
Thank you everyone for the opportunity to be here today. I do apologize if my volume's overpowering. I can't tell from here, but it sounds like there's a pretty good amount of volume there. I really do appreciate the opportunity to be here at BSides Knoxville. And if anybody's interested in the back, there are all kinds of seats up in the front here, so feel free to come on up, and I am going to kick things off here. So first and foremost, my name is Dave Lewis. I am Global Advisory CISO at a company called 1Password. And part of what I get to do is test the limits on a lot of things. I get to go around the world giving talks at conferences, because before I ever got to this point in my career, I spent 20 years as a defender working for the Department of Defense here in the US, the FBI, various banks in Canada, as well as power companies. And along the way, I've learned a lot of lessons and made a lot of mistakes. And it's been a very interesting adventure, to say the least. Not the least of which was during the pandemic: I ended up being part owner of a whiskey distillery as well as a soccer club up in Canada, because reasons. That's a longer story for another time. So yes, I am Canadian. Terribly sorry. It is contagious. And for the record, we really, really, really like you guys. Just not one person in particular. Sorry.

Hey, so I have worked many different places, and this is just a sampling of some of the places that I've worked over the years. Some of the more interesting ones were like SPAWAR; that was a really amazing one, getting to work on in Marset B and really interesting things like that, and right up until today, where I am working for a company, as I mentioned, 1Password. And the reason I bring this up is, quite succinctly, because a lot of the conversations I have are people like, "Oh, you just make a password manager," and it's like, "Well, no, actually we have an enterprise business as well." That's the sum total of what I'll say there. I also work as an adviser to a company called Sightline Security. It's a nonprofit that provides security services for other nonprofits, so something very much worth checking out. As well, I'm on the advisory board for BIOS.io and Gnostic.ai. Yes, I said AI. You can now drink.

So a lot of my career in the early days was spent in soul-crushing meetings. And it's just amazing how often I would be sitting there going, yes, that tired cliche of "this could have been an email," but there was a lot of reality to that. But I did learn a lot of valuable lessons, like what I didn't want to do, and I didn't want to be stuck in soul-crushing meetings. And nowadays I'm in a lot of meetings, but now they're a little bit more productive. So unfortunately I missed this morning because I was in those productive meetings.

Now, a few years back, I was working for an amazing person named Wendy Nather. And nowadays, she actually works for me, which is even cooler. So, if you don't know her, absolute industry legend. But a giant pain in my butt at times. So, when I was working for her over at Cisco, she sent me this picture. And you can't see on the left side of the screen, which was just the tip of the wing, and she said, "Okay, I have work for you. You got to tell me where I am." I'm like, "What?" I'm like, "Okay, hold on a second. I am doing this project, this project, this project, all for you." And she goes, "Yeah, yeah, yeah, yeah. They can wait. Tell me where I am." Okay, so I could only use open-source available intelligence and things to that effect. I couldn't use anything from internal systems, but thankfully my boss had shared a lot of interesting stuff. So, I knew her favorite airline. I knew what conference she had just been speaking at. So, I was able to go back, track and wind it down, and said, "Okay, so is this your flight?" She looked at it and she goes, "Yes, but that's only part of it." Okay, great. What's the other part? She said, "Tell me what seat I'm sitting in." Great, because I have nothing better else to do today, boss. Thanks. So, I pulled up the flight manifest over at seatguru.com and I started looking at it based on the picture and where the wing tip was. I was able to make an educated guess that I figured she was probably seated in seat number 5A. I said, "Is this your seat?" She said, "No." Missed it by that much.

Now, when you factor in the amount of complaining I did, going for a coffee, all the rest of that sort of fun stuff, how long do you think it took me to figure out what seat she was seated in, from when she told me, to when I complained, to when I stalled, to when I got it done? Any guesses? Got a 15 up here. Anyone else? 20. Did I hear a five back there? There we go. We got a winner. Just under five minutes. The reason I bring this story up is to show how easy it is for an attacker to gain information about you or your systems in very short order. I was only using open-source intelligence from a picture that she ultimately posted on social media and said, "Oh, where am I?" That's how quick it is. And as we accelerate with all these different platforms that are available to us today, it's getting easier and easier for attackers to come after us. So, we have to do a much better job at protecting our environments, because people like Dave come along. Not this Dave. Admittedly, I've made my share of mistakes in the past, but not this guy. This is normally where I have a coffee break, but I was here too late to grab a coffee, so I'm going to have to keep soldiering on.

So, we are defenders. Whether you're on the offensive or defensive side of the house, we are fundamentally all there to defend our enterprises, defend our, you know, constituents. We want to make sure that the people on our watch are safe and secure. We want to make sure the data in our enterprise is safe and secure. We want to make sure the AC doesn't fall off the ceiling there. And that's just it. When we have to frame it like that, we understand that we are all part of the same group moving forward. And when we look at the types of threats we have to deal with, we have to deal with the threats that are obvious. And then we like to look at the threats that are on the dark web, or, as I like to point out, the Vanta web, which, you know, I gotta have my fun there. But unfortunately, there are far too many instances of organizations and individuals out there that are shelling out stuff that is just complete crap or outright lies. And we have to figure out a way to be resilient, to sort these folks out. There was a person several years back, actually quite a few years back now, that had claimed he had a golden toilet in his house. He was a cyber security expert, and I'll leave it at that. And he was exposed to be an absolute, abject fraud. Unfortunately, when these people crop up, they do have the unfortunate ability to taint it for the rest of us. And we have to figure out a way that we can sort ourselves out.

So if you look at all the different pieces of legislation around the world, the one thing that we have to take into account is the reason why all these governments are putting this legislation out. It is quite literally because they got tired of waiting for us to do the thing that we were supposed to do. We don't govern ourselves well. We are a ragtag bunch, and I love us all for that. But they couldn't wait anymore. So they went ahead and started creating policy. A lot of times they don't take security input from the right characters as a result, and then we're left trying to sort it out after everything's done. We have to be able to move away from the kids' table. We have to take the seat that we have earned. We just have to step up and grab it.

Now, back in 1983, when I started with computers, yes, that far back, it was amazing. My father brought home this luggable computer. And is that an angel of mercy I see coming? Oh, it is. My dad brought one of these luggable computers home. Thank you. And that was the first time I ever got access to a computer in my own house. And my father was there. He's like, "Oh, this is just for work." I'm like, "Sure, sure. Okay." He would be out of the house all day, so I would play with it. And I became an absolute master of VisiCalc. If anybody gets that reference, you're as old as me. Okay. And this was really what started my curiosity. And I kept asking questions. I was like, "How do I connect to the outside world?" And he was a finance guy. He had no idea. He's like, "I don't know." And I ended up buying video game magazines and figuring out how to get on message boards and all the rest of it. And then we got the phone bill. Yeah. I wasn't allowed to use this again for quite some time. This wasn't the exact one, but it was as close as I could find in short order. But that little green screen was very dear to me when I first got started.

Then the interesting things started coming along that caught my attention. You know, this is much later on in my career, but this is an example of the weird things that I would keep stumbling across, when Sony came out with their CDs of, you know, "this is copy-proof." And then a few people in the industry went, "Wait a second. If I just use a green marker to go around the outside edge, all of a sudden it was readable." Again, this is one of those things that always boggles my mind, when we see these security solutions that really aren't helping. There are times where I have to ask the question about, for example, SSO. When you have SSO to protect your environment, it's only protecting certain assets within your environment. We have to be able to go beyond that. We have to be able to do better.

So with these sorts of stories cropping up, I started a site called liquidmatrix.org. It's still limping along in existence, but the way I set it up, there is nothing in the Wayback Machine. And I kind of regret that in hindsight, because I stood this up back in '96 or '97. It's still there, but there's no record of it in the Wayback Machine. That kind of bothers me now. At the time, I thought I was being really clever, but yeah, let's jump forward there.

So, when I was growing up, I was part of that Gen X generation where we were meant to be seen, not heard. You know, dad was off watching his TV and smoking cigarettes. Mom was off at her book club. And I was meant to be the quiet one. That didn't really work out so well. I had quite a different reaction. So as a result, I've been very active in speaking engagements around the world, as well as helping to co-found and also run various events, for example BSides Toronto. And I've been very fortunate to work on things like 44CON and other events to that effect. And the reason I do that is because, guess what? I don't get paid for any of this. The volunteers here don't get paid. They do it for the love of the community. And this is one of those things you have to understand, especially with DEF CON. The people that you see there are goons. I was a goon there for 13 years. And we don't get paid. Sure, they'll give us some food credits and things like that, but that's it. We're there for the love of the community. We want to make sure that we're giving back. Something to always keep in mind. And when you look at it, DEF CON as an example is just one massive example, because I've been going since DEF CON 7, in that it really becomes a family affair in a lot of ways. You know, the people in this picture in the bottom right are dear friends to this very day. Two of them were co-hosts on Liquid Matrix for many, many years. My son, when he was really little, always wanted to wear a DEF CON shirt. So, I brought him one home and he's like, "Oh yes, this is awesome." I couldn't get him out of that shirt for months, until he finally grew out of it and he's like, "I need a new one." I was like, "Okay, here we go."

Now, when we're looking at how we can better improve things, we have to figure out how to manage upwards. We have to figure out how to deal with the C-suite or the executive leadership team, because a lot of times they will clamp onto something so hard that may be completely misguided, that will end up chewing up cycles. They'll end up chewing up cycles for you. And in one power company I was working at, the CIO came to me and he was very upset, and he was absolutely beside himself, because there was this published vulnerability for, get this, a half-installed WordPress version that could lead to a root compromise. It's like, okay, and why are we worried about this? Well, because the board's worried about it. Okay, I'll ask the question again. Why is the board worried about this? Because it's a very serious vulnerability. Well, we don't have any WordPress in this environment anywhere, and this would not be a thing, because a half-installed iteration doesn't happen very often. To be fair, quite a few years ago, I did find a version one of WordPress running somewhere in Russia, but I'm fairly certain that was a honeypot.

And when we're looking at this, when we're having this conversation about threats, we have to look at it and say, what is the real threat? Often we see sharks as a threat. We see sharks as the stuff that we're scared of, because that's what we're led to believe in movies and other types of media, that this is what's a really scary thing. But no one ever pays attention to the ocean. The ocean that can actually crush the air out of a submarine, can drown people quickly. These are the kinds of things where we have to look at what we are focusing on. Are we focusing on the right things, like coffee? Oh, thank you, Adrian, so much. And a lot of times we get vexed about data breaches like WannaCry. WannaCry happened because of a vulnerability that was how old? Anybody have the number for me? How many years? There are no wrong answers. You should throw them out. I can't see you. So, oh, yep. Was that a five? All right, I got five years. Anybody else, place your bets? Well, I heard a 10. It was just over 10 years. This was something that was well known within the security community, although nothing ever was done about it, because, oh, it won't lead to any real problems. Well, it led to problems. Then there was SolarWinds, Colonial Pipeline, various hotel breaches. And this is not to make fun of any of these organizations whatsoever. It's to point out the one thing that we need to get so much better at, is having that conversation amongst ourselves and learning the lessons from these events. This is something we need to improve. How do we get there? There are many different ways to get to that point, but we have to start talking at some point. Case in point, look at all the governments doing all the various cyber security policies without the cyber security people in the room. Because bad things can and will happen anywhere. Good old ransomware.

Now, if we look back quite a few years ago, I actually don't even know, I think it's like seven years ago, the Mirai botnet came to fruition. Anybody heard of Mirai? Wow, that one's fading into history already. So, the Mirai botnet was a botnet that was built out of default credentials on internet-connected devices around the world. And there were about 62 different default settings that led to thousands and thousands of devices, that led to an attack that ended up being 1.4 terabytes of attack traffic. It just happened to be attacking somebody that was on the platform of the company I was working at at the time. That was a fun day. But we look at the credentials. root/admin, admin/admin, root/root, user/user. There's no excuse for this programmatically. There's no reason that, when you start up a new box, it can't say "change your credentials on first login." Problem goes away. And yet, we still see this sort of stuff happening. But it can be said, "You know, Dave, that was a long time ago. Not really a problem." Wait, how many years ago? Let's see. I'm sure this is an old article. Let me zoom in a little bit there. January 22nd, 2025. The Mirai botnet is still active, still a thing. This is a problem. What have we learned here? This is continuing to be a clear and present danger.

So, we have to go through our checklist of what we're looking at to better secure our environments. We have to look at the fine details to make sure we're not actually missing something. Oh, somebody got it. We have to look at things differently. My friend Mikko, I met him at a conference in some Nordic country years ago, and he was talking about, at the time, applications writing other applications. And I thought this is kind of surreal. And this project that he was referring to was literally the applications were writing applications, and those applications in turn would write other ones. But they ended up creating their own codebase that humans couldn't read. So much so that they ended up taking it offline, because they didn't know how to control it, nor what it was doing. This was quite a few years ago. Flash forward to today. Everybody's in a lather about AI. To be fair, ChatGPT was a catalytic event insofar as it got people to start paying attention, start having the conversation about AI, although it is an LLM. But we have to understand that now this is in the forefront of people's imaginations, and that they're going to be worried about this sort of concept where their application may be outnumbered and outgunned. And we see things like this. How many people have heard of WormGPT? Oh, good. We have a few. There's also another one called FraudGPT. The attackers are making use of LLMs now. They're making use of AI. They're all over Hugging Face and various other places like that. And we have to be very cognizant of this.

But the world doesn't see hackers the way we see them. They tend not to like us a whole lot. And when I say hackers, I mean anybody in security that has an innate sense of curiosity. Hackers really, fundamentally, want to tear things apart, see how they work, and put them back together in a better state. It's not about just breaking it and walking away, because that does nothing to serve anyone. The world sees us in a very dim light. And that is because we didn't handle or manage the narrative. The media, the press, all of them, they took off and they said, "Oh, the hackers, the evil ones with the hoodies and the big gloves." The only time I've ever had to wear gloves working on a laptop was in a data center at 3:00 a.m. And the cold, it was so cold in there, I couldn't feel feelings. Have you ever tried to type with gloves on? Yeah. Not really a good idea. Also the balaclava, I never get that, but what am I going to do? The thing we have to understand is the media sees us like that, but the reality is hackers could be anyone, anywhere. It could be anybody in this room. Shocker. But that's just it. We have to dissuade the external folks of what they see as the narrative. We have to take that narrative back and own that as a group.

Now, it's really amazing how people see security. So, this ugly bugger here was me back in, God, 2006. They put me on the front of a magazine, and my father looked at that, and he was a CFO at the time, and he said, "Oh, if you were working for me, I would have fired you on the spot." Thanks, Dad. Proud moment for me. But this is just it. It just really frames how most of the world sees security. They don't see it as something that should be talked about in open company. They don't see it as something that should be communicated widely. And honestly, the more we talk about it in a public setting, the more we're going to get the right message across, because this is often how we see the world. We also have to figure out a way to find a better place. I know I've had very, very dark thoughts many times. I spent two years in therapy as a result of these dark thoughts. That's not a bad thing. It actually got me to a much better place. But mental health, and we hear a lot of talk about that in our community, is not something to be given short shrift. If you're hurting, find help. It's out there.

Then we're looking at these things in the world that are broken on the technological side. We also have to look at things like Shodan, which is, you know, obviously Google for hackers. And it's really amazing what you can find out there. I remember finding a Hamilton Beach toaster that somebody had connected to the internet. I'm fairly certain they were trolling me, because I've never been able to find it since. But it's absolutely staggering, all the different people that have their webcams attached. I've seen shops around the world. I've seen bank vaults. I've seen things you wouldn't imagine. And none of that should have been easy to access. Then we run into the law of unintended consequences when we don't get a hold of security. We end up losing the thread again. So this is another example, like I was talking about earlier with WannaCry. This thing affected systems around the world. Law enforcement, retail, you name it, it was everywhere. And this sort of thing can happen again, because the attackers know to go after the low-hanging fruit. We saw it with Heartbleed. That was a library that was used by every e-commerce site on the planet, any site that was using SSL for that matter. And it was a project that was run by 1.5 people. It is now well financed and TLS is out there. So that was a good byproduct of that. We shouldn't be doing it based on when things go wrong. We can be proactive. We should be proactive. There's no reason we have to keep doing this alarmist sort of, "Oh, things are on fire. I guess we should do something."

We have to really let the world know who we really are. We are that dog behind the keyboard, but that doesn't mean we don't know what we're doing. And yes, we do live very differently online than in person. And we have to be able to be okay with that. We have to figure out a way to communicate to the wider audience so they understand and embrace us as a positive. You all right back there? Everyone I've run into over the years, not everyone, but a lot of people I've run into over the years, they always say, "Oh, security is a cost center." Horseshit. Security is a business enabler. Security is there to improve matters across the board. And we have to make sure that we own that message, because I am sick and tired of any time I hear "security is a cost center. We could save money by..." No, you can't, because this is going to keep happening.

Data breaches are something that drive me absolutely bonkers. Bless you. They keep happening. Years ago, back in 2012, I started monitoring data breaches on my own site, because apparently I needed a hobby. And at the time, the biggest data breach that I could find was on LinkedIn, not to beat them up, but that was the news of the day, and I think it was about 6.7 to 6.9 million records. Nowadays, that wouldn't even get a second look. We're now dealing with orders of magnitude of billions of records, repeatedly, on multiple sites, and things like S3 buckets pop up. I know this is a very simple example, but I like simple examples, because it makes sure that everybody in the room gets it. I wrote an article for Forbes quite a few years ago about this very problem, because at the time I was seeing data breach after data breach that was wrapped around S3 buckets. For those of you who don't know, this is a data repository, or a bucket, you can spin up and put image files, text files, whatever you want into it. And if you don't set it up properly, it can be accessible by anyone. So when you go to start in there and you set it up, it says, "Do not grant public access." They're very clear about this. Unfortunately, we end up with trolls, because the trolls like to pick on us, say, "Oh, yeah, no, no, go ahead. Set that up. We're fine with that." And we have to say, "Okay, the conversation is not just about data breaches, but the way people are weaponizing information against us." And we've all heard this phrase, fake news. But the problem here is that perception is 9/10 of reality. There are certain geopolitical actors out there in the world that use this much to their advantage, and very effectively at times. We saw it back in my own country during the election, where we were seeing visibly false news coming out of countries overseas. We have to figure out a way to combat this, because with perception being 9/10 of reality, we have to realize that the world sees security in a very different light than is presented.

So when you're protecting your organization, you want to make sure you have the right people doing the right jobs. Like, would you have a baker doing web security for your organization? No. But you can train them, and that's just it. We have to figure out a way not only to train people better, but to have mentoring internally in your own organizations at a corporate level. I've seen various BSides around the world, and it may exist here, I'm not sure, with mentoring programs to help junior people that are getting into the field. Would you have a surgeon create your voter database? No. But again, you could train them. Or would you have a philosopher running your practice? I have actually seen a practice that was run by a philosopher, and it did not go well. And the attackers know this sort of nonsense happens, because, case in point, this was quite a few years back. I don't know if the year is on the article there. No, I accidentally clipped it all. I think this was 2006 or something to that effect, where a hacker came out in an article and claimed that he had helped the Mexican president at the time win the election by manipulating data, manipulating various things online. And we've seen other instances of this in various countries around the world. So we have to make sure that we're really cognizant of that, and understand that sometimes the old ways just work. Paper ballot, you have a record. If a digital record is manipulated, are you able to tell what happened?

Now, I like to talk about hackers very much in the same vein as sharks. The reason being is sharks are there to serve a very clear purpose. They are there to help keep the ecosystem healthy. When an animal dies and falls to the bottom of the sea, they'll come along and eat it, because that's their job. They don't necessarily go hunting live stuff all the time. They will eat carrion as well. And we want to make sure that if we eliminate hackers, or sharks for that matter, there could be dire consequences. When we remove those that are having the oversight to better secure the environments and systems around the world, we're really opening ourselves up to potential exposures. We worry about the threats a lot. We do tend to focus on this, but sometimes we end up arriving at analysis paralysis. We talk about things so long, and so much time is wasted on this, that eventually we lose the thread, and then it takes on a life of its own. Now, sharks keep the food supply chain in check, and hackers really do help attack the supply chain and look at things like that in a productive fashion. I'm not talking about the criminal element. I'm talking about all of us in the room. We're there not only to just put things up and do the Ron Popeil method of set it and forget it. We're there to make sure that we're improving security overall. Sharks can hold clues for diseases, because they live so long and they are so resilient in how they operate within their environments. Hackers, too. I mean, I've been doing this for 31 years. I love it. And I've seen other people that I, you know, graduated from high school with that look 30 years older than me, and they hate their jobs and they hate their lives. So maybe they should examine us. I don't know. Sharks help keep that carbon cycle in motion, as do hackers within the cyber security community. We're able to go through and make sure that we're removing the crust. We're removing the dead pieces. We're making sure that we're not having exposures. And we also are there to help inspire better design as a result of how we approach things. I've seen too many applications over the years, typically, that were written by engineers for engineers, and the average user wouldn't know what to do with it. Very much in that same vein, sharks help to inspire smart design simply by their shape and how they cut through the water. When we're cutting through cyber security environments to better secure them, we're helping to inspire better products by virtue of how we handle things. And we have to make sure that we're using that power very much for good, because we do have a positive impact in our environments. And when I'm talking about tools written by engineers for engineers, there are some that are really good, but I would never ever ask my mother to use them, because I still want to get invited for dinner. If you've never used PGP, oh boy, it's a great tool, but it's not one that's easy to use, to say the least.

We have to figure out how we can democratize security. And I don't mean that in a political sense. I mean we need to make this as easy as possible for the laity, because most of the people we're protecting don't have any clue about security. They're good at HR, excuse me. They're good at finance. They're good at what they're good at. Our job is to give them guardrails so they can be safe and secure. And if we're giving them tools that are very difficult to use, or coming at them with, "Well, what password did you use? Did you try turning it off and on again?" We can do better.

Back in 2003, I had the unfortunate luck of being in Toronto during the blackout that affected far too much of the Northeast. And this all started in, was it New York ISO? I think it was New York. Yeah, New York ISO. And it was like a cascade failure. We were on the phone with them for several hours. We kept calling so much they actually stopped answering the phone, because we had alerting. Their systems did not have the same alerting going. And unfortunately, when they went down, it was a cascade failure. At one point the province of Ontario was keeping several states, as well as the province of Ontario, with the lights on for 4 seconds. That's an unbelievable feat all by itself, when you consider how much power it was able to do for 4 seconds. But unfortunately, it failed. And we figured out a lot of things that we had to do to make ourselves better and more resilient going forward. There are still parts of the world that really need to do a better job of handling their power grid. I'm looking at you, Texas. The things I know. I should write a book someday. We have to figure out how to do a better job of things.

And before I had kids, when I had free time, I remember those days, I actually did a lot of security research. And these are some of the companies that I was able to go through and find vulnerabilities with. The really fun one was my former company that I worked at, Cisco. And this was hilarious, because I found a vulnerability in one of their tools and I sent it to them. I said, "It was a simple cross-site scripting. I could manipulate the login page." And they were really good about it. They were very proactive. They worked with me and then they sent me a patch, and they said, "Try this and let me see how it works." How many people here remember Paros proxy? Wow, I dated myself there. Anyway, so I had this tool running that was like an intercept tool, and I went to launch the new patch, and the cross-site scripting didn't work anymore, but I could suddenly get a shell back from the tool. And the only reason I knew that is because I accidentally left my proxy on, and it was able to catch this, and it was surreal. They were fantastic. They fixed that right away. But this is one of those things where it's like, sometimes the fix isn't as great as it should be. Symantec, the vulnerability I found with them took them 18 months to fix, because they had different language libraries for every iteration of their product. Not a central library they could share across all of them. So they had to go through and individually patch every single one of their libraries, and it took them 18 months, but they finally got it done. Websense is the winner here, because it lasted two hours and they had pushed out to production a patch for theirs. So that was really cool. Those were the fun days. Nowadays they have bug bounties, and I really wish that I had that sort of free time now, because I'm fairly certain I could have made it in some bank, but these days it's all spreadsheets for me.

There are all kinds of good ideas. There are all kinds of bad ideas. But when you're dealing with security, you have to understand that sometimes a bad idea gets greenlit that ends up being really popular. Sharknado is one of those things where it's like, why in the heck did this ever get greenlit, and then it has a fanatical following? It's amazing to think what can happen. And then when you're looking at things in a different light, you have to look at, for example, you know, when you're going out for a hike. I don't know quite what kind of critters you have to deal with down here, but in Canada, we have big ones with teeth. And if you're not careful, they can get you. So, you just got to be faster than the nearest hiker, but nowadays there are more than enough bears to go around in a cyber security context. So, we can't just rely on, "Oh, you know, they won't come after us because we're secure." We have to figure out a way that we can raise all boats and improve things.

Now, remember I was talking about orders of magnitude of billions of records. This is from a site called informationisbeautiful.net. 1.3 billion records, 1 billion records, half a billion records. These are the kinds of things that absolutely keep me up at night. If you're not familiar with the site informationisbeautiful.net, please check it out. They do update this regularly. Sorry. It used to be such that they actually had to change the way they presented the data at least three times that I know about, because the bubbles wouldn't fit on the screen anymore. And this sort of stuff is possible because dumb things can and will happen. At one company that I was working at, a high-tech manufacturer, I was there for probably about two weeks when I was tasked with going out and checking all the accounts that had super user status. And as we went through there and did the iteration through them, we found that there were 10 accounts there that still had super user status where the people weren't at the company anymore. That was a bit of a problem, especially when you consider that one of those accounts had been used in the last two years.
Now, I use this story repeatedly, so some of you may have heard me tell this one before, but can anybody guess what the problem was with this 2-year-old account that had been access or this account that had been accessed in the last two years? Any guess? Throw them out. That's one way to put it. Yes. Anybody? I saw somebody else over here. What was that? They Yes, they'd been dead for five years. So, yes, they had left a long time ago. And this was really frightening. Thankfully, this was just somebody that had this access and they needed to go in, check a crown job, and then back out. They literally didn't know the ramifications of what they were doing.
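The superuser audit in the story above, as an added example that is not part of the talk: a Python reconciliation that takes an export of privileged accounts and an HR roster, flags accounts whose owner is unknown or has left, and marks the ones that were still used after the owner's separation date (the "dead for five years" case). The account list, roster, employee ids, dates and field layout are all constructed for illustration; a real run would feed it an IdP or local-admin export and an HR feed.

```python
"""Stale privileged-account audit.

Added example, not code from the talk. It reconciles an IAM export of
superuser accounts against an HR roster and flags accounts whose owner
is gone, and among those the ones used after the owner's separation
date. Every username, employee id, date and field layout below is
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Audit reference date (constructed).
AS_OF = date(2025, 5, 1)

# Constructed IAM export: (username, owner employee id or None, last login or None).
PRIVILEGED_ACCOUNTS = [
    ("jsmith", "E100", date(2025, 3, 2)),
    ("r.lee", "E101", date(2020, 6, 11)),        # owner left in 2019, still used
    ("mchan", "E102", None),                     # owner left, never logged in
    ("svc_batch", None, date(2025, 4, 1)),       # no owner recorded at all
    ("pgarcia", "E103", date(2024, 11, 30)),     # owner missing from HR data
]

# Constructed HR roster: employee id -> (status, separation date or None).
HR_ROSTER = {
    "E100": ("active", None),
    "E101": ("terminated", date(2019, 1, 15)),
    "E102": ("terminated", date(2021, 8, 20)),
}


@dataclass
class Finding:
    username: str
    reason: str                      # "owner_left", "orphan" or "unknown_owner"
    last_login: Optional[date]
    used_after_separation: bool      # login recorded after the owner's separation date


def audit_privileged_accounts(accounts, roster):
    """Return one Finding per privileged account that fails reconciliation.

    An account passes only when IAM names an owner, HR knows that owner,
    and HR says the owner is still active. Everything else is reportable:
    no owner (a service account nobody claims), an owner HR has no record
    of, or an owner who has left. For departed owners the last login is
    compared with the separation date so that "left but still in use"
    stands out from "left and never touched".
    """
    findings = []
    for username, owner_id, last_login in accounts:
        if owner_id is None:
            findings.append(Finding(username, "orphan", last_login, False))
            continue
        record = roster.get(owner_id)
        if record is None:
            findings.append(Finding(username, "unknown_owner", last_login, False))
            continue
        status, separated = record
        if status == "active":
            continue
        used_after = (
            last_login is not None and separated is not None and last_login > separated
        )
        findings.append(Finding(username, "owner_left", last_login, used_after))
    return findings


def stale_logins(accounts, as_of=AS_OF, max_idle=timedelta(days=180)):
    """Usernames with no login inside the idle window; never-used counts as stale."""
    return sorted(
        username
        for username, _owner, last_login in accounts
        if last_login is None or as_of - last_login > max_idle
    )


if __name__ == "__main__":
    for f in audit_privileged_accounts(PRIVILEGED_ACCOUNTS, HR_ROSTER):
        flag = " USED AFTER SEPARATION" if f.used_after_separation else ""
        print(f"{f.username:10} {f.reason:14} last_login={f.last_login}{flag}")
    print("idle >180d:", ", ".join(stale_logins(PRIVILEGED_ACCOUNTS)))
```

The two checks deliberately answer different questions: the reconciliation finds access that should not exist regardless of use, while the idle-login pass finds access that exists but nobody is exercising. The account worth paging on is the one that fails both the ownership check and shows a login after separation; the orphan and unknown-owner buckets are the leftovers that project-based provisioning with no sunset clause tends to produce.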
They didn't understand it. Nor did they know that this account was linked to somebody who had passed, because they had only been on the job for about 3 years. So, they didn't know. And that's just it. We have to figure out a better way to handle not only credentials and staff-removal processes within our environments, but also how we manage the licenses. How do we make sure we know what we have in our environment? At one power company I was working at, we had seven different logging and monitoring solutions, all ostensibly doing the same thing but for different parts of the business. And the reason for this was quite literally because these were all project-based deliverables. These projects would come through and say, we need to monitor these systems. All right, factor that into the bill of sale. Do this one, factor that in. No sunset provisions either. So a lot of these systems are well past their lifespan. But at no point had somebody sat down and said, "Well, we can just rationalize this all to one." And we ended up doing exactly that. But this is one of those things that we have to look at.

So yes, that person had been dead for 5 years. Hindsight is 20/20. And a lot of times I like to talk about black swan events. I won't really go into it here, but this is basically an event that has massive impact but in hindsight could have been easily solved. And a lot of data breaches fall into this bucket. So, how do we get better? We have to figure out how to learn from those lessons. Case in point, Facebook, back in 2017, had artificial intelligence robots that started talking to each other in their own language. The engineers got so freaked out they took them offline. They didn't know how to intercept the communications or even understand what they were telling each other. So when we're looking at securing our environments, we have to think about things differently. And when we're doing that different thought process, we have to look at something like the 10th person principle. If you've ever heard of this, this is really a case of: if you have nine people all saying the sun is shining, the job of the 10th person is to say, "No, it's raining outside, and here's why." And that way we're not just going to blindly accept that everything is fine when you have somebody whose job it is, quite literally, to find all the worst-case scenarios. And I know I'm in a room full of people that like to address worst-case scenarios, but the reality is we have to figure out a way to better communicate this to the wider audience, because if we miss a step, it can lead to a corporate extinction event.

I've seen this happen in quite a few companies. There was one travel company, it was Hippo or something like that in Europe, where if you had your ticket and you took the number at the end of the URL, if you manipulated it by one digit, you got somebody else's booking, and you could go through and you could walk through and pull everybody's plane ticket. They were out of business 24 hours later. It's amazing how something so simple can take down an organization. And some of these problems persist. Now, Wendy Nather, who I mentioned used to be my boss, I'm now very, very fortunate to have on my team. Unfortunately, she likes to drive me up a wall. This is a picture she sent me a couple of weeks ago, and she said, "Tell me where I am." And again, here we go. Thankfully, I didn't have the time to be able to address this one, but it just shows that when you think you've solved something, it can come back to haunt you. And you want to make sure that you tackle threats before they grow and figure out how we can do a better job, because we can. We have that capacity. This is a room full of very smart people. We can solve these things if we come together, and we have to build that trust.

When we're born into this world, we're squalling. We're looking for food. We're looking for shelter. We don't know anything else. No superfluous information. But a lot of us don't shed that as we grow up in our lives. They don't, obviously, go into cyber security. They tend to be the ones that leave their doors unlocked, or think everything's going to be fine, or think that their password of their kids' name and birthday is going to be okay. We have to dissuade them. And not only dissuading them, we don't want to vilify them. We don't want to make them feel bad about their choices. We want to give them better choices on how they can improve how they do security. I made fun of SSO earlier as being part of a solution. We have to look at how we extend beyond that. How do we find a solution that really grabs those extra pieces? We also have to come together and work as one. And where does it start? In rooms like this. You look around this room, and if you don't know somebody in this room, make a point of introducing yourself before you leave today. This is your community. And the BSides event organizers have done a fantastic job of putting this event together. They made the funny choice of having me here, and I really appreciate it, but you know, got to have a Canadian here every once in a while, I guess. But that's just it. There is safety in numbers as we're going through and looking at how we can improve matters. Coming together is this really, really simple aspect, and from there we can grow. We can do better, and we can understand that being the sharks in the ocean is a good thing, because we're there to help improve things overall.

Before I go, I'd like to do a little pitch for my Chasing Entropy podcast, which just launched a couple of weeks ago. So, be sure to check that out on your favorite platform. And thank you so much to everyone for having me here today. I really appreciate it. This is a lovely town. I've never been here, and it's off my bucket list now. So, I really appreciate the opportunity. Thank you very much.