
And our next speaker is Georgio Bieswas, and he's going to talk about Cyber Security Is War: Lessons from Historical Conflicts. He's going to take a look back at wars, you know, years and years and years ago, and how to look at that to learn about cyber security in 2020 and on. Hi Joe, hello there, can you give me... yeah, I can hear you now. Have a great talk, take it away.

All right, so let me just start sharing my screen, and let me know if it is visible. All right, is my screen visible? Can you guys see my screen? Hello? Was my screen visible earlier? Okay, sorry. Okay, yeah, I just saw the chat. Just give me... let me get back to the screen. All right, perfect.

All right, good afternoon guys, it's a pleasure to be here speaking to you at BSides Connecticut. The topic of my presentation today is Cyber Security Is War: Lessons from Historical Conflicts. Now this is not as technical a session as some of the ones that I've had the pleasure of sitting through today; there are no log snapshots, there are no tool screens, but hopefully I can retain your interest for the next 40-odd minutes on a Saturday evening. I feel that this is something that is relevant today, and that's what this is about.

My name is Shojo Biswas. The bunch of letters after my name show that I'm good at taking tests which involve multiple-choice questions; hopefully that translates well into me being a better security consultant, because that's what I am. I work at the NCC Group; we pride ourselves in being the largest pure-play cyber security consulting firm in the world, and I have had the privilege of working as a consultant advising security teams, as well as being part of such security teams availing of consulting services. I've worked across industries and in organizations of different sizes and maturities. What you can determine from that headshot on the left is that that is one example where I'm okay with using deprecated information, unlike most things security. One thing you'll notice is that I am definitely not a military expert; however, I am an enthusiast of military history.

So just one quick second while I ensure that everybody is able to see this, I just want to check the chat. All right, perfect, good, thank you. I'll get back to sharing my screen again, sorry for that. All right, cool. As I said, I am not a military expert, but I am an enthusiast of military history, and I've tried to merge my passion with my profession.
Specifically, this presentation combines my general interest in the history of warfare with my experience working in infosec. Now, why am I calling cyber security similar to a conventional war? What are the parallels here? So I'd like to start off by quoting this Italian philosopher, because this is all about learning from history, and he wrote: those who cannot remember the past are condemned to repeat it. I'm sure you have heard this quote in one flavor or the other.

Now, speaking about the parallels: if you think about conventional war, that basically involves an attacker and a defender, or two parties in conflict, fighting over a valuable asset. It has happened in the past, it has happened in the ancient past and in the recent past, it's happening now, and it's going to happen in the future. The picture on the right, the silhouette: that soldier on the left, you can see that person is holding an American weapon, while the soldier on the right is holding an AK-series rifle. The map, that's the Fulda Gap in Germany, and that is the area where for several decades NATO feared that the Warsaw Pact countries of the Soviet bloc, the tanks, would actually roll through in an invasion. Now today, again, we have a similar situation in cyber security.
We have attackers, the bad guys, and the defenders are people like us, fighting over valuable assets, usually information, and of course we are using multiple tools. And of course, as you can see, history keeps repeating itself. Now before I move on to the core of this presentation, which is about learning from historical conflicts, I would like to first take a minute to explain how we have divided the different historical eras. So I have divided the history of mankind, or specifically the history of human conflict, into three eras: ancient, medieval and modern. These kind of align with how the history of mankind is divided by historians. I don't go back as far as the Paleolithic era, the Stone Age and all that, but I start off as early as 2,500 years ago.

And I would like to start off by quoting Aristotle, also an ancient philosopher. You will see I use quotes a lot; I kind of love them because I think they help bring context outside technology or anything like that. And Aristotle said that war is a school for virtue. So war brings out the best in people, and unfortunately the best in people includes the attackers as well, and in our case, where we are the defenders, the enemy's best is obviously not good for us.

Now the first example that I would like to cover is the ancient Greeks and military ciphers. This picture that you see on the left, this is the earliest example of steganography. Steganography is the technique of hiding secret data within an ordinary, non-secret file or message. So what would happen is that a secret message would be tattooed onto the head of a slave, on a shaved head; the hair would be allowed to grow out, and then that person would be sent across enemy lines to allied forces, where the head would be shaved and the message would be revealed. This particular example was mentioned as being used around 500 BC by Herodotus; Herodotus is called the father of history. And as you can see, this message must not have been time-critical, because it does take time for hair to grow out and cover the message before it can be subsequently shaved off, but it's interesting how the Greeks kind of used this way of hiding secret data in plain sight.

Another example that I would like to talk about is the skytale cipher. Here a piece of parchment would be wrapped around a rod and written across, and this picture is very good at explaining this. So if you think about it, you can see the message: send more troops to southern flank. Obviously this is not ancient Greek, but it kind of conveys the essentials of this particular cipher. So once this piece of paper is unwrapped, then it would be a gibberish sequence of letters; in this case it would be SDSF, then ERO, and the message would be revealed in its entirety only if the paper is wrapped again around a rod of the same diameter. This is called the skytale cipher; the word comes from the Greek word for baton, skytale. I'm sure I'm butchering the pronunciation, but this was again estimated to have been used around 400 BC. Again, you can see that this is similar to symmetric encryption today, where the same key is used to encrypt and decrypt data; in this case the key would be the diameter of the rod, and this is obviously information that must have been decided beforehand between the sender and the recipient.

Now from this example, what is the lesson to be learned? The first lesson is: know your data. By the way, the meme on the right: I extensively use Star Wars memes, so I hope there are Star Wars fans out there in the audience. So coming back to the lesson: as I said, know your data. Storage is cheap, so it's important to reduce data sprawl, because if you don't know that it exists in the first place, you won't be able to protect it. And the second part of this is that you should only collect and store what you need, because if you collect everything, or rather a lot, you basically also have to protect that large body of information wherever that data exists. So the advantage is, if you collect less, you don't have to protect it. The second lesson is kind of obvious: encrypt sensitive data, and that includes encryption at rest, in use and in transit, but encrypt only what you need to protect, because there is a performance cost to encrypting data as well as decrypting data. And of course you should leverage appropriate tools and techniques, thereby avoiding insecure protocols like TLS 1.1 and lower, and avoiding insecure algorithms like MD5 and SHA-1. NIST actually has authoritative guidance around this, so the general rule of thumb is to follow NIST guidance.

The second example from ancient conflicts is the Battle of Thermopylae and the 300 brave Spartans, who were part of the most famous last stand in the history of warfare. The picture that you see is a picture of the actual pass at Thermopylae; it is only 46 feet wide across, and that enabled only 7,000 Greeks to hold off 200,000 Persians, because a few people standing side by side can basically block that pass. Of course, any mention of the Battle of Thermopylae is not complete without a mention of the graphic novel by Frank Miller, which was faithfully brought to the big screen by Zack Snyder. Of course, there were certain liberties taken with history: for example, if you have seen the movie, the Persian emperor Xerxes was not a giant with strange body piercings.
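The skytale cipher described a little earlier, as an added example that is not part of the talk: a Python implementation of the transposition, where the shared key is the number of letters that fit around one turn of the rod (what the talk calls the rod's diameter). The message is the one from the slide, but the exact scrambled letters depend on how the strip is wrapped, so they will not necessarily match the slide; the wrap width of 8 is an assumption. It shows the round trip with the right key, gibberish with a wrong one, and the caveat that the key space is tiny.

```python
"""Skytale (scytale) transposition cipher: added example, not the talk's code.

The parchment strip is wrapped around a rod and the message written across,
one row per turn; unwrapping the strip reads the letters down the columns.
The shared secret is how many letters fit around one turn (the talk calls it
the rod's diameter).
"""
import string


def normalise(text: str) -> str:
    """Keep letters only, uppercased: Greek military messages had no spaces."""
    return "".join(ch for ch in text.upper() if ch in string.ascii_uppercase)


def skytale_encrypt(plaintext: str, circumference: int) -> str:
    """Wrap, write across, unwrap: read the row-major text column by column."""
    if circumference < 2:
        raise ValueError("circumference must be at least 2 letters per turn")
    letters = normalise(plaintext)
    # one row per turn of the rod; the last row may be short (ragged)
    rows = [letters[i:i + circumference] for i in range(0, len(letters), circumference)]
    unwrapped = []
    for col in range(circumference):        # walk along the strip ...
        for row in rows:                    # ... one turn of the rod at a time
            if col < len(row):              # skip the gap left by a ragged last row
                unwrapped.append(row[col])
    return "".join(unwrapped)


def skytale_decrypt(ciphertext: str, circumference: int) -> str:
    """Re-wrap around a rod of the same size and read across the rows again."""
    if circumference < 2:
        raise ValueError("circumference must be at least 2 letters per turn")
    full_rows, extra = divmod(len(ciphertext), circumference)
    num_rows = full_rows + (1 if extra else 0)
    rows = [[] for _ in range(num_rows)]
    pos = 0
    for col in range(circumference):
        # only the first `extra` columns reach down into the ragged last row
        col_len = num_rows if extra == 0 or col < extra else num_rows - 1
        for r in range(col_len):
            rows[r].append(ciphertext[pos])
            pos += 1
    return "".join("".join(r) for r in rows)


# Message from the slide; 8 letters per turn is an assumed wrap width.
MESSAGE = "send more troops to southern flank"
KEY = 8  # the shared secret agreed beforehand by sender and recipient


def demo() -> dict:
    """Round trip with the right key, gibberish with a wrong one."""
    ciphertext = skytale_encrypt(MESSAGE, KEY)
    return {
        "ciphertext": ciphertext,
        "right_key": skytale_decrypt(ciphertext, KEY),
        "wrong_key": skytale_decrypt(ciphertext, KEY - 1),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:>10}: {value}")
    # Caveat: the only possible keys are 2 .. len(message)-1, so secrecy rests on
    # an interceptor never trying the handful of rod sizes. The same-key symmetry
    # is the parallel to modern symmetric encryption; the key space is not.
```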
There is no record of war elephants being actually used in that battle. Of course, the meme: you can see the battle cry of "This is Sparta" actually lends itself to memes, and that is what I've done here. I love the quote in this movie which says: go tell the Spartans, stranger passing by, that here, by Spartan law, we lie. This is actually on the memorial stone that has been erected at that place. So now that we have the example, what is the lesson to be learned here? The lesson is to reduce the attack surface; it's all about hardening your environment, and that's why I have that meme of Han Solo hardened in carbonite.

Hardening includes hardening your networks, so that you have a single point of entry to a trusted network: a bastion host which allows traffic from whitelisted IPs only, the firewall which denies all traffic by default other than what is specifically allowed in. And then once inside the trusted network, you can implement hardening by segmentation, by dividing the network into sub-networks and controlling traffic between them. You also have containerization, getting increasingly popular nowadays, where you run apps in isolated processes. You can harden your servers by disabling unnecessary ports, because any unused port, any open port, technically can be used to exfiltrate data and infiltrate malware, and any open port can be forced to respond to traffic requests, and this can lead to denial of service. So obviously you can see the first point kind of affects confidentiality and integrity of the CIA triad, and the second point affects availability of the CIA triad, so pretty much all three elements of CIA can be affected by unnecessary ports left open.

You can harden endpoints, and again this is something that I've seen with a lot of my clients in Silicon Valley, where there is a culture of trust. They believe in not monitoring employee activity; they believe in giving employees every kind of access; basically they can use anything to get the job done. In other words, they have full local admin access, they can install anything, they can even uninstall software, and that can include things like the antivirus. So as you can understand, this is not really conducive to good security, and that's why hardening endpoints can involve disabling local admin privileges and allowing installation of whitelisted applications only.

Now the final example in ancient conflicts that I would like to cover is Hannibal and the crossing of the Alps. Hannibal was a Carthaginian general; they were traditional enemies of the Romans. Here I would like to just mention this quote by Sun Tzu in The Art of War, and he wrote that if you know the enemy and you know yourself, you need not fear the result of a hundred battles. So Hannibal actually implemented this in practice. He knew, around 250 BC, that the Roman navy was all-powerful, especially in the Mediterranean, so he didn't want to go through the Roman navy; the chance of success was lower. So he decided to circumvent the navy and attack from the supposedly impregnable north, where basically the Alps stood. So he crossed the Alps, and he did it with war elephants, and this seems kind of unimaginable, and in fact to the Romans it was. Once he crossed the Alps, Hannibal won a string of great victories. He was ultimately defeated, but such was the shock and awe of this particular attack that even centuries after Hannibal's attack, the cry of "Hannibal is at the gates" was a common exclamation of fear in the Roman lexicon. And by the way, this actually happened: scientists have found proof of a mass animal deposition, in other words a lot of animals defecating, because other than 37 war elephants there were around 9,000 horses, and there's actual proof that Hannibal did cross the Alps with this huge army. So what is the lesson to be learned here?
The cyber security lesson is: expect the unexpected, and that includes considering unexpected threat actors, for example state actors. Is your IP valuable enough? As cyber security consultants or cyber security professionals, you must consider the possibility that your IP is valuable enough to attract unwanted attention from state actors. For example, this client, this organization, worked on quantum computing, the cutting edge of research, but they were a very small organization; they didn't even consider that they would be targeted by Chinese state actors until it actually happened. So maybe even if you're a small organization, your IP is that valuable, enough to attract that kind of unwanted attention.

Now with organized crime: is your information lucrative enough? Can your information be stolen and sold for a profit? Is it lucrative enough to justify the level of effort that organized crime syndicates would spend to get access to that data? In terms of hacktivists: is your organization unpopular enough to get, again, that kind of unwanted attention? Are you in the news, or are you associated with any kind of movement that can basically make you a target for hacktivists?

Also part of this lesson would be considering unexpected attack vectors. Are you securing your entire environment? What about your third-party vendors and contractors? Are you restricting their access to the minimum required to do the job? Are you monitoring what they do? Are you ensuring that once they have access to your data, they are actually protecting the data? One example that I would like to mention here is the Target breach. In 2013, hackers stole approximately 40 million credit card and debit card records, and this breach was traced to network credentials stolen from the HVAC provider, Fazio Mechanical Services, that were then used to implant malware in Target's point-of-sale terminals. So you can see that while Target may have been diligent in securing its own environment, it is possible that this diligence may not have carried over in assessing its third parties or their connectivity to the Target network, thereby opening up this unexpected opportunity for the cyber criminals.

Then, in order to identify these possible threat actors and vectors which may be applicable to you, you should do your due diligence. You should do threat modeling and risk assessments, run regular vulnerability scans, and now you can actually leverage machine learning for proactive threat hunting, so you no longer have to wait for something bad to happen. You don't have to detect an indicator of compromise; you can detect possibly an attack that is going to happen, and those are indicators of attack. So you don't have to wait, you don't have to react; you can actually go out and do things proactively.

Now that kind of ends the examples and lessons from ancient conflicts. Now I'm moving on to medieval conflicts and the cyber security lessons that can be learned from those. Again a quote, and here I would like to quote this great conqueror from the medieval age, Genghis Khan, and he said: conquering the world on horseback is easy; it is dismounting and governing that is hard. So I think this translates very well to today. If you think about it, we are trying to maintain the status quo as cybersecurity professionals, and we have to be right all the time, whereas attackers need to be right only once; they want to change the status quo, so to speak.

The Mongols, that's the first example that I would like to mention: the Mongols and professional mobile warfare. So in the 12th century, when Genghis Khan operated, most kingdoms had conscript armies, farmers who were given weapons to fight. However, the Mongols under Genghis Khan had a professional army; they trained for war, and what's more, it was a true meritocracy. For example, Subutai, he was perhaps the greatest Mongol general; he was the son of a blacksmith and started his military career as a guard to Genghis Khan's tent. And you can see the result of this professionalism: the Mongol Empire, covering 9.27 million square miles, was the largest, or actually it was the second largest, until it was topped by the British Empire, but that was 700 years later. Another defining aspect of the Mongols was speed. This enabled them to attack from multiple fronts, feign retreats and circle back to attack again, and for this purpose they trained. They lived off the land, so they didn't have long supply trains to slow down the progress of the advance, and each soldier rode with four to five horses, so no one particular animal would tire out.
As a result, the Mongol army could move as fast as 100 miles a day, completely unimaginable in those days, and as a result the forces of Hungary and Poland were defeated on consecutive days; this was completely unexpected, especially in that era. So what's the cyber security lesson to be learned here? There are two that I would like to mention: focused training, and improving speed of response.

So the first one: providing role-based security training. Again, I've seen this at many clients: they have a general security awareness training, and that's it, nothing more. While that is important, it is necessary, it is not enough; it should be supplemented with role-based training, and this can be based on the job description. For example, incident responders should receive specific IR training, and it can also depend on privileged access. For example, administrators, executives, they have additional access, and executives are targeted in phishing scams. There's actually a term for targeted phishing scams towards executives, called whaling, because the whales are the big animals; executives are the people who have the big access, they have privileged access. So let's say somebody phishes an executive, steals the credentials, sends an email to the accounts department asking for a payment to be made to a third party; it's not a vendor but basically a fraud account. It is less likely that the recipient of the email, the accounts personnel, would actually push back, because that email is actually coming from that executive, let's say the CEO. And there's a term for this: it's called business email compromise, and the FBI actually had put out information saying how big a problem that is.

The next lesson is to respond to security incidents quicker. I feel that this meme about the AT-AT walkers is relevant, because if you've seen the film, you've seen that they are really slow and unwieldy, and that's why the Rebel Alliance could literally fly rings around them. So responding to incidents quicker is obviously very important: the earlier it is contained and recovered, the lesser the impact, and there are numbers to back it up. This Cost of a Data Breach study found that if that detection-to-containment window is more than 200 days, the cost is 4.56 million; if it is less than 200 days, the cost falls by more than a million dollars. Of course, in order to respond, you first have to detect that incident; you can't respond if you can't detect an incident, and for that purpose you should have suitable tools and, very important, the human resources to use those tools. It's not enough to just implement tooling without having enough people to, let's say, respond to such alerts, and speaking of alerts, the tools should be configured properly; the rules should be set up to reduce, if not eliminate, the false positives.

Moving on to the next example from medieval conflicts: Crusader concentric castles. The picture is self-explanatory; you can see these different concentric layers of walls, and this started in the Crusader region; the earliest example is from the 12th century AD. The outer wall protected from siege engines, while the inner wall provided outflanking fire. Now this concept became popular; it spread outside the areas of Israel, of course there was no Israel then, but it spread to Europe as well, and the other picture is from Wales, and the concept also expanded to cities. Now what's the lesson to be drawn from this particular example? The lesson is to establish defense in depth, and this is very pertinent, because if you think about it, the traditional defense in depth, with administrative, physical and technical controls across different layers protecting a trusted environment; another word for that is the castle approach. So you can see that there is definitely a parallel here. Of course, as assets have moved away from on-prem to the cloud, there have been more modern implementations of defense in depth: you have the network-driven OSI 7-layer, and then there's also the fan approach, where you have controls protecting the perimeter, the network, endpoint, app and data separately.

One important takeaway is not to ignore physical security, even if you are in the cloud. And I had a client, the CEO, he actually mentioned, he said that my production environment is in the cloud, I don't need physical security. So this organization was housed in a building with shared access, as in that building had offices of other firms; there were multiple doors, there was no badge system, there was no CCTV surveillance. So I told him, okay, think about this hypothetical scenario: you're logged into your AWS admin account, and you walk off to get a cup of coffee, and I walk in and walk away with your laptop, which is already logged in to your AWS account. Is that a concern for you? Well, he said yes, but then he pushed back. He said, okay, I agree, but a lot of my employees work remotely, and I'm not enforcing physical security in their homes, so why should I do it here? So I told him, okay, if I am targeting your organization, if I'm specifically targeting your organization, where do you think I'm going to show up? Where is the higher probability of me showing up: in your employees' homes, or in your office here? So the takeaway is that even in this age of cloud, physical security matters.

Now the last example from medieval conflicts, and this is the First Battle of Panipat and the rise of the Mughals. Another picture that you see on screen, the Taj Mahal; I'm sure you have seen this picture. This is the building that is most closely identified with my motherland, India, and this is the culmination of the Mughal dynasty. And the Mughal dynasty held sway over India for two centuries; however, it had very humble origins. It began with this minor Uzbek chieftain called Babur, and he won this great battle, the First Battle of Panipat, against a superior opponent. This opponent, Ibrahim Lodhi, had ten times the soldiers, and he had a thousand elephants. So if you think back on that example of Hannibal, he had 37 elephants and that caused panic among the Romans, and in comparison Lodhi had one thousand elephants. Now war elephants were a fantastic, very powerful weapon in the battlefield, until Babur introduced field artillery, cannons, for the first time in India, and when these cannons fired, the elephants panicked, so they ran back and trampled their own forces.

So what is the lesson to be learned here, the cyber security lesson? The lesson is to adapt to new challenges and opportunities: for example, adapting to new assets. With IoT, the Internet of Things, the attack surface has substantially expanded; now you have computers in pretty much anything electronic, your smart speakers, your smart fridges, and researchers have actually been able to hack all of them. Even the ECUs, the electronic control units, the small computers in your cars, have been hacked as well, and I believe there was an article in Wired where a researcher was not only able to hack into the entertainment system, and that's not a big thing, you're just forced to listen to songs that you don't like, but the researcher was able to get control of the driving as well, and that is scary.

Adapting to new threats, that is very important. I mean, ransomware wasn't that big a threat a decade back; nowadays not a week goes by that you don't hear of a ransomware event. AI-generated deepfakes: as I mentioned in the earlier example of business email compromise, where the CEO sends an email asking for a payment to be made, earlier the recipient could verify that, or rather not verify it, by calling up that person, and obviously if the CEO hadn't made such a request, the CEO would deny it, and then that payment wouldn't be made and the organization wouldn't lose money. But now the attackers can actually simulate that CEO, and not only the voice but also the face. What you see on screen are obviously the good examples of using AI-generated images or AI-generated characters, Grand Moff Tarkin and Princess Leia; we enjoyed those, but obviously AI-generated deepfakes are a major concern nowadays in security. So what do you do? You adapt to new tools.
You have new attack vectors, you have new technologies being used by attackers, but you have new technologies in your hands as well. For example, file integrity monitoring: you can use that to detect mass encryption during a ransomware attack and hopefully stop it before it spreads much further. And there is AI-based threat hunting, as I mentioned earlier, which looks not only at indicators of compromise but also at indicators of attack, so instead of reacting to something bad that has already happened, you proactively search out and find an attack before it actually happens.

Now moving on to the last era, modern conflicts, and the cyber security lessons that you can learn from those. Again a quote, and here I'm quoting the legendary US Army general George Patton. He said: battle is the most magnificent competition in which a human being can indulge; it brings out all that is best, it removes all that is base. So now for these examples in modern conflicts, I have restricted myself to US history only, just because of the audience here, and the first example is from the American Revolutionary War. Now it may surprise you that this is part of modern history even though it happened 250 years earlier, but it makes sense, because America is a young country.

And during this war, Americans obviously threw off the yoke of the British Empire, and Benedict Arnold played a major role. He was a rising star; he was a major general during this conflict, he was admired by George Washington himself and given charge of Fort Arnold, which was again named after him, a great honor. However, a belief in being passed over for promotion, an expensive lifestyle which left him deep in debt, and finally his wife, who also sympathized with the enemy, the British, led Benedict Arnold to treason. He planned to surrender the fort to the enemy; that plot was discovered, so he himself fled, and later on he led British troops against the troops that he had formerly led in the US Army. So now the name Benedict Arnold is a byword for treason and betrayal. And there's a valuable lesson to be learned here, and I'm sure some of you can already figure that out, and that is to protect yourself against insider threats. The meme on the right, Galen Erso, the designer of the first Death Star: he basically designed that exhaust port, that tiny exhaust port where Luke could fire a torpedo, and that led to the catastrophic failure of the entire battle station.

So it is very important to be aware of and protect against insider threats, because possibly an insider threat is more dangerous than an external threat. One thing I've seen is that a lot of companies are very aware of external threats, at least they're cognizant of the risk there; however, with insider threats they are not so aware, because again there's this culture of trust; they believe that they hired the best people. However, an insider threat, if you think about it, can compromise security more easily, because they already have the credentials, they already have that privileged access, and even after they do something bad, they can be more difficult to detect, because again a lot of organizations don't even think about that.

So it is important to establish suitable controls around that. This can start with restricting access to information assets based on the principles of need to know and least privilege: basically give access only based on organizational need and what is needed to do the job, the minimum needed to do the job. Eliminate conflicts of interest: for example, if I need access to a server that I don't have today, I shouldn't be the person approving my own request; that's a clear conflict of interest. Another control would be to conduct background checks, and again repeat them for privileged users. While most of my client organizations do background checks, very rarely have I seen background checks being repeated, but things change; life situations change. A person who would not have been an insider threat 20 years ago, maybe that person went deep into debt, maybe that person is already doing stuff which should raise red flags, but nobody is doing those background checks which can help find that out. Maybe that person's credit history has gone really bad, but unless you repeat background checks, you won't be able to discover that.

And finally, obviously, monitor for suspicious activity: late logins, mass data transfers, very large printouts, maybe like taking printouts away from their own desk. So these are again not necessarily indicators of compromise, but they can be indicators of attack, and combined together they can help detect an insider threat before that insider threat has a chance to do real harm. Now I spoke about malicious insiders, but we shouldn't forget a very important threat here, the accidental insider, basically user error. And obviously any mention of user error is not complete without a reference to Jar Jar Binks, the great blunderer in the Star Wars universe, and user error can do as much harm as a malicious insider.
And open AWS S3 buckets, I'm sure you have read about this, you have seen this a lot, and this is a problem that keeps happening. And this is not because of a malicious insider; this is an authorized user who is not doing their job, or I mean, doing their job incorrectly. So again, this also falls under insider threats.

Now the next example, the battle that turned the war in the Pacific. I am referring to the Battle of Midway during World War II, but first, the story starts with the attack on Pearl Harbor: December 7, 1941, as President Roosevelt said, a date which will live in infamy. So Japanese forces caught the U.S. Navy unawares, and this was actually a very successful aerial attack. There was significant damage to the U.S. Pacific Fleet, very little Japanese losses. The picture that you see on screen, that's actually the USS Arizona, and around 1,100 people died on this ship, practically half the death toll of the entire attack.

However, things turned around six months later. While the attack on Pearl Harbor was a failure of U.S. intelligence, the Battle of Midway was a triumph. During this battle the U.S. Navy defeated the most powerful naval force seen till then, the Imperial Japanese Navy, and this battle was so impactful, so monumental, that military historian John Keegan called it the most stunning and decisive blow in the history of naval warfare. The Japanese force lost all four of their aircraft carriers to only one lost by the U.S. Navy, and had 10 times the casualties. So this is the battle which many, many students feel permanently weakened the Japanese Navy, and it definitely turned things around, and this was a huge triumph of U.S. intelligence.

So what are the lessons to be learned here? The lesson is to learn from your mistakes, and keep it simple, stupid, that's KISS. Learn from your mistakes as well as others' successes. So as I said, at the attack on Pearl Harbor U.S. intelligence dropped the ball, but six months later the Americans cracked the Japanese naval codes, and this neutralized the careful planning of their opponents. And in cyber security you can do this: learn by participating in information sharing programs such as FBI InfraGard, you can do it by attending conferences like this, BSides Connecticut. But even operationally, in your day jobs, you should conduct post-incident reviews, you should document lessons learned after incident response and business continuity tests. Then keeping it simple: again, this is very important. Get the basics right, basics around access control, vulnerability management, security awareness, because without the basics advanced tools won't help.

Now specifically for the Battle of Midway, the Japanese Navy, which had, as I said, a much larger fleet, had overly complex plans, and as a result the Japanese fleet was dispersed too widely to press home their numerical advantage. So in cyber security it is better to implement a few tools well than to have many which are not implemented properly. So you should have the mechanisms in place, as in documented procedures and the right rules in place to trigger alerts, and of course have appropriate resources and train them to operate these tools.

Then finally, it is important to be flexible. In the Battle of Midway, bound by strict Japanese doctrine, the Japanese admiral Nagumo hesitated in launching his aircraft until he had the proper armaments and fighter cover and all that. In contrast, U.S. Navy admirals Spruance and Fletcher launched immediately after getting sight of the enemy, and basically within 10 minutes the Japanese Navy was devastated. So there was this very small window of opportunity that the U.S. Navy was able to exploit because they were flexible. So while it is important to follow established processes, it is also important to be flexible, especially if these processes are delaying decision making; then they should be changed.

Then the final example in modern conflicts, and the final example of my presentation today: Close Encounters of the Thermonuclear Kind. Now this picture
that you see is a poster of a movie from the 90s, Broken Arrow. I'm sure a lot of you have actually seen this movie; this is an amazing action movie, and this deals with a broken arrow, a broken arrow being a nuclear weapon that is lost, stolen or inadvertently detonated. Obviously the last one has never happened, thank God, but we actually came very close in 1961. So this was happening in the 1960s, when ICBMs and SLBMs, the ballistic missiles, were not very mature, so these bombers with nuclear bombs were the last line of defense against the Soviets. What happened in 1961 was a B-52 bomber broke up in mid-air. It was carrying two four-megaton nuclear bombs. So when these bombs fell, one was destroyed when it hit the ground; the other one, actually the parachute deployed, and very alarmingly three of the four arming devices activated. So just one more and it would have exploded, and possibly the other one would have exploded in sympathetic detonation, so that's like eight megatons. Now consider that each of these bombs was 266 times the one that was dropped on Hiroshima, and you can kind of imagine the devastation. Possibly we would have a new coastline in North Carolina.

So what's the lesson? The lesson is to eliminate single points of failure. Obviously any discussion on single points of failure is incomplete without the Death Star. As the meme says, it has the power to destroy entire planets but was defeated by a single explosion in one exhaust port, and that led to the catastrophic failure. So a single point of failure, it can be in administrative security, where, and I've seen this happen at clients, all controls are handled by one key individual who doesn't follow established processes, so everything is in this person's mind. Obviously a very intelligent, capable individual, but what happens if this person were to win the lottery or get hit by a bus? Similarly in physical security, a data center with a single utility line, that's a single point of failure. Ideally it should be different connections by different providers, and additionally supplemented by UPS and power generators. In technical security an example would be a single server delivering a critical service with no load balancing, with no failover. Obviously this makes that particular server a single point of failure. And to detect single points of failure you really should do an exhaustive risk assessment every year, or even earlier if there is a major change in the operating environment.

Now with all these controls that I covered, there's still one important control that I didn't mention, and for this, this particular quote is very relevant. Bruce Schneier said, amateurs hack systems, professionals hack people. Now even with all these controls organizations are still getting breached, and that is because, as you can see in this cartoon, a wonderful piece of work, with all these controls you still have human error in the form of Dave. Apologies if there are any Daves in the audience, but it all boils down to the human element. I mean, humans can be the strongest and weakest links in cyber security: strongest if they know how to operate all these wonderful tools and weakest if they don't. So education is key.

Now in conclusion, I would like to quote this great philosopher Kanye West, who said, I was never really good at anything except for the ability to learn. So it is very important to share and learn. Mario Puzo wrote that a lawyer with a briefcase can steal more than a hundred men with guns. Now you replace the lawyer with his briefcase with a hacker with his or her laptop. And today in this connected world threats span industries, they span countries, so it's very important for cyber security professionals to share and learn, and a forum such as BSides Connecticut is obviously a great avenue to do just that. As Darth Vader, the great philanthropist, said, strong people don't put others down, they lift them up. Now finally, it is good to share and learn, but it's also important to ask for help if needed, because even if you're very knowledgeable, even if you're very experienced, you can still suffer from confirmation bias. You may be looking for answers which speak to your own prejudices, and in these cases an impartial third party can help. Obviously this is a pitch for cyber security consultants like myself, but sometimes it does make sense to bring in that impartial third party to come in, ask the tough questions and basically play the devil's advocate.

So that's it, that's the end of my presentation. Thank you again for your time. I believe I have a few minutes, yeah, 10 minutes approximately, and I'm happy to take questions.