Host Tanya Janca meets Ron Brash. He is a well-known technical expert in the ICS community, with a history in oil and gas that goes back to a young age and a record of taking on difficult-to-solve industry solution development questions. Today, he has a Master’s degree in Computer Science, a Bachelor’s in Technology, and over a decade of experience with industrial networks and technologies, embedded systems, systems design and risk advisory, in several different domains ranging from aviation, energy, gas & more. Currently, he is a director at Verve Industrial Protection, where his role as Director of Cybersecurity Insights includes product ownership, risk analysis, vulnerability research, reverse engineering, and facilitating relationships in IT & OT divisions of organizations.
Thank you to our sponsor 10Security
[Music]

Welcome to the We Hack Purple podcast, where each week we meet a new and interesting member of the information security industry, because we want to learn what it's like to do all the different types of jobs. We have a very special guest on today. So he was on my bookstream a few weeks ago. He's a fellow Canadian, which is awesome, but he works in a very interesting area of IT security, where he is in the ICS community. So, you know, like nuclear power plants and stuff, that is Ron's jam. And we are sponsored this week by 10Security, those nice folks that make DefectDojo and help people, uh, by consulting and just, like, setting things up and fixing them and automating them. So let's meet Ron Brash and let's talk about securing big, serious things.

Well, thank you, thank you. That's a lovely introduction, as a fellow Canadian.

Thank you for coming on the show. We're pretty excited to have you. We had so much fun with you when you're on the book stream.

And thank you, it was always a blast, always.

Like, as soon as we got off, my, my, um, sound person was like, "We have to have him on again." I'm like, "I know. When's the best time? Let's figure it out. Let's just plug Ron into every space." So thanks for, uh, thanks for accepting our invitation.

No problem. This is a wee break before the rest of my work day continues, and I'm also three hours in the future, so it will, it will continue.

Yes. Um, before we went live, Ron was explaining, um, that his evening is far from over, is just beginning. This is because industrial control systems are all over the planet and they are not necessarily in your time zone.

That's absolutely correct. And in the current world, and the way that we do business for everything, um, you don't, a lot of people don't understand that there's externalities to everything. So if, for example, because some of you might be from BC, you're very probably familiar with, uh, Catalyst Pulp and Paper. Well, pulp and paper often winds up in products that, guess what, wind up as the packaging for your vaccines
and without the packaging you don't get your vaccines. So everything goes left, right and center, way farther than you think, even beyond your organization. And that's, that's what makes my interesting life very interesting, but it also makes it very problematic, because you don't shut down a system, uh, when you do Windows patches on Tuesday, on Tuesday, Friday.

Um, okay, so I just realized I didn't tell everyone: this is Ron Brash and I'm Tanya Janca, because I'm bad at doing intros and I was just excited to have Ron on. Can you tell us what your job title is and kind of tell us roughly what you do, besides saving the world every day?

Well, saving the world is an understatement. Uh, it's a thankless job for an industry that probably has very little expenditures for actual security. So hi, I'm Ron Brash, as Jen, as Tanya introduced me, as, I'm a director of cyber security insights of Verve Industrial Protection, and so we focus on industrial cyber security for industrial control system environments, operational technology, and then the systems that often run on IT commodity infrastructure that support those industries. But besides my title being a humongous mouthful, what it actually means is I'm a super geek. So I get to present things in front of executive boards, absolutely, but then I also, well known for reverse engineering embedded hardware and even bringing several products to market. So that's, I get to do it all. Um, there's less glamorous parts, like writing and running interviews and working with sites. Uh, it's not very sexy. Play, probably 50, 60 percent of the job is actually relationship management and helping teams feel less abandoned because they were the site, but then corporate's in that nice ivory tower, and mending the fences. There's a lot of that going on, and trying to make sure people don't lose their jobs, as well as making sure you and I get all the products that we want. So it's a really complex thing, and also including the technical part, because you can't have the relationships without passing the
technical sniff test. So it's, it's everything.

Yeah, well, I mean, if you're gonna let someone touch your industrial control system, that's really serious. Can you, can you explain what an industrial control system is, for people who might not have heard of that?

Sure. So when you hear IoT, it's similar but not at all the same thing. It's similar in the sense that it's often very small, uh, it's doing something very close to something like a sensor, or maybe even something cyber-physical, right? It flips off an actuator, flips a relay, turns your light switch on and off. That's IoT. But when we get towards industrial control systems, they might share commonalities, but we're talking not about millisecond delays, we're talking about microsecond delays, uh, even some sub-microseconds, as in like 400 mil, uh, microseconds. So very, very, very tiny, tiny stuff. Uh, the, the difference though is kind of in the way that these systems work. They don't get to be fleet repaired and thrown away every three years like your corporate laptop. We're talking about lifespans of 15, 20 years. Uh, these are the systems that, that I, instead of everyone dealing with the, the CIA triad, the confidentiality, integrity and availability triad, we work in terms of SRP: safety, reliability and productivity. So things that go boom, things that, uh, wind up with people losing their jobs, localized regions, uh, not having an entire industry because that plant is ceased to production, especially in high-volume, low-margin markets like pulp and paper, or even oil and gas. In many regards LNG is not profitable. So there's a lot of things that we do, and we do, and it's, it's fun. So embedded in control systems are the things that we take for granted, right? Doing, throughout this pandemic, guess what, we had water, we had electricity, we had sewer, we had vaccines, funny enough. But as you start to see, certain things do and, uh, will break down, and actually after the pandemic we are due for a lot of things not being available, because the maintenance cycles and the
prevention, prevention hasn't happened. And so, yeah, industrial control systems is a completely different world than just going to Best Buy and buying a new laptop.

Well, and like, I think that a lot of people have not realized how many things have been interrupted during the pandemic. Like, for, for instance, um, you know, I wanted to buy some wood so I could build a greenhouse. It's tripled in price.

That's, wow.

And so now there's going to be a housing shortage coming up, because people are not, like, it's going to cost more for all these different supplies. And I've noticed when I go, for instance, the hardware store, that certain things that I know weren't actually affected, they're like, "You know what, I'm going to bump it up 20 percent, because I know I can, because all the other prices went up and people don't know." And so, like, working in BC, we have the trees and we have the lumber, but apparently, like, a bunch of large American companies actually buy the lumber a year in advance, and so because they're struggling to keep up because of the pandemic, uh, we're just not allowed our own wood, which sounds weird, but, um, that is how it goes. So for instance, like, you can buy wood at Home Depot in America, but then it's harder to get here at Home Depot because of the way supply goes. Yeah, I think we're gonna have a lot of interesting stuff after the pandemic kind of smooths out a bit.

Yeah. Well, there's, there's a few other areas that are similar to wood. Um, so everyone says oil and gas, super evil, uh, terrible for the environment. Well, if we had been very smart, asphalt is one of the most expensive things that you can make from oil and gas, and the tar sands do, do that. They actually make oil, make asphalt very, very well. It would have been a great time for us to pave all of our roads. But what people forgot was that because there was such a glut of fuel on the market, we're actually paying that at the pump now, because the refineries cut production to raise the cost, and therefore we are accepting that, because they run
the gas stations. So everyone, everyone is playing, uh, playing a game to a certain extent, but also because they need to cover their margins. If they weren't making profit, they need to reoccur somewhere or regain it somewhere else. So there was a bunch of that happening. And if you work on the networking and hardware side of things, or if you work in the automotive, you'll find that, guess what, your car lots have no cars on them right now. Well, because all of the commodity chips that are supposedly made in Taiwan are getting actually held up in China because of China-first policy. So Cisco, a lot of Cisco equipment, I've been waiting on it since the spring, or my firm's been waiting on in the spring for one of our customers, and it's not being made, or it's not even coming in, because Cisco can't guarantee the dates because of a China-first policy. So there's, there's a lot of stuff happening around the world that we don't see in the news. Particularly in Canada, United States have been too focused on things that are burning right now, um, or, or vaccines and stuff like that before that. But there's other pieces that we're kind of, we've kind of taken for granted, uh, and, and we're starting to see the repercussions of, of that after a year and a half, going on two years.

Honestly, Ron, when I look at the news, and the fact that Twitter feels the need to share at least, like, almost every other day, "Masks are actually useful in the prevention of getting, like, the spread of the vaccine" and "Vaccines are safe", and they're, like, they're, the fact that they're trying to just deliver the basics because there's so many people in denial, how can they talk to us about more advanced things, like, like those topics, if they're just trying to deliver, like, general, I guess, like, they're trying to combat a lot of fake news, I guess is what it's called, or, like, rumor spreading or whatever, and, and doubt about scientific processes and such. And so, like, they're spending all this time doing that, and it's like we're missing the real
news.

That's a great segue into cyber security basics. Yes, that's a great segue, because if we have to keep talking about them, and apparently AI and fancy things are going to solve all of our security woes, which they won't, um, basics, basics, people, basics.

Yes, yeah. Oh my gosh, last week we had this woman on, name Meryl Vernon, and she's a pen tester, and someone asked from the audience, they said, "If we followed the CIS Benchmarks and all the best practices, like turning on MFA, you know, using service accounts, all this stuff, like, would that stop you as a pen tester?" She's like, "Oh, hell yeah. If everyone actually followed the advice and actually did the best practices," she's like, "yeah, my job would be really hard." Uh, and I, how do we get them to do the basics, Ron?

Well, we gotta make them sexy. We gotta make it, gonna add glamour to it, glitter. I, I don't know what the right answer is, maybe it's sequins, but that's what we gotta do. Um, and, and that's also true not just for programmers, but even, what we need is professionals. The world doesn't need a whole army of pen testers per se. The majority of cyber security is from a lack of maintenance and, and tidying up of user accounts and applying patch. Well, patching isn't necessarily a solution, especially in my industry it's not, because you have bigger fish to fry and you have to schedule everything. But when it comes to writing programs, uh, things are very, very different, uh, in terms of the basics, and we need more doers. A lot of, a lot of stuff can be done by just doing, or planning ahead. Uh, in many regards DevOps and lean stuff is actually kind of counterintuitive for security, because people cut corners going from sprint to sprint to sprint, and they papier-mâché upon papier-mâché without thinking through the console. It's like, "So, okay, I'm going to accept user input, so this sprint we're making our interface. Where was the, the task item to sanitize the input? Oh well, we'll do that in the next sprint." But that, guess what, there's another feature being papier-mâchéd on it, and that's the progression. Industrial's exact same way, IoT is the same way. Um, if I actually was a VC, I would recommend that no VC ever buy a startup that does IoT devices. Maybe buy it for the idea, but can all of the code, because it's worth, it's entirely, we're throwing out. So there's a, there's a huge thing for basics here, and we can go into many of those discussions. And I think that's, I guess, kind of how I also got into the industries, by being pragmatic. So who knew, basics are sexy and they get you a job, you know. They, they really do.

Um, yeah. Um, I, I have a question. So there's some chat, there's some chat about, um, actually about vaccines in the, uh, but I'm not gonna comment on it. Um, but someone was saying, "Isn't part of DevOps security as you go?" So in my opinion, security should start at the beginning and it should be a part of everything you do, and I have lots of thoughts on how to build it into DevOps, but is it de facto a part of DevOps?

Well, I, no, no. Uh, I, I thought, I thought lean, agile programming practices would do more work with less people so we can, we can save money. That's what I've, I've heard is from organizations. Um, so I kind of joke about that, but I'm saying that tongue-in-cheek. You would think security and engineering, well, okay, let's look at this way. The basics: if you look at the basic word security, security implies stability and the, the overall integrity of something, especially if you go after the finances sort of sense of the word. And 80, 90 percent of the vulnerabilities in devices is related to poor engineering and poor coding. So for some reason development and well-designed things are not, they're not integral, they're not intrinsic. And for some reason, maybe it's an ownership problem as well: persons don't think security is their job, that's the cyber security professional's, or it's their tool's job. I don't know what the excuse is, but that's one piece. And then if you're a dev, uh, ops person, you might be integrating other people's code and thereby infecting yourself
so who's responsible for that as well? So that, there's so, so, so much on all of those things, that it all stems around, uh, not cutting corners and being, uh, pragmatic. Uh, maybe not super pragmatic, like in the sense of being dogmatic, but, but going back to the, the real sense of engineering and security and writing your code as such. Plan for the worst day and you can't be surprised, and you can do so without affecting your schedule too much.

Yeah, especially if you plan it out in advance, and especially if you template things, if that makes sense. So, you know, "We're going to build an IoT device, and so last time when we built one, what were the security issues we came up with? What were things that were requirements that we need in every app?" Like, let's build that in from the very beginning, make it part of our original plan.

But yeah, I'll give you, I'll give you an interesting example. So there was this concept of, uh, writing code based on parameters, so it was called dynamic programming, circa 1980s, and it was built on the whole concept of using models to write your code. And so if you remember the earlier days of Unix and Linux and even Windows, your configuration files were super unstructured. You could do whatever you wanted to the drivers, because nobody did any sanitization. Onwards you would go, and then along came XML with XSDs, and everyone's like, "Well, yes, it's super expensive performance-wise," off you went. But now I'm seeing the complete offset, where everyone's throwing everything into a binary JSON stream and there's no model to even properly parse out the results, that know what your worst case is and what your allowed inputs are. So we've actually regressed again already, within a short span of like five years. So there's all sorts of interesting things.

Oh yeah, that's a good one.

Uh, yeah, absolutely. Um, we should say it out loud for people listening, for sure. Okay, so Kellen has a great point here, uh, just to kind of go down the side track. I know there, I know from an industrial standpoint, and he
came from oil and gas, there's always a problem of cutting labor providers while increasing responsibilities. Absolutely, it's true in corporations, it's true every, everywhere, especially where, if you're in an industry that has become globalized, uh, in general, where you need to be very, very effective and cost efficient.

Yeah. Okay, so Ron, what is a day like in the life of doing, like, securing industrial control systems, or what is a day like in the life of, like, your job as a consultant trying to essentially accomplish that?

There's so many things, and then we could even go back to when I was a more of a developer as well. Um, so being a consultant, everyone thinks it's very glamorous. It's like being an entrepreneur, and it's, for some people it's great, uh, and being a consultant is also great, but you, but also it's like having a family. If you're not just the only employee in your organization, it's like feeding a family. If you have employees, they're wasting your money if they're not making work that makes money. They're kind of like kids, um, but you got to feed, you got to feed them. Uh, and, and that's the piece here. But also you forget that there's a huge mental cost to it, and so if you're going to have a high-stress life, potentially like myself, I'm not necessarily soapboxing that that's what someone should do. Um, and I've paid some, paid some mental dues for that. But my day of my life is, uh, get up early and look at probably three or four pages of notifications. It'll calm down. Uh, then the meetings start, and then you'll, you'll come through, and it, everything always comes in waves, where another big incident comes out and you're getting calls about that particular thing or that vulnerability, because the customer is like, "I have no idea if this applies to me. I don't even know how to read an advisory." So there's those pieces. Um, a lot of it's firefighting, a lot of it is doing assessments, a lot of it is teaching, uh, and I try to do so without being very, uh, as a vendor shill. I try to be more plus about
how I write or how I speak. Uh, and then on the other side of it, eating my family.

I don't know what country you're in, but all right.

Uh, there's, there's, there's that side. And then the other piece that you need to consider is that consulting is not a glorious job for the most part, unless you take on very technical, well-defined scope problems. Consulting means you get brought in for one of two things: they need a scapegoat and you're gonna get put under the bus, or two, you're getting put in as a consultant to solve a problem because that business is unable to do so of their own, because of, uh, toxic culture, has no money, whatever, and you're probably still gonna get thrown under the bus at some point during that whole adventure. Uh, very rarely do you get the third category, which is, "This is actually gonna go somewhere."

Correct.

Um, maybe in, maybe in very, like I said, very specific technical problems where it's well defined what, you know, "I'm going to make a device from start to finish, it's going to do A, B and C." You can do that. That'll work out well if you, well, if you, you're very good at it. But when you're going there to deal with human problems, build road maps, uh, do technical assessments, it never goes well. People are unavailable, uh, schedules mix-match, people are afraid to tell you the right answers, you have to go find them or surmise. You have to, uh, I don't like the word manipulate, but that's the truth. You actually have to massage them into giving you basically the answer that you suspected, which was the real answer. You kind of just reposition them. Uh, you offer help, but the same, and the same time under the guise that you're actually questioning them. There's a, there's a whole art to it, and I don't like that aspects of the job, but it is very important, uh, in order to, to get to the base, to the base of the problem. Um, and I guess we could apply the same for coding. If you're, if you're a lead, how do you make your, your developers get to the same point that you want to get them? And that does
require leadership slash, uh, some more, uh, softer version of just persuade, uh, or lead by example, but it still is a form of, uh, psychological manipulation to some extent, and that's also bribery.

Bribery, incentivization, yeah. I will make baked goods and bribe teams with them. Like banana bread, chocolate chip cookies, like, I'm not above that.

And then, and then the other piece is, uh, depending on who your customers, sometimes they tell you to jump and you gotta jump three feet, or sometimes ten feet, yesterday. But then simultaneously, what I'm doing as part of, in my job, is I'm also reverse engineering other devices to figure out how they work. So what, what, you know, it's undocumented, as highly proprietary, probably Bob or Jane has since retired, uh, or passed away, potentially moved out of the country, God forbid, or it was, it was outsourced as well. So nobody knows anything about anything. Companies have been acquired, divested. So there's, there's all sorts of, uh, I mean, I never asked to become a historian, but I kind of have in many cases. Uh, so there's, there's a whole aspect there, and like, I want to go find an answer on Google, it doesn't exist. You want to call up a maintainer, not possible. Um, this is, this is a whole other world. And then there's the whole politics about vulnerability disclosures, which we could talk about as well. That's another world, where you need to be watching your back from the corporate lawyers. Um, we thought we got past it, but we haven't. So yeah, that, that's my, my whole life is all of consulting, project solving, vendors, teaching, speaking, you name it, and also raising a puppy named E.T., the Canadian APT.

Oh my gosh, he's so cute. He's so happy. So what type of puppy is he again?

So he's a, he's a Chihuahua.

But he's a certain kind of Chihuahua?

Correct, he's a deer-headed Chihuahua.

Oh, what a cutie pie.

And not, not berkey.

That's not bad. Yippie? Okay, sign me up.

You're not recommended, they're not recommended as your first-time dog.

Oh really? Are they high maintenance?

They're not high
maintenance, but you have to teach them and treat them in a certain way. We're still, we're still struggling with a couple basics, like the pee pad, but everything else is doing fantastic.

Okay, yeah. I've never had a dog before. However, um, my bonus daughter, it sounds nicer than step, um, really wants a puppy, and I'm like, "Can it be as small as possible?" And that dog is so cute. Ron, what about a Chiweenie? Have you seen those? It's like a Chihuahua and a wiener dog put together. Those are really cute.

So I always try to keep what, what's meant to be kept as something. If you start breeding things that are like long, short, with multiple weaknesses, you're not going to wind up with something happy. So wiener dogs are notorious for having broken backs, hip issues, joints. Not deer, deer-headed Chihuahuas, but apple-headed Chihuahuas all are also the same. So kind of, again, there's another lesson there: don't turn a product into something it's not supposed to be, um, or a piece of software. So Chihuahuas are similar to that. Uh, and I could find analogies all day long for my dog or the cars and how to make them better.

But I have to say, that is a really cute dog. Um, yeah. Oh, so there's some, so I mean, apparently not everyone wants to talk about your puppy. So, given, so comment from the chat, like, good comment: "Given that Kaspersky vulnerability was known for a year or more, seems pretty wild out there with disclosing vulnerabilities." What is it like disclosing vulnerabilities in ICS? Like, because it's totally different when it's a power plant, right?

So there's the point of disclosing it, and there's the point of actually getting that to the customer's hands eventually. There's the problem with the CPEs never, ever possibly matching something, or even being disclosed. So if right now you go on ICS-CERT, I checked yesterday, and there's a device called an N-Tron TCP serial gateway, and you go to check the CVE entry in NVD, it's reserved, which means they've never published it. It's locked up and it's under, it's stuck somewhere, and
guess what, no vulnerability scanning solution will ever find it, because the CPE is not there. Secondly, the CPE has no meaning to even possibly be matched, because if you have things like, let's take a Linux device for example. I'll give you an example of an ABB relay. It runs Linux on part of the system and it's got an issue with libssh. So ABB would produce a vulnerability report, maybe somebody would find it, maybe they would even see the ICS advisory page, but your, your vulnerability management tool won't, because it's looking for an ABB product or it's looking for a libssh, and so it doesn't, they don't match, because you don't know what's inside of it. So that's, that's kind of leading into another part, of software bills of materials. Uh, but in the proprietary sense this is the whole hell of a ball game. The other piece is, okay, just because I report the vulnerability to CISA, Homeland Security, various product vendors, doesn't mean they have any obligation to produce an advisory or disclose the vulnerability. It's all honorary. The whole entire system is honoring. We expect it from Linux, the foundation, we expect it from the distros, we expect it from Microsoft to a certain extent, um, because they hide stuff sometimes in bug fixes. Uh, same with all the vendors, actually do this. They roll it all up. You got to be very careful in your readmes and your change notes, um, because you might see your fixes. So if you take BusyBox in Linux, you'll find out that there's not many vulnerabilities for it, but if you looked at the, the pull requests and all of the fixes, you'd find out that a lot of things like buffer overflows have been fixed and no one's ever reported as a vulnerability. This is everywhere in open source, except for maybe, like, the, the things that are under the most scrutiny, although arguably OpenSSL is not that great. Um, but there's a bunch of that, or even in the web, the web community, they do this all the time. They silently fix stuff, uh, probably because they weren't looking for security
like, "Oh, that's just a bug, and if it works now," and so it silently gets rolled up into, into a pic. So there's, like, there's a whole thing there of, like, stuff being hidden. Uh, stuff is hidden on, uh, on top of, uh, hidden portals for certain governments or certain relationships with vendors, and those will never actually hit NVD or any of the vulnerabilities. Yeah, it's, it's full of politics. And then there's also, the vendor has a chance to arbitrate between the researcher, the government entity, and then myself, for example. So I would be like, "Here's ten vulnerabilities, it's non-refutable," and they're like, "We'll deal with five, take it or leave it, and we want them not to be tens, we want them to be five." So they monkey around with the CVSS, uh, vectoring string to drop it down as far as possible, or they say, "It's not my problem, because there's a compensating control." And you can play this game until the kingdom comes. And again, after they've been published, no one's responsible for updating them as well, and, and making sure the data sources are in sync. This is true for everything, and that's not just industrial control systems. So yeah, it's, it's, uh, it's a lot of fun.

Why is it more complex to report vulnerabilities and actually get them reported for real in ICS, rather than in general software like an operating system?

Uh, I think it's got something to do with the ubiquitous nature of mainline operating systems. Uh, when you have controlled the hardware, well, arguably nowadays with some of the Microsoft stuff like Surface Pros, when you get control of hardware and you have a certain, uh, ease of how you can patch and nuke the operating system and apply whatever you wish, that changes a lot on how you reflect and report vulnerabilities. People expect it. But when it comes to even your home router, when was the last time you got an update for that? Once, once you include a bunch of things together, proprietary or open source together, and put that in a box, the concept of owning a product from, from cradle to dry
grave becomes very, very difficult. And generally by the time a product has ever hit, hit the market, the whole team that built it has either been fired, let go, or they finished their contract, or they've been already shuffled onto the next product, and off they go, and maintenance is never considered. Yeah, and when I say maintenance, there's, that also includes updating your core operating system, by the way. Those of you in containers, please update your core operating system and your dependencies inside it. Containers are not a way to make, sweep everything under the rug. I'm saying that again, and I know it's coming. Um, yeah, but yeah, that, that, all of that stuff that I'm describing makes this, makes it so, so tricky. Uh, and then, uh, Helen again had another great question, so about, "How do you secure something that's so remote, not physically secure, guarded, or like a pump jack or pipeline controls?" Uh, depends on what you mean by security. So physical security is a bit tricky, right? Cameras, barbed wire, uh, I don't know, army of small Chihuahuas, uh, maybe that's how you deal with it. But when you're dealing with things, um, uh, as well, I don't ever actually try, I try to tell people, don't trust your windmill, don't trust your pump jack, because that actually could be an entryway into your organization, because there's nobody out in, like, I don't know, uh, let's pick, let's pick a random place it's got pump jacks. I'm not that familiar with some parts of oil sands, but if you chose, I don't know, Leduc, if, let's say there was, there was, there was pump jacks in Leduc, um, there's not that many people in Leduc anyways. Uh, or if you took a wind farm, uh, like one of the ones I was in not too long ago, uh, in the northwest United States, that one state has a population the size of Victoria.

Well, wow.

There's nobody around, and you could probably watch your dog run for days. So you really need to consider your physical aspects, and you assume that that site could always be compromised locally by someone physically, and you can't
trust what comes out of it. Now, you want to monitor it, you want to do all your basics, but then you rely on compensating controls. Uh, then you have stuff like maybe potentially pipeline controls, and those generally, so people forget certain things about pipelines. Pipelines are a logistics company. They move product from point A to point B. Uh, everything is like a freight train, it's back to back to back to back with scheduling. If you screw up the scheduling, I can't guarantee what's in the pipe, I can't say that someone received 10,000 gallons of X. All of that starts to change, and so you just stop the pipeline, because you can't control the building and metering. Um, yeah, it's pretty simple to deal with that, and there's so many manual places in there, but you try to stage a lot of it. So security, uh, becomes very tricky, uh, remotely as well. But then you need to also make sure that you can trust what you, what you have, and that gets very tricky, especially in assets like, uh, like a pump jack or a well, where security upgrades, even on hardware that's long end of life, uh, are not, they're not possible, because they're not, you'd rather abandon the well and throw a concrete plug into it and forget about it for the remainder of humanity, and to then, to put in new products. So it's really, really tricky, and you kind of, one of the reasons why they hide vulnerabilities is for that purpose. Uh, you don't want the bad guys to know. No, there's camps about this. Uh, you can pick your religious side of the debate. Some types of vulnerabilities and certain things I do agree should not be public knowledge, but they do have to show up on a register somewhere, because otherwise the asset owner would never know they exist.

Yeah, and how do you fix it if you don't know about it? It's hard.

Well, you can't fix it, because that turbine control system has been out of manufacturing for, I don't know, let's say 10 years, and the cost of a new one starts at five hundred thousand dollars, and that's the most basic safety system. So you
can see that it's it becomes a very different scale of just starting new with a new framework and patching and doing all that stuff it's it's you have to think about how you do stuff and that's what really is starting to scare me about iot now you could say containers and load balancing might help potentially but that's assuming that the developers have not decided to use a new framework every six months um because you have testing to go all this as well so that it's it's so it's so it's so different and that's the only way i can explain it and if you think regular cyber security and development is is kind of a niche section of society we're talking about something that's like fringe or fringe yeah okay i have to thank our sponsor because somehow 33 minutes have gone by and i don't know how that happened thank you folks from 10 security for sponsoring our podcast for several weeks in a row and buying a whole bunch of diversity scholarships yes that's right we hack purple has a diversity scholarship it is to help people who are underrepresented in tech become more represented so if you apply for the scholarship which is open all the time uh if you're selected and a very hard percentage are getting selected like i think maybe over 50 percent are managing to get in you get to take the entire application security foundations program and you get a copy of my book and you get a certification at the end when you've completed all of the coursework that said what i was actually supposed to be talking about was how 10 security is awesome they are consultants that basically created defect dojo which is a vulnerability management system they're super nice dudes and they will come and set up your devops pipelines and automate all the things and it's pretty awesome i've got to work with them before and they are a blast also we hack purple just released their newest course it is called secure coding it is a language agnostic course uh it is 249 dollars for an on-demand course of 
three and a half hours worth of videos 80 articles checklists quizzes code review um so i'm supposed to tell you about that and also this saturday we are doing chapter five of alice and bob learn application security that's right this saturday at 1 p.m pacific standard time myself and a whole bunch of my friends are going to get together and be nerds and talk about the fifth chapter of the book which i believe is common pitfalls that means mistakes that we make a lot and that we need to fix so i've done lots of marketing and i would like to go back to ron now and ask him more questions about like how someone could get so ron i find this area of security really really interesting i remember in ottawa um i got to see a talk and how do i add you back in i want to add you there you are okay awesome i just forgot which button it was i saw someone give a talk on this and it was really really interesting but honestly the person was full of beans let's say um and i like that person i was just like well that guy's full of crap um am i super fascinated by the topic like how how can someone get into this line of work because it's really niche like i have people tell me what i do is niche but that's i i got nothing on you so like how does someone even start well i i had a bit of a head start uh my mom and dad sold the most fuel for chevron in north america and retired at a nice ripe age of mid-30s um so i got lucky i got lucky that i was dipping tanks and going on the field trucks with my dad back in the days and by the way i was born in tofino i lived in ucluelet so uh and now i live in montreal worlds apart but i grew up in that environment i grew up with people cutting down trees getting oil out of the ground going fishing you know all of that stuff and for right or wrong that made me behave certain ways and talk certain ways uh that are maybe a little less pc that i had to correct as i got older but i grew up with a mindset of macgyvering making do with what you had solving 
your own problems for those of you that remember what man pages are we had very slow internet um i grew up on uh with 286s and and trying to make stuff work i was writing basic websites and getting shock able to host them even with my i don't know what i had how much bandwidth they had maybe 50 megabits per month or may think megabytes of traffic per month i think that's what i had when i was in like grade four or five i was making a silly website for something that's what i preferred to do when i was super young but i grew up solving problems and i actually like to even ask people as an interview question do you know how to change the oil or brakes on your car now less people have cars than they used to now but the reason why i say that is if you don't know how to do it how would you go about finding the solution to that and if you can't even come up with a question like well i'd go look up the model in my car i'd go find a manual on the internet i'd go get a jack and start or look at youtube videos that have already disqualified you probably from from an interview because my time is very valuable i'm not saying that i don't wish to mentor people but i want people that do the time to get ahead i want them i want them to want something right versus me spoon feeding you and you not knowing why i'm speed fooding you like i don't mind being uh food feeding someone but there has to be they have to understand the consequence is the impact of what i'm trying to teach if you can't do that on your own no matter amount of courses university you go to you're going to still struggle with like it's like not having a mission is your you know it might it takes you a lot longer to get focused right you might still achieve several objectives and goals and milestones in your life so because of the way i was brought up uh and i got lucky of being in the right place several times so arguably again luck is half of us being prepared um i actually did a diploma program as part of my 
high schooling at viu which at the time was called malaspina which is i did a two-year program called itas information technology and applied systems and it was a mixture of systems dev to networking to basic programming and i'm going to tell you security was not one of the functions in any of those classes for programming but we had a security plus thing so before i even finished that security plus course i'd already taken the exam i'd already taken my network plus i'd already taken my linux plus at before i even finished the diploma because i was like well if i'm doing the course i might as well validate that with something else for an extra couple hundred bucks at the time comptia is dirt cheap great place to get started in security and the basics by the way in terms of value person uh still still like a decade later actually it's more than a decade now so i started there and then i started working for a company that's based that was based out of lantzville called tofino security we were the first in the world to industrial control systems and firewalls and a gentleman named eric byres who's still a good friend of mine by the way who just won the bc ventures uh fundraiser well the thing for adolus which by the way is also stacked in lantzville and i'm also if you're you're in that realm and you're looking for some work i know they're looking for some skilled uh persons but not actually skilled in a particular language but have the drive the mission why are you doing this well we're doing it to make critical infrastructure better right there's a reason why we're doing it um so he took me under his wing and then i was doing technical destructive testing and all that stuff and i said i don't like doing this so i went did my bachelor's in bcit and so the whole you can see the whole trend of this was i knew what i wanted to do and i and i did the time to do it even if it was difficult i bridged and skipped two years of school and went straight into my third year at 
bcit because i did the time and did all the bridging while i was working that that is a that is how i did it so if you're going to try to get into a very high stress type environment uh for right or wrong uh not everyone could excel in it there's room for everybody but the way i did it was by doing the extra time by learning if i didn't know what that was well i googled it until the cows came home and then even if i still didn't understand it specifically well on monday you know after the weekend on monday i'd go and ask that person okay i googled it here's what i understand confirm deny give me my next thing to google so i can go figure it out on my own that that's how you get into this you don't necessarily need to go and become an electrical engineer or process control engineer then go into cyber security you don't need to be a web app developer necessarily to do embedded systems you can do it if you got the drive and that's my advice to everyone if you want to get into the space uh do the time understand the language understand what the customer's needs are and you'll get there it's okay really simple what type of technical skills do you think someone needs to be able to do like our because if we if we make a list of like the types of things they need to know then they can go and clobber those things like good question so here's here's a fun one if you want to be a good web developer and do websockets do you think it's important to know networking most most most web developers don't understand how tcp sockets work in tls that's a problem because you don't know how the secure connections set up nor the primitives so you do need to have some fundamental skills and basics in there no no one's asking you to be algorithmic and cryptographic wizard they're just understanding that you need to know the primary basics what is an ip address what is a port oh tls implies this this and this those are the types of basic skills so if i were to say what were the basic skills 
to get in this besides your personal soft skills uh fun good fundamental programming skills i know people say you don't need to learn that stuff in university you can skip university degrees but they do teach you vocabularies and primary basics that you allow you to go on the go google and solve problems on your own where teaches you what patterns are and some of the basic things so when you do read uh documents from acm and other digital publications for research you understand what's being said and you say oh well i know what that is i don't need to do it exactly but i can follow it and i just need to use that the algorithm or whatever that's in the library so there's there's like some basic uh some basic cryptography that you need to know basic networking basic fundamentals and architecting systems of systems because not most of the time now you write a container but it's actually got another container next to it and you're doing interconnected container communication or how does a browser interpret what's going on right and you're you're you have all your stuff on a server on a server that's being load balanced and that load balancing is actually talking to a series of databases on the back end and oh and guess what your data all of a sudden your tables are locking well you didn't do any profiling so there's a bunch of core uh pragmatic skills that you need and then i think in overall just need to be inquisitive and try to just think through what you do i had a junior asked me uh with one on my side that i mentor he said you know you look like you just write the code last minute and you get it done and i said no no you don't understand if i had 10 hours eight hours of that went into planning it i'd write the code and by the time i wrote the code guess what that code because i didn't rush it and write terrible code all the way through the next sprint i would have been fine because i'd set myself up for the next sprint because i thought it through part of that is 
experience east but part of that is something else so there's there's a whole bunch of things not just skills that you need to acquire but the way you think and the way that you plan and also just try to glue different even disparate experiences together and you'll find out that different domains all talk the same so if you take electrical engineering take computer science you merge them together you're going to find that you're going to go really far to get so skills are like cyber security by itself or secure development they're kind of verticals but they're not they're not intrinsic they're not disparate they're not independent from each other you can always quilt them together and get places so if someone said what skills do i need it's very very tricky to say which specific ones it depends on what you want to do yeah yeah um we have we have some comments about yes set the foundation first and then build and yeah i think that's really great so i have so many questions how did we go 45 minutes already like you just got here also i mean like before we finish i hope we can see the dog again but um what do you like best and what do you like least about what you do and also actually first before that question um so adolus is hiring so that's a-d-o-l-u-s so would that be like adolus.com probably yeah yeah okay cool so for anyone that is wondering about that you can find that absolutely and you'll probably stumble across a very important thing which we need to consider nowadays especially under biden's eo in the united states is software bills of materials so that's what they're going about and uh i recommend everyone wonder about where your code came from and what you've done to it um and because there's a few things to be said there just because something they're using has a pack has that says it's linux and a particular version does not mean it is exactly as it is you've mod you've modified it you've adulterated it there's so much more to think about than just 
oh i've used this package and it came from from debian or it came from red hat it's been adulterated and modified by the maintainers and so one vulnerability might not apply to you because you've done something else so there's so much there that we all take for granted when we ask visual studio or whatever our ide is go import sure but you forgot the rest of it is you don't know what you imported and what the consequences are now if you're doing web apps maybe that's not so bad although it was supply chain attacks that's true um but yeah there's a whole world there so that's what adolus is doing i'm giving them a free pitch because they're they're in canada as well uh and yeah for programmers canada for programmers definitely it could be a very interesting uh way to get started in your career for sure so i have been informed i must ask the cheese question but first what do you like best and what do you like the least about what you do because what you do is very specialized it's different than a lot of other jobs and i bet there's different things that are kind of awesome and different things that are not awesome uh the part that's not awesome is that every time i do an assessment i always find things wrong that we've been telling people to do right for the last 20 years that is beyond frustrating um beyond frustrating the other thing is i'm seeing new products also winding up with all the same mistakes uh that were quite some years ago and they're actually being made they're actually being amplified by the amount of extra things being allowed in a device so before you had a 300 megahertz megahertz cpu you had 16 megs of flash if you were lucky uh and maybe 32 megs around there's only so much you could do it so much you could put on that thing but now you've got a quad core with a gig of ram with whatever you wanted for a piece of nand flash you could have a uh 10 30 gigs whatever four gigs whatever and so you're winding up with a system that's got everything 
in the kitchen sink in it and actually attackers don't need to even bring any tools with you because you gave them the whole platform for free so certain parts of my life are getting harder and that's that's gonna that's we're gonna see what that's gonna look like and by the way all those iot devices that you're buying get abandoned so fast not just because the vendors are disappearing or they're abandoning the product the hardware has changed and so they don't maintain the product the whole world there too um so that's that's the parts i don't like uh and and the slow pace of which you see security moving it's hard to find budgets that imagine trying to get a whole bunch of fiber laid and get all this equipment if you're stuck because of cisco right now if you're if you're trying to find the budget for where it's like five or six dollars per foot but then you haven't counted in the cost of the swap over the shutdowns all that that's that sucks what do i like best i'm seeing more and more of the devices that i've actually built for security uh before i left one of my employers in 2014 i see them much more regularly now so that's what i love about my job stuff i've made is showing up in the workplace uh i'm having calls from product security officers as a friend to ask about particular questions and how do i deal with this being recognized and having my articles going around in certain circles where i didn't know that i was classified it turns out they classified what i wrote that's the nice part about what i do and that's what i enjoy or having individuals come up to me and i help them present and i watch them do great that's what i love about my job even though it's not part of my job it's what i do just as as my own profession so that's what makes me keep doing what i'm doing oh i love it that's such a fantastic answer so now the cheese question so um every so i was trying to figure out like a polite way to say does your job pay well for what you do and so we 
came up with the cheese question because it's like are you able to buy as much cheese as you want because cheese is an expensive grocery store item um but i you and i were talking a little bit about this before the show where we're talking about how security engineers it's just off the charts how much they're charging now because there's just not enough of us and companies are having a lot of trouble affording the security teams they need what's the answer well i'll break that into two parts i am paid very very well um but not well enough in the sense where the housing prices have gone up to such a point that even if i could do the down payment i don't want to i don't want to drop that much money per month on just a mortgage payment that makes no sense so that's that's my answer to you um but i do say that it is enough cheese so enough cheese is something very interesting to think about for a lot of people is i've managed to buy happiness so i bought et which is the now the price with all the shots as the price of a small used car and then you have uh my boat which was hot i named it happiness because it's proof you can buy it i love water it's the this what i want to retire early in the next five years to just live on water that's all i want so there's enough cheese although right now the housing market's kind of ruining how much cheese is necessary to get there but that's in terms of salaries that's a very good point so generally things pay quite well but people need to be very mindful of who can pay what so just because google can pay 120 180 000 us dollars does not mean that the government of canada can do so because to do so means that all of our taxes need to go up or price of everything goes up or uh we'll make do with less right so i'll hire one individual but not five those are very interesting things to think about you need to be very conscious about so again and what's enough cheese for your lifestyle is a very important question to ask yourself you ask 
for lots of money guess what double the work is expected from you and learning is on your own dime and dollar or on your own weekends and guess what that's life there's also to be honest i don't think there's actually a shortage of resources i think there's i think if you looked on linkedin there's tons of candidates what there is a shortage though of is individuals who can think for themselves can add one plus one or maybe two plus two that's the part that's missing and if you consider uh let's pick i don't know a smaller business in nanaimo or victoria that's probably under a million dollars of revenue they don't and they're fine there you go so could you afford a to pay someone software engineering 120 or 160 and the benefits on top of that four weeks of vacation and so on we need to start being realistic and most people that are asking for salaries have never ran or owned a business in their life or been exposed to one and that's the really hard truth that i don't like telling people is you might you think you might be worth that but guess what the market's going to collapse and though you better be worth 160 when the market collapses or those businesses are having a bad day you better have skills across the board to make yourself worth it um there's there's a lot to be said about how much cheese and how much you can ask and what's realistic in the market i mean the job market is going to crash and the bubble's going to break and a lot of people aren't going to have jobs unfortunately i i suppose but that's just my belief i'm honestly hopeful that we can create a lot more security engineers like by making training more affordable like not just we hack purple i mean the industry in general i'm hoping that uh like schools universities colleges even high schools start actually teaching stuff that can land people jobs so they don't have to pay seven thousand dollars american per course that they were talking about fans no um but it's just it it makes it 
unaffordable and you mentioned the canadian government so i think one of the problems with the canadian government is that they pay help desk the exact same amount that they pay software developers and they the exact same amount that they pay cyber security people so like i held the highest technical position available for like a decade and i remember like talking to the help desk dude and it's like like the help desk skill set is easier to come by than the cyber security skill set because of cost of training because of certain amounts of experience you need to get there and it doesn't mean that their work do not have value that's not what i'm trying to say but in the market it has a different value but the canadian government lumps them all into the same thing and it's like i'm sorry i'm not willing to take a 50 000 pay cut to work for the government it's ridiculous and part of the shortage isn't necessarily like if you look at linkedin or twitter you'll find a whole deluge a rainstorm if you will of of pen testers malware analysis stuff but if you really consider how many jobs are actually available that look for those specific things it's teensy compared to what the market actually needs the market needs administrators that are capable for windows boxes we need people to do all of these things properly which by the way are generally the reason why all this all the systems are getting hacked or popped uh same with coding right so you brought up a good point most of the coding examples that you see on stack overflow the coding examples you saw in your textbooks garbage that's also true for embedded iot devices where the sdk that comes from vxworks or arm is full of and riddled through holes uh i make jokes about even qt linux or qt uh and see is that they're not even doing the practices that they're recommending so there's there's a whole there's multiple areas that we need to be doing this and you don't necessarily need to have like to be a cyber security only 
person most of the cyber security professionals that i know that are let's say like ourselves we didn't necessarily come from that we came from a different background and we learned security as a as a an additive to our roles more so at least that's how i did it it became an additive i came as a developer and i learned security along the way um most of the time you don't learn secur if you learn security first and you don't learn how to program that could be that could be helpful that's not usually how it works that's not what their employer wants so it's a very delicate dance depending on which job role it is and what industry you're in and so on it's there's no i don't think there's a formula but we there's a lot of a lot of finance i would rather have one skilled appsec person with a whole bunch of software developers that have secure coding knowledge and experience than having like 10 people on the appsec team but none of the devs have like any secure security training they have no security knowledge it's it's much better to enable everyone to do their job securely than to hire a hundred security staff to run around and whack people with sticks absolutely i mean that's that's true i think in every software development thing right that you i'll take a video game company in canada and you have a very famous game and there was roughly i'm just going to round the numbers but it was 100 developers 10 of those were doing probably 80 of the work 10 20 of them were probably doing the other like another 10 of that work or maybe maybe even 30 and the rest were just doing things looking for spelling mistakes and and having coffee in the the coffee shop that was built into the building um yeah and just you know trudging behind the wagon right there's nothing wrong with that but that kind of tells you a lot is the majority of of what we need to be doing in terms of security is really related to discipline having the ethic to be like that looks stinky let's fix it um versus 
just putting it off uh there's there's so much that we that we can fix and we can do and and to to make it a part of our job but just i i don't know the right answers to all this i wish i did i mean but i have a feeling that even in 15 20 years nothing is going to have really changed just that the technology will have changed names more than more than anything or gone more virtualized that's i i don't like that i have to agree with you because i love what you're saying is true but i wish it wasn't true so it's hard i could talk to you all night but i'm definitely getting the you are supposed to wrap up now signals if people want to learn more about you if they want to follow you what are their options ron sure so uh so you can you could go through verveindustrial.com and you can read a bunch of my ramblings on the blog or white papers uh some of them will have a little marketing twist uh but if you wish to get a hold of me you can reach out to me through my twitter ron underscore brash b-r-a-s-h uh or you can add me on linkedin and i would be more than happy to add you back and have a conversation with you however you wish uh even on even if it was a one-on-one call to ask ask and answer a certain question so feel free to reach out to me however you wish even if it was about the wakeboards behind me or about my about e.t the canadian apt and i would be more than happy so thanks for joining us thank you so much i want to just spell out verve industrial for anyone that's listening that can't see so it's verve like remember the band the verve so v e r v e and then industrial just the way you would think and then com because sometimes with podcasts we speak quickly and i want to make sure everyone can go and visit oh my gosh et the canadian apt thank you so much ron thank you thank you to et for joining us and being adorbs oh oh my gosh heart melting seriously everyone on the internet is missing the cutest dog on the planet um thank you so much and thank you for sharing 
all this amazing knowledge this is really really great i felt like you had a lot of fantastic advice especially about like just setting a really good foundation having the good work ethic and i love how you're like plus you have to have a certain amount of soft skills like this is automatic you have to have some skills that comes up a lot on this show and and we could talk about how soft skills are important whether you're male female neuro divergent if you want to get promotions not to get passed across soft skills are very important as in advertising your own brand you can go we could go we could have a whole another webinar on that as well ron i feel like you and i could talk for four hours honestly um but well yeah are you going to bsides calgary just like totally random we hack purple bsides calgary but okay no you're not okay just wondering thank you again and i'm gonna actually say goodbye i'm really bad saying goodbye so this is ron brash he does ics security i'm tanya janca i want to thank all of you so much for coming to the show thank you kellan thank you ben thank you everyone who showed up thank you especially to ron oh my gosh that's such a great conversation thank you to our amazing sponsor 10 security we appreciate you guys i am tanya janca your host and up this saturday july 10th is chapter five common pitfalls of alice and bob learn application security we are going to talk about the owasp top 10 and how it is not a standard we're going to talk about a bunch of other common pitfalls like race conditions buffer overflows and all sorts of other stuff that you as software developers need to be concerned about and most of all how to fix them thank you again oh and you can join in at 1pm by going to youtube she hacks purple uh that's me your resident nerd and so thank you so much and we will see you next week [Music]