
I get up here and everybody keeps asking, you know, who are you? We get comments every year saying you don't introduce yourself. Nobody knows who you are. You know, what do you do? What's your background? So this year I said, all right, fine. I'm going to stand up here and I'm going to actually tell you what I do. But when I started, I said, I don't want to throw up my normal profile picture. You know, it's kind of boring. So I said, I'm going to take advantage of AI.
So yeah, I said, you know what, AI, let's do this thing. So I took my profile picture and I uploaded it to ChatGPT and I said, make it a cartoon. So this is what it came up with. And so I was sitting with my family when I did this and I said, what do you think? And they said, no, no, you don't look like that. That was you 30 years ago, all right, too young. Okay, fine, try again. So this is what it came up with.
It's pretty close, it's getting there. But my wife said, no, that's too happy, you're never that happy. Like, definitely, definitely need to fix this. So I said, okay, fine, make it less happy. So it did this. And I said, okay, that's not bad, right? That's pretty damn close. I said, how about a blue shirt? And I said, okay, fine, blue shirt. And so,
Are you close? Yeah, I think it nailed it. I think it nailed it. So, yeah, so I've been in this industry now for 26 years, definitely approaching that curmudgeon level of experience. I'm currently the Senior Vice President for Security, IT and Cloud at CoLab. CoLab has been a strong supporter of B-Sides. We have a number of volunteers that work at B-Sides. And this is all volunteer driven, so they're very accommodating of the time that we need to make this thing happen. If you want to hook up with me on LinkedIn, go for it, I'm there. And if you want to know more about me and what I do and what my background is, talk to me throughout the day,
come sit with me, have a drink, drink social, and I'm more than happy to share whatever it is you want to know. So, welcome to B-Sides St. John's 2024. So this event started in 2011 and we've been running strong ever since. Right now St. John's and Ottawa are the longest running events in Canada and we are one of the longest running events not just in North America but also globally. This is a pretty good achievement for us to be honest. So as we get started, I just want to have a few special thank yous. Obviously our partner, Tech NL, we absolutely would not be able to do this without them. They provide all the support for us
to do all of our invoicing, all the sponsors collecting all the money, just a huge, huge amount of effort. And Allison at Tech NL is the one who's kind of taking care of everything for us. So it's amazing. We have, of course, all of our volunteers. Again, without this, wouldn't be possible. The amount of time that's required to pull off an event like this is phenomenal. So all the volunteers today are all wearing blue shirts. So as you see them walking around, please show your appreciation for them and let them know that you really appreciate the time you need to put into this. Of course, our sponsors. Again, this is entirely driven by sponsorships. This is not for profit at all. So we take
in the money from the sponsorships and we put it right back into the conference and into the community. So without their support, definitely wouldn't be able to make this happen. So all the sponsors, platinum sponsors are all outside. All the booths, go talk to them. The gold, silver, bronze sponsors, they're all sitting in here. Talk to them.
Show them your appreciation. Again, we wouldn't be able to do this without them. And of course, without you folks, it's kind of hard to have a conference if you don't have attendees. So, you know, it's great. The feedback that we get every year, we just keep getting better and better. And the response to the ticket sales is just, well, sales, because they're still free. But it's absolutely phenomenal. So this year, I believe it was about two and a half hours. All the tickets were sold out in two and a half hours. And as of yesterday when I created this slide, there were 130 people on the wait list. So the demand is pretty, pretty strong. Yeah, it's pretty impressive.
And I'm gonna say a very extra special and huge thank you to Nancy Johnson. I don't even know where Nancy is right now. There she is. So,
I've been doing this since almost the beginning, and it's taken a lot of time. And I tried to do a lot of it myself all along. And then I kind of learned that you need to push off some things. I can't do it all myself. But this year, Nancy took pretty much 80% of this and ran it entirely herself. And so I truly appreciate everything that you've done. It would not be possible. It just absolutely would fail without you, so thank you very much.
All right, a few housekeeping items before we get our speakers up. We do have a great lineup of speakers. We're looking forward to listening to the talks. Lunch will be served downstairs. We're gonna send people, as always, we'll just do it in groups, just to make sure we keep the lines sensible. Bar opens, as always, around lunchtime. We'll be giving out tickets. The drink tickets are good for anything, alcoholic, non-alcoholic, whatever your choice. We have a social this evening. So that's the sponsor appreciation social. That starts around 6 after we give away some prizes and all that kind of fun stuff. And this evening we have an open bar and that is courtesy of our very long time sponsor and good friends at Fortinet.
We have prize draws throughout the day as always. I got some great prizes. I went and picked up some things last night. The tickets are the ones you would have gotten at the registration desk, so the split ones. So if you didn't get one, please go to the registration desk and get one. But you should have had one by now. As always, do not drink and drive. We will support you in any way that we can. If you need help, just let us know and I'll be more than happy to call you a cab. If you need anything, find somebody with the blue shirt or just come find me directly. The parking diagram's on the
website, so if you haven't seen it, you can go there and have a look. Please stay in the designated areas. We have the, I guess what's considered the middle and the lower parking lot. The upper parking lot is off limits. If it's full, there's overflow parking up across from the Geo Centre, and the overflow parking is up there.
All right, this evening, so the great folks at AWS are hosting a CTF for us this evening. We're straying from the typical CTF, so it's not a hacking event. It's more focused on cloud configuration, misconfiguration, and it's gonna be very, very beginner friendly. It takes you through, it does tips, very great platform. We are restricting it to teams of three, mostly because I have prizes for three. And every participant will get a small prize. So I'm encouraging everybody to take advantage of it and try it. Like I say, it's very user friendly and at a minimum, you're gonna get like an Amazon gift card just for trying.
We will have volunteers that will be floating around to help anyone that needs it. So as you're doing the event, just put up your hand, let us know you need help. And there's a few people from my cloud team and from the folks at AWS that are floating around and they're more than happy to help you. You will need a laptop to do this. And you're also gonna have to register. So throughout the day and just before the event, you can see Tyler Parrott. Tyler, stand up. Stand up, gotta stand up. Tyler and Steven Bradbury. Steven, stand up. There you go. So you see one of those fine gentlemen and they'll help you get signed up. And that is it.
So we'll carry on. I'm going to introduce my very dear friend, Mr. Glenn Stacy, who is going to kick off our first talk.
Great. Hi everyone. This event, I travel a lot and I go to a lot of these events. This is by far the best B-Sides, actually one of the best events I go to anywhere. So not only from the organization and capabilities of the whole B-Sides team and the volunteers, but also the turnout that you guys bring to the table here. It just goes to show how prevalent cyber security is in everything that we do today. And it just shows how much everyone wants to get involved and they see the importance of what is happening within the cybersecurity world and you want to be informed. I can't say that about every location I go to. It's usually only key people that are driving it
and it's a smaller attendance rate, but to see this amount of people is amazing. So I'm Glenn Stacy. I'm the regional director for Fortinet for all of Atlantic Canada. For the ones that don't know me, I'm from Newfoundland. I live in Newfoundland, but I handle all of Atlantic Canada. This is my home. This is where anything that we do has a direct impact on our communities and I want to make sure that we're actually giving back. So thank you for letting me have this opportunity to chat. One thing about all the conversations that I have when I'm traveling around is AI is a really hot topic. I was in Vegas and I'd say out of
all of the sessions that were going on, AI was packed, standing room only. It's the only thing that everyone has on their mind and I'm gonna be honest, there's a bunch of huge misconceptions around AI of what it actually does and what makes it up. And then there's the whole political side of it, oh I'm gonna lose my job because of it and so on and so forth and robots are gonna take over the world and all of this kind of stuff. So we're gonna go over some of that today. I'm gonna define what AI is, what machine learning is, and what deep learning is. Because there are three different components to creating a true AI environment, okay? So back to the
whole, the world is crumbling and so on. So as a reference to anyone that's ever watched Jurassic Park, the whole conversation around just because you can create it doesn't mean you should. Just like anything that's created in IT or anything in science, period, there's always a good and bad when you go to look at it, it just depends on how you deploy it within the environments that you wanna use it in. So I'm gonna go over the history of AI and you'll see that it's not always for the good, but there is always good in it, it just depends on how you wanna use it. So there's always the naysayers that say AI is going to kill the human race. Well, we're not doing
iRobot stuff here, right? This is something very different. So the technical definition of AI is really to perform tasks. Now remember it's the task component that's in an AI description. So the tasks that require human intelligence. So, and there's gonna be a test on this after, so make sure that you understand this part. There's visual perception. So visual understanding of what's actually happening. Speech recognition, decision making, and translation of language. Machine learning doesn't do any of that, okay? So this is the AI component. So again, human intelligence. Now, I'm gonna take a step back and put it in everyday words, which is artificial and just, it's making machines think like humans, and then I'm gonna do big quotes around smart, because not
all humans are what I would call smart. And there's some people in this room who know what I mean about that, because I was going to have a different piece in this and I decided to move it out because it's just way too political. So AI can produce a large amount of data, it can. That's the beauty of AI. It's the beauty of what computers have been doing ever since they were created, unlike humans. The difference is processing power in the human brain is still way above what any computer on the planet can do. It's just that they can process tasks in a logical fashion without having any kind of human,
you know, anything that you've perceived or any of your history associated to something, so they can do it very logically where humans can't necessarily. The goal of AI is to do things like recognize patterns, make decisions, and that's another word I contemplated putting in, judge like humans, right? Because judging could be a good or a bad thing, so it's about making the decision associated to it. And again, this whole iRobot, I don't know if anyone's watched this movie before.
The concept that a robot the size of a human is gonna have enough compute power to act like a human, today is nowhere close to being possible. It's not even in the realm of thought process because the computer to do that, the processing power would be larger than this room just to handle one robot. So
all it really is is what they're putting into movies and stuff, it's all, this is exactly what it is, it's fiction. It's a movie, it's not there yet. Now, as we increase processing power, we increase cooling capabilities and we make things smaller, you'll see that change, right? So if you think back to the big IBM mainframe that actually put someone into space and you look at the compute power of that, and then you look at the compute power of a chip that's inside of a greeting card today, the greeting card is 200 times the processing power of what that big massive freaking football-sized computer did just to try and do the mathematical equations to put someone
in space. So we are getting smaller but we're still nowhere close to what a human brain can do. So I get a kick out of this because I talk to people all the time, right? Oh, AI is gonna take over the world. The first thing they do is they go out and buy a Roomba to do their floors. It's all about convenience, right, at the end of the day. There is AI built into, well, the early Roombas didn't have AI in them, there was more machine learning, but now there's AI built in. If there's a dog's tail lying across the floor, the Roomba won't ride over it anymore. It used to. The dog and cat
would run all over the house with it dragging along behind them, but it won't do that anymore, or run over your computer cable and chew it all up in the machine, but that's the AI component because it could actually visualize the cable or the dog's tail or whatever that's in the room, that's the AI component. The machine learning component is learning the room, the size, the floor layouts, that's the machine learning piece. The AI is actually doing the visual recognition of what it's running over. You're gonna see a pattern here. So how does all this tie back to cyber security? So cyber security itself, think of everything that we're logging today. It's a massive, massive amount of data, it's huge. No person is gonna be able to actually
go through that, recognize patterns within it because it's just too big. So really the shift to AI and machine learning and cybersecurity and where that's going is that we're moving from event-based cybersecurity strategies into predictive, so predictive cybersecurity measures. Looking at the patterns, looking at behavior. Behavior for most people is the same thing over and over and over and over and over. Your networks are the same, your security's the same. It's the same thing over and over. If there's any deviation from what's normal, it should be flagged. Should be flagged so everyone can actually see it and see what's actually going on with it. So I'm gonna do a little quick history lesson, because I actually love history when it comes
to IT. So we're gonna go through something. So in 1952, computer scientist Arthur Samuel actually developed a program for a computer to learn how to play checkers. Okay, so he used machine learning capabilities and AI capabilities to actually have a computer system learn how to play checkers and actually win at checkers. Everyone thought it was chess, but that's years down the line. This was actually introduced in 1952. In 1955, John McCarthy at Dartmouth College actually coined the term artificial intelligence. So again, in true IT fashion, we're back to a Wozniak and Jobs situation here where someone actually creates the technology but someone else gets all the credit for it in 1955. But AI and machine learning actually
happened way before that. Oh, by the way, first victim of artificial intelligence. I don't know if anyone's seen Tom and Jerry, the cartoons and stuff. So Tom could never catch Jerry the mouse. So this family goes and buys a robot to go catch the mouse because Tom could never get it. So this is the first victim of artificial intelligence. This was also, and here's the cool fact, this cartoon came out in 1955 when artificial intelligence was actually, the term was actually coined. That's when this particular cartoon came out. Now I'm dating myself, I've actually seen this cartoon, but I am not that old, I'm just saying. So we'll go through a little history. 1930 is
actually when machine learning kind of came into concept. Back in 1930, so we're almost 100 years talking about machine learning and artificial intelligence. It's only now that it's actually hitting mainstream for the last 10 years that people are talking about it even more. So Turing, who was the main collaborator on it, in the 1930s created a machine learning solution or proposed a layout for it. And then, so two other people went and created a design associated to this, artificial neurons, and we'll talk about that a little bit more. AI research became a thing at Dartmouth College after someone used the term artificial intelligence. So they actually created research formally at Dartmouth College a year after it was coined. This is where some other things
come in. 1960, the US military, so again, we're talking four years later, the US military puts gobs of money into trying to figure out artificial intelligence. So they can try and get ahead of a whole bunch of things back in the 60s. Remember we're getting into the arms wars, we're getting into a whole bunch of other things. So in the 1960s the US military put a bunch of stuff into it. In 1974 there's still no real huge increase in anything in machine learning or AI. So there's a whole bunch of cutbacks within funding and the US and Britain kind of pull out the dollar values associated to it. Nothing then changed until the 80s and the only reason why it changed
in the 80s is processing power changed in the 80s. Came out with new chip sets that allowed you to actually do more things because AI just couldn't, AI can't exist without the processing power for it and the storage for the data mining associated to it. Then 10 years later after new chips come out, there's another increase in CPU power but there's also now we're starting to get into data mining so they're actually doing going through all the vast amounts of data to try and get more information out of it. 1997, seven years later, IBM, Deep Blue wins a chess match. Now, I want to take a point here. Think of all the money that's been spent from 1930 to 1997,
so 67 years, for someone to win a game of chess.
Like that's a long time for a computer to learn how to play chess. That's all I'm saying. Seeing as in 1952 a computer learned how to play checkers, it's a long difference. But this is where it starts changing rapidly. 2003, deep learning is achieved for large data structures. 2011, IBM Watson defeats Jeopardy champions.
2012, the only reason why I have two things in here that have the Fortinet logo on them, and the only reason, is because this is actually history. So Fortinet's actually the first ones to look at, researching AI and machine learning technology in a cyber security world and applying that using their OS. 2013,
Watson actually starts doing deep analytics associated to things to make decisions for treatments for lung cancer. So again, huge benefit in the environments that can actually help human beings. By 2015, there's 2700 plus AI projects in place at Google. So now Google, because they have crap loads of processing power and they see the value in AI, they put a big push on it in 2015. 2016, see how fast these things are happening now? 2016, machine learning is utilized in malware detection and cyber security. 2017, Elon Musk calls for regulations around AI. It brings me back to when they tried to do regulations on the internet. It's going to be very tough to do it. I also think
there's financial benefits associated to people that want to put in forms of regulations, depending on how they roll out the regulations on AI. Because again, AI can be a good thing, it can be a bad thing, depending on the hands it's in. AI was also introduced into web application firewalls and sandboxes and everything else from a cyber security standpoint. And then another big thing is that Fortinet actually came out with a, well we call it NDR today, but FortiAI in a box. It's an analyst in a box. Again, it's the first time that it was ever introduced into cyber security as a standalone to work with any product on the planet and that's the only reason why I got it in there.
So we're gonna cover machine learning a little bit. So we're gonna play a little game. And I wanna make sure everyone understands what this is. So objective, so what is it that you're going to input into the system? Then features, and this is, by the way, for every AI machine learning platform on the planet. You need to have an objective to start off, then you have to have the features associated. Features could be, against your face, potholes in the face or warts or colour of eyes, how big your lashes are. Everything is a feature and then what's the end result associated to it? Okay, so the objective is we're going to identify an animal based on their features or characteristics. So the features are it
has to be a mammal, has to walk on all fours, it has slightly rounded ears, it's got a long and fluffy tail associated to it, dark fur around the eyes, gray fur and then nocturnal. So let's say that these are the features. So based on those features, so we have our objective, now we have our features that we're gonna use and then the result ends up being a raccoon. That's what should happen. If the data sets that you're putting in along with the features that you're actually doing, you should actually get a raccoon. Makes sense. But it doesn't always work that way. So again, fear that AI is taking over, again, it depends on how you use your data sets and
put it into your infrastructure. So in this case, face analyzed, yeah, it's a cat. Well, it's really not. It's really not. And there's multiple options around this. I see this all the time. It depends on what's going in. So where we have a lot of people getting into the cybersecurity space, trying to understand where AI is going and what it's doing. If you are interested at all in AI, machine learning or whatever, which all falls under predictive analytics, that's what you should be researching. If you're researching or want to be part of predictive analytics, then you should be looking at AI, machine learning and deep learning, because it's the future. There's a lot of jobs for that right now. So what
is artificial intelligence? Again, we covered that it requires human intelligence, making decisions, recognizing human speech, visual elements, translating languages. But I want to point out it's the task. AI does the task component of AI or of deep learning. Machine learning doesn't do tasks. Machine learning just goes through the information and puts it in and labels it and picks the features and puts it in a consumable form. There's no tasks in machine learning, it just puts it in an order which people, programs and everything else can actually understand. So machine learning actually feeds what goes into AI. And then deep learning is the combination of both. Deep learning is the combination of AI and machine learning. So the actual task component associated to the data
component, which is the machine learning side. It's key to understand where those break, right? Because AI is very different than what machine learning actually brings to the table. Both have a reason for existing, but they don't work without each other.
Machine learning usually falls into four different database sets. So supervised learning, which means you're actually labeling everything. So everything is labeled. So you've already gone through and every single feature of all the data sets that are coming in are all labeled so it makes it easy for a program to actually use it. Unsupervised learning means there's no labels on anything. Semi-supervised you're only labeling certain portions of the data set that's coming in. Letting machine learning use, figure out the rest. And then reinforcement learning means you're gonna take those data sets, you're just gonna put them through with no real knowledge of what the outcome's going to be. So it's a trial and error to try and get the algorithms to learn from each other, okay?
So human brain. So human brain is more networked than anything else ever created. The amount of research that goes into the human brain that we still don't know about is massive, like absolutely massive. So for anyone to say that we're actually gonna make computer systems that can interact the way a human brain can is, I just can't see it. And that's my own personal opinion, I just can't see it. Now, can I make certain systems act like the human brain for that component only? 100%.
But if I try to take all the experiences of every human on the planet and then map them out in some neural network to match computers to a brain and the way that it calculates stuff, it's never gonna get there 100%. It's just like generative AI and you put in a bunch of words and you copy someone's voice. It's really good, but it's not quite there. So deep learning's a little different. So machine learning, you're doing the data sets, you're labeling it, and it's very hierarchical. Deep learning is different. So in this case, and this is where I prove my point of where it's not gonna think as fast as you, you see three helmets, you automatically see that it's two football helmets and a motorcycle helmet. You
do that in sub-second response time. When we're talking about deep learning, you actually have to put in an input layer. So we're gonna put three helmets and throw them in there. The difference is that we're gonna have all of these features to try and define what those three things are, but all of them are gonna talk to each other. So each one of these blue round dots that are in the middle, they're different algorithms and feature sets and all of them will talk to each other. So that's that neural network trying to match out to a human brain. Think of how much processing power that's gonna need to actually come out to the same conclusions and the cost associated to it. And then you'll get your output layer. Is it a
football helmet, is it not a football helmet? That's a lot of work to actually get to a point to recognize if it's a football helmet or not. So it's a very easy way or light-hearted way of talking about what deep learning is, but it all comes down to the neural networks that you create. So let's just do a small little idea through it. So I take a '67 Mustang Fastback and actually that's my input. So I'm gonna put it in for a feature extraction, so I'm gonna label all my features that are already in to figure out what that input is and then it's gonna go through a very hierarchical classification on where it falls. And then at the output it's just gonna tell you if it's a
car or it's not a car. Deep learning again goes a whole lot deeper, that's why they call it that way, than machine learning. It's not hierarchical. Everything talks to everything multiple times. So it could start in the top left hand corner, go down to the bottom right, back up to the top left, over, so it pops around multiple algorithms to give you a better idea of what it is that you're getting. And I'll show this to you in a sec. So this is just a wordy slide, I don't need you to read it, it's just more covering what we already talked about except the bottom. The bottom lines on both of these slides
are the ones that are important. AI can work with structured, semi-structured and unstructured data, where machine learning can only work with structured or semi. You cannot throw unstructured data, massive databases that are completely unstructured into a machine learning and hope that it comes out with anything that's worth looking at. It just doesn't exist.
So we're gonna do a little game, try and figure out what falls under artificial intelligence versus machine learning. So translating a text. So remember what I said at the start with the test. Anything that's considered human, you're gonna make a decision on. So translating a text, voice side. So translating voice would fall under artificial intelligence. Identifying bank fraud. Well, that's machine learning. There's no human element in that. It's just gonna go through all the data and figure things out and then tell you if they think there's bank fraud or not. Making a medical diagnostic, that takes decision, the human-like decision making process associated to it. Controlling a vacuum, well, you should already know the answer to that one because we had a picture
on that already. Predicting a system failure, again, that's machine learning. There is no real human element needed in it. Playing a game would also fall under artificial intelligence, or finding cat pictures on the internet. Yeah, that's actually machine learning. And everyone goes, well how, because there's pictures of cats. Well again, it depends on how you actually look at it. So I'm gonna give you an example of that. So in Google, if I just go to traditional Google, we did this, show me feline pictures that are not cats. Google did nothing but give me pictures of cats. Right, because that's machine learning. That's all that is, is machine learning. AI takes it a little bit further because it actually does the visual component associated to it. And we popped
it in Gemini and Gemini actually gave me large cats, right? Lions, tigers, jaguars, whatever it is that you want. That's the difference between the two, just having a data set that doesn't look at all of the human aspects associated to it, okay? So let's look at it from a security standpoint. So I showed this slide last year. Cyber security's changed. The realm of cyber security's changed. People have changed. This is massive business. This isn't a guy with a black hoodie sitting down with a single light on like they show on television. It's just not the way it works. You have crimeware producers. They just write crimeware and there's different groups that do exploits versus packaging of stuff. Special platforms,
mobile, they write stuff different. They're all different groups. They just produce software and they sell it. Now they could sell it to bad people, so they'll give that to senior developers, they'll create source code, they'll sell that to criminal organizations or in some cases they actually do a subscription to the criminal organization, believe it or not. Same as you guys buy subscriptions today. Oh yeah, we'll buy a subscription to that, any update to this hacking software or your code, yeah, give us a copy of it, we'll do it for a year and see how things go. They also then sell it to affiliate programmers. So these are brokers, right? So these are people that also buy it and they'll add their pieces onto it, they'll sell
it. Anyway, this is all big business. They drive around in their Mercedes, they have board meetings like every other company, it's just, it's massive, massive business today. And until, and this is my own personal opinion, until the risk and reward get kind of level, you're only gonna see it even more and more. Right now, the risk and reward are very, very different from each other. If you get caught doing something bad, at least in North America, you go to a tennis club prison for a little while and you just make crap loads of money. You do that in Russia, it's a different story. So until we actually do things differently, it's gonna be the same. So how can it help in
cyber security? So what we're gonna do is, what it does is it can discover new cyber security issues, new things that are happening. We can allow organizations to automate things, massive threats that are massive data amounts that are coming in and we can automate it. Automation, and I'm gonna say this until I'm no longer doing this, Automation is your friend. There's a lot of people in this room and every other customer I talk to that have the capabilities of automation and they won't automate it. I have one person call me and say, but Glenn, if I automate it and I take something down, I'm gonna get in trouble. I say, well, if you don't automate and your whole infrastructure gets hacked, you're also going to be in trouble.
Probably a bigger trouble, because now we actually have a dollar value associated to it.
Automation is key. We're not hiring more people, nor is there a company in here that's hiring more people. They're trying to do more with less. You already own automation capabilities in most cases, and you should be looking at it to make your life easier so you can spend more time on designing better, capacity planning and everything else. Automation is key. Applications, password protection, using PAM or whatever you want to, phishing detection, prevention control, network security. Next big one I think is behavior analysis. Again, behavior is very normal. It's very stagnant most of the time. If there's a change in behavior, your tool set should be able to show you that the behavior's changed and you should be able to go and look at it. Benefits is that if you're using AI and machine learning, it's constantly learning. Constantly learning new things, new discoveries, new ransomware, new malware, new threats, everything. Helps with vulnerability management, enhances overall security posture, which at the end of the day is why everyone's in this room: to increase security posture. So I'm not gonna go super deep into this. This is just the kill chain.
There are products out there that have AI and machine learning that help you with your kill chain. The faster you break any kind of attack, the better off you're gonna be. So if you can get it at the reconnaissance level, and by the way, this is a standard kill chain, the faster you get there, the better off you are. And again, each of these products uses different database structures, so it will give you a different outcome, just like using the frog. If you have the wrong database infrastructure because you're using a single tool set to do all of it, you're not gonna get to the place that you want. Again, there's a whole bunch of products. So just as some ideas, right? So you could use EDR for exploitation, for instance. Most EDR has machine learning or AI or both associated with it. Use the tools that you need to actually stop the kill chain as quickly as possible. Because if it goes past the command and control, you're in a different place. You're gonna have problems from there.
So, just to end off, AI's a tool, that's all it is, right? It's a tool everyone in this room, everyone on the planet can use, but you choose how you wanna use it. It's not something that everybody should be afraid of; it's actually a really good thing. It's a massively good thing. Does it have potential to do some bad things? Sure. But anytime new technology comes out, new capabilities come out, roles change, jobs change, everything changes. It's just the nature of being a human. So don't be afraid of AI. AI is actually our friend and it can do a serious amount of good in the world, including cyber security. So just to end off, the more data compliance policies that you have, using AI can automate, and automation again is your friend. Use automation as much as possible in your environments from a security standpoint. It will make your life easier and it will make you more secure. It will help you with unknown threat detection, vulnerability management, response time capabilities. It will just allow you to sleep at night better. I guarantee you all the security people in this room at some point in time have a hard time going to sleep because they're wondering what is going to happen next inside their infrastructure. And thank you. Appreciate it.
All right, thank you, Glenn. We're gonna take our morning break now. We'll be back at 10:45 and we will have a prize draw then, but you have to be here to win, so be in the room at 10:45.
I'll pass them out while you do it again. All right, sounds good. All right, everybody. Welcome back. We'll have our next talk now in a second, but we're going to draw for some, what do we got, AirTags? And draw for some AirTags. So 219-2167.
219-2018. Yeah, and keep your tickets after, because they are going back in. 219-2078.
We'll have some more prizes soon, but now we have Xavier talking about, I forgot, cybersecurity in the era of space exploration. Thanks.
Hi everyone, it's a pleasure to be here. I'm Xavier Ben-Simoun and I would like to tell a story about cybersecurity in the era of space exploration. Some of you may have already checked my bio; you may have seen that I've been in the cybersecurity field for 21 years right now. And I'm really, really a strong fan of space science. So the occasion to talk about both subjects within the same situation, that's great. You may also have the following question: why should we take care of cybersecurity in space exploration? Those guys are really intelligent, so that should already be in place. Of course, the answer is a bit far from that. So, let's understand how we use the space technologies, and then we go through those risks.
First of all, we are highly depending on those space technologies. Let's say, for example, artificial satellites. We use them to observe Earth, to communicate, you know, internet, high bandwidth internet all around the globe, because yes, the globe is not flat, the Earth is not flat, so defense, science, research, and even navigation, you know, those GPS, GLONASS, all those services. So we are highly depending on those solutions that physically stay in space, and those solutions are complex. In order to fully understand what those risks are, we need to understand some key elements. Usually, those space systems are architected in four pieces: the space segment, the ground and user segments, and those link segments that interconnect those ones. Those systems must be integrated, all of them, and they are complex, such as propulsion systems, communication systems, scientific instruments. Also, we need to know that usually we had, or in the past, we had those nation state agencies. Okay, they did a great, great job. But now we have the new space. So privatization of space is concrete right now. And we saw last week the first private space walk in history. So the privatization of space is really something that's concrete right now.
So because of all of that, we should try to find the risks that those technologies are exposed to. So first of all, any IT, OT traditional issues, risks, the space industry lives with those risks. But there are also some specific risks to that industry. The main risk is the supply chain. So when in 2021 some people were warning about anti-satellite missiles, there were risk analyses on what kind of threats that brings to the space industries. And basically the answer was: well, if we have a constellation of satellites, we don't care so much about those anti-satellite missiles. But the real threat for the industry is the supply chain. And there is also another one, the life cycle. So come on, we do have in space some satellites that are still operational and were elaborated in the age of the first computer security program back in 1972.
So and then there is even AI in space, you know, that's a requirement for autonomous vehicles, autonomous missions, and we need to take care of the future risks with quantum computing, for example. So now we understand the situation. Maybe we should ask: do we have guidelines? Do we have standards? Okay, what are those best practices? Well, all of them are quite recent. Some of them are even only considering some of those four segments and not the full spectrum. And yeah, so those space-centric cybersecurity standards are either lacking or too recent, and in some countries like the US, the space industry is even not recognized as a critical industry. So they are complex. We are highly depending on those solutions.
What are those risks? So I've chosen to show you two kinds of threats, effective threats, and I've selected one of them in regards to the user and ground segment. Why have I chosen this one? Because it started with a 90 vulnerability and it finished with a war just one hour after exploitation of that vulnerability. So this is concrete, and war is war. The second one is an exercise, a red team and blue team exercise that the European Space Agency initiated in 2023. Really recent, right? So those fake malicious guys, the red team, were able to gain access to the satellite. The satellite was drilled in order to have such an exercise, right? And those guys were able to modify the pictures that the satellite was taking of Earth, okay, and were able to either remove some of those pictures or modify them.
So let your imagination run wild and understand the potential threats, if that kind of satellite was a military satellite or an imagery satellite for, let's say, your next harvest.
This is a joke, of course. So you should hash, of course, and sometimes in the hash we add some salt, but in space it can be dangerous, right? So NASA provided liquid spice.
There are solutions. So of course those solutions could come from technical aspects, and come also from governance, awareness, and human processes.
So in order to sum up, we are highly depending on space systems, even if they are complex. So we need to, of course, secure them.
And yeah, we are highly depending on them, but we still use them.
That's it. Thanks a lot.
I'm good to go. Okay, all right everyone, next up we have Jeff talking about risk management in cybersecurity. Can you hear me? All right, who here in this room is a cybersecurity professional? Put up your hands.
A lot of you. Is there anyone here that is not a cybersecurity professional? Okay, a couple. Those that had your hand up first, I'm gonna pick on you today. Don't throw tomatoes and eggs yet. I'm about to tell a story about our profession. I'm going to tell a story about how our profession sees itself. If we asked everyone in this room what cyber security is, we would get many different answers. I want to give you my answer, and I'm going to tell you a story as to why I've come to that conclusion. And that story's going to have good guys, and it's going to have bad guys. And the stage for this story is corporations, organizations, and governments, including apparently satellite companies around the world. So I'm not going to introduce my experience or any of my credentials until after the talk, because I want you to think about the story and not the storyteller.
So I think we all agree cybersecurity has a critical role, and we see daily what the consequences of neglecting risk management are. Here we have: Dix hardware sure shuts down its email, locks employees' accounts out after cyber attack. These are fairly standard, and I'm not doing these to scare you. This is kind of traditional, to start a cybersecurity talk with the scary stuff. BlackSuit ransomware stole data of just about a million from a software vendor. Toyota confirms third-party data breach impacting customers. This is a supply chain management issue. Park'N Fly notifies one million customers of data breach. You've seen this. So this is not new to anyone.
Now, shifting gears for a minute, what's the consequence of this? This is CFO Magazine, who analyzed small and medium business failures in North America. And they came to the conclusion that the vast majority of small and medium sized businesses that fail, 82% of them, fail due to poor cash flow issues. What's that got to do with cybersecurity?
60% of small companies close within six months of being hacked. What's that got to do with cash flow? The average cost of a data breach to Canadian firms is 7 million. This was in 2022; it was an IBM study. The real cost of a data breach in 2024 in the US is up to 4.88 million. Here are the largest data breaches in history. Yahoo at 470 million, Veterans Affairs at half a billion dollars, Equifax was 1.4 billion, Epsilon was 4 billion, and NotPetya and ExPetr were vulnerabilities, but they affected so many companies that it's estimated the cost of those data breaches was 10 billion dollars. Now if that's not loud enough for you, there it is again. Okay, so there's a relationship between cash flow and cybersecurity.
We can see the importance of what it is we do. And of course, we always hear we don't have the budget for good cybersecurity. Well, if you can't afford cybersecurity, you can't afford a data breach. So where am I going with this? Well, I want to tell you about an economist. This guy, Fritz Machlup, was doing some investigations in 1962, and he looked at the largest economy in the world, which was then and is still today the American economy. And what he noticed was that as the American economy grew from the beginning of the century, especially from 1960 on, it started to diverge from the proportion of the economy that was due to the creation, the sales and the trade of tangible goods. So why is the economy growing faster than America's ability to produce, sell, and trade tangible goods? Hmm, he found a problem and he wanted an answer to it. Well, coincidentally, he had been doing previous research on the growth of knowledge workers in the US. He went to a bunch of companies and he asked them, on an annual basis for a bunch of years, how many filing cabinets do you have? And he noticed that the growth of knowledge workers increased from 1900 to 1962. He also noticed that the number of patents that were registered in the US correlated to the gap in the GDP. So here's that one you just saw. Notice the knowledge portion of it, which had not previously been measured by accountants and whatnot, exactly explains the growth in the US economy. So he discovered what's called the knowledge economy. And if you take the tangible economy and the knowledge economy, that explains the economy. And what this is telling us is that information is currency. Technology is the medium of value creation and information is a form of capital. So when we look at those largest data breaches in history and we say, why does the loss of information result in such big bills, it's because information is a form of capital. Now, I would ask you as cybersecurity professionals, has this insight occurred to you? Hold that thought. Information is capital. The market value of a company exceeds the book value of a company because its tangible assets only show part of the picture. And organizations rely on intangible assets far more than tangible ones. So if you think that a company that spends four, like take a university, that might have a police force that spends $4 million a year on traditional brick and mortar policing, and ask yourself, is that the whole picture in terms of security? What's it spending on cybersecurity, given that universities are data-rich businesses, their intangible assets are worth more than their tangible assets?
So let's talk risk management in cybersecurity. And I want to compare ineffective and effective approaches, because this is going to speak directly to the question about what is cybersecurity. Where do you find these controls? Just read the list and shout out where you think they come from. Asset performance monitoring, secure transfer and custody, asset management evaluation, segregation of duties. Where do these words come from? Anyone?
ChatGPT, no. They're related to a profession, yeah? Physical security? Financial control. All of these are financial controls. This is how we safeguard our money, our capital. We have things like performance monitoring, secure transfer and custody of capital, fraud detection and monitoring, audit reconciliation, segregation of duties. Why does that seem familiar to this audience? Because cybersecurity has exactly the same controls. So if you never saw yourself as a financial officer, maybe you should, because your approach to cybersecurity should look exactly like how accountants and financial analysts safeguard money. Financial analysts know where all of their assets are. We have seven accounts. Here's who has access to those accounts. I go into companies on a regular basis on behalf of Glasshouse, and I look at companies' cybersecurity programs, and I ask the security teams, do you know where your critical data sets are? And more often than not, I get the answer no. So the question is, if an accountant doesn't know what accounts he has, how good of an accountant is he? If a cybersecurity analyst doesn't know where their critical data is, dot, dot, dot.
So let's now look at cybersecurity definitions and the curriculum that our profession... I'm not picking on you, because we have to critique ourselves in order to improve. So let's look at what we actually learn. I asked 75 cybersecurity professionals what's their definition of cybersecurity. Here are some of the responses. It's stopping hackers, attackers, intruders.
It's the practice of protecting internet-connected systems. These are all great answers. I do a first cycle encoding, which is a fancy academic way of saying I do a theme analysis. And here's the themes that come out of those answers. And when you boil it down, these are the answers that I got, in seven pithy statements. We protect systems and data from threats. We prevent malicious attacks and intrusions. We ensure confidentiality, integrity, and availability. We implement security measures and controls. We secure specific technology domains. We teach humans and best practices. We safeguard infrastructure and systems. Now, these are good answers, but in all of this, something struck me as missing. So maybe I shouldn't be asking cybersecurity professionals. Maybe I should be asking the experts. So I went to the Oxford Dictionary, and according to them, it's the practice of defending computer systems, networks, and data against theft, damage, and blah, blah, blah, blah, blah. I looked at the US-CERT definition. It's the protection of internet connected systems from digital threats, blah, blah, blah, blah, blah. And so on and so forth. They all gave similar answers. Still, there's something missing. Can anyone guess what is missing from all of those definitions?
Managing risk. Is there a relationship between what we do and cybersecurity? It's risk management. So here's a new definition. I propose this. I want you to think about it this way. And you can reject this if you'd like, but: cybersecurity is the practice of identifying, assessing and managing risks associated with the use of technology to handle information. If at the heart of our profession is protecting a new form of capital, I think this is a better definition, and I'm going to show you why. The Harvard Law School Forum on Corporate Governance wrote this nice paper. It's a bit of thick reading, but it has two things that we can learn from it. Most corporate boards fail to understand how reliant they are on technology for the creation of value. I'll say that again. Most modern businesses fail to understand how reliant on technology they are to create value. I'll point out that in the last 100 years, if you looked at the world's top 30 most successful businesses, more than half of them were in natural resources, oil and gas. In the last 25 years, the only companies that have broken into that very elite list are information companies, Microsoft and Amazon, information-rich, information-centric companies. So if a company in the 21st century doesn't understand that it relies on technology for the creation of value, it's missing the boat. Second thing this paper says is that the vast majority of boards don't understand cybersecurity as a technical risk. And I know this to be true. On behalf of Glasshouse Systems, I go into companies and I ask questions of boards such as, who manages financial risk? The board does. Who manages reputational risk? The board does. Who manages legal risk? The board does. Who manages technical risk? Oh, our cybersecurity team. Strategic risk managers, do they know that? And I know the answer to that is also no. If I go in and talk to a cybersecurity team, I ask them, do you know that your board thinks your job is to manage strategic risk? No. We don't do that. We worry about controls. We look for vulnerabilities.
We patch systems. Do you see a problem here? I see a problem here. The overlooked element of risk management. So let's look at cybersecurity education and the gap. I went to NIST's NICE site, which is a registry of certification courses. It includes things like CISSP, ISA, all of these cybersecurity certification courses. They're all there. I looked at almost 2,400 of them, 2,397 to be precise. And I looked at the curriculums: 44 of them out of 2,400 focus on risk. That's 1.83%. 113 of them focus on hacking, how to be a better hacker. So you've got four times as much chance of learning how to hack than you do of how to risk manage. Now think about that. If I'm at a bank and I want to hire a security guard, is it better to hire someone that understands how to look for signs of entry or someone that can pick locks? I think the logic is a little skewed. When you look at the skills that these certification courses require, their skills and abilities, they say this is what you need to know and this is what you need to be able to do. Out of 445 knowledge statements, 49 were related to risk. That's a little better, that's 6.3%. So the word is in our vocabulary slightly. When you look at the ability statements, what are you able to do as a cybersecurity professional? Six were risk related, that's 1.34%, and zero were hacking related. So the professionals who say this is what you need to learn and this is what you need to know and be able to do, they don't think you need to know how to hack. They do think marginally that you need to learn how to risk manage. What professions currently learn risk management? Financial analysts, accountants, project managers, insurance professionals, engineers, safety officers, and some healthcare professions. Cybersecurity should be at the very top of that list, in my opinion.
So what are the broader implications of this education gap? What's the impact on our profession? What's the impact on organizations that employ us? In order to answer that question, we first need to understand what I mean when I say risk. So we're gonna do some thought exercises. If I ask you to walk across one of these two roads, the first is the country road, and the second is the 401 going into Toronto, and I'm going to put a blindfold on you. Which of those two are you going to choose?
The country road. Why? Because the chances of something, the likelihood, let's use that word, the likelihood of something bad happening to you is less. Right? The likelihood and risk are somehow related. If I asked you to walk across an area where traffic occurs, the country road, and I said, this country road only has skateboards and this country road has trucks, which of those roads would you choose? The skateboard. The skateboard. Because somehow impact and risk are related. This is the only math equation. So if you're math-phobic, I apologize. I won't go past this. At the end of the day, risk is a fancy word we use, but it really means the likelihood of something bad happening and the impact of something bad happening. And risk is actually something you can calculate. If you can estimate qualitatively what the likelihood is, I think it's probable, I don't think it's probable, and the impact, is it would destroy the whole organization, or it would only impact five noisy users, then you can calculate risk. And that suggests that there are different kinds of risk. There are low probability, high impact risks. If this guy falls into the pit, it's gonna have a high impact, but the probability is low because it's only a narrow little thing. There are high probability, high impact risks. There are low probability, low impact risks. And then there are high probability, low impact risks. And the question I would ask is, how often are we as cybersecurity professionals coming into contact with this kind of thinking?
From that, you can create a risk matrix. A risk matrix can take qualitative assessments such as rare, unlikely, possible, likely, almost certain, and insignificant, minor, moderate, major, and critical, and you can actually create risk scores. Now, when you say that there's a risk, as a cybersecurity professional, and the business unit ignores you, why are they ignoring you? Because you haven't demonstrated how you've come to that conclusion. If you can show them that this is possible and the impact would be critical, and you say this is a high risk, you can demonstrate your calculation. Are they going to ignore you? No. Because you're not speaking a technology language, you're speaking a risk management language.
Now one thing to note about impact: impact is relative to the organization. I was CISO at the University of Western Ontario for eight years. And when I stopped talking the language of technology and I started talking the language of risk, I got a lot more attention. The impact was always relative to the entire organization. So universities, for example, have strategic missions to teach and to educate. They don't care about ancillary things, such as the ability to host a classroom website or bus schedule. They're there to teach and to educate. And so impact is relative to that. I once got a risk assessment from a faculty that said something was a high risk. And when I reported it to the university, I reported it as a moderate risk. And the dean jumped all over me and said, I reported it to you as a high risk. And I said, yes, relative to the faculty, you're correct, it is a high risk, it will impact your faculty. Relative to the university, it's a moderate risk because it won't impact the whole university. So impact is relative to the whole organization, and likelihood is a function of things like vulnerabilities, exposures, threats, mitigating controls, words you've heard. Why have you heard them? Are you using them in a risk calculation? So let me ask this, and I do want feedback. What is cybersecurity's goal? What's its goal?
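A worked version of the risk matrix and the scope-relative impact described above, added here by the editor and not taken from Jeff's slides. The five likelihood and five impact level names are the talk's; the numeric weights, the band cut-offs, the share-of-headcount thresholds and the faculty and university headcounts are assumptions.

```python
"""Qualitative risk matrix: score = likelihood x impact, banded into
low / moderate / high, with impact rated relative to an assessment scope.
Editor-added illustration; level names follow the talk, the numbers are assumed."""
from dataclasses import dataclass

# Likelihood and impact levels named in the talk, weighted 1..5 (assumed weights).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}

# Risk-score bands as (floor, name); assumed cut-offs, an organisation sets its own.
BANDS = ((10, "high"), (5, "moderate"), (1, "low"))


@dataclass(frozen=True)
class Scope:
    """The population against which impact is measured (a faculty, the whole university)."""
    name: str
    headcount: int


def rate_impact(affected: int, scope: Scope) -> str:
    """Turn 'how many people in this scope lose service' into an impact level.
    Thresholds are assumed; the point is that the same event rates differently
    inside a small scope than across the whole organisation."""
    if affected < 0 or affected > scope.headcount:
        raise ValueError("affected must be within 0..headcount")
    share = affected / scope.headcount
    if share >= 0.50:
        return "critical"
    if share >= 0.25:
        return "major"
    if share >= 0.10:
        return "moderate"
    if share >= 0.02:
        return "minor"
    return "insignificant"


def risk_score(likelihood: str, impact: str) -> int:
    """The one equation from the talk: risk = likelihood x impact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_band(score: int) -> str:
    """Map a 1..25 score onto the assumed low / moderate / high bands."""
    for floor, band in BANDS:
        if score >= floor:
            return band
    raise ValueError(f"score out of range: {score}")


def assess(likelihood: str, affected: int, scope: Scope) -> dict:
    """Full calculation for one finding in one scope, returned as a record so the
    reasoning (not just the verdict) can be shown to the business unit."""
    impact = rate_impact(affected, scope)
    score = risk_score(likelihood, impact)
    return {"scope": scope.name, "likelihood": likelihood, "impact": impact,
            "score": score, "band": risk_band(score)}


def matrix() -> dict[tuple[str, str], str]:
    """The 5x5 matrix: the band for every (likelihood, impact) pair."""
    return {(lk, im): risk_band(risk_score(lk, im)) for lk in LIKELIHOOD for im in IMPACT}


# Constructed scenario modelled on the dean anecdote: an outage of a faculty system
# affecting 1,000 users, rated "likely". Both headcounts are invented.
FACULTY = Scope("faculty", 2_000)
UNIVERSITY = Scope("university", 40_000)
FINDING = {"likelihood": "likely", "affected": 1_000}


if __name__ == "__main__":
    for scope in (FACULTY, UNIVERSITY):
        print(assess(FINDING["likelihood"], FINDING["affected"], scope))
    # Same finding: "high" relative to the faculty, "moderate" relative to the university.
```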
Risk is right, but its goal is specifically to reduce the impact potential impact of a risk event to reduce probability But if you don't think in terms of probability impact which is the elements of risk then you you you you you don't really have a goal Cybersecurity is very simple. It has two goals reduce the likelihood reduce the impact and you have in your toolbox Risk acceptance, risk avoidance, transferring risk, reducing risk, hedging risks. When was the last time someone in our profession said to their boss, you can accept this risk? How do you know when to accept risk, when to avoid risk? Again, if you're not doing a risk calculation, you can't make those decisions. If it's a low probability and a low impact event,
you can accept risk. If it's a low probability, high impact event, you transfer it. If it's a high probability, low, Impact event you can reduce it and then if it's high probability high impact you avoid it so those tools in your toolbox have to be used based on your ability to understand risk and This came from a journal on risk management. It's they call it you know the risk management process Do we perceive risk do we assess risk do we communicate risk and then do we manage risk? You'll notice that this works equally well to our profession do we perceive? vulnerabilities, the threats in our environment? Do we assess them? Do we communicate them? And then do we manage them? So you
can see that if I'm wrong, that our profession is not about technical risk management, this alignment should not hold so nicely. Some case studies. So cloud security has kind of a, it's got two problems associated with it. First, people think that when they move to the cloud, all of the risk management is owned by the cloud service provider. that's wrong. Two, if they recognize that they own some portion of the risk management, it's often difficult to explain what portion of that risk management do we own. So you've seen these cloud service models where you have on-premises, infrastructure as a service, platform as a service, and software as a service. And on-prem, all of the risk management belongs to us, just because all of the technology stack
belongs to us. When you start to get into some of the cloud models where you have infrastructure as a service, the risk management accompanies that. So not only do you have a relationship on the left-hand side between the service provider's responsibility over the technology and the client's responsibility over the technology stack, you also have a split responsibility when it comes to risk management. And the same is true of platform as a service, and the same is true of software as a service. So understanding risk management in these terms actually makes something that seems difficult a lot easier to understand. Case study two. I did a review on a company that had a
very good software architecture review process as part of their change management. Before technology could go from development into production, the security team had to do a technical security review. Great, I was really happy to see this. That was very advanced thinking on the part of the company. Except that the company wanted to deploy a wealth management system, and in the wealth management system there was a component that shared system status from one component to another, and it was using TLS version 1.2, and the security team was holding up business enablement of this wealth management system, the bread and butter of the company. Now, if we look at this from a risk management perspective, TLS version 1.2, it's true, it should be 1.3, but what is the likelihood that
this is actually a problem, considering it's in a confined space and it's between two systems that talk to each other about system status? Well, the likelihood is, although compromises of TLS 1.2 have been seen in the wild, the chances are really, really, really low. There's a lot bigger fish to fry up there, and secondly, this was contained and there were other compensating controls. So the question I would ask is, if the cybersecurity team that was doing this architecture review understood risk management, they wouldn't hold up business enablement because of this vulnerability. This is a risk that we can accept. Vulnerability management with equal critical vulnerabilities. Another team, they had two equal boxes, they were Dells, running some version of Linux. And they came up in a vulnerability scan
with 61 critical vulnerabilities. One system was an HR system, and the other system was something meaningless like bus schedules. And I asked the team, which of these two is the greater risk? And they looked at the Tenable, and they said, they're both equal. They both have 62 critical vulnerabilities. Is that a true statement? Because if you understand that our job is really technical risk management, and we do our simple risk calculation in our head: the impact of losing bus schedules is low. The impact of losing HR data is high, even if the likelihood is the same. They both have 62. You worry about the HR system and not the bus schedule system. And this is just a simple risk calculation. This one comes from SIEM data. This data
came from a SIEM. I have added some columns here. This is exactly the data that a SOC looked at. And they looked at the row highlighted in yellow. And you'll notice that they labeled it as high. That label was assigned by human cybersecurity professionals, some of whom have a great deal of experience. And what is it? It's an unusual amount of external inbound email from an IP address known to be a malicious IP. What is that? We call it spam, right? We said this is high, but I also want you to notice the multiple login failures that were listed as low. When you actually do a risk calculation, the SIEM gives us that. It gives us a magnitude number based on the criticality of the asset, and it
gives us a prediction probability. This is SIEM voodoo, but they actually give you the two things you need to calculate risk. I added the risk calculation, and when you order by risk, you'll notice that the multiple login failures are the highest risk in that list, which was categorized as low. And the detection of an unusual amount of spam happens all the time, so it's got a high probability. But its impact was only two. When you actually calculate a score, you get like 18% versus 50%. This was a successful attack on many credentials outside the company that went missed simply because the security analyst looking at this data didn't ask the question, what's the likelihood times the probability? And you'll notice that in the list of kind of the worst attack
types, these likelihoods and impacts were estimated on other data, so don't take that as gospel, but let's assume it's reasonably good. These are your attacks ordered by risk. Failed login attempts is top 15, whereas spam is further down, much further down, like 32 or something. So how can we assess our profession as teaching us to be effective risk managers? If I'm right that we're missing the boat as a profession, these are the kinds of things you'll see. And I want you to think about this. Is any of this true? If none of this is true, I've wasted your time and we'll go to lunch. If any of this is true, I want you
to take away the message. Are technical solutions prioritized over risk management strategies? Is there a lack of communication between your cybersecurity professionals and your business leaders? Are we focused on defending against specific threats instead of overall risks? Is risk management ineffective due to an unclear understanding of the business objectives? Do we fail to prioritize ongoing monitoring and assessment of risks and vulnerabilities? Like, are any of these resonating with any of you? And the list goes on. There are a lot of maladies that you can see when our profession ignores the core of its purpose. So let's get to the conclusion, the question and the answer, and summarize the key points. Key insights. What can we take away from this talk? We can take away that
cybersecurity is technical risk management. The profession needs to practice risk-based decision making. Cybersecurity controls focus on protecting IT assets that process information. Cybersecurity professionals need to adopt the language of risk, not the language of technology. And the profession needs to learn how to balance business objectives with protection efforts. So what are our calls to action? If I've convinced you that my view of cybersecurity is correct, what can we do about it? First, to employers, three things.
Have cross-functional risk management training. Have your cybersecurity professionals learn how to understand risk. Create collaborative risk committees. Include your cybersecurity professionals with your auditors and other people who do understand, and your project managers who understand risk. Integrate risk management into cybersecurity job descriptions and key performance indicators. What can we do if we're actually engaged in training our juniors? Develop business aligned risk management modules. Emphasize risk communication and training. Don't talk to your boss about technology, talk to them about risk. They'll listen to you. Incorporate emerging threats in adaptive risk management. So use risk equals likelihood times impact to actually understand emerging threats. And then if you have any influence over the industry, and this is really
why I created this talk. I do want to influence the industry. Promote industry-wide risk management standards, such as NIST. Create cybersecurity leadership development programs, and establish risk management apprenticeships and mentorships.
Accountability for what we do, protecting probably our most valuable asset cannot be outsourced. And I want to thank Memorial University for naming a center after me.
Questions and answers. By the way, my credentials. I've been in cybersecurity for 30 years. I've been a CISO twice. CISO stands for career is soon over because you're expected to be a change advocate in often change resistant organizations. And my CISO experience is more than a decade. So do you guys have any comments or questions or anything you want to discuss? Because I know probably nobody has put it so succinctly in this way, but I really do want your feedback.
I thought it was a great presentation. I really like putting these things in perspective in terms of the impact especially. Just a comment on training the other way around and risk managers. As an IT manager for a small group of companies, getting an insurance policy, cyber coverage, from these risk management companies, I found their questionnaires were absolutely dismal. And I guess it was from the underwriters or something. But I'd like to see something like this go towards the other places too, I mean, there were dumb questions like number of records and this kind of thing. So just.

I'll tell you why. Because their actuarialists understand risk. But when they write up these cybersecurity questionnaires, they don't ask the actuarialists to do it. They asked the cybersecurity team in the insurance company to do it. And then some project team who's come in to try to sell the policy, and they have no idea. So nobody knows how to answer them. Yeah. But I've just showed you there is a way to quantify risk. Even if your instinct isn't to put a number to it, if you can qualitatively assess it, remember I showed you likely to unlikely, and I showed you probable to improbable. And this is my experience. It's true while I'm bashing the profession, and I do that because I love my profession. I grew up, I was a Unix administrator, a system architect. If the operating system ends in IX, I've touched it. I built high performance
computers, Beowulf computers, clusters, I built DICOM PAC systems for health care institutions. And when I hit risk management, when I hit cybersecurity, I had a lot of technical background. But nobody took me by the hand and said, your boss isn't listening to you because of this. And this is how you prioritize this over this. Nobody did that. And so I look at somebody that's got 30 years in this profession, and I say, what can I do for the next generation? And I'm telling you, this is what I've learned, is learn how to risk manage. start thinking differently about what you do. And if you can do that, you're going to be impactful. Yeah, I agree.
Often, I've seen it multiple times where impact or likelihood get mixed up, and then something that should have been higher priority just gets lost in the mix. Right. Thank you. Thank you for your comments. Yes? Thanks for your talk and very much appreciate the considerations of impact and thinking through those things and prioritizing, et cetera. But what do you do with the fact that for an awful lot of things in security, the probability of attack is zero and it's zero and it's zero and then one day it's one. And you can't predict which of those things are going to go from zero to one. Not everything is like that, but some things are. So how do those fit into the kind of the risk matrix approach
that you're talking about? So I've mulled over probability quite a lot. I don't think the probability is zero. I think that we don't have enough data, because organizations that get breached don't publish their data. If I go back to that list of all of the things, if I go back to this list, do we know that ransomware is happening? Yes. Do we know that DDoSs are happening? Brute force attacks, SQL injections. And we're not even talking about the human things like social engineering. Is the probability of any of these things zero? No. It's just that we're not measuring it. So the next question is, if we're not measuring it, what's the next best thing we can do? And the next best thing we can do is use our judgment. If
I connect a computer to the internet, or I don't connect it to the internet, how does that impact probability? Well, the internet is connected to the world, and a standalone system not connected to the world, or behind a firewall, is not connected to the world. So we can make educated, professional judgments on what that probability is. But I don't think that, and I'm not saying you're suggesting this, but I don't think we should be using the difficulty in estimating probability to stop us from using this general approach. Does that make sense? Sure. But when it comes to some specific things like the discovery of previously unanticipated classes of vulnerabilities, that kind of thing, is there a place
for uncertainty of saying, here's a whole range of, I have absolutely no idea how likely this thing is. It might be super likely in 10 years. Right now, I feel like it's not very likely. But really, I have no idea. Is there a place for that kind of epistemic humility, I guess? JOHN DOLANCOISON- If you get into, so this equation I've showed you, I've said that this is a cybersecurity equation. Do you know what its origin is?
You're right. Good for you. The very first paper on this was done by the Department of Commerce in the US back in 1959. And it was an economist that in his prior life was asked, what's the value of an investment if I don't have a 100% return rate on that investment? And so the value of an investment is equal to the likelihood times its return. So say, for example, I buy a lottery ticket, and I've got a 60% chance of winning $100. The value of that return is actually $60, 60% times its overall value, its impact. However, when he got asked by the Department of Commerce to estimate cybersecurity risk, he said, well, if we can estimate the value of an
investment with imperfect information, we can also estimate its opposite, the risk, one minus that value. And that's where this comes from. It is an expected value calculation that came from the world of economics that we use. And to your point, if you actually look at expected value calculations, it's more than this. There are things that you could, there are factors that you can factor in for error, for imperfect information like this. I make it look like this because I'm trying to convince a cybersecurity audience that we should be using it, but if you actually look at an expected value calculation, there's more math that you can do. And kudos to you, that person should get a prize. Because that's the first time
anybody's ever answered that correctly. Anybody else?
Standing between a crowd and your lunch. Thank you. You've been a very, oh, one last question.
Remember I said that... Can I interrupt one second? Can you repeat that question for the people online? So the question is, managing risk is often a function of funding. Did I capture that correctly? So remember I said that there's a gap between how the board perceives who manages risk and how cybersecurity professionals see themselves? We first have to remedy that problem. It's not up to us to determine which risks to manage ultimately. It's up to the people that control the budgets. But we need to be able to talk meaningfully to them about the risks. "We should spend this amount of money to solve this problem" loses credibility when that problem actually isn't a risk. We lose credibility. But if we can show them why it's a high risk and
convince them that it's a high risk, you are going to get the funding support.
That's been my experience. But I had to learn to talk to them differently. OK. Thank you all for your time and your attention. Have a great lunch.
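The risk calculation the talk keeps returning to, likelihood times impact, written out as code so it can be run over a SOC queue. This is an added example, not the speaker's spreadsheet or any vendor's SIEM logic. The alert rows are constructed, and the "impact" (asset criticality on a 1 to 10 scale) and "likelihood" (a 0 to 1 probability) columns stand in for the magnitude and prediction-probability values the speaker says the SIEM supplied. The treatment thresholds are assumptions chosen to illustrate the accept/transfer/reduce/avoid quadrants from the talk; they are not a standard.

```python
"""Risk = likelihood x impact, applied to SIEM alert triage.

Added example, not from the talk. All alert rows are constructed; the
'impact' and 'likelihood' columns play the role of the asset-criticality
magnitude and prediction probability the SIEM in the talk produced.
"""

# Constructed sample queue. 'analyst_label' is the hand-assigned severity;
# 'impact' is asset criticality (1-10); 'likelihood' is a probability (0-1).
ALERTS = [
    {"alert": "Unusual inbound email volume from known-bad IP",
     "analyst_label": "high", "impact": 2, "likelihood": 0.90},
    {"alert": "Multiple login failures against VPN accounts",
     "analyst_label": "low", "impact": 10, "likelihood": 0.50},
    {"alert": "Malware signature match on file server",
     "analyst_label": "medium", "impact": 8, "likelihood": 0.20},
    {"alert": "Port scan from internet against web tier",
     "analyst_label": "medium", "impact": 1, "likelihood": 0.95},
]

# Assumed bands for turning a score back into a label (illustrative only).
HIGH_BAND, MEDIUM_BAND = 40.0, 15.0


def risk_score(likelihood: float, impact: int, impact_scale: int = 10) -> float:
    """Expected-loss style score in percent: likelihood x (impact / scale)."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    if not 1 <= impact <= impact_scale:
        raise ValueError(f"impact must be in [1, {impact_scale}]")
    return round(100 * likelihood * impact / impact_scale, 1)


def risk_label(score: float) -> str:
    """Map a percentage score onto the same high/medium/low vocabulary analysts use."""
    if score >= HIGH_BAND:
        return "high"
    if score >= MEDIUM_BAND:
        return "medium"
    return "low"


def rank_alerts(alerts: list[dict]) -> list[dict]:
    """Return the queue ordered by computed risk, highest first, with the score attached."""
    scored = [dict(a, risk_pct=risk_score(a["likelihood"], a["impact"])) for a in alerts]
    return sorted(scored, key=lambda a: a["risk_pct"], reverse=True)


def mislabelled(alerts: list[dict]) -> list[dict]:
    """Alerts whose analyst label disagrees with the label the risk score implies.

    This is the 'spam marked high, failed logins marked low' situation from the talk.
    """
    out = []
    for a in rank_alerts(alerts):
        implied = risk_label(a["risk_pct"])
        if implied != a["analyst_label"]:
            out.append({"alert": a["alert"], "analyst_label": a["analyst_label"],
                        "risk_label": implied, "risk_pct": a["risk_pct"]})
    return out


def treatment(likelihood: float, impact: int,
              likelihood_cut: float = 0.5, impact_cut: int = 5) -> str:
    """Pick the treatment quadrant the talk describes from the two risk elements."""
    high_l, high_i = likelihood >= likelihood_cut, impact >= impact_cut
    if not high_l and not high_i:
        return "accept"      # low probability, low impact
    if not high_l:
        return "transfer"    # low probability, high impact
    if not high_i:
        return "reduce"      # high probability, low impact
    return "avoid"           # high probability, high impact


if __name__ == "__main__":
    for a in rank_alerts(ALERTS):
        print(f'{a["risk_pct"]:5.1f}%  analyst={a["analyst_label"]:6}  '
              f'treat={treatment(a["likelihood"], a["impact"]):8}  {a["alert"]}')
    for m in mislabelled(ALERTS):
        print(f'relabel: {m["alert"]}: {m["analyst_label"]} -> {m["risk_label"]}')
```

With these constructed inputs the spam row scores 18% and the failed-login row 50%, so ordering by score inverts the analyst labels exactly as in the talk; the point is that the two SIEM columns already contain everything the calculation needs.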
Thank you. And if you remember who that was that gave that answer, this is a prize you can give. Yeah. I'll do that now. All right, guys. Is this on? Is this on? No.
We're going to have lunch in about 10 minutes or so. So if you could just hang out until then.
No, they're pretty good.
I'm gonna watch this stream later though. I'm glad to hear that it's good. I'm gonna watch that one. Yeah, yeah.
How was he?
How was that?
I'm actually glad that I didn't use any of it. I was able to share it with you.
because I was like, I could put it on it, because I had it, but I realized, well, and I realized, the more I put on this, the harder it is to do. Yeah, exactly. Yeah. I was pretty happy about that.
The big suit.
So I, I,
I think most people are, I think the first people I would have their own experience, which is what I do, I think that's pretty good. I think that, I mean, I think I got a lot of people, I'm afraid of them, but I do think that. While I think of it now,
Is this on? Hi. All right, lunch is downstairs, everyone. So go help yourselves.
It's like, yeah, exactly. I was better off eating you, too. Yeah. It really is. It's the stuff that you cut. Who knows whoever does it enjoys it. Last time I left was a gluten-free sandwich. I just took all the coffee. Yeah. I think we were right last. Yeah. It was just that the worst. I was like, you know what? Because we were directed.
It was pretty, no, I mean, I was just over two weeks past it, so I thought it was better, but it drained me. It drained me.
Okay.
I was like, you guys got a lot here. What are those? It's a bagel. It's a bagel. It's a bagel. It's a bagel. It's not a concept of interest now, so I signed up for the win. Because last year I was just like, definitely a fan. Nope, I'm going all in. I was like, should you guys have all my information?
I'm gonna try to grab another one before the end. I went looking for him that time and I was like,
Honestly, I like the socks and stuff. Eventually it's garbage, but I tend to go for the socks and make magnets and stuff. The paints are cool. But everything else I can make, whatever this is, the whole of the box. I just got one, I was like, What I really like is a couple of years ago
we had luggage tags. I still do it. I still use my luggage. From, what, 2019? Yeah, it's like I'm saying, dude. One of the cool pieces that I ever got there, still use. That one there, Justin, unless somebody knows they're not going to target. Oh, okay, you're not going to target. Yeah, I just don't want to take somebody. You're gonna come back and expect. I'll sit in for a minute, you guys, we can not follow. Pucks are good so far.
Every time.
Thank you.
That was a great talk, right? Our change at five before, we go through things, especially when you talk about the fact that we're supposed to talk about the stuff. And, you know, our time first success is engagement. But, thinking about it at that level, and we don't do nothing.
I think the hardcore technical people, like
from a CISFP point of view, you know, getting people to understand. a company can accept this risk. We may not agree with it, but a company can accept that risk. That's a valid decision.
you need $50 million to reduce that risk and the impact is like $10,000. Why do you? You don't bankrupt the company.
just to remind myself after.
I also do Fortnite YouTube games. I'll give you that. You want to point, basically, all the stuff. I just offer all the topics. Yeah. Right, so it's like more of a talk. Like, I don't know what a member of the board is, right? I'll do it. Sorry, you can probably play the whole section in the beginning where last year,
I don't see it live.
Is that something you want to? Yeah, it's all I can do. Yeah, exactly, because that's what I can do. I'll send it to the normal level, and basically,
I like to say, I don't care, as long as I'm back. I don't like that at all. Any message from Sarah? Sarah's the floor? I have a member of the committee every few minutes. Yeah, so nothing? That sucks. Yeah. Yeah, nothing yet. Every year there's always one that their stuff is always sent too late. Yeah.
Right.
Yeah, it was all like that, I wasn't really paid attention, I thought I saw the picture.
Two different meetings.
I found that out my day one. It's all over in the corporate range.
So same job, so I played a different course. Nothing against them, that's currently .
I didn't know.
Thank you.
Such a...
Thank you.
Okay.
I actually got pretty minimalistic. Didn't know what it was until .
Thank you.
I will.
The moment he gets off, take it.
So what we did is I got a spreadsheet
I have an edge on what they're asking. I don't know what the answers are. I don't know. It's like you're giving the scenario a different way. It's pretty cool how they got this one done. So the environment's building either way.
and then they might have like email system, it was only supposed to take mail from . And that's how you get to land . So you're like, email equals star. So once you see your answer, there's confirmation confirmation confirmation confirmation, and you're constantly checking your account, and you hit the flag and you go,
but like everything, it's a language. Find the code, which basically says email equals all. This is the one if you like, like, how, when you're not in it, you just need a good pointer, work out. .
Okay.
to follow up on the registration. So as soon as they call, they'll get the registration link. They'll get the address for me. Was it a question we're gonna have to do? Yes.
Talk to the customer.
Start taking the microphone.
So the way it works, you do it with the . Yeah, that's what I remember.
Okay, you guys are getting ready to start. I guess I'll make some phone calls. And I gotta do a call.
Thank you. Go by the boat if you want to.
Thank you.
Are you the Curtis running the B-side? I started, I'm running it. Are you not running anymore? Yeah, I was wondering. I've been to one of your B-side once, I think you were running it at that time, but I didn't have any talk. I didn't have any talk over there. Who's running it right now?
So this conference goes to those that didn't get the VR. So it's helping on the builders who get paid on the . They can tell about the .
You're registering together as a team, and you guys are .
There's something that people and I was talking about that, who did this for their life, but it doesn't work as a cyber security expert. No, they have a true passion about cyber security, and stuff like that. I wonder if you know, do you not have a history of the issue they are, only even in the United States, maybe not in the United States. If I was involved in the research, I would give a job, and I would give a question, and I would give a question,
All right.
I don't know. I'm going to wait for Robert to come back. Yes?
I'll turn it off. Remember last year it was still on and I was talking to you. Yeah. Until we started. It's muted down there. So let me just turn it on then. Okay, perfect. Yep. So you don't need to run it up your shirt if you don't want to. That's up to you though. This is on. Sorry? This microphone is on, but that one is not. you gonna turn this? When you come to speak, yes, I will turn it on. Perfect. Yeah, perfect. But yeah, I just wanna let you know if you're talking, get yourself up here. People may hear it. Is there any chance that I get feedback as well? No. I tend to walk.
Yeah.
A lot of people are head turners these days. Yep. So we'll do something if it's comfortable. Perfect, yep. Everything looks good on my end. Your stuff isn't up on the screens yet and it won't be until you get started. Yeah, we're gonna wait for Robert or Chris or whatever. Exactly, do the introductions and I think there might be, I don't know, prizes or something like that. And then you're good to go. Okay, thank you. My pleasure.
So you fix the code and then there's and you're constantly running behind the scenes, checking this in, you can have configuration, and you're fixing an infrastructure problem. So like you really want to, your website, your website is actually, it's only supposed to be five or so. So you're like, yeah, nice and low balance, you're thinking, you're going to have security. And the heap is telling you go, go, go. So it's there and it's kind of like . So what I need is some extra people. She'd be one. I'll leave your name and I'll leave your email address that you're in the registration email if you want to get ahead of it.
Anything you have to register? That's the 100 piece. 100 piece swag. Yeah, yeah. And do these.
Everybody's going to go.
Thank you.
What is it anyway? I didn't even look. It's a fast charger. Basically it's like a high watt, fast charger. Really super nice actually. So give that one away and we're good to go.
All right, everybody. We're gonna get going now in just two seconds. First off, we're gonna draw for this Anker faster and smaller charger. 2192004.
So let's keep it going. We have Alex with a true story. Thank you, Chris. Is my mic on? Everyone can hear me now? Not yet? And my slide isn't on there yet either.
Everyone can hear me now. Perfect. Thank you very much. And thank you, Chris. Thanks to the organization of the B-Sides as well. So first question, how many of you, is it your first time at B-Sides? So I guess everyone else has had a chance over the last couple of years to see at least one of my presentations, I guess, right? So this year is going to be a little bit different. I'm going to talk about a real story, a real story about one of the sessions that I have delivered at an international conference in Amsterdam, where I have totally failed. As usual, I have figs to throw to the room for every good question. And I have also
T-shirts from Splunk, a company that we acquired a couple of months ago. So if you guys are willing to participate within my session, feel free to comment, ask questions, raise your hands or whatever, okay? So here you go.
So a little bit about myself, for those of you who don't know me. My name is Alexandre Argeris. As you can tell from my French accent, I'm from Quebec, and I usually speak French. So I've been a proud speaker at B-Sides for the last couple of years, I will say almost for a decade now. I've been talking about multiple different subjects that are pretty cool in my mind. Maybe not in yours, but whatever. I got in touch with computers at a very young age. I was fortunate to be able to get my hands on a very old IBM, I guess, at that time. I was able to start digging into the internet as well with Gopher. How many of you remember Gopher? Oof, yeah.
And I started to code. And here I will say like an amateur. Like probably in 1995 or ish, building my own web page or whatever, like many of you as well at that time. I have over 25 years of IT security experience working for multiple different organizations, but mostly with Bell Canada and Cisco for the last 10 years as well as a cybersecurity expert. I have three kids, a wonderful wife, and
if you're looking for me during winter, I'm usually on a ski hill. If you're looking for me during summer, then I'm on my road bike or on my mountain bike as well. So a couple of warnings here. I usually do those warnings. The first one, make sure to be aware that this presentation typically contains information that may actually cause you to think. That's one of my goals all the time. All that presentation is all about me, right? And the story as well that I've been through. And it's not the opinion of my employer, which is Cisco, it's my own. And please ask questions, you guys are familiar with that. Ask questions, otherwise it's gonna be boring just
listening to me. And I'm gonna go over that as well, please comment. So B-Sides is typically an event that is there to share experience and all that. So if you guys think that you're an expert in the area that I'm gonna present, raise your hand and say to everyone that I'm wrong. If you have any other comment or question as well, raise your hand. And if you wanna share your experience with others, that's the best thing to do. So let's dive into the subject here. So have any of you tried to build an API in a couple of minutes, let's say the time it takes to microwave a popcorn? No? Okay, okay, fair enough. That's what I have tried. Okay, and
on top of that, for those of you who know me, I'm not a coder per se, I'm not an expert either, right? I'm a cyber security expert who is dealing with multiple different products. That's what I'm doing for a living. But I have tried to show, at an international conference, which is called Cisco Live in Amsterdam, the first time, how to build an API in 15 minutes. Okay?
So, unfortunately, it didn't go well. I'm gonna tell you the story, of course, but before going to the story itself, I want to make sure that everyone takes advantage of my story, which is gonna be pretty short, don't worry about that. And we hopefully will be able to learn from that mistake as well, everyone. Make sense? So just to make sure that we set the stage here, I'm gonna spend a couple of minutes on API, okay? How many of you are familiar with API or think that they are? Okay, that's nice. So for those of you who are not really familiar with API, I'm gonna try to focus on REST API, okay, which is the type of API
that is mostly used these days. And REST API is based on the HTTP protocol, almost, right? It looks very similar. It leverages the verbs or actions that we're familiar with from HTTP, whether it's for the request or the error code as well for the return. There are multiple different verbs that are used. The first one is POST, which gives you the ability to create something. GET, typically the one that is most used as well. So when you guys use your browser or any apps within your phone and whatever other stuff as well, you're mostly gonna do a GET to get information from a service. But there are others as well, like PUT, DELETE and PATCH. So the DELETE one is of course if you want
to delete a record or something else on a distant resource. If we dig into the way API requests work, right? And that's pretty important to understand for the rest of the presentation as well. So the first part everyone is familiar with is the destination or the server that we're targeting, right? Or the service that we're targeting. And then there's something called resource as well, or resource. Sorry, my French is coming back here. So typically, it's where the resource is located within that service. And then there is the query parameter at the end. For those of you who are not familiar with the query parameter, it's everything after the question mark, typically. So you can see this in the address line of your browser
as well. It's something that could be dynamic. could be changed as well based on the request that you're initiating to the destination service. Make sense? Any questions so far? I have a t-shirt.
Yeah, go ahead. Can I have a t-shirt? That's a good one. Of course you can get one.
REST API response. Curtis? What's your favorite color? Wrong. No, you can get the Snort pig. REST API response. So there are multiple different responses within the HTTP protocol itself that are built into it. The one that is most known is 404, right? How many of you have received a 404 error within their browser? A lot of you guys. But when you're dealing with API, you want to get a successful response, which is 200 or 202, which is not listed over there, that typically says, yeah, the request was good, or the request has been successful, and I have been able to create something in the back end, let's say, with 202.
But there are many more as well, as a coder or let's say someone who is building a script. The one that you want to look for as well is the 500, which means that there's something wrong within your code that has been trying to be executed in the backend itself. REST API will typically use JSON. And typically people expect to receive a JSON response as well. There are other types of response, of course, but the one that is mostly used is JSON. So in this case over here, I'm just making up an API and asking for all titles from an author called Alexon, let's say. And the response, of course, is 200 with the JSON path within it. That's just an example here, right? So let's try to design and
create an API then. So first of all, when you create an API, it's quite important to clearly define the purpose and the goal of the API. So that's the first thing. And then you want to determine the functionality of the API itself. Of course, you want to identify the use cases and the scenarios where that API will be used. You need to identify the needs and the requirements of the developers as well, so they can be aware of how to leverage that API. Define the scope of the API, that's quite important as well, so it can identify to the developer again all the different boundaries and limits of the API itself. Naming convention,
quite important as well. So for example, if you want to host a database of users, let's say, and you want to get access to data from those users, you'd better use users with the s instead of user without the s, because it's definitely going to host multiple different users. And maybe you want to use something like a user ID instead of their name, because there could be multiple persons that have the same name as well. And then under that path you should have something like their name, last name, dates, or whatever other stuff as well that may be important in that path or that database. No question? You guys are so, I will not say boring, but I will say
quiet. So, documentation is quite important as well. Documentation and examples. It's very relevant for those who will leverage your API or use your API. So there are multiple different ways to do documentation. There are commercial products. There are open source products as well. The one that is mostly used is Swagger. It's an open source tool that literally gives developers the ability to almost test the API through a simple HTML interface or portal. All right? Let's dive into what I like, creating your own API. So I have chosen to leverage something called Flask. It's a module within Python, right, to create my API, remember, in 15 minutes, okay? So how many of you are familiar with Flask? Wow, nice.
It's a quite easy module, very light, that typically gives you the ability to create your web server, but it's also a very nice service when you want to host an API. It's just a matter of installing the module itself within your Python environment. And then you identify the path of your API with very simple things like an app.route decorator. In that case, remember, that was an example while I was presenting this at Cisco Live. So I said the first one will be to be able to test it through a regular browser. So the output of the request, which is the primary path of the service, was hello Cisco Live. And then the API itself
was under /api/session. And remember, this was just a very simple API. So the response was pre-canned. And the response was just a very simple JSON with the message 200.
Here's the 10-line API script, right? Quite easy to build, very easy to read as well. Is this thing useful? No, not at all, okay? But just an example here. So let's try to push, deploy, and run this API now, okay? I'm getting to the story, guys, don't worry. So there are multiple different ways to push an API. In this example, I have chosen to use serverless from different cloud providers to be able to push that API easily. And I have chosen AWS. Chris, you're going to be happy with that. Thank you.
So I have chosen to use AWS Lambda functions for that. It's quite easy for me to leverage a module within Python which is called Zappa, or Zpay or whatever in English, which is a very light module as well that allows you to deploy serverless, or your code within a serverless environment. And then it's just a matter of a couple of commands and then your script is deployed literally within the AWS Lambda function service.
So if you look at that, it's been like just a couple of minutes literally to deploy my API. And that was the beginning of the story down here, okay? So initially, the deployment, and then you get the URL of your API within the serverless service. You can test it as well. So in this case, I have chosen to test it prior to that on my own laptop. There are multiple different ways to do that. For those of you familiar with Python, it's just a matter of running it locally on one of your environments, or there are different other tools as well that you can leverage. If you want to go a little bit deeper than this, you can change the IP. You can change the
port as well. But that's not the part of the story here. I'm getting there. And then I want to test my API as well. So remember, the first path was just to test it through a browser. Say, OK. And then if I look at the logs, everything seems to be okay as well, okay? I can test it through Postman as well. How many of you guys are familiar with Postman? Yeah, nice. So the HTTP method, or action, or verb that I was talking about, the URL itself, and then the response, the status response code, and the output as well, or the JSON response from the service.
For fun, here's the thing, things are getting crunchy here. So for fun, after the presentation, or while at the end of the presentation, I have chosen to create a script that was able to do something a little bit different here. Instead of just pushing a response with static information in it, I have chosen to create an API which is, not a second here. So if you have found something, don't tell me right now, okay? I'm getting there.
So I have chosen to create an API just to show people how to manipulate input, okay, with an API request. So I said, okay, what can I do that is very easy for all kinds of customers across all kinds of areas of IT to understand? Everyone knows what a ping is. So I said, okay, let's create an API so that if I give the API an IP, the service itself will try to ping that host and respond with something like, yeah, it worked, or no, it didn't work, and the result or whatever, right? So within that script, that was a little bit different than the other one. There's the app route that is set to /api/ping, and then I'm looking for the
input, right, which is the IP. And then I'm taking that variable and creating that ping command within the server that holds the API itself. And then I create the response, right? What was the response? Then I create the JSON response and send it back to the requester itself. So if you test that,
it looks like that, right? As you can see, the URL has changed a little bit now. There's a question mark within the API, followed by the IP. And the response is, yeah, IP whatever, true, which means that the IP was reachable. If you look at the logs within the script that was executing that function, it worked as well.
Right, for those of you who are not familiar with Cisco Live, it's kind of a very, very big conference where there are thousands and thousands and thousands of people that are showing up. There are people that have a specialty in networking, but also in all other areas, including coding as well. Okay. For a speaker like me that speaks at Cisco Live, usually what we're after is notes, right? We want to be great, because every speaker gets surveyed by eight individual people that came to your session and they grade you from one to five. Okay, so everyone is after the five, because you want to be able to be identified as a distinguished speaker. Unfortunately, right after my session, like
not even a second, I would say, someone had posted a comment on my survey that said that I had something wrong with my code, right? And that guy marked me, gave me a note of one. Like, oof. Right, I said, what? What the heck do I have within my code? So he told me that I had a remote execution vulnerability within my code. So I said, what? Again? So I spent literally the entire night looking at those 25 lines of code, trying to figure out what I did wrong. Were you able to find them? OK. So let's talk a little bit about that.
So there are only 25 lines of code within my code. Remember, guys, I'm not an expert in coding. I do this for fun. I'm a script kiddie, if you want to say, right? I copy, and I think I said that many times over here, I copy and paste things that I find on Google most of the time, right? So that's how I code typically. This is only 25 lines of code. Have you guys been able to find the problem here? Right? So of course, it requires a hacker mindset here, right? It's always that issue here. So I do have a couple of people that have raised their hand over there.
One back here, Alex. Tap on the light. You raise your hand and share. Yeah. Yeah. So if you look at the first, and I'm going to repeat that, so if you look at the first function over here, I was literally just looking at something called IP, which is the option or the parameter input within the API request. And I was taking that IP variable and injecting that variable directly into the ping command within the host that was running the API itself. So if we look at the API request itself, as you can see, there's a question mark, which stands for the input, and it says IP equals 8.8.8 whatever, right? But if we look at that, and if we're familiar with something called command daisy chaining, mostly on Linux or Mac or Unix as well, there is a way to add extra commands. So I said okay,
here's my issue, right? Because I remember that guy didn't tell me what the vulnerability was within my code, right? And I had the day after that to present that session again. Yeah. So that's why I spent the entire night looking at it, right? And trying to figure out the issue. So I said, okay, let's try this. If I go into a CLI or a Linux shell and try, let's say, ping -c 2 8.8.8.8, and then a semicolon and whatever other command like ifconfig or whatever other stuff as well. Does it work? Yeah, it worked. Okay, so here's the issue. So if you want to look at one way how to
exploit this, it's to craft your own API request with all these extra commands after the ping, or after the IP, right? So if you look over here, you're gonna see that I was able to say, you know what?
Default API, which is 8.8.8, that was the original parameter that the script was looking for. But I was not really looking for anything else, but the script was executing everything else, right? So in this case, I said, okay, can you grab something that is called malicious-code.sh on that remote server and can you execute that code after that? And it worked. Right, it worked. So here's the example of the attacker side. If you look at the attacker side, it's just like a flat file. So this is just an example here, right? It's not really relevant to really compromising a server over here, right? That is just an example. It's just plain text
and at the end of the script, it leverages the wall command, which sends a message to all terminals that are open, let's say SSH and CLI and all that, that are open on the remote server. And I say, can you just send that text message to all those terminals? So if you look on the compromised server, which is the server that owns that API, what you end up having is this. You have been hacked. So I just proved through my API that was vulnerable that I was able to compromise that server. Here's another example that is much more useful. So in this case, for those of you familiar with,
is there anyone that is familiar with netcat? Let's say a couple of folks here. Here we go. So for those of you familiar with netcat, it gives you the ability to run, execute multiple different things, and exploit something that is really like, it's to be able to run a reverse shell on something else. So in this case I leveraged that vulnerability again from my API to execute that netcat command and send all that to the attacker side and say, okay, now you know, you now have full access to the compromised server without having to log in, right? Of course, right? Just by executing or sending that API request to the compromised server. So of course,
I mentioned it in the back, right? It's all about REST API validation. That was the issue, right? So when you're creating code, you'd better look at all the input that you're requesting from either another machine or from a human as well, right? Unfortunately, I'm a junior coder. Like many of you guys as well, probably. If you're not doing coding for work or for life, you're more like a sysadmin or a security analyst or whatever, and you're doing DevOps or SecDevOps on your part time, then you may be a junior coder like myself as well. And unfortunately, even if I'm working in cybersecurity, I had totally forgotten about security best practices. That's why I said I failed, right? So the vulnerability could have been
easily controlled by adding an extra layer of checking and multiple levels of stuff as well. So in this case, the easiest part was to add something called the ipaddress function that literally looks at the input parameter and validates that it's only an IP and nothing else. Okay? So here's how it worked. I changed my script a little bit over here for my second session the day after, and said, okay, now when you get that IP from the API request, make sure to pass it to the other function called ipaddress.ip_address to validate that this is an IP and nothing else. And if it's not an IP, then just respond with something like not a valid IP to the requester.
So there are many other ways that I've been able to find those types of vulnerabilities within code. So there are commercial and open source tools that are available, of course. If you're leveraging an open source one, though, or a public tool as well, because there are even publicly available tools on the internet, please be careful not to share any confidential information, right? Or intellectual property as well. Any questions so far? No? Yeah? How was the rating the next day? It's 4.6 I think, or something like that. So in, yep.
I'm curious, if you would put your code through an AI, would it have picked it up then? Look at the slide. Look at the slide. This is a good question.
Be careful. So in my case, since it was just personal code, very simple code as well, I have chosen to leverage my internal AI system at Cisco, and just ask the AI itself, is there something wrong with my code? And here's the answer. Right away, the AI said, you have a command injection vulnerability. And the last one is lack of input validation. So I have literally spent a couple of hours missing good food in Amsterdam and all that, having fun with colleagues and customers, for a five-minute search on AI.
So there are a couple of lessons learned, right? I'm at the end of the session, guys. And I still have two pigs and a t-shirt. So there is a lesson learned, of course. Please use tools. We are all human. But please use tools to double-check your script. Even if it's a very, very small script or code or whatever, right? If tools are not available, or if you're in the wrong team, let's say, right? Because sometimes the DevOps team will have access to those tools, but you as a security admin or whatever, a system admin, you don't know that those tools exist, ask your colleagues, right? That's all the purpose of my session as well. And a note to myself. Do
not show up at an international conference with a script full of vulnerabilities anymore. Any questions, guys? Yeah? What if you're working on code that's really highly confidential and you don't want to pump it into an AI tool? Yeah, so there is, so the question was, and I did touch a little bit on that. The question is, what about if you have code that is very highly sensitive in terms of information, maybe about intellectual property as well. Typically what you want to do is to deal with commercial products, right? That guarantee the confidentiality of all this information. Any other question? Yeah, go ahead here. I think instead of using the input sanitization, you could instead
exclude the shell=True parameter. Yeah, sure.
Instead of using the shell=True parameter in the command and using input sanitization, there's always potential for that to be bypassed if it's not a fully solid solution. But with the subprocess.Popen method, you can pass a list instead of a concatenated string, and that has a lot less potential for command injection. Yeah, probably. I guess you're a better expert than me on this.
Everything is probably true, what you're saying, for sure. In coding, there are always multiple different ways to achieve what you're looking for. There are better ways to do things sometimes, or optimized functions as well that can be leveraged instead of others, for sure. Chris, you had a question. Yeah. Oh, here you go.
The question was already asked. I think overall I got 4.6 or 4.6 something and I didn't get the distinguished speaker mark, unfortunately. Yeah. Yeah. So I brought maple syrup. Yeah, that's a good point.
So the question is, did I ever talk to the person who made that comment or that finding? No, because those surveyors are anonymous. So I wasn't able to talk to that person, and frankly, at that time I didn't know what I was going to tell him, right? Yeah. So your next presentation, you're sure gonna say blame it on the API, I'll know who you are. Yeah, oh, question over there. Salut Alexandre. I'm curious, in the vein of API, AI, did you ask AI to write you this code, to see if it would write it correctly or if it would have the vulnerability as well? So that's a good question. I didn't use AI to build that initial script.
If that was the question, I didn't use it. So if you were to just ask it to build it for you, I was wondering if you tested it, because I'm wondering if it would actually write something with the vulnerability or if it would write something for your... Yeah, that's a good question. In my mind the AI will probably not give you the error, right? Because I was poorly coding the example here, right? And the AI is typically not making this type of error. I'm pretty sure. Yeah,
that could be the next subject of my next week, next year. Thank you. Guys, it was fun again to be in front of you guys. If you have any questions, feel free to reach me on LinkedIn. I would be happy to share any content with you again.
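The vulnerable pattern the talk walks through, beside the fix the speaker describes (ipaddress validation) and the one the audience member suggests (an argument list with no shell), as an added example that is not the speaker's 25-line script and not code from the talk. It assumes the original concatenated the `ip` query parameter into a shell string run with shell=True, as the audience comment indicates; Flask is left out so it runs offline, and the hypothetical `handle_ping` stands in for the route function, taking a dict in place of request.args and an optional `runner` so the real ping can be swapped out.

```python
"""Ping-API input handling: the vulnerable pattern beside a hardened one.

Added illustration (not the speaker's script). ASSUMPTION: the original
built a shell string from the `ip` query parameter and ran it with
shell=True. `handle_ping` is a stand-in for the Flask route function.
"""
import ipaddress
import json
import subprocess
from typing import Callable, List, Optional, Tuple


# --- Vulnerable pattern (reconstruction of what the talk describes) --------

def build_ping_command_unsafe(ip: str) -> str:
    """String concatenation destined for shell=True: anything after a ';'
    in `ip` becomes a second shell command. Kept only to make the defect
    visible; it is never executed here."""
    return "ping -c 2 " + ip


# --- Hardened pattern ------------------------------------------------------

def validate_ip(ip: str) -> str:
    """Return the canonical text of `ip` if it parses as an IPv4/IPv6
    address, else raise ValueError. ipaddress.ip_address accepts only an
    address, so shell metacharacters or extra tokens never get through."""
    return str(ipaddress.ip_address(ip.strip()))


def build_ping_command_safe(ip: str) -> List[str]:
    """Argument list for subprocess with shell=False (the default): each
    element reaches ping verbatim, so there is no command line to inject
    into, and validate_ip rejects anything that is not an address."""
    return ["ping", "-c", "2", validate_ip(ip)]


def run_ping(argv: List[str]) -> bool:
    """Execute the validated argv list without a shell; True if reachable."""
    result = subprocess.run(argv, capture_output=True, timeout=10)
    return result.returncode == 0


def handle_ping(args: dict,
                runner: Optional[Callable[[List[str]], bool]] = None
                ) -> Tuple[int, str]:
    """Stand-in for GET /api/ping?ip=... (hypothetical route name from the
    talk). `args` mimics request.args; `runner` replaces run_ping so the
    handler can be exercised with no network access."""
    ip = args.get("ip", "")
    try:
        argv = build_ping_command_safe(ip)
    except ValueError:
        # Reject early, as the talk's fixed version does.
        return 400, json.dumps({"error": "not a valid IP"})
    reachable = (runner or run_ping)(argv)
    return 200, json.dumps({"ip": argv[-1], "reachable": reachable})


if __name__ == "__main__":
    # Constructed inputs: a plain address and the chained form from the talk.
    fake = lambda argv: True  # stands in for the real ping
    for query in ("8.8.8.8", "8.8.8.8; ifconfig"):
        print(query, "->", handle_ping({"ip": query}, runner=fake))
```

The two builders take the same input; only the unsafe one carries the chained command through, which is what the reviewer's remark about passing a list rather than a concatenated string comes down to. Validation alone would also have stopped this input, but the list form removes the shell entirely, so a future validator bug has nothing to leak into.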
So Alex, all right, so we'll be back at 10 after two and we're gonna do another prize draw. So be back at 10 after two. That was it?
Yeah, a bunch of those one over there, huh? I know that they did. Yeah, the guy to stand up now. Yeah, I'm going to try to see if I have more. Yeah, both of them are on my team.
more on attackers behavior. Attacker behavior. Attacker behavior. Okay, sounds good. Thank you. Sounds good.
All right, welcome back everyone. So we're gonna do a couple of draws for smart light bulbs. 2192049.
Okay, so our next talk we have Andrea with Attacker Behavior. Hello. Hello, can you hear me? me today with this presentation. I'm officially the third French accent. Please bear with us.
So, yeah, today, the first impression that you might have with this title is that it's very niche, right? But I promise that we will be able to do some generalization about attackers' behavior and maybe their sophistication level to guide this presentation. So where the idea of this talk comes from is that in the media and for non-experts, the malicious hackers, this is how they would imagine their screen and their skills with computers in general and with code and everything. So I have this question: is this true? What people think of malicious hackers, are they really good with code, command line and everything? Or are they not as sophisticated as we think? So this is what the analysis will enable us to
conclude today. Let me first properly introduce myself. So I'm Andreanne Bergeron. I am from Quebec City, of course, with the accent. I'm the director of research at GoSecure. And I have done all my studies in the
social sciences, in criminology. So I have done my PhD in criminology. So I have this social science background behind this cybersecurity research. So you'll see that my research is very painted by psychology and criminology and the law and everything. So I keep close ties with the university as an affiliated professor at an in Montreal, and I'm also present in my community, the cybersecurity community, as the co-VP engagement and outreach for NorthSec, a conference in Montreal in May, if you're looking for new conferences around Canada. And I'm also a board advisor for the Canadian Cybersecurity Network. So enough of me. In this research and throughout this presentation, we will consider the use of any type of prompt
interpreter, such as Command Prompt, PowerShell, Terminal, Bash, anything, as a command line interface, so CLI, right? So from now on, I'll use CLI just to make this presentation shorter. And we will compare this type of behavior, like using a command line interface, in opposition to using the GUI, so just clicking your way through what you're trying to do, your actions on the computer. A staggering 87% of people, and people being probably non-experts here, believe that malicious hackers possess exceptional computer skills. This is where the idea comes from. Exploring if this is just a perception or the truth is what interests me in this research project. So experts say that it's possible to become a great
hacker without coding knowledge, but having coding knowledge makes it a whole lot easier.
But you know, the CLI will provide a faster approach to completing a task and even allows a more flexible approach to completing complex and repetitive tasks. And also from my experience, understanding how things work and using the CLI to your advantage is at the core of being a hacker, right? Talking here about malicious hacking, but like a hacker in general. So in my mind, we are also exploring, in fact, if malicious hackers are similar to ethical hackers. This is who I know. I work with ethical hackers. I start to understand how they think. So let's explore if it's the same thing for the malicious hackers.
Researchers indicate that, because of course I'm a researcher, I have to explore what previous researchers have said, right, just to make sure we are going in the right direction. So researchers indicate that while there is some common ground between professional hackers and practitioners, so I'm not on malicious hackers yet, practitioners being, you know, IT professionals, professional hackers, or hackers or ethical hackers, whatever we call them, tend to use automated and repeated attacks as well as creating new tools using the CLI. While the practitioner will use multiple tasks to minimize the effort with the aid of existing tools, and it is in this context that they would use the CLI. So, you know, their usage is a bit
different here. Now if we compare ethical hackers or professional hackers with malicious hackers, this is what we know from previous research. So ethical hackers believe malicious hackers are lazy, irresponsible, and not very bright.
And non-experts for their part will say that malicious hackers have, and I'm not sure that they make the difference between ethical hackers and malicious hackers because they don't know, but they perceive malicious hackers as masters of their art and highly skilled, right? So let's test all that. So how do we study the CLI used by malicious hackers? Well, it's by observing their behavior directly. And how do we do that? Well, in this case, we did it by operating a high-interaction honeypot on the internet. So we placed a real Windows server, but it was fronted with our monitoring tool called PyRDP.
It was a research honeypot, so the only objective of this honeypot was to observe hackers' behavior. So obviously, we did not hide it behind a VPN. We wanted to be attacked. We wanted to observe their behavior. So we exposed it on the Internet. And PyRDP, more precisely, our monitoring tool, does a lot of things. I will not go through all that. If you're interested, you can just Google it. We talked about it plenty of times in the past, and it's an open source tool, so you can all use it. But the thing that I want you to remember from PyRDP is that it gives me two types of data for research purposes. It gives me
data before authentication, so all the attempts at logging into our system. I have all the information related to that. And it also gives me information after authentication, so once they are in our computer, in our system. And this gives us a lot of information. So in four years, we captured 190 million events, so in other words, log lines. And this includes more than 20 million login attempts.
3,300 RDP captures in video output, because our tool is very cool for that. It gives us video output. I'll come back to it in a second. But I just want to show you how it ends up for what we are analyzing exactly today. So from the log lines, the millions of log lines, we have successful logins. So we will concentrate only on successful logins. But there are also replay files that are created from successful logins. And because we have a honeypot with TLS and NLA, in TLS the handshake is made before, so it creates a replay file, but it's useless because nothing happened and there was not a real connection. So I'll skip the details for
that. But in the end, there were, and sometimes they just connect to the server and disconnect for some reason, so maybe a bot was just scanning or something. So in the end, I have 454 sessions with content, with something to analyze, because I was interested in analyzing something. So this is what we will talk about. This is what we analyzed. So I come back to the video content. It's really truly video content that we analyzed here. So when the video starts, you'll see the screen of the attacker in action right there. You'll see the mouse movement with the little yellow dot. You'll see that our tool provides everything that goes through the clipboard and through the keyboard, so everything that
they type. And at the beginning of the session, we also see the creds with which they enter our system. So you see that we make their life easy with administrator/admin as credentials. First you see in the clipboard there's our IP address, which probably is how they found us. Then you see when they type on the screen, we see it at the bottom, and this is very useful when they type something that we don't see on the screen, like changing a password. And what is interesting with this session is that they kind of connect their C drive with our session, which obviously gives us access to everything that is on there.
And then they proceed with their activities, which is crypto mining in this case. They are not all doing the same activities, but this is what they do here. So reminder, 454 sessions with content. So a session would be like one of the videos that you just saw, which represents more than 100 hours of video footage. All the videos happened between January 2021 and June 2023. So the first observation, I have a lot of results for you today. But the first observation we made is how many of them would use the CLI versus the GUI? And you see that the white one used the CLI. So it represents only 8%.
That already gives our conclusion to our question at first, so they don't use the CLI that much. But then, I will not stop here, right? It's not enough for me just to know this information. So the first question that comes to mind is how is this group different from this group? How can we describe better the first group, because this is the one I'm interested in.
There are different actions done by the attackers in our system once they're in. They add users, they change the system password, they check for user information, check the CPU of the system, check our IP address, test our internet speed, turn off Windows Defender, erase files, files that were not there at first but that they put there and then erase, so they erase their traces. Download a browser, paste files, you know, there are plenty of others, but let's just look at those ones. So in blue you have the CLI users and in red you have the GUI users. So you kind of see what type of activity the CLI users are doing the most in the sessions. However, this graph is totally biased because I just show you what
activities the CLI users are doing in the session, right? Because this is what interests me. Just keep in mind that there are other activities that they do not perform, but those are the ones they perform. And as a researcher, I am obsessed with statistics. So this is cute, but the significant relationships between the variables would be only the ones that I circled here. So, CLI users tend to add users, change password, check CPU, check IP info, erase files, download browsers, paste files, more than GUI users would do.
I just want to make that clear. So there are two trends that appear here at first, which is that they do reconnaissance activities like checking CPU, checking IP information. And we also learned that there's evidence of them getting comfortable in our system, because they seem to spend a little more time than the others, because, well, they add users, they change passwords, they paste files. So they're here for a long time, right? But, so I said that it was statistically significant, but if I geek out a bit on the statistics, and I swear that it's my only slide on statistics, okay? But for me, statistically significant doesn't mean that the relationship between the variables is strong. So I simplified this with this graph. We like visuals.
So the strength of the relationship is very low. I put the maximum possibility and the minimum possibility here. And you see that it's very low. It doesn't explain the relationship highly. The only thing that we can conclude, in fact, from those observations, is that the main activity CLI users would do in our session would be changing the password. So, yeah, I just conclude that. So no trend that is convincing enough for me to draw conclusions. The only conclusion is about the activity that we see here, and it's mostly to change the password. The activity done through the CLI would be to change the password. And I asked myself another question, because, based on the observation that I did before, do they
type in the CLI? Do they actually know the line of code? Or are they using pre-written scripts? Sometimes they just paste the binary and then launch it, and it would count as using the prompt, but they don't necessarily know what it is.
And we saw that there are almost 20% of the CLI users who use pre-written scripts. So they might be a different group of CLI users within the same group. And what do they do with pre-written scripts? Here are the answers. So collecting information on the system, generating proxies and use of API tools.
Analyzing the video, we noticed that some sessions were related to each other. So, and I have a couple of examples. Some sessions seamlessly picked up at the same place, so they started to do some activities and then left, but then came back and continued the same activity.
They were like the same IP connecting in a short amount of time, so it indicates to me that they might be related. They changed the credentials and then came back again with the same credentials. So obviously they knew about these new credentials. So all this information allowed us to merge the sessions together. And we passed from 36 different sessions to 27 different attackers.
A couple, but then the analysis is more precise on the type of attacker than on the type of session. So, attackers entered 2.15 total prompts during their session, which is not a lot, and 1.2 unique prompts. So, only one, right? Well, almost only one unique action in the session.
32% of attackers had only one total prompt throughout their session. And among attackers using the CLI, 33% use it to only change the password while not performing other actions. So this is what we conclude from the first test, right? They use it mostly to change the password. And they do not use it a lot once they're in there. So then, I wanted to see the sophistication level.
We can have a debate on what sophistication means, but here it would just be: are some of this group better than others? This is what we try to evaluate. And how do we measure the sophistication level? Well, I'll explain our process. So here we would add points for those behaviors. If the attacker does more than 10 actions through the CLI throughout the session, because it was really rare, we would consider that worth a point. If the attacker does more than four unique, different actions throughout the session, we would add a point. And if the attacker used tools or scripts in the CLI, which is a bit more complicated, we would add a point.
We also subtract points for certain behaviors. Some attackers would start something and then were not able to complete their action, didn't know how to, or stopped in the middle. So this is considered a failed action, and I would take off a point. And if the attacker does one of the following basic actions through the GUI, we would take off a point: add user, change password, user information, IP information. If they do that through the GUI, we subtract a point just because it's one line of code. We expect that they would do it with the CLI, but if they don't, we subtract a point.
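The scoring scheme just described, written out as an added example in Python (this is not the speaker's own analysis code). It assumes that each behavior adds or subtracts at most one point, that "unique actions" means distinct action names across the whole session, and the three sample sessions are constructed here to show the range from the GUI-only case to a scripted reconnaissance session.

```python
"""Sophistication score for honeypot RDP sessions (constructed example)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List

# Basic actions that are one line at a prompt; doing one through the GUI
# costs a point under the scheme described in the talk.
BASIC_ACTIONS = {"add_user", "change_password", "user_info", "ip_info"}


@dataclass
class Action:
    name: str                     # normalised label, e.g. "change_password"
    via_cli: bool                 # True if typed/pasted at a prompt, False if GUI
    completed: bool = True        # False if started but never finished
    tool_or_script: bool = False  # True if a tool or pre-written script was run


@dataclass
class AttackerSession:
    attacker_id: str              # sessions already merged per attacker
    actions: List[Action] = field(default_factory=list)


def sophistication_score(session: AttackerSession) -> int:
    """Return a score between -2 and +3 for one attacker."""
    cli = [a for a in session.actions if a.via_cli]
    score = 0
    if len(cli) > 10:                                   # +1: many CLI actions
        score += 1
    if len({a.name for a in session.actions}) > 4:      # +1: > 4 unique actions
        score += 1
    if any(a.tool_or_script for a in cli):              # +1: tools/scripts in CLI
        score += 1
    if any(not a.completed for a in session.actions):   # -1: a failed action
        score -= 1
    if any(not a.via_cli and a.name in BASIC_ACTIONS    # -1: basic action via GUI
           for a in session.actions):
        score -= 1
    return score


def score_distribution(sessions: List[AttackerSession]) -> Counter:
    """Histogram of scores, the view the talk reports (mode, absent max)."""
    return Counter(sophistication_score(s) for s in sessions)


def sample_sessions() -> List[AttackerSession]:
    """Constructed sessions, not data from the study."""
    recon_names = ["whoami", "systeminfo", "ipconfig", "net_user",
                   "tasklist", "netstat"]
    recon = [Action(n, via_cli=True) for n in recon_names * 2]   # 12 CLI actions
    recon[0] = Action("whoami", via_cli=True, tool_or_script=True)
    recon[-1] = Action("netstat", via_cli=True, completed=False)
    return [
        AttackerSession("cli_recon", recon),                       # 2
        AttackerSession("gui_only", [Action("change_password", via_cli=False),
                                     Action("user_info", via_cli=False)]),  # -1
        AttackerSession("cli_pw_only", [Action("change_password", via_cli=True)]),  # 0
    ]


if __name__ == "__main__":
    for s in sample_sessions():
        print(s.attacker_id, sophistication_score(s))
    print(score_distribution(sample_sessions()))
```

The cap of one point per behavior keeps the scale at -2 to +3, which matches the "perfect score of three" the talk reports as absent.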
So the most common sophistication score was minus one with a downward after that. the perfect score of three was totally absent. So what we can conclude from that is that they're not really good, in fact. And this result means that malicious hackers who are not doing reconnaissance but rather getting themselves comfortable with their tools and using them are a bit more sophisticated than those who would perform on the reconnaissance. also mean that having a sophistication score is kind of worth it to understand their behavior and their sophistication behavior. So a higher score was associated with using tools and installing tools on the system. So using tools would be associated with more sophisticated. So the general conclusions would be that a low number of attacker use CLI, right?
This is what the first observation we made told us. Malicious hackers show a low level of sophistication, second conclusion. And previous research mentioned that CLI use is associated with professional hackers and it might go into that direction. I am not able to conclude exactly that because I was not comparing with behavior of ethical hackers here. it points toward that direction because now I know that malicious hackers are not using CLI much. But there's concluding thought that I wanted to talk with you and maybe we can talk more if you have ideas later. But you know, previous research that we have done have shown that attackers might work in group, okay? And this group, and in this group, there's that might be more
sophisticated than other. I heard the term associate in this case. So the associate would just perform what they were asked for, which is maybe launch a script like this. They don't know how it works, they're just paid to launch it and wait. So this is to bear in mind just to understand that in the same way attacker, they might be people better than or more skilled than others.
It doesn't mean that they do not have the capabilities to use CLI. I have no mean to prove that for sure. Because like I didn't like if you avoid putting the if you oblique them to use CLI, would they be able to do it? This is something that I didn't test for. So if they had a choice, maybe they could demonstrate capabilities to do so. And I can be sure. Is typing command more at risk for detection? I don't know. It's a question that maybe you can help understand. So is that something they took into consideration?
scared that typing a command would flag, would make an alert. So maybe they are avoiding it for this reason. We don't know. And don't we all use the GUI at some point? Because even if you know how, maybe you're just lazy and sometimes clicking is just easier. It depends on the amount of code you need to perform your action. So this is all that we should keep in mind in the end. So I would be happy to answer your question if you have some. Yes. You listed four or five things that people who use CLI for their common activities. Did you know similar activities with the community or were there different type of actions that they
performed first? I'm not sure. Question? Huh? What are, is that? Oh yeah, can you?
there were four or five activities that were common when a user performed actions during CLI activities. Were they similar activities if they connected by GUI or were there different four or five activities that they would perform? So they will all perform those type of activities. Those type of activities are really present using CLI or not, but they seem to perform it more the CLI user seems to perform it more, so statistically. So a bit more in this group, but it's present all over the group, both groups. Thanks. Yeah. Hi. I thought this was really great, really interesting. Thank you. But I guess I was kind of wondering, so you said, like, in your study design,
you didn't put a VPC or VPN or protect it, really; you just put it out there so anyone could access it. I was wondering if you thought it possible that that might have introduced a selection bias towards less skilled hackers? Like, is it possible that the more sophisticated, more skilled people wouldn't bother unless someone at least put in a bit of effort to try to protect it? Yes. Thank you so much for asking this question, because I love caveats in research and this is my opportunity. We have to bear in mind that my sample is biased because it's exposed. Our own honeypot is exposed, and it might attract attackers that are interested in low-hanging fruit, which can mean that they are less skilled than others that
would be looking for organizations that protect themselves better, because maybe they have something to protect, right? So you're, yeah, on point. Yes? Was your honeypot only accessible via RDP, or were other protocols open? Yeah, so I didn't put emphasis today on that, but yes, it was purely RDP. So there was no other way to get in, and all the attackers that were able to get in did so by brute-forcing RDP,
yeah. Yes? Hi.
So you only used Windows as a test platform, right? So you didn't use Linux, like anything that's traditionally GUI, because if I were to, say, use your system, I would probably use lusrmgr as well to change a password over, say, something like ipconfig for, say, command line, just because that is not so much a sophistication as it would be, say, for me, I would think of efficiency: how quick can I get the action done? And I think for that aspect for my own self, versus say if you were to go into Linux, you wouldn't install X Windows to hack into it. So I was wondering if you took that into consideration when you
did your stats. So yeah, we didn't because I couldn't, but this is like one of my concluding thoughts to keep in mind, right? Do they just prefer using the GUI for certain actions? So I was not able to determine this, but it's something very important to keep in mind, yeah. Yes. Were you detecting any script execution, like probably someone just logged in and executing a script of one by one commands and they were not typing anything at all? Were you able to detect that or? Yes, yes. So I call that a pre-written script. So they enter, they paste their binaries of pre-written script, they just run it. They grab, and most of them were to grab information about our
system. And then they erase the files and quit. So they would do it for purely reconnaissance activities. But yeah, we witnessed that.
Thank you so much.
Yay, my coin. Thank you.
Hello? OK. Yeah, okay, so we're going to keep going, but we'll be back at 3:05, and we'll do another prize draw then.
Do you want me to plug in now? Yeah, because it's not going to come up until I do the switching on the back end.
So your presenter view will be on your laptop screen, and then this can be what's being shown to the audience, or that will be how it is. Okay. So once you go into your...
Now, are you just gonna use the podium mic? Are you gonna stray from this position? Do you want the lav? It's up to you. It's like there's no constraints on what you do. It depends. Like the last two speakers,
You saw that the first one after lunch was everywhere. And then the previous speaker to you kind of moved from the podium to approximately here. Yeah, so it's entirely up to yourself. It doesn't matter to me either way. But if you did want to move around more, then we'd have to get you mic'd up. That's the only thing. Okay, great. So just speak like public speaking. Yeah. Announce your aid, all that stuff. Yeah, exactly. So there you go. Okay. That's your setup. is gonna be what I'll see with the rest of it, okay? Awesome, all right. Thank you. Thank you. Howdy. Howdy. Are you using that mic? I'm gonna use the podium mic. Okay. All right, are you good to go?
Yeah, I think so. Whenever you're ready.
I will give it the one minute because I told, oh, now it's 3:05, okay.
So we're going to get going, but before we have Ian start his talk, we're going to do some draws for a couple of wireless speakers. 219-2125. 219-2125. Anyone?
2192052. 2192046.
219-2046, anyone? 219-2169. 219-2169.
All right, and now we're gonna have Ian speak on compliance.
Hello, I'm not sure if you can tell by the way I speak, but I am not from Quebec.
I'm here to give you a talk on compliance this afternoon. So now that we've all had bread and pasta salad and the temperature's coming up, my two objectives are to keep you awake and hopefully to give you some insight here about how compliance can help strengthen and improve your security program, and how it doesn't have to be something that you dread or dislike, and something you can actually use to your benefit. A little bit about me: my name is Ian McMillan. I'm a senior manager in cyber risk and compliance at MNP Digital. I'm also a co-founder of Beauceron Security. So for anybody that knows about Beauceron, I'm not the person that personally sends you phishing
simulations. I built a product that does that. And yeah, my background is in software development. So I originally started as a developer. I've worked on security tools like QRadar. If you use the DSM editor, I did some work on the DSM editor, the log source management app. You can blame me for that one. Originally my career in development was in UI and UX and front end. And I actually bring a lot of those skills from my UI/UX background into my security career. So I did do full stack; my preference was UI/UX. And I'm a really strong believer in the common sense approach and usable security controls: implementing security in an organization in a way that doesn't create friction for end users
and the people that are trying to use it on a daily basis. And so I've taken it upon myself to try and hopefully change your perception about compliance and how that doesn't necessarily have to be something that's difficult or causes friction for you as practitioners in industry. My current role, I'm a PCI QSA. So a lot of my role now is consulting to help clients with a PCI compliance program. So if you're not familiar, PCI QSA is payment card industry qualified security assessor. So it's credit card security compliance. And yeah, I help organizations achieve compliance with PCI. I also assess organizations. So I do things like SAQ validations, like self-assessment questionnaire validations, and report on compliance assessments as well, from organizations that are
small mom and pop shops or local startups to household brands like telcos and couriers and municipalities and governments. And yeah, before I was in consulting at MNP, with Beauceron Security we built a tool that did security awareness. So when I'm not doing PCI, ISO 27001 readiness, risk management, risk assessment, stuff like that, I actually lead our national security awareness practice at MNP as well. And so I help organizations build out security awareness programs and implement tooling and kind of best practices around that. And at Beauceron Security prior to joining MNP, that was a big part of my role as well. So a real focus on people and implementation of controls and helping improve security posture with awareness.
Just a little bit about MNP. So we were founded in 1958. We're a fully born and bred Canadian firm. We've got about 8,000, 8,200 employees. Our core business originally was in accounting. So Meyers Norris Penny is actually what it stands for. And we have a digital subsidiary, which is MNP Digital. It's about 500 employees that does sort of end-to-end IT consulting. So we're all over the country. We do all kinds of stuff, a little bit of everything in IT consulting. And I belong to the bottom right corner there, which is the cybersecurity and privacy team and all the stuff we do related to that. So what we're going to talk about today is a little
bit about what information security compliance actually is. I mean, we all know it's checklists and controls that we assessed against or audited on. We're going to talk a little bit about some examples. I'm going to talk about PCI DSS and ISO 27001, and I promise it will be engaging. It won't be boring. We're going to talk about how you can leverage these sorts of standards and frameworks, these compliance standards, to improve your security program. Practical ways, tangible examples of how you can take something like PCI DSS or ISO 27001, even if that's not something that you're subject to or you're assessed on, you can use it to improve the posture of your program and make
your organization more secure. And then we've got some practical examples and takeaways. So I did take some excerpts directly from those standards. Maybe there's people in here that haven't had the opportunity to look at those or you're not like me and nerd out on reading those kinds of standards in your spare time. So I'll be able to kind of show you what that looks like, give you the QSA's perspective on kind of PCI controls or requirements can do for you and then give you the ISO perspective as well. So just before I start here, raise your hands, how many people are involved or are running a compliance program for some kind of assessment in your
organization? Okay, a few. Okay, leave your hands up for a second. Put your hand down if you do not enjoy it. Okay, it's all right, you can be honest, it's okay. I think that's really the common experience that I have as an assessor, as a QSA, right? The room falls silent when the QSA enters during an audit. I often feel like I should be wearing a cloak and carrying a big scythe or something like that. But yeah, so compliance often has this sort of negative connotation, this audit sort of mindset where somebody external is gonna come into our organization, and we have to do all this work and prep and build up to lead to this point, this sort of this crux where we're under a microscope
for a certain amount of time, you know, when we're just trying to do our day-to-day jobs. So at sort of like the ground level here, I want to talk about what information security compliance actually is. What's the objective? So information security compliance is sort of made up of six key elements. The first one is to protect data, right? We're trying to protect data and organizations, and the purpose of these you know, whether it's credit card information with PCI or it's our information security program and management with ISO or any other number of standards and frameworks that you're subject to compliance on, the ultimate goal is to protect the information and the assets of your organization. The second one is to mitigate risks. So similar to the talk earlier today
about risk management, ultimately the purpose of implementation and controls and being assessed on those on a regular basis is to cut down on the chances of somebody actually compromising those assets of our organization. Meeting regulatory requirements, of course, so, you know, Visa and MasterCard and Amex and JCB and Discover, they decide that if you're gonna transact cardholder data as part of their brand, you know, they wanna make sure that you're protecting that data. So meeting the requirements set out by those organizations, whether it's legal requirements or legislation around privacy or any other regulatory requirement. If you're in critical infrastructure, for example, with NERC or others, meeting those requirements in order to operate your business is part of that, of course. Maintaining trust. I think this is a really,
really important one that we kind of lose sight of a lot of the time. In organizations, particularly as practitioners or technologists in our organizations, our goal tends to be focused on a very small part or very specific part of the operation of that business. And so what we have to try to remember is that key role that we play, however small or whatever component of the operation that that is, ultimately is to serve some kind of larger, bigger picture, right? So whether it's supporting healthcare with a healthcare application or infrastructure of some kind, or it's supporting someone that wants to ride share with Uber or whatever that looks like, ultimately the business objective. We're trying
to maintain trust with the regulators that are ensuring that we're delivering those services or achieving those business objectives securely, and also with our clients and our consumers and the people that we're working with. How many of you have heard of an organization that experiences a credit card breach and you say, I'm never going back there again. right? This is the sort of stuff that we want to try and avoid. Improving security posture. So although compliance can often feel like a burden, it's something that we have to force ourselves to do. We have to provide all this evidence and go through this process every year or every interval. Ultimately, the goal of those standards is to improve the security posture of your organization and make your organization more secure.
And then finally, facilitate business operations. Again, a really important one. I'm a big believer that compliance standards and frameworks be a bridge with the business, which is often a void that gets very hard for us to build a bridge across between security and business objectives to help the business understand why it is what we do. Why do you pay our salaries, right? It's so that we can help facilitate business operations. So things like compliance programs like PCI, for example, or ISO 27001 sort of give us some meat on the bone to say, we do these things to ensure that we can operate our business in a way that's secure and safe and protects our assets. So some challenges and perceptions.
I've been kind of talking about this all the way through my intro here, but oftentimes we get this perception that, oh no, brace yourselves, compliance is coming, right? Our PCI audit's coming up, our ISO audit's coming up, we gotta get ready, we gotta collect our evidence, we gotta ensure that everything is in good shape. And what this means is, some of the challenges around these programs is that Controls are often not maintained or baked into the security program. It's something we do leading up to the audit. It's something we stop doing once the audit is complete. In some cases, we only do it for the sake of that audit. We don't actually look at how could this positively improve our program or what are some of the benefits
or the objective of that control that's in the compliance framework. The objective, like I just mentioned, of the control is not really considered. So what we're gonna do today, actually, when I get into some of the specifics, Why does PCI ask you to have a 12 character password as an example? Or why does ISO say that there has to be leadership engagement? Just talking about some of the actual objectives and outcomes from those controls. Compliance really becomes a checklist activity. I can't tell you how many times I get into an interview with a system admin and I'm like, hey, what's the OS on that device? And they'll like literally just say OS number, patch version, patch revision, et cetera. within 30 days? Yes. And
it's a very trained and limited response and all they're trying to do is make sure that for the sake of that audit or that assessment they're just achieving those check marks so that this could be over and I can go back to my cave and not have to talk to an auditor ever again. And finally maintaining compliance is resource intensive. So I'm not sure what your experience has been but in any of the cases where I've been consulting, so more on the internal security assessor, ISA side of the PCI stuff, when I'm supporting an organization preparing for an audit, they're pulling in everybody from all these different teams and operational stuff sort of gets put
to the wayside to focus on the audit or the assessment. And so that's kind of the perception is that now we have to buckle down and focus on getting this stuff done right now so that we're ready for the audit when it comes around the corner. nods or shakes to your head. Does this resonate? Does this sound about right for anybody that's gone through this process before? Yeah, lots of nods, no shakes? Okay, cool. Great, okay. So I love this picture on the left because a lot of my QSA experiences or my experiences as a QSA have been something like this, right? We look at the version. When I do my PCI audits, we're very thorough. So we'll do a screen share, we'll get onto a VM or
an EC2 instance or a VM in the cloud, and we'll say, let's pull up the version of the OS on this device, and let's pull up the patch history. And it was patched the day before I got there, right? So these are the kinds of things that we run into. And of course, for anybody here that's not subject to any kind of compliance, the one on the right there is probably a bit more relevant, right? We can't be non-compliant if we've never been assessed, right? That's kind of the idea. Yeah. benefits of compliance programs, there's actually a ton of stuff that can help you out. So compliance is often all-encompassing. We're gonna... Oh, it's a GIF. It's gonna loop, isn't it? Oh, man.
Okay, hopefully that's not too distracting for you. Compliance can often be all-encompassing. So just show of hands, has anybody here ever actually looked at the PCI data security standard before? A few? Yeah, okay. We just had PCI version four that dropped on April 1st of this year. It's something to the tune of about 400 different requirements. And it covers 12 functional areas around networking, operating systems, password access management, identity access management, logging, protocol, like you name it, there is stuff in there that can help with that. So sometimes, in some cases, these compliance frameworks can really touch on all the different things in your environment, maybe even things that you've overlooked. When maintained proactively, organizations that are more
compliance forward demonstrate a higher level of security maturity. And that's actually my experience speaking. So organizations that adopt PCI, in our PCI audits, as the minimum viable standard for their security practices: when we go in there, they're not pulling people from teams to try and get this stuff together ahead of my visit. They just do it. It's just part of their culture. It's part of their existence as a security team. And so what ends up happening is we go in and they're like, yep, here's John. John, tell us what you do. He's like, I patch systems. We do it every 30 days. Here's the log. And that's it. It's like a 10-minute interview, and we're in and out, and it's very simple. The compliance forward mentality is
very important. Compliance often has defined security objective. So whether it's security governance or protecting cardholder data. So ISO actually is a really good example where the purpose of ISO 27001 is to create a scenario where your organization is required to have a consistent cyclical process for reviewing information security in the organization. So rather than a, policies, we produce them and we'll go back and look at them again later. It becomes this cyclical event that's sort of always evolving, involves with the needs of the business, involves leadership, has a review process, has a process for identifying non-conformities and addressing them, all these things. And so the objectives of that are ultimately to make your organization more secure and more diligent in the way that you
handle information security governance. And then finally, compliance standards are measurable. of my favorite things about PCI is there's no subjectivity really. It's either you're compliant to this very prescriptive requirement or you're not. It's a zero or a one. So it makes it a lot easier to measure that to say here's the things we do right and here's the things we do wrong. Okay, hopefully you guys aren't dizzy from that looping GIF there because I didn't realize. I say GIF, sorry, I know some, a lot of you guys probably say GIF. So ultimately, how can compliance
improve your program or strengthen your program. So you can adopt a compliance framework as a security baseline. As a matter of fact, I encourage you to layer compliance frameworks to build your security baseline. So a lot of the controls that you'll have in place will overlap across these different frameworks and these standards. And you can sort of pick and choose and pick your flavor, right? What things are we lacking in? What areas of our program are we less mature in or that we think we're less mature in? And we can say, hey, If it's good enough for credit card data, it's probably good enough for our stuff. Or if it's good enough to develop an
information security management system under ISO, maybe that's how we should be approaching our governance. So these are the sorts of things that you can pick and choose. You can utilize the controls and requirements to strengthen areas in your program that lack maturity. I just mentioned that. So maybe you are looking for a better way to do pen testing. Now we do pen testing like once every three years. Is that enough? a look at PCI, we can have a look at various other compliance standards that are prescriptive about that to give you guidance and sort of be a North Star for you. And then you can use defined requirements to measure the maturity of your programming
controls if you have a compliance program as sort of like your reference. So the idea is, and I'm gonna show you this, like PCI, I'm a QSA, so a lot of my references are gonna be PCI, sorry. In PCI, for example, new this year with version 4 was the customized approach objective. So there's the prescribed approach, which is "thou shalt do XYZ". And then the customized approach objective allows the organization to say, well, based on how we operate or based on the architecture of our environment, that doesn't really work for us. So what are we really trying to do with this requirement? And I'm going to give you some examples of that in a little bit here. So, PCI DSS and ISO 27001. I asked about PCI;
has anybody here ever looked at ISO 27001 or, yeah? Okay, a few people, all right. A lot less than what I expected to be honest, but okay. So, what is PCI DSS? It's the data security standard set out by the payment card industry, so for those of you who don't know, I rhymed them off earlier. Visa, MasterCard, Amex, Discover, JCB, got together, formed a council, created a data security standard that says, our cards to process transactions, here are the things you need to do to be secure. And so it's an annual assessment typically. Depending on the number of transactions you do, you can do a self-assessment and have it validated by a QSA like me.
And then once you surpass a certain number of transactions, depending on the nature of your environment, you do a full report on compliance where someone like me comes in and goes through all of your stuff. And essentially it's for organizations that process, store, transmit credit card data. So for my clients, there's three things in life that are guaranteed. Death, taxes, and PCI compliance. If you interact with cardholder data, you are subject to PCI compliance. And for those of you in here that might be doing that and are going, yeah, we've never done anything like that. Have a look at your contract with your acquiring bank because they indicate that you are required to do that and maintain that PCI compliance. Yeah, so that's kind of, in a
nutshell, that's kind of PCI DSS. over 12 sort of functional areas here that are grouped together. So building and maintaining secure networks and systems, protecting account data, maintaining vulnerability management programs, implementing strong access control measures, regularly monitoring and testing, and then also maintaining an information security policy. This kind of sounds like everything you'd want to have in your security program, no? Yeah? Yeah. So there's specific requirements requirement areas within each of these categories that are much more specific. I'm not going to get into all of them right now because, like I said, there's 400 and some odd of them. We'd be here all day. But yeah, this sort of gives you an idea of what's included in there. Like I mentioned, there's compliance
levels too. So what's great about some of these compliance frameworks and standards is when you start to dig into them, they actually have different flavors. So for example, PCI DSS talks about all these different things that you can do. If you have a retail environment that has pin pads, what we call POI devices, point of interaction devices, you know, where you put in your card to pay, obviously you don't have servers that are hosting payment applications. And so as a QSA, we're not gonna look at the operating system version or the patch history or how you're doing vulnerability management because that doesn't apply to those smaller devices, as an example. So I encourage you, it's not like, ah, compliance, hiss, right? at these standards and see maybe if there's
flavors of these standards that align more to the nature of your business and the things that you're doing, or maybe the areas of your program that you're trying to improve. The strengths of PCI DSS include that it's very technically focused. So if you're a practitioner, if you're a sysadmin, a network admin, a security practitioner, that's very operational. A lot of the requirements are very prescriptive and specific to what you're trying to achieve technically. Like I said, it's broad, it covers a lot of different areas; I just showed you all the different things. The requirement that I shared here was around audit logging. So as you can see, it's very specific about what it wants you to capture in your
audit logs, right? User ID, type of event, date and time, success or failure, origination, and identity or name of the affected data, system component, resource, or service. So, hey, if this is good enough for credit card data, maybe it's good enough for us, right? The PCI DSS remains current and is updated regularly. Those of you that are subject to PCI probably hate that, because when a new standard comes out, it gets challenging to meet some of the requirements. But like I said, if you're using this as a North Star or a guideline, it means that you're not looking at something that's a million years old, right? I love looking at some of the NIST SP 800 standards, because some of them are
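The audit-log fields the speaker lists above (user ID, type of event, date and time, success or failure, origination, and the identity of the affected data, component, resource or service) turned into a structured log record plus a check that flags entries missing any of them. This is an added example, not code from the talk or from the PCI council; the JSON field names, the record layout and the sample log lines are all constructed here.

```python
"""Audit-log records carrying the six fields listed in the talk, plus a
gap check over existing JSON-lines logs (constructed example)."""
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Field names are an assumption of this example, one per item in the talk.
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp",
                   "outcome", "origination", "affected")
OUTCOMES = ("success", "failure")


def missing_fields(record: Dict) -> List[str]:
    """Return the names of required fields that are absent or empty.
    'outcome' also counts as missing if it is not success/failure."""
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if "outcome" not in missing and record["outcome"] not in OUTCOMES:
        missing.append("outcome")
    return missing


def make_record(user_id: str, event_type: str, outcome: str,
                origination: str, affected: str,
                when: Optional[datetime] = None) -> Dict:
    """Build one complete record; timestamps are always UTC so entries from
    different hosts can be ordered during an investigation."""
    when = when or datetime.now(timezone.utc)
    record = {
        "user_id": user_id,          # who
        "event_type": event_type,    # what kind of event
        "timestamp": when.isoformat(timespec="seconds"),  # when
        "outcome": outcome,          # success or failure
        "origination": origination,  # where it came from (host, IP, process)
        "affected": affected,        # data / component / resource / service
    }
    gaps = missing_fields(record)
    if gaps:
        raise ValueError(f"incomplete audit record: {gaps}")
    return record


def audit_gaps(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan JSON-lines log output and report (line number, missing fields)
    for every entry that would not satisfy the field list."""
    gaps = []
    for number, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            gaps.append((number, ["unparseable"]))
            continue
        missing = missing_fields(record)
        if missing:
            gaps.append((number, missing))
    return gaps


# Constructed sample log: one complete entry, one that only says who/what/when,
# and one line that is not JSON at all.
SAMPLE_LOG = [
    json.dumps(make_record("jdoe", "admin_login", "failure",
                           "203.0.113.7", "cde-jump-01/rdp",
                           datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc))),
    '{"user_id": "svc_backup", "event_type": "file_read", '
    '"timestamp": "2024-05-01T12:01:00+00:00"}',
    "May  1 12:02:00 cde-jump-01 sshd[4242]: free-text line",
]

if __name__ == "__main__":
    for number, missing in audit_gaps(SAMPLE_LOG):
        print(f"line {number}: missing {', '.join(missing)}")
```

Running the gap check over a day of exported logs before an assessment gives a concrete list of sources whose entries would not hold up, which is the "measurable, zero or one" property the speaker values.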
2012, 2015, right, and they don't actually, they're not actually kept up to snuff in some cases. But yeah, PCI DSS always tries to stay abreast of the latest technologies. There's a lot of supporting documentation for PCI in open source documentation from the perspective of the community. Everybody has the same headaches with the requirements, so the PCI compliance Reddit thread is a ton of fun to read. I love going in there and reading it in my spare time. Yeah, the council actually released a whole bunch of stuff. So not only do they give you this 600 page document with the data security standard, they also release FAQs, information supplements, all this kind of stuff. So the
way I look at it is from the perspective of an organization that doesn't handle cardholder data but wants to have a more secure organization and a better security program: here's a guide on what looks good for credit cards, and here's a bunch of supporting information on how to get there. Being able to cherry-pick from that what makes sense is a way to navigate some of those challenges around technical controls and improving that security. Okay, ISO 27001. So it's a security standard with a set of requirements that helps you establish, implement, maintain, and continually improve an information security management system for your organization. So the idea behind ISO 27001 is less control-focused and more governance-focused.
Now there is an accompanying standard, which is 27002, which is much more control-focused. You know, you could pick from that one if you want to. I chose PCI for the sake of my presentation here. And it's very well recognized. It's very rigorous. So I included the table of contents here that kind of talks about all the things: leadership, support, operation, performance evaluation, improvement. So again, all of these different areas from a governance perspective that help you build and maintain an information security program in your organization that is kept healthy and continually improved. One of the strengths of ISO 27001 is it's strategically focused, as I mentioned. So for any of you that are managing an information
security program, or any of you that are trying to, or tasked with, sort of building out this governance: how do we maintain our information security program once it's in place? This is a really good way to do that. It emphasizes rigor, diligence, governance, repetition, cyclical events in terms of the analysis and assessment of that information security management system. It requires a lot of strong leadership commitment and buy-in when it's implemented effectively. So this is a great way to bridge the gap, as I mentioned, with leaders and the business about information security and how it's a business driver and not a business inhibitor. And then finally, oh yeah, sorry, that's the last point. I kind of jumped ahead of myself there, yeah. A couple of examples here of this. So
I included the improvement section on the left-hand side, so in continual improvement. So it talks about the organization continually improving the suitability, adequacy, and effectiveness of the information security management system. And then also how to deal with non-conformities. Like, what are things we can do to find and remediate non-conformities in our information security management system? So if you're in the kind of environment where you've built a security program, you have a million tools like all of us have, and you're just essentially putting out fires as they come up, this might be a really great way for you to set a baseline and have a mechanism to remediate those risks and deal with them. So on the right-hand side, speaking of risks, I included the information security risk assessment
section, which talks about establishing risk acceptance criteria, developing a risk appetite, identifying information security risks and dealing with them. So the level of risk, how do we qualify or quantify these risks, and then how do we track them and continue to improve on them. Okay, that's enough standard stuff and screenshots from those standards for now. So how do you leverage, like, great, Ian, you've talked about PCI, you're a PCI nerd, we get it. You've talked about ISO, you like security governance, we get it. What does this actually mean for me? What do I take away from this and how do I apply this to my program? So if I can give you one thing today to take away from this
that I think is really important is the concept of scope. Just put your hands up if you have an idea of what I mean when I say scope. Yeah, okay, good, all right, good. Okay, so scope is defined by the boundary of what's being assessed or audited. And so what we get into in the case of PCI, when we're talking about scope, is an organization has deployed assets in the way that they deploy everything. Yeah, yeah, our server that hosts the webpage for processing payments is right there in the same subnet as our app that we have, or it's in the same VLAN as our DC. I don't know, I'm just kind of throwing stuff
out there. But the idea is not really thinking about the segmentation controls or the division of those assets, you know, technically. What's important is that this also applies at the business process or business function level too. So what I mean by that is, you know, in this case in the diagram, I kind of drew a little green square around two servers and said, yeah, there's your scope. But also considering processes that we want to include in the scope of this as well and that's more relevant to ISO 27001. So the handling of customer data, you know, maybe we have an application where we have customer information, but maybe we also have a ticketing system over here where we're interacting with customers and we want to make sure that
we're maintaining the confidentiality, integrity, and availability of that as well. So sort of defining that scope, depending on, you know, if you're looking at the technical level, the technical control, or the governance level, is really the most important first part. The example I can give you with PCI would be, you know, how do we reduce that down so that the stuff we have to protect for PCI is only the stuff that pertains to our credit card information, right? If we have this app deployed on the same network as our internal corporate network, and now all of our workstations are essentially adjacent to our payment card application, that's a bad thing. That could give us a lot
of vectors for compromise laterally, right? And so how do we reduce that down so that this little piece of paradise that is our cardholder data environment is separate from everything else, and that's the only view. So applying this in the concept of your security program and applying compliance to improve that would be, okay, what things can we separate out that are the crown jewels and we can assess or internally assess just that piece and make sure that that piece is the most important and the priority number one. And what I put here, and this is a bit of a challenging question, can we keep everything secure all the time? And that's kind of the goal
for sure. But at what point do you start eating an elephant? Bit by bit, one bite at a time, right? And so if we apply this concept of scope and we say, okay, here's the crown jewels, here's the stuff that we want to focus on first, and we shrink that down and we create an environment where, you know, this is the stuff that we're going to assess internally, and then we gradually add stuff to that scope, what you'll find is over time you've developed an environment that's much more secure. Setting baselines. So taking elements from compliance frameworks that fit your organizational needs. So this is an example; this is one of my favorites because I always get funny looks when I talk about this one. This is the PCI requirement
for NTP, for time synchronization. One or more designated time servers; only the designated central time servers receive time from external sources; time received from external sources is based on International Atomic Time or Coordinated Universal Time. So all very prescriptive stuff. But maybe you're like, we don't even do any time synchronization. We've never even looked at time synchronization in our environment. Well, PCI, I talked about the customized approach, is really great that way, because they say, just as long as the time on all systems is accurate and consistent. That's ultimately the goal of that requirement, right? And so now you have a baseline. You can say, yeah, we've never looked at time, but maybe at a minimum we'll do that. We'll just make sure
that everything is consistent from a time perspective. Align your program to the framework in these areas, whether it's pen testing, whether it's audit logging, whether it's governance, whether it's patching, whether it's identity and access management. All of these things can come together to create your security program. And so the areas that you're lacking, cherry-pick that. Grab your favorite compliance framework and pull that out as a North Star. And then what can we do that will be better than where we are now, ultimately? That's sort of the theme. What are the things that we can take away from this to improve our program? It's also useful in identifying gaps. So hey, we've
never really, we've done risk assessments that give us an idea of where our risk lies and our maturity in certain areas. But looking at these frameworks as sort of a template to say, yeah, like I mentioned, if it's good enough for credit card data, maybe it's good enough for us. And so mapping your security program to that compliance framework, seeing where the gaps are, hey, we never really thought about this sort of control, maybe we should start to look into that, good way for you to get an idea of where your strengths are and where there may be gaps. And yeah, I already mentioned this, but are there things that you've completely overlooked or areas that you're less mature or areas where you could use some improvement?
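The audit-logging requirement and the time-synchronization baseline discussed above lend themselves to a concrete check. What follows is an added example, not code from the talk, from the speaker, or from the PCI Security Standards Council: a small Python checker that reads JSON-per-line audit records and reports which ones lack the fields listed earlier (user ID, type of event, date and time, success or failure, origination, and the affected data, component, resource or service), and whether each timestamp carries a UTC offset so events can be correlated across systems. The field names in FIELD_MAP and the sample log lines are constructed assumptions; map them to your own logger's schema.

```python
"""Check audit-log records for the event fields PCI DSS requirement 10.2.2 lists.

Added example. Assumes one JSON object per line and the hypothetical field
names in FIELD_MAP; adjust the mapping to your own logging schema.
"""
import json
from datetime import datetime

# Hypothetical mapping from the requirement's wording to JSON field names.
FIELD_MAP = {
    "user identification": "user",
    "type of event": "event",
    "date and time": "ts",
    "success or failure indication": "outcome",
    "origination of event": "src",
    "identity or name of affected data, component, resource, or service": "target",
}


def check_record(line):
    """Return a list of problems for one log line; an empty list means it passes."""
    problems = []
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    for desc, key in FIELD_MAP.items():
        if key not in rec or rec[key] in ("", None):
            problems.append(f"missing {desc} ({key!r})")
    ts = rec.get("ts")
    if ts:
        try:
            # Accept a trailing 'Z' on older Python versions that lack it.
            parsed = datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
            if parsed.tzinfo is None:
                # A naive local time cannot be correlated with other systems'
                # logs, which is the point of the time-synchronization requirement.
                problems.append("timestamp has no UTC offset; cannot correlate events across systems")
        except ValueError:
            problems.append(f"timestamp not ISO 8601: {ts!r}")
    outcome = rec.get("outcome")
    if outcome is not None and outcome not in ("success", "failure"):
        problems.append(f"outcome must be success/failure, got {outcome!r}")
    return problems


def audit(lines):
    """Return {line_number: problems} for every record that does not pass."""
    return {n: p for n, p in ((i, check_record(l)) for i, l in enumerate(lines, 1)) if p}


# Constructed sample records: one complete, one missing fields, one with a
# naive local timestamp, and one that is not JSON at all.
SAMPLE = [
    '{"ts":"2024-05-01T13:02:11Z","user":"alice","event":"login","outcome":"success","src":"10.1.2.3","target":"payments-api"}',
    '{"ts":"2024-05-01T13:02:12Z","user":"bob","event":"login","src":"10.1.2.4"}',
    '{"ts":"2024-05-01 09:02:13","user":"svc-batch","event":"read","outcome":"success","src":"10.1.2.5","target":"cardholder-db"}',
    'kernel: eth0 link up',
]

if __name__ == "__main__":
    for lineno, problems in audit(SAMPLE).items():
        for p in problems:
            print(f"line {lineno}: {p}")
```

Run it as-is to see the findings for the constructed sample; pointed at a real export, it gives you a quick answer to "does our logging actually capture what the requirement asks for" before an assessor does.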
Okay, the last piece, the last part here, just comes down to the time. We're going to have a look at a couple of the specifics. So I lied earlier when I said I didn't have any more screenshots. I do have screenshots from the PCI DSS and from ISO here. This is a really basic one that we run into as a problem most of the time in our PCI assessments: an accurate network diagram is maintained that shows all connections between the cardholder data environment and other networks, including wireless networks. Seems like a very small thing, a network diagram. But having that as sort of a baseline, to say, yeah, we need to make sure that we have a network diagram that's maintained, is a good idea. And what's great
about the PCI DSS is on the right-hand side, there's actually some guidance, some good practices. What's the purpose of this requirement? What does good practice look like? So all locations, clear labeling, security controls providing segmentation, all in-scope systems, all of these things included on that diagram. And so if someone tasks you with, yeah, we need you to create a network diagram, and you're kind of making it up just based on what you know best, this is a really great way to kind of start you and give you that foundation. This is another one I wanted to share, 12.8.3, and it's: a process is implemented for engaging third-party service providers, including proper due diligence prior to engagement. So anybody here
have a TPRM program, a third-party risk management program, in the organization? Yeah, not very many. So this would be a great way for you to start, right? Like, what's the minimum viable thing that we should do to ensure that we're engaging third parties effectively and securely? There's even information on the purpose and the practice, right? And the customized approach objective, again, which is sort of the broader objective of this: the capability, intent, and resources of a prospective third-party service provider to adequately protect, insert your data here, are assessed before the third-party service provider is engaged.
Great. This is one from the ISO 27001 standard. So information security objectives and planning to achieve them. And so this just talks about
The information security objectives of the program overall are consistent, are measurable, they take into account applicable information security requirements, they're monitored, communicated, updated, and available as documented information. So again, when we talk about what does the governance of a program include and what does good look like, ISO defines it in this way. can go to the ISO standard and pull this out and say, yeah, here's how we want to try and structure the governance of our information security program, and there's lots of takeaways from that that you can pull out of there. I'm starting to see some nods, so I'm going to speed up a little bit. Leadership and commitment, I always go back to this. I always go back to this because I know
what it's like to try and bridge that gap. I talk to execs all the time about, what's the fine if we're not PCI compliant? Is it cheaper than paying to be PCI compliant? And helping them understand why you have to keep cardholder data secure. This is an example from ISO that talks about top management's involvement. So demonstrating leadership and commitment with respect to the information security management system by, and here's items A through H that sort of say what the role of leadership, of top management, is. And so as an information security leader or someone that interfaces with the business, you can go, here's A through H that I would like you to do to help us be more secure. And again,
use that as a North Star as a guiding principle to help you be more secure. All right, pretty close to time. Any, oh no, any questions? There we go, questions?
standards and compliance, who actually gives you the fine? Yeah, great question. So for PCI, who gives you the fine? It's the card brands. The card brands will determine the fine. And actually, it's the card brands that do the investigation. So if you have an incident involving cardholder data, it's Visa or MasterCard that comes a-knocking and wants to do that. And then they impose stricter assessment requirements on you if you do experience an incident involving cardholder data. Yeah. Good question. PCI-specific questions are good too. QSA, I know we're like the sickly, but this is an opportunity for you to ask me if you have a PCI question, that's no problem. So I have two questions. The first part is
as a startup or high-velocity product company, a lot of times these standards get overlooked. And what is sort of, like, a baseline that, I'm a DevOps engineer, so I can convince my leadership that, hey, these are the things that you absolutely need to do, so if we want to get certified in the future. And the second part is, if we use a third-party card, like a payment integrator, like, for example, Stripe, so we are not storing the cardholder's data at all, what are the, like, from a PCI perspective, what are the things that we need to do? Great. OK, good question. So I would say in the first part, as far as being a startup and the cart and horse effect of, we
achieve a compliance standard versus focusing on our development and things. Like, I've been there, you know, I built Boeseran, I literally quit my full-time job and I was appointed number two to do that. And that is a challenge. What I would say, you know, maybe without a hard and fast rule, what I would say is at some point that critical customer that could make or break your business will come to you and want to buy your product, and they're going to ask you for that, whether it's a CAIQ or something else from the CSA STAR or CCM, for example, or whether it's PCI compliance or something along those lines. You're gonna have to do that. So do it at some point. All the variables
involved with Startuplandia, there's not really a hard and fast rule, but you do have to do it. Yeah, it's pay me now or pay me later. You either do it in the beginning or you do it when that big customer comes along. And then the second question: what's my payment, what's my responsibility from a PCI perspective? PCI compliance and credit card data are mutually exclusive. You can't have one without the other. So even if you're using a third-party service provider like Stripe, like Moneris Checkout, or any one of these other payment gateways, you're still subject to PCI compliance. Your scope is the web server that serves up the page with the iframe. That
web server is your scope. You would want to make sure that that has adequate segmentation controls to keep it away from everything else. Additionally, in requirement 12, the governance aspects of PCI: so we have a list of third-party service providers, we get their AOCs every year, we have an information security policy, these sorts of things. The merchant, the person that's capturing, receiving the money for the card transaction, is still subject to some of those PCI requirements. And depending on the number of transactions, that's typically an SAQ type A, if you wanted to reference that to see what those requirements were. Great, any other questions about compliance or PCI or ISO?
Okay, thank you so much for your time.
Thank you, sir. Appreciate it. All
right, so we're gonna take our last break of the day. We'll be back at 4.15. And we will have another prize.
Last year that I was there, our auditor, we had an auditor. Our auditor was being audited. And what usually was like a few or four weeks, it was like four months. Because they were getting audited. So they were being like super important. It was painful for our guys. But if you build it in your process, it's like a couple of a lot of people
Yeah, unless you start from the beginning, and that was the thing, they wanted to do credit card. So, from day one, it's like, well, . Yes, .
Thank you.
That's not my business.
What's that?
Just me too.
Yeah, last year our whole class got in. Yeah, this year it's just five. Yeah, but the other team won't win. That's why they didn't even have five. Why don't we have five?
So,
it's mom.
I'm glad mom's enjoying it. I'll join it to you. Cool.
So, in every challenge there's hits that take. No, come on. Actually, I wanna do this. I wanna break through the office, right? And label and stuff. So, I'm gonna set up a .
Okay.
Tell us what we're doing next.
Oh, God.
Yeah.
Oh, I didn't even know that.
Who is this person?
Merckx. I don't have cyber resilience. Buzzword? I'm gonna explain why.
So I'm gonna have to plug you into the floor. That's good. Because that power is, it's been Yeah, it didn't work. I apologize. That's okay.
I won't trip over it. Oh, you got the... Are you going to be at the podium or did you want the lav? Does it have any lag on it? I mean, no, it's analog, so it's not like it's... What do you mean by lag? Does it have more lag than... Would I be able to hear myself more? It's the same. Okay. Yeah. Sure. Yeah, yeah, it's up to you. If you're gonna be moving around the room, then you'll probably want that. If you're gonna stand at the podium, then there's no sense. It doesn't, like, six of one, half a dozen of the other. Let me do this one. I'll try it. Yeah, I'll try it. Yeah, we're good. So we got
that right there. Do you wanna do that? This can just drop into a pocket. Is there a presenter view on that? I'm gonna. Like you have notes, speaking notes? No. No, okay. Just that's all you need. Yeah. Okay, perfect. It'll be the same thing then you'll see on the screens as well. So that's all good. Yeah, click on your bell, drop it in a pocket, whatever's easiest for you.
and then if you want to coil that up and kind of you can tuck it behind it or just get the rest of your pocket or whatever just so you don't like hook it on your hand or something when you're speaking. That's all. Make it easier for yourself. Great. I want to just shift it to the other side but yes. Yeah just make it as comfortable as you possibly can for yourself. Here I'll just pocket it.
15. So you're at 4.15. Yeah. Okay, perfect. Great. So I do the switching back there. Awesome. And then you'll see like a little pip of yourself in the side screens. I saw those. Yeah, I saw those. It's just so that we get coverage in the room. But don't get thrown off by that. Yeah, I won't be looking there. Thank you. All right, no problem. And I will leave that on. Leave it muted, yeah. And I'll unmute you when you start. Sounds good. Amazing. Thank you very much, sir. Thank you.
What is... Didn't even look at the topic at all. Just make sure, your first name is pronounced Tarek? Exactly. Tarek, okay. Cyber resilience, okay. You just have to say cyber resilience, like you don't have to say a little thing. Yeah, yeah, I'm not gonna be up here just reading. It's a buzzword, I'll explain. All right.
All right, welcome back everyone. So we're gonna get going in a second, but first we have a draw for a app controlled LED lighting band thing. This is pretty neat.
Yep. I thought so, thanks. 2192145.
talk of the day, we have Tarek presenting on cyber resilience.
My name is Tarek Khabib. I'm a senior manager in the security and resilience group in KPMG. Based out of Halifax, I studied here. I'm very happy to be back here. And most of my focus, half of my job is cybersecurity. The other half is business resilience. And the reason I put the quotes here is because it goes by a few different names. And we'll
talk about what those are. I do have some certifications in these areas. I'd rather be reading all of them, but most of my work is focused on helping companies be more resilient, whether it's to not just cyber attacks, that's the most popular, most common type of disruption, but also to other types of disruptions which we'll talk about. I know it's a security conference, so we're not supposed to have QR codes, but I promise you that one goes to my LinkedIn page, and I'll have it again at the end. The first thing I wanted to start with is just some context. We hear about these buzzwords. We have business resilience, cyber resilience, anything resilience. We have
even personal resilience as humans. And there are a few related terms. So in the old days, it used to be called business continuity management. Now the more common term is business resilience. And it's all about making sure that your business can roll with the punches. There are other terms. So business continuity planning is, let's say, that's one type of plan that you would develop. And I'll talk about the types of plans in a bit. And then there's also the concept of operational resilience, which is not exactly the same thing. So I won't get into that, but I just wanted you to know that there's a slight difference between those. In government circles, continuity of operations is a popular alternative term. But all of this is to say, I want
to make sure that my business can survive almost no matter what happens to it. On the other side, cyber resilience is a subset of it. There's probably no single definition for what it is, but the way that I would look at it is making sure that my business survives no matter what cyber issues happen. And most of it is focused on my systems, my data not being breached as a business, but also the third parties that I depend on; sometimes that's forgotten about. If that third party is breached and can't operate, what do I do? And so that's the focus of cyber resilience. It's a bit of a subset that really focuses on that scenario.
If you do risk assessments, you'll know that there are so many different types of risks, issues, type events that could happen that could impact your business. One way to group them is deliberate threats, such as cyber attacks; accidental threats, such as something catching fire, my data center catching fire; or natural hazards such as a snowstorm or a flood taking out my data center, for example. There are a ton of examples. The distinction here is that, I think, the most common disruption, the most frequently occurring one that I see, is cyber attacks. All of these different things, fires happen, bad weather happens, but if you look at the news and what's happening around us, the most frequent issue, disruption that you find in
the news is this company was hit with a cyber attack. And so that's why I wanted to focus on it, and that's where the field of cyber resilience comes in. So how many hurricanes have we had that were very disruptive, like major hurricanes that we've had in the last, let's say five years? You can count them on one or two hands. Communications disruptions, like not being able to use our mobility services for a day or two. How many supply chain issues have we had with global conflicts, the pandemic? You can count those, the supply chain one is more of a slower burn. But then when you think about cyber attacks and how often that happens, And these things all happen to
all the companies around us, whether it's in Atlantic Canada, anywhere across the world. No company is immune to any of these types of disruptions. The specific thing with cyber attacks, though, is it's specific to one company, or typically specific to one company and its customers if it's a service provider. And the reason I wanted to point that out is you get less of a pass if you're the company that's impacted. So if there's a communications outage, if there's a hurricane that swept through your province, you get a pass. So there's a lot more focus and there's a lot less sympathy, which magnifies the impact of that kind of disruption. Same with, like I was saying, if
you do risk assessments, you know that there are so many different types of issues. And so there's a lot more focus on why you're not open the next day or the next day or two, unless you're a hospital or military. There's the disruption of operations or services, financial costs, reputation. But you can look at them in terms of, if we talk about cyber attacks or disruptions, the most immediate one that's felt is not necessarily the reputational harm. That happens a bit over time, or the
negative effects come over time. But the most immediate one and the one that the resilience field deals with the most is being able to resume services. And so we start from that side and then slowly try to work our way through the other categories. Because we're talking about cyber attacks, most of, or half of the battle is how does my business continue to operate while my systems are down, while the investigation is happening. And the other half of the battle is how do I rebuild those systems and get back to operation. And the reason cyber attacks are so disruptive is because there are extra steps that slow you down during the recovery. So the concept of disaster recovery, and I don't
know why this term caught on, like why disaster, but disaster recovery is typically used to refer to rebuilding your IT systems from backups, for example. I don't know, it's not the same as natural disasters. I don't know who picked the term disaster, but technology disaster recovery is the most accepted name for recovering your IT systems. I have two scenarios for you. So we're gonna talk about the scenario of disruption, and I'm really happy that we have all of these screens, because this is the only slide that I have with Small Fund. But we're gonna talk about two scenarios. The more traditional scenario where a data center catches fire, or a fire impacts your assets. And then the second scenario, and what the recovery looks like in a ransomware
attack. And then they both end up with a common objective of having your systems recovered. In a traditional scenario, a fire happens, you have to evacuate people, declare a disaster, get the fire warden, whoever, stabilize the situation. That takes a little bit of time. Depending on whether or not you have infrastructure or assets in a separate data center, it may take you time to go procure assets, to go to a cloud environment, so that could cause a little bit of delay, but you can directly go start doing that. So as the building is being evacuated, somebody on the other side or in a different office can start working on that recovery. Then there's the backup retrieval. So I have to go get my backups; that might take
time. If I'm transferring the backups between sites and the data is pretty big, that takes a little bit of time. And then the users have to verify that the data, the systems were loaded correctly. That takes a little bit of time. So when we talk about cyber attacks, the unfortunate part is that there are extra steps up front that have to be done to make sure that what I'm recovering can be trusted, and that takes more time. And the tough part there is a lot of businesses think, well, we can recover in four hours. But if we think about the steps that happen, the very first thing is figuring out what just happened. So quarantining
the asset, making sure that we draw a circle around the assets that were impacted, investigation. So sometimes it takes some time to get the forensics people to start their job. So you can't really begin your recovery until you have someone that helps you understand, well, how far back does the cyber attack go? That forensic investigation can take time. And a lot of the time, those assets, that environment is reserved for that investigation. They still want to check a few things before they give it back to you to blow away everything and recover from backups. You also have to assess which and so on. And so you see those extra steps that happen in the case of a cyber attack, that takes time. And the
main objective of showing you this and telling you this is the business is not going to be able to do it. So the IT folks, the security folks have a role to play, but then the business side also has to be able to survive manually to the greatest extent possible, even if they're operating slower manually. But they have to be able to do something in parallel while you're doing all of these steps, while
you're assessing the backups and doing the forensic investigation. They're not gonna just sit around and wait. They're supposed to have their manual processes, and I'll give you some examples of that in a little bit. So the business side has to be prepared. This kind of shows you the current state of things, why cyber resilience is a thing that we're talking about, the common delays that come out of it, but what can we do about it? And this is where the planning side comes in and the whole planning lifecycle. There are four domains that are in the resilience umbrella. So it's not just business continuity planning. That part refers to: How do I continue my
business operations? So I lost a supplier, I lost a system, or I lost more traditional things like a building because of weather or a fire. How do I continue operating? Then there's, on the far right, the disaster recovery planning for technologies, which is how do I rebuild my systems? Both of those things are dealing with those two types of plans. They're dealing with recovery and resumption. There's a couple of things that have to happen. The very first one is damage control. So that's where we get into incident response, emergency response, depending on what we're talking about. So if it's like an IT issue, it's an incident. If it's a fire, typically it's called an emergency rather than an incident. But it's that immediate damage control, and that needs its
own plans as well. And then there's crisis management, which is basically, as those people on the ground are doing their evacuation and everything, what does the management team do? How does the management team get together, talk to the media, manage this as a crisis before we even get to those other two types of plans to actually recover and resume operations? A more traditional example that I have for you here, where you would have to use all of these types of plans, is let's say there's a fire or an explosion at the main office site. People are hurt. You have to evacuate people. That's where incident and emergency response are triggered. And
then shortly after, the news finds out, they start to blame the company for being very careless. The management team has to manage this as a crisis because people are hurt, the media is saying stuff about the company. They have to manage the fallout there and direct the recovery effort. And then we get to business continuity disaster recovery where the business has to continue operations because you just lost your main building. How do I keep serving my customers from somewhere else? And then also my data center was in that building, so I need my disaster recovery, IT disaster recovery, or recover those systems somewhere else. And that's an example of a combo scenario where all of
these are triggered. Same thing with cyber attacks, major cyber attack. It starts off as a security incident, it grows. The business has to keep working while the systems are not available. The management team has to figure out, was data stolen? If yes, what do we communicate? And so all of these four fields, all of these different types of plans have different teams executing them, and they all come together depending on how complex the scenario is.
I talked a little bit about crisis management and incident response. And they're typically two separate teams. The team that's on the ground, that's doing the damage control, they're in the weeds. At the same time, the management team is doing their part with oversight, trying to figure out, engaging the lawyers, engaging insurance providers. Those two teams have to be able to talk because they have the same objective. They're trying to do damage control, contain the issue, contain the fallout. And if they don't talk to each other,
then one team knows something or has an update for another, and it doesn't help the recovery effort. So how do we approach developing these plans? The plans are not the first step. The plans are towards the end of the life cycle. So I looked at a few different standards, whether it's the ISO standard or different guidelines from the Canadian government and so on, and they all revolve around the same set of steps. It won't be worded the exact same way if you look at ISO versus something else, but these are the key steps that you have to go through. Starting with the first one, what is the nature of the business? How time-sensitive are its operations? Can I slice and dice this business
into different processes so that I can assess them, figure out how to recover one by one? That's the first box. The second box, which is probably the one that you've mostly heard of, is the business impact analysis. This is where we say, okay, if this process doesn't happen, what is the impact? How bad is it? Are lives in danger? Are we going to lose a little bit of money? Is nobody going to notice because it's a strategic type planning service? And you start to divide up the business into departments and their activities into time sensitivity. So sometimes people say the criticality of a business process, but less criticality makes people feel that their process is not as important. So I'd rather focus on the time
sensitivity. So how bad is it? What's the fallout if this doesn't happen in each timeframe? These first two steps, even if we're talking about cyber resilience, have to be done on the business as a whole, because this is the business requirement. And in the business requirement, if we go and say, your scenario is only cyber attacks, people start to theorize and say, okay, well, I only need a cell phone for this process, so there's no impact. So you end up with a different set of time sensitivity impacts for those processes. So for the first two, you have to say, regardless of what type of disruption, how time sensitive is this business process? For the remaining
steps, this is where we get to say, okay, I don't have that much capacity to plan for every scenario that I showed you on the list before. I want to focus on cyber attacks, whether it's just against my company, against key vendors.
So those couple of steps that sometimes get glossed over are the risk assessment and the resilience strategy. I find sometimes programs go from, you do the business impact analysis, you have your business requirement, you go straight to developing a plan. But there are prerequisites that you have to have in the plan that could make or break it. So the reason we do a risk assessment is to figure out how exposed we are to these scenarios, especially if we're talking about multiple scenarios. For example, if we're talking about my suppliers getting breached, you slice and dice your suppliers and think about the criticality and how strong they are and what's the likelihood of them being disrupted
so that you can prioritize stuff in the next step, which is the strategy. Another example that I'll use here is, let's say we have a remote workforce or remote sites. We're worried about telecommunications disruption because there could be, you know, someone needs to report a safety incident. Maybe we get them satellite phones. And then we get to the plan development where we say the satellite phone is on the wall over here, here's how to use it if communications are disrupted. Same thing with any type of disruption, especially for cyber attacks, there are things that we have to put in place. The easy example is backups. And if we just go straight from
business impact analysis, my recovery target is one day, directly to the plan, the plan says go get the backup, but if you don't invest in the right backups, it's not going to help you. And so you have to go through the process of at least having that strategy to say we need to buy things, we need to put things,