
All right, this is Quadling, Josh Marpet, on day two of our second virtual BSides Delaware, and I really should learn to pause Twitch when I do that. So we are in our second virtual BSides Delaware, 2021. We are hoping that this again will be the last virtual BSides Delaware. I'm telling you right now it is, and next year we're going to be back in person, bigger and better than ever. We're going to be back at a university, hopefully; we've still got to make negotiations with that. Look, this is a weird time, but we're having a good time here. We're enjoying ourselves, we're learning, we're meeting people, and we're having a great time. We've got, oh my gosh, we've already got five or ten people in the classroom today. If you are not in the class right now, where you at? Get in here, come on in here, let's have fun, because today, for the first time here at BSides Delaware, Gidia is going to be doing Mortal Kombat with Fuzzbutts, and we're going to be running a... it's a game, isn't it? Fuzzbutts versus Fuzzbutts, a Red Team versus Blue Team tabletop exercise. So we've got three separate red teams, we've got all sorts of things going on, and you're able to participate and be part of the stream, and so we can totally profit... well, okay, we're nonprofit, but whatever. We can totally have fun with you at your expense, and we're going to watch you do a tabletop exercise. Now the good advantage of this is watching people actually do a tabletop exercise. Wow, how many of you have actually done it properly before? We're going to have our very own Gyia from Leviathan doing a tabletop exercise. Thank you so much, and I'm going to turn it over and walk away. Have a nice day, guys.

Hey everybody, so yeah, I'm Whit. I am from Leviathan, I'm our tabletop practice lead, so I get to play D&D for fun and profit. I don't know. Anyhow, so we're going to go through a pretty fun, simple
game, not too mentally taxing for stupid o'clock in the morning, called Fuzzbutts vs Fuzzbutts. So with that, if our good friends at PowerPoint want to actually help me... there we go. All right, is everybody seeing everything? Cool. All right, so this is the story so far. This is the Red Team versus Blue Team game. We're going to get into the rules in a second, but I really like to start with the story to kind of bring you in. So fuzzbutt.com, one T, very important, is an up-and-coming cat picture aggregator site. They allow users to search for cat pictures by color, breed, size and sassiness. Their claim is that their deep purring algorithm harnesses the ability of real cats to recognize and hate the [ __ ] out of each other, to allow for excellent fine sorting and discrimination. They have a security budget of "yes", but they have a small dev team, and their corporate mandate is that everything they do and all their spending has to be done by consensus. Their CEO is Billy Cotor, who's... yeah, think Elon Musk with a much smaller footprint.

So once again, our good friends at PowerPoint... here's the other players. So Fuzzbutt is the blue team in this game. The other players, the red teams, are Minur: obviously Fuzzbutt is intelligent, they're like, all right, we're worried about people getting into our data, and again, in a fit of good sense, they're like, cool, let's hire some white hats. So their goal: find the most likely attack vector or vectors and report back to Fuzzbutt. Their budget is moderate, like, don't go crazy, but if there's something within the realm of possibility I'll allow it. The second red team, the Power Borers, a bunch of script kitties, you see what I did there. They're trying to make money, they'll do whatever they can, they kind of just want to start trouble. Fuzzbutt is coming up, getting a lot of buzz for being, you know, cat memes, and they think they might be a good target. They have no money, but they don't give a crap about the law. Finally there's fuzzbutts.com, see the letter T. They have a different, maybe not-safe-for-work business model, and they were trying for confusion; they lost in court. Billy Cotor, again, think Elon Musk, pasted them on Twitter, and so Fuzzbutts wants to basically take out their competitor here. They're not doing quite as well, especially after having to spend all that money on that lawsuit, but they're pretty well heeled. Again, reasonable things I'll let you get away with.

So here we go, red versus blue. What are the rules? Blue team: you guys are going to decide what teams you want to be on, so
any number of people can be on any team, that's fine. You're just going to split up and kind of do this on the honor system. Blue team gets a move. A move is a discrete step that Fuzzbutt is going to take to harden their systems before an attack. We're going to play this a little fast and loose; we accept any reasonable suggestion. I'm going to suggest that one person speaks for the group, or types for the group, either way. But they get three moves, and you get to do it first, so you're going to confer privately and tell me what you're going to do. Again, however, you've got to agree unanimously, and that's the problem, or solutions, depending on how many of you are awake. Again, you've got up to one month to make these changes. So you're basically Fuzzbutt: something's happening, they get an idea, they have a sense of the three kinds of groups of threat actors, but they don't necessarily know what they're doing. So you're trying to basically get as much protection as you can using three moves. Any reasonable changes to your system architecture, whatever the hell you do, will be allowed.

Red team: each of the red teams, and again you can self-select; all the red teams, or one, two or three of the red teams, can be in play, y'all can decide what you want to do there. Each of you is separate. Each of the red teams gets one move. So again, a move is a discrete step that your team, that your character, thinks is going to get you toward your goal. Again, split into a separate Discord, or if it's just one of you, fine, you're going to DM me. Y'all can assume up to one year's planning, like Minur would know what we're doing... I mean them. You know, the Borers have been working on it; Fuzzbutts has, you know, lawsuits aren't short, they've been planning their revenge. But it's got to be reasonable. Again, I'll be
reasonable, or at least funny, and I'll allow it. What's the end game? Both sides are going to present your moves publicly, first blue, then red. I'm going to adjudicate them based on a combination of reasonability and appropriateness. I may ask you to say, okay, why are you doing this and how, and probably go to the dice. I'll usually approximate a percentage, usually on a d10, a percentage of how likely it is. If it's likely, that's fine; if it's not, it's not, and then I'll tell you what happens. I ask, in the end: don't fight the scenario, don't be a sore winner, don't be a sore loser, and let's enjoy the game. Afterwards, if we have time, we can talk about what worked, what didn't, what would you want to see more of, less of, was two hours enough, what do you think? Because not only do I like playing these games and running them, I'd like people to be able to take something away from them, because a lot of us have to play them, and some people have to run these. So let's think about what value this is to you, if we have the time. If the game's really cooking then I'll take my answers offline. And would this be useful to clients, clients being really broadly defined; you may not be a consultant, but there's somebody you're doing this for, even if it's just you. So maybe give a little thought to how this type of thinking about security, this sort of gamified thinking about security, is going to work for you, or whatever your concern is. And at the end, my cat M will tell you so. That's it. Now that is it for the need for the slides, though I'm happy to go back to any of them if necessary to describe anything. This is where we are going to split up. Actually, I'm going to ask you guys to split up, but let's get a sense of how many people are here. Okay, cool, we have, besides me, a total of nine, so there's eight of you. Feel free... I think you guys can unmute, right? And let's talk about who wants to be on what team and where we go from here. This is only going to be as fun as how interactive you all want to be. All right, go.

Just testing to see if we can unmute.

Yeah, everybody should be able to unmute. Okay, cool. So yeah, this is much more about talking back and forth, like any game would be. All right, so
excuse me, really? We're going to do this now? We're going to do this with par... go back, go back. All right, let's go into this. Okay, so let's get a sense: who would like to be on the blue team? Who is interested in playing as blue?

I can be blue team.

Okay, who was that? Cool, all right, Ca Fage, you're blue team. Anybody else want to be on blue team? I mean, if you're the only one, then that's going to make conferring really easy. Anybody else want to be on blue team?

I'll also assist with blue team.

Okay, cool, all right, we got one more. All right, if I don't hear any more blues, let's see who is interested, if at all, in being Minur. Nobody wants to be Minur? It's not as much fun, right? How about the Borers or Fuzzbutts? Anybody? We have a blue team. I mean, I'll play the other sides if we have to, but it's way more fun if you guys do. Let me know what you need, I'll play any player. Oh, all right. I think that Fuzzbutts, the competitor, is probably the most fun out of the three; if you only have one red team, that's probably the most fun. So we have two people as fuzzbutt.com, as the blue team; we have one red, at least, playing as Fuzzbutts, their competitor. Anybody else want to jump on either the red or blue teams?

I'll jump on the red team to even it out, I guess.

Okay, you can either jump on the competitor or you can choose one of the other two, which would be Minur, which is basically the white hat group, or...

The competitors, since I've not done one of these before.

Okay, so that sounds good. So we've got two people playing as the competitors, we've got two people playing as blue team. Anybody interested in playing as either the outside security consultants, or basically, you know, the anonymous, the out-there group that you can kind of sculpt any way you want, who's just trying to wreck their crap and make some money? Anybody interested in those? Okay, what, nobody wants to be the hack-the-planet people? Come on.

Right, that's what I'm thinking, right? Those are the people, but let's be honest, nothing's that fun at 9:15. I think Rando should be hack the planet.

As the person running this stuff, I wasn't really paying attention, but [Laughter] sure.

Nice, I love it. Your job's just going to basically be to come up with some attack.

God damn it, Quad, like what?

I just gave you the opportunity to scream into the microphone: hack the planet.

It's too early for that. Hack the planet.

All right, I'll shut up. Whisper quietly, or slightly
angrily: hack the planet.

So for the blue team, how good can we assume their basic security posture is? Like, we have three moves, and do we have to, I don't want to say waste them, but do we have to spend them on basic things like, they have a SIEM, they have XDR, they have endpoint protection on all their endpoints? Are those moves, or can we assume that really basic hygiene is covered?

Let's, for the purposes of this, yeah, your basics are covered. I know, Al Dragon, your idea of basics and everybody else's idea of basics is a little different, but I'm going to go with: be reasonable. If you come up with something ridiculous I'm going to tell you that you have a 10% chance, but yeah, you don't have to waste one of your moves to be like, we would like this thing called IT. No, that'd be cool. And if we make our moves, you make your first set of moves... oh, and feel free to be talking amongst yourselves on the moves while I'm talking. Ideally you'll be the folks that are on blue team, you know, open up your own DMs, be talking about what moves you want to make. Red teams, think about it. And feel free to jump in too if you don't want to actually play one of the players but you want to make comments; it's fine, we're sitting around a virtual gaming table, this is chill. So yeah, give me anything reasonable. If we go around and it's going well, and I apparently don't die of my morning coffee, you may get a response round. So red teams may screw with your [ __ ], and you may get a chance to respond and go back and forth a little bit
because we've got a two-hour slot. If people are interested we'll keep playing the game. So I'm hoping at this point... actually, since you've got the classroom, you've got this class as long as you want. Well, there we go, so we can keep playing as long as this is fun, or talk about tabletops. The thing about doing these, and again I hope you guys are thinking and talking in the background, the thing about doing these is, just like a real regular game, like D&D (I play and design indie tabletops for fun), they go at the speed of the players, to a certain extent. And this is true when you're doing them for real, when you're doing them for a client: sometimes it's pulling teeth, which is kind of why I try to design these, and you have options there. You can get a little crazy, you can run up cat memes. If you've got that one dude, that one old head who just knows all the answers and nobody else is talking, you can do what I call bad-clams them out: okay, great, y'all went to lunch and you had the bad clams, you're out for the rest of the scenario. You can put injects in, which is dropping bad [ __ ] in. So my favorite is what I call the Arizona Bay scenario: okay, guess what, the entire West Coast has dropped into the bay, an earthquake dropped it into the Pacific Ocean, Arizona is now beachfront property, which also means that all of AWS West just dropped, everything else just dropped, and how do you deal with something that sounds ridiculous but could happen? Maybe not that much, but how do you deal with real catastrophe? So there's a lot of ways to go with this, even if you have to do tabletops or IR thoughts or writing standards, and you're really trying to figure out the worst. Thinking of this in these kinds of ridiculous terms is often useful. Like, are you really preparing for the West Coast to drop into the ocean? Probably not, but what sort of branching pathways does that get you thinking about? And it's a lot more fun to do it like that than it is to be like, okay, and then this backbone went down, and then this happened, and then this happened. You're going to get the same effect, but you're going to enjoy it a lot more. And even if you're not doing it formally, there's a lot of nice gamified tools you can use to be doing this stuff, like Backdoors and Breaches, Elevation of Privilege, yada yada.

All right, checking in with our actual players. Blue team, have you come up with three moves that you are ready to DM me, or let me know secretly, because obviously I don't want the red team getting all sneaky and changing.

We have three moves and a bad joke.

That is perfect. Okay, so I'm going to let you do those. Given the way we're doing it here, usually I'd have you send them to me and I would do a little adjudication on it, and then red would
respond secretly, but in this case, because we're going for a little back and forth and because you promised me there was a joke, we're just going to go with it. So blue team, let's have move one.

Okay, move one is a well-implemented DevSecOps workflow where all code is deployed through a CI/CD pipeline that automates vulnerability scanning and does stuff like SAST, DAST, SCA, and flags vulnerable upstream code that needs to be patched.

All right, that sounds reasonable, absolutely reasonable given your finances. You've got a small team; tell me a little bit more about how you are... and I didn't define small, so that's fine, I'm again playing this a little fast and loose because morning. How is that happening? Remember you've got one month to be doing this, so how are you making that happen with a reasonably small team but a budget of yes?

We bring in an outside consulting firm that are experts at doing that sort of DevOps stuff with the security embedded in it, and they set it up and train our developers on how to push their code that way.

Okay, you know what, I'm going to say that's reasonable. I am going to do a roll on it, but I'm going to say that you've got an 80% chance of that going pretty smoothly given the parameters that I've set. If I thought about it I would have done my dice roller on the second screen, but nobody actually gives a [ __ ]. Yeah, 90, you got that, that works. That is reasonably in place now; we'll see what the red team has to say about all that, but I'm going to tell you that that's reasonably in place. So what's number two? Zeno Fage, you want to explain number two?

Yep, as soon as I can find my mute button. Number two is we have an internal threat hunting team that does their thing on a daily basis, so you know they
they're out there kind of trolling the network looking for pretty much anything that's wrong or shouldn't be there, and tracking it down.

Okay, did they exist prior to this month, when you started getting some intel that these attacks were going to happen? Was this a pre-existing thing or did you spin it up?

The company had a security department that had, you know, sort of a... yeah, I mean they're a little bit more advanced than your general yes/no security team, so they weren't doing threat hunting prior to that. This is something new that they started because they've been made aware of the threats, but they're kind of gelled as a team and off they went.

Okay, all right, I'm going to say, given that... and this time I'm actually going to do this. Yeah, I'm going to say you've got like 60% on that one, so I think that's a reasonable thing that you had going on. So if I get a six or below you're good. Fine, eight, great, that happened, so that's part of your security posture at this moment. All right, give me your third. Hold on, give me a moment; why
didn't I put Baileys in this? I mean, I'm a professional. All right, hit me with your third.

So we're slightly concerned that you'll rule this unrealistic, but we have users who paid attention and took their security awareness training seriously.

Hey, there's the joke. Yes, I swear to God I was just getting on to say that. I'm going to give it a two, so that there's actually a chance of you making this roll. [ __ ], no. In fact, it's so much fun. Okay, so the problem is I rolled a nine on it. So you give people this training, but you decide to do it live, you decided to do it in person as a mandatory, everybody-do-it-at-once PowerPoint, slides that you hand out; you print out all the slides, you hand it to them, and it's at like 8:00 a.m., and half of your people are West Coast anyway and you're doing it at 8 Eastern, and at least a couple of your people, all they see is the shiny things in here: ooh, click on the shiny thing if we email it to you. Because you say, all right, we'll follow up on this over the course of time, and at least two people get a really blatant phishing email and click on it. So now you've set up all of these great things, and now you're going to be at sort of a disadvantage before the red team gets in, because you've got a malware incident on your hands, because you all decided to get funny. I'll say at this point 40% or 50% of your team is now investigating a malware incident. So good job, that went about as well as real life, right? You see, and now you know why we're sitting here.

All right, so red teams, and if you've been listening to this and you've just decided, okay, I've heard this and I
want to get in on this, that's fine. I'll go through the red team players, or the red team groups, and if you're just like, oh yeah, if I were X I'd do this, do it. All right, let's start with... I think all we had staffed so far was the competition. So folks playing the competition, assuming you get one big splashy move against these guys, what are you doing?

My idea was that we leverage our very similar-looking domain name to do a phishing attack, and since the training went really well, maybe we'll actually get a couple of hits.

All right, I'm giving you an 80% chance that that's going to work, because their training went horribly. Let's do it. That works. You absolutely get it. In fact, they can't, at least right now, prove it, but it seems like the malware might have come from y'all. However, that being said, the competitors, unlike the Power Borers, do have to worry about the law, so I'm going to say you guys have a pretty good budget, but I'm going to say that you guys need to... in real life I'd have you guys make a roll, but I'm going to say that you're going to have to survive whether or not it gets traced back to you. So I'm going to say there's a, let's say 40% chance. So let's see what we got here. Let it get traced back to you... it does not. So you have absolutely, through a brilliant Fuzzbutts-related phishing scam, hit them. They're dealing with some sort of malware; we'll figure out what that is, probably in a second. Speak up.

Who's to say one of our user accounts wasn't hacked and used to attack our competitor
accidentally?

Accidentally, exactly. No, that's exactly right. It doesn't come back to you. Obviously everybody thinks that it might be you, but nobody can really prove it, and you did well enough that, at least right now, I'm going to say that there's not social media blowback against you, not reputational damage; the roll went well enough. Had it been a little lower I think people would be more suspicious, but right now it's just, they're like, it could have happened, but didn't. Does anyone want to make an attack on behalf of the outside security company, not the ones that Fuzzbutt said they hired to harden, but, you know, pentesters? Does anybody want to make an attack from the point of view of some hired pentesters? All right, I am then, I'll do it. I'm going to say that they assigned some fairly junior people to this, because after looking at it, after finding out how profoundly expert your staff is in listening to your training, they assign associates, they assign juniors, and so the juniors just decide, all right, we're going to just do a real basic port scan and see if we see anything open. That's their first attack, not terribly sophisticated, but that's where they're going to start, based on putting the least effort in. So I'm going to say there's like a 50% chance they're going to find something, because you did actually take the time to harden your security posture; it's just, you know, PEBKAC errors all the way down. They do not; somehow they did not find anything on a basic port scan. So far, doing well. Does anybody have any ideas coming from the point of view of hack the planet? I think we had somebody that got voluntold to do that.

Okay, I was voluntold to do that. All right, remind me what I'm coming up with again; I really was concentrating on other things and then Quadling sold me out.

Yeah, no, you're fine. You're coming up with an attack against... how would a hack-the-planet kind
of group hit a late-stage startup that's decently well set up? And your goals are what you want them to be: ideally you'd like to make a little money, but you might just be going after their reputation. You're just kind of a loosely associated group who is trying to make trouble whatever way you want.

Sure. One of our operatives took a stroll to get some coffee past their office and dropped a few USB keys out in their parking lot, which have some things that are going to happen when they get stuck into the machines.

Okay, given the wonderful training, I'm going to say that's like 70% likely. Let's see what happens. Well, the magic will die... oh yeah, that works. So tell me what was on those keys; tell them what they're coming up against now.

Sure. Once they get plugged in and the autorun launches, the USB key opens... it has now popped a shell on... well, assuming, and I suck at these games because they assume a lot.

I'm going to do it. You assume anything you want; if I think it's unreasonable or out there I'll push back, or I'll let the dice decide.

So I'm going to assume a late-stage startup has employees with laptops that have administrator privileges on them, or that run as administrators, and once that pops up, that then opens a channel to a C2 callback server.

That's totally reasonable, I'm not even going to make a roll on that. Especially, I didn't say so, but especially if we're talking the last couple of years, that's definitely going to have had to happen. Okay, so this is where we're at. Blue team, do you have a sense, have you at all been talking
about how you might respond to that?

So can we get a roll for whether either the EDR or the outbound traffic monitoring to the SIEM and the SOC picks up the evidence of this?

Yeah, and I'll say you really did put effort into that, so I'm going to say you've got a pretty high likelihood. Yeah, you catch it, son of a [ __ ]. Yeah, but catching it and doing something about it is its own issue. So we've got some stuff, so let's deal with it in line. Blue team, I'll tell you right now, in terms of how we'll go: we'll discuss the ransomware, or rather the malware, which, okay, guess what, is ransomware, and then what you found next. So I think that covers the two major things, yes, because the fourth guy didn't come up with anything. So let's start with blue team: how are you going to respond to the malware that definitely didn't come from your competitor, no way, no how, no chance? And blue team, I'm going to say that... no, let's just go from here, and let's hear what you've got.

Okay, so we detected it and are...

Let me be very clear, you've got two things going on. First we're going to resolve what happened from the other team, from your competitors; they got ransomware in there. And then there's what Colum, hack the planet, got through the USB keys. So let's start, because you didn't ask at any point when and where you caught the first thing, so let's first deal with the malware, let's just call it ransomware, that your competitors managed to hit you with, because your employees listen to you so well.

So first, we detected the ransomware, right? I mean, we're going to say we detected both of these attacks.

Yeah, I'm just handling them in sequence because it makes more sense, because they're going to have different effects on you. So you detected... actually, tell me how you feel like you would have detected the ransomware. How would you have found that?

So hopefully our EDR system would have flagged the ransomware. I mean, ideally it would have flagged it before it executed and started encrypting things, but we could say that it...

Yeah, that's your hope. All right, I'm going to give you a 50%
on that to see at what point you found it. Oh yeah, not so much. I mean, you learned about it. I wouldn't say you found it, but you learned about it when somebody reported they couldn't get into the customer... oh my God, I'm too tired right now... the database of people who have signed up for customized cat memes. It's way too early for me, whatever. So basically that database you can't access; you find out about it because somebody goes in and you get a splash screen saying so.

So that's how we found out about it?

That's how you found out about it. I rolled a one, or I rolled a zero percent, so yeah, that did not go well for you.

So we launch our incident response plan, that we absolutely have from it being part of the basic cyber hygiene, to assess how damaging the ransomware has been, how many of our systems are inaccessible now.

Okay, you have an IR plan. I'm going to say that you have a well-written policy; in fact you have wonderful policies and procedures, you even have a playbook. It's beautifully written, your outside security consultants know what they're doing and will give you the finest documentation possible. How'd you get that information to your employees?

It was absolutely printed out, so when their computers became inaccessible they still had it.

All right, let's see, you've got a 30% chance of that. It actually happened, you had it printed out, that's amazing, cool. So you have physical copies of this. I'm going to ask the question again, though: how did you get the information to your employees? How do they know how to use this?

You mean other than the documentation?

Yes. Or maybe a better question would be: this was written within the last month. I'll even say somehow they handed it to you and it was beautiful and perfect on day two of the month, so you've had most of a month. How have you communicated this, besides handing out physical copies to your employees? Do they know about it before this thing happens?

Yes, they were notified about it through email, and we held a training about it.

Oh wow, your employees are really good with training, though. I'm going to say this was your security team, so you're going to get a better chance at this. I'm going to say that there was a 60% chance that most of your people read this. Yeah, okay, people have definitely read the playbook, they've read the policies and procedures. Given the short amount of time, they probably haven't had the time to drill it, they
haven't had time to do a tabletop but they've at least seen these things before okay so give me a sense of what that might look like what are those you know uh what are the what does it look like what are you actually doing and if there's another you know Al Dragon you rock if there's somebody else on Blue who wants to talk about this or even somebody else just in the group who wants to give some opinions on what this thing should look like you know feel free to help out blue in the interest of having more interesting discussion about what what A playbook for a m for a ransomware incident should look like what you would
hope that these guys had in it
all right um you know Al Dragon if you've got some ideas or you and your team member over there have some ideas hit me okay I don't want to monopolize the talking time um I mean if somebody else has ideas jump in at any time like don't worry about it but yeah so um I'm going to say that um our our IR Playbook is pulling machines offline um and you know quarantining them cleaning them and investigating What's um you know been infected and then restoring them from backups okay um could the other member of your blue team is it Xena yep that's me cool all right so you've heard heard what uh you've heard what Al Dragon just said about that um
how long do you think it's going to take for that to happen what's your goal what well the goal would be to so we would prioritize um you know the different groups based on uh business need you know who's who's making the money who's protecting you know Etc um so we would sort of prioritize the different departments and then work through them and it I mean TimeWise it's going to depend on how big the infection was I mean was every Everybody hit or was it just a a bunch of people in marketing or did do we have that sense of that um I mean from a from an IR Playbook perspective it's it's you know we it's a prioritization of the
different departments making sure that everybody else is disconnected and bringing on bringing back online the most important bits first okay and yeah we're going to say that basically you what's what's locked is your is your customer list like everything internal is working in fact I'm even going to say because the roles were really good that for right now the only people who are noticing it are your customers who have signed up for your um for your special like um you know in your inbox get the finest cat memes tailored in your inbox so those are the only people you're hearing from right now so you're going to say that's your priority getting that up uh yeah yeah and if we can I mean if
if we can leverage the existing security like EDR and everything that we have to make sure that there's a a signature out there for um for what we got hit with okay um let's see technologically let's see that's going to be seems reasonable uh you're going to do it but it's going to start it's going to take a while so you are starting to Blue Team you're starting to get customer complaints um you know it starts with a couple of emails but you're getting overloaded you're doing really well and it's not hard for people to you know you've got a really great like report a bug or vulnerability disclosure thing on your privacy page so now you're starting to
get some pressure from the outside um you're starting to risk reputational damage how are you going to handle that uh the way that all good companies do we're going to throw money at it and and hire some firms um so we we need we need some marketing firms to make sure that you know the right people uh crisis management firms to make sure that the the right message is going out there and we'll bring in uh an outside security vendor to help uh clean up okay uh and I'm going to say you know Al Dragon do you have a sense of a vendor that you would want to use in such a situation Leviathan oh you pandering I
love you panderer I love you I I I love this but we don't do reputation you know we don't do PR I was thinking specifically on PR um I know nothing about PR firms but um let let's let's say whoever whoever our CEO's brother's cousins you know you know whatever knows that that that heard about the situation and got on the phone really quickly to make the the sale that's kind of what I was hoping for all right and you're big enough that that Billy culture really does know some decent firms some say like there's a 60% chance that you get somebody that 70 that's not and it's completely monstrous okay so you've get so you hire an
outside firm that's really good at triaging the individual customers like they are they are definitely doing that they're somehow like putting enough person power on it that like everybody's getting a personal response they don't Unfortunately they don't seem to know what Twitter is so yeah your stock is starting to go down a bit and um and as a result let's just say that Billy culture again Elon Musk in a skirt um is starting to scream at you so let's leave that at that point right there because you've got another red team issue to deal with that being um God damn it I've forgotten the other thing that you've caught the hack the planet stuff the USB
stuff how do you know how do you figure out because you catch it how do you figure out that that's not the same as the ransomware you don't yeah that that's a tough one I mean it's it's a different tactic um and obviously we can assume a different strain of malware but I'm I'm not sure we could ever be 100% sure that it was it wasn't the same group so what do you do about that how do you respond to that attack at all like you caught yes you kept technologically you kept that from [ __ ] your [ __ ] up but I love say on stream oh well I did um oh hey um Kelly
I'm Sorry by the way do you have like a running so so I put a scoreboard up on the screen do you have a running Point tally for this or no it's a scoreboard like not useful I am no that that absolutely works I've just kind of been mentally mentally going back and forth but I'll take a running tally all day like that's cool okay uh so I have it and I can just change whatever so if if if you want to give a periodic score update I can always update on the stream for anybody who's coming in late nice what do you have what do you have I have the scoreboard up that's it you the
score okay um at this wait I'm gonna think uh red zero right now no that's not true red one because they actually got the malware in um Hack the Planet did not succeed so that's red red one blue deflected that yeah deflected that but is really up the creek so right now it's with the malware so it's one-one okay I will update the scoreboard in a couple couple seconds and Red's going to get a chance to jump in again in just a second um it's you know there's just there's so much here um actually blue I'm gonna have you think about the idea of how you're going to respond you know how you're going to try to prevent the
second the US kind of stuff from happening again uh I'm we're going to go back to that but let's go to the red teams and anybody who you know again I'm going to go through the three the three teams uh three red teams and if as you've been sitting here you've been like oh no I want to get in on this or you have any ideas jump up you don't have to be the player that was there to begin with so whoever was playing people who were playing uh the competitive you have been watching you know that you you you know that the payload was deployed you don't know what's going on internally but you definitely see what's
going on on Twitter and you know they're CEO so they you know she's oh [ __ ] so that is what you know based on your original attack buz but.com now what do you do I have one good so where all about chaos uh and we see we see they're taking hits we imagine that their team is busy so we want to make them a little bit busier they they they had mentioned that they have a uh bug Bounty program correct oh yeah so there's nothing to say that during this bug Bounty program that we have to tell them that we found anything so we go to their uh we we do scans of of their environment uh figure
out where their web server is and we throw we we throw some scans at it and see what it has and it turns out that it has a vulnerability and we then deface their website because we're just not well I don't want to say just because we're a activist uh thing but we think that's uh more more public the better so we deface their website and that to get some attention cat memes deserve to be free yeah cat memes deserve to be free no-cage cat memes free range cats for everybody um and then we we po yeah so we do that because we know it'll be public uh and we know that it's going to cause a
little hopefully it causes a little bit more Chaos on on their uh on their reputation okay so yeah so this makes a lot of sense initially now you wouldn't have known that this you know your your red team wouldn't have known this but you know initially we know that you didn't the the Juniors over at Minotaur didn't find anything uh when they did a for scan but you're absolutely right it's freaking chaos and that's probably not priority one so I'm going to give you I'm going to give you like a 70% chance of finding something there so let's find out oh magic magic not eight ball oh yeah that works the website is tell me tell me what the website reads
right now um the what does it read right now um it uh it reads that all of all of the cat memes and pictures have been stolen from other creators uh We've uh We've created some uh other social media accounts to have those same things and we've we've uh We've created some accounts complaining about it that point to it this is all of course completely false but um yeah it's okay so you're s the site says that but you haven't you haven't set up shell like fake Twitter accounts no no no no we have okay you have that's what I want yeah so because we wanted power along with the defacement we wanted whatever else was
out there so we set up some fake social media accounts and things like that complaining about these very same things um and that um and hopefully that affects their stock nice um yeah no absolutely okay the player playing player or players playing the competitors from the outside you see this like Twitter was like their social media presence was being hit their stock was starting to slip before that and then this defacement happened so at this point looking at this what is the comp the direct competitor
doing who did we have as the direct who did we have as the direct competitor I don't remember um I was one of them I think yeah was the other um I'm not sure um just a negative PR campaign um to point out you know all their deficiencies and try and you know lessen their value um smear campaign type stuff I don't know yeah no that's that's absolutely legit I mean one of the things I like to point out in these games and encourage is like it doesn't always have to be a technological attack you know um yeah a smear campaign at the right time matters you know social engineering matters you know there's lots of [ __ ] so yeah that seems totally
legit just pile on the dis the danger for you guys is blowback right now about you know looking like bullies now RC or The Blue Team CEO is known for looking being a bully anyway so even before this she was not you know beloved on the internet so I'm going to say there's a 30% chance that well there's two things let's see number one if it's successful I'm going you know in dragging their reputation more deeply through the mud dropping their uh share price and I'm going to say that's an 80% chance because they are screwed right now that totally happen however I'm going to say in terms of blowback looking you you guys looking at
bullies 50% chance of that happening because the internet is fickle and full of trolls that does not happen so blue team blue team you are you know I know your security people may not care about this but your CEO but Billy ctor like definitely cares about this the stock is dropping and you know what you may care because you know that IPO is around the corner was all supposed to be around the corner and your stock up you know like your your early retirement is definitely on the brink right now so I'm gonna say at this point at this point you Billy cotor is like basically comes down from on high to wherever your IR war room is and it's
just screaming while you're trying to deal with this issue and the issue you're dealing we left for you to deal with at this point so now we've got three issues for you there's how are you preventing the USB key type attacks from happening again what are you doing about we still don't know exactly how we're going you're going to resolve the ransomware and you um and you're getting screamed at and your websites to face and you're getting screamed at so your life sucks right now so blue team how you prioritizing this what are you H what are you going to deal with first and why I think we'd probably continue with the the ransomware first um since that's
that's that's kind of a direct Revenue um piece that we need to to handle um yeah I mean we already said that we're we're we pulled in marketing firms for um for part of this so you know I would hope that they're handling the reputation part of of all of this as well uh as far as the USB sticks go um that's a group policy no more no more USB on the computers that just that Port doesn't work anymore for anybody okay um well let's let's resolve and okay so the pr firm let's say I'm gonna see if they're stopping the bleeding I'm on on Twitter it's going to be hard but I'm going to say it gets
better it gets a little better but it doesn't matter because your CEO is still losing her [ __ ] and there you you've got a human element here like you know everybody knows that it's getting a little better and you're communicating well but you've still got a CEO calling for people's heads functionally who how do you deal with that when you've got a screaming person that can can can you in your offices Al Dragon I have I know that this has never happened to you so why don't you practice how this would go so I we're we're a small team but somebody is in charge of the security team presumably so that person has to
tank the CEO and get them out of the it area and into a conference room where they can discuss the situation all right that sounds reasonable and with a group this small she probably hired that person so I'm going to say it's fairly likely yeah this happen however that means your security lead is in a boardroom getting yelled at right now so this never gets better for you blue team sort of um so yeah okay you're clear um you're absolutely clear I'm also going to say that yes disabling the USB ports absolutely key so now you you have two big issues one is that you're you know one is that the you're you you've still got an um locked
up data and the others that you have you you have your website is defaced which means it's a little more difficult for you to be communicating to the greater world what's going on you do have a security you do have a PR firm working that so I'll say I'll say that part the talking to the customers we can at least put on the back burner um you know you've stopped the bleeding with reputation getting screamed at so all right let's go back to let's go back to the elephant in the room what are you going to do at this point in terms of the fact that you that in the ransomware rain hard morning what's your next steps
I've already forgotten where we left off with the ransomware so we we contained it we were restoring from backup um and I I think that's where we left off I think you did um Al or or Zeno when is when was your last backup um I'm going to say that that we have a a continuous back backup system so the the point in time recovery is uh is an hour um let's say like an hour recovery Point going back three days and then like a week recovery Point going back from there and then eventually becomes a monthly recovery Point okay also on the scoreboard um that's going to be heck the planet P them so that's
definitely going to be one for them um the opposite the um their competitor did a great job at launching a campaign without getting blowback so that's a point however they did manage to calm down their CEO so right now I think it's red three blue one uh blue two all right so where all right you're doing continuous backups are you on Prem or in the cloud either one of you can answer or hybrid my my vote is both there's an on Prem backup that then gets back up backed up to the cloud sounds reasonable um all right uh yeah that's fine and I'm not going to ask like which which Cloud it doesn't really matter if you're in Google Azure
AWS for for right now um yeah fine all right let's see yeah that that mainly works um you're able to get it yeah you lose a little bit of time but yeah you're back up and running pretty well at that point so that's another point for blue um all right so you've you've got that you're back up and running um you're back up and running you found the damn thing um that's fine what do you do now customer facing stuff is up that yeah you're you're back running with minimal loss what's the next step for the blue team forensics um find out the initial attack Vector for the malware and also the website defacement okay let's start with the website
defacement uh I'm gonna you you're pretty sure it was hack the planet and so I'm going to I'm going to say that I'm going say that's about 90% certain that you can trace that back to them you've you've also thrown so much damn money at this all right so you know pretty much without beyond a shadow of a doubt it was hack the planet um who defaced your website how what do you do with this information turn it over to the FBI and our PR firm and let them work out the best way to deal with with it that's fair hack the planet you know you you know you know they've you've been nailed you're pretty sure you've
got enough you've got enough you know tentacles and enough things that you would hear and have a and be pretty sure that they know it's you do you care no and what steps if any are you going to take about you know regarding law enforcement or anything like that uh I don't know we'll probably just sit back and watch and like they're not going to find they're not going to find us um however that's assuming that everybody had really good opsec and that it was that people are using you know nobody has like that little program that they wrote didn't get traced back to a certain person that left their GitHub open or some [ __ ] uh uh yes you know
so so as I set back and left I'm like I'm actively I'm actively like picturing myself in this situation going oh [ __ ] uh so and that's exactly why these games are important yeah so I'm I'm am going to begin uh I I'm going to check my my hubris and go back and uh see what we have facing I'm going to go look at our at our code that was generous see if I could trace back anything do we have any GitHubs that are Trace back to us I'm going to start scrubbing um because as as funny as this was now that we know LEO is coming um we're gonna start scrubbing yeah and I'm going to say like
you've got experts you y'all you know how to do it but you are pretty distributed so that's going to you know that's a lot of that's a lot of surface area to scrub and you know when something like this happens a lot of people are going to go to ground so I'm going to say there like it's a half and half that you're able to successfully do this you are you're fine you somehow managed to cover Your Tracks like LEO knows or something but they can't you know they can't really nail anybody they can't do much of anything so you definitely do it um so yeah you you covered your ass and you're okay um you
hit you got out and you're happy you seem to have met your objective so point for extra point for red team one of the red teams absolutely met their objective I got I got like actively anxious when I thought about that I'm like going that that one guy that got drunk and forgot to use Tor it's that one [ __ ] who like was just like let me use code that I've used in my public dissertation [ __ ] sure and that right there like if if if I could have snapshotted two minutes of any game you know I've or of a game I've run and explain like why this is important that's it right there I'll go
back and create a highlight of it for you like it's it's all being recorded that's perfect because like like you you go through these if you go you know if at work or whatever you have to go through tabletops like those I've noticed those moments don't happen like every once in a while you're like oh I should have done this but like that oh [ __ ] moment I've only ever had happen in the game of five months um and I think it's because you I mean my theory is that people are thinking out of the box they're chilling they're thinking about things that seem that at first blush like you exactly as you just did you're like well
this could happen this wait a second as I'm thinking about this this could be best because you're going you're going down that route um awesome so there's where we are there um competitor competitor you you know they you hit them they've still you know they're dealing with things forensically um we haven't quite resolved the ransomware forensics yet so right now I would say you're doing pretty well you you absolutely hit them you did right did actual damage probably Financial damage reputational damage you managed not to get blow back from your own kind of whispering campaign kicking them when they were down if you you get let's say you can take one more shot you're seeing that
they're coming up you can see from the outside or from you know whoever you your information tentacles um that they're working again they haven't lost a lot of data they're slowly rebuilding holding their reputation um their IPO is definitely now an extra year away because they're going to have to go through a mountain of paperwork and just to rebuild for Value um that's their posture right now um is there another hit you want to take yeah I would I would say like when they started having to do PR and you know they're you know you know noticeably in the public that they're that they're hurt and they're paying security firms to you know repair damage done and stuff
like that you know they're putting out a lot of money um for ads on cat memes so now is like a really good time to appeal that um Court decision and take them back to court and hit them with more lawyers and and legal fees you know maybe that the money won't work out yeah yeah that's a good point the copyright thing yeah the copyright thing was probably settled or rather the trademark of fuzzbutz versus fuzzbutz is probably settled absolutely but there's as a former litigator um I can say you know there's always something there's always something and you know even if the court even if the case gets dismissed there's there's good stuff there um blue team that gives you another
wrinkle because um because I'm I'm going to let definitely going to let the competitors file lawsuits like there's no question that they've got enough money and lawyers to file some at least nuisance suits where they go is its own thing but blue team especially Al Dragon you should freaking know better here at no point did any of you did either of you say I'm GNA get in touch with legal or compliance oh [ __ ] so you yeah so you're on the back foot um I'm going to roll I'm going to say it's about 80% chance you get blindsided by this you do you do so you are now you're you've been your company has been hit with a shitload of
claims by your competitor um and maybe they're it doesn't matter whether they're frivolous or not uh at the very least you're looking at a couple of years of litigation because legal is not involved your CEO is picked again um so what are you doing with this because incident response is more than technology so we're going to update our incident response plan and make sure that legal is involved yeah y might as well learn some lessons there yes um are we still dealing we're still dealing with the reputation uh issues right absolutely and this ain't helping um this is not helping um we this is I I don't condone this at all but uh it may
be time to replace the ciso and and start clean cleaning house a bit make it look like we're doing something um to kick that reputation up yeah okay so all right I'm going to say that I'm got to make a roll I'm going to say that's 70% successful and actually you do that and your reputation starts say you know and people the infosec community at the very least loses their [ __ ] and like you're scapegoating this that and the other your CEO is happy because she doesn't know [ __ ] about [ __ ] she's just like we've made you know she's out on Twitter saying we've taken decisive action but like the infosec community
is not happy the cat mem like lovers are like team SCH um so yeah you're you're you're really taking more reputational hits while this case grinds through um let's H back to the forensic uh on the malware um so you know we do know you're not going to trace it back to the other side they did pretty well with that oh red another point for you because you you lawyered up successfully um so Max and malware forensics you're not going to have traced it back to the other team because they they covered their asset pretty well but you know you still have this issue of this is a thing that happened um you know you you might have UND I'm going to
say you understand how it got in you know a combination of you know vulnerability and your idiot employees um but what are we what are your steps to keep this from happening again so that was the important part is the understanding how it got in so now we can we can improve our processes fix the the vulnerability on the website um yeah that was that was the main concern of the of the forensic finding out all the Pathways in and then being able to either patch them or add security controls for them or find some other way to account for them um excluding the idiot users because you know that's that's Perpetual yeah that's exactly it you
know it's never we're always saying it's not you know it's not if you have your next incident it's when like it's going to happen no matter what you do um in this case you didn't one thing you didn't have to deal with was somebody actually I shouldn't have even called it well probably shouldn't have called it ransomware because nobody was actually asking for ransom because things went a little differently um but yeah you know that's that's something you would would have had to deal with which hopefully would have triggered legal all right so I'm gonna say that yeah you've You' cleaned up your you're you know you're in good shape for what's coming next you're looking
um you're still however I think the last sort of leftover tendril here for you guys is reputational damage and um the CEO is quiet but yeah you're still taking the reputational and uh legal tick damage is there anything that you think that you can do to help that you know to do with that because really what's at stake now is your early retirement are tasty tasty yeah yeah those of you who are still with the company um you know congratulations person who has uh who has just been promoted to ciso um whether or not they want to um what are you going to do like that's the last thing that's sort of the last uh loose end that's there for you
guys I I I don't know a whole lot about restoring reputation um on a on a scale like that um I mean from the from the security team side um I think we'd probably you know maybe the new ciso is is more of an open person and um decides to start you know being a bit more transparent about both to the public and internally about what's going on in the security team and and what we do and how we do things so you know start blog entries and and talks and Etc with with sort of uh recapping of of what happened how we dealt with it you know Lessons Learned type stuff yeah all right yeah I mean I think that's a
reasonable answer Al did I see you unmute for a second so I I also have no idea about about PR reputation improvements at all so I'm I'm just going to go off the rails completely and say you know we we partner with a cat shelter um to bring kittens into the into the office and we set up webcams all over to just live stream it um as a as a PR campaign does anybody remember as's uh the point thing about deploying office kittens their proposal to deploy office kittens which somehow is scrubbed from the damn internet and I can't even find it on the way back machine um yes that I'm there's no role for that
you just you just deployed kittens in your office you are that blue team I want to give you two points for that um but I won't for fair but blue team definitely gets a point they they they involved kittens like that's if there's an iWin button on the Internet it's kittens um yeah so that's that's a very quick run of fuzzbutz vs fuzzbutz I think you can see if the game you know with larger teams with more people how this game I love this game because it can scale like you know we had a two-hour slot but knowing it was early you know we can definitely do you know do some wrap up and and stuff like that but this
is a game that scales this is so much fun really well isn't it and my and I will put this up this deck this deck and its materials and a couple of other scenarios I've done are up on my SlideShare so I will I'll definitely throw those up or throw a link in uh so and they are free to use like I those are mine uh one thing I love about my company is all of our IP stays our IP so when I create these things and I put them up you know I'll scrub them of client data and yall can use them um what are some like does it did anybody have any ideas of like hearing other
people like oh I would have done that differently like one thing I was thinking towards the end with the um with the reputational thing is maybe leverage the board you know if you've got one you know leverage the board to get the [ __ ] CEO out of there but she's toxic yeah I was uh I was kind of like internally screaming about why didn't you go to Legal why didn't you do that that but that's me like I'm I'm very much I'm I've always been very much like okay nerds let's get the adults involved first and say like here's what's going on and but that you know I've also you know you're everybody's life experience
varies and stuff but I've been in a lot of situations where it's like yes we have to address this but there is now PR and marketing and they are very much often the people who are who are loudest first and um like you need to you need to do something with them um but yeah that's I mean that's a really important part that we often forget about as as you know security people and nerds yep I will say so one of the ways I'll do these is role based like I'll do character classes and like you're legal you're this you're that um and I'll usually make people play whoever is you know make people play the thing that is
farthest from what they are ex to get like security to understand legal the set and the other in games where I do not do class-based stuff 75% of the time nobody thinks about calling legal in compliance think let's see do know I did I see you unmute yeah I was just going to say I booting the CEO never even surfaced as an option I mean it's it's I guess it's one of those ingrained things where you're like that person's Untouchable I I I didn't even think to say like you know maybe the the the board steps in and and does something about the CEO yeah I mean yeah cuz like at least to me like my in in my this is playing
out over a very short period of time so if that happens like God the politics and that I wouldn't have even thought of that either yeah I think from like the competitor standpoint you would have probably more above the board you know actions taken like targeting board or CEO or or hostile takeover type weird stuff busy things and just you know not getting in way if it just happens that their site gets hacked and their PR goes down the tubes because that would you know further their gains but didn't really think about CEO or board specifically in this no um yeah can I throw something in the mix always so not specifically about this scenario but every time I run a
tabletop like every bloody time I try to run multiple iterations and when I start going hey guys have you cooperated with the other teams and start looking at me funny like what what what are you talking about and just have you consulted have you cooperated have you determined who's responsible and accountable for the various pieces of this these issues problems these whatevers like I had one where I had it security and compliance and I told it and security you know have you talked about which tools you could buy and use and they could use your tools and save their budget and they went we don't do that well you'd save half the money because you're
duplicating everything yeah like unbelievable cooperation even in the commercial space not even the governmental space where it's legendary but cooperation is so foreign consultation cooperation you know what I mean oh yeah no that's that's absolutely true and you know whenever I give a talk or something on like you know like uh September I I did a thing in Colorado where they wanted us to run a a 18 person game um and then do a little wanted me to do a little talk on like what are the BuzzFeed five most important things to get through a malware incident and I was just like communication communication communication communication communication and they last and I was like no really um because you're right
and one of the things you can do really well in a tabletop game is exactly make that point. I didn't here, because, you know, we had a smaller group, but yeah, that's freaking key. It really is. One of the ways I love to deal with that, which sometimes works and sometimes doesn't if I'm doing it virtually (this is something I got to do a lot this year), is I will just tell everybody, okay, here's a two-hour block and everybody has to be on call during that block. Everybody has to be on call on Teams or whatever. Anyway, we're in that two-hour block and I just pull people in as they're requested. So I'll start with, all right, Customer Service, you're the first person: head of customer service, you start getting reports of... and let them pull people in. "All right, I'll do this and this." Okay, cool, who do you talk to next? And let them pull people in. And it's fascinating to see, when not everybody is sitting around the table and you actually have to think of who you're pulling in and what you're doing, how that fosters communication. I've definitely had a lot of people say, like, oh wow, I've never really been in the room with Legal or with something. So, you know, an interesting way to make that happen, and make people understand that the problems are solved more easily and efficiently when you have the right people in the room, is make them put those people in the room. Because once Customer Service is there saying, "Yeah, I got this complaint," cool, what are you going to do about it next? "I don't know, that's Security's problem." Well, all right, Security, think. And Security does this, and then Security doesn't call Legal and doesn't call the C-suite or whatever. But making people sit in that moment of pure freaking terror when they're like, "I don't know what to do," Brit, drives that point home really well.

So, this ransomware didn't go full ransom just because of the way the dice rolled. If I were doing this for compliance, like a SOC 2 or an ISO or something like that, I would probably push it into somebody calling you with a ransom, actually calling up with a ransom demand, to force them to get Legal in so that we could test that process. So, just throwing it out there, and Blue or Red, anybody can answer: how do you think this would have changed what you did if there was a demand, either somebody put a demand out or directly contacted you? How do you think this might have played out differently?

Well, then it gets into convincing people not to pay, and discovering whether they stole anything that could be used to extort us if it got released publicly. Because I think we at least succeeded with the backups, so we didn't need to pay the ransom to get our operation back up and running, but there's always the extortion threat of releasing confidential data publicly.

I think your CEO is going to be a wild card there too. I mean, based on how the CEO was, I can imagine they're just going to do whatever they can to pay that ransom to get it out of the way, throw money at it, and then probably at the same time start going crazy internally, screaming and yelling at people to make sure it never happens again.

What are some good reasons not to pay the ransom?

You don't negotiate with terrorists. Paying the ransom doesn't mean that the ransomware people have deleted the data. I mean, there's no way to prove that they've actually gone through and gotten rid of whatever damning evidence they have. So, for me it's, you know, you pay and the ransomware guy goes, "Oh cool, they paid, we'll come back next week and do it again," and just uses the same data. Or you pay and they release it anyway, because, you know, it's just for the lulz.

Yeah, I think that's true. And you brought up something that Blue Team, y'all didn't address, and I decided you guys had taken enough hits, so I didn't go down that route. But yeah, you restored from backup, but who knows, you don't know if that data got exfiltrated. And if it did, yeah, that's its own problem; it could be released or whatever. Another dimension, another direction we didn't take with this one was: this is sign-up stuff. People sign up,
which means you almost certainly had PII. Not calling Legal could have been catastrophic there, because you're doing pretty well, your cat memes, you almost certainly have more than the 500 or a thousand or whatever each AG, each attorney general in each state, requires. And God help you if you have any GDPR exposure there, because you would have, on top of that, had the, I think it's 48, 72, I don't know, I look it up every damn time because the place where that should be in my brain is filled with mid-90s song lyrics. But yeah, I mean, that's another thing. Something as stupid as a cat aggregator, like a cat meme site, you don't think about it, but as soon as I said, cool, what's locked down is the customer, you know, your customer mailing list information, that could have, slash should have, triggered checking out, evaluating for, making it not just an issue but a breach. So I'll throw that out too: had it been more of a breach situation, how, if at all, does that change the way you go about this?

On the technical side, I'm not sure that it's going to change a whole lot, because you still have to clean it up and restore. It's mostly going to be on the legal and PR side. I mean, that happened and we just have to own up to it, or, depending on the CEO, try to hide it.

Al Dragon, I think I saw you unmute.

Yeah, that's what I was going to say. I don't think it does change the technical side; it just adds legal and PR complications and reporting requirements.

So, and this is actually where getting people in the room who don't talk is important, right? Because a lot of you, and reasonably so, don't get me wrong, reasonably so, are like, "I don't know what Legal and PR do," and that's totally fine. I'm kind of the rare duck that straddles them a little bit, though I'll say I'm much more compliance than tech. In fact, when I design these, if they're crunchier, I almost always consult on, like, what does this tech, what should the tech actually look at. But it's important, right? You don't have to know the law, or you don't have to know exactly what forensic tools, but having a sense of what the process is for the other person and the other people is important. Just have a bunch of people who've never been in the same room together play one of these, or swapping roles in character classes is fun. If you check out my SlideShares you'll see at least one game where I've done that, and I like to give them a power, because obviously everybody should have a power. Yeah, that's why this stuff is fun, and that's why the game way of doing it is fun. So let me open it up more generally: what worked for you guys as we played this? What worked?

I thought all of it was awesome. Nothing comes to my mind where I'm like, that sucked, don't do that again. Well, you know what I like the most is the fact that you threw multiple red teams at them, because the fact that there's just these little [ __ ] running around just creating chaos, I like that one.

Yeah, I'm glad. Well, and that it's all different goals, right? So I was able to say, like, all right, Hack the Planet, you've met your particular goal, because your goals are different than, like, the pentesters; they just want to do a good job and also enjoy their job. The competitor wants to see the company sink for their own reason. So yeah, it makes the Blue Team especially have to think about it. It's fun for multiple red teams, and it also makes the Blue Team think, like, [ __ ], it's not just, we don't have to think of hardening in some weird amorphous way; we've got to think of, like, who wants to [ __ ] with us and why. Al?

I like the dice mechanic as sort of an adjudicator, because it cuts down on the tendency to argue about whether something would be successful or not. Like, there were a couple of times where I'm like, well, that wouldn't have succeeded because we said we did X, but any control can fail, and there's always the, you know, did
the person who implemented it do a good job? So I like the idea of, well, the dice didn't roll in your favor, so that control failed and now you're screwed in that particular aspect and you have to deal with it.

Yeah, the key with doing that while running these is to be reasonable about it. If I was an [ __ ] I'd be like, no, it's 30%, no. You don't have to, especially in something like this, which is a more casual game, I don't have to get super granular. But yeah, a reasonable randomization to deal with the fact that, yeah, any control can fail. These get crunchier if I'm doing them for a compliance thing.

Yeah, I like it. I like a little bit of randomness.

I'm actually working on a book on this that will take forever, but one of the things that I explain is why randomness is important, and then how to deal with randomness, and what I call crunchy, crispy, chewy rule sets and needs. And this would be like a chewy, just a little randomization, so I'm glad that worked. So, I know some people, I've heard, do these tabletops; some of you all have been in these tabletops and some not at all. But what do people think they can take out of this for themselves, or their clients, or whoever?

Well, and I've seen this up close at a lot of different places, one of the most important things is involving other people outside of a technical space, because there are so many silos in different places. Not every culture is the same. I've been in startups that were like an enterprise and I've been in enterprises that were like startups, and it's getting all the relevant players together and realizing now is not the time to be the first time to do that. That should have been the corporate culture from a long time ago, and if it wasn't, why wasn't it? Who wasn't advocating? Who didn't have the foresight to do that? So that's the most important thing for me, is when that comes out. And even still, you'll go back a year later and they didn't learn their lesson, and say, hey, didn't we talk about this? Or some people really take it to heart. So yeah, getting all the stakeholders far before the [ __ ] hits the fan.

Yeah, the annual thing too is really interesting. If you're doing it for compliance, you're doing something that's got to be on an annual cadence, like: we did the thing to get you ready for your audit, here's our findings, here's the deliverable, okay, my part of this is done, I'll see you next year. And I come back and I'm like, really? Are you kidding me? Like, really, same [ __ ]. Anybody else find any particular value in doing tabletops, or especially tabletops that are more fun than your average bear?

Well, in general it promotes the conversation, and if you make it fun enough it can be part of the culture too. So I mean, just blowing off steam and doing something like this at work. There's not necessarily any major consequences to what happens at the tabletop. Everybody kind of learns a little bit about each other, and just the overall fun of it.

And does anybody feel like, by doing this in a more gamey way, it takes some of the pressure off, as opposed to a regular tabletop where you're looking around?

Absolutely. Yeah, 100%. This is so much better than, like, here's all your binders. No, 100%. I talk all the time, and when Quad was like, hey, you could be one of these people, I was like, oh no. And then it got to be fun immediately, and yeah, that's so much better than the stuffier other ways I've seen it done.

One of the things I talk about is stress versus suspense. Regular tabletops can be really stressful, not so much because of the scenario but because your boss is sitting there half the time. Like, if you're on the security team and your security lead's there, hopefully your relationship with that person's cool, but if it's not, you're like, I don't want to be the person who looks like they never read the information, which they didn't, because binders suck.
So yeah, I've gotten feedback saying that by doing this, everybody gets to step out of reality a little bit, especially if it's silly, like cat memes. But, you know, I've taken these silly scenarios and, depending on the client, all right, I'll run it completely straight-laced, the same damn scenario, but if you put a couple of cats or dogs or something in it, all of a sudden people want to know what happens next as opposed to looking over their shoulder. So that's pretty cool.

I think using something that's not the company that you're at makes it easier for people to make decisions and call things up, because then, at the end of it, there's really no way to point fingers and say, you know, you should have done your job better.

Yeah, absolutely. And people can innately just be stressed; that's just some people's natures. But if you throw in fun things, it's like an automatic defuser, because somebody just has to remind, like, hey, look, cat meme, and you're like, cool, and then that little stress level goes down a little bit. But yeah, like Z face, like, if you're tied to the actual company and all these things, now you have all these institutional grudges and [ __ ] that start coming up. But if you just throw it in like a cat meme thing, it definitely defuses it.

Yeah, yeah, and that's the idea. Like, the process was the same. I mean, we had that, Rando had that light bulb moment, that is very real, right? A very real, useful thing that you're going to take, but without pointing fingers and stuff like that. So, to the extent that I've definitely had people who have heard my spiel about this but not yet played in one of these games say, "Well, nobody's going to take it seriously." Like, you don't have to take it seriously as long as the messages are there. That moment of, oh crap, could we get everybody to scrub, is the [ __ ] point. And people are going to remember it too, that's the other thing. If you're having fun, you're going to remember it; you're not going to just say, well, we got through all the binders. Just like with any tabletop game, you're going to remember that time that somebody did something crazy. Like, y'all are going to remember that Blue Team in the first round decided to try to rely on their training, and how horribly that went. And next time somebody's doing a training, you might think about that, like, oh yeah, there was that time. Whereas I find you don't retain, I don't retain stuff, even when I'm running them, from the straight-laced game. Like, I'll go the next year to do it again on the security cadence, I'll do the next year's for one of my clients that really wants it to be straight-laced, and I won't remember jack about their findings from last year. I'll look at my deliverable and be like, oh, you did that. But the people who I get to do this with, I think it just works out really well. Any other questions, comments, concerns, things you thought worked, didn't? Anything. I'm happy to answer anything about these games, or to give you 15 minutes of your life back.

I just want to say thank you for doing this, especially this early.

Yeah, I appreciate it. I appreciate the opportunity. And I know I answered the CFP super late, because this last couple of months has been insane with going around the country doing these and getting used to traveling for the first time in two years.

So, that actually brings up a question, and yeah, we do have a good five more minutes until I've got to transition everything. So you're playing this now with a bunch of hackers and nerds and stuff at an actual hacker con. What's been the reaction when you do this in the actual enterprise, with companies? How do they respond? Have you gotten companies that are like, this is too fluffy and this should be more blah blah blah, or do you get positive responses doing this?

From everybody who has ever played in one of these I've gotten a positive response. I've had a couple of
times when I've done the presentation to the client, like, okay, you want a tabletop? Yeah, okay, well, we can do it straight-laced or we could do it like this, and there's a continuum between straight-laced and all cat memes, and I've had some clients shy away from doing that. Just a couple of days ago I had the weird experience of pitching the idea to a group of CISOs, like, do you want, let's run a tabletop, and they're like, well, what do you mean? Oh, it's like D&D. And they jumped back as if they were on fire, like, what, nerds? So, but any time I've gotten people into a game, playing it has so far always been a really positive experience. Sometimes it's just selling people on this idea that you can do this, get this done, and have fun, which is part of the reason that I'm writing this book. It's kind of going to be, essentially, a game master's manual on how to do this, trying to make the steps of designing and running these more formal, to kind of maybe educate and have people who might shy away from it because it sounds too nerdy be more into it. But yeah, as soon as I get somebody into a game, and you saw it as we got started, everybody feeling out their space, once that happens they always sing, and it's nice, it's a lot of fun.

And have you done it across different verticals, like finance or retail or blah blah blah, and do you find they react similarly to it?

So the one I did in Colorado was an investment firm that was doing a retreat, and they got their technology partners, which was everything: CISOs, accountants, lots of different verticals. And they got it too. This was one of the ones where I switched roles, where they had character classes, and it was cool because what everybody said was they were uncomfortable, didn't know what they were doing, but they left with a deep understanding of what people in another vertical did. So that's super cool. I'm actually in the process of planning one for December for 40 accountants whose CIO, no, their CEO, sorry, wants to scare the crap out of them, because they don't want them to be the employees that the Blue Team dealt with.

Yeah, so that's going to be fascinating.

I think with a mixed group it's really interesting, because people can inform themselves. I'm really interested to see what it's going to be like to do it for a smartphone-level tech group.

Yeah, well, you're awesome. This was so good, and you were an amazing game master. This was a lot of fun.

Thanks. Well, I'm here in Philly, running things for fun and profit. Like I said, I'll put up my SlideShare, and every once in a while I'll poke people saying, hey, I'm testing out a new game, anybody want in? So I'm happy to run things.

Sweet. Okay, well then we are right at the time we need to be at. Perfect. Kelly, thank you so much, and for everybody else who is watching on stream, all of these videos will be cut up later. This entire game will be available for you for playing again. And up next we have, what is it, Why Is Cyber Security Like Soccer. But yeah, about 10 minutes and we will be right back.
Awesome. All right, all right, all right. Welcome back to BSides Delaware day two, 2021. We're all virtual this year, for our 12th year, but hopefully not for long. My name is Rando, I am your MC again for the day, and I have more energy today than I did yesterday because I didn't really talk at all. But this is not about me, this is about our next presenter. He is Mr. John Stoner, and he's going to talk about how cyber security is actually a lot like soccer. John, take it away, sir.

All right, good morning everybody. Thanks for being here, thanks to BSides Delaware for having me. I am super excited to present this talk. So hopefully you have some coffee or some other things to keep you going this morning: Monster Energy drinks, tequila, whatever you need. I'm at One Mr Stoner on Twitter. I'm on Twitter all the time, so I'm not going to spend a lot of time on my background. Real quick: I was in the Army for 10 years doing signals intelligence. For about 11 or so years I've been really focused in cyber security, mostly in the DoD space. I've had a whole bunch of different roles, I hold a whole bunch of different certifications, but more importantly, I have 36 years of soccer experience. I know more about soccer than literally any other subject at all. I also am a US-certified soccer coach, so I'm super excited to give this presentation to combine two of my passions, soccer and cyber security. This is mostly going to be a less technical presentation, but I think a really important one, as we use all the soccer analogies to sort of explain some things in cyber security that I think are really important, sort of on the human and training aspects.

So I want to start off talking about personnel. This is one of the things I care a lot about, and if you're new to cyber security or you're thinking about getting into cyber security, this is probably a really good presentation for you. If you manage people in the cyber security space, this is probably an excellent presentation, and if you fall into one of those categories you should be taking some notes, so write some things down. Okay, all right. The first thing that's really important is that within cyber security there are at least 50 specializations, if not more, right? So I often use a lot of medical-world analogies to help describe cyber security as well, but we have so many different things you can do in cyber security that when you're starting out it can definitely feel overwhelming, and I know that adds to the impostor syndrome that a lot of people face who are just getting into this field. And really there are two general types of people in cyber security: we have people who focus on one particular area and become very deep technical or non-technical experts, specialists in that area, and then we have sort of these broad, all-encompassing personnel who've done a lot of different things across their career. And in soccer we have the same thing. In soccer we have super specialists like Adama Traoré, who currently plays for Wolves, who's super strong and one of the fastest players in the Premier League, right? He is going to do very particular things on the soccer pitch that Milner is not going to do at Liverpool. But Milner can play multiple positions: he can play center defensive midfielder, he's filled in at center back for Liverpool when all of our center backs were injured last season, he can play right back, he was actually a right winger originally. I can probably put Milner in any position on the team and have him be pretty successful, but he can't do what Traoré can do, right? That's a deep level of specialization, as a very speedy, attacking, direct player that is going to do that. And I can't play Traoré at center back, I can't ask him to play out of position, it's not going to work. There are specialists and there are generalists, and I want to talk about this a little bit more. This is a big
part of this presentation, because when I see people pop up on Twitter or I meet them at events like a BSides event and they're looking for some guidance, if they're new in their career, or maybe they're not just starting out but they're thinking about their next step in their career, we get into these conversations about professional development and the sorts of training that you ought to do. So, just some examples of some really deep specialists that come to mind for me: malware analysts, malware reverse engineers, right? And then that rabbit hole goes deeper depending on where you work. If you work at, like, a Fortune 10 bank you may have some teams that analyze malware, and maybe you have some sophisticated threat actors who've attempted to use malware on your network, then you and your buddy just analyze whatever malware comes in that day. But in my world you may have some really deep technical expertise, and that person, she is the malware reverse engineer for Chinese advanced persistent threat actors, and that's what she does all day, every day. And while she might fill in if, like, Billy, the Russian malware engineer on APT, got hit by a bus, she won't have that same deep technical level of knowledge about the Russian threat actors as she does on the Chinese threat actors, right? DFIR analyst, right? That's a very specialized field. And just like Coutinho, I need to have these players in the right positions in the right organizations. Coutinho is a free-kick specialist, an offensive creative force. He's not that big, he's not that strong, right? He's similar to Pio when Pio used to play that attacking, creative, fluid playmaker. I have to play them on offense; they're not going to play defense. They may have heard of defense, but they really don't do that. So I have to ensure that I know who these specialists are. I don't want to have the malware person and then ask them to try to go do some red teaming, right? Those are different specializations; those technical specialists have to work in those technical fields. And you can eventually change specialties, this doesn't mean you can never change specialties, which I'll talk about later, but this is just an example.

Specialists; then you have generalists. I think the best example of a cyber security generalist is a SOC analyst. And also, while we're on this topic, it is neither better nor worse to be a specialist or a generalist, right? It is not derogatory to say, I am a generalist, I do a lot of different things in cyber security. So I also want to make sure no one is thinking that that's what I mean. The malware analyst is very valuable for what they do. If I work at a DoD agency, I need Jill to analyze the Chinese advanced persistent threat malware, and I need that level of expertise. If I'm at a new startup and we have SOC analysts, I need really skillful SOC analysts who might be able to tackle sort of any problem that comes into the SOC. So they're a generalist; they're going to develop technical expertise, but not super deep focused on one particular thing. You also see these job ads all the time, and I know you see them: cyber security analyst, we are hiring a cyber security analyst, and then the job description makes it look like it's seven people's jobs. Well, if you are in a role like that, where you're just asked to tackle lots of different things, then you're in the generalist bucket. I often describe a lot of the DoD policy analysts I work with, the people who work in the policy realm: they don't just work on ransomware policy, they're working on lots of different policies. They're the people who maybe try to make CMMC make more sense; they are the people who are working on NIST 800-171 or NIST 800-53. They may be asked to look at
interagency agreements: does NSA have the right authorities versus what CISA is trying to do? Right, so these policy analysts are generalists. They need a lot of information and knowledge and skills about probably lots of different areas of cyber security, so they're not a specialist. I would also argue your technical leaders, technical program managers, directors, CIOs, CSOs, ISSMs, ISSOs, those are generalists. They need to know a lot of different things about the cyber security space and domain, right?

So, like my man, captain of Liverpool, Henderson. I swear you could put this bloke anywhere on the pitch and he is going to do a super adequate job. Right now, if you play him in his center defensive midfield position, he's going to be pretty good, right? He's probably not the best center defensive midfielder in the world, but he's pretty good at that position. But if you ask him to play further up the pitch, to be more of a creative force, he's going to do that. He also filled in at center back when, like, every single one of our center backs was injured last year, right? I could ask Henderson to kind of play anywhere on the pitch and he's going to do an adequate job. Same with David Alaba: if you've never seen this guy play before, he's amazing. He is a really, really excellent defender, but he will often push up into a creative, playmaking, attacking role as well. I could probably ask Alaba to play anywhere on the soccer pitch and he's going to do a pretty good job, right? I can't ask Coutinho to play defense; it won't work. He is a specialist, he is not a generalist.

Specialist, generalist: we have this in cyber security. It is rarely discussed, and I think it's super under-discussed, especially when we are advising personnel on career paths that are available to them, training, whether it's formal training, university training, certifications, boot camps. We don't think about all the different specializations and jobs that are available, because there's lots of really deep technical specialists and there's lots of generalist-type roles as well. Just since this is about soccer and cyber security, right, like James Milner, a pretty solid all-around player. You can see the FIFA sort of chart there at the bottom, but you can see he doesn't really have any specialities; his speciality is like, I can kind of do everything, right? As opposed to Coutinho, right, he's got "acrobat" as a speciality. Milner's not an acrobat; it's just not going to happen. He's also more physical than Coutinho. Now he's certainly not as fast, but we can also see Coutinho really sort of maybe has heard about what defense is but doesn't really do it, whereas Milner can play defense. He can also dribble and pass, but he's not quite as good a shot as Coutinho, he's not as creative, he's not as fast. Right, different players, and Coutinho is a specialist.

Here's another example of this, just to drive the point home a little bit: an IR/DFIR specialist versus a SOC analyst, right? I think a SOC analyst is the quintessential example of a generalist for the purposes of what I'm explaining. So again, it's going to depend on the SOC you're involved in, the size of the company, you know, are you a tier one SOC analyst, tier two SOC analyst. You're going to have to deal with lots of different things that come into the SOC. Now an IR specialist maybe is also pretty
broad, but they're going to be pretty deep into the IR realm of skills and knowledge, skills and abilities, KSAs, that an IR specialist needs to know. And if you look really at what a SOC analyst might have to deal with, they might have to deal with anything, right? So it's a lot of different roles, and they're both really critical. All of these roles are critical for the teams and organizations that employ these types of personnel. You have your specialists and your generalists.

So the other thing that I'm going to spend some time on is training and professional development. I see this happen on Twitter all the time, something along the lines of "hey, I just got my Security+ certification, what certification should I get next?" That is a terrible question, and the people that answer you on Twitter are not people you should listen to if their answer is like "oh, you should get C next." What is it that you do at work? Where do you want to work? What would you like to do in your career? Those are the next questions before I can give you an actual answer as to what training you should go to next. So there are specialist trainings and certifications in this world, and there are generalist certifications and training. I have only included a few here; there's lots of different resources that are good when you are talking about professional development. But like, I see people talk about "oh, I'm going to get my eJPT," but they don't work as a pentester, and maybe they aren't really working towards becoming a pentester. So why are you taking pentester certifications? It doesn't make any sense at the macro level, unless you have a goal to become a pentester; well, then it would make sense. Nobody should just go get OSCP just so they can have it, if it's not relevant to either what they like to do in their free time, or, you know, they work as an independent pen tester outside of their work, or if it's related to work. You shouldn't just go get an OSCP because it's a well-known certification.

And again, there's specialists. Like, I grew up watching Jorge Campos play for the Mexican national team, who was a goalkeeper slash striker, goalkeeper slash striker for both the Mexican team and his club teams. That's a specialist: he can both be the shot stopper and also score goals. There has pretty much not been another example of him, as far as I know, in the whole world. And it's like Di María over at PSG: he's a great pro for PSG right now, although they have a lot of problems, because you can't take him off the pitch because he's a fantastic winger. But how do you get Di María, Mbappé, Messi and Neymar all on the pitch, because none of those people play defense? I can't have four people on the pitch and none of them play defense. I mean, at least Mbappé pretends to play defense; none of the others play defense, they don't even pretend, Neymar and Messi in particular. Neymar will sometimes play defense for Brazil, but that's a different story. Those are specialists.

Specialists, and you have generalists. Like, if you are studying Network+ or Security+, there's a lot of information, regardless of how you're studying, whether you just have the book, you're doing self-study, you know, you go to something like Professor Messer, you take a college course that covers that material, or a boot camp. The
material contained, in order to pass those certifications, is broadly applicable. Network+ will tell you all about networking. Security+ is going to cover a whole bunch of domains related to cyber security. So will CASP, so will CISSP; it is a broad cyber security management certification, just like CISM. So if you're sort of on a generalist path, or maybe your goal is to become a CISO, or a virtual CISO, or a director, a technical manager, then these sorts of broad generalist certifications will make a lot of sense to you, because they will cover a lot of really broad cyber security topics that you will need to manage a diverse team of really highly technical people. So if you are, you know, a SOC tier two analyst right now and thinking "I've done my time in the SOC, I want to do something else, I don't love being in the SOC," then your training and professional development should match where you want to go as a career. And you need to think about which sorts of technical specialization fields are available that interest you, and which sorts of cyber security generalist fields are available, and target your personal training plan appropriately based on whether it's a specialist or generalist field that is your end goal.

Like Emre Can, for example, a former Liverpool player. He's like a sort of not-quite-as-good version of Henderson, and you can play him all over. He's pretty pacy, he's pretty physical, he's pretty technical, he can play some defense, he can definitely play some offense. You could probably put him anywhere on the pitch and he would do a pretty adequate job. And like De Rossi for Italy, I swear to God you could probably play him at any freaking position you wanted on the pitch and he would be amazing. You could put him in goal, he would do okay, maybe not Gianluigi Buffon level of good, but, you know, I just feel that you could put some of these players anywhere into the soccer team and they would be value added. They're not specialists. Like, De Rossi is not going to do what Di María can do out on the wing, but I can't ask Di María to play center midfield; it's just not going to work, it's just not his position. He is a specialist, there are generalists.

As we're talking about the training: you could be working in a particular area, let's say as a cyber threat intel analyst, which is kind of what I know the most about, and you want to continue training as a cyber threat intelligence person. You want to increase knowledge, skills or abilities in the same technical field. So we
are now tweaking your focus areas in cyber security. Do I want to be more technical? Do I want to be able to do some of the initial reverse malware analysis that my job requires? Are we looking at pcaps, and I want to be better at pcap analysis within my role as a CTI analyst? Do I want to become a better report writer? Do I want to become a better presenter? Those are all sorts of skills that, depending on your particular role as a CTI analyst and your organization and team, are tweaking areas so you become better at the specialization that you're working in. So, like, you know, the person on the screen here from FIFA: we do this all the time in soccer. Like, I am a left wing; do I want to slightly tweak my left wing skills and abilities? Do I want to be more of a wide playmaker? Do I want to cut inside more and drive to goal more, so I want to work on my shooting? Because working on my shooting and working on my crossing are two very different things; both can be related to my role. It depends: what does the team need, what is my manager telling me I should work on? Like, am I a winger, but we are often getting hammered by the other team, so the coach wants me to work on my defensive positioning and my tackling a little bit? That's normally not a winger's main skill, but I could still improve that and still be a winger, but I would start to become maybe a little bit more versatile. So you can tweak areas in the KSAs for your particular specialization or job that you have, and you could take any cyber security area and apply this same mentality as far as tweaking your skills and training.

What also you can do, and this is really important, especially if you're newer in the field or just breaking in, is developing new expertise. So I have career changes, right? You can also think about this as lateral movement to a related but different expertise. Lots of people who work in cyber security have overlapping KSAs; we have overlapping knowledge, skills and abilities. So a lot of what I do in cyber threat intelligence might be related to OSINT, open source intelligence, and an OSINT analyst and a cyber threat intelligence analyst probably have a lot of overlapping skills that a new DFIR or IR analyst, digital forensics and incident response, DFIR, might have some overlapping skills that you would need to move into an entry-level DFIR role. A DFIR analyst might have a lot of overlapping skills with like a true IR analyst, someone who really is just IR. I would argue that those are still kind of two different things; I think DFIR analysts are a little bit more broad and an IR analyst is a little bit more specialized. You could say that those all have some overlapping skills with maybe a forensic analyst. So how do I go from "I am an OSINT analyst today doing a lot of open-source information searching and reports" to being a forensics analyst? Well, you would figure out what knowledge, skills and abilities that field and those jobs need, and you would develop the new expertise through a personalized training plan to develop that. You can't just apply. I can't
work as an OSINT analyst, do nothing, and apply for an entry-level DFIR position, because you'll never get hired. That's not how these things work. So we can do the same thing in soccer all the time. You might have Alexander-Arnold here, who plays for Liverpool in England. He's a right back, but he kind of really seems to like the offensive side of the pitch, right, with his crosses, with his free kicks; he has a lot of offensive skills to the game. So maybe at some point, you know, his coaches and he decide he should actually be a right winger. That's a much more offensive-focused person on the soccer field. Now he's currently behind Mohamed Salah at Liverpool, so he's probably not going to be a right winger for them right now, but maybe he plays right winger when he's called up to the England national squad, because they have a ton of right backs. It's actually a huge problem with the England team, how many left and right backs they have. So maybe he plays more as a right winger with them; I mean, that's possible. But then he's going to have to develop the skills to become a right winger. He's going to have to improve his shooting, his one-on-one ability to dribble past a defender. He doesn't really have that. He's very speedy, so if there's an open lane on the outside of the pitch, you know, he'll go down it, but he's not beating defenders one-on-one most of the time. He's not a Jack Grealish or a Phil Foden sort of character, or Pulisic. Go USA, by the way, with that important win over Mexico last night.

So you can do this throughout your career. You might be an OSINT analyst, and then you take some training, go to some conferences, do some training at the conferences, maybe you get a certification, maybe you go back to school, and you develop some skills that are necessary to get an entry-level forensics job. And then you tweak your resume, which is a whole other topic we're not getting into right now. You tweak the resume, explain what it is and why you're applying for a forensics position, and you can have career changes across specializations. And I've known people who have done this, who, like, every couple of years reinvent themselves through focused training and development to change specializations, and those people will make the best sorts of CISOs you've ever worked for, because they will have worked a variety of different jobs as well. So that's another way to think about your development as you think about your 10 or 15 or 20 year
plan for where you want your career to maybe sort of peak, so to speak. If I've worked as an OSINT analyst, and then I've worked as a DFIR analyst, and then I've done some forensics, and then I was a cyber security analyst sort of tackling anything, and then I did some policy because that was sort of really needed at the time, and then I'm 15 years into my career, you know, maybe then I start to look at technical manager roles, with the goal of eventually becoming like a CISO or something. You're never going to be able to work all 50 or 70 specializations in cyber security. I also know people who have done one very focused thing for the majority of their career. Some people are penetration testers; that is the thing that they love to do and they will be a penetration tester pretty much for their whole lives. There are people who are forensics analysts, and even within forensics analysts there are certain focus areas, and I've known people who have been a very sort of focused forensics analyst, but maybe as IoT becomes a new thing they develop some more technical skills around forensics analysis of IoT devices, but they're still in the forensics world and they always will be. There's no right or wrong way to shape your career in cyber security, but it does need to be thought of and shaped in three to five year stints, and with an end goal in mind, so that you're on the appropriate glide path for where you want your career to go. Are we, you know, sort of, oops, I clicked off my slide, are we tweaking focus areas for the job we have, or are we developing new expertise for sort of, you know, linear moves across specializations? That's the level of information that you and your mentor should be talking to. So don't go on Twitter and say "hey, what certification should I get next?" That's a terrible question; don't ask that question. Find mentors. Have this level of conversation with your mentors so that your training plan and career can go in the right direction.

So again, we can talk about individual analysis as well. My buddy Andy Piazza actually has given some talks about doing some individual analysis on yourself as you set out on this, of like, you know, sort of rating yourself, like "I'm really good at these technical things, maybe I'm in this area," so that can help you to figure out a training plan for both the job you're in now and perhaps for where you want to go if you want to change specializations. So again, this is what happens in soccer all the time. I
might have a player who, you know, wants to play striker, because a lot of players want to play up front and try to score goals, but if they don't have the qualities for that, you can make individual training plans. And this is something that US Soccer taught me in my licensing course for coaching: once you get to a certain level, like high school or, you know, pretty competitive travel teams, the coaches should be putting individual training development plans together for the players who want to play at this sport at that competition level. They're taking it that seriously. So you may have a striker, and you hear this all the time, like "you can't teach speed." You actually can teach speed; there are skills to improve quickness. So maybe you decide, like, you're never going to be the absolute fastest person, but maybe you need to work on sprints. So we come up with a plan if it's a physical thing, like you need to be a little bit faster to get to the ball. Maybe it's shooting; maybe it's shooting with your non-dominant foot. A striker really needs to be able to shoot with both feet. My center attacking midfielder, my midfielder, my wingers, okay, maybe I don't expect them to be amazing; everybody's not going to be Lionel Messi or Di María. But my main striker, if you want to be, like, you know, the main guy at striker, then you need to be able to shoot with both feet, even if your non-dominant foot is never quite as good as your dominant foot. Or maybe you want to be in more of the Firmino model as a false nine; well, then it's about link-up play, then you've got to really improve your ability to see the field, anticipate what's going to happen, do the quick little touches. That's all that creativity, that's Coutinho, that's Pirlo, that's Firmino. That's a different type of striker. What is it that you want to improve? And then you can rate yourself and improve those particular things for your career, or, you know, your soccer skills.

And then there's the whole team analysis. So this is sort of the next level. So we have teams. This is going to depend a lot on what industry you're in, what size of an organization, what level of cyber security maturity they're at. Is it a startup in Los Angeles, is it, you know, a Fortune 10 company, a Fortune 500 company, a department within the federal government, a state department? All of these things play to the team. What is the team responsible for? What are our strengths and weaknesses? What individual people on my team can I bring to different problem sets? So as
a leader, then, you should be thinking about this even if your team does one thing. Let's say I'm only in charge of cyber threat intelligence analysts; let's say I have 10 cyber threat intelligence analysts at a large, you know, Fortune 20 financial institution. Well, I still may have people that are better at different things, even though we're all doing cyber threat intelligence. I might have some really technical people that are super good when we have to analyze some stuff coming in from Linux systems. I might have somebody who just kills it when it comes to smartphones, Android, iOS; that might just be the thing, and they're really good at that. I might know someone who knows everything about, you know, FIN7 for whatever reason, so if anything comes in about one of the financial organized crime groups, we give it to Jeff, because Jeff just has, you know, followed them for a long time. Maybe we have someone else who's more of a generalist on the cyber threat intel team, and I know Amy really likes new challenges, so when we get something and we don't really know who to give it to, we give it to Amy first, because she really likes having to work on new stuff all the time. Because I'm a good leader and I've actually talked to her, and maybe her plan is to move off the cyber threat intel team to do some other things, so she wants to try to get exposed to as many different sorts of things we deal with as possible. But I would need to actually have some team analysis and not be a shitty manager, so I can actually manage the team properly. Man management: we all hear this in sports all the time, man management. Do you know your team? Do you know what they want to do? Do you know where they want to go? Do you know what their training path is? If you're not a good manager, you won't know, and then people will just quit and everybody's unhappy, and you don't know why, because you're not spending the cycles to actually have effective man management for the people you're in charge of. And let me tell you, in my personal experience most managers aren't good at this, and there's a reason there's a lot of turnover in our field: when most people leave a job, they primarily say it's because of their immediate supervisors that they left the job. This is another huge problem, not just in this field, but since I work in cyber security I will apply it specifically to this field. We need a lot better management training as well, so that we can manage the teams better, so that we are helping the people on our
team get the professional training and ensure they're on the career path that's helpful to them. It won't stop turnover; they're still going to be poaching. I mean, if Amy has been with the team for 18 months and seems to be enjoying it, but, like, you know, another competing firm comes in and offers her 30% more salary, if we don't match that she should go, and that's the reality of the world we work in. What's our strategy for the team? Like, what strategy overall? This kind of ties all in together. What's our strategy for our cyber security team? Do I have a plan overall for what I will do if there is turnover? Do I have a training plan? How do I onboard new people so they feel they're part of the team, and I make sure that they have the technical skills necessary? Like, let's say on average on my 10-person cyber threat intel team I lose one person every 18 months. There's just a turnover; these are very high demand people, they have a lot of in-demand skills, and I just tend to have a turnover of at least one. Maybe some of that's internal, right, maybe some of it's internal if we're a really large organization, but every 18 months I'm sort of bringing on a new person. Well, if that's a constant thing that I'm doing, I should have some playbook, some standard operating procedure, some SOP, some guides. Do I have sort of right-seat training, on-the-job training, make sure that they know which tools we use, how our reports are written? If I don't have this level of plan, that turnover is a lot more burdensome, because I haven't effectively onboarded the new person to be part of the team: both being part of the team and welcoming them and making sure they feel integrated, especially if we're virtual right now, but also technically integrating them into the team, into our processes, how we do things, what tools we have access to. Do they have the right accounts? Do they have a computer? Does it get shipped to them? Can they log into email? Do they need access badges? All that kind of stuff.

Team strategy. Excuse me. If I'm Leicester, I might win the Premier League and surprise everybody one year, but I'm never going to be Man City. I'm never going to be Man City if I'm Leicester, and if I'm Man City I hope I'm never Leicester, right? And that affects everything. That affects everything. If I'm PSG, I can just buy the best players and put them on the field. If I'm Benfica, I can't do that. And most companies and organizations that you work with are a lot more like Benfica than PSG.
PSG is basically like Fortune 5. PSG, Man City, Barcelona, Real, Bayern, maybe it used to be Man U. There's very few teams that can operate at that model, very few that can operate at that model. There's a whole lot of teams that operate on whole smaller budgets, and maybe instead of always trying to find somebody when you need a person, at the pay range for your geographic area, maybe a better way would be to have more paid internships. Paid internships. Pay your interns. Paid internships that result in us having a pipeline of talent, that we kind of know them, so there's a little less risk to hire them, because we've known them and they're going to show up and they're going to do good work. And then we have a career path, because then we can bring people in and they can get promoted. But a lot of companies just never have invested the time or cycles to kind of think about this process, and it's a contributing factor as to why hiring is completely broken across cyber security. But if you had the sort of well-thought-out plan to backfill every 18 months that cyber threat intelligence person that gets turned over, or the tier one SOC analyst that we just kind of tend to lose one every six months, maybe because it's pretty intense, and maybe we're a smaller organization and our pay isn't quite as competitive, but it's the best we can do for a tier one SOC analyst, so we just have quite a bit of turnover. Like, maybe there are other ways to think about talent recruiting and talent management. And maybe the SOC analyst just quit because you have no plan for their career development, so you just hire them into the SOC analyst role and then a year later, when they update their resume, they're just getting poached, because you've never talked to them about what the next steps are and you don't offer them any career development. There's all sorts of team, overall organizational strategies that can be done that rarely are being done. Most of us aren't PSG; most of us are Benfica. And overall, if you're in charge of strategy and management, it would be beneficial for you to consider some of these options and really think through your strategy.

Specialists. Akinfenwa. The reason I know who this player is, is because he was routinely the strongest person on FIFA. He's a striker, he's now 39 or 40, he's probably in his last season. I also know him because he plays at AFC Wimbledon, which, if you don't know about AFC Wimbledon and you like soccer, you should check it out. John Green plays a whole bunch of AFC Wimbledon on FIFA; it's very entertaining. He's a
specialist. He's a really strong hold-up striker. He's not running by anybody; he's just not running by anybody. Akinfenwa and Wambach play the same position. She's now retired from the national team in soccer. They are both strikers; they don't look the same. That's one thing that soccer has: you've got a lot of different players on the pitch that play the same positions that also don't look the same. But she's a specialist. She was the person you brought on if you needed to score a goal in the game. She was good in the air, she had a big physical presence, but she's not going to run by people; you're not going to play over the top. She's not Jamie Vardy. Payet. I miss watching Payet in the EPL. Free kick specialist, very offensive, possibly has heard of what defense was. He's not going to play defense. I can't have him play center midfield; he needs to play in his very particular position. Same with Lamar, speedy outside. If you want a speedy outside person, he's probably one of the best 5 to 10 players in the world for what he does, for what he does, because he is a specialist.

You've got generalists. And some of you are like, how is Harry Kane a specialist, how is Harry Kane a generalist? He's a striker. He's a striker that can basically play as a center attacking midfielder, he can play as a false nine. The Spurs, unfortunately for my significant partner, you know, are not having a great season, but he's done all sorts of things that other strikers aren't going to do. He can make the pass, he can be less selfish, man. Juan Mata, who I think is still on the Man United roster even though I don't think he's played any minutes, you could probably put him in anywhere. N'Golo Kanté pretty much plays anywhere on the pitch, covers more pitch than anybody else. He's one of the best players in the world; I would love it for him to win the Ballon d'Or. You could ask Kanté to play anywhere on the pitch and you would probably get a super, super good performance anywhere. Marta for Brazil, I think she just competed in like her fifth or sixth Olympics, it was like a record. I think she's 42, I don't think she's retired yet from the Brazil team, but you could ask her to play anywhere, anywhere, and you would get an adequate performance.

All right, last slide before we get some questions: individual career progression. Pep Guardiola is arguably the be... likely a number two, I hope I'm... oh, my Discord just did some crazy stuff.

Yeah, your stream, no, your stream ended. Can you share
again? Yeah, bear with us, BSides Delaware, while we hammer out some... hey, there we go. Yeah, it was weird, this just, like, crashed. That's fine. Are we good? Yeah, we're good, go ahead.

All right, so last slide and then we'll see if there's any questions. So Pep Guardiola, arguably the world's best manager. I think Klopp maybe is number two. Gregg Berhalter is not in the top 50; I can't believe the US team keeps hiring these trash coaches. Guardiola was a center defensive midfielder, but he played as a playmaker, so he would take the ball out of the back, out of defense, and then look to progress the ball down the field as, you know, that first part of the attack. So he was a very technically skilled, ball-playing, attacking player who also had a lot of technical qualities as a defender. And then he became a manager. And we know that a lot of players, Michael Jordan, who become managers aren't good managers; it just doesn't work most of the time. But Arjen Robben, who's one of the world's best soccer players ever, says Guardiola was the best coach. He coached Messi, he coached Iniesta, he's now coaching Phil Foden, Sterling, like all of these great players, and he's making really technical players better. I thought like Jesus and Sterling's careers were sort of plateauing as offensive players. So like, as you think about your career, what is your individual career progression? Like, do I want to continue to be a technical expert? Like, I am Payet, I am Akinfenwa, I am Treor. Or do you sort of mature based on the needs of the team and how your career... and you become a James Milner: I've played a lot of different positions, I've played right back, I've played center back, I've played right wing, I've played midfielder, I've played center defensive midfielder. Because Milner might make a fantastic coach at some point, because he's played a lot of different positions on the pitch; he really understands the totality of the game.

And the other thing I think that's worth noting, which I kind of talked about already, is if you don't have good managers then it's going to be hard for you to retain good players. The best managers in the world have players, and the best players, who want to play for them. I think that, while I like the fact that Nuno Espírito Santo was the Spurs coach, I don't think he had the respect of the players because he just wasn't a world class manager, so, you know, unfortunately they had to fire him and go get Conte. I think it's why Man U is having some problems; like, I think if Zinedine Zidane came into Man U he would immediately command respect from Pogba and Sancho and Fred and Ronaldo, and that team probably would immediately be better. So, like, if you want to be a Pep Guardiola at the end and be one of the best CISOs or best managers in the world, you really need to work on all of that: work on your technical cyber security skills, but then work on your man management, work on social skills, active listening, how do I deal with the people in the team, what's my method for solving problems. So that's my last slide about career progression. I will now attempt to take questions as long as Discord does not crash on
and once again, thanks to BSides Delaware for having me today. I'm on Twitter, you can find me on LinkedIn. I'm not the John Stoner at Splunk, that's a different person; I'm the John Stoner at Booz Allen Hamilton right now.

So John, I am now monitoring the track one chat Q&A, and our very own BSides Janice says: thinking of the good managers versus bad managers analogy to security and leadership, I'd be curious what kinds of other mistakes are made in soccer that align with organizational security mistakes, or mistakes that infosec practitioners make.

I would say a thing that comes to mind is you have to know the personnel in your system, and we see this in American football a lot: you'll hear the term systems coach. You have this in soccer as well, you have systems coaches. Barcelona just went and rehired one of their best players on Earth, Xavi, because they weren't able to play the Barcelona way under Ronald Koeman, because he was having them do other things and it wasn't the way Barcelona wanted to play. So they went to go get a coach that knows the Barcelona system. Leicester are always going to be a counterattacking team, right? They're not going to be a possession based team. So I know it's a long-winded way of answering the question, but you have to understand your team and the function and the system and the strategy, so that whatever you're doing in cyber security can be most effective. So I think that goes back into a lot of both the technical skills, knowledge and abilities that people in your team have, versus having management and leaders who understand the people on the team, so that we can most effectively utilize them for whatever our particular mission is. And lastly, are you measuring things for success? This is a big topic right now and it pops off on the socials all the time, and the government's really bad at this, and I can say that: like, we want everybody back because how do I know you're working if you're not here? If your measure of success is "I'm present", that's not a good measure of success to know if the people on your team are effective. So what other metrics do you have to know if, both individually and as a team, we are doing well, or how do you know that we aren't doing well? Just because you see me here at work does not mean I am working. There's a lot of people I work with that are really good at looking busy and not doing anything, versus super efficient people who are really good at their job but maybe don't seem like they're working all the time because they're just more efficient. I don't know if that 100% answered the question, but yeah.

And also that brings to mind: well, how do you know that I'm working? Have I been working this entire past year? Is it okay? Okay, well, that's how you know. Right, the question answers itself at a certain point. Again, that's the management: did you think I was working? If I have been doing a good job, you should know that; if I haven't, you should know that. And then they'll naturally respond with, well yes, you have been working, doing a good job. How do you know that? Oh well, you did blah blah blah. Well, there's your metrics, and now you answered your own question. Again, it's one of the stupidest things. Let's see, somebody else in chat said, and by the way your answer for Janice was good: I don't know nearly as much about soccer as you, but can definitely appreciate your passion about soccer and your related insights into job roles. I didn't know there was so much involved with soccer, John. Quite honestly, I will tell you, I never thought, I was like, oh, they flop around a lot, but you're passionate for it, and your explanation, I was just like, I'm gonna go watch soccer now.

Well, Tuesday we have an important match against Jamaica. We need to qualify for the World Cup this time because we didn't last time. We won against Mexico last night, which was big, but we have another big match against Jamaica; if we can win that one we should be good to qualify for the World Cup. What do you think?

So I was having a conversation, and real quick, we've got about three minutes. I was having a conversation with Mike Murray from Scope Security, and we were chatting about how, and I'm not sure if you watch, do you watch Ted Lasso?

I have not. We're going to binge it when I have my daughter for Thanksgiving, so I've seen some clips, I know about it.

Okay. I mean, naturally, because hey, soccer, but also what Mike was saying is not only is it interesting because of that, and it's written well, but it's a really great show about management and management techniques. So my wife watched the whole thing, I've only seen a couple of episodes, it's really good. But I thought, because soccer, so yeah, countries are in this country, yeah. So yeah, other than that, no, I don't see any more questions in the Q&A. There is the track one post Q&A where you can go in on a voice channel if anybody wants to hang out in there, and we are going to be breaking for lunch now until 1:00 p.m. I believe. So yeah, go grab a bite to eat everybody, and BSides will be back. John, thank you so much man, you were awesome.

Thanks. You'll never walk alone, Liverpool. Thanks for having me. Enjoy the rest of the conference.
Welcome back, BSides Delaware. My name is Rando, your MC for this afternoon. We are back from lunch and I hope you got your lunching and food comas settling in nicely. We return with Mr. Rob Slade on Security Lessons from COVID-19. Take it away, Rob.

Thank you very much. It's not just after lunch for me, I haven't even had my breakfast yet. I'm out here on the wet coast of Canada, so I'm an untrustworthy alien from your perspective anyway. And bearing that in mind, there's the QR code where you can get all the information about me, quite safely, bearing in mind that I got my start in security doing malware research, so I know every way to trick people into installing bad things on their computers. Now, it's listed in the slides as BCP and Privacy Lessons from COVID-19; you'll see the title here is Security Lessons from COVID-19. This is normally actually the third of three parts of Security Lessons from COVID-19, but it's a bit of a catch-all. But yes, we are going to be talking about business continuity planning, privacy, a little bit about application security, and we'll see what else has dropped into the slide deck while I wasn't looking. Okay, just to refresh your memory, everybody else said the pandemic started March 11th, 2020, because that was the first day the World Health Organization was willing to use the word pandemic, and there was the infamous basketball game that ended sports as we know it, although we seem to have started that up again; it's important to do the important things in life, yes. But for me it all started on March the 10th, and that particular morning here in Vancouver. March is a big month for security: we have CanSecWest, we normally have BSides, sometimes we have BC AWARE, and the Vancouver Security Special Interest Group always has their monthly meeting. So I was slated to go to two conferences, I had two speaking engagements, three conferences actually, yes. And I remember talking about it at coffee that morning with somebody, and by dinner time, bang, it was all gone. So life can change rather drastically in a very short space of time, and it's important to bear that in mind when you're thinking about business continuity planning and how it's going to work. Not every event affects everybody equally, and this is actually an old illustration, but it was sort of case numbers for basically pretty much everywhere over five million population at the time, and the numbers involved there. And I'm in a bit of a privileged position because that little blue dot right at the bottom, that's British Columbia. So anyway, I will make a suggestion, particularly for those of you who are interested in security awareness training, or really any kind of communication of a complex and difficult subject: I really recommend the Dr. Bonnie show, which is not called the Dr. Bonnie show on this YouTube channel. This particular YouTube channel is the BC government YouTube channel, so you may have to set up a VPN and say you're from Canada in order to get at it. But if you look up the COVID-19 updates on that channel, we have a secret weapon here in BC, and that is Dr. Bonnie Henry, and she has provided an absolute master class in effective communication of difficult topics and situations. So just throw that in there as a benefit to those of you who are dealing with communications or education in any way; it's really exemplary material there. Oh, and seeing as how we're talking about privacy partly, by the way, you're being recorded as I understand here, so that will be something to consider as you participate or not. So again, in terms of privacy here, some really interesting things. Contact tracing is something that is important in terms of public health in a pandemic, or any kind of epidemic really, but of course there's always the privacy concerns and the confidentiality concerns there. The issues of vaccine administration and vaccine passports: really interesting that the term vaccine passport has changed from the beginning of the pandemic, when people were actually talking about passports, being able to get into another country, but now when we say vaccine passports, what we're talking about is generally the little slips of paper or QR codes that your local health authority, whether that's state or regional or whatever it may be, gives you to say that you have in fact been vaccinated, so that you can get into restaurants and gyms and stuff like that. So it's interesting, the differences in the importance and the privacy protections that go into it, whether you're talking about something just to get you into a restaurant or something to get you into another country. And so, interesting
variations in the discussion of what is a vaccine passport, what does it need, and how it needs to be protected. So lots and lots of that. Here you may have noticed we're going through the CIA triad: confidentiality, now integrity. Mis- and disinformation has been huge during the pandemic. There have been all kinds of problems with misinformation: on the one hand, people taking ivermectin and things like that, poisoning themselves in many cases. There have been many, many more cases of ivermectin poisoning than people who will say that they have been protected by the stuff. And there's been a significant drop in the use of news media sources during the pandemic. People have instead been turning to friends, neighbors and just random strangers on the internet to pick up their information, and very often it's wrong. There again, as I say, there's a significant increase in the use of social media as news sources during the pandemic, and all kinds of really interesting factors here. QAnon, of course, not as big an issue as it was back in the Trump period, but the Q, or whatever source originates this garbage, produces what are referred to as breadcrumbs, and these are sort of hints that people then have to follow. It's sort of like a paper chase, to go and find the information, and doing it in that way makes people think that they have actually done research, even though they're just following a trail of breadcrumbs that somebody's laid down for them, and it makes people much more resistant to correction in terms of the misinformation and disinformation that's out there. So some really interesting stuff that's happening, and I'm sure in the years and even decades to come people are going to be going back to this period of the pandemic in terms of research into mis- and disinformation and how to deal with it. Availability, and here of course we get closer to our BCP stuff. Toilet paper, really? I mean, honest to goodness, I defer to nobody in my admiration for toilet paper; I think the two greatest inventions of the 20th century were toilet paper and the internet. But really, there is nothing magical about it, and the fact that you could not buy toilet paper for months, it's just so bizarre that people were rushing out buying toilet paper. The pandemic certainly was an issue in terms of supply chains, and certainly there have been issues with shortages of various things, but toilet paper has got no medical properties; it's really kind of weird that that was what everybody went out and bought. But of course the supply chains, we've seen the problems with that stuff, the issues around the supply chains. We're seeing that everywhere in terms of production: chip shortages, raw material shortages, Christmas coming up and retail stock not being available, the lack of choice in all areas of retail availability and that sort of thing. But in addition, we've seen other problems with the supply chain, such as, for example, SolarWinds. People relying on SolarWinds as a means of managing their IT infrastructure, and yet at the same time that makes it a single point of failure, and somebody managed to get in there, drop something into that supply chain as it were, and got into the systems of all kinds of people all over the world. So we have to think of supply chains not just in terms of can I get this particular product, is this going to be available to me, but in addition, is this particular point in the supply chain secure in and of itself? Is it going to affect me in some negative way by it being compromised itself? And that's SolarWinds, of course; we're dealing with IT infrastructure all the time, but there's issues in terms of physical supply as well. Well, going back to pandemic issues, the supplies of medical equipment and personal protective equipment, and all of a sudden people were seeing shipments of gloves, masks, gowns, whatever it may be, that did not meet the standards they were supposed to cover. So lots and lots of issues to look at in those areas. Again, as I say, the issues of supply chains lead us nicely into business continuity, but a few things to address in other areas of security. Risk management, of course, a big area in security, and of course always the cost-benefit analysis. Really interesting to look at the issues of isolation, quarantine, lockdown, mandates of various types, versus reopening the economy. And of course, when we are talking about these issues, security serves business; we're not doing this by ourselves, we are there to support the
business. But at the same time, life safety is the number one priority, so how do we balance those in terms of that kind of cost-benefit analysis? And emergency management: so many issues around this. We've had a number of disasters during the pandemic, which is problems fed on top of problems, and it's tragic and that sort of thing. But then you get these people going on TV and saying, well, they put us up in a hotel but it's not a very good hotel. Well, for crying out loud, emergency management is for emergencies. This is not a time to complain that things are not perfect, because this is a vast imperfection, and it's always more important to have the actual thing, even if it is not perfect, than to strive for perfection and not deliver anything at all. So a number of things. Oh, again, in terms of emergency management, and again this is something that you would unfortunately have to set up a VPN and say you're from Canada for, but if you can get it, attached to knowledge.com, a five-part documentary there called Search and Rescue: North Shore. It's shot in my backyard, so absolutely gorgeous scenery around all of it, but an amazing piece of filmmaking as well. They have cameras mounted on people's helmets, cameras on helicopters, cameras on teams on the ground, people going in with the teams, but in addition, they put cameras on ropes that were hanging gear in and flying into the area. And the editing to put it all together is quite astounding. But anyway, an impressive piece of material there. Again, one of the things that the pandemic has pointed out is that people do not understand risk overall, and the fact that it's not a binary issue; there's always statistics involved and probability. But particularly the concept of defense in depth and layered defense that we in security know and use and have to rely on all the time: staying home isn't perfect, distancing isn't perfect, handwashing isn't perfect, masks aren't perfect, vaccines aren't perfect. I'm sorry, it just doesn't happen, but we have to look at it in terms of layered defense and defense in depth. And oh, in terms of physical distance, this was rather amusing. This is an asphalt grinder that was near my house while I was preparing this stuff, and here's a sticker on it that says that you have to maintain 2 meters of social distance. And I just kind of wondered; I know that it's for the workers operating around the machine, and just general instructions to everybody in the workplace, now we have to do physical distancing, but for crying out loud, who is going to need a warning to stay 2 meters away from an asphalt grinder? Anyway, just amusing. And again, in terms of masks: this mask won't protect you from COVID-19, but it sure helps with the social distancing. So lots of issues there. And again, in terms of physical distancing, social distancing: during the virus crisis, if you must go out, note that you might get coughed on or sneezed on, and since disinfecting fabric is much more difficult than cleaning flat surfaces, you should wear older clothing that can be discarded if necessary. If you have old, torn clothing that will not be missed, that is probably best. Since face masks are in short supply, a scarf worn over the nose, mouth and lower part of the face may offer some protection. If you are infected and must go out for some reason, take a staff to aid you in walking, should you be overcome with respiratory distress and need something to lean on; best to have bells hanging from the top to summon aid if needed. As you go, it is best to give some verbal warning to others not to come into close contact. Since you may encounter some people who may not be proficient in English, it's probably best to constantly call out something simple, such as "unclean, unclean". And this is not meant to make fun of anybody who actually has Hansen's disease. But anyway, oh, another issue there is cars and insurance. So many comments that I've heard from people saying, well, during the lockdown we couldn't drive anywhere, why don't we get a rebate on our insurance? Look, I've seen the way you guys have been driving since you got out of lockdown; I know why the insurance companies are not giving you a rebate. This was interesting: again, as you know, during the lockdown people can't congregate and that sort of thing, but I found that the smokers were really interesting. There's no smoking rules indoors, and how far away you have to be from doors and that sort of thing, but why did they always choose to be beside the natural gas
meters at the mall? I really kind of wondered about that. So all kinds of things that came out during the pandemic, all kinds of ideas, and one of the things was ultraviolet. Ultraviolet light does kill viruses, yes, but unfortunately, like with spraying bleach around places, the intensity of the UV that you have to have to kill the viruses is actually possibly enough to harm you, certainly when they're doing this 15-second stuff to disinfect. And there were wands, there were things that you pushed your shopping carts through, there were robots that would go through airplanes and what have you. And just the intensity of ultraviolet that you need to kill bacteria, viruses and that sort of thing is really very intense, and it's dangerous. I know because I worked in a hospital and we had UV devices for debriding infected wounds. We were not allowed to use it, only specialists were allowed to use it, because if you didn't use it properly, if you weren't careful, it was enough to strip the skin off your arms. So lots and lots of these UV lamps that have been sold, really, if they're weak enough to be safe, they're not strong enough to do you any good in terms of killing viruses. So it's very interesting. One of the things that suddenly struck me, as we're getting nervous about actually meeting people: we watch a lot of old movies and that sort of thing, and so parties and that sort of thing that go on in the older movies are just, oh no, can't, that's dangerous, you're too close together. And it was really kind of funny when I was thinking about this in the mall: I'm walking down the middle of the mall and going around corners wide so that I'm not going to actually bump into anybody by accident. And so these movies where somebody suddenly jumps out of a dark corner, it's sort of like, what are you doing walking that close to a dark corner? But the other ones, gangster movies, where a whole bunch of armed guys with paranoia ratcheted up to 11 are all meeting in a huge warehouse, and that, you know, spread out, you sort of look at that and hey, you know, you guys have got it. So, whatever. Yeah, we probably don't need a break, but the German government is advising people to stock up on sausage and cheese; it may be a worst-case scenario. So, business continuity planning. Now, in business continuity planning we are always after management, senior management, to actually do it, to build the budget, to address these issues. And as this guy from Dow Chemical has said, the best way to get management excited about a disaster plan is to burn down the building across the street. Well, for crying out loud, for the past couple of years an awful lot of buildings have been burning down across an awful lot of streets, figuratively speaking anyway. So use this as a reason for business continuity planning; use the fact that all these changes have happened to provide a reason to management to address this issue, to help out, to make sure that you are addressing the dangers properly. It is not too much of a stretch to be able to say, we're in the midst of a disaster, we have to continue to think about disasters, because if we get hit by another one some other way, this is not the time to have an unintended impact on our business. It may seem like this is not the time to do any extra work, but really this is the primary time to do the extra work to prepare. The pandemic doesn't mean that every other disaster has finished. I mean, California burned down, my province burned down, there have been hurricanes, there have been floods, there have been disasters. The disasters will not wait, and in fact, because of the pressures from the pandemic, it is more important to do business continuity planning here, rather than less. A number of lessons that the pandemic has taught us, which really we should have been addressing already. A lot of the stuff in terms of risk management, a lot of our literature in security, does come from the financial industry, and it's really interesting when you go into it in depth and look at it: you will find that what the financial industry is talking about when they talk about risk is capital risk, financial margin. Do you have enough money to weather some change in the commercial environment? Do you have enough reserve to weather a financial storm that
that may come along um everything that we think about uh or or we you know tend to think about mostly um in in terms of our uh you know risk management and and uh uh risk assessment they tend to lump in in one small carer which they call operational risk so you know they're they're concentrating on the capital risk and we unfortunately have not and we probably should be looking at that more and and certainly a number of companies have experienced during um this during the pandemic that there have been sudden changes in the market and and massive changes now you know some people uh this was great they you know made out like Bandits they you know uh
Amazon for example everybody's ordering everything online so Amazon is you know doing great guns except for the fact that Amazon can't find enough employees to actually work for them so you know that's another change in the market the labor market has changed um and and all kinds of of uh uh industry sectors have found that themselves you know restaurants um during you know reopening situations there you know uh uh there's a lot of demand for the the restaurants but they can't find the people so you know different kinds of of Market changes um and that issue of of not being able to find employees also uh sort of leads to succession planning um and you know we've we've seen this we've
had a pandemic you know a lot of people have died or got sick you know some people will get covid and and they don't actually die but about 30% of people who get covid um get long covid and you know so if you've got your Senior Management people now with long Co and you know afflicted by fatigue and brain fog and that sort of thing you know they still can't do what you need them to do you know certainly somebody who's got brain fog is not somebody that you want making the major decisions about policy and ongoing uh long-term stuff so um having succession planning is very important it always has been important in in all
kinds of disasters uh but you know the pandemic has has has pointed out uh a number of areas that need to be addressed in uh succession planning there and again the the uh issue of Supply chains we've we've talked about that uh briefly but uh certainly um you know major issue in a number of things there um including the issue of hoarding and uh hoarding is is you know sort of one of the little dirty little secrets of of capitalist society that you know uh everybody is individually responsible for their own provisions and so you get a lot of people that's why you couldn't get toilet paper was everybody was hoarding toilet paper um you know that is a problem that
is created by everybody trying to do the best thing for themselves um and so you you need to plan uh issues address addressing some of these social factors into your business continuity planning um other things about business continuity planning full scale uh business continuity plan for a a large company really takes about three years and and so you know you need to do it beforehand you you need to do it uh in advance you know the the P you know it's uh BCP and and DRP both of the Ps are you know is planning IRP incident response planning planning planning has to be planned in advance so you you've got to start early to do this you know
the middle of the disaster is not the time to try and do business continuity planning not for This Disaster you got to do it for something else um and again the the issue of the uh the best is the enemy of the good um it's it's know we aren't looking for Perfection necessarily and we we always want it to be as as good
apologize BSides Delaware I think we're having some voice technical issues see if Rob is still there hey Rob I don't have any audio from you right now hopefully he can hear
me I would continue Rob's talk for him but he's much smarter than I am so let's see if we can bring Rob Back hey uh Rob if you want to if you can still hear me and you want to stop presenting um and then start presenting again maybe we can fix this real
quick nope nothing Rob all right we're going to hit to uh an intermission just a little bit early uh I think we lost Rob and uh maybe we can get him back a little bit later apologize for the technical glitch BSides we will be right
back are we oh hey are we online hey Rob there you are you back yes I'm back okay uh so let's um all right sorry we we uh we lost you for about two minutes there okay uh let me let me see here just making sure that we've we've got everything yep I got your slides I got your voice you're ready to go okay okay uh uh so let's uh back here I just make sure that we yeah anyways uh any job worth doing is worth doing badly here I've just uh demonstrated that uh very uh effectively uh but yeah um you know this is this is emergency management this is this is you know trying to do the best in a bad
situation uh so again the actual is is better than the perfect um in uh business continuity planning leadership is is very very important and and the leadership we have we have seen a number of issues of uh leadership during the um uh the pandemic and um how uh that works um and uh one of the things that uh has been important that uh in in a number of those examples is is consistency you've you've got to uh be consistent in in your your basic principles now very interesting of course again in a pandemic and particularly in a pandemic you know this is a uh a virus of a class that we didn't even know up until the
1960s uh coronaviruses uh were discovered and it was rather interesting in terms of of the name there I had thought that it you know was the the spike proteins that Crowns All Around the surface but actually when they were first discovered uh electron microscopes were not uh did not have enough resolution to to give that level of detail and so all people could see was this a kind of hazy outline a a Corona around the virus and so that's where the name came from uh coronavirus um which is uh interesting in terms of Canadian content time because the electron microscope is a Canadian invention but anyway um the uh the facts change you know we're
we're finding more and more data on on issues um uh a number of of things have have come out in the course of the the past two years in discovering about uh Corona viruses in general and and uh this particular family of viruses and the mutations that have come along um but the uh the consistency of background principles has been vitally important and and people who have not had those uh you know background principles driving what they do um their leadership has has not been very effective uh during this whole crisis and and so that is an area to be addressed again um uh looking at the Dr Bonnie show um the the consistency that Bonnie Henry has shown
over the the course of uh the pandemic is is impressive and and she's you know saved a lot of lives kept a lot of people safe I'm I'm really big fan um in terms of uh business continuity this this is something that we have seen um uh in terms of uh technical stuff when when you uh recover uh you go into recovery when a disaster has happened you recover the most important items first and um this has has been uh an example or the pandemic has sort of been a special case of this um you can do lockdown you can stop fast and and you want to do this early um and we've seen this over and over again that places
that did not go into lockdown early have taken much much longer uh to get their recovery going uh but when you go into restoration when you've had the disaster happening and you are starting to get back into your original location you restore the most important stuff last and so the restarts of the economy in the pandemic have been slow um so you know stop fast restart slow is is sort of important principles in in business continuity planning um this was was interesting what I've seen in the uh pandemic the uh the issue of efficiency and and I mean you know we all live in a capitalist Society um you know just about everywhere uh is is running on it um any
any other uh types of economic systems have have really had uh massive problems but um uh capitalism has has worshiped at the altar of efficiency and and reducing margins um and for about 40 years I I've really been looking at this and uh this efficiency at all costs and wondering why it is and that I've been uneasy about it and the pandemic and finally showed it up in in a large scale here efficient systems are brittle when we reduce the margins um when we we know really go all out for for efficiency um we uh set ourselves up for problems we we don't have that margin we don't have that slack um and so again in terms of
building resilience into your Enterprise um at at all levels which which again is part of business continuity planning um look at that issue of efficiency you know yes you want to do things you want to avoid flat out waste if you possibly can but uh know and consider uh you know when you when you cut things to the Bone there's no further to cut when something bad happens so again you know efficiency is not the be all and end all um you know again have some redundancy to build resilience in into your Enterprise uh you know do you know yes cut down the margins but but uh not too far um now again uh planning
like I said you know the P stands for planning planning has to be done ahead of time uh do do it in advance um it's really interesting here in in Canada we had uh well we've even had a federal election over the course of this uh not too bad but a lot of people you know every time an election was called we're just you know freaking out you know how are we going to conduct an election during a pandemic um and uh we had an election here in BC and it was it was done fairly well and I'm in terms of risk management here uh I am old I am male I am fat I have high blood
pressure and diabetes you know if any strain of SARS-CoV-2 lands on me I'm toast so you know I've got to take extra precautions here and so I planned ahead when they called the election I signed up for you know mail-in ballots um I found out where the office was uh went and and actually you know I didn't even mail it I I dropped my ballots in at the the elections office um so that I didn't have to you know line up on Election Day and and that sort of thing um so you know that's planning um Newfoundland uh other side of the country um uh they also had a uh an election uh during the
pandemic and they did not plan as well for the the pandemic response and um they as they started into the election they got hit by a sudden wave and and so their election was a bit of a mess uh there's also issues again um uh Long-Term Care Homes have and Facilities have been hit particularly hard they've been hotspots during the pandemic and of course a lot of people have died in in uh those uh Care Homes and that is always accompanied by you know uh weeping uh children uh well elderly children uh saying oh if only I'd known you know I I wouldn't have put Mom in a home and and she died there well you
know this is not something that was terribly hard to figure out you know if if you uh are now you know so terribly broken up about putting mom in a home you know you you left her in there uh you know if you were really concerned about that you should have you know thought about it and uh made some other Provisions uh for those types of situations okay what is happening here that we can't oh dear okay um let's get the slideshow back up and running uh guys there we
go sorry about this uh you know ah this a business continuity okay you know anyways we're we're restarting here we will uh be back with you uh shortly and get the slides back
up and we go and back to uh sharing our
window skip through a few slides before we get to where we were where were we here this is all revision we can just say that that is this is review of the material okay so uh oh yes good old raw toilet paper for sale $20 some assembly required uh there as I mentioned toilet paper support cryptography um I actually wrote a book um cyber security lessons from covid-19 um uh during uh the pandemic it an interesting exercise um went through the the domains of of security and uh I thought you know okay cryptography is is not uh an area that uh the pandemic will uh you know have an impact on or any lessons from ah wrong um so the contact
tracing here is really interesting that um the uh DP-3T uh protocol here just uses pure random numbers so we're not um uh providing any personally identifiable information so there's no uh uh issues of of privacy here as long as it's it's really interesting as long as we're only dealing with the random numbers it's okay but as soon as we start collecting and associating uh say location data data or even time uh data um with those uh uh random numbers uh we start to get um uh possibilities of of uh losing uh private information and and uh uh breaking confidentiality so really really interesting again you know a little bit of a point of of uh
addressing uh cryptography not an awful lot but uh but some uh application security uh testing the different types of testing um right now uh there's uh issues of um if you don't have a you know if you aren't fully fully vaccinated you've got to get a test or if you're traveling to certain locations like coming to Canada sorry uh yes it's not my fault the government uh decides these things uh that you've got to have a a PCR test and uh people are saying you know well why don't you do the rapid testing well the thing is the rapid tests give different types of information for example the rapid tests um very often will uh indicate whether
you have ever had covid uh not just whether you have it right now um so you know if you've ever had Co you may you know uh get a a positive there also the the PCR tests are much much more accurate the uh rapid testing things um some of their accuracy levels or rather their error rates are around 30% um and that's just you know uh when people are saying you know oh we we you know uh want the rapid test because they're you know they're uh easier and quicker and and that sort of thing but they uh you know what happens when you get a false positive you know how do you like the rapid test
now thing um and and then oh this is uh again a little bit amusing um uh during the pandemic a uh paper plant uh that was um uh well U was infected with malware and and so I I'm telling everybody who everybody who stockpiled toilet paper should safely dispose of it because it may have been infected by a virus and then of course I have to explain that's a joke you know uh biological viruses and computer viruses do not have anything in common and know you can't catch in your computer can't catch a virus from from COVID and you can't get COVID from a virus on your computer um the uh one of the things that um I
have known for a long time like I said I came from uh the virus uh well originally just viruses but more generally malware research community and um when I got more formally into uh security um one of the things that I learned very quickly was the Bastion model was uh you know everybody else's model in security and the Bastion model is wrong um the Bastion model says that you know we have you know we build walls around ourselves we're the good guys we're on the inside um everybody on the outside is bad you know they're attacking us and as long as you know we have that that wall um we're okay um under the Bastion model um if a a hacker
an intruder of of whatever kind is is attacking you um that's not my problem as a matter of fact maybe that's good because if the the Intruder is attacking you he's not attacking me but when you come from malware research and and particularly virus research you know if uh you you get infected with a virus that's a problem for me because all of a sudden you know you are starting to spread uh the viruses and and that sort of thing so you know the Bastion model we we all think you know we're on the inside we don't have to address anybody else we don't have to help it and knowing that helping others helps you is much more
important for security we are all in this together as uh many people have said you know we're we're not necessarily in the same boat but we're all in the same storm and uh that again is is something to address in your business continuity planning um in Security in general uh oh I have uh you know uh I am rather famously don't like slack and and I thought I hated slack until I was forced to use Microsoft teams and then I thought I hated teams until I was forced to use Discord but we won't say anything about that uh I found a bug in Microsoft teams the agenda view disappears after you scheduled meetings and uh Gloria my
wife says that this is proof that teams was created by kids who never learned to plan and do everything on an ad hoc basis and I don't have any evidence to indicate that she is incorrect uh ransomware and new virus dreams now uh first of all I got to say about ransomware everybody talks about ransomware and half of them are wrong because um there there are two things that are both being called ransomware incorrectly ransomware is about software that gets into your system and it encrypts your stuff and and then you know a ransom demand um but there's also breach extortion which is when somebody gets in takes your information and then threatens you and it says that you got
to pay a ransom or we're going to release this to the world that is that is not ransomware that you know wasn't dealt with by malware by software um and uh it's it's a different thing um ransomware um we know how to fix ransomware make a backup I mean we've been telling people for years to make a backup um that's that's all you need to do you make a backup you don't have to worry about ransomware um Whirlpool has been hit by ransomware uh and I you know at the same time we've seen during the pandemic new more infectious more transmissible strains of the coronavirus uh discovered in various places uh right now I think you know that Delta is is
the big one but I know that uh uh they're keeping an eye on on things called AY.26 and AY.27 and and they're trying to uh figure out if they're you know uh going to be important and in both cases my response is so what we know how to fix this you know if it's ransomware we make a backup you're fixed in in terms of new strains of the virus yes maybe it's more transmissible but we know how to fix this you know it's the five uh heroic acts of the World Health Organization you know stay apart from people wash your hands you know so on and so forth um the thing is uh you know
this is not a difference in in kind this is just you know uh maybe this new strain is more transmissible maybe this more strain new strain is more infectious maybe it's more uh deadly in terms of mortality but it's you know it's not a game changer it just means that you have to double down on what we were already doing and you know the same thing is is happening we know how to fix this do not panic okay uh uh law investigation and ethics again privacy gets into here a bit uh and a lot of people have been freaking out over you know mandates lockdowns that sort of thing and and quoting Benjamin Franklin they that give
up essential Liberty to obtain a little temporary safety deserve neither Liberty nor safety you know well uh look I mean when people are dying um then that's you know not not an issue of Liberty there you know they say my body my choice yeah do you want casket or urn um this is important um contact tracing and privacy we've we've uh talked about um uh forensics um the uh evidence the testing the data that we're we're getting uh you know all of that is is important in forensics and and we're seeing the importance of relying on specific data specific evidence uh real uh data uh rather than people's theories um during the pandemic here um really
interesting the privacy issues here um uh doctor's appointments uh have uh been mostly by phone during the pandemic which is really interesting during a pandemic you know we're we're dealing with issues of health but um uh here uh the the doctors uh decided that they needed a consent form to to deal with issues of privacy um and uh so you go to a website you would you would sign this consent form uh which you had to pay for it was really interesting you had to pay to sign a form uh rather bizarre but anyways um interesting on this form they had no means of Correction so you know they were violating one of the uh EU directives right off the top um and uh
there was uh you know there were several violations of accuracy and the right of Correction principles uh in this form so this form which was meant to address issues of privacy itself violated uh privacy protection principles so interesting stuff um again in terms of privacy and the vaccine passports uh early on when we uh were thinking that the the passports were going to be actual passports uh you know a lot of information was going to have to be carried on those things you know details of the vaccine which version did you get what date uh multi-shot did you need a booster did you have a booster um were we going to keep that information on the card on a central database um
what would happen with uh jurisdictions accessing health information from another jurisdiction they may not have been too terribly friendly to uh details of the testing uh of whether or not you had had PCR test or you know rapid test or whatever you know what type of testing what was the DAT of the testing so you know know tons and tons of information that we were considering at that point in in terms of the the vaccine passports now of course it's it's been somewhat restricted in terms of of just uh you know have you had a vaccine had you had both vaccines uh that sort of thing um yeah this is is kind of personal but
um I I'm very disappointed in in terms of the social responses to the pandemic uh it has seemed to to open the floodgates to bad behavior for a lot of people and and of course uh you know racism has has uh come full force um uh people have been uh making statements about Asians because the the virus first seemingly showed up in China um the the uh different uh ethnicities uh seem to have been affected differently by the virus that is is still something that needs to be researched because it's only you know vague indications that we've got um certainly uh any uh ethnic communities that we can tie to uh lower economic status um have been you know hit very
very hard uh by the pandemic they've been hit a lot harder than than those of us who actually have jobs and money and and those types of things um but uh you know the the issue of racism has has been um a very disturbing one you guys have had the the black lives matter um and this is a this is a Canadian joke uh a Canadian is a DP with seniority um it's it's kind of multi-layer I have to explain that uh DP means displaced person it's basically another term for uh Refugee but it's it's also essentially a racist term because uh a DP is is somebody that you you know it was a pejorative term uh that this was
somebody who came from a different culture and and very often from a different race um so uh you know it's racism shows up in in all kinds of things we have to find it fight it in in many many different ways uh this is Dr Bonnie who I've uh talked about uh a number of times and and she's saved a lot of lives and and I'm running out of time so I'll say that's all I'll say about that any questions hey Rob we do have questions in the Q&A but we are running right up against quad next talk so if you would be so kind as to hop in uh the uh track one post uh Q&A Channel and you can
answer some I believe Janice had a few for you okay I am on there sweet well thank you so much Rob for your second talk right you've given two talks so far this weekend yeah yeah a lot more material in the second one than the one yesterday but yeah well that's awesome thank you for that and uh we are going to hop right over to quadling thank you Rob okay see if I can do this on the Fly Yello Yello hey oh my god did I do it I did it what' you do I said I I was like I'm going to see if I can hop over this as seamless as I can we're we are
live right now by the way Josh oh that's awesome okay cool and I I went right over and I was like oh God I didn't screw that up all right BSides Delaware uh we are now into our 2 p.m. talk we're a few minutes early but um I can never get enough of this gentleman one of the core organizers of uh BSides Delaware and um God just what a handsome specimen Mr uh Josh marpet himself quadling take it away man hey man thank you Danny uh okay so uh wow so we're we're we're we're running along at BSides Delaware it's very relaxed it's very calm and uh frankly again uh last virtual conference I ever want
to run I want to be in person from now on because I need hugs damn it uh okay I have been working wow for the last two years on standards and uh and by the way anybody that wants to join please come on in Discord join the classroom or in the classroom I really love discussion so come on over and join up and let's talk okay uh interrupt me ask questions we we got plenty of topics here plenty of info here but anyway um so for the last couple years I've been working on standards and one of the standards that I've been working on is bills of material what is that well it's all about what's under the hood what is
built into what you're using but we'll get into that so first there's my uh you can still see it right it paused it on my uh on my Discord but uh okay so this is me in in the fastest bio I think I've ever tried to do I'm a founder of a new startup called MGM growth we actually take small tech companies and teach them how to do sales and marketing because most tech companies suck at sales and marketing and rando's probably over there laughing because he's been an evangelist for I don't even know how many years and uh and most companies just suck at sales and marketing they don't understand how to get the word out so we
start I started a company to do that I've got some amazing people that I work with I've started a nonprofit the uh risk management information sharing and Analysis uh organization the RM-ISAO I'm the co-executive director uh I'm the one of the co-hosts of Paul's Security Weekly over on the Cyber risk Alliance and security weekly family I'm also an IANS faculty member uh I'm a dad um I'm a husband I'm halfway decent at those couple of roles and uh I have a fascinating and fun life there's a lot of other stuff I'm not even mentioning here I swear to God so uh that's me anyway what's a bill of materials so this is interesting what is in your software
your Hardware your firmware your security your compliance whatever doesn't matter what's in the truck let's start there what's in the truck what do you mean let's assume you got an 18-wheeler coming down the road okay cool I got an 18-wheeler what's in it well I mean there there there's stuff in it could you be a little more clarifying here and the idea is is that every truck driver has a manifest okay and he hands over the Manifest and the the person at the way station goes okay you've got 10,000 toilets or whatever the hell it is 40,000 widgets and you're you're a little overweight so we're gonna have to ask you to offload something and the the
bill of materials the Manifest is used to say okay well I'll have another truck come and pick up 20 toilets that'll put me underweight perfect we're good that's fine okay the bill of materials is used to determine where things go what things are on the truck what are what's part of the load that you have in the truck and the idea here is is that we build software the same way back in the day and I mean like literally 100 200 years ago when you unloaded a ship they literally would spread a net down and you'd put boxes on the net then the crane operator would pick up the corners of the net move it
over to the the op the receiving area drop the net they'd pick Box by Box by box longshoremen that's what they used to be called I think they're still called that Dock Workers would literally pick up a box at a time and go load a truck with them now we have containers okay the containers have crap tons of stuff in it and one crane picks up a container drops it on a truck chassis and the truck drives off okay and we literally call it the same thing kubernetes and and and Docker they build what's that oh containers because back in the day 20 30 40 years ago all code was written by hand
you know Rando would sit at a table and a desk with a with a pack a stack of Punch Cards in front of him and he'd literally Punch The Punch Cards to put the instructions into the computer and not that he's that old I'm not saying he's that old he's no older than 70 okay but um but the idea is that you as a programmer wrote every piece of your program that's not true anymore these days programmers do a lot of coding I'm not dissing or imputing programming in any way but programming is more like Lego block building than it is like calligraphy okay you take oh I want that Library I I need to encrypt uh uh you
know some some rail stuff okay well there's there's a library for encrypting rail stuff I need to you know drop a a a a a form the results of a Google form into an S3 bucket do probably a library for that or a chunk of code or stack Overflow has some code for that okay okay but you didn't write that code you didn't write that Library you didn't write that whatever so the idea here is well where'd you get all these pieces where'd you get all these Lego blocks and bills of material will tell you that but that's software why do I have software Hardware firmware security comp blah blah blah blah blah blah blah oh
we'll get into that now you might know uh what's the name of the company black duck they were they're they're they're fairly famous they keep track of open- source software so if you have open- Source software in your systems then they will keep track of it and tell you hey there's new vulnerability hey there's a problem you're doing great you're up to you're up to date are you using version blah blah blah yes okay then you're fine are you using version blah blah blah minus two well yeah that actually is a oh critical vulnerability here you go here's your patch okay so there's there's entire companies that are massive that are tracking chunks of software and making lots of money off
you by doing it okay that makes sense that's cool yeah but what about the things you don't know about Josh what do you mean well when you get a piece of software an application whether it's a SAS application a shrink-wrap application whatever do you know what's inside of it I I promise you it's all Lego-blocked okay it is not that they wrote 50 million lines of custom code there's Lego blocks in there there's libraries there's dlls there's there's chunks of code from stack Overflow in 14 other places do you know what's in there because if you don't you've just introduced potential vulnerabilities that either you don't know about or the manufacturer doesn't know about or both what do you mean that
the manufacturer doesn't know about oh right because every developer logs every place that they got a chunk of code from stack Overflow and puts it in the uh in the notes sure absolutely I I I mean of course don't don't don't yours so you've introduced vulnerabilities or potential vulnerabilities into your the application that's running God knows what in your in your Enterprise this is a problem so the idea here is that if I can mandate getting from the manufacturer of every application that I use as an Enterprise a software bill of materials okay that's the software bill of materials then I can keep track of the vulnerabilities well how do I do that well I mean there services like black
duck and I think there was WhiteSource which was a hilarious fact that they named that but I'm not even going there uh that will keep track of software for you so you go hey I've got these 70 libraries that I use and by the way there's thousands of libraries that you use if you're at a company of any size there's thousands and thousands and thousands of libraries modules chunks of code whatever that you as a company use in the software that you buy and rent and lease and subscribe to and in the software that you build and churn out to to feed to your customers thousands of them guaranteed so if you can keep track
of all of those or a third party can keep track of them for you and keep track of the vulnerabilities affiliated with those because again a vulnerability scanner is great but if it scans my application but the vulnerability is so far deep buried inside maybe it's a magic parameter maybe it's a you get the idea so software bills of materials actually are starting to have vulnerability bills of materials uh uh sort of plugged in as a plugin to them it's really kind of cool so that's software and I've been I've been harping on software forgive me but there's also Hardware what do you mean Hardware this is really cool I don't mean literally like like like computer hardware I mean
like crap do I have something on my table I mean like Hardware like components okay and and and and you know uh uh uh pieces of metal that you that you install in your house what what the hell are you talking about Josh we'll get into that this is really cool but then there's firmware same idea that's kind of software of sorts right okay iot uh firmware the firmware on your phone the firmware on your devices the fact that your X-ray machine is probably running Windows 7 don't even get me started on that and then you've got security and compliance what does a bill of material have to do with security and compliance this is fun what if I can
take all of the security compensating controls that's where compliance comes in and I can take all vulnerabilities and I don't know if you can hear it but there's a fire engine going by if it's loud I apologize um that's really loud if you can take all of the compensating controls if you can take all of the different pieces of your security and your compliance and put them in a list and appropriately formatted we'll get into that in a second but you can put them in a list and you can say here's everything I do for security and here are the results here are the metrics here are all the pieces I get that from Splunk I get that
from my seam no no you don't you get whatever you program into your seam and and actually I mean hell I'll invite discussion I mean Rando you worked at Splunk currently unless I don't know something oh are you still there I apologize I didn't know that I lost track I Apologize I have friends working all over you know what it's very easy with me could be quite honest but I mean so Splunk keeps track of a lot of your security and compliance pieces I absolutely am on board with that I'm not imputing Splunk or any of the the seams that are out there they do great work but they only do what you feed into them they only track what you
feed them okay uh so if you feed them logs from only this half of your industry or this half of your Enterprise they don't feed they don't track the stuff from the other side basically correct yes okay so with a build of materials you manually go out there or with a compliance automation system or or with your seam or with a lot of different things you can collate a lot of different information about your security and compliance and have basically a list of what you do how you do it why you do it what it helps what the results are Etc okay I I I've harped on this slide forever and I apologize let me show you a few examples that's a
nice slide though oh thank you i' I've actually been trying this is a little weird but slideware I've been trying for much simpler slides and doing more talking rather than showing if that makes sense much simpler slides and this circular graphic is anything but that well this is meant to be not something you read I just wanted to point out that this is from the ntia um and they they're the ones that with Alan fredman who's awesome awesome dude Allen is amazing and he's actually moved over to cesa with Jen easterly he's now over there at cesa doing still software building materials for the US government but this was from Nia when he was there and this is where the software
life cycle goes and the bill of materials assembly line and like it gets crazy and I'll send this to anybody that wants to it's in a public report of theirs but the idea is that you can build a software building material as your as part of your cicd pipeline as part of your build process that's the only thing I wanted that graph to be there for okay just to be clear but I mean when I talked about Hardware there's actually a company right now who is using bill of materials okay um to keep track of all the lighting fixtures that they put on billboards because and here's the kicker every time they put they get a new batch of lighting
fixtures from their supplier they get put on 50 different Billboards they these big huge of lighting stuff because they do a lot of billboards if they get one that falls off a billboard it could kill somebody could hurt a car kill somebody whatever I mean these are Big freaking lighting fixtures they're like this like hundreds of pounds because they're meant to last forever basically so they want to track if one of them ever cracks breaks falls off whatever we want to know which batch it came from because we're immediately going to go check every single other one in that batch we want to know which installer installed it because if it turns out if it breaks off that's one thing but if
the the nuts weren't screwed down enough and the whole thing just shakes loose from the wind and everything and it's the same installer for 20 of them we want to go check the other 19 okay so they're using Bild of materials as a tracking mechanism to determine where things went if that makes sense and it's the same idea with vegetables you might have seen the IBM commercial we're tracking Tomatoes now through blockchain okay cool that's nice uh same idea we want to track provenance we want to track attribution and we're not talking attribution dice that they always say North Korea or Iran we want to talk about provenance of where things have come from and where they've gone and
who's using them and that's that whole library of software lighting fixtures uh whatever it doesn't matter okay and then what about with pentest reports and I just stole I blatantly stole offensive Securities illustration of a pentest report but with a pentest report or with the systems that it's reporting on can I take the artifacts from the pentest can I put them in as a bill of materials as a piece of evidence about my security absolutely why not okay can I use it as a metric well the pentest found 15 criticals 70 mediums and 4,000 informationals we thought that was a little weird yeah those are metrics those are artifacts those are things we can measure so they should be in a bill
of materials why well if a customer goes hey I want to see your security Bill and materials here and I've actually weighed and I I would love feedback by the way I've weighed calling them either compliance bill of materials C bombs or risk bill of materials because I can separate that out into security and comp LS so R bombs and uh I like C bombs better do you really because our R bomb doesn't roll off the the the tongue as easily because C and the S and this is just an alliteration thing for me it's just me SE bombs like it begins and ends with the same s interesting sort of the same sound thing I like that R bombs just it just
doesn't have the same ring to it so I'm going to lean heavily towards C bombs thank you no I like it I like it I like it like it I like it and uh I I I I it's cool and I'm gonna I'm asking for feedback by the way I'd love feedback from people at the end of this I think there's a I've got an email address