Cloudflare TV

Hacker Time

Presented by Evan Johnson
Originally aired on 

Join Evan Johnson as he speaks with security professionals about recent security news!


Transcript (Beta)

All right and we are live. Thank you for joining me for the first installment of Hacker Time in 2021.

2020 was not the best year. A lot went on. 2021 is not exactly off to a great start either, but I'm hoping we're in for a better year and I appreciate you joining me on Hacker Time, the number one security TV show anywhere, not just on Cloudflare TV.

I like to pick on the other shows on Cloudflare TV, but this is the number one security show anywhere.

And actually over the last month or so, I haven't had too many of these episodes.

I think my last episode of Hacker Time was in the first or second week of December and since then kind of a lot has happened in the world of security.

Big security news out there, a lot going on and we're here to talk about it.

Today we'll probably touch on a little bit of SolarWinds discussion and some of the fallout from that.

We'll talk about some other like pop-cultury security news.

I want to spend some time talking about how startups can sell security.

I think it's a really difficult subject for a lot of newer companies and getting your security story straight is really hard for people without a security background.

So I'm hoping to at least brainstorm ideas and maybe it'll be a conference talk one day or a blog post or something to help early stage companies navigate those waters.

And then definitely going to end on some chess puzzles for the day because it'll be a nice palate cleanser for the week.

And first week back, so I'll probably be at about 90% capacity.

So last couple of minutes, we'll spend on some very challenging chess puzzles.

They're probably not too challenging, just regular challenging, but I'll talk about them.


So SolarWinds, if you have been living under a security rock, I'm going to break some news to you.

There's many people have reported. Let me see if I can present my screen here.

There's been a number of reports around a breach at the company SolarWinds, and it's really sad because you never want to see that.

I just realized I can't present my screen today because of a new...

I have to restart Zoom and I'm not doing that mid show.

So chess is off, unfortunately. I'll just start talking.

The number of reports for... New York Times, I have on my screen, I was going to present to you, shows that the company SolarWinds was breached in what's called a supply chain attack.

A supply chain attack is when there's software being distributed or hardware being distributed, and this was a software supply chain attack where the distributed software was backdoored and compromised.

And this is the exact details.

I'll start with this. The exact details of what happened internally at the company, it's not clear yet.

The reporting has kind of talked about what happened and some of the impact of that, but there's been not a lot of information externally about or that has reached externally about the internal controls that failed and how it happened.

And so we can't speculate too much. There's been, as recently as yesterday, Krebs on security reported that there's been a lot of impact on the U.S.

court system and many, many agencies and parts of the U.S.

government were compromised by this because when... And the whole point of a software supply chain attack isn't to compromise SolarWinds, it's to compromise their customer support.

So anybody distributing software, the goal is to compromise the people downloading the software and running it, and not necessarily the person sharing the software.

So you can think about this like other...

You can remove the word SolarWinds from it and think about other situations.

So NPM or any type of package manager, a software supply chain attack might look like you upload a malicious package to a previously known good package and then that software has new behavior.

So an example of this might be that left pad function from a few years ago where developers all of a sudden woke up one day and the thing padding their strings with zeros on the left side of it had been deleted.

But imagine if instead of being deleted, there was a new version released that was just malicious where the left pad function still just padded the string, but it also might've done something devious like probed your network or set up a remote shell or something.

So that's how a supply chain attack might work outside of the realm of SolarWinds.

And inside the realm of SolarWinds, there was a product that they have called Orion where it was distributed and it was backdoored and the impact and the details of that are still coming out.

Recently though, within the last two days, there was also a report about TeamCity, a continuous integration product being involved somehow.

And those details were a little unclear. I read the New York Times article about it and thought that they...

And I didn't think it was very clear what they were reporting because it seemed like they were on one hand reporting that it wasn't clear if they were saying that the company JetBrains had been compromised, which it didn't seem like, and there's no evidence of that and JetBrains has come out.

That's another blog post I would love to present right now, but I can't on my screen.

But I'm reading from their CEO, a blog post kind of saying, hey, we're not...

We have no evidence of any compromise or anything like that.

And so what it reads, what the New York Times reporting about JetBrains and TeamCity reads like is that SolarWinds may have been using that product internally as part of their build pipeline.

It's a really common CI, CD tool, like a Jenkins, like a CircleCI, like any of them.

And those inherently are remote code execution as a service.

Every developer runs code on these CI machines and build machines.

And so if a malicious entity... So it's common that those are compromised because they're kind of a free-for-all.


It used to be Jenkins servers being left on the Internet or insecure, but it's a common story that CI, CD pipelines are compromised by attackers.

And the impact of that is very high because those usually create build artifacts, like a release, and they normally have access to push code and either make changes automatically or create new artifacts that then get used by your software or whatever it is.

So it's been really interesting and I'm... The SolarWinds hack is definitely going to be one that we hear about for years because of the impact of the attack, but I'm very interested in what comes out about the technical details, what internal controls they had, which controls failed, and how it happened, which still not super clear, but it seems like something related to their build pipeline and their CI, CD usage of TeamCity, which is a fine product, but it's common.

The security model of CI, CD is a challenging one to secure in kind of a DevOps and move fast environment.

So we'll see. You can search for the news and the information from JetBrains and TeamCity kind of disambiguating that they weren't compromised.

And there's plenty of news on SolarWinds out there.

There's Krebs, there's New York Times, there's all sorts of stuff about it.

But it's been really interesting. I can't wait to see what's next.

And we'll definitely keep you updated over the next couple of weeks as more news comes out.

What else do I have on the agenda here? So I thought it was really interesting.

There's a lot of talk around chat apps, both the WhatsApp news and a lot of buzz around Signal.

And I don't have much to share about this. I've seen some interesting takes on Twitter about the WhatsApp changes in policy and whatnot.

But I thought the really interesting thing was Elon Musk kind of pushing Signal on Twitter yesterday.

And it had such an impact on downloads and usage of Signal that Signal had problems sending people verification codes to their cell phones.

Because when you sign up for Signal, they actually have a record of I believe your public key and your phone number.

And so you register with them and you have to verify that you actually own the phone number.

Because otherwise, you might be able to sign up someone else's phone number and overwrite their public key, break their chats.

There's all sorts of funky stuff you can do. So they need to know who you are.

And just Elon's tweet created such a buzz that they couldn't verify the people signing up quick enough.

And I thought that was worthy of news. Okay.

So I want to talk about selling SaaS products and selling any type of product and navigating the waters of security, which is really challenging.

I wish I could present my screen and start working on a talk outline with you.

But maybe I'll share it afterwards.

I'll start a doc and share it via tweet afterwards. But the first thing is just some observations about the industry and what it's like as a startup navigating the security waters.

I've been on the side of security engineer or small company selling to much larger company or much older company.

A lot of times software companies are selling to really entrenched or non-software companies, if it's in the marketing space or security space or anything.

But you sell to all different types of companies and all different types of companies have different models for taking on vendors.

And so I've been on both sides of the table, both now, Cloudflare is a larger company.

We're publicly traded. And so it's often that people trying to sell to us talk to me.

And it happens often that I hear from friends who have started startups or they're at a 10 person company or they just raised a series A and they're trying to sell to their software to a company.

And that company's security team is just they don't know what to say to those, the security team.

So I am here to tell you exactly what to say. The first thing that I think companies should internalize is that they need to tell their security story.

And that's really hard if you're not a security person and you're passionate about whatever it is you're building, whether it's a travel app or a work tracking app or anything.

It's probably not security if you're not a security company.

So it can be really hard to tell a story about something that you might not know a ton about or just enough to get buy in.

So the way to tell the story is you want to start by telling your audience, which is people, security people like me, all the good things you're doing for the security of your product and your company.

So let's break that down. I'm going to take some notes here.

Tell your security story. And then the way that security is broken down, I think the most effective way to tell that story is to start with controls, procedures, and policies, and then sprinkle in a little empathy around the kind of cliche that people make fun of in the security world is security is important to us.

And what does everybody say when they have a security incident? We take security seriously, and we vow to do better next time.

And that comes off as unempathetic, and you can definitely do better than that.

But we can talk about how to do that.

So first, controls. Second, policy and procedure. And third, some empathy.


So you want to tell a convincing story about all of these good security things.

Let's start with controls. Every company now, a lot of early stage companies are using a lot of vendors themselves.

So there's a lot of third parties, and just starting with Slack or with G Suite, whether it's Microsoft Teams or Office 365, you could be using Jira, you could be using AWS or Google Cloud.

There's a lot of vendors.

There are basic controls in each of these vendors that will go so far in your security story.

The first one is second factor authentication. And I hope Cloudflare is one of your vendors, but I won't try to sell you.

I hope the first thing that you do in every single vendor that you're using is an Enforce 2FA.

In your GitHub, in your Cloudflare account, every kind of organization has a control.

Every software product that you're probably using has a control to enforce that two-factor authentication is turned on.

You should turn that on.

Because telling your customers that we have 2FA enabled everywhere is like 80%, 90% of all security risk is getting phished, and it goes so far.

So step one, turn on 2FA everywhere. Turn on 2FA everywhere. Then you can tell your customers that we have 2FA turned on everywhere, and it goes a long way.

Okay, second, you're using cloud services. I'm sure if you're watching this, you might be the CEO of a tech company, of a small seed round tech company.

If you're having this problem, the second thing, if you're using cloud services, you should understand that you're using cloud services and your responsibility.

So you're going to turn 2FA on in them, but you should also read up about the, what does Amazon call it?

The shared responsibility model. I think some of this is a little, I think some of the shared responsibility model will change over time where it's not here to stay completely.

But I do believe that it's important to know that you have a responsibility and then understand what Amazon's responsibility is.

And those, everything that Amazon or Google Cloud or whatever company you're using as a cloud provider, all of their controls, you can talk about.

So your network security, you can say, we're a serverless company.

Our network security is completely run by Google Cloud.

And we use Cloudflare for DDoS protection.

And you can talk, you can offload parts of your controls and security story to your vendors when you're very small.

You can't do that forever and you shouldn't do that forever because at the end of the day, network security is your responsibility.

But when you're two or three person company, it's barely a responsibility.

You might not have any assets that aren't running on port 80 and port 443.

You might not be running any complicated servers or anything like that. It's just the website and the network security is handled by your cloud provider.

So the thing that I would tell you is understand what you're getting for free.

It's not for free. You do pay for it and it gets pricey fast, but understand what you're getting from your providers.

Leverage those in your story around controls.


What else? There's a lot of things inherent to a small company like limited access to resources.

That's a selling point. If you have really sensitive data or let's say you're a two person HR startup and you have employee salaries or something listed in your database.

The one strong selling point is we're a two person startup.

Only two people have access to this and focusing on raw numbers of people when it comes to access to say that access is very limited is a little bit of spin, but it is true.

It is smaller, a smaller number of people than probably the people team or HR team at the company you're selling to.

So in terms of risk, it is kind of limited.

So access control being limited is a selling point. Even better is just never storing any of that data, being very sensitive about what you log and what you store.

And that's a good one for the empathy bucket. So if you're a two person HR startup and you don't need to have everybody's salaries, even better being able to tell a customer that you don't have any sensitive data goes even further than saying only two people have access to it.

Or showing when you're selling to somebody showing that, yes, we have this piece of data, this piece of data and not this piece of data and this piece of data shows that you've thought about it and you're intentional about what you're storing and what you're logging.

And then, okay. So controls, just to summarize this, you want to turn on second factor authentication everywhere.

You want to make sure what you want to understand the controls you're getting from your providers and you can leverage those in your security story.

You want to turn on the basics controls everywhere.

So if you can get single sign -on set up, if you can limit access, and you can turn on full-disk encryption.

Oh, that is another big one. I can't believe I forgot about that.

Let me write that down. This is another very simple one to turn on and goes a long way in telling your security story.

So you can say that every laptop and every asset has full-disk encryption on.

So here we have a spreadsheet of three assets and each one has full-disk encryption on and you can walk over to me, walk over to the other co -founder and see that we both have full -disk encryption on our laptops.

Okay, those were controls. We have about six minutes left and I want to talk about policies and procedures.

This might have been and how to kind of sell.

This might have been a better one to start with first because I think a lot of the things that smaller companies, smaller companies can get a lot of benefits of just tracking things and writing things down a little better than you might want to.

So it might feel like a waste of time to make a spreadsheet with three laptops in it, but I think that that is a fantastic idea.

So track the things in your company that are important, everything, whether it's a software application, whether it's a laptop, whether it's a phone you purchased, whether it is the vendors you're using, all of it belongs in a spreadsheet somewhere because those are your asset inventory, your vendor list of third-party risk, your, what else did I say?

Asset inventory for software services. Track if every time somebody reports a vulnerability to your security mailing list or to you as a company, track everything related to security and you can kind of attach a fancy title to each one, asset inventory, vulnerability management list, and for the vulnerabilities that you're tracking.

And these are big time selling points.

Half of security compliance and if you look at SOC 2 and ISO, a lot of it is like, are you doing those things?

And doing it early takes very, very minimal effort because your company is small and has a huge benefit in selling because you can tell people all these good things you're doing, tracking all assets, tracking all vulnerabilities.

And then lastly, eventually there will come a time when you do want to get a security compliance certification, whether it's PCI or ISO or SOC 2 or whatever it is, and those things will go so far.

So track everything for procedures.

You want to track vulnerabilities, assets, vendors is a huge one.

Being able to tell what vendors you're using to somebody you're selling to is a massive win.

Vulnerabilities, assets, vendors, software, subscriptions, software, production services, being able to have a spreadsheet of every production service or like maybe it doesn't make sense to automate all of that out of the gates, but that'll go a long way.

Number two, onboarding and offboarding. Having a list, this is somewhere that's really hard for every company of all sizes.

So having a list of things that every new employee does and every employee leaving the company does and a procedure that you have documented will go so far.

So one thing you can do is in the onboarding guide, you can have a list, you can have a link to the spreadsheet of all of your vendors and software subscriptions and make sure that people are getting access to each one of those.

And then you can have a line item to say enable two-factor authentication and turn on full disk encryption in your onboarding guide.

And having that in onboarding will go so far. And then in offboarding, making sure that somebody is removing people's access from each one of those vendors, from each one of those software subscriptions from each production service will go so far.

Both in actually mitigating risk, where the people who join the company get access to things and then when they leave the company, you're taking away their access to things.

That's a huge risk mitigator. And two, in your story to sell to other companies.

So onboarding, offboarding, track everything. And then last is procedures.

For procedures is just basic how software gets developed, how software gets pushed.

It doesn't have to be fancy. You can just tell them what you do.

We make pull requests to GitHub. Somebody reviews it or not because there's two people at the company or something and then it gets merged.

And talk about how that software gets deployed. And then last is empathy. This show sure went fast and I thank you for joining.

But empathy, the biggest thing is not to sound like you're reading off of a script, but you want to sound like you've actually thought about these things.

So you've actually thought about why you collect the data you collect.

You've actually thought about why onboarding and offboarding is important.

And being able to explain why you've done the things you do will go a long way.

And I'll make sure to share the stock in these notes.

But I'm sorry I couldn't play chess puzzles. I promise next week I got to fix the Zoom permission and then we'll be back.

But I appreciate you joining me for the first episode of Hacker Time in 2021.


Thumbnail image for video "Hacker Time"

Hacker Time
Join Evan Johnson each week for the latest security news, programming tutorials, and more!
Watch more episodes