
So, traditionally, how does it go? Hiya! So, um, wow, what an awesome event. Have you all enjoyed yourselves? Firstly, it's a great honour to be closing BSides Liverpool. When Jen spoke to me back in November and said, "I want to do BSides in Liverpool," I was like, "[ __ ] yeah, let's do that." So when it came around and she asked for sponsors, we were super happy to get involved. So what I would like you all to do is give Skalsasek, Jenny, all of those a big round of applause, because today wouldn't happen without...

Okay, so I'm gonna do Machiavelli's Guide to Infosec. Put your hands up if you know who Machiavelli is. Awesome, you guys get up here, I'll sit there. So, um, okay, before we start, this is the emotional bit. If I start crying, I'm sorry. I'd like to dedicate this talk to our much missed brother Mike, who passed away at the end of March after a nine-month battle with bowel cancer. He left a huge hole in everybody's heart, but I would like you to try and remember Mike for saying wonderful things like this.

Super. I'm not going to read it for you, by the way; you can manage, and he would appreciate that too. Um, but he's left a huge hole in our hearts, and one thing that I was kind of hoping that you would all do for me is, maybe, after three, we could all tell cancer to go and... I think he would appreciate a big cheer at cancer. So after three: one, two, three, [ __ ] and suck.

[Applause] And deep breath. Um, you're all very privileged, because I didn't cry once there, so that'll be your turn later on, once I'm finished, like, "oh god, is he not done yet? I want to go and get burgers." So anyway, me. Um, this is me, I'm sure you can see that. Um, some stuff about me, because I'm supposed to do that, right? So I'm a CTO. Um, I'm the living embodiment that they really will give that title to anyone. Um, and actually double CTO right now, so I'm an interim CTO for another company at the same time, because that's fun. Uh, mostly I help build security teams, um, because, [ __ ], why not.
They're very complex, very complex people. We love hacking [ __ ]; that's the obligatory... we've seen this a million times. We do some very weird incident responses. We do some normal ones, but some of them are quite weird. Um, I'm not going to tell you anything, I'm just going to leave you like... Now, we do some defending. I'm sorry, I mean blue teaming; I believe that's the popular term for defence nowadays. Every now and again I have to speak to some greybeards at work, and they've been struggling to get their heads around what DevOps means, until I explain to them that's what we used to call Linux system admins, and they were like, "oh, [ __ ], right, got you."

So yeah, blue teams are what we called defending back in the day. I spend an ever-increasing amount of time talking about risk. Um, that's not risky. No, but this is. I spend a lot of time talking about recognising risk, which, if I have to explain this slide to you, right, it's been a very long day, I'm sorry. Um, and of course I spend a lot of time telling people that a lot of risk is bloody predictable. He must have known this was going to happen, come on. Um, who remembers this story? Lol. [Music] And of course one of the biggest risks that we deal with, mostly, is people being dumb.

I try, I try to be patient, very patient, but sometimes I just wonder: could we try a couple of years without the warning labels? Just maybe, maybe we could let the universe help the helpers. Um, oh, [ __ ], yeah, and one of the weird things that happened to me is I met my actual, to God, nemesis last week. Um, don't worry, I will explain. Um, it's quite weird. I mean, I know what a nemesis means, um, and if you don't, well, let us explain it to you. Um, but I became an interim CTO for a company recently. I'd done a lot of work with them for a while, so when everything went, they called me and called our company in,
and off we went. And I spoke to their customer care team. They didn't feel like they had much input with the technology departments of the company; no great surprise there in that story, right? And they spoke to me and I said, "hey, look, I tell you what, I don't mean to sound like a prima donna, but I run six calendars at the moment. Speak to my assistant and we will sit down and we'll work this list out and get through the problems." Cool, no problems. So anyway, my colleague came up to me and went, "you've got an appointment with Loki, right?" And I'm like, "what?" He said, "no, no, you've got an appointment with someone called Loki."

So, enter stage left, Loki. So, um, right enough, my colleague was right: I did have an appointment with Loki. Now, the reason that that might not sound very interesting to you... it took me a second to realise why my colleague had asked. So here is Loki. Put your hands up if you know who Loki is. Cool, right. So as you know, I work for a company called Vindler; actually, I'm one of the founders of the company. So I spoke to Loki, and I said to her... we had the meeting, business meeting, conference room. She walks in, I walk in and say, "is it really Loki?" "Always Loki." "Really?" "Yeah." So that's [ __ ] brilliant. My colleague was concerned, my colleague, recently. So why? I says, "well, you know, I presume you know the Norse mythology about your name?" "Yeah, of course." Cool. Well, at Vindler we really love Norse mythology too. We've got a [ __ ]... we've got a Viking ship, there's a logo, right? We love it. I said, "so, um, you might not know, but Vindler's actually named after a Norse god too." She said, "really? Which Norse god?" I said, "well, Heimdall," and we both started laughing. But I appreciate that you guys might not know the significance of Loki and Heimdall being in the same room. Um, we kill each other at Ragnarök.

Which is cool. And I said to her at the time, I'm like, "wow, it's not often you actually meet your actual nemesis at work," because if you know the Norse mythology, you know that Loki and Heimdall have been enemies forever and they kill each other at Ragnarök. And she was like, "wow, that's amazing, it's cool." I mean, yeah, yeah, yeah, it's cool. Obviously we're a bit concerned that this might be the end of the world, but, you know, by the way, how's things going? So, um, I said to her, "look, I'm going to ask you a really strange question." "Yeah, sure." I said, "can I take a selfie with you? I've never had something like this with someone before, and I know it's a little bit weird." And she's like, "yeah, sure, that's cool." I took the selfie, and then I said, "okay, so now the weird part." "What do you mean, the weird part?" "Well, I'm speaking at a conference in Liverpool, and I wondered if I could use the picture." And she's like, "uh, yeah." So, everybody, this is Loki. Um, and she's promised to leave her sharp things at home for me at Ragnarök, but I don't know whether to believe her or not. Anyway, but like I say, meeting your nemesis is quite an interesting thing, right? So anyway... anyway, I digress. So what am I talking about? I'm talking about Machiavelli's
Guide to Infosec, or, really, using yesterday's knowledge to kind of secure tomorrow's future. Just for that spin, right? I feel like I'm in the cyber world right now. So here's Machiavelli. He was very devious-looking. Um, not to be confused with the other Machiavelli: Tupac changed his name towards the end to Makaveli, uh, read the book in prison, and actually the album cover is a parody; they parody each other. But we're not talking about Tupac, we're talking about Niccolò Machiavelli. So he wrote a book in 1513, and it was a little bit controversial, to say the very least. Um, as the rule goes, if the Catholics don't like your book, so much so that they make an entire list that says "these books are not allowed to be read," and the person that started that list was Machiavelli, I probably want to read Machiavelli right at that point. So he was super controversial, but really the book is about an amoral guide to power and governance, right? It's had a bad press over the years, some of it because a lot of [ __ ] have read it too, to be fair, but, you know, moving on. Did I mention it was controversial? Um, Kim Davis recently: Rosa Parks? I don't [ __ ] think so. Uh, but The Prince, so back to the book, super controversial. Put your hands up if you've read it. Long time ago, everybody says that, right?

So, as I said, it is a rule about governance. It's a book about how to manage or obtain power and how to keep it. That's why people like Nixon had it by their bedside. However, as we know, this is not 'Nam, there are rules. Um, but The Prince is where we get the term Machiavellian from. Obligatory Wikipedia quote, blah blah blah blah. But anyway, he was a diplomat in the Florentine Republic, Italy, Renaissance Italy. He used to live in a state that was governed by the Medici dynasty, and the Medici dynasty was quite the thing at the time, right? And eventually the Medicis were kicked out of Florence, um, and Machiavelli became kind of like an ambassador, then became a chancellor. He basically became prime minister in the end, but started off as an ambassador, and in that time, a 14-year period, he was involved with some of the most influential players in Renaissance Europe that you can think of, right? He was in charge of a town, Florence, right here in the middle of Renaissance Italy, and this is basically Game of Thrones, real-life period, right? You're talking about a period in time where your allies are your enemies, your enemies are your allies, and we still haven't done lunch yet. Um, and this changes constantly. So he was involved in issues with, well, all over, uh, and very, very diplomatic problems.

Eventually the Medicis come back into Florence and Niccolò Machiavelli is arrested for treason and tortured for about three or four days, um, held on to not confessing to being part of a conspiracy against the Medici dynasty. You know, they put him on the rack; I think that he's quoted as saying that he went on the rack like nine times, blah blah blah blah. And eventually an interesting pope came along, um, Leo X, and Leo X is quite an interesting character. So what he does is he does a general amnesty, uh, and Machiavelli is pardoned and is allowed to live in exile, away from Florence, but in his town house about 10 kilometres away. Also, interestingly enough, do you know that this is the pope that gave... do you know that every British monarch since Henry VIII has used the term Defender of the Faith, right? And most people think that that title comes from him starting up the Church of England. It actually isn't. The term Defender of the Faith is what this guy, Leo X, gave to Henry VIII after writing a rebuttal to Martin Luther, um, the other famous Protestant, which is quite strange. But anyway, Leo X pardons Machiavelli. Unfortunately, he's never in high esteem again. He's put off to his vineyards; he has to work there, and he has this idea that, um, he's going to reach out to the Medici that is in charge of the Florentine dynasty right now, Lorenzo the Magnificent, and he's going to write a job application, right? He's going to write a book specifically to Lorenzo the Magnificent that says, you know, "hey, these are my thoughts." So it's basically a job advert. It wasn't meant to be published and read 500 years later, for starters.

So his opening gambit, uh, just to give you a rough idea, um, is quite cool. Basically what he says is, "hey, look, people will try and give you gifts to show you that they love you, right? You're magnificent, and whatever those people value will be the gift that they give you. So if they value horses, you'll get horses. If they value gold, you'll get gold. Me, I don't have much to give, but the thing that I value very, very much is the things that I learned dealing with powerful people." Cool. So, with a little bit of artistic licence, and for fun, let's see how security can do through Machiavelli's eyes, right? So the thing is, over the years I've been root on lots of things, lots of things, and I once rooted solar panels, right? I know it's a bit weird. Um, there's a whole host of really random [ __ ] that I got shell on over the
years, and mostly because it was harder to fail than it was to succeed. You know, in a lot of cases I owned it by doing admin/admin. You know, uh, cool. While I would like to be leet, I'll take the win, no problems, I've got no shame there. But in a lot of cases, as I say, it's harder to fail than it is to succeed. In a lot of cases, why does this happen? Well, there's a few different reasons why it happens, but one I'd like to pick on particularly today would be the fortress mentality. We've all seen it before. We've all heard that story of, "ah, but it's an internal system, we don't have to worry, it's inside the network."

Like, yo, do you know what the internet means? That means interconnected networks. So it being internal... everything's external if you try hard enough. Um, but they don't get that. Also, we've all heard this before, right? "Yeah, yeah, the firewall handles that." Uh, this happens constantly. Recently I was told that the firewall scans malware. Like, oh, [ __ ], I don't... I like the firewall doing firewall things, never mind malware things. Now, but okay, cool, but this is what we see in corporate estates all the time, and the reality is, in a lot of ways, your fortresses suck. Um, they're decrepit, they're falling, you haven't invested in them, they don't do the job. And when you own a company's developers... it sort of put me off, because my slides are slightly over. If any of you have got OCD, yeah, [ __ ], sorry. Um, a company's developers, or compromise the IT department, um, it looks like a career in IT right there, right?

Um, I'm gonna digress for a second. It's an absolutely awesome story, I'm really sorry. Right, so my daughter, um, called me up one day and she said to me, "erm, what do you... well, Dad, what are you doing on the 11th of February 2019?" This was in April last year. I'm like, "um, I'm not sure, but I guess... like, it's a very specific question for a 10-year-old. Why?"
"Ah, my school was wondering if you could come and talk." I'm like, "aha, why?" "Well, they'd like to speak to a hacker." "Like, why does your school know that I'm a hacker?" "Well, I told them." "Okay, what did they say to you?" "Well, they didn't believe me." "Aha, why do they believe you now?" "Well, we watched you on YouTube." "All right, it seems legitimate, right." So anyway, eventually I end up in a school in Scotland speaking to a bunch of 10-year-olds; there were 10-year-olds and 7-year-olds, two classes. And it's very cool, because the 10-year-olds, they were all trying to play cool, right? So when I come in, they're super interested, but they're very much worried about what the person next to them... like, "oh no." And my daughter's got this big smile on her face. I'm super nervous. I've done lots of public speaking, but the minute they said, "can you speak to your child and her school friends," I'm like, "no, don't make me do it, please don't make me, I'm scared, no, no, I plead, let me go and speak to the infosec crowd, please don't make me do it." But of course I can't say no, it's my daughter. So anyway, I do this talk to a bunch of seven-year-olds, and they are very different from the 10-year-olds.

So, firstly, the 10-year-olds are all sitting cool at the table, like, "yeah, I've got Snapchat," and blah blah blah, and all being kind of nonchalant about everything, trying to play it cool. And the seven-year-olds, they came into the room running, and it was just chaos. I'm like, "oh, these are my people, awesome, I love them, carry on, do you want some... here's some Red Bull, go on." Eventually they all got their cushions and sat on the floor, so I got my cushion too and sat on the floor. The teacher made me stand back up again. I'm like, "sorry." Um, and I started speaking to them, I started speaking to them about cyber security, right? Sorry for the buzzword. And I've been speaking to them all and saying, "hey, how many of you have got Snapchat?" And I was genuinely mortified when I asked my daughter's group, because all of the hands went up. Like, but you're 10, why do you need Snapchat? And basically I said to them, you know, what cyber security advice were you given, who set up the account, blah blah blah blah. So I start talking to the seven-year-olds. I'm like, "okay, so who set up your account?" "My mum, my dad, my brother," blah blah blah. Great, everyone whose account was set up by an adult, keep your hands up. "Did you get security advice from them, you know, how to behave online?" Half of them put their hands down.

There's a bunch of seven-year-olds. I'm like, "oh, [ __ ]." And the other bunch, I said, "you know, what was the advice you were given?" "I was given 'not to accept strangers.'" I'm like, "okay, what were you given?" "Not to accept strangers." "What about you?" "Not to accept strangers." Like, okay, so did everybody get told not to accept strangers? "Yeah." "What else did they say?" I'm like, "oh, okay, cool. So I'd like to ask you a question. How do you know someone's a stranger? Because your mum pretended to be you, set up a Snapchat account, and then added your friends. So how do you know that I'm not pretending to be one of your school friends and doing the same?" And the kids had great answers, but there was a little boy, and I'm not gonna lie, he looked like he had a career in IT at seven. Um, I mean, I had a warm spot for him when I said to the whole class, like, "okay, does everybody know who a hacker is?" And the boy's hand's up, like that: "they're intelligent people that like playing with computers." Like, I [ __ ] love this kid, who is he? Um, and later on he puts his hand up and I say to him, "how do you verify who they are?" And he says, "well, the first thing I do is I tell them to take a photograph." I'm like, "uh-huh." "And I tell them, yeah, hold three fingers up, or touch the nose, or hold the ear or something, so that I know that they have taken that photograph." So I say to him... you know, and I'm like, oh, [ __ ], this is a seven-year-old, what's going on here? And as I'm about to say to him, "great work," he says, "oh, the other thing that I do, when you go to Google, you know, it's got that little camera icon? What I do is I upload the avatar picture to Google and I see where else it's gone." I'm like, holy [ __ ], the seven-year-old is explaining to me Google reverse image searches, and how to validate if the image is genuine or not. And, like, "who taught you this?" "No, I worked it out myself." Whoa, cool. Have you ever thought about security? Do you want a job? What's the minimum wage? Do you need health insurance? Okay.

Um, so I will not share the young gentleman's name, but we'll call him the seven-year-old hacker. I hope that they find some use for this kid's skills, because otherwise I imagine we'll go to visit him in jail when he's about 15, right? Oh, [ __ ], he's got better OPSEC and security skills than actually all of my customers, and I spend a long time working with them. This kid, boom. But anyway, I digress, and the only reason I digress is just two people that look like they should be working in IT, sorry. So anyway, compromise an IT department, or, lol, pwning the Wi-Fi, because that's not hard, right? Or own a bunch of these printers, or any other printers, because, hey, hacking printers, we've been doing that for years, let's do it some more; there's a whole bunch of new hacks in there, it's [ __ ] awesome. Lol, wreck some VoIP phones, and then all of a sudden your big security fortress is a bunch of rocks. Awesome, well done. So the fortress mentality has some flaws, but what would Machiavelli have said
about using the fortress mentality? And if we look to chapter 20 of the book, it actually has a specific, uh, schtick about fortresses, and it goes a long way to say, you know, if a prince is scared of foreign invaders, he should not be building fortresses; if he's scared of his people, totally build fortresses. So it's kind of really easy to steal that for security, right? That a security team who is more afraid of their users should be using fortresses, but the security team who's more afraid of strangers should maybe focus their security efforts a little bit more robustly than building high walls. Obligatory Lebowski picture. And the thing is, historically speaking, the issues with fortresses have been slightly well documented. I'm not sure if you know, but people who hide in fortresses: we know where you are. It's the big building with a high wall; you're in it. So, for starters, your enemies know where you are before you even start. And secondly, you don't actually have to be effective in a siege to [ __ ] a fortress, just like you don't have to actually be that effective in a DDoS to cause problems to a company.

And if you're wondering, this picture is the famous Athens versus Sparta. Does anybody know the story about this? So this is a great story about "should have updated their antivirus," basically. So Athens, in their big fortress, decided that they were going to eventually destroy their foe, the Spartans, and the Spartans went, "lol, we are warrior people, you're philosophers, wow." "But we've got a navy, like, bring it." So the Athenians did, and they started a war with the Spartans. They'd done it a few times, to be fair. So they started a war with the Spartans, and they go and hide in their big fortress and they shut all the doors. "Don't worry, we're going to be supplied from our naval fleet. We will stay in the fortress and the Spartans will stay outside, and they'll eventually either have to go or they'll start attacking us because they're frustrated. But either way we'll get them, because we've got a plan, right?" Awesome. Unfortunately, they also got the bubonic plague, um, and that'll really screw up your attempts to piss off your neighbour, apparently. So eventually, in the fortress... the Spartans didn't even do it, they just waited. They just sat there and waited, and eventually the Athenians brought in the bubonic plague, everybody got ill, the military leader involved in this died, so the plan went to hell in a handbasket, and then eventually they were completely and utterly annihilated by the Spartans, and had to do an unconditional surrender in the end, right? But of course they had the security infrastructure and the advancement of the military infrastructure, that would be the navy; they were far superior in navy.

So this is the problem with fortresses: they're very good at keeping your people in check, but they're not very good at dealing with problems like, "we've got the bubonic plague." "Well, that's cool, we're stuck in these four walls and we're all gonna die." That's not a good position to put yourself in, right? Um, but fortresses are not the only thing the book talks about. We can actually apply some of this to red teaming, or threat hunting, or proactive security, or whatever the new term is; probably purple team soon or something like that. All right, is there a purple
teamer in the house? Right, okay. You know you guys are a parody of 10 years ago, right? I'm sorry, I'm not trolling you, really. Um, so red teaming. And we go back to chapter 20 again, right? And basically what Machiavelli is talking about here, I'm not going to read things out to you, um, you're all adults... but you're all adults in age, probably not in spirit, um, later on tonight, though. But basically what he says is that for a prince to be successful, he really needs an enemy, right? If fortune loves the prince, they will give them an enemy, because it's only in the struggle, it's only in the struggle, that you can be victorious and loved, right? Cool. So we can sort of reapply that again, right? So instead of, you know, the prince, what we can say is it'd be good for the blue team to organise some [ __ ] with the red team, and actually win. But, by the way, just out of interest, should the blue team at least win sometimes? No? Right, okay. Hands up if you think the blue team should win sometimes. Okay, and the rest of you, I don't care what you believe; you are the good people, right? The red team has to lose sometimes, right? It has to, because otherwise why do you keep on testing them? They suck, you've proved it, now help them grow.

But anyway, as we say, Machiavelli sees the importance of causing chaos, of being attacked, of defending that. And as all of you know, we learn the most in security once we've been hacked, once we've been attacked, because all of those plans, all of those ideas, all of those things... what's the famous Mike Tyson quote? "You all have a plan until you're punched in the face." Um, and security is very much the same thing. Paraphrasing it, but it is something like, "everybody's got a plan until I hit you in the nose," or something like that. But anyway, as a blue team, you should get your ass kicked every now and again, because that victory will give you confidence, it'll make your people good, it will make you stronger, right? I know I'm a bit like this at this moment, right?

But what would Machiavelli say about building a security team? Well, Machiavelli was quite a complex character, and you'd probably be interested if you inherit a security team or build a security team, and I've been involved in both processes. Um, and what I can tell you is, the kind of person I am, I much prefer to build a security team, because you get to see the people, you get to know the people, you get to work with them. When you inherit a security team, what you have is a lot of complexity that you're only going to be able to find out on the ground, right? You're not going to find out that your senior pen tester actually secretly has been searching for new jobs for the past three months, blah blah blah. You'll only find these things out on the ground, when you see it. And I'm not going to read the wall of text again, but basically what Machiavelli says here is, yo, if you take a new place over that's different in customs and all of this sort of stuff, if it's different and you're gonna change it, you need to go and live there. And he talks about Alexander the Great here. Uh, Alexander the Great was great at stealing other people's land, apparently, but at the end of the day he was very good at holding on to it too, and this is because in a lot of cases he would go and live amongst the people, and it enables you to fix problems earlier on. This is another one that's super simple to adapt. We can just say, yo, look, if you take over a new area and you are the security officer that's responsible for it, please don't do this job remotely. You can't be effective. Yeah, you have to be on the ground with the troops, because it enables you to see problems straight away. How many of you
have had senior security people making decisions about your security on the ground who have never even been to your office? Right? I mean, seriously. Um, [Music] of course there will be problems with this, of course there are. What happens with that famous firewall when it detects ransomware? Oh my god, please stop clicking on the [ __ ] things that say .exe. I'll tell you a small story. I got a panicked phone call from an HR department a while ago. They're like, "um, we've clicked on ransomware, what should we do?" Like, "uh, don't click on it." "No, no, no, like, what should we do?" "Like, unplug the system." "We've done that already." "Okay, then cool, just tell IT to roll it back, no problems. But can you send me the files, just so that we can have a look?" "Yeah, no problems. We can't send them out, the firewall's blocked." Hang on a second: how did they get in, if you're going to block them on the way out? It turns out they were reading the inside of zips very properly, and they'd received a zip with resume.doc.exe and resume.pdf.exe and the profile picture, and nobody, nobody, nobody at any point went, "that's a bit odd." They just unzipped it and double-clicked on it and it went, oh, [ __ ], ransomware. Unplugged it. The first question that you have to ask yourself is why did it evade Sophos, right? I mean, that's the first thing that we should say here, because ClamAV picked this thing up instantaneously, and I'm gonna say that ClamAV should be your bare minimum, I believe.

But anyway, cool, it's really like this, you know, when you look at it, right? It's super, super... and really the problem is, you know, the obligatory Lebowski picture again, um, but we didn't really train anybody properly here. We can blame the tools, right? We say, "well, the AV didn't pick it up," and, you know, "the anti-malware device didn't pick it up," and blah blah blah, "the security UTM blah blah blah blah didn't pick it up," but it [ __ ] looked dodgy, and what we hadn't done is taught the staff the importance of, you see, if that looks a bit weird, probably not to do it, right? Actually, Machiavelli... it's almost like giving staff tools, arms, to be able to defend themselves against strangers trying to steal things from them. Machiavelli has this great point, and basically what he says is, when he goes into a principality where the citizens have been unarmed, it's super wise to arm the citizens, because they will be forever in your... forever in your gratitude for releasing them, but, more importantly, they'll be really good at defending you as partisans. So arm them. So, hey, we can do the whole user awareness training under this too: that it doesn't make sense for a security officer to go into a new place and be very restrictive. It makes sense to start educating as soon as possible, to arm people up, because the only effective firewall that you're ever going to have is your users, unfortunately, right? And we need to wake up to that, because there isn't going to be a next-gen 2.0 blockchain-assisted blah blah blah blah blah blah blah blah other thing, right? It's just going to be pish, as it always has, right? Your only effective firewall is people. Educate them, and, you know what, maybe they'll [ __ ] up every now and again, but
so do you guys, so it's all fair. Now, I know it's supposed to be half an hour, I know I'm slightly over, so I'm gonna wrap up a little bit, right? So the talk was supposed to be a little bit about fun, but it's really about good governance. Our industry is about good governance. I knew that things were really crazy when the long-haired hacker in the business meeting was saying, "you know, we really need some good policy here." That's when I'm like, oh, [ __ ], the world is inverted, it's upside down. Maybe when they were making black holes in Swiss mountains the parallel universe happened. But when you have hackers start talking about policy and governance as something to be able to help users survive, your security's pretty [ __ ] at that point, right? But we as an industry tend to do a lot of geeky things, but we don't tend to look further back for other solutions. Uh, we find that in tech industries every innovation is a new revolution, right? Um, but a lot of lessons can be learned in history about good governance. Helping users to be safe is a governance job, right? That's what we're there to do.

Also, super hot take, but Machiavelli wasn't very Machiavellian, and I can give you probably two big reasons. Firstly, he was a bit of a loser. Um, so he never got employed again. He basically wrote a few books, but after he wrote that job application, it was thrown in a drawer and forgotten about, and published five years after his death. Do you know The Prince was never called The Prince in Machiavelli's lifetime? Uh, it was called that after his death, when it was published by the publishing house. So it was never supposed to be that. Also, not super Machiavellian to actually write the rules down and then give it to people. Um, it seems to me the more Machiavellian would have been, "I'll shut the [ __ ] up and benefit from it, and I'll win that way."

So, yeah, here are the three hot takes that I want you to take away today. Remember, fortresses defend you from your own people, right? That's what they're there for. And of course we do have to defend ourselves against our own people from time to time; they do do some dumb stuff, right, they're human. But we have to be vigilant when we say our security is the security that starts outside the firewall, um, because otherwise you're just the Athenians waiting for the bubonic plague. Um, if you get hacked, it's a great opportunity. Um, don't forget, though, like, if you are doing good work people will target you, and learning how to defend that will make you better. So don't panic, and remember, failure is a natural side effect of trying, or trying is the first step towards failure, one of the two, right? I can't believe that you missed the joke, though. Okay, I feel bad, I have to explain it. But okay, and with that, I would like to... I'm 10 minutes over, right? Sorry. Okay, and with that, I hope you've enjoyed your BSides Liverpool, and enjoy the after party. You have to, like, leave very, very soon, right? Cool, thank you very much. You've been awesome. Goodbye.
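The ransomware story in the talk (a zip carrying resume.doc.exe and resume.pdf.exe that staff opened, and that the perimeter devices let through) is the one place where a concrete check is worth writing down. The Python below is an added example for this transcript, not code from the speaker or from Vindler, and not a substitute for an AV engine such as the ClamAV the speaker calls the bare minimum: it inspects a zip in memory without extracting anything to disk, and flags members whose final extension Windows will execute, members that hide an executable behind a decoy document extension, and members whose content carries a Windows PE image (an MZ DOS header whose e_lfanew field points at a valid "PE\0\0" signature) despite a harmless-looking name. The archive it scans is constructed inline to mirror the attachment described; the member names other than resume.doc.exe and resume.pdf.exe, and the extension lists, are assumptions.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows treats as directly executable on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                         "vbs", "vbe", "wsf", "hta", "msi", "ps1"}
# Extensions attackers use as the decoy "middle" extension, e.g. resume.doc.exe (assumed list).
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt",
                       "rtf", "jpg", "jpeg", "png"}
# How many leading bytes to read per member: enough to reach a PE header in ordinary binaries.
PROBE_BYTES = 4096 + 4


def is_pe_image(data: bytes) -> bool:
    """True if `data` starts with a Windows PE image: MZ DOS header, e_lfanew at 0x3C, 'PE\\0\\0' there."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew < 64 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_member(name: str, head: bytes) -> List[str]:
    """Return the reasons a zip member looks like a disguised executable (empty list if none)."""
    reasons: List[str] = []
    base = name.rsplit("/", 1)[-1].lower()   # ignore any directory prefix inside the archive
    parts = base.split(".")
    final = parts[-1] if len(parts) >= 2 else ""
    if final in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{final}")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension .{parts[-2]}.{final} (decoy document)")
    # Content check is independent of the name: a renamed .exe still starts with a PE image.
    if is_pe_image(head) and final not in EXECUTABLE_EXTENSIONS:
        reasons.append(f"PE image disguised with .{final} extension")
    return reasons


def suspicious_members(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Inspect every file in an in-memory zip; map flagged member names to their reasons."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(PROBE_BYTES)   # bounded read: a huge member cannot exhaust memory
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def fake_pe_stub() -> bytes:
    """Constructed, non-functional PE header: MZ, e_lfanew = 0x80, 'PE\\0\\0' at 0x80. Not malware."""
    e_lfanew = 0x80
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = e_lfanew.to_bytes(4, "little")
    return bytes(dos) + b"\x00" * (e_lfanew - 64) + b"PE\x00\x00" + b"\x00" * 16


def build_sample_zip() -> bytes:
    """Constructed sample archive modelled on the attachment in the talk (names beyond the two .exe are assumed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.doc.exe", fake_pe_stub())                  # decoy doc + exe extension
        zf.writestr("resume.pdf.exe", fake_pe_stub())                  # decoy pdf + exe extension
        zf.writestr("invoice.pdf", fake_pe_stub())                     # renamed executable, benign name
        zf.writestr("profile.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # genuine JPEG header
        zf.writestr("notes.txt", b"MZ is just text here, not a PE header")  # MZ without PE signature
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_zip()).items():
        print(f"{member}: {'; '.join(why)}")
```

Two points are worth noticing when reading the output: profile.jpg and notes.txt are not flagged, because notes.txt only starts with the two letters "MZ" and has no PE signature where e_lfanew points, so the content check does not fire on coincidental bytes; and invoice.pdf is flagged even though its name looks fine, which is the case a purely extension-based mail filter misses. Wire a check like this into attachment handling in front of the AV scan, not instead of it.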