Episode 16 December 2, 2016
ERP016 - Internet Security w/ Christopher Calvert
39:42
Security isn't about technology, security is about human adversaries in some form of conflict.
Show Notes
New threats are emerging on the internet. Just in recent months we have seen shockingly more mature attacks on the internet. State-sponsored cyberwar tactics are being brought into the public eye. Last month we saw one of the largest DDoS attacks ever recorded. So I wanted to chat with a friend of mine that has deep roots in the Internet Security industry and get his thoughts on the rapid evolution of the security industry.
Welcome to Evolve Radio where we explore the evolution of business and technology. My guest today is Christopher Calvert, who is an information and internet security professional with a deep, deep experience protecting very large scale infrastructures for some of the largest companies in Canada. Chris has a depth of knowledge around this space that I find really fascinating and wanted to talk to him about some interesting events that we've been seeing in this space recently. Today we talked about the evolution of the cyber security industry, as well as state-sponsored cyber attacks and the rise of the IoT botnets. Chris has a unique perspective on the development of this space and I really hope you enjoy the conversation. If you enjoyed the show, be sure to subscribe on iTunes, Stitcher or wherever you get your podcast from. Also, be sure to check out the webpage evolvedmgmt.com/podcast for show notes, links to my guests and to check out previous episodes. Now, let's get started.
Today we have joining us Christopher Calvert, information and security expert with professional experience of 15 years, so welcome Chris and thanks for joining us.
Hey Todd, thanks for having me.
So, if you would, maybe just start on a quick background, one or two minutes on your journey to where you have come from and how you got to where you are in a pretty high level in the security industry.
Sure, absolutely. Um, so I mean like uh like a lot of people who have been doing security for some time, uh I didn't really have an orthodox path. Uh times have changed quite a bit, but really when I started in on it, I was driven by by interest and passion as opposed to we'll say formal professional training or anything of that nature.
Um, really I came in from uh you know, an internet operations and system administration background, primarily Unix systems and that gave me quite a bit of insight into what was going on in the industry in terms of dealing with this emerging thing called security and uh abuse of different communication services. And uh from there I I chose to focus my career on that. Uh you know, 15 years ago and took the took the step from sysadmin to security professional and uh, you know, from there I've I've touched a fair bit of different topics within information security, but mostly focusing uh at least within the last, I'd say seven years on what most people would consider to be offensive security, which is kind of the uh the aggressive finding and proving out of flaws and systems.
Would most people sort of understand that as black hat security or is that not necessarily the correct term for that?
Uh, that's a that's a great question. So there's a there's a lot of debate on terminology and I wouldn't say there always has been, but it's definitely been there for the last uh last several years. Um, you know, terms like like hacker versus cracker and things like that used to be pretty well defined uh a long time ago, but uh, you know, popular media, news, things like that have really blurred the lines between things like a hacker and a cracker. When you start to get into a hat color, um, you know, black hat usually denotes somebody who is, you know, malicious or criminal in nature or or something along those lines, whereas a white hat hacker would be somebody who exclusively uh does their work for for good. Uh and a gray hat kind of blurs the lines as you might expect. So, uh, you know, I I've definitely been uh on the, let's say the the paler end of that spectrum. Um, a lot of the skills are the same though, which is why sometimes it's it's a bit difficult to to tell the difference.
Uh tactics and techniques might be the same uh and often somebody who is trying to do security for uh for good, so to speak, is going to use some of the same tools and some of the same same techniques as uh as a quote unquote bad guy might.
Yeah, it's sort of a an interesting interplay between the two that uh in order to know the mind of a criminal and depending and defend against it, you kind of have to get into that world as well, right?
Yeah, and and not to not to get, you know, morally relativistic or anything like that. Um, you you do definitely need to understand the mind of the adversary. And and really when we're talking about offensive security and understanding uh, you know, the adversary, we we we use those terms. We use the term adversary. Uh, you know, we use the term threat actor. Those are really non-judgmental terms and I think it's it's important to understand that. Uh, you know, life is full of conflict. Uh, business is full of conflict, it's not necessarily malicious or or mean natured, but um, you know, you end up in various various aspects of life, just pitted against adversaries. And uh, you know, you need to understand those adversaries if you're going to be able to to win the game, so to speak.
Yeah, it's something that I find fascinating about security in the modern age is that it used to be uh I've described this before that it was more about notoriety that, you know, people just wanted to it was like like uh like tagging, like um uh graffiti in the past. You know, if you could get uh your logo and your banner running across someone's someone's machine or across their website, that was enough. And now it's a criminal enterprise and it's so there's there has been sort of this continuum of how uh the the security industry has developed.
How would you see kind of that evolution of the security industry since you've seen it, as you said, you know, it was it was more of an emerging field when you first got into this and you've you've kind of been along for the ride, what's been your view on that evolution over the time?
When I started doing this stuff, really, it was all about uh for lack of a better term, abuse management. Uh at ISP. So somebody offering sort of some sort of internet connection would have to deal with uh with abuse of service. And and bear in mind, abuse of service is defined by the service provider. Not necessarily defined designed uh or defined historically by law, uh that that's something that's emerged much more slowly. But uh service provider really defines what's acceptable on the service, what isn't, and uh they need a way to manage it and uh, you know, some some have had more success than others and uh, you know, reputations get earned based on that success or lack thereof. Um, you know, when so when I started, really, you're dealing with the proverbial uh, you know, 12-year-old hacker in the basement that is poking around and scanning NASA and getting caught doing things like that and uh earning attention from some very powerful folks. Uh, you know, without necessarily having an overtly malicious intent or or criminal intent, uh, but definitely doing something that their their targets didn't appreciate. And like you've like you've intimated, that's really changed. Uh, there's money attached to it. There's a lot of money attached to it and uh now there's there's very, very organized, very capable uh criminal organizations that are involved in uh, you know, in in hacking, so to speak. There's uh, you know, there's nation state level stuff, it's it's moved into the the realm of uh espionage and uh, you know, tradecraft, national security and national defense, even offense against uh an adversary.
So it's it's really spanned that uh that journey from completely unprofessional, uh amateurish, uh, you know, just poking around, closer to the traditional definition of hacking, um, right out to to full-on nation state activity with full geopolitical implications.
Yeah, that's one one of the parts I found fascinating, certainly in the past year or so, that what used to be uh very discreet espionage and, you know, you can assume that a lot of the stuff was going on for years in the background. But it almost seems like that a lot of the planning and and sort of the preparatory uh uh uh work that the states are doing around launching cyber attacks and defending against cyber attacks is somehow public. Uh is that saber rattling or is it just that, you know, we're in in an information age and it's more difficult to protect? Or, you know, what what's the interest or or the the progression from this stuff being done under covers and and discreet to now being more in the public eye?
Awareness is key. Uh, I think you you really hit the nail on the head right off the bat, uh, it's it's coming into the public eye. It's not that this kind of thing hasn't happened before and uh, you know, if you watch you watch James Bond movies from the point at which James Bond movies were being made, uh, you know, there was really no such thing as a personal computer then, literally there was no such thing as a personal computer then. Um, and you see you see spies and you see tradecraft, you see human adversaries pitted against each other. Um, and as those as those movies, as that movie franchise went on, you see uh, you see an arms race in technology, you see almost even the same story told again and again and in some cases literally with Casino Royale.
You see the same story told again, but modernized with with new technology, uh, which means new tradecraft, right, new skills are necessary, a new baseline of technical expertise, uh, you know, is is required in order to achieve the objectives in in some sort of conflict like that. So, I I I tend to think of things in those terms, in terms of of adversaries, in terms of conflict, uh, in terms of move and counter move, um, the the security profession has had to go along the the journey as well in understanding the level of maturity involved in those conflicts. And now we need to understand at least at a very basic level, some of the concepts of a game theory and and things like that. Whereas before, you maybe come out of a a system background like I did and uh, you might have to understand a little bit of information theory or things like that and it's really more a matter of of engineering and computer science. And now there's game theory and chaos theory and all these really awesome esoteric things that uh theoretical mathematicians and physicists tend to really do well at. Uh, you know, so it's and and then of course there's there's the emergence of geopolitical motivations, right? So you start to get into a bit of uh a bit of history and uh things like that. It's it's become very, very nuanced.
So that that's um the one that we've seen fairly recently was there was there was quite a bit of public attention drawn towards the US and Russia kind of posturing certainly through the course of of the the US election. And there was there were kind of these rumors around the US and Russia prepping kind of a cyber cold war where that's why I kind of alluded to that saber rattling. You know, they're saying, you know, we have plans, we could launch a cyber war against uh Russia or the US and uh just to to sort of state that they're prepared and ready if if anyone wants to make the first move.
And there's even rumors that that uh Russia was making an active effort to tamper with if not at least the psycho the psychology of the US electorate. If not, you know, the systems, um, any thoughts on on sort of that, either for at the sort of the the state uh pissing match for lack of a better description or the uh uh the influencing the election and and whether or not we'll continue to see actions like that from states.
Uh, so I guess first off, um, that's not even remotely new. It's just we're seeing a different aspect of it with with the the technology. So, so the the types of conflicts uh that we've seen for decades, uh and and I'm sure longer, um, they're just being expressed in in constantly evolving ways. And uh the technology at play forces the the ways that it is expressed to evolve. And really the adversaries don't have a choice, right? So you need to you need to wage the the conflict on the the battlefield that you're presented with. And that battlefield includes all these information networks and telecommunication systems and uh, you know, just a a very set of complex systems that require it to be uh for lack of a better term, more and more of a a cyber conflict. Um, there's a lot of controversy over the term cyber, I would say more than you have with hacker versus cracker from back in the day. Um, a lot of a lot of information security professionals really bristle at the the use of the term cyber. Um, and uh, you know, the thing that I think it's important to realize is that it it does have meaning, it has meaning not within the last three years, but in the last several years as the emerging area of uh military doctrine. Uh, it's one that that nation states are really, really struggling to understand, understand the context of uh, we'll say effective conflict. And uh, even international law, uh, you know, it's it's definitely not something that is is new. But again, awareness. So the the saber saber rattling constant.
Uh, I mean even even the term harkens back to the old days when there were physically sabers being rattled. Um, I don't want to accidentally coin a term, but yeah, there's a lot of cyber rattling now. It's.
There we go, it's out there.
No, stop, delete, delete.
Um, one of the things Chris that I've noticed, you know, I led a security group in the past and it was sort of one of my first real introductions to what happens under the covers and and deeply understanding what's at stake and what's being protected and generally the level of risk. Uh and I have to say it did make me a little more paranoid for a period of time. Uh you work at a pretty high level at at this work, does it make you paranoid or fearful for so the implications of of sort of the larger uh more uh uh state actor attacks and the implications that that could have for kind of modern life? How do you get past that worry?
Yeah, I'm going to do something else which I think I'm going to regret. Uh, so as the as the the the great sage Kurt Cobain once said, just because you're paranoid, uh don't mean they're not after you. Um, and uh, so I I don't I don't like to consider it paranoia. Certainly to non-security people, uh, most security people, if not all of them, appear to be paranoid. Um, like super paranoid. Um, but uh, I think it's I think it's uh, it's something that happens with awareness. And I think the the baseline level of we'll say concern or or even anxiety, most of the the general population, uh, you know, at least those that that read and and watch the news, um, they they're getting more and more concerned, more and more anxious, more and more paranoid. Um, I think the difference between paranoia and the difference between uh, we'll say justified concern is is really bridged by accuracy. Um, as as a professional in the space and and doing this for some time, I think I've got a uh a very accurate and very objective uh view of of the world and of the the technologies and the conflicts in play.
Uh, so I wouldn't say I'm paranoid. No, I would say that uh I see threats that the vast majority of people don't see. Uh, but that's true, I think of of any professional that has uh has a view into a world that that just most people don't. Lawyers understand the implications of of various things, uh law and uh extra legal quite, you know, quite well and in a different way that non-lawyers do. Um, you know, people with a really robust business background or finance background understand the implications of some of the things that go on in in uh the economy much better. Uh, you know, historians understand the the long-term implications of the past and see patterns repeating that the vast majority of people simply don't see.
And I think I think that's sort of what I'm alluding to is that uh, you know, you understand probably better than most or the the sort of the level of uh practicality around, you know, a full scale uh uh digital war. We'll move away from cyber if you like. But uh, you know, a digital attack that could potentially cripple say a power grid and, you know, that the and the level of implication on that, you know, putting millions of people in the dark for days and potentially weeks on end could have seriously crippling effects to society and the economy and things like that. Uh, you know, is that just sort of the state of the world and, you know, it's like policing, you know that there's bad people out there, but you have to hope that that and trust that people are also working just as diligently to protect you. And I I also feel like this is maybe a bit of um sort of the MAD, the mutually assured destruction methodology from from, you know, borrowing again from the Cold War, that no one has a good interest in launching one of these because there's a self-detriment that's built into attacking any other economy on a digital scale. Is that maybe where some of the comfort is is baked in as well?
Um, I think that I think that we we need to take a bit of a different assumption rather that the these sorts of attacks are sort of constant conflict. Uh, is happening, has been happening for longer than we've been aware of it, uh, will continue to happen. Uh, and and isn't maybe the Doomsday scenario that that some people uh fear it is or maybe have a vested interest in portraying it as. Um, you know, there's there's been a lot of there's been a lot of conflict in the world. That's that's not news. Um, I think what what is interesting and what not a lot of people know is that uh targeting communications. Uh and the the the integrity and confidentiality of communications has been a concern for for a very long time. Uh, I mean, encryption is is not new. Um, if we even go back to the the last huge conflicts in the previous century, uh, I think some would argue that the battle was won for the allies uh because of the ability to break uh Axis crypto systems. Uh, and that happened on on really, you know, both Atlantic and Pacific uh sort of spheres. Um, you know, the all the stuff about uh, you know, breaking the Enigma machine and and cracking uh, you know, Japanese communications. And then taking advantage of it, uh, you get into kind of the realm of uh of intelligence and counterintelligence. Uh, you know, once you've cracked cracked a crypto system, you can start perhaps injecting false information in, uh, and watching for the moves of your adversaries. Uh, or perhaps leading them towards specific moves that play out in your favor. And that that's exactly what happened in the Pacific. Um, you know, the other thing and and, you know, cycle back a little bit to the idea of awareness. Just looking at at a book here from my bookshelf. So, if you want to get an idea of how long the debate has been going on about cyber warfare. I'm looking at a book right now called Strategic Warfare in Cyberspace written by uh Gregory J.
Rattray and uh really this book is an attempt to understand how uh how cyber space cyberspace plays a role in strategic warfare. So, let's let's play a little game and hopefully you haven't already cheated. What uh what year do you think this was published in? Actually, wait a minute. I got to look.
I'm going to say, um, 88.
2001.
Okay. I tried to go way back.
You did. You did. Yeah, but still, so that's that's quite old in terms of in terms of the the the topic area, it's quite quite old. Um, you know, and again, it's not this isn't the thinking around this, the the struggle with understanding what this all means to society and to uh, you know, to civilization. It's not new. Um, you know, I've got another book here, Cyberdeterrence and Cyberwar, which kind of touches on your your mutually assured destruction comment. Uh, you know, 2009, published by the RAND Corporation. Um, there's been a constant struggle to really understand this. But uh, you know, I'd argue that the same thing happened with with previous transformational technologies like gunpowder. Um, you know, Japan is is another example where really Japan was forced into the modern world uh by uh, you know, the Europeans coming and bringing firearms. Uh, and firearms, it turns out, do quite a good job against uh mounted sword and bow wielding wielding samurai. And it it changed warfare in Japan and Japan had to modernize very quickly. And I think now we're we're seeing is we're seeing a number of different states having to modernize very quickly in terms of uh, you know, information technologies and conflict in that that context.
Yeah, this is uh an interesting area that I'm seeing a lot of growth in, so I work with uh uh with managed service providers and IT service providers and one of the emerging markets that everyone's starting to to really start to focus on is security management for businesses.
Uh because there's a certain level of awareness in that public uh thought process of of how uh critical this is and how at risk people are. Um and I I think you're right, you know, that that's one of the conversations that those folks have a lot is, well, I can go to Best Buy and buy, you know, this $80 router that connects me to the internet and you're trying to sell me one that's $300. And there's a good reason why those are there's a price gap between those, but you know, people people really struggle with with uh an awareness around that. But there's there's certainly a developing market around that security management and uh I'm interested in kind of your thoughts on, you know, the enterprise is aware of this, but you know, you I I I trust you're seeing an awareness and a development in the small to medium market where they are getting on top of this and there's probably a a significant business opportunity to to help people to remediate this and and move them to a more secure future.
Yeah, I think at the I think at the consumer level, a lot of people who are spending uh, you know, two to $300 on some sort of gateway device are are probably not doing it because of the security features, even though those come with it. But they're doing it because of the uh it's got six antennas instead of two and it's got a really cool red shell or or it's got all sorts of awesome Wi-Fi features and things like that. So they're they're spending money uh on features that they want, getting the features they probably need uh along with that for free, but not necessarily turning them on.
Uh the positive Trojan horse of security then give them the give them the fancy the fancy box and uh little do they know it's better to secure them.
Yeah, attach it attach it to features that they they want to pay for and yeah, you can get good uptake there. Um, you know, I think at at an enterprise level, large or small, uh there's so much variation across uh across any industry or any sector.
Um, that it's it's really difficult, I think to draw conclusions. Um, I don't think that there's really all that all that meaningful of a difference between sectors. Uh, I mean, I think inherently technology focused uh areas like like telecommunications, uh critical infrastructure, obviously has to be more aware of the technology and uh, you know, do more uh for security. But um, you know, I think that that's that's just not universally true. And uh, you know, there's also major differences across uh across jurisdictions with with say major legal differences. So, um, you know, there's there's very little to no liability for a consumer uh for uh, you know, fraud or or bank compromise or things like that in Canada, as I understand it, in the US, uh that's quite different. And uh uh, you know, and I think you have different approaches to security in that sector accordingly that it's kind of a it's an unfair comparison because banks tend to be uh, you know, much more numerous and smaller in the United States versus Canada where we tend to have uh a much more of a a large consolidation. Uh monopoly friendly. I'm not using that in a judgmental way either, but monopoly friendly uh kind of kind of set of industries where it's possible for a company to get larger and have fewer larger organizations, which ultimately means they have more resources to throw at security. Uh, you know, that said, the quality of the team makes a huge difference. Um, and if you you you have the support from the executive uh in any organization and they they get it and uh are willing to fund uh and support security initiatives, then you can see incredible differences in maturity uh in in both large and small organizations.
Yeah, so the awareness is key to to making that shift, right?
Uh buy in, yeah, the buy in of the the key decision makers, the people who control the money and the uh the resourcing, um, turns out that that's very important.
Right. All right.
Well, appreciate your time today, Chris. Any any parting word?
You know, it's been a great pleasure and uh I really enjoyed talking with you and uh, you know, obviously this is this is a a topic of great passion for for both of us and I think it's an important one for people to understand. And uh, you know, maybe parting wisdom if you can call it that. Uh, you know, be aware, think critically, um, you know, try to understand rather than assume, uh, remember that uh security isn't about technology, security is about human adversaries in some form of conflict. And uh technology constantly evolves and that's just the way that these conflicts are expressed.
Right. Great parting words. Appreciate it. Thanks again, Chris. Have a great day.
Absolutely, you too. Thanks, Todd.