
from Oath, who has been very patient with our technical difficulty, and all of you have been very patient with our technical difficulty. We really appreciate Oath sponsoring Hire Ground, and with that I'd like to turn it over to Manju.

Thank you so much. So thank you, everyone, for being so patient with all this scrambling on stage. Apparently it took like 11 goons to fix this, so thank you so much. My talk is called "Redefining the Hacker", and I just want to set expectations that it's actually more about inclusion and the way that we include people into the security job system, and what we think of when we are interviewing people and interviewing candidates, and what we
think of when we think about expanding our teams. A little bit about me: I'm Manju. I am a security director at Oath, formerly Yahoo. I'm a woman and I'm a security leader. I'm in a group called the Paranoids at a company called Oath, which is formerly Yahoo, like I said. There's a recruiting booth right back there, and the Paranoids is a really large security team of almost over a hundred and eighty people that have been with Yahoo and now are with AOL and Huffington Post and TechCrunch and Engadget and all those brands altogether, and we're the security team that manages all those brands. People don't always know what Oath is; I thought I explained
up. I'm also an ambivert, meaning I need my downtime and I need my social time, so it takes a little bit of energy for me to be up here, but it also recharges me to be at conferences and hang around my friends and see you guys again, and girls. I'm also a night owl; most people know me as a severe night owl, and most of this content was created at 3 a.m. I want to talk a little bit about the definition of a hacker. So this really surprised me. You know (ISC)², which is something that many of us are members of; it had this definition in this type of security lexicon, and it said that it's a slang
term meaning a hostile human, so apparently we're all hostile humans, and it is a threat to IT systems, an IT security professional or vulnerability researcher, or an amateur security person. So I saw a lot of trigger words in there: I saw "amateur", I saw "hostile", I saw "threat", and I don't think that really defines who we are as security professionals. And so it is really, really concerning that (ISC)² is setting that out as their cybersecurity lexicon for newcomers. So then I went to Merriam-Webster and I said, okay, well, how do they define it? So there's a couple of different definitions, and pretty much it's something around "illegally gains access and tampers with information". OK,
that's a little bit more accurate, but I wouldn't necessarily say legal all the time, everywhere; it's also not an accurate definition. Problem-solving: I think I like that one; that's the most accurate one that I've seen. And so, moving on, I also googled it, and it says that it's a person who gains unauthorized access, or it also references pirate, keylogger, cyberpunk, activist, which, as we know, for many of us who've been in security for a while, are references to how some of the security research work, and war driving and war dialing and phone phreaking and all of that stuff, the good old days of security; that's how it began. So I'm not satisfied with any of those definitions,
and I don't think it correctly represents who we are as security people and who we are as security professionals. It also doesn't represent anything necessarily that all of these booths back here are recruiting for. So let's talk about what it actually means. Before we do that, let's play "security person or not security person". We have challenged some of your biases here. So, okay, this is a tinfoil dude, and he, I guess there's a security person, right? Well, maybe not; he may just have an excess of tin foil. So the next one is your standard RSA graphic, and this is what you see in every brochure, this is what you see when you google any tech
company that has any security services; this is what you see on the front page. Does that really accurately reflect everything about who we are and what we do? I don't think so. Let me challenge your assumptions. Is this a security person? All right, I don't know, but, okay, what if I told you this person teaches Python security at the University of Bucharest? Is this a security person? What if I told you that she has had 54 submissions on HackerOne? Is this a security person? She is actually just sleeping at her desk and watching movies, so that is not. Is this a security person? She's actually helped a complex identity management system get working in her company, and she's studying for
her OSCP right now. Did you watch her? Is this a security person? Oh, somebody said HR. Wow, okay. She is actually creating a Kanban board and remediating vulnerabilities in her company, so she is a security person. I just challenged you a little bit there on what your definition of a security person is, and what they're supposed to look like and what they're supposed to be doing, because they're not all crouched over in hoodies hacking all the time. I recently went to a security conference called Day of Shecurity, and I had the honor of sharing the stage with these lovely women. All of these women are security professionals, and many of them are very well known in the industry,
tweet a lot, blog a lot and published books. Some of them are actually represented here today and will be represented throughout the conferences throughout the week, but that's an example of all the diversity that exists in the security industry that actually does not go recognized when we're recruiting and when we're hiring and when we're staffing. So a little bit about me: I'm gonna tell you my personal story and just kind of throw it out there; it's kind of personal. So I am Manju, like I said. My personal story is that I've been in security for about 20 years. I started in security for the government, and I started a couple of years before 9/11, and as far as my background
before that, we can go way back to my childhood. I emigrated to this country, so I was an immigrant, and many of the privileges that someone would have on breaking the law or testing their boundaries were not afforded to me when you're not a citizen, and I just want you to think about that for a second, because I had friends and colleagues and stuff like that who constantly brag about breaking stuff and hacking stuff and all that, and while that is absolutely a skill that's absolutely necessary, it's something that not everyone can do if they're actually worried about their very ability to stay in this country or any country. Before I actually joined security I had 11 jobs,
11 different jobs, nothing to do with computers, nothing to do with security. So that means that I had that many professions, that many different things that I was touching. Let's see: I was a dental assistant, I was a secretary, I was in food service, I was in sales, I was also working in a bank, I was doing many different things. And I think that one of the flaws in recruiting is that we want someone to be consistently in security, and that's not always true, and we don't really look for that opportunity of all the different things they would have been in and how that actually leads to them being in security. So I've seen a
lot of breaches in my industry and I've worked on a lot of breaches. The first breach I ever worked on in my career was actually 9/11, and I did some investigations for that, and throughout my career worked on things like TJX, worked on others and on some other big brands, and also worked to help investigate the Yahoo breach. So breaches have been a consistent theme throughout my life. But I gotta ask, you know, for being elitist about security people and what security people represent and what skills they're supposed to have, why do we have so many breaches? Right? So if we're so elitist and we have
such special skills that no one else can have and no one else could be included in, why are we doing it wrong? A little reflection for you there. The other personal story I have is from a woman named Fatima. I met her at a security conference, a much smaller security conference, years ago, and she told me her story. That's not actually her, just so you know, because you know what her photo used. But we take computers for granted: we see them every day and we touch them every day, and we think everyone has access to them, and we think everyone can learn to program and be a hacker and everyone's Maslow's hierarchy is completely taken care of, and that's
actually, I would want to challenge that a little bit. So we take computers for granted. She was born in Delhi, in the slums. She often didn't go to school; she sold vegetables in the market to help her parents. When she became a little bit older she got a job as a cafeteria worker at a university, and she went on to try and study at night. Whenever she had free time, she actually taught herself systems and programming. She also had the ability to try and read and all these same literature and things that she did was not afforded in the past. So that was her first hurdle, that she taught herself
systems. We don't realize that people are going through all those hurdles to get where they are. But Fatima did not have the support of her parents at all. Her parents wanted her to get married at age 16, and she challenged them, and she went behind their back and kind of, you know, dark guarded them from her other life, which was improving herself and getting into IT. So let's evaluate. You've heard a couple of stories now, and let's see: both of these people, and many, many more out there, gained unauthorized access, they were unsupported, they solved problems, they found a way to get in, they wanted more or they got more, and they would change access. That sounds pretty
hackery to me. So I just wanted to challenge that and say sometimes people have what it takes. They may or may not have security on their resume, but they have what it takes to start their career in security. Here's the problem: we are facing a shortage, right? Everywhere you go you hear just this stat that we're so understaffed. We also hear that thirty-two percent of companies take six months for them to fill a role, right? So in 2016 they said a hundred thousand jobs, and now they're way up to way more than that. They're predicting by 2022 there's gonna be 1.8 million; I've even heard like 2.3 million, and all those stats
waver a bit. What we can't agree on is that there's a talent gap, and what we can't agree on that 11% of the security industry or less are women. I didn't go into the other diversity stats in this, but that is something that you do know and we do know: there's a massive shortage. So what are we doing to increase it? We need to let more people in and we need to stop checking boxes. Right now, people, I've been on interviews where I've seen candidates get drilled against CISSP books, and that is not the way to get candidates in the door. I've also seen candidates that are assumed to have years of security experience for a junior
role, and there's a misalignment there for the hiring manager, and it's up to the people who are recruiting all that to set that expectation. But what we're expecting of our workforce is way too much for what we need. We need to fill these roles and we need to be more inclusive. So what does it take? What does it take to be a security person? It takes attitude, perseverance, aptitude, intelligence and passion. There's lots of studies out there that say that attitude and aptitude and passion are actually the most important things. Perseverance also is extremely important in our industry, because it's always changing and we're always challenged. And intelligence, ironically, is the least of what we need, but that's the first thing
that we test for, so we need to change that. Entrepreneur Magazine said that 80% of our success is based on our EQ and only 20% on our IQ, but we're testing only for the IQ. So what's holding us back? Why aren't we moving forward and filling all these positions, and why aren't we moving forward with hiring people in the right role, and why aren't we moving forward with giving people opportunity who've never before been in security? It's because of unconscious bias. So if you don't know what unconscious bias is, it's a prejudice that is in favor of or against one thing, person or group compared to another, usually in a way that's considered unfair. Unconscious bias gives us mental
shortcuts, preconceptions and flawed logic. I don't want to make this session about unconscious bias, but I really want you to go and read on it yourselves. It's a big part of how we'll change the hiring for the security industry. Many big companies are actually doing talks and training on unconscious bias; if your company does not have that, I would encourage you to ask your company to start having that. So then, this is developed over time and it's subconscious and you don't know you're doing it, so then how can you actually stop it? Because it's narrowing the pool that's getting hired and it's narrowing the pool that are getting promoted. What you need to do is you need to slow down and
you need to examine your own biases, potentially go through that training. You need to make uniform decisions in your process: is every candidate being tested against the same thing? If it's a junior position, is the bar too high? Is it more important for you to get a flow of candidates in and potentially increase your hiring pipeline and your organizational growth than it is for you to have the ideal candidate? Another thing you can do is you can challenge yourself and others. You can challenge yourself by reflecting on your unconscious bias, and that exists in many forms; that exists in not just the people you interact with but the way that you experience situations in we're in the
workplace. There's actually four kinds of unconscious bias. There's affinity bias, which leads us to favor people who are just like us; that's not gonna win us any points on increasing staff. There's confirmation bias, that leads us to search for and interpret for people and remember associations and perceptions: so-and-so reminded me of something that I experienced in the past, or so-and-so reminded me of a situation that was positive or negative. There's a halo effect, that's the third one, which is someone having done something great. So what happens in the halo effect is that one person in that organization says this person is great, or someone in your peer group or affiliation says this person is great, and you just believe
them that they're great through association, not judging on your own. And the fourth way is something called the cloven hoof effect, which is to generalize the negative aspects. In other words, someone tells you someone's awesome or horrible, and you generalize the horrible, you generalize the negative more, and you remember that person with a negative association instead of a positive association. Those are all things that actually lead to unconscious bias and conscious bias in organizations and team growth. The thing that I would ask everyone to do is practice empathy and get to know people, get to know their stories and get to know the deeper selves of the candidates they're interviewing. I want to bring something up called the bravery deficit. I
don't know who's heard this room. Okay, a couple of people have heard this. So Reshma Saujani, she's the founder of Girls Who Code, and I just wanted to throw a tidbit out there while you're managing the unconscious bias. She did a study on girls and boys and the way they learn and the way they speak up and the way they volunteer for things, and it turns out it's not a question of ability, it's a question of the difference of how boys and girls approach challenges. So we're raising our girls to be perfect, and girls are driven to be perfect or have all the answers before they actually apply for a job or actually finish a task or actually finish a
project. In the third grade class she asked girls to code, and she found that women, or girls in this case, were more likely to have a completely empty page. And when she looked a little deeper, the boys had lots of things on their page and then many of the girls had nothing, and she looked a little deeper: it turns out if you backspace or undo a few times, the girls had written a bunch of stuff and undid it, and they didn't keep it on the screen because it wasn't perfect and they didn't have the answers. So what do you do? You need to socialize your women and your girls to the opposite of the need for perfection. We're socialized from the
beginning to think about perfection, and often they're afraid to raise their hand and ask for help when they could actually be on the path to achieving their task.
It's not out of the scope of my interest, but probably I'll get to that personally with you. I think it's a combination of all three of them. It's a combination of societal pressures and how we're raising them; some would say it's also biology. But what you can do if you're raising young women and girls is to teach them that showing a little bit of effort or a little bit of work is better than showing perfect, and that perfection is the enemy. So you can teach them that at this age. The last bit on my point is that they're also very afraid to raise their hand. Often women and girls who tend not to
volunteer for things, you know, tend not to speak up in class because they're afraid to raise their hand. And why? Because they don't have all the answers, and they're taught that if they don't have all the answers they don't need to raise their hand. But we often see little boys raise their hands without all the answers. So, last bit: here's a resume I want you to look at that doesn't struggle with bravery. Here's one person that doesn't struggle with perseverance or bravery. She has no humility, actually; she seems to be having zero humility about her brilliance. And I wanted you to look at this resume somewhat comedically, but somewhat challenge your own
perceptions and your unconscious bias, because if that person walked in and sat across from you for a candidate, as a candidate or a role, you would have that unconscious bias before actually knowing her resume. And with that I want to close out with a very inspirational quote from a really awesome security contributor, Tarah Wheeler, on the topic of bravery and perseverance: "If you aren't being rejected more than you're being accepted, you're not asking for enough, you're not reaching high enough and dying yourself enough. Try new things, ask people who scare you to help you, and begin to believe failing really is learning. If you're winning constantly, you're in a rut." So here's to failing and winning and
enjoying the rest of the conference.

[Applause]

I want to apologize that we started late for your presentation. Do you have a few moments to answer any questions? So, any questions for Manju? Chris?
Maybe it's more to lose, more to lose: if they've built a career, they've built a salary, and if they're shown to not know what they're, you should know, they might lose their job.
Yeah, could just be that, obviously, but no, I actually think that brings up a very good point. There's different contributors in the workforce at different stages and genders and identities through the security workforce, and I think that a BSides talk on ageism in tech or ageism in security or aging in security would be a great topic for next year. I'm saying find the right people to do the talk.

Hi, I'm from Brazil and I run, I come for, a hacking conference there, which is the biggest hacking conference in Latin America, but we still fight a lot with fewer women. It's very rare to find women that can go into my stage and give a
speak with confidence in what they're saying. Because it's not that we don't have good tech girls, it's just, we do, they are rare because it's mostly men, but even the good ones, they are stage fright, because hacking is kind of a new thing in Brazil; it doesn't have even 50, 50 years there. So still a very toxic, very, very toxic community, like full of haters and trolls, so death threats are very common, even for me that doesn't show up a lot, because I'm an organizer, I don't go up on the stage. But we are trying to do the conference this year half and half: half women speakers, half women workshops, half everything, and it's being really, really,
really hard. I'm learning to give lectures so little girls can look at me in this age and have the courage to do so as well. So I would really like to ask you some advice, since you were a woman Ennis of international conference: what should I do to inspire those little girls?

I mean, I don't know enough about security in Brazil, the culture there, but I think we overall need to start holding sessions, kind of like Toastmasters for women: help them want to be present and help them want to be outward-facing, help them want to be in that limelight and not be afraid. Again, it goes back to that perfection or bust; they feel like
they have to be perfect in order to be up here. It's also that presenting is a process. A lot of people think that presenting is a hand-picked situation, rather than understanding that there is researching the conference, there is understanding what you need to do about the submission process, and that is not something that is taught anywhere. There are more and more conferences that are actually providing workshops to do that. I'm actually presenting on that at Diana on Thursday. So because we realized that meant
The good news is we're making space, we're making space now, over the last few years, for people who didn't traditionally grow up in a computer science or tech background to be a part of the security community, because we're realizing that security is much more than just tech.

I just want to say that the conference she's talking about is called Roadsec, and I've been to that conference, and it is an amazing conference, and I think that perhaps among the people in the room we have maybe a stronger network than just her to reach out to the women that we know in the industry and encourage them to submit to that conference. I think that
is a problem that we can help with in this very room, in this very day, by helping to publicize that that is a goal that they have and that the conference is really great. And the security community and culture in Brazil, if you have not been, is amazing; everyone there is so passionate about it, and you should go and see that for yourself, and we should encourage the women in security that we know to submit. So that's all I wanted. Thanks.

Great, we had one more question.
Is it on? I want to thank you so much. Oh, I'm getting emotional, and I don't usually. I want to thank you so much for what you had to share, and I want to thank you so much for being here. I have something I really want to say and I hope it comes out okay. Let me get a handle here. I've been around a long time and
I'm angry. No, I'm just, I'm angry that I'm emotional. Yeah, I'm trying, I mean, I'm going there, I'm going there. So I'm really impressed with these two young people that just spoke. I've avoided these for a long time and
one of the things that I want to say about security and our gender differences is that, and I'm not good with words and it's so hard for me behind the mic, but I really want to say this. One of the things that brought me here, it's my first BSides, really glad to be here, thank you so much. It sure took me quite a bit; I gave a lot of free hugs to get my badge today, and I'm grateful for that. One of the things that I do want to say, as far as the wonderful stories that you shared and a lot of the women that are up there, is this world can be violent, and our hacker community
is no different. And I think one of the struggles that we as women face when we go up, and I'm not emotional because I'm weak, I'm emotional because I'm so passionate right now, but what I'm about to say: when women speak up and we're afraid to, being perfect is one, but I think there's another underlying thing that we forget, which is that when we speak up and someone disagrees with us, or if we make someone angry, in many cultures around the world, not just America but many cultures around the world, what we face is not just dissociation or someone not hiring us. What we face is violence. We face death threats, we face harassment, we face so many
juvenile things that I don't see my male counterparts in the past years hit. I mean, they say some, but they handle it a little bit differently and they're able to bring it down. But I think there's a fear-based thing that we also face other than just not being perfect, and I think what it takes, and what I have seen in just the last few years, so grateful for this, I'm not emotional, I said we just emotionally cuz I'm so happy about it, is all these women that are coming and doing this, especially women like this who say, "I'm doing this, it's really hard, I can't." And I guess I wanted to ask: is 11 percent still, is that really the
correct statistic for women in security right now? So, um, that really bothers me. And I think, especially young people, one of the things that I'm so grateful for you bringing up, there was a young man that spoke over here: this new generation is amazing, the new male generation. These young guys, I have seen some of the most amazing ways that they will speak up, they will support, they will say things, and I think it's really there. And I just want to thank you for being part of the beginning. I really think this is the beginning of something really wonderful, and I'm glad to see it, I'm glad to be here. And I face a lot
of death threats, I face a lot of things, and I'm grateful for you too. I'm just grateful you're being here, and I just want to say, if you're young and you're getting these kind of things, you are not alone. There are so many of us out there facing so many horrible things that some of this hacker culture can do. Just, you're not alone, and please keep coming back, please keep presenting. And I hate the mic and I hate talking, but I force myself to do it because it's good for me. And thank you, thank you for being here, please keep coming back.

And on that inspirational note, thank you, Manju, for
bringing this topic up so we have this conversation. Thank you all for being here. We have one more panel and then we'll end our day, so I'm just gonna ask my panelists to come up here and we'll go from there. And thank you.