
Audit Compliance != Secure

BSides SATX · 2019 · 24:19 · 24 views · Published 2019-09 · Watch on YouTube ↗
Style: Talk
About this talk
Title: How To Train Your Customers: Changing the Course of Support
Presenter: Victoria St. John - @FortispugnaGame
Track: In The Beginning 04
Time: 1030
BSides San Antonio 2019, June 08, at St. Mary's University, San Antonio, Texas
Abstract: Talking about breaches that have occurred for companies that passed compliance. Offering key points when improving security before a 3rd party certifies company compliance.
Speaker Bio: UTSA Master's program student with a passion for privacy law and compliance. Actively working on HackTheBox and Raspberry Pi projects.
Transcript [en]

Next presentation by Victoria St. John, on Audit Compliance != Secure. So we would like to thank all of our gold level sponsors: maybe university, USA, Trend Micro, Digital Defense, sense; and our silver level sponsors: National Security Agency, examing, Accenture Federal Services, Open Security; titanium level: sebacic jobs, Denham Group, LMO is a, Landmark Solutions. And so the presentation will be done by Victoria St. John, so please give a big round of applause.

Thank you. Hello. So I can actually talk much louder, but I'm gonna try and keep the microphone and keep my voice down. So the whole point of this talk... if I go into the next one, there we go. So, who am I? I'm an undergrad student at University of Texas at San Antonio. I'm in a master's program for Information Systems, concentration in cyber security. I am part of the red team, a group that hangs out there, but like we've now changed our team to Red Team Hackers, so a bunch of memers. One of the things for a recent job that I got is, when I was applying they said, what would be the best thing to do on your very first day? I said, throw me into an emergency before the mundane. I said, literally, if you could say what could be the absolute worst thing that could happen, put me there, because I don't want to do just basic training stuff, because I don't actually learn anything from that.

The source material for this is actually a 10 page paper that I wrote for my cyber law class. I have it on my LinkedIn if you want to actually read through that, and I'm very thankful for my mentor Elle, who actually combed through that and gave me an outline for going through this. So I tried to keep this at a minimum when talking about the other companies. Specifically with Target, it was about poor network design. So they were certified in September of 2013; they were breached in December of 2013, literally within a couple months. The problem is with the company that had certified them: it was so, additionally, like another 15 to 20 companies that were immediately breached after they were certified. It was with how they were incentivizing to certify quickly and readily. It wasn't necessarily being aware of the setup and what could be the most secure environment for people; it was, hey, you get fifteen hundred extra dollars if you can do this in two weeks. They had a 24/7 security monitoring team that was sending out alerts regularly, letting them know about stuff, and they were just kind of ignoring them. They said, oh well, misconfigurations happen, and a lot of security teams are aware of this and they usually will say that happens. They had a 1.6 million dollar malware detection tool from FireEye that they installed. For the amount of money that they put into this, there should be no reason for the problem, but at the time they were updating their point-of-sale system, so that's when security things can happen and go awry. The Verizon report that was actually on this said there were no controls limiting their access from any system, including devices within stores such as point-of-sale registers. One of the more shocking things was you could be in the deli section and, on the register back there, access the core of the network. They had a complete flat topography for the network, and the number of times I've talked to consultants, one of the things they bring up is if you want to protect your network you need to be able to segment it, have subnets, understand what's happening on the network, be able to say without a doubt, I have this many devices, I know these certain ones belong to this certain department, and try to implement those controls.

The other one that I thought about was OPM. I was trying desperately to find any kind of company that stood out, was monumental and huge. November 2013 is when the activity began. April 2015, they still saw suspicious activity after they thought that they had forded and pulled them out of the system. People within the company knew that they were deficient for regulatory standards; they knew regularly, every time when it came up. And when they tried to check again in 2017 to say, hey, what have you done to actually improve for compliance, you're asking for 11 million dollars, what can happen, they didn't have a really good plan of attack. They had started implementing things, but the encryption wasn't across the entire network; it was in bits and pieces on some traffic. And ultimately, for the budget approval, they said no, we need to know more about this and what's going on.

So ultimately, a stipulation for being able to give this talk was that I provide solutions and not just harp on problems. I have the great blessing of being part of a company, Intuit, and I got to talk to their compliance and regulatory team, and they said one of the best things that you can do is actually get down to the heart of what it is. I put my own definition, and I was like, oh, it's passing a regulatory audit: somebody comes in and they say, yep, you're good, and that's it, that's the end. That's why everybody checks all the lists and they go, this is how we're gonna make the company better and secure. They said, actually, the point of doing these is to demonstrate your security posture to your customers. So for smaller companies, medium business size, as well as even your large companies: if you were to say, instead of going, we have to pass this compliance this quarter, how much can we throw at the budget, what does it need to do, and immediately the next day ignoring it, undoing all of it, you can look at it as a selling point to customers. And when you're trying to do security within your own company, let's say you are one of the engineers and you're trying to make it better, and you go, I hate compliance, I don't want to do any of this, it's extra paperwork that I have to do: think about it that you are cementing your job and saying, I provide value to the customer.

So officially, the enforcement comes from FTC, and it's under Section 5 of the Federal Trade Commission Act, and they are the ones who swoop in and say, we know that you're not doing the things that you need to do, and it's all very vague kind of guidelines about what it is. I went one too many, there we go. So I think of this meme a lot whenever I think of compliance: it's really a guideline. They don't give you anything specific; it's very niche in regards to what it is. If you're doing PCI, which is payment credit card information, it's all in regards to that information: how it's encrypted, how it's stored, where it's moving. It doesn't say anything about the rest of your network. It presumes that you're smart enough to put two and two together to do that. But if you do HIPAA, it's all related to health information, so encrypting that, watching where that goes, who has access to it. And when it comes to trying to extend that and offering more, then I decided to go over to a PCI document one of the compliance guys actually gave me, and I just started crossing out cardholder data and went for the main hit points. I was like, so what's the most important things that you can do to your network to actually help to make everything better and, like, go beyond compliance? Compliance is just checking off the box.

So: build and maintain a secure network and systems. Install and maintain a firewall configuration to protect cardholder data; cross out cardholder data. Do you actually have a firewall configured throughout your network for everything? From there, do not use vendor supplied defaults. I have a friend who recently got a new job, and he's telling me the lovely horror stories associated with the defaults everywhere: admin/admin for everything, the firewalls, the routers, the security cameras, the printers. And he was like, I keep creating accounts and I don't know where they're going, I can't see them. He thought there was another layer above; there wasn't. That's it, there was like no level of security at all. And as soon as he brought up the idea of encryption and keys and having second factor authentication, management's like, I never thought of that. So if you've been around people who don't understand anything related to security but they know compliance, and they're like, we have to check the boxes, we have to make sure we're not being fined, try and bring up more about the security posture: are we trying to add more value to the customer but also to our business? Because business is people, process, technology. So people are people; people will always make mistakes. Process is what is integral to how the company goes, how it functions. And a lot of companies will say that it's the information itself that is integral to keeping the business up. So like, if you were to DDoS the network or something and they don't have access to that information anymore, is it about the information or is it about the software that they use to do that? If you were to just suddenly throttle the entire network, accidentally unplug a cable or something, can they still conduct business? Think like a hospital. So if they have records everywhere of their patients and they need access to know that medication so they don't overdose them on something, what if all of that suddenly is encrypted? Do they have backups? Do they have the paper charts? They have paper charts everywhere; it may not be the most accurate, but they have some kind of thing in place, and it may not necessarily be because they're trying to be within compliance, because a lot of them, if they have Medicaid/Medicare accepted, they have to switch to the new updated online for holding things.

But like, protect stored data. So whatever you have there, are you protecting it, are you trying to encrypt it? If you're a small business and you happen to work within anything like health information or financial information, or maybe you're an HR department, or, you know, the HR department doesn't do anything, they literally just scan the document and put it there on their computer, it's on a shared local, anybody can look at it. Are there any controls in place that, like, an engineer cannot go look at that? One of the things that was disturbing and alarming was I worked at a place and the engineers, the lowest level engineers, could look at the contracts that dictated how much was put towards a project, how much each tester was supposed to be paid and how long it was supposed to last. That wasn't supposed to happen, because they immediately knew, this is just a three day project, I don't have to work hard. There were people who fell asleep and watched YouTube at their desk, and I was super offended. Additionally, encrypt transmission. So it's a double-edged sword to try and do that, because I was talking to the compliance people and they said when you start containerizing on your network it's great, because if anybody gets into that box they're literally just inside a container, they can't really do anything else. Maybe if they managed to break out of that, cool, they're only within that subnet and you don't have enough access to do anything anyway, so what does it even matter? Versus a flat topography of a network: if they just get in, there's no containers, there's no nothing, there's barely permission restrictions on stuff, they can start installing, uninstalling, getting through whatever kind of trouble and mischief that they want to do. But with the containers, as the compliance thing, it makes it difficult to see in, and then you have to work with your cloud provider to actually see that that's happening, which can be a problem, but it's well worth it to help in security and controlling what's happening.

Authenticating access, physical access: these should be basic things that immediately come up, but there's a number of people who will say, well, it's okay, I have a drawer in my office, I don't have the key, but that's where all the documentation is. We don't have anything supported up online, and that's all the documentation to prove that everybody can have access to the system; nobody else knows where it is and I don't have the key to it either. So make sure, if you do have these controls in place, that there's more to be able to, like, have a literal... it's an operations perspective. So if you do encrypt things, make sure you can unencrypt them. If you have a key to hold the documents, make sure it actually works. If anybody is in charge of one certain aspect of documentation, make sure there's another one in case they go missing. I went to a tabletop exercise where they said we had one senior system engineer, and, like, it seemed like a red herring that they were talking about people that had gone to countries where, oh, their computer might be compromised. It wasn't a red herring, because ultimately it was the one system admin that hadn't been there for two months, and that was the only one that had the access to everything. Monitor things; it's a great thing. So if you're within networking, you actually know where the bodies are on the network, you know who's doing what, and you have the ability to say, you shouldn't be doing that. If you are in systems, you should be able to set those controls in place and be able to say, no, you can't do that. You can have the policy back it up, but also have those physical controls in place. And regularly test security systems. So one of the other things is people will get these wonderful, magnificent systems in place and say, we have a firewall, we have malware detection, we paid a lot of money for it. Have you ever tested it? Do you know if it works? Is it correctly configured? For the number of times that people have ignored SOC calls coming in, alerts, hey, this is bad stuff, are you paying attention to it? No, it's probably misconfigured, we don't need to pay attention to it. And then, obviously, maintain policy. Nobody likes dealing with policy, nobody wants to approve it, users don't want to add more passwords, no more characters or anything. Like, I'm up to 16, 18 characters or something when going through passwords, and I hate it, but I know it's necessary for the sake of the company. And people expect you to have a password manager at this point, a vault of some kind, because if you're doing it in a notebook, the physical security of where you are: if you leave that notebook there, it doesn't have a lock, it's just sitting on your desk. Maybe you're in systems and you have 10 or 15 passwords that you've written down inside that notebook and you just leave it there, you go out for lunch for an hour, you come back. Everybody on your team's trustworthy, they're not gonna go through it. What about anybody else? Can you trust everybody else in the building to not go through your stuff? I can barely trust them to not take my peanut butter. I paid 6 dollars for that single peanut butter; I'm gonna be super salty if they take it and trash it.

Ultimately, one of the best phrases that I heard from the compliance guys is: it's about the intention, not the definition of the law. Because most people look at compliance and they say, okay, to follow it, make sure: did we encrypt everything, is it on there, did we do it right, did we go this way, do we do everything that we absolutely can possibly do? And that's not what it's about. Because, like, imagine you're a small business owner and you work in a restaurant. You're trying to worry about your overhead: are you getting the freshest supplies possible, how many customers, are you worrying about the marketing, are you bringing all of that information? And you find out, well, I accept card data, so I have to be PCI compliant. What does that even mean? You start clicking, going through all the stuff, and you pull up PCI DSS and you're like, okay, I got to do... am I doing it all right? But you're not thinking, this is about the security of everything; you're just thinking, this is what I got to do to make ends meet and continue going on. It's about the intention, not just that definition. The basic definition is, like, make sure you're getting things taken care of that need to be taken care of. Ultimately it is about everywhere: all passwords, all monitoring. Do you do background checks on your employees? What kind of background check do you do? Do you just sit there and say, do they have a felony? Cool, good enough for me. There have been numerous issues with several businesses in paying no attention to things. So like with Facebook, it's plaintext passwords that came out; there were other encryption things that had come up, same with Snapchat, it's happened to Twitter. And a lot of these companies, they start out and it's small and it's a little baby. They care about it and they're like, yeah, it's getting bigger and we don't really have to do anything else. You have to do the shots, vaccines, everything. Like, going up, the baby's getting bigger, you have to buy the baby clothes, you have to make sure the baby continues doing everything, because it will be a full-fledged business and enterprise that has to have everything taken care of. And if you still have, like, maybe one of the first vaccines, you show you have McAfee installed on the computers, that's it. Is the baby still gonna have the same immune system as an adult? Is the baby going to be able to handle it if it's put in a kindergarten classroom with 20 other kids that may or may not have stuck their fingers you don't know where? Right? So I'd like to think of it as it's a baby for a business: they care about it, they don't want you to ruin the baby. When you want to go in and do a security penetration testing, they're like, no, don't poke the baby, it's my baby, I care about it, I've taken care of it, it's gotten to where it is and I'm comfortable enough to have somebody look at the baby and say the baby is okay, it is compliant with what it needs to be, but don't do anything else to the baby. And, like, as somebody who wants to do penetration testing, find out what all is wrong, you imagine that you're approaching someone's baby and asking, can I poke the baby? That's what happens when we go in. And I care about compliance and regulation, but I also want to be able to do more.

Ultimately, I'm sorry that there were not that many memes; my boyfriend offered to put a China slide in, but I didn't. Do you all have any questions? What's up?

Yes, they are willing to throw as much money as possible at it, but they're not actually looking to solve the problem. They're like, if we solve the problem at the basic, it says it's doing the thing, but they're not doing more of, did we verify that it's set up correctly? We paid God knows how much for Cisco to come in and set up everything. Did they remove the defaults? Did they tell us how to actually maintain it? Did they tell us what to do with it? No, but we paid a lot of money and they said they configured it right.

I don't know, I haven't looked into the law. What's up? Could you repeat the question? Oh, me, okay, yeah, sure. Um, so he's asking about the recent executive order that came out that said managers are also on the chopping block if there is a breach. I personally don't have any information about that and know about it right now. It feels like it's trying to, because one of the things that I've wanted to ask in interviews with companies is, if I'm the engineer that screwed up, I'm the one responsible for the security breach, I did not encrypt the things, am I the one that's fired? Are you going to train me? What's going to happen? I'm responsible for the twenty million dollar breach, what are you going to do? Are you going to fire me? Is it the networking department? Is it all of systems? Is it just me? Does everybody hate me now? Do I get any kind of training? And there's no easy answer. Nobody wants to say that; that's the really rough stuff, because they're not quite sure what to do, how big is the regulatory fine. And one of the great questions that a friend of mine told me is, if and when meeting other industry professionals that are older, ask them, what's your one big oops? What's the thing that you did? Because at some point, someone somewhere will have definitely made multi-million dollar or thousands of dollars worth of damage. It's encrypted, it's gone. Oops, we reset the server, nothing's there. Or anything and everything in between. If you get the chance to talk to them, ask them what that big oops is and find out how their management dealt with it, if they kept him, if the manager was gone. Like, there was reference for experience, a saying, oh, it's a music person, music people don't know anything. My undergrad was in music, and if you put a liberal arts person with a bunch of people that aren't going to talk, the liberal arts person is going to be loud and talk. So yes, it's easier to blame the loud person in the room, but people really want to blame somebody at the end of the day. Yes, they want to point and go, that person did it, it's their fault. That doesn't necessarily fix it.

Hey, how's... what's up? I'm sorry, I do not, I'm sorry. And, like, you can find my paper on LinkedIn as well if you actually want to go through that, and, like, paying... they had flat topography, it's all their fault and blah blah blah. I don't want to stand up here and hash that and blame that, because reality is you want solutions, you want to be able to fix it, you want to apply more.

Yes, they absolutely... it's the double-edged sword of everything. I think of it as like a little throwing star: there's a lot of edges everywhere, and you grab it, you're gonna get hurt, but sometimes a decision has to be made. So the stuff with California that's going on right now is, we're in a very shifty economy for trust. Companies don't know who to trust, customers don't know who to trust, and even at RSA it was a huge thing that they brought up, because even if we try to implement a way for allowing that trust, the system, even if it's customer based, if it's business based, who's going to be able to ultimately provide that trust? And I don't have a solid answer for it, but I know it will be difficult and it's going to be a lot of fighting back and forth. Is it going to be the industry, is it going to be the government, is it going to be the consumer that's dictating that trust and what laws ultimately get implemented, how much can actually be trusted? Because, I mean, everything is going to be gone.

Yep. So thank you, Victoria, for your presentation. Thank you all for attending this one. [Applause]