All right, good afternoon everyone, welcome to Proving Grounds. I'd like to start out by thanking our sponsors in the Stellar level: Fair Sprite, pertivity, Tenable, Amazon and Source of Knowledge. They're all out in the chill-out area, so please thank them. This track is being recorded and streamed, so at the end when we do Q&A we're going to be running mics, and there's also a mic up here in the front. Our next talk is on hacking the high seas, a cruise line security assessment, by Chad Dewey. Let's please welcome Chad.

Good afternoon everybody, thanks for coming, I appreciate it. Thank you BSides for having me, and thank you Adam Brand for being my mentor and actually making this presentation what it is today. Okay, so we're going to be discussing hacking the high seas. It originally started out with just cruise lines but ended up going a little bit further, as you'll see here in a minute.

So who am I? My name is Chad Dewey. I'm a computer science and information systems instructor at Saginaw Valley State University, a small university in Michigan. I have degrees in stuff. I do pen testing from time to time, and I'm curious about weird stuff like cruise ships.

All right, so this is not the intention of this talk; obviously I don't want this to happen. Just a little bit of background: my favorite way of vacationing is on cruise ships. I've taken several cruises, and we'll go over that here in a little bit. This was human error, by the way.

Disclaimer, this is the cover-your-ass part: no unauthorized access to cruise ships or cruise ship systems was obtained or even attempted. Most of these observations are in-person observations, especially when I was on the cruise ships, and review of publicly available resources. They're out there; everything I've done here today any of you can do, using Shodan (Shodan, Showan, potato, potahto), ARIN whois, and the manuals of some of these systems. I'm not releasing any of the names of the cruise ships or cruise lines at this time. I've done my due diligence to try and share this information with them, and only a couple have responded so far. Right now some of them are probably thinking "oh" or something. Anyway, I've obviously done a lot of cruising over the years, starting in May 2005, then I had a little bit of a hiatus, and in 2011 I ramped it back up again.

Overview of the presentation: before the cruise, hooking yourself up with goodies and little perks here and there; during the cruise, taking a little look at their Wi-Fi and the physical security of the ship; and after the cruise, which is probably where the more interesting stuff is: internet connectivity, system vulnerabilities, forward-facing services, that sort of thing.

Starting out, hooking yourself up. Before you start a cruise you usually have to sign up for a cruise, and this is usually done online. You make reservations, you give them your credit card and a lot of money, and everything's supposed to be good to go. Some of these cruise lines do not have good sanitization of the information that's given to them. For example, this is my profile on one of the cruise ships, and these are the things you can do within your account, for example update missing information such as ships or dates that you traveled in the past, in case they might have missed something. Again, this is my real profile; I blacked out some of the stuff, and if you've cruised before you might be able to guess who this is. But anyway, according to this it shows that I've cruised on seven different cruises, each of them a seven-day cruise. It looks like I've done seven cruises. Not really. I've only actually cruised four times with this particular cruise line, and those are the four real ones. I did cruise in 2011, but only one time.

Now the purpose of showing you this is: you get perks. Each cruise line has its own little tier system: you start out with blue, maybe go to gold, platinum, so on and so forth, and with these perks you get, I don't know, free Wi-Fi, so you get an internet connection on the ship. Sometimes they give you other perks like have a drink with the captain, that sort of thing; some of them even give you tours of the ship.

As far as starting up and signing up for your cruises, here again there's a double there. So I wanted to go a little bit further. Let's see, I never cruised in 2009, so I could see this: okay, maybe they're doubling it up because I actually did cruise then. Well, they didn't check to see if I cruised in 2009. I did not. I did cruise in 2005 on this particular ship, the Ian ship, but I did not cruise on the Crown ship. Why? Because it was still being built. It didn't have its maiden voyage until June of 2006. So again, they didn't check anything. Not a whole lot of harm is done here; I just get my cruise status elevated a little bit.

Other perks on some of these cruise ships: beforehand, before the cruise, you can tell them you've had an anniversary, a birthday, you've graduated, you got married, whatever the case may be, and you're given certain perks for these things. A couple of these perks, well, I got all three of these because it was my anniversary again. I got a $25 gift card for wine, very overpriced wine, but hey, it's a free bottle, right? And I got a photo, and it was very nice of them. They do this sort of stuff just as a perk, thanking you for cruising with us, so on and so forth. I've had anniversaries in December, February, March and May. All right, there's my bottle of wine.

So now we're on the cruise. This is during the cruise, so you definitely want to be careful. Wireless security: this has slowly gotten better over time. The first cruise I went on in 2005 was protected with WEP encryption. It's 2005, things could have been better, whatever. Internet access on these cruise ships can be very expensive: $25 a day on the last cruise that I went on. That's ridiculous, and the internet is not all that fast either; it's satellite internet. Anyway, moving right along. So Wi-Fi is expensive. If you start looking around and poking and prodding at the Wi-Fi, you'll notice that if you're in the room there's not a whole lot of traffic down there; you're in the belly of the beast. So if you're going to start looking around you're going to want to look at a more active place, like by the pool. And I really didn't have a whole lot of luck. I was on vacation; I'm not really going to sit there and do all sorts of stuff just trying to get free Wi-Fi, because there are other ways of doing that, which I'll get to here in a second.

Now remember that platinum status earned you some free Wi-Fi. Fortunately you don't necessarily have to be platinum in order to gain free Wi-Fi. How? Well, some of these cruise ships give away some personal information by posting your information outside of your cabin. So you have a cabin number, first name, last name, and all the cruise ships are nice enough to say "oh, you're a gold member, you're a platinum member." That's all that's required, and you get 150 free minutes on one particular cruise line. In order to get those 150 free minutes, what do you have to know? First name, last name, cabin number, and you have to know that you're platinum, of course. So you could technically pilfer somebody else's free Wi-Fi minutes. And encryption has gotten better, so on and so forth.

Other physical security issues. Safes: all of them have safes in the room; some are numerical, some of them use a magnetic strip card. The magnetic strip card was an odd one, because they said you should either use a credit card or your driver's license. No, you don't need to do that; I think I used a gift card to LongHorn's or something like that. Staff doors are almost never locked; some had no locks, and as you'll see in the next slide, some even worse. Doors to ship internals were almost never locked; many again had no locks, so you could technically walk right in there if you wanted to. Staff laundry: I've been told staff laundry could be found, along with forgotten name tags on them, so you could technically act as if you were one of them. There's anywhere from 1,000 to 2,000 crew members, so they don't know everybody, so you could get away with something like that. I found a total of six passenger badges sitting by the pool. Those are associated with a credit card, and that's where it gets a little bit scary, because you could take it, charge up a bunch of drinks and put it right back, and they might not know until the very last day of the cruise when they get billed. That's not necessarily the cruise line's fault, by the way; that's just people being people. Picture verification of the passenger: when a card is swiped the employees are supposed to take a look; when they swipe their card for a drink it shows a picture of the person. The problem is they don't look at it; they're just busy churning out the drinks. So there is a safeguard in place, it's just not very well utilized by the employees.

So again, a lot of crew areas don't necessarily have locks, and some are not very well guarded. There's a little bit of a closer view on that; it kind of looks like freezer curtains, so that's going to keep a lot of people out. All right, so here we are, engine control room. I have never been in an engine control room; I have never been in the bridge. Some cruise ships allow this depending on your member status, on certain cruise lines, not all of them. So I found this on the internet. This is the engine control room, obviously heavily computerized. This is the bridge; again, I just found this on the internet. If you look a little closer, well, you can't really see it here, but the navigation system is a Sperry Marine VisionMaster FT. The issue with this is it runs Windows XP. They all do, and they're all still utilized, and on the ships there's not really any upgrades going on there. So you can see a problem there.

So after the cruise. Oops, went too far, sorry. The internet. Public IP addresses: each ship has an IP address range associated with it; we'll get into that in a second. They're all on something called the Maritime Telecommunications Network, the MTN. It basically handles... well, I'll get to it here in a second, I'll actually go into more detail. And there are several internet-facing vulnerabilities, and we'll discuss those here in a second. Again, all I had to do is use an ARIN whois and Shodan to do all this, so like I say, any of you could do it.

Looking at things from the outside: the Maritime Telecommunications Network uses this IP address range, so all of the ships, or I can't say all, most of the ships, whether it be cruise lines or military vessels and so on, are normally connected to the Maritime Telecommunications Network. So, the internet of ships. This just explains what the MTN is and what it does; let's see if I forget anything. Luxury yachts, oil rigs, government military vessels and cruise lines all use the MTN for internet service when out at sea. So again, all these ships have IP address ranges that are actually specific to each of these ships: Tahan Princess, Diamond Princess, Island Princess, Emerald Princess, so on and so forth, and believe me there are many, many more. I just kind of let it slide; I'm going to skip right past this here. This one is my trust fund; again, luxury yachts. Those are the jokes, people, that's all I got. This one you might want to be a little bit careful of; you can probably guess what's in this range. Hope, right? There's also another one called Carnival HQ. Wonder what that is? That speaks for itself.

So anyway, a few statistics here. Using some old encryption methods; obviously they have vulnerabilities associated with them. Some of the services running on these, again these are forward-facing services, some issues there: pcAnywhere, Windows Remote Management, and the most clever thing I think I've seen, Telnet on port 2323. They were the first to figure that one out. All right, so this is where it gets a little creepy. That top one though: Debian 4 lost support back in, what, 2010, I don't remember what month, but obviously it's a little old. Some of them you can read: Voice over IP systems on a ship with remote access using the default username and password, several ships containing old Linux kernels, a Microsoft Exchange Server 2003. This just goes into CVEs and stuff like that: several ships running Dropbear. So again, a lot of issues. These aren't even all of them; these are just some of the ones that were the creepiest to me. And much, much more; enough vulnerabilities to create... all righty then.

So some cruise lines don't bother to fix some of these issues, for example the free stuff: a bottle of wine, a massage, whatever the case may be, they'll give it away because you're spending anywhere from $500 on up per person to go on a cruise. So I actually contacted that particular cruise line and they're like "we're okay with that." I'm okay with that too. Some of the other issues I haven't heard replies on; maybe they're thinking "oh" and they're kind of doing what they've got to do. Now I understand that some of these things take time. Imagine these navigation systems, trying to upgrade those from Windows XP: they're going to have to take the ship out of service for at least a little while just to try and upgrade that, and so on and so forth. Over the last 10 years, though, each cruise line has steadily increased their wireless security with better encryption, we hope. Their internet kiosks have gone from PCs with Windows XP, now this is 2005, to now using Windows Vista, using Chrome in incognito mode with Deep Freeze, so at least they're trying. Okay, that's all I got.

I'd like to thank Adam Brand again for being my BSides Las Vegas mentor; he's been a huge help. I still would have been working on this if it wasn't for him, so he helped me find some efficiencies here. Dr. Lon Decker and Dr. Scott James for guiding me through this whole process, not necessarily with this presentation but I guess in life. Chris Roberts, obviously; I kind of followed his lead on some of this stuff. Christina Lay and my mother for their inspiration and support through this entire thing. All right, if you have questions, I have an email address here for you; feel free to contact... did you cut out? Yeah, I was just going to say feel free to contact me. I'll send you the slides, but that's about it. I'm not going to send you a bunch of stuff that I found, so you guys can look that up for yourself. Any questions? Yes.

Hi, thank you for the talk. Could you go into a little more detail about how you got the free privileges and the anniversary celebrations, like a breakdown? Yeah, bottles of wine.

Oh yeah. When you sign up, for every cruise I've been on, as you're signing up for the cruise they ask you to check the box: are you expecting an anniversary, is there a special event? No, right, just, well, you know, one of them. But if you do pick one, pick anniversary; that's usually the most lucrative.

I don't suppose you've looked into the jurisdictional issues of hacking a cruise ship? For instance, if you're in international waters on a Barbados-flagged ship, who comes after you if you do something you shouldn't do?

Well, first off, you shouldn't do anything bad.

No, no, no, obviously no, never hack anything ever. But if you do hack something, who arrests you?

You know, that's a good question. I think if you should accidentally, okay, theoretically, I would assume there's some sort of maritime law regarding that as far as who comes and busts you. I guess the next port of call, or maybe at the very end, if you left out of Miami or Fort Lauderdale, somebody might be waiting for you, or they know who you are, where you live, and they already... oh yeah, is there? Okay. I'm not very familiar with maritime law, so I'm actually going to have to look some of this stuff up. Well, I mean, I guess I don't really have to, I've done nothing wrong, but it's good to know; knowledge is power and all that.

Yes, question. How's it going? I was just wondering, when you were talking to these cruise line operators, did you ever bring up the subject of denial of service, especially with their wireless links? Like, what if somebody were to plant a box on a cruise ship or any ship that basically disrupts all GPS signals or VSAT? What if somebody finds one open on Shodan and turns it off? I wonder what sort of... you know.

That's something I hope I never see, especially when I'm on the ship.

Yeah, yeah. So I just don't know if that subject has ever come up when you talk to them.

Well, I would assume they have several backup systems. Again, it's part of a satellite network, so maybe there are other things they could do. I mean, I'm sure there are some kind of backups, I would hope, but do I know that for sure? No. The satellite nav systems, if you've ever been on a cruise ship, they have these big globes outside, and you can usually touch them over the rail, so it's kind of creepy. Yes, sir.

Obviously container ships won't offer you the same perks if it's your anniversary and you're shipping cargo, but how much of what was on the cruise ship, such as navigation and security of physical facilities, how much of that would carry over into the container ship fleet?

Pretty much the same thing, except for the free stuff. Speaking of which, I actually submitted this presentation February 7th of 2016; I didn't find out until May. I was doing some Google searching and found that some Somali pirates actually compromised a container ship manifest to make themselves more efficient at being pirates, so they knew where all the good stuff was, because they got a manifest of everything that was on the ship.

So what about the navigational data coming back? On the public side of the ship it'll tell you basically where it is, all the time.

Yeah, there are actually maps, online maps, to show you where every ship is, pretty much all over the world, in international waters. Is there anybody else, any more questions? All right, thanks Chad. All right, thanks a lot everybody, appreciate it.
so this talk really came out of this tweet from W Pond back in October of this past year he was talking about how manufacturers a lot of times uh make legal threats to security researchers when they're disclosing vulnerabilities and he was pointing out like hey consumers can't really make um legal threats when they buy software and it's broken and something happens they really don't have a voice and a way to use the legal system right now I was like yes having just gone through a few years of last school I understand why but it's kind of complicated um and I thought it might be interesting sort of explain to people why that is and there's a lot of
talk these days about software product liability last year's black hat was a lot about it it's kind of Buzzy um so I want to talk about the current state of it and why it might actually start changing not just because a lot of people are talking about it but because internet of things is going to change some stuff that affects the reasons why we haven't had software product liability so far so let's start out by comparing two different situations let's say you go to Target you buy a coffee maker and you bring it home you plug it in and something happens the glass caraffe has a flaw in it and it explodes and cuts your wrists or it catches fire
or something in this instance as a consumer um you might have medical bills and you can go to the person who made your coffee maker um sue them in a court and have them pay for your medical bills this happens all the time with uh with defective products and then let's compare that to another consumer who buys a router she brings at home and plugs it into her home office and there's a flaw in the software on the router um and all of her information gets exposed she goes through identity theft and so forth this consumer does not really have any recourse under our system right now she's also been harmed but she can't bring a suit or she could
but it probably get tossed out a court pretty quickly so why what is the actual difference between these two situations we have two consumers who are harmed by products that they've bought and they're facing fundamentally different situations in the court so to start with that I need to explain to you a little bit about how the American legal system works so generally if there's an agreement between two people as a contract this is super common in the software world we have click wraps we have ulas we have terms of service and essentially how the American legal system works is that if you have a contract and something happens any any um sort of Damages or so
forth are going to be governed by this contract so basically unless there is some really Grievous physical harm what happens in that contract gets governed by that contract on the other hand you might get harmed by someone who you don't have an agreement with we have car accidents maybe a roller coaster goes flying off of the track uh we use Tor law to address that Tor law is for when someone out there who you are not in existing agreement with hurts you and it's how you have your medical bills paid for and product liability law is a subset of tort law it's the law that governs um basically purchases of products and if those products are
defective so let's think about what you need for a product liability suit in our legal system right now you need more than what we call Pure economic loss you need a physical harm to the consumer like that glass kff exploded and cut your wrist or something or you need property damage maybe the coffee maker caught fire and it burned your kitchen so now let's think about what happens with the Internet of Things software has always just been on our computers and we've had buggy software we've had problems caused by software but it was not capable of causing any physical harm out in the real world and this changes with iot we have software in fridges if someone
hacks into your fridge and raises the temperature of it your food could go bad it could cause you to get sick we have software and drones a drone could fall out of the sky and hurt you this had been a really fundamental um or there's this really fundamental shift in the sorts of ways that software is going to be interacting with the real world that changes one of the fundamental assumptions that we've always had about why there is no such thing as software product liability so this is not actually the first time that software or that product liability might be changing so I'm going to go all the way back to 1916 it was a very influential case that
sort of developed the product liability as we know it today day it was called mcferson versus Buick this guy went and he bought a car from a Buick dealership it's 1916 so for whatever reason at the time they made wheels out of wood and there was a flaw in one of his wooden Wheels he's driving down the road and the wood breaks um the car crashes he's injured and he goes back to his Buick dealer and he's like hey you know there was a problem with that car that I bought from you and it injured me and I'd like you to pay my medical bills and the dealer goes okay well sure there was a flaw but that came from the person who
built your car all I did was sell it to you so essentially the guy who bought the car and the seller were what we call in the legal World in privity they had an agreement but the guy who bought the car was not in privity with the person who built the car who was also the person who introduced the defect and so the court said oh we have a problem this guy was injured and he can't have his medical bills paid for and as a society at that time they were moving away from you know everybody being a farmer buying things in General stores where you knew the person who was selling products to you and they were shifting towards you
know mass production um Supply chains and so forth and the court recognized that this was a change and they decided to allow the guy who bought the Buick to go recover from the person who built the defective product and so they developed the idea of um basically the ability to go have your medical bills whatever paid for from anyone who had built a a product or sold it to you anywhere up and down that chain so in the courts we recognize three different types of defects um these have all developed mostly since the that 1916 case we have manufacturing defect which is probably what a lot of people think about when they think about defective
products that would be like that flaw in the glass of the coffee maker this one instance of a product came off a factory line and there was a problem with it we also have what we call a design defect so maybe that coffee maker was built such that if it's on for more than 3 hours it might overheat it could catch fire it could cause problems and there's a little switch or something that the coffee maker manufacturer could have installed in the coffee maker but chose not to and so if it catches fire the consumer can go into court and be like hey this is just a really poorly designed product you probably should have put that switch in it wouldn't have
cost that much and it would have eliminated the danger and finally we have failure to warn failure to warn is the reason why your McDonald's coffee cups say warning this is hot um why there's uh stickers all over everything um so in that instance maybe we can say the coffee maker you know has a tendency to overheat after 30 minutes but we could just put a little sticker on it until the consumer you know don't leave this on for more than 30 minutes and so that will allow the consumer to be aware of this problem and take action to prevent it so product liability is what we call strict liability which is liability without fault and this sort of feeds into the
question of why can you go buy knives but you can't buy lawn darts if we think about it these are both sharp objects that could injure you and yet one is freely available in the American Consumer market and the reason is really risk utility balancing and that is also the reason why product liability is not really strict liability so foreseeability and obvious dangers really play a big part in this so an obvious danger like the knife you know I can look at it and I can be like yeah I can see that this is something that could hurt me but it's really useful we need to able to buy knives or you know I go home and cook dinner and I'm going to
have a lot of problems preparing my dinner or as La darts they're fun they're sharp they're not super useful our society is kind of running without them right now um the foreseeability also plays into how you use a product so if I buy a step ladder and I decide to do something really dumb and set it up in a robo and I climb up on the step ladder and the robo and it collapses and I now broke my leg if I go to the manufacturer and I'm like hey I was injured by you know your stepdad they're going to go uh-uh like in a rowo no not going to happen like that's completely not foreseeable you were doing something
dumb there um I could take a coffee maker I could mount it on a drone because I want to be lazy and I want my coffee to come get delivered to me over on my sofa and then someone hacks into the Drone and causes it to you know sort of wobble in the air and it dumps a hot coffee on me like that is a legit stupid thing to be doing you are not going to recover under any sort of scheme um so some of the reasons why we have product liability really is that it serves an insurance function our society has decided to sort of push the burden of making products safe onto manufacturers rather than requiring
every consumer to be their own you know consumers research sort of people and have to go investigate whether these products are safe you know I can go to a Target I can purchase a blender and I'm not super concerned that this blender is really going to harm me because I have this reasonable expectation that if I buy this product and I use it in a fairly ordinary way that it's going to be okay it's not going to harm me and this is something that might start changing with iot so the people who build blenders are totally used to building blenders however they are not really totally used to building software we don't know right now um how common it is
for them to build blenders that can be upgraded? Do they have experience with accepting three reports from the security community about vulnerabilities? Do they understand what sorts of features they should put in to be secure? There have been things like IoT tea kettles that were leaking Wi-Fi credentials because they were just poorly designed from the software side, and all of us are like, well yeah, that's really stupid, you know, but we also have experience building software. These folks who are starting to put software into things that can interact with the world do not yet have that background. So this is kind of cool: we can empower consumers and they could use software product liability, but that's
a big fuzzy thing. Like, how would this actually work in a court? You can't just go into a court and be like, I feel like we should have this sort of liability. So failure to warn is one framework we could use, and one way we could think specifically about it is that maybe software companies, or companies that are using software, should have to warn about known vulnerabilities. Failure to warn is a pretty well-developed field in product liability, and it really breaks down into two components. One of them is the risk reduction warning, like if you're going to use this chainsaw, wear goggles. We could think about that in a software world by saying, hey, if you're going to run this
particular software, make sure that you upgrade the Java it's running on, go do these particular configuration settings so that it's a little bit safer for you. Or we have informed choice warnings. The informed choice warning is incredibly common in the pharmaceutical world: we tell the consumer there are these risks out there, they exist, I'm just going to let you know about them and you need to make your own risk calculation. So we can think about that in the software world. We could say, well, this software has maybe this vulnerability, and we're going to tell you about it, and you need to make your own decision about whether it's important to your business to keep using
this software, and maybe you can figure out in your network how to set it up and protect it. And one of the things we can think about is that failure to warn might provide incentives for better software development practices. We can think about encouraging the people who are making these internet-enabled smart fridges to design items that can get patched, following, for example, maybe the Open Web Application Security Project's Top 10 if you're going to have a web application for this sort of thing. We can talk about making it easy for researchers to disclose problems that they've found, rather than having to force them to go through endless csqs, triaging issues and releasing them.
These are things that software companies are really used to. You know, we can get in a bug report and decide whether it's a serious problem, whether it's exploitable, whether it actually needs to be addressed or not, and that's something that companies that aren't used to building software are not used to doing. One part of failure to warn that we really should worry about, if we're going to start thinking about this with vulnerabilities, is warning overload. So this is a picture of my coffee maker covered with a million and a half hot warning stickers. Like, if I saw this I would just be like, I don't even know where to touch this anymore. This is
complete warning overload, and we really worry about telling consumers too many things, so they take in no information and we're back at base zero; they haven't actually been effectively warned about anything. There's a limited amount of attention that people have. You need to think too about whether warnings are reasonable. You know, we all joke about that warning on the McDonald's coffee cup, warning: this is really hot. Like, okay, yes, I know it's hot, do I actually still even read it, should I have been warned about something else? If we think that consumers have limited amounts of intelligence and we tell them 30 different things but we bury the most important warning in number 30, is that
really an effective warning? And one that particularly concerns me with software vulnerabilities is what if we have people warn about unpatched vulnerabilities? You know, we got this report, we need to tell you about it, but we have no plans to patch. Is that just going to be a big, like, hey, go reverse engineer this particular thing over here? So, obvious risks. I love this image. You might not be able to read it; it says please make sure you have made the right decision. It's a little ducky that can plug in. That is like the perfect warning. So in failure to warn, "you should have known" is completely obvious. If you notice, your kitchen knives at
home do not necessarily say warning, sharp, because you guys should all know that knives are sharp. This also plays into that foreseeability of use I was talking about, you know, like, hey, what if I use a step ladder and a robo, and that's a dangerous thing to do. If you just have bad security practices, and that's the actual root cause of your harm, that's going to protect a software creator. So people freak out a lot when they hear about software product liability and open source. It turns out that we can analogize to some existing product liability doctrines. So for one, there's a big focus on commercial
sellers in product liability. You can't really go to an Etsy seller and be like, hey, your product was defective. I mean, you could try, but it's probably not going to go anywhere in the courts. But the thing that is a little more important when we think about open source is the component product liability. So product liability understands if you build a gear and it goes into a machine and the machine goes into a product and the consumer buys it, and there's some problem like in the engine in this product, the person who built the gear that goes in is not really the person on whom the liability is going to be pinned. Like, yes, we have
liability for the retailer, we have liability for the supply chain, we have liability for the person who built and assembled the engine, but the component itself would be deemed, you know, like we'll say, okay, this little individual product here that just went into the larger defective product is not responsible for the harm, and therefore we can exclude them from liability. So we can take all of this and think about how this relates to the way that we currently develop and patch software, especially as we're going to be putting these into IoT devices. So let's think about what happened after 1916, when we had our poor guy who bought the Buick and it, you
know, dumped him on the highway. Consumer safety really increased, in large part because we got used to how to build things in factories; we developed standardized practices for mass production. So the Buick case was kind of what we can think of as a trigger case. It caused the law to adjust because society had changed, and we wanted to develop sort of this insurance function because it was going to allow us to put the risk of these products onto people who we thought were in a better position to handle them. And this sort of shift could happen again with IoT. So with IoT we're really now having software that can cause these physical
harms, and physical harms are something that we're used to having liability for. We can say, you know, right now a lot of IoT products are released with some pretty questionable security practices, a lot of them don't have the ability to patch, and using software product liability basically as a lever to make those things safer is something that might help us protect consumers. So this is so much not a perfect solution; there's tons of problems. We talked about what happens if it's an unpatched vulnerability, should we warn people about it? This might be this informed choice warning, like, hey, there's a bug over here, we want you to know about it
before you decide to keep using it. A lot of times you say software liability and people go, oh my God, innovation. We're really concerned about that; that's something that has really driven our industry to be the success that it is, and we don't want people in their garages or small companies to be burdened by this sort of scheme. We also, if we're going to warn about vulnerabilities, seriously need to worry about the warning overload fatigue. Anybody in this industry knows the number of security vulnerability announcements that are made, and patches, and we joke about patch fatigue; this is actually a serious problem. So let's think about where do we go from here. We do not necessarily
have this sort of liability, but we do have a standard set of practices that a lot of us agree on. You should be testing; there are guidelines out there on how to improve your software development life cycle; people talk about using bug bounty programs. Generally you should probably already be taking reasonable care to put safe products out in the marketplace, and I'm probably preaching to the choir on this one, but if we did ever get this sort of liability you could go be like, hey, I am following standard industry practices, there should be a presumption that I have fairly safe products here. So thank you very much. I love talking about this sort of stuff, so come find me,
and do I have time for questions? Cool. So does anybody have questions? Awesome. So, crystal ball, 5 years from now, what do you think the reasonable standard of care will be for IoT providers? For what providers? For people who make these Internet of Things devices. I think definitely, and I am a web developer, so most of my development experience comes from that, from middleware services, whatever, but things like being able to patch, alerting people about what vulnerabilities you have and what fixes are available, getting your stuff audited, doing code reviews, and following what's out there in the industry, like the Open Web Application Security guidelines, is sort of, you know,
well-agreed-upon things that you should be checking for, red teaming your products, and so forth. I don't know specifically what they will be, but we're moving towards consensus for a lot of these things, and courts will look to that sort of thing and say what does the industry think is fairly standard. Just curious what's your take on the whole Tesla crash, with, you know, that kind of is a really interesting wrapper of software and consumer product, so just curious. Yeah, I am not super familiar with the Tesla crash; I did literally just spend three months locked away with law books studying for the bar, but
yeah, I mean, this is something where they need to be making sure that this is a safe product they put into the consumer's hands. If a consumer gets something and can use it in a completely unexpected way and some harm happens, like, I'm not that concerned. If the consumer is using it in what would be a fairly normal, reasonable way and there's a bug and it causes a problem, that's where we would start looking and say, well, can we go say this is a vulnerability, is this the sort of thing that liability would help protect the consumer from? But it's hard. What happens in the courts a lot is it's a lot of
sort of risk-utility balancing; it's a lot of economics that goes into it, like how much would it have cost them to make something that is really safe. I mean, like, cars are unsafe. Cars are not square boxes with square wheels built out of 100 tons of steel, because that would be safe but it would be unusable and expensive, and our society has decided where we want to place the risk on that, and we need to move towards that in an IoT sort of world. Yeah? Oh, sorry. Any comments on Mudge and Sarah Zatko's Cyber UL as part of trying to beat the insurance companies into doing stuff? That's actually a really good sort of
indication of the kind of thing that our industry should be doing to move towards what's accepted practices. They're going to be putting out labels and saying these are safer versus less safe; that fits perfectly in with this kind of thing, and I think it's awesome that more companies should be doing this sort of auditing of stuff out there. Yeah, I was wondering, would it wash if a company said warning, this product uses a default admin username and password combination, please do not expose to public internets, FYI, we're doing something stupid? It's sad to say that actually does work a lot of times, but on
the other hand, we don't have lawn darts. You know, what happens is you'll have these outlier court cases that will say yes and outlier court cases that say no, and then the way the law works in the US is it kind of builds towards this consensus, and that kind of happens as juries, who are the ones who decide this... I buy time by saying warning? So I could buy time by saying warning, we're doing something incredibly stupid, you're aware of it, you took on the risk. Courts do actually recognize that sort of thing. Will lawn darts ever make a comeback? IoT, there you go. Wii? It could. I mean, so New Jersey
actually outlawed swimming pools as being completely unreasonably dangerous in about the 1970s, and you can buy swimming pools and install them in New Jersey, so courts realize their failure. Do we have any more questions? All right, great, thank you. Thank you, guys. [Applause]
Hello, testing. All right, if we could get everybody to please clear the room, even if you're interested in the next talk. I don't know why, but to stretch your legs, and I guess get us a good count of the people that are in here. Yeah, it also gives everyone outside a chance to see the talk. Yeah, you can, without... For no, I took the bar, I don't know.
We're good? Are we good to go? Can I put this here? Cool. Hi everyone, and welcome to Proving Grounds. So I'd like to start by thanking our sponsors VerSprite, Privity, Tenable, Amazon and Source of Knowledge; please go and visit them out in the chill-out area. So our next talk is on how to get and maintain your compliance without ticking everyone off, by Rob Carson, director of security at Cherwell. He loves building and improving immature security programs, and he looks really dapper in a purple suit. So what, building, building, no, like improving, yeah. All right, before we get started I just want to say the track's being
recorded, so at the end when we do questions I'm going to be running the mic around. Let's give Rob a warm welcome. All right, thank you guys. All right, so how do we get and maintain our compliance without pissing everybody off? So, one, realizing that, hey, it's never going to happen, they're going to have perfect compliance, so let's just move on past that. Talk about some of the challenges that professionals face, basically being compliant but not necessarily fully secure, right, and then how creativity and ops should get the job done, who to engage, how to engage with different business units, and then still being able to call yourself a true
security professional and not just feel like it's a big swiss cheese, right? Everyone hear me okay? All right, so my background: director of security at Cherwell Software, prior lives as well. I've done ISO 27001 twice, I've had a couple zero-finding audits, also done PCI, HIPAA, going through FedRAMP right now, so it's a whole new adventure with NIST on steroids, and to be working with your officer. All right, so initial implementation. So this is a lot what it feels like if you're kicking off an ISO compliance program, PCI or anything like that, and one thing to recognize is that, just as these young marines here graduating from going through boot camp, right, you
graduate from boot camp, you're an infantryman, you're a provisional rifle infantryman, you go to follow-on schools, things like that; you're not necessarily a MARSOC operator, special forces ninja. So understanding that, hey, just because you passed your first audit does not mean you're going to be some all-star ninja. All right, that's how it goes. So how do you do it?
One, and I got my security architect in here, and that's a lot like planning with him sometimes. Two, try to boil the whole ocean. I've been guilty of this for sure; a lot of times you wind up, you know, I try to do the whole ocean, I wind up just doing the North Atlantic, and that's still why I'm not here anymore, but we'll get there. So what should you consider as you're kicking off a program? So those impacting factors. So depending on the size of your organization you're going to have different things. So personnel changes: people are going to come and go; you're going to have potentially 24/7 support staff depending
on what kind of company you run. Explosive growth could be a big thing; that's a huge challenge is how do you, as you're going down the road trying to do your program, also change the tires while you're going down the road. Resistance to change, because change is hard, you know, sometimes you get off a free hug, sometimes it feels like people are used to doing things a certain way; why can't I do it this way, those kind of things, like how do you overcome those challenges. And ability to execute, that's another big piece too, is that one of the
things is nobody has unlimited budget, nobody has time, so you have to stay focused on what's the most important part and understand some things you're going to have to improve later on. And then external: so you have changes in state regulations, increasing customer requirements, and let's face it, I don't know how you guys feel, but I get these things from customers all the time: why aren't you NERC, why don't you have SOC 2, why don't you have this, why don't you have that? Because we'd be in audit hell all year long if that's what we did, if we just picked up every single certification there was. And then we also have new vulnerabilities.
You know, the IT guys have it easier sometimes because, let's face it, they have a new version of Windows every few years; we have a new vulnerability every day. So who here has ever felt that someone in their company might feel like this? Yeah. So, and that's one of the things, one of my favorite frameworks is ISO because it demands continuous improvement, and that's one of the best things about it: so you're compliant but you continue to improve it, so you don't get to just stick with, well, we passed it, we're good, let's just stay the way we are. So where do we start, right? So the first thing is to start with people. So
who are the people, not only on your core team but also who are the different business units of stakeholders, who are you going to be working with to implement this? Because it's not just going to be you; you're going to have people from IT, depending on your scope it might be professional services, it might be, if you're an MSSP, people who handle customer data, things like that. You're going to be having to deal with different stakeholders, so figuring out who they are, and finding those people that can preach the security gospel, and those that are going to be a big pain in your ass; figure out who they are and start
working around, working with them. And then process, right? So one of the most important things is to figure out what your processes are. So instead of writing these beautiful 50-page SOPs of a process that you don't even come close to following, write down what you actually do, okay? Start there. If you can just make sure that everybody's doing what they say they actually do, it's actually a great start in the right direction, because at that point you can start wrapping technology around it to either enforce that process or control it in different ways. And then let's talk about one of the pieces to start with, processes too.
So one of the mistakes I've made is that I'll start rolling out an HR security SOP before I even have some of the core processes I need to have in place first. So what are those core processes you need to have? Your committee procedures, how you're going to meet, how you're going to write your documents, control of records, control of documents, SOPs, your audit SOP, your training SOP, some of those core SOPs, and maybe corrective action, preventive action, because if you roll out the other SOPs, how are you going to audit it to make sure it's working, how are you going to handle it if it breaks? You need to
have some of the core infrastructure set up first before you start growing out the big network operations, things like that. If you don't have those things in place first, it's going to be very difficult to deal with those as those things need to mature and improve. So scope, yeah. Know how to define your scope and don't overcomplicate it. So what are your most critical assets, what are the things that drive revenue? That's probably going to be your scope, or maybe it's IT operations because that touches everybody, but they don't necessarily have to feel it as much, okay? But picking your scope and understanding what is the most important to you. So
where I work it's our customer data. At the end of the day, I'd feel really bad if our employee data got leaked out, but that's not going to stop revenue; I'd have all the employees to apologize to. So figuring out what the real scope should be, and then those boundaries, all right. So keep it clean, keep it enforceable, tiering around, right? What are those boundaries, what is the scope? So especially if you have a PCI CDE environment, what are those actual boundaries of your perimeter? For FedRAMP, same kind of thing; you have to really understand what those boundaries are and understand how that data flows in and out. So maturity, all right. So one of the
things to think about is that when you start off, this can take, depending on the size of your organization, a year, it can take two years, depending on how big you are, right? But once you hit this managed state, where you actually have, at least they might be manual processes, but you have those in place, you're able to start really quickly accelerating, getting to that quantitatively managed spot, and that's where automation comes into play. All these awesome tools that they sell out there, that's great stuff, but if you don't have a process, what are you automating? You know, figure out what you need to automate
first, what is that process, how is this supposed to look, what are you going to control? So maturing to the next phase: how do we go from a bunch of Iraqi army soldiers to the Marine Corps drill team, all right? So that click, pop, right, it's pretty sexy, or you can be like that, which is probably how you start off when you get started, right? All right, lessons learned. Anybody ever serve in the military? No? Lessons, you learn in the gas training pretty quick. All right, so compliance fails. So, organizations stopping once the policy's drafted. One of the things you have to recognize is that your procedures are going to change. Even if you wrote the most perfect procedure in
the world, if your organization grows at 10% a year, it's probably going to have to change at least 10% just to keep up, all right? So understanding that you have to do that. So one of the things I recommend is getting a good piece of SOP management software. I've used PolicyTech in the past; it's like an AK. I don't sell that thing or anything like that, it's not a plug, it's just the thing works, because it lets you make sure that you can control, you can push out your SOPs, make sure you can get people to read them when they've changed. And I've seen, at the last place I was
at, they were tracking SOP approvals via email. Try proving that to an auditor; like, that's going to suck. So think about those things; those are some of the core things you want to get in place if you can. Just because security technology is implemented, it's not protected: you have HIPS with an any-any rule, what does that do for you? But, you know, you're compliant. Poor configurations, you know, policies for the sake of policies. When I got to Cherwell they had an eight-page password policy. It was horrible; like, I didn't want to read it, and this is what we do, right? So cut it down to two paragraphs and put it in acceptable use
and move the heck on, right? Keep it as simple as you can. And that's one of the things when I started: they had 50 SOPs, 50 policies, three SOPs, okay? So these policies, they're works of art; I should be frank, an eight-page password policy, that's pretty impressive, but at the end of the day, what good is it, right? No one knows how to follow it. So if you have all these policies, you've got to make sure you want them so... you want to make sure they know how they actually can follow the policy or the procedure that you're actually trying to enforce or control. Most people will try to follow the procedure if it's clear, but if it
doesn't say go here, send an email to this, this R, you know, that's how you make sure you're actually able to make your procedures useful. Policies, talk about that, policies don't make any damn sense. One of the things I struggle with is, you have rules like no BYOD, yet you can bring your phone but you can't bring a tablet, right? Think about it though, right? Your tablet, it's the same basic OS, right? So what's the point, right? So those are challenges I have, and I'm happy to talk afterwards about how you guys have tackled those ones as well. So compliance wins, yeah, it can not
suck totally, all right. So baseline, baseline of your security controls. So at the end of the day, when you start off, at least now you're actually looking at it from a holistic standpoint and not just looking at it from one spot. Now where you improve is going to be dependent on your budget, your ability to execute, as well as what's really relevant to you: what's your data, where you really want to spend your effort. Does physical security matter that much, as long as they can't connect? Where do you want to spend your time? You can't spend your time everywhere, so it helps you start to figure out where you can slowly,
incrementally increase different parts of your controls, and they address a lot of people and process. So you can do a lot of free security with good people and process. Yeah, for all the pen testers out there, oh well, I can still do this and that and this, and I'm looking at a couple guys I've hired a few times along the way, and you're like, well, I can still do whatever, but that's fine, but what's the people and process? What's the process? Let's make sure you're following it, because then I can put those technical controls in place, right? So that covers a lot of it. You're still dealing with insider
threats, I get it, but it's a starting point. You have to start somewhere, because you can't get that incremental progress if you don't start somewhere and just move from there. All right, mandating improvements, that's why I like ISO, and a mechanism for budget. So the way my risk assessment works: when I do a risk assessment, I do business processes and the information assets they create, right? I don't do a risk assessment on a server; who gives a ... about the server? What we really care about is the data on that server, what business processes are critical to that server, and so when you're sitting down with the CFO it's a whole lot easier to say I need this to
protect this business process, this line of revenue that drives this x amount, as opposed to I need it because it's cool. You know, like, why do you need this? It's for this business process. That actually resonates a lot better with an executive team than it will with just getting to the bits and bytes of, well, I need a Nessus scanner, a Qualys scanner, I need all this stuff. Like, for what? Why? What are the business processes we're protecting, why are we doing it? Because this isn't a nonprofit; we're doing this to maintain revenue, right, to make sure we protect that revenue, protect
that data so our stuff's not out there. And then toolkit. So one of the things I use is the Cloud Security Alliance questionnaire. So when you get those RFP questions from your customers, and somebody sends you one Excel sheet with 70 questions, the next guy sends you one with 20 questions, the next guy sends you one with 300, this is a way to streamline that. So this thing has 300 questions and it will literally answer everything that customer is going to need to know. It's a very nice compliance piece, and sometimes that'll save you time, as opposed to answering their questions, answer them ahead of time. I recommend it, and the nice part about it
too is it actually has a mapping for every single framework out there, so it's got NERC, FedRAMP, everything out there. So you can actually say, okay, you're a SOC 2, you're an SSAE 16 shop, that's what you care about, here's how my ISO controls map to this, as opposed to, well, you don't have this, you don't have that. This is how you can get through those issues when you're dealing with compliance people on the other side. Excel, you know, a lot of people start with Excel; it's fine. Compliance management software is out there if you want it. Compliance veterans: so finding people out there that have been through this,
how did you get through this, how were you able to tackle this issue, how did you handle that control? Finding those guys out there. And then KRIs and KPIs; that's one of the big things that we use. So we use key risk indicators, and that can be, you know, how many vulnerabilities have aged past a certain date or whatever, but the key performance indicators would be more like, hey, background checks versus employees hired every month, and that way I can make sure that my process, my SOP, is actually performing as it's designed, so I can check the performance of it as well as the risk. Those are things you want to think
about. And then a poor man's threat feed. So this talks about, you have external things, so this is a screenshot of what I use. So this is TweetDeck; it's free, but the nice part about it is I can plug in stuff I think is interesting. I have location, so I have spots, I look at different offices, see what's going on there, look at Cherwell, so I'll sit there and make sure no one's tweeting something pissed, to see it doesn't get on a rampage about something crazy. You never know; I mean, that's happened to one of the casinos in this area. And then, you
know, looking at Brian Krebs, stuff like that, right? Hopefully he never calls me; I'm leaving. All right, how to work with others. So people: be professional, plan to kill everyone you meet, right? General Mattis, all right. So sales: it is all about them. So when you're engaging with sales and they don't do their security training: hey, if you don't do your security training, how am I supposed to call the customer and tell them we're secure? You like selling? Let's make sure we do our security training. Marketing: they're arts and crafts masters, right? So if you deploy something like Titus, it's a document classification thing, let them pick the font, let them pick where it sits; who
cares, let them pick that stuff, they're happy, as long as you have a classification on it, right? One of the things we did with control of records, control of docs, as opposed to writing out this big thing of we're going to use Courier New or Times New Roman 12, we said we're going to follow whatever marketing is using, and that way marketing is happy because we're going to help enforce what they're doing, and at the same time I'm not getting in a battle over Trillium 11 or whatever font they want to use. Like, it's not a battle worth having, right? So make your compliance easy. Finance: it helps you control spending, so use them;
they can help you. So when they're buying new software: hey, make sure we check it beforehand. They're happy to delay a spend if they can, so that's an opportunity, right? Audit: be ready. This is what I wear to my audit. Why? Because it's fun, right, and I'm treating it as seriously as I can, right? So if you show up in a t-shirt and shorts, it might look sloppy, right? You want to show like you got your A-game on. Take the fight to the enemy. So what I do is I literally, a month before, and about the weekend before, I go through every single control and walk through how I'm going to prove all of
those and where that evidence is, and so when I'm sitting before the auditor I'm taking them to it. So this way, at a minimum, I might wind up with maybe a minor, maybe an informational finding, as opposed... but I can show them some good evidence before they go look at the bad evidence, because it may not be perfect, but at least you can show them that you are trying to follow the process, think about how you're going to improve it. Because the auditors smell blood; they're sharks. So if you sit there and you're like, uh, it's all quiet when they ask you a question, it doesn't look so well. So take the fight to them, drive
them; they're only there for so long. Finding a GRC process that doesn't suck, at least totally, that's important. Think about that: figure out how you're going to handle those corrective actions, those preventive actions, things like that. So one of the challenges I think we all have from time to time is trying to understand what the control actually means from a security standpoint. Well, I got to have this; well, it doesn't really say that. You read HIPAA, and do you even really have to have data-at-rest encryption, or do you just have to make sure the data is protected? So there's things to think about. All
right, risk assessment. Hey, a lot of the processes integrate with finance and legal, so ask yourself what are the financial implications, legal implications of these processes failing, and assess the value of the data. So look at it from an information asset standpoint more so than from a server or a USB stick, right? And that's it. Any
questions how you doing good um what experience do you have with the risk management framework for federal information systems so you're talking about n yeah the N standards yes so it's basically planning do check back it's if you sorry yeah so that's a great question I could definitely follow up further off offline but um the federal risk risk management framework is not that much different than the old ISO risk management framework or the 31,000 series it's plan do check act it's it's a little bit different but it's it's all basically the same you know it's assess the you know you make your sorry what is your you know what's your own mitigated risk and once you
mitigate risk being able to quantitatively prove that is one of the big pieces too you know so making sure you ask yourself repeatable questions as opposed to well I'm going to give myself three points for because I've got proof point right or whatever do you know that's great but that's not NE you want to make sure you have good questions on on the on the downward side as well that help I guess why I'm asking is because I looked at that compared to the certain set of the iso controls versus their RMF controls and it looks like there's like a ton more of controls I'm like why is there so many oh so you're talking
about the actual n the 300 controls they have yeah I mean that's that's a lot a lot absolutely it's more granular and it's a little more specific and it's definitely less uh you know ISO says you need to meet the control um but it doesn't necessarily tell you how whereas it gives you guidance whereas with with n it's going to give you especially fedramp which is basically nist on steroids it's going to be much more prescriptive on how you're going to make that control I don't if that helps not not really sorry but thank you all right any more questions let's give him a rounds Round of [Applause] Applause uh I will have to do a video
real quick yeah
I'm
This track is being recorded and it's also being streamed, so at the end when we do Q&A we're going to be using the mic; just raise your hand and I'll run it out to you. Our next talk is on pushing security from the outside, by Chris DSE. Please give Chris a round of applause.

All right, thank you. Just so I get a feel of everybody who's here: how many people here actually work in the security field? Uh-oh. Okay, how many people don't work in the security field? Okay, great, so I have something for both sides, and I think over this next 20 minutes you'll be able to take something away from this. Like it was said, I'm here to push security from the outside. So what's the outside? I guess that's the first question. So I don't work in security. Actually, I don't even work in the IT department in my company, but I'm out there pushing security. I do lead a team of software developers, and we're generating software used within our business, but unlike most teams in our company, security is not an afterthought; it's an important thing that we talk about every day in my group.

Today I want to talk about my experiences during my career related to security and how I've tried to push security from non-traditional roles, basically outside of IT. Some of the things I'm going to cover with you: how pushing security can be both fun and rewarding, how we all need to try to train people to think like hackers, what responsible disclosure is, and, if you're in the information security team, how you can create an environment to allow everyone to push security, whether it's from the inside or the outside.

As I was working on this talk, a question and idea that came up again and again is "security is everyone's responsibility." I think everybody here will probably agree that's the truth, but at your company, is that really true? At my company, safety is the number one priority. But how do we get to the point where both safety and security are everybody's responsibility? It's going to take some work, and it's going to take some work from both sides, and if you don't do it you're going to end up with something like this. I picked my first lock today thanks to my mentor, but I'm pretty sure, even though I don't know how to pick locks very well, I can bypass this security. If we don't have everybody pushing security from the outside, this is what we're going to end up with.

I talked about how pushing security can be rewarding, and the way I have chosen to do that is mentorship. There is a developer in my company who I often talked with about security-related ideas and practices. This guy's passionate about security; he also knew how to develop secure code. As we talked, I knew this guy needed to get out from doing software and into our infosec team. So when a position came up I encouraged him to apply, and once I got him to apply I mentored him on the process and made sure that he was successful with his interview. He got that job, and now he's in information security, and even better, they assigned him the responsibility of securing the code within our company. So mentoring has been one way for me to push and help security in my company. He still comes around, we still talk about things, and I'm still giving him ideas on how we can push security within the company.

But I talked about fun too, right? We want to have fun at work. So what's the most basic problem we have in security? People don't lock their workstations. It's been a problem my whole entire career; every company I've worked at, we've run into this problem. So what can we do about it? Well, I'm going to go from pushing hard to maybe not pushing so hard. Probably the worst I've ever seen is an admin who doesn't want to lock his screen, and when asked about it the response was, "I was only away for a few minutes, what could someone do?" So here's an idea to teach somebody what they can do, if you don't know. This is a Windows example, but in the registry you can replace any program with another debug program. So why not take the accessibility tools and replace them with a command prompt? Then you're going to get something like this: a Windows logon screen with a command prompt with admin rights, access to the Start menu, and so on. This is a very simple thing to do, and it will really drive a message home. Now you've got to be careful; you don't want to just do this and leave it, because you've just put a security hole in the company. But it's something you can demonstrate: you can take a laptop that's not on the domain and show them how it can be done. What's that? Is that system...? Yeah, this is a live stream. It's basically, you can go into the registry and, using the debug functionality, replace it with a command prompt. Yeah, just Google it, it's there: using debug to replace the registry. Okay, so that's pretty aggressive. Let's do something a little less aggressive.

One of my favorites, and this one works really well, is to go into their monitor settings and invert the screen. Unlike Tom Cruise in Top Gun, most people can't work a mouse when it's inverted, and when they do get it undone they'll probably lock their screen because they don't want that to happen again. I've only got one person who I've done it to so many times that he actually is very good at using the screen inverted, but you can only try. Probably the easiest thing you can do: I was at a company that made these up. These are just sticky pads. If you're in a Windows shop, everybody should know Windows+L is the quickest, easiest way to lock your computer when you step away. Super simple and super effective: you find an unlocked computer, you put the sticky there, and you lock it for them. Hopefully they get the message.

Okay, but earlier I said you need to think like a hacker, so let's talk about that. I work with software developers, and this is the talk we have over and over and over again: is it a feature or is it a bug? Those are great conversations, but sometimes we need to escalate that conversation: is it a feature, a bug, or a security risk? One day I was in a meeting and we had to look something up, and that required us to log on to our website on our intranet. So we log on to get the information, and the guy running the meeting is greeted with a password reset form; his password had expired. Well, he didn't want to reset his password during a meeting, so he hit the cancel button. Next thing we know, we're looking at the information that we're supposed to be looking at. Yeah. Oh, that was the same thing I did. And in fact the meeting just went on; everybody else just kind of said, "Oh, we got the information, let's talk about it." I actually stopped the meeting and said, "Hey, what just happened?" I went to the meeting leader. He said, "Oh, I just hit cancel; for some reason my password expired, I didn't want to reset it, but it still let me get to where I need to go." So the meeting finished, and then I'm kind of sitting here thinking, what just happened? Obviously, in my mind, we just found a pretty big security hole on this website. The next thing, being a guy leading the software development team, is: why didn't this get caught in testing? Surely the tester did some testing on this password reset. Well, turns out they just test the case that they knew of: a good user, if they're told to reset their password, is going to reset the password. They're not going to worry about that pesky cancel button. But if you have people thinking like hackers, the first thing they're probably going to do is press that cancel button to see what happens. Turns out what does happen when you hit that cancel button is you get a cookie anyway; it doesn't matter if you have an expired password or not.

So what do I do? Well, if I'm not pushing security, I think, great, hey, this is a feature. I just found out I've got a non-expiring password on this website: I just put in my old password, hit the cancel button, and I'm in. But I'm not doing that. So what do I need to do? I'm sure I don't need to tell anyone around here about responsible disclosure, but think about it at your company: what's the responsible disclosure policy? Do you even have one? You might have one for external users, but what about internal users? What are they supposed to do? So I start asking around: what am I to do? I think I just found a security hole. I got some suggestions, including "ignore it, you found a good feature," which obviously I did not go with. One was "open a ticket," because we all know tickets get taken care of. I mean, I've had tickets lost, misrouted; we get tickets all the time for the wrong thing. So I wasn't going to do that. So I talked to some friends, I contacted IT, who were able to help me find out who was responsible for this website. We worked together; I got in contact with them, we set it up in their test environment, we verified that this truly was happening and was a security hole, and we got it fixed. But we've got to remember, this would have never happened if someone wasn't thinking like a hacker, or if people were thinking like a hacker and they knew about responsible disclosure.

So one of the things I always try to do is never pass up an opportunity to talk about security. Passwords are a great thing to talk about. Often, when I go to meetings, I log in with my 20-plus-character password, and the first question I get is, "Why do you have such a long password? The password policy doesn't require that much." That gives me the opportunity to talk to them about how we shouldn't be using passwords, we need to use passphrases. People are surprised to hear that in Windows you can actually put spaces as part of your password. I also tell them, you know, if you can, at least do 14 characters; greater than 14 characters on Windows avoids the LAN Manager hash problem. They might not need to know about the LAN Manager hash problem, but if you tell them 14 or more, maybe they'll do that. And if they keep asking questions I'll talk to them about password managers; obviously that has to go with personal preference and policy in your company, but those are things that you can do.

The other thing about passwords that I did recently: I was sent to a public speaking class. Hopefully at this point you're not thinking, whoa, what a waste of money that was. Our class assignment was basically to learn how to be a better public speaker, and we did it by doing a five-to-seven-minute talk. So I thought, why not talk about passwords? We have a whole convention on passwords; surely I could get five to seven minutes of material for my talk. So I gave the talk three times, each time adding a little bit more to make it really interesting for the team and to try to get them thinking like hackers and looking for problems. The last time, I went and created an email account, I added second-factor authentication, and then I gave them the password. I said, "Prove to me you got into that email account and I'll buy you lunch." Now, luckily it wasn't this group that I was trying that with, and I didn't have anyone successful, but I had a lot of people who tried, and I felt that was a big success because I got them thinking like a hacker. Some of them even tried to social-engineer me. They were all trying things that they didn't even know they were trying.

So you might be thinking now, I can't do all these things, but surely you can do something. How about just fixing the problems you can influence? Okay, this isn't the file I was given, but at one point in my career I was given a file much like this: a password.xls file. No problem with that, right? It was even better, because when I asked what we were to do about this, they said, "Don't worry, it's password protected." I didn't have time to teach them about how easy it would be to bypass, but I did take this opportunity to fix this problem. I took this information, I got it off our share drive, which is where it was located, I set up a KeePass instance with my team, and then we added second-factor authentication. I know you're saying that's probably not the best solution, but it's way better than this solution. Matter of fact, I've never found a password.xls file other than the one I've been given, but I've found a lot of other information on share drives. I found financial information, performance plans, staffing plans. And what do I do? Well, why not take them for myself, right? No, I don't. I do take them, but not for myself: I take them, I move them off a public share to somewhere they're safe, and I go ahead and notify the user: hey, you shouldn't have this information out there; here's what you can do to secure it. And you need to be very careful.

One of the most interesting things I've seen is data leakage on calendars. So I'm going to give you an example. This is my calendar; that's just a mockup. Let's say here we have 9:00 on Monday: the manager meeting with HR about an employee performance plan in the HR rep's office, followed by an employee meeting with the HR rep in the HR rep's office. What's going on here? Someone's going on a performance plan. That's probably information that you don't want to broadcast. It's real simple; you just need to be cognizant of the information you're putting on there. So here, I have a secret meeting going on at the Neon Museum on Thursday, but I know no one else knows about it because I have the lock here. So whether it's Outlook or, if you're lucky enough to use Lotus Notes, this feature still... not. Okay.

So I told you I lead a development team. One of the things that I hear often, or we talk about often, is secure code. So what can we do about secure code? Not this. This is often the response you get from developers when you talk about information security: nope, not my problem, I don't want nothing to do with it, infosec is going to scan that thing, and once I pass the scan we're going to production, right? I'm sure y'all have seen it. But is that really the way to be doing this? Some of the things that we talk about on our team are how we can secure both our code and our environment from the beginning. So you need to think about things like: what's the type of information you're storing, how are you going to store that information, what's the security model that you're going to use? There's a bunch of good information out there on developing secure code. You can choose to follow it, or do this. I recommend following it.

The other thing I've trained my team on is default passwords. Once again, back to passwords. I think I've got them to the point where they know this: I can be a master hacker in our company if they're going to do things like this. So if they put a piece of equipment or a website up, whether it's in dev, test, or production, and they leave a default password, they know I'm going to reset it. At this point they don't do it anymore, but there were times when things got put out there, I reset it, and then they had to come to me to get the password. I don't know why they didn't just reset it themselves, but we'll have to talk about that at another time.

So I've talked a lot about pushing, but I also need to talk about pushing too hard. One of the ideas behind me giving this talk was to even push security within my company. I thought it was a great idea. If I was up here talking about version 1.0 of this talk, I'd probably leave this room and get a call from the CISO, because I was pushing way too hard. I took the help of my mentor and some friends to talk about the opsec issues I had with my talk and the things that I was revealing with this talk, so thanks to Cat for that. But there's another good reason why we shouldn't push too hard. Who knows who Randal Schwartz is? Okay, if you don't know who Randal Schwartz is, you should; you could know about him because he was, is, a Perl developer. He goes by Merlyn; maybe you know Merlyn. He's one of the more notable Perl developers. But early in his career, and sorry, this isn't really meant to rag on Randal, this is just kind of a friends-of-Randal side, he decided that he was going to push security within his company. He was working as a sysadmin; he was unhappy with the security practices, so he was going to show that he was going to push security. So what did he do? He did some authorized pen testing. What happened? This is back in 1995. He got in big trouble. When I say big trouble, we're talking three felony convictions and one misdemeanor. Think about that. So we don't want that to happen. I don't want you to go from this talk and say, "Chris told me to push, so I'm going to push," and end up like this. For Randal this took 12 years and in excess of $200,000 to clear up, but he eventually got it cleared up. If you're going to remember anything about pushing too hard, remember the story of Randal.

Okay, most of you guys are infosec, so I want to specifically talk to you. I'm talking about pushing; I'm giving people ideas how to push. You want everybody to be able to push. So let's take the example of these guys pushing this boat up to the beach. Looks like a fun thing to do, right? Sure, yeah. I'm sure that if the guys out in front were the only ones pushing, they'd have a tough time pushing this boat up the beach, but everyone together is likely to be a success. If you think back to that picture in the beginning, everybody around the lock helping push security, that's what we want to do. So here are some things you can do. First, just encourage people to talk about security. Someone doesn't have to be on the information security team to talk about security. You might want to make sure they're pushing the right things or saying the right things, so train them, but it's okay for them to talk about security. Give them the tools to talk about security; spend some money, buy those Windows+L sticky notes. Recognize users who are being secure outside of information security. Formalize an advocate role if you can. I feel like I'm doing an unofficial advocate role, but there's no reason why you can't formalize it, and if your HR group would allow it, give them some work to do. Everybody's short-staffed these days; maybe you can have a rotation program and have them come work in information security for a little bit, or make them honorary red and blue team members. If you do that, I'm sure someone who's interested and had the opportunity would love to do that. I would if I could.

So I talked about a bunch of different things. If you're not information security, which is a small group of you, hopefully you can take some of these ideas and use them to push security within your company. And if you're in that information security sector of your company, why don't you go ahead and try to create an environment that will allow people to push security. And if you didn't get that out of this talk, come find me, because like I said, you should never pass up an opportunity to talk about security.
[Applause] Thanks. Yeah, when you talk about pushing security from the outside, it sounds like in a lot of corporations it's going to be a culture change. What are some things that you found were effective in getting that culture change, and what are some things you found that were not so effective at changing culture for security?

I think the hardest thing is, based on my experience, the information security team has basically walled themselves in and they don't really allow outsiders. I think it needs to start first with the information security culture, to say we're going to allow this guy in, so we're going to say, "Chris, we're going to let you push, but if you're going to push, these are the things that we want you to push on and these are the things that we don't want you to push on," and just give some training. I mean, I don't think anybody wants their company to end up like Sony, right? I hope not. Maybe there are some people who do.

Hey Chris, you mentioned that there's a CISO in your company. Yes. I'm curious where he falls. I mean, has he been supporting you and your efforts? I guess I'm at a loss here, like where is he in this picture? Has he been supporting anything? To tack onto your question about the culture change, I'm really curious.

Short answer: no. We've talked about ideas, but I work at a company that's a subsidiary of a company, and I think he's being given guidance that causes problems for doing things like that. So I think he's doing the best he can. He doesn't know about this, so I think I'll probably stop there; if you want to talk about it, after. I think we have time for one more question. Come on, one more good question. I have one. Yes, sir.

So to follow up with what Ming was saying, where does the permission come into play with the CISO, and kind of how far you go?

Yeah, so my advice would be to probably check before pushing. I didn't do that, and there's a reason I didn't do that, but we'll see what happens. Like I said, version 1.0 of this talk probably would have gotten me in a lot more hot water, so we'll see. But I'll put the information out on the list, and if after this talk I'm looking for a job, you'll know where to find me. I've got to thank Cat for all the good help again. Thanks. [Applause]

Thanks, Chris.
All right, hi everyone, and welcome to Proving Grounds. I'd like to start out by thanking our sponsors, especially our Stellar sponsors: VerSprite, Productivity, Tenable, Amazon, and Source of Knowledge. This track is being recorded and we're also streaming. At the end we're going to have a Q&A session and I'll be running the mic around, so please bear with me and wait for the mic. Our next talk is on DNS hardening: proactive network security using F5 iRules and open source analysis tools, from Jim Nitterauer. There you go. Got it? Perfect. Awesome. All right, Jim Nitterauer is a Senior Systems Administrator at AppRiver. Please join me in welcoming Jim.

I'm only here to speak; it's not here for me. All right, so I had trouble with the projector yesterday, so I'm going to roam around; hopefully this laser pointer will work and everything will go well. My name is Jim Nitterauer, Senior Systems Administrator at AppRiver. I've been working at AppRiver since 2006. First I want to thank my mentor Dave Lewis back there; thank you for your help and assistance, I appreciate it. And I want to thank BSides for inviting me to be here today. How about a big hand for all the volunteers who put this on? Everyone deserves it. All right, see if this works. Hit the wrong button already; there we go.

So a little bit about me: how did I get here? Well, I went to Noon in 2015 and was sitting around talking, teaching people about a few things that I was doing at AppRiver. A couple of guys overheard me, like it says here, and they said, why don't you come speak at our next event? So apparently you say a few things and people overhear you and you're a security expert. So realistically, I've been with AppRiver since 2006. This certificate is not mine, because my name is Jim, I'm not Jack. When I came to AppRiver in 2006 I started out on their security team. Right now I'm in charge of running their global data centers. Worldwide we have 12 data centers we run all of our servers out of, and eight offices globally. We run SecureTide, which is a spam filtering platform, and SecureSurf, which is a DNS filtering platform. The opinions expressed here are not necessarily those of my employer; they are mine and mine alone, so if you have any trouble with it, come after me, not after them.

All right, so today what I want to do is lay out the challenge we were faced with. I'm going to tell you a story about how we went and put together a solution to secure our DNS infrastructure. When I'm focusing on DNS here I'm talking about our SecureSurf DNS infrastructure, and just think of it as a DNS caching resolver; don't worry about what the service does other than that it resolves DNS. Any of the different platforms that I mention here, I'm not endorsing any one of them; we just picked them and we use them for our platforms. So I'm not here to say one vendor is better than another; you just use what works. What I'm going to do is lay out the challenge that we faced, examine some of the security flaws that we ran across when we brought on our service, look at some of the tools that we use to solve those security issues, assemble those pieces to show you how we put them all together, show you some of our results, and discuss some of the future possibilities. That's a lot in 20 minutes. I'm not going to go into a lot of detail about some of this stuff; a little bit later, after the talk, I'll put some more technical blogs on Tripwire and on the P list blog.

So the first thing, we start with basics. Before I came to AppRiver they had version one of their SecureSurf service. They rolled it out; the service did what it was supposed to do, it secured your DNS. The problem was it took about 500 to 1,000 milliseconds to resolve a DNS query. So if you really liked your DNS slow, that worked well. It didn't work too well, so they started from scratch and rewrote the whole service. When I came on board they were about to roll out the service for the second time, and what we ended up finding out the minute we rolled out the service was that when you put a service out there that anybody can connect to, you run into all kinds of problems, right? Our DNS service works at application layer 7, obviously, and a lot of people will secure their DNS at layer 7, basically by setting rules where you block IPs and only resolve for certain domains, that sort of thing. But we couldn't do that; we had to work at layer three, layer four, layer five, and layer seven. So what happens if you secure DNS at layer 7? You end up with something like this, right? You're going to blow up your DNS servers. There's so much traffic out there, there's so much malicious traffic, you're not going to be able to support security for that platform. So what we ended up doing was developing a plan to figure out how we could mitigate some of the challenges without closing that DNS. The reason we didn't go with a whitelisted IP-based DNS service is because some of our customers are actually remote customers, so they move around, they have dynamic IPs, they're small businesses, they don't have a fixed IP, and they don't want to have to log into a captive portal, put in their IP address, and wait for that information to be propagated back to the service.

So what I'm going to go over today are basically the security flaws that we found in DNS that you probably see in your own environment, and I'm going to show you how we went to solve those problems in general detail. If you want more specifics, feel free to come find me; I'll be here the rest of the week, I'll be at DEF CON, and I'd be glad to sit down and go over some specifics. I'm not showing any live demos today because we know how those go when we do those in talks.

All right, so the first thing we came across: DNS amplification attacks. Who's seen these on their network? Have you been a participant or a victim? Cannot disclose, right? They're a man-in-the-middle attack where somebody spoofs an IP address, sends you a bunch of small packets asking for a bunch of big packets, and sends them to the spoofed IP address, typically a botnet network. You can rent time on them; they'll do these with several hundred thousand botnet members over the course of 15 to 20 minutes, and your DNS just doesn't work. DNS amplification attacks are a big deal; they really will bring your DNS down, or make you look stupid for participating in them, so you have to be careful about these.

The next problem we faced is kind of an interesting one. Being a spam and virus filtering company, we're very aware of what's going on in the botnet networks, who's sending out spam, and those sorts of things, but we saw this in our DNS. There's a tactic that the malware developers use called domain generation algorithms. They're built into their malware, and they generate these randomly generated domain names along with the domain names that are real, and connect to the botnet command and control networks. They do this on a regular basis; what they're trying to do is obfuscate their real DNS command and control in this scatter traffic. Well, the problem is, on a small network you may never see them. On a big network like what we're doing, we're doing 60, 70, 80,000 DNS queries a second on our network, these things become problematic because they generate a ton of NXDOMAIN lookups, so your DNS servers become very slow and don't respond very quickly.

The third thing we saw: bad name queries in our DNS. Everybody here, I'm sure your DNS never relays a DNS request outside your network that it shouldn't, right? One of the big ones, there's one on here you all need to be aware of, I think it's listed here: WPAD queries. If you don't have those shut down on your network, I advise you to dig through the internet and figure out how to shut those off immediately. If you don't have a proxy server on your network, these are bad news. Your users can go, and this is an aside, they can browse on Wi-Fi anywhere else, it will send out these queries, somebody can spoof DNS queries and reply to them, it will set the proxy server on their browsers and send all their traffic to that proxy server. Okay? Disable that if you don't use it in your domain. Take me seriously on this.

But what we also saw were some really strange lookups. I don't know if you can see that; there's one there, there's a couple of others down here. Some pretty poor malware writers, what they were doing was using these domain generation algorithms to generate domains for botnet command and control traffic, but they weren't smart enough to make them fully qualified domain names, so they just end up creating a lot of havoc. We saw these in our network. Another thing we saw when we started to examine DNS traffic, and initially we were examining all of this traffic using Wireshark and some other capture methods, we saw malformed DNS packets. There's two kinds of things that we saw in this. One of them was malformed packets designed to basically DoS your DNS or bring it down, and the other was really interesting. I don't know if you know about DNS tunneling, where you can actually tunnel other protocols through DNS. It's done by packet injection in the packet headers that go through your DNS server, and you can see that in your DNS requests if you look at the packets. So this was a problem. These kinds of traffic should never, ever reach your application servers; they should be blocked at the edge.

The next thing we saw was data exfiltration via DNS. This is pretty slick. The nefarious people register a domain, like ps70 is one of them. Then they go and do drive-by malware downloads, send you some malware, via B for example, which installs some malware on a computer, starts generating traffic, and looks for the data that it's looking for on that infected machine. As soon as it finds it, it starts taking that data off the disk and creating this encoded subdomain. Well, the problem is that all of this is legal DNS, right? It goes out to the root, finds the name servers, goes to the various name servers, and it returns an IP address. The other thing it does is it takes all this data here in a subdomain and reaggregates it back on the nefarious side. So their data, this is what this
is data being exfiltrated from an infected customer so you can catch that in your DNS and we were able to mitigate that through some of our f5i rules another thing that we saw because we didn't want to close our DNS resolvers down is we wanted to be able to block IPS that we knew were bad there's several lists out there this particular one uh is a drop list from span housee it's free you can subscribe to it you can download it whatever you want uh we wrote a little C program to put in the right format this is the format that an IAL data group takes but it's basically just the data gotten from spam house put
in the right format we're able to have this data stored in a central location and then distributed to all of our F5 load balancers globally with um a bash script and chrome jobs that are run every so often on on the F5 load balancers so we're able to aggregate these we get this data from various feeds uh including AR spam filtering information the last thing we saw is um actually an interesting way that you can use DNS to do DOS so several probably a year and a half two years ago most of the major DNS servers put in a feature that allow you to force certain queries to be reased over TCP so somebody wants to do a DNS
amplification attack they hit your server with an any request on 53 your DNS server says I'll be happy to answer that you got to ask on TCP Port 53 well the bad guys aren't going to initiate a DNS attack against you over Port 53 TCB because then you know who they are but what they will do is they will spoof the IP address and the TCP packet and send you a boatload of queries directed at the malicious IP or the uh the IP address that they put in there the wrong one so what do you do you end up initiating a syac flood against the target IP address so one fix for vulnerability creates another
vulnerability in your DNS so be careful about these in Windows if you run Windows DNS anybody know what the timeout is for TCP Timeout on Windows five minutes five minutes that's ridiculous and stupid nobody needs five minutes of uh time time out wait timeout you can change that in the registry the lowest windows will let you set it is 30 seconds but set it to 30 seconds that will protect you quite a bit all right so this is we saw the last thing we saw on our DNS were DNS floods this was kind of interesting when we first brought the up several years ago this was a big deal people would just try to flood the crap
out of me with these DNS requests the latest one happened um last year I think it was October or November anybody remember what happened to a particular magazine they made an announcement about the content that they were putting in their magazine the next day the unhappy people dosed Ultra DNS for about 4 hours in the afternoon took them offline this was Playboy Playboy magazine so anybody chose to ultra DS that afterno had a really afternoon all right so what did we use I'm going to go over the pieces that we used to put all this together first thing we have our F5 load balancers these were in place when we got there we're just working with the tools that
were in place so basically an F5 load balancer has a public facing IP address to endp point for a service could be email could be DMS whatever uh it's called a vent virtual IP address and it's load balances to a pool of servers in the background in our case there would be 4 53 here and DNS servers in the background it also supports something called ey rules which are very cool I'm going to go over those in a minute it lets us actually monitor what's going on with these and load balance across many um servers in the background has some other features it uses an operating system called tmos stands for time managed operating system nothing fancy it's just
F5 operating system and it has the ability to do tmsh commands which run functions within that operating system another another cool feature that it has are ey rolles now this is just a view of a sample ey roll in f5's free ey roll editor that you can download online so irules allow you to manipulate traffic at the application or network layer both inbound and outbound and do things with it and it uses a language called TCL tool control or tool command language I think that stands for so anybody remember TCL from a long time ago well it's back all right so what we also were able to do with threat Fe design spoke about these a little bit earlier that's the
address you can go to that one and look up that particular threat feed um if you have a router or something a firewall that takes in these IQ feeds I would go look at this one in the E drop and just drop that traffic from your network never let it touch your network there's one called drop and there's another one called e drop it's free list that you can download so I was hungry for baking this morning but I didn't get the breakfast in time Wai for my badge so I put that in there other thing they have you to do is remote logging and this is where we kind of put the pieces together F5 lets you
log locally obviously but you don't want to do that anytime you're logging locally on public facing device you're creating iops on your disc slowing your device down so what this allows you to do is set up paths to remotely log all of your data we remotely log all of our data to gry log gry log is a choice that we did it's basically the open source alternative to Splunk right people use Splunk we chose not to use it we generate so much data the cost for us to get involved with spun it's a great product but for us we needed something that we could manage a little bit more the volume vog data that we had is
tremendously high so grey log is you can run it as a single machine a cluster of machines uh put the cluster behind an F5 load balancer send all of your data to that F5 load balancer load balance it across the gry log servers gry log has inputs that ingest this lob data takes that log data and writes it into an elastic search clust that behind this so we're using elastic search as well the elastic search cluster then indexes all the data based on the fields one of the cool things about gry log is that it gives you the ability to import data in a format called gelf I'm going to go over that in just a second what what
that is so gelf like elf but not a gnome or anything like that the other thing allows you to do is write custom Java plugin so you can parse data when it's coming in so how many of you use like kiwi anybody remember what Kiwi is loud server was good for its time it's hard to get information out of that right because it just takes straight up sis log format dumps it into a file with the volume of stuff that we're doing it craps out very easily the elastic search gives you the ability to do flexible search you can format your data in certain ways I'll go over a little bit of that here coming up
the other thing that Greylock has now that's pretty cool is it let you from your windows or lenux boxes you can ship your logs directly to it and it has a feature that's called called um gyog sidecar it's a application you install on Windows server or Linux server and it manages either NX log or log stash but the cool thing is it reports back to your gry log so through your gry log web interface you can manage all your remote endpoints you can tell it which files and logs you want shipped back to your gry log servers so NX log is basically think of a log router you point it to folder that contains your logs it ingests logs it
will do a transform on them put them in the format you want and then it will send those logs on to whatever input you tell it to grabs the log does this thing sends it off that's all it does it's a middle man so what we use this for this this part of it is because we wanted to actually look on private networks what was happening in DNS for customers so in DNS most of these customers have active directory DNS servers active directory DNS servers have the ability to Output your log information in the debug logs right it's in a very crappy format it's very difficult to read and it's also difficult to make it
rotate now if you want to know how to do that I can I put up a blog post about how to do it right so your logs rotate and everything else works the way it's supposed to because what happens by default in adns if you put on the debug logging it will keep the file up until whatever size you set it at 500 EGS 50 gigs whatever size you set it at and then it'll delete that log and start again your data is gone with Powershell you can set some functions that will let you roll those logs over and keep those logs for a period of time so gelf gelf is called is short for gry
log extended log format it sends data in a Json formatted packet the first parts of this packet are required for gelf format the last parts are the cool Parts where you can actually parse out and add your own fields which we did to a high degree I'll give youles that but you could add 100 Fields here if you wanted if you can log if you can grab the data you can put it in there if you do any net program any other kind of program there's guil libraries available to do this or you can do it natively which I'll show you in a second in our F5 I rules what we did is we actually told in
TCL this is how you would write one line of code to send one log message to uh through the F5 in gelf format but it's pretty straightforward there's your bracket all the information here's the fields that we were adding right so we're adding these fields down here at the end all that data then hits the g l server in format there a gelf input on a certain port and it puts it right into elastic search the last thing we just started experimenting with in how to visualize our data is Cabana I'm not going to go into too much about this but it links up directly to the same indexes that are created by grey log in your um
elastic surch cluster very cool solution so last part of this puzzle is something called critical threat notifications this is built into our secure surf so basically what happens is if a customer hits um a domain that we know is either part of a botet command and control Network or is a drive by download it will trigger one of these alerts and it'll give the domain that they hit and how many were blocked and I've taken some of the data out of there to the customer data and the IP address and all that but tells you what policy and everything else so what we do then with this is there's a time stamp on this and we can go back to our data and
actually find in the data where that is and I'll show where that infection is and what machine on the local network is infected and I'll show you that here in just a second so real quick overview basically a customer from a customer perspective they'll have a DNS server or multiple ones their DNS servers are set to forward their DNS requests to us when they forward those requests they hit our DNS VIP we have an I rule in place it's basically 900 lines of cod several sections each one of those sections addresses one of those vulnerabilities that I talked about earlier the packet passes through those Cascades through that I rule if any of the rules trigger a block then the
packet gets dropped but everything is logged to our gry log cluster so we can see right away what's happening when somebody does a DNS amplification attack for example the uh F5s then have a chrome back and a bat scrip that go out with tmsh and a server that's in one of our data centers and it pulls out the data from those threat feeds it does that every so often so if we find over here that a particular domain is creating a DNS amplification attack for example and it's not in our threat feed we can add it and within 5 minutes it's globally blocked on every DNS server that's out there so it's a very quick way of
pushing data to a whole lot of endpoints very quickly so let's look at a little bit of the information that we get out of this this is a gy log interface the fields that are coming in are over here uh the time frame is up here the query is up here this is actually a histogram showing you per minute uh this particular one is a DNS amplification tag I don't know if you can see the domain name here but that's the domain name and it shows you how many are coming in I believe that's about a th000 per minute coming in and that's from a very small attack coming in globally now I know that I happen to be
blocking these but this is the number of queries coming in so we record all the queries that are coming in we can actually split that out in the ray log you can take and expand one of the fields click on quick values in this case you'll end up with a list of the top values in there there's that domain name that was doing all the nefarious stuff over that time frame it made that many queries it was that much percent of our traffic if I want to narrow it down and click that button and it'll narrow the query down even more we have dashboards that run in our um network operations center where we can manage
this this is showing an hour view so over here these are all the in this case DNS any queries that are coming in these over here are the ones that are getting blocked so what we can do is we can compare the two and if there's something missing over here we can add it to our iroll data group have it pushed out and have it blocked pretty quickly this is an example of uh remember the spam house list I showed you I think that's the name of the list up there these are all the blocks of people trying to hit our DNS servers coming up here um so there's that many hitting it and these are actually
getting blocked so we can tell that our blocks were working this here showing Network compromise there was a particular domain that we saw in in a CTN we were able to go back to our public facing VIPs and find out the two customers were generating those by their wi IP addresses contact those customers and get them in the process of cleaning up their Network this is examples of the we get out of the DNS debug log these are the fields that we created in our um custom Java plugin that takes the normal active directory DNS debug logs and breaks it out into useful information not the craft that Microsoft has in their DNS debug logs you can actually search it
find out what's going on I have all the fields blocked but you can turn on the source and destination IP narrow it down to a local internal IP and see all the DNS traffic that a particular user on your Network's using so if you want to spy on or find out what your users are visiting you'd be surprised if you put this in in place you could build a VM and point the stuff to that and figure out what's going on very quickly I only have a minute left this about about two slides out here this is just some more debug data same thing and the last thing is we could actually take that debug
data narrow it down by the domain name I broke out I didn't show the IP address but this shows one machine that's compromised with 18s queries over the course of that week we're able to tell the customer that machine on your Network's infected take it off the network fix it and that's the kind of information you get another thing we can do is we can look at where infections are coming from it has built-in geolocation once you install the GE location database we're able to tell where any kind of data that IP base is coming from so there's a lot of flexibility in this um we're about out of time so our other possibilities that we can look at we could look at
some of these other things and create rules create anything that we can do to export data and analyze it can be looked at from a security perspective I know I gave you a lot of information it was pretty high level and if you have any questions you can reach me there and we're good to go right thank you and also if there's any questions are you going to be I'll stay around here I know there's next talk coming up but any I have any quick questions I'm sorry but we we don't have time for questions right here we're going to have to take them outside yeah we start yeah no no you just hit the full 25
minutes
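The following is an added example from the editor, not code from the speaker or his company and not the talk's 900-line iRule. It shows, in Python rather than Tcl, what several of the checks the talk describes look like when run over a DNS query log: a DROP-feed source block, an ANY-query burst (amplification), an NXDOMAIN-heavy client (DGA probing), an unqualified name, a WPAD lookup and an over-long leftmost label (encoded exfiltration), with every finding emitted as a GELF 1.1 message of the kind a Graylog GELF input ingests. The feed sample, the query log, its "client qname qtype rcode" layout, all thresholds, the host name and the custom field names are constructed for this example, and the `network <addr> prefixlen <len>,` data-group line layout is an assumption to check against your TMOS documentation:

```python
import ipaddress
import json
import time
from collections import Counter, defaultdict

# Constructed DROP-style feed (documentation prefixes only, not real listings).
# Real Spamhaus DROP lines look like "CIDR ; SBL reference"; ';' starts a comment.
DROP_FEED = """; constructed sample feed for this example
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
"""

# Constructed query log, one "client qname qtype rcode" record per line.
# This layout is an assumption for the example, not the talk's iRule log format.
QUERY_LOG = """192.0.2.10 isc.org ANY NOERROR
203.0.113.4 isc.org ANY NOERROR
203.0.113.4 isc.org ANY NOERROR
203.0.113.4 isc.org ANY NOERROR
10.1.1.5 wpad.corp.example A NXDOMAIN
10.1.1.7 kq3v9xz2m8.com A NXDOMAIN
10.1.1.7 p0q8w7e6r5.net A NXDOMAIN
10.1.1.7 zx9c8v7b6n.org A NXDOMAIN
10.1.1.7 x7k2pq A NXDOMAIN
10.1.1.7 www.example.com A NOERROR
10.1.1.9 4d4f434b5f5345435245545f4441544131.ps70.example A NOERROR
"""

# Thresholds are illustrative; tune them against your own query volume.
ANY_BURST = 3         # ANY queries for one name before flagging amplification
NXDOMAIN_MIN = 3      # minimum NXDOMAIN answers before a client is judged at all
NXDOMAIN_RATIO = 0.5  # NXDOMAIN share per client that looks like DGA probing
LONG_LABEL = 30       # leftmost-label length that suggests an encoded payload


def parse_drop_feed(text):
    """Return the CIDRs in a DROP-style feed, skipping ';' comments and blanks."""
    nets = []
    for line in text.splitlines():
        body = line.split(";", 1)[0].strip()
        if body:
            nets.append(ipaddress.ip_network(body, strict=False))
    return nets


def to_f5_datagroup_lines(nets):
    """Render CIDRs as external address data-group records.
    The 'network <addr> prefixlen <len>,' layout is an assumption; verify it
    against the data-group file format documented for your TMOS version."""
    return "\n".join(f"network {n.network_address} prefixlen {n.prefixlen}," for n in nets)


def gelf(short_message, **fields):
    """Build a GELF 1.1 message: required keys plus '_'-prefixed custom fields."""
    msg = {"version": "1.1", "host": "dns-vip-example", "short_message": short_message,
           "timestamp": time.time(), "level": 4}
    msg.update({f"_{k}": v for k, v in fields.items()})
    return msg


def analyze(log_text, drop_nets):
    """Run the checks over the log and return one GELF dict per finding."""
    alerts = []
    any_counts = Counter()                      # qname -> ANY queries seen
    per_client = defaultdict(lambda: [0, 0])    # client -> [queries, nxdomain]
    for line in log_text.splitlines():
        client, qname, qtype, rcode = line.split()
        if any(ipaddress.ip_address(client) in net for net in drop_nets):
            alerts.append(gelf("drop-listed source", check="drop", client=client, qname=qname))
            continue  # an iRule would drop the packet here; nothing else to count
        if qtype == "ANY":
            any_counts[qname] += 1
            if any_counts[qname] == ANY_BURST:
                alerts.append(gelf("ANY query burst", check="amplification",
                                   qname=qname, count=ANY_BURST))
        stats = per_client[client]
        stats[0] += 1
        if rcode == "NXDOMAIN":
            stats[1] += 1
        labels = qname.lower().split(".")
        if labels[0] == "wpad":
            alerts.append(gelf("WPAD lookup", check="wpad", client=client, qname=qname))
        if len(labels) == 1:   # not fully qualified, like the sloppy DGA names in the talk
            alerts.append(gelf("unqualified name", check="unqualified", client=client, qname=qname))
        if len(labels[0]) >= LONG_LABEL:
            alerts.append(gelf("long encoded subdomain", check="exfil", client=client,
                               qname=qname, label_len=len(labels[0])))
    for client, (total, nx) in per_client.items():
        if nx >= NXDOMAIN_MIN and nx / total >= NXDOMAIN_RATIO:
            alerts.append(gelf("NXDOMAIN-heavy client", check="dga", client=client,
                               nxdomain=nx, total=total))
    return alerts


if __name__ == "__main__":
    nets = parse_drop_feed(DROP_FEED)
    print(to_f5_datagroup_lines(nets))
    for alert in analyze(QUERY_LOG, nets):
        print(json.dumps(alert))
```

Run stand-alone it prints the two data-group records and six GELF findings, one per check. The DROP check short-circuits before any counting because, as in the talk's iRule cascade, a blocked packet never reaches the later sections; the NXDOMAIN check is deferred to the end because it is a per-client ratio, not a per-packet property, which is also why it needs a minimum count before it fires.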
improving grounds I'd like to start by thanking our sponsors verse right productivity tenable Amazon and source of knowledge I'm not clapping for tenable I will that's why I'm sitting in the middle so as guide guy dude F guy mcdude fella guy mcdude fella I said um we're going to be recording this talk and uh I'm gonna be running the mic so just please wait for the mic before you ask your question so have you ever wondered why call for paper reviewers drink so much are you tired of having talks rejected from conferences without knowing why would you like to know what really makes reviewers happy or irritated we'll stick around for our next panel on call
for papers 101 so please join me in welcoming the panelists so we're going to start out with introductions right great okay hi everyone I'm David I'm your Earth while moderator today uh otherwise known as d of the CL cfp oh hi I'm Megan Toten cof uh I'm a senior security analyst with uh or consultant with rapid 7 uh my name is moy I avoid work on a regular basis so I'm in management I'm guy mcdude fella I am a compliance audit research engineer for tenable network security which is way better than rapid n oh um so really quickly David before we get started and all honestly and I was giving Eric a little bit of a hard time
earlier I think there's going to be two types of people in the room right now either one people who are part of cfp review boards this is why we don't take you places you're not my real dad um either people who are part of cfp review boards and want to make some make a comment or something and we we want this to be conversational this is bsides afterward uh overall and then um also people who have active questions so um if you do have a question at any time feel free to interrupt us raise your hand Eric will run over there with the mic and uh uh give it to you and we could we could talk about it so sorry
about that right so I mean actually want to touch on that a little more so I mean ostensively this was about you know how cfp works and how to get your talk accepted but if you have questions like Mo said about you know you're on a cfp committe and you're trying to figure out you know how do you decide what talks to accept or not accept or how do you figure out that criteria things like that please you know feel free to ask those questions as well we're we're very very agnostic as long as it has something to do with acfp u we're good why do I have two oh two two two token
cups okay so I think I'm going to start just we were discussing this earlier uh and the first rule which is actually also the second rule for cfps is follow the directions and follow the directions so there were a couple of submissions that we received this year that felt that some of our um fields in open comp were optional if we put some something there we want you to respond we want you to give us that information don't just give us a couple line blurb for your abstract and think it's sufficient for your outline as well CU it's not uh right if they ask for X Y and Z give them X Y and Z don't add anything
um don't feel like Z is optional uh if there's a you know a 2,000w limit in the field try try to use as much of that as possible what you want to make sure you do is you're conveying your thoughts clearly uh and but more importantly you know how to follow instructions this is your first introduction to the con overall so you want them to know yeah working with me is going to be a positive experience because they're putting some trust in you and and if if you're if the con if the the cfp instructions are things like new talks only don't submit the talk you gave at at bsides on ter if if it's calling for new speakers
don't submit the talk you gave at Defcon you're not a new speaker there are instructions there are the cfp committee is looking for certain certain types of talks for certain tracks of the conference and going against that isn't going to win you any favors and also just a little bit about that so with the Proving Grounds track in particular we ask for new speakers only and it's a little cloudy because we have to do the announcement via Twitter what does that mean so we say no national conferences things like Devcon um Deron shukan bides Las Vegas and bides San Francisco are included in that as well but if you've spoken at another Regional Conference like uh one
of the smaller bsides or another um Regional Conference that wasn't recorded you're still um applicable to apply for Proving Grounds so one one of the things that it was alluded to is that you know unless you are an incredibly well-known speaker and even then with with the committee when you submit a cfp this is your first impression and one of the things that I encounter a lot I'm pretty sure my my panelists you will agree is that people don't always spell check or grammar check their submission so I'd like to hear your thoughts because there was there was some rather St language being used in the speaker room um guy I think you had some some
good thoughts on that if you have if you were of the opinion in high school that English class was something you were never going to use you were wrong use punctuation use capital letters follow a style guide go go get a style guide go watch James arland's talks on how to how to communicate to other people cuz the man is not wrong a lot of a lot of people in infos are in technical roles and so we're not responsible for direct communication with clients or direct communication more than you know two or three sentences in in a ticket or two or three sentences in an email unfortunately when you're writing a talk or writing a cfp
response it is the exact opposite you need to be verbose you need to be clear you need to be concise and you need to be well organized and we get talks that look like a E Cummings poem so but with less structure with less structur um and and to build on that you know even if you're not going to go and get a style guide there's tools out there that will help you out I'm not a great writer I know that that's a weakness of mine um but I use things like grammarly to help me out to review what I'm going to submit before I submit it to make sure that that you know I'm
I'm good and I'm I'm signed off you have to to look at it from the reviewer's perspective as well in some cases and and David could talk to this even even a little bit more you know these folks are reviewing tens if not hundreds of submissions so immediately not being able to cohesively understand the writing is going to put you at a disadvantage because it's like I I have to figure this out in order for you to convey your idea to me what makes what makes me think that you're going to be able to do this you know in front of 50 100 people cfp board will sorry no go ahead a cfp board of reviewers will
spend on average two to 5 minutes per talk in the first round just to figure out whether or not you are sane enough to put in front of a group of people right and if you're not able to convey what you want to talk about in 2 minutes of writing we're just going to ignore your talk and you're not going to make it onto the second round of review so I do have something to say about the verbosity thing I actually am fine if you're concise yeah like if you can clearly State what you want to do in 10 words and instead of 50 that is totally fine I just need to be able to understand okay
this is what you want to talk about and the why and how you're going to get me to um the main purpose of your talk but the thing is that you really can't give a CF committee too much detail about your talk exactly and also no say so and actually I'm want to start to take that back because we actually had several submissions where people were actually pasting code like and Sample code into the into the and that's not actually a good example of that's actually a little too much detail because my case at least for a lot of yeah it would depend on the audience I would argue so for things like uh Defcon for example you know you might
want to submit code to be like Hey listen I'm not just talking out of my butt but that's a situation where if you can submit supplemental materials right exactly that's you submit that you don't put it in your extract or you don't put it in your ex that's what supplemental materials are for are things like presentations white papers things that establish your bonafides or your qualifications to speak even if you're a new speaker say look here's this white Pap by Road here's this here you know here's a link to my GitHub repository it's more code oriented conference here are blog posts are written on the topic here's a sample presentation I did elsewhere um and also if you have sources that you
used while you're writing your talk like okay this is where I'm drawing my ideas from that can be helpful too I mean I love it when someone submits a citation saying hey I'm talking about this but it also relates to this other talk in a different way and then I'll go in and look at it I'm like okay that's kind of interesting actually and I can see okay this is a pre-existing talk that's been done before yes but this person has a new or different outlook on it sighting work when you're submitting a cfp response shows us two things first it shows us that you have a a a grasp of the subject matter and it also shows us that you've
done your homework and you're not just trying to reiterate something somebody else has already said you're building upon it and that's important I mean the whole point of giving a talk in front of people is to advance the stateof the art and so by showing us citations in your cfp response you're showing us that you're willing to do the work in order to advance the stateof the art so and and speaking of since we're Serv on this on this General Trend one of the places where that we've significantly seen issues over over the past several years are talks where someone is releasing a new tool or discussing a new tool that they've been involved with and they don't make it
clear whether it's a free tool a commercial tool open source shared Source whatever and what ends up happening is the submiss the submission end up reading like a product pitch and the feedback we give is this sounds like a product pitch and really a good CH of time the person comes back is oh it's open source and you don't need to you know it's being released by my company who happens to be a commercial vendor but you don't need to use the rest of the company's products you can use independently you can build it yourself and we go tell us like and does anything look like a product pitch just like every conference is going to get
automatically rejected you know at bsides especially we're not here to let you advertise if I wanted to hear product pit is masquerading as talks I'd go to RSA yeah anyways yeah some and plus a lot of cfps when you sub when you read the instructions will actually say we don't want vendor pitches exactly so that goes back to following directions and a lot of cons will actually have a separate area for vendors I mean you don't need to do product pitches in talks at black hat when you've got the entire vendor floor with in Auditorium directly for product pitches to that black one ofs where are just to add on to that there's conferences like those where
there are tracks that are designated as you know what we could think of as pay for play like it's clearly it's it's kind of like when you go to Google and you search and you have their search results and you have the sponsored listings that are clearly separated and they're both useful in their own ways as long as they're separated exactly y any questions so far or any like we you don't have to stick to the model make this man work folks yeah okay so one of the things that's frustrating to me I I I probably submit to somewhere between five to 10 conferences a year and a frustration of mine is that it's kind of a black box um when I have asked
about how do these talks get selected I've had varying answers all over the board sometimes there's a system where they get scored and that scoring process is a matric and it's very organized and they use like open conference and there's that and sometimes it's like uh you know we kind of sit around and drink a bunch of beers and if we like it then it gets Advanced and if we don't like it it gets turn on the floor um do you see do you see any conferences moving towards some transparency when they say we're announcing a call for papers and we use a three-person panel with a scoring system like this and these are the
people on the panel," because that makes a huge difference in the way that I submit, and I think that providing that transparency might help give some context to the people that are submitting. So BSides Las Vegas is one of the conferences, and David could actually talk to this. Whether you're submitting to Proving Ground or you're submitting to the general CFP here, you know, we have our CFP panel that reviews, but everyone is required, on every talk that they review, to provide some kind of feedback. We typically did, correct me if I'm wrong, we typically, especially on the Proving Ground side, will send that feedback directly to the submitter, just so
that we're saying, hey, we didn't think this was fully baked out, or we liked it but we had some better content, or what's going on. I know in previous years, before Guy joined us, we actually would sit down with people that were not accepted and say, okay, this is what happened; we'd have half-hour, hour calls on that. Yeah. So in the past at BSides we have published who the CFP committee is, and we should actually get back to that; that kind of fell down purely because there was too much to do and not enough time to do it all. For the
purposes of transparency, what we do here for BSides Las Vegas for the main tracks is that we have a scoring system. All talks get scored on a scale of one to six, and then we basically break down the scores by the track that you submitted to, and more or less we have enough talks that it basically falls out on a curve, and we sort of pick a spot. We don't have a hard spot; we sort of pick a spot where it's clear that anything above this line this year is a clear accept, and anything below this number is a clear decline. And then we end up with, with each track every year,
something like 20 to 40 talks, depending on the track, that would be fine score-wise, that are great for the conference, but we have, like, six slots left. And that's when, in the past just me, and this year I have a co-chair, we sit down and we look at all these talks and say, what makes the most coherent conference? What do we think really pulls that track together in a coherent frame of thought, or is there a topic that we think is really important for people to see? And then we sort of go back and forth, and, you know, there's a little hand-wavy stuff at that point, honestly, and we say, okay, this looks like the best, this
is the best talk we can put together, the best conference we can put together, that'll make for the best, you know, that the attendees will enjoy or find the most useful. And then we sort of go down a little bit and say, okay, you're the backup speakers we think will continue that trend. And then we say, damn, we have another 15 talks that we just couldn't accept, and that sucks. Actually, can I just continue on this question? Because I think it piggybacks well off a point we want to make a little bit later. I hear what you're saying, Jay, because it is frustrating, because
I've had talks accepted at DerbyCon but not accepted at SecTor, and things along those lines. I think to kind of internalize it, you really have to understand your audience, right, and ensure that, hey, not every talk is for every venue. And it may not be anything on your submission, or a problem with your submission directly; it's just, to David's point, they're trying to fit a specific theme or fit a specific feel to the event, and no offense, but maybe your talk wasn't part of it. Like I said, my talk, I've had this exact same submission, great detail on both; Derby took it, SecTor said no, and that's okay.
And also there's quite a few places that don't give you feedback by default, so do make sure that you follow up for feedback. For those of you who aren't familiar with that, we try to give, each of us give, feedback for why we rejected something, other than not following the directions, but it takes a while to artfully, tastefully state why you're rejecting certain things. Yeah. And again, it's okay to ask a CFP board why a talk was rejected if you don't get feedback. I've had talks that I've submitted to ShmooCon that got rejected, and the first time I was just like, oh man, this sucks. The
second time I was like, why did you guys reject this talk? And they said, because the subject area is good, but we had a talk like this in previous years and we want to give the subject a rest for a little bit. And that's reasonable; like, okay, it wasn't me, it's the fact that they're trying to broaden the perspectives at ShmooCon. But frankly, BSides as a movement started eight years ago, seven years ago, something like that, I've lost track of whatever we're at, because a bunch of us had talks get rejected by Black Hat, and the feedback consistently was, these are good talks, and we still have enough
room. We said, you know what, we really want to give these talks. Someone said, I have a house, come to my house and we'll have our own conference, with blackjack and hookers, and someone else said, I work for whoever it was, and we'll stream it for free online, and we said, deal, and we showed up and BSides became a thing, purely because there was more content. I think this happens to Black Hat every year, and DEF CON as well: they get way more talks than they can accept, and to a certain extent it's the roll of the dice. Remember how I said a few minutes ago that we take two to five
minutes per talk in the first round? That's because you all submit a ton of talks. We don't have time to sit down and give every talk a measured review, unfortunately. The CFP boards are relatively small, and it's impossible to go through and give detailed, nuanced feedback on every talk. And so sometimes when you're talking about a conference like Derby or DEF CON or Black Hat or SecTor, it's impossible for the CFP review to give you the feedback that they want to give, and that's why it's important to ask. And that actually leads me to the next question for my panel, then we'll get to your question, which is, we were discussing earlier, titles
matter. And even harder than writing a good abstract is coming up with a good title, and it's an unfortunate truth. So BSides had 180-some submissions across the four core tracks; that's a lot of submissions to go through. And I've been on the review board for ShmooCon and they get even more than that. I know RSA gets literally thousands. So you need to, and you know, especially at the scale of RSA, they're going to get 10 talks about the same topic; they're almost identical, and you need to be able to catch reviewers' eyes just so you get more reviews, more people looking at your talk and spending more time on it. And a catchy title is
really hard, and I think my panelists will share some of the formats, or the sort of macros, they're really tired of. Okay, guys, if any of you submit a talk that is "word colon word" ever again, you're going to make everybody on the CFP board have a sad. Also, "blank for Fun and Profit": it's been done, stop, stop, please. You just made Gica happy. I'm glad. Okay, so today I delivered my first presentation at Proving Ground. Congratulations. And the feedback has been good, as this man has attested. So where do I go from here? I want to keep giving presentations, submit them to other cons. Do I submit the same one to other cons?
Do I have to now come up with new stuff? If I come back to BSides, do I never come back to Proving Ground? It's only the other... I will never be back here ever again? Okay, because that's the design. So I'm done with the single-A, I'm now in the double-A league. Yeah. Okay, so on that note, as a guy who's local to you and who's telling you that the BSides CFP is opening next week, yes. Some conferences feel differently, I don't know about the rest of BSides LV, different conferences feel differently about the same material. My mantra is I never give the same talk twice. Sometimes I give the same talk twice, but
it's not really the same one; it'll be the same basic idea, but it'll have new material, or updated or ongoing research, or whatever. So if you are going to submit the same talk, a lot of CFPs have the question "have you submitted this presentation before, and if so, where?" and it's your job to say, okay, yes, I gave it before, but here's how it's markedly different or improved from before, because otherwise, you know, you're just giving them old material. Like, I gave a half hour here, so if I'm applying for an hour-long slot, obviously there's more material. Okay. Is it kosher to submit more than one CFP? Absolutely, sure. Yeah. Okay.
Absolutely. Vote, or rather submit, and submit often. An important thing, though, is, so like we had over the years, and this happens every year, we have someone who will submit almost the same talk multiple times. They'll change the name slightly, they'll change some of the wording around, but it's really the same talk, and pretty much as soon as that happens I go click, click, click, decline all. Remember, the whole point of giving a talk is to advance the state of the art, and if you're giving the same talk multiple times, you're rewarming leftovers; you're not advancing the state of the art. So back to the thing I'm submitting, yeah. For submitting multiple ones, you're saying that if I say, well, I
have an idea about this X and one about Y and one about Z, that's great; you may say, well, X and Y, but Z, ah. We had someone submit three talks about three different topics and we said maybe, yes. Yeah. But then also we had someone else submit two talks and I was like, oh man, I wish I could have had both of these talks. I'm going to go for this one, and I really wish I could have accepted both, but there's only so much time, and I want to, you know, diversify speakers, so I'm going with this one; I'm sure this other one will get accepted somewhere else. Yeah, my only warning about that is
be careful, because they may be accepted and then you have to do the work. I've been in that position as well, where I've had multiple talks. Yeah, it's stressful as a speaker. Yeah, and I can attest that I had two talks that thankfully I co-presented; they got accepted and placed back to back. And the more community the event, the more likely that you may get accepted for multiple talks. So yes, that's actually a problem. So RSA in particular, it's traditional to submit multiple talks because it's so much of a crapshoot. Two years ago I ended up giving five talks, yeah, and one I had to do twice; there were
six slots in three days, and it was murder. Yeah. I guess what I would say is, feel free to submit multiple talks as long as you're following the directions. Follow the directions. As long as you're following the directions, follow the directions. It's not that hard; you guys have been doing it since... well, no, you guys haven't been doing it, that's why we're all here. But in this one case, follow the directions. Yes. I have a question, and I'm happy to hear this from either side, even from the submitters or the reviewers, because, like Boe, I do a lot of both. One of the things that I get tired of, and BSides LV is
fantastic about this, is I'm tired of going to conferences and seeing everybody look like me. You mean like a white dude with a beard in a black shirt? I mean, that's just real. I'm wearing a blue shirt. Yeah, like I'm young, well, youngish. Okay, well, I'm not. Right, right. No, but in other words, it is important to me for a lot of different reasons, and I know it's important to a lot of people, that, certainly from the speaker level, we get people who are not traditionally as represented. I am curious, both from the side of how do we encourage more of these submissions, because I want that, and how can we make
sure that, yes, so how can we make that happen more, from your perspective? I think I'm hitting a hot button here; I'm just like, Jesus, take the wheel. So T's moved back to the South, and this is my response. So first of all, as a reviewer: the name of the person. So with OpenConf we don't see the name of the person when we first review the talk, and I would actually caution against looking at the name or Googling the handle until after you've determined whether or not you want to accept the talk, because I'm going to be pissed off if I find out that my talk was accepted because I'm a
female versus the merits of my talk, right? However, as someone who has been involved in several conferences, I have very little problem, when getting to that window of "we have 20 talks that we would like to accept and four slots," making sure there's diversity, because if they are all on the same... yes, that's the thing. Well, please, when I'm down to the bucket, I don't look at names until I have my bucket. If I have 10 talks and four slots, I'm going to bias, because the thing is there's a lot of inherent bias in the system, as you know. Yeah. And so that's just my... the thing is, like, when BSides started we had
almost no one submitting. Yeah. And now, we had that panel on the first BSides, right? That was the only one that was submitted. Right, exactly. And now the submission is like 40% female. Yeah, and like last year half of our... because one of the ways you get more women submitting is by having representation of women, and now it's not a problem because... trust me. So there are far smarter people who have given far better talks and presentations on this than I, but one of the reasons why I love this program, why I love the Proving Ground program, is because you're pairing people with mentors, and I
think mentorship is one of the biggest things that we can do to sort of work towards solving this problem, because a lot of people come from backgrounds... and a lot of people, women especially, and friends that I've talked to, think, well, I don't know if I'm good enough to submit this talk. I'm like, you're doing amazing work in cutting-edge areas with really cool stuff; you need to submit this talk. Imposter syndrome is really strong, and mentorship is one of the ways we... um, this is going to... okay. Having a code of conduct on the website to start with matters. Yeah, it actually will change your submission metrics hugely. Yeah, just on the basis of an
explicit statement to that effect. Yeah. So I would say mentor, like even outside the BSides program. As I was talking about earlier, one of the other cons I'm involved in, we were actually inspired by Proving Ground in particular. So when we were first having the discussions, you know, because you have three buckets, right: you have the talks you're absolutely not going to accept, it's just not going to happen; you have the talks that you really want to; and you have some that maybe you don't know, right, that with the right thing... so we're trying to find ways to assign mentors or do some sort of mentorship in
some... bias toward speakers who were less well known. Yeah, so that was what I was going to say: when I have 10 speakers and four slots, I'll look at the names, see their speaker resume, and those who are the least experienced or have something that's actually like a fresh voice, I'm more willing to choose those individuals. Exactly, and frankly, I don't need random speaking slots. I mean, I've given literally hundreds of talks at this point in my career. Oh, I'm old. And frankly, that's the thing about Proving Ground, and this is true, is that conferences need good speakers; they need speakers, period. And I got told by a mentor of mine 12 years ago, she said, you should be
speaking at conferences. I said, I have nothing to say. She said, trust me, you do. And once you give two or three talks, you become a known quantity, and then you'll start getting asked to submit to conferences, and it's totally true, even now. And yeah, the best mentoring you can do in the community is... even I was talking to someone at the airport, sitting on our way over, and they're like, well, I've been thinking about talking at conferences, but I don't really have anything to say. I said, what do you do? And they said, well, I work at a storage company that does storage in the cloud, and
I have to make sure... I run security for them. I'm like, so how do you deal with compliance and your customers? Like, you've got a talk. Okay, you have a talk right there, write that up, you're submitting to Proving Ground next year. They said okay. Yeah, and they got accepted, didn't they? No, this was literally like this year. We have a storage security talk this year. Yeah, this is like cloud storage. And I'm like, okay, you have the submission now, and they're like, okay, I'm submitting to Proving Ground next year. So, yeah. And the other thing, I'm sorry, I just want to stay on diversity for one more second, the other thing we do in
Proving Ground to kind of rule that out as a factor at all is a lot of our process, and T hit on it on the CFP review side, is blind to us. We don't see names, we don't see anything. But when we're doing our pairing between speaker and mentor, the mentors get to choose their speakers; they don't know who that speaker is, so they don't know if they're choosing a male or female, so they're basing "hey, I really want to jump on this" on the content and why this talk is chosen. So that's another thing: try to remove that diversity
as even a factor, because the content is standing on itself. Yeah. Question? Awesome. So we've been talking a lot about the sort of BSides or larger-conference style, where you have way more talks than slots, and I'm curious about the other end of the spectrum, sort of what you've seen on that side, where you potentially don't have enough talks and what you can do about that, whether it's trying to garner more people, restricting slots, lowering your standards, like what sort of approaches do you take there. This is really... don't lower your standards. No. Hit Twitter, hit Facebook, you know, find people you know who have given talks in the past who are willing
to give talks, ask around, try something different, try doing, you know, redesignating a segment as a birds-of-a-feather session where people show up and sign up on the spur of the moment to do things, or find someone who's willing to do a free training. Yeah. No, just go ahead. Yeah, I mean, to your point, there's so many different things. I mean, at the end of the day, if you're an organizer you want to bring content, and that content could be in several different formats, and, again, trying to get content that fits your venue and the theme that you're trying to hit. Think, for your first one, think one day, one track; then you only
need like six speakers. Yeah. In fact, what we recommend is, if you email info@securitybsides.org, we can send you... we have a sort of certificate for doing a BSides, which applies to pretty much any conference. The big recommendation is one day, one track, to get started if you haven't run a conference before, particularly in a smaller region. A question back there? Yeah, I had a question about putting in a CFP that is not a specific technical talk in infosec. So I was in Proving Ground, and I was a past software developer in law school, and I submitted a legal talk, and I kind of
really struggled with the CFP on how I'm going to come in and do a legal talk: how much legal background do I need to put into the CFP? Do you have any idea what I'm talking about? Do you have any recommendations in general when it's not super technical? So that was actually one of the things we talked about earlier. So excited about this, by the way: Wendy had a fantastic talk today, you all need to go up and see the recording, it was fantastic. But Tony had some thoughts earlier today about specifically this topic, about the CFP section. So I think if you submit something that is related to the infosec field but not super
technical, it would definitely help to use the words and terms that we can understand and grasp, because a lot of lawyer-speak goes way over my head, but if you can give me metaphors and analogies, that's more than sufficient. Short ones, short ones. Words are good. I feel like half of my mentor's job was "I don't know what that word means." Yeah, exactly. So that's good feedback, because if they don't know what it is, then chances are the audience doesn't know. So we have a problem in infosec where we're kind of stuck in this echo chamber where we just preach to the choir. We're like, oh, we need to talk
about user awareness, and it's like, oh, well, you guys know about user awareness. What we need to do is bring in people from other fields to talk to us about things like privacy, compliance, auditing, management, whatever, law, psychology. And then we need to go out to other industries and talk to them, and in order to be successful with this we need to use a common language. One thing I would actually... this is actually something I've had a discussion with a number of colleagues about: if you're having trouble getting your talk submitted to a security conference, submit it to a non-security conference. There are tons of development conferences, there are
tons of other industry-specific conferences. I mean, tech is a large umbrella; we are one small part of it, and we're the ones that focus on security, but that doesn't mean that people in other fields don't need to hear about this as well. Submit a security talk; submit a web application security talk to a web application conference. So it was actually two pieces of advice that your question brought up to me that we were discussing earlier as we were planning our panel here. One is that when you're submitting your talk, alter your bio, you know, focusing your bio on the parts that are relevant to your
talk's content. You know, in most security conferences no one's going to care if you're a CISSP or you're not, unless your talk is about certifications, in which case it may be relevant. The other thing is, and I'm sure I kind of have some thoughts on this, is the whole "many eyes make all bugs shallow." So if you're not sure about your abstract, even if you're positive, get someone else to read it. In particular, I mean just in general, make sure you bring people in and say, is this a talk you would want to see? Like, does this excite you? But the other thing is, particularly if you're in a field that touches on
security, say legal stuff like that, bring that to someone who is not a lawyer or who's not trained in legal, and say, would you go see this? Does this make sense to you? Right, so you can get that perspective, like your mentor was giving you, going, I don't know what these 12 words mean; this could mean anything. Before I submit any talk I have three friends that I ask to review. I have a very technical one... You have three friends? For the purposes of this. I wouldn't be friends with this guy, are you kidding? No, no.
So I have someone very technical, someone who's not technical, and just a third party, just another set of eyes, someone who I consider a peer at work or something that will review something for me, just to say, hey, is this something you would like to see, what are your thoughts, just to kind of bounce that off. And sometimes they have given me very harsh feedback; the technical guys, a lot of my talks are a little bit more soft-talk, were like, no, I don't want to see this. And this also falls into the whole "know your audience" thing, so you're not going to want to go
to, um, I don't know, I don't have a good example. Don't take a deer talk to the compliance folks. Yeah, and vice versa, right; don't take a secure development talk to the compliance folks. One thing that I like to do is, before I submit a talk anywhere, I'll look up the conference that I'm looking to submit to and look at the past two years' presentations and see, okay, this is the kind of talks they accept; would my content fit this, would the audience be interested in this? Was there another question? Yeah, okay. Hi, I'll preface it by saying I only speak English, but I'm just wondering if you guys have ever received talks you
would consider, um, in another language, like not English. Yeah, so we have a lot of non-native English speakers presenting at Proving Grounds; actually, this Proving Grounds too, I think this year we had at least one or two. Yeah, and so Virginia Robbins is French and she's presenting a talk on FIS malware, and she's giving a fantastic talk. So for non-native speakers, I would actually... I don't know if you would want to say that you're a native speaker in the CFP or not. It's usually pretty evident, it's not always evident, but sometimes when it is evident I try to take that into consideration when I review: like, okay, this content's still good, and if
they have something to share, I still want to give them a venue to share. I would actually think the opposite, and the ones that I've read, at least sometimes their grammar and their English is probably better than native English speakers'. Yes. So just to clarify, so not necessarily accent-based, like the actual presentation itself, like if it was entirely in French, is that something that's... because there's a conference, BSides Paris. Yeah, I mean, generally, most conferences these days are actually in English regardless of where you go in the world. I mean, there are lots of conferences that are language-
specific, but anything that pulls an international audience is generally English, unfortunately... well, good for... there are a lot of Latin American conferences in Spanish, that's true, but they will often have an English-language track at that, right. So I actually spoke at a conference in Colombia, and almost all the talks were in English, and they had simultaneous translation into Spanish, French, Portuguese and Japanese, actually, going on for people who were not comfortable with English. It's another little bit of scope: if you give a talk to a non-native-English-speaking population, jokes don't work, and you need
to slow down because they're translating in their heads, but seriously, jokes just don't work. Yeah. Time for one more question, in the back, and then we need to wrap it up, because food. Yes, because food. Hi, thank you for being there and answering our questions. This is my first time at BSides. Welcome. I'm really excited to actually present here sometime, either here or somewhere, because you just told us that, unlike Black Hat and DEF CON where they see your bios and, you know, how many times you have presented and how famous you are, you actually look at the content,
because honestly I was attending one talk, and I have a startup, I'm a founder of a startup, and the area I was working on, I was attending those talks and it was interesting to see how customers are thinking about that problem. And I don't know how you feel about it, but I think, like, as a vendor, not about your product, but as a vendor, I felt like talking about the challenges that we have to reach these customers and get their data and share with us and work with us to build these products. So I wonder if you give a chance to people like me to speak, and
if yes, what's the next step that I should be doing for the next event? Absolutely. Proving Grounds. Yeah, submit to Proving Grounds if you haven't been doing public speaking at a major conference; clearly, you know, please submit to the main tracks as well. Every year, I don't know if we have this year, most years we have a few talks that get submitted to Proving Ground where the speaker is just so outstanding that we actually... actually, last year we had two talks that we kicked over. This year, yeah, they had two talks last year that were so good they kicked it over to us, and
actually both of them were given in, I think, Common Ground, but they got to keep their mentors. The talks were good enough that there were too many Proving Ground submissions, and there were two talks that these two said, you know what, these would be great in the main track. Since they had mentors, they, brand-new speakers, never spoken, gave 50-minute-long presentations and they were awesome. Yeah. I mean, something like that is just really how you position it. You know, we kind of hit on it earlier, we don't necessarily want to hear a product pitch,
but, you know, if you were to position that as something like "how do you work with vendors to build better products," you know, so that people here could understand the life cycle, because I forgot who was presenting earlier, but, you know, no one raised their hands when they said, oh, who likes talking to vendors, right? Oh, yeah. But, you know, if we could understand, well, vendors are part of that conversation, that's a way to introduce your topic appropriately. Just don't call your talk "Vendors: How to Work with Them." However, follow the directions, but "Vendors, Vendors, Vendors" might actually get accepted. I would
actually bump that up: just "Developers, Developers, Developers." Right, exactly. Developers, developers. But I'm cool with that. Okay, so we need to wrap it up. Any final thoughts? I know my final thought is: read the directions and then follow them. So I have one final thought, something that we didn't cover: when you're submitting, if you have the room, provide an outline. Show us... I mean, I know I do before I submit: you have a thought process of what's going on, what you want to present, how you're going to present it. Use the space and show how you're going to actually get to your talk. That
provides us as the reviewers a good, clear understanding of where you're going to take this talk and what's going to go on. You know, a quick bullet list: these are the five or seven topics that I'm going to cover, this is the format I'm going to cover it in. Even if it's not fully baked out, I mean, start sketching that out; it really helps us as reviewers. Details, details, details. To follow up on what Mo was saying, having that outline in place saves you a ton of work if your talk actually gets accepted, because now, hey, you've got a basis for your slides. Yeah. And so mine is kind of like a
two-parter. First of all, don't be afraid to submit something just because you think someone has covered it in another talk. It's okay, because you might have a fresh perspective, or give us information in your CFP that we might not have seen in a previous talk. And then also, if you submit a CFP about something you're really passionate about, that comes across in your writing, and we're more excited to accept it because it's something you're actually interested in, and we can see that by the level of detail you give us, the information that you give us, instead of something like, oh, IoT is cool right now, I guess I'll do an IoT talk. Yeah. So, raise your hands if
you speak at conferences regularly. I would say that I do as well. I would estimate that anywhere between 30 to ... percent of my talks in any year get rejected. Yeah, right. Writing CFPs is really hard, and the only way to get better at it is to do it a lot. So don't be disparaged if you submit to a conference and it gets rejected. Don't be disparaged; if you submit to three or four or five conferences you will start getting talks accepted, particularly if you can get good feedback on what's going on. But the first couple are going to be hard, even
if you've been at it for years, you're still going to get... oh yeah, I've been speaking for... I mean, look at David's hair, I mean, and he still gets rejected. I do. Thank you all, so thank you for [Applause]
coming. Oh good, yeah, I'm so glad.