
Good afternoon, everyone. How's everyone doing today? Excellent. And is everyone enjoying themselves? Excellent, cool. So again, I just wanted to re-emphasize CPD credits for today: anyone who wants the credits, please make sure that you have actually entered your name and your email on the sheet. There's a different sign-in sheet from yesterday, so to get your CPD credits for today, please have your email and name on that sheet. Regarding the conference Capital app, for those of you who want to link with other members or conference attendees, it's only for Android, but download that and feel free to link with other members. Regarding Hallway Con, it's actually happening right now as well. It's from one to three: fifteen-minute lightning talks with no presentation. It's right by the CTF room, to the right of the registration table. And other than that... oh, I also wanted to mention the resume room. It's happening from three to four p.m. today in the CTF room as well, so feel free to exchange business cards and exchange your resume. It's going on from three to four p.m. today. And without further ado, I'd like to welcome Mr. Rob Shane. Let's give him a round of applause.
All right. So I'd actually first like to, for those that saw Dan Geer's talk this morning, mirror what Dan said: running a conference is really hard. So I'd like to actually acknowledge the people that put this on. For the volunteers and the guys that run the conference, please give them all a round of applause.

You don't realize it until you run one. It's really, really hard. I just took on SOURCE Boston this year for the first time, and it was more work than I could possibly have imagined up front. So with that said, is there someone here who actually saw Dan's talk this morning? Awesome. It was good, wasn't it? So Dan mentioned that he believes we are at an inflection point, where we're about to see something big happen. I also think we're at an inflection point. I'm not sure that my inflection point and Dan's are the same inflection point, but there's clearly some significant overlap. Okay, so, where did those markers go? I'm a trainer, so I like to draw.
So when I got into security... I can almost say that I've been in it for almost 25 years now, and I don't know if that makes me any wiser or just older. I'm not really sure. So I got into security around '98, which was also an inflection point. How many of you were in security in '98? Remember what it was like back then? It was better than it was in '88, right?

What I remember from 1998 is that most things were still pretty open, right? We were coming out of a world where we had built the internet in an academic setting where everything was meant to connect with everything. I remember in the mid '90s being able to rsh from one box to another without having to type any kind of password. It was so easy, so convenient, right? So that was an inflection point. That was a point where we clearly needed to get better, because suddenly we were noticing that people were breaking into the computers, people were breaking into their systems. So there was a huge effort around that time period, and I remember this, around the idea of penetration testing systems: breaking in, seeing where the holes were, and plugging the holes. There was a lot of work done during that time period.

But then we hit kind of another inflection point. You could argue about when exactly this happened, but it was probably somewhere in the range of 2003 to 2005, I would say, where that next inflection point happened. And it was the inflection point where we realized that what we had been doing was not scalable. What we'd been doing at that point required the really smart people to show up and break our stuff, and there were only so many people compared to how many things needed to be broken. Lots of things needed to be broken. So the next big inflection point started. And so down here, basically, in the first one, some people got better, some people actually got worse, because those that had already been doing the right thing suddenly said, oh, I don't have to do as much here. This next phase is the compliance phase: compliance and standardization.

And this was a necessary phase. It had to happen, because at this point here some folks were really good and most people sucked, frankly, right? So we needed to find a way to get the folks that weren't doing anything up to some minimal level. That's where things like PCI come into play, various standards and compliance regulations. Now the problem with that is some of the folks that were down here that were doing a great job actually lowered their game. They're like, why would we do all this extra work? We don't need to do that much work to stay competitive anymore. We just need to do that bare minimum. So that kind of leads us to where we are now.
Here we are today, it's 2014. And how are we doing? I don't know. I actually had an interesting conversation. I was at the Security Things conference earlier this week and I had a conversation with somebody about this very topic: have we gotten better, have we gotten worse, have we stayed the same? And the answer kind of is, it depends on your perspective. In some ways we've gotten a lot better, right? In some ways, some of the things that you have to do in order to break into a system are a lot more sophisticated than they used to be. But in other ways, in that same way, we've bred a better bad guy. The bad guys have had to get better in order to get into the really high-end, sophisticated stuff. Now, that said, there's a lot of things that just aren't very secure at all, which I'll talk about. So I think we're at this point now where we need to go somewhere from here, and we need to figure out what that looks like. I believe it's an opportunity. I'm an optimist, so I see opportunities, not just downsides. I think there's a huge opportunity here for some strategic thinking, because at this point everybody's got one of everything. Everybody's bought all the toys. And we've been saying since down here that the vendors, they have all the cool shiny boxes, but that's not the solution. I apologize to any vendors in the room, but the technology is an interesting part of the solution; it is not the solution. And I think right now we're kind of seeing that. Everybody's got one of everything, yet we're seeing some of the biggest breaches ever. And all along, the cost of a bug hasn't really changed. That mythical one-dollar bug that you find during design is still going to have a multiplier as you go into development. It's still going to be more expensive as you go into testing, and it's going to be exponentially more expensive once you roll into production.

This has never changed. This is the classic IBM study that shows the cost of a bug. Now, I've never seen a one-dollar bug; these are multipliers. And a classic example, we just saw it: the Target breach, 40 million credit card numbers stolen from November to December of last year. You hear the numbers on the total cost of that breach; it's going to be over a billion dollars. So they're getting more expensive. They're getting a lot more expensive. And this didn't really come as a surprise to anybody. What's interesting about the Target breach, though, is I've noticed that they've been getting a little bit of unfair press. It's almost like everybody's writing these articles like, ha ha, look at those guys, see how much they screwed up. Everyone needs to take a look in the mirror is what they need to do. What people should be doing is asking themselves: how am I similar to Target? In what ways am I open to the exact same kinds of risks as Target? Because I can tell you for sure, I've done some security work at Target and I've worked with some of their security teams, and at least as of a few years ago when I was there, I can assure you they were not compliance focused. They were security focused. Their mission was, let's make it secure first and worry about compliance second, because, you know, security is a superset of compliance. If you're secure, you're also going to be compliant. Just because you're compliant doesn't mean you're also secure, right? And that was their mindset. Now, I'm not sure that mindset went all the way up the food chain, maybe, but that was the mindset. And some of their facilities are so good that the FBI trains in them. Everybody else should basically be crapping their pants right now, because everybody else is probably worse than that. Okay, so all the bad... I mean, some of it's justified, clearly. They had something getting to their point-of-sale systems, which is an issue. But it's not because they weren't trying, and they were trying in ways that most companies would dream of being able to try. Okay, so that's just a data-set, level-setting kind of point of view.

Now the upside of the Target breach is we're probably going to get chip and PIN at least six months earlier than we expected to. The ironic side of it is that wouldn't have solved the problem in the first place. That's the funny part. So again, once again, we're throwing technology at this problem, but they're throwing it at the wrong problem. It's not a technology problem.
We had another pretty amazing incident last year, the one that everybody knows about now. My mom knows about this one: the Snowden thing, the NSA. You guys all know about this, right? So you can have different points of view on this. You can say whether it was right or wrong; those are all interesting hallway conversations, but honestly it doesn't really matter at the end of the day. In some circles of the world right now he's the devil, in other circles he's the messiah, and most people are somewhere in between. But regardless of that, what happened happened. So now what? Where do we go from here? That's a much more interesting conversation to me. What do we do now? So on the one hand, I think a lot more people are going to be using encryption. But once again, we're throwing technology at the problem. But that's going to happen. Here's a preview for next year's RSA Conference: I guarantee you there will be a whole bunch of vendors that claim on their signage to defend against NSA-style attacks and NSA-style snooping. And I know this because I've already seen a couple of vendors do it last year, in February. So somebody was ahead of the curve, but that's going to be a thing. So I think we're finally hitting the point where we're going to see a lot more end-to-end encryption, because that in a lot of ways solves some of the problems. That solves this problem, at least that problem. But it still misses the point. I think the problem I'd like to see it address is this.

Some of you guys are probably going to see me draw this picture. We have two things here: an onion, and we have an egg. Now, for years we've been using this as a metaphor, at least I have, and I'm not going to stop until people actually start doing it. This is the defense-in-depth strategy. You have one layer after another after another after another, right? That's the classic security through layers. That model works in a lot of ways. It's not perfect; no security model is perfect. But this is a hell of a lot better than what we typically do in most companies and organizations, which is the egg: you have this supposedly hardened outer perimeter, but once you get past it you get to the software inside. Now honestly, we should have abandoned this model 10 years ago. But in 2014, do we really have any illusion that there's any such thing as an outer perimeter? What the hell does that even mean? How do you even define that? Now, back in the days where you had a big mainframe in a room, you could define an outer perimeter, and you could put an armed guard there. But nowadays there is no perimeter. The perimeter extends to your phone. I used to say it extends to your living room, your hotel rooms with your laptops, but it extends to your phone, the mobile devices that you're bringing to work, and they're bringing home, and back and forth and everywhere else. This model doesn't work anymore.

But I can tell you for sure, I have had a very interesting set of data points over the last 15 years in my role as a consultant and as a trainer, traveling around the world and seeing lots of different companies, probably seeing, I don't know, dozens at least. And I've spoken in front of 20,000 people, teaching information security, various topics, and I've gotten interesting feedback from people. So I've seen a lot of interesting elements of different companies, and they all have the same problem. Almost every single one of them, they all have the insider security problem. I see a lot of people nodding, so you guys know what I'm talking about. If you're wondering what I mean by this: every company, every organization has at least one system, and that's being generous, but at least one system on the inside that, you know, we don't have to secure that because it's an internal system. Show of hands: who's heard that statement before? Look around the room. Hold your hands up. Like almost everybody, it's like 89 percent. So you know what I'm talking about here.

What I would like to see as a balancing, or kind of a repercussion, a fallout of the Snowden thing, isn't to care about, are we encrypting our data from the NSA, because they're going to get it anyway, but more of: let's take our data and think of that as the thing that needs to be protected. Instead of what we've had for years, which is this outside-in kind of model of security, right? That's how we typically design a lot of our systems. That's where the firewall comes from, right? Wouldn't it be more interesting if we started from the data itself and said, how do we protect this data wherever it moves to? So it's more of an inside-out model. I think this is a mindset shift whose time has come, and it's absolutely required if we're going to make any progress from here.

We can't think of it like this anymore. Every time somebody's come up with a way to protect stuff from the outside, somebody else clever either finds a way in or just becomes a trusted insider. I don't care what kind of external protections you had, you weren't going to defend against the Snowden attack, because he was the ultimate insider. He had access to everything, and those systems, like most systems, were not designed in a way that would indicate that an attack was occurring, right? You're not going to defend against everything, but you can certainly notice a lot of things, and those systems weren't really set up to notice. It wasn't until he actually started making press announcements that people noticed. That's kind of funny.
All right, so where else do we need to go from here? Clearly we have a lot of grassroots energy in the security community. That's great; I think we should leverage that. When I started working on the SOURCE conference in 2007, there weren't nearly as many conferences as there are today. Today, if you look at the security conference calendar, there's like one a week. You could literally have a full-time job doing nothing but going to security conferences. I think a few people in the industry have actually figured out how to manage this, because they seem to be at every one that I go to, and I don't go to them all. But I think what's really required here is top-down leadership. It absolutely has to come from the top down. And it's interesting: I saw the news last week that the Target CEO is being asked to leave in light of the incident. Now, it seems like there might be other mitigating or complicating factors as to why he had to leave, but the fact that that was even one of the bullet items was interesting, because I think until you get a situation where the executive leadership is asked to step down if there's an incident, people aren't going to take it seriously. If that started becoming a regular thing, like every time there's a big incident the CEO gets fired, you bet there's going to be a lot fewer security incidents in the next... like, we could probably solve several of the OWASP Top 10 issues in the next 12 months just by doing that. Are you kidding me? Because these guys strangle the budgets, right? You can argue about security as a technology problem, but if you have no budget to solve it... How many of you work in an organization where your budget could be a little bit bigger than what it is? Oh look, that's 100 people again. Interesting. So you've seen what I'm talking about.

So in my experience, security is this interesting balancing act between business and security requirements. Always, always. The more secure you are, the less convenient it is. The more convenient you are, the less secure it is. That's just how it works, guys. You all know this; I see more heads nodding. So when it comes down to it, when push comes to shove, which gets more weight, business requirements or security requirements? 100 percent of the time, correct, just about. Now here's my challenge with that. I'm as much a business consultant as I'm a security consultant. I don't have a problem with that per se, except for one important detail: the executives making that decision often have no clue what they're talking about around security, and they don't go out of their way to get informed on the issues before making these decisions. That is the real crux of the problem.

These folks, they wouldn't know a reverse shell if it bit them in the butt. They have no idea what Metasploit is or what it does or why it's important, and from their point of view Pony Express is some old-fashioned way of delivering the mail, right? There's a fundamental lack of awareness in most organizations, in a way that most people don't get a chance to see, even amongst the development teams, who you'd think would know better on some of these issues. I always do a few things when I teach classes around security. I always ask, who's heard of SQL injection? Awesome. Who's seen it? And hands go down every time. Most people have heard of it; not as many people have seen it. Who's seen it used to get root on a box, right? And amongst a developer crowd, most hands go down. Now, somebody asked me the other day, why is that important? Here's why it's important: if they don't realize you can use it to go all the way to root, then they don't take it seriously. Okay, same thing when you get into cross-site scripting. Who's heard of cross-site scripting? Who's actually seen it? Who's actually seen it used to steal a session identifier or something interesting, right? I know in this room a lot of people have seen it, but outside of this, we're in our own echo chamber here, guys. Outside of this room, people have no idea what it is we do for a living. They have no freaking clue. We've had the OWASP Top Ten; we've not even solved the top two, because when I get to cross-site request forgery, most people haven't even heard of it outside of this room. And you think, oh, but it's in the list. Yeah, tell the developer to go read the list. Until I show up, usually, in most organizations, and physically show them the list and explain to them how it works, they've never even heard of it. And this is in 2014. I had a class just a couple of weeks ago. I actually was out of the training circuit for about a year, and I came back and I was like, oh, things must have gotten better. No. People are still solving 1999's problems in 2014.

Now, some organizations are far further ahead of the curve, and you get into... everybody's talking about DevOps as the solution and Agile as the solution, part of the solution, and I don't know, chicken or the egg here, but they're clearly pushing each other forward, and both things are happening. I've seen more uptake in Agile in the last 12 months than I've seen in the last 12 years. Suddenly everybody's doing Agile, like actually doing it, not just pretending to do it, and doing it half-assed, like partial Agile, partial waterfall. People are actually doing Agile for real. It's kind of interesting. Now there's some upsides and downsides to this. The upside is you get more iterations. The downside is it's super easy with Agile to go enthusiastically in the wrong direction, and it's like three or four or five sprints away before you realize, oh, we went the wrong way, and you've got to back it all out, and then you've got to say, oh, we should have gone that way. All right, and you start enthusiastically going in the wrong direction again, and you're like, oh crap, we should have gone the other way. We really need to go this way, right? And that actually happens. And what I've seen in some organizations recently is that when people realize here that they've suddenly started going the wrong way, and they actually say, hey, hey, we want to pause, management steamrolls and they say, you can't pause during the sprints. So Agile is not the solution, and in a lot of ways it actually amplifies the problem. Okay, so we need to evaluate: what are we doing today, and is it helping, is it not helping? What are ways we can still augment and add security into things like Agile and DevOps in ways that are actually productive and don't allow us to go too far off the beaten path before we realize we screwed up?

And I think in a lot of cases the cloud and things like the Internet of Things just amplify this problem altogether, because like all great new technologies, we've been running full steam ahead putting everything we can into the cloud, and a few of us have been waving our arms saying, hey guys, slow down here, but to no avail, because everything is in the cloud now. And I think, hopefully, now with the NSA thing, people take a second: what have we really put in the cloud here? Is it actually secure? What does it mean for it to be secure? Who protects the crypto material that makes sure it's secure? I don't think we asked a lot of these questions before we put it into the cloud. Pretty sure we did not.
So in a lot of ways, in my mind, it comes down to something pretty simple.

I think we have not one but three separate communication gaps that occur in the industry. You definitely have a communication gap between business and technology, right? Everybody's experienced this. The business folks speak with a different vocabulary than the technical folks do. This has always been an issue. But we also have two different communication gaps that we have to manage as a security industry. We have the gap, obviously, between the security and the business side, which is different, by the way. It's not the same exact gap as the one between the technical and business side. Development teams have different things they have trouble communicating than the security teams do. But we also have another gap to manage, which is the gap between the security and the technical side. The development teams do not understand how to read threat reports and vulnerability reports. It's Greek to them. It requires a level of translation that a lot of us seem to miss sometimes. If you want to make a good career move right now, at the beginning of this third curve, become a universal translator. We need as many universal translators as we can get, because getting the business side to understand what really needs to be done requires us to speak in their language. Does that make sense? If you go in waving your arms about how the server's going to get hacked, they're like, why do I give a [expletive]? That's how they're going to look at it. Why do I care? Get out of my office.

And it's evident in a lot of ways by how we train the various groups. So I happen to have been in the security education field for a little while, and I have some interesting data points here. The security folks live essentially in the lap of luxury here. The security folks get to go to security conferences. They probably have time allocated throughout the year to do security training classes, usually a week or two, plus in addition to the security conferences, plus the various e-learning modules they get to watch. They get all these various perks. They may not see those perks at the time, but they really are. Now you get over to the developer teams. They might get their own set of perks around development, but when it comes to security they're going to get the one-to-two-hour awareness module that includes privacy and basic awareness, how to not, you know, [inaudible] with your computer kind of a thing. And they might get one to two days total in the year of security training, and they usually don't get to go to security conferences, and if they do it's like one small local one near them, and that's if they're proactive and seek it out. Is that why you're here?

So in addition to being a geek about lots of other things, I'm a learning geek. I like to learn how to learn, and I like to learn new things, and I like to teach people how to learn. And one of the things they always say is, if you're mastering a particular skill, you need ten thousand hours. Everybody's said this. Now that might be true, but I think if you want to be a master, if you really want to be an expert, a thousand hours is plenty if they're focused in the right way, and you can be pretty darn good at something in just 100 or 200 hours. Now if you compare that against the 8 to 16 hours these guys get per year, it's like scooping a bucket of water out of the ocean. It's not really making a dent. It gives them a little bit of awareness and energy around the idea for the time, maybe a week or two after they take the class, but unless you're going to follow up with it and have it be part of a broader program, it doesn't really work very well. And this is coming from somebody who sells security education. And interestingly enough, we always say security is not a technology problem, it's a people problem. How much money and time do you think we spend training the executives and managers? Almost zero. They get the one-to-two-hour-per-year awareness and "don't be [inaudible] with your computer" module. That's it for most organizations. That's not true of 100 percent of the places, but I would say a pretty broad swath of the industry, across every industry, falls into this. And I see more heads nodding, so you guys are validating what I'm seeing here. So that kind of creates some problems. Some more water.

So one of the things I've seen, in addition, because these things aren't there... I'm not saying that these are broken, but they're not enough, is what I'm saying. So one of the things that I've seen that works really well: a lot of leading organizations are doing things like creating programs for what they call security deputies, or security champions, or local security coordinators, or security ninjas. Now here's a little pop quiz for you. Of the things I just said, security champions, security ninjas, what's the other one I said, local security coordinators: what do you think appeals to the business side the most? These guys love being ninjas. These guys really love being ninjas, right? These guys, they're like, what the hell are the ninjas? So you have to speak their language. They like the security champions, because it's a very kumbaya kind of feeling: we are the champions. You have to think and speak in their terms if you want them to come along. These guys have better things to do than to be security ninjas. They don't care. In fact, that actually is the antithesis of what they want to be. They don't want to be security experts. They see it as, why is the security thing getting in the way of my job, right? How am I on time? Fine, I just wanted to know where I fall.

So those kinds of programs I think work really well, and I think they can be an extension of what we already have here. I think that, again, as an industry we have a lot of really good community activities that happen now that didn't used to happen 10 years ago. I remember when I first started learning about security, I went to the bookstore and there were like three books, and I mean that literally, about three books. And now there's hundreds of books, there's lots of resources, there's all these community activities where you can go and learn from people. But it can't just stop there. That's great for this part, but we need to find ways to... so how many of you guys consider yourself social engineers, or at least admire social engineering, right? So you can use your social engineering lessons to get this information over to these other groups. Run a brown bag lunch, invite people to show up. You want a good way to get security deputies, security ninjas, security champions, whatever you want to call it? Host a brown bag lunch on an interesting security topic and see who shows up. Those are your first recruits. Some of you have heard me say this before; I've been advocating for this for a while. You need to find a way to get them more involved. That has to be the answer, because if these guys don't get it, then you're going to continue to run on shoestring budgets. You're going to continue to get the rug pulled out at the last minute when you otherwise wouldn't need to.

And when we get together we really can do cool things. Heartbleed is a good example. Heartbleed came out as one of the most serious security issues that's come out in years, and within a few days not only was it on its way to being fixed, but everybody knew about it. Even the people outside of our sphere knew about it. I went and did a training class with a group of non-security people two weeks after Heartbleed, and every single person in the room knew about it. And still most of them didn't know what cross-site request forgery was. So we did something right. We managed to get the noise up for that and get past the drowning out. But that was because it was a really serious issue. If we were to take like one issue per year in the OWASP Top 10 and just make it, all right, this is the year of SQL injection, 2015, we're going to eradicate SQL injection forever, and as an industry we just decided to make that happen, we could probably do it. It would require a lot more work than what you probably think it's going to require, though, because it's not a security issue. You've got to convince these guys they need to spend money on that. That's the trick. Now how do you do that? You have to speak their language.
So I have a few closing remarks. Does anybody have any questions while I'm going into those?
What is their language with respect to SQL injection? How are they, why do they care? Has anybody successfully sold defending against SQL injection? Want to answer that?
What's your before and after?
I was running a social media startup, you know, hacking together, but you know, I saw the problem and I said, hey, you know, it's kind of an issue, we're getting more popular, and then some guy from Russia ran a bunch of tools on it, it was probably SQL or something, and we got hacked, we got the entire database dumped. Luckily there's no credit card information in there, but a lot of people's phone numbers and email addresses. Hey, guess what, we should work on security now, right? Nothing like a breach to get people's attention.
Part of the issue isn't just, you know, speaking the same language, because a lot of times security people were technical people so they can speak a lot of the same language, but rewarding it. I've never seen a developer rewarded for being secure; they get rewarded for performance.
Yep, I've seen it occasionally, but very rarely, and it does work well when they do find ways to do it, but you have to make it a priority enough that you're going to grade people on: are you secure or not. Now, one thing to answer your question: I have found that an appropriately placed demo, you know, a picture speaks a thousand words, a good demo speaks ten thousand. But it had better be a good demo. So if it's a demo where you show up and you start getting down into the weeds of all the technical reasons why this is an issue and you put them to sleep, then you've missed the point, you've missed your opportunity. But if you can get in quick and be like, look, your SQL injection is because of injection flaws; injection flaws occur in the following 27 different languages, SQL injection is only one. And then you go and say, all right, well, here's this example of an application that's using SQL, let's type some things into it. You show them single quote or one equals one, and show them how to bypass authentication, and then you're like, all right, but then it gets worse, and then actually show them how to execute commands and things, and within 10 minutes you get their attention. But most people, when they do demos, I've noticed they want to show everything, they want to show all the details, and you've got to cherry-pick what you show them and you've got to get to the point. So, here's a little tip for you guys: any time I give a presentation of any kind or a demo of any kind, I always ask myself the following question: what do you want them to think, do, or feel at the end of your talk or your
demo? If you cannot answer that question in like five words, you're probably going to fail.
Yeah, you talked before about translating business language into executives and talking about things that way. Do you often, when you're trying to sell security, represent it as an ROI to make that impact?
Sure. So here, that actually kind of, I didn't pay you for this, I swear. So again, we live on Moore's law, and as Dan mentioned, there's multiple different versions of Moore's law, but let's just keep it as one exponential curve. So as technology increases, we have the opportunity to build more cool toys, right? The fact that I have an iPhone in my pocket, that wasn't even possible 15 years ago, all right, that's because of Moore's law. But I get that full toy. A few years ago, suddenly we started seeing cloud-based file storage, things like Dropbox and Box.com, various other iterations of that. Up until we reached a certain point where we had enough bandwidth to pull that off, it wasn't possible. So that also, now every time we do this, we create new security issues. Now, I am going somewhere with this, I promise. I believe that the hacking community tends to follow this curve fairly closely, because as an individual or a small organization it's not very hard to; you just buy the latest toys and you see what they do, and you keep up with the latest things on GitHub, or wherever you get your code from, and you can pretty easily keep up. Most organizations, do they follow Moore's law at the exponential speed? Not even close, right? It's much more of a linear deployment. Every once in a while there's a little jump up, but it's still basically linear. So what that means, by definition, if you buy into that premise, is that the gap (if this is time, and we were to put, say, 2000 here and 2015 here, which for any given 15-year period this curve probably applies) is getting bigger and bigger and bigger, and to Dan's point this morning, I think we're almost at a point where if we don't do something now, it's too late.
Yeah, so how about in terms of geek speak, jail time? So the SEC has enforced, you know, new regulations, and also, so in terms of SEC speak and geek speak, how about jail time? So again, seriously, the SEC has said, you know, you are liable; for negligence you can go to jail; you have to document what your IP costs are for your loss. It's easier for a software company, particularly selling software. It started with Symantec, so today it's with any public company. If you're a public employee, you can comment on training for that too, at a management level, and for technology and development.
Who's it? Oh, we gotta get Ski on the mic.
So you were talking about the big challenge that there is to communicate to the business and so on, and I was writing a few things. One of them is, partly, there was that xkcd comic a couple weeks ago that I thought did a very good job of explaining in fairly non-technical terms what the technical aspect of it was, and also, though, emphasizing what the end impact was. And I was reminded also, Rob, by a demo that I did like 10 years ago that was non-technically focused but a live demo, not to the board but to the spouses of the board members, non-technical people. I used a zero-day or near zero-day directory traversal vulnerability to show deletion of all the pictures in your folder, and showing it live. It didn't have to show a lot of the technical explanation of what was going on, because they don't understand and they don't care; the emphasis was much more on the impact. And we did it, and we did it live, and you could hear the breath go out of the room. So just to reinforce, I think the notion of demos that emphasize the impact was really useful.
I've not found anything more impactful than demos, even for the business crowd, if you adjust the level to where you're not talking in such a technical depth that they can't understand you. If you adjust the demo, you can show cross-site request forgery to a CEO; it's totally possible. If you can't do it, it's because you haven't figured it out; it's totally possible. SQL injection is possible, cross-site scripting is possible. "I can't do that." What does that say? Okay, my eyes aren't that good.
Yeah, so at what point does it become FUD?
That's a good point. It becomes FUD when you're lying, right? It becomes FUD when you're basically making claims about things that aren't really true. But if you can take an off-the-shelf piece of software, even if it's a little bit old, and demonstrate how you could potentially use it to go all the way to root for a particular issue, that's not FUD, it's real. It's using actual software, actual vulnerabilities. You know, if you kind of do the arm-waving dance while you're doing it, I don't know, maybe then you cross the line. I don't know. There is a fine line you have to kind of walk, because you don't want to just be the guy that's going around saying the sky is falling all the time. But if you look across, you know, the CWE list, the CVE list, in a lot of ways the sky kind of is falling, or it has fallen many, many, many times. So educating people on the ways that the sky has fallen over time, I don't see that as FUD; I think that's just educational, because honestly most people think it's a lot better than it really is. Most people have no clue, once you really start to get down into things like what's a rootkit, how does a rootkit work, what does it do to your system, what are the various layers of rootkit you can have in your system. And if you have no clue that stuff even exists, that's not FUD, it's just informing.
Do you think we, as security professionals, do a good job
articulating the risk? Because risk is the common concept that's understood by everyone, and maybe that's the key to communicating to business.
Sure. You're actually, again, setting me up for my final point. So I think that the language of business is finance, accounting, and risk. That's it. If you want to learn how to speak to an executive, those are the words they typically speak in: finance, accounting, and risk. It usually, in some way, boils down on some level to the numbers and the risk of those numbers going one way or the other. Now, I'm simplifying a little bit, but those are clearly key points. And what's interesting about that is that on the business side you have basically finance, accounting, risk. On the security side we also have risk, but it's not just business risk that we worry about as security people; we also have technical risks. They're not the same thing, necessarily. Just because something can be broken into and should be patched, or could be patched, doesn't mean that as a business it makes sense to in every case, right? They're not the same thing. So we need to learn how to shift our language from here into the business side and understand how what we're talking about affects the business, because that's what the executives care about: how does this affect my business, what is the risk of doing something versus not doing something here, right? But in a lot of cases they're making those decisions from an uninformed point of view. That's my point.
Wait, in the background.
All right, so speaking specifically of SQL injection, as someone who's been programming SQL for a very long time, I want to share, with a bit of a smile, a 100% solution to never having to deal with SQL injection: if you use a NoSQL database, you will not be compromised by SQL injection. Now, that doesn't mean you won't be compromised in some other way. But on a serious note, things like SQL injection can, in some cases, be eliminated in the design stage. For example, if you're worrying about your website being compromised by injection in a programming language, you could conceivably compile the code rather than use a programming language that's interpreted. And even if you use a SQL database, once you're at a scale of tens of thousands of machines, they usually don't scale up that far, so you end up writing an API layer between your SQL database and the rest of your website anyway; might as well make that API layer deal with things like SQL injection.
Right. So this is all, for any given issue there's always an answer, right? That's a good set of answers, that's a good set of possible answers that may not work in every environment, but it's a good possible set of answers. But for any given issue there's a set of answers; it's not that we don't know the answers, right? It's convincing the development teams, the business teams, that the answers are the right thing to do. So we need to work a little bit more closely with them. I think in a lot of ways security needs to be something that's part of what we do as a business, rather than just, you know, something we do as an industry. Yeah?
It is not solved is because it's called cross-site request forgery. Heartbleed had a cool name and a logo, and I think that's a big driver for why it was so successful in getting penetration with C-level executives. I mean, how many people, even C-level folks I know, talk to, they know about CryptoLocker now. CryptoLocker sounds kind of cool; SQL injection doesn't sound that cool. And CryptoLocker is easy to explain, SQL injection not so much. But I mean, how many people remember ILOVEYOU and Melissa? You know, it seems almost like we need to focus more on marketing sometimes.
Yeah, exactly, like marketing can maybe win the day for us, and not so much focusing on the technical. Yeah, all right, another question, back.
How do you suggest implementing security as part of the business process?
We're going to start, you mean, ask me more specific questions.
I've noticed that a lot, well, the issue is most executives don't even think about security as part of their business or business process, and I think sometimes the security guys don't actually get involved with how the business process works, and so therefore they are unacknowledged of how a department works and how the security affects it. And then I think, how does the security person say, hey, this is insecure, and how you're doing things to make it secure?
Right. So I can tell you a couple data points that I think help. One is that when security is part of the IT organization, it's not going to get the right level of visibility. The projects I've had the most impact on are ones where I've been able to go in and have carte blanche to just ask whoever I want to: so what do you do for a living, what is your piece of the pie, how does it work, how does it fit into the bigger picture here? And being able to address that all the way up and down the stack is kind of what's necessary. So I think we need to see more, I was actually talking just the other day about this, we need to see more C-level positions at the security level, right? It shouldn't just be an adjunct of the CIO's team; it should be at the same level as everybody else. The joke the other day was that security should get a seat at the big kids' table, and oftentimes it does not. So that, again, requires top-down leadership, and requires us to find ways to teach the executives that it needs to be at that level. This is a process; this isn't going to just magically happen when you snap your fingers. It's going to require a lot of our social engineering skills to make this happen over time. We have one last question over here. All right.
One possible way you could address this: if you ask a business stakeholder, what are the three absolute worst things that could happen to this business?
Yep.
And if any one of them has a root in addressing it securely, it's their words: you told me that these three things keep you up at night, so let's talk about how we make those things right.
So here's, so that's the, I'm gonna rip that off for a second, because I actually have a good technique that works for this. So you guys play with this acronym, CIA, not the organization, but confidentiality, integrity, and availability. So here's something I've done in my architecture classes a lot. I go in and I'll say, all right, confidentiality, integrity, availability: choose one. Which one's the most important? Which one's the most devastating if it fails? And a lot of folks don't know how to answer this, because they're like, well, they're all important. Like, pick the one that's the most. And then I walk into an exercise and say, for confidentiality: suddenly all your confidential data ended up on the internet. How screwed would you be? And they're like, oh, pretty screwed. I'm like, good, so now we have something we can measure, the level of screwed, right? So then I say, all right, integrity: suddenly all of your data integrity fails, everybody can change everything all the time. What does that look like for you? And then finally, availability: if suddenly everything is shut off, and it's off for a week, what does that look like for you? And for most people, most organizations, on all three they'd be pretty screwed, but usually just having that conversation is kind of a lighthearted way of getting them to figure out which one really matters to them the most, and for each one why it matters. And that actually is a really good way of convincing upper management. I've actually used that technique a lot, so thanks for giving me that value there. All right, so I think I'm just about out of time. Somebody has a really burning one? Then I have to get out.
Over here in the front, one more, quickly. All right, this will be the last one.
In the beginning, when you talked about the three humps that you're facing, you said that the last hump is going to go into strategic thinking. So I don't think it necessarily has to go there; I think it should go there. So how would you tie the last hump back to your strategic thinking? And all I'm hearing so far is that the strategic thinking for the security industry is to become good communicators and raise awareness with executives. So what else? How do you tie that back to your strategic thinking? What's the next step in that?
So that's a great question, all right, so...
Yes, we're burning, that's a burning one. All right, let me think about that for a second before I just start spewing out everything. So I do believe, in a lot of ways, because I've been fighting this battle for 15 years now, I really do believe the key element of it is communication. But what are we communicating? That's an important element of where we communicate. I think communicating the idea of defense in depth is important; I think that's a key one. The moment of Zen I'm going to leave you with at the end here: you know, Dan Geer mentioned that everything must die and things need an expiration date, and I actually, I'm not supposed to say this, but I heard him give a similar talk the other day, and so I heard that quote twice, and both times it kind of struck me as fairly profound: like, the point of living is to die. But, you know, if you follow any kind of Eastern philosophy, everything has got, you know, a little bit of a duality to it. So if the point of life is to die, the point of life is also to live. And I'm going somewhere with this, I promise. I have a lot of bonsai trees and things at home, and I've seen them, like, some of them you can even cut off a leaf and they'll grow just from the leaf. They really want to live. And the security industry, in a lot of ways, I remember a time when there wasn't a security industry, and what I've observed, like all good industries, is that it's all the same patterns as every other industry, which is: it needs to grow in order to survive; in order to grow it needs to eat more money; in order to get more money we have to sell more products; and in order to sell more products we have to engage in more FUD and a bunch of other crap that we all find distasteful. So I think that the answer we're going to find here isn't going to come from the industry per se, even though we're all part of it. It's going to come from the places where I've seen them make the most impact the fastest, where they're the furthest along the curve. I would say those are the ones where you have, I'm gonna call out somebody specific, somebody like Bob Rooney at Liberty Mutual, who's really making sure and driving home that security must happen here, it must happen now, it's very important. So you kind of need that champion to step up and do it. Another good example is Akamai; you've got Andy Ellis out there, you know, doing the same things. And unfortunately, we should look at those as examples of what to do and what to follow, because there's this path that's been tread before, and so in a lot of ways it's kind of lather, rinse, repeat, and follow what has been done that you've seen has worked. But every organization's a little bit different, so there's really no one-size-fits-all answer, as much as the vendors would like there to be, because that's where they can sell you the shiny box. I really believe that the answer is a people problem, and it really does require looking at every organization that we're talking about and trying to understand: what are the actual problems that we have here, what are the assets that we're trying to protect, what are the risks to those assets, and based on that you come up with a plan for how we communicate to everybody what needs to be done, because it's going to vary. My advice, that was kind of a long and crazy answer to the question. I hope, if I didn't answer your question, come ask me afterwards, but my time is up, so thank you all.
See you all at SOURCE for next year.