fantastic service, you know, you’re getting storage, paying minimal amount of money for it. You know, Cloud providers are going to pack it up for you and everything you think. Fantastic. 
And if you look at some services like Amazon’s S3, you could actually leverage that service and host the website without you having to stand any of your own infrastructure. Brilliant. And that’s fine in theory, but when it’s not configured correctly. So if that file storage area is left open to the public with full permissions, they can recover. Not only can they upload malware on there, but they can use an ongoing propagation effect. I think there’s a kind of incident last year where a publication, online publication decided to use one of these mechanisms that are using a file storage to host a static website. But they let the permissions open. And lo and behold, a criminal gang found that out. And what they did was they put a malicious script in there. So whenever users visited their website, their computer would be then doing crypto mining on behalf of everyone else. And it is an online publication. So if you’ve got a story that breaks the number of people are gonna hit your website, then they’re kind of churning in the background in crypto mining. I mean, this is only a small example of it. But you can see, you know, this can escalate very quickly. We’re saying things like digital banks forming when they’re looking to use Cloud native applications and, you know, things like, for example, gone are the days of we’d have to go into a bank or insurance, give you kind of passport or your, you know, details to verify who you are. What we’re seeing now is people off loading that data. So photographs of could be your utility bill or whatever you have next to, you know what that is. All of that data is being loaded into “feet” Cloud kind of file storage areas. And you can say, you know, if it isn’t configured correctly, you can extract data from there or you can upload data from that. We could manipulate that data in whatever way you want to. That’s one of the big key areas. 
The other area is actually this goes back to what I was saying earlier about how we do things previously, whereby we’ve got set teams doing set pieces of work and in the Cloud, some of that is gone and now disappeared. Everything is running effectively as code. You write a template, code, automation. Everything. And so the power has changed from what would have been somewhat, you know, an infrastructure guy to a developer. And so developers have to really learn the culture shock learning curve to go after there. They can code but do they really understand the secure configuration? Do they really know how these services should be set up? And in most cases they don’t. Because that kind of learning how these services works in time and then they needed to know, actually, they got this kind of challenge of I’ve got someone in my ear. You know, from the business saying we need this function, we need this functionality. And on the second and he said, well, I can get that develop for you, but how can I do it in a safe and secure manner? And that’s what the kind of challenges, you know, how do you kind of balance that up and get something out quickly? And you can see, all these kind of weak spots introduce entry points for people to kind of attack and leverage these platforms.
ANDREW MCLEAN [00:17:02] So I’m gonna ask. You’ve kind of answered it but I’m gonna ask the question anyway, because people might be wondering why are Cloud infrastructures being attacked? What is the benefit?
BHARAT MISTRY [00:17:14] Yeah. It is the next natural entry point into an organisation. Now we’re seeing customers kind of three journeys we see. One is people that are just getting their toes in. The second one is who got a significant amount of services in the Cloud and the third one is born in the Cloud companies. Ultimately, what you’re seeing is your crown jewels are moving from what would be your own kind of house to be moving out into the Cloud. And you can see that’s the natural entry point for someone to have a go up. The other thing that we’re seeing is in the Cloud there is, let’s say, a back door. But there is what would be deemed a secure link back into your organisation. And if that link isn’t secured, you can see where I can penetrate a Cloud service, open a bank to and have a straight route through breaking all of my perimeter that I would have for my organisation. And I’m in the heart of what would be my data centre where you might, I might have other critical information or sensitive information that wouldn’t necessarily cross now. And again, Cloud, it just represents that whole opportunity. You know, I can speak if you think about that crypto mining that I just talked about right now, it might be deemed as I’m not really doing any damage. But from a operational point of view, I could be spending on higher compute service, paying the extra money for it, and they could be spending it in the background and doing crypto mining or whatever other activities that they want to do.
ANDREW MCLEAN [00:18:54] Okay. So I’m a neurotic person, worried about my Cloud infrastructure. And I got your phone number. I say Bharat, Bharat, I got a problem there. I’m really worried about this Cloud thing. I’ve got all these Cloud services. What advice can you give me to mitigate some of these disasters waiting to happen?
BHARAT MISTRY [00:19:17] So first and foremost, I would look at having some kind of framework, having a blueprint for how you’re going to use the Cloud and the services that you can impact. There are organisations like Cloud Security Alliance with that matrix that they have. And they ask a series of questions that you can use. The other thing is you can ask of your Cloud provider what it is that they gonna do for you. There is something called the shared services model. So it’s good to understand what they will do for you and what your liabilities are quite often. I still hear customers saying, oh, we’re gonna put everything in the Cloud. The problem. No, no. Even if they do take care of everything, the data, the actual information itself is still your responsibility. So you do have some ownership around that. Second thing is I would look at really some of the architectural practices that are out there. So if you look at Amazon, for example, look at Azure. They have done well architected principles. And they give you good guidance steps as to how to not only pick the services, have to use them, but how to configure them in a safe manner. The other thing I would also recommend is having some kind of continual monitoring in the background. Whether you use Cloud native services or whether you use some kind of Cloud posture management tool. Is to look at, you know, I’ve got these services, I’ve got some information that says this is how they should be configured. I mean, effectively put some guardrails up to make sure that when people are using or leveraging these services, they don’t go outside of these guardrails. And it’s just taking those basic steps, really. It’s a stepping back a little bit. Understand what you need to do. And then taking a slightly more pragmatic approach from just diving in with your size nines.
ANDREW MCLEAN [00:21:11] Fantastic advice. We’re already 21 minutes into the interview. The time now is 12:51, I told you that I wouldn’t be able to ask everything that I wanted to ask. So I’m gonna move on from that now. We’ve got the other thing, because this is the Mr. Robot segment. We’re gonna talk about the Dark Web. Everybody keeps talking about the Dark Web. Let’s talk about trading in the dark web. Can you give us an overview of what trading in the Dark Web is.
BHARAT MISTRY [00:21:39] Yeah. So trading in the Dark Web is all about. It’s just like an open market, right? We have a market that you go to and you can buy and sell your ways. The difference in the dark web is that what they’re buying and selling are essentially either tools and these could be illegal tools or they’re selling information. And if you want the clock back, kind of five years ago, the underground market was quite buoyant. You had some major players in there. It was kind of separated by language. So you’d have English speaking. You have Russians, you have, you know, Southeast Asians. But there was no kind of cross overlap. And there was an element of trust in those markets. So what happened was actually had kind of niche groups doing niche little big pieces of work. So one group could be doing kind of profiling, the profiling organisation and then sell that information. Openly on that platform. And there’d be an element of trust around it. And then that organisation would then do a campaign that would breach an organisation and then sell out on against someone else. So what you had is this neat little ecosystem of players in there, and they’d be working in a way that most enterprise organisations dream about. And watching what’s happened is as this market has kind of evolved. We’ve had law enforcement take place and they’re kind of breaking down some of these markets. We’ve seen, first of all, the trust element go away. So that open relationship that we had or that they had between various players is now gone. And so they’re using other platforms to kind of communicate. So before they talk openly, now they’re using platforms like escorts, for example. They’re selling their wares on a third party e-commerce platform. And we’re also seeing the big change that’s happening is the price of some of these tools. 
Back in 2015, it was quite high, you know, paying up to a thousand dollars for things like denial of service type tools or for things like ransomware and other things out there. And what we’re seeing is a significant decrease in price. For example, you know, if you look at crypters, you know, so it’s these are tools that will take your malware and kind of encode it in some kind of way so it doesn’t get recognised by anti-malware tools. You know, those services dropped from a hundred dollars to about 5 dollars a pop. Things like ransomware has dropped from what would have been 200 to again to 5 dollars a pop. Things like WannaCry is available for nothing on that market. The thing is, the players have changed as well. Before, it was very kind of specialist players, highly skilled. Now, with the kind of enterprise markets that they have in the Dark Web. So things like ransomware as a service, botnet as a service. Anyone can enter it. You could be 9 years old. You could be 95 years old. You could be male. Could be female. You could be in Western Europe. It could be anywhere. Long as you’ve got some cash and some kind of mobile device. You can get service from anyone, you can take out a service contract and you can have a pop. So you can see that there’s a number of different things happening in that market. The most significant things that we’re seeing is trust has gone away. The prices have radically come down, but for the newer, more advanced, if the price is still up there. So, for example, Android market, botnets is still very high. And Android is quite prevalent platform going back to what we’re talking about with cyber espionage of high net individuals. You can see if you can get applications that are riddled with malware and you can deploy them on things like Google Play or other platforms like, no, it’s not noticed. It will just kind of slow right out there. So you can get a botnet as a service on these kind of devices without, you know.
ANDREW MCLEAN [00:25:50] I mean, this really is not amongst thieves anymore, by the sounds of it. So, okay, so there’s this couple of things I could probably ask about at this stage. Number one, we’re all currently in this lockdown situation. There’s been a rise in shadow I.T. people scrambling to get their systems up and running. Have you seen that’s affected not only everywhere, but security in general?
BHARAT MISTRY [00:26:19] Massive so organisations that were not prepared in any way, shape or form. They’re struggling. You can imagine when the lockdown was announced. So people that hadn’t normally catered for remote connectivity, they’d be saying, no, what do we do now? We haven’t got enough people with devices we can give out. Corporate owned devices. I know what will get them to use their home devices. Then before you know it, people are connecting to the corporate network on non invented devices. They don’t have any kind of anti malware on there. And they’re using that. The other thing is what I’ve noticed is actually communications. So, you know, when you were inside, an organisation can talk to people over the phone, whatever, and that’s fine. But, when you haven’t got a corporate standard for something like collab operation, like we used to do with Teams and like that. We’ve seen people go out applications of their own. Best one that I saw, house party. During a lockout. In that first two weeks, people were using house party to communicate and collaborate not only amongst themselves, but between business partners. And that’s not a platform you would use them. So you think that that’s up, the other thing is, like I said, you know, devices that connect to the network. Especially when an organisation hasn’t given you a corporate own asset. That said that, use your iPod or use whatever you want. And typically these devices are your home device. So corporate can’t enforce anything on them. But you really should have some kind of control on that. And these home devices, you know, I mean, not like my tablet, the high use, for example. My daughter also uses it. She’s on Snapchat. She’s doing it. You know, so you got other people accessing it and then you’ve got, you know, other applications as well. And I think we talked about Teams and Zoom in and kind of house part of this now. But there are also the collaborative and collaboration solutions out there as well. 
People just using I’ve seen a lot of people use WhatsApp, believe it or not, sending confidential files over WhatsApp. You know, it’s a pretty strict guidance policy around that.
ANDREW MCLEAN [00:28:35] Okay well, that’s gonna lead to my final question of the interview. After the lockdown. In fact, let’s talk about the next five years. What the likely targets, where do you see this all going?
BHARAT MISTRY [00:28:50] Yeah, I think the next five years is going to be really interesting. Certainly from a malware point of view then, if you’ve come across deep fakes, but hopefully that will happen more and more. You know, the first around of it will be the evolution of things like come sextortion. So people, you know, previously would have had a tape and they would have tech now. Now, with deep fakes, you can see how very easily you could take somebody else’s image and paste onto another clip and send that out there. And you can use that for, you know, kind of news, viral stuff. And you can get fake news out there as well. I see that happening more and more certainly with the kind of campaigns that will be happening in terms of political agendas. That’s gonna happen more. Also, things like IoT as it becomes more and more prevalent, more and more than usual, I can see that being leveraged. And I can see really cyber criminals making it more scalable than before. We saw one round of it about 18 months ago with things like the Mirai botnet. And that was a fairly simple thing to do whereby homepages were attacked. But we could see with a plethora of open devices out there with IoT that that’s going to happen. The other thing, I suppose. Really is about the geography of where we can see some of these crimes. Certainly Africa is up and coming. If you think about the infrastructure that they have out there, they have kind of there are a point of advantage in the sense that they don’t have any legacy phone lines. I mean, it’s kind of radio based. It’s all high speed Internet is already kind of there. The price of these devices is also coming down significantly as well. And you can see as that kind of market develops in this time, developing more, more digital e-commerce, you can see Africa could be a continent where some of this is going to kick off massively.
ANDREW MCLEAN [00:31:01] Well, it will be very interesting to hear from you again soon to see how some of these things are developed. But, yes, about the interview part is now over. I’m going to do my quick, quick fire psychometric test. The phonology head here, ready for it. So just tell me the first answer that comes in your mind. Are you ready?
BHARAT MISTRY [00:31:24] Yeah.
ANDREW MCLEAN [00:31:25] Cheese and onion or salt and vinegar? You know, salt and vinegar.
BHARAT MISTRY [00:31:26] Cheese, onion.
ANDREW MCLEAN [00:31:30] Yuck. Los Angeles or Paris?
BHARAT MISTRY [00:31:35] Los Angeles.
ANDREW MCLEAN [00:31:37] Kylie or Madonna.
BHARAT MISTRY [00:31:39] Kylie.
ANDREW MCLEAN [00:31:40] I love it. I love it. I love it. And the final one. Private jet or luxury yacht?
BHARAT MISTRY [00:31:46] Private jet.
ANDREW MCLEAN [00:31:48] I like that, answer. I like that answer. You’ve been hanging around execs for too long. Bharat Mistry. You’ve been an absolute fabulous star today. Thank you for telling us all about cyber security, cyber espionage. A very, very wise man. And I look forward to talk to you again soon.
BHARAT MISTRY [00:32:07] Thank you very much Andy.
ANDREW MCLEAN [00:32:09] That was a Bharat Mistry. The Principal Security Strategist at Trend Micro telling us about mobile cyber espionage and all sorts of other things happening in the Dark Web. A very pertinent thing at the moment, but also somewhat frightening thing of what’s going to come up in the future. No, I would just like to say a couple of messages today. First of all, I would like to congratulate a Disruptive LIVE regular that we often have on the show. Mr. Ian Jeffs, who has now taken on the new role as the United Kingdom and Island, Country General Manager at the Novel Data Center Group. So I am now giving you, Ian, an open invite to the show to talk to us about that. I’ll even do the psychometric test. Congratulations. You have been watching The Andy Show today. On Friday, the 5th of June 2020, the time is now coming up to… So the time is now coming up to 3 minutes past the 1 on Friday. I hope we have a great weekend. I hope you’ve enjoyed the show. And until next week, I’ll see you soon.