The IoT Security Podcast explores the Security of Things. The Internet of Things (IoT) is a giant network of over 50 billion connected devices, and it’s transforming the way we live and work. But a breakdown in security will prevent this IoT transformation. Join John Vecchi as he speaks with the biggest names and the biggest brains in cybersecurity, including CISOs, analysts, security researchers, and other industry thought leaders, to give you the information you need to navigate security and threats in an increasingly Thing-based world.
Join us on the IoT Security Podcast, powered by Phosphorus Cybersecurity.
https://phosphorus.io/
John Vecchi:
Well, hello everybody. You're listening to the IoT Security Podcast live on Phosphorus Radio. I'm John Vecchi.
Brian Contos:
I'm Brian Contos, and we have an amazing guest today coming all the way in from Southeast Asia by the name of Vig Moorthy. Welcome to the show Vig.
Vignesa Moorthy:
Morning. Thanks to be here.
John Vecchi:
Welcome, Vig.
Brian Contos:
We know this is very early for you, but we're so glad to have you on the show. Vig, as we kick things off, maybe you could give our listeners a little bit of background about you and how you came up, how you got into cyber and what it is exactly you're doing today.
Vignesa Moorthy:
Well, I run one of the telecommunications companies out of Singapore, and we've been providing fixed data services to companies in Singapore, Malaysia, across the region really, for probably the last 20 years. I would say probably about four or five years ago, as we see more cyber issues and more network challenges, there was a convergence or we see a convergence or more demand for network security services, and we started our transformation, in terms of our pivot, in terms of the services that we provide to our customers, in looking at how we could secure our customers' infrastructure from a network standpoint.
So, today we have, I guess to a certain degree, what is now called a SASE solution that we deploy for some customers across the world, and some very interesting customers out of Singapore, and also now across the whole of Asia where we connect numerous branches or sites into our security pops, which are located in the various countries, and we secure that traffic using different technologies, comprising of firewalls, IPSs, before that traffic can go out. I guess I had the opportunity too to catch up with one of your colleagues probably a couple of months ago, and he was introducing to us the concept of being able to mitigate ransomware.
I thought that would be an amazing add-on for us to offer to our customers, because at the end of the day, when we sit down and we talk to our customers, what is the biggest fear that most enterprise organizations have? One of the biggest fears is, in essence, the disruption to the business, if a ransomware event were to take place. If you take a restaurant for example, if that point of sale goes down, then it's going to be quite challenging in terms of how you're going to complete that business transaction for that evening, or in the so many different parallels for so many different businesses of the disruption that would happen just from an event like that. So, I guess that's what brought ViewQwest to you, and we're very excited to see what we can do moving forward.
Brian Contos:
No, absolutely. I think you really touched on a couple interesting points there. Just this evolution of the classical Telco to now having SASE type services and MSSP capabilities built in. It's more than just a delivery of pipes. I've been doing business throughout Asia, but particularly in Southeast Asia now for over a decade. I've spent a lot of time in Singapore and it seems to be Singapore, Malaysia, Indonesia, Philippines, Thailand, that whole region seems to be very open-minded when it comes to, "Yes, let's embrace MSSP services to complement and help address our security needs." Juxtapose to, "Let's just try to do everything in-house without any expertise and complementary services," that potentially you see in other regions. Do you find that that's becoming more of an accepted practice now, leveraging the expertise from groups like yourself that are providing these expert level services?
Vignesa Moorthy:
I think that's very much the trend or what's happening out here. The reason for this is a couple of different things that are happening. One is basically you've got many different countries with many different cultures, many different languages, and there's a massive challenge when it comes to the talent pool in the cyber space. These companies have to focus on their own businesses and they have to stretch that dollar, and even more so with the current economy conditions of what's happening today, it's just very challenging to have to find the right people with the right resources for these companies to have in-house, and it just makes sense for them to work with a managed security services partner like us where we are able to deliver outcomes as opposed to them having to put together solutions, and then there's a whole... Everything's disjointed and disconnected just simply by coming to an organization like us.
We've got experience of having done it for other organizations, we see where things potentially create roadblocks for other customers, and we're able to share those findings with customers that come on. When we do process improvement on one side, then that translates into process improvement for all the customers that we provide services to. So, definitely we see this as not at all a challenge or barrier in terms of customers taking up the service, they actually see it as a big value, and at the end of the day, we are able to deliver this outcome to the customers at a lower cost than themselves, which is what makes the most important thing at the end of the day.
John Vecchi:
Yeah. Well, and it's interesting, I think, you can see there's a gap, there's a knowledge gap and a security gap with resources, and it's worldwide. This gap isn't something that's a challenge only to North America, Europe, it's clearly there, and with that security gap, that's why managed services like yours can be tremendously impactful to organizations. Vig, talk a little bit about... You talked on you focus a lot on network side, you see just we're in a 5G world now, then you look at the security side, you mentioned things like SASE, you have managed detection and response, you've got the internal and external attack surface management, you have all these things that can touch on the network side.
Can you talk about some of the biggest challenges you're kind of solving from a network perspective? Furthermore, how do you see... Some call them edge devices like these smart connected devices, this is an IoT Security Podcast, we talk a lot about these xIoT devices, to when did you start seeing the connected smart devices come into the fold of all the other things you're kind of solving from a network perspective? Can you talk a little bit about that?
Vignesa Moorthy:
Yeah. So, okay, couple of things, right? I think coming back to this whole Asia challenge or paradigm. In the US, in Europe, you've got your various cloud service providers that basically have compute, which is quite close to the end users. So, when you have these large brand SASE providers that are able to go out there and provide subscription services for securing customer networks, the ideology of, if I've got a hundred branches or a thousand branches in continental USA and I don't trust any traffic or data in transit, now that data in transit from my branch could be not only my endpoints, which would be my desktops and laptops, but what would also be my whatever IoT devices are in the organization, as basic as IP cameras, telephones, photocopiers, printers, whatever that might be. We are able to secure that very easily to a certain extent because these security pops exist in relatively close distance to where these locations are located or the sites are located.
Now, you take Asia for example, and you start from China and you come down all the way to India, and the prevalence of the cloud service providers is simply not there. You've got some compute locations in Singapore, you've got a couple in Japan, and maybe something in Hong Kong, and then we take a very rapidly growing market like the Philippines, and the Philippines, let's say, I've got a logistics customer that we work with, and he's got almost a thousand branches across the country, and any traffic that he would like to secure has to go all the way from the Philippines to Singapore, U-turn and go back. So, from an efficiency standpoint, the customers' challenge, I mean, this doesn't just doesn't work for me, because it's just putting a network latency impact on me, number one.
Number two is the size of these branches in comparison to what goes on in the west is drastically different. So that translates into revenue generated per branch or per employee being very different. So, therefore the budgets that are available to allocate to securing again becomes very different. So, when we build these security pops, which then allows us to inspect all traffic which is originating from customer network, or while they work from home or while they work from remote, and that traffic is traversing our security pops, then it allows us the ability to inspect what's within each branch, allows us to discover all of these unmanaged devices very quickly, very easily, give customers that visibility of, "Look, this is what is happening in your infrastructure," and across the entire footprint of that infrastructure, it allows us to potentially manage those devices, show customers where the gaps are in terms of the security posture, and further enhance that security, right?
Because today, in essence, if that endpoint isn't Windows or a Mac device, or let's say a Linux to a certain extent, you really don't have anything that enables you to mitigate challenges in that environment. So, I think the fit... We are very ideal in a very ideal situation, where with all of that customer traffic, in a sense, traversing, having to pass through our infrastructure, we are in an ideal position to help our customers secure that.
Brian Contos:
Yeah, that's really interesting. You hit on some really key topics there. When we at Phosphorus sort of look at our world of customers, it's in three distinct but yet overlapping groups, it's the enterprise, it's Fortune 500, Global 2000 type businesses, which can be financial services, it could be a healthcare, insurance, things of that nature. The other side are the industrial manufacturing and critical infrastructure, SCADA type environments, power and energy, oil and gas mining. The third one are government agencies. Depending on the countries, sometimes the government agencies are very much interwoven with the other parts, in some countries they're a little bit more separated.
I'm wondering, because you do operate in so many different countries and you're helping them address their security risks, do you see differences in terms of what they're concerned about, enterprises versus critical infrastructure versus government? Or, is it really just the same stuff? Is it the ransomware that they're concerned about? Is it really just the nuts and bolts security? Or, do you see some specialization across those three disparate areas?
Vignesa Moorthy:
I think fundamentally the primary theme that we see in every location is really the concern around disruption to operations. Whether a device gets compromised, whether something gets ransomware, it's really about disruption. Then naturally you would have, I would say, your much larger, your Fortune 500 type companies or your government agencies, where there's a bit of focus around data leak prevention. They don't want their customers' data or state data getting out. So, there's a little bit more focus on that. But, I think to a great extent, because of the size of Southeast Asia in that regard, the largest industries really are made up of your small to medium enterprise.
There the primary issue is really around disruption to operations, and then also naturally, if something were to happen to any other organization, then it's brand risk. The people have entrusted... I mean, we take something very simple as maybe childcare or early children education, where you might have CCTV cameras there to assure or provide comfort around the fact that your children are in a safe environment. Now, if you don't have the right cyber posture or the right cyber hygiene, then that infrastructure that you deploy to so-called provide us a safer environment has just done the exact opposite.
So, I think there's a lot of different verticals there, but fundamentally, I know what I see is really around disruption to business and protection. Protecting the brand reputation. People have loyalty programs, all sorts of these things, and every other day we see such and such organization has had a massive data breach or data leak and things like that, right?
John Vecchi:
So, what are some of the... Yeah, it's a great point, and there are many attacks, and you talked a little bit about, obviously, there's big concerns today on the ransomware side, and we're seeing prevalence of those types of attacks as you move into the xIoT, the IoT kind of side, you've got botnets like Mirai, we've seen attacks like QUIETEXIT now. Are there specific exploits and things you're finding, Vig, over there, that you're particularly focused on or that you've seen or that are prevalent more geographically around Asia and your geographic area, that might be a little bit different than what we're seeing in some other regions?
Vignesa Moorthy:
What we do see across multiple organizations, or what we do hear of, that the two fundamental things is always data breach. Data breach due to just poor hygiene. They've made a mistake, they've failed to secure this, or they failed to secure that, and as such, a whole bunch of customer data is available for sale on the dark web or something along those lines. Then the other thing that we see is always the trigger that makes a lot of organizations come and say, "Look, we need to do something about our endpoint security." The moment somebody comes and says that, we know they've been ransomwared. In the past, they've always maybe they've been a bit dismissive about the need to do that, and now that it's happened, then they now realize that that's an issue. So, then when people come and start having these discussions, then we know fundamentally it's around that event. Also, in the past, you'd have organizations that don't necessarily understand the implication. This may be not so much in IoT, but we see this a lot in retail, F&B.
I'll give you an example. Maybe a fried chicken, right? And you have several thousand outlets in the country, and they have a point of sale and they might be running some sort of endpoint security on that point of sale, and they believe they don't need anything else because that endpoint security is going to prevent any malware from coming in and executing. But, then they forget or they don't realize, operationally, the people who work in that location refuse to reboot that point of sale machine because they're afraid the machine won't come on and then they've got to find IT and then somebody's going to blame them. So, as long as that machine doesn't get rebooted, unfortunately that endpoint doesn't have the latest update and you don't have security, my friend.
Brian Contos:
Isn't that the truth?
Vignesa Moorthy:
Right, yeah. Yes. We see this, and that's scary. So, people having this false sense of security, and it's just unfortunately just the level of maturity, in terms of my cyber risk or what needs to be done, is just lacking. So, this is where as a managed security services provider or MSSP, this is a value that we bring to our customers in terms of understanding their landscape, seeing what challenges... Operational issues, when they sit down and they tell us something like that, and then we can ask the right questions, because some vendors come in there or some resellers has come in there and said, "Look, if you install this, you're safe." The ability to question and verify just isn't there. That is, I would say, that is the big problem in Asia, the lack of understanding, or that visibility of realizing, "What is my risk?"
Brian Contos:
Yeah.
Vignesa Moorthy:
Yeah.
Brian Contos:
Yeah, and I think we're actually seeing that worldwide. I mean, it's interesting. So, when we talk about xIoT at Phosphorus, we really think of three different groups. The first one is enterprise IoT, these are your printers, your security cameras, your door locks, your KVM switches, lights-out management, traditional IoT stuff. Then we see the OT, SCADA stuff, digital equipment that controls physics, flow, volume, voltage, usually for power and energy, oil and gas, mining, transportation, and then it's the network devices, the layer 2 switches, the wireless access points, the network attached storage, the load balancers, and all of those devices are purpose-built hardware and software, although most of them, almost all of them are running Linux or a Linux variant. We see a lot of Ubuntu, BusyBox, Android, which is a Linux variant on the network side, maybe BSD, and on the OT side, realtime operating systems like VxWorks and other things like that.
But, across those three categories, the one that I find the most interesting in terms of adoption rate, because we see about three to five devices per employee and organization, so a company of 10,000 people will generally have about 30 to 50,000 xIoT devices. For retail, it's actually a little bit higher. For law firms, it's a little bit lower. But, for critical infrastructure, it's quite a bit higher. But, that's an industry that historically has been a little bit slow in terms of adopting what we might consider pretty mainstream cybersecurity controls, whether it's endpoint or network or discovery. But, it's also one of the areas that's most vulnerable. You talked about disruption, in some cases they're literally keeping the lights on, or keeping airplanes in the sky or trains on the track.
Vignesa Moorthy:
Yeah.
Brian Contos:
Are you finding that that particular group, that we'll just put under the umbrella of critical infrastructure, are they starting to come around, do you think, as it relates to just general cybersecurity best practices and being able to leverage those controls and their environments to mitigate the attacks that we know are now getting into OT environments from traditionally IT environment? Is that something that's occurring or does there just have to be a lot more awareness and education in that industry throughout Asia to get people to understand those risks?
Vignesa Moorthy:
I'd say, look, I would divide it into two very big camps. I think you've got potentially your mature economies in Asia that would save you critical infrastructure, power plants. I'm working with a consultant or a contractor that's working on upgrading the infrastructure at one of the airports in the region, and a lot of control systems around aircraft landing lights, all the taxiways and things like that. Traditionally, these networks were basically, in a sense, completely disconnected from the rest of the world. As these networks get connected, the organization that operates the airport is aware and wants to address how they're going to secure that infrastructure. Then on the other side of the curve, you've got probably other countries in Asia where maybe they're not as wealthy or have as much disposable money where these are not a priority yet.
It's not because, I guess, that they don't take things seriously. It's just from a standpoint of where they are on their economic journey, and whether they're in a position to do that yet. You've also got a whole bunch of other organizations or locations that the awareness is just still so lacking. They don't realize the implication. I guess more and more we see this, we hear all stories of power generation facilities being ransomwared or being held hostage because some compromise was done through IoT, xIoT, before, to bring that infrastructure down. So, I think, fundamentally, there needs to be a lot of education and a lot of awareness around how to secure this infrastructure, because these people are not... I guess, the education and the realization of the implication, it's just not there. I've walked into many, I guess you'd call it a building control room, or where they have the lift controls and the HVAC controls and all the cameras, when you've got a security guard or two security guards sitting there, and it's not uncommon to see the username and password stuck on the monitor screen.
Brian Contos:
Yeah.
Vignesa Moorthy:
[inaudible 00:25:06].
Brian Contos:
Yeah. Their security, it's under the keyboard. Now, you brought up a really excellent point about their economic journey, and I've had this conversation with healthcare providers actually at a very large hospital, and they were telling us, "Look, every dollar that we spend, that's not on the patient care or the patient experience, whether that's doctors, nurses, MRI machines, the technology that's directly serving the patient, every dollar we don't spend is a dollar we can't give towards those patients. So, a dollar spent on security, that takes a dollar away from there." So, it's this balancing act, right?
You were talking about these new infrastructures that are being implemented that are now online, they're connected for aircraft when they're landing, obviously very critical. But, the interesting thing we're seeing across these, and I'm glad you hit the point about education awareness, is most of these devices, again, they're Linux servers, but the sad thing is we didn't really learn when we started developing these 50 billion plus xIoT devices and throwing them out into the world, we didn't really learn from IT, because they have default passwords, most of them run old firmware, they're filled with vulnerabilities, they have shared libraries and white labeling and all these other things that just make them an absolute nightmare, multiplied by the sheer volume for organization.
I mean, we have big box retailers that you can walk into, and you might be in a single store, that single store might have 10,000 xIoT devices, and if you think a half, let's say, half, 5,000 of them, they're Linux servers with default or no passwords, that are connected to everything else, and you start talking about data exfiltration, a way to implement ransomware, and they're great places to hide. You can maintain persistence, you can evade detection, because now you're on a whole bunch of printers, you're on cameras, you can use that to attack IT assets, and it's interesting to talk about.
But I tell you, we're involved in a lot of IoT villages, and we've been demoing this to people where we actually hack into robots, and industrial robots for manufacturing, we show you what you can do. Instead of shaving off the metal so it's one millimeter thick, now it's two millimeters thick, so it passes QA, it goes into production, and maybe this car part fails 5,000 miles down the road, and now they're going to have to have a massive recall, or using a security camera to attack cloud-based assets or local exchange servers and things like that and steal data.
It's such an eye opener for so many organizations. They're like, "I had no idea that all these little 'smart devices' could cause so many problems. Where do I start?" And then it's like, "Well, how do I get my arms around this? What do I do? Where does this follow my cycle?" It seems to be it's opened up a new Pandora's box as it relates to security, because we thought about network security and endpoint security and application security and data security. While we were doing all that, the bad guys were thinking, attacking printers, attacking security cameras, attacking robots, and I think we missed something. There's a few years in there where the bad guys, the malicious nation-state actors and the cyber criminals, kind of have an edge over organizations that aren't looking at that.
So, I guess my question there is, and where you and I are about to embark on a very large tour through Southeast Asia meeting with a number of customers, but this is what we're trying to get people aware of and let them know that this is a problem, you're probably being compromised already, I know you have 50,000 other problems you need to deal with, but this has to be on the list and probably has to be a high priority. Do you think there's bandwidth and do you think there's economic readiness for organizations to say, "Yes, I get it, this is a problem. Please, how can you guys help me? How can you provide your expertise as an MSSP with these advanced services to address these threats?"
Vignesa Moorthy:
I think definitely there's room for this, and I think our ability, for any of our customers, with them putting in very little effort, or for us to be able to give them that visibility and help them secure that infrastructure. On that same note, we see it's not just in the enterprise environment, and maybe regressing a little bit into a bit of the core DNA of ViewQwest, which is we provide fiber to the home, fiber to the curb, fiber to the office, which is in essence, we have a whole lot of homes connected to our network as well. At home, I have 50 IoT devices, smart switches, smart sprinklers, smart this, smart everything, and the only time you really set it up was the day you bought it, and then it just gets forgotten into the background.
Yes, okay, my home might not be a high value target, but I think something that we've all realized with this whole work from home is we now bring that office sanctioned device home or that office sanctioned mobile device home, we connect it to our local wifi networks, where there's a whole bunch of devices that nobody's looked at for forever. One of the very interesting use cases for us, in terms of looking at ourselves as a telco, was we could start scanning our networks of customer connected edge devices just to be able to go tell customers, "Look, you've got a router that's connected to us, that maybe it's four years old, and hasn't been updated, and there's a whole bunch of flaws or vulnerabilities." Just that's that kind of thing.
Something else, another kind of change that we are trying to drive across the industry, or at least in this part of the world, is we believe that telecommunication service providers or internet service providers that carry customer traffic or provide internet access to customers, have a role to play in terms of inspecting that traffic and alerting our customers if we see things that are not the best. So, if you see botnet traffic or you see some sort of a threat. Not that we have to provide the best IPSs or provide things like that, but in essence, some sort of visibility, it's very easy to see if you've got a whole lot of traffic going to a particular IP address because of the command and control, and to actively do something to block that, because you're achieving two things. You are protecting your customers to a certain extent, and you're also making the internet a safer place.
If you draw other parallels, if you're a nation-state and you operate border control, then you are selective or you control who comes in and goes out, because it's going to affect the security of your country. Same way we do it for our homes or our offices. But, as telecommunication service providers, we don't do any of that. So, I think the contribution or the participation to increase cyber hygiene does lie with the service providers as well.
John Vecchi:
Yeah. To that extent, Vig, is there more pressure from service provider, MSSP side, to be able to more effectively discover all of these various... Again, there's so many of them, Brian went through how many, they're smart devices, right? And then often as we say, if it's smart, it's likely pretty vulnerable. But, you've got all these devices and there's commonalities through them. They can't run endpoint in an agent of any kind, right? They speak TCP/IP, they're connected, they're network connected, they're purpose-built, they're like mini Linux servers and all these things. But how do you find them, right?
You talked about the fact the password's right there on the device, 50% of these things are deployed with default credentials, and the other 50%, if they've ever been changed, were changed when they were deployed. So, essentially, it's a hundred percent of the devices are running with old credentials, if not default, firmware's seven years old. They ship half the time with CVSS scores of eight to nine to 10. I mean, they're a mess, right? But, in many cases, how do you find them? Is there pressure on an organization like yours and others today now to start understanding what these devices are, that they exist, even in a home, in a business, in more of a kind of operational technology environment? Is that part of a challenge that you've seen?
Vignesa Moorthy:
Unfortunately, this is something that I think we've been trying to lobby for in some of the countries that we operate, and we're just not seeing the right pressure to basically offer this service. I think, to a certain extent, what's happening is we are going out there and differentiating our offering in comparison to other service providers, by providing a safer internet or a cleaner internet for our customers. So, I think the way the industry is evolving is really, as opposed from a regulatory standpoint, to say that you need to do this, the approach has been if your customers see value, then you're going to do better than your peers. So, on one side that's happening.
But, I do remember, I do recall seeing a paper coming out from the regulators in Australia, which actually stipulated that the service providers or telecommunications companies, that provide connectivity to the small and medium enterprise and the home's consumers, need to provide some basic level cyber protection because these are the most vulnerable group, because they unfortunately are the least aware and the least in a position to invest in something to protect themselves. Your small startup SME that's maybe doing, I don't know, waffles or something like that, the first thing is really about get that right recipe, get the food out, and it's a small business owner, that's the last thing on your mind. So, if I'm getting that internet connection from my cafe, from a responsible service provider that does some of the basic things, I think the whole industry can move towards a safer place. Because at the end of the day, for a service provider to invest in that infrastructure and then have that spread across thousands and thousands of customers, the economics start to make sense.
Brian Contos:
Yeah, absolutely. I know that's a hot topic amongst providers. Is it just a big open pipe or do we have services on top? What if we cause a problem? And where's liability? But, it's definitely worth discussing, and sometimes what kept us secure has stopped working, and we need to rethink things and see how we can address this, now that you got all these... Like you said, "If my business is making waffles, I probably don't have a full-time security guru on staff to help with that."
Vignesa Moorthy:
Yeah.
Brian Contos:
Well, Vig, as we wrap up here, I just have one final question for you, and we could certainly go on for hours and hours, but just any words of wisdom that you want to leave with our listeners here as it relates to some steps that they could take to have a more secure living on the internet and just keep themselves and their organization and their devices safer? I'm sure you've been exposed to lots of different use cases and stories, but any simple steps that people can take?
Vignesa Moorthy:
I think, a lot of people, when they think about these things, they feel it's such a huge problem that they need to take steps to help manage. But, there's a whole lot of service providers out there that really can help you secure your infrastructure from a very easy standpoint, by adding a small fee on top of what you do, be it whether you're a small office, whether you want to secure your home services and things like that, there's whole bunch of, I think, emerging companies. If any of you need any assistance out there, more than happy, please reach out to ViewQwest. I think we've got some very effective solutions that can fit various organizations' needs, and we'll be more than happy to help you guys out on that journey.
John Vecchi:
Yeah, that's great, Vig. I appreciate that, and fantastic discussion. Thanks so much for joining us today. To that extent, where do we have listeners? Many of them may be in Asia Pacific, Southeast Asia, in your area. Let's tell them where they can find you. What's the best way for listeners to find you and your company and your services if they need that?
Vignesa Moorthy:
The best way probably, hit over to our website that's www.viewqwest.com. So, viewqwest.com, and you can drop us a line there, and somebody will be in contact with you.
John Vecchi:
Awesome. Well, thanks so much again, Vig Moorthy, for joining us, and to my co-host, Brian Contos. Thank you so much for joining us today, Vig.
Vignesa Moorthy:
Thank you.
John Vecchi:
Remember everybody, the IoT Security Podcast is brought to you by Phosphorus, the leading provider of proactive full scope security for the extended internet of things, and until we meet again, I'm John Vecchi.
Brian Contos:
And I'm Brian Contos.
John Vecchi:
We'll see you all next time on Phosphorus Radio.