Good morning. [Applause] Well, I must say our registration this year was a hundred percent less painful. Let's give it a round for our volunteers. [Applause]

All right, so this is the clown car of conferences. Oh, I can't even see the graphic. There's totally a clown car there, but you'll have to use your imagination. So we're packing as much as we can, as usual. This is a two-plus-one conference: we did workshops yesterday for our Elite members, I think we had like five hands-on workshops, looked really fun, and then we've got two days, and in these two days we have 51 talks. Now that has sort of created a lot of pain, to be honest, but we really wanted to give our community the opportunity to speak and share that knowledge, and we fit in literally as much as we could, and as many people as well.

In total we do have a couple other workshops happening on Tuesday. I think there might be a couple slots available, so it'll be first come, first served to fill those if you hadn't reserved. There's one on security architecture hosted by our AV extraordinaire George Bajari; give him a round of applause for doing the AV. And we've got one, no, two, no, three capture-the-flags. We've got a red team one that's run by us that's, you know, very offensive, hands-on. We brought some guys out from Ottawa that do the IoT Village, so lots of hands-on hacking there. And then if you're looking for something really outside of the box, the open source intelligence gathering capture-the-flag, which is just around the corner, is to help find real missing people. So if that's something of interest to you, get your hands dirty and start using some of those open source intelligence gathering tools as well.

We also are hosting Women at BSides, hosted by the ISACA SheLeadsTech chapter, so that's going to be a panel at lunchtime today, at, I think, the bottom half of the lunch. So if you are interested in being a part of that conversation, please drop by. We do have an after-party tonight; we'll pass on a couple of details. We did notice that the spam gods are angry around this time of year and we're struggling getting emails out to everyone. Eventbrite was really failing us here, but we'll share some more information. And we have a job board, so if you're looking for work, there are several sponsors that have posted job postings up there, so be sure to check that out.

So a little bit about our community. Okay, we can see that image. We've got people from all over North America, and we actually have a speaker all the way from Israel that's speaking, I think, tomorrow, which is really cool. It really shows that people from around the world are coming to Vancouver, and we're teasing them with the fake weather that we usually don't get. Yeah, really excited about that. So we have 567-plus registered attendees. There's a plus there because people don't read email and we've had some registration gaps there, but hopefully we'll keep it under 600. And 17 of them are women, which I think is awesome. It's a number that we've been working very hard to keep raising within our community, and I'm really happy to see that. And we have over 50 volunteers and board members that have really helped put this thing together, so we'll thank them in the closing ceremonies more. So let's make sure they actually do a good job, but yeah, we couldn't do it without them.

So, some housekeeping, some information. Schedules: we're trying to keep as eco as possible, so we're not printing too much stuff. There are signs everywhere on scheduling and details like that. However, bsidesvancouver.com has a "day of" button; click on that, and all the schedule details are on there for you, CTF details, et cetera, et cetera. And if you are struggling, add us on Twitter, because the Twitter guy is eager to help you; it's our tech support system. Space is going to be pretty limited. I'm really happy to see this room is really filled out, and it's only the popular seats that are empty right now, but day two we lose one of the big rooms, so it will be a little bit more cramped. Now our strategy is to have a bit of an open bar at our after-party so that people don't show up super early tomorrow. We'll see how that strategy works. And if you can't get in a room, you know, we're not trying to be as DEF CON-y, but tomorrow will be a little bit rammed. But we do stream these talks, so if you don't get in, there's plenty of lounges all around this facility to hang out, so just keep that in mind.

CTFs again: the open source one is down this hallway, and then the red team and the IoT Village and actually RFID hacking is upstairs, one floor. They've actually set it up; it looks really cool in there. There is Wi-Fi; there's signs everywhere to get on that. Please be kind to our Wi-Fi. We are streaming, and congesting the pipes will only affect everyone outside of our conference. So, lunch: we're not catering this year because a lot of you had a little bit of a problem with the hamburger sashimi sandwiches that we had last year, so we've decided not to cater. There is a food court two escalators down, lots of options, and if you're an Elite ticket holder you got food vouchers. If you were attending the workshop and picked up all your stuff and didn't end up picking up the vouchers, that's our fault, so please come and see the front desk to collect your vouchers. It's only for Elite badge holders and whatnot.

Let's see what else here. Tons of chill lounges. From a safety and security perspective, there's fire exits everywhere; be familiar with them. There's a security desk if there's any concerns, and we have a reporting tool on our code of conduct page if there's any concerns, but you'll see lots of volunteers with the volunteer shirt; if you have any problems, come see them right away.

All right, so from a CTF perspective, pretty much went over that, so if you want to break things, go upstairs, and if you want to save and find people, go over there. And the after-party details. So again, we had some issues sharing the details, but we are about 100 closer at our venue this year than last year. We don't have to bus people, but it does require either a quick taxi ride, a quick Uber ride, just kidding, but you can actually take a train right here, and it's like three or four stops to Main Street. Okay, and then it's about a five-minute walk from there. A big warehouse; gonna have some DJs, food, a happy hour sponsored by Checkmarx, and some entertainment, so definitely show up there.

And then this event would not be possible without our community attending, but also all our sponsors that have been able to support us financially and make this event happen. So please come and see their booths, talk to them, let them scan you and tell you all about their newest products. They are important to the success of these events; we wouldn't be able to do it without them. And I guess that's really about it, so without further ado, let's give a warm round of applause to Rob Fry, who is our keynote. [Applause]

Give me just a second here while I pull up my slide.
Good morning, BSides Vancouver. I've been to quite a few BSides before. I have to say this is probably the most impressive one I've seen yet. Definitely thank an organizer if you see them today. I've been an organizer at a conference before, as a volunteer; it is not easy to get 600 people to Vancouver to do something like this. This is really hard.

So with that, we're going to talk about security as a video game today. My name is Rob Fry. I'm currently the VP of Engineering at JASK. If you look me up out in the public sphere, I've done kind of a few different things. If you look me up, where most of my work was, the relevant stuff that you guys will care about, it's primarily around Netflix; that's why it's the biggest one up there. I'm not going to go into a lot of the different things that I did. I'm just going to get straight to the presentation since we're running short on time. If you want to stop by and ask me some questions about anything up here, definitely feel free.

So the agenda today: we're going to kind of go over where this presentation started from. This is like a five-year thing that I've been living through that you guys all get to experience with me now. We'll jump into challenges in security; there's a lot of them. And then we'll do video games. I think we probably have a few video game players in here; I've got data, actually, to prove that. We'll talk about security and video games, and then we'll talk about some design principles.

So most of you have actually never seen me present before. Every time I present I always have a disclaimer slide. I work on a lot of stuff that's kind of like out there. You know, like ten years ago I was telling everybody "go to public cloud" and people were telling me I was crazy. I was right. But I put a disclaimer slide inside of here because a lot of the stuff I work on is still in progress; there's still studies, there's still research that's still happening. So if some of the things that I say are based off of current theories that we have, and you see me six months or twelve months or whatever from now and you're just like, "well, you said," and I'm like, "I got a disclaimer slide." So there. All right.

So let's visualize this. A lot of problems in security, a lot of challenges in security. What I want you to visualize is: what is it that we're actually doing? All right, now I want you to think about data. Think about how much data we have. Think about the challenges we have with data, right? I don't care if you're infosec, netsec, cloud sec, whatever it is that you are, you have a problem with the data. This is where one of these things kind of kicked off with me. I don't know if this speaks well of me or not, but most of my conversations either start up or end up at a bar, and so this one starts at a bar. It's about five years ago. I was at an ISSA conference, and at an ISSA conference, you know, the first night, kind of like last night, we had a speaker's dinner, drinks, and we're sitting around the bar and we're talking, and that's kind of where this starts. You know, like, what are the challenges? And really what it came down to was two statements and one question. All right, two statements, one question.

I'm going to pivot now and we'll talk about startups, because at the time I was working both at Yahoo and Netflix. I do a lot of work with startups: invested in them, helped them get funded, like just all sorts of stuff. And if you go back about five or six years, that was kind of the start. Big data was already a thing, and now startups were trying to start to tackle it in all sorts of different ways. And I'm not going to use all the buzzwordy things that you guys all hate, and I hate too, but data was always a problem. The reason I like working with startups on data is that startups are the most innovative when it comes to these types of things. If you try and go to a big company, a multi-billion-dollar publicly traded company, around innovation when it comes to these things, they're not necessarily always the best at this. Usually the best at this are the startups. And during my time with them I got access to some really smart people, and it's one of those things, you know, what type of people go to startups? So first, they're crazy, and two, they're usually really smart.
That mountain of data, this is the challenge, right? Every one of you right now sees this. I don't care if it's Elasticsearch or Splunk or your SIEM or your antivirus. If you go back to about 2011, before that there weren't APIs in security, right? This is a really kind of critical thing. Before that, what were you actually looking at? It was the security trust model, you know: "I got this, trust me, I'm a vendor." Now, I'm a vendor now, so don't hate me, but I actually hated that, because they would give you alerts and you couldn't see the data that was behind that to actually understand why that alert came. Now you fast forward to where we're at today, and every vendor has an API and you have access to all the raw data. You expect it; would you ever buy a product that doesn't have that anymore, right? But at the same time it created this big problem that we have.

And so as I'm working with these really smart people, I heard this term I'd never heard of before, right? So I'm a back-end type of software engineer, not necessarily front-end. I've done some front-end stuff, but it's not pretty. And I heard this term called design principles, and basically what it states is that when you're trying to display certain types of data in a certain type of way, there's a certain type of way that you do it. And there's entire courses on this, right? Like, they teach them, and most of these people, they go off to Hollywood, financial services, and video games.

That led me, after I'm talking to these people, to something called cognitive psychology, and if you don't know what that means, I didn't either at the time. It's basically an understanding of how we learn. All right, so if I display something to you, and we'll go through some examples on this, it's really an understanding of how you, and when I say you I mean everybody, of how you learn, because there's a lot of repetitive patterns in this, especially from a cognitive learning type of way. And then that led me to universities. You know who does a lot of cognitive psychology? Universities. And so I started meeting PhDs. So we got startups, we've got big data, and I went to them to understand more about cognitive psychology. What was really interesting is that when you start talking to them, what were they using? They were using VR in order to be able to sit down with students and all sorts of, you know, research lab rats, and they were using virtual reality. Now what was interesting about this virtual reality: how new is that, right? Relatively new. Anybody play virtual reality video games? Anybody? They kind of suck right now. You know why? Because their design principles suck. They haven't figured out what the right design principles are for video games. But for cognitive learning it was really great, because you could put people inside of virtual environments and trick their mind into thinking that it was real, and learn how it is that they react to certain stimuli, whether it's colors or shapes or repetition or all these different types of things.

And so now let's kind of think about security, right? Let's start thinking about what we've been doing, right? A lot of bar charts, a lot of pie charts, a lot of line charts. When you're looking at a massive amount of data, is that really helpful? Well, if you're a manager you probably like to look at what your team's doing, but that's not my point. That led to search. So everybody here does search, and most of my conversation isn't about the search aspect of data. To me that's a use case around, you know, something that's known and unknown, right? If I know something, if I get an indicator from wherever, I go search and go find it, right? Search is a really great use case. What I'm talking about is more like learning and the unknown. How do you find the unknown? And typically what we do when we go and we do search, what it comes back as is rows and columns. I'm a hater of rows and columns, by the way. There's a good use case for it, but if I do a search and I come back with a hundred thousand, ten thousand, even a thousand lines, right, how useful is that to me? All right, I see some people shaking your heads like, "nah, man, I hate that." I hate having to freaking, like, filter and reorganize and all these different types of stuff, and columns and rows. Do I really even talk about this one? All right, we'll just let that one die. But you know, you looked at it back in the day when it came out, you know you did.

So ultimately, after most of these interactions, I had stopped after I joined my most current startup, but I ended up touching each one of these organizations, and it was a lot of fun to kind of see how each one approached the problem. And I had the opportunity to go and interact with the video game industry and introduce them to designers inside the video game industry. I got the interaction to go to universities that were interacting with the military, and everybody is trying to work on this problem. This is not a unique problem. All right, we all have this problem. If you think about different business verticals, it's not really different. Our ability to aggregate data today is higher than it's ever been, but ultimately inside of security the conclusion is we just don't know how to display our data. Anybody ever seen a well-designed UI? Like, there are very, very few inside of security.

So this is where I'm going to pause for a second and I'm going to say there's no such thing as a silver bullet. I know you guys know this and I'm not preaching about silver bullets. I'm preaching about the ability to actually do something we're not doing well right now, and there's a whole host of reasons. There's also a lot of things I'm not going to talk about that are closely associated with this talk, and hopefully you can separate those out. Like, when I start talking about forensics: forensics is hard to do anytime, whether you've got a UI or not, and typically you don't have a UI, so I'm not talking about those types of things, right? I'm trying to solve one specific problem, right: the display of data. Now why am I trying to solve that problem? Well, let's just real quick say that this conversation, well, I'm pretty passionate about it. Like, there's some tongue-in-cheek inside of this; there's going to be some fun inside of it. We've already talked, and I've only said a few things so far, and I've already gotten a pretty decent reaction from many people in the audience, so it means you can relate to what's going on here. But while this is fun, it's a serious conversation, but we can also have some jokes inside of it.
So let's talk about challenges in security. Think about all the challenges in security. I'm going to just nail a couple as it relates to what I'm trying to get at. Noise: lots and lots of noise. Now product marketing doesn't help this, you guys all know that. When it comes to the noise out there, trying to figure out what's real, what's not real, is a big challenge.

So if I go back to that bar conversation I had, what was question number one? Question number one, that you can hardly see: it's about the people. It's always been about the people. We can talk about all the challenges out there; it always starts with the people, right? Specifically, let's talk about this thing that's negative unemployment. Everybody knows about negative unemployment: that's where you have more jobs than what you have people, because, you know, RSA and ISACA, they did a report this year; there's going to be about 2 million jobs that haven't been filled. Is it Cybersecurity Ventures? 3.5 million. You know, the problem's getting worse. I predict that, you know, AI is going to take over by 2024 and it's going to exponentially... we're all screwed by then. So if you're not Neo, you better go find him. Which, by the way, another thing I like to do in my presentations: the 20th anniversary comes up in a few weeks, still kind of relevant to the conversation.

So problem number one, what these guys were talking about, was the resource gap, right? You're sitting around a bar, you're sitting with a bunch of CISOs. What is their biggest problem right now? Can't find enough people, I can't retain them, and when I get them in there's too long of a ramp; I can't get them up to speed fast enough. Bar conversation number two, what follows this one: so if I don't have enough people, what's going to happen? I've got the security stack. Problem number two is I'm not getting enough value from my security stack. I pay a lot of money for it, there's a lot of gaps in my network, there's lots of new attacks coming out all the time, and I just don't have enough people. Think about that, right? That's a tribute back to number one too.

So I'm inside this conversation, I'm just kind of listening at this point. It's not the first time I've heard it, but some of the points that they had were pretty interesting, and I don't know why, but this thought kind of jumped into my head. It was a question about hiring: tell me about your hiring bar, right? And people kind of get a little defensive about this, right? "Well, my place is special, my hiring bar's up here." "Well, I have a sophisticated security stack, my hiring bar's up here." Huh, that's interesting. That seems like a problem right now. There's reasons why, right? We care about experience, we care about intelligence, background; these are all the things that are inside of our checklist when we're trying to interview people. But what we're basically saying is you've gotta jump six feet high in order to be able to get in. That's a problem.

And so we're back to the hiring bar. I think that one could probably be attributed to both number one and number two. So it's a problem with number one because there's all these open jobs but we can't get them in because we expect so much for people coming in. And it's a problem with number two, not necessarily because you need that high bar; I would actually come at it from a different angle and say that vendors are not doing enough to help lower the bar. The things that are coming out are too complicated, right? That's kind of an interesting point there as well. So there you go, there's my theme. That's what the theme is about, right? How do we solve these three things?

So let's go ahead and kind of transition from security to games. Anybody in here not like video games? Because you're in the minority. Studies say that greater than ninety percent of you play video games, and not just... granted, don't hold me to this second one, most of you have probably been traveling the last 24 hours, but if we weren't traveling, although you probably have a phone and you're probably playing video games on that. So there's a bunch of video game players at this conference right now.
So what's interesting about that is the relevancy of video games. If you go do a search on just Minecraft and cognitive learning, or learning, or anything like that, there's literally, I don't know, I've read a few dozen, but there's literally tens, hundreds of documents talking about this. Right here, if you can see it, is MinecraftEdu, the educational version. Every freaking college right now seems to have, for kids 6 to 18 years old, to go and learn Minecraft. Why? Because of the cognitive benefits of it. It's just rampant; it's just all over the place. And so here's this Norton Meyer guy. He's smart, he's got a PhD, and this is basically what he's saying about video games. When I read this I was like, huh, that's pretty interesting. So thank you, Norton Meyer. Let me go ahead and rephrase that for security, because there seem to be some parallels there that are pretty interesting, because it seems like every day of security this is what we're actually doing as well, right?

I know I'm in Canada; I'm from Texas, so I don't know how the Canadian military does it, but the US Army back in the early 2000s came out with this video game, America's Army. What they were trying to do was figure out which kids are the best for the US Army and actually try and recruit them by playing. It's a first-person shooter game. Whether you like that or not, the fact of the matter is that it's not just me; like, this has been going on for more than 20 years. The whole premise of this is that, you know, if you can go through and you can show the character and all the different attributes that the military is looking for, not just that you can shoot somebody but that you do it in the right way, they were going to look at you, they were going to actually try and recruit you, which was interesting. US Navy, recently they just built a submarine with an Xbox controller. You guys hear about this? Isn't this crazy? You know why? Because I can get a kid out of high school, put them in college, put them inside of there, and the learning curve is super short to get them to learn how to drive it, right? And if you go and you research this, I don't care if it's drones, tanks, like, the US military, and probably militaries all over the world, they are trying to figure out a way to get the learning curve shorter. And what they figured out, pretty much before anybody, is that video games are a great analog in order to get them into certain jobs. Why aren't we doing it in security?

Two kids on a couch theory. This is a study done 10 or 15 years ago, I can't remember. So you have two kids on a couch, three hours a day for five days. One kid's a super expert on a video game; the next kid doesn't really know that video game very much. What happens by the end of that fifth day? That other kid that doesn't know anything about that video game, he's proficient. He may not be at an expert level, but he's pretty good at it now. There's reasons for this, right? There's patterns in the video game, there's design principles in the video game, there's engagement inside of the video game. That other kid wants to play, but he can learn because of the design principles that are inside of that video game. And you know this: you play, like, any genre of video game, you're able to put one down and pick up the next one, right? That one that you played, it's six months, a year old now, I want to get the next one. The next one's coming out; it's got better graphics, better gameplay, better something. You pick it up and you're able to learn it like that, right? It's pretty easy.

And so the opportunity here is around learning together and learning faster, right? So if you could design things in a certain way, as has been expressed across different business verticals, your ability to learn something faster and learn something with somebody else is super hot. How many times, like, who here likes to hire a new person out of college and train them in cybersecurity? Anybody? I've got one, two out of 567, was that how many people are here, right? That's it. It's not something that, even with the tools that we have today, it's not fun to teach somebody to do, it's not fun to watch somebody do it, it takes a long time, ramp-up is way too long.
And so now I'm going to pivot into real-time strategy games. There's some real-time strategy game players here. The ones I have up here on the board are old, but if you think of what real-time strategy games are, specifically compared to much of day-to-day operations inside of security, it's basically a real-time strategy game. One example: fog of war. So I was stealing a little bit from Sun Tzu, but fog of war is basically the premise that when you get into the game there's kind of a black area around here that you don't know what's there, and even if you spend your time inside a video game to go and clear it out and know what the terrain looks like, you still have to send patrols around there in order to understand what's still going on there. Does that sound familiar inside of security at all? It does to me. I spent a lot of time in security before I became a vendor. Visibility was one of the hardest problems to both create and maintain.

So if you start going through the list of similarities, this is kind of, I don't know, when I first saw this I thought this was kind of interesting. So, RTS game: build and maintain visibility, remove the fog of war. Everyday security life: build and maintain visibility to remove the fog of war. Okay, point taken. RTS game: understand the terrain. Security life: understand the infrastructure. Build structures and units: it's the whole premise of an RTS game, build structures, build units, get bigger, get faster, know everything. Security life: build and implement software and architecture, then hardware. Anybody still do hardware? Sorry, I'm a cloud guy, I don't know what this stuff is anymore. RTS game: prioritize incoming alerts and attacks. Real-life security: prioritizing alerts and attacks. Procure more resources: yep, we got that, probably already talked about it. And then the micromanagement and the macromanagement side of a video game, right? One of the whole premises of an RTS game is understanding how to manage everything, otherwise you lose. Security is very, very similar. I think this is really kind of interesting.

But if we're going to talk about similarities, let's talk about the differences too. Learning in video games is usually easy; learning in security is usually really hard. RTS games: finding others to play with you is pretty easy; like, you literally can just hit a button these days and they'll go out and find people to play with you. Security? No, that's hard too. RTS game: you get to start over. Think about that. You lost, what happens? You start over. You're losing, what do you do? You rage quit, you hit the reset button, you start over. It's easy. I want a reset button for security life, right? But no, like, there's consequences in our day-to-day lives when we lose; we all know that. Gameplay: knowing good gameplay, right? There's a lot of games out there where it might not have the best graphics, but it has the best gameplay, right? You're talking about a game and how you interact with it, how you almost bond with that video game, right? How are you bonding with your firewall, your log management, or your antivirus, right? There's not a lot of defining of the good gameplay. And then in games there's established design principles, and there's pretty much none inside of security.

So, survey of 300 managers and 650 professionals. This was done last year by McAfee. What they found was pretty interesting: 92 percent believe that skills fostered in games would help them actually hire, that would actually be good for cybersecurity, right?
anybody here hired gamer yet yeah right so i got one so we did it um when i was at yahoo we hired a guy basically off of his world of warcraft skills he basically came in and said here's why i'd be a good manager he showed us his world of warcraft tribe or whatever it was they hired him that's the one i've had in my 20-some year career that's it but if you start to look at the evidence it starts to get pretty compelling around why you would do it right now we look at this and this is where the tongue-in-cheek comes in you're just like ah it's a security it's a video game blah blah blah like wait a
minute no like this is the real deal i'll give you another example i hired a lady she was in accounting she came over to security you know what she did vulnerability management she's good at it you know why because vulnerability management's all about numbers right the number of scans a number of things are outstanding prioritization right so there's there's it's not just video games this is the example i'm giving but it exists out there in other places so opportunity number two make it engaging if you think about what we're doing on a daily basis you make it more engaging and you're going to want to do it more side note good interview question you should add an rts
interview question think of this face when you do it too it was me um so let's start talking about some design principles that's right i just did two matrix references and one presentation this is how hollywood thinks about it right so if you think about this scene this guy's sitting in this chair how many monitors are there a lot and you're led to believe that he can just read every one of them and it's like second like apparently the brain inside of this movie has evolved to such a point where you can just read 500 screens all at once and understand perfect situational awareness except which one's imitating which one we do this this is our this is security design
Principles 101. This is not unique, right, it works in Hollywood just fine. Just to be clear, I'm not banging on Hollywood, they do really great things all the time. We don't in cyber security; this is something that we should change. And so let's talk about different business verticals, just as some examples. If you go across different business verticals, they take this type of information and use it in different ways. So if you think about one, if you think about like day trading or high-speed trading, right, like if you look at this screen, that's really dark and you can't hardly see it, the one thing you can see is the use of
red and green, and then they have really big buttons that are green. And I've actually done research, I've gone across most of these day trading applications; it's a very similar design principle in their use of bar charts, their use of color. But if you look at the data, like what they're looking at, it's relatively simplistic, so their design principle can be very, very simple, much more simple than security.

Westworld. Yeah, you're gonna say it's Hollywood, it's not real. Well, the guys that are designing inside of Westworld, they actually spend a lot of time trying to understand the problem. At my current job I hired a designer away from
from Blizzard Entertainment. What I liked about it was he has no preconceived notion of security whatsoever; you just tell him what the problem is and what the data is and he's going to bring it back to you. That's what guys in Hollywood do. So while you're looking at these screens saying, wow, this will never work in security, I'm sitting there going, I bet it actually would. There's actually some really cool design principles inside of here. Circles are a really great design principle in security.
So let's go back to RTS games. If you look at the screen here, there are very, very similar design principles; it's one of the things that allows you to jump from one game to the next. This should start to ring some bells, right. Like, think about what you're doing every day, think about what your vendors are doing every day, because the common design principle right now in security... now I love Twitter Bootstrap, all right, it was a big step forward for a lot of UI development, but what a lot of people do inside of security right now, and it's largely based off of cost, is, I'm going to go
download Twitter Bootstrap and I'm going to customize it, which you can, and it's going to be good enough, right. People won't spend more money on that because the other problems inside of security are harder and nobody wants to tackle the design one, because it's hard, right. And where are all the designers going? Not to security, right. So there's a problem even in security of getting good designers. So this is not for the win.

So now we're back to that big data thing. Mountain of data, pool of data, what are all the different terms for data: data lakes, data rivers, I had a data pond the other day. How many terms can we come up with for this
stupid thing? It's just data. So what are we trying to achieve? I'm going to run you through some little thought exercises here, the first one being the 15 experiment. What it basically posits is you put a whole bunch of people in a room, have them look at drawings of 15 coins of one cent; there's only one that's actually accurate. You know how many people actually could find that one coin that was the real one? Pretty much none of them. And basically what it says is that people relate better with shapes and colors than they do with numbers, right. I think if you look at a lot of your tools right now, how many times do you have to go
back and reference it because it gives you a number or something and you can never remember it? Now this is important. What it's basically saying is that when you think of coins, when you think of some type of visualization, you're thinking of the shape and the color more than the words and the numbers that are there. I'll give you a perfect example: stop sign. Anybody not know that this is a stop sign? Go ahead, raise your hand, we'll help you out later. Please don't drive. So think about conscious and subconscious thought, right. Think about that for a second. All right, so now we have a bunch of signs here, a bunch of design principles,
we even have Canadian versions. Now here's what I want you to think about. I do this probably once a week: I do one-on-ones with my employees, and a lot of times I'll do them... I've got a 40-minute drive, so I do them while I'm driving. Yes, I know that's bad, you can scold me later. I can drive from my home to work or from work to home and not remember the drive. I'm able to do that because we have design principles surrounding us everywhere, right. Some people, if you're in sports, call it muscle memory, right: you do something repetitive so many times you don't even have to think about it anymore. You do it every
day; every one of you has probably done this in some capacity or another, and that literally is subconscious and conscious thought. It's part of that cognitive psychology that we're trying to learn about, that ability to display data to you so that when you look at a screen... And what was interesting for me, it was 2012 I think, I sat down 12 threat researchers and [Music] had them go through a bunch of different malware, and what I realized was that even though they didn't go in the same sequence and they didn't use the same tools, they basically were trying to accomplish the same thing, which meant you could apply code to it,
right. So we basically were starting to automate SOC analyst type of work. We started to go look at SOC analysis type of work, right; we sat them down, we went to IBM and BP and a bunch of other companies just to try and understand, like, super mature, super immature, show us how you actually work. What was fascinating for me on that: 25 to 50 data points. That's what a SOC analyst is actually going to try and go look at, 25 to 50. Why? Because they think they're going to have enough confidence to be able to make a decision after 25 to 50 data points. Okay, well, there's also the fact that
they're probably needing to close between 10 to 20 alerts a day. There's the volume of alerts that are coming in, and they're only going to look at 25 to 50 because they have to get to the next alert. Do you know how many data points are inside of an attack these days, especially as you start to aggregate data all around, right? So the company I'm at right now, like, one of my challenges: a single alert could have ten thousand data points. Have you ever seen an alert with 10,000 data points? Do you want to? Right. If I don't figure out how to display 10,000 data points, I lose, right. Like, nobody's going to want to buy a product
that can do that. But inside of your daily life, as you're looking at data points, you're trying to get enough information to understand what's there. The number of times I saw guys go get 25 to 50 data points and not look at that one critical data point that they needed, and they wasted an hour or so, two hours, sometimes three hours trying to figure that out, was huge, because there weren't any design principles. I'm going across all these different things; everyone has a different design principle, there's no consistency, and that's a challenge. So, thought experiment. As my time is... yeah, we'll go into the thought experiment. Boom.
All right, gotta get everybody to look. Yeah, all right, everybody looked.
Eighty percent of you looked at the very center of that screen. I know that eighty percent of you did that because science. Everybody likes science. Science teaches us a lot. The reason I know that is because your eye usually starts in the upper left-hand corner, starts to scan, and when it scans it's going to go after the first thing that catches its attention; then, because the lines will lead to the middle and I put something right in the middle, you looked at the center of the screen. It's a really interesting design principle, because if I'm trying to display something to you that's super important and it's inside of security, where should I put it? Rows and columns, or in the middle of
your screen? And what should it look like, right? I don't know. Here's a really cool design principle: I can change it and you still understand what it means. I can change it again, you still understand what it means, right. If I do this, you're going to hate me. This is why design principles are important. This one, it doesn't matter about the location, it was about the color, right; the color was important. If you're starting to go through this, right, think about... go back to the video games. This is why video games are important. This is why kids, and you guys, and security vendors should be designing video games for security and not whatever the crap we're doing right now,
right. Let's do another one: red, green, blue. I've actually used this one before in both academia and going out to different customer environments. So let's say this is an ASN, blue line, ASN, the outer line right there, okay. The inside ones are CIDR blocks; the green dots, or the dots in the middle, are IP addresses, okay. Is it an attack or not an attack? It's not an attack, they're all green; everything we know about it today is not an attack. You're not going to waste any time on this one right now. What's interesting about this is I had the opportunity to work with a guy named Dhia at OpenDNS; he's a master at this stuff.
What was fun was I was using it one time when I was at Netflix: seven different threat intel feeds, a whole bunch of other data, like both my security stack and log management, correlation, all these different things. Just an IP address: if I send it out to, let's say, whois, right, that's a lot of data. But if you start to go into other, like, threat intel feeds, if you send them an IP address or a URL it's going to get detonated, it's going to tell you all the other IPs, the addresses, the files, everything that's associated with it. You throw that back into the machine, you just exponentially increased your data. What we discovered
was, kind of the Goldilocks zone was seven: like, you wanted to do that kind of re-putting data back in seven times; after that the efficacy of what you're doing would go way down, right. When you start to look at stuff like this you can start to do real cool things based off of that. All right, number two: good or bad? It's at least suspicious, right. So based off of what I just said, what you're looking at here is suspicious because of the surrounding pieces of information. Now stop and think about, huh, I got attacked; all the things I was looking at were saying it was good, right, and then you start to go around, you
start to look at all the other data that's around it, and then you realize, oh crap, it was some type of other attack where actually that thing I'm looking at is bad. This is the easy one; if anybody gets this wrong you should probably hand in your security card, right. But what if I did this, right? You should see this all the time: guys that would be staging attacks, phishing attacks was a common one, different types of drive-by attacks; they're staging all of their information way, way, way ahead of time, right. What if you had the ability to go in there and look at this data? What if there was a way to actually, like,
you had a design principle where you're actually looking at it and it made sense?
So point number three is make it easier to learn. And so, to just kind of put a bow on this, a few more minutes to kind of rant here. I almost feel like Denis Leary with kind of the mic here; I kind of want to drop a few F-bombs, but I'll refrain. The challenges are: there's not enough people, we can't keep them, we can't train them fast enough. Challenge number two is we're not getting enough value from our security stack. Challenge number three, because our hiring bar is too high. So as you kind of walk through the entire presentation, hopefully what you're actually starting to see is that there's actually better ways to do this.
So what is it that you can do? Well, hold your vendor to a higher standard; ask for this type of stuff. Look inside of other business verticals that are doing it. If you're actually doing this yourself, if you've lit up Elasticsearch or anything else that is open source where you have the ability to do this, establish what yours are; like, you're helping your own employees, you're helping brand new employees. I know from my side, like, I spent three-fourths of my career in your guys' seats; I've only been a vendor for four or five years now, but I'm trying to take this information, and I've actually done this presentation for other vendors, I've done it for
other places, and what's interesting to me is that after you go through this, like, video games are a great analog. There's a lot to learn in security, not just from video games but other business verticals as well. If you think of the automotive industry, if you think of their user interfaces, if we go back like several years they were pretty horrible, right. The cars now, like, I'll mention Tesla; I mean, Tesla actually has a pretty cool user interface, right. Why did they do that? Well, because it's more engaging; people want to actually use that type of stuff. That engaging piece is really kind of critical inside of this. If I said, hey,
you could have a security system that was like a video game, would you be more likely to use it? Would you want to use it? How easy would it be to get somebody that's never done security to come in and also want to learn about it, for you to teach them, right? All the data exists there that says that this is actually true; we just have to start working on it in order to be able to make it a reality. And with that, thank you, and I will take some questions.
Hey, question: the guy that was hired by Yahoo as a gamer, yeah, how successful was he? Is he still there?

Yahoo as a company really isn't around anymore, so he might be there, I don't know. He did actually a pretty good job, yes. So it did prove to be true. Any other questions? Wait for the mic so that the people in the room can hear. Run, run, run. Thanks.

Okay, so if you make a security system like a video game, one of the big differences you outlined is that the priorities often aren't well defined and have to be set by the circumstance. So how do you imagine
building systems like this so that people can learn them easily but actually, like, also learn, like, the real actions they have to take or the subtleties of the situation or whatever, rather than just, I don't know, gamifying it?

No, that's a great question, and it's like one of the next big things, right. So I've done different government work where they're around, like, establishing standards, and they're painful and they take a long time. The best way to do it is either through, like, a community open source project that gets adopted, or through getting enough vendors to actually buy into this and do it themselves. So once you do it and you get enough
traction... if you think of other design principles that are out there, web UIs, like, there's different ones that have come down the track that eventually caught on. That's the best way to do it, is just do it; it's monetary, but it's better. Now the longer way to do it is to actually get government to step in and start to establish those, the United States and different frameworks that will actually do that. Those guys take five, six, seven years to do it; it just takes too long. So one or the other.

Got it, thank you.

Let's do one more. How much time do I get? Two minutes? All right, let's do another one, see what happens.

So mine's real
quick. Thanks for the bar conversation last night, by the way.

Yeah, you've got to start the bar conversation.

I think there's a flip side to this, right, because you've got some vendors that let the marketing team build out the UI and you get no data, no useful data. It looks really pretty but there's no data. So I think that's another issue; you know, you've got one extreme or the other, which is bad, that we need to fix. I think that was more of a statement than a question. I think my comment is a statement, but how do we fix that? I mean, that's the thing, we've got to be able to
drive the vendors from a community discussion and push everybody toward, you know, the gamification, make it easier, lower those hiring standards kind of things, not from a skill level but just to get people into the security field.

So I mean, with product marketing, I think there's a movement inside the CISO community, I'm lucky enough to be part of this, the Security Tinkerers one; the CSOs are upset with product marketing right now and they're trying to force both investors, the VCs, and the startups to quit talking about what could be and actually talk about what is, talk about actual real problems, specifically like customer problems. And so that's one way to do it, is
for you guys to actually put pressure inside of the community and on vendors to do it, and that way product marketing hopefully will change. One more question.
Great presentation. I think a lot of your principles make a lot of sense, but if you turn it around from a sales perspective, if your application looks like a game, will companies actually pay for it? And [Music] I see that as a big issue and one of the reasons that a lot of applications are not that easy to use.

So that's a great point; I was hoping somebody would ask me something similar to that. Where I'll pivot to is actually dark mode inside of a lot of applications. Security companies were starting to do it and it was seen as cool. I actually knew some of the designers
that have been behind it; there's actually a lot of science behind it, and what's weird is Apple, Google, insert companies, Slack, everybody's going to that dark mode. And so to your point, initially, especially from a sales perspective with these types of things, it seems gimmicky, right, and there's been companies that have done similar stuff like this before and it was a gimmick, right. So what you're looking for from a sales perspective is to get traction with customers, because it's based off of results, not off of the gimmick; over time that will, you know, develop momentum, just like dark mode has in a lot of the UIs these days. All right, I think that's probably it for my
time. I gotta wrap up. Thank you guys very much.
All right, I think we'll get started if that's all right with everybody. Ooh, that light's very bright. No, not yet, not quite yet, they said not yet.
That's not even a question. Yeah, pineapple is not allowed on pizza; we're going to rule that out right there.
Awesome. All right, I think we're ready to get started. I'm going to do my best today to mic with this hand and click with this hand, but I'm not left-handed, so we're going to see how that's going to go. Good morning. So my name is Shelly Giesbrecht. I am the managing lead of incident response at Cisco; for those of you who don't know, yes, Cisco has an incident response team. And I'm really excited to be here today because it's my first time at BSides Vancouver and I love coming out here, so thank you very much to the BSides crew for having me. The reason this particular topic for me is really exciting is because I've
been doing this for a number of years, and when I started in IT, and I'm going to date myself a little bit here, so follow me back to the year 2003, when some of you were probably still at elementary school. Who else remembers SQL Slammer? Who lived through that? Okay. So that year I was working on the help desk at WestJet Airlines, one of my first jobs in IT, and they got hit with SQL Slammer just like everybody else, and I'm working the desk, everybody's in on a Saturday, you know, all hands on deck, everybody, and I'm working the desk and I'm coordinating people, and about eight hours in I'm thinking to
myself, God, I am hungry. So I get up finally, I wander into the kitchen, and there are six empty boxes of pizza. Now first of all, we had 50 people on site doing response that day, so six pizzas for 50 people, you do the math, lots of people didn't get lunch. And not only that, the only thing left to drink was 7 Up, and no one ever drinks the 7 Up, right, that's always the last one that's left. Everyone takes the Coke first, then they go to the Diet Coke, and you might have the Dr Pepper, but nobody ever drinks the 7 Up. This is really my first foray into incident response back in the day, and one of the things that kind of
taught me was we need to think about more than just the technical response; there's a lot of factors that go into what we do. So today I'm going to talk a little bit about what we should have, basically, you know, the things that we all think that we need and that we have, and then the gap between the basics and where we actually need to be; some really essential roles within your organization that you should have in play if you're going to go into an incident response; and then how we keep things moving as we get into that incident response, as we get started and keep going, how we keep going; and then I'm going to talk a
little bit, hopefully, if I have some time, about some stuff that helps. So let's talk a little bit about the basics. We all should have some really smart people in our organizations to help us solve the problems of an incident, right. I visit a lot of organizations every year now with my job with Cisco, and I've never been to an organization where I walked in and people are like, yeah, I don't care. People are great, because they will drop everything; for the most part, 99% of people will drop everything and do everything they possibly can to help their organization recover from an incident, and that's amazing. And we also
have organizations that have processes in place to help them deal with an incident, whether that's an incident response plan, whether that's custom playbooks to help them deal with specific threats, maybe associated policies like acceptable use, information security policies, crisis management, DRP, BCP, lots of things, right. But the question is, do they all play well together, or are they even in place? When was the last time your IR plan... and I'm not going to ask for a show of hands, but for some of you in the room, think back to when the last time your IR plan, if you have one, was updated in your organization. A lot of times we go into organizations and they go, oh, we wrote it
in 2003 during SQL Slammer. Hey, I'm sure we've looked at it since then. Well, maybe we better have a look at it, right. And let's face it, things have changed a little bit since 2003. I've got a little grayer; you wouldn't notice, because I cover it up. But the last thing here is technology. Our companies go out and buy hundreds of thousands or millions of dollars' worth of technology to help us develop that defense in depth, but if it doesn't work well with the people, process and technology, then how well are we going to be able to respond to an incident? You know, regardless of day-to-day, when we need it to work but
it's not an emergency, that time when it's an emergency and we really need it to be functioning exactly the way that the vendor told us it was going to. I come from a vendor, and I still scare the crap out of my sales people because I say things like, you know what, technology isn't enough, and they go, don't say that, no, no, don't say that. So what's the gap? Gap sharks. It's a thing. Gap sharks are the things that will eat us alive when we get into an incident and we have not thought out the silos that we create between people, process and technology. We even have silos within people. How many of us work for
organizations where there are groups within their IT organization, or between IT and the business organization, that don't play well in the sandbox together, right? And then you get into an incident. I worked an incident with an organization who couldn't get their network team to come and work the incident because they were too busy: we don't need your crap, you're not nice to us and we're not going to help you during this incident. That's a silo within only the people thing. And then when we talk about making sure that the people know what the process is and know how to use the technology, and vice versa, all those things, we want to make sure that we
avoid those as much as possible. Definitely that step, if we go back to the SANS model for incident response, we talk about preparation, and that should be our largest thing; this is very much in that realm. So we have an incident, somebody's detected that, we have a first responder. Somebody might be a user, it might be a server technician, it might be a biomedical device technician; I work a lot of health care incidents recently. And they're going to do some initial triage, they're going to tell us what they saw, what they heard, what it did, and they may or may not have the ability to declare it an incident,
but they need to have some criteria around that. How do we know whether it's an event, something that we see here or just happens, and it's actually an incident that is affecting us or has the ability to affect us in a negative way? Now, for the ITIL folks in the room, an incident is very different when we talk about it in the cyber realm, and I definitely have a lot of discussions when I go to different organizations and help them build their incident response plan about how to meld that with an ITIL framework. It's a big topic of conversation and a completely different talk. But how do we figure out whether we have
an incident, and can the incident responder actually do that? Is the incident responder the right person to actually lead the incident? In some cases it is: if your incident responder is information security folks and they detect an incident, they may be the person that steps up and says, I've got this, I'm going to lead this. However, if it's an end user that discovers it and escalates it, or if it's a server technician, they may not be the right person to lead the incident for you, and they need to know what the escalation plan is. That's again those things that should be all built into your incident response plan but is something that's frequently
missed. So who are we going to call? Who do we need involved in our incident, first and foremost? And this is where this talk really came out of. At Cisco, I spent the last three years at Cisco, and I learned very quickly when we were out doing incidents for our customers that one of the things that customers don't tend to do well is actually manage the incident. So we developed a group called incident commanders; we have a specialized group within our organization, within the customer-facing part of our organization, that just does this: they manage incidents for our customers. This isn't a sales talk and I'm not going there; I just want to tell you that the
reason that we did that is because we hear frequently, you know, we're really good once we get started, but it's that first 24 hours that really bites us in the butt, getting from detection into a rhythm of incident response. We're good at the technical piece, we know what the technical issues are, but we don't know how to manage the incident. So the incident commander is that role. It really should be the first boots on the ground; once you get an escalation you want to elect an incident commander right away, and it's sort of that tactical project management, right. So they need to know how to manage the people, the process and the technology and all the
pieces that go in between. They may not be the SME on every piece, but they need to know the pieces in movement and who needs to get those things done. They need to have the authority to lead. Remember I talked about that network team that didn't come to the table: your incident commander needs to have the authority from your C-level to be able to point at, I'm going to point at you, and I'm sorry, I'm going to point at that guy, and say, you need to come to the table, and here's the piece of paper that tells you that I have the authority, and there may be discipline involved if you decide your team's not
going to come to the table. And obviously the flip side of that is we want to create those relationships and mend those relationships before we get into that problem, but you need to have the authority to deal with it as well. They need to understand both incident response and the business, and I think we've all been in a situation where security loses out when business is impacted. Business still needs to continue, and security needs to understand that there needs to be a good balance. The same thing in incident response: we're trying to get back to business as usual when we're doing an incident, and so we need to make sure that whatever is still working is still
functioning, and that as the incident commander you understand the balance between those things. What do we need to get up first? What's most critical? Where are our critical services, our critical accounts, our critical customers? Who do we need to make sure is up and running first, to make sure that the cash register of our business is continuing to run? And they need to follow the flow of the incident, so they need to be right up to date, and that leads me into the next thing. I actually will mention, really, gravitas, that's a big word at the bottom. The incident commander has a lot on their shoulders; they need to be able to
handle everything that comes at them with a great deal of gravitas. They need to be calm, they need to be able to deal with people who are going to scream at them, because in incidents people get upset, particularly your customers, your business partners and your executives. They want to know that something's being done, and sometimes it takes longer than they think it's going to, but we need to keep up with that. And how we keep up with that is we also elect an incident scribe, or more than one. These are the folks that follow kind of behind the incident commander; they are also equally well versed in the business and incident response, but these are the folks that are going to
document everything for us: all the action items, who's doing what, who's done what, so that we have that stuff going forward for the reporting. So they're going to be slightly behind; they're going to maintain that timeline for you, so you've got a visual timeline of what's going on. But again, these two roles are really important. We want to make sure that not only do we have one person that we can elect, but we have more than one, because when we get started it's that first 24 hours that are really important, but it might go beyond that 24 hours. So let's talk about those first 24 hours. To start
with, in the first few hours we need to understand things like, you know, where are we going to meet? Do we have a place to meet? Who's on the call bridge? Do we have a call bridge? How do we declare an incident? What priority is that incident? There's a number of things that we need to know, and we need to establish rhythm for communications, escalations, notifications, and those are three things I'm going to talk about a little bit more and explain what I mean by each one of those. So how do we keep on keeping on? How do we move through an incident? When we talk to a lot of organizations, as I said, they say,
when we get into the technical piece, when we're containing, when we're eradicating, when we're re-imaging systems and we're getting back to business as usual, we know how to do those technical things. We talk about different incident priorities, so if we talk about the low and the medium, we do those on a regular basis, every day; we feel good about those, because, you know, the one-offs of malware, in fact you have a small case of ransomware that you know is affecting one system and maybe one file server, and there's a lot of people in this room who would go, yeah, that's day to day, we can do that, that's not a problem. Although when you say that to your CSO it
scares the pants off of them, but you know, a small amount, we can deal with that, right. It's when we get into those high and critical incidents that there's much more complication involved around notifications, again, escalations, communications, but also day-to-day: if the incident goes on for more than four hours, eight hours, 12 hours, in the case of something like the Sony breach, months, how do we handle that as an organization? So that first 24 hours is really important to establish who's involved, the cadence, where we're meeting, how we're meeting, and then we have to feed people, because just like me eight hours in at WestJet, we get hungry, right. The good news is that people tell you when they're
hungry, right. People will tell you when they're hungry; what they might not tell you is when they need rest. Brain fog happens when people are tired, and then mistakes are made and the incident may get worse. So we want to make sure that people not only get sleep but they maybe get a little bit of down time. We create war rooms, but do we create a relaxation room when we're doing an incident? Having a room that people can just go sit in for a few minutes and collect their thoughts; maybe they're not going to go have a nap, but they just need 25 minutes or a half hour just to, like, sit and just not think about the incident and just
get themselves back into the headspace right but also day-to-day lives right like when as an incident is going on we have people who have kids or need to pick up their pets or take care of their parents we have stuff people going on vacation in the middle of an incident i had somebody who ended up having a baby stuff happens people get sick people get injured when unfortunately things like that happen and we also have the day-to-day stuff right an incident happens but that doesn't mean that our lives don't keep turning from a business perspective we need to keep the lights on there's projects ongoing that uh the the different teams that are involved in an
incident still have to uh support and so we want to make sure that we are able to move forward with that and the incident commander team has to make sure that they're aware of all of those things how do we move forward and keep an incident running keep our business running keep our lives running here's some things you might not have thought of how do we feed people do we have a budget for that whose credit card does that go on does our team have credit cards that we can put stuff on and how about if it does go overnight or it goes over or we need somebody to travel to pick up a drive or to do some
forensics or to help contain an incident at a remote at a mobile or remote branch do we have budget to put them in a hotel to put them on a plane to give them a rental car i don't know how do we pay overtime what about in the situation where our organization is also made up of contractors or unions do we have budget for overtime do we have budget to keep folks on site you know over their eight hours i've had people walk out to say i've done my eight hours i'm done for the day in the middle of an incident and we need to talk about prioritization as well right so that's a constantly
evolving thing from a uh is it a medium incident that became a critical incident and we have to revisit those priorities we want to make sure when we're going through and and we talk about the the the nist model or the sans model for for incident response that if we are into containment are we really into containment do we miss something and do we have to circle back to identification so we want to make sure that when we are building our out our plans to go forward and do those things that we're doing it in a very methodical way we need to make a plan for each phase we need to get approval from that so for
instance we may in a containment phase say we are going to go out and shut down every server in the data center and then we send our we send our plan for approval up to the business unit and they go no you're not figure it out and we have to go back to the drawing board and so we have to have that plan approved and then we have to go out and execute that plan now all those people doing those things might not be the same person so we need to make sure that it's well documented within the plan once they're done executing we need to validate that it's done properly to make sure that the thing that we thought was
done was actually done and then we need to document it to make sure that it's in our report that what we did is what we thought was done and that we can tell people later on that that's what we did because cyber insurers these days really want to know that you did what you did and that you're sure that it's gone i feel like i just went back there we go all right the need for smees this is my take off of top gun thank you very much the incident commander needs to know who their subject matter experts are they need to know who to call what names they're going to which means we need
call trees we need to identify those people in advance and again people go on vacation so we need backups for those folks but you need to be aware of all of those things and have those in your mind we have technical folks so we might have tech you know we have the folks that are identified as the core incident response team but what if we need a specialized skill that's not usually what we might need for for an incident that's very specific to that incident we want to make sure that again we've identified those folks we know where to find them we also have non-technical smes from internally legal communications uh pr team those are folks that we may also need if
there's an inter insider threat or we have uh you know we need to ask some questions around whether we're actually going to go to law enforcement or not which is one of our third parties we need to have those discussions know who those people are and again the incident commander that single point of contact for all of those folks how about third parties i've listed a couple one obviously law enforcement we want to have those relationships in place beforehand by our support we want to have a some sort of retainer or otherwise in place with one of the ir firms to make sure that we have help when we need it vendor support i t people are are
ridiculously bad at asking for help we have a problem we go no i can fix it just give me another 30 hours i've got it but we also have things we need to talk about now like cyber insurance when do we call the cyber insurer when do we get them involved because they are highly involved in the process these days as well external legal counsel more and more organizations are are keeping external legal counsel on retainer to help them when a cyber instance happens because their internal counsel are not cyber experts so we want to know when do we get those involved when do we invoke attorney-client privilege that's a big one these days uh you know
protect our work product protect our communications we need to know when does our legal team want us to do that so our incident commander needs to know not necessarily when we're going to do it but they need that they have that conversation i need to have that conversation all right escalations communications and notifications when i talk about escalations i'm talking about who needs to know right away in the chain of command who am i escalating to to make sure that the next person and the next person or the next person knows and as an incident increases in priority that is very very important and those escalations obviously get bigger and higher notifications are who needs to know
broadly so when we have a data breach do we have notifications that need to go out to regulatory bodies for instance or to our customers do we have slas slos with our customers that says if we're up within four hours eight hours 24 hours then we need to send a notification to let them know and then communications obviously from a broad perspective both internal and external who are we communicating with letting them know what's going on as much as we possibly can so from an escalation perspective we start off and i'm hoping this is going to work because this is very tiny all right so we talk about initial escalations right they're going to come from a
number of places and this is an example of a chart that we've used so we might have an escalation that came in from a web interface from chat phone call bridge email walk-ups from your seam or from text services right we might get a number of inputs for an event and then how do we get from come on there we go we report it to the service desk they say hmm this maybe meets the criteria for an incident i might declare an incident if it doesn't they're just going to say no it's going to follow the normal itil incident management process or they're going to identify log it and classify it as maybe a medium
incident we're going to decide whether it's p3 p4 medium or low and if it's not if it's that sort of p1 p2 high or critical they're going to escalate somewhere they are going to put it up to the next person in the line for instance your ins your information security team or your incident response team so that they can appropriately deal with that so that's sort of like initial escalations beyond that when we talk about notification who needs to know we also need to make sure that the people who need to know are going to keep our secrets if we need them to so do we need ndas do we know who's under nda right now
if we need to put someone under nda do we have something in place that we can easily use that's already templated that we can get them as quickly as possible and as we move through an incident we may need to revisit the priority as i said something that was medium may become very critical depending on lateral spread or or the virulence of the particular malware that you're working with if you have an active attacker on your network and so maybe that becomes critical and now your escalations and your notifications need to be revisited now who needs to know the incident commander again needs to keep all those things going in their brain what do i need to think about now what
do i need to revisit now what's our next steps communications i talked about this we want to talk about this early getting the cadence in place not only for internal communications daily updates to our to our executive making sure that everybody on the cert team understands what's going on that whole document validate uh execute your your plans make sure that they're approved all of those things but from a content perspective we want to make sure that when we create content that the person that's creating the content is approved to be an author right so we want to make sure we identify who's allowed to author particular communications then who approves those communications maybe you're doing an external
communication and you need to make sure that your hr or legal team is okay with the content that's going out so you have to identify an approver for that and then who's allowed to send it or who's allowed to actually say it having identified folks that are allowed to actually be the uh intended speakers for that message from your organization and having all those things again the incident commander needs to be aware of all of those things doesn't need to be the expert but needs to be aware that those things need to be thought about handoffs are an interesting one we worked an incident where a managed sock was involved and in the middle of the incident
some at some point they did a shift handover and we didn't notice because it was so smooth we said when did you do that they go oh we did it at 3am no one noticed because they did it so well shift handovers are huge because when incidents go on for more than an hour 24 hours weeks months we need to be able to again change over another reason that we need multiple incident commander candidates multiple incident scribe candidates we need to be able to follow those over because the incident commanders believe it or not also need to sleep most of mine are vampires they're fine but everybody else needs to sleep so what helps checklist
have a checklist we want to break down what needs to happen into small units and i'm not talking about the technical things these are very tiny but what you'll notice is some of the things are a little technical we want to do event triage and validation and false positives and declare an incident but also we need to contact all the right people get a war room ready activate our cert take attendance making sure that some people may not be invited and shouldn't be there we worked an incident where the organization used a email to send out the call bridge and the attacker was in their email system and attended the call bridge so we want to make sure that we know
everybody that's on the bridge we want to set up shifts as quickly as possible if we think this is going to go over eight hours we need shifts set up we need people to know what their expectations are for shifts and the people that are going to be taking the next shift they need to go home and get some rest and get their lives in order because they're taking the next one so we need to get all those things in order communications cadence if we can document all those things get them into a checklist figure out who's responsible for them what sort of category they go into it's going to help us respond better faster
and get to remediation that much faster having matrices a little bit different from a checklist this is a communications matrix a little bit of an example of one and it's the idea of making sure that you know when you're going to communicate something how you're going to communicate something who is going to do the communication like i said we need to know who's providing the content the author the approver who's sending it what format are we sending them in for instance do we have a template for that are we sending them via email is it going on a blog post how are we doing those things blocking that out beforehand and having the incident commander again completely
aware of these things having that to hand is going to help you be more successful from a logistic tactical project management perspective timelines this is where our scribe comes in why do we love timelines because timelines gives us a visual reference of what is going on in our incident and for me i'm very visual it drives understanding and i find i'm sorry for the executives in the room executives love pretty pictures it helps them understand something that maybe is way more technical than they are they are at a level of understanding and we can show them what's actually happening with with a visual we can do that in software or we can do that on a
whiteboard i prefer actually both i like to do it on the whiteboard in real time and then transfer that into software so we can put that into reporting or into status updates and we need to try to to practice and train this incident commanders and scribes are not born they are made and that's for with experience and with time we don't want to have to train our commanders and our scribes on real incidents it's it's it's an easy easy way to level up very quickly it's not very much fun so we want to do more than just your annual tabletop the annual tabletop that we all do tends to focus on the technical problem quite a bit and making sure that
our technical teams know what they're doing we do more often do sort of a tabletop exercise or some sort of small exercise that we focus on the logistics we did a a tabletop exercise with a large financial organization where we focus completely on the logistics every time they went to the technical we went i don't know who's your instant commander right now where's your scribe did you do a shift change did you feed people and we hit them like that constantly and it was that constant reminder that you're not doing the technical piece you're the incident commander you have people that are doing the technical piece for you and coming back to you with those answers
great practice and a really good way to level up those folks that you want to be able to step into the incident commander rule when you have an incident we want to practice those coordination and logistics make sure that everybody understands chain of command that that one person is the single point of contact for escalations and notifications and anything going downwards as well so what are we taking forward today first of all success is really understanding what your organization needs everyone's going to be different we can download a template from the internet that gives us a list but the truth is we need to sit down and really figure out for our organization what does success look like
from the beginning to an end of an incident and not just the technical pieces and not just the people or process pieces either how all those things go together and how we can fill those gaps with a role like the incident commander we want to make sure that we're feeding people because but the problem is starving people will tell you that they're hungry they will not tell you that they're tired or that they need to pick up their kid because they want to do the best that they can for organizations we need to think of all the things as we go forward about that we have the right amount of staff that we can staff for the week for the month
that this incident is going to go on and we want to identify that talent as folks come up against the commander in scribes and be developing that and practicing that because those folks are are the way to make sure that our we are successful in our incidents and that we can get from instant declaration into those first 24 hours in a much more successful fashion there is a phrase that says practice makes perfect that's not actually the phrase it's practice does everything it's from a roman commander named perry ander and it's sort of the same idea but practices it will get you to where you need to be so what i'd like you to do
is to head back to your organizations and start talking about incident coordination how do we get better at the entire process the nice part about this is that this isn't just about cyber incidents if you have good incident coordination within your organization if you good incident commander candidates they can handle any incident it can be a safety incident it can be a cyber incident it's the sort of the same pieces just slightly differently applied so from the perspective of of an overall sell to your organization it's actually an easier one than you think because we're not just talking about cyber we're talking about instant coordination as a whole i want to thank you very much for your
time i'm really pleased again to be here and and i'm excited i will be taking questions i think maybe if i have time right now and if not then in the hallway afterwards if anybody wants to ask questions [Applause] and this is where you can find me online
Thanks Shelly, enjoyed it. We were talking here about the incident life cycle models. Which one do you like better, the SANS PICERL or the NIST one?

I would say I don't really have a favorite, and I would say I subscribe to a little bit of a hybrid. I think my inherent difficulty with some of the frameworks perhaps is that when we go to organizations and do an incident response with them, identification is a lovely phase, but more likely organizations have to start containment faster than we would like as incident response professionals. So I think the containment piece tends to actually leapfrog. So I would say it depends; the fair answer is it depends.

So my question is on the commander specifically, that position. Because a big part of it, you said, is creating relationships beforehand in that planning phase, how does that look different from an internal IR team and an external team? Specifically with the external, how are those relationships built beforehand?

Yeah, that's a really good question. I think the internal one is obviously a lot easier: you're embedded in an organization, you can go out and build those relationships, hopefully, and build those bridges and make sure that the people that you need to come to the table will. For our organization, when we go out and actually have to engage with a brand new client and send an incident commander on site, it's one of the reasons that we send them in first and make sure that they... first of all, as I say, it's 70 percent patting on the back and 30 percent actually technical. Last year I had my first CSO cry on the phone with me, and it's not pleasant, but you feel for the folks in the moment, and I think that's what I'm talking about when I say that incident commanders are really developed, because it's not just project management, it's not just technical. It's very much an individual that has a number of different skill sets, including a massive amount of empathy and, as I said, gravitas, being able to handle that situation. And so I would say, from a perspective of going in, it's a matter of we don't want to send somebody in who's not ready, which is why we develop that team and make sure that our folks are as ready as they are to go in. But internally, you want to again identify those candidates and make sure that they are being developed in a way that allows them to gain that experience.

Thank you very much for the point on practice, and the question I have for you is with respect to working with a scribe and so forth. If you're working for a much smaller team, is it fair to say that maybe your SME should take on that role, if you are working up against a resource crunch of that sort?

Yeah, absolutely. I think we talk about smaller teams and whatnot; we have to fill those gaps where we can, and again it's a matter of the scribe maybe also being an SME for another vertical, if you will, or silo. We need to work with what we have, and sometimes, very much so, we have incident commanders who are also scribes because the resources just aren't there. So it's a matter of... but sometimes it's also just pulling somebody in and just saying, "Just follow me around and just write everything down that I say."

Thank you Shelly. Just two questions. One is, what are the key things that you watch for for an effective handoff between the shift teams? Second one is, if the incident is a significant and large one, do you establish shift teams at the beginning and establish two sets of incident response teams as well?

Okay, so first question, handoffs. The successful handoff is one that first of all happens. You know, "It's the end of my shift, bye." You want to make sure that it actually happens, but we want to sit down and discuss what a handoff looks like. So a successful handoff is one where we are recapping what's going on, so that the folks coming in know what action items they're taking over, what has happened, and make sure that they can go forward. And as I said, the best handoff is the one that everybody doesn't notice because it happened so well. But it's a matter of planning; it's coming down to planning and making sure that that's planned in advance. So if the next shift is coming on at 8:00 pm, you probably want to start the handoff at 7:45 or earlier, just to make sure that you're given that time to actually do that handover. Second question, around shifts: if it looks like you're going to be going for more than eight hours, I absolutely look at creating two shifts, two teams, and try to balance those out. Look at the skill sets. I don't know if anybody in the room has read The Phoenix Project by Gene Kim. Fantastic book, I would highly recommend it. If you don't think it applies to you, it applies to everybody in IT, and it's that idea of having one person who everybody depends on for their project. So when we have, "Well, we want this guy on our first shift," "Well, we want him on our shift," we want to make sure that we balance those out, that we've got a talent pool we can pull from. And that comes down again to those incident commanders knowing what skill sets we have, where can we apply those, and how can we find those best synergies to make sure that if we have to have shifts, they're balanced appropriately.

Cool. All right, thank you very much to everybody. I really appreciate BSides Vancouver for letting me come again. You can find me online here, I'm at nerdyositynerdocity.com, and also the Cisco Security blog. I will be around for the next two days, so feel free to come up and chat. I love to network and make some new connections. So thanks very much everybody.
excellent good morning everyone thank you for joining me for my talk on a safer way to pay i'm chester wisniewski i'm a principal research scientist at sofos and former board member for b-sides vancouver i left the board last year after the event as my work got a little too busy and you can tell how much better organized it is this year now that i'm not on the board so i please find some time to thank our volunteers and the organizers because this is an incredibly difficult thing to put on especially here in vancouver we're finding space like this is so difficult costs are very high for us and to pull together all the sponsors in order to make it affordable for the
rest of us to be able to enjoy this is an incredibly difficult job and alex and darren and farsad and everyone did an amazing job and uh please uh please thank them with me uh when uh another thing i'm gonna mention is over lunch to remind everybody the uh the women in tech group will be having a panel in here and especially to remind the men in the room we really want everyone to participate this isn't just for women so just because it's called women in tech doesn't mean that the guys should not come into the room and that it's some secret club we as men need to be allies in helping support the women in our community and
help make them feel comfortable and help them grow and a lot of the workshop i think in the talk this afternoon will be or this over lunch will be about being allies so please everyone is welcome and we encourage you to participate and i think um the fact that you know alex pointed out that you know we're up to 17 percent of our attendees being women is still a pretty sad number and sadly that's that's a big improvement from the past but we have a lot of work to do and if you want to be help uh be part of the solution please join us over the lunch time period now i spoke at b-sides 2014 in vancouver it
was five years ago and i did a talk on a very similar topic this is some screenshots from that particular presentation a few of you may have been in the room at the time i was showing how a lot of the at the time stripe skimming magnetic stripe reading malware was stealing credit cards left and right we just all heard about the target breach uh at the end of the previous year uh ram scraping malware and stealing mag stripes was all the rage and i did a bunch of demos on stage kind of talking about how that malware worked and a lot of the ecosystem behind it and i thought it might be interesting five years later to say well you know
how far have we come what's changed where are we at now and what's the current state of affairs with regard to payment technology not just credit cards but also other payment technology but my apologies my voice is a little bit weak i think i have bronchitis and so i'm a little less energetic than usual usually i'm a very energetic speaker but i'm doing my best to if you can't hear me let me know so uh we have come a long way from this fortunately uh this this was a tweet i had in my slides at the time of people people are still tweeting out pictures of their credit cards which is just astounding to me to think that
that's somebody thought that thinks that's a good idea so not all these problems have been solved now how many are there a lot of americans in the room how many americans do we have some americans there's at least one or two uh i apologize but like usual you folks are a little different than everybody else in the world you're special and not necessarily in a good way um not everything i'm talking about most of this in fact doesn't apply to america uh but the rest of the world uh i'm gonna talk quite a bit about emv and how all this stuff works and where i know things about the us i will point them out because most of us whether
we're american or not are shopping and buying things in america frequently even as canadians and it's uh interesting to know the differences so some progress we've made a lot of progress with regard to emv here in canada specifically when we cut over in 2008 so as of 2008 the banks weren't allowed to issue cards without emv chips anymore emv's that little chip on your credit card i'll get into some more details but some pretty amazing things right i mean fraud has dropped 72 percent since the introduction of the chip and it's even bigger number than that in canada so that 72 drop still includes all the canadian cards that are getting skimmed in america so the 72 drop is more like a 92 drop in
canada uh but it's only 72 because we're still getting scammed when we travel outside the country where people aren't haven't adopted the chip as much but there's consequences to this which is all of our online purchases so fraud is up 211 of card not present fraud so the when merchants are looking at fraud calculations and looking at how you make purchases there's card present where i have the ability to cryptographically verify that card maybe collect a signature collect a pin those types of things so i know the person physically possesses a valid thing versus card not present which is telephone fax mail order internet uh all those types of fraud so though we expected to see this and and in numbers
It's still not too bad, right, because we've gone from $245 million worth of credit card fraud down to $67 million worth of fraud just by introducing these chips onto our cards. So it certainly seems to be worth the pain of buying some new terminals, issuing some new cards, teaching people some new procedures to dip instead of swipe, that kind of thing. And 11% of cards in 2017 were due to fraudulent cards, and so you can actually make fraudulent chip cards; I'll talk a little bit about that. There's been quite a bit of research done in the UK, primarily at Royal Holloway University and Royal College of London, on ways to bypass the chip, and I find, you know, some pretty interesting things in there. And we're up to 93% as of 2017. These numbers are really hard to get reliably; there's a smattering of stuff all over the place, so it's really hard to collect the information.

Now here again we use Interac for all of our debit. Unlike in the US, where you may have Visa Debit or Mastercard debit cards, our system in Canada is Interac, and this shows again a very similar number and pattern for the amount of fraud. In fact we're down to under $4 million in 2019. As expected, less than four million dollars for the entire country for ATM and debit fraud. It's really an astounding change to the process.

These are maybe half the acronyms I'm going to use in the next 40 minutes, so if you're a former military member you may be comfortable with acronyms; you may not know these ones, but I'm going to be speaking like I just marched out of the Marines. Just a few of them, to familiarize you with some of the terms I'll be talking about. The number on the back of your card will be referred to often as a CVV or CVC, card verification value or card verification code. We already talked about CNP, card not present. CVM is specific to chip cards generally, which is called the cardholder verification method: how did you verify that I own the card? Did you check the signature on the back, did you put a PIN number in, did you not do it at all, did you just let me tap and walk away? What method do we use to validate it? The number we're usually worried about protecting a lot is the PAN, that's the primary account number, so that's typically 16 digits. It's not actually; it can be up to 20, but typically there's 16 digits on the front of your card. That's the thing we're usually worried about having stolen. Authentication methods DDA, CDA, SDA, which are all different types of authentication. The little chip itself is called an ICC, an integrated circuit card. It's the exact same chip that you have in a SIM chip inside your phone; it's the same technology, made by the same companies, generally Gemalto. What else do we have in there? MSD, which I may refer to, is magnetic stripe data, which is what we're trying to get rid of. EMV itself stands for Europay, Mastercard and Visa. CPP is another thing we use commonly in fraud. So when you hear about one of these breaches and they go, oh, you know, Wendy's hamburgers got breached and we notified that 37 Wendy's in the chain had credit card stealing malware, the reason we know that is through CPP, common point of purchase. A big bank like RBC will see lots and lots of customers reporting fraud on their credit cards; they start comparing them all and they go, ah, they all shopped at the Wendy's on 33rd Avenue in Calgary, so clearly that's the common point of purchase for everybody that has fraud on their cards; they must have an issue or an incident. And that's a very common method of discovering these things.

So, modern cards. That's a picture of my expired Marriott card down below. This is one of the problems: because this technology is universal and open it's very easy to acquire, so I was able to buy a dozen
blank cards that I could screen print with any bank logo I choose on the internet for about six dollars, because they're just standard smart cards. If you use smart cards for authentication in your business, it's the same chip again, right? So you can reprogram these very easily to do anything you want. There's actually an operating system running on that chip; most of the operating systems are Java, and literally there's an operating system with applications in code. I read that particular chip, that's a tap chip there, with a reader on my Android device, and you can see, in addition to the PAN number and the expiration date, you see this card AID here, and if I read that card AID I end up getting this. That is an application ID, so there's an actual application running on the operating system on that little chip, and when you put the chip in the reader it literally boots up the OS, runs the application and starts communicating to the terminal, computer to computer. So really, we call it a chip, but it's pretty much just a computer running a very lightweight Java operating system (lightweight Java, oxymoron).

So this is kind of the beginning of how this works, right? You stick your chip in the reader. It does what's called a call to reset initially, which resets the chip, makes sure it reboots in case anything's stuck in the memory, anything like that, and then the first thing the terminal does is query those application IDs: what applications are on this chip? Those applications will be well-known identifiers for things like Mastercard, Visa, Interac, Amex, Diners Club, etc. That's why, if you use an Amex card, you'll often notice when you go somewhere, you put the thing in and it'll go "application error" or "no application found". It means that terminal is not programmed to talk to Amex. The card is going, this is my application ID, and the terminal is going, huh, I don't know how to talk to this application ID because I don't support Amex. So then of course the terminal will do an application selection. Most cards that are credit cards just have one application on them, Mastercard credit or Visa credit, but in the US a lot of you have credit cards that have credit and debit, so if you've got a credit/debit card the terminal will put on the screen, do you wish to use this as credit or debit, because you've got to pick which application on the operating system you're going to talk to. The debit application obviously works differently than the credit application. So once the consumer chooses that, it reads something called the application file loader, which is literally a directory of files, which is what we saw on the previous screen. So those are different files in the operating system, in that file system in the chip. It reads those files and they tell the terminal all kinds of things about the chip that it may use to decide how to use it. It may say this is a prepaid debit card with a maximum of $100; it may say there's a transaction counter, this is the 398th time this chip's been used. There's all kinds of data in these files that the terminal can use to make a risk assessment about the transaction.

Then we kind of end up in this situation where, if we're doing online, meaning the terminal is connected to the internet, we don't really need to trust the card data very much; we don't need to validate it necessarily, because we can verify the PIN directly with the bank and cut the card out of the transaction entirely. If we're offline, though, we need to do data authentication. This card says the PAN number is this 16-digit number, but what if somebody just stole somebody else's number and put that number in the application, right? We need to try to verify: is this really the PAN number, has this card been tampered with in any way, is this card being emulated, is this just an app on an iPhone or an Android? Because of course this also applies to
when you tap, not just when you dip the card. So we have to do some data authentication, and then we do cardholder verification, based again on what files are being read on this card. So that card may say I only support online PIN verification. Most all of our cards these days sadly support four card verification methods, including none, which we'll talk about in a second. So if we look at that again, I took a picture of a couple different cards here. This is an Amex, this is a Visa. We can see that the app tells us different things that this card has in its file system, so we can see this one lists the cardholder verification methods it supports. It supports terminal risk management, which are things like allow purchases below $250 without a PIN but require a PIN if it's more money, those types of risk management decisions, and also issuer authentication, which means there's a certificate that allows you to validate, you know, the certificate authority; you can validate that the certificate authority is digitally signed correctly.

We've got a question, if you have a mic for a question, from this gentleman over here: "In the previous slide you have one box that says data authentication, in slide 10, and that says offline only. So how do you do offline data authentication for a payment system?" For some reason this... oh, there it goes. I'll go through that in a couple slides. So the question was around how do you authenticate the chip when you're not on the internet, right, like an offline terminal. The most common thing, if you're like me and you fly a lot, you run into this on the airplane, right? You put your card in the reader on the plane to buy some chips and a Coke, and obviously up until recently most of those readers were offline. It's very rare to run into offline terminals in the US and Canada much anymore; almost everything is online, but I'll go into some of the details in a moment. This is not... oh, there we go. Maybe I'm
just... my battery might be... So here's where we talk about the authentication methods, starting with the top one. The earliest one, which is being phased out, is called static data authentication, and in essence each bank has a certificate issued by a central certificate authority. The terminal reads in all the data from the card, so it reads in the PAN number, the expiration date, all the different things that are available, and when that information was put on the card, the card-issuing bank digitally signed it with their certificate and put the signature on the card. So all the terminal does is read that hash, basically, and then takes all the data it got from the card, hashes it and sees if they match, and if they match it then checks that the signature that generated that hash was from one of the CAs that it trusts. It's very basic. The problem with that is it's vulnerable to replay attacks, right? So if I can get your credit card, I can copy all the data off that chip, I can copy the signature, put that on my chip and it's still as good as your card, and there's no way for the terminal to know that it hasn't been copied. It prevents tampering, but it doesn't prevent copying. Mostly everything these days ended up being CDA.

The next thing they introduced was called dynamic data authentication, and in this case the terminal generates... my apologies for the industry. Credit card technology has developed over the last 60 years and it's been a hodgepodge of people and processes being smashed together in this unholy mess that is what is in your pocket, and so they use a lot of terms that mean the same thing, but different terms, because in the 1970s we called it one thing and in the 1990s we called it another thing. In this case they call it a 32-bit unpredictable number, which I might call a random number, or, for any of you that are coders, we would probably call it a nonce. But they don't call it a nonce; they call it a nonce in different areas. In this area they call it an unpredictable number. So what happens is the terminal generates a 32-bit unpredictable number and it sends it to the card. The card then adds the unpredictable number to the card data and then signs it with its own certificate, which has been issued by the CA at the bank that the terminal trusts, and then the terminal can verify that that public certificate was issued by a trusted CA and signed the data for real. Right now it hasn't been replayed, because that unpredictable number changes every time the card is put into a terminal, so the unpredictable number needs to match or the hash won't validate. And bizarrely, again, the technology it's using there: it SHA-1 hashes it and then signs it with a... the specification literally says a 284-byte RSA key, which is 1984 bits. I'm trying to figure out where the other 64 bits went; there must be 64 bits of memory on the chip that they need to use for something else, and so they just reduce the RSA key size by 64 bits. But that's how it does it, so it ends up being pretty much the same as SDA, but it's replay resistant because of that unpredictable number being put into the hash.

Mostly things are now doing cryptogram data authentication. Here in Canada I believe SDA is no longer allowed in any of the terminals issued, but that doesn't matter, because I still have to be able to use my card in Croatia or Alabama, and that's where SDA is still used commonly. So if I don't have it in my card I can't use my card there, so I still have it in my card, just like the mag stripe on the back. But this is much more complicated of course, because this time the card is generating a 64-bit nonce (because we stopped calling it an unpredictable number). The card generates a nonce, sends it to the terminal; the terminal generates an unpredictable number, combines it with some padding, the original nonce and all the data headers about the transaction, encrypts it using the card's public key, and that allows the card to then decrypt the message it got from the terminal. So you're getting non-repudiation here: we know that the terminal has a valid certificate that we trust, and it's signed, you know, it sent the message to our public key, so now we've got a full interaction between both sides of the conversation validating one another that they're genuine. Then it goes to the next step. So if it needed to do authentication, it does that; now we go on to cardholder verification. So the most obvious and secure thing,
maybe we'll talk about why it might not be so secure, but is online PIN, right? You entered the PIN in the PED, another acronym, the PIN entry device, the terminal, and then it's enciphered by the issuer. We're using the online PIN verification process, and I put that there because that's a whole separate thing; I have another slide for that. How that PIN gets transferred to the bank is not well documented. I made some educated guesses, combined with some knowledge of ATMs, and I put the two together and it fit what happens, so I think that's what happens, and I'll explain it.

The next, of course, is offline PIN, encrypted, and this is interesting. So the card has the PIN, and the bank has the PIN usually, and the PIN is collected by the PIN entry device. It grabs the card's public certificate and enciphers the PIN using the card's public certificate, hands it to the card and says, is this the right PIN? Does anybody see the flaw in that process? I can just say yes; I don't need to know the PIN. And this is what some of the research that's been done has shown: how you can bypass this quite easily if you can force a terminal to be offline, by, say, disconnecting the telephone wire from the back of it, or maybe messing with the Wi-Fi and doing a, you know, bump attack on the Wi-Fi to knock the terminal off the Wi-Fi so it's offline and it falls over to offline verification instead of online verification. Now if I'm able to tamper with the chip I can just say yes to any PIN. It doesn't matter if the PIN is right, because the terminal doesn't have any way to validate it; it's just sending me the PIN and going, is this right? And the researchers at Royal Holloway, Ross Anderson's team (if any of you read the book Security Engineering, the best book in our industry, by Ross Anderson), his team of students did some research on this a few years ago. They were able to build a shim that was a millimetre thick that they could put on the chip on their credit card and then go all over campus with other people's cards and make purchases at the canteen and the quickie mart and all this kind of thing without knowing the correct PIN, by just saying, yeah, that's the right PIN. So there's a lot of problems in this system still, but that's how it works offline. The other method of offline PIN is offline PIN not enciphered, where the terminal literally just hands the PIN to the card unencrypted and goes, is this right? And you can still just say yes; you just don't have to mess with that whole digital signature stuff.

And the other two methods are signature, which is still the most common method in the United States, although that's quickly... it's bizarre, really, in my opinion. It's one thing that the US issued non-PIN cards; that's a decision for the banks and the risk management people in the US to deal with. But what's weird is when we're travelling there with our cards that do support PIN, 50/50, even if it's chip, it still asks us to sign, because the terminal only supports signature verification, which is pretty weird because they all have a number pad on them. I don't know why it doesn't let me just put my PIN in. Maybe it's a good thing, considering the PIN's either not ciphered at all... but it's just kind of weird. But the cardholder verification method is a match of what the card and the terminal support, so obviously the most preferred is online PIN, and then offline enciphered, and then offline not enciphered, and then signature, and then the last verification method is none. And that's there for a good reason. There's a lot of times where, when you're at the Coke machine, you put your card in; there's no way to really verify you if it doesn't have a PIN pad. You can't sign, so none is a very valid thing to have. It's also valid for tap and pay, where you want quick
transactions and people to move on without having to monkey around too much. The signature stuff just still feels very 20th century to me. But the terminal gives its list; it's very much like HTTPS TLS negotiation, right? I support these ciphers, I support these ciphers, we'll pick the best one of the two lists that match, the highest common denominator if you will. And for some reason US terminals are setting their highest common denominator to signature.

Now, online PIN verification is a dog's breakfast. These are some images from the Royal Holloway research I was talking about earlier. If you're really interested in this stuff it's very easy to find if you just google the name of the paper, "Enhancing EMV OPV", where they propose how to fix online PIN verification, which suggests that it's broken, because it is. This is kind of how it works, right? You've got the PIN entry device here, which generally talks to a payment terminal operator, which is not necessarily a bank; it's the companies that sell and lease out or manage these payment terminals that restaurants and merchants buy. It then, in essence, needs to get the PIN from here to the card-issuing bank. So that's the CIB, card-issuing bank; the scheme operator is Mastercard, Visa, Amex, JCB, UnionPay, Diners Club; and these are unknown intermediate nodes, like all the different banks and parts of the payment processing chain that all link one another to the scheme operator. And this is literally how we believe it works. The card is in the terminal; the terminal gathers the PIN. Because we're online it doesn't send the PIN to the card; it doesn't trust the card, which is good, because the card just says yes. The PIN instead is enciphered with a key that it shares with the company that manages that terminal, and then they decrypt it and then cipher it with another symmetric key for their provider, and then they decrypt it and they use another symmetric key to send it to their provider, to their provider, to their provider, to the card-issuing bank. And it's all symmetric keys that are hard-coded in the terminals and baked in ahead of time as part of the process, and if any of those keys are compromised, all bets are off for PIN collection. And this is one of the... so if you ever have a chip-and-PIN transaction that's a fraud on your credit card, I highly recommend you fight it, and you give me a call, because there's so many ways to prove how broken this is that there's no way they're going to be able to hold you liable and go, oh, your PIN was used, you clearly shared it with the criminal. If you didn't share the PIN with anyone, it's highly likely that one of the 27 things that could go wrong in this process did, and somebody's been collecting PINs at an intermediate operator for the last eight months and we don't know it. And this is still being litigated with CIBC bank in Ontario. There was an $81,000 car purchased on a credit card. I'm not sure who allows people to buy cars with credit cards, and who has an $81,000 limit on their credit card; there's a lot of questions in this whole case. But the Canadian courts have not yet made a decision, to my knowledge. I was not able to find any evidence that the Ontario Supreme Court has ruled on that case yet. But there's so much brokenness in the way that this validation is done that I would not like to be held liable if something went wrong.

So then we go on to what's called processing restrictions. These are things like, maybe this card only supports online verification. These are all things that are in those files on the file system. The most common ones you're going to see are what's called a floor limit: I'll allow you to be offline if the transaction's under $200, but if it's over $200 I won't allow this transaction to proceed unless I can verify online. Other types of floor limit might be the way you have on your tap card, where if it's under $100 you can tap and buy whatever you want at the grocery store, but if it's over $100 the floor limit says no, you can't do tap, you've got to insert the chip and verify your PIN or signature or whatever. After the processing restrictions, the terminal has its own risk management, where it goes, oh yeah, no, it's okay that I'm offline; I'm on an airplane, that's normal here. Whereas maybe something that does debit or ATM transactions has to be online or it won't allow it to proceed. And then the terminal does its own analysis of that and goes, right, I've
decided that this can proceed with a signature, and then it goes to the card to do its own risk management. It does the exact same process again: the card has its own maximum and minimum limits, whether it's online or offline, whether PIN was used, etc., and the two are combined to decide if they can proceed with this from a risk management standpoint. Do I need to go online, can I stay offline, what needs to happen? And then, if online processing is needed, we proceed to the magic of what the chip actually does.

So this is how EMV actually works. What will happen is the card has to create what's called an application request cryptogram; that's what this ARQC is, and so it uses a triple DES key. Yes, a triple DES key, that's what we're still using in 2019. It uses a triple DES key and it grabs this data from the card, so it takes the primary account number, the name, the expiration, all that stuff, the amount of the transaction that it got from the terminal, $100 say, the unpredictable number that the terminal gave it, what currency it's in (there's currency codes for each: is it US dollars, is it Canadian, is it Australian pesos, whatever it might be), the date of the transaction, all this stuff. It signs it with the triple DES key and then it sends all this data unencrypted with the signature, and that's what this cryptogram is, or what we call an application request cryptogram. That application request cryptogram is sent from the card to the terminal, from the terminal to the issuing bank through all those intermediaries we saw earlier. None of those encryption keys are necessary; all of this is unencrypted. It's just the hash with the unencrypted data that goes to the issuing bank. The issuing bank has an HSM with a different triple DES key for every credit card they've issued, so they go in their HSM, they get the triple DES key for that card based on the PAN number, and then they do the same calculation the card did. They take all the information they have, the unpredictable number, the date, the transaction amount, the PAN number, all that; they hash it with the triple DES key that that card's supposed to have, and then they compare the hash to the application request hash. Did they match? If they do, it must be that card that sent me this request, because only it has that key, that triple DES key that we know about. So then we craft our response, which is called an application response cryptogram, which is the ARPC. It crafts its response, does the same thing: it hashes the response with the key that the card has and sends it back to the terminal. The terminal can't read that; it doesn't know what the key is, doesn't have the key, so it just sends it to the card and goes, here's the cryptogram; is the transaction approved or declined? If the transaction is approved, the card signs a transaction certificate with its public key, or rather with its private key, and sends the transaction certificate to the terminal, and the terminal goes, ah, it's approved. That transaction certificate is actually what they submit to their bank to get the money. If it's declined they get what's called an AAC, an application authentication cryptogram, which makes no sense at all because it only is issued when it's declined, but the application authentication cryptogram tells the terminal: nope, failed, you know, take the milk and cookies back
from the customer. Got it? Pardon me.

So, next payment method: tap to pay. You may know it as PayPass or payWave; for about three minutes in history Amex's was called ExpressPay, it's not anymore for some reason. If you do debit you may have Interac Flash. One comment on debit for anybody in the world: I do not ever recommend using debit for anything. You are protected similar to the way you're protected with your credit card transactions, except while you're arguing with your bank about the $81,000 car, you don't have $81,000; that money is tied up until you resolve it. You do not get your money back until the bank goes, yes, that was fraud, here's your money back, and that you complied with all the things you needed to comply with. And if you need to pay the rent, that might be a problem if it is actually fraud. So I'm... nothing against Interac; their system's great. I've looked into it and it's actually reasonably sophisticated and I think they're doing all the right things, but the problem is on the liability side between you and your bank. I was unable to confirm, but it's my understanding, with a credit card you have 30 days from the statement to issue a dispute, and of course during those 30 days, if you're disputing it, if you're like me, you don't pay the bill until the dispute is resolved. I have the power in that transaction with the credit card company to say no, I'm just not paying it until you take this fraudulent MacBook off my credit card. Whereas in the case of debit, of course, that money's gone until you can get the bank to refund it, and it's my understanding you have to report it within seven days of the transaction, so you don't have 30 days, and it's the transaction, not the statement. So much more protection with zero liability on Visa and that type of thing than you have from debit, and I just get comfort in knowing I can just not pay the bill. I'm willing to take a credit hit over somebody else buying a MacBook with my credit card.

So, sadly, America has done it a little bit to us again. Us in Canada, our cards generally support both what's called MSD and EMV. MSD is magnetic stripe data. Because America decided not to roll out EMV terminals until yesterday, we couldn't use EMV when we rolled out tap to pay 10 years ago, so we had to emulate magnetic stripes, to make tap to pay as insecure as magnetic stripes, to be compatible with American terminals. So almost all Canadian terminals... the drop-dead date, did I put the date in here? I don't have the date in here. The drop-dead date, I believe, in Canada is October 1st this year, that terminals are no longer allowed to process MSD transactions, but in the US it's still the most common method used for tap to pay. So because we like using our cards in America, our cards have both. MSD is just here; you can't use it overseas. It's converting along now, so most of the terminals in the US that accept Apple Pay are using EMV, simply because they had to update the terminals in order to do Apple Pay, and when they did that most of them by accident got updated to being EMV compliant, which is really good. It's not totally insecure. All the card data is sent in the clear, except... well, all the card data is sent in the clear, let's be honest, but the CVV, unlike the three-digit number on the back of your card, is dynamic. So that CVV, it's called a CVC3, is a combination of that triple DES key that the bank had with a transaction counter and an unpredictable number. So this card's been tapped 111 times, okay, we'll throw 111 in with the card data, and the terminal gave me that unpredictable number, I'll throw that in there, I'll sign it with my triple DES key, and then I'll take the last three digits and that'll be the CVV that gets put in the mag stripe data that gets sent to the terminal. So it's hard to replay it or do anything with it, right? Because unless you've got the triple DES key to know how to generate that number... you've got everything else you need to rip the customer off, because you've got enough information to make a credit card now, but you don't have the CVV number, so you can only use that stolen card information somewhere where they're not validating that the CVV is correct. Oh, there's the date: 19 October this year, you will no longer be able to process any transactions for Visa if your terminal supports MSD; they're making you turn it off.

EMV is the modern way to do things. It's the exact same process we just
talked about for when you insert the chip, except I don't want to have to hold my card on the terminal until the transaction goes all the way to the bank and comes back; I want to tap and move away. So they've thrown out the application response cryptogram. The request cryptogram is the same, and it goes all the way to the bank, so the bank knows it came from that card, just like it did when I inserted it, but the response cryptogram does not come back to the card, because the card is probably not on the terminal anymore. So the bank just communicates directly to the terminal and says accept or decline. Because it's asymmetrically validated we have non-repudiation. It's the global standard for tap to pay. Adoption varies: if you travel a lot like me you'll notice everything in Poland, Australia, New Zealand, the UK, everybody's tap to pay for everything, whereas in France and Germany it's quite rare; you don't see it nearly as often. In the US it's really hit and miss whether it works or not, partly because of this MSD/EMV stuff. Here in Canada it's incredibly popular, obviously. I'm a big fan of tap to pay, to be honest. There's really no security downfalls to it when it's in EMV mode, and it's quick and easy, and that's really why it was introduced. If you are a merchant, or you do work with merchants, I encourage you to make sure your terminals have it turned on. I notice a lot of terminals around Metro Vancouver have it disabled, which is really strange to me, because if you look up the Mastercard interchange rates chart, which shows how much you're charged for credit card transactions, if you use a chip, in general it's 1.5 percent for most merchants; that's the bank interchange rate. You may pay more because the company that services you may add on something, but one point five percent in general. With tap to pay it's five cents for under fifty dollars, six cents for fifty to a hundred, and seven cents for over a hundred, flat rate. So at the five-cent mark I can accept credit cards for a pack of gum and it doesn't really hurt me, and it's so cheap that in Canada I believe the break-even rate is three dollars and forty-seven cents. So if the transaction is over $3.47 it's cheaper to tap for the merchant; if it's under $3.47 it's cheaper to pay the interchange rate. TMI, too much information.

Another acronym: Apple Pay and Google Pay. I'm a giant fan of these, because all Apple Pay and Google Pay do is implement EMV with tokenization, in essence. So there's a few things that are unique about it compared to just tapping your regular Mastercard. One is your phone can communicate to the terminal that you biometrically validated or that you entered a PIN, and so some terminals will allow you to have a higher transaction amount if you validated with biometrics or a PIN. So it might be a hundred dollars for a tap-to-pay credit card but 200 for tap-to-pay Apple Pay, because now I know that you just Face ID'd, or that you just did the fingerprint, Touch ID kind of thing. Same with Google Pay. Another difference is it uses tokenization; I mentioned I'll explain that in a second. And another nice thing as a consumer is it can communicate directly to you, without you holding your thing against the terminal, that it was accepted or declined, because you've got an internet connection and it can send you a message and say, hey, by the way, approved, you were just charged $86.12. I like that feature on my phone; I use Google Pay and I'm quite happy with it.

This is how the tokenization works. You want to enroll a new card in your iPhone or your Android. You take a picture of it or you type the numbers in, whatever way you do it, you put the credit card information in, so the credit card information gets sent to Apple Pay. Apple Pay doesn't keep that; they don't store it, they don't do anything with it. All they do is encrypt it and send it to the tokenization service provider, which is provided by Amex, Visa and Mastercard; each have their own. They then generate a token mapping, going, right, this PAN number, I'm issuing this token that represents it. They store that in a database, probably in an HSM, I don't know, and they generate a token, they send that token back to Apple or Google, they don't keep it, they just send the token back to your phone, and then your phone stores that token in a secure element, which is a chip for storing encryption keys that's tamper-proof, that's embedded in your phone in the NFC chip that does the wireless tap reading and writing. Yes, if you're paying close attention, that's a Chuck E. Cheese token; I couldn't find a picture of a token. So that's how that works, and now your phone has this secure token. Apple does not have it, Google does not have it; they are not able to track your spending or sell your purchase information, because they don't have it. When you go to a merchant you tap your phone and start sending your PAN...
oh, I'm wavering on battery, but somebody's going to fix that, right. So when I tap my phone it sends the token instead of my PAN number, and the token goes directly to the token service provider. They look up what that's associated with, they then send the transaction to the bank, say hey, this credit card's buying this. The bank goes oh yeah, that's approved, sends the approval back to the tokenization provider, and then the tokenization provider sends the terminal an approval message. Your credit card number was never sent to the bank directly, the terminal never saw your credit card number, it only ever saw the token, and the only people who know what that token is
matched to is the tokenization service provider. Apple doesn't know, the terminal doesn't know, the merchant doesn't know, so it provides a high degree of anonymity relative to other methods. New stuff: I'm running out of time and these aren't actually that interesting, so I'll touch them lightly. I looked at Venmo a little bit. It was a hot mess until about a year ago; they finally settled violations of the Gramm-Leach-Bliley Act and other consumer acts that they were in breach of in the U.S. last year with the Federal Trade Commission. PayPal bought them a couple of years ago, and since PayPal bought them they've kind of shored them up a bit. What's interesting
to me about it is it's really, really weird. You should never use this with anybody you don't really, really trust, that you think has maybe got a lot of money in their bank account, because it's a ledger-based system, in that I send you a thousand dollars, your Venmo account shows you have a thousand and I don't have a thousand, but until you cash that money out to your bank account it doesn't actually take the money away from me. So I can double spend it, triple spend it, quadruple spend it, and then when you go to actually withdraw the money a month later there is no money. So yeah, you know, buyer beware. If you do use these kinds of
things, this is some good advice from Investopedia explaining some of the features. Another problem with Venmo is, by default it's a social network, so it shares all of your purchases with everybody that knows you every time you use it, unless you turn it off, so there's a lot of privacy issues there. Here in Vancouver we see a lot of Alipay and WeChat Pay these days. We're not able to use these services because they're generally only available to Chinese residents, but merchants are accepting them for payment because we have a lot of people from China coming here and spending money, so we are seeing them. They're also quite messy and questionable. The idea that I can scan a QR code to
pay is kind of nice until I realize I don't know who put the QR code there, and that anybody can make them, and the privacy implications are staggering. There's a great report by Citizen Lab in Toronto and I recommend you read it if you want to know more about this; they've deep-dived on all that stuff. And so, in conclusion, for me, looking at all this stuff: I love my privacy, so I'm a big fan of Apple Pay and Google Pay from that perspective. If I'm going to pay with something electronic, I don't want middle parties tracking my spending, and it really does disguise everything quite nicely from a lot of the people in the middle,
so I'm a big fan of that. In the end, cash is king. If you want your privacy, don't use any of this stuff, use your head, go to the ATM and get some of our lovely plastic money and do that. But I'm also, I think the wireless payment stuff is really where it's at. It's the most secure and the most modern of all the standards used, it makes the most sense and it has the least ability for fraud and risk. So on that I'll conclude, and if you have any questions I'll be around for a little while during lunch and I'm happy to answer them then, and I
appreciate your time. Thank you. [Applause]
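The enrollment and payment flow just described, as an added example that is not code from the talk or from any wallet or card network: a toy model in which the wallet forwards the card number once, the phone keeps only the token, and the merchant terminal never sees the PAN. The PAN, balances, token format and tap limits are constructed for illustration.

```python
# Added example (not from the talk or any real wallet or network): a toy model of
# the EMV tokenization flow. PAN, balances, token format, tap limits are made up.
import secrets
from dataclasses import dataclass

# Constructed tap ceilings (cents): the talk's "$100 for a plain tap, $200 when
# the phone reports that the user verified with biometrics or a PIN".
CARD_TAP_LIMIT = 100_00
CDCVM_TAP_LIMIT = 200_00


@dataclass
class Issuer:
    """The cardholder's bank: the one party that must see the real PAN."""
    balances: dict  # PAN -> available balance in cents

    def authorize(self, pan: str, amount: int) -> bool:
        if self.balances.get(pan, 0) < amount:
            return False
        self.balances[pan] -= amount
        return True


class TokenServiceProvider:
    """Network-side service holding the only token -> PAN mapping."""

    def __init__(self, issuer: Issuer):
        self._issuer = issuer
        self._token_to_pan = {}  # a real TSP keeps this in hardened storage

    def tokenize(self, pan: str) -> str:
        token = "TOK-" + secrets.token_hex(8)
        self._token_to_pan[token] = pan
        return token

    def authorize(self, credential: str, amount: int) -> bool:
        if credential.startswith("TOK-"):
            pan = self._token_to_pan.get(credential)
            if pan is None:       # unknown or forged token: nothing to map
                return False
        else:
            pan = credential      # plain contactless card: PAN on the wire
        return self._issuer.authorize(pan, amount)


class Wallet:
    """Apple Pay / Google Pay role: forwards the PAN once, keeps only the token."""

    def __init__(self, tsp: TokenServiceProvider):
        self._tsp = tsp
        self.secure_element = {}  # label -> token; all the phone retains

    def enroll(self, label: str, pan: str) -> None:
        self.secure_element[label] = self._tsp.tokenize(pan)  # PAN not kept

    def tap(self, label: str, cdcvm: bool) -> dict:
        # cdcvm=True models the phone telling the terminal that the user just
        # passed Face ID / Touch ID / PIN on the device.
        return {"credential": self.secure_element[label], "cdcvm": cdcvm}


class Terminal:
    """Merchant terminal: remembers every credential it is ever shown."""

    def __init__(self, tsp: TokenServiceProvider):
        self._tsp = tsp
        self.seen = []

    def charge(self, presentation: dict, amount: int) -> bool:
        self.seen.append(presentation["credential"])
        limit = CDCVM_TAP_LIMIT if presentation["cdcvm"] else CARD_TAP_LIMIT
        if amount > limit:
            return False  # over the tap ceiling; the terminal declines the tap
        return self._tsp.authorize(presentation["credential"], amount)


def run_scenario() -> dict:
    """Walk the talk's flow and report who ended up holding the PAN."""
    pan = "5555000011112222"  # constructed test value, not a real card number
    issuer = Issuer(balances={pan: 500_00})
    tsp = TokenServiceProvider(issuer)
    wallet = Wallet(tsp)
    wallet.enroll("mastercard", pan)
    card_terminal, wallet_terminal = Terminal(tsp), Terminal(tsp)

    results = {
        # $150 with a plain card: over the $100 card ceiling, declined
        "card_150": card_terminal.charge({"credential": pan, "cdcvm": False}, 150_00),
        # same $150 from the phone after a biometric check: under $200, approved
        "wallet_150_cdcvm": wallet_terminal.charge(wallet.tap("mastercard", True), 150_00),
        # a token nobody issued maps to nothing, so the TSP declines it
        "forged_token": wallet_terminal.charge({"credential": "TOK-0000", "cdcvm": True}, 5_00),
    }
    results["card_terminal_saw_pan"] = pan in card_terminal.seen
    results["wallet_terminal_saw_pan"] = pan in wallet_terminal.seen
    results["wallet_kept_pan"] = pan in wallet.secure_element.values()
    results["balance_cents"] = issuer.balances[pan]
    return results
```

Calling `run_scenario()` shows the plain-card terminal holding the PAN while the wallet terminal and the wallet itself hold only the token, with the issuer balance debited once for the approved tap.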
My name is Carl Willis-Ford. I work for a little company called General Dynamics, you may have heard of them. Three years ago I was actually with a small company, but we've been acquired twice since then and now I'm part of this huge conglomerate, so it's kind of dizzying. So, you know, there's a lot of talks at this conference about hardware, a lot about software; I like to talk about wetware, which is kind of a cyberpunk term, but it's the brain. I like to talk about how people interact with security programs. So what we're going to talk about today is the third phase of insider threat. First, a bit of a disclaimer: there's a
lot of tools out there, and more every day, that use behavioral analytics to look at activity and to detect insider threats. Great, but this is a problem that's not going to be solved by technology alone, okay, because the kind of actions I talk about don't get detected by behavioral analytics, so we have to have multiple modes to manage the threat. And what I'm going to be talking about, and I'm sorry, I have to walk as I talk, so we're going to be talking about people, not just technology. All right, so I'm from the States, if you couldn't tell, and US-CERT is kind of the think tank
for the federal government for information security, and they classify insider threat as either malicious or accidental. Okay, everybody kind of knows what malicious insiders do. Oh, and these slides will be available on the conference website in a week or two, and my contact info is on the last slide if you want to reach out and give me a shout. So malicious: IP theft, IT sabotage. The basic idea is they're trying to either harm the organization or benefit themselves, right? They're going to steal data to sell, they're going to steal data to take to another company and give them an advantage there, something like that. Then there's accidental, you know, the I can't believe
I left that USB key in the taxi cab, right, or I lost my laptop. Okay, the problem is that those two categories leave a huge gap, and that gap is what we're going to talk about this afternoon: non-malicious insiders. They're intentional, which makes it different from accidental, right? The accidental insider doesn't mean to violate policy; the non-malicious insider knows they're violating policy and they do it anyway. But they're different from malicious in that they're not trying to line their own pockets with cash, they're not trying to harm the organization, they're trying to get their job done. So, your morning humor break: how many times has that executive been talked about, as far as, you know, shoulder surfing?
So non-malicious insider was coined by research in 2011, and they define it as intentional, self-benefiting, without malicious intent. So here again, they're not trying to harm the organization, but they are benefiting themselves because they think they have to violate policy to get their work done or to make their job easier. Voluntary rule breaking, nobody's making them do it, and possibly causing damage or security risk. And I'm going to go through a lot of different examples of what you're going to see every day in your organization as far as non-malicious security violations, but I'm also going to go through three major examples where harm was caused to organizations and it was started by non-malicious security violations.
So the most common reasons for non-malicious: make the job easier, make the job even doable, or to help a co-worker. And one of the most famous examples I'm going to talk about was all about helping a co-worker. So, common non-malicious security violations: employees don't lock their screen when they walk away from their computer. In their heads they go oh well, it's going to lock automatically, right, 15 minutes, boom, my screen locks, big deal. If they're at Starbucks and they go to the bathroom, it is a big deal if they don't lock their screen when they get up and walk away, okay. I work in a very competitive industry. I work in federal consulting for the US
government. People would love to see what's on my laptop because I do solutioning to win contracts, so trust me, if I'm at a Starbucks in DC and I walk away from my laptop there's going to be people wanting to see it. Post business-related items on social media, yep, we've all seen that. Forward work email to personal email; do they even understand the risk of that? Use personal devices for business without approval. Constantly I see people in a solution session to win work drawing system drawings all over the whiteboard, and you see people grab out their phone, take a picture of it, and then use Gmail to send it to their work account, right. Taking notes on an unauthorized tablet:
if your company has a BYOD program, is there any way to tell if that tablet they pull out to take notes during a meeting is on BYOD, or is it their own personal tablet and they're using Evernote? Allowing someone to tailgate through badge doors, yeah, we know that. And then using cloud-based note apps. So these are things that I've experienced working with other federal contractors in the DC area. So, network maintenance: network maintenance was announced over the weekend, the corporate email was actually going to be down for two whole days. One guy responded, well, I'll just use my Gmail account, right. So if you look at why he chose to do that,
the company did not offer an alternative, he wanted to get his work done, he knew he had to work the weekend, so his knee-jerk reaction was I'll just use my Gmail. Business-sensitive document review, I love this: we're working in SharePoint, corporate SharePoint, and I have someone send me a note saying I had trouble getting my comments in Google Docs to transfer over. I'm like, Google Docs? Employees in a workshop needed to move a PowerPoint: so I'm at another company, in their conference room, they want to do a presentation, they need to get the PowerPoint from their machine to the machine they're using for the presentation. It was secure because it wasn't connected to the network,
right. So they say, let's see, we're supposed to use an encrypted USB and we don't have one, and they asked me if I had a USB that they could borrow. Like, yeah, sure, I'll take that home with me. They had no idea what I was going to pull out of my briefcase. So here's major example number one. A lot of people know Mr. Snowden's name. What a lot of people don't know is how he got the data that he released. He had access to this much data directly; he released this much data. How did he get that extra data? Trust me, he is not a hacker, he is not a technological wunderkind.
What he did was he went to his co-workers at the NSA, highly cleared contract employees, and said they gave me this job to do and I can't get it done because I can't get to the data I need, can you help? Not sure how many, but up to 20 fellow cleared contract employees either gave him their account and password to log in on his machine or allowed him to be on their machine while they were logged in, and that's how he got the data he released. Simple social engineering. They knew they were violating policy, no doubt in anybody's mind that they knew they were violating policy, but they
were doing it to help a co-worker. He wasn't seen as a threat. They had been told, anyone who holds a clearance in the United States hears about social engineering constantly, but they talk about it from the outside; they don't talk to employees about social engineering from within. If one of those co-workers had raised their hand and said, you know, this doesn't seem right, I don't know that we would ever have known his name. Example two: the FBI had a conference call with the Serious Organised Crime Agency in the UK talking about how to deal with Anonymous, the big hacktivist group. Within two weeks Anonymous posted a complete recording of that conference call, and people are going
wow, these guys are good, how did they know what trunk line to tap, you know, how did they do that? Well, it turns out that one of the Irish Garda officers didn't want to drive into his office that day for the phone call, so he forwarded it from his work email to his Gmail account. Policy violation, right. Somebody, not Anonymous, had already hacked his Gmail account. They saw the invite pop up, went huh, I wonder if Anonymous wants to know about this, forwarded it to them, they dialed in and shazam, they recorded the call. No intent on that police officer's part to help Anonymous or to hurt SOCA, but the result was that Anonymous knew everything they
talked about. So again, he knew he was violating policy, he didn't understand the risk. And last but not least, this is a little older, this is Robin Sage. By the way, the researcher pulled the photo from an exotic dancer's website, created false Facebook, Twitter, LinkedIn accounts so they all matched each other, and then called himself a cyber threat analyst and started making connections. And this research paper is out there if you want to read it; it's linked in one of my last slides for references. Made connections with men and women, mostly focused on security professionals: NSA, DoD, Global 500 companies. She had senior deployed troops talking about troop movements, or I should say he had, right,
Robin was his persona. Sent business-sensitive documents for review, had job offers from major tech corporations, and people just, you know, as we all know from Facebook, you know, all the quizzes? You don't answer all the quizzes, because the old way of resetting passwords where you answer personal questions, those answers, you know, are to those questions. But he was able to pull data from asking questions and having conversations with his connections online to be able to do password resets. And Robin Sage is actually the name of a US SOCOM exercise, and that's where he got the name from. But
so all three of those examples, again, people knowingly violated policy and caused damage to organizations. One of the concerns those of us who talk about non-malicious security violations have is that it's largely an unrecognized problem. US-CERT combines accidental and non-malicious into unintentional; the Verizon Data Breach report categorizes insiders as either malicious or errors, right, so back to accidental. So it doesn't get the visibility it needs, because you cannot treat non-malicious security violations the same as accidents and be successful in helping manage the problem. So why do users choose not to comply with policy? There's actually a really interesting little book, I think it was
published in 2016, called The Psychology of Information Security, and he gives a good taste of several different topics, not deep enough, but it makes you want to read more, so I highly recommend the book. So he does kind of a root cause analysis on people not complying with policy, and he basically comes up with three related ideas. One is no clear reason to comply. Cost of compliance is too high, right, where policy is seen as an obstruction or a barrier or a hindrance. And then inability to comply: they just can't figure out how to be compliant. So, no clear reason to comply: why should an employee care about complying with security policy? Do we give them good examples?
I can't count the number of times I've been in an executive meeting sitting around a table and looking at the VPs and senior VPs, and none of them are showing a badge, right. Great example for the troops. Doors propped open, and I've got some examples in the next slide. Internal bad certificate errors. Check-the-box awareness programs, where we build our awareness programs based on someone else's idea of what topics are important, not that we ever actually talk to our employees and find out where their weaknesses are. Poor understanding of the risk to the organization: surveys over and over and over again show that employees think that their company's security posture is stronger than it actually is,
so they think that what they do doesn't matter. So here's pictures from contracting companies that I work with. You can see badge door propped open for construction, nobody standing door watch. Every employee that walks by a propped-open badge door, their concern about perimeter security goes down one notch, right, because hey, the security folks aren't worried about it, why should I be? The one on the left there is a network closet. To get into that network closet you have to swipe your badge and enter a key code, unless it's propped open with a cable box, right. Again, people walking by there, their estimation, these are, you know, your company's full of non-technical users,
they walk by there, in their heads: not important. This is one of my favorites. We all know what that is, right? That's a bad certificate error. This company was working on their VPN for six months. Every time any employee logged into the VPN, that's what they saw, and the direction from their company was go ahead and click on continue to this webpage. But it says not recommended. Oh, that's okay, click on it anyway. So here again they're training their users not to worry about those kinds of errors. That's a dangerous thing to do. Here's a survey of employees of US government agencies. What they talked about is, they asked them, is your organization prepared for these
kinds of attacks? The blue is the end users, the red are the actual cybersecurity employees, and you can see international cyber attacks, well, every one of them, the end users thought that the agency was more prepared than the actual people who have to be prepared. And what came out of this survey is that people actually thought that their agency's security posture was so good that it didn't matter if they were compliant or not. Basically it's, I'm just one person, nothing I do on my computer is going to affect the agency. So we have to walk the talk, and that's everybody in the security business. We have to get executive management on board, we have to bring culture change to the
organization, and it has to start not at the top, it has to start everywhere. Every security person has to be willing to walk that talk as well as management. We can't just rely upon management; we have to lead from above, from the side, from below, from everywhere, right. I am absolutely willing to call out a senior VP if they're not showing a badge in my company, even if I know them, because hey, they could have been fired. Awareness programs. And I've had senior security professionals tell me, awareness programs, why are we even spending money on those? Because, you know, no matter how good our awareness program is, someone's going to click on a link.
That's true, but if we can keep 95 percent of the people from clicking on a link, we have that many fewer problems to deal with. And then I ask him, so let's talk about your security hardware stuff. How much of it is 100 percent foolproof? Are you going to get rid of anything that isn't? And he kind of went, fair point. So, you know, we have to hit all the bases, right. We have to have the hardware, we have to have the software, we have to have the wetware; everything has to be hitting on all cylinders to get our security posture where it needs to be. So each individual company needs to
target its most often abused policies. We don't need to take our awareness program topics from what the industry thinks is important, right. We need to talk to our users, find out where they're weak, and deal with them. We have to, and I review so many awareness programs and it's all about the what: this is our policy, this is our policy, this is our policy. There's nowhere near enough why, why is that policy important, and even less do we ever talk about how, this is how you can be compliant with the policy, right. We're talking to non-technical people trying to figure out how to be compliant with your security policy; they
need help. From the research in 2011, the three significant indicators for people violating policy for non-malicious purposes are relative advantage for job performance, that's a fancy way of saying it helps them get their job done; perceived security risk, they do not perceive their actions as increasing security risk; and then work group norm, aha, that's a fancy way of saying well, they're not following policy, why should I, right. So it becomes a herd mentality. That's why you have to work, and it takes effort, to get them headed in the right direction. So, and treat awareness programs as a marketing campaign. So many companies, I won't say mine's one
of them, but so many companies' awareness programs are once a year we'll send you a slide deck, you click through the slide deck, don't click through too fast, right. You click a slide, you go get a cup of coffee, you click another slide, you do some work, you click another slide. As long as you don't go too fast you don't have to read any of it, and hey, you're certified, you did your security awareness training, right. We can't keep doing security awareness that way, you know. And people will talk about, what's the cost of security awareness programs? Well, what's the cost of breaches, right. And act like your organization's future depends upon your employees following
policy. So what about punishment? Almost every company I work with has something in their security policy that says if you violate policy the penalty will be up to and including termination. Does that actually work for anybody? No, the answer is no, right. If you look at general deterrence theory, which is what this is based on, the three rules are: certainty of detection, all right, and so many non-malicious security violations go undetected. One of the companies I work with, their main floor is actually kind of, the building's on a hillside, so the front door is up here, they have a security receptionist, badge door, hotsy-totsy, happy. In the back is the parking garage;
you come in the lower level and you have just a badge door with nobody watching it. It has one of the handicap access buttons, right. So I stand there in their lower lobby just waiting. Somebody walks up, badges, hits that handicap access button, they're in, hit the button to the elevator, in the elevator before that door goes shut. Anyone standing in the lobby could waltz in without them ever knowing it, right. It's awareness: where is security in that person's head, is it back here or is it up here? So we aren't detecting it. Certainty of punishment: do employees ever hear about other employees being punished for security violations? In most companies, in most organizations,
it is a privacy violation to talk about someone getting punished for a security violation, so as far as your employees know, nobody ever pays a price, right. Now, I was in the Navy; they were very proud to talk about people getting punished, they did it all the time. But you don't see that in private organizations. And then speed of punishment, right, just like, you know, your puppy dog pees on the floor, you bap it on the nose two days later, he's like, what was that for, right. Well, if the employee never hears about someone being punished there is no celerity of punishment, right, they don't see that happening. So the real answer is that phrase in your policy about
sanctions up to and including termination is to keep the lawyers happy; it doesn't have any actual impact on your employees. So the issue: cost of compliance is too high and inability to comply, because they're related. Employees want to get their work done. This is shown over and over and over again, right, it's a bell curve. Most of your employees are in the peak of that curve and they all want to get their work done. Security, if it gets in the way, they will happily go around it. Security policy viewed as a hindrance or an obstruction: the path of least resistance will always be the one they choose, and we aren't helping, right.
Company after company after company, if they can even find your security policies, they can't understand them. Typically, my experience is that security policies are written by security professionals for other security professionals to review and approve, right. How many people are in companies that actually bring in non-technical users to review security policy to see if they understand it? We do that for software, we bring in focus groups, right. Why don't we do it for security policy? So policy is not covered by our once-per-year training, and I know companies that do major overhauls of their general acceptability or general usage policy and never inform anyone, right. I worked with a company last year;
they were so proud of the fact that every new employee had to sign saying that they had read the general acceptable use policy. Great, how often do they have to reread it? Oh, they don't, they just read it the once. So I've been with my company 21 years, so in that case I would have read it 21 years ago. You think it's changed since then?
So for example, an astounding number of companies still don't have single sign-on, right. So we force employees, and everyone in this room knows this story, we force employees to remember multiple complex passwords, we make them change them every 90 days, every 60 days, right, and it just becomes impossible. So what do they do? We all know that they start writing them down, right, or they put them in their phones, or they email them to themselves, or they do something, right. Not providing a method to transfer large sensitive files. This file is too big to send in my email; like, I think the biggest file my email will send is maybe 15 meg,
right, and I work in proposal land. Proposals are routinely 50 or 60 meg, so how do I get that to this guy? Well, I whip out my trusty USB key that I promise has never been put in a computer anywhere else and transfer the file. And of course the company policy says that I can't use a personally owned USB storage device, but they don't buy me one. So, and this was a classic: they realized that people were putting PII in email and they said, yep, new policy, if you put PII, personally identifiable information, in an email you have to encrypt the email. And I said great. I read through the policy; actually it
wasn't a poorly written policy, I was impressed. And then they had a link to the process to actually teach me how to do the encryption. It didn't exist.
So, and the policy that people can't use personally owned USB storage devices, company won't buy them, there's no other way to back up a laptop: everybody is buying USB storage devices, whether it's a thumb drive or, you know, an SSD or something. They're going to back up there, they're going to protect the data on their laptop. If you don't give them a way to do it officially, they will find a way to do it on their own and increase the risk to the company. So we have to provide a balance between the cost of compliance and the need for compliance, and this is my radical concept, okay. I've worked a lot in software
development in the past as a solution architect. I'm kind of a foot deep and five miles wide, right, because I will write technical responses for Scaled Agile Framework, for virtual networking, for supercomputing, for you name it, right, but I'm not really deep in any of it. But what I can say is that I've done enough software development work to know how seriously we take the human-computer, well, back in the day it was called human-computer interface, then it was called user experience, and now I'm hearing people call it human experience. Whatever we call it, we take that stuff seriously when we're developing websites or applications, right. We bring people in, we have them
walk through wireframe models, we see how long it takes them to find something on a portal, and we track everything they do as they search for that item. We don't do any of that in our security program, right. It's almost as if we don't care about the significant number of employees. So my company has 40,000 people in it; maybe 2,000 of those are internal infosec people, so we're ignoring the other 38,000. It's almost like we don't care if they know how to use our security program, because it's really for us, right. So why not test people's understanding of policy? When we make a change to a policy or we introduce a new policy, why not
bring in a group of non-technical users and see if they can understand how to comply? First, do they understand what it's telling them; second, can they figure out a method to comply with it; and third, what do they think is wrong with it, right. You'll get some astounding insights if you do that. Find out what our users need. Get out there in the spaces, a Navy term, when you're talking about, you know, getting out into the spaces where people are working in the ship to find out what they're doing. Get out there, talk to them. What's their frustration with your security policy? What can't they do? What workarounds? Hey, asking about workarounds, you'll find
amazing things that they're doing to get around your policy; you'll never know otherwise. And provide a channel for feedback. I'm still surprised that we aren't doing, I mean, every company out there has an HR number. I guarantee you that they advertise a number that you can call if you've got an HR problem, because, you know, we attach big lawsuits to HR problems, but we don't do that for security. Where can we automate, right? We can't fully remove the burden of compliance from our users' shoulders, but where we can automate, like single sign-on and things like that, well, we can make it that much easier for them. And people will go, oh, but that's
too expensive, you know, a small company will say that's so expensive. Well, again, what's the cost of a breach? What's the cost of business-sensitive data that you're relying upon for your next innovation getting into the hands of others? So the goal is culture change. Managers have to provide a strong example of compliance. Security professionals are there to help, not to mock and be condescending, right. I mean, I was in IT back in the 80s and, you know, it was popular to refer to users as losers, and I see a lot of that in today's security industry, right. One of the examples, I was talking with someone about this last night: on LinkedIn someone posted
a link to Amazon for, it was called a password log book, right, where someone could write down their accounts and passwords, and it's for home use. And they're like, oh, anyone who'd buy that's an idiot, and yada yada yada. And I jump in there and go, okay, so explain to me real quick, guys, you're security professionals, you know how to do risk assessments, right. At a very basic level a risk assessment is: what's the probability of something happening, and what's the impact to your business of that thing happening. So let's do a risk assessment on this password log book that Ma and Pa Kettle are going to have at home. Well, if someone's breaking into their house,
are they looking for a password log book? Probably not. They're looking for their television, they're looking for their silver, they're looking for cash on hand, right, maybe credit cards if the purse or the billfold's there, but they're not looking for a password log book, right. So when we think about our security programs at work, security programs at home, different story, right. So when we talk to users in our organization, our company, we have to remember that, you know, they're looking at security from a different context than we are, and we have to help them understand our context, we have to understand their context. So we have to get employees to feel responsibility for the organization's
security. We can't do the sky-is-falling scenario because they will get tired of hearing that, right. I sit through security awareness programs, I'm part of a NIST technical working group that puts on an annual conference for improving security awareness programs and role-based training, and I sit in there listening to presentations telling us about how dangerous cell phones are. I'm like, okay, so wait, if you're giving this to your users and you're telling them that cell phones are too dangerous to use, what are you giving them as an alternative? What are you doing to help them manage the threat or manage the risk of using a cell phone? Because I guarantee
you nobody's just going to go, oh well, fine, I'm not going to use my cell phone anymore, right. That's not happening. So again, if we know they're doing something in our organization that increases the risk to the organization, we have to give them an alternative. We can't just say don't do that anymore, right. Take the time to find out why they're doing it, why is that workaround established, and then work backwards into probably changing what we're doing so that they'll change what they're doing. The security awareness program goal moves from compliance to security becoming part of how everyone sees their work day, right. We have to take security from back here to up here,
and the way we do that is that we help them get their jobs done with security here. User engagement is really, really, really the key to success in managing non-malicious security violations. If you don't understand why your users are not complying, you'll never solve that problem. So, human factors, I don't care what you call it, human factors, human experience, human-computer interface, you name it. Go through, and this is a project that I'm just now starting, but I'm going to take the security program writ large, right, and all the piece parts that are in a security program, whether it's firewalls, VPN, security policies, awareness programs, you name it,
and identify everywhere in that program where a non-technical user interfaces with it and then look at that interaction through human computer interface or ux lenses to see how we can improve that interaction not going to say it's easy or not going to tas it's not it's going to be over fast but um i think that's what we need to do is we need to look at places you know and bring in hx experts to help you with your security program help you with your policy prioritize the end user experience we're too busy prioritizing our experience we need to again consider the end user in this think about the end user trying to follow your policy in their daily work rhythm
find out what they're doing avoid overly technical descriptions test policies for internal paradoxes because you'll you'll see them a lot and the best way to test them is to have someone who doesn't know the technology read the policy and nine times out of ten they'll go you say to do this up here and then down here you say to do that and we can't do both and like oh okay so non-malicious insiders are the biggest chunk of the insider threat problem the malicious insiders get all the attention right they're the ones that do that can do direct damage to your organization the non-malicious insiders nine out of ten of them will violate a policy and
won't impact your organization that tenth one is going to violate a policy and open the door right whether it's an internal malicious insider like snowden or an external malicious insider like anonymous it's going to harm your organization so educate people on risks get them give them a better understanding of why the policy is there and how to comply with it think about the end user trying to follow policy in the daily daily work bring in anyone who's doing software has hx people in their organization bring them in have them have them talk with you have them work with you and don't rely upon threats of punishment don't point to that and go well that's going to make
sure people comply because it doesn't so and all this really wraps into security awareness programs and if your only goal for a security awareness program is check the box compliance that's all you're going to get you're not going to manage this non-malicious security violation threat so like i said the slides are available um and that's me if you want to get hold of me i'm happy to talk about this and also the slide deck has a list of references for where i pulled a lot of this material um the robin sage paper was presented at a con way back in the day and that's it i'm happy to answer questions if people have them [Applause]
Hi, so what do you think about the concept of incentivizing security? So, like, giving people a hundred bucks for the first person to find a phishing email, or something like that?

I like the idea to an extent. You run into, or you can run into, the same problem, and here again this is a shared experience with everybody in the room, where you see the ad of, you know, come in and buy this and you will enter your name into a drawing for some fabulous prize, right? And you're one of fifty thousand people, so what are the chances of you really winning that prize? If you say everybody who finds this will get this, then you'll get more of a response. But if it's the, you know, if you're the first caller, right, what's the chance of you being the first caller into the radio station to win the prize? And that's the same problem. If it's a general phishing campaign and five thousand people get that email, the chances of you being the first one to report it... So typically what I see there is you get a jump in interest and then it rapidly drops.
Does the threat model change at all for remote-only teams?

It changes, yes. It does change, because [five minutes] the way they impact and interact with the security program differs greatly. For instance, I just last summer moved from Washington, DC, working in headquarters, to this little flyspeck of a town called Lynden, just south of the Canadian border, and so I'm 100% remote now. So I'm not going to be letting anybody tailgate, but I can still circumvent certain things. I can still go around my VPN, right? And believe me, there are days when I want to, because the VPN drops six or seven times a day, and internally we use Skype, and our network isn't set up correctly because we just got acquired by somebody else. So it's a challenge, and it would be easy for me to say, hey, let's just have our meeting on Zoom, right? So definitely the model changes, but the threat is still there.
So the question I have is based on what we have seen when we rolled out security awareness: it's more about how security helps you, even at your home. It's not only about the company, but what about you protecting your family and friends at home? And those are the devices, especially if you're talking about the remote users, these are the devices connected to your enterprise network. So if there's something in it for them, not only about the company, then I think there's generally a very well accepted security awareness that goes out there.

Yeah, so the question was about security awareness for your employees at home. One of the things I do is I'm a regular presenter for NASA's agency-wide security awareness program, and one thing I admire about their awareness program is that they intersperse sessions for work and home. Like, I've talked to their employees about social media security at home, and they get a really, really good response. You just need to make sure that you clearly delineate whether you're making recommendations for home or recommendations for work. But yeah, employees generally respond really well to that, because, now there's a study, and I'm not going to remember who did it, but it was way back in the 40s, and they were trying to decide whether, I think it was automobile plant employees, worked better with bright lights or dim lights. So they would change the lights and measure productivity. It turns out that the productivity increase they saw was because the employees knew the study was happening and they felt like, hey, they care about us. The light level didn't make a difference; just the fact that, hey, my employer cares about me, increased productivity. To your point, right?
Hi there. You talk about the third face. Is there a good sort of methodical way to go about identifying how big it is? Yes, it's a third face, but is it like 10 percent, is it 30 percent, 33.3 percent of the issue? Because ultimately you still have to focus on getting the most value out of your security awareness, so I would imagine there's a bunch of sort of environmental items related to determining whether this is a big deal in this company or not. Like, did we just take away their local admin rights and they had them for 20 years, or is there a lot of team collaboration in this company, or is there a lot of mobile workers? I mean, all these items must sort of play into that, right?

Yeah, and so the short answer is no, I have not seen that yet. In order to do that you'd have to deploy an incredible number of sensors, right? You'd have to be able to detect if someone was tailgating through a door. You'd have to be able to figure out if someone, and you know some companies do this, they can detect if someone is sending a business-oriented email to their Gmail account and filter that. But that's the kind of stuff you have to do, and you still won't catch all of them, but you would be able to measure the size of the problem. Right now the research is just saying, anecdotally, you walk around your organization, you see people doing these things, you know it's a problem, and then the big stories that we see where it was obviously a non-malicious breach, or a non-malicious insider that allowed a major breach, they point to those. But I haven't seen any actual metrics. I think that's it. If you have any other questions, please give me a shout. I love to talk about this kind of stuff. So have a great rest of the conference. [Applause]
Hello everybody, are you enjoying the conference so far? Everyone having a good time? They do a pretty good job here, right? This is a fun conference. I was here last year and I really like it. So my talk today is about: are you ready for a cloud pen test? My name is Teri Radichel. I have a company in Seattle called 2nd Sight Lab, and I do a couple of things. I do some training; I used to train for SANS Institute, and I wrote my own class, which is a little different. And I also do some pen testing, because it's fun, right, and some other consulting. So I'm going to talk to you today about: are you ready for a cloud pen test?

Pen testing is cool, right? It's fun. Every time I talk about pen testing or retweet about pen testing, everyone's following and liking it, and many people aspire to be a pen tester. Even my friend who runs a restaurant talks to me about how I should have been a hacker. Like, okay. So it's just really cool, but the thing is that attacking things and breaking into them is so much harder than actually defending them, so I just want to call that out. We should really be in awe of the defenders. But pen testing is good because we check our systems and make sure there are no vulnerabilities. So I just wanted to set the record straight here and give you some expectations. If you came here looking for the latest and greatest ways to hack all the cloud systems, this is not really what this talk is all about. You may pick up some tips or things you didn't know, but that's not the core focus of this talk. The focus of this talk is: are you ready for a pen test? Because I've been doing a lot of pen tests for customers, and I just think, wow, if we could have done this a little bit differently maybe we could have had better results, maybe you could have optimized the use of my time. And also sometimes it took a long time to get things set up; some of that just got easier, and I'm going to talk to you about that as well.

So why, in the first place, do we need a cloud pen test, or why do we need a pen test at all? Well, first of all there's compliance, and there are different types of compliance that require you to have a pen test, and this may be explicit. You can't read this, obviously, but the PCI compliance requirements are very explicit and say you need a pen test. And why do we need PCI compliance? Because if you don't have it you could lose your ability to process credit cards. So we need a pen test for that; depending on what level, different types of testing are required. Other types of compliance, like HIPAA, will say you need to test your systems to make sure they're secure. Well, how are you going to test your systems? Probably it's going to be a pen test; you're going to be looking at the security and testing it to try to figure out if someone could break in. And the other thing is, even if you don't need compliance, you may choose to do a pen test because you want to prove that someone could get into your system. Maybe you want to prove to your developers that there are problems, or you want to prove to your executives that, look, we need to secure these things because here's what someone could do. That's another reason for a pen test.

It's not to prove that someone won't be able to attack your system. Now, what do I mean by that? Attackers have years. They have years to plan and look at your systems and analyze them; they have years to try out different things. They also might just get lucky: they're scanning the internet for everything and they catch you on that day that your ports are open. A pen tester usually has days or weeks, maybe longer, but not years to go and try to attack all your systems. So it's a limited time frame, and in that time frame chances are they won't be able to find every single thing about your systems, but they can definitely find a lot of the major vulnerabilities that you have out there, and a lot of things maybe you didn't know about.
Okay, so what do we have to do to prepare? We need to do some documentation first of all. The first piece of documentation we need is a mutual NDA, because the pen tester will have things that they're using to test your systems that might be proprietary, and you have things that you don't want to get out and be public, so you usually start there. The next thing we'll do is we'll define the scope of the test, and we'll be talking a lot more about that and how you do that in the cloud, how that's different from on premises. The other thing that we need to do is our rules of engagement. The rules of engagement are, you know, when are you going to test, what time of day are you going to test, who do you call if there's a problem, just sort of the rules of the road when we're going through the test. And then finally we have the contract. The contract is going to define the time and the amount of money and things like that. Obviously, if you're doing this internally in your own organization you might not have a contract, but you will still have some of this documentation to talk about how you're going to go about that pen test.

So, what you don't have to have anymore. It used to be that the cloud providers, especially AWS and Azure, would require you to submit a request before you did your pen test, and you would have to, in the case of AWS for example, go get those root credentials they tell you to use, pull them out of the safe or wherever you have them, and go submit this request. The other thing I was able to work out was to do an account-to-account pen test, because I was having discussions with various people at Amazon about how fixed IP addresses in the cloud were kind of anti-cloud, and so I was able to do some things like that. But you still had to submit a test, and you still had to submit DNS and other things. And that changed recently, and it's kind of funny, so I'll tell you about my last request. I was doing a class, and I do a pen testing exercise, and so I wanted to submit all the students' account numbers, and I forgot to get their account names. And I was like, oh yeah. So I submitted this request and I said, can you please approve it without the names? If I have to go get them I will, but some of the people in this department know me by now, or I think some of the people there, I don't know how many. And I was just crossing my fingers that somehow this would magically go through, and then I got back this email, which is interesting, and they said you no longer need to submit a pen test request. I had never heard this before, and there's still some rules here, but I was like, wow, cool, that's awesome. And I had been talking to people at Amazon about this, so I was really excited. I also had it on, there's something called the AWS wish list where you can put in requests and they'll sometimes grant them. So I went ahead and put it on Twitter, like, hey, cool, look, this happened, and then I went off to teach class, and I came back and you can see here I had like 1300 likes and 836 people talking about this. That actually got written up in GeekWire. It wasn't on the AWS website yet when I got the email and I had posted it, and some VP at Amazon and some other people confirmed it was legitimate. So that was kind of funny, but the moral of the story is you no longer have to submit these requests, so you are allowed to go ahead and test whenever you want.

But you still need permission, right? That doesn't mean you can just go test anything you want any way you want. And it was kind of funny, I had a guy contact me on LinkedIn and say, I don't understand, does this mean that I can just go attack everything now? And I was like, no, no, no, no, no, that's not what that means. So I just want to clarify: you still need permission. You can only attack your own things, and you can only test systems where either you have permission or you are the owner. You can't test anything that's off limits per the cloud provider; they have rules, and we'll talk about some of those. But for basic testing you don't have to go out and fill out that form. You still may want to submit a form, and even on Azure it says you might want to let us know. Now, why would you want to do that? Well, you may want to test something that's on their list, so you may have to put in a request for that. Or in the case of Azure you may want to say, hey, I'm just letting you know I'm doing a test, because they have a lot of automated systems that might just shut you down if they don't know you're doing a test. So it's nice to do. And I did a podcast, my first ever, with Tanya Janca,
who's doing the keynote tomorrow. She's awesome, you should all go listen to her. We did a talk on this and she actually walks through how to do this on Azure, so if you want to go see that you can take a look.

So what's different in the cloud? We don't have to fill out these requests anymore, so much. So what are the differences that you need to worry about? Well, first of all, there are dynamic resources in the cloud. We don't have those fixed assets anymore, right? We don't have a server at a specific IP address that never changes, and that was one of the things that was difficult about these scoping kinds of forms that you had to fill out and put in IP addresses, because if you're familiar with auto scaling groups, you can have servers go up and servers go down and IP addresses change, and every time a developer stops or starts a system the address will change. So in the cloud we want to handle that differently. Also we have layer 4 and up in the cloud, so there are some things you might be used to doing in a pen test that you just don't have access to anymore. We have a lot of new technologies and configurations; we're going to talk about that as well. And some underlying architecture differences in the way the clouds implement things, so they're not exactly like you're used to. That affects some of the attacks that you're used to doing, and I'll show you some of those.

So for the dynamic resources, what do we do? The IPs are always changing; things are going up and down. So when you're doing a cloud pen test and you're getting that scope from your customer, or when you're the customer giving that scope, you really want to focus on domain names, because those are going to be more constant; you know what those are. And then as the test is going on you want to constantly verify that you are using the correct IP addresses associated with that domain name, because what could happen is you're testing a particular IP address and systems go down, and you go take a break, you come back a couple days later, you start testing that IP address again, and suddenly you're testing some server that doesn't belong to that customer, and that could be a problem, right? And then we have these things like Lambda, Azure and Google functions, serverless, right? They're always coming down, up, changing all the time, so those IPs are going to be constantly changing, so we're going to have to use those domain names to track all these things. The other thing we have is layer 4 and up, so pretty much everything you have access to in the cloud is layer 4 and up.
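The scope-drift check the speaker describes, as an added example that is not part of the talk: the scope is kept as domain names, the names are re-resolved before each session, and any address carried over from a previous session that no in-scope name points to anymore is refused. The domain names and addresses are constructed (RFC 5737 test ranges); `resolve_live` wraps the standard-library resolver for real use, while the demo and tests run offline through a fake resolver.

```python
"""Scope-drift check for a cloud pen test (added example, not the talk's code).

The scope is the list of domain names from the scoping document. Before every
session the names are resolved again and the working target list is rebuilt,
so an address that has since been recycled to someone else's instance is never
carried over from an earlier session.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Set

# Constructed in-scope names, as they would appear in a scoping document.
IN_SCOPE_DOMAINS = ["app.example.com", "api.example.com", "admin.example.com"]

# A resolver maps a name to the set of addresses it currently has.
Resolver = Callable[[str], Set[str]]


def resolve_live(name: str) -> Set[str]:
    """Resolve a name with the system resolver (needs network; not used by the demo)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


@dataclass
class ScopeReport:
    current: Dict[str, Set[str]] = field(default_factory=dict)  # name -> addresses now
    approved: Set[str] = field(default_factory=set)    # every address allowed this session
    dropped: Set[str] = field(default_factory=set)     # tested before, no in-scope name now
    added: Set[str] = field(default_factory=set)       # new this session (autoscaling churn)
    unresolved: Set[str] = field(default_factory=set)  # in-scope names with no address now


def check_scope(domains: Iterable[str], previous_targets: Iterable[str],
                resolver: Resolver = resolve_live) -> ScopeReport:
    """Rebuild the target list from the domain-name scope and diff it against the last session."""
    report = ScopeReport()
    for name in domains:
        addrs = resolver(name)
        report.current[name] = addrs
        if not addrs:
            report.unresolved.add(name)
        report.approved |= addrs
    previous = set(previous_targets)
    report.dropped = previous - report.approved
    report.added = report.approved - previous
    return report


def assert_in_scope(ip: str, report: ScopeReport) -> None:
    """Gate every test action on the current report, never on yesterday's list."""
    if ip not in report.approved:
        raise PermissionError(f"{ip} is not behind any in-scope domain this session; stop.")


def make_fake_resolver(table: Dict[str, Set[str]]) -> Resolver:
    """Offline resolver over a constructed name->addresses table, for the demo and tests."""
    return lambda name: set(table.get(name, set()))


# Constructed session 1: addresses handed out by an autoscaling group.
SESSION_1 = make_fake_resolver({
    "app.example.com": {"198.51.100.10", "198.51.100.11"},
    "api.example.com": {"198.51.100.20"},
    "admin.example.com": {"203.0.113.5"},
})
# Constructed session 2, a couple of days later: app scaled and got a new address,
# admin was torn down, and 198.51.100.11 may now belong to another customer.
SESSION_2 = make_fake_resolver({
    "app.example.com": {"198.51.100.10", "198.51.100.12"},
    "api.example.com": {"198.51.100.20"},
})


def demo() -> ScopeReport:
    """Run the check across the two constructed sessions and report what changed."""
    day1 = check_scope(IN_SCOPE_DOMAINS, previous_targets=[], resolver=SESSION_1)
    day2 = check_scope(IN_SCOPE_DOMAINS, previous_targets=day1.approved, resolver=SESSION_2)
    for ip in sorted(day2.dropped):
        print(f"do not test {ip}: no longer resolves from an in-scope name")
    for name in sorted(day2.unresolved):
        print(f"{name} has no address right now; confirm with the customer before continuing")
    return day2


if __name__ == "__main__":
    report = demo()
    try:
        assert_in_scope("198.51.100.11", report)  # recycled address from session 1
    except PermissionError as exc:
        print(exc)
```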
So anything that you're used to testing below that, routers, switches, things like that, inside the cloud you won't have access to. I just took an advanced pen testing class from SANS Institute and it was all about how to attack VLANs and switches and routers and all these things. I'm like, that's cool, but it doesn't help you inside the cloud. It helps you outside the cloud, and it still could help you, as I'll talk about, but not in the cloud. And then your web applications, if you think about it, it's mostly the same, because it's layer 4 and up. They're hosted on, you know, except if you're doing a Lambda function, it could be up and down really quickly, it's got functions behind the scenes, but a lot of the testing is the same, the same type of attacks, the OWASP Top 10, things like that. They're pretty much going to be the same.

And why is it layer 4 and up? Because when you're in the cloud there's something called the responsibility model, and all the clouds pretty much talk about it like this. If you guys are familiar with the OSI model, there are kind of the seven layers of networking that packets go through, and pretty much you have the top part and you're responsible for that top part. You have to look at your contracts, obviously, to understand this in a lot more detail, but the cloud provider will be responsible for everything below that, so you're kind of not allowed to test their stuff.

And on that note, only what is allowed you can test. So every cloud provider is going to have some pen testing rules. They're going to tell you here's what's allowed. They're going to have terms of service, an acceptable use policy; they all have a pen testing page, and they kind of walk through here's what you're allowed to test and here's what you're not. And generally you're not allowed to test the cloud platform itself. Some of the other things to consider are what actions you can take. So there are different actions that pen testers usually take, and a lot of times the scope document will list out all these actions, and the customer will say, yes, I want this kind of test and that kind of test, and go down a list. And there are some things that are disallowed by the cloud provider, so when you're doing that scope document you need to understand what you can and cannot do in the cloud. Additionally, resource sizes. I think they used to be more restrictive, if I'm remembering correctly, on AWS. I was just looking at this page again and it looks like it's a suggestion now. They used to say you can't test nano instances; now it's more like, hey, we want your test to be successful, so you might not want to test these small instance sizes. But it didn't look like a mandate anymore. But you want to understand those sizes and those things you're testing, and make sure that your scope document states that if you don't want people testing that smaller size. So here's just an example of AWS and what is disallowed: DNS zone walking, denial of service, port flooding, pretty much anything that's going to overwhelm the systems. Because, as you know, in the cloud it's a shared environment, so what you're testing on a shared infrastructure may affect the other customers around it, so they don't want you to do that kind of thing. And the Azure
page pretty much just says no denial of service attacks, and it talks about that a little more. So there are different types of tools that you can use in the cloud, and some of them are called pre-authorized on AWS, and they are already set up to follow the rules. So if you use these types of tools, they will already be following the rules and they've already got approval from AWS, and so if you're not sure about all these rules you could just use one of those. And here's an example: Nessus. You can see here that it says in the title "pre-authorized", and I think this really relates back to the days when you had to submit a form for any type of scanning. But you could still use these tools and know you're pretty safe and not going to get in trouble with the cloud provider.

The other thing we have in the cloud are new types of configurations. So, have any of you heard of an S3 bucket? They've had a few problems with those, right? They're not something you have on premises, so that's just one example of something that has a configuration in the cloud that's different; it's this newfangled thing with the funny name. Every single service in the cloud has documentation and configuration, and you'll want to understand it. You want to know what it should be, you want to know the caveats of what is done wrong, and those are the types of things that your pen tester will be looking at.

Then we have new technology stacks. So, you know, there was just a talk on serverless; we've got containers, container management systems, and new types of storage. So we have all these different things, and there's definitely a lot of ways that these can be misconfigured. There's also been malware; for example, dnsmasq is a service that got impacted with a vulnerability, and it's part of Kubernetes, so understanding those vulnerabilities. Additionally, there's a lot of problems with people misconfiguring containers and giving them too much access, basically root access to the container, which ends up being able to take over the whole server, and port misconfiguration. So there's a lot of problems, and I think some of these technologies are new and people don't really understand fully how to configure them, so we'll be looking at some of those and trying to see if there's a problem there to break in when you're pen testing.

And then you also have the cloud provider tools. The cloud, when you're talking about Amazon, Azure and Google, is really one big programmatic platform; I like to say it's a big configuration management platform. They come with tools, and their tools are awesome for developers, right? Developers can code things; they can write code that automatically changes the cloud platform. They can automatically patch things and they can go in and do all these cool things in an automated fashion over the network. So can malware, so can a pen tester, right? So if you can get a handle on those credentials, you can use these same tools when you're pen testing, and you just want to be aware of that. So before you do a pen test you might want to take a look at how you have these things configured, and am I doing it according to the best practices?

Some other things are the platform differences. So in Amazon specifically, they don't do networking in a normal way behind the scenes. They don't do ARP. It will look like ARP to you, potentially, if you're doing a packet capture on an instance, but under the hood, there's a whole long video about how they have this mapping service, and they actually wrap the packets when they leave the NIC in their own custom headers, and so as they're going through their network there's like three different checks to make sure that packet is allowed and can go to the right place. So what does this mean to a pen tester? One of the pen testers' favorite things to do is ARP spoofing, right? It's not going to work, because it just doesn't work that way on Amazon. So people go out there and try this; it won't work, and you'll also probably get a nastygram from Amazon saying, don't do that. And I have an article a little bit more in depth, I have a blog out here where I explain this mapping service, and as I mentioned there's also an hour-long video from AWS re:Invent that you can find on that topic.

So we have different kinds of tools. You have your old tried and true methods; you have Metasploit, Burp, things like that, and they have some cloud modules built into them. I find them kind of limited. They're out there, they have some tools. And then you have some new tools
coming out, like a company called Rhino Security Labs in Seattle, and they built a tool called Pacu. I was talking to them when they were just starting to build this tool. They were like, what can we do? And I told them a bunch of things that I'd seen maybe misconfigured at a prior company I worked at, and so they went out there and they built this tool, and they really work on being stealthy. So there's a page on Amazon Web Services that tells you what doesn't get logged, and they use that, and they also use the Amazon tools to break into your account, things like that. So there are new tools coming out. In some cases I just find it easy to use the AWS CLI. It's very powerful; once you understand it you can do almost anything. Azure has a CLI or PowerShell as well. And if any of you are familiar with the term "living off the land", that's kind of what you're doing in the cloud, right? A lot of pen testers will go out and they'll use bash or the command line, and they'll be able to do all kinds of things without installing any tools, and the cloud platforms are the same way. A lot of times the VMs will have privileges to do things, and if you can get a handle on those CLIs and things like that then you can do a lot in the cloud.

Oh, and the last part I just want to mention, whoops, the last one I wanted to mention was also you'd probably use a combination of these old and new tools. So you'll be using the CLI, but you may also be using your old techniques. So you're breaking into a website and you're kind of using your standard web attack, and once you get in onto that instance then you will be using the AWS CLI to navigate through the system. So it's probably a combination of things. And there's a lot of resources out there, so I just listed two here. There's a great, Tony Blix is a person that has posted a bunch of tools, so he kind of tracks a whole bunch of tools in AWS that you can use, and it includes Pacu and a whole bunch of other things. And then Microsoft has a pen testing website as well you can take a look at for more information. So lots of good resources out there.

And so how does that all affect your pen test? What happens is, when you understand all these things, it will affect how you scope out your pen test. You're going to want to hire someone who understands the cloud, right, to do this. You're going to want to define domain names instead of IP addresses. You want to understand the cloud provider requirements. And then the last one here is get someone technical in the scoping
process, because all this sounds like gobbledygook to a person who is not technical, right? So when you're trying to define the scope of your pen test, get someone on your security team or someone on your IT team to help with that scoping; otherwise it takes a while or you might miss things.

So here's some of the things you can look at for scope. Now, sometimes companies will say, well, we're testing in the cloud, so we're just going to test the cloud itself and that's it. We're going to look at the cloud platform, we're going to look at, I told you about the CLI and the configurations, and that's it. But as I mentioned, sometimes a combination attack can be used where someone will break into a website, then they'll get onto a system. You might want to think about that. And there's a lot of other components here: VPNs; exposed databases, which has been happening a lot recently, exposed ElastiCache, MongoDB, things like that; you have a lot of GitHub credentials being posted online or internally, whatever source control you use, is that part of your scope; and there's a lot of other DevOps tools as well, so Jenkins has had vulnerabilities and things like that. Your credentials are very important; you want to take a look at that. And then if you have internal servers that have access to the cloud, maybe if you look at the cloud alone it seems fine, but when you go take a look at these other servers maybe there's some way to break in. So all these things play into defining that scope for a pen test. And maybe everything is in the cloud, and that's great, but maybe you want to expand it a little bit.

So for network access, as I mentioned, I just took an advanced class looking at routers and VLANs and things like that, and so you may want to include network resources in your pen test and find out if somehow they could be leveraged to access cloud resources, when networks are supposed to be segregated but really they're not. And you have developers calling APIs all over the place, all different kinds of network calls, and where are those going? Are some of those going to the wrong place? People are logging into the console, right? Are their browsers secure? Things like that. And then, as I mentioned, the network equipment. You also have a mass of connected things, right? So sometimes you'll have, like, a Slack server, and something will happen and it will trigger an event, and it'll go to the Slack server, or go to PagerDuty, or some other type of ServiceNow, something like that. So you have all these different connected tools. Do you want to include any of those that are connected and triggering events in your cloud? And third-party systems, I just mentioned that. Anything that you want in your scope should be listed there.

And then the cloud platform, as I mentioned, is definitely out of scope. So anything on the cloud platform [Music] you cannot test, and you will probably get a message saying, what are you doing, if you are testing it, and you should definitely respond right away and apologize and stop doing it. This is a good idea; otherwise you could lose access to your account, potentially. And the other thing is some services are just completely off limits. So for example, Cognito is a service that
is used to log into applications it started out as mobile but now it's also used for web applications and i was testing for a client and i was like where is my request going because typically you define the scope you make sure you're not hitting the wrong addresses and so on and i'm testing their login page and then i realized oh it's going to cognito in between and that's awesome it's so i can't test that so at that point you're trusting the cloud provider that they have secured that particular service um so then you have your web applications and i'm a big fan of testing those web applications when you do a cloud pen test because as i said
there's a lot of mashup attacks and there's a lot of ways that getting onto any cloud server will then be a doorway into the cloud it will also potentially be a point of exfiltration they can be used for pivoting so there's a lot of good reasons why you will want to include these in your tests another thing to consider with web pen testing is you may want to not only test you know let's say you have that login page with cognito and now i'm stuck because i can't really test that you may want to give your pen tester credentials to your systems that you're testing and the reason you're going to do that is because
once they log in there's a whole bunch of other pages that can be breached and this was a starting point of the target breach a lot of people think that in target their the hvac system was attacked but it wasn't it was a vendor with login to a vendor system and that vendor system once the attacker got credentials got access to a whole bunch of other pages and then it was able to either escalate privileges or somehow pivot throughout the network so when you're doing your web it's not specific to cloud but think about testing not only the login page but beyond that and make sure there's no way if someone got in they get pivot
throughout your cloud so optimizing your results so one of the things you can think about is have you had an assessment so assessments and pen tests are two very different things an assessment is not going to try to break in but it will be more broad and look at things you know maybe in a broader way looking for all your vulnerabilities to a different level depending on what you're doing but maybe you're going to do that first right because if you've never had a pen test maybe you just want to find out about all those vulnerabilities and get those fixed before you take the next step one thing you can think about is uh are are you able to do some pen
testing yourself so if you go out and look at burp make sure you have permission like i mentioned but if you want to look at burp or zed web attack proxy which is free it's really easy to run these scans so maybe you could do some basic scanning yourself so that i don't have to write a 60 page report of a bunch of really simple stuff right get that out of the way and go ahead and find those things and get them fixed before you hire a pen tester so they can focus on the you know the tougher attacks the harder things the logic errors um another thing you can do is make sure you're following the best practices so
just go out to the cloud provider read those best practices make sure that you are following them and another thing to consider is giving a pen tester read-only access to the account because if you do um one of the things a pen test typic