BSidesMCR 2018: Diversity In InfoSec (Not That Sort!) by Victoria Walberg

BSides Manchester, 32:32, 127 views, published 2018-08

Transcript [en]

...an adapter. So, I'm Victoria Walberg, and to most people online my name is Nicky Jay. I work in [unclear] consultancy along with my own company, which is Logically Limited. The type of work I tend to do is roles such as information security manager and security consultant. I know that's a bit vague, but I'll talk a bit more about that later on in part two of the talk. The short version is I've been doing this for about 15 years now, and the talk today is "Diversity in InfoSec", but not that sort.

The talk is in two parts. In part one I'll use the OSI seven-layer model as a talking point about the diversity of areas of research and areas of concern across the InfoSec spectrum, and it's a bit more techie. Then part two, "Rock Stars versus Plumbers", I'll talk about what enterprise security people do across the layers and how that relates to rock-star researchers, and security versus compliance. So with both parts I want to provide a broad overview for people who are new or thinking about training in InfoSec and entering the industry, and also those who've been focused on one specific area, particularly areas of work or research.

So, a bit of background about why I've chosen these topics to talk about. I go to quite a lot of cons and meetups, and sometimes they can be quite siloed, so you get the more techie ones. At some of the BSides events I've been to, lots of the talks, or the top talks, have been about malware research, or they've all been about reversing or pen testing, and there are lots and lots of other techie conferences out there. Then you go to other events that are more dev-focused, DevSecOps and code, and then you go to something like an (ISC)² meetup and people are more focused on enterprise security and governance, risk and compliance, and it can be quite high level. It can feel quite tribal at times.

So, part one. I'm going to use the OSI model, and for those not familiar with it, it's up there: the seven layers. I'm going to play with the terminology a bit and broaden the scope, so I'm going to be taking a few liberties with that. One of the reasons I'm using this as a starting point is my own background. I started as a network engineer, and since then I've done a bit of hosting, and there have been a lot of roles where we've done a bit of everything. In some ways things have changed; there's been an evolution in tech generally. Roles tend to be a lot more focused: companies are looking for people with skills in a particular email server product rather than just generally hiring sysadmins, or they want someone with one specific version of Linux rather than just having general UNIX experience, or they want a network engineer who has certifications from specific vendors. It's the same for developers as well, and a lot of other tech roles these days. That's not forgetting that a lot of those things I've talked about have now moved to the cloud or are starting to move to the cloud, so there is a larger variety of roles and technologies, and there are lots of things that exist now that didn't when I started. So as a security manager or consultant I have to think about everything across all these layers and beyond, and sometimes having that broad and diverse background can be a benefit.

So, start with the physical. The risks with physical tend to be things like taps, which tend to be more nation state, but for most organizations it's going to be things like building control and building access. It's going to be things like disasters, dealing with fires and floods. On the offense, there's social engineering (there have been some talks already today about social engineering), there's nation-state access, and there's accidental damage as well, or organizational failures. Unfortunately, here in Manchester we're aware that sometimes there are terrorist attacks. And for those of you who were there last night, it can also just be the guys from Pen Test Partners with some bolt cutters.

In terms of defense, it's usually people like security guards. Sometimes in tech somebody has to deal with CCTV systems; in data centers you've also got things like sensors, pressure pads and fire suppression systems, dealing with the backups, dealing with your off-site locations. Typically in big organizations this will be dealt with by a dedicated person or team, but quite often there is that overlap with IT, in particular when it comes to the data centers, or when you're thinking about data protection issues as well, particularly in terms of CCTV. There's also the other side of physical: we're starting to see more things like Rowhammer, and there's a bit more on that, on tapping, where things like Rowhammer are starting to be used as an interesting physical attack. They're using application attacks to have that physical attack on memory cells and cause those disturbance errors, and there's thinking about error checking to help mitigate that. It's an interesting area of research that isn't your traditional physical issue.

So on to data, and this is really what it's all about. It's really what all of your information security is about, and in lots of organizations it's seen as the crown jewels. For those of you not familiar with the term, it's used quite a lot, especially in enterprise organizations, and it covers all sorts of data: it's intellectual property, it's trade secrets, it's your HR data, it's finance, it's payment processing, it's sales and marketing data, as we've seen recently with Dixons Carphone (and who else received this email this week? This was one that I actually received yesterday morning). Then in healthcare and the public sector, the data is quite literally vitally important, and we've seen in the US that this has been recognized with HIPAA. And then there's personal data, and there's a lot of it, lots of it hoovered up by social networks and e-commerce, sometimes as what's termed an "information society service", and it's the sort of thing that's used for manipulation of a person, such as in voting, or for blackmail or extortion. I'm sure some of you have seen the Facebook apologies around bus stops and that sort of thing.

So why do people want the data? Aside from the standard day-to-day running of a business, or for making money, which is the main driver, some do legitimately want it for research, particularly in science and healthcare. Nation states might want the data. Criminals are very interested in the data because, as I've touched on, data can be used for influencing political elections and referendums, and it can also be used for espionage. At a more personal level, financial data can be traded for money, as can blackmail, or something for political gain. So how do we defend that data, whether that's keeping it private as intended, or ensuring its integrity, or just making sure it's available for the people that need it? That's where governance comes in.

So lots of organizations will have internal policies and standards. You might have had an AUP, whether that's at the company you're working at or here at the university, and for IT staff there are normally technical standards and systems configuration to adhere to. But there are also commercial standards such as PCI DSS, there are regulations such as GDPR, and also NIS, which is the security of Network and Information Systems Regulations, and there are industry certifications such as the ISO series, ISO 27001 being the most well known, but there's an entire 27000 series, and they can get very, very specific. ISO 27039 is "Information technology, security techniques: selection, deployment and operations of intrusion detection systems". There's a specific ISO standard just for IDS. Regulatory controls are in place for certain industries, such as the nuclear industry and financial services, and NIS only applies to operators of essential services. The UK government is taking the lead on this, and you'll find more details on the NCSC website as to who is considered one, but it's normally utility companies and that sort of thing.

So in terms of threats to data: data leakage does happen, it happens quite a lot, and it might be for a variety of reasons, not just technical. The non-technical reasons aren't down to people just hacking. Earlier this year the CPS were fined; they'd lost some DVDs, I think that was actually down in Brighton, which is where I've come up from. And TalkTalk were fined last year, the second time around that they've been fined, and that data was lost to a third party misusing it. They were using that data to try and help with identity theft, so there's a potential for financial loss and consequences to individuals, members of the public, from having that data lost. A lack of availability as well can have a major impact, whether that's things like healthcare data, as we had with WannaCry last year, or people being unable to bank, as we've had with TSB. And data integrity, again with TSB, with reports of people seeing incorrect information online, or receiving letters in the post intended for other customers. It's become such a saga that the BBC have got their own topic site now on the BBC News website, and earlier today they were having to double their customer complaints team just to deal with the fallout of that IT failure. So ensure there are controls to help mitigate risk to data, and that they are there to support the business: confidentiality, integrity, availability, or the regulatory aims.

But in a true OSI sense, at the data link layer you've got attacks that include things like MAC address and ARP spoofing, which has potential for loss of confidentiality or integrity, and that can lead to things like session hijacking. You've got DHCP starvation, so people can't get on the network. You've got spanning tree and VLAN hopping as well. If anybody saw Paco's talk at SecuriTay earlier in the year, he actually mentioned there's no layer 2 in the cloud, which I found quite interesting. So, for threats to data in the generic sense, they're typically used for carrying out attacks at the other layers, and sometimes in combination, such as using social engineering to enable an application-level attack. Defending your data is really defense in depth: it takes more than one control by design to help defend data.

So, network, very quickly, in an OSI sense: you've got attacks such as ping of death, routing attacks, packet sniffing and IP spoofing. In defense of those things you've got your standard appliances and access control lists, you've got firewalls, and things like source guard, authentication and encryption can help mitigate some of the attacks, such as packet sniffing. In a general sense, attackers want to gain access to your network and gain a foothold in order to gather the data.

So, transport. With TCP, traffic and connections are established at the transport layer, so there are injection attacks. You've got TCP-level attacks such as man-in-the-middle and injection attacks, and the defense is around the robustness of the protocol: initial sequence numbers must be difficult to predict, and you use controls across multiple layers to mitigate the attacks, such as TLS to encrypt traffic. Again you've got things like SYN flooding, where the defense is SYN cookies, and attacks on congestion control, where the defense is using analysis. If you want some more information on that, there's a URL at the bottom. It is quite a long presentation, but it's a really, really interesting presentation on transport layer attacks.

So, session, presentation and application layers. Focusing on the session and presentation layers, you've got protocols like NetBIOS, SIP and RPC, and these are used for getting access to data. You'll find quite a lot online about SIP attacks, and defenses against attacks at these layers, again, are firewalls, patching and using TLS and mitigations. And the application layer: application issues are probably the ones you're most familiar with, whether that's as a pen tester or consultant, or just generally the ones that people are familiar with and hear about on the news. So it's things like XSS, it's SQL injection, and it's WordPress vulnerabilities, which is how the attackers got in with the first TalkTalk attack. Threats: you've got security scanning tools, people out there looking for sites, people using things like Shodan, you've got people doing unofficial pen testing, as we've seen particularly when people make wild claims about things being unhackable, and you've got malware and ransomware creators utilizing the vulnerabilities that are out there.

So, risks at the application layer. They're normally down to a lack of design or misconfiguration across the layers, so it could be something as simple as a missing firewall configuration, or not enabling the right levels of authorization and access control, or mistakes with the design. In some cases that's just having no design, or lacking processes such as threat modeling, or having no design and build documentation and standards. Ideally you'd have some sort of oversight on that process, but it can also come down to development problems: it might be a lack of awareness with the developers, such as how to do secure coding, or just somebody simply making a mistake. A lack of testing as well can prevent you picking up on those problems before implementation.

So to defend at the application layer, you're looking at robust design, data mapping, threat modeling, implementation, change control processes, secure coding. It's things like making time for continuing professional development, and that isn't always training for people; sometimes it's just supporting people in gaining new knowledge and having time for learning new technologies and threats. So if people are wondering why I come to conferences, it's because they help keep me aware of what's new, whether that's threats or defense techniques. On the threat modeling, it's really useful, and there are quite a few different methodologies out there. There's Microsoft STRIDE, there's PASTA, which isn't talked about a lot, although it has been at BSides events, and Microsoft do offer free threat modeling tools; there's a generic one and there are some for Azure.

The other thing to consider is testing: quality-check how things are being built. Is the design robust? Are there new threats? What if a change has an unwanted side effect? Some of the basic testing can be automated, and I've seen quite a few vendors around at security conferences selling those automated tools, but I've worked with quite a few pen testers from some of the great companies sponsoring today, so I know how useful the manual testing can be, especially as it's not always easy to codify a threat model. More generally in the industry, security is helped by researchers, like Google Project Zero, who are making discoveries before some of the black hats, and for commercial vendors it seems to give them a competitive advantage. But as a minimum, think about the OWASP Top Ten when it comes to application security, but ideally some threat modeling and testing. So there's a link up there: the STRIDE table, and everything else is STRIDE links on the Microsoft site, and at the top there is the talk that Tony gave at BSides Belfast last year, which talks about the PASTA approach.

There's also layer 8, as some people like to call it, for people. So there are the risks that people present. People misunderstand things, especially the technical side of things, and accidents can happen; it's not always malicious. Things can happen: accidental deletion, not realizing an email contains a virus. But you do have the malicious to consider as well: social engineering, bribery, blackmail. With the TalkTalk fine I mentioned earlier, that one was due to some outsourcing and offshoring, and there was a vulnerability there of people misusing that data. So in terms of defense, preventative measures for layer 8: background checks and having physical security at a site can help with some of those malicious threats, and the technical measures can help with defense too, so things like antivirus. There's been a bit of a backlash recently against that, but it can help with things like drive-by downloads, users accidentally clicking on malicious links in an email and triggering a virus or malware across the systems. Backups as well can help mitigate an attack, whether that's an accidental deletion or whether it's been ransomware, assuming you can have that recovery. Obviously there are things out there like multi-factor authentication, but really I think it comes down to education and training: helping users to detect problems, so looking at things like phishing emails, guidance on reporting, and not having that blame culture, having a company culture that encourages reporting and not blaming.

So on to part two. Questions at the end. I mentioned earlier that I go to quite a few conferences and meetups and how they can feel quite siloed or tribal. I've been asked about, you know, writing a talk, and I've been quite hesitant: I don't do stuff, I'm not cool, I don't do research, and sometimes I can't always talk about what I do at work. That's the case for lots of people in enterprise security, because it presents a risk potentially to the employer or clients, and a lot of people are under NDAs. But sometimes when I go to a real techie conference I feel the reaction from some of the researchers is like this, and then I go to the more formal meetups and it's like that. I think some people are awkward, but there are lots of really great people in both places, and I feel that it's starting to improve as time goes on. There are great techies within typical organizations, within those enterprise IT organizations, and lots of researchers who are sharing their knowledge and time, a lot of them here today at BSides events.

So enterprise security can be really broad. It can be everything from securing your physical environment, meeting SLAs, managing risks, applying controls, vulnerability management, raising awareness, getting and maintaining compliance, governance, incident and crisis management, detection, root cause analysis, systems patching. It's really, really broad. There's a slide up there from Utah State University; they've put online their enterprise information security management program, and you can see, just at such a high level, how broad that is. So it's not sexy work, but it's important, and it's no longer just the internal enterprise IT staff we have to worry about. There are all the online services: it's e-commerce, it's marketing, it's working with lots of digital companies, it's outsourcing, it's APIs, it's hosting, it's SaaS and cloud providers. There's moving to digital, apps, Internet of Things, as brands try to innovate or provide "information society services", to use that phrase again from the EU, and that presents more challenges.

So how does that relate to security researchers? With lots of people in reversing working for antivirus companies or managed security service providers, or even having those major vulnerabilities exposed by the likes of Project Zero, the work Project Zero does highlights the importance of patching, or even how difficult it can be to secure by design, with the recent Spectre and Meltdown bugs. So, as Mike [name unclear], a product designer, said: "Your customers are not you. They don't look like you, they don't think like you, they don't do the things that you do, they don't have your expectations or assumptions. If they did, they wouldn't be your customers, they'd be your competitors." So people in enterprise security have different priorities: they're there to support a business, they have different challenges, and they may not have the support from the business to do the right thing, whatever that might be. That could be the patching, or secure by design, or hiring better coders.

So from an enterprise point of view, we want to have good network and application security, and researchers help enterprises make the products and services that they offer safer. Vulnerabilities exposed can help secure more support from the business for the work that we do, and that certainly can be the case, particularly when things are happening in the news, and there's been a lot more recruiting in the security space. It also brings us on to compliance. So it's not just exposing vulnerabilities that can help enterprise security folks get support from the business; the compliance programs can help them too. Although there are a lot of different opinions on security versus compliance, I think everybody is in agreement with the slide here that compliance doesn't equal security, but I do agree with Redspin that there is an overlap there. The compliance standards such as ISO 27001 and PCI DSS require that some of the basics, such as user management, are carried out, and it's getting the basics right, rather than the shiny blinky-light boxes, that helps most organizations stay secure. So researchers sometimes produce products, such as antivirus, and services, such as managed SOC and pen testing, that are put in place and deployed because they're needed for an organization adhering to compliance standards such as PCI DSS.

So my advice to enterprise security and governance folk is: if you meet someone who isn't suited and booted, or doesn't look how you think they should look, please don't write them off as some weird geek who doesn't understand business and/or enterprise security or GRC, and don't be an enterprise rock star and dismiss lowly tech work as just for kids. But why go to tech events outside your day-to-day work? What value does it bring? For me, I think it helps keep tech skills sharp, you gain insight and understanding into emerging threats and how that relates to your environment, and it helps you think about and update your risk models. It gives you a sense of the work and effort that goes into security products and services, why you might consider one vendor over another, and why you can't always run it all in-house. It can also help your sense of [unclear], but also, learning something can be fun and interesting, and it could even pique your interest in new areas or a change in focus or role.

So my advice to researchers: if you meet an enterprise security or compliance person at a tech conference, don't write them off. They may have more tech skills than you realize. There are some people, particularly in large companies, who have very, very technical people working for them, and the fact that they're at a conference shows they're interested in learning. There's no magic money; also, there's no magic money for training. So unless you're in a really privileged position to be an independent security researcher, the chances are you're either in academia, possibly self-funded, or you're being comparatively underpaid, or you may look for private sector work in the future, or you're working for a company offering security services. Whether that's as a solo pen tester for hire or as part of a large consultancy or MSSP, both of your salaries are funded by enterprise security teams buying something your company offers, whether that's a product you're involved in developing, or a skill or service that you're providing, such as outsourced pen testing. And, as I'd say, it gives you an opportunity to meet your users and customers.

So my advice to all is: whatever type of InfoSec person you are, in the words of Wil Wheaton, don't be a dick. So, any questions?
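The data link layer passage above names ARP spoofing as a route to loss of confidentiality or integrity and to session hijacking, and the talk's stated defense is controls at more than one layer. As an added example that is not part of the talk or the speaker's material, the Python below shows the detection side: it parses a constructed, made-up ARP event log (the `<ts> <ip> is-at <mac> via <iface>` format is invented for this example, not a real tool's output) and raises alerts when an IP's claimed MAC changes, when one MAC claims several IPs, or when a pinned address such as the default gateway is announced with an unexpected MAC. The pinning dictionary mirrors the idea behind static ARP entries or switch-side dynamic ARP inspection; the names `parse_arp_log`, `detect_arp_spoofing` and `GATEWAY_PINS` are this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed log format for this example only (not any real tool's output):
#   <timestamp> <ip> is-at <mac> via <interface>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+via\s+(?P<iface>\S+)$",
    re.IGNORECASE,
)


class ArpEvent(NamedTuple):
    ts: str
    ip: str
    mac: str
    iface: str


def parse_arp_log(text: str) -> List[ArpEvent]:
    """Parse the constructed log format; blank lines and '#' comments are skipped."""
    events: List[ArpEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable ARP log line: {line!r}")
        events.append(ArpEvent(m["ts"], m["ip"], m["mac"].lower(), m["iface"]))
    return events


def detect_arp_spoofing(events: List[ArpEvent],
                        pinned: Optional[Dict[str, str]] = None) -> List[dict]:
    """Return alerts for three spoofing indicators.

    pin-violation: a pinned IP (e.g. the gateway) is announced with a MAC other
                   than the one we expect (the static-ARP / DAI idea).
    mac-change:    an IP's announced MAC differs from the last one we saw for it.
    multi-ip:      one MAC has claimed more than one IP over the log window.
    """
    expected = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    last_mac: Dict[str, str] = {}
    ips_per_mac: Dict[str, set] = defaultdict(set)
    alerts: List[dict] = []

    for ev in events:
        pin = expected.get(ev.ip)
        if pin is not None and ev.mac != pin:
            alerts.append({"kind": "pin-violation", "ts": ev.ts, "ip": ev.ip,
                           "expected": pin, "seen": ev.mac, "iface": ev.iface})
        prev = last_mac.get(ev.ip)
        if prev is not None and prev != ev.mac:
            alerts.append({"kind": "mac-change", "ts": ev.ts, "ip": ev.ip,
                           "previous": prev, "seen": ev.mac, "iface": ev.iface})
        last_mac[ev.ip] = ev.mac
        ips_per_mac[ev.mac].add(ev.ip)

    # Sorted so the output order is deterministic.
    for mac, ips in sorted(ips_per_mac.items()):
        if len(ips) > 1:
            alerts.append({"kind": "multi-ip", "mac": mac, "ips": tuple(sorted(ips))})
    return alerts


# Constructed sample: the gateway and one host are fine for three events, then a
# third MAC starts answering for both of them (classic gateway impersonation).
SAMPLE_LOG = """\
# constructed sample data
2018-08-16T10:00:01 192.168.1.1  is-at 00:11:22:33:44:01 via eth0
2018-08-16T10:00:05 192.168.1.20 is-at 00:11:22:33:44:20 via eth0
2018-08-16T10:00:09 192.168.1.1  is-at 00:11:22:33:44:01 via eth0
2018-08-16T10:01:30 192.168.1.1  is-at DE:AD:BE:EF:00:99 via eth0
2018-08-16T10:01:31 192.168.1.20 is-at de:ad:be:ef:00:99 via eth0
"""

# Constructed pin for the default gateway on this example segment.
GATEWAY_PINS = {"192.168.1.1": "00:11:22:33:44:01"}


def run_sample() -> List[dict]:
    """Parse the constructed log and return the alerts it produces."""
    return detect_arp_spoofing(parse_arp_log(SAMPLE_LOG), pinned=GATEWAY_PINS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample log the first three events produce nothing; the fourth trips both the gateway pin and the MAC-change check, the fifth trips MAC-change for the host, and the final pass reports that `de:ad:be:ef:00:99` has claimed both addresses. Feeding a live tool's ARP output into this would need a different parser, but the three checks are the same ones a network monitor applies.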