
Ryan Buenaventura - Defense in Depth – A Mile Wide, A Mile Deep

BSides Orlando · 50:36 · 153 views · Published 2015-11 · Watch on YouTube ↗
About this talk
http://bsidesorlando.org/2015/ryan-buenaventura-defense-in-depth-a-mile-wide-a-mile-deep

Track 2, Day 2

Abstract: With all the different possible layers of Defense in Depth, security professionals often ask how much they really need to know to effectively apply Defense in Depth in protecting assets and data. There is a professional certification in IT security where the exam is often described as "a mile wide, an inch deep". This talk seeks to discuss the reality of how information security requires that professionals go beyond a basic understanding of the layers they are implementing in order to learn and properly apply defense in depth.

Bio: Ryan is currently an IT Security and Compliance Manager with a local government entity and an independent security consultant. He has over 10 years of experience in IT and IT Security, including security operations, monitoring, incident response, and compliance. He attained his Bachelor's degree in Information Technology at the University of Central Florida and holds CISSP, CISA, and EnCE certifications.
Transcript [en]

Everybody, welcome to my talk, Defense in Depth: A Mile Wide, A Mile Deep. I hope everyone's having a good time. Thanks for coming out; you know it's Sunday and you're missing your normal Sunday ritual, so this is a pretty cool event, the fact that we have so many people showing up and coming out on a weekend.

So, about myself: Ryan Buenaventura, IT security and compliance manager for a large local government entity. I've been a senior security analyst at a Fortune 200 company that dealt with transactions for oil, and at a litigation services company that protected a lot of different intellectual property, patents that were part of lawsuits that were never ever to make it out into the open. So we dealt with a lot of sensitive data and patents, probably from a lot of the companies around here that a lot of you work for. I worked for a computer forensic software company out in California as a senior security analyst; if you look it up, it was after they had their major breach, just to clarify. And I have a Bachelor's of IT from UCF, so you can finish. It's kind of cool being up here, actually; I'm really enjoying the experience so far. Oh, sorry: I'm a CISSP, an EnCase Certified Examiner, and a CISA.

Just a quick show of hands: how many people here are new to information security, getting into it, are relatively new? I saw a lot of college students yesterday. So the talk, A Mile Wide, A Mile Deep: for some of you, you're probably familiar with the defense in depth strategy already, so this might be a refresher, but what I did was I tried to put in some tips and tricks for some of you that do this day in, day out, to see if it can help you, because what I like to do when I attend talks is try to get at least one thing that I can take with me back to work. So hopefully I can do that.

So, a colleague (I'm sorry, step away from the mic), a colleague was preparing for the CISSP exam and she brought up the famous quote, "a mile wide, an inch deep." If you know the Shon Harris book, which I'm sure a lot of you that have taken the CISSP or prepared for it know, you know the term and you know the exam, and it really is a mile wide, an inch deep. She was stressing about this terribly, and it's somebody that I hired two and a half years ago as a junior analyst, and she has come a really long way: really good with servers, really good with operating systems, she knows her stuff, she just hasn't had a lot of experience with security. So anyways, in the last two and a half years she has easily gone a mile deep in pretty much every aspect of security, anything that our team does: log monitoring, vulnerability analysis, web app vulnerability scanning, things that she probably never imagined she'd do, or that anyone in security probably didn't think they were going to be dipping their hands into. So I thought it was kind of funny that she was stressing so much about this exam, but it's understandable, because the exam is not a walk in the park.

The quote: I always thought that was an interesting quote that was used in the beginning of that Shon Harris book. It goes as far back as 1890, by an American humorist, to describe the Platte River: "it has a very large circulation but very little influence, covers a good deal of ground but it's not deep; in some places it's a mile wide and three quarters of an inch deep." So it's basically saying people know a lot about everything but nothing about a given topic. I think it's kind of interesting that they always use that to describe the CISSP, because you're supposed to know everything and you're certifying as a professional.

Our field: it's uniquely complex. It's multi-disciplinary, basically that whole mile wide concept. All these terms up here: everyone in this room, it seems like a majority are in security already, you've dealt with a lot of these terms.

You deal with them day in, day out; you know them, you eat them for breakfast. These terms as well, more or less going towards compliance and standards, HIPAA; there are just a lot of disciplines to cover in what we do, a lot of areas where we're expected to know all this information, or at least know where to get it.

Critical decision making, another thing that makes our area uniquely complex. If you think about a traditional IT group like a service desk, let's say they mess up a service ticket; what's the worst that happens? They don't meet their SLAs. Think about a level one junior analyst reviewing your firewall logs or your SIEM, and they miss an exfiltration in plain sight, huge amounts of data; what are the repercussions of that? Every decision is critical. If you're even a mid-level analyst and you are called to go and check out a workstation, do forensics, whatever tool you have, EnCase, FTK, and you're taking a look at the machine and you miss an indicator of compromise that you should have got, you know what's going to happen next: how many more machines are going to be infected, or is that the main pivot into the network? Everything we do in security, everything we look at, it's strange how that is, but one mistake and who knows what can happen.

And when I say at every level, just think about going to the manager level. Personally, if I don't do enough to fight for budget for training for my staff, and now they don't know the latest threats, the latest trends, the latest malware, how to reverse it, then what does that mean? We can't keep up with guys that aren't sleeping at night, that are just hacking away. If you go to the CTF room, I don't know how late they were out there, but I'm sure they were there pretty late. And then finally, moving all the way to the top, your C-level: when they're looking at your budget and they decide your operating budget, your regular renewals, your SIEM, and they say, you know what, I'm sorry, the business isn't doing well, you've got to lose your SIEM. How many people here would be in straight panic? What would you do without a SIEM these days, if you're used to having one?

We're expected to be experts. I'm sure everyone in here has experienced this, where if people can't figure it out on their own, and I'm talking about other IT groups, they typically will come to the security team, because you get all the logs, you may notice some anomalies, and they can leverage that. And if you do security right, you really do become that trusted advisor. But that can backfire sometimes, because something happens and then everybody is of the opinion, how did you let that happen? You're the expert, what happened there, how did you miss that?

We're paid to be paranoid. We were just talking about that in the beginning; Andrew right up front here is the most paranoid guy I know. That's what makes our job really unique, in that our salary is based on that paranoia and how paranoid we are. I'll say this: my boss always asks me this question, how do you sleep at night? Because we have good communication, I tell him everything that's going on. He doesn't understand everything; he has his own perceived risks, but he knows that our group has to stay paranoid, and he knows that's what he pays us for.

There's actual risk and perceived risk. Bruce Schneier writes a lot about this: to make good quality decisions, security professionals must accurately account for risk and differing perceptions. Every person in your organization has different experiences, thoughts, skills, and it's your job as a security evangelist to convey what the real risk is, because that's what they understand. They don't understand, okay, risk equals threat times the... you know, the famous equation. They just want to know: all right, how are they going to get in, what are they going to do, how bad is it going to be, how does that affect my department? And every department within your organization is going to have different perceived risks, so that's a tough part of the job, to weigh actual risk versus perceived risk.

So, based off of all of that, a defense in depth strategy allows you to deal with this complexity. Going a mile deep is the only way to be effective in your defense in depth strategy. Now the talk is only 45 minutes, so I'm not going to be able to cover a mile deep in all the things I'm talking about, but I can start to, for those of you that haven't gone a mile deep in certain areas, and I picked a couple of areas in particular and a couple of cases in particular for this talk.

So what we're going to cover: what is defense in depth, for those that are new to it; why defense in depth; how do you apply it; a couple of cases and reasons for defense in depth, non-Home Depot, Target, or Sony. I like to look at things that are not really talked about, because those are the things I find I can most relate to; I don't want to relate to a Target or a Home Depot or a Sony. Tips on starting to dig a mile deep, for those of you that are new to it. And as I said, hopefully you can pick up one thing from this talk.

So what is defense in depth? It's the strategy of adding layers of controls and safeguards so that if one fails, you can rely on the backup control. The most simple, extreme example, which I'm sure everyone has heard of, is you have two firewalls from different vendors: if an exploit gets firewall A, it won't affect B, and an attack on firewall A wouldn't get through firewall B. That's an extreme example, and I don't know how many of your organizations have this. Strangely, whenever I evaluate a cloud provider or SaaS vendor for our organization, I always get this architecture document, and it's, you know, Check Point and then Juniper at the front, and then you start to ask them questions and you say, oh okay, so what's your patching like, what are you running on Check Point? And they're like, oh, R29. Here, what's going on here? Why did you go with two firewalls but you're not patching them?

So why defense in depth? It protects against and helps detect your attacker. Every layer of defense is a chance at stopping or detecting, because your people are going to click on those links, they are going to get phished; there have been a lot of other talks that talk about that, it's not hard for that to happen. So you want your web content filtering systems in place, you want your IPS, you want to pick up all the things that your people at the front were not able to see.

So how do you apply defense in depth? You consider your attacker and their motivators, because everyone is different, and you build your layers through people, process, and technology. People are critical: they're a critical control through senior management commitment, because you've got to get the buy-in of your management. If you don't have the buy-in of your management, then it is a very, very difficult job to secure an organization, because pretty much you're the only person crying wolf. Your people, of course, and users are your first line of defense. And then process: keeping your defenses up to date, and we'll go more into that. Technology covers the area where people and process aren't feasible to cover: your IDS, your IPS, your DLP, all the systems that we've been talking about through this weekend.

So, your attackers and their motivators. Before you can apply a defense in depth strategy, you've got to be aware of the attackers and their motivators. Some motivators: financial gain; social injustice, hacktivism, it's a common thing in the news these days; pride, reputation; malicious intent; and then of course state-sponsored espionage, where we see all the news with the White House, Russia; you never know what will happen.

So just looking into a couple of social injustice, hacktivism cases. And it's something, again, I can relate to, because I'm in a large local government entity. You have Dane County, a shooting of an unarmed man by police officers; you also have this in the news recently with South Carolina. You have the City of Fort Lauderdale: they create a new law against feeding the homeless and arrest a veteran when he goes out to feed the homeless. I can't speak for these counties, but I can tell you that in my organization no one imagined that that was going to happen, as far as the repercussions. So we look at Dane County, and you've got attacks that blocked official communications, their internet, their email, some police and fire dispatch services. So just imagine that there's this event that occurs, and all of a sudden you have Anonymous and some hacktivist group taking out all your operations as a county government. Your county government is responsible for your 9-1-1 system, responsible for a lot of things: traffic lights, substance abuse treatment, medical, protected health information, wastewater, drinking water, SCADA systems, Port of Everglades. A lot of people don't know that your major airports are run by your county; now it may be a separate agency or division, but it's the county. And when you undergo attacks, they see that, oh, Orange County Commission, there's their IP block; they're not saying, okay, well I really want to get back at the police department or the sheriff, they're just attacking and they're taking down whatever they can. And in this case they took down a lot of things, and that's just a scary thought, to think that they can take out police and fire dispatch services.

City of Fort Lauderdale: so they set out the law against feeding the homeless, and basically what happened was Anonymous posted a video on YouTube. When you have a chance, take a look at that video; it's pretty interesting. I watched it with our public communications officer (disclaimer: I do not work for these counties or cities), and the first thing she said was, oh my goodness, this is like terrorists, who are these guys, what do we do? And the video is pretty creepy, and then she said, what are you going to do with my computer, do you need to confiscate my computer? I go, no, I think you're all right, don't worry. So what happened as a result of that? And you also have to consider that a lot of local governments and smaller municipalities are not going to have large security teams, if any. I know Fort Lauderdale was posting for a CISO for quite a while; I don't know if they ever filled that. But what was interesting in this case is the $430,000 in remediation, so half a million. So your websites are taken down. Actually, what was also interesting is they made the decision, they said, you want to shut us down? Okay, we'll go ahead and shut down our servers. So they shut down their servers, which, what kind of solution is that? But $430,000 in remediation; a majority of it was consulting, if you look at it in this particular article from the Sun Sentinel, or you do your own public records request to get more information, which you can do with a lot of government agencies, and you can get a lot of helpful information from that. Four hundred thirty thousand dollars. So this event happens, and all of a sudden your sites are down, and now let's spend four hundred thirty thousand dollars to correct the problem. Odds are they're going to get attacked again, and I don't know that that four hundred thirty thousand dollars is going to stop that attack. That's a little disheartening, especially if you're a taxpayer in that city.

Alrighty, defense in depth strategies for DDoS. So looking at that situation where they had DDoS, what I did was I just put a quick little... all right, if you went an inch deep, you tell your analyst, hey, go research DDoS and put it in our incident response plan, and don't add much more information than that. But if you really want to dig a mile deep, you need to do a couple of things.

So, from the people layer of defense in depth: work with your networking team. In a recent DDoS attack I went under, one of my networking people could not get the packet capture; our firewall was maintaining state, our CPU was running incredibly high, he couldn't do anything, he didn't have a plan to get back inside if this situation occurred. Work with them; they're willing to work with you, especially after something happens, because after this happens they're coming to you, because you're the expert: what do we do next time? Set up your procedure, tell them to document it, tell them: all right, what do you have? You have an edge router; can you do it from the edge router? Do we need to buy a SPAN port? Do we need another box out there that is just, you know, no IP, just sitting there sniffing? You've got to get with these guys and you've got to work this out, and you've got to get it documented so that you can react quicker. Work with your management and communications, your PIO office, on damage control. If you take a closer look at what Fort Lauderdale and Dane County did, I mean, shut down your servers, the mayor goes on TV and he says we're undergoing attack, we shut down everything; it just looked like they didn't know what they were doing. You need to be prepared to let your customers, your constituents, know that you're reacting and you're doing something about it, even if not much is happening right away, which is the case in DDoS; it can take you down for a while.

So research the latest DDoS attacks. One mitigation is to prevent: check with your ISP on a procedure to quickly null route or black hole the offending traffic. This is a quick tip, but you'd be surprised how many people have never gone under DDoS and don't know who's the right person to call or the right person to escalate to at your ISP. Some ISPs, you're going to call them and you're going to get the wrong person, and they're going to have no idea what you're talking about: what do you mean null route? I don't know, I've got to escalate that to the networking team. And some of them, depending on your ISP and what kind of tier they are, are just not going to have experience dealing with this.

So, technology: ACLs at your internet edge router. And this is really just kind of your ongoing research review: keep up with the latest DDoS attacks. In the SSDP attack, which you'll always see from source port 1900, it'll be UDP and it'll be going to the web server that they want to take down. There's no reason for that traffic; take it out at the edge. Don't do it at the firewall, because the firewall's maintaining state and your CPU is going to jump up and you'll have the same problem, so do it at your edge router. And again, that also comes in with people: working with your network team, showing them what happened. Create your incident report if you don't have an incident report; use your threat intelligence. The talker yesterday was talking about how they print out those guides that show you the typical signs of the attack; explain that, walk it through with them, because your networking team is there just to make sure things are up, they're not there to understand those attacks. But once you explain it to them, they know the layers, they know the protocols, and then they go, oh, I can just do this, that's a five minute change. All right, we're doing pretty well with SSDP now; NTP as well. Those are some of the attacks I've seen personally, anyway, and there are obviously several other ways to do it. And then check with DDoS mitigation vendors on what's offered for your environment. In our organization we have two different circuits for our egress points, and one vendor has nothing, like nothing; they didn't even know who to refer to. I don't know if we just caught the wrong salesperson there, but they didn't have anything, and then they sent us to their engineer, who said, oh, I think we can null route, which doesn't help you, because you're down. But what's great about the mitigation vendors is they handle all of the direct scrubbing and allow legitimate traffic to still pass through. So you can either go to a third party, you've got companies like Prolexic, which I think got acquired by Akamai, or you have doing it in-house, Arbor Networks; if you're a large organization you can get your own scrubbers, that's if you have staff to manage that, and there are a lot of other vendors.

Defense in depth strategies for threat intelligence. This has been a big common theme I've seen over the last couple of conferences I've attended, and going an inch deep is subscribing to a feed. Starting to dig a mile deep: you have your community; participate in your community, share knowledge. That's why I attend these conferences, that's why I speak with a lot of people when I have a particular issue; I always like to see what other people are doing for that, and I've learned a lot of new things that way. That's one of the easiest ways for me personally of doing threat intelligence, I guess at a low level. Joining an ISAC: that's been talked about a lot during this conference, Information Sharing and Analysis group. The particular one that we use is funded by Homeland Security, or at least they sponsor it for several things; it's pretty good. We just finished the application to join it, and there's an ISAC for everything: financial services, health, you name it. It seems like there's an ISAC for whatever field you're in or whatever organizations you cover. I've called up a lot of references to validate that it was in fact a helpful group; check back with me in a couple of months, because our application just went through and I could tell you firsthand, but from what I've heard directly from other people, they've leveraged it. They have dedicated analysts that you can send packet captures to; I verified that other organizations are doing that and leveraging that, because they just don't have the knowledge in-house.

ISSA: we've got the president of South Florida ISSA here and several board members; great group. We meet once a month, we do a lot of networking, we learn a lot of new things, we do a lot of knowledge sharing. HTCIA, High-Tech Crime Investigation Association: there's a lot of law enforcement there, but there's a big push to have more infosec people there, because if you look at the crimes these days, the financial gain crimes, I mean, follow the money, you hear about Bitcoin, it always involves something that the traditional LE forensic investigator never had to worry about. ISACA, compliance; InfraGard; mailing lists. Basically, get involved. Reach out to your internal IT groups; ask them about any strange activity. Several times I've heard from our server team where they say, hey, you know what, this particular IIS server is acting funny, I know you get all the logs, can you see if anything has changed? When you return the favor, even if it's not a security related topic, you'll end up seeing that they become your hands-on eyes and ears right on the systems. And in fact, in one case at a past company, all our security systems didn't catch something in particular, and a server admin was on and he just saw this funny icon on there, and the next thing we knew we had a big problem.

Seminars, conferences, BSides: BSides Orlando, you're all here, I don't need to tell you that.

Process: review the latest security threats and trends, reviews of breaches and root cause. I consider this a big part of going a mile deep. I meet with my team every week; we look at what's out there in the news, we look at what's posted on SANS, we look at the InfraGard bulletins. It's the only way that we can make sure that there's nothing funny going on in our network: we search for those strings, we look for those DNS queries, we look if anyone's visited those sites in our web content filtering system, but we do it weekly. We never used to do that in the past, but I found since we've done that, we've really gotten ahead of things that are published, or just got in time. HHS Wall of Shame: it's just another source, the Department of Health and Human Services. In my organization, again, we deal with a lot of protected health information, and this information, other than being protected by HIPAA, just can't get out; it's people's livelihoods, it's their medical conditions, it's their privacy. The HHS Wall of Shame is good because they keep it up to date: any breach over 500 records, by law it's required to be posted up on there. It's called the Wall of Shame; it's basically a breach notification site.

Technology: monitor the internet, Twitter, Pastebin; do Google hacking on your organization. It's interesting when you look through Pastebin and you look at your domain names and you find, you know, employees are registering for these forums or mailing lists that end up getting compromised, and it has nothing to do with your organization, but they're using their company email for that. ISACs also monitor the underground sites that you may not typically monitor; again, they have some dedicated analysts and threat feeds. And subscribe to commercial feeds or services; there was a great talk on that yesterday, so it can be a lot of money, and there are a lot of vendors out there supplying this.

Now here is the Wall of Shame. This is a screenshot from last night, so you can see how current it is. I use it a lot, especially if you're on the health side of things. Every time we go through this with our business owners and our different health agencies (substance abuse, sexual assault treatment, you name it; if someone's being treated in the community for it, then there is probably a service in a county organization for it), when you go through these with them and you sit down and you evangelize security and compliance and you look at these incidents, you look at this, you know, what's happening here: paper, you know, think clean desk policy. Everyone in the health field relates automatically to every one of these incidents, because they're dealing with this day in, day out: going to wrong fax numbers because they're not programmed. There are a lot of things there, and that's a whole other discussion, HIPAA and security in the health realm.

One particular one that was on there, just to segue into defense in depth for lost or stolen devices: this adult and pediatric dermatology company, they had a $150,000 fine because they had a stolen thumb drive from an employee's vehicle. I just think that's amazing. HHS, after you do the breach, they have to go in and do an investigation. So it was just a USB drive, probably, you know, how much are they these days, ten dollars depending on the size, and then all of a sudden now you've got a hundred fifty thousand dollar fine; you've got HHS on your back going through all the safeguards and having you attest that you're doing all these things, and of course they immediately find that you're not doing it, which is why you get the hundred fifty thousand dollar fine. So it's just another interesting scenario.

So, defense in depth for lost or stolen devices. Instruct the user to report it stolen; that's, you know, going an inch deep. People: train your employees on all your policies, unattended devices, clean desk policy, and the language in those policies. You've got to train them on it or they won't know it, and then they'll leave their laptop in their car, or they won't leave it right in the main part but they'll put it in the trunk. But I can tell you several incidents I've had to personally deal with where they were followed from our company's parking lot to the mall, to meet with clients, and next thing you know they come back to their car and the trunk is popped and the laptop's gone. Immediately send awareness reminders when multiple devices are lost or stolen; that's your quickest way to get an effective message out, because then people are already talking about it, they're saying, oh my goodness, like one scenario we had, multiple laptops stolen from the trunk of a car. It just gets it out there quick; people stop doing that, they leave it at work when they're meeting with clients and they just cable lock it, or they just don't bring it with them.

Process: conduct regular audits of your assets. You should have a centralized inventory, asset management 101. In some of our more critical areas, our group takes it upon ourselves to create a spreadsheet, and we basically hire part-timers to come through and regularly audit it. It's a cheap, cost-effective way to make sure all your USB drives that are meant to be there are, you know, allowed, your laptops; and actually at the same time that we do that, we have them go through and make sure they're BitLockered, we've got encryption. If it's not BitLockered, it somehow missed the policy and we've got to push that through. There were some talks yesterday about getting FTEs; it's very difficult to argue for a full-time position in security and compliance, so I get around that by calling on college interns, whether they're free or paid, or using contractors or part-time people, to just go around and do these things where you don't have the time to deal with this. You can't go touch every machine, but they can touch every machine.

File a police report; maintain your incidents. File a police report: you should always do that with a stolen laptop. When you eventually run into one missing device, a second one, a third, then a fourth, and a pattern develops, you want to make sure you have that first police report, because when you take this to HR and legal and you say, all right, we have a serious problem here, we have assets missing, here's my documentation, here's my incident report, and on top of that here's my police report, it's pretty much an open and shut case. You don't have a police report, you don't have this documentation, it's not an open and shut case, and then they're asking you more questions. And if you provide this, I also find that you don't have to go through any kind of depositions or anything like that. That's really what documentation is about: just having everything there and ready.

Lost or stolen devices, MDM: how many people here have an MDM solution, mobile device management? Slowly growing; people are still getting a feel for it. There are so many different devices out there, it's hard to select one, but if you don't have one and you have Exchange, you're in an Exchange environment, you can do some things there. You can do a remote wipe of a device; you set up your policy, everyone signs off on it. If they're using organization-owned or personally owned devices, still have them sign off on it, because they're using county or organizational email, and that has your data on it, and depending on what that person does, there could be some sensitive data in there. Register Find My iPhone; this is just making sure you're covered. Going a mile deep in lost or stolen devices: researching everything you can do if you don't have an MDM; these are all things you can do. And encrypt your devices. Obviously, if you don't enable passcodes (and you can also enable passcodes through Exchange), then that encryption is pointless. BitLocker: this more or less applies to your laptops, your Windows laptops and your USB devices. If you're a Windows shop, you can set your BitLocker policy, you can use MBAM to manage your keys, and it's all pretty much built into your Enterprise Agreement, depending on what level you are.

Phishing threats. So going an inch deep: hitting the spam button, sending it to your vendor, or sending it to your junk folder, depending on how you're set up and who your spam vendor is. So, people: we send out monthly newsletters on phishing. Basically we look at the latest ones that came out and the latest ones that our users are falling for, and we send it out pretty regularly, and that has gone a long way, because there are a lot of people that reply back to that and they say, oh, I just saw this, or, oh, here's another one. And, you know, your anti-spam vendor is not going to catch all your phishing emails; it's just impossible. Phish your own people, through a third party or do it in-house; Metasploit has a module, you can do it with that, or there's PhishMe, a lot of different platforms. They're a little pricey, and this doesn't take a lot to do on your own, so I would recommend just going that route, especially if you're just doing it here and there, maybe getting people that are repeat offenders, that are always, you know, their quota is always over the limit and they're always putting in their password on that Google page that was set up.

Process: give your organization's workforce a way to report phishing email to your anti-spam vendor. With our anti-spam vendor, it's pretty cool, they have a plug-in that you can install into Outlook, and we just rolled that out. You can put multiple buttons and set it up different ways, so we have a button for reporting spam directly and we have a button for reporting phishing. Reporting spam, those false positives and whatnot, they go straight up to the vendor; reporting phishing, they get routed through security. I always want to see what phishing scams are going out.

I want to see what that link is I want to see if our web content filtering system is working I want to see if my antivirus catches whatever that that drive-by malware was or whatever happened so you know I'm big on that develop a procedure to quickly block reported phishing scams this is just it's it's a formality it's a process it just makes things the same if uh you know I'm out or someone else is out on the team they follow the procedure to the T all right sandbox click this link let's see where it goes all right what's next block it to in our web content filtering system work with your spam vendor press them to

ask for more info if things still aren't blocked they'll probably ask you for the header as the original email anybody else get it uh they don't give you much of a response just keep pressing them you're paying him for it if they're not working out for you move to another one it's not that hard to switch to anti-spam vendors I mean everything is even if you're going in the hybrid model and you're moving your email to uh Office 365 or whatnot you have a lot of different options for routing your mail and picking your vendor technology play with your reputation filtering sensitivity on your anti-spam Appliance or your service you can get this to the point where you

know people tend to say okay let me go with the highest o it's blocking all our mail distribution stuff and all these emails that legitimately need to come in that are spoofed because they're coming from another Cloud vendor you can play with that and you can get to a point where you can reduce it a lot web content filtering the block the links it's uh your layers of defense and depth within technology and your IPS can block known bad DNS queries as part of that that phishing link when you click it it doesn't have to be all about the web content filtering you can set your reputation in your IPS so that it's really sensitive but of course you

get a lot of false positives we all deal with false positives and then taking it The Next Step Up threat emulation or behavioral monitoring systems these are you know over the last couple years you've seen them a lot of different vendors they're all pretty much the same they roll it in a VM or they look for indicators of compromise and those are things that obviously you as an analyst can't just do on your own in a expedient manner defense in-depth strategies for human error or fraud going an inch deep is check marking we're doing separation of duties going a mile deep starting to No One communicate your organization's applicable laws and regulations you'd be surprised how many people in your

organization have no idea what laws apply uh you got hippo you got PCI you got this year uh the main focus is the Florida information protection act which if you're taking a look at it a close look it's really interesting because they basically take HIPAA and and all the other pii and data breach notification laws reiterate it but there's some interesting things in there like for personally identifiable information they now stated and I kind of want to know who who helped write that that law but it um they put in there if you lose 500 records first name last name and um a uh the secret question reset your password and the answer because we all know that

we probably use the similar questions answers for our banking you have to do a breach notification I was never in Florida before I think that's that shows just how far the laws are coming and there's a lot more laws in the pipeline I now communicate this law and pretty much everything I do it's it's a lot easier when you're a Florida organization to refer to this especially when it's new and you know you can show it to them walk them through it and explain to them the risks and the fines and the repercussions and then especially the requirements to do data breach notification write your training in the active voice you don't have to be an English major

but to communicate effectively you got to write in the active voice I've seen policies awareness training that are in passive you know your end users must do this period whatever it is uh this is a big thing which a lot of people don't think about but that really is going in a mile deep is is figuring out how to communicate better what you're trying to accomplish test your employees before and after your awareness to measure Effectiveness you can do those fishing campaigns I find it really valuable to do the fishing campaign before and then Implement your awareness training and then do it after and see what kind of Effectiveness I mean I honestly I think

that is by far the easiest security metric there is it's it's so hard to come up with security metrics that management can understand or you know how many vulnerabilities were remediated but this one hands down no one ever questions that metric they're like wow look at this you're telling me 300 people clicked and 50 people gave the password and 10 people kept trying to give the password and still log into this fake system process get the buy-in from your Senior Management if you don't have senior Management's buy-in again that's a problem in a security awareness tutorial that we built from the ground up I was able to convince one of the top level people of our organizations to do

a a video and um it's interesting when you're in a larger organization not everybody knows who the security person is and you're walking around and all of a sudden you're here did you hear that video crazy that video the Commissioners are they're taking this seriously we can't we can't let anything happen to our systems we can't let a Dane County happen we don't want to make the news nobody wants to make the news in government nobody wants their emails on the front page either pilot your security awareness with your legal and HR teams get their buy-in this is crucial especially during Insider incidents you can refer back to the policies uh if you're dealing in um

in government uh entity where you're dealing with unions collective bargaining agreements this is also critical because you have to have all your documentation and they'll immediately if you've ever had to sit in one of those or even if you're not in that and you're in a uh an Enterprise I've had this question where's the policy where does it say I can't do this to do technology selfishing platform went over that already develop your security awareness tutorial in-house I'm a big proponent of this you can buy a lot of off-the-shelf uh tutorials Sans got has the uh securing the human which a lot of those videos are very good um and you can you know shell out the

money to get some sort of uh pre-built one but it doesn't speak the language of your organization and their culture and what you find is a lot of people start to fall asleep during these tutorials but if you can put it in your company style and you've got the video of Senior Management up front and you're asking questions that pertain to them and you know you can use a bunch of different things to accomplish this PowerPoint keynote Captivate like Torah are a little bit more robust they're they're more for your instructional designers but they're not too hard to figure out and then finally defense and depth strategies for vulnerabilities subscribe to a vulnerability feed going

an inch deep but starting to go a mile deep people work with your internal I.T groups walk them through a scan from beginning to end in a lab show them an exploit and the criticality of the vulnerability if you just go and you run your scan it doesn't matter if it's qualis rapid seven tenable whatever you have and you export that report and you throw it on their desk that is the worst thing you could do for my team we go through and I don't even use those reports we we export out to excel because then we can parse it later and put it in another system but I like Excel what I find is a lot of the

IT people the server admins the networking people they just want to open up the email they want to look at the Excel document and they already want you to go through and Mark all right we know this is a false positive don't worry about this fix this fix this fix this they go through it a lot quicker they appreciate the time they appreciate when you show them what the risk is and that goes with that whole perceived versus actual risk they um they work with you a lot more I've gone into organizations where prior security person left and I see this huge folder of just qualis reports and then I go to the different groups and I'm like what are you doing

with these and I'm like oh yeah we didn't do much with that because that person just never explained what to do with them with the vulnerabilities specifically review false positives that's an ongoing uh battle with a lot of these tools open up tickets with your vendor get them to fix it and then um start with your critical servers and then move out I've seen in other organizations they go and they buy the new vulnerability tool they get 6 000 licenses and then they start scanning like crazy and there's just no Rhyme or Reason to it and then all of a sudden you're having you know the service desk people run around to certain printers and you're having the

server team run around to a server that is going to be decommissioned anyways so start with your critical servers where's your pii where's your sensitive data what are crucial to keeping your scada systems online start with those and then move out to the rest of your organization use multiple tools to provide a complete picture every tool is different tools within web app vulnerability scanning database operating systems uh I noticed every scan is always a little bit different obviously they're going to always get the main credentialed ones missing Microsoft KB this that and the other but use different tools we've used a lot of different tools for web app scanning and one thing catches the cross-site script here another one

doesn't here and one thing all of a sudden shows oh you have a SQL injection it's crazy how the vendors and and they're all seem to be at the same playing field but you just still get different behaviors and different responses from these tools and thus you get different vulnerabilities use open source tools before you run a commercial scan just run an end and a map scan first you might save yourself some time what I do is we run a nmap scan and then you know we find okay well they're running telnet and they're running this version of Apache I don't even want to deal with doing the full vulnerability scan I go to them and I

just show them the nmap scan and I say listen before we go and we ding you for this full scan look what you're running on this machine upgrade the firmware do something I don't want to submit this scan for you you know work with them because you're all Partners in this security is everyone's responsibility um it it goes a long way when you do that so parting thoughts the defensive side of information security is not easier for the faint of Hearts I think everybody here knows that it can be fun though unless you have a large breach if you like chess you'll like infosec if you love chess and you'll love defense in-depth strategies it takes a lot of time and effort to go

mile deep I'm still learning every day to go deeper and deeper attending these conferences going to the CTF learning some new things that I didn't know before I'll go back uh tomorrow and test and see if I can recreate that in my environment use your resources your tools your teammates your peers policies and procedures and Technology my boss always asks me again what keeps me up at night all of this keeps me up at night going a mile deep the paranoia but you know I do manage to sleep but tonight Game of Thrones any questions yes

what do you recommend in terms of like you know different antivirus or malware or spyware detection for individuals um well it's interesting that uh it always comes up to every security person here your your family member your mom or colleague says what do you do somebody that just doesn't know about information security I take the same approach you know I I tell people read up on these sites uh a lot of business people I know they appreciate when I direct them to Krebs they look at the you know Krebs on security blog it's easy to understand he just writes really well and it's it's things they run into ATM skimmers uh you know for their businesses things getting

transferred out or wired and all of a sudden their bank account is empty um I send them to you know have your antivirus a couple cases I just if there's a repeat offender I'm not going to name names my mom set their home page as browsercheck.collis.com and then I just say hit that fix it button every time it comes in you know of course you have to reduce their privileges so I end up doing it anyways but so she calls me and says hey you know it says fix it fix it all over the place but uh there's just take the same things you do day in day out just break it down to more of a plain language

level again you know you it's a different audience when you're talking about individuals small business consultancies um firewalls pretty much tell them go is a sonic wall or anything like that because if I tell them to go with anything else in ASA then I'm going to be the one configuring it so uh you know but you know when they when they get something I will depending on what the situation is I'll help review yes you have mentioned uh

anything you found updating their signature version um iron Fort which is now owned by Cisco has been pretty good for us and I've used iron floor for a long time um trying to think of some of the other ones that I've dealt with in the past I know uh Office 365 they actually do respond to you and say oh okay we'll take a look at this and the next thing I know something similar ends up in the junk mail any other questions thank you everyone for listening to my talk and thank you [Applause]
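The before-and-after phishing metric the speaker describes (how many people clicked, how many gave a password, how many kept trying) is easy to compute from the event export a self-phishing platform produces. The script below is an added example, not code from the talk or from any platform the speaker mentions; the export format (one row per event with columns campaign, user, event) and the sample rows are constructed for illustration.

```python
"""Before/after phishing-campaign metrics from a platform event export.

Added example, not from the talk. The export format is an assumption: one row
per event with columns campaign, user, event, where event is one of
"sent", "clicked" or "submitted" (credentials typed into the fake login page).
"""
import csv
import io
from collections import defaultdict

# Constructed sample export, NOT real campaign data. "before" is the campaign
# run ahead of awareness training, "after" the one run once training is done.
SAMPLE_CSV = """campaign,user,event
before,alice,sent
before,alice,clicked
before,alice,submitted
before,bob,sent
before,bob,clicked
before,carol,sent
before,dave,sent
before,dave,clicked
before,dave,submitted
before,dave,submitted
after,alice,sent
after,alice,clicked
after,bob,sent
after,carol,sent
after,dave,sent
after,dave,clicked
after,dave,submitted
"""


def parse_events(text):
    """Group events per campaign and per user.

    Returns (events, submit_counts):
      events[campaign][user]        -> set of event names seen for that user
      submit_counts[campaign][user] -> how many times that user submitted
    Deduplicating by user matters: one person clicking a link three times is
    one compromised person, not three.
    """
    events = defaultdict(lambda: defaultdict(set))
    submit_counts = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(text)):
        user = row["user"].strip().lower()
        event = row["event"].strip().lower()
        events[row["campaign"]][user].add(event)
        if event == "submitted":
            submit_counts[row["campaign"]][user] += 1
    return events, submit_counts


def campaign_metrics(users):
    """Per-recipient counts and rates for one campaign ({user: set(events)})."""
    sent = sum(1 for ev in users.values() if "sent" in ev)
    clicked = sum(1 for ev in users.values() if "clicked" in ev)
    submitted = sum(1 for ev in users.values() if "submitted" in ev)

    def rate(n):
        # Guard against an empty or unknown campaign (division by zero).
        return round(n / sent, 3) if sent else 0.0

    return {"sent": sent, "clicked": clicked, "submitted": submitted,
            "click_rate": rate(clicked), "submit_rate": rate(submitted)}


def compare_campaigns(text, before="before", after="after"):
    """Before/after comparison plus the two kinds of repeat offender."""
    events, submit_counts = parse_events(text)
    b = campaign_metrics(events[before])
    a = campaign_metrics(events[after])
    # Gave their password in both the pre-training and post-training campaign.
    still_submitting = sorted(u for u in submit_counts[before]
                              if u in submit_counts[after])
    # Kept re-entering the password on the fake page within a single campaign.
    multi_submitters = sorted({u for c in (before, after)
                               for u, n in submit_counts[c].items() if n > 1})
    return {
        "before": b,
        "after": a,
        "click_rate_change": round(a["click_rate"] - b["click_rate"], 3),
        "submit_rate_change": round(a["submit_rate"] - b["submit_rate"], 3),
        "repeat_offenders": still_submitting,
        "multi_submitters": multi_submitters,
    }


if __name__ == "__main__":
    result = compare_campaigns(SAMPLE_CSV)
    for phase in ("before", "after"):
        m = result[phase]
        print(f"{phase:>6}: {m['clicked']}/{m['sent']} clicked "
              f"({m['click_rate']:.0%}), {m['submitted']}/{m['sent']} "
              f"gave a password ({m['submit_rate']:.0%})")
    print("submit-rate change after training:", result["submit_rate_change"])
    print("still submitting after training:", result["repeat_offenders"])
    print("submitted more than once in a campaign:", result["multi_submitters"])
```

Rates are per recipient, not per event, so a user who clicks the same link several times is counted once; the separate multi-submitter list preserves the "kept trying to give the password" group the speaker calls out, and the repeat-offender list is the set of people to target with the follow-up campaigns he recommends.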
