Cryptography careers and IoT vulnerabilities

Ted Shorter, CTO and Co-founder of Keyfactor, and Cyber Work host Chris Sienko discuss a research report published by Keyfactor in December showing that many of the IoT and network devices in use today are leveraging weak digital certificates, potentially exposing them to attack.

Ted is going to talk about the report, the danger of so-called "predictable randomness," the raw work of cryptography in keeping devices like these safe, the importance of building security into their devices during design and development, and some career advice for those who might like a career in cryptography.

Ted Shorter is the chief technology officer and co-founder at Keyfactor. Ted has worked in the security arena for over 20 years, in the fields of cryptography, application security, authentication and authorization services, and software vulnerability analysis. His past experience includes 10 years at the National Security Agency, a Master's Degree in Computer Science from The Johns Hopkins University and an active CISSP certification. As a computer scientist and team lead at NSA, Ted briefed high-level government officials, including Presidential advisors and members of the Joint Chiefs of Staff. Ted also served as lead software developer on a contract with the Department of Defense to integrate biometric authentication with the DoD Common Access Card program. He lives in Akron, Ohio with his wife and two sons. Ted is an accomplished musician and played in a rock band for a number of years in Baltimore, MD. He is a passionate sports fan, and actively follows baseball, football and various forms of auto racing.


Chris: Cyber Work with Infosec has recently celebrated its 100th episode. Thank you to all of you that watch and listen and subscribe to both the audio podcast and our YouTube channel. We're so grateful to hear from all of you and we look forward to speaking with you more about all aspects of the cybersecurity industry. To celebrate this milestone, we have a very special offer for listeners of the podcast. We're giving 30 days of free training through our Infosec Skills platform. Go to infosecinstitute.com/skills and sign up for an account, or just click the link in the description below. While you're there, enter the coupon code cyberwork, one word, all lowercase, c-y-b-e-r-w-o-r-k, when signing up and you will get your free access. You get 30 days of unlimited projects to over 500 cybersecurity courses featuring cloud-hosted cyber ranges, hands-on projects, customizable certification practice exams, skills assessments and more. Again, check out the link in the description below and use the code cyberwork, c-y-b-e-r-w-o-r-k. Get your free month of cybersecurity training today and thank you once again for listening and watching. Now let's get to the episode. Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week I sit down with a different cyber industry thought leader, and we discuss the latest cybersecurity trends and how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry. Our guest today, Ted Shorter, is the chief technology officer and co-founder of Keyfactor, a company that focuses on digital security management, giving IT and infosec teams the ability to manage their digital certificates and keys, protecting data, devices and applications across an enterprise.
Keyfactor published a research report in December showing that many of the IoT and network devices in use today are leveraging weak digital certificates, potentially exposing them to attack. According to Keyfactor's research, one in every 172 certificates are vulnerable to attack due to poor random number generation. Most of these vulnerable digital certificates were not found on publicly trusted websites, but in embedded IoT devices and network appliances, including routers, firewalls and switches. There's obviously a huge problem, and solutions may not be immediately apparent. So Ted is going to talk about the report, the dangers of the so-called predictable randomness, the raw work of cryptography in keeping devices like these safe, the importance of building security into devices during design and development and also give us some career advice for those who might enjoy a career in cryptography. Ted Shorter is the chief technology officer and co-founder at Keyfactor. Ted has worked in the security arena for over 20 years in the fields of cryptography, application security, authentication and authentication services and software vulnerability analysis. His past experience includes 10 years at the National Security Agency, a Master's Degree in Computer Science from the Johns Hopkins University and an active CISSP certification. As a computer scientist and team leader at NSA, Ted briefed high-level government officials, including presidential advisers and members of the Joint Chiefs of Staff. Ted also served as lead software developer on a contract with the Department of Defense to integrate biometric authentication with the DoD Common Access Card program. He lives in Akron, Ohio, with his wife and two sons. Ted is an accomplished musician and played in a rock band for a number of years in Baltimore, Maryland. He's a passionate sports fan and actively follows baseball, football and various forms of auto racing.
Ted, thank you for being here and welcome to Cyber Work. So what are some of the sign points of your career? And so when I say sign points, I don't necessarily mean job titles. You know, we listed those already at the top of the show, but what were some foundational learning experiences or project experiences or personal hurdles you jumped that got you from your earliest days to being the co-founder and CTO of a cryptography and digital safety company. You remember moments where you thought I really learned a thing and this is gonna, you know, catapult me?

Ted: You know, I think, you know, problem-solving has always been a big piece of that. That's something that in a lot of cases you're sort of born with, but that's been a piece of you wanting to take things apart, figure things out, how things work. In terms of the professional piece, I think, you know, in terms of how I came to be CTO at Keyfactor, I joined a consulting company called Certified Security Solutions in 2003. It was a kind of a boutique consultancy going around talking to customers about security strategy and so forth. We did a lot of work around digital certificates, public infrastructure and that sort of thing. And, you know, I think one of the big pieces that really led to, you know, the CTO role and really Keyfactor in general was we saw some unmet needs in some of the products and things that we were implementing for our customers and, you know, started by writing a very small lightweight tool and people started buying it. It just kind of snowballed from there. I kept asking for more features. The price points kept going up and up, and in about 2008 or [2009], our CEO made a conscious effort to start to pivot the company more to a software company. That company really became what Keyfactor is today. We've been fully a software company since about 2014 or so, and that's where the cofounder piece came from. A little bit of right place, right time, but also just kind of, you know, always wanting to, you know, finding/seeing problems and finding ways to solve them.

Chris: Yeah. And so right out of the NSA you're thinking I'm going to be a sort of cryptographer/software developer. That was what you saw for yourself? Or did you just fall into that?

Ted: In the consulting piece, I think that, you know, from a personal standpoint, my wife and I grew up in the Ohio area. I started looking for, once we had kids, started looking for ways we could move back and roles that we could do from here. The cryptographer piece, definition-wise, I guess I don't consider myself a cryptographer, per se. To me [a cryptographer is] someone who really invents the cryptographic algorithms right from scratch and puts them forward. There are people who can try to do that. Quite frankly, the people who can really do it at a level that is world-class, which is what's needed for the algorithms of today, there is, you know, you're talking about maybe a few dozen people on the face of the earth that can do that.

Chris: And do you have someone like that sort of on-call with your company?

Ted: No, but I think what happens is that the algorithms that we use today, people have probably heard of things like SHA-1 or elliptic curve cryptography or maybe the RSA algorithm and so forth. Those are designed by people both in the private sector and public sector that are famous in those circles. Those algorithms undergo a tremendous amount of public scrutiny. You know, the idea of just inventing a code and not telling anybody how it works, that's not really cryptography. Real cryptography is: there's an algorithm the entire world can look at and see exactly what it does and not be able to break it after years of scrutiny. Okay, which is just foreign to a lot of people. What I think in terms of the professional side of things, what actually is far more necessary at places like Keyfactor and also really almost any corporation at this point, is a cryptographic expert. That's one who invents the algorithm and that understands deeply how to use them. So I sometimes refer to myself as a crypto plumber. You know, knowing how to hook the different pieces together to be able to solve problems and create solutions and help make sure that it's not used improperly. You know, crypto's one of those things that if you use it wrong, you probably won't notice it. Things will still work. They'll just not be secure, which actually is kind of a good segue to the research. But that is a role. Organizations like Gartner are recommending that large organizations have a cryptographic center of excellence inside of the organization because that is becoming an increasing part of security strategy within these companies.

Chris: So I mean, it sounds like we're talking like when we hear of, like, a cryptographer as a job thing, you're really mostly talking about cryptic/cryptographic analysis. Saying you're a cryptographer is like saying, you know, you have a job analyzing royal jewelry or something like that. There's just not that many people that are that high up, right?

Ted: There's a lot of people who think they can do it, but really doing it at that level is very difficult and the world when we need so many algorithms really. So it's more about- we need a lot more people in the world that understand all of these things at a level that you know how to hook them up and know the difference between an asymmetric and a symmetric key and a certificate and a hash algorithm and be able to plug all those things together in ways that make sense for companies, for people that are designing devices and so forth. The IoT trend that we talk about with all these devices now getting connectivity is pushing the need for that knowledge into engineering teams and product teams and people building widgets that have never had to have that knowledge before, and it's creating a huge demand for those sorts of skills.

Chris: Okay, so let's jump into it. We've sort of circled around a little bit. Let's talk about the Keyfactor report from December. So I want to open these numbers up a bit. You found that one in every 172 certificates are vulnerable to attack due to poor random number generation. So first of all, let's talk about what one in every 172 certificates means numerically. How many certificates on average is this?

Ted: Yeah, well, that's a good- There's a lot of certificates out there, I think. I just want to clarify a couple things just for the audience. First off, I want to give credit to my colleague JD Kilgallon, who did most of the actual research with Keyfactor. What we did was to take a data set that we created. Our company focuses on making the use of cryptography easy for our customers, managing digital certificates and keys, making it easy to apply that cryptography, offering things as managed services and so forth to offload some of the expertise and the need for that expertise inside of organizations. As a part of that, our software is actually able to scan networks and gather up the digital certificates that are in use on those networks. So what we did was actually aim it at the Internet at large and make a set of every single certificate that has been exposed to the Internet over about a two to two-and-a-half-year span. That includes all the public websites that you could ever think of or name, as well as any other network devices that happen to be on the Internet: webcams, routers, et cetera. In that data set, that's where that one in 172 came from. So if you were to look at public certificates, the certificates that are protecting Amazon.com or probably your website, those are probably vulnerable at a much, much smaller clip. So I believe of that set, we found maybe five out of- the data set in total was about 82 million certificates, somewhere in that range. We broke about a half million, which is a lot, to think about that. But you know what was interesting and why that report is really kind of focused on the IoT piece is, it kind of exposes the fact that some of these constrained devices that aren't, you know, a normal PC or Web server or so forth have trouble generating keys that are random enough and that fact could be exploited in ways that could cause serious, serious problems.

Chris: So for listeners who don't really get the severity of this issue, what does this many insecure certificates mean in terms of available attack surface for hackers?

Ted: Yeah, I think, you know, for the devices in question, there were a few device types that were particularly vulnerable and seemed to have issues. The vendors have been contacted about that. I can't really relay any status as to how they are addressing that issue yet. I think in terms of consumers and so forth, this to me really underscores one of the bigger problems with IoT in general, is that designing cryptography for these systems, in a lot of cases, you can't use some of the same procedures and software and libraries and so forth that you used in your Windows machine or in your Mac or other more beefy devices. A lot of those just aren't as capable of- there's constraints in these devices, in lots of different ways. Sometimes they can't communicate as well. Sometimes you can't support some of the preferred newer cryptographic algorithms or key sizes. You have to make compromises in those areas. It's also, I think, just a case of, as I mentioned at the beginning, it's easy to do crypto wrong and not realize it. I think this is one of the cases where you have code that says generate random key. It generates a key. It works. It communicates just fine. Turns out that key is not nearly as random as it should be and is far more easy to guess than it should be. And that leads to problems when, you know, people who know what to look for start looking.

Chris: A counterpoint to the severity of this: If this problem were somehow solved tomorrow through a massive change in standards or manufacturing or just a big old magic wand, how different would the threat landscape look in terms of the number or availability of options for hackers?

Ted: It would, at this point, drop it completely to zero. The space, the size of the numbers that we're talking about, the random numbers that are being created are large enough that the best computers we have today would spend millions of years trying to guess them all if they were completely random. But as soon as that changes and you start having overlaps and it becomes easier to guess, then all bets are off.

Chris: Okay, so we're talking about this a little bit, but in terms of like actual ramifications, tell me about the ramifications of these insecure certificates being on Internet of Things devices. We talked about on the show - we had an episode about IoT and security issues and the obsolescence of non-updatable firmware. If you'll go back and look at Emily Miller's episode, we talked about security issues with US infrastructure. Very interesting. But talk here about the issues with so much insecurity and these types of sort of firewalls and devices. What types of hacks can happen?

Ted: Yeah. I mean, for the firewall piece, being able to- effectively, if you know the key and the certificate that's used on that firewall and one of those things is deployed, say, in your company network, you could be able to man-in-the-middle that connection and actually read the information going back and forth, which would include things like your administrators' passwords and things along those lines, which is obviously very bad. I think it's interesting you mention the firmware piece. We actually at Keyfactor do work around code signing and so forth, especially in the medical device space. The FDA has actually recently mandated, about a year and a half ago, new controls around requiring- I guess they're guidelines at this point, but it is likely that they will become stronger than that in the future, around updatable firmware. And you know, we have customers, for example, that are signing the firmware updates to things like insulin pumps or brain stimulators, pacemakers, vehicles, airplanes, et cetera. And if you think about the ability to compromise one of those signatures, right? And be able to, you know, fake firmware updates, just devices of those types. Even you could just imagine the type of ramifications if various hackers got ahold of that sort of thing. Obviously, entropy and proper use of cryptography is extremely important.

Chris: Okay, so we got to the part about, you know, cryptographer as a profession, and I want to get a little further into it. Still, I know you haven't been a cryptographer as a, you know, as a career, but I do want to kind of start at square one and talk a little more about the difference between the different types of jobs you can have around cryptography. So, I mean, first of all, if you could still kind of walk me through, like, what an actual cryptographer- how they get to that point but also, like, what are the sort of cryptography-adjacent type of jobs that you can do?

Ted: That's perfect. So I mean a true cryptographer that, you know, that I'm referring to, they're literally inventing these algorithms and doing so at a- with a skill level where they will get adopted by these standards bodies. Because that's what happens, right? You probably have heard of AES, right? AES became AES because NIST (National Institute for Standards and Technology) put together a challenge scenario where basically a number of cryptographic groups and cryptographers, amateurs, professionals, et cetera can submit algorithms. And then there's a long period where essentially they and others attack each other's algorithms and try and analyze. To withstand that level of scrutiny, that's how AES became AES, that's how SHA-2 became SHA-2, and so forth. The folks that play in that space, extremely deep math, right? So, you know, world-class PhD mathematician is absolutely mandatory just for starters. Deep expertise in things like computer science analysis of algorithms, understanding how computers can process algorithms and what could be done efficiently on a computer and what can't. Those sorts of skill sets are definitely needed. I think for this sort of second tier, which is kind of where I'd put myself in terms of understanding the stuff deeply enough that you know how these things work, you know how to put them together, you know how to use things in such a way that you can help people not make mistakes as they're designing a device that's gonna communicate over the Internet or over a network or need to authenticate to something or update firmware. It's similar. Obviously, a lot of math, a lot of computer science. It's just sort of down a notch in terms of the world-class-ness of the skill sets that are required, if that makes sense.

Chris: Yeah. Is this something that's- is there a wide variety of sort of work you have to do, or is it kind of like a security analyst where you're just reading a lot of logs. Are you just constantly looking at algorithms? Are you? I wonder what are the sort of day to day sort of tasks.

Ted: That's an excellent question. I think it varies, you know, at a company like Keyfactor, you know, we're a product company, right? So my role is to help design products that will help our customers solve some of these problems, make it easier and so forth, make sure that our products are secure. But also understand the needs that the people building some of these systems are going to have and try to anticipate those and meet them, you know, so that they can use them. Inside of our customers, they also need similar experts because they are responsible for designing all these things and making sure that all of those things are secure. Or inside of any large financial institution, the same sorts of things apply. You need someone who's gonna understand all these things. When the government comes out with new encryption algorithm specifications or someone says, "Hey, this algorithm has been compromised or weakened," to be able to understand what that means for your organization and advise on policy, migration, etc., is something that those people may need to do.

Chris: So in the introduction of the episode, the phrase "the danger of predictable randomness" was uttered. What does predictable randomness mean and what makes it easier to be decrypted?

Ted: Well, I think, like I mentioned, the size of numbers that we're talking about in these cryptographic keys and so forth are large enough, they're literally larger than the number of, you know, atoms on Earth, and the whole game, or at least a large part of the game of any cryptographic algorithm, is to have a key size that is large enough that even the most powerful computers of today, in fact, many of them working in tandem, can't possibly guess all the possible keys that are there and actually break the algorithm. As soon as that breaks down and they don't have to guess all possible keys, right? And that could be for a few reasons. One would be, maybe the algorithm- there's something that someone figured out that now we don't have to guess all of them. I could guess a few of them or some subset. Then it starts to get easier. But certainly, if the key that's supposed to be randomly chosen isn't really random, all of a sudden, it becomes easier to guess. It's difficult. You know, true randomness is difficult, right? Most computers have some way of generating a random number, but it's difficult for a computer to do something that isn't predictable. They tend to be very predictable, by design. Modern computers and modern operating systems actually gather silently, but most people don't know this, but your Windows machine, your Mac, your iPhone and iPad, et cetera, are actually gathering what they call entropy. They're actually gathering up randomness as you're using the computer, based on how fast you type or maybe the network packets that are coming into your machine or how you move the mouse or there's a number of different ways that the specific things that aren't predictable can be observed by the computer and actually added to their pool of entropy, and when asked to generate a key, which actually does happen more often than you might think, those keys are typically pretty random.
So, for example, any time you connect to Amazon or any other website, your browser actually generates a key on your machine that is used to encrypt the connection between your browser and Amazon so that your passwords and credit card information and so forth is secured.  Usually, those are pretty random, but if they weren't, they would be easily guessable and someone maybe I'll get it.

Chris: So what is it that sort of master, top trick cryptographers are doing in creating algorithms that are so random? What is the sort of like a process that takes the sort of pattern-ness out of it?

Ted: The whole thing really is to look at the design of a system as a whole, because when these systems are broken it's usually not the algorithm, right? The algorithms are really good. They've been subjected to all kinds of public scrutiny. It's pretty rare that algorithms fall over, although they do from time to time. More often, it's the implementation. It's the specifics of how things were used, and this randomness thing is a great example. The RSA algorithm is still secure. If you use the RSA algorithm with keys that're predictable, then it doesn't matter. A lot of this really comes down to designing things in a secure way. Looking at, you know, a pacemaker, an insulin pump, or really anything- connected vehicles. Really any system or a piece of software or so forth. Looking at it as a system, looking at what we call the attack surface, right? What is the risk profile? What are the things I'm worried about attackers getting access to? What are the controls that I have in place to make sure that they can't do that? Then coming up with principles and so forth, things like defense in depth. So even if this one fence that I have in place fails, there's still something else to fall back on. There's a number of design principles that are very important, of which a lot of these cryptographic concepts are a large part, and it's a skill set that's rare. It's something that's easy to do wrong. It's a skill set that's in high demand for people who can do it well.

Chris: Well, speaking of demand, that brings me to my next question. So if you're listening to this right now, and you're in a job you don't like, maybe you're working a help desk or you're, you know, reading the same logfiles day after day, and you want to make a change, but you don't know where to start, what's something that our listeners could do or learn today that would put them on the path of working in cryptography?

Ted: You know, I think education is a big piece. I mean, understanding some of these principles. This is a mix of computer science, security design. Certainly, there are college courses that can help with that. There's also no substitute for taking things apart and trying things yourself, right?

Chris: Are there sort of like demo sites where you can play around on that?

Ted: Yeah and then reading books on hacking, you know. And understanding how to break things is a useful skill, even if you're not a criminal, right? That's what you need to know, to be able to design systems that are secure. The more knowledge you could get, the better.

Chris: So, for folks who are in college or even high school and are trying to, you know, learn their first classes in security or IT or computer science and want to sort of get a little inside track on cryptography as like an elective or whatever, what types of classes should they be taking? I know, obviously computer science and probably math, but, like, maybe some more specifics?

Ted: But, I mean, obviously, yeah, those are the big two. Some courses are now really offering courses in security. When I was in school, that was not the case. You kind of had to figure it out on your own. But most universities that I'm aware of do have some level of computer security courses. They vary in how useful they are to this sort of thing. I think a lot of it is, you know, doing research into the things that interest you, whether it's white hat hacking, how people, you know, look at securing systems. You need to know how to break systems in order to secure them. And whether that's at a cryptographic level or at an implementation level, at a software level, every single piece of the stack all the way up, there has to be, you know, a mindset towards how might a hacker exploit this and how can I make sure that they don't.

Chris: Okay, so let's go back to all these insecure IoT devices hanging out there. Could you lay out a strategy that could be put in place to start stitching up some of the security areas, like the ones that are out there right now?

Ted: I think there's a couple of things. One thing that's good, that's starting to happen, is that you are starting to see some legislation or suggested guidelines, regulation in places where it really matters, like the medical industry, automotive, airline industry. These are places where connectivity, in some cases, has existed for a while but is now being expanded upon. In a lot of cases, if you're designing some device, if that device isn't particularly expensive, it's a consumer device or so forth, the economics of hiring a cryptographic expert and a team of people to help design it securely, or even do a pen test to attack it, adds to the cost of that device, and in a lot of cases, the economics in a normal market just isn't going to afford that, right? Customers are gonna buy based on price, and they're gonna assume that it's secure, even though it's not. In places where the economics don't work, I think regulation and so forth is actually a good way to start to get people looking at doing the right thing. The nice thing is, in places where it really does matter, things like automotive, medical, there have been kind of, you know, there have been talks at Black Hat on hacked medical devices and vehicles, certainly, and other things, that has raised an awareness in the community, and they are actually working on some of those things, even without legislation, to help make these things more secure. I mean, we all want more secure medical devices and vehicles and so forth, and the more they sort of share those practices, the better it'll get. That said, it's gonna take a while because, first of all, you're now pushing all of the need for this knowledge into a whole new group of folks who've never had to worry about that before. The other thing that's happening with IoT devices, these things are around for a while.
The average vehicle's on the road for 14 years, I believe, and so any change that you make now, first of all, isn't gonna get designed into a vehicle until three or four years from now, and then it's going to be on the road for another 14 after that, right? So you think about the- you know, what we knew about cryptography and computer security 14 years ago, right? That's the vehicles that we're trying to secure today, right? Yeah, the lag problem, that makes it even more challenging.

Chris: Is it really that prohibitively expensive or is this a sort of thing like with, we talked with Alissa Knight about hacking connected cars, and she said it was, you know, for lack of a $2 cable that, you know, a lot of these things you could catch, you know, hack 'em from the side of the road or whatever. Is it consistently sort of expensive to sort of go in and root this problem?

Ted: It is. But cars are expensive, right? There should be some margin in cars - they can and are actually working on this stuff. We're actually getting some automotive manufacturers at Keyfactor. But if you get into smaller devices, more towards the consumer place. A lot of the smart home devices, there's been a number of hacks on those of various types, and the reason for that is, you know, then the economics really do come into play. It becomes more difficult to inject all of that security into that process. It makes the costs go up.

Chris: Now that we've fixed all the problems of the old signatures and outdated IoT devices, what are some recommendations you would make to the industry, or it sounds like they're doing some of it, but to make future IoT devices more universally secure? You mentioned that legislation could actually be a good thing here. Do you think that this is something that companies will sort of initiate on their own or is it going to need a strong hand?

Ted: I think that in general, if you don't initiate it on your own, it's going to be legislated for you. So better to get out in front of it-

Chris: And then you look like the good guy too.

Ted: Exactly.

Chris: Yeah. So as we wrap up today, where do you see these issues in five or ten years' time? You know, things like spam have, you know, largely become a non-issue, you know, between spam filters and taking out some of the main culprits and stuff. But is this- do you envision a time where this type of attack vector just isn't on the map anymore?

Ted: I don't know. I still get a lot of spam. I don't know. I need...

Chris: I feel like we're down from the Golden Age, but yeah.

Ted: It will get worse before it gets better. I think, you know, there's a general trend anytime any new, disruptive technology comes along, whether it was the Internet 20, 30 years ago, whether it's cloud computing or mobile or IoT, any of these new disruptive technologies, the pace of adoption outpaces security, right? Every one of those waves, you know, there's an opportunity. There's a lag where it gets worse before it gets better. I think with IoT, we're right in the middle of that gap right now. I guess the good news is, I do think it will get better. I think it'll take a while just because of the lag and some of the other things I mentioned a few minutes ago. But, you know, the bad news is it will be replaced by some other disruptive technology that will bring its own security gap.

Chris: Oh, yeah. There's never gonna be universal security peace, I'm sure. But, there are certain things that could be wiped out and allow us to sort of prepare for other things. So as we wrap up today, tell us about some of the upcoming projects on the horizon for Keyfactor.

Ted: Well, I mentioned a few of them. I think we've done a lot of work in the large enterprise space for a long time, helping organizations manage their cryptography. Even inside of large companies, with some of these disruptive technologies, the use of all these cryptographic assets and so forth is expanding and exploding and creating a lot of opportunities and needs for people in this sort of business, but also companies like Keyfactor. I think the IoT piece, the number of devices that are getting connected and the need to secure them, from my perspective, we talk about self-driving vehicles and so forth. You know, I anticipate riding in some of these vehicles, right? And I fly on planes all the time, right? The need to secure this stuff. We all have a personal vested interest in wanting to have this done right for our own lives. We work very hard to do that and certainly take a lot of pride in the work we do to help these organizations not become stars of Black Hat in the years to come, and make things better.

Chris: So if our listeners want to know more about Ted Shorter and/or Keyfactor, where can they go online?

Ted: Any of the social media. I'm on LinkedIn. Certainly, go there. Keyfactor.com is a great place to see more about what we do. That's probably the two easiest places. I'm happy to connect and have a conversation.

Chris: All right, Ted, thank you very much for your time today.

Ted: Absolutely. Thanks for having me.

Chris: Okay. And thank you for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to youtube.com and type in "Cyber Work with Infosec". Check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search "Cyber Work with Infosec" in your podcast catcher of choice. For a free month of our Infosec Skills platform, which you saw a promo for at the top of the show, just go to infosecinstitute.com/skills and sign up for an account, and in the coupon code type "cyberwork" (all one word, all small letters, no spaces) for your free month. Thank you once again to Ted Shorter and Keyfactor, and thank you all for watching and listening. We'll speak to you next week.
