
Synthetic Identity

BSides Cayman Islands · 49:11 · 276 views · Published 2023-05
About this talk
Len Noe examines how physical and digital identities have merged in the modern threat landscape. Drawing on open-source intelligence tools and data-harvesting techniques, he demonstrates the ease with which synthetic identities can be constructed from leaked PII, then outlines defensive strategies including zero-trust principles, adaptive multi-factor authentication, and privileged access management.
Transcript [en]

Before I get started, I just wanted to take a few minutes and say a few things. First of all, I wanted to let you guys know how absolutely fortunate you really are. I have had the privilege of speaking at BSides conferences literally all over the world, from Barcelona to Texas to the Caymans, you name it, I think Toronto. I think I've done like 23 different BSides, and to be honest, you know, RJ, if you haven't met him out there, please take the time to do so. The organizers here: he asked me last night what is my favorite BSides and why, and the truth is it's this one, and it's not for the reasons that you would think. Oh, we'll get to that in a minute. This, in my opinion, is probably one of the most authentic BSides that I have ever been to. This is truly community driven. You know, between James, RJ, Ozzie, Diamond, you guys have put together, in my opinion, one of the best conferences for an actual community-driven, you know, cyber security event, and I am honored and grateful for the opportunity to come back. You guys have done an amazing job, so quick round of applause for the organizers and for BSides. [Applause] So having done that, let's have some fun. So thank you guys for coming. The title track for my talk today is called Synthetic Identity.

All right, let's see if we can figure out the fancy clicker. Oh, it works. All right, so if you didn't catch me last year, my name is Len Noe, N-O-E. I am a technical evangelist, a white hat and a biohacker for CyberArk Software. If you're wondering about the biohacker thing, my best advice is to actually look up my talk from BSides Cayman last year; you can check that out. I've spent the better part of my life actually as a black or a gray hat and came to the security side of things kind of in an unnatural way. I basically started having grandkids and decided that, you know, if I don't want to have my grandkids meeting me behind bars, I needed to make some changes. And in doing so, it basically gave me the opportunity to take the skill set that I had acquired and that whole think-like-an-attacker methodology, mentality. I don't have to worry about trying to think like an attacker, because I am an attacker. I'm also, as I said, one of the world's thought leaders in bio-humanism or transhumanism. If you're not familiar with what that is, I am actually an augmented human with about 10 different microchips in my hands that I use for offensive security. I'm extremely active on social media. I have all my contact information up there; feel free to reach out over LinkedIn, check out my YouTube, my GitHub, and follow me on Twitter for additional security-related stuff.

So let's get into the nitty-gritty. Identity. Identity seems to be the big word in the industry today. We hear about identity theft, identity monitoring, identity validation, identity security. Everything is tied to identity, and with very good reason: our identities are the most valuable thing that we possess. It's our likeness, our voice, our behavior patterns. It's our friends, our families, our hobbies, likes and dislikes. It's what makes us us. But is it the physical us? Is it the digital us? And is there even a difference between the two anymore? You know, I think it's a really good idea for us to start with just a simple definition so we can all be on the same page. For the purposes of this talk, according to the Oxford dictionary, identity is the unique set of characteristics that can be used to identify a person as themselves and no one else, and this is the context that we're going to be using for the rest of the talk today. When we look at all the data that we actually just leak during our normal day-to-day life, we can see how quite a bit of this information can actually be weaponized against us, and it's my hope that by the end of this presentation we'll see that when we talk about identity, it's all-encompassing, and the perceived lines that we've drawn to separate the different facets of ourselves simply don't exist anymore.

So this brings us to synthetic identity. You know, so let's look at the bigger scope for just a minute. We have our physical identities, we have our individual digital footprints, we have computer identities and the multiple accounts that encompass the full scope of who we are, with account sprawl as well as data harvesters. Basically every single application, every purchase we do wants our email, wants us to take a survey. The human experience is for sale, and the market's good. Phishing and targeted spear phishing are becoming more and more effective due to the availability of what we used to consider PII that we're now just giving away as part of EULAs. We see targeted advertising based on our search patterns and data analytics. We see doxing, the public disclosure of individuals for nefarious purposes, in the news, pretty normalized these days. We have AI chatbots that are in the news almost daily now. We've been the commodity for quite some time, and I don't think people realize just how valuable this type of information is. What if we were to see the melding of predictive analytics combined with AI used against all the information that we're leaving behind? This is the synthetic identity that I just mentioned. It's not an individual but more of a collection of an individual's behaviors, mannerisms, interests, likes, dislikes, posts, essentially everything that we do. Depending on the size of the data model and the online activities of an individual, there's a very high probability of analytical success from that type of a data set. Think about all the little nuances we do when we're online, things that nobody else would notice unless they were actually watching us every single minute of every single day. We have the ability to interact with that data in a user-friendly way now, and I'm actually going to be demonstrating that to you before the end of this presentation.

So we live in a digital world. Let's look at how every aspect of our lives has basically turned digital. Everything from smart TVs to the cars we drive, everything has a username and a password. Every service wants to know more and more about you and your life. Think about the last time you were able to do anything without the need of some tech stack behind the scenes. Practically everything we do wants some information from us as the user. Every business or service wants to know more about us. You're going to go grocery shopping? Get a loyalty card so they can send you targeted coupons. Want to buy a new car? Take the survey. Need a doctor? They want to know every aspect of your life. The requests for your data are everywhere if you actually stop to look. There are even some parts of our national infrastructure that have actually been converted to smart devices, and this is the only way they work now; there is no way to do these particular functions manually anymore. Everything is asking us to attach our physical identities to more and more digital services. Every time we add a new app or a mobile device, another piece of software is asking for permissions to reach deeper and deeper into our private lives and our individual beings.

So, you know, we've all seemed to look at our life very compartmentalized. For example, we see our work life very different than our home or personal life, but the truth is there's so much overlap we don't even see the forest for the trees anymore. Anybody that has ever been to one of my talks before has probably heard me say the days of keeping the bad guys out and keeping them on the DMZ just doesn't work anymore. Not that we don't want the security, but we've moved into a different type of technology model. This is a world where corporate assets are not stored on corporate properties anymore. This is a world where we are seeing more and more business use on our personal devices. BYOD is essentially commonplace. We have more remote workers now, post-pandemic, than ever.

Yeah, we do everything we can: endpoint security, antivirus, EDR, XDR, BitLocker. Hell, I could talk for another three hours up here about different security controls out there, but the truth is, as soon as these devices leave our environments, we just gotta hope that we've done our jobs correctly, as well as hoping that our end users remain vigilant in their efforts to keep the company safe. You know, we sit back and watch our laptops and our mobile devices walk out into the world that, as we as security professionals know, is a digital war zone. What's the first thing that's likely to happen when we take an asset out of a company? Anybody? What are we going to do with it?

Bingo. These assets are probably either going to be plugged in or logged into a home network. And let's be honest, on our home networks, do we have anywhere near the same number of controls that we have in a corporate environment? How many of us are doing patch management on our routers, our home NAS devices? And God help us if you've got a smart house and you've got IoT. You know, do you have a system for updates for your home technology? Do you have lifecycle management for your internal devices? For the second time, we're not going to go down the IoT and smart road, but think about it: maybe you've got to share your home internet. Here's one that should be relatively easily recognizable. Everybody here remember Minecraft? Oh yeah, maybe you're like me, you got kids, you've got grandkids. Some people may not be aware that Minecraft is actually used to teach computer science to elementary and middle school children, to try and get them to understand code. But at the same time, depending on which version of Minecraft you're running, that is extremely susceptible to Log4j. What if somebody in your household is using the BitTorrent network? You know, currently the estimation is, what is it, I think it's two out of three binaries on the torrent network currently contain some form of payload, be it a RAT, a Trojan or a virus.

So our attack surface is literally everywhere, and we haven't even brought up machine identities yet and how that can actually accelerate account sprawl and overlap. How many self-service portals are using the exact same questions? I mean, if I'm using my mother's maiden name for my Netflix, is that the same mother's maiden name that I would be using on my Office 365 self-service recovery? Do I have two mothers' maiden names, and is this something that publicly we could get? You know, let's look at some of the digital trends and the numbers. This data was taken from July of 2022. The total world population around that time was hovering right around 8 billion globally. Now let's use that as the comparison point. The total number of online users at that same time was around 5.3 billion. Social media users at the same time, 4.7 billion. E-commerce, 4 billion users. You know, I love numbers; numbers don't lie. Then we can look at the AI. ChatGPT actually set a world record for 1 million users in its first week. 35% of all companies right now are investing some type of capabilities or investment into technology related to AI, and 44% of the private sector companies plan to invest in AI this year alone. One moment please. I've said it before, I'm from Texas, I can handle heat, but the humidity here is causing me to melt like a snowman. Apologies.

So these are the technologies that are coming at us fast and furious. So I told you that today's talk was about synthetic identity. So how do we create a synthetic identity? We're going to start by talking a little bit about OSINT. If you've never heard this term before, OSINT stands for open source information technology, and as defined by the United States Public Law, this is intelligence gathered from publicly available sources that is used to address specific intelligence needs. The U.S. Director of National Intelligence and the Department of Defense also cite this definition. According to NATO, considering that's a little bit broader scope, OSINT includes information from publicly available sources as well as other unclassified information that is not widely distributed. So basically this is public information. There's no hacking involved; that's one of the key points I want to make about OSINT. This is not hacking to get information. This is just leveraging information that is already there that people may not, excuse me, that people may not know where to look to find. And this is the heading that the rest of this talk is actually going to be under.

We're going to start off by taking a look at some of the bigger commercial operations that are available for a fee. A couple of examples of these would be Checkr, BeenVerified, First Advantage. Maybe you've used some of these services in the past. You know, then we have the open source tools, and for the purposes of today's discussion we're actually going to be going over three different OSINT tools: iKy, which is "I Know You", SpiderFoot, and Blackbird. Each one of these tools will add a little bit more information to our synthetic identity. So let's go ahead and show you guys what this actually looks like in real life. So before we get started into the actual meat and potatoes of the video, take a look at this. For the sake of argument and for the purposes of full disclosure, I'm going to tell you guys you're going to find out some things about me today that, if you guys were in the same position, you may not want up on this screen. But the truth is, everything that I'm going to show you today, any single one of you would be able to go out and get the same information. But this is from a pay service called BeenVerified. This is on the header page of every single report that you run, and if you look at what it says, and I know it might be hard to read from there, so I'm going to read it for you: please remember you are restricted from using this information for employment screening, hiring of household workers, tenant screening for housing, educational qualifications, credit or insurance purposes, or business transactions initiated by an individual. So if you're not allowed to use this information for any of those purposes, what is the legitimate use case? There isn't one. It's somebody just selling our data for the sake of selling it. So let me show you what it actually looks like. Hello. Thank you. So this is BeenVerified, and I'm actually not going to obfuscate any of this, because you can go to the same app, run the same report and find the exact same thing. So there I am, Leonard Keith Noe, 48 years old, Austin, Texas. So let's actually go ahead and run this and show you the kind of information that we are making monetizable.

I'm 48 years old, I was born in 1974. That is my home address, that is my phone number, that is one of my email addresses. So, social media: some of these are my social media accounts. Look at what the headers are there on the left: phone numbers, email addresses, address history, relatives, name ancestry, names, associates, neighbors, jobs and education. I can even run criminal background checks in here. Possible owned assets: that's my car, that's a truck that I sold four years ago, that Jeep Wrangler I got rid of almost 15 years ago, that Explorer Sport Trac a long time ago. We're starting to see a pattern here. I can look up DEA licenses, weapons permits, professional licenses. You know, I'm just running through here. How about associates? These are people that are known to be affiliated with me; some of these are some of my ex-in-laws. You getting the point yet? How about relatives? That's my wife, that's my daughter, this is my ex-wife's husband, that's my ex-wife, that's my ex-wife's current husband. But you also notice there are dates when these are available. So that's my mom, that's my dad, that's my brother, that's my sister-in-law. Pretty scary, and it's only going to get worse. There's my employment history: CyberArk, ADP, Westnet Technologies. Education: there are some of the A Cloud Guru, there's the college I went to, New Horizons. That's a lot of information.

There's all the places that it knows that I've lived in the past. If we're looking, and get this one all the way down here, you see that one on Cowan Road? That was my first apartment when I was 19 years old. Every single address that I've ever lived at, with the exception of when I lived in Puerto Rico, is on that list. So you have family members, relatives, previous addresses, and that was the commercial stuff. What about... went back, went too far. What about the open source tools that I was telling you about? So let's run those. I'm gonna fire off all three tools, and we're going to show you iKy, we're going to show you SpiderFoot and we're going to show you Blackbird. iKy is an email scanner, Blackbird is a username scanner, and SpiderFoot is basically the ultimate Swiss army knife for searching, and we're going to fire up all three. So this is iKy. We're gonna fire off SpiderFoot, and all I'm going to put in here into iKy is my business email, .noe at cyberark.com. We're going to let that run. Anybody that knows me knows that I go by a hacker handle of hacker213, so we're going to use Blackbird and we're going to search almost 600 websites for the existence of an account named hacker213, and we're going to go into SpiderFoot and we're going to do a full web scan for the individual name of Len Noe, and then we're going to see what type of stuff we can come back with. SpiderFoot will actually let you do email addresses, domains, subdomains, IP addresses, users, reverse phone lookups, pretty much anything that you could ever imagine. So as these do take a few seconds to run, keep in mind when we see these, I do not own every account that is hacker213. I own a lot of them, but not all of them. So let's go back to iKy, and remember, this started with just my business email account. Found my industry, found my company. If you look over on the left here, you'll see email reputational details. Down on the lower right, the leak graph from any leak maps, social media accounts, social user scan. Then we get down, it found an Eventbrite page from one of my previous talks where somebody signed up, and now we're going to get down into the Yandex and the actual web searches. Let's see what we find. Because I'm a public speaker and I've done a lot of interviews, podcasts, there's a lot of information out there on the web about me. You know, so it's going to actually give you raw data as well as analyzed search results, and through all of this information we're still going: possible other usernames, hashtags I've been associated with. Let's go into profile. Keep in mind this is my work email address. Wow, it found the places I've lived, other possible emails, found my actual phone number, and this is just off of my business account. Found a bunch of the social media tools that we use at CyberArk. Every one of these that are green, there is an account named hacker213. Again, I don't own all of them, but if you want to try and find the attack landscape and actually try and get to me, you just found a bunch of information. I bring this up: this here is a LinkedIn profile that I found about two years ago. That's not me, and what I find really, really troubling about this is look how many followers there are, and that is not me; that is a counterfeit. I knew about this one. Remember we kicked off that SpiderFoot scan and said scan the entire internet for anything that's related to Len Noe? This is what I found when I was preparing for this talk. If we go under social media presence, I actually came down here, went, what the hell is this? This is another counterfeit account that I had no idea was even out there. So it becomes very, very easy to manipulate.

So now that we've seen a little bit of what I can do from just a commercial people finder as well as some open source tools, but we haven't even talked about the companies that we have to divulge PII to in order to even access their services. I'm going to talk about the big tech companies that we have integrated into the fabric of our lives, in order from worst to the best when it comes to data collection. What do you think is the largest? What big tech company is the one that's collecting the most on us? Anybody, throw it out. Facebook? Wrong. Google tops the list and collects 39 different types of data from its users daily across all of its products and services, stores everything from domains, including a lot of private data like browser history, location history, user activity on third-party apps, your health data from Google Health. It also stores every single email from your Gmail account. For fun, if you're a Google Android user, you want to know how deeply Google is ingrained into your life, go look at your Google timeline. You take a picture, it'll geolocate it and put it on a nice little chart that will tell you the time, location, metadata. You can't get away from it. Who do you think the next worst one is? Somebody, come on, throw it up. Who's the next worst data harvester? Twitter. Twitter collects 24 different types of information from its customers, and the thing is, if you actually look at Twitter's privacy policy, it says right in their privacy policy everything you post on the platform is available to third parties through programming interfaces. This allows businesses to comb through Twitter and analyze your data to learn as much about you as possible so that they can do targeted advertising directly to you. Next.

Yeah, Amazon. Sorry, Amazon comes next, 23 different types of data, and honestly Amazon, in my opinion, is one of the ones that scares me the most. Amazon can collect your name, addresses, searches, recordings when you're interacting with your Alexa, all of your orders, content you watch on Prime, contacts if you've enabled the email feature, as well as cookies. You know, according to Amazon it's for personalization, and that's just big tech speak for "using your data improves your online experience," but you may not realize it can reveal an absolute ton about you. For example, if you use just Amazon's retail store, via the website or an app, Amazon will collect data such as the purchase dates, payment and delivery information, and according to Rowenna Fielding, who is the director of data protection and consultancy Miss IG Geek, from that information alone Amazon can work out where you work, where you live, how you spend your leisure time and who your friends and family are, just from ordering on Amazon. And at the same time, Prime Video and Fire TV information about you: they can figure out potentially your politics, religion, culture and economic status just based off of what you're viewing on Amazon. Facebook comes in fourth with 14 different types of data. Believe it or not, Apple is the most privacy-conscious of all of the big tech. They are only nice enough to collect 12 different types of data: account information, device footprinting, payment info, transaction information, fraud prevention data, usage data, location, health and anything shared directly with Apple under your Apple account. You know, these are the ones that we have to basically give up a lot of PII in order to use their services, but we haven't even talked about the wonderful things that we'll sign up for, things like Classmates or Ancestry. And if you're not familiar with Classmates, because it's an older site that doesn't get a lot of, you know, notoriety anymore, this is essentially a social media site that allows you to stay in contact with people you went to elementary school with, junior high school, high school and college. If you haven't figured out yet where we're going with this talk, we've kind of talked about a lot of things that might be self-service recovery question answers, aren't we?

So if we take a look at the actual data science, it shouldn't come as a surprise that hacking and data science, they both have a lot in common despite being on opposite sides of the legality. You know, we have everything from utilizing AI for targeted spear phishing, we see AI being utilized to create new types of malware and ransomware that we've never seen before. You know, and I believe the reason that it's happening is because we now have access to these types of services that we never had before. AI was typically reserved for universities and governments. Now we have OpenAI, we have things like Midjourney, we have Google AI, ChatGPT is being integrated into the Bing search bar. We're putting this stuff everywhere. CyberArk Labs even was able to use ChatGPT to create polymorphic malware. You know, and if AI isn't such a scary thing, why is it that the government is looking to actually create regulations around it? You know, we talk about real-world threats. This was actually a public service announcement that came out in 2022 stating that bad actors were actually trying to get remote IT jobs using stolen PII.

These are actually two identity markets off the dark net. If you look, you can get an American passport for as little as two thousand dollars. I wanted to show you this one. Order process: after buying an ID or passport, send us a message with your age and gender so we can find a matching data set. Where do you think they're getting the data sets? It's all of our stolen identities. We're seeing AI used in the wild. We see police and governments using AI for predictive models for crowd control in different scenarios. We have new companies like Syntelx; if you look at their website, they specialize in intelligence and law enforcement. We can even now get a master's degree in criminal justice data analytics, so this is now going to be a very big part of our future. So let me ask you guys the questions. After seeing all the kind of things that I just was able to pull, you think I could figure out what street you grew up on? What about the elementary school you went to? Your first car? How about your relative's birthday? Maybe your mother's maiden name? Even your first job? Realistically, anyone with LinkedIn: we've turned our LinkedIn profiles into a living resume. So let me set the stage for you guys here. I took all of the information that I was able to get from BeenVerified as well as all of my OSINT searches.

I shoved them all into ChatGPT, and then I said let's see if I can interact with this. So here we go. Tell me about Len Noe. Well, Len is a technical evangelist and white hat for CyberArk. Oh gee, this kind of looks more or less just like one of my bios that I would put out for one of my talks. Not really impressed. I mean, it worded it nicer than me. Tell me more about Len Noe. Okay, let's see what it comes up with this time. Len's a technical evangelist... pretty much the same stuff that we had in the first paragraph. Not... oh wait, one unique: he's a biohacker or a transhumanist. Uh oh, he's also appeared on various podcasts. Okay, we're starting to get some information out here. Tell me about Len's family. This one shocked the hell out of me. My parents, Leonard Keith and Donna Fey; brothers Tracy and Trevor; his granddaughters; oh, what his grandkids call him, Robo Papa, which is true. It took my relatives from one scan, took a quote that I made in a podcast, and was able to correlate the fact that my grandkids call me Robo Papa. Here I said tell me about what Len did last year, so it went out and found all the different things that I did in terms of presentations during 2022. If I had a larger data set, imagine what we could do with the same type of technology.

So, in closing, we're down to the point where we have to ask: AI and chatbots, identity, business identity, home identity, they're all the same. There's no lines separating them anymore. So is this new technology that we're all putting our faith in a new friend or foe? Because I just made it look like it could be weaponized against us. Honestly, I guess that depends on who's asking the questions and what controls are currently in place to keep those answers within a proper set of parameters. I know there's been a ton of controversy around this new technology and everybody's got an opinion on it, everything from targeting individuals and threats of ruining personal users' careers to not providing correct answers during live demonstrations for chatbots. You know, there's been conversations about AI chatbot ethics, morality, bias, as well as any number of additional topics, and these are all great conversations that I can see happening in the relatively near future. But the truth is, we need to realize that this technology is still technically in its infancy, and we need to proceed with caution because we don't know what we don't know. So we leave digital artifacts everywhere, and we need to realize the truth of the matter: these are all different types of data that we're just leaving behind, and the problem is, once it hits the web, it's there forever. So what do we do? We start looking at ourselves and applying that same zero trust methodology that we've all gotten so used to in terms of our digi... yeah, I know, I know, I got five minutes, I know.

that's okay I am the tsunami so as I was saying we are the product and we are our personal information that we're using on things like Netflix you know you saw the questions is your the street you grew up on in Netflix the same street you grew up on in o365. you know so the call to action is actually two-fold just like back in the late 80s early 90s when we had to learn not to click on links in emails we need some behavioral modification you know when it comes to physical identity security access your home infrastructures update your patch management realize that what goes on in your corporate life is the same type of things that would be going

on in your D your personal life look at what's being asked does this entity need this information if you're going and to say an electronic shop to buy a new computer do they need to know where you live do they need to know you know what your spending patterns are you're buying this computer if you're at a grocery store do they need to know about Who Your Friends Are everybody wants more assess the situation and realize what you're giving them do they need it slow down when it comes to social media realize that a lot of these stupid tests that'll give you your rock star name or whatnot are actually personality quizzes and they're meant to actually get

information for to map you out as a person they're trying to decrypt us as individuals look at the apps that you've loaded on your mobile device I mean how many people aside from me actually look at the permissions that are being asked before you install an app why would a notepad need access to your contacts your camera and your microphone think about it as far as our digital call to action adaptive multi-factor Authentication Here I Am the tsunami but look at adaptive multi-factor you know take you can look at some of my other talks there is not a single biometric authentication that hasn't been bypassed compromised or or spoofed so all we really have is the ability to

lock it down with multi-factor adaptively and for the love of God I personally think two-factor authentication should be considered a profane word and we should never speak it again MFA does not mean two it means multiple two is the minimum username password OTP UT printed device different protocols if you're online or if you're off land is it coming from a region that I know is safe if it's coming in from China at 3 30 in the morning it's probably not me zero trust like I said everybody understands zero trust from an architectural model when it comes to digital Solutions we need to apply those same concepts of trust and verify to our individual identities because the idea

that something that happens in my personal life is not following over into my work life is not a guarantee anymore, especially when we have so much work being done on mobile devices. If you're on a mobile device and I compromise your mobile device and you're on a VPN, guess what? I can probably ride your VPN right into your enterprise. Verify your users. Verify your devices. Single sign-on. We've seen how I can pull almost every single recovery question. If we know that these particular answers are available through open source searches, don't use those answers. Come up with something else. If it's your mother's maiden name, maybe spell it backwards. Do something that me as the attacker, or the guy looking you

up, isn't going to be able to find and just stick right in. Think about it. Password managers. Also, with single sign-on you will reduce the number of self-service recovery portals that you will need, and limit the number of times those particular passwords or answers to questions could be utilized. IDS, next-generation firewalls, privileged access management, network taps, and actually security orchestration. With that, at the end of the day, what does identity security mean? We have one definition that everybody seems to understand when it comes to a digital perspective. We need to make sure that those same principles follow over into our normal physical lives, because there is no line anymore. So with that,

I would like to open it up for a couple of quick Q&A, and I thank you guys very much for attending my session. [Applause] Okay, I hate to do this, but I already promised she's got the first question, as soon as she shuts off the tsunami alert.

Oh, actually, go ahead. We'll let the mic... whoever wants to ask the actual first question, raise your hand, and then our mic runner will bring you the microphone. Anybody with a question, raise your hand. Make sure that we speak into the mics because of the live stream on this.

So, um, kind of a funny first question, so true. Um, I watched your presentation on being a transhuman. Just so, as a person whose fiancé and now husband was, um, subject to intense, um, what's the word, searching by the TSA in the New Orleans airport...

Oh yes.

...for a Wrigley's chewing gum wrapper in his pocket, uh, I wondered how you get through the

TSA or other...

That is the one question I get more than any other. I will demonstrate how I walk through TSA. Ready? I want you to see this, because this is very complicated. This is how I walk through TSA. They've never found me. Number one, there's not enough metal in my implants to actually trigger a magnetometer. Number two, they're actually inside my body, so if I'm within the United States I have the law, the HIPAA laws, that are protecting me, and they're considered medical. So you realize, in airports, the magnetometers... women can walk through with earrings and a necklace on. They are not set that sensitive. Honestly, most of the stuff that's in my implants is

biomembranes and silicone. The only metal is typically copper on the wire antennas, and the titanium and the iron in the magnet in my pinky. So they've never caught me, they've never asked, and I've never been questioned. Any other questions?

About those people who are harvesting your data, where do you see Microsoft in that list?

Believe it or not, Microsoft came in lower than Apple, and the reason that Apple and Microsoft came in so low on the data collection was because they are not as dependent on advertisements for revenue. They have actual product. So typically Apple and Microsoft are pretty much the same. They keep enough data in order to maintain the account, but they

don't do a lot of overreach like your social media, because they're actually gaining their revenue through advertising streams.

Uh, thank you very much. Yeah, I love your presentation, eye-opening, but aren't we already all trapped?

Aren't we already what?

Aren't we all already trapped? Yeah, I mean within the system. Yes, in terms of what you shared in the latter part of your presentation.

Yeah. It's already out there, and that's why I was saying, if we know that these particular answers to these questions are out there, and these are still the standard questions for a lot of self-service recovery portals, so now that you know I can figure out your mother's maiden name or the street that you grew up on, this is

where we as enlightened security professionals go, okay, if they can... Let's say my mother's maiden name was Jones. If that's the recovery question, maybe I spell Jones backwards, maybe I put something in front of it, like Mother Jones. You know, this is where, now that you understand that this type of information can be actually harvested, modify those answers, because a lot of times they're not going to let you create an account without those recovery questions. So don't make the answer something that I can find through public information. You know, modify it. And to be honest, this is one of the reasons why, under our mitigation strategies, this is where password managers that you can

actually rotate the passwords on a daily basis, single sign-on to lower the total number of actual recovery questions and portals that you need to utilize. Uh, look at identity security products, you know, adaptive multi-factor, possibly PKI-style certificates. You know, get away from what we're using, and if you're forced to use it, use it with the knowledge that these types of answers can be actually harvested, and modify the answers so that you're the only one that actually knows what the answers are. Anyone else? Okay. Oh, one more in the front. All right.

Yes, okay. So, um, part of our ministry's work has also been to pass legislation in the Cayman Islands that is going to create an identification register and the possibility for a digital ID system that is, um, using Estonia's X-Road system. So I wondered if you would comment a little bit on the relationship of government and ID, and how it just seems increasingly like all the information you've given is our own ID, and this nexus between us and the digital world.

Um, no system is going to be perfect. No, there isn't. And as much as I hate this, I got to give some props to one of my companions at CyberArk. He

actually gave me the greatest and worst explanation of a layered security concept that I've ever heard. If every one of our security controls is one piece of Swiss cheese... there's not a single security control out there that doesn't have some hole in it. So if I put one slice of cheese up here, I can get through. Well, I put another slice of cheese up here; the holes are there, but they may not be in the same places. And if you put enough controls in there, there's no straight pass-through anymore. And honestly, unfortunately, that's the answer: there is no one silver bullet, and you need to look at things from an actual layered security approach

so that you have that complete coverage: identity security, privileged access management, network taps with SIEM integration, uh, data analytics against your SIEMs, uh, security orchestration based on if there's something detected in the SIEM. You know, maybe it detects a logon of a privileged account, domain administrator, during an irregular hour from an unknown place. Automatically, through security orchestration, take that particular host, move it into a different non-author interactive OU, and prep it for digital forensics and incident response. You know, we're never going to be in front of the eight ball. You know, I was asked a question, and I'll close with this. You know, is a threat really a threat if it hasn't made it into the wild yet? And I

think the answer is it's individuals' determination of their own risk as to where you go with this. But as long as you have enough controls, you will... Security is a state of mind, it is not a state of being. You know, for you to actually say "I am safe," I feel bad for you. If you say "I have put enough controls and security measures in front of my systems that if somebody gets through, my dwell time will be minimal," I'm more about detection and mitigation. Those are the people that I think are going to do well, because every single day there's new zero-days found, and as much as we're trying to secure things, there are other individuals out there

that are trying to tear it apart, and they have a much greater desire than we do, just based on the financial gain. Any other questions? Thank you guys so very much. I know it was early. I hope you enjoyed it. I will be available out in the back if you're one of those types, like I used to be, where you're like, "I don't want to ask a question in front of a bunch of people." Um, hit me up. I'm a really approachable guy. And thank you guys very much for taking the time to come and listen to my big mouth this morning. Enjoy the rest of the conference.