Alissa Knight talks API security, formjacking and hacking

Chris Sienko: Welcome to another episode of the Cyber Work with Infosec Podcast. Each week I sit down with a different industry thought leader to discuss the latest cyber security trends, and how those trends are affecting the work of infosec professionals as well as tips for those trying to break in or move up the ladder in the cyber security industry. Today we have a repeat guest on today's show. Alissa Knight is the senior analyst at Aite Group an independent research and advisory firm focused on business technology and regulatory issues, and their impact on the financial services industry. And I daresay she's been one of our most popular guests to date.

Alissa Knight: Yes.

Chris: She led with a hell of a story about her, her days in high school and a certain government organization escorting her off campus. So if you get a chance, listen to that, the previous episode as well, it's amazing.

Alissa: It was fun, it was fun. I like how you introduced me as a repeat guest. I'm kind of like, I always like to say I have this effect on people, where I infect them. I call it the bubonic Ali.

Chris: Oh yeah.

Alissa: So I've definitely infected you guys. You guys can't get enough. Got the Ali fever.

Chris: Alissa is our favorite guest, she will be on again and again.

Alissa: Yes, this time it's happy hour, we're doing a happy hour interview.

Chris: We're going full happy hour.

Alissa: Salute to all the listeners.

Chris: Salute, I wish I could join you. Today we're gonna talk about API security, the Magecart hacking group, some recent breaches that should be on your radar and the concept of formjacking skimmers, as well as Alissa's upcoming book. So let me tell you about it, Alissa Knight is the senior analyst with Aite Group where she performs focused research into cybersecurity issues impacting the financial services, healthcare and fintech industries throughout the assessment of sector trends, creation of segment taxonomies, market sizing, preparation of forecasts and developing industry models. We gave a little sneak preview on this last time, but Alissa is in fact the author of "Hacking Connected Cars: "Tactics, Techniques and Procedures", which is out on paperback on October 8th from Wiley. Alissa, thank you and welcome back, and cheers.

Alissa: Thank you Chris cheers, salute. Actually while you were reading my bio I'm like, damn, I really need to change that bio, I really need to update it. That was literally a copy and paste from a job description for an industry analyst. So for the viewers, just so you guys know, basically I'm a content creator, that's basically what it comes down to. I am a content creator and I'm an influencer, so basically if a content creator, a content marketer and an industry analyst, and a hacker, the three people were to have a baby, not that that would be even possible.

Chris: Three-person baby, sure, I'm following.

Alissa: You're following, if they were to have a baby, all three of these people, I would be the product of that, so I'm basically a hacker meets content creator, meets industry analyst. So that's what I am, basically I create content, in video, audio and written.

Chris: Meets new author. So what's been happening since you were last on the show? When we last spoke you were talking about hacking connected cars, and again, a very fascinating episode. And the book you wrote on the topic, but it sounds like to book is almost about to be released, and it sounds like you might also have some big news to announce as well?

Alissa: Oh yeah, there's a lot of it. So I don't even know where to start. So in my personal life, I'm moving to Las Vegas. I fell in love--

Chris: Is it the hotbed of cyber security?

Alissa: Yeah.

Chris: I guess it would be.

Alissa: It's funny, actually we met at Black Hat briefings, if you believe it, so I bet no one out there thought Black Hat briefings could actually be a dating site, but we met, I fell in love and I'm moving to Vegas. So other than the personal stuff, professionally a lot's been happening as well. I'd like to announce I got a new book contract with Wiley, I'm actually gonna be authoring a new series of books. Okay. I've been doing quite a lot of--

Chris: Can you tell us what they are about?

Alissa: Yeah, so hacking API, hacking and securing APIs. That's a prevalent pervasive issue right now, it's a contemporary issue that people care about. Keeping CSO's up at night, that's what I like to keep my research on is anything that people care about now not what they cared about 10 years ago. Containers and container security, hacking containers and securing containers, which is really cool, a lot of issues around Docker security, AWS security, S3 bucket security. There is that. Gosh what else? I finished the copy edit on my books like you mentioned, so the "Hacking Connected Cars" book will be out I believe in October just like you said. So copy edit is done and starting on the new book. So a lot of exciting stuff, today also the embargo was lifted on the Arxan In Plain Sight II series, so this is a follow-on to the first report where I hacked those 30 financial services mobile apps. This is a new report focusing on e-commerce sites that have been formjacked or hijacked from Magecart groups stealing credit card data. So that got lifted this morning, that reports come out, I discovered 80 sites that were breached by Magecart, worked with the FBI in the take down of those and the report is out. So things are good, things are good.

Chris: Let's put a pin in that and jump back to what you were talking about. When we recorded back in May you told me you were, and you just said it again, you were on a 10 country world tour documenting 30 financial services mobile apps in which you discovered vulnerabilities, so how did that go, how were your discoveries and remedies received?

Alissa: It's still going. It's funny, I just got off a podcast of my own with the Arxan team, and I was just analyzing this, hindsight is always 2020 vision. And I was just pulling this apart. When we walked into it and we came out, we were like, of yeah, these are some awesome vulnerability findings, we've got SQL injection here, we got some other insecure logging. It's funny, it took on a life of its own. After the research and after speaking at different conferences the emphasis started to change, the narrative started to change. It started to change to API issues, they were hard coded API keys and API tokens and 29 out of 30 apps. And so the narrative really started to change, not that those other vulnerabilities weren't important, not those other vulnerabilities weren't bad, it was just that there was all this emphasis on API security right now, and you have these major banks, major banks where they were hard coding API access keys and tokens and credentials in these mobile apps. And so it was really interesting to me as a researcher to see this narrative change midstream, mid-flight. Where when I was speaking at conferences it started to become less about the other vulnerabilities and more about the API issues. So I ended up on, and you ask a great question, how did it go, it's actually still going. I'm heading to Tokyo, I'm heading to Singapore, heading to Singapore and also Germany to discuss the findings, and I'm actually starting to change the presentation, so every single conference I speak at I do a different version of the presentation. But the remaining conferences for the rest of the year I'm actually gonna be doing it live on stage. So I'm gonna take an actual bank app and I'm gonna reverse engineer it on stage and then I'm gonna show the findings live. I still haven't figured out how to actually mask the name yet.

Chris: Oh yeah okay, that's important.

Alissa: So I'm working on that, I'm working out those logistics. But Germany in Frankfurt, the global CIO banking summit will be where I will be doing that live on stage for the first time.

Chris: I'm assuming this is not online to the public, this is something that is invite only. If our listeners want to, okay fair enough.

Alissa: I think it's an invite only event, I think.

Chris: Fair enough. So basically you're saying, you came to these presentations, you're like hey, I hacked these financial service apps, and they're like, never mind that what about API security, that was kind of what their reaction was or?

Alissa: Exactly. It was like the other stuff is kind of cool, SQL injection blah, blah, blah, all that stuff is bad. But let's talk about those API findings. And it somehow brought me over to API world and brought me over to API days. And it is, it's like people are trying to figure out how to secure their APIs. And it was really interesting for me as an outcome from this research where I started to reach out to some of the app developers for these banks, and we are not talking about small community banks, your listeners might be thinking these were small community banks, these were small credit unions. No, these were billions in assets under management. These were really, really large banks. So it was real interesting because I talked to some of these developers and reached out to them and I found out that a lot of these large banks actually outsourced the development of their mobile apps. So the interesting thing to me is that I found out that the marketing department considers a lot of these financial institutions consider the mobile app to be a function of marketing, because they consider it to be like their website. And a lot of times, and a lot of these instances and cases the security team was not involved in doing a pen test of the mobile app, they weren't involved in doing any sort of static or dynamic code analysis, the marketing department basically outsourced this development. Cyber security was not involved in this project. Once the app was done they requested an API key for the app and the bank was none the wiser, they had no idea that these keys were being hard-coded in the apps. So it was a very endemic issue across all the apps, and the one bank that was the most hardened that I didn't really find anything with was a bank in Europe, it was a European bank. So we definitely have a ways to go as far as maturity is concerned. Financial institutions, a lot of people will tell me, yeah, they're further along in their maturity of their cyber security program, not necessarily, especially for the empirical data of my research.

Chris: So let's talk about API security and the Magecart group and formjacking as a tool of choice, but before that let's start at the ground floor, give us an elevator pitch on what API security is and what some of the most common API vulnerabilities are?

Alissa: Sure So API security is simply, I like to use the analogy it's like an electrical socket in your house. You have API consumers, you have API producers, the people that are providing the data, these are the financial institutions in this case. The electrical socket is analogous to the API, so the API is like an electrical socket, it doesn't matter what you connect to it, you could connect your hairdryer, you can charge your iPhone, the electrical socket doesn't care. The company on the back end, the electrical company on the back end doesn't care what you're plugging into it either. It's producing this data through this electrical socket. Sorry, it's provisioning the service through the electrical socket, which is electricity. APIs are very much the same thing, it doesn't matter what you are tying to it, it could be a mobile app, it could be a car, cars connect and communicate with APIs. And you have the backend, which is the provider of the data, the API provider is provisioning this data. So that's really a quick elevator pitch on what an API is. Securing APIs is a different story. A lot of companies are making the mistake of putting a WAF in front of it and treating it like a website. But that's not really the case, APIs are not a website. Yes, they speak HTTP, they speak HTTPS, they speak the same protocol that a website would, but you can't secure it like you would secure a website, because you're not really looking for things like a SQL injection attack. You're looking for things like I am providing this API access key, even though it's valid, should I be getting that data? I have this API key and I'm presenting it to you through a postman request, but does that necessarily mean that just because I have a key I should see that? So it addresses the authentication and authorization issues and you need a security solution to do that. So I'm actually looking at API security solutions like the form systems of the world, 42Crunch-ers of the world. And looking at these solutions because companies aren't securing APIs in the proper way, which is why they're still getting breached. So if you have an API access key it's like the password. So I found these API access keys hard-coded in these mobile apps, it's like having the password to the backend system. It's crazy.

Chris: It's like putting the Post-it note with the password on the front door of your building or something.

Alissa: These companies have no control, once these apps are published for the app marketplaces I can sit there and tear apart this mobile app in the comfort of my own home without worrying about the bank's network intrusion detection system, or host IDS, or anything regarding timing, I can take my time, I can pull this mobile app apart, and it doesn't matter, no one's looking at me nobody's watching me until I get the data that I need in order to actually launch my attack. So it's an interesting attack surface.

Chris: It is, and I was gonna say, it feels almost like the old movies where the terrorists are going after the infrastructure, they're going after the Hoover Dam or something like that, you're hitting utilities in a way. So is this a new enough issue that these organizations are off the hook for not knowing to do it, or should they have known better? How sort of .

Alissa: That's a good question. I always say you should have known better, but that's just me, I'm kinda a cynical ass. Sorry, am I allowed to swear on the show?

Chris: Oh sure.

Alissa: Sorry, bleep. So I'm kind of cynical in that way, you should have always known. But at the same time, it's the story of my life. I've been working in this industry for 20 years now and vulnerabilities always reappear in a different form. It's like history repeats itself in cyber security for sure.

Chris: There's patterns I would imagine?

Alissa: Yeah, I see the same problems as far as insecure code development and everything from 20 years ago just reappearing every few years. Maybe it's because developers are coming out of school and they haven't really been exposed to security development yet. Whatever it is, but vulnerabilities reappear. Just like buffer overflows reappear, hard coding credentials and source code reappears. It doesn't matter, it's just a game of leapfrog, every time we make a leap forward, hackers make two leaps forward, and it's just this game of catch up.

Chris: Of course, that's always the case. So you mentioned a little bit about it, but what are your primary recommendations for securing APIs right now?

Alissa: I would definitely recommend that organizations consider API management and API security to be two separate things. Now this is a religious debate. Because I've decoupled, moving my mic here, sorry, I've decoupled the technologies. There are certain analyst firms that want to consider the API management space to be all-encompassing, to include the API security gateways of the world. I think that's wrong, I don't think that security should be a feature of a management product. So you have these API management companies that have included API security capabilities as a feature, as an add-on, whereas these companies like Forum Systems or 42Crunch, these companies have built their technologies from the ground up to address API security threats. So my recommendation to CISOs and buyers out there is yes, have your API management solution, but also look at investing in an API security product. It's kind of like the old TVVCR combos, if anyone remembers those. When your VCR broke all you had was a TV, if your TV broke all you had was a VCR, and then because it was attached you couldn't really do anything if your TV broke. I see API management solutions with security functionality as being those TVVCR combos that should have never happened.

Chris: I see. So is there a resistance to this because of the usual I don't want to spend more money on another service, or what do you think the friction point is?

Alissa: No, I don't think it's a budget issue, I think it's a lack of education. One of the things that I'm doing as a content creator and influencer is to really influence the market and help guide decision-making. And really help form that narrative. And the narrative that I'm addressing right now is the fact that the API management solutions, the API gateways out there are trying to set the narrative that you don't need a security solution. Now, I will give credit to some of the folks for connecting us into Ping identity, that connect us in with OCTA, those are great setups, those are great ways to architect it, but understand that I think what's happening is that just the market needs to be educated on the fact that you have API management and you have API security and those are definitely mutually exclusive. In my mind I think those things need to be two completely separate things and they need to go together.

Chris: So I guess moving on from that and expanding on that a little bit, I'm assuming we haven't covered the entire topic yet, but can we talk about the lifted non-embargoed report that came out today?

Alissa: Yeah, so I'm glad you want to talk about that. So it's very interesting research, this is part two as a follow-on to the first In Plain Sight series paper oriented on the mobile apps that we talked about.

Chris: Are these papers available to the general public?

Alissa: Yeah, so if they go to ARXAN, www.A-R-X-A-N.com, you can actually download the report. I don't know of part two has been published yet, I know the embargo has been lifted on the new coverage of it.

Chris: The news folks have it anyway, but it will filter down eventually.

Alissa: Probably about a week I would imagine, if it's not today.

Chris: It's gonna be up by the time we get this up.

Alissa: Yeah, so if you head over to Arxan.com you can download it. So what part two is about is we have moved from the mobile attack surface to the web attack surface. So when you go to check out, let's say you go to Amazon and you buy something and you check out, there are these groups called Magecart groups, now people mistakenly refer to Magecart as a single group or a tool.

Chris: That's what I was imagining.

Alissa: Magecart is an umbrella term for a set of groups who are focused on stealing credit card data from e-commerce sites. There is currently tracking of seven completely separate groups, one of the intelligence research firms has collapsed one of them, so there's six. There is of course more, but there's six major one with this intel firm is actually tracking. So what Magecart is is it's a group that has implemented an attack kit, a malicious JavaScript that's been embedded into an e-commerce site. So if you're going to for example www.shoes.com and you want to buy some shoes, they'll compromise that site, typically running Magento, thus the name Magecart.

Chris: Ah, there you go.

Alissa: There is a correlation.

Chris: Now I got it, I always wondered.

Alissa: And the site will be running a vulnerable version of Magento, and they will breach it, and once they have a shell on a site they will inject malicious JavaScript into the checkout form and paste it in there and as soon as someone goes to the site puts in their credit card data, the credit card information is sent to the Magecart controlled server, the collection server and it's also processed, so if Chris Sienko is buying a pair of kicks your order will be processed, but a keystroke logger or the formjacking code will send your data to third party site under their control. So you will be none the wiser, you'll have no idea that you've just been skimmed.

Chris: That was one of my questions.

Alissa: A digital skimmer.

Chris: This is an electronic skimmer, it's like ATM skimming, but electronically. So I guess that brings up a worrying question, is there a way for users to be able to tell that the site they're on has been formjacked, or is this one of those problems that's so deeply embedded but you can only address it after structural level?

Alissa: The thing is that I think the Alissa Knight's of the world will be able to, meaning that John Doe or Jane Doe on Main Street isn't gonna shoes.com, right click on the site and say inspect source. You can see the malicious JavaScript in the source code in the Dom, which is referred to as the Dom in the browser because the JavaScript executes on the browser side, it does not execute of course on the server side, it's executing in the browser. So if you right click and view the source you can actually inspect it and see the code, and it's typically obfuscated. The average Joe consumer isn't gonna see this, or if they do see it they're not gonna know what it is because it's obfuscated. So the answer to your question is yes, you can see it if you look for it, but you need to know what you're looking for. So that's why this is such a successful attack. Just like if you were at the gas pump, if the person does a good enough job they can hide that card skimmer at the gas pump. They did a really crappy job and it's hanging off the side.

Chris: And your card doesn't go in for whatever.

Alissa: You can tell.

Chris: So I guess that brings up two questions, what is our expectation of what our due diligence should be as online users, consumers, whatever, you said Joe average isn't necessarily gonna know to look for this or isn't gonna know what they're seeing, but should they know, is that something we should be asking, and second, would there be possible to say, here's a website, here's what malicious code looks like, look at it or do a comparison thing with the code, and then I guess the third thing is, are we gonna have to spend the rest of our lives looking at every single retail site we look at and examining the source code before we put our digits in?

Alissa: I have a very funny response to that, I actually blame everybody. I'm not someone who selectively claims people. I think everyone is at fault.

Chris: All of you at fault, every last one of you.

Alissa: You're all at fault, the vendors, the security vendors, the e-commerce operators, the consumers, we're all at fault. It's funny, I really pass this blame onto the consumer, because it doesn't make sense to put the onus on the route consumer to right click and inspect the source code before the checkout. But we should always be vigilant, we live in a very exciting time, but at the same time with this connectivity it introduces a vulnerability with us as consumers, either in connected cars or shopping online. It introduces a vulnerability and we should all be responsible for our own vulnerabilities. However, having said that, I put a lot of blame on the vendors and the e-commerce site operators. This is a very simple fix, there's a security control called in app se urity protection where the site operators can actually obfuscate their site code with this technology. And it doesn't interrupt the dev ops process, the companies can actually, the e-commerce site operators can basically mouse click and apply this code obfuscation and they're up and running. It's obfuscated, the Magecart group can't do anything with the code because they can't make sense of it and then move on to the next site. So I blame the site operators, the other interesting thing is in this research in visiting these sites my EDR solution, my virus solution didn't see it. So even though there was this malicious JavaScript in the browser that's appearing in the Dom, I don't know, I feel like either Internet Explorer, Chrome or Edge or whatever needs to be doing a better job. I talked with Deborah over at Arxan, she's the head of marketing. And Deb mentioned, she visited all 80 sites and only three of the sites yelled at her about it being potentially malicious. Three out of 80. So I think there's enough blame to go around, I think we blame everybody.

Chris: Okay, you heard it here first man, everyone did it wrong.

Alissa: Alissa is such a bitch, she just blames everyone.

Chris: No, but I think that's worth noting because once you feel like you're off the hook you relax a little bit, you don't keep your vigilance on.

Alissa: No you can't be complacent, even consumers.

Chris: So we talked about them in a cyclical way, but let's really get into these Magecart hacking groups. So contrary to what I thought they are not a centralized group but it's a classification of multiple hacking groups that are out there.

Alissa: Yes, I educated you.

Chris: You did man.

Alissa: I love educating.

Chris: I'm learning every second here. How long have they been around, apart from formjacking what types of attacks are they best known for?

Alissa: That's a good question, they've been around for a while. It's in my report, you're testing my memory. I want to say 2010 maybe. Mid 2000. I could be totally wrong, which happens quite often. The attacks that they're known for are definitely going after Magecart driven sites, CMS platforms. It's not the CMS that you need to worry about, it's all the plug-ins kind of thing, but there are definitely a lot of vulnerabilities in Magento, so site operators need to keep their Magento's upgraded. Stay on top of that patch and vulnerability management strategy, make sure that when a new version of Magento comes out, or Shopify, that you upgrade. They're known for exploiting Magento and other CMS platforms. Or it could be WordPress, they could go after WordPress, it doesn't matter. If the e-commerce site is running a CMS and it's vulnerable to something, or if they're not running CMS, I'm sure there's a Magecart group out there that goes after everything, and doesn't care if it's Magento or not, but surely they have, a key chain so to speak of exploits for Magento that they like to use.

Chris: You mentioned that one of them was collapsed recently, are there particular strategies in place to try and? I realize this is squashing cockroaches or whatever.

Alissa: Playing Whack-a-Mole.

Chris: Whack-a-Mole, exactly, but are there particular strategies for tracking these organizations down, or do they catch them by accident or what's going on?

Alissa: I think the way that they're doing it is, is tracking them based on their tactics and techniques. So if you think of tools, if you see repeating patterns and beaches where they're using the same malicious JavaScript, that's an identifier. So I'm sure if you drill down into it and get in the weeds, they're even tracking the individual actors that are members of the groups, but ideally its categorization of the Magecart groups based on the specific tools that they use, or malicious JavaScript that they use when they formjack.

Chris: It sounds also you mentioned that it seems like it's a fairly easy fix to obfuscate your site's code and whatever, is this another thing like the connected cars where a $1 USB thing or whatever, a firewall can solve the problem and it's just not being done, because either people don't know about it or they don't feel like it.

Alissa: I think it falls into that category of this is a stupid problem to have. Because if you look at the Arxan solution for example, it's really easy to apply it, it's literally on Linux, it's a period slash command, and it's so easy to apply, and you don't have to install anything special on the server to read it. It's just really simple. So I think that's really what perplexes me about the whole thing, is man, this is so quick and easy to apply and it doesn't interrupt the dev ops process. Developers don't have to wrack their brain over it. Once it's done, you just go in there and period slash it, so why isn't it being done. So the answer to your question is yeah, this is one of those categories of stupid problems to have, it's so easy to fix and people aren't doing it.

Chris: Interesting. So moving onto that, a couple of things here, but one, would it be possible, I guess if you right click and you couldn't find, if you couldn't see the code, or whatever is that another sort of tell, if you look at a site you're about to buy shoes from and you can't see the code, is that the goods sign that they put something that obfuscates it in there, and should there be a list of sites that have got it together?

Alissa: So that's a good question. So it will look like gibberish. Literally you will not see anything that makes sense. It's very much at a combination of white box encryption. And anything about the Arxan solution, God this is turning into a commercial for Arxan, and I apologize to the listeners. But I don't own any stock in Arxan and I do not work for them, they are a vendor. I am an independent third party.

Chris: Alissa, this is an ad for Infosec and don't you forget it.

Alissa: I forgot about that, everybody go sign up for your training. So the thing about it is that, with Arxan it has this ability to actually kill the browser. So not only can you obfuscate the code with it, but they have the ability to actually implement tamper detection and kill the browser of the offender. It's real interesting, real interesting technology. So I definitely urge people to take a look at it.

Chris: Wow, so if you are working for one of these retail sites or whatever and you suspect the dev ops team or the security department is not utilizing this, is this something that you could bring to leadership and say this quick fix needs to happen?

Alissa: Yeah, and it literally takes, God, it's a few seconds, just period slash and run that command on it. It automatically will obfuscate the code, whether it's a mobile app or a web app. And you don't have to worry about anything else, it just does the rest. And so yeah, request that budget and go pick up a copy, it's cool stuff.

Chris: So you want to talk about your upcoming book a little bit?

Alissa: Yes.

Chris: Do it.

Alissa: So new book coming out from the Alissa Knight library, #KnightWriter.

Chris: I was gonna ask you about that later, we'll get to that too.

Alissa: Last week tonight, #KnightWriter. I love that guy John Oliver. Anyway, so yeah I'm writing a new book. So the "Hacking Connected Cars" is available on preorder on Amazon right now, so pick up your copy. And a new book, I think the dust hasn't really settled on the title or table of contents, I'm actually in the process of outlining the book at the moment, but Wiley has picked it up again and I guess they just have been infected by the bubonic Ali, they've got Ali fever, they want another book. So I'm writing a new book on hacking and securing APIs. And I'm gonna start writing. The last book took two years, I don't want to spent two years on this book. My plan is to--

Chris: Your learning curve should cut it in half maybe?

Alissa: Well it was my first book, I had no idea what I was doing. I had no idea how much work it took. So for all of you out there who want to write a book, it's hard, if you think you're gonna kick out one chapter a week while working a full-time job.

Chris: No.

Alissa: I'm slapping you back into reality. It's tough, it's tough. So I'm gonna start the outline, gonna start writing out the outline and everything will go from there. I'm excited, because I don't think there is really much out there on this, it's a pervasive issue and there's really not much known about properly securing APIs.

Chris: So let's jump back to "Connected Cars". What sort of readers are you imagining who would be interested in this, what can we expect out of the book?

Alissa: You know it's interesting, so for "Hacking Connected Cars", definitely the OEMs who were making components, because a lot of people don't understand. If you buy a Mercedes all those parts aren't coming from Mercedes. Mercedes didn't build every single part. An automobile manufacturer is seriously assembling Lego blocks, these technologies from all these different OEMs. The head unit is from someone, the TCU is from someone, the ECU is from someone. And it's everyone's parts assembled by one organization and that's your car.

Chris: So we're getting into supply chain security here as well.

Alissa: Yeah, this is supply chain security, this is the automakers making sure that the OEMs are doing pen testing, they're doing their due diligence. And those requirements are appearing in RFPs. So the readers are going to be the automakers it's gonna be the OEMs, it's gonna be all of these kind of things, we've got these new start-ups that are coming up in the connected car space that are making the EVs, and its cool. So these are the readers of the book, these are the people that are involved in automobile mechatronics, that are involved in people who are in charge of securing cars, what was it, 56% or something of the cars on the road by 2020 will be autonomous? So this is where things are going, it's happening, this is a thing, so really anyone. And maybe even drivers, maybe consumers, when you go out there you want to be educated on the tech surface to your car. I can remotely move the steering wheel, push the brakes, push the gas on a connected car given the right vulnerabilities. You need to know about this, you're driving around with your family in the vehicle. You need to know about this, and when you're shopping for a car it's not about asking about the type of leather or the size of the engine or how fast it can go, it should be IT risk management related issues and questions. Does this thing have an ECU firewall? Is the head unit able to transmit to the canvas? All these things are important questions.

Chris: How about readers who might be just interested in cool hacks, like penetration testers, people who do capture the flag, is that interesting in that regard?

Alissa: Yes, penetration testers for sure, red teamers. I'm always a big proponent of the fact that just because you're a pen tester doesn't mean you can do connected car pen testing. It's not the same. And hacking an Apache Web server is way different than hacking a TCU. Pen testers who want to get involved in connected car pen testing, take a look at this book, read it, it's got a lot of really cool stuff on it, it's literally a field manual on how to build your junk kit for doing connected car pen testing. And what do you need to understand, what are the things you need to think about.

Chris: Okay, so as we start to wind up a little, if you wanted to get out your crystal ball for a moment, whether talking about APIs or otherwise, would you care to predict what vulnerabilities are gonna be most prominent and dangerous in 2020 and beyond, do you have any thoughts on possible election hacking or anything like that?

Alissa: Goodness, the crystal ball question, yes, I think hostile nation states will continue to try and disrupt this great experiment of democracy that we've got going on. So that will continue, they will continue to become more sophisticated, it will definitely continue to be a focus on hacking a human, we are the weakest link in security and that will never change. I think over the next few years it's gonna be a focus on micro-services. I think as the monolith disappears, and the monolithic applications disappear and start to be replaced by micro-services and server-less, I think CISO's are gonna struggle to continue to understand how to secure that, how do you secure a server-less app? How do you secure micro-services? I think that this is very understated, but the last metric I heard was that the average organization runs about 420 APIs. I'm seeing 800, I'm seeing more. So the average organization I think is running between 800 to 1000 APIs. And how do you secure that? I was talking to Mike the CISO over at Twitter a few weeks ago. There is a pervasive concern that's keeping CSO's up at night today is securing their APIs and their micro-services. How do you secure that attack surface, Docker containers, Kubernetes, there are some great technologies out there that are doing that that are focused on it, New Vector, you've got Twistlock recently acquired by Palo Alto. You've got all these really cool companies out there doing this and focused on this. And take a look at them, you need to secure these things. Hackers are learning how to bust out of containers and pivot. You've got to protect yourself from that.

Chris: Wow, that's a lot of things to worry about. So last time we talked extensively about the need for more women in cyber security. And I notice on LinkedIn that you've been posting on social media using #KnightWriter is what you just said, KnightWriters, W-R-I-T-E-R-S. Tell me about that, are you building and growing a coalition of women in cyber security?

Alissa: I am, KnightWriter.

Chris: Tell me all about it?

Alissa: Okay, so Knight Rider, I grew up on it, I'm a 70s baby, I'm 40 years old, I just turned 40. I'm old.

Chris: I see the hashtag and the theme song goes through my head instantly.

Alissa: I'm old. Michael Knight. I grew up on Knight Rider, and it was me just thinking about the fact that, I don't know how this came up, I want to say that one of my followers, because I'm an influencer and one of my followers I think, I want to say one of my followers came up with it. I was like, that has a good ring to it KnightWriter. So I went with it, and its in Twitter's hashtag library now, it's been used so much at this point. So definitely look for the #KnightWriter on Twitter or LinkedIn if you're looking to follow my research and publications, but yeah, so Carmen, I don't know if you heard, I was recently nominated in the top three by Intelligentsia of the hacker of the year award, Female Hacker of the Year. I didn't win, but that's okay, I was up against some amazing women. But just to have been recognized among these thousands of amazing women out there. Awesome. Having said that, so Carmen recently received funding from the founder of Craigslist, Craig something or other. And to do this 100--

Chris: Craig Slist.

Alissa: Craig Slist. We'll just call him Craig Slist.

Chris: Yeah, sure.

Alissa: He put up all the funding that Carmen needed to do this 100 women in 100 days thing, and it looks like I'm actually gonna be an instructor, where we're gonna be teaching 100 women and she's partnered up with employers to actually hire those women after the 100 days. So it's a really neat initiative, try to get more women in cyber security, if you're a woman in cyber security, follow me, reach out to me, happy to provide guidance and be your spirit guide. Spirit animal. I have a lot of female followers, which is great. I get reached out on a daily basis, there's women that are in cyber security, want to get into cyber security, want to understand it. Happy to be a spirit guide for them. We need more women, we need to change these numbers. Just a few weeks ago I had someone on Twitter say that cyber security was too fast-paced for women. Shocking, shocking that this individual decided to do this on Twitter. Especially with me, its like do you know who you're talking to, you have no idea who you're talking to? Be really careful when you're gonna decide to troll Alissa Knight. So it was cool, because all my followers got in on it and let's just say the gifs were really cool, really funny. But we need to change these numbers and we need to do one number at a time, and I'm really trying to do that and change the narrative here.

Chris: Can you break that down a little bit more about what this training is, where it's gonna be, how it's gonna be made available. Is this through individual organizations or?

Alissa: Sure, Carmen, you should interview Carmen on this topic, she definitely has more info on this. I want to say there's one in Chicago, she's gonna do it in multiple cities, and there will be 100 women that will be selected. I'm sure there's going to be a registration gate.

Chris: Are these women already in the industry and they are learning higher levels or?

Alissa: I think it's anyone, any woman who has an interest in cyber security wanting to move into cyber security. I always say, I love this, I used to run a website to teach women how to invest in the stock market, it was called street girl. I used to be a day trader believe it or not. And one of the things, I always loved the quote is that women are the chief financial officer of the household. We're awesome CFOs of the household. And just the same, women I think make just from the way we're built, the way we are coded as women, I think we make great penetration testers, we make great cyber security engineers and the industry needs more of us. So it's anyone, any woman wanting to get into cyber security, who has an interest in it, or is in cyber security right now. And doesn't have a job and wants to continue to do capacity development and get into something and have a job waiting for them when they are done.

Chris: Okay, speed round. Let's throw every form of social media Link or your books or whatever you want to promote here at the end.

Alissa: Yes, Twitter, LinkedIn, YouTube. So on YouTube, Alissa Knight, slash Alissa Knight, that's A-L-I-S-S-A K-N-I-G-H-T. I spell mine with an I. There's an I in Alissa. And Twitter @AlissaKnight, and LinkedIn Alissa Knight, reach out to me, connect with me. I'm trying to shoot for 5000 followers on YouTube, by the end of the year, so if you can help me meeting that number, do it.

Chris: Do it.

Alissa: So subscribe to me on YouTube.

Chris: You have a podcast as well, is that right?

Alissa: I do, I have Aite Radio for Aite Group, and I also have LeetSpeak. So I host two podcasts, check us out on Libsyn, iTunes, all the usual, Stitcher, all that fun stuff.

Chris: What are the focus of each of those?

Alissa: Cyber security. Cyber security just on LeetSpeak it could be about really anything, I'm obsessed with productivity and time management. Aite Radio is more focused around definitely every episode is cyber security.

Chris: Gotcha. Alright, Alissa, thanks again for all your insights, this is always a blast.

Alissa: Thanks Chris, love nerding out with you, let's continue to do this.

Chris: We absolutely will. Thank you again, and thank you all for listening and watching. If you enjoyed today's video you can find many more on our YouTube page. Just go to YouTube and type in Cyber Work with Infosec. Check out our collection of tutorials, interviews and past webinars. If you'd also rather have us in your ears during your workday, all our videos are available as audio podcasts of course so just search Cyber Work with Infosec in your favorite podcast catcher to see the current promotional offers available for podcast listeners. And to learn more about our Infosec Pro Live Boot Camps, Infosec Skills On Demand Training Library, and Infosec IQ Security Awareness and Training Platform, go to InfoSecInstitute.com/podcast, or click the link in the description. Thanks again Alissa Knight, and thank you all for watching and listening. We'll speak to next week.

Alissa: Love yourselves and each other.

Chris: Absolutely.