Simply Solving Cyber

Simply Solving Cyber - Chris Reed

Aaron Pritz
Aaron P.:

Welcome back to Simply Solving Cyber. I'm Aaron Pritz.

Cody:

And I'm Cody Rivers.

Aaron P.:

And today we're here with Chris Reed, who's the VP of Product Security at Medtronic and before we introduced Chris, I've known Chris for a long time. I think we were at the same pharmaceutical company back in the early 2000s. So, I'm interested to hear, a little bit about you, your journey. And like a lot of our guests, let's start out by telling your story, how you got into cyber and maybe a little bit on your journey over the years. Yeah,

Chris Reed:

Sure. Thanks, Aaron. Thanks, Cody. It's great to be here.

Cody:

Good to have you.

Chris Reed:

Yeah, it's been an interesting journey. I'm a computer science grad many years ago. Really quickly ended up in our security team, at a pharma company and I was there 23 years before I left to go to Medtronic. So quite a few experiences, starting at being in charge of how to manage intrusion detection on our network, running architecture, running operations, and eventually building a product security program for, medical devices for that company, for insulin injectors and insulin pumps. It was quite a wide variety of experiences there.

Cody:

What was the defining moment? The first thing you saw, you're like, yeah, I think I want to keep doing this. Or what was the first thing that kind of got you into the, got that cyber bug going?

Chris Reed:

Oh, you know, I just have always been one of those people that was curious how things worked and

Aaron P.:

Like to break things.

Chris Reed:

I did break a lot of things when I was a kid. There were a lot of radios that got taken apart looking at the boards. I wouldn't say I had the right influences around me. It took later in life to really get into the hardware hacking side, but I was always curious how things worked. And, even really quickly as I was in college, I had a gateway machine. Oh, it was a Calbox. Calbox, yeah. Yeah, that was my first one as well. and Linux got put on. And, just really loved, compiling software, getting in and looking at the code. Just understanding how all that worked. That continued just into my professional career. So, early on got, was fortunate enough to get trained, through SANS. Pulling apart network traffic and, you know, for that moment that really got me into security. I mean, I think probably I was always interested, but the part that probably really got me into it was early in the 2000s. You know, that's when all the worms were happening and taking down companies and, watching how to figure all that out on our network and break through the network traffic and start to understand like where it was at. Hmm. Yeah. Oh yeah. All sorts of interesting things on our network.

Aaron P.:

So worms got you into it. The bigger question is, can you do the worm?

Chris Reed:

Of course. That's like one of my favorite moves. Nice. Absolutely.

Aaron P.:

A lot of kids think they can do it, but they're really just kind of flopping around. That's what my son does at least. Yeah. Yeah.

Chris Reed:

My son does that too. Now I could really do it.

Aaron P.:

Do you want to see a video for YouTube? That's a separate show. It should be.

Cody:

Look for the link.

Aaron P.:

Yep. Awesome. So, um, I guess who are some of your influences? Cody asked about the kind of defining moments like, leaders internally, outside thought leaders. Who influenced your, who did you kind of early on? Like, I want to be like this person from a cyber standpoint or just from a general business leadership standpoint.

Chris Reed:

Yeah, that's a great question.

Aaron P.:

And I didn't prep you on this, so I just thought of it in the car.

Chris Reed:

No, it's good. Yeah, great question. I think, I was really fortunate. Again, you heard how I just jumped into Linux and things like that. Back when I was in school, the whole idea of open source really inspired me where you had, I mean, this was the very beginning of that. Now it's like there's get help repose everywhere and everyone's, you know, but that was, this was earlier. And, I would say that whole mindset really intrigued me that the idea of having You know, community source software. And so, gosh, there were a lot of big names back then. But I mean, obviously, Linus Torvalds from Linux. The idea that Microsoft trying to charge hundreds of dollars for windows and here I have a operating system that I think worked better that I could literally just download and run. I thought that kind of thing was amazing. And so. I think the good part about that is I think it always showed me the value of, I guess finding good solutions. You can go out and spend lots of money on software. That's like not accomplishing anything.

Aaron P.:

You don't believe in reinventing the wheel. It sounds like, no, you want to start with something that somebody else

Chris Reed:

In fact, I was a little bit of a troublemaker earlier in my career because I, uh, I was using all sorts of open source and that's before we had a lot of rules around that, you know, so I was downloading stuff from all over the internet and in the code running all of our networks.

Aaron P.:

So how early of an adopter have you been with chat GTP and figuring out how that changes how you or your team does work?

Chris Reed:

You know, I'll be honest with you. As far as Chat GPT goes, I'm not. I mean, I've played with it, but I haven't had quite the time to mess with it to be honest. So when I left my previous company for my role at Medtronic back in 2021, part of that was around. I actually moved from a security role. I'm running product security. Into a role that was actually in regulatory, and it was regulatory advocacy, and strategy. And part of the role was security, like how do we influence what laws and guidance and standards are being created. But the other part of my job actually was digital health and AI. So, I spent a lot of time actually early, but it was at a more policy level. So in Chat, GPT, it was interesting watching that explode, because we've been talking about bias. Um, all the problems we have with AI, we've been talking about it. We had a policy we set up, um, a Medtronic that basically guided our work with AI before all that hit. So it was super interesting to play with, but I had already been, it wasn't quite, I wasn't quite as enamored by it.

Aaron P.:

Yeah, that makes sense. And it's like. It was consumerized, right? It became approachable for people that didn't have a computer science background and all that. So new for a lot, but actually Tim Sewell here that we work with, same thing. He had been doing that, yeah, a decade or two ago.

Chris Reed:

Part of my degree, I have computer science. The other part of my degree is actually Cogno Science. So I wrote AI back in college, but back then we didn't have the power. The GPUs to do what we do today, but, yeah, even back in college, I had written like neural nets to recognize letters and images and things like that. So yeah, it's amazing to see how far it's come and a lot of it's compute power and there's tooling as well, but.

Cody:

Yeah, we said something earlier that when I thought back on and you said the word influencing, I think it's a thing that, you know, a lot of cyber professionals need these days. We need a PhD and because you're fighting for a little budget or you're trying to look for a seat at the table. So share with some of our listeners, maybe a key thing and it can be at a previous company, current company, but maybe a good victory you got from a challenge you face and how you were able to influence others to kind of align on your vision.

Chris Reed:

Yeah, you know, this is a key skill, especially as you climb in an organization. When you're lower levels, you're definitely have a clear scope of what you're trying to get done and And generally, um, you know, that scope's clear. But as you move up, influence becomes more important. And, there's so many examples I have of this. It's actually a skill I think I do fairly well. One of the things I'm able to do is build really great relationships outside of my core function. So, as a cybersecurity professional, my legal team really loved me and knew who I was because... I have one lawyer that I work with there. That's always like it didn't matter how complicated it was, but I went and asked Chris the question. I walked away understanding it and so I think the key thing about influence is you really got to put yourself in the shoes of the other party and understand a little bit of what their current challenges are and then put your problem in that context appropriately, that's the thing I'm able to do pretty effectively and as a result, huge accomplishments. You know, there was one case where I was working with legal on a case and they were describing what they were trying to do, why they were frustrated. And I came back with a log that proved something that allowed them to take it into an interview to get someone to admit something they had done. But all that was me hearing what they were trying to do. They didn't ask me for this specific log. They were explained to me. Why they were frustrated and what they wish they understood. And I was like, wait a minute, I think I can prove that. And I came back and proved it. And that's the kind of, and then that wins you points. And then all of a sudden now you're a trusted partner and, you have, they start listening to what you're saying.

Cody:

Oh, that's excellent. That's excellent.

Aaron P.:

Awesome. So it sounds like listening, putting yourself in their shoes before trying to force them into your shoes or to force your agenda on them. I had a similar thing. Actually, we may have crossed paths on this, but with privacy regulations and trying to do things like, you know DLP. There's a lot of roadblocks that can come up, especially in certain countries. And I remember some of the conversations where the individual kind of already made up their mind before going in to the meeting. So if you don't walk them back and understand what are you trying to do and articulate, Hey, we are not big brother. We're not looking to look at what you're doing on the Internet during your personal time. It's kind of like, how do you, bring down the defensive, because a lot of times people come in with, an assumption that's already, Hey, I know what this is. I don't like it. And, here's my agenda.

Chris Reed:

Yep. Another really good example of this would be, later in my career at the pharma company, I'd taken on product security, which is part of how I got to Medtronic. And, one of the things I really wanted them to do was, to be able to update the firmware on the device in the field. So in the field updates, which required some pretty advanced cryptography and it's not cheap to design that. Yeah. A working model of it. Right.

Aaron P.:

Did you call in Diffie Hellman?

Chris Reed:

I did. No, actually I won't go into all those details, but yeah, it was fascinating because of the battery power and in the low processor, like it's actually quite a challenging problem that we had to work on because it wasn't just slap inserts places and using standard libraries. It was actually quite a complicated problem. But what I was able to do when I listened to the business was share how they could go to market with more of an MVP product and that this capability would allow them to evolve it as they learn from the market. Yeah. Yeah. And it went from something I was trying to convince them to to their number one feature for MVP was the ability to update the device because again, they were, they heard now that this was a business enabler, not a just a security solution. And so that it's finding those types of situations and expressing complex problems like that, that really help influence and bring things along. And again, you get brought to the PA table as a partner, not just that annoying security guy that keeps nagging you.

Aaron P.:

What was it? One question to throw in there is, has there been any cases of ransomware in medical devices?

Chris Reed:

Oh, thanks for asking that question.

Aaron P.:

Is that a vector?

Chris Reed:

Yeah. You know, I really appreciate the ask that question and that was not preceded for everyone.

Aaron P.:

So off the cuff.

Chris Reed:

Right off the cuff, which is great. This is actually a really important issue. If you read a lot of articles out there, obviously we have a problem with ransomware in hospitals right now. Specifically, they're just very complex environments that are built to be open because they need access to records to treat patients

Aaron P.:

And it's desperation and it's don't have it.

Chris Reed:

Yeah. And it's desperation because they all of a sudden have to shut down. It's a really complicated situation and a lot of times when we read the articles out there, They say, look, we're having all these ransomware attacks. And then the very next statement is, and medical devices have lots of vulnerabilities, and it implies that medical devices are causing the ransomware. And I want to be really specific about this. They get ransomware just about how everyone else does. It's someone clicking on a phishing email. And then, of course, it goes through their workstations. It is true that medical devices have gotten ransomware on them, although it's a pretty exceptional situation, but it's definitely not the root cause of it. That being said, there's been a few cases lately, and I won't name company names, but you can go out and look. There's been a couple examples where, you know, as devices get more connected, they rely on the cloud services behind them to operate. So there's been one situation where radiology equipment to do cancer treatment. Um, it needed settings from a cloud service to be able to operate. And because ransomware hit the cloud, it shut down cancer centers all across the country because they couldn't operate the equipment.

Aaron P.:

But it wasn't the equipment.

Chris Reed:

It wasn't the equipment. It was back on the cloud side, but it was affecting the medical device indirectly and most importantly, the service. So, It's a huge problem. You know, we're leaning in on the medical devices as well because we never want to become the source or the primary part.

Aaron P.:

If you think about it, if you get a pacemaker, if you're going, even if you found a way to proverbially click the fish on your pacemaker, where's the alert screen going to go? Like, if you shut down the heart, you're done. You're not going to pay. So it's a little, it's not the target market, right?

Chris Reed:

It's not right now. And we never want it to be. So we're working very hard. Yeah. And honestly, there's a lot of reasons that prevent you from that situation from happening, but the reality is threats change fast and, one thing that's tough in medical devices is our development life cycles, kind of like pharmaceuticals, they last years. So unlike tech companies that can build a product and put it out in three months, we have to run clinical trials to prove they're effective. There's all sorts of work that goes into it. We're highly regulated with manufacturing. Every time we make a change to our process, you know, we have to communicate to FDA what we've done.

Aaron P.:

Minimum viable product is not a term that correlates.

Chris Reed:

Yes, agree.

Cody:

Well, yeah. And like you said, just like the length and oftentimes in healthcare and strategies, like the technical debt is large because, you can't just go out and buy 15 new ultrasound machines, absolutely two years and so it's like,

Chris Reed:

That's a problem we call legacy. It's a huge problem in healthcare. And not only that, We could go all around on this. I know we're bouncing all around, right? But, one of the things I've learned in my role is you have, bigger healthcare systems that buy the MRIs brand new. And as soon as they've used them for their useful lifespan, they turn around and actually sell it to the aftermarket. And so a rural hospital will buy that and continue to operate that MRI. So we have this ecosystem in the U. S. that, equipment, aged equipment out. So now our life cycle is long. The equipment gets used way past the, when it was meant to be used, which is a huge issue that we're working on solving in general.

Aaron P.:

Right.

Cody:

So then let's pivot a little bit here. I've said I had a great career and still do amazing things, but what would you give advice for some of the listeners who are, maybe new in the field or are there other emerging, but Hey, the things that I, what I've learned over my career, if I can go back to my first three to five years in the field. What would you tell yourself then that you've learned now?

Chris Reed:

Yeah. So definitely early in your career. First of all, I think picking a space and really going deep in it, is super important.

Aaron P.:

I thought you were going to say pick Amazon stock, but

Chris Reed:

If you pick the right stock, it could always work well. Of course, then you don't really have to work. No, absolutely. Going deep to really understand, I worry today even about professionals coming in. As I shared earlier, like I came in at a time where, I was compiling the software. I understood how the operating system worked. There's a lot of people that don't understand some of those fundamentals today. Yeah. And I think it's really important. You need to know you're never going to learn everything.

Cody:

Yeah.

Chris Reed:

But you need to be able to go deep and understand it. And then the other thing would be in doing so. Look for those experts in that space. And, you asked about influencers earlier, but, you know, participate not just going deep, but then watch the conversations that are happening around that technology and possibly from participating. But I think part of why I was able to develop pretty fast is, I found people I really respected that knew their stuff. And those are the ones that I listen. I listened to their voices, not just the loudest voice, but hey, that guy there knows what he's talking about. Ed Scotus from SANS is one example, right? Like that guy is amazing. And I think I took his class again in the mid 2000s, right? Um, but he used to do this thing called command shell Kung Fu, where they would come up with complex problems to solve and then write a one command line that would solve the problem, right? Like, that's the kind of stuff that when you see those influence, like those types of people, like paying attention to them and learning is just huge.

Cody:

Yeah. One thing, I'm a ct, a former C T O in a no former life, but one thing to your point I think was beneficial was listening to the other side and the perspective. And it's like, not so much how I speak, but how do I talk, how my other side listens and to your point, bringing the business, whether it's the business, it's different function, but talking in their perspective, I think point

Aaron P.:

You have to tailor the message to the audience for sure.

Chris Reed:

Yeah. And I think that would be the other thing I would share, to that point, I know we're kind of circling around this, but to emphasize that. A lot of security professionals think there's like this black and white, right and wrong, like this is the policy and if everyone did this, it would fix everything. And the reality is it's not like that. It's, but it's helping it again when you listen and you try to put it in context, like this is the benefit you're going to get if this is happening, and also understanding when that black and white answer wasn't the right answer. Because there's so many times and I know Aaron and I have a personal experience in this. So many times you set up controls and water flows to the easiest route, and you create all these bad behaviors that you didn't mean to because you have controls that aren't effective and they're just causing productivity.

Aaron P.:

My new passion topic is user experience for cybersecurity, because I feel like the, unfortunately, the end user or the employee is, The least focus of the budget. There's very little OCM and a lot of cyber programs, and we are giving them technology that's 10 years old to do things like encryption and things. So what we're advocating and Cody, you've done a lot of work in the space on, awareness, focus programs and process development and OCM around even cyber tool rollouts, you can't spend enough money and time there because to your point, the water's going to move around to the easiest path forward. So you should be focusing on making the path easier to do the right thing, not black or white. Here's the 10 things you can't do versus how do you do my job? Like here's three ways to do your job. Focus your effort on that, not the David Spade. No list.

Chris Reed:

Yeah. People are always a little surprised. I've had, definitely in my pharma career, it was always funny. because we would have vulnerabilities come up in products and everyone was freaking out because, oh, we have this vulnerability and it's cvs, s you know, eight and we gotta get this fixed. And I'd sit down with'em and we look at it and we'd realize it probably wasn't that big of a deal. And my next question was, when's your next maintenance release? And they were like, well, it's in three months. And I'm like, that's good enough. Hit your maintenance release. And they were like, wait, what? And, and I just saved them. And hours of paperwork and trying to do an off cycle release. Like, think about the cost of that. And when I became the voice of reason in those situations, and by the way, we were still keeping that product safe and secure, right?

Aaron P.:

People listen to you. They're like, yeah, he's got my back. He's not here to derail me from my agenda.

Chris Reed:

So all of a sudden now they come and ask a device and they start flowing cause they're realizing, Hey, they're going to help me get this decision that's going to help manage my time, or if it really was a big deal, I became a help and an advocate to get them the resources they needed.

Cody:

Yeah, the cost of jumping around. And we have to say a lot of times, like one of the biggest, like obstacles in cybersecurity is the lack of focus. To your point, it's like there's always something you can do, right? There's no short thing that you can, but it's like, how do I focus, take time, push together initiatives, and then, make a list and go after and then report that back out.

Aaron P.:

So we normally ask our guests for a fun fact. I'm going to switch mine a little bit because I think I know what you'll probably say here, but I'm gonna I'm gonna go out on a limb here. What you know both of us traveled a lot internationally when we were in the pharmaceutical world What is your most interesting international experience?

Chris Reed:

Yeah, Aaron knows this probably a little bit, right? I mean the witness maybe I have been a little I've been fairly fortunate to travel a fair amount not quite to every continent yet, but pretty close and But I got an amazing experience at the pharma company I worked at. And, to make a long story short, I was put on a short term assignment where I got to move my entire family over to Shanghai and my four year old and five year old got to go with us and with my wife and we decided to live smack dab in the middle of the city on the 16th floor of a high rise apartment,

Cody:

Just immerse yourself.

Chris Reed:

Just immersed in, and, um, and really just had the most amazing experience there. My wife was amazing that every day when I was at work, she would go out and adventure and they had such amazing experiences. I guess my fun story for this, and I wasn't there, but I have pictures of it. They went to the zoo one day and, things work differently in China. So you know, how you can do a ride like through the exhibit and see the tigers off in the distance and things like that. Yeah. Well, in China they have bars on the windows and my kids put their hands on the bars to try to see out. And then immediately the guide was like, no, no, no, no, no. Like pulling their hands off. And then my kids were like, what's going on? What's going on? And about five minutes later they took a chicken and put it out the window and the tigers came up and ate it on the side of the vehicle.

Aaron P.:

You don't want to be your hands mistaken for a chicken.

Chris Reed:

So they had trained the tigers that food comes out the window. So

Cody:

It's like they're coming to your zoo. You're just like parading through there and they're like a little exhibit.

Chris Reed:

It is. So in China has all sorts of fun things like that, but it was also an amazing environment. The people in China are just amazing and so friendly and welcoming. And, there was just the amazing experience all around. Oh, that's cool.

Aaron P.:

Well, Chris, we bumped into each other at the biohacking village at Black Hat slash Defcon, but it's really Defcon. Yep. And, you know, I was wading through the massive, every year it gets worse, like the shoulder to shoulder, massive body odor, just uncomfortable. Like, I don't know, but anyway, once you get past all that drama.Yeah, Cody, you're going next year in my place, uh, once you get past all that, you get to the really cool exhibits in the biohacking villages, med devices and chance for people to try to hack them. Tell us about your experience there. Tell us what else goes on in that and what is accomplished by that?

Chris Reed:

Yeah, great. Great question. Yes, the biohacking village has been around for a number of years now and the scope of it isn't just medical devices. They do implants and they've talked about how to make pharmaceuticals like insulin. They do any type of biotechnology, if you will. But medical devices have has specifically found a space there. It's been the passion of some people in the industry. There's a group called I am the Calvary and they work in multiple areas, but a few of their leaders created the biohacking village and invited manufacturers to come in there to talk and interact with security researchers or hackers, whichever term you want to use. I was not Medtronic back in the day, but one of the things that's happened at Black Hat and DEF CON is, when people have bad practices, hackers like to find it and expose it, make it public. Right. And so back in 2018 Medtronic was one of those companies that was, they looked at pacemakers and insulin pumps. And basically after that, it created quite an almost adversarial relationship for some period of time until manufacturers became more aware of this coordinated disclosure and how do we work together? And if we find a flaw, report it, get it fixed,

Aaron P.:

Hackathon, like get it all out on the table, potentially even offer rewards, right?

Chris Reed:

Exactly. In medical devices, we haven't quite gotten to the bug bounty point yet. It's a discussion that's happened, but we actually show up at the biohacking village now and I think we had over 10 manufacturers there this year and we bring our devices. So this year we had our implantable heart rate monitor. link along with a telemetry reader, like what it communicated with and an iPad that had the app running on it.

Aaron P.:

And I think you're missing the laser that cuts sharks or maybe it was an apple or something.

Chris Reed:

Yeah. Yeah. Right. So we had a, we also had a powered surgical tool. It wasn't a laser, but it, power is quite a interesting tool in surgery. So they can use electricity to heat instruments or things like that. Yeah. So if you go get your tonsils out, they'll use a blade to do it, but they superheat it so that it actually cauterizes as it cuts.

Cody:

Yeah, that's what I had done.

Chris Reed:

So we have power generators and so yes, we had a demo where we had an orange and we were,

Aaron P.:

Orange, yes.

Chris Reed:

We call it ablating, which means kind of burning to close.

Aaron P.:

Yeah.

Chris Reed:

We were basically searing the orange and it was creating a nice, a nice stench for the room.

Aaron P.:

Yeah. It's not an orange peel that I would want to put it in a cocktail after going through that.

Chris Reed:

It's been a scarred up pretty good.

Cody:

For the old fashioned.

Chris Reed:

Yeah. And we also had a light ball we would connect it to, to show how we could literally power the light bulb, the power flowing through the scissors from the surgical equipment and things like that. So we had our engineers there. Yeah. They answered questions. Yeah. The hackers could sit down and we had them actually, you know, we have Bluetooth operating on one device on that device. It had a RFID prox card interface that someone was messing around with. They were connecting to all the ports and interacting and so they could do. So it's a great learning experience and I think it creates an appreciation from the the attendees, because they're seeing that how seriously we take this and some of the problems we're trying to solve. It's not your typical desktop computer. There's some pretty complicated stuff we're in safety issues. We're trying to manage. But at the same time, we are engineers when they watch them go after things are like, I would have never thought someone would have done that. And so they learn to it's a really great environment to me.

Aaron P.:

So how many challenges have been found? Or, do you know this? Yeah, how many things?

Chris Reed:

So one of the things we push in the village is coordinated vulnerability disclosure. And, I didn't even realize this till this year, but they have a capture the flag running where there's a bunch of simulated things, but if you find a vulnerability in one of the products of the manufacturers, you score extra points.

Cody:

Ooh.

Chris Reed:

So, the winner this year, you can see when he turned in all of his vulnerabilities, because his score goes straight up, and he got a score way past what you could get solving all the challenges.

Aaron P.:

Oh, wow.

Chris Reed:

So I think we did not have anything found, and you can go on Medtronic.com/security. We have a blog post about our experience there. We would absolutely welcome if we did. We didn't have any, but my understanding is at least 16 this year got found in the room and reported them to the manufacturer.

Cody:

Okay. Excellent, man. So what would you say, I know we're getting close to time here, but what would you think, looking at the next year to three years, what are the big challenges that you see coming? And I would say too specifically to, to medical devices and to like the IOT medical field and, cyberspace.

Chris Reed:

Yeah, I think the biggest challenge that I'm passionate about right now is, medical devices. They have long development life cycles. They've grown up in the hardware space where you work really hard on that initial release, and then you run it for, you know, 5 10 years and don't make a lot of changes because every time you change it, it's risky. So the biggest issue we're working on is how do we come up with reasonably rational maintenance cycles on these devices? We can't do like monthly patches and that's not just for the manufacturers, like even our downstream healthcare, like the hospitals. If you ask them to go touch devices every month in every hospital room, it would be an impossible task. So. We're working through jointly, what are those rational cycles and what do they look like? And that will change based on the type of platform. So like a pacemaker, which has very little third party software, we're probably not going to have a very fast life cycle or a maintenance cycle. It might be years. We're not even, since we have so few third party software items, it might not, we have the ability to update it, but we might not never update it. Whereas if you have a workstation that's interacting with an MRI that runs special software and it's running native windows.

Cody:

Yeah.

Chris Reed:

Well, maybe that's quarterly or every six months.

Aaron P.:

That's probably more targetable, right? Versus a pacemaker that may be harder to get to.

Chris Reed:

Exactly. Yeah. Yeah. And has more just because they're using more off the shelf software, that's more vulnerable. and just more complex software, right?

Aaron P.:

Threat modeling come into this at all? I'm trying to get to what should you prioritize based on the actual threat?

Chris Reed:

Yeah, luckily we've been really fortunate that FDA instead of some regulatory agencies, authorities, they've really not tried it. They do have some amazing expectations around the types of controls they expect and the guidance they actually just finalized last week, including signed and verified firmware on devices and things like that. So they have some pretty advanced expectations, but even that is not a checklist. It's not you need to have this in your product. It's here's the controls we expect you threat model and then you give us the information of why the choices you made are rational and we use threat modeling to do that and then present that case to FDA and they kind of gut checked to make sure we've made a good decision. Just a really quick example of that. Um, You know, we all think of authentication, even multi factor authentication, as like a, that's a no brainer. You put it on everything, right? Well, if you have a device in the ER that needs to be accessible right away to, like, Jump someone's heart. Yeah. Stopping the like badge on

Cody:

Hold on. Let me pull out my authenticator and get my 62 code real quick.

Chris Reed:

Not a good idea.

Aaron P.:

I left my badge in the cafeteria. You're going to have to wait, Cody. I'm sorry.

Chris Reed:

Right. So we have to threat modeling helps us work through those to come up with, that benefit risk analysis and come up with the right rational controls. And so a lot of devices like that have no authentication in the room, but of course if they're network accessible, they do.

Aaron P.:

So last thing it's Cyber Awareness Month, Cody and I were on a recent podcast, trifecta podcast with the Cyber Ranch, Allan Allford and George Kamide at Bare Knuckles and Brass Tacks. And it was a little bit of a rant on awareness month and that it can turn into the vendor sea of marketing messages. And then on the employee side, ill-defined programs that are just pushing stuff out. That's just creating a bunch of white noise. So we banded together. We challenged the community to think about cyber community month of how you're giving back to your communities, whether that's within the workforce or within your actual community. We're doing something here with a local nonprofit to kind of give back. But my question for you is thinking about, maybe community. Groups kids you have kids. We have all of us have kids here or elder parents. One what's the group that you think needs the most help that's not maybe in your day job? And two what's your best tip that you would give them here in October to really help them as a community in need?

Cody:

Good questions. And for listeners, man, this was not teed up.

Aaron P.:

So this is off the cuff.

Chris Reed:

Yeah. I think, I always get really concerned about youth and I know there's some good materials out there for them, but even just watching how my kids interact with technology, sometimes I'm terrified about decisions they make. I definitely think, one of my biggest fears I have a mom who actually has Alzheimer's even, and she uses an iPhone. And the thing I'm most terrified about is all these scam messages coming across on text and things like that in phone calls. So I think on that side, just helping people with the right tools, but then on the use side, teaching them things like how to use the password manager on their phone. I have simple things I teach my kids around. Hey, these passwords you keep memorized, but, all these game sites and stuff that you could care less if someone gets your account, you need to be using a unique password, keep it in your keychain. You should never have to worry about remembering that thing, right? Just those types of strategies for kids. I'll catch my kids just not even reusing the same password places. So I think things like that for our youth to help them understand what this world, is like, and definitely how not to get themselves in trouble. Cause, you know, it's an interesting time out there, right?

Cody:

A lot of access to a lot of things.

Chris Reed:

Yes.

Aaron P.:

Awesome. Well, this has been a great conversation, Chris, thanks for coming on. Hope you have a good rest of the weekend and we'll see you next time. Thanks Cody. Thanks again.

People on this episode