Reimagining Cyber - real world perspectives on cybersecurity

Unpacking DeFi Security and Cybersecurity Summit Insights - Ep 96

Reimagining Cyber Season 1 Episode 96

In this episode of "Reimagining Cyber," join hosts Stan Wisseman and Rob Aragao as they explore the cutting edge of cybersecurity. They delve into the world of smart contracts and decentralized finance, examining both the revolutionary potential and the inherent risks. The conversation shifts to cybersecurity roadshows, where they highlight key insights from recent fireside chats with industry leaders about navigating the complexities of cybersecurity programs, gaining executive buy-in, and harnessing AI while maintaining data security.

Links relevant to this episode:
Unlocking Security in Smart Contracts with Fortify SCA
Cybersecurity in a Web 3.0 World
Cyber Risk Posture Management Webinar registration


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

[00:00:00] Stan Wisseman: Welcome to another episode of Reimagining Cyber. I'm Stan Wisseman with my co-host Rob Aragao. And Rob, we have something exciting on the horizon, don't we? 

[00:00:10] Rob Aragao: We do. We do actually on May 15th, you and I will be doing almost like a live format of the podcast, right Stan? 

[00:00:16] Stan Wisseman: So our listeners can not only just hear us, but they can see us and they can also pepper us with questions live.

[00:00:22] Rob Aragao: That's right. That's right. Come one, come all. So we're doing this Smarter Insights webinar, our series that we've been invited to, and we're going to cover the topic of cyber risk posture management. So it goes across multiple areas, obviously of cyber, but yeah, for those that would love to come and join and participate and pepper the questions, we're going to be there.

[00:00:42] Stan Wisseman: We'll put the link in the show notes. I can't remember the time of the webinar, Rob. Do you happen to have that on your fingertips? 

[00:00:48] Rob Aragao: 11 a.m. Eastern. 

[00:00:50] Stan Wisseman: So again, hopefully you can join us. Today though, Rob, we're going to dive into the world of well, we're going to hit a number of different topics, right?

[00:00:57] But we're going to hit smart contracts and the, the, the world of, of decentralized finance. It's something that I, I haven't really been that exposed to. I wrote a blog about it recently and. Sort of learn more about it, and the reason I did the blog and I want to talk about it is that it is a hot space in the sense of people trying things out you know, to implement it.

[00:01:20] But also there have been a lot of incidents, you know, so it's it's 1 of those things where it's an evolving, rapidly evolving area. At the same time, there are a lot of threat actors that are, are looking at it and probing for weaknesses and finding some to exploit. 

[00:01:36] Rob Aragao: So Stan, why don't you kick us off into that topic and you know, just kind of give everyone a foundation in essence around smart contracts and, and DeFi in general.

[00:01:44] Stan Wisseman: Well, Rob, let's start there with smart contracts, you know, so basically it's, it's a contract just like any other contract. Right. But it's written in code. So if you, if you, if you think about trying to capture, you know, all that contract language and the code and the fact that it will then self execute.

[00:02:05] Without the need of anybody overseeing the process, that really is the key here. And it's all based on, you know, blockchain technology and these contracts operate automatically and they drastically reduce reliance on intermediaries like lawyers or brokers. So that's, there are those that really believe that this, you know, approach, and this is where decentralized finance or DeFi comes in.

[00:02:31] It could be a game changer. It could really revolutionize how we, we do finance. You know, so a lot of these contracts are written in Solidity. It's a, as a programming language that's tailored for contracts on blockchain platforms like Ethereum. And Ethereum is, is one of those platforms that sort of is the basis for this whole thing, you know?

[00:02:53] So I wish, I wish I had a whiteboard. This is one of those instances. It'd be nice to share a PowerPoint slide or, you know, but, you know, or have some kind of way of visually representing things, but imagine, you know, That you could do all these different financial services, right? You could do loans, you could exchange assets, all your fingertips through your digital wallet.

[00:03:14] Mm hmm. So no banks. No brokers, no intermediaries dictating terms or collecting fees and it sort of it's democratizing, right? You know, the access to financial services and it's 1 of the big things is also that is transparent. You can see the contract. You can see the code. But that's also part of the issue as far as the fact that, you know, with this reliance of smart contracts, there are also some risks, right?

[00:03:43] And, you know, everything runs on code and any flaw or bug in that code could have implications and affects the outcome for the. The user and the, that impacts the trust of the whole system. And so, you know, one of the things that we're, we're seeing is that some of these bad actors are, are, are taking advantage of some of those flaws or, you know, exploits.

[00:04:05] Rob Aragao: Well, you, you talked about the flaws, the exploits and more from the software side of things, right? Are there any examples, anything that you've seen out there? That would be kind of a good example to share with the audience of the potential vulnerabilities within, within you know, looking at things in the smart contract area.

[00:04:21] Stan Wisseman: Yeah. Yeah. Yeah. I mean, there, there are a number of different ones out there. I mean, some of the common types of attacks are related to things called like flash loan manipulation. Or attacks due to human errors, like I mentioned, but there are specific vulnerability types or logic flows and the contracts that can be exploited.

[00:04:40] 1 of the poster children of attacks is the DAO attack or hack. It really was a, a compromise of a smart contract. That was, you know, the complexities allowed the exploit and it resulted in 50 million worth of, of money being lost in that particular hack. You know, there, there are other ones where there are, you know, insiders that have been actually part of the the hack you know, and, and one of the things that, again, brought my, to my attention was there was a real spike.

[00:05:18] Of incidents that occurred in March that ultimately exceeded in aggregate exceeded over 100 million dollars worth of money lost through these exploits. And so a variety of different issues, like, whether it be a weakness in an algorithm or, you know, vulnerabilities in an outdated contract, you know, it just, it was a variety of different things that.

[00:05:43] You can't put your finger on one thing as being the cause. It wasn't like a Log4j kind of issue, right? It was, it's just, obviously the threat actors are, are looking very carefully at this new way of doing finance. 

[00:05:57] Rob Aragao: Yeah. And I know there was one previous, like back in 2021, they're running the Poly Network and that hack.

[00:06:02] And I thought that was interesting in looking at that one, right. Because that was over 600 million of right. Don't want digital tokens in essence. In the end, the, the attacker basically was just trying to point out the flaw that was found. And, and, you know, and kind of. Maybe quote unquote, the negotiation that occurred.

[00:06:20] They basically said, Hey, listen, I'm a good person. I'm just trying to tell you, this is where you have an issue and you know, the things that you need to maybe potentially do to resolve that. And so, you know, he gave back what he initially took and kind of just kept a bug bounty, if you will, of about 500,000 back for, you know, the finding to be able to, to kind of help the original, 

[00:06:41] Stan Wisseman: the original loss was like 600 million, right?

[00:06:43] Rob Aragao: The original loss was over 600 million. Yeah. 610 million. But, but his point was, Hey, listen, again, I'm not here as a bad person. I'm just showing you. As an example, making it where there's a problem. Yeah. And, and, and basically taking that bug bounty portion back or about half a million dollars. So, you know, it's, it's still a very, very early space that people are trying to face, you know, basically figure out how to properly secure.

[00:07:05] And there's a lot of embedded security, obviously within their two in the blockchain, but, but There 

[00:07:09] Stan Wisseman: is. And, and, and one of the practices to mitigate risks is. You know, through auditing, it's sort of like a safety certification in the traditional industries, right? I mean, by conducting an audit.

[00:07:24] You're, you're, you're looking for any kind of anomalies in the, in the, in the logic you're looking for potential known vulnerabilities, but it doesn't necessarily, you know, guarantee that a contract is entirely free of vulnerabilities, you know, because there, there, there are complexities and there are human errors in coding, right?

[00:07:42] So, you know, but that the audit process is evolving as well. So you have A manual method of doing it, right? And that is, is very methodical in the sense that you have experts that know what they're doing. Typically now, granted, those are hard to find, but they, they know how to catch the nuances and some of these vulnerabilities that are well known.

[00:08:06] But it's very time consuming. You know, they're going to catch things like logic flaws that you won't be able to necessarily catch an automated scans. Right. But automated scans can, can certainly be more repeatable and has some kind of, you know, structure of hitting, you know, known vulnerabilities. You know, you're going to look for certain things just like any static code analysis.

[00:08:26] Right. And so there's, there's an advantage, I think, of pairing them up. You want to have both the, the automated scans and, you know, it's a time saver as well as augment that with manual scans and hopefully that will help you mitigate some of the concerns you have about your smart contracts, but it's a continuous process, right?

[00:08:44] I mean, it's like any of these things we've talked about where it's a cat and mouse thing where the, the threat actors are looking for new ways of exploiting the system. And you on the defensive side as a developer need to work collaborative with the community. It's sort of like again, open source projects where you have hopefully a healthy project community that, you know, can work together and identify and flag things quickly.

[00:09:07] You know, I think we need to adapt to the threats as they come in. 

[00:09:11] Rob Aragao: Yeah, yeah, for sure. For sure. And this, this will definitely be a topic that we'll cover up off in the future. Again, it's still very early in its stages of, you know, where the cyber kind of components are starting to play a critical role.

[00:09:22] So one other thing I wanted to discuss today, Stan, and you know, you've been a part of this too. So, so, you know, within our organization that we're part of within OpenText, we've been doing these different cybersecurity roadshows, if you will. And a lot of it's been about pulling in, you know, parts of our network.

[00:09:39] In these conversations and fireside chats that we've been bringing across different cities in a way, it's almost like the podcast in a road, but we're kind of doing it individualized. Right. 

[00:09:46] Stan Wisseman: Right. Right. 

[00:09:48] Rob Aragao: And earlier in the week. I was having some conversations with a few other folks and broken up fireside chats.

[00:09:56] You know, a couple of we've actually had in the past, Adil we had from Kyndryl, CEO Ed Amoroso, right, from TAG Infosphere. And another gentleman who, who's a good friend Neil Schloth, who's actually over at Fiserv as their head of application security. And we broke them up into kind of two different.

[00:10:14] Conversations Neil and Adil, you know, what I did basically with them is we really were very kind of over the top of cyber. What are you seeing? What are some of the different things that are working? One of the, the main emphasis points that we, we drove into was around the cyber security programs and that buy in that you need from the executive level.

[00:10:33] Adil touched upon that pretty heavily. You know, a lot of the around, around, 

[00:10:36] Stan Wisseman: around budgeting or just around budgeting, 

[00:10:38] Rob Aragao: We talked about, like we did not that long ago, we talked about, you know, some of the things you need to do to get the budget in place versus, you know, geez, now the events occurred.

[00:10:47] And now all of a sudden, I have this free flow of money that comes in to do the things I want to do. Or, hey, the, you know, third party has come in to point out the areas that, you know, we've already identified. We're trying to put into place, but because they told us like, we're going to go do it now. So it was just an interesting conversation, but a lot of it was actually, you know, very much driven around that maturation process of how you actually, you know, Don't try to bite off too much coming out of the gates especially, you know, from Neil's perspective as, as they were launching into their, really their application security program several years back just being very poignant on what they were going to do, getting, you know really good coverage of some of the key applications and what they wanted to be able to take a look at to pinpoint security vulnerabilities.

[00:11:32] But also that kind of fine line of how do they balance that by being able to work very effectively with the development teams. 

[00:11:37] Stan Wisseman: So is that basically not to burn the, the, the program? So you had a good foundation and, and a good, some quick wins. Or, or, you know, what was the motivation for not biting off too much?

[00:11:49] Cause obviously you come in and you could see there's so much we can do. Yeah. 

[00:11:54] Rob Aragao: Yeah. Let's say there's a, there's a lot of fires we can put out is what kind of, you know, you'll see initially, but they just want it to be very much. In a manner of setting things up very strategically, so they could say, okay, we're gonna, we're gonna, we're not gonna go for the top application per se, right out of the gates, right?

[00:12:08] We're going to go for just underneath those and we're going to show that this is how we can approach it mutually, right? With the development teams at our side, get them on board. And once we get them on board, right, we should be able to actually take that model to then go across much more higher positive 

[00:12:25] Stan Wisseman: buzz.

[00:12:26] Right? And we get some feedback. Yeah, exactly. Exactly. 

[00:12:31] Rob Aragao: Which, which was part of the conversation around culture too. Right? And so we even discussed, you know, the aspect of. We know that in cyber, it's a very competitive landscape. So, you know, kind of this consistency of the program with people potentially moving around quite a bit, not just within your organization to other, you know, potentially higher paying jobs that pop up left and right.

[00:12:50] And, you know, ensuring again, that that relationship stays in place across the different stakeholders. So a lot of that was more about. Non technical per se conversation, you know, that were, Hey, how do we actually marry these things together? How do we actually show that we're working very effectively?

[00:13:05] And also how do we, how do we handle the outside world of the regulators coming in and knocking on our doors all the time, being a financial service organization, right? So that was, that was a lot more of what that conversation kind of was around with, with him. As I mentioned with Adil, it was, you know, kind of this framing back into that whole resiliency aspect and you know, he was, he was just talking about some of the past experiences he's had, but a lot of the conversation was much more about the conversations that he's now having with different organizations that they support at Kyndryl.

[00:13:33] And a lot of it absolutely is still being driven by different, you know, regulations. And he was talking about what you did actually on our episode, if I recall correctly DORA, right? The Digital Operation Resiliency Act that we covered. So that 

[00:13:46] Stan Wisseman: really is being a driver for folks to start trying to get ready for DORA compliance?

[00:13:50] Rob Aragao: It is. And again, that's a financial sector specific, right? That's driven out of the EU, but you know, anyone that's doing any sort of financial business in the EU. Falls underneath that regulation. So that is actually moving the needle. The other thing that he called out, which I thought was very interesting, because again, he's very much focused on the commercial sector was the you know, utilization of some things from the federal government and some of the kind of pulling the levers, like on the continuous diagnostics and and, and monitoring capabilities and management capabilities.

[00:14:20] Right. And so maybe it's more of like a framework approach that seems to be resonating. But just, it was an interesting kind of crossover between some of those things that actually have come out of federal sector that to drive back in and be applicable. You know, what about, what 

[00:14:34] Stan Wisseman: about Ed? I mean, Ed, we had such a great conversation with Ed when he was on and imagine you, you, you could, you could spend the whole time just talking to him.

[00:14:44] Rob Aragao: Oh yeah. Oh yeah. So, so he was the second part of our, our conversation. So had great fireside chat with Ed. Our focus with Ed was around AI. Right. And so it was. It was a lot more around he gave examples that they at tag have recently completed about 45 different client engagements with large, very large organizations and midsize organizations as well.

[00:15:06] And it's a lot more about the like, where do you get started? With AI adopting, you know, the program, starting to build it out. And what he really said, he goes, it's he said it's a bunch of different wildfires. It's a bunch of different, you know, kind of, you know, these different things that are being spun up in parts of the organization.

[00:15:22] HR is doing it, finance is doing it. No one has any sort of control or governance over it, right? It's, it's very, very kind of wild west approach. He also kind of painted a pretty interesting analogy. And he goes, for those who recall and remember basically kind of the beginning of, you know, the web browser, the beginning of the search engine out there, the AltaVistas of the world, Ask Jeeves of the world, 

[00:15:45] Stan Wisseman: the mid nineties, right?

[00:15:46] Early, early, mid nineties, 

[00:15:48] Rob Aragao: when you're just getting started, like, you know, What are we doing with this? How are we going to use it? And people just continuously kind of started planning and become, you know, more understanding of what value it can return for them. Right. And he, he, he painted that analogy of like, that's pretty much where we are now.

[00:16:03] He said, well, he was very much of the perspective. Don't slow things down. Be very security minded. But allow people to go and utilize and try to innovate without putting, you know, all these different kinds of control mechanisms in place that's just continuously holding back, if you will. For 

[00:16:20] Stan Wisseman: competitive reasons, they, they, they can't, you know, in this case, fall too far behind, right?

[00:16:26] I mean. Absolutely. Absolutely. But, but there are, there are cautionary tales I imagine there are too, as far as the sensitive data being ingested into these AIs. And if you don't have guardrails as far as what is appropriate, it's a black box. Once it, once that data is in, you can't get it back out. 

[00:16:42] Rob Aragao: Yeah. And that was one of the, the other.

[00:16:44] Points of topic of conversation with him was, you know, where do you get started with actually the data that you're going to leverage when you're doing your own, you know, LLMs, public or private, like what are you doing to get started to ensure, to do your best you can to ensure that the data is properly secured.

[00:17:01] That you don't have privacy risks associated to it, which is very difficult to do, but we got into some of that conversation about, you know, maybe creating kind of that that sandbox first of where the data goes into and then being able to push that back out. And now you have this kind of quote unquote approve or sanitize set of information that you're actually using within your production.

[00:17:18] You know, large language models. So very early. Very interesting to kind of hear the points of different organizations because he's had, again, like you mentioned, 45 different organizations they've been engaging, but yeah, but just a real, really a lot of those conversations again, it was asking, where do we start?

[00:17:37] Right? And who are the stakeholders that need to be involved and just pulling it all together. So still really early on. 

[00:17:44] Stan Wisseman: Did he see a role for the cyber security team as being sort of that guard railed establisher? I mean, again, you mentioned the wild, wild west. I mean, who, who has that role to determine what is appropriate and wasn't, isn't appropriate.

[00:17:59] Rob Aragao: So not per se, cybersecurity as the kind of one only, you know, voice, if you will, it was a combination absolutely of, you know, the, the, the data office, if you will, then if there's a chief data officer in the organization. The privacy side of the organization with legal and compliance kind of being at the table, being aware of what you're planning to do, what you're planning to use security, absolutely.

[00:18:24] Being there you know, technology from a CIO CTO level as well. But yet he didn't kind of call out and say, yeah, this is kind of who the end all should be. There probably 

[00:18:35] Stan Wisseman: isn't any obvious answer. It depends on the organization, right? 

[00:18:38] Rob Aragao: Again, it's depending on the organization is so spread out, you know, it's still so early on, but yeah, anytime you talk to Ed, I mean, the conversation has been going on and on for a long time about any topic.

[00:18:48] He's just so well rounded. But yeah, and in general, you know, these, these discussions that we had, I think is just very enlightening and people took a lot away because, you know, they're, they're not always looking at it from how do you relate this back into the organization that you're supporting on the business side of it, which was kind of a key theme that Neil, Adil, as well as Ed brought forth.

[00:19:09] So it was, it was pretty interesting. There was some technical, you know, discussions. We definitely got into some questions from the audience on that, on those kind of more deeper topics. Points, but in general, really good conversations and it was just good to have, you know, some of our previous guests there live for an event with us and I mean, I did the one down.

[00:19:25] Stan Wisseman: I did the one down in Houston and we did ones in Chicago and Washington D.C. Just wrapped up and we had San Francisco. It kicked us off. I hope that we do these again. 

[00:19:36] Rob Aragao: Yeah. 

[00:19:38] Stan Wisseman: So, Rob, you know, next Wednesday we have another guest coming in that's going to be interesting. We've never talked about the public relations side of cybersecurity and how that's important.

[00:19:48] And who's our guest? 

[00:19:49] Rob Aragao: Our guest is going to be Kevin DeNino, and he's going to be talking all about crisis management. He comes from more of the traditional, as you said, PR side of things, Stan, but we're going to take that back into some experiences you've been having as it relates to cybersecurity events and how public and private organizations deal with those.

[00:20:06] Stan Wisseman: It should be a good one. 

[00:20:07] Rob Aragao: All right, Stan. Until next time. 
