
BSidesDFW2025 Track 2

BSides Dallas/Fort Worth · 2025 · 7:35:46 · 63 views · Published 2025-11
Tags: Style: Talk
About this talk
A critical examination of how well-intentioned security tools can backfire when deployed without thorough research and understanding of adversary capabilities. The speaker dissects the Signal Proxy case—used to circumvent censorship in Iran—demonstrating how it made users more identifiable to state actors rather than protecting them, and explores broader lessons about infosec evangelism, traffic analysis, and the importance of practical security involvement in policy and compliance.
Transcript [en]

Hello, hello, hello, test, test, test. Really? Okay. Just.

It was a small room, so.

guys hear me if I talk like this? Everybody's good? Everybody familiar with Signal proxy to some degree, or at least the Signal messaging application? So we're gonna talk about some bandwagon fallacies in infosec: something with a good intention, but if it's not thoroughly researched and properly implemented, it can lead to some pretty serious consequences down the line. And I'm going to give several examples of that, but mainly focus on Signal proxy and kind of what they tried to do, what they did wrong. So who am I, right? I've been doing penetration testing, red teaming for almost 20 years. If you read the Popular Mechanics article that features the Dallas hacker scene, the guy they mentioned

about, who talks about the Polycom zero-day found that allowed you to turn it into a surreptitious surveillance network. I also run the quarterly meetup 0day All Day, which should be starting up in Q1 of 2026 now that the construction of our venue is finished. And, self-plug, I created the Advanced Persistent Threat card game that you can win at the raffle.

So some common InfoSec fallacies, right? We've all heard these, right? Macs are more secure than PCs. Open source is more secure than closed source. Whatever language you want to put is an insecure programming language. AI is reducing the time-to-compromise timelines, and LLMs are the future of offensive computing, right? We all know Mac malware exists. A full Android exploit chain costs around 200 grand, you can sell it for around 200 grand, but a full iOS exploit chain you can sell for a million plus dollars. So one's open source, one's not, one's more difficult, right? That kind of sets the bar for whether or not open source and closed source is harder or easier to reverse engineer. A lot of people like to pick on

PHP, but C as a language has way more vulnerabilities across its lifespan. And I don't really like time to compromise as a metric. It doesn't factor in zero-days, which would make time to compromise move into the negative. So what is a bandwagon fallacy, right? It's when people assume that an action is correct purely because other people support it, right? It's literally the blind leading the blind. So bandwagon fallacies and evangelism kind of go hand in hand, right? One's bad, one's good. You can't really say that anything really

and the impact, right, and how you kind of want to glom onto those things, right? You can have a good intention but still have a poor impact. You can virtue signal and still have a good impact, right? So there's lots of different ways to kind of look at the spectrum of how these things can lead to a poor or a proper impact. So what was our event? In late 2020, inflation hit Iran, 45 percent. The protests started and around 1,500 people were killed. And on January 24th of 2021, the Tehran Stock Exchange crashed. And on the 26th, Iran blocked Signal Messenger. Now, they never claimed that they actually blocked it. They never confirmed that they did. But the service wasn't usable inside

the country. Because Signal's not decentralized, it relies on a central repository of information and connection information. That didn't work, the app didn't work. And so Signal's response in 2021 was they wanted to help users in Iran, and they wanted people to run what was called the Signal proxy. They released this code; it would basically create kind of a separate hop for the application to connect to, which would route through to the original Signal server using just a custom domain or a custom subdomain. And a lot of people glommed on to this and wrote a bunch of tools that would automatically spin these up, or create a root domain and then spin up dynamic subdomains to try to route traffic back to Signal to evade the

Iran proxy. And it worked, right? It got around Iran's core block of the system. But it didn't necessarily protect users. In fact, and I'll show here, it made users' traffic more suspect-looking and gave the Iranian regime, or any other regime, the ability to identify users who were explicitly trying to circumvent their own Signal ban. They were made aware of this, Signal was made aware of this, people talked about it. But in 2022 they did it again, and they changed their marketing from "help users" to "help people." And then in 2024 they did it again, and they said they wanted to help people, but not just in Iran; they wanted to help people all over the world and

in different regimes. So that was kind of my issue with it: even though they know that there's these limitations, and it was briefly discussed, they still kind of kept forward with this project, even though they knew that it put people at risk. So that was the event, the impact. Lots of influencers, information security influencers, evangelists, they started making content around it, right? This goes back to that bandwagon approach. They made a bunch of memes with the Ayatollah crying and anti-Iran stuff and started virtue signaling and tried to create a kind of clever viral marketing campaign, Iran, a Signal proxy, to try to get it to spread, right? Which again, good intention, right idea, implementation... right? So if you're not familiar with

Signal proxy, right, this is their exact kind of statement on it: "Unlike a standard HTTP proxy, connections to the Signal TLS proxy look just like regular encrypted traffic. There is no CONNECT method in a plaintext request to reveal to censors that a proxy is being used. Valid TLS certificates are also provided for every proxy server, making it more difficult for censors to fingerprint the traffic than it would be if self-signed certificates were used instead. In short, everything is designed to blend into the background as much as possible." When I read this, this is what immediately had me kind of dig into this protocol and try to figure out what was going on, because

on the surface, just by reading it, if you're an engineer, none of this makes sense, right? All of the red flags are highlighted, right? If you're trying to blend into web traffic but you use no CONNECT method, you're automatically going to stand out. A valid TLS certificate or a self-signed TLS certificate doesn't make a difference on the wire from what the traffic looks like. It's still a TLS handshake. The only difference is how the client interprets that to the user. And with those two things in mind, it automatically does not blend into the background as much as possible. In fact, it stands out from what they were trying to do. So we'll kind of look at each one of those red flags and go through them. So

unlike a standard HTTP proxy, connections to the signal TLS proxy look just like regular encrypted web traffic. That's their first claim. So here are two packet captures. Red is packets that were sent.

I

data as you're downloading images, JavaScript, libraries, various things, SVG files, whatever. And those things cause you to make more follow-on requests to download more libraries, ads, set cookies, whatever. That's what a web request looks like. So obviously, right off the bat, without doing any investigation at all except for sniffing the traffic, you can tell from a nation-state perspective that the traffic looks very different than web requests. The Signal traffic on top doesn't look anything like a web request on the bottom, right? So we know that the first statement is false, right? They say there's no CONNECT method in the plaintext request to reveal to censors that a proxy is being used, right? Can we detect proxy usage?

They're saying they don't wanna reveal their proxy is being used. So what they did is they created a thing called signal.tube, it's a domain. On the application, if you go to signal.tube, it basically reduces what's called user friction. So if I wanna give Hash the information to use my proxy, and he doesn't know how to set it up, or it's too complicated in the app for him, or he's not technical, I can send him a link, he can click on it, and it'll configure his device to use the proxy, right? Now it's not doing any man-in-the-middle decryption or anything, but it automatically configures it for him. The problem with that is,

it's distinguishable on the wire, because you have to make a DNS request to signal.tube, which does a key exchange, and then immediately following that, on the same subscriber... So imagine you're a nation state, right? You get the domain for the Signal proxy, or at least you get a very high likelihood that that's going to be a Signal proxy, that's right after the signal.tube domain, right? So this is the one I use, so keep that in mind as I go through that pop-out: pew.only.fr is one of the main ones I used that I just pulled from the internet, right? So reducing user friction, if not done correctly, typically tends to reduce operational security, right? Just because it's easier for the user doesn't necessarily mean that it's better. And if

you use signal.tube to automatically configure your Signal proxy, you're definitely alerting your adversary that you're trying to evade them. So again, the traffic's still encrypted, but now they know that this subscriber on this internet connection within their country is actively trying to evade their censorship. So that makes them kind of increase the sus factor of the traffic, right? But let's ignore signal.tube, right? Let's say you don't do it. Let's say Hash is smart and he knows how to configure this manually, so there is no signal.tube DNS request, and he can do it manually. That's where their next follow-on statement comes into play. They say they use valid TLS certificates, which makes it more difficult to fingerprint the

traffic. Does anybody know why valid TLS certificates would make it difficult to fingerprint traffic?

It doesn't. 100%. It doesn't. That's bullshit. Straight up. That was the first thing I heard. I was like, this is garbage. Like none of this makes sense. Yes, sir.

I don't know. I didn't look. In the next slide, we may be able to see which CA they did, but Let's Encrypt, probably. I'm just assuming, like, they wouldn't just say "CA"; set up your own Signal proxy, you have to register your own cert. Most people use Let's Encrypt, but anybody could use anything. Yes.

I don't know that anybody inside NATO is going to respond to an Iranian's.

It wouldn't help them fingerprint, but it would give them a target to go after. Right. And so we can talk about that later, but you're definitely on the right track. You're just giving them more information to spider into your network of dissidents, right? It's like, oh, who bought the certificate? Where was that Q.langlet.fr hosted, right? Who paid for that hosting? What's on that server? Can we hit that server another way, right? You're just giving them more infrastructure to go after to round up, you know, your dissident network. So, like you said, they said that the valid TLS certificates make it... So the way it works is TLS clients and TLS servers do a handshake and they present

information to each other and say, this is the cipher suites I support. The server says, this is the cipher suites I support.

that comes in, that they say, oh hey, like, if I'm the client, if I'm using Chrome of a certain build on a certain operating system, those items in that handshake are always gonna be in the same order and they're gonna vary from version to version. Now, yeah, there's some overlap and it's not as definitive as it is, but on the server side, in Signal proxy's case, it's extremely definitive, and they respond the same way every time. They don't shuffle their cipher suites and their responses from the server. They don't change that up. They don't even use libraries for TLS. So you can see that the hash of all that information is the same on the one that I was using and another one that

I just found on the internet, right? So two completely different servers have the same TLS thing in front. So again, I don't have to know what's going on in the traffic. I just have to say, OK, give me all of the TLS outbound connections whose servers fingerprint as this, and that completely segments the targets that I have to go after, right?

So we know that that one's false, we know that that thing is false, we know that this is bullshit. And then they say, "In short, everything is designed to blend in the background as much as possible," which we showed earlier is completely different, right? So it doesn't look like encrypted web traffic, there's evidence that a proxy is in use, right? The valid TLS signatures don't do anything to help you. You can fingerprint the traffic, and it doesn't blend into the background. In fact, it makes it stick out. So this was brought up to Moxie in a Git issue about how, if you connect to the port that the server is advertising, you can detect that it's a proxy. It doesn't pretend to be anything else. It tends

to be a signal proxy, right? And so his response

you will know that it's a proxy server. It's nothing more than a simple TLS proxy, as an interim solution. That's key: an interim solution. And he wanted to help people while they were working on something more scalable and more robust. They could have done nothing, but until then, this works. Now, in the media, right, so this was three years before their latest community outreach last year, right? Anybody who's an engineer knows this is a problem, this Biden said is a problem, right? If you put in an interim solution and it's successful, people will use it and it will cause problems, right? So what, right? So we have these issues. They're trying to do something good. It kind of didn't

work out. Not really anybody spoke up about it except for that one kind of issue. And what's kind of the impact of this not working, right? So,

imagine we're Iran, right? We kind of talked about this earlier, right? We want to know who's plotting against us, who's hiding their communications, and where do we start our investigation, right? So first we look at all of our subscriber base, everybody on the internet in our country, and we say, okay, all of these people are using Signal, right? We block it, media goes crazy, everybody loses their mind, right? But we're Iran, that's what we want to happen, right? We want to isolate who's just using Signal to use Signal because they're privacy conscious, and who's actually trying to circumvent our regime, right? So then we see a bunch of people who aren't so technically savvy using signal.tube. So now we

have a tier. We have two tiers. We have people who are privacy conscious, and we have people actively trying to circumvent our block, right? So those are our first targets, right? Our secondary targets, if you will: signal.tube. We then use the TLS fingerprints, and we can see who's actively not using signal.tube and is still trying to circumvent what we're doing. So these are kind of our top-tier targets, these are the ones that are smart enough to not use signal.tube and still try to circumvent our kind of filtering, right? So from more tech savvy to less tech savvy, we now have a pyramid of pain to go through and figure out and

start to unravel networks, right? The other thing is those domains that we talked about earlier that are used, those can be accessed, and Iran can hack those and roll up different networks, right? If an Iranian, or any other country, decides to set up their own Signal proxy domain, it gives them more infrastructure to go after, more things can be affected. That's kind of where it's going, right? So some common fallacies, right? Iranian dissidents can't do it without us, right? This is a very kind of Western mindset, the kind of savior complex. We don't understand the operational tempo inside of Iran, and so corporations maybe shouldn't meddle in supporting dissidents in Iran. They don't understand it, and

especially they shouldn't do it with interim solutions, right? A lot of people think data analysis at this scale is impossible. A lot of people also think that Iran is not a sophisticated adversary, or that they lack the expertise to do this. All of these things are false, right? The dissidents in Iran have been doing it without us for tons of years. The data analysis at that scale is possible, and we'll show an example. Iran is a sophisticated adversary, and they definitely have the expertise to do this. Not only do they have the expertise to do this, but they demonstrated it to great expense against our own government, right? The CIA had a system that they were using, and Iran figured out how the system

worked and rolled up all of the assets inside of Iran, and then shared that information with other countries, that caused devastating losses to our country and our efforts in those countries, right? So that kind of proves that Iran is a sophisticated adversary, right? The way the system worked was, again, kind of the same mindset that Moxie mentioned: it was an interim solution. They had these webpages that you could go to. You could click a link. It would pop up an applet browser, log in, put in the secret password. You then write your message or upload your files.

people that Iran suspects, they're going to look at that domain and be like, this is weird, and they're going to start finding other domains. And that's exactly what they did. They were able to use the code on this site that was reused a bunch and figure that out, right? You can read more on that story here, where you did a great piece on that story. Dollars information, they have a bunch more examples of the pages that were used, not just Iran but in other countries, and a lot more detail on how it worked and how Iran was able to unravel it. And I think you can still go and see

main website, which is pretty interesting, so you can learn from other people's mistakes, right? According to Yahoo News, New York Times, that CIA infrastructure thing was not built to withstand counterintelligence. It was never meant to be used long term, but like we talked about, it was working well for too long and everyone was using it far beyond its intended use. And again, what does that sound like? It sounds exactly like the solution. They're trying to work on something; it's been five years, they haven't worked on something new. This is a problem, right? So what are the takeaways, right? Interim solutions can become permanent problems. This is, you know, engineering 101, right? This is

what legacy means, right? Adversary capabilities improve over time. Just because the adversary is not sophisticated at the time the solution's developed doesn't mean they won't get sophisticated in the future, right? Any IT system engineer should be able to identify the problems with Signal's approach. And again, Signal's not bad or broken. I do think you should donate to them. I donate to them, right? But using Signal proxy does increase the suspicious factor of your traffic and gives your adversaries more infrastructure to go after.

That's my talk. You can win this game at the raffle, so definitely make sure you do that. If anybody has any questions, I'll be happy to answer them now.

The only effective way is to use a modified satellite phone.

Yeah. Because you're basically on the fringes of direction finding that the adversary has to invest resources into. The satellite phone still has to transmit, but the spot beam is big. So you can kind of play games with that. But if you even research that, there's lots of instances where, in Ukraine and Russia, as you emit, artillery, right? So obviously there's some sort of capability that both sides have to detect any type of beaconing, any type of RF, any type of spectrum, anything. I don't have that information, but you can just read about it, right? Like, guy pulls up a cell phone, all of a sudden he gets drone struck. Or in Israel, Gaza, they plug in the phone to charge, it boots up, drone struck,

right? So if you emit on the battlefield, it's a problem. So I would try to not emit. I don't know the answer, right? It's a very difficult problem. Just because your adversary might not have satellite-detecting capabilities at the time you're using it doesn't mean they won't get them the next day, or the next week, or the next month. And you can't even count on the device that you buy.

why

computer or whatever to the device doesn't mean, like you're saying, from that device it's been encrypted wherever it's going, right? The cell tower or the satellite or whatever. That's the direct argument I'm making. Yeah, like 100%, marketing, right? Like, which, I mean, they kind of have to

as I know, none of the other services are claiming that they blend into XYZ traffic. So as long as they're not claiming that, you know, but as a user, you have to realize because they're not claiming that maybe my traffic does stand out, right? If my communication system is not decentralized, well, that means there's a central point of collection. There's a central point of failure.

to the emitting kind of on the battlefield, right? If you're trying to do protest software or anything, you don't want to get, you know, you want to emit too far, right? You want to be able to have kind of peer-to-peer chat that can't be jammed, you know, across an entire street, right? Those are very difficult problems to solve when you're going up against a government, right? Especially in a place like Iran, or any other place that significantly restricts cell phone ownership or anything like that. Any other questions?

are they identifying them? There's no bad TLS fingerprint. It's just a TLS fingerprint. And so you would look at, they would do it the same way I did it right there, right? They would look at, OK, what is this server responding as? How frequently does it respond as that? Your different versions of that server respond with different fingerprints.

proxy server response to the client connection

So if you're looking at trying to blend in, you would want to mirror what the most common thing is, right? That's where, in America, we don't know what the most common server response to Iranian users is. We would have to be an Iranian user to be like, oh, here's the most popular websites we go to. Let's look at those server responses and then mirror those, right? Even if you just said, oh, let's just do Nginx, or let's mirror Apache, right? That would make it harder, because they wouldn't know if the user's talking to Nginx or if the user's talking to Apache. However, the traffic shape would tell them that, oh, this is not a normal web request. So this is some sort of, in

an Nginx case, is this some sort of transparent proxy going on? Or in an Apache case, there might be some mod_rewrite stuff going on that's changing the shape of that traffic, right? But again, that kind of goes back to my point of, like, we can't assume that we know what Iranian traffic looks like from the outside, right? Or at least a company can't.

better approach, I still don't know if it would be great, because, again, you still have the traffic shape issue. So cool, you've matched the fingerprint, so they can't use that query, they can't query that in their collect. But you still have a shape, and they might not be able to find you live, but if they hoover all that up and save it and then post-process it: okay, who was the subscriber at the cafe, or whose cell phone was at this place that day? Oh, it's

Jack Sparrow with the red Sparrow. That one is not real. Someone actually looked at this and said, that is scary. I will fly that. Is this a do crime pencil? Yes, it is a do crime pencil. A little help? Okay, thank you. Shouldn't have thrown it.

industry either. Alright. So on the other end of that,

yes, you want to be a ghost ship, but without GRC, ghost ships become rudderless, become directionless, and the weakest link will sink your ship. If you have one thing out of place, you know, everybody knows, again, those zombies, somebody is going to click on that link that that they won a million dollars, you know, and all of a sudden everything's compromised and

the black hats win.

Paper tigers. So one thing that I have ranted about, and one reason why I used to be a very staunch pirate: like I said, I was 20 years in the army. Lot of regulations. There's a lot of things that you should checkmark; it doesn't necessarily mean you're secure. Those two are not the same thing. Compliance and security do not equate. They are both necessary, but they are not equal. So you can become a paper tiger where, on paper, yes, you are fantastic. You are compliant in every way, but you have a giant hole that you can walk through. All right, so monster trucks. I've seen a picture of it. I should have grabbed it and put it

up here. There is a monster truck out there with a Jeep that has a 20 inch wheel on the back as a spare. That is compliant. They have a spare tire that will not work.

I'm sorry, I'm getting ahead of myself in the slides. All right. The basic difference between these two thoughts, and I am going way too fast. The basic idea between these two thoughts is

crew versus community. It is who you trust. Pirates trust who you know. You have to be able to... your crew is paramount. You're going to fix everything that you know right there. Whereas the ninjas, it is the same across the board. The reason why compliance is a thing, like PCI or HIPAA, whatever, is to make connections between organizations. If you do not have those, they're not gonna talk to each other, because I don't know if you are safe. So you have to have a balance there. All right. I am what everybody hates: a moderate. Another pencil if anybody knows that reference. If it's not quick,

if you can Google it or whatever. All right. Sorry, I need to go back to this.

I apologize. Hi. As a cabin boy of the JSS Black Hills, I have found myself very much a ninja in the army. I was a pirate because I wanted to make sure that I was secure because I knew the regulations around me did not necessarily make me so.

So one of the regulations that I always pointed to came from

Tempest 7002. Tempest. Written in 1995. It's how far apart things should be. Guess how long until that one was updated. Anybody want to throw out a date?

Never is close. Actually it was 2015. So 20

I think somebody did say 20 years. 10? Oh, you don't get a pencil because you work there anyway. 20 years, technology has changed. There is huge difference between 1995

technology and 2015 technology. The idea that because that's what it was basically wrapped around this NIST 7002

is that if I pick up a classified phone, I might hear it on an unclassified phone. The idea that your packets will jump from a Cat5 shielded to another Cat5 shielded... it's just, it's ridiculous to think that that could happen and would happen regularly. Even if it did jump one packet, the next hop is gonna drop it. To get an entire stream, I don't see it happening. Anyways,

that is why I was a ninja in the army. The other end, why I am more of a, or excuse me, I was a pirate in the army. I'm more of a ninja at Black Hills. Not because it's a bad organization or they do anything wrong. It's because we are a pirate ship and we do trust internally. And being in a confined space for so long, I kind of miss that. Maybe I'm just brainwashed. I don't know. Or what is it? Stopping.

It's the keel of the ship. The real threat isn't each other. I know where I came from. There was a big fight between the pirates and the ninjas. The GRC people did not like the people that actually did security. The security people thought that the GRC checklists were dumb.

else have that fight between your compliance people and the actual security? I guess it was just me. All right.

So I am actually promoting and encouraging a new triad. Everybody knows the CIA triad of compliance, assurance, The wrong one. Confidentiality. Confidentiality. Yes. Thank you. Words are hard right now, and I'm the one talking. All right.

The CIA triad actually came out in 1985, or it got codified. It was talked about loosely from the mid-70s, but it actually got codified of, like, this is a thing and not... That's another one where things have changed. The verbiage has changed. You know, the only time that this ever gets brought up, honestly, is if something's not available. Everyone knows, or I say this, I'm pointing towards it like it's up there, the CIA triad. The only time it's brought up is if it's for availability. Something has confidentiality problems and you go, oh, CIA triad. Everybody knows that's part of security. Everybody knows that integrity is part of security. But it seems like everybody has to be reminded

that availability is. So that's one reason why I'm proposing that we combine those into security and add compliance. Because compliance is necessary. It is necessary.

It is on equal ground to actually securing your network. Yes, you have to have the house. You have to be built correctly, but then you have to have some kind of perimeter. I just mixed metaphors, but I think I'm conveying the right thing of you have to have both.

if you were, you know, contracting out a ship, you would not trust the Flying Dutchman to do it, or any pirate ship; you're not going to use it because you're not going to trust them. You don't know them. So that's why you get something compliant. But if you get one of those paper tigers that, sure, is nice and shiny straight out of school and doesn't know what they're doing, they're going to get lost.

Without structure, it's going to crumble.

I just. All right. I apologize for being this short, but all I have left is a meme unless people have questions.

Any questions about the only controversial thing I'll say is the fact that I think that the CIA triad is outdated because it was made the same time Ghostbusters was. So if you add compliance to that. Yes. The idea of compliance means it actually states a lot in itself.

you have a measure that is stated, and then you have a score on that measure of where you are in the compliance. Compliance itself does say a lot, and I get that. I certainly think it adds to the triad. It would make it, if you will, more dimensional, whereas we can go to any instance in Measure CIA, just on a single app, a single protocol, a single episode, but if you take the compliance in the app,

The reason security in of itself, in my opinion, is if you want to measure it, it's are you breached or are you not? But at the same time, it is are you breached or have you not been breached yet or do you not know that you're breached? But don't you want clients to say, hey, I want to know before I'm breached. Absolutely. Am I breachable? reachable. I'm not going to measure that. That's that's where I was going with it is that there is no way to measure that other than compliance. Compliance is great. And one thing that I did leave out because my practices were longer than this is the fact that both sides actually need to not only talk to each other but be involved with each other.

We need people that know practical security to be helping to write those compliance... An example of that is actually, again, going back to my army days. One of my great... one of my bosses was doing a presentation to a two-star general; if you don't know, that's fairly important. And he had this big demonstration on how he could use a PDF to infect the network and get in, get C2, all that good stuff. Halfway through, the general stopped him and said, "We are going to stop using PDFs right now." No, that is the wrong... That is a knee-jerk reaction. And the boss was like, no, we still need that. There's all other kinds of vectors. This is... what we need

to do. Luckily, he got talked down from it. But a lot of compliance ends up being written off of buzzwords, or they are outdated. So we not only need to increase the rate that we are writing compliances, we need the right people in there to put the right things in. Fantastic.

I see a lot of, there are a lot of people doing it right, but at the same time, there are a lot of people that write a policy once and that's good forever. So it goes all the way up GRC. Also laws that get written; that's where I was really saying buzzwords. Legal writings of things are very loose, of

everybody must use zero trust, but zero trust, at the time that they were saying that, didn't have a good definition. And it still means a different thing to different people. So are you compliant with that or are you not? It becomes so gray that it doesn't help. On the other end, if you become too specific it will open you up to, again, I'm speaking in generalities, some companies and some lawmakers will be so specific that when technology changes, it will no longer be applicable: you have to have this setting a certain way that hasn't actually been applicable for the last 15, 20 years.

Like I said, they are both supposed to work together. There's a lot of places that don't. That's one reason why the one that was up there before the new triad, I believe that they should be equal to each other and distinctly different. Now I'm losing my voice because I'm yelling.

Again, I apologize that I ran through it way too quick. This is my first BSides talk, but any other questions, concerns, complaints? Yes, sir. So you just, like, see the industry trying to transition from this overarching word cybersecurity to cyber resilience. Where do you see that fit? Like knowing that, like, someday you're going to get

The availability does need to still be there. The resilience, I would say partially, I think that's a buzzword, but, and I'm not a huge fan of those, but I don't know if it plays directly into it other than, yes, you need to be compliant and still be prepared.

are many people in organizations, especially in some kind of ops,

that as long as the checklist is done, that means they're secure. But sometimes there are things not on the checklist that need to be checked, which, I'm sorry, I can't give you a checklist of things that you don't know are going to happen yet.

Right. You only know what's normal for you. So sometimes you have policies that you have to do that, which I encourage. But there are other ones that, no, you'll have things that these technologies don't even apply anymore, but you still have a policy on it. Or it's still in the user agreement that you'll unplug the computer every night so that you don't get a worm

seen policies last 20 years. A lot of our customers, because we're kind of picky about them, they're not. But yes, there are some industries out there. And it's a lot of ones that don't focus on the IT infrastructure. You know, if your main thing is

The main part of the company is not to have digital items, whatever. Your widget that you're selling is not some kind of digital. It usually gets pushed to the background of you are compliant because you have a policy and nobody cares. That is a generalization and it's not always. There are some great companies out there that actually do what I'm talking about. I don't know what it is or industry, but there are a lot of smaller companies that do definitely write a policy once and that's good enough.

industry or an area that, well, I guess if you're here, you probably aren't part of that, of somewhere that is behind on security. Find somebody that is, somebody to help you with it. Even the compliance or on the actual security.

for it being so short. 30

minutes, so it's fine. 30 minutes? I saw it was an hour and I practiced and for some reason I ranted less.

Can everyone

serving system got to do with IGA? Well, that's because of Sarbanes-Oxley section 404. They found the page, and that page said that you, every system, every company must know who has access to what, specifically your financial data.

your RPA accounts and all of that. Into the future. Well, the future notion is: why should somebody even go request access? Why? Because sometimes that's going to take a long time, you may still not have the right access, so many problems with access, right? So the future state,

you set a baseline, and then based on what access your peers have, this predicts what access you will need. So that's how much IGA is evolving around human identities. But here's the big thing. Agentic AI, right? When Enron did something wrong, we knew exactly who to arrest and who to put in jail. What if your agentic AI did something wrong?

Right? So everything that we wanted in an organization was all deployed into your own internal network. So instead of using an ID and a password for every single system, Kerberos, which was given to us by MIT's Project Athena, they said, let's use a trust delegation model. Why do you have to log in so many times? Log in once and delegate the trust to every internal system.

access to something in yours and yours. I have secured through Kerberos that everything within my organization can be accessed through one ID and password. And how about from yours, right? Instead of our users creating an account in your organization, your organization,

identity concept there. How do you know which user requested that access? So OIDC introduced the concept of shedding the identity profile at those applications. And on the other side, smartphones were getting smarter, biometric authentication came in, and a lot of companies started realizing that single factor is no longer cutting it. So multi-factor really really

haven't started exploring passkeys, I would definitely

is to continuously monitor your identity. Just make sure you are still the same person, that you've suddenly not escalated your privileges from your regular use. It continuously monitors the use of your identity and not just at login time. The adoption of that across companies, a lot of products have already started adjusting ITDR, but how much this is going to get adopted pretty soon, a lot of

the system following all these rules still cannot be trusted. So we realized, okay, well, we do have session management, right? We've been monitoring the sessions, but mere monitoring is not enough. Let's analyze what these users do once they've logged in with their privileged account. So user behavior analytics.

password using API. 2020: we have finally realized that the human race is not to be trusted. The zero trust concept is here and it's here to live, and in the world of privileged access we call it zero standing privileges, as in don't store anything, right? So your privileged access gets created dynamically

it's good

a VPN issue. They had their employees enter their ID and password into a fake portal. These guys then took that ID and password, entered it into the real portal. Of course, they're prompted for MFA. Some employees also gave that MFA information into the fake portal. Armed with this information, the attackers eventually find their way into Twitter's internal admin

Thank you.

you with a new question.

If guided labs are your thing and you are willing to spend money on it, go for it. But again, it's a personal choice. We all have different funding restrictions. We all have different ways to learn. So if this is for you, give it a try. And if you're like, I don't want guided labs, I've got this, I can do this myself. So if you want to install your own local

here?

even if you've not done labs, that's all right. Whatever you have learned, articulate back through LinkedIn posts or whatever. I'll speed up. Certifications. I always have this tie with certifications, and that's mostly because I've interviewed so many people over the period of my career. I've seen resumes with a tail of certifications, and they cannot answer simple basic questions. On the other end, I've seen people with no certification still able to ace the interview. But my personal opinion is, it's because the first step was not done right. If you are doing a certification just to check off a box, you may be able to get to the door. Whether you get through the door and whether you survive after you get in the door depends on

how much you invest in learning what you get out of the certification. If you're just going to go through dumps to get the certification, you'll be out

pretty quickly.

you have to do is to understand the domain you are in. Again, I'm going to repeat, understand with the intent to teach back or understand with the intent to teach back to a five-year-old. It does not matter which role you are in. If you do that, you will not be

you

where you must have it password vaulted, right? So at least that way, when they leave, you have the ability to rotate those passwords. Monitor and audit. I was in Shrivang's speech earlier in track one, where they were telling about a consolidate

Whatever you feel is critical to your organization, turn on the alerting. Always make sure you have monitoring and alerting on. Well, the cleanup that we did in step one, that is not a one-time activity. That is a repetitive cycle, right? You can't clean up once and then completely forget about it. You have to make sure that you continue to maintain that. And I have a question. Training and awareness. There are so many online training modules available today. If you have somebody onboarding new to your... Please make sure that they are given the necessary training required. And then scale only as you need it, right? Just because there are so many tools in the market, it does not

take away from this, right? And if anybody says nothing, I may restart my entire speech. So you have to be cautious on what you enter here. But I would really like to see, or for all of you all to see, what did you all take away from this? What's the concept that you want to explore