
Welcome to BSides Liverpool and the rookie track. My name is Ian. I named this talk "The Definition of Madness". Most of you, some of you, will have heard the phrase: the definition of madness is doing the same thing over and over again and expecting different results. Although I've only been doing this for a very short time (I did my first InfoSec qualification this time last year), I have run across the same behaviours in the last 12 months, and it seems a bit strange to me.

Before we get into the detail of that, a little bit about me. I worked on my first computer in 1980. I worked on my first industrial system in 1987. I did my first IT qualification in 1989. I've had roles in the military and in small business (a little business with 30-plus employees). I've worked in education, both as a technician and as a lecturer, and I now work for a builders' merchant group with businesses across four countries.

For those of you that weren't around in the 80s, that's the first computer I ever played with. I didn't own it; it was owned by the RAF, and we had it in a computer club and we used to program BASIC on it. I say we programmed BASIC on it; we probably spent more time keeping the memory pack in the back than we did actually programming it, but that's a story for a different day.

That's the first industrial system I ever worked on. It's a Ferranti Argus 500; it was an industrial control system. The variant that I used had a Coral 66 compiler, and we used it for a private military messaging system, but the storage was one-inch mag tape and it booted from punched paper tape. So I've been doing it for a while.

About a year ago I was asked to go and do this qualification by the company that I now work for. I've got the reaction that I got when I gave this talk somewhere else, but I have found that you get quite a negative reaction to this qualification quite frequently. I was really excited to go. I actually really enjoyed the course, bearing in mind that I'd been doing IT for the best part of 30 or more years before I got there, and I came home full of enthusiasm, wanting to learn more and do more and get more involved. But actually I found that I was pretty well ignored by the people that I could reach out to. I didn't know any of you guys; the only people I could reach out to were on social media, and the easiest form of social media was LinkedIn and Twitter, but I really didn't get anywhere at all. I was ignored; I was put down because of the qualification that I'd done, which had sparked this interest. I said on there that I was ridiculed. I think actually, probably, now that's a bit harsh: it wasn't me that was being ridiculed, it was that CEH qualification that I'd done. As a consequence of all that, I found it very difficult to get any help or guidance or any direction on where to go, and I was quite surprised at that.

For me, what I learned on that course was lots of really good, positive things. I learnt what data our systems leaked. I learnt what we could do with that data and how we can then use that to exploit the systems. I saw examples of lateral movement, which had never been explained to me before. I'd never seen pass the hash; I'd never seen Mimikatz working; but I was able to see all of that in real time, actually doing it. We launched the ransomware, we built rootkits, and I even played with Metasploit. Yes, it was all done on vulnerable XP machines, but it demonstrated what's possible, and that for me was what opened my eyes, after 30 or more years doing infrastructure, to what was possible. Nobody had ever explained this or shown this to me before, anywhere, in any of the roles I'd ever had.

So when I got home and I tried to
learn more, this is what I generally got told. Everybody I spoke to said that I needed to go and do OSCP, that was it. I'd done this Certified Ethical Hacker; it was rubbish, it wasn't worth the paper it was printed on; you need to go and do OSCP if you want to be an ethical hacker. But the distance between starting out in InfoSec, starting out with a CEH, and actually doing OSCP was enormous, and I had no idea about what journey I needed to take or how I would get there. It wasn't at all helpful.

For a long period of time, a few months after I came away from Dublin with that piece of paper, I really struggled, because I started to question. I started to question whether I should have known some of this stuff, whether I should have already known it. I'd been doing IT for 30 or more years: should I already have known about it? Should I already have understood it? Where should I be in my career? It seemed a bit odd that I'd managed to go all of this time and not know any of this stuff.

I started to talk to some of the guys that I worked with. I started to talk to some of the guys that I had been in the RAF with. I even talked to some of the suppliers that we work with, and their IT teams, that we have good relationships with, and it turned out actually that they all had a similar knowledge gap. They were all focused sysadmins; they were all focused on delivering infrastructure and keeping it up and running, but with very, very little understanding of information security or cyber security, or just infrastructure security in general. They would do some stuff with Active Directory, but they didn't understand the underlying things that could be exploited. They had no idea how breaches occur, very little idea of how vulnerabilities are exploited, and, more importantly, I think very few of them realised that lots of what they needed was freely available on the web with YouTube tutorials, and actually you could set yourself up as a little script kiddie in about five minutes.

That helped me, and I decided to go and do some more research about that. So I looked around. Again, I only had contacts on social media; I'd only been doing it for six or seven months by this time; but I found some quite telling posts on various social media outlets. This lady at the top, a lady called Cassie, was told that she wasn't cut out for InfoSec because she was asking for people to go and study with. She wanted to study with other people; that was the way she learnt best, but she was told that she'd never make it in InfoSec because she wanted to do that, which is a very negative approach. I don't quite understand why you would say that, but that was the feedback that she got.

I gave this talk at BSides London a few weeks ago, and after the talk a chap came up to me and he shared with me this other comment. He's asked me not to put his name on it, which I think is telling in its own way, that he didn't want to be identified. He went to a security conference as an IT admin and he was interested in getting into information security, but the consultancy told him that most IT admins don't make it in security. Which again seems a bit strange: shouldn't we be encouraging them in, and not telling them they can't ever do it? It does seem a bit bizarre to me.

I don't know how many of you know about Malicious, or know Malicious, and she is an ex-teacher. I've worked in education; I've taught in FE; I've worked in education as a technician, and I've also been a school governor. But there is a different approach, a much more collegiate approach, in education to making sure that we keep up our professional development. I worked in a secondary school for five years, and in that five years every Thursday morning the whole staff would go to the staff room before school started, and one department would do a presentation on some best practice, or something that they'd done, or some obstacle that they'd overcome. We did that every Thursday morning, for 38 weeks of the year, every year, for five years. So I was getting that professional development for free; we were sharing that amongst ourselves. Can you imagine how much training and professional development we could get if we could get the helpdesk, the devs and the sysadmins together for half an hour every week and just get one or other of them to share some best practice? But we don't do it. We don't admit that we don't
know things, or we find it hard to admit we don't know things, and this idea of "we can't admit it, we just need to try harder": really, in my opinion, we need to change that approach; we need to change the attitude. "Try harder" has a place, but its place is in OSCP; it's not in the wider information security or cyber security domain. If we can't talk to each other and help each other and admit that we don't know something, or ask questions about how we might understand something better, how do we expect our helpdesk operators or our developers or our sysadmins to come and ask us for help, or ask us to explain things? Are we making ourselves approachable to those people who really need to know, because they're the guys that need to implement it? Too many of these people don't know about these things. Too many of them don't know about reconnaissance; they don't know about enumeration, assessment, exploit. They are just oblivious to what goes on in this world that we exist in.

It struck me that for many years I worked with people who just patched their systems because they were told to, not because they understood why they were doing it or what the consequences of not doing it were. We had a really, really good example of that recently with BlueKeep. For those of you that know about BlueKeep, it's a vulnerability in RDS; it's through the Microsoft RDP client, and it's been proposed as the next WannaCry if it gets out in the wild, possibly. Everybody was warning about it. Microsoft released patches for XP and for Windows and for Server 2003 as a pre-emptive thing, not as a reactive thing. We decided in our business that we were going to phone all of our suppliers, anybody who had any connection with our network; we were going to phone them all up and make sure that they were proactively doing something about it. We found this one supplier, and they didn't know anything about it at all. They outsource all of their IT to another company. We phoned that company and they said, "oh, they don't take our patching service", so they hadn't even told them about BlueKeep, hadn't even told them how dangerous it was, because they didn't pay for their patching service. In the end we convinced them that it needed to be done and it got done, but it's a bizarre state of affairs where the security of that business, and ultimately the security of our business, came down to the fact that they didn't pay for a patching service at a managed service provider. The more we spoke to them, actually, I don't think the MSP's senior engineer we had on that call understood what BlueKeep was; he didn't understand what that vulnerability actually did or didn't do, and that was because they were patching on a cycle because they're told they have to patch; they're not patching because they understand why. We need to help them learn more; we need to be more open.

Last year's course fundamentally changed my approach to IT security, and it drove me to learn more. It's driven me to go to BSides London and driven me to come here. I've only ever been to two conferences, and I've given the talk at two conferences, and that's because I did that thing, that CEH that everybody ridiculed so much. It brought me to this point today.

InfoSec is a journey; it never ends. It's got a start and it's got multiple destinations, and it's got multiple roads that you can follow. How do you try harder when you don't know which road you're trying, or what you're actually trying? This is a really good image which I think shows really well the InfoSec domain and the variations within InfoSec. So you might be a pen tester, you might be in governance, you might be in operational security, you might be blue team, you might be red team; there's all of this stuff. This is a mind map that was built by a CISO called Henry Jiang in New York, and he's very kindly let me reproduce it. He's put it on his LinkedIn page, as a PDF and as a JPEG, for anybody who wants to go and download it. It really shows that you can't just have one approach to information security, because it's different: you don't need to code to work in governance. How many times do you hear people say you can't be in InfoSec if you can't code? Of course you can. You might not be able to be a pen tester, but you can definitely work in information security. But all we do, or my experience is, that everybody's giving you reasons why you can't do it and not finding ways of helping you to do it, and that's why I'd like to change... changing attitudes. It's possible. It
takes some effort, it takes some work. Thank you. It takes some effort, it takes some work; it's not going to happen overnight. Here's an example. In 1980, when I worked on my first computer, drink-driving was a bit of a macho challenge. We'd go out, we'd have a few pints, we'd drive home, and then the next night we'd go out: "I had ten pints last night, I'll have eleven tonight", drive home. It was a bit of a thing we did. I'm not particularly proud of it, but it was the way it was. Wearing seatbelts wasn't compulsory; in fact a lot of cars in 1980 didn't even have seatbelts in them, if the younger of you can even believe that. Speeding was never talked about, and there were far fewer speed limits than I see now. It was never talked about because it just wasn't a thing. You just got in a car, you drove, you got home; you got back in the car, you drove, you went to work.

Fast forward that to 2019. Drink-driving is completely unacceptable; very few people now would even think of having a beer and getting in a car and driving it. We've changed the attitude. It's taken a long time (it hasn't quite taken that amount of time), but it took a long time and a lot of hard work to change the attitudes. The same with seatbelts: it took a long time to get people, for those of you that remember "Clunk Click Every Trip" and all that, it took a long time to get people to actually realise that it was in their best interest, and you know, we have your car talking to you or beeping at you now if you don't put your seatbelt on, but you wouldn't really get in a car and not put your seatbelt on any more. And speeding now is the new drink-driving. We're starting to see changes in those attitudes. We're starting to see people come in and say, "oh, I got a speeding ticket off that camera the other day", and now the answer is "well, I shouldn't have been speeding then", where it's not that long ago it would have been more likely to be "where are those flippin' speed cameras, pain in the backside". But we've started to see those attitudes change, and so we can change attitudes if we're willing to put the effort in, if we're willing to go on the long haul, and I think we should.

I was challenged when I was preparing this talk for BSides London. It was said to me: you're having a bit of a rant. So I am. You're having a bit of a rant; what are you going to do about it? How are you going to change it? What are the things that you're going to do? So these were the things that I came up with. I would like to build a new community, where it's a shared community. It's not just InfoSec; it's where anybody can come in and ask questions about security, but it's a safe place, where you can come in and ask and you won't get ridiculed, and nobody will say "you should have known that". There are always people who know more than you, and there are always reasons, there are always bits that you don't know; nobody can know everything about everything. So it's very small, there's about six of us from BSides London. It's not a great community; it needs more of you. Please come and join us, please share it. I will be posting a lot more when we finish here today, and I'll share the Slack channel link again as well, over the next few weeks, several times, on Twitter. Please come and join us and talk to us, because without you guys, without starting this off, we can't make the changes that we need to make. We need to be more positive; we need to encourage people in; we need to get rid of the gatekeepers, and we need to get rid of the gatekeeping that goes on, and we need to stop saying "you can't" and start saying "you can".

So my challenge to you, as seasoned professionals, is: be patient with newcomers, please, and challenge gatekeeping. If you see gatekeeping behaviour, challenge it. It's rife in our industry, and we really do need to try and root it out. Make it acceptable to ask questions, because we've all learnt from somewhere, and even if you spent the last 30 years teaching yourself, because there wasn't an InfoSec community and you had to hack away and hack away and hack away (for those of you that wondered where the word "hacker" came from), do you really need to then go and make other people do it the same way you did it? Or could you not just share some of that information? And again, stop putting obstacles in people's way. Please don't tell people to try harder. Tell them to try harder if they do OSCP, that's fine; you can tell them to try Google, I don't mind that, but you can help them and you can direct them and we can encourage them, and we'll start to have a wider and a better community. We'll start to encourage people into our industry, and we'll stop being so exclusive and so elite. Or maybe that's what you want, I don't know. But that's my talk. I've been doing it for 12 months; I started with CEH, I've ended with two talks at two BSides. I'm still going on, I'm looking for other opportunities, and
I hope you will join me and try and start to change some of these attitudes that we've seen, or at least encourage people who want to come into our industry, so that we can have an inclusive industry, not an exclusive one. I'll take any questions if you'd like to ask.

[Question inaudible]

Brian, I don't know. He didn't share the name of the consultancy with me. He posted it on Twitter after we'd left. He did actually say, "I really enjoyed your talk", and then obviously put that tweet up, and I asked him if I could use it and he said, "you can use it, but please take my name off it", which is what I've done. Yep.

Audience: Since you were forced by your company to do the Certified Ethical Hacker, was your company, at least in terms of its staff, in the same position? After you got your information, did you end up spreading your message to your own company?

Oh, sorry, no. We're really bad at it, to be fair. It's a bit odd, because we have ten companies, ten IT teams, and a lot of acquisitions, and they all do their own thing. I go out and tell them what they've got to do and then try and enforce it, and so it's a bit harder, but we are fairly immature, to be fair, as far as security goes, and we're getting better, but we don't share very well. There's only me; well, there's me and two others, but that's not a big team to go out sharing with teams of ten or twelve or more across the business. What we are doing, interestingly, is we get to the table at the start of projects and not at the end. That was something that I learnt from another conference that I went to, and it's got nothing to do with my talk, but as you asked the question: I went to a Palo Alto conference, sorry for the advertising, and there was a chap there who said, information security: if you think about building a house, you go and find a piece of land, you really like it, it's ideal, right on the docks in Liverpool, it's the best, it's your perfect piece of land for building your house. You go to your architect, you get the plans done; it's the best building, it's your ideal home. Then you take those plans to the planning office and they say, "you can't do that". We're that planning office, or we could be, we can be that planning office: they did all of this stuff, and then the security team come along and say, "oh, you can't do that, that's not safe, that's not secure". So we get to the table early and work with them to make sure, certainly on new stuff anyway, that we try and do the design and build security into the design, whatever that happens to be, and that way we're not the blocker; we're in there delivering it with them.

[Question inaudible]

Sorry, yes. So I was the infrastructure delivery manager. I ran a team of eight people who do all of the infrastructure across the UK for all shared services in a builders' merchant group, and I've left that role now to go and do this security role. So I'm just in operational security, and a large part of that is just making sure that other IT teams do what they're asked to do, or are delivering a level of security that's acceptable to the business. Does that answer your question? Any others?

[Question inaudible]

Yeah, yeah, yeah. So the talk is: we should be encouraging everybody to talk about security and not making it exclusive. So it's not an exclusive domain; it should be inclusive to everybody, and one of the ways you can do that is to be at that table when you start those designs, when you start that development. There's no point me going and sitting with the dev team because I don't code; I do infrastructure, so I go and sit with the network team and the server team, and somebody else goes and sits with the dev teams. Does that answer your question? Anything else? Anybody else? I think that's just about time up anyway, to be fair. Thank you very much, everybody.

[Applause]