
T9 - The hidden horrors that 3 years of global red-teaming, Jos van der Peet (@Voske1985)

BSides Amsterdam · 2017 · 19:17 · 151 views · Published 2017-09
Tags
Category: Technical
Team: Red
Style: Talk
About this talk
My last 3 years of global red-teaming in small and large organisations have shown me that there are still a lot of misconceptions about security. We all know the ‘onion’ model for layered security. While useful for the ‘defence in depth’ principle, this talk will show that in reality, rather than an onion, security is more like a pyramid. The base is the hardware people work on (laptops etc.) and the top is your business applications. In between is everything else: operating system, network components, proxies, shares, servers and their software stack. Like any high-rise structure, the top cannot be secure if the base is not secure. Defence in depth matters, but it can be quite trivial for attackers to sidestep certain controls to get to the data they want. Just securing your ‘crown jewels’ is insufficient. This talk will revolve around how we have defeated security controls on various levels, ranging from the systems your end-users work on, all the way through to 2FA and 4-eye principles on critical business assets. It will talk about common misconceptions which lull companies into a false sense of security, while making life far too easy for attackers. For example, the fallacy of focusing security efforts only/mostly on ‘crown jewels’, and how misunderstanding why certain controls are put in place jeopardizes corporate and client data. The talk will be supported by real-life examples.

I’m an ‘ethical hacker’ with over 10 years of experience in IT: analysing systems, building systems, performing code reviews, architecture reviews and application and infrastructure testing. In recent years, Jos has been using his experience in all these fields to perform ‘Red Team’ exercises (including physical intrusion, phishing exercises and network exploitation) for small and large companies all around the world, helping them identify weaknesses and improve their overall security posture.
I am especially concerned with helping companies embrace ‘security’ as an enabler to confidently bring new offerings to market, rather than trying to work around the security ‘department-of-no’.