
What Up Breaches?

BSides Charleston · 2017 · 48:45 · 55 views · Published 2017-11
About this talk
Security BSides 2017, College of Charleston, SC, November 11, 2017, @BSidesCHS. Title: "What Up Breaches?" Speaker: Frank Catucci (@en0fmc)

Transcript [en]

This is a little bit different type of talk. It seems the room's pretty thin, so maybe I didn't do a good job describing this. It is definitely a talk about breaches, but not just breaches; it's to talk about what is going on. You know, there's a lot of us out there who are a little bit fed up with some of the stuff that's going on, especially with breaches nowadays, and if you use Equifax, that's a company with plenty of capital, plenty of money, plenty of expertise on hand, and how they let certain things slip away from them is a little bit frustrating. You know, there's plenty of us who've been kind of preaching the

same thing for years, and we're sick of listening to ourselves. So when you see people get on the offensive and you see people say things that are derogatory, just know that breaches can happen to everybody, and we realize that. But when certain places breach not just your personal data, that you didn't consent to them having, it's also a breach of trust, right? A breach in itself is not just losing your data, that's been lost thirty times; it's the level of trust in an organization, and it forms that relationship with you as a consumer. And, you know, some good has happened with some of the breaches, right? So one thing I can think of is

that Target right now has one of the best blue and red teams in the country, I believe. I know the gentlemen who run each of those teams at Target, and they're a phenomenal group. Now it sucks they had to have a wake-up call like they did, but it happened. So as I get started here, again, the title of the talk is "What Up Breaches?" I don't see a lot of children in the audience, which is good, because I'm gonna get a little colorful here and there. But I want this talk to be interactive, right? This is a small enough group. If anyone here has ever been to ShmooCon before, feel free to throw something at me; they

won't injure me. If you want to call, I would love to discuss it. If you have any questions, speak up. Some familiar faces in here, and there's gonna be some good examples. So I had some ideas for this talk. Again, I have some teenage daughters, so, you know, indicative of that, the talk was almost titled "Drop Database Breaches" or "Drop Your Breaches." Unfortunately I did see a Splunk t-shirt like that years ago. I was gonna do "Breaches Are Crazy," but then I started to think about any implications of that. And with that, we'll get started. Quick intro: I know I was introduced earlier. Ralph is here; he also runs the OWASP chapter with me in Columbia. I'm

primarily an application security guy nowadays. I've done a lot of things in previous lives: obviously started in helpdesk, went to sysadmin, network engineer, some pen testing and bug bounty, and I was a CIO at some point in my life, that was in the past. Personal life, in case you care: I am a husband, a father, I do have a farm, believe it or not. I like to break things, I like to build things, and most importantly I end up fixing a lot of stuff. And again, one of the motivations for this talk was just being one of those guys who's tired of being ignored for years and years and years, and I'm tired of getting the emails, I'm

tired of getting the free identity protection. I'm pretty sick of it, I'm sick and tired of it, and that really leads me on to my next slide. So I feel like, you know, we lose control of some basics, and by basics I don't mean basics as far as things that Jack mentioned, right? Jack had some really good foundation points. I'm talking about basics of our modern-day infosec and application security departments, those kinds of basics, basics that we function at on a daily basis, that should be baked into the processes that we hold, and they're not. And I want to bring some of those points up. I've seen what works,

I've seen what doesn't, I've seen too many mistakes. Again, nobody is breach-proof, we all can be breached, but I think that we can do better. Again, you know, sophisticated attacks do exist, and if a nation-state or 0-days is targeting you from China or Russia, you probably don't have a good shot at being successful; they're probably going to win. But are nation-states attacking, you know, most of the breaches that you're getting notified for? I mean, aside from OPM or Blue Cross, I guess Anthem, aside from those, are most of the notifications that you're getting from people who've been targeted? No. You know, is everyone in here facing

power-system types of breaches on a mass scale with Israeli governments? Probably not. So those are the ones that I'm gonna really focus on here. There's a lot of simple solutions out there, there's a lot of tactics, there's a lot of questions that can be asked and answered that aren't being asked and answered, and I just want to kind of play on those now. So without further ado, let's take a quick look at this. I know that the slide's a bit small in text. I got this information from Breach Level Index; it's just one source of breaches, but these were the top-scoring data breaches, like it was a great achievement for them to be a top story

or something. They're like, hey, we got tens! Yes, right. But what I want to focus on here is the source of the breach, right? Malicious outsider. Do we have the insider? Yeah, we have an insider, we have one insider there, and that was Korea Credit Bureau, right? So every time that someone says the insider threat is real, it is, it's a hundred percent real, but most of these breaches that pissed me off are not because someone's in there stealing USB drives full of company secrets. It's malicious outsiders, right? Let's go back to my state sponsors. Sure, we have an Anthem here, right, state-sponsored. You're not gonna win if someone's targeting you, that you know you have the

entire government of a country focusing on you; the chances are you're gonna get popped sooner or later with some tactic. That's just the way it goes. But that's one, right? That's one. The rest of these here are malicious outsiders. The industries are obviously various, we have financial or retail being the top ones, but the fact of the matter is the malicious outsider is using things to get in that are fairly common most of the time, and I'll pick on some in a little bit. Statistics: some scary stuff. Count the decimal places, we're talking trillions, these are trillions of records. But even worse, every day we're talking five million records; you break this out by hour and by minute, and

it's ridiculous. Okay, so let's look at this, right: breaches that were deemed useless because proper encryption was done, 4%. 4% of the data that was stolen was encrypted; the other 96% was plain text. That sucks. We can do better than that. The unfortunate part, and, you know, hey, I'm a dad, so there's a lot of dad humor in here, so if you don't like a lot of the memes and stuff then you can just ignore it, you can throw something. But sometimes breaches happen. Sometimes they have... there's no question about that. And the main question I have is why. There's a lot of reasons, we went over these, but there's

some here that I haven't touched on yet, and these are the ones that I'm going to focus on. So, determined, sophisticated: that's your nation-state, your insider. Yeah, okay, they do exist, it's real. Addressing now, as we go forward: complexity and difficulty of environments. No matter what, this usually has something to do with the breach. Our environments have become so muddled and disorganized that very, very basic hygiene procedures are not being practiced. You know how many environments out there that you say, oh, well, just apply the patch, and then there's the whole other camp that says, we can't just apply a patch, do you know how difficult that is? Well, yeah, I do, and the difficulty and complexity in

environments really needs to be wrangled, and that brings us to the patches. Yes/no: I see things all the time where there are not patches being applied. Carelessness and laziness, that does happen, again, unfortunate, and it sucks. Negligence, that's interesting. You Katie how negligence feels; I think that they're paying one of the largest fines for breaches ever levied. Fines are coming. And, you know, a lot of the organizations, also on the smaller side, I guess small or medium, resort to something like this, and I've seen this: "We couldn't hire, saying too many scary things about our computers." Yeah, the chances are that there are a lot of scary things that need to be

said about your environment. So we can't fix everything; let's start with the ones that we can, we can do better. I feel like, again, part of the motivation here is we are focusing on too many vendor-centric, next-gen, artificial intelligence, machine learning, blockchain, magic blinky light boxes that are just pieces of... that could do anything most people could do with a decent amount of scripting. There are good commercial solutions out there, but there are way too many solutions to problems that may or may not exist. We need to take a step back, we need to breathe, and we need to answer some questions. The next few slides are real questions from real clients. I have a former colleague in the

room sitting over here named Jason Kent. All of these questions have been fielded by us; these are real questions and answers, and these are the questions we need to start to ask. Quick things: how many web applications do you have in your environment? "About... we think... I don't know." Well, guess what: the one you have sitting behind the Imperva that you're spending a million dollars on, that's great, you're securing that one. What about the other ones, the ones that you don't know about? You don't care, right? There. Do you have an accurate asset inventory? Do you know what you should be protecting, right? Am I dropping 0-days on you? No, I'm asking you simple questions. Do

you know what should be secured? "Mostly, mostly." Do you scan constantly? Are you constantly checking your environment for vulnerabilities all the time? "No, we can't, because something could break if we constantly are testing these things. You know, we only have maintenance windows where we can test." I understand, that's great. Yeah, so what you need to do is you need to put something out there that says, hey hackers, you can only look at our systems during these maintenance hours, during these hours where you're allowed to take a look at our systems. And if your system falls over because I run an nmap scan on it, you have other issues. If I cannot scan your enterprise database in a financial institution

because it will fall over, and I'm using nmap, you have a bigger problem. Real things, and that currently exists at a very large place today. What is your patching cycle? What is your tolerance for critical-severity vulnerabilities? If I find out that there's a critical-severity vulnerability, how long do you have to patch that? How long is acceptable in your production environment? Is it more than 24 hours? Is it 48 hours? How long does it take for a piece of POC code to pop up on GitHub? Is that what you're racing? Maybe not. Usually not a good answer there. This is all real data. None of this is okay, none of this is fine. We need to

do better on the basic questions and answers. All right, more fun. I can't get away from these, because this is one of my favorite questions: do you know what your real perimeter is and what is open on it? And you wouldn't have a good answer for what your real perimeter is? Excellent. So there used to be a perimeter; it used to be a nice, you know, fortress that you can build a big wall and put barbed wire up, and that's your perimeter, and you're good. Well, guess what: every web browser, every mobile device, every piece of connectivity, every line of code that you have running that's externally accessible is your perimeter. What's open? "No idea." No idea. Ports that are open? We...

you know, walking into a fortunate pain customer, I can show you ports that are open on your externally facing environment that you probably did not know were there. It's pretty scary. Training, training, training, training. No one wants to pay for training. We have all these fancy tools; well, guess what, if you don't have the right trained individuals to use these fancy tools that you're just spending millions of dollars on, you're gonna have really fancy tools and a whole lot of data that you can't use or you don't know how to use. Basically you're throwing away money. Encryption: usually everyone is quick to answer this question no matter where I am. Is your sensitive data

encrypted every single time? 90%, 95% of the time: "Yes, absolutely." Well, guess what: if 4% of the breaches never had any encryption on them, I don't know, 90% of people are lying. Let's go back to network security. Jack touched on this. This was the basis for a lot of what exists out there in pen testing teams; the basis of what exists today for a lot of infosec teams, to begin with, is network security. There's a gentleman whose name is Paul Coggin, I don't know if anyone knows him; he's from Alabama. If anyone has ever seen him talk, he works for Wells Fargo, he is a Cisco guy, old Cisco guy, who

is now a network security guy. He focuses on very advanced pen testing using only network-layer vulnerabilities. If you ever get a chance to watch any of his talks, you'll understand. And where I'm going with this is it's even scarier, because this is turning into application. So software-defined networks: as the ends, your old Cisco guys, right, your network guys who are down on your NetOps team, how many of those guys write Java? Well, guess what, that's where it's going. So all of your automation, all of your fallback, all of your networks that are all going to code, it'll all be software-defined, and that will bring this to a whole new level. So, basics. I can sit up here and preach

basics, but I'm not making this stuff up. I didn't write this stuff. These are your CIS 20 controls, right? Basic controls are basic for a reason. You don't need a shiny vendor product for many of these. Again, what's important for your environment may differ from what's important in someone else's environment. Sometimes it's the little things like inventory, and I think Jack did mention ingress and egress filtering. So let's talk about egress filtering for a second. Why does your point-of-sale terminal, that you swipe your credit card on to pay for something, why does that terminal need to be able to talk to any IP in any country on any port? Why does that point-of-sale terminal need to be able

to talk to Russian hackers doing Chinese anime at midnight on a Friday? Like, why? Sidhu, you think I'm crazy, but the exfiltration of the data from memory happens on these point-of-sale terminals, and then those point-of-sale terminals actually exfiltrate the data out. Yes, a lot of the newer ones are using 443, and it might go out HTTP; it needs to talk there. But why do they need to talk? Your point-of-sale terminals only need to talk to one or two IPs, that's it. You should have egress filtering set up; you should not have these terminals being able to talk to everything. Target was a perfect example of that: their point-of-sale terminals had egress to 0.0.0.0 0.0.0.0,

so they could talk to anything, anywhere, at any time. Simple things. If we don't need these point-of-sale terminals... they need to be locked to, they need to talk to a couple of IPs, or maybe... your basic control falls here. Now I can argue that 18 is not a basic control, but maybe some things about it are, right? Maybe it's AppSec, maybe it is application security, and application security can be tough. I'm a little bit... I'm an AppSec guy here, so I'm gonna dive into this for a second. Not so basic, but a quick fact. This quick fact is brought to you by a friend of mine who was formerly at Verizon, a new

sponsor. He actually published this DBIR; this is his chart. Web app attacks, we all know, number one source of data breaches. Why? Anyone know who this guy is? Anyone? It's Alan Jackson. Aria. We got one person in the room. Anyone know why? "Well, AppSec is hard." Yes, it is. I thought people were saying... I thought this talk was going back to basics. Good catch. And if I say application security is hard, we do go back to basics, but hear me out. Alan Jackson reference, top of the slide; if you don't get it, it's fine, it's lame, it's me. Remember when I talked about inventory? Now, say we're talking about a normal inventory of IT assets

and computer systems. What about your web app inventory? It's also an inventory. Well, I remember when I talked about perimeter, and understanding what your perimeter is, understanding what web servers are out there, with what open; that's all your perimeter, yeah, that also counts. I talked about scanning and patching: scanning and patching not just operating systems and network devices, but patching vulnerable... what if you're using a vulnerable library in whatever your applications are? That patch counts just as much as a stupid Microsoft Office patch counts. Why should that patch take any less precedence on your external-facing system than an Office patch or a Microsoft server patch? An unfortunate reality is that those patches are getting pushed way down the line

compared to your OS patches, and understanding that and applying those basic concepts to application security can help you. Remember when I talked about encryption? Yeah, that's an important one for web apps; maybe we should think about that too. You know, there's a big push for HTTPS and your little green shiny lock, oh, that's wonderful, but what about the data that sits behind it? Maybe we should ask those questions too. Firewalls: everyone in this room, I guarantee, has a network with a firewall, right? Why? Why do you have it? Because it's important, right? You need a firewall there. Well, now what about your perimeter applications? Why should they be treated any differently? You have a firewall sitting

in front of your... you have a firewall sitting in front of your desktop at your desk that's sitting behind some switches and routers and things. Why shouldn't there be a firewall or something protecting those web applications that also have critical data? Like, your workstation versus a web app, like, there needs to be protections there. Addressing the majority of the OWASP Top Ten, to me, those basic functions need to happen in application security just as your 20 critical controls need to take place. Multi-factor authentication, to me, that needs to be basic. How many of these things can be protected with multi-factor authentication? We are in the state of South Carolina. Everybody who lives in South Carolina, please raise your hand.

Who has lived here from 2013 to today? Okay, all of you are victims of a breach that happened because there was no MFA; there was no multi-factor authentication on the system that was able to get the data. The person had legitimate credentials; the hack occurred with legitimate credentials, so there wasn't a patch not applied, there were credentials that were compromised. So if I log into a state computer system remotely, and I... it's been fixed, but if I, let's hypothetically, hear me out, back when this happened, I log into this computer system remotely, I have legitimate credentials, I'm using an IP address. Now, okay, let's pretend that I decided to use a local proxy so

the local proxy doesn't look out of place. I'm not accessing it from some server in China or something like that, and I log in, and now I connect, I take all the data I want, I compress it, I encrypt it, I FTP it out, whatever. We talked about egress, but that's a whole other thing. Simple multi-factor authentication for systems that contain critical data. That breach, which cost our state millions, whoever has SC ID protection dot com, everybody in here that raised their hand, could have been avoided with one simple multi-factor authentication. That was that one particular instance; I won't say it's good for everything, but it happens. Now, the other side. We're all smart, intelligent people. It can't be this easy.

I'm making it sound like people are simply choosing not to do these things. If these were indeed basics, and the basics could protect us, why couldn't these large, technically savvy companies with really capable individuals and budgets solve these problems already? Why wouldn't the breaches just stop? Am I oversimplifying things? Let's go back to those questions real quick, right? Do you think I'm oversimplifying things? Do you think anything I'm saying has been oversimplified? No one's talked. All right, so the first thing we need to know as we dive into this, and into those questions on the other side of it, and this is important, is to understand both sides, right? You can't just be on the offensive; you have to put yourself in

the shoes of making things better. So, making things better: it all comes back down to we're all human, we make human mistakes, we screw up. I screwed up earlier this week; I said something I shouldn't have said to someone I shouldn't have said it to, it ended up in a slight breach of trust, and it was a pain in the ass. I screwed up. We spend too much time checking boxes. I've been on way too many engagements where someone says, "Will this cover me for X?" and X is checking the box, and the answer's like, "Yes, but..." and they don't want to hear it. I think that a lot of the mentality of checking boxes really needs

to change, and that can't change without that top-down security support. Top-down support starts at your C-level. You know, the unfortunate reality is, if you don't have that support from the C-level, you're going to be checking boxes, and you're not going to be successful. Another thing that might have to do with this is that, you know, with all the security breaches in the news, there are budgets, and with budgets people like to spend the money, and they spend the money so they can get another budget the next year, because if you don't spend it, you're not going to get it renewed. So with that, they buy a lot of stuff. They buy stuff, and with that stuff, what

do you think they forget to buy? They forget to buy training. They forget to equal-budget their products with their implementations, consultants, their implementations, professional implementations. They buy stuff and they're not focusing on that. A lack of training, again, I can say this very firmly: training trumps tools. Be smart, use both, but your training will always trump the tools. Now let's dive a little deeper; we're gonna do a little scuba. And a lack of understanding in the complex environment is key to understand why sometimes these basics get lost, and I think that's kind of a given. But the next one's huge, right? So why do these basics not always work? Because we're spending money on these tools, and we're

trying to show something that's almost impossible: your ROI on security. If I never get breached and I spent ten billion dollars on it, can I... I mean, is there something that says ROI on security stuff? Is there something to say that if I didn't do it, I would have been fine with only seven million? Maybe. I think security is also looked at as not a business problem but more of an IT problem, when it's really not. It focuses on your business; everything about your business now is related to IT. If you take the IT department out, can your business function without IT at all? If the answer is yes, great, throw this slide away. If your answer's no, then

obviously security is not just an IT problem; it's a complete business problem, and there's impacts. Yeah, scan, patch, basics, all things, not just important things, not just your main website. What about your interfaces, your middleware? Secure all of them, all the weakest links. And the unfortunate part, again, is something to avoid here. This is a quote by Darren Boozers, the CEO of NCC Data: "And then the unfortunate part is apathy. Enterprise companies today, right, they have the right procedures and teams to prevent attacks, but the perception that your business is safe leads to empathy," but no, empathy for them, apathy. "Cyber criminals," remember I mentioned earlier about your maintenance windows, "cyber criminals are constantly looking for vulnerabilities

to stay ahead of this; your trained IT teams need to be looking 24/7 and upgrading packages of software." And, you know, this quote is great; I really hope that people can take it into better consideration. A little bit of what the future will hold. Here's what I think. I want to spend a few minutes on this slide in particular: cyber insurance and guarantees. With the amount of breaches and things that are happening out there, there are companies out there who are really leveraging... to put insurance policies, or sell insurance policies, to corporations, and that cyber insurance would essentially limit their liability from any breaches, or knock down their liability, right, if

not totally nullify their liability. Now that leads us to an interesting question. What if I owned a company, and I really want feedback on this one, please: if I owned a company and I can buy a cyber insurance policy that would cover me for five million dollars a year, but my security spend would have been ten million dollars for the year to cover me, how do you justify to your stakeholders that you should be spending the money on security and not just saying screw it and buying your breach insurance for half the money?

I will come do an assessment of what you've done, and I'll tell them they did nothing, and they won't... they'll give you your premium back. Perfect. I mean, they use companies like BitSight; we found out, like a FICO score. Okay. Where there were breaches and a preexisting condition, right? So they're gonna deny you for a pre-existing condition, essentially, right; they're going to show a pattern, there may be negligence. Yep, excellent point. So that brings us to guarantees. There are companies out there who are guaranteeing, with high amounts of money, that you won't get breached if you use their services. There's two things there: one, it's putting your money where your mouth is, and two, it's using the expertise that

they can offer. And I, you know, I'm... anyone have any feedback on the cyber guarantees, of guaranteeing a customer won't get breached if they use us for X, up to a million dollars?

...twenty years. So when we point at it, we say, listen, do what we say and I promise you won't get breached; in fact, we back it up with a million bucks. This is a sales pitch; I won't tell anyone here who I work for, you can Google it, but the fact that we can offer this service, it gets a lot of people to go, "Well, that's interesting," and then they go back to not having inventory, not patching, right? They don't come to us in droves like these sort of, but they would, simply because no one cares about this insurance; it's not doing it at all. There's no accident,

there's no accident these two things are up there. If anyone here follows Jeremiah Grossman or other people, they know that these things are real, right? The push for cyber insurance, which I think is a terrible idea, that agenda is still being pushed, whether it's going to work or not, it's still being pushed. Guarantees, more and more coming out there. Now we talk about liability and fines. Now, I think that the liability for companies who can't do the basics... now I'm talking about Equifax again, because they pissed me off a little bit here. So if you have a portal open with admin/admin, is that neglect? Externally facing, is that

neglect? Like, for a company like Equifax, not for Joe who owns the coffee shop on the corner, maybe, but for a company like Equifax that houses all of your sensitive data? Question.

We're violating regulations. When they got breached, there are states that require notification within an average... there, I know for a fact that they have not yet notified residents of the states; they're breaking existing regulations, and where does it come in? The only thing that's going to hurt them is the wallet, right? When the CEO decides to leave but takes a seven- or eight-figure check with them, they don't give a... they're like, hey, this is great, I'm gonna go on the beach, have a nice day. Exactly. For a company like that, you know... And another thing: bug bounties. They work, they're going to increase. Not everyone's a good candidate for them, there are... but

bug bounties work, and I think that's something that needs to keep going forward. Now, free pen tests for everyone. This comes back to my earlier inclination of tests. I promise you that, whether you like it or not, your company is getting a free pen test right now. They are getting a free pen test right this second. Everybody that's sitting in this room that has a publicly facing presence is getting a pen test right now for free. Now, the difference is, these guys want to be paid for it, but they'll tell you about it; and the other difference is, the other people, they might want to be paid for it too, but they're gonna just go sell it on

ioan somewhere and have a... stay in the dark web, or who knows, maybe just for kicks. But yeah, exactly, yeah, this is what I found. So bug bounties, I'm a big advocate for, always have been; I'm more than willing to talk to anybody on that, but I think they work very well. I don't think that they replace pen testing; I think it's a good supplement, and I think that as long as your maturity level as an organization, to understand where those are and how to fix those vulnerabilities and address them, is up to par, then they can be super beneficial for you. Consultancies: use them. There are a lot of really good consultancies; there

are a lot of shitty ones. There are a lot of companies who will tell you who the good ones are, and if anyone here works for Deloitte, I'm sorry, they're number one. Yes, Gartner has put them in that Magic Quadrant in the top right; they are the number one cybersecurity consultancy in the country according to Gartner. So C-levels automatically are going to hire those, right? I mean, they're part of the Big Three. Where is that? 2017; it's June it was published, but they're still plugging it. So if they're still publishing the article, it was published in June, so timing-wise it's interesting, but the fact that Deloitte is using that information to advertise today is kind

of, still, you know, I don't know, it's kind of ballsy in my opinion, right? But it's marketing, they need to make business, and there are a lot of good people there; I have some friends that are there. So, you know, but pick your consultancies wisely. A big push here that I like to see too, and there's a really good talk later at 3:00 p.m. in this room about what to do when someone wants to disclose a vulnerability to you. I'm just going to touch on this real quick, but adding the security.txt to all of your external-facing destinations, that simply has, hey, our security address is this, put that in there. I mean, there's a lot of times that, and I'm...

Jason's gonna go into it in depth, but there are a lot of times where there's just way too many vulnerabilities, and we as hackers find these things, and sometimes I find them by accident when I'm online shopping. But anyway, so being able to disclose these is not always easy. So if you're trying to secure, have a way for someone to report, have a way for someone to report something to you. And I know that this is also part of a problem, probably not so much... lose it. I don't care how many followers on Twitter you have, I really don't. If you need help, ask for it. There are a lot of good people in this

room who have been doing a lot of things in different niche areas for a long time I'm looking around the room and I recognize definitely some really amazing talent so ask questions I would be sidon over there I see yeah so there's a lot of feel free ask for help network remember we're dentists with that I'm running out of time but before I run out of time you know besides is an amazing place I'm not up on a stage in front of a hundred people I'm not talking about Python bastes security systems like my last talk here we're not in the weeds with this talk on you know but what I like to do is network and I think that

the feedback and the amount of communication we can have is extremely beneficial so as a group we'll take the last couple minutes here I think we have the last four minutes or so and let's interact with each other let's ask some questions concerns let's get some things going if we could

[Audience question, inaudible]

That's an excellent question. I think so: the leadership that takes security seriously, and I believe I mentioned that on one of my slides, one of the key indicators there that I find a commonality with is people's support for training: having people come to these events or come to Black Hat or coming to training events, getting hands-on training, taking classes, whether it's SANS, whether it's specific other training that interests people, but keeping training up is usually a good indicator. Now I don't say it's a one-for-one, but I will say that it's usually a good indicator of leadership dedication to the, usually people or places that are better off holistically on the security threat than others. Other things too are,

you know, having red teams and blue teams on both sides and keeping those exercises to work and feed off of each other. It sounds kind of old and stale, but I'm seeing a lot of that do more good lately, and, you know, morphing into these purple types of teams and things where you have exercises where you have attacks and defenses going on simultaneously and then sharing that information and knowledge with each other. And usually anyone who gives that kind of flexibility to hiring, you know, the right kind of people and bringing those people in, you're in a better spot. Anyone else?

Yeah, so one thing that I left off here, and it's my bad, so I made a mistake: these metrics, it's part of that top 20, but I think metrics is a huge, huge part of being able to show effectiveness, being able to self-report, being able to report on what you've done, and obviously what you're saying is even going beyond that, right? It's showing actionable metrics, what you actually stopped. And I think that metrics is a huge part, and what you have to do is assess and reassess and constantly update leadership on those metrics. So it's not just, you know, it's not just running the metrics, but it's presenting it in executive format, presenting it in

a readable, easily readable format, and then doing it on a regular basis to show progress, to show the curve, show exactly what you're doing and how things are getting better, what did you do to fix the problems that they found. You know, so metrics is good, but as you mentioned, definitely keep that in. I think, if anyone, one more? All right.

But the scientific method, repeatable, reproducible, mean time to failure, do you see that happening in the industry, like science? I'm going to separate that myth though, is that I'm going to use a lot of, like, so I'm seeing a lot more analytics and data science, and it's related, but the analytics related to large organizations that have data scientists that work together to be able to increase efficiencies and show those values really have more advanced analytics platforms. But if I am seeing that, it's really only the big people that are doing anything like that. As you probably know, data scientists are not cheap, so advanced analytics and data science is definitely an area of growth, and I see a

lot more large initiatives, especially your Amazons and things like that, we're using those too for efficiency and [inaudible].

Going once, going twice, almost sold. Yeah, I, I see no, I don't see any immediate, I see nothing moving in the direction of standardization for metrics across the industry as of right now. If you could come up with something, that'd be great, but I don't, I just, I personally don't see it. Yeah, all right, I'm told I'm out of time. Thank you everybody, here's my contact information, pretty easy to find. If you see me around, I'll be around today, if you have anything, follow up. Thanks. [Applause]