
Are you fearful of me, or are you finding it funny when I put this on? Vincent said he's a little bit fearful. You know, in fact, when I went yesterday I was like, you know, it's a fun talk, what should I do to make it fun? I should live it, right? I should live the talk. So I went to Walmart and I was trying to find out, can I find a Halloween costume, and I found this one. It was like, it should be a scary clown; it doesn't have to be a scary clown. I can't find a funny clown out in Walmart, so anyway I said, well, I'll put this on. I actually have pants too, but I didn't wear those because they don't fit me. It was a large; that's the only option they had available. So I thought, you know, let's just live it and see how we can make it fun.

This is my first attempt ever to do a talk about cyber security from a fun standpoint. When BSides came over, I was like, yeah, I should try to find a talk which is not intense, which is not technical. Can I make it something which, you know, everybody can relate to? I'm not an expert, I'm not a comedian, I'm not a leader by any means. I'm just a lowly guy in cyber trying to make the world a better place.

So my talk today is about cyber security: let's make it fun. That's the only Google icon, the picture I got, like how can I make it fun? Is there something like a clown of cyber security? That's the clown of cyber security you can find on a Google search. That's my contact info, in case anybody wants to connect with me after the talk, or otherwise just be friends. Happy to talk to you.

So what are we here for? I'm going to blabber about... I said, you know, blabber about. What is the definition of blabbering, right? So I actually Googled it again. The dictionary definition of blabbering is to talk foolishly or incoherently. So my talk doesn't have incoherence... it doesn't have coherence, I should say. It's pretty much all gibberish, so I hope you can make sense of it. So I'll read it through, right? I just want to be a comedian. I'm not here to explain a talk here. I could have emailed you my PowerPoint deck, you could have read it in 5 minutes, but it lets you sit here for 45 minutes before you break for the end of this day and lets you go through what I want to talk about. Point number one: yank this as hard as you can, right?

So the icon and cyber laugh: this is an icon. Whenever you find this icon in the presentation, please laugh, okay? If you don't laugh, that's fine. If you laugh more than this icon calls for, that's fine. But I'll try to see, because that made me giggle a little bit, I thought I'll get you guys to giggle as well.

Cyber careers: the bright and the dark side, right? I probably would look more like that ad hoc cyber guy with this clown costume on, but you can relate to that, I guess. Many of you can relate to it, right? I can relate to myself in which level of my cyber career I am right now, possibly a two, maybe a three. But, you know, life is how it starts. You know, our careers in cyber security start where we could be literally the Neanderthals of the world or we could be the Iron Mans of the world, right? So that's the cyber talk on career. I was thinking through what else can somebody go through in cyber as a career. So you hack yourself into becoming a leader in cyber security. Can you ever do that? I don't know if anybody has been a hacker and then they went and surrendered and put up their hands. Kudos to him. Kevin Mitnick comes to mind, right? We all know he was a big hacker, then he moved on in his life and became a great consultant. So that's one way: you can be a hacker and you get into the job market, and you go ahead. The traditional way is you get into college, you get into university. I teach in Concordia University, by the way. How many of you are from Concordia University? There you go, these are my friends, they're my students. And yeah, you'd better not be a hacker, you'd better go through the right ways of doing cyber security and get rewarded for that.

Come to the dark side of the [Laughter] moon. Who can relate themselves to this: the teenage hacker room, the reaction of a hacker when he pops a box. I can still remember myself 20, 25 years ago in college, a Linux newb, and you actually rooted an account, like, oh man, I could do that, right? It's crazy, but you definitely get an adrenaline kick out of it. I don't know how many of you have actually been hacking. I'm sure many of you have tried to pop a box. It's an adrenaline kick. It definitely keeps you, keeps me, you know, in this field, to be honest. Like, you wake up every day like, okay, there must be something new, a new threat intelligence, a new breach somewhere, and then, you know, you learn from it.

So it should have been a cyber laugh. I don't know how many of you laughed, but that's all right. Cyber is hard for leaders: the curse of the CISO. "Do CISOs get to hack iPhones and clouds?" "You mostly just fill out compliance checklists." "My dad is a fireman." "Cool, I'd like to be a fireman then." Then B: the sleeping positions, right? I'm sure some of you are CISOs here, I know of a few. I don't know if they have that sleeping position, but they're not on their bed if they're so scared that something is going to happen or whatnot, right? But it's a reality, you know, if you see the other side rather than the fun side of it. It's a reality when you sign up for this job: it's not just all fun, it's not just all curiosity, it's about what's going to come next, and you got to be prepared for it. You got to be prepared 24/7. This is a field which never sleeps, right? So I thought, you know, one is the fun side: do you really want to be a CISO, or do you want to be a fireman? Or the other side, you know, if you really want to be a CISO, make sure that you have a different sleeping lifestyle. All right.

Are you too important to be breached? CISO's confession: you see the Pope and you see a small guy who sits on the Pope's chair. The idea here is to explain to you, or to tell you, that we are not too important to be breached. You can never be perfect. You'll always find gaping holes, back doors, in your organization, and people can creep in. You can speak all things maturity, you can speak all things cyber in your organization, but there's always a back door ready which somebody can literally go in through: a phishing email, a call to the help desk, "change my password", MFA fatigue, you know, "can you give me your password". All right, I'll come to the password one, that's another one. We'll talk about the password serenity prayer and we'll probably take a note from the audience here how many will be doing the password serenity prayer.

This is the other one I liked, right: "Bless me, Father, for I have sinned. It's been 12 years since my last server patch." "I like what you have done with our third-party risk program." And if you see there, the vendors are lined up to take a confession, because they were connecting to that organization which has never patched their server and they got popped, right? We always talk about supply chain the other way, like suppliers can be bad, but you never know, the organization might be infecting the suppliers, even if the suppliers are good, right? So it's a two-way street. But it is what it is. So you can be, you know, the best in the world, but you can always be breached by a supplier you have never thought could be the breaking point.

I like this one. I don't know if this is a cyber laugh; it is not, it's a little involved presentation, but I'll read through it because I really loved it. You know, when a PhD talks to an IT guy, what does it say? "Strengthen your infrastructure controls to protect against malware and phishing by deploying risk assessment standards and policies to deploy endpoint protection." All right, okay, what do you mean by that? I used to do a PhD; I'm an IT guy. I was doing a PhD, I couldn't complete it, but, you know, you're so technical, you're so research oriented, you probably missed the boat, right? When a vendor starts: "NG Malware 3000 stops the threat." "When can we install it?" Right, that's what the CISO says. And when a security manager and a compliance guy talk: "Requirement 3.5.2: do you protect confidentiality, integrity and availability?" "I'm just having coffee, give me a break," right? And then comes the C-level suite, right: "We passed compliance, we have antivirus, we have insurance. Security solved, I spend more money." Isn't that real? Yes or yes, right? And this is the hacker on the other side, right: they were developing controls, they were doing whatever they can, but why couldn't they find you? Because they didn't look for me. They were always looking for compliance, they were looking for all the best in the world, but they were not looking for me. And this world has to continue, this is going to stay. You know, you'll always find these bad guys are always a step ahead of the good guys. And actually, however scary that is, to be honest, in my own opinion that's what keeps you employed. That's what keeps you engaged. And for folks who are curious, that's the passion for many who come in and then they work and then they say, yeah, I want to be in cyber security every day, day in, day out.

Risk management 101: "Everyone who works here and everyone who doesn't: we have solved the problem of security." And Mordac, the Preventer of Information Services: "Security is more important than usability. In a perfect world no one would be able to use anything. To complete the login procedure, stare directly at the sun." This is when you take security to its extreme, right? And when you take it to its extreme, usability takes a hit. And on the other hand, which is not depicted here, if you take usability to the extreme, security takes a hit. So you have to find a balance. I'm a physics... I'm not a professor, I'm a physics student, and we used to do inverse equations, if you have ever heard of them: inversely proportional to. So I always put that when I teach my students in Concordia: security is inversely proportional to usability. The more usability, the less security; the more security, the less usability. Force is inversely proportional... directly proportional to mass and acceleration, F equals ma. Those who have been physics students probably know this, right? So it's a fun way to explain how security and usability play a role in our life.

I love it, I love it. Yeah, yeah, yeah, bring it on, bring it on. Ask questions. I don't know if we have questions at the end, but end of day, yeah, if it entices you to speak about it, it entices you to think about it. Well, Microsoft is so ingrained in our lives, and then we have usability and then security issues and whatnot. Yeah, you can speak at length, but that's right.

All right, as I said: "I did a risk management assessment. I concluded that there was no risk of any management. Do you have anything to add?" "I'll get back to you." You know, every story, every cartoon actually speaks a message, right, beyond the fun. Sometimes it's the management: you need their support rather than them being a little bit of, you know, a pain in the neck in trying to get your security right. So it's funny, I mean, no comments, no arguments here, but it's how you perceive your risk management. You know, we can go on at length about what risk is and what risk is not, but unforeseen risk: "How can you be sure that there are no unforeseen risks with this plan?" "It's not possible to know if one has considered every risk, therefore we can never be sure." "So I can still blame you for any problems that pop up?" "Yes, that part of the process is still intact." Right? Like, imagine for a second; the message around this is how much can you actually safeguard your workforce and make sure that you are the one who gives them a safe haven in having them do their job, whether it's management, whether it's a leader, whether it's not. Because ultimately somebody's head goes on the chopping board if there's a cyber breach, and sometimes with no fault of anybody. Breaches happen for what they are; that's the world of cyber security. But we still go through the chopping board sometimes.

Social engineering: "There's no patch to stop human stupidity." "Anyone who thinks technology can solve a cyber problem in fact does not understand the technology and the problem." So I actually like some of these acronyms, because I tried to collect some of these acronyms, right? So one of the acronyms is like, you know, the human is the weakest link, but there's a beautiful parody, I'll come to that later on. But anyway, this is a cyber laugh here, right? You can do all things technology, but if you have a human being who, for all good reasons, is very naive, is not a bad guy, but he can pwn your system, right? We had this email messaging talk today about the million-dollar CEO in this forum itself, and the poor CEO clicked on a phishing email and everything was, you know, bad after that. Almost a million dollars was about to get out; funny enough, they found it. So yeah, it's where you draw the line on humans' trustworthiness, because we all trust each other before we untrust ourselves or others, right? That's the innate nature of human beings. You can't untrust anybody from the get-go; you try to trust them before you untrust them. Zero trust 101, right?

Thesis: security is as strong as its weakest link. Antithesis: people are not the weakest link, they're the most misunderstood link. So I used to be a believer of the first thesis, to be honest with you, and literally I was sitting in my afternoon call and I thought, and I was like, no, this probably doesn't make sense. I was on a call two days ago and somebody put that on. He's one of the respected cyber security gurus in this field, and he said no, people are not the weakest link, they're the most misunderstood link. So I leave it up to you to make a judgment. I'm not here to make a judgment or tell you the why or what of the thesis or the antithesis. We believe humans are the weakest link, but maybe they want to do the right thing; they don't know how to do the right thing. Yes or yes? Everybody wants to do the right thing for themselves, for their organization, for whichever environment they are in, but they probably don't have the tools, the technology, the awareness, or whatever the case may be, to enable them to do the right thing. So you have to change your mindset a little bit, I imagine, from blaming human beings to making sure you give them the right environment to do the right things, right?

Cyber awareness: walk the talk, C-suite. "I have a new hobby, it's called phishing. I send fake emails to gullible executives and I find out their financial information and use it to steal the money they don't deserve." "Dear customer, this is your bank. We forgot your Social Security number and password. Why don't you send them to us and we can protect your money." Looks legit. Again, coming back to the point, humans are not wrong; it's just that they have to understand how to do the right things, right? And on the other hand, if you're leaders of your organization, walk the talk, right? Be the example you want your team to be, is what I'm trying to say here, right? Like, not blaming the C-suite or the management; what I'm trying to say is that they should also be part of sharing that awareness which they imagine their teams and their organization to follow through. And again, back to that email compromise presentation we had today: a CEO clicked on an email, and if he imagines all his other IT staff and everybody shouldn't do that, that's probably a wrong example to set, right? So that's the idea there. I don't know how many of you laughed at that cyber icon, but that's fine, I'll keep checking once in a while.

Privacy is dead. Privacy, schmivacy, get over it. I think Bruce Schneier, he gave a... there's a beautiful article by a guy called Bruce Schneier, privacy is dead, get over it, something like that. Anyway: "My emotions are encrypted to protect the security of our marriage." "Mind if I clear my browser history first?" You can see a devil coming to take the soul of that guy and he's like, no, I'm so important, right, my privacy is so important, I got to get out of it before you can take my soul out. "Instead of waiting for someone to steal my identity, I'm going to auction it on eBay." Like, imagine what the first talk by Amanda Knight was today in the morning, right? API calls: you just make one call, literally login authentication, and all the patient data came out. It's so interesting and so scary. But do we really think our privacy is secure? I don't think so. I mean, honestly, it's a point where you can demand things, but you have to find ways to live with it. It's just like, you know, the Department of Homeland Security secretary, I forget the guy's name, he said, you know, there are only two kinds of companies in this world: those who know that they have been hacked and those who don't know that they have been hacked. The world has moved on from prevention to, like, assume breach, and you got to figure out how you do incident response when you have a breach. So in the same way, privacy is almost non-existent. You can find ways to keep yourself secure, but, you know, even for a normal citizen of this world, don't quote me, I mean, I'm sure around 8 to 10 websites or organizations, government or private, would have his data for sure, right? Google always has it. I'm so surprised sometimes, like, your signal goes out on your phone and you can still go from one point to another if you have a GPS and you have put it through, right? I don't know how they track it, I'm not a technical guy on that front, but that's privacy, in my opinion.

Privacy breach: financial planning. "Will Social Security still be around?" "It better be; China's hackers are depending on it." "We had a massive data breach; hackers got into the private data of all of our customers." "No problem, we'll issue a press release that says we're sorry and it will never happen again." "That's what we said the last three times it happened." "Our strategy is to wear them down." Right? I mean, it looks like a cartoon, but how legit is this? Like, think for a second: companies who went through breaches sometimes, I mean, not everybody, would like to cover themselves and say, okay, we'll issue a statement, go ahead, and not do it once more. Again, sometimes we even change our names. Yes, go ahead.
Oh, exactly. You know, this is something which reminds me too, like, is there ever an ROI on security where you can say that, you know, this company is PCI compliant, yes, I can make money, I'm going to work with this company, I'm going to buy stuff from him? Compliance is not security, by the way, so we'll come to that. Yes, Darcy. Yeah, kind of interesting, right?
Privacy, anyway. Exactly. Yes, Martin, you want to say something?
Absolutely. No, I absolutely agree with that. I don't know if you have heard that one; I can speak to it again, right? Like Safeway, anybody: they willingly give their information. When it comes back to government or anything, no, we can't give you that, privacy is important for us. So that gives me another idea for next year's talk: money is greater than privacy. I'm going to talk about it. So we'll talk about that, because at the end of the day it's a financial equation, money, right? You have that motivation to make more money. I care less if my date of birth or SIN number is out there. Well, by SIN you all probably know what SIN is, right? It's not social insurance number; it's the sins you have done in this country, they're recorded in your report there and you can't run away from it.
Wonderful. So that's another talk topic for the future; we'll see how we can make that happen. Yeah, cool. GDPR full form, right: the Giant Database of Personal Records. Okay, folks who laughed probably know what GDPR is; those who didn't laugh probably don't know what GDPR is, or know about it but didn't know this acronym. I want to talk GDPR... marketing already showed me. All right, it's a giant database of personal records. "Our customers are complaining because we let hackers get their personal data, so we have decided to change the name of the company and we'll disguise ourselves until it all blows over. Take a mustache from the bag and pass it around." You should do bankruptcy, come back, start your new organization again. I don't know how many of you do that. I mean, people can disguise themselves, come back and say yeah, we are a new company, a new organization, we have new people, so we are not the same company anymore; we actually take all your data. By the way, GDPR is a great privacy regulation; everybody should probably know what it is.

Cyber warfare: the USB missiles. This is not the US-Ukraine-Russia war; this is the USB missiles, right? You drop a USB, you drop a laptop, and imagine how many of us actually pick it up and plug it into our corporate network. I imagine I'll probably be one of them, because I'm very curious about what's out there. But that's so easy, like you have all the technologies out there. Chris, one of my other friends here today, was actually giving me a quick rundown of what he does, and he was like, there was a laptop, and the laptop was found on the road, his company's laptop. I'm not going to tell you which company he works for, but the summer intern actually said okay, take that laptop and plug it into your corporate network and see what it is. So the laptop was out for a day or two, they find it, they plug it back into the corporate network. God be your friend. "We need to hack into Russia's system to get more information on US citizens." Isn't that so funny, right? Or Chinese companies, for that matter. US air warfare, US sea warfare, US ground warfare, US cyber warfare. This is actually the fourth doctrine on cyber warfare. I don't know if you know, in the USA they actually had three pillars: the air, the land and the water, and now they actually have cyber warfare, which, you know, we can have another talk on what cyber warfare is all about, right? It's literally going after, without a lot of attribution, your other organizations and nation-state actors and whatnot.

So yeah, political satire on cyber. "Obama to confront China on cyber spying." "No need, we already know every word he'll say." "The US and China share much in common: our corporate and government secrets." "I want you to have... and the US economy, compromise their national security and shut down the government." "Aren't the Republicans in Congress already doing that?" Possibly they are, right? I'm not a Democrat, by the way, I'm not a liberal either; I'm just a centrist, or a small guy. But this is true, I mean, if you go on the real front, you'll have the OPM hack; you can look at so many hacks which the US government went through. I won't speak to that, but yeah. "Senator, I agree that we have a serious foreign cyber threat, but there might be one or two bits of flawed logic in this idea to surround our border with an alligator moat to swallow foreign hackers." "Can't we just put lids on all the internet [Laughter] tubes?" You know, again it's making fun, but imagine for a second: these leaders who actually make these regulations, or who are the ones who make these policies or influence the policies, sometimes don't understand, for better or for worse (you can't, you know, blame everybody) the nitty-gritty and the nuts and bolts of what the cyber community goes through, right? If you live something, you can influence something better. I'm trying to live being a clown; I don't know if I'm doing a good job. But you have to live something to influence something better, rather than being on the outside trying to influence something just because you know a concept.

"So did you finish the software yet?" "No, I'm still paying for the technical debt from the last programmer you rushed." "I don't know what that means." "Well, that explains a lot." What technology, when we have vulnerabilities, right? Just a small vulnerability in a system can break the whole system, bring the whole system down. SBOM, SLSA, we had a talk in the morning today. So technology is not the Holy Grail; neither is the process; it could be people, but it's the combination of all three: people, process and technology, the PPT. It's not PowerPoint, it's people, process and technology. So technology is never the Holy Grail, in my opinion.

Ransom to death: the captain's ship actually got ransomed and he jumped to his death. Who's hacked, how much ransom would you pay? 10 million, 18 million, 26 million. Isn't that true? Like the MGM Resorts hack, I think, if I'm not wrong, I'm not going deep into it, they did pay the ransomware... They did not? That's Caesars? Okay, okay, holy Jesus, okay, wow. So with all the agencies, I know, FBI and DHS, saying you don't have to pay, don't encourage ransomware, don't encourage hackers: what is the truth at the end of the day if you put yourself into the shoes of a CEO or a CFO or a COO? Again, there's no right and wrong; it's a matter of practicality. Like University of Calgary, I think it was the published news, this is me being a little serious, not being a cyber clown: they went through a ransomware incident almost, what, four, five years ago. Conference Board of Canada, they did a presentation on that. They actually paid the ransom for the basic fact that their PhD and research records were actually ransomwared, and you can't live without your research; that is so important for you that you figure out you have to pay the ransom. Yes, Martin?
Exactly, exactly, yeah, absolutely, great point, great point, right? It's not about ransoming and getting money, as you're right; it's about your reputation, your money, your information is out if you don't pay a ransom. We'll actually then talk password. "In need is a password indeed": you got to know your password to actually log into your system, right? Password serenity prayer, okay, go with me, right: "Grant me the serenity to accept that my password will be hacked, the courage to frequently change it, and the wisdom to come up with a better one." Oh, good one. "I got a good password from my newborn, because he can't speak." I'd like to copy that one, right? Password change signup sheets: I have seen that, without naming a company, I'll tell you people put passwords on sticky notes. Yes or yes? It's crazy. The world has come so far, and we haven't found a better solution than passwords. Yes, MFA, MFA fatigue, you know, three-factor authentication, but it is what it is. Life is, you know, we have password hackers, you have password managers, passwordless authentication, FIDO2. I don't know how that is going to be, but at the end of the day it's all about passwords everywhere, and it's hard to save them. They've become such a nuisance. Like, imagine for a second, I shouldn't, like, I'm a cyber guy, right? You have to remember these passwords, so big, and not one or two of them. You know, we went camping actually over the weekend and my friend, he had to pay the damage deposit on the cabin; it was in his name. I was with him, and the poor guy takes out his debit card, puts it in, he forgets the PIN, and takes another credit card out, he puts it in and he forgets the PIN. I'm like, what's happening? Because he's got five different cards, he's got five different PINs. I said, learn from me, I'm a cyber guy, I've only one PIN for five cards. Seriously, and you can go beyond four digits, right? I don't know why; that's fine, maybe you can.

"My password for the network isn't working." "Fill out the help request online." "I can't get online because my password doesn't work." "Send me an email message about it." "I can't send email because I can't get on the stinking network." "Geez, you're worthless." Help desk, right? They follow process; they have to follow the process, they can't live without that. Well, it's hard to find cut corners. I mean, they're paid for a job, you know, they have to safeguard the company, they have to follow process. Dogbert's password recovery service for morons: "I don't remember my password." "Is it 1, 2, 3?" "That's just spooky." Password: I don't know, there was a password hack by haveibeenpwned.com, I think "password" was the most used password in the world. Am I wrong, am I right? For the last 22 years? Wow, okay, I'm still relevant with my slide deck here then; that's awesome. So I don't know what to say. Yeah, it's what it is, right? So, okay... well, that's fine. There was actually a beautiful lady, she's saying, can you give me a password, and it says "kov Prin", pardon me, "are you the key master?" "Are you the key master?" Exactly, awesome, 100 points. Kerckhoffs's principle of encryption: login, password is admin, so login admin, password admin, right? This just explains to you the idea of how many of these technologies have default logins or default passwords in their environment. Whenever you plug it in, you figure you have secured it, but you haven't secured it, because there is a default configuration somewhere which you have not disabled.

Anti-encryption software: "This is a flash drive with our anti-encryption software. Don't let it get into the wrong hands or it will eliminate all privacy on Earth. Do you understand?" Blah, blah, blah, all software. Murphy's law on artificial intelligence: "When everything is going right, humans must have become stupid. I will use my superior robot brain to enslave humankind." That probably sounds better than how it would actually be. "I'm tired, I need to recharge." God, I hate... you know, the Matrix, right, Terminator. How many of us are seeing articles? I see articles on Fox News, CNN, again I'm not a right-wing guy, they say AI is going to replace everything, the humankind, Terminator is coming, the Matrix is coming. I don't know, I mean really, possibly, possibly not. I'm just a lowly human being who knows how to use technology. Can we make our lives easier by using AI? Hopefully ChatGPT can do that. All my students are here; I give them assignments, I tell them not to use ChatGPT for the assignments. How many of us do that? I don't know, right? We make a lot of use of ChatGPT these days. I'm not going to go into the details of it, though.

"Can I interest you in the firewall for your toaster?" Imagine for a second, you know, you'll have a shop of firewalls and everything, and people go in just like they buy appliances, buying cyber technologies, and you're actually helping them find one. Maybe that's the future, if we go that route. Internet of Things: "Here's our software for lending money, and that's our hardware for collecting debts." I come from India, by the way. In India, when you're not able to collect debts, again this is not, you know, anything bad about India, but you actually have people, Mafia, who you can use to collect debts, and they go and they actually get the debts out of you. Go ahead, somebody wants to say something? Yeah.

"Clouds are infallible." "Isn't that all Linux servers, Dad?" "Mostly." "Thunder and lightning isn't God being angry; it's Microsoft and Google fighting in the clouds." "Mom's doing Kubernetes." Cloud, cloud everywhere. Where is the cloud? Everywhere, right? You have cloud computing, but what is cloud? It's all hazy out there. Is it not the internet? Is it not my server somewhere else? Yeah, I guess people can debate public cloud, private cloud, hybrid cloud, etc. Cloud. There you go, RenderMan, there you go, high five. Yeah, I mean, we sometimes, you know, redo certain things or reimagine certain things which have always happened. This is a cyclic world of possibilities we go along. There were mainframes, then came desktop computing, thin clients, back to cloud computing, which is another centralization of technology, back to customization with iPhones, which, iPhones are in the hands of everybody, you know, back to something else tomorrow. It's always centralization, decentralization, centralization, decentralization, and you keep calling it different names, basically with different principles, for that matter.

But for the nerds: "I have been ignoring our security alarms for several months now." "You have been doing what?" "I figured if I ignored them, then maybe they'd go away." Isn't that alert fatigue? Yes, so yes, we had another talk on that: MFA fatigue, alert fatigue, too many alerts coming in. And that CEO's email got popped because there was a Defender alert, but there were 20 other alerts coming out of it, so who's going to look at it? I don't know what the solution to that is, but that's the problem. Dilbert: "I want you to install the new firewall." "No. Why, why, why me? The firewall guy gets blamed for every problem. People will say everything worked until you changed the firewall. There will be no rest for me. I will have to defend myself against a continuous barrage of accusations. It's always a firewall. Everyone blames the stinking firewall. I surrender to the inevitable. Villagers, grab your pitchforks and torches." "How did we get that way?" "I blame the firewall." The Holy Grail of technology which is going to save us from everything, right? Firewall everything, next generation, whatnot.

Murphy's laws and disasters, my... it's my innovation: when a disaster has to occur, it will. It's just my way of saying it; I try to say Murphy's law in a different way. "Charlie, we need to initiate our network outage response." "Calm down. Before you do that, please make sure the network is really down." "Oh, I just disconnected the router. We're definitely down." Foolproof disaster recovery plan: "We lost all of our company data, and our backups too, so I hacked into our government's secret database, where they keep records of everything we say or do, and got it all back." "I feel as if I should have been doing something now." "Nah, everything is working fine." Isn't that funny, but isn't that real? Like, sometimes your data is everywhere, right? Privacy is dead, you know; if you feel like you have to bring that back, I mean, somebody must already have it.

We need insurance for something we can't see or touch: cyber insurance policy. What insurances do we have? On property, on vehicles; these are things we touch and feel, because the forces of nature can break them. Can the forces of nature break cyber security? I don't know, maybe yes, but we still do insurance, transfer of risk, right? I don't know how many of us do that; we try to do that, we still don't get paid. I get a couple of insurance claims, I never get paid, I still wonder why I pay insurance anyway. That's a debate altogether. I don't know about Europe; I heard in Europe they don't pay insurance, or not a lot, but in North America it's a culture, you have to pay insurance because something bad can happen, right? Anyway, that's my two cents on insurance and cyber insurance. I know Martin has a lot of views on insurance and he can speak about that. That's the end of my presentation. Uncle Sam wants you to give me thanks. Thank you very [Applause] much.