Podcast

Military Cyber Security: How to Stay Resilient When Threats Go Digital

Today, no military operation would be possible without digital systems. The systems are needed for communication, situational awareness, and rapid decision support, all critical for mission success.

Written by: Terma
Podcast Cyber Security

What happens if your command-and-control system is hacked? Or if someone prevents, eavesdrops, or even manipulates the flow of information between units in combat? Just imagine what damage an armed drone could do, if taken over by enemy hackers.

In this first episode of Allies in Innovation, we talk about, what cyber threats nations and companies are facing, and what counter measures are taken in the military industries to ensure a resilient cyber defense for our armed forces.

Today’s guests are:
  • Chief Specialist in Cyber Security at Terma, Samant Khajuria
  • Cyber Exploitation Test Engineer at Lockheed Martin, André Cunningham
  • Cyber Architect at Lockheed Martin, Chris Sargent.

Your Host: Mikkel Svold
Produced for Terma by Montanus

Find it on

Or anywhere you listen to podcast.

 

*Disclaimer: This episode was recorded in Autumn 2021 before the war in Ukraine started.

Resources

Want to learn more about Cyber Security?

In our blog post "How to Design for Cyber Resilience in Modern Defense Technology", you’ll learn which countermeasures within cybersecurity are necessary for organizations, nations, and alliances to stay safe and resilient within the digital threat landscape.

READ ARTICLE

Episode Transcript

Mikkel Svold:

Welcome to Allies in Innovation. I'm Mikkel Svold, and this very first episode, we 're talking about something often neglected, but very, very important, cyber security. To enlighten us on this topic I've invited three clever people into the studio, Chief Specialist in Cyber Security at TERMA, Samant Khajuria, and from Lockheed Martin, Cyber Exploitation Test Engineer, Andre Cunningham, and Cyber Architect, Chris Sargent. Welcome.

All:

Thank you.

Mikkel Svold:

So today we'll look at some of the cyber threats countries, alliances, and even private companies are facing. Then we'll dive into the trends within counter measures and the future of cyber defense. Before we end this episode, we'll touch upon how we ought to prepare for the cyber challenges of tomorrow. I've been looking so much forward to this talk and Samant maybe you could start off by taking us through some of the more prevalent security events that we've seen recently. After that we'll segue into the general cyber threat landscape.

Samant Khajuria:

Yeah, we have examples like the Ukraine example, where the attack was done on a Ukrainian power grid, which is seen or speculated as a nation state attack. We have seen attacks on a civilian world, for example, Kia Motors. That's another example, which was a ransomware attack that's been seen. We have also seen supply chain attacks like SolarWinds that we know. Above all, we have also seen one of the biggest attacks, what we have ever experienced, WannaCry, that everyone knows about, which was basically exploiting the vulnerability of the underlying operating system that people use in the critical infrastructure or in their offices or enterprises, that being exploited and affected more than a hundred countries in the world.

Mikkel Svold:

Andre, can we talk about that? What sectors are more vulnerable or more prone to being attacked? Are there any sectors that are specifically at threat or?

Andre Cunningham:

I'd say right now we see that there are a lot of money motivated attacks, ransomware, but the scope has been fairly broad across the broad spectrum of different types of corporations. You've got like the Kia Motors, like Samant mentioned. There was a CD Project Red, so that's a game manufacturer. That one was a little different. So rather than locking down their services so they couldn't access their data, they actually stole a copy of the data. So, it was more, they were holding their intellectual property ransom, but we've seen police departments in the US. I think that the DC police department, just this year had a ransomware attack on their internal data. We've seen hospitals where they've locked down the machines in the hospital, so they couldn't conduct their operations. I think that actually led to a death and there's a lawsuit pending, and I don't remember which state it happened in. So, it's really starting to hit everything from the commercial to the public, to the defense industry sector. It's really across the board.

Mikkel Svold:

But when you look at the commercial attacks, it's easy to see that, okay, you can do a ransomware attack and you can get money out of it, but why would you attack a hospital? A private hospital?

Andre Cunningham:

Yep, a private hospital. Honestly, because fear. If you can generate fear, if people don't want to step back and they're already stressed out to begin with, and I think some of these attacks actually occurred during the COVID outbreaks and so that created an extra feeling of stress that may make people more likely to pay. And in the US where hospitals are a profit business that tie into the financial side of it, there may have been some political motivation in that. I'm not sure. And like the DC police department example, I think that may be a result of the political climate in the US right now. Because traditionally we don't see that state and federal government industries and infrastructures are usually attacks for ransomware, but we have seen some of those ransomware attacks in recent history that are starting to focus that way.

Andre Cunningham:

Traditionally it's always been, or almost always been focused on commercial companies and trying to make money. I think one of the examples was the oil pipeline attack in the US, where they went after the ordering and shipping infrastructure for that company and because of that, that shut down all sorts of operations and they were unable to ship oil, which caused a major slowdown in people being able to get gas. So, it affected a lot more people, and I think those ransomware actors, I actually stepped back and said, "Hey, this was not our intent. We were after money. We're not attacking the government infrastructure. That is not what we want to do." Because I think when you take it to that level, it really changes the dynamic of the response and what happens back. I think a lot of companies would rather keep quiet and they don't want to potentially jeopardize their market share or embarrass themselves talking about having an attack. So, a lot of these attacks are kept fairly close hold but changing that model from going after companies and then now go affecting people and government infrastructures really takes it to a new level.

Mikkel Svold:

You mentioned it already, Andre, but Chris, can you try to elaborate a bit on what are we actually supposed to be afraid of? What are the threats that we see right now?

Chris Sargent:

Especially from my perspective, the going from data stealing type of attacks that were occurred in the past, where a lot of the focus of the mitigations were to mission affecting or business affecting attacks to disrupt the business, maybe damage reputations of the company and just the fact that an attack gets released says that, "Okay, Lockheed Martin, for example, got hacked." If that makes the news, then does the government trust us to protect their information? Maybe not, if it happens too often. Attacks, to leverage what Andre was saying too, some of these attacks may be against smaller entities that have more of a limited ability to pay. But these are also smaller entities that don't have the resources to have dedicated security departments that can manage that. So, they're softer targets than maybe a larger corporation.

Mikkel Svold:

Maybe we should actually use that segue right into talking a little bit about the supply chain, cyber security. I know we've talked about it Samant and can you take us through, what are the threats that we see when it comes to the supply chain?

Samant Khajuria:

So, there was quite a lot of trust in when we are providing our systems to our end customers, from our end customers. But supply chain is one of the ways because there you just need to find the weakest link. So, the weakest link is if we, as Terma are providing to defense, but we are also using vendors which are providing to us, which become part of our product that has been delivered to someone. And from hacker's perspective or from attackers, our adversaries’ perspective, this becomes quite an interesting way of looking into so where is the weakest link? Where can they infiltrate and compromise or jeopardize what is being provided, so they can go into the bigger organization? Hacking or attacking our defense organization is very difficult, probably more difficult than we think about, but having the small companies or having open-source systems where the accountability might be a bit less or what Chris mentioned that they simply do not have the resources to think about security in the way the bigger organizations think, that is their way to come into this, an entry point.

Andre Cunningham:

So, I want to caveat off of that. So, I definitely think that as an adversary is looking at that supply chain, they're looking for the least defended place. I like the looking at physical security. So, if you look versus cyber security, it comes down to a lot of the same ideas. So, if I'm in the Middle Ages and I'm going to attack a castle. I'm not going to charge the main gate; I'm going to look for the posturing gate. I'm going to look for the areas that are less secure, or I'm going to surround it and keep things from entering it, put it in a siege state so that you negate the strength that those defenses give you by looking for those weak links that everybody's dependent on. They use cut off waterways, so then all of a sudden you wouldn't have enough water flowing in, things like that.

Andre Cunningham:

It's that same concepts that I like to think that there's nothing new under the sun. All of this has been done before. It's just the medium has changed and evolved a little bit. So that has a lot of those same strategies that were used in warfare. A lot of the same strategies that used in considering safety consciousness can be applied to cyber. So, it's really about changing that mindset away from the technology to the processes, the people, because really all cyber is there to deliver a service to someone. And so, looking at it that way really changes that conversation. The other thing I wanted to add was that looking at the SolarWinds act, you mentioned earlier, that's actually a well-developed large organization that supported a lot of different countries, a lot of different people. They had a lot of resources put towards cybersecurity of their own products, but because it was so widely used, that made it a more valuable target. Rather than the soft target, it was a target that had the center of gravity where it could affect a lot of different things if they managed to get in and ultimately, they finally did.

Chris Sargent:

I would add to that too some of the threats that we're really analyzing, aren't just the effects. We're analyzing the kill chain – the Lockheed Martin kill chain – we have an advanced persistent threat that may achieve a presence through the supply chain. That may be months. It could be, if its software especially, and it isn't being updated frequently, if it's in hardware, it could potentially be years before it's even triggered to achieve its effect. I think we talk about some of those accesses, but we also have threat command and control. The threat has to find a way to trigger that malware to achieve its effects sometime in the future, when it's going to be the least advantageous for the defender. Frequently there are attacks like we've talked about a simple attack, like a logic bomb, which is just setting it to some point in the future when we know the system's going to be an operation versus during test.

Chris Sargent:

There are also attacks for example, against vehicles that may leverage what we would call a geo fencing attack, which is the vehicle ends up in a certain position and that triggers the attack, or it's close to a threat country or adversary and that triggers the attack. Then the effect, what is the effect? Well, it could be trying to steal data, but it could also be trying to disrupt the control system to try to cause the vehicle, if it's a vehicle or the platform to not perform as expected. It could also be, for example, it could be as simple as just putting a logo on a screen that's an adversary’s logo and doing nothing more than that. And would that cause the maintenance, the country's security departments to basically tear apart their software and their systems, trying to find that other effect that's been hidden, that really isn't there.

Mikkel Svold:

Because they take it out of service for us for a while, I guess.

Chris Sargent:

Yeah.

Samant Khajuria:

And just to add that, so DOD, Departments of Defense' answer to supply chain is CMMC, Cyber Security Maturity Model Certification. So, this is something what us in Terma, we have been working towards, to get this cybersecurity maturity model compliance towards this, where we can also prove, but for us also to show that we are fairly confident where our products are being developed are secure environments and all the right policies and procedures are being followed. We put these requirements also to our suppliers that they need to follow those requirements.

Mikkel Svold:

Yeah, because those requirements, what do they entail?

Samant Khajuria:

Those requirements are basically good standards and good practices, good controls, tasks, and policies that need to be put in terms of cyber security, to make sure that we are cyber resilient in our environment. Example being, this whole CMMC comes in five different levels. And for a company like Terma, we need to be level three compliant, which consists of 17 domains and 130-odd tasks under these domains that we need to be compliant to, for example.

Andre Cunningham:

I would say from a US perspective, there's a lot of work going on right now where we're really trying to figure out what those requirements could look like, both from an integrator or prime contractor, like Lockheed Martin obviously ends up with. So, handing out requirements to people that are producing in our supply chain farther down the line, parts or software for us and, and helping to give them guidance on where we want them to focus. But I think the US government is really struggling with how to define that out. Cyber is one of those things that's so complicated, it's incredibly hard to evaluate, to quantify. So, without that ability to say, "Hey, you've got to do these five things," which has been the traditional model. It now becomes more, "You have to build cyber resilient systems. You can't worry about just protection. Now you have to actually worry about how quickly you can recover."

Andre Cunningham:

There's actually been a recent shift in how the US is looking at our supply chain and acquisition policies to account for that, for things like the SolarWinds attack. I think the president, I think it was last month, or maybe the month before last released an executive letter where one of the things that's called out is looking at a zero-trust model where rather than developing say a trusted relationship where, "Terma, I trust you. You give me the best products." Nobody is trusted, and so all of our products are developed around the design that something will be broken into eventually. So, we have to design the product to be less fragile, so we can react to that and be able to recover from that quickly and we can detect those attacks.

Andre Cunningham:

And I think we've been, as cybersecurity professionals, really looking along those lines for a long time now. But I think we're seeing a shift in how the governments are really looking at and what they're asking for. Now it's becoming a focus, which is making a lot easier for us to deliver products at cyber resiliency. I think cost has always been one of our biggest concerns. Because if I give you a contract and say, "Hey, I want you to develop a widget that does A, B and C." Well A, B and C is going to take all the money and that's how the contracts were really built initially, was A, B and C plus a little bit for profit was what you would ever. Well now it's, "I want you to deliver a product that does A, B and C, and it has cyber security in it and built into those requirements." So now that in the engineering models that we develop and when we give our quotes to the government, we're able to account for that deliverable of delivering a cyber resilient system. I think a lot of corporations, I know Terma, with our talks with them, I know Lockheed is really focused on how do we quantify that? How do we evaluate our systems? How do we train our career force to deliver those kinds of resilience systems from the ground up?

Mikkel Svold:

Do you find that customers are willing to pay for that or not?

Andre Cunningham:

I think... Well, go ahead. You want to answer from your side, and I'll answer from my side.

Samant Khajuria:

No, that's a very interesting thing because are customers willing to pay for a secure Facebook? Are users willing to pay for a secure Facebook?

Mikkel Svold:

Are users willing to pay for Facebook at all?

Samant Khajuria:

Yeah, exactly. But there are many of these factors because this is a shift right now that's going on in some cases where customers ask for something very specific, then they are willing to pay for it. But a basic cyber hygiene on the product, for example, and basic could mean also 10% of the total cost of the product. That is something that customer expects that you do. But our way of doing business today does not accommodate necessary, those kinds of things. And this is where cyber security becomes a little bit hard. It's not hard in having right policies, procedures, doing the vulnerability assessments and doing implementation of controls. It is just to justify what is the industry benchmark in all of these things. Especially when we come from these niche markets and niche products, then it becomes even more difficult because there is no one out there tell us that this is the industry benchmark on a radar sensor, or anything related to that kind of thing. So that's the grunt work that is going right now to figure out and build those benchmarks for these products.

Andre Cunningham:

I really like the car model. In the 1970s we built a car, and it was all about getting from point A to point B and how many people we could fit in and how fast it would go, and then over time, as seat belts were developed and airbags and crumple zones and roll cages, safety became a primary concern because the consumer wanted more safe vehicles and governments started mandating more safe vehicles. So, I think that that combination of a more aware public with more aware demands and the government looking at it and saying, we can't take failure in these areas, especially as more and more of the critical information exchanges that we do to make our government's work, banking and finance and industrial control systems are all relying on the internet nowadays, everything's interconnected. So now we have to defend it.

Mikkel Svold:

But how do you do that? How do you actually defend the critical infrastructure? Because there's all kinds of different things like oil, it's been border, banking, finances?

Andre Cunningham:

It's a big complex problem.

Mikkel Svold:

And they're very different sectors and industries as well, right?

Andre Cunningham:

But I think it's starting from the mindset that cybersecurity is something that everybody has to be concerned with. Just like if I was going to build a factory, safety and everybody working in that factory, safety is a primary concern. We don't want to get injured. We want all of our employees; we value our employees.

Chris Sargent:

I think it goes back to something you said, which was quantifying it.

Andre Cunningham:

Yeah.

Chris Sargent:

We have a very difficult time quantifying the benefit of all the mitigations that we're including in our products. And if we can't quantify it or show the benefit, which is difficult because we're not actually attacking our own systems.

Andre Cunningham:

How do you prove a negative?

Chris Sargent:

Yeah.

Mikkel Svold:

What do you do then?

Andre Cunningham:

So, we're not attacking our systems, but we're testing our systems.

Chris Sargent:

Yeah.

Andre Cunningham:

So, we go out and do tests on our systems and attack our systems – it almost sounds like I'm saying we do attack it and we don't attack it at the same time – to validate them, to look for those weaknesses, to show proof and that we are taking cybersecurity seriously and they can react and recover from attacks.

Chris Sargent:

These analytical events do have the ability to prioritize and analyze the mitigations. I'll be on honest with you getting our customers to recognize the marketing value of these mitigations versus just, "What do I need to comply with? What's the standard for compliance?" is a challenge and getting suppliers to develop products that are going to include those when they're not explicitly specified by requirements is a real challenge.

Andre Cunningham:

So, if everybody starts thinking about cybersecurity as a requirement, as a function requirement, the same level as the system performance, I think Internet of Things is the perfect model for this.

Mikkel Svold:

Yeah.

Andre Cunningham:

"Hey, we're going to start putting internet of things, devices everywhere in your house." And well now people are like, "Well about privacy? I'm concerned about privacy." And all of a sudden, the manufacturers reacted to that. And so now security is being considered in the design of those internet things products, in even the basic process of how do I update the software on it? Who is it allowed to communicate? Is it communicating back to a home server? Is it doing that at an open or is now it encrypted and in a VPN tunnel? People are really concerned about this because they live with cyber every day and the recent attacks have brought to the forefront of their mind how dangerous they could be. Something we've been screaming about for 10, 15 years.

Mikkel Svold:

If we take that example into a military context, what's the equivalent of that, because I heard in my research, one of the incidents that I stumble upon was I think it was the Las Vegas casino who got hacked through the filtering of the fish tank, because it was on the internet.

Andre Cunningham:

It was internet things device?

Mikkel Svold:

Exactly. But talking in a military context, what's the equivalent?

Andre Cunningham:

So, I would say that in, and I think the department of defense, DT&E, test and evaluation organization looked at that. One of the areas that they've been putting out as focus areas for their acquisition programs is you have to look at maintenance systems. You have to look at because we're actually getting really good at defending the primary surface, a warship or a plane or a missile or a car. We're getting good at defending that. But what about the diagnostic equipment that plugs into the car, is anybody defending that? And so, we're looking at those dependencies for this system to operate it connects and communicates with all these other systems. And by looking at that and figuring out which of those systems are critical to important services and who communicates to who, it's the same problem as the supply chain. Primary tax surfaces the car, but all the other things that connect into it and who can communicate with it and so I think that we are taking that model and the government's starting to take that seriously because they've been bitten a few times. They've had incidents that have popped up and based on those incidents, they said, "Hey, there is a problem here and we have to pay attention to it."

Samant Khajuria:

And IoT model is very much applicable to the defense way of looking into things. I can give an example, I am not ex-defense, like my colleagues here, but one of the things I learned very fast is the OODA loop for example, and the whole point of their OODA loop is the timing. Timing is very important. And for Terma, one of the core things is to provide situational awareness to our customers. So, they have the right situational awareness at the right time. If we take this IoT example, because it is basically the sensors, sensing information and bringing this information to an operator for better situational awareness. If we see attacks there, for example, someone can get into the system and not change or manipulate any information that is coming from these sensors.

Mikkel Svold:

But also, I guess not just manipulate, but also just observe.

Samant Khajuria:

Yeah, exactly.

Mikkel Svold:

That's a big deal as well, right? Just even knowing what you know.

Samant Khajuria:

Yeah, exactly.

Mikkel Svold:

It's a big deal, right?

Samant Khajuria:

So just simply sit in the network and just eavesdrop or manipulate or make the systems un-operational.

Chris Sargent:

Denying that the critical commands to key systems, yeah.

Andre Cunningham:

I like, it comes to me, everything we do in cyber is all about a system, an IT system. And IT systems, ultimately at their heart are all about providing information to the right person at the right time. Anything you can do to affect that and this back to the CIA triangle, is the confidentiality, integrity, the availability of that system compromised, what kind of impact does that have? If it's just a C2 system for alerting, it may not be big. But if we're talking air traffic controllers, if we're talking train operators, managing multiple trains across similar sets of tracks, the impacts can be huge and disastrous, and that's what we're all afraid of and we're doing our darnest to try to mitigate.

Mikkel Svold:

So, I think for the general public, or at least for me, one of the examples that I can imagine is obviously you have a vehicle, a car that can drive more or less autonomous. If you take over the controls of that, you can wreak havoc on the highway. But that could be, I've never thought about trains and well, I guess, power plants as well, and anything.

Andre Cunningham:

Yes, anything that is using the internet as the primary means of moving information is a danger.

Chris Sargent:

Yeah.

Andre Cunningham:

Is potentially a danger.

Chris Sargent:

And to your point about the trains, there was that train that crashed off into the station because there was an operator basically that took a phone call, I think, and wasn't watching the train at that critical moment. You can imagine how that could be misused by a cyber attacker. They're watching this, they're seeing all this and seeing what the damage is that could be caused by that, what safety measures are in place that could protect against that. Thankfully they're getting better, but just seeing the impact and working backwards from that, sometimes that's what we do I think in war games, what I've done is work backwards from a potential impact and then get to what are the cyber effects that could cause that, and then how could we propagate through the system from a maintenance system, the malware in order to achieve that effect?

Andre Cunningham:

Yeah, if you think about everybody's favorite heist movie. Ocean's 11 say just pulling out-

Mikkel Svold:

Brilliant movie.

Andre Cunningham:

I want to get in there and I want to steal the money. So, where's the money located? How is it defended? How are the guards moving about? They figure out all those steps, those processes, and those procedures, and look at all the human interactions and they plan all of their interactions to take advantage of that, use deception, use blind spots. So that understanding of what's going on and how to attack it, that's the mindset we're trying to get all of our IT people to look at things, look at your system as I'm designing it, "How could this be misused? Is there anything I can do right now to fix that that would cost me five cents to do it right now versus $500 later," and that security focused mind, just like that safety focused mindset being integrated is great.

Mikkel Svold:

That actually takes me into one of my last questions here is how do you design for cybersecurity going forward? What do we need to do right now? Both when we design software and I guess also hardware?

Chris Sargent:

A lot of it is just a culture shift. Andre brought up earlier, a lot of the mitigations that have been out there aren't new. It's just finding ways to apply them that are, for example, like on a platform that's space, weight, and power constrained, where if we're adding security functionality, we might be take away resources that could support non-security functionality that the users want. How do we apply that in a way that gets the user that security without impacting their ability to get the new functionality that they need in order to accomplish the business function or the mission? A lot of it is just looking at things, Andre mentioned it before, the recovery part of it. That's not necessarily a security function. we have recovery mechanisms in place. We can reload software and override the malware with a known good gold disc, but that may occur too slow. If the mission timeline or the cadence of it is that I have to recover in five minutes and somebody has to go and get the disc out, it's an hour long or two hours long, or even 10-hour long operation.

Samant Khajuria:

The incident response.

Andre Cunningham:

Goes back to ocean's 11, they set off that EMP device and, or maybe that was 13, whichever one it was. And then that caused everything to reset and then all security went down, but it came back up, but was that enough of a window for them to get what they wanted done?

Samant Khajuria:

This is the reason why Lockheed is there. So, I would say cooperation with your partners. That's what we are doing right now together with Lockheed, learning processes and doing it in a form of a CTT, cyber tabletop, where we are bringing our own systems and architectures and sitting with our partners here and discussing about all these cyber threats that could potentially happen to our systems and take it from there and start building more resilient systems.

Andre Cunningham:

Yeah, so one of the most important things from my perspective is that shift to knowing yourself. We are really bad in the IT domain about knowing ourselves. How many computers are in your building, what do the computers doing? What software on the computer, and that there's so complicated, there's so much off that nobody's paid a lot of attention to that. This is nothing new. I always like to take it back to a Sun Sue quote, and this is, "If you know the enemy, you know yourself, you need not fear the results of a hundred battles. If you know yourself, but not your enemy for every victory you gain, you'll suffer defeat. And if you know neither the enemy or yourself, you will succumb in every battle." So, if we don't know our systems, and we aren't thinking about how attacker can take advantage of that, we're never going to be able to defend the attacker. You're never going to stop everything, it's all about making it so expensive for the attacker that you can make them have to spend so many resources it's not worth the effort. You'll never stop somebody from robbing a bank.

Mikkel Svold:

Is that possible?

Andre Cunningham:

Yeah.

Chris Sargent:

I think it is. A lot of it though depends on our ability to get those mitigations, not necessarily to implement them all at once, because a lot of these products rely on third party legacy products that we can't redesign all at the same time, because it would cost an inordinate amount of money. So just building these mitigations into our product roadmaps, as we replace them, as we update a library for new functionality, that's probably the only way realistically where we can incrementally get those in.

Mikkel Svold:

Now, if you're a small company or basically any company, what would be the first two, three steps that you ought to take right now, when you leave this podcast?

Samant Khajuria:

I would say, and good you asked this question because this is in many different forums, this is always come up. If you are a small Danish company, who's trying to figure out how to do cyber and where to start. Either it's cyber or it's privacy GDPR, many different things and people are really struggling there to do that. I would say that not everything needs to be done by themselves, so it's not like they need to figure out by themselves. So, there are systems, there are services.

Mikkel Svold:

Going back to the partnerships as well.

Samant Khajuria:

Partnerships, and utilize those things to do that, rather than try to do it yourself. Many times, we have seen that it sometimes pays off and it helps where you use security as a service, or you use systems which are already secure. So, an example being a cloud system, for example. Today, the cloud service providers, for example, like Microsoft, Google, and all these guys, for them security is really important and data privacy also together with that.

Mikkel Svold:

And they've got the muscles as well. [crosstalk].

Andre Cunningham:

And the economy scale. So rather than 50 companies, each having a hundred people focused on security. Now 50 companies can pay Amazon to have 200 people on security and receive a lot of the same benefits for less cost.

Chris Sargent:

Just sharing information.

Mikkel Svold:

But also making Amazon more vulnerable to attacks, well, not vulnerable, but prone to.

Andre Cunningham:

They become a more valuable attack service.

Mikkel Svold:

They're more at risk?

Andre Cunningham:

Yes.

Chris Sargent:

But they always were anyway as a big company. If they weren't a hard target, they would be an easy target.

Andre Cunningham:

Yeah. So, the simplest thing I think that any organization that really is turning their first look to cybersecurity can do, is sit down and think about their operations. "What do I do? What do I have to do on a daily basis? And what's the most important thing to me?" All right. So, if it's email, if it's code, if it's our code is stored in a repository, defining those out and saying, "These are the priority things that would mean the most harm to me, how do I protect those?" And you work from that core, Mitre calls it a crown jewel analysis. You work from crown jewels out and successively as you can improve the resources and the defenses all out, but based on those, because if you've got your critical things protected, you can work on recovering everything else. So, by doing that, by focusing on those critical things and figuring what's important to you, that's probably the easiest first step.

Mikkel Svold:

Yeah. Okay, well thank you so much. We've got to wrap this up a little bit. I think it's been such an interesting talk. We've been quite a bit around different domains, but it's been super interesting. And I just want to ask Samant maybe you could take this one. If listeners want to learn more about the trends and developments within cybersecurity, where would you recommend, they look and stay updated?

Samant Khajuria:

There are many forums, many places out on the internet. So, for example, we were just discussing before wired.com, for example, is one of the places where all the trends, what are the attacks, what has been seen and how we can mitigate those attacks, as an example. There are many other sources like this. So, for example, find best practices or standards that are being followed that we can definitely follow.

Mikkel Svold:

All right. Andre Cunningham, Chris Sargent and Samant Khajuria, thank you so much for joining and to you, dear listener, we'll have all the links to everything we've talked about in the show notes at terma.com. And if you do like this episode, don't forget to hit the subscribe button and please leave us a comment and rate this episode, so we'll make sure to give you the coolest insights possible coming forward. Thank you so much for listening.