
BSidesSF 2020 - How The Coasts Approach Information Security Differently (Sourya Biswas)

BSidesSF · 2020 · 20:02 · 244 views · Published 2020-03
Style: Talk
About this talk
Sourya Biswas - East vs West: How The Coasts Approach Information Security Differently. How Wall Street and Silicon Valley fundamentally differ in their approaches to information security, and what one can learn from the other... This talk will be useful to the assessor/auditor, the advisor, the operator and anyone generally interested in information security.
Transcript (en)

Please welcome Sourya Biswas from NCC Group. Hi guys, last session of the conference, right? So I can see some people yawning, so hopefully I can retain your attention for the next 20 odd minutes. A little context around the title, East versus West. When I say East versus West, I'm specifically referring to Wall Street and Silicon Valley, in fact the financial services firms, or FS firms, on Wall Street and the tech companies in Silicon Valley. I know exceptions exist, right? I mean, there are banks in California, there are tech companies in New York, but for the purpose of this presentation I will be focusing on those industries which are most closely identified with these two geographies.

First, a bit of introduction. I didn't know it would be such a large screen, but as you can see from the picture, unlike most things in security, this is one place where I'm okay with legacy, perhaps deprecated, information, because this picture is more than a decade old, and my wife told me, you know, that they will be able to see you, right? So in terms of my experience, I have worked on both coasts, in banks and in tech companies, both as an operator, as in, in security teams, as well as a consultant advising such teams. So hopefully I have the experience to talk about what I'm going to talk about.

Now, before I move on to how information security is different on Wall Street and in Silicon Valley, I would like to take a few moments to explore how these two industries are themselves different, and I would like to quote Mr. Rudyard Kipling here: "East is East, and West is West, and never the twain shall meet." I'm sure he meant it in a different context, but it works well. Now, first, when I'm describing the differences between these two industries, I would like to talk about what I call decision factors, what drives decision-making, and the reason I say this is because information security does not exist in isolation, right? It exists to meet the needs of the business, and in my experience FS and tech are quite different as regards their business needs. For FS firms the primary business need is compliance. It's not that they are not concerned about customer friendliness, but because of the myriad laws and regulations that they need to abide by, Dodd-Frank, GLBA, anti-money laundering, and the huge fines associated with non-compliance, usually compliance takes precedence over customer friendliness. On the other hand, with tech, they are more concerned with meeting the needs of the customer. I know recently there have been all these privacy regs, right, GLBA, CCPA, etc. However, in general the regulatory burden for tech companies is less, and that also kind of plays into the organizational culture. With FS firms it's all about going by the book, dotting the i's and crossing the t's, moving slow as long as you are doing it right, whereas with tech firms it's all about "move fast and break things." I'm sure you recognize the motto. So for tech firms mistakes are acceptable as long as you're learning from them and delivering fast.

Now I would like to move on to what I call success factors, what kind of determine success, and in my experience the Golden Triangle of people, process and technology is responsible for the success of any program implementation, and this includes an information security program as well. In my experience FS and tech differ in their maturities of people, process, technology, those three pillars. So obviously green means good, and I've rated both FS and tech good in the people aspect, and again this is not unexpected, right? I mean, Silicon Valley is the center of technological innovation, Wall Street is the center of the financial world. I mean, London may dispute its ranking with New York, but in general it's not unexpected that the centers of these two industries would attract the cream of the crop. That's why people are great in both Wall Street and Silicon Valley, kudos to you guys there. For process, unfortunately, tech firms are not as mature as financial services. So as I mentioned, FS firms are all about doing things by the book, right, ensuring that things happen right the first time even if that be slow, and that's why they have very mature documented processes, formal process ownership, etc., whereas with tech firms it has been my experience that they're more concerned about the results, right, process be damned, or well, not damned, maybe not as important. So they are really not good at writing things down; it's all in the heads of some very intelligent people. However, that obviously is a single point of failure, this over-dependence on tribal knowledge. On the technology pillar, again, this is expected, right? I mean, tech firms by their definition are better at technology than FS firms. Obviously I will provide some illustrative examples to kind of support these points, but that's for later.

Now moving on as to how information security is different on Wall Street and in Silicon Valley. Before I move on to the differences themselves, I would like to take a moment to discuss defense-in-depth, also known as the castle approach or layered security. So as you can see from the example, right, the castle, the knight on a horse, kind of the attacker, this concept is fundamentally very simple, right? The idea is to have multiple layers of security such that even if a threat breaches one layer it would be blocked by another, right? And in the modern world the CISO is the lord of the castle, protecting that castle, the enterprise, from the hacker, and to do that the CISO implements defense-in-depth through administrative, physical and technical security. Now in my experience the decision factors and the success factors that I mentioned earlier kind of drive how defense-in-depth is implemented in FS and tech. And again, for administrative security I have rated FS as more mature than tech firms. Again this is not unexpected, because admin security has a lot of alignment with the process pillar of the Golden Triangle that I mentioned, right? So FS firms are typically better at processes, documenting processes and following them, unlike tech firms. For physical security also I've rated FS firms as better than tech. As you can imagine, the yellow means cautionary, the green means good, and I have a couple of theories around this. So even though today we are all about electronic transactions and credit card swipes and all that, FS firms, specifically banks, if you think about it, at one point of time they dealt with something very tangible: cash, right, a physical asset, and this asset faced a real physical threat from physical bank robbers, right? Think about, like, the Wild West bank robbers riding in on horses, yahoo and all that, right? So I think that kind of contributed to this ethos of mature physical security at FS firms. The second theory is something that I'm thankful to Mike Johnson, CISO at Fastly, for, because I was discussing this topic with him and this interesting kind of idea came about. If you think of the banks and other FS firms on Wall Street, they're typically housed in these huge tall buildings, right, with a single point of entry on the first floor, so unless the attacker is Tom Cruise on a Mission Impossible, flying, I mean, dropping in from a helicopter or something like that, they typically need to secure only that single point of entry. Contrast that with Silicon Valley, where the big players are in large spread-out campuses and the smaller players are in shared working spaces, none of which are conducive to physical security. Now moving on to technical security, again this relative rating is not unexpected, and also I will provide some examples around this, but tech firms, by their definition and the nature of the work that they do, are usually better at technical security than FS firms.

Now moving on to the examples. So around administrative security, which is all about rules and regulations, policies, standards, procedures, security awareness training, etc., what I've seen are some of these examples, and again green is good, yellow is cautionary. So you will see that for a top ten US bank I saw, like, extensive policies, standards, procedures, with each process having a formal owner as well as a secondary owner, and at a client insurance company there were no local admin privileges and use of USB drives was prohibited. Contrast that with this quantum computing client of mine, and you can understand, right, quantum computing, right, so the cutting edge of science, so to speak, but they had an utter lack of documentation and all the critical processes, right, IT and security processes, were dependent on one single very intelligent individual. Now if that individual were to get hit by a bus, or better yet win the lottery, then, pardon my French, that company's screwed. Also at this IoT software developer client of mine, I saw that they were actually advertising jobs saying that, hey, come work for us, you can use any software you want. So basically all users had full local admin on their machines and there was no restriction on USB usage. Obviously that made data extrusion as well as malware intrusion much easier.

Moving on to physical security. Also, as I mentioned, FS firms are typically better than tech firms. So again at a top ten US bank I saw that they had badge access with mantraps, which were also being monitored by security personnel. So basically three controls around that same area, right: badge access, mantraps allowing only one person to enter at a time, and again a security person was actually monitoring that. Compare that with this client of mine, where they develop software for rewards programs, and I'm quoting the CEO verbatim, right, he mentioned, he said, "everything's in the cloud, I don't need physical security." So this office, right, had multiple points of entry, no CCTVs, no badge entry, right? So I told him, okay, consider this hypothetical scenario: you are logged into your AWS admin account, you step away for a cup of coffee, I walk in and walk away with your laptop. Is that a concern for you? He said yes. So as you can see, even when everything's in the cloud there is still room for physical security. Again, at this asset management firm client of mine, I saw that they had extensive CCTV coverage where the feed was not only being recorded but was actually being monitored live, right? It's not being recorded just for review in case an incident happened. So that's, like, kind of a detective control; they're actually doing it live, so that becomes a preventive control. Compare that with this LMS developer client of mine, and by the way I have seen this at multiple firms in the Bay Area. So I go in to the office location, I sign in on a tablet, my host is notified and he or she comes out and escorts me in. Now note the gap here. If you think about this in terms of IAAA, identification, authentication, authorization and auditing: I provided an identity, but I never authenticated it, so I could have put in any name, right? Nobody asks for proof of that identity, and the fix is very simple, right? I mean, ask me for my driver's license. But again, something that is often overlooked.

Moving on to technical security, obviously the situation reverses itself. At this international bank client of mine I saw that they were using deprecated technologies, right, so their systems weren't patched, they were using insecure encryption like TLS 1.2, which has been considered insecure for quite some time, also old browser versions, leaving them susceptible to drive-by downloads. At the social media company client of mine in the Bay Area: mature vulnerability management, faster incident response, so usually technical controls are much better. Again, at this auto finance captive client of mine, they had a vulnerability management program in a sense: they were doing scanning, right, they were finding vulnerabilities, but there were so many rules and layers of approval required to remediate those vulnerabilities that basically they were being left unpatched for a long time. So kind of shades of that particular company handling our credit information and the Apache Struts vulnerability, right? So compare that again with this mobile app developer. Instead of these multiple layers of approval there was this bias for automation, where they were kind of reducing the need for human intervention, and that is good because, as we know, humans are the weakest link in information security.

Moving on, why should I care about all these differences? I want to answer this question from two perspectives, one that I call the assessor perspective, as in somebody doing an assessment, and the other the operator perspective, somebody actually working in these companies. So my hypothesis is this: that if you are an assessor, when you go on-site at any of the companies in these industries, you place a greater focus on things that are not traditionally that company's forte, or in this case that industry's forte. So I will illustrate this with some examples. So if I'm doing a NIST CSF, Cybersecurity Framework, assessment, right, at a financial services firm, I would put a greater focus on controls that I've mentioned there, for example PR.DS-2, data in transit is being protected, that's the SSL/TLS kind of control, right, and what you see, the text in red, those are gaps that I found. I'm not going to read through all of them, but you can see that for financial services firms I found several gaps around technical controls, whereas with tech firms usually the gaps are around administrative security and physical security controls. For example, I would like to mention this first one, PR.AC-2, physical access to assets is managed and protected. So one of the things that I look at when I'm evaluating the maturity of the control is the presence of alarms, and again this is something that I've seen at many Bay Area companies: there are alarms for forced entry, but there is no alarm for that door just being held open, so basically it makes tailgating so much easier. Now from the operational perspective, my messaging is this: that operational personnel across the two domains should focus on their relative weaknesses and learn from the other's strengths. So let's say that I work in security for a bank; I would look towards my peers in the tech firms to understand how they've implemented technical controls. So what I've done on this slide is I basically consolidated all the pros and cons, right? So for financial services, obviously, as we kind of covered earlier, strong admin and physical security with mature documented processes; however, weak in technical security and usually slower decision-making, which makes them laggards in adopting new tech. Whereas with tech firms, usually stronger technical security, not so much for physical and administrative security, but they are early adopters of new technology and there is this bias for automation. However, sometimes this excessive bias for freedom and excessive bias for action can lead to certain changes which are not security validated, so obviously that's another con.

Now moving on to the last section of my presentation: how does it all come together? Here I would like to revisit that quote from Mr. Kipling earlier, and interestingly those two lines are followed by two more: "East is East, and West is West, and never the twain shall meet, till Earth and Sky stand presently at God's great Judgment Seat." In my opinion, God's great judgment seat today is our shared, connected technology ecosystem. Whether it be FS firms or tech firms, they're using similar technologies, and that kind of makes them vulnerable to similar attackers, right? And unlike those bank robbers of old, who actually had to face the risk of being shot, the attackers today can be on the other side of the globe, possibly in a non-extradition-treaty country, and they can attack multiple targets at once. And here I would like to quote Mario Puzo in The Godfather, one of my favorite books, and he wrote: "a lawyer with his briefcase can steal more than a hundred men with guns." Now replace "lawyer with his briefcase" with "hacker with his or her laptop," and any company in any industry can be the target. So what I want to really emphasize is that Wall Street and Silicon Valley must come together to share, right, and learn from each other, because without all the three pillars of the Golden Triangle this edifice of the information security program will crumble; without all the three layers of defense-in-depth this castle of the enterprise will be breached, right? So it's important to share and learn, and obviously a forum such as BSides is a great place to do exactly that.

I would like to wrap up with my last slide here. So I love this cartoon, by the way, right: you have all these controls, and on the other hand you have Dave. Apologies to any Daves out here, I didn't draw this cartoon, but I loved it. So if you recall, when I was discussing the Golden Triangle, right, people, process, technology, I mentioned that both Silicon Valley and Wall Street have excellent, very intelligent people. True, but even intelligent people can fall prey to social engineering, right, because that is predicated on exploiting normal human behavior, and that is why, for everybody across the board, security awareness training is key. Now finally I would like to end with this whole message, that with all this fount of knowledge, all this information sharing, sometimes it makes sense to bring in a third party, to remove this confirmation bias, to eliminate this conflict of interest, right, if you're doing your own assessments, and obviously to keep people like me with a job. So if in doubt, bring in an external expert to play the devil's advocate. Thank you. [Applause]
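The door-alarm gap the speaker calls out under PR.AC-2 (alarms for forced entry but none for a door simply being held open, which is what makes tailgating easy) is the kind of thing a practitioner can encode as detection logic. The following is an added example, not code from the talk or its slides: a small Python monitor that replays badge-reader and door-contact events and raises both FORCED_ENTRY and DOOR_HELD_OPEN alerts. The event schema, door names, the 10-second unlock window and the 30-second held-open threshold are assumptions chosen for illustration, and the sample feed is constructed.

```python
"""Door-alarm logic for the two physical-security conditions the talk contrasts:
forced entry (door opened without a valid badge) and door held open
(door stays open past a policy threshold, the tailgating enabler).

Added example, not code from the talk. Event schema, door names and the
thresholds below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HELD_OPEN_SECONDS = 30.0      # assumed policy: alarm once a door is open this long
UNLOCK_WINDOW_SECONDS = 10.0  # assumed: a valid badge releases the strike for this long

Event = Tuple[float, str, str]  # (timestamp_seconds, door_id, event_type)
Alert = Tuple[float, str, str]  # (timestamp_seconds, door_id, alert_type)


@dataclass
class DoorState:
    unlocked_until: float = float("-inf")  # strike is released until this time
    opened_at: Optional[float] = None      # None while the contact reports closed
    held_open_alarmed: bool = False        # at most one DOOR_HELD_OPEN per open cycle


def _check_held_open(door: str, st: DoorState, now: float,
                     threshold: float, alerts: List[Alert]) -> None:
    """Raise DOOR_HELD_OPEN once the door has been open for `threshold` seconds.
    The alert is stamped at the moment the threshold was crossed, not at `now`."""
    if (st.opened_at is not None and not st.held_open_alarmed
            and now - st.opened_at >= threshold):
        alerts.append((st.opened_at + threshold, door, "DOOR_HELD_OPEN"))
        st.held_open_alarmed = True


def evaluate(events: List[Event], now: float,
             held_open: float = HELD_OPEN_SECONDS,
             unlock_window: float = UNLOCK_WINDOW_SECONDS) -> List[Alert]:
    """Replay door events in time order and return the alerts, sorted by time.

    `now` is the wall-clock time at the end of the replay, so a door that is
    still open with no further events can alarm as well.
    """
    doors: dict = {}
    alerts: List[Alert] = []
    for ts, door, ev in sorted(events):
        # Time has advanced to `ts`: any door still open past the threshold alarms.
        for d, s in doors.items():
            _check_held_open(d, s, ts, held_open, alerts)
        st = doors.setdefault(door, DoorState())
        if ev == "badge_ok":
            st.unlocked_until = ts + unlock_window
        elif ev == "badge_denied":
            pass  # the reader logs it; not treated as an alarm condition here
        elif ev == "open":
            # Contact opened while the strike was locked: nobody badged, so forced entry.
            if ts > st.unlocked_until:
                alerts.append((ts, door, "FORCED_ENTRY"))
            st.opened_at = ts
            st.held_open_alarmed = False
        elif ev == "close":
            st.opened_at = None
            st.held_open_alarmed = False
        else:
            raise ValueError(f"unknown event type {ev!r} for door {door!r}")
    # End of replay: doors still open at `now` get the held-open check too.
    for d, s in doors.items():
        _check_held_open(d, s, now, held_open, alerts)
    return sorted(alerts)


# Constructed sample feed (not real data): one normal entry, one badged entry
# where the door is then propped open, one unbadged open, and a door left open.
SAMPLE_EVENTS: List[Event] = [
    (0.0,   "lobby",        "badge_ok"),
    (3.0,   "lobby",        "open"),
    (8.0,   "lobby",        "close"),
    (60.0,  "lobby",        "badge_ok"),
    (62.0,  "lobby",        "open"),      # held open until 130s: tailgating window
    (130.0, "lobby",        "close"),
    (200.0, "server-room",  "open"),      # no badge_ok first: forced entry
    (205.0, "server-room",  "close"),
    (250.0, "loading-dock", "badge_ok"),
    (252.0, "loading-dock", "open"),      # never closed before the replay ends
]


def sample_alerts() -> List[Alert]:
    return evaluate(SAMPLE_EVENTS, now=300.0)


if __name__ == "__main__":
    for ts, door, kind in sample_alerts():
        print(f"t={ts:6.1f}s  {door:<13} {kind}")
```

Running it prints one DOOR_HELD_OPEN for the propped lobby door, one FORCED_ENTRY for the server room, and a second DOOR_HELD_OPEN for the loading dock that was still open when the replay ended. The forced-entry rule is deliberately narrow (open while the strike is locked); a real access-control system would also feed in request-to-exit sensor events so that legitimate exits from the inside are not flagged, which is an assumption this example does not model.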