
PG - Hackers vs Auditors - Dan Anderson

BSides Las Vegas · 30:00 · 27 views · Published 2016-12
About this talk
PG - Hackers vs Auditors - Dan Anderson Proving Ground BSidesLV 2014 - Tuscany Hotel - August 06, 2014

Like an introduction thing? I can do it. I'm good, okay.

Okay, welcome. All right, so this talk is about hackers versus auditors. Some of the things I'm involved in: I'm the local chapter president of ISACA for the Utah chapter, and I'm also involved with a local hacking group; they're called DC801, it's a DEFCON 801 group. My day job is at Intermountain Healthcare on the IT security team. I see one of my co-workers with me in the back here. My background is that for a long time I've done putting systems together, okay, and so I've learned a lot about systems. I've worked in healthcare for probably 20 years doing various kinds of IT work, and

in the last 10 to 15 years kind of got into the security. So I was down at DEFCON some years ago, a couple years ago, and we were having a nice discussion about what would we do, or how would I, you know, interact with the hackers. Just by raise of hands, how many in the group here are auditors of any kind? CISA, internal audit, a lot. 12, a couple, a couple, okay, not quite half the crowd. How many would consider yourself a hacker? Okay. I hope by the end of the discussion that more of you won't think of yourself as a hacker. I'd like to thank Weasel for his great review and mentoring, that was

really helpful. This was originally presented several times at ISACA groups, and it was slanted really towards internal audit, and so I think with some great changes in recommendations we've been able to make it a little more relevant also for hackers. So we're sitting around deciding and talking about, well, how would we talk about the interaction between hackers and auditors, and so we came up with this idea. I don't have any speakers plugged in, but we'll see if you can hear my sound okay.


Okay, so you're a fake. What do you think, was that a real hack or was it just slick marketing? Okay, but the point is, probably slick marketing. The point is, though, that it's fun and amusing to think about. We have certainly a lot of people that can do way more intense stuff than that; it's probably possible, it's within the realm of possibility. Let's see. Okay, so what are the elements, right? We have hackers, right, DC801, there's a lot of hacking groups, DEFCON hacking groups. I always like to fill in the picture of The Matrix, because my name is Anderson and I always think that's funny. So, okay, what you'll notice with the

presentation too is we kind of go back and forth a little bit, a little bit on audit, a little bit on attacking. So what's the mindset of an auditor? Okay, spend a lot of time understanding scripts, understanding checklists, right? Hopefully, you know, we would develop some professional skepticism. I think that's probably the main point: you look at something, or you interview somebody, or you're understanding what it is that they're doing, and you know, you don't always trust them, but you're not combative. So that's what professional skepticism is about.

All right, what's the mindset of a hacker? Like, okay, the hackers are really interested in the challenge, more so than just the money aspect of a hack. I think persistence is a real good word; you'll see that a little bit later on. Okay, so audit firms are after a certain kind of person that can do this, right? They look of course for certification and those things. These are the things they're trying to do to improve auditors they have, or this is what they would look for in folks that they might hire. Okay, so who likes to document? Anyone? There's one person. So it doesn't matter whether you're talking to the audit crowd or whether

you're talking to the people who are writing code; generally nobody really likes it very much, but it is important to do and it's a necessary evil, and some people like it, right? They become really good at it. So what are we doing hacking? What happens? Making things do things that they weren't intended to do, right? Making changes; it can be simple changes, could be complex. Okay, so I think that second bullet is pretty interesting. So it's not just related to the computer stuff, right? Social engineering, the human aspect. Okay, here are some important things that firms look for in auditors. Okay, analytical and critical thinking (they've taken some polls), communication

skills, IT general skills, risk management, business acumen. Okay, that's what they're looking for. So what do you do when you exploit software? You try to make it do something that it wasn't intended to do. Okay, so one of the points of this talk is to understand what our companies are looking for, right? Not just out of auditors, but what are they looking for in us all? Okay.

Today by doing a reverse engineering, okay, so easy or hard to do? More fun, right? It's interesting, some of the things that happen as you do any of this kind of work might be improving your speaking abilities, right, developing some board and community relations, okay, outside networking and contracting, become a better person in persuasion, working with the C-suite, mastering new technology, right, and negotiating. Did anybody like to go down and buy a new car? You know, it's kind of fun if you've got time on your hands and you want to mess with the salesperson a little bit. All right, social engineering. So we had an interesting social engineering thing happen last night. We're at the Black

Hat VIP party, and one of the guys thought it'd be really funny to get a table of guys to drink some Cosmopolitans. So he went and had them made, and he showed up at the table with these Cosmopolitans, and he had to get help bringing them over, but he didn't call them Cosmopolitans, because he knew these guys would never drink them. Well, what he called them was Dirty Sheep Tuckers, and so they proceeded to drink them, right? Well then the next guy up who was at the table wanted to get another round, so he went up to the bartender and ordered Dirty [ __ ] [ __ ]. Well, of course the

bartender didn't know what that was, so that proceeded all night long, and pretty soon all the bartenders were there, there were about four or five of them around, and they had it all figured out pretty soon. But they were different every time, right? So it might be a Cosmo, might be whatever, but a fun little social engineering experiment; we laughed so hard until we cried. So what makes an IT auditor effective? These are some of the things: integrity, teamwork, continuous learning. I think that's really important; you always got to be learning, and that's really one of the key points of this talk, is you always have to be learning, and a good way to do

that is to start to associate yourself with groups. If you're only in the audit community, how do you start to be involved in the hacking community, or if you're in the hacking community, how do you start to be involved in the audit community? I don't know what's up with my... it's the projector, okay. I thought that was just leftover haze from last night or whatever. So we've all heard of the three different kinds of hackers, right? [Music] They're good; maybe take a quick look at it, because my next thing is a video.

Okay, nobody move. Thank you. So essentially the white hat hackers are the good guys, right, the guys that learn how to hack to hopefully prevent other people from hacking. Black hats, right, are the bad guys, considered the bad guys. Grey hats are somewhere in the middle.


I've been on down and countries excited for probably two years now. My handle is

If they had access to themselves; usually when I package something it's a good contacts just right.

C'mon, I gotta tell you, it's... I have no idea. I can tell you the person I thought your life is a cyber because I discovered it now the user space on to this zero.

My opinion, price target isn't kind of distribution source, the branches and distributions.

Too easy to set up.

Vulnerable simply because the first then setting it up doesn't move the skill; the first setting up a server should have, no, not setting these defaults until they, not with the security exploits. Exactly. I think the biggest thing, the biggest security problem with computers and telecom, is defaults and just sloppiness and laziness. Yeah, and I think one of the biggest, security social engineered so easily, three trips so easily, and Mitnick, like, absolutely, his best hacking was over the phone, social engineering at an entropy.

You can count on every box never rooted in.

More sophisticated, more marquee. I, in the background, where is it going? No, it's critical; it's always, often overlooked, but people, you know, every day are learning that it's more critical as everything becomes far more automated.

Yeah, I guess some counterculture on average. I'm in my first corporate now, working ten minutes, I'm so easy to do commerce site. Hey guys, software company here, another dog on watch. This is where capitals and eats my believe. All those with lame internet security, I salute you, because there's a different threat every day. You need more than firewalls and antivirus, you need Internet Security Systems. This is my masterpiece, so one blows right through your firewall. So guys, crazy cocktail, a hybrid, gets in through a web, email, chat. Antivirus, man, can't keep up. Kick it in one way, get in, five minutes, it's like a symphony that will change the world. Oh no, it's me in a

world where there's a different threat every day, you need a different kind of security, Internet Security Systems. So you want to let me go? Fine, fine now, because the simple past two years go below average appointees permanent. Because there's a different threat every day, you need more than firewalls and antivirus, you need Internet Security Systems.

Okay, so anybody here was at DEFCON 9? Okay, and that's great. So they were bringing up a couple of interesting thoughts. This is, so what, 2001, right? And they were talking about WEP, right, and we saw what happened throughout the rest of the early 2000s with WEP and how easy it was to penetrate, and there's been just a ton of stuff on that. But that was a good early warning indicator, if you think about it. If you look back in history and say, okay, if I were an auditor during that time and I was hanging out at DEFCON and I was hearing about some of the problems with WEP, I would have a really good something I

wouldn't learn by a checklist or by a framework. I'd be hearing about that, and that's really the point, is, you know, when you start to partner and spend time in another discipline, you're going to hear those things and do better. So likewise in the hacking world a lot of things have evolved since that time. We're up to like COBIT 5 in frameworks, and so our checklists have gotten better, and so those things have gotten better. So if you are on the hacking side, how would you start to understand what those are, right? The hacker mindset: we have a lot of interesting problems, fascinating problems to solve. Hopefully you don't

have to solve it twice; I'm a big fan of automation myself. Okay, an attitude. Okay, so the ongoing experiment, right? If you're an auditor, begin studying with hackers, spend time with them, right? Come to DEFCON, come to BSides, come to these different conferences and learn. Familiarize yourself with communities, right? There's a lot of them around, and if it's of interest, start to gain some certifications. A lot can be gained from that; they're pretty valuable. Not all of them are valuable, but it seems like it's helpful to have a few. Okay, I think the value is how much you put into it, really. So this could happen to you:

This is what happened to me last year. I was at the pool party. You know, in the audit world you wouldn't think that this might be possible, but at the pool party, because I was hanging out with, you know, this kind of a crowd, they had a monkey, well, and put it on my head, because they thought it'd be funny to take pictures, and we've had a lot of good laughs over that. So the Swedes were a group of Swedes, about five or six of them, and it was kind of funny, because they have really pretty good English, but some of the ways they say things in English could be quite funny,

and so they were giving me quite a hard time about that. Here's some of the benefits: the answer why. That's really important. Why does something work a way, why should it work a certain way, or why does it have to work a certain way, or why do you keep doing things the same way, right? Knowing your adversary. On the hacking side, the networking is really important, having a little bit better ability to engage with the C-suite, and depending on your level in the hacking world, some hackers get all the ability they want, because they're coming in usually to save the day, right? So the C-suite is calling them. Others are, you know, at different levels;

they might not have those opportunities, so you can start to get some of those opportunities. Consulting gigs are always nice to have. Some of the possible common traits between the two: I've worked in both realms, and I think integrity and work ethic are huge, the teamwork we've talked about, the desire to make the world a better place, right, that's huge. So Mark Zuckerberg talks about the hacker way: if it's impossible, that's an interesting challenge.

So continuous learning and understanding, improvement, automating. Hackers can understand what auditors are doing; they can become more effective, maybe a little bit more slippery. It's kind of a great cat and mouse game, actually, right? So we have a lot to gain by working together.

You guys will all have access to my presentation; some references in there for you. Any questions or thoughts? Okay, really appreciate everybody's time today. Thanks for coming out.
