 Live from Las Vegas, it's theCUBE, covering NAB 2017, brought to you by HGST. Hi, welcome back to theCUBE. We are live in Las Vegas at the NAB Show 2017. I'm Lisa Martin, and I'm very excited to be joined by our next guest, Ted Harrington. Ted, you are the executive partner at Independent Security Evaluators. Welcome to theCUBE. Thank you for having me. Absolutely, we're excited to have you here. We're very excited also because Ted has a very cool Twitter handle, @SecurityTed. Super cool. So you are with Independent Security Evaluators. Tell us a little bit about what the ISE is. You were the first company to hack the iPhone and the Android. Give our viewers a little bit of a backstory on ISE. Sure. So probably the simplest way to think about it is that we're the good guy hackers. Companies hire us to help them find security flaws and remediate those flaws in their technologies. And so we do that across a number of industries including a heavy, prominent presence in the media and entertainment business. We also have a pretty strong focus on security research, which is what you're referring to with the iPhone and the Android OS. We also, even the company came out of what is today known as car hacking. We found a way to build a weaponized software radio that we could start a Ford Explorer without the authentic key. Wow. So we're tinkerers and problem solvers and we like to find issues before the bad guy does. And that's a great point about being the good kind of hackers. But also being able to highlight that these security challenges are real across industries and be able to, I presume, influence or help companies whether they're in media and entertainment or other industries, start understanding what is the type of cybersecurity protocol that we should be putting in place here to prevent the bad hackers from getting in? You hit the nail on the head. 
The core emphasis of what a security assessment with us entails really is focusing on the technology problems, the deep technical issues. But at its core, where all of these issues come from is the presence or lack thereof of an effective mission. Many companies that think about security are thinking of it as something that would be nice to have, not as a core business requirement. And changing that attitude is something that we spend a lot of our energy trying to influence. Because the companies that see security as the business enabler that it is, those companies are doing some tremendous things across industries today and they're really being the pioneers that are leading. One of the things that I was reading recently was what happened to La La Land where screeners were leaked and fairly prolifically. And obviously that was a big massive box office hit nearly a best picture winner a few months ago. But I've also read reports where a leak like that can really negatively impact box office sales upwards to 20%. If you look at a studio for example and you were kind of saying that maybe in general, security is viewed as a nice to have. Is that a strong enough demonstration of the vulnerability of say a studio to make them go, okay, we need help here. There are vulnerabilities we might not even be aware of. Are you seeing more uptake in the media and entertainment industry or is security still a, it's a good idea. But we've got other things to focus on creating really, really cool content. The media and entertainment business, I think does a fairly good job of prioritizing security. Now, of course across the spectrum there are things that we would advocate doing better or in different ways. But the business driver that you mentioned, the idea of avoidance of box office decline. That's the core fundamental problem that we're trying to solve for the content owners and their vendors. 
Because that window, the theatrical release from a revenue perspective is the most important moment for especially the blockbusters. La La Land, no one necessarily knew it was going to be a blockbuster before it came out. But when you look at things like the next Star Wars, the next Avengers, the movies that are definitely going to make huge amounts of revenue, making sure that that movie makes it to theater without being released. That is the top priority for many organizations in this industry. And we see a lot of organizations doing it well. That's good because the IP in that alone for a company, the next Star Wars, the next whatever happens to be the intellectual property that that studio owns is probably nearly invaluable. So having the right strategy around that is key. Wanted to pick your brain. I know that you have started the IOT Village and as we look at this proliferation of connected devices, the audience we were chatting earlier before we went live, the audience, we're so empowered. We can make decisions, we can watch whatever we want, whenever we want, from 35,000 feet in the air, we're binge watching, we're sharing on social, we've got multiple devices. Where that's concerned, and also you mentioned content, that's also not just a way that we're consuming content, that's a way that we're creating it. How, what is the IOT Village all about and is it down to the level of helping media and entertainment companies start providing security across the connected devices that are consuming and creating the content? We started IOT Village as a security research platform, basically where we invite other smart security researchers to help us focus on the problem of security issues in these connected devices that are being deployed, everything from people's homes all the way to businesses and like you said, even to the creation of content and consumption of content. 
And the reason that we wanted to put some emphasis on this problem is that that's an industry that I think maybe by contrast to some of the things we've talked about with media and entertainment that still has a ways to go in terms of how it's thinking about security. Security is not a priority in the development process for the majority of organizations in that industry. Now there are definitely some that are doing it right but they're more of the minority. So what IOT Village does is helps us shine a spotlight on those issues. To connect a dot full circle to what you were talking about with media and entertainment, this is a conversation that I don't think is happening loudly enough in this industry. Connected devices are being deployed for a lot of the cases you said. Consumption of content, for creation of content. Even for things that people don't necessarily equate with the process like the TVs that are used to screen whatever version is being reviewed right now in the conference room. Those are often smart TVs with an internet connection and there's not necessarily an adequate control in place around how to think about the security implication of that. Fundamentally, connected devices expand the attack surface and that's the way that organizations need to think about it. Not to say that they should not deploy those devices but that they need to adequately consider that in the security model. Absolutely and how does an organization get control over that, over those devices? Well, like any technology that's developed by a third party, one who procures that technology can only do so much. You can't actually get into the source code or whatever unless that organization wants you to. But there definitely are things that organizations can do in a deployment model to mitigate risk. 
So those would be things like ensuring you have proper segmentation where the highest risk types of devices are quarantined away from areas where the biggest, most impactful compromise could potentially exist to absolutely implement a threat model which is an exercise through which an organization identifies what you're trying to protect, who you're trying to protect against and how those adversaries will deploy their campaigns. Question for you about the devices now that are popping up in our homes, right? The Google Home, the Amazon Echo, as an owner of those, there's very little control, right? That an owner or user has over those devices. Any recommendations or insight into what can be done on the vendor side to, if this device is listening all the time, right, that's their job, any insight there into recommendations that can be taken to help make those a bit more secure? So for the person who purchases and deploys that device, there are a handful of things you can do. First and foremost, change the default password. Seems like I should not have to say that. Change it from admin password. But you'd be surprised how few people actually change the default password and a default password is effectively publicly available information. There was a very significant distributed denial of service attack that happened in October that basically took the internet offline for a few hours. And that was completely mobilizing connected devices that had not changed the default password. Attackers took them all over and then used those in the attack. So change the default password. Check for updates to what extent that you can. And really think about whether or not you might need the connectivity of a certain device. So for example, we talked about a moment ago, the smart TV. There are a lot of people out there who buy a TV, not because they need the internet connectivity to it, but because they want to consume content. 
If they're not going to use that connectivity, turn it off. Effectively, all that it's doing, if you're not using it, is introducing new ways to be attacked. So there's some simple remedies that either people or industries can take for their internet of things or connected devices to be a little bit more secure. Yes. However, the real crux of the solution definitely relies on those who manufacture the devices. So manufacturers of connected devices need to do things like adopt an adversarial mindset. Think about how someone will attack this system. They need to think about things like how are you going to update this system over time, especially given the fact that the average consumer of this device probably is not technical and probably will not proactively go want to be dealing with updates. They want to set it and forget it. So thinking about those things from that perspective, adhering to principles of secure design, going through security assessment, really looking at your system in terms of how it can be broken, that's how you build it to be resilient against attack. I want to ask you one final question about laws and regulations. What are your thoughts on that? Is that something that can either help a film studio protect their IP all the way down to helping those of us that have at home connected devices? Laws, regulations, good, bad, indifferent. What are your thoughts? I am very strongly not a proponent of regulation as a security measure. Laws and regulations, what winds up happening, they take too long to enact. The adversary has already evolved away from whatever the control is. They're usually very riddled with compromise based on all the stakeholders who helped develop this law. They're usually developed by people who are not technically savvy. Lawmakers are not security analysts, though they rely on security analysts. In the delivery of the execution, it doesn't really manifest itself effectively. 
That said, I recognize that in a lot of ways, that's just the way the world will move. And many organizations should anticipate that some sort of regulatory body at some point is going to require compliance with some sort of law. And while I don't think that it's a great solution to solve the problem, it's at least a start because it does get those who will not invest in security to at least start investing in security. So it lowers the minimum bar. It does not raise the highest bar. Very interesting insight. And one more question if I can tweak it in that is, you mentioned that media and entertainment is pretty good with respect to security. For those industries where it's still a nice to have, do you think it's going to take something like another DDoS attack or something else to something big that is quite impact, negatively impactful to get some of those industries to go, you know what, this is no longer a nice to have. This is a fundamental element that we need to culturally adopt. Do you think it's going to be something almost catastrophic that's going to drive that change? Most likely, but it won't be just the big issue. It will be whatever the big issue is combined with an individual or collection of individuals with the political capital to drive for that pioneering change. Industries don't typically change on their own. They change because people make them change. Good point. Well, Ted Harrington, thank you so much for spending time with us today. If you're not following Ted on Twitter at @SecurityTed, follow him, from Independent Security Evaluators. Thank you so much for sharing your insights. Have a great rest of the NAB Show. Thank you for having me. And with that said, you've been watching theCUBE live from NAB in Las Vegas. I'm Lisa Martin. Stick around, we'll be right back.