Cyber Work with Infosec has recently celebrated
its 100th episode. Thank you to all of you
that watch and listen and subscribe to both
the audio podcast and our YouTube channel.
We’re so grateful to hear from all of you
and we look forward to speaking with you more
about all aspects of the cybersecurity industry
celebrate this milestone. We have a very special
offer for listeners of the podcast. We’re
giving 30 days of free training through our
Infosec Skills platform. Go to infosecinstitute.com/skills
and sign up for an account. Or just click
the link in the description below. While you’re
there, enter the coupon code Cyber work. One
word all lower case “c-y-b-e-r-w-o-r-k”.
When signing up and you will get your free
access, you get 30 days of unlimited projects
to over 500 cybersecurity courses featuring
cloud-hosted cyber ranges, hands-on projects,
customizable certification, practice exams,
skills assessments and more again, check out
the link in the description below and use
the code. CyberWorks. See why b e r w o r
k. Get your free month of cybersecurity training
today and thank you once again for listening
and watching. Now let’s get to 
the episode. Welcome to this week’s episode
of the Cyber Work with Info SEC podcast. Each
week I sit down with the different cyber industry
thought leader, and we discussed later cybersecurity
trends. How those trends are affecting the
work of info SEC professionals while offering
tips for those trying to break in or move
up the ladder in the cybersecurity industry.
Our guest today, Ted Shorter, is the chief
technology officer and co-founder of Keyfactor,
a company that focuses on digital security
management, giving I T and infosec teams the
ability to manage their digital certificates
and keys, protecting data devices and applications
across an enterprise. Keyfactor published
a research report in December showing that
many of the IoT and network devices in use
today are leveraging week digital certificates,
potentially exposing them to attack. According
to Keyfactor’s research, one in every 172
certificates are vulnerable to attack due
to poor random number generation. Most of
these vulnerable digital certificates were
not found on publicly trusted websites, but
in embedded IoT devices and network appliances,
including routers, firewalls and switches.
There’s obviously a huge problem, and solutions
may not be immediately apparent. So Ted is
going to talk about the report, the dangers
of the so-called predictable randomness, the
raw work of cryptography and keeping devices
like these safe, the importance of building
security into device during design and development
and also give us some career advice for those
who might enjoy a career in cryptography.
Ted Shorter is the chief technology officer
and co-founder at Keyfactor. Ted has worked
in the security arena for over 20 years in
the fields of cryptography, application security,
authentication and authentication services
and software vulnerability analysis. His past
experience includes 10 years at the National
Security Agency, a Master’s Degree in Computer
Science from the Johns Hopkins University
and an active CISSP certification as a computer
scientist and team leader at NSA, Ted briefed
high-level government officials, including
presidential advisers and members of the Joint
Chiefs of Staff. Ted also served as lead software
developer on a contract with the Department
of Defense to integrate biometric authentication
with the DOD common access card program. He
lives in Akron, Ohio, with his wife and two
sons. Ted is an accomplished musician and
played in a rock band for a number of years
in Baltimore, Maryland. He’s a passionate
sports fan and actively follows baseball,
football and various forms of auto racing.
Ted, thank you for being here and welcome
to Cyber Work. So what are some of the sign
points of your career? And so when I say sign
points, I don’t necessarily mean job titles.
You know, we listed those already at the top
of the show, but what were some foundational
learning experiences or project experiences
or personal hurdles you jumped that got you
from your earliest days to being the co-founder
and CTO of a cryptography and digital safety
company. You remember moments where you thought
I really learned a thing and this is gonna,
you know, catapult me?
You know, I think, you know, problem-solving
has always been a big piece of that. That’s
something that in a lot of cases you’re
sort of born with, but that’s been a piece
of you wanting to take things apart, figure
things out, how things work. In terms of the
professional piece, I think, you know, in
terms of how the how they came to be CTO at
Keyfactor. I joined a consulting company,
called Certified Security Solutions in 2003.
And then we did. It was a It’s a kind of
a boutique consultancy going around talking
to customers about security strategy and so
forth. We did a lot of work around digital
certificates, public infrastructure and that
sort of thing. And, you know, I think one
of the big pieces that really lead to, you
know, the CTO role and really Keyfactor in
general was we saw some unmet needs in the
some of the products and things that we were
implementing for our customers and, you know,
started by writing a very small lightweight
tool and people started buying it. It just
kind of snowballed from there. I kept asking
for more features. The price points kept going
up and up, and in about 2008 or [2009], our
CEO made a conscious effort to start to pivot
the company more to a software company. That
company really became what Keyfactor is today.
We’ve been fully a software company since
about 2014 or so, and that’s where the cofounder
piece came from. A little bit of right place,
right time, but also just kind of, you know,
always wanting to, you know, finding/seeing
problems and finding ways to solve them.
Yeah. And so right out of the NSA you’re
thinking I’m going to be a sort of cryptographer/software
developer. That was what you saw for yourself?
Or did you just fall into that?
In the consulting piece, I think that, you
know, from a personal standpoint, my wife
and I grew up in the Ohio area. I started
looking for, once we had kids, started looking
for ways we could move back and roles we could
that we could do from here. The cryptographer
piece, definition wise, I guess I don’t
consider myself a cryptographer, per se. To
me [a cryptographer is], someone who really
invents the cryptographic algorithms right
and scratch and puts him forward. There are
people who can try to do that, quite frankly,
the people who can really do it, at a level
that is a world-class, which is what’s needed
for the algorithms of today. There is, you
know, you’re talking about maybe a few dozen
people on the face of the earth that can do
that.
And do you have someone like that sort of
on-call with your company?
No, but I think what happens is that the algorithms
that we use today, you people have probably
heard of things like SHA-1 or elliptic curve
cryptography or maybe the RSA algorithm and
so forth. Those are designed by people both
in the private sector and public sector that
are famous in those circles. Those algorithms
undergo a tremendous amount of public scrutiny.
You know, the idea of just inventing a code
and not telling anybody how it works. That’s
not really cryptography Real cryptography
is: there’s an algorithm the entire world
can look at it and see exactly what it does
and not be able to break it after years of
scrutiny. Okay, which is just foreign to a
lot of people. What I think in terms of the
professional side of things, what actually
is far more necessary at places like Keyfactor
and also really almost any corporation at
this point, is a cryptographic expert. That’s
one who invents the algorithm and that understands
deeply how to use them. So I sometimes refer
to myself as a crypto plumber. You know, knowing
how to hook the different pieces together
to be able to solve problems and create solutions
and help make sure that it’s not used improperly.
You know, crypts, one of those things that
if you use it wrong, you probably won’t
notice it. Things will still work. They’ll
just not be secure, which actually is a kind
of a good segue way to the research. But that
is a role. Organizations like Gartner are
recommending that large organizations have
a cryptographic center of excellence inside
of the organization because that is becoming
an increasing part of security strategy within
these companies.
So I mean, it sounds like we’re talking
like when we hear of like, a cryptographer
is a job thing, you’re really mostly talking
about cryptic/cryptographic analysis. Saying
you’re cryptographer is like saying you
know, you have a job, analyzing royal jewelry
or something like that. There’s just not
that many people that are that high up that
right?
There’s a lot of people who think they can
do it, but really doing it at that level is
very difficult and the world when we need
so many algorithms really. So it’s more
about- we need a lot more people in the world
that understand all of these things at a level
that you know how to hook them up and know
the difference between an asymmetric and a
symmetric key and a certificate and a patch
algorithm and be able to plug all those things
together in ways that make sense for companies,
for people they’re designing devices and
so forth. The IoT trend that we talk about
with all these devices now getting connectivity
is pushing the need for that knowledge into
engineering teams and product teams and people
building widgets that have never had to have
that knowledge before, and it’s creating
a huge demand for those sorts of skills.
Okay, so let’s jump into it. We’ve sort
of circle around a little bit. Let’s talk
about the Keyfactor report from December.
So I want to open these numbers up a bit.
You found that one in every 172 certificates
are vulnerable to attack due to poor, random
number generation. So first of all, let’s
talk about what one in every 172 certificates
means numerically. How many certificates on
average is this?
Yeah, Well, that’s a good- There’s a lot
of certificates out there, I think. I just
want to clarify a couple things just for the
audience. First of, I want to get credit to
my colleague JD Kilgallon, who did most of
the actual research with Keyfactor. What we
did was to take a data set that we created.
Our company focuses on making the use of cryptography
easy for our customers, managing digital certificates
and keys, making it easy to apply that cryptography,
offering things as managed service is and
so forth to offload some of the expertise
and the need for that expertise inside of
organizations. As a part of that, our software
is actually able to scan networks and gather
up the digital certificates they’re in use
on those networks. So what we did was actually
aimed at the Internet at large has made a
set of every single certificate that has been
exposed to the Internet over about a two/two
and a half year span. That includes all the
public websites that you could ever think
of or name, as well as any other network devices
that happen to be on the Internet: webcams,
routers, et cetera. In that data set, that’s
where that one in 172 came from. So if you
were to look at, public certificates, the
certificates that’re protecting Amazon.com
or probably your website, those probably are
those are vulnerable to much, much smaller
clip. So I believe of that set. We found maybe
five out of- the data set in total was about
82 million certificates, somewhere in that
range. We broke about a half million, which
is a lot to think about that. But you know
what was interesting and why that report is
really kind of focused on the IoT piece is,
it kind of exposes the fact that some of these
constrained devices that aren’t, you know,
a normal PC or Web server or so forth have
trouble generating keys that are random enough
and that fact could be exploited in ways that
could cause serious, serious problems.
So for listeners who don’t really get the
severity of this issue, what is this many
insecure certificates mean in terms of available
attack surface for hackers?
Yeah, I think, you know, for the devices in
question, there were a few device types that
were particularly vulnerable and seemed to
have issues. The vendors have been contacted
about that. I can’t really, relay any status
as to how address that issue yet. I think
in terms of, consumers and so forth, this
to me, really underscores one of the bigger
problems with IoT in general, is that designing
cryptography for these systems, in a lot of
cases, you can’t use some of the same procedures
and software and libraries and so forth that
you used in your Windows machine or in your
Mac or other more beefy devices. A lot of
those just aren’t as capable of-there’s
constraints in these devices, in lots of different
ways. Sometimes they can’t communicate as
well. Sometimes you can’t support some of
the preferred newer cryptographic algorithms
or key sizes. You have to make compromises
in those areas. It’s also, I think, just
a case of as I mentioned is beginning, it’s
easy to do crypto wrong and not realize it.
I think this is one of the cases where you
have code that says generate random key. It
generates a key. It works. It communicates
just fine. Turns out that he is not nearly
as random as it should be in this far more
easy to guess that it should be. And that
leads to problems when you know people who
know what to look for a start looking.
A counterpoint to the severity of this: If
this problem were somehow solved tomorrow
through a massive change in standards or manufacturing
or just a big old magic wand, how different
would the threat landscape look in terms of
the number of availability of options for
hackers.-
It would, at this point, drop it completely
zero. The space, the size of the numbers that
we’re talking about, the random numbers
were being created are large enough that the
best computers we have today would spend millions
of years trying to guess them all if they
were completely random. But as soon as that
changes and you start having, overlaps and
becomes easier to guess than all bets are
off.
Okay, so we’re talking about this a little
bit, but in terms of like actual ramifications,
tell me about the ramifications of these insecure
certificates being on Internet of Things devices.
We talked about on the show – we had an
episode about IoT and security issues and
the obsolescence of non-updatable firmware.
If you’ll go back and look at Emily Miller’s
episode, we talked about security issues with
US infrastructure. Very interesting. But talk
here about the issues with so much insecurity
and these types of sort of firewalls and devices.
What types of hacks can happen?
Yeah. I mean, for the firewall piece, being
able to- you effectively if you know the key
and the certificate that’s used on that
firewall and one of those things is deployed
say, in your company network, you could be
able to man in the middle of that connection
and actually read the information going back
and forth, which would include things like
your administrators, passwords and things
along those lines, which is obviously a very
bad. I think it’s interesting you mention
the firmware piece. We actually at Keyfactor,
do work around code signing and so forth,
especially in the medical ah device space.
The FDA is actually recently mandated about
a year and a half ago. New controls around
requiring- I guess their guidelines at this
point, but it is likely that they will become
stronger than that in the future, around updatable
firmware. And you know, we have customers,
for example, that are signing the firmware
updates to things like insulin pumps or brain
stimulators, pacemakers, vehicles, airplanes,
et cetera. And if you think about the ability
to compromise one of those signatures, right?
And be able to, you know, fake firmware updates,
just devices of those types. Even you could
just imagine the type of ramifications if
various hackers got ahold of that sort of
thing. Obviously, entropy and proper use of
cryptography is extremely important.
Okay, so we got to the part about, you know,
cryptographer is a profession, and I want
to get a little further into it. Still, I
know you haven’t been a cryptographer as
a, you know, as a career, but, I do want to
kind of start at square one and talk a little
more about the difference between the different
types of jobs you can have around cryptography.
So, I mean, first of all, sort of do If you
could still kind of walk me through, like,
what an actual cryptographer- how they get
to that point but also, like, what are the
sort of cryptography adjacent type of jobs
that you can do
That’s perfect. So I mean a true cryptographer
that you know that I’m referring to, they’re
literally inventing these algorithms and we’re
doing so at a -with a skill level where they
will get adopted by these standards body.
Because that’s what happens, right? You
probably have heard of AES, right? AES became
AES because NIST (National Institute for Standards
and Technology) put together a challenge scenario
where basically a number of cryptographic
groups and cryptographers, amateurs, professionals
etcetera can submit algorithms. And then there’s
a long period where they essentially, they
and others attack each other’s algorithms
and try and analyze. To withstand that level
of scrutiny, hat’s how AES became AES, That’s
how SHA-2 became SHA-2, AND so forth. The
folks that play in that space, extremely deep
math, right? So, you know, world-class PhD
mathematician is absolute, mandatory just
for starters. Deep expertise and things like
a computer science analysis of algorithms,
understanding how computers can process algorithms
and what could be done efficiently on a computer
and what can’t. Those sorts of skill sets
are definitely needed, I think for this sort
of second tier, which is kind of where we
put myself in terms of understanding the stuff
deeply enough that you know how these things
work, you know, put them together. You know
how to use things in such a way that you can
help people not make mistakes. As they’re
designing a device that’s gonna communicate
over the Internet or over a network or need
to authenticate to something or update firmware.
It’s similar obviously, a lot of math, a
lot of computer science. It’s just sort
of down a notch in terms of the world-class-ness
of the skill sets that is required, if that
makes sense.
Yeah. Is this something that’s- is there
a wide variety of sort of work you have to
do, or is it kind of like a security analyst
where you’re just reading a lot of logs.
Are you just constantly looking at algorithms?
Are you? I wonder what are the sort of day
to day sort of tasks.
That’s an excellent question. I think it
varies, you know, at a company like Keyfactor,
you know, we’re a product company, right?
So my role is to help design products that
will help our customers solve some of these
problems, make it easier and so forth, make
sure that our products are secure. But also
understand the needs that the people building
some of these systems are going to have and
try to anticipate those and meet them, you
know so that they can use them. Inside of
our customers, they also need similar experts
because they are responsible for designing
all these things and making sure that all
of those things where our secure or inside
of any large financial institution, same sorts
of things apply. You need someone who’s
gonna understand all these things. When the
government comes out with a new encryption
algorithm, specifications or someone says,
“Hey, this algorithm has been compromised
or weaken” to be able to understand what
that means for your organization and advise
on policy, migration, etc, is something that
those people may need to do.
So in the introduction of the episode, the
phrase “the danger of predictable randomness”
was uttered. What does predictable randomness
mean and what makes it easier to be decrypted?
Well, I think, like I mentioned the if the
size of numbers that we’re talking about
he’s in these cryptographic keys and so
forth are large enough, we’re literally
larger than the number of you know, atoms
on Earth and the whole game, or at least a
large part of the game of any cryptographic
algorithm is to have a key size that is large
enough that even the most powerful computers
of today, in fact, many of them working in
tandem, can’t possibly gas all the possible
keys that are there and actually break the
algorithm. As soon as that breaks down and
they don’t have to guess all possible keys,
right? And that could be for a few reasons.
One would be, maybe the algorithm- there’s
something that someone figured out that now
we don’t have to guess all of them. I could
guess a few of them or some subset. Then it
starts to get easier. But certainly, if the
key that’s supposed to be randomly chosen
isn’t really random, all of a sudden, it
becomes easier to guess. It’s difficult.
You know, true randomness is difficult, right?
Most computers have some way of generating
a random number, but it’s difficult for
a computer to do something that isn’t predictable.
They tend to be very predictable, by design.
Modern computers and modern operating systems
actually gather silently, but most people
don’t know this, but your Windows machine,
your Mac, your iPhone and iPad, et cetera,
are actually gathering what they call entropy.
They’re actually gathering up randomness
as you’re using the computer, based on how
fast you type or maybe the network packets
that are coming into your machine or how you
move the mouse or there’s a number of different
ways that the specific things, that aren’t
predictable, can be observed by the computer
and actually added to their pool of entropy
and when asked to generate a key, which actually
does happen more often than you might think,
those keys are typically pretty random. So,
for example, any time you connect to Amazon
or any other website, your browser actually
generates a key on your machine that is used
to encrypt the connection between your browser
and Amazon so that your passwords and credit
card information and so forth is secured.
Usually, those are pretty random, but if they
weren’t, they would be easily guessable
and someone maybe I’ll get it.
So what is it that sort of master, top trick
cryptographers are doing in creating algorithms
that are so random? What is the sort of like
a process that takes the sort of pattern-ness
out of it?
The whole thing really is to look at the design
of a system as a whole because these systems
are broken is usually not the algorithm, right?
The algorithms are really good. They’ve
been subjected to all kinds of public scrutiny.
It’s pretty rare that algorithms fall over,
although they do from time to time. More often,
it’s the implementation. It’s the specifics
of how things were used, and this randomness
thing is a great example. The RSA algorithm
is still secure. If you use the RSA algorithm
with keys that’re predictable, then it doesn’t
matter. A lot of this really comes down to
designing things in a secure way. Looking
at, you know, a pacemaker, an insulin pump,
or really anything- connected vehicles. Really
any system or a piece of software or so forth.
Looking at it as a system, looking at what
we call the attack surface, right? What is
the risk profile? What other things I’m
worried about attackers getting access to?
What are the controls that have a place to
make sure that they can’t do that? Then
coming up with principles so forth, things
like defense in depth. So even if this one
fence that I have in place fails that there’s
still something else to fall back on. There’s
a number of design principles that are very
important, of which a lot of these cryptographic
concepts are a large part of, and it’s a
skill set that’s rare. It’s something
that’s easy to do wrong. It’s a skill
set that that’s in high demand for people
who can do it well.
Well, speaking of demand, that brings me to
my next question. So if you’re listening
to this right now, and you’re in a job you
don’t like, maybe you’re working a help
desk or you’re, you know, reading the same
logfiles day after day, and you want to make
a change, but you don’t know where to start,
what’s something that our listeners could
do or learn today that would put them on the
path of working in cryptography?
You know, I think education is a big piece.
I mean, understanding some of these principles.
This is a mix of computer science, security
design. Certainly, there are college courses
that can help with that. There’s also no
substitute for taking things apart and trying
things yourself, right?
Are there sort of like demo sites where you
can play around on that?
Yeah and then reading books on hacking, you
know. And understanding how to break things
is a useful skill, even if you’re not a
criminal, right? That’s what you need to
know, to be able to design systems that are
secure. The more knowledge you could get,
the better.
So, for folks who are in college or even high
school and are trying to, you know, learn
their first classes and security or IT or
computer science and want to sort of get a
little inside track on cryptography as like
an elective or whatever, what types of classes
should they be taking? I know, obviously computer
science and probably math, but, like, maybe
some more specifics?
But, I mean, obviously, yeah, those are the
big two. Some courses are now really offering
courses in security. When I was in school,
that was not the case. You kind of had to
figure it out on your own. But most universities
that I’m aware of, do you have some level
of computer security courses. They vary in
how useful they are to this sort of thing.
I think a lot of it is, you know, doing research
into the things that interest you, whether
it’s white hat hacking, how people you know
look at securing systems. You need to know
how to brake systems in order to secure them.
And whether that’s at a cryptographic level
or at an implementation level at a software
level, every single piece of the stack all
the way up there has to be, you know, a mindset
towards how might a hacker exploit this and
how can I make sure that they don’t.
Okay, so let’s go back to all these insecure
IoT devices hanging out there. Could you lay
out a strategy that could be put in place
to start stitching up some of the security
areas, like the ones that are out there right
now?
I think there’s a couple of things. One
thing that’s good, that’s starting to
happen is that you are starting to see some
legislation or suggested guidelines regulation
in places where it really matters, like the
medical industry, automotive, airline industry.
These are places where connectivity, in some
case has existed for a while but is now being
expanded upon. In a lot of cases, if you’re
designing some device, if that device isn’t
particularly expensive, it’s a consumer
device or so forth. The economics of hiring
a cryptographic expert and a team people to
help design it securely, or even do a pen
test to attack it, adds to the cost of that
device and in a lot of cases, the economics
in a normal market just isn’t going to afford
that right. Customers are gonna buy based
on price, and they’re gonna assume that
it’s secure, even though it’s not. In
places where the economics don’t work, I
think regulation and so forth is actually
a good way to start to get people looking
at doing the right thing. The nice thing is,
in places where it really does matter, things
like automotive medical, there have been kind
of, you know, there have been talks of black
hat on hack medical devices and vehicles,
certainly, and other things, that has raised
an awareness in the community, and they are
actually working on some of those things,
even without legislation to help make these
things more secure. I mean, we all want more
secure medical devices and vehicles and so
forth and that the more they sort of share
those practices, the better it’ll get. That
said, it’s gonna take a while because first
of all, you’re now pushing all of the need
for this knowledge into a whole new group
of folks who’ve never had to worry about
that before. The other thing that’s happening
without IoT devices, these things around for
a while. The average vehicles on the road
for 14 years, I believe, and so any change
that you make now, first of all, isn’t gonna
get designed into a vehicle until three or
four years from now, and then it’s going
to be on the road for another 14 after that,
right? So you think about the- you know what
we knew about cryptography and computer security
14 years ago, right? That’s the vehicles
that were trying to secure today, right? Yeah,
the lag problem that makes it even more challenging.
Is it really that privilege of expensive or
is this a sort of thing like with, we talked
with Alissa Knight, about hacking connected
cars, and she said it was, you know, for lack
of a $2 cable that you know a lot of these
things you could catch, you know, hack him
from the side of the road or whatever. Is
it consistently sort of expensive to sort
of go in and root this problem?
It is. But cars are expensive, right? There
should be some margin in cars – they can
and are actually working on this stuff. We’re
actually getting some automotive manufacturers
at Keyfactor. But if you get into smaller
devices, more towards the consumer place.
A lot of the smart home devices, there’s
been a number of hacks on those of various
types, and the reason for that is, you know,
then the economics really do come into play.
It becomes more difficult to inject all of
that security into that process. It makes
the costs go up.
Now that we’ve fixed all the problems of
the old signatures and outdated IoT devices,
what are some recommendations you would make
to the industry, or it sounds like they’re
doing some of it, but to make future IoT devices
more universally secure. You mentioned that
that legislation could actually be a good
thing here. Do Do you think that this is something
that companies will sort of initiate on their
own or is it going to need a strong hand?
I think that in general, if you don’t initiate
it on your own, it’s going to be legislated
for you. So better to get out in front of
it-
And then you like the good guy too.
Exactly.
Yeah. So as we wrap up today, where do you
see these issues in five or ten years time?
You know, things like spam have, you know,
largely become a non-issue, you know, between
spam filters and taking out some of the main
culprits and stuff. But is this- do you envision
a time where this type of attack vector just
isn’t on the map anymore?
I don’t know. I still get a lot of spam.
I don’t know. I need…
I feel like we’re down from the Golden Age,
but yeah.
It will get worse before it gets better. I
think, you know, there’s a general trend
anytime any new, disruptive technology comes
along, whether it was the Internet, 20, 30
years ago. Whether it’s cloud computing
or mobile or IoT, any of these new destructive
technologies, the pace of adoption outpaces
security, right? Every one of those waves,
you know, there’s a there’s an opportunity.
There’s a lag where it gets worse before
it gets better. I think with IoT, we’re
right in the middle of that gap right now.
I guess the good news is, I do think it will
get about get better. I think it’ll take
a while just because of the lag and some of
the other things I mentioned a few minutes
ago. But, you know, the bad news is it will
be replaced by some other disruptive technology
that will bring its own security gap.
Oh, yeah. There’s never gonna be universal
security peace, I’m sure. But, there are
certain things that could be wiped out and
allow us to sort of prepare for other things.
So as we wrap up today, tell us about some
of the upcoming projects on the horizon for
Keyfactor.
Well, I mentioned a few of them. I think we
have a lot of we’ve done a lot of work in
the large enterprise space for a long time
and helping organizations manage their cryptography
which is an even inside of large companies,
the use with some of these disruptive technologies,
the use of all these cryptographic assets
and so forth is expanding and is exploding
and creating a lot of opportunities and needs
for people in this sort of business, but also
companies like Keyfactor. I think the IoT
piece, the number of devices they’re getting
connected and the need to secure them from
my perspective, we talk about self-driving
vehicles and so forth. You know, I anticipate
writing in some of these vehicles, right?
And I fly on planes all the time, right? The
need to secure this stuff. We all have a personal
vested interest in wanting to have this done
right for our own lives. We work very hard
to do that and certainly take a lot of pride
in the work we do to help these organizations
not become stars of BlackHat in the years
to come, and make things better.
So if our listeners want to know more about
Ted Shorter and/or Keyfactor, where can they
go online?
Any of the social media. I’m on LinkedIn.
Certainly, go there. Keyfactor.com is a great
place to see more about what we do. That’s
probably the two easiest places. I’m happy
to connect and have a conversation.
All right, Ted, thank you very much for your
time today.
Absolutely. Thanks for having me.
Okay. And thank you for listening and watching.
If you enjoy today’s video, you can find
many more on our YouTube page. Just go to
youtube.com and type in “Cyber Work with
Infosec”. Check out our collection of tutorials,
interviews, and past webinars. If you’d
rather have us in your ears during your workday,
all of our videos are also available in audio
podcasts. Just search “Cyber Work with Infosec”
in your podcast catcher of choice. For a free
month of our Infosec Skills platform, which
you saw a promo for at the top of the show,
just go to infosecinstitute.com/skills and
sign up for an account and in the coupon code
type “cyberwork” (all one word, all small
letters, no spaces) for your free month. Thank
you once again to Ted Shorter and Keyfactor
and thank you all for watching and listening.
We’ll speak to you next week.
