
Ten Years of Penetration Testing

BSides Belfast · 2025 · 36:38 · 186 views · Published 2025-02
About this talk
Holly Grace Williams reflects on her decade in penetration testing, examining how the industry has evolved since 2013. She discusses changing customer expectations, lessons for newcomers breaking into the field, and explores persistent challenges—from infrastructure vulnerabilities to AI's real-world impact on security work—alongside lighter stories from the front lines of testing.
Original YouTube description:
Abstract: Holly has worked in Cybersecurity since 2007 and exclusively within the field of Penetration Testing since 2013. In this talk, she'll explore how our industry has changed over the last decade, both looking at how customer expectations around testing have changed as well as how new starters might break into the industry. With stories of dumb stuff found on pentests to customers putting the effort in and making my job hard. Speaker Bio: Holly Grace Williams; Penetration Testing at Akimbo Core | CREST Fellow and CREST CCT. Holly Grace has been working in cybersecurity since 2007, with a focus on penetration testing and cybersecurity consultancy. Holly Grace is a CREST Fellow and has been a CREST Certified Application Tester since 2015. She has professional software development experience in Python and Rust, including taking software products to market. She has strong experience in building and securing cloud environments, with a focus on AWS and Azure. #bsides #securitybsides #infosec #bsidesbelfast #belfast #bsidesbelfast24
Transcript

All right, I have exactly 34 minutes left to do my talk, so there's probably not going to be time for questions, but I'm not leaving after this talk, so if you have questions and I run out of time then please just grab me in one of the breaks or something like that. Also, the next talks coming up: we've got Hardware Hacking the Internet of Things here, so that's an easy one, but if you are more of a detection-as-code person that's upstairs, out the door and upstairs, so make your choices now whilst I talk, because you might not have much time to move by the time I'm done.

For this talk I was asked to put something together like the opening talk for the day, something high level to inspire you all. Not sure I'm going to achieve that. I've got some notes in the slides to try and help me with that and lead you towards a high level inspirational talk, but if anybody's seen me talk before, most of what I do is "computers are awful, this industry is awful, isn't it all just awful", so this will be 95% that and then I'll have one slide at the end that says "but maybe things will get better if we work hard", or something to that effect.

Also, I should probably mention that when we have talks like this we all have bias, we all have a certain background. I'm a penetration tester, so most of the time I don't really care a great deal about governance, risk, compliance, policies, all of that kind of thing. Can I hack the thing, and if I can hack the thing, what's the worst case scenario from that? So a lot of what I talk about is kind of that offensive side of things, and just really, like, academic research is awesome, but can I hack it today? So if I seem a little bit biased in that direction, a little bit less biased towards defensive security, that's why.

For those who haven't seen me talk before I'll do one introduction slide, so you know who on Earth you're listening to, and also to enable better networking, because you'll know what I'm interested in, and if you want to talk to me in the networking breaks then great, you'll know what I like. I'd prepared about 30 slides which are, as previously mentioned, "computers are awful, isn't it all awful", but we're in a second going to go into a short detour, because we're talking about security and I flew here, so airport security, what a wonderful experience that is. Some of the other speakers, we were just down the front here plugging our laptops in, checking if everything was working, and the other speakers who had flown here all had similar stories of "oh dear God, isn't security awful", so I'll do a short detour to talk about that.

If you haven't seen me talk before, my name is Holly Grace Williams. I'm a penetration tester at a company called Akimbo Core. I hack things for a living, that's the short story. I also work for mountain rescue, I'm in the Bowland Pennine team, so I like to touch grass a lot and drag people off mountains. And also I'm a SOTA operator; if you're not the right kind of nerd to know what Summits on the Air is, don't worry about it. If you are, networking break, let's talk. There is a SOTA summit less than a mile from here; if I disappear at lunch, that's where I'm going.

Right, so I was asked to put together a presentation, and I put together all of my slides and I get everything sorted and I think I have a good story for "it's not all awful, but if we work really hard it'll get better", and then last night I flew here and had the wonderful experience of going through airport security, which thankfully one of the other speakers has informed me is not as bad as TSA in America. So whilst I'm going to complain an awful lot about airport security and how I think in part it's a little bit representative of broader security, and certainly somewhat cyber security, it could always be worse, it could be TSA.

So one of the things I want to talk about: I've roughly got three things that I want to come out from this presentation. One of the things is I want to talk to the students out there and the people who are new to this industry, and talk to you about how cyber security isn't going away, and the fact that we keep getting told that computers will replace us and AI will replace us and all of that. In fact, when I was writing my notes this morning to make sure that I had a cohesive story, one of the things that I remembered was when I was much younger than I am now, as in school, I remembered saying that I wanted to be a computer programmer. I was obviously wrong, but don't judge me, I was young; penetration testing is much better, but at the time I thought programming is what I wanted to do. So on our careers day, and I would have been 14 or something like that at the time, easy maths for you all, 20 years ago, I said I want to be a computer programmer, and my form tutor at the time said "what's the point of that, don't computers these days practically program themselves?" And that was my first kind of public "I think I want to work with computers" and immediately getting shut down. So if you're a student, or if you're kind of new in the industry, you know, less than two years, something like that, it's a fantastic industry and it's not going away, and whilst I got told computers are going to program themselves, you'll probably get told AI is going to replace you and you won't have a job soon. It's not true, or at least it wasn't true for me, and I don't believe it'll be true for you. So that's the first thing.

And the second thing is, I think an awful lot of cyber security is kind of performative, and a lot of people do some things in security because it looks good and we can point to an action that we made. And you're all professionals, I'm not saying any of you do it, but I am saying it's a very easy thing to do, both consciously and unconsciously. I'll talk about phishing in a little while, and no doubt phishing is a great example of this, where "oh, we run phishing campaigns to improve our security awareness". Does it really? We'll talk about that in a second. But just generally I want to introduce the idea of security theatre, and I'll talk about that in a second.

And then for those that are interested, like I say, I'm a penetration tester and I'll talk to you about how my job has changed over the last 10 years. Although I've not been testing for 10 years, but we'll get to that in a second. How my job's changed over the last 10 years, and the short story is it hasn't. Pentesting is a fantastic job, it's very, very interesting, I get to do some really cool things, I hack computers, my job's awesome. There's two or three slides in about that, but this short detour, the thing that I wanted to stick in here, is this idea of security theatre, because boy do you get hit in the face with the idea of security theatre when you go through airport security.

So as previously mentioned, I'm the kind of nerd that's interested in radio systems, so I'm coming through airport security and I have this bag with me. There's nothing interesting in this bag; it's yesterday's dirty laundry now, I'm afraid, because I flew out yesterday, a waterproof jacket, and a high frequency transceiver and an antenna system, which airport security don't know what is. And of course I expected that. I am travelling with some unusual electronics; who in the room isn't? Let's be honest, you know you're all probably travelling with some weird things, some of you may have even had to go through airport security. So I knew that this was going to be a problem and I knew that there's some items in my bag that they would be some more interested in. One of them is I'm travelling with a lithium battery; aircraft don't like lithium batteries, but it's fine, it's below the threshold, all of that kind of thing. So I'm prepared, in my bag I've got everything in pouches so that when I get to the bins where you have to strip everything out I can go laptop, HF transceiver, antenna system, and it's all nice and laid out and whichever bit they want to look at they can.

And I go through security and I'm watching as the bag goes through the scanner, and of course it gets pushed off to the additional screening section; we knew that was going to happen. And I'm trying to guess which bit is it that they're interested in. So they point to one of the pouches and they go "what is in this?" Right, so HF transceiver, right, I mentioned that previously, it's an amateur radio thing, it allows us to talk across the world, it's very, very nerdy, and I just kind of go "a radio", and they go "okay", move on to the next one. And eventually we get to this thing, which is on the side of my bag, and anyone who's seen photographs that I've been posting may have seen this already, because I posted this on LinkedIn. And she pointed to this on the side of my bag and she said "what is this?" And I said "this is an antenna". Right, if anyone's seen antenna systems before, it looks like one of these. This is an antenna, it goes with the radio. And they go "fine, can you demonstrate its use?" I can demonstrate its use. I'm now standing in airport security holding up a very, very long line. Whoever's in charge of the lights, don't worry, I'm not going to hit them, but the point is this thing extends to 5.2 m and I am demonstrating its use in airport security. Got plenty of room before I hit anything important; let me know if you hear a thud. Right, it still goes up.

So I'm standing there in airport security demonstrating its use and I was wondering about the other things that people might be travelling with. Somebody told me a story of they have like a folding comb, like a hair comb, and it looks a bit like a pocket knife, so when they went through airport security they said "what is this?" "So it's a comb for my hair, it's for combing my hair." "Can you demonstrate its use?" This wonderful thing, that somebody would think this might be a knife and give you it and say "can you demonstrate its use". Whereas to me, so I'm standing in airport security with this thing not quite all the way up, for the same reason that we have here, but I'm like, it's an antenna, it plugs into the radio, what do you want me to do? She looks at me sternly and she goes "I have to swab that for drugs", and that's it.

So this is what I'm talking about, about some security theatre aspects. If I was a drug mule, and for the record I'm not, get that on the transcript, I'm not a drug smuggler, I don't know an awful lot about smuggling drugs, but if I were to smuggle drugs, putting it in one of these things, the most suspicious looking item ever, seems to be the wrong way to go about it. And I sat there, and I was at security for so long whilst they swabbed every area of the antenna, put it in the little machine and went "oh, well, no drugs, on you go". And it was just one of those times, it's like, when she said "on you go", I was like, that's not how I thought this would play out. Just left. No additional screening, no second run through the airport. We're talking about TSA pulling your bag apart and searching every little item; none of that. Wiped my antenna down for cocaine, didn't find any, let me through. Security theatre.

I've got another, more cyber security related example of this kind of thing. We see it an awful lot, and I'm not saying that this aspect is bad security, but what I'm trying to get you to do is think about when we apply security controls: think specifically, what is this control intending to do, and then try and come up with tests to determine if that control actually does the thing. The most common security control that I come across, I haven't actually done a survey or worked it out or anything, I'm just saying very, very common, one of the most common security controls I come across is password complexity. Pretty much every Windows system that I test has complexity enabled. The intention I am told of password complexity, sorry, I keep saying complexity; if you're new to the industry and you've not come across this term before, complexity is that thing where you have to use uppercase, lowercase, numbers and symbols. Microsoft's complexity rules are three of the four: uppercase, lowercase, number, symbol, that's complex, see complexity enabled everywhere. And when I talk to people about complexity, like, what is the intention of complexity? "To make users choose more secure passwords." And then I hack Active Directory, I dump all of the passwords, and I see that so many users are using "Password1" with a capital P, and complexity has done nothing. In my opinion as a pentester, complexity is security theatre; it is not achieving the goal.

I had a really interesting one this week. I hacked a system, it was a really silly vulnerability, quite a little while, I dumped all of the hashes and I couldn't crack a lot of the hashes. And I was doing my usual thing of dictionary words with suffixes; if anybody's interested in which word list I use, I use the Urban Dictionary because it knows more expletives than I do and it also knows more football clubs than I do. So just a list of common words, and I add suffixes, so capitalise the first letter and add maybe up to four digits or six digits and then a series of symbols. That's the kind of thing that I do. In this particular instance not many passwords were coming out, and I was curious as to why that was, and with a little bit of extra effort and a little bit of thinking about why this might be, I started cracking a few passwords and I realised that the minimum password length was very long, something like a 14 character minimum password length. And I realised that as soon as the first password popped out, that was company name, 0000000000, zero padding until the minimum password length. So another thing to consider. Not saying complexity is wrong, I'm not saying complexity is the devil, I'm saying if you're implementing security controls, think about what are you implementing the control to prevent, and then test it to see if it actually does prevent that. And when I hack a user who's got password 12345678, it didn't help.

Okay, there we go, there's a little bit of a detail about airport security and the rant that I wanted to do there, and the first lesson of this slideshow, which is around security theatre and making sure that we're not doing performative security, but what you are implementing is actually helping. Cool. So this presentation was titled Ten Years of Pentesting. I haven't been pentesting for 10 years.
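The "test whether the control does what you intended" point above, as an added worked check. This is example code written for this page, not code from the talk or from Akimbo Core: it encodes the three-of-four character class rule plus a minimum length, then runs the second test the talk calls for, flagging the predictable shapes the policy was meant to stop (a dictionary word with a digit/symbol suffix, a company name zero-padded up to the minimum length), so a defender can measure how many policy-compliant passwords are still trivially guessable. The word list, the company name `examplecorp` and the sample passwords are constructed for illustration.

```python
# Added example for this page, not code from the talk or from Akimbo Core.
# Step 1 encodes the control as deployed (Microsoft-style "3 of 4 character
# classes" plus a minimum length). Step 2 tests the control against the weak
# patterns the talk describes. The word list, company name and sample
# passwords below are constructed for illustration.
import re
import string

COMMON_WORDS = {"password", "welcome", "summer", "winter", "letmein", "qwerty"}
COMPANY_NAME = "examplecorp"  # constructed placeholder, not a real organisation

# The characters the policy counts as the "symbol" class, escaped for use
# inside a regex character class.
_SYMBOLS = re.escape(string.punctuation)
# dictionary word, then up to six digits, then any run of symbols
_WORD_SUFFIX = re.compile(rf"([a-z]+)(\d{{0,6}})([{_SYMBOLS}]*)")


def meets_complexity(password, min_length=8):
    """The control: at least min_length characters and at least three of the
    four classes upper / lower / digit / symbol."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and sum(classes) >= 3


def weak_pattern(password, company=COMPANY_NAME, words=COMMON_WORDS):
    """The test of the control: return a reason if the password follows one
    of the predictable shapes the policy was meant to prevent, else None."""
    lowered = password.lower()
    # company name followed only by digits / symbols (e.g. zero padding)
    if lowered.startswith(company):
        tail = lowered[len(company):]
        if all(c.isdigit() or c in string.punctuation for c in tail):
            return "company name + suffix"
    # dictionary word (capitalised or not), digits, then symbols
    match = _WORD_SUFFIX.fullmatch(lowered)
    if match and match.group(1) in words:
        return "dictionary word + suffix"
    if lowered.isdigit():
        return "digits only"
    return None


def audit(passwords, min_length=8):
    """One row per password: (password, passes policy?, weakness or None)."""
    return [(pw, meets_complexity(pw, min_length), weak_pattern(pw)) for pw in passwords]


def theatre_rate(passwords, min_length=8):
    """Share of policy-compliant passwords that still match a weak pattern.
    Close to 1.0 means the control accepts exactly what it was meant to stop."""
    compliant = [row for row in audit(passwords, min_length) if row[1]]
    if not compliant:
        return 0.0
    return sum(1 for row in compliant if row[2]) / len(compliant)


# Constructed sample set standing in for passwords recovered on a test.
SAMPLE = [
    "Password1",          # the classic the talk mentions
    "Password1!",
    "Examplecorp000",     # company name padded with zeros
    "12345678",           # fails complexity anyway
    "Summer2024",
    "xK9#vL2@pQ7!mN4z",   # the kind of password the policy hoped for
]

if __name__ == "__main__":
    for pw, ok, weakness in audit(SAMPLE):
        print(f"{pw:<20} policy={'pass' if ok else 'fail':<4} weakness={weakness}")
    print(f"theatre rate: {theatre_rate(SAMPLE):.0%}")
```

Raising `min_length` to 14, as in the talk's second story, makes `Password1` fail but still lets `Examplecorp000` through, which is the point: length and class rules are easy to satisfy with a predictable shape, so the control needs a pattern check (or a banned-password list) alongside it before it does what it was deployed to do.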

for I think if the maths is Right 11 years 10 years sounds better there you go I've been in uh cyber security since 2011 I've been a pentester since 2013 so I think we're now 11 years either way going to talk about breaking things for a living I told to write a keynote and I had a little look online of what makes a good keynote and came up with these three General ideas that I want to put out there explain how the industry has changed over the last 10 years let's see uh explain how the industry might develop in the future and then inspire people for the future I'm at least going to inspire you for the

next talks if that's uh if that's the thing so uh one of the things I want to get across is as I mentioned if you're new to the industry if you're a student those kinds of things um security is not going away we hear all of this uh this stuff about how Next Generation artificial intelligence stuff is going to solve security and it isn't and I think one of my justifications for that the first bullet point on why I know cyber secur is not going away is um software is awful and bus will continue to happen um here's one of my favorite bugs that you may not have come across and if you haven't It's a Wonderful

example of just users doing things the developers didn't expect and weird things occurring this bug has been fixed now it was around 2019 that this occurred which is around um iOS 13 and what would happen is in uh iOS on iPhones if you scroll back in your calendar you know that app you use for like booking meetings and scheduling calls and things like that if you just keep scrolling back to about 1842 for those at the back that can't see the slide too well just weird stuff happens um August has not the right amount of days in it and September has two the thirs oh August has two the fifths as well I'd love to see how this

transcribes on the transcription machine for subtes point being I'm software is awful we're going to keep making mistakes um in part I think some people might say that um this is because user did something that the developers didn't expect other people might just say writing software is really hard writing software that does not fail is really hard and but yeah the iPhone developers probably didn't have a test case for what happens if you scroll all the way back to 1842 and if you do weird things happen right quick audience participation don't worry this won't take long and I'm not going to ask anyone individually to do anything also if you are a speaker later in the day

maybe have a look around at some people's answers here um so all I'm going to do is I'm going to ask a series of questions and ask you to put your hand up so that I can gauge the audience that we have here and see who we have in the room put your hand up if you do not work or study in cyber security you're a music student you do a something like that there is a few of you I would be interested you individually afterwards come and tell me what you're doing instead of cyber security because it's probably better than what we're doing okay um so uh I'm going to uh say next uh put your up if you are studying cyber

security you're doing a degree doing a PhD something like that how many students we have in the room more students cool uh so we've counted students now so just moving on to people who work in cyber security put your hand up if you've worked in cyber security for two years or less so five years or less 10 years or less really really good mix of the audience I'm not going to ask you to put hand up if you've worked in cyber security for more than 10 years I'm not sure it'll go up I got one I got one hand up there thank you everybody very very surprised one of the hardest things about um writing

presentations like this is is gauging um who is the makeup of the audience and who we got out there and how do I make something appealing got a lot of people in the audience who are either studying cyber security or been in the industry kind of less than two years so are somewhat new to all of this um that that's interesting to see and at least one person who got the hand up there for more than 10 years so you're in the same bucket as I am sadly so looking at the last 10 years of testing uh since you know what 2013 2014 something like that what's changed I think very often when we look back at systems we kind of

struggle to actually Place well um when things happened and kind of how long ago an item was so quickly a look back at 2014 and to place in your mind when 2014 was okay let's have a look um who has got an iPhone phone 15 I was worried then cuz no one put the hand up like you all Android or you all old mobile phone people a few people is iPhone 15 is currently the latest one the iPhone 16 comes out tomorrow for those people that are that kind of nerd um but current generation up until tomorrow and this slide deck becomes out of day iPhone 15 right 2014 iPhone 5c there you go you've now got it placed in

your time frame when was that how far ago was um the the uh 2014 the iPhone 5c the six came out of like September 19th or something so we're not quite there yet um so what's changed in the in the last 10 years for for an awful lot for my day job the day-to-day of what I do of trying to hack computers and I these days um spend most of my time looking at web applications and Cloud systems but earlier in M it's probably more infrastructure more on-site work there's some differences we do less infrastructure more Cloud now but generally the day-to-day steps of what I do and this is the shorter story of the

methodology you have a pentester that can give you the day-to-day of what I work through um is the same now the specific vulnerabilities that I exploit the specific um technique that I use might change but the day-to-day of a pent test and how it works is roughly the same when I was writing this slide I I'd had like a series of really good customers and had had a series of of quite difficult tests to do it's a bit of an odd thing as a pentester but if you have a difficult test and you're not really finding a lot you feel bad as an individual because you want to show off your skill you want to show off your

capability and you want to make the feel like they've had a good engagement and if you found lots of stuff great you've had a good engagement if you've not found lots of stuff that could just be the systems nice and secure and uh you're not finding stuff because they've done a good good approach and that's also valuable to to the customer but it feels awful to write a short report um so that that was kind of like i' had a series of customers like that where things were going well and then the last couple of weeks it's been the opposite um who in the room is a pentester who works uh solely in offensive security

stuff wow surprisingly few people okay are we a Dying Breed or something excuse me um so the pentesters will know but other people might not know um this week I exploited vulnerability called MSO 8067 it was a famous vulnerability some Chuckles in the room uh if you aren't familiar with ms8 067 we should not be finding it in 2014 it is radical that I did find it you might know Microsoft patches though Ms so8 the vulnerability was fixed in 2008 067 67th patch so generally Q4 of 2008 if you are unfamiliar with that vulnerability I strongly recommend looking it up Microsoft's got a write up about how they discovered it all of that kind of thing brilliant story but yeah

that's the week that I've had where I'm trying to write this inspirational presentation about how everything's getting better and I've had a good series of like difficult pentests then this week I propped MSO 8067 which is um start metas SP and click go done I'm a domain admin so occasionally we have that kind of test whether there's just something dumb on the network or something's badly configured whatever it happens thankfully now that's pretty rare but generally the overall steps of my day haven't changed a great deal and uh what I wanted to go on to then is talk about what are the concerns that we had back in 2014 and maybe in 2018 and then in

2024 and see how those concerns have changed what are organizations working on from a cyber security point of view what what do they think is the next big thing but just quickly before I do that uh I I came across a statistic that I hadn't seen previously and I thought it was interesting enough to um to present to you what percentage of large and small so there's two sides to this large and small what percentage of large and small organizations get pent tested does anyone want to fire a number at me large organizations what percentage get tested 65 okay 65 any advance 30 okay okay what about small organizations ormes five you pessimists anyone think higher than five

anyone think a a higher number don't let the pessimists win cool six I've got two slides to show you and um one is the um the 2015 statistics cuz of course we're looking back 10 years ago 2015 is the the furthest back that I could get you I realize this slide is very very small but blame the government they made it and uh I'm going to read it out to you this is what percentage of organizations have active technical testing such as penetration testing and Cyber attack simulation the dark blue is large the light blue is small that is 50% this is 2015 50% of large organizations get some type of security testing like pesting and um 26% of small

organizations so you might think oh yeah we're we're in the right ballpark right somebody said um 50 somebody said 65 um the pessimist said five no that's a really big number in comparison to five uh the 2015 what do people think the numbers did for 2024 similar uh large organization sorry this is now broken down into so all organizations they broken it down into business and Charities because they want to make statistics hard for us so this is the the average all organizations um companies penetration testing 11% yeah this is really weird the reason I wanted to put this in there is not only is it interesting that it seems to have been less organizations are doing

pentesting I assume they're doing something else instead but it's just interesting to see that slide um and also because of my own bias every company gets pent tested because as a pentester every company that I work with gets pent tested so my experience is that everybody has pentesting but it was F to me that 11% of organizations and slightly less for Charities get uh pested okay cool I'm not going to have time to show you every example within this because we're running a little bit behind when I got started but I just want to talk a little bit about back in 2014 what cyber security predictions were people making it's not going to be exactly 2014 2014 2015 2016 that kind of

thing but around 10 years ago what predictions were people making and what has changed since I'll give a few of these as examples to to show you kind of my experience uh with the industry and how going uh so Cloud outages in 2014 were Cloud outages a major problem yes probably uh in 2024 Cloud outage is a major problem yes we haven't had a major Cloud outage recently have we there has been a couple of changes though so for those that don't remember all of them um in 2017 so this is February 28th 2017 AWS um suffered what became quite a famous outage um was the EU East one went down um S3 went down it was really

really bad um but the reason that this outage is memorable to me is AWS hosted their own status page so when their systems went down they couldn't update their own status page so we have learned some things I don't know what the solution to this is I'm not prepared to look it up because it scares me I'm assuming as your now horse aws's status page and AWS horse is your status page but I let sight reliability engineer get on stage and tell you that story so back in 2017 Cloud outages huge aspect and AWS hilariously could not update their own status page jump forwards a few years we've got 2021 kind of marking for me this Middle Point and we have um ovh

having a major outage uh and their status page also being interesting that we'll get to in a second um don't judge this gentleman the CEO of obh octave claba too much for his English I can imagine when your data center is literally on fire uh you're under a little bit of duress and also he speaks more languages than me so you get a pass on some of the English here we have a major incident on S spg2 that's one of their data centers the the fire declared in the building firefighters are immediately on sign but could not contain the fire the whole site has been isolated we recommend to you activate your Disaster Recovery plan this outage

was very very funny for me because I followed it on Twitter this is 2021 before Twitter became awful and some people will disagree with that statement and um I was following on on Twitter and um some organizations were absolutely a Gass that they would have to to have a disaster recovery plan no a cloud provider of the person who was supposed to have a disaster recovery plan and that is an actual photograph of their server room not a nice time um and I mentioned there's something interesting about um their uh status page and what what occurred during this time was uh the CEO live tweeted the incident as two of their data centers burned down and

one was partially damaged don't worry too much about the specifics here it's just the the guys tweeting like once an hour of what they're up to when they expect recovery times to be at some point he was posting like kind of Vlogs about what what what they're up to in both English and French ovh being based in France and and just uh very very interesting uh to see that occur but 2017 magic CL out is still a huge thing 2021 data centers on fire isn't it wonderful uh and then I don't need to dwell too much but 2024 had a couple of outages I think that's fair to say so um Cloud security outes still a

thing so a problem cyber security if you're new to the industry if you're one of those people that put the hand up for either being a student or being in the industry less than two years cyber reliability engineering is not going away at least um and certainly uh cyber secur is not deep FS this this is another layer addition to the slide deck Google CEO said out loud AI is more important than fire or electricity this is actually like a compression of his quot his actual Direct quot thought was AI is one of the most important things humanity is working on it is more profound than I don't know electricity or fire I think the full Court's even

better and but the reason of course I want to bring up AI is deep F and the developments of AI and how it's impacting us from the point of view things like um security awareness training and things like social engineering and that kind of thing anyone want to guess when that was said wasn't last week was it 2018 2018 get rid of Fire and Water we don't need it um I tried to find the earliest example of a deep fake actually being used in an attack and I think what I what I have I think is a good Contender for that if anyone knows of an earlier example um please in the break or something tell me oh like hit me up on

LinkedIn or something I i' would love to know um but in September 2019 an article was posted that was at the time described as the first of a Kind attack as criminals cloned a CEO's voice so this is AI voice cloning in uh the article was posted in September 2019 but there's somewhat light on the facts as to specifically what the attack time frame was um but yeah deep FS things that we talk about now no doubt in in this conference people will be talking about the use of AI in deep FS um if there's no speakers talking about ai go talk to the vendors someone's going to say I to you aren't there so um AI yeah

not not a new thing not something we need to worry about um I won't dwell on this slide too much but I keep trying to use AI for cool things and it keeps failing me um this is me asking chat GPT uh to make a color diagram of a UK 3 pin plug um they made a diagram of a fever dream that's for sure I won't on that too much but I keep doing this I keep trying things like chat GPT and having um awful awful output I currently have a project ongoing to do AI voice cloning so if somebody is deep into that area please hit me up in the brick have a project

that would require that and I'm having this amount of success with it. And ransomware attacks. I'll quickly cover ransomware; I don't think I need to belabour the point. Oh, go on, I'll have to go on. First ransomware attack: somebody give me a date, just a year. First ransomware attack? Yes, do you know the year? It was in the '80s, that's close enough. Who here was born after 1989? You're younger than ransomware, and also PowerPoint; I think PowerPoint was '88 if I remember correctly, I don't have it in my slides. Yes, the AIDS Trojan, thank you very much, the AIDS Trojan. It wasn't ransomware, it was called a Trojan at the time. It was physically distributed on

floppy, the big floppy, you guys won't remember those. I say that as if I'm, like... I'm not, I was born after 1989 as well. Well, in 1989 the AIDS Trojan, physically distributed on floppy disc, demanded not cryptocurrency, of course, but $189 to be paid by a banker's draft to a PO box. Jump forward from 1989 to 2016 headlines; jump forward to 2024 headlines. I mainly included this slide, I wasn't going to belabour the point of ransomware, but mainly included this slide because this newspaper used the title "Testing Times". I love a good pun. Cool. And the last thing before I kind of summarise: the broad point there was for the students and for the people who are new

to this industry: you will hear constantly, constantly, constantly "why do you need cyber security? AI is going to fix it all", in the same way that I was told "why do you want to be a computer programmer? Computers practically program themselves" 20 years ago. Today, all of the same thing. But another funny thing happened. Something that we've been working on recently is, during penetration tests, so during either infrastructure tests or when we do perimeter breaches and we get on internal networks, looking around for sensitive data. This is a penetration test, I don't have the exact date on this but it was somewhere like 2016, 2018, a test that I did. I found an

organisation exposed its WordPress backup. I found that through Google dorking, because that's a cool thing, basically putting into Google "company backups", and then it's like "these backups". Downloaded those backups, pulled out the hashes from their WordPress site, cracked a whole bunch of them, can log into WordPress. The action of data mapping, trying to find data in places where it shouldn't be, and then laughing at them in the pentest report to be like "look at all of this data that I stole", hasn't changed, but the manner in which we do it has. So one of the things that my team are working on at the moment, and I'm sure many other

teams are, is using artificial intelligence to make data mapping faster, because I'm lazy, I don't want to look through network shares all day. But if you show me a network and a penetration tester says "I have checked all of the network shares on this network and have not found a plaintext password or exposed personal information", I will show you a pentester who has not looked hard enough. It's a surprising thing, but on pretty much every pentest I find something in an exposed network share that shouldn't be there. Two really interesting wins that I keep finding, not regularly, not like every pentest, but they do keep coming up, are virtual machine backups

that are exposed, getting virtual machine discs and then downloading them, and certainly backups of things like domain controllers, things like key servers and those kinds of things. And that is one of the weirdest feelings as a pentester, because I'll find a network share, that network share will have like a backup of the domain controller or something, and I know if I download that I've won and I can extract the credentials and that's the end of my pentest. It's fantastic, but it'll also be like 150 gigabytes, so I do right-click copy, right-click paste on my desktop and then wait, hope for the reliability of the network to allow me to pull 150 gigs across the

network, and also see if anybody's going to notice me just absolutely ramming the network with all of the data, and in my experience nobody ever does. Nobody ever seems to find those kinds of internal data exploitation problems, and eventually I'll pop a domain controller: I'll either boot it up and pull creds out or, more often, just pull the creds off the disc, and that's game over. And it's one of those weird things, because sometimes when that happens maybe I'll find the share at 10:00 a.m., 11:00 a.m., something like that, and by the time I've managed to download this copy of the domain controller and pull creds off it, it'll

be like 4 or 5 p.m., and I tell the customer "oh, I have full compromise, isn't this awesome, great vulnerability", and then they go "I'm surprised it took you so long", and I'm like, get a faster network. So, use artificial intelligence to pull things like PII, those kinds of things. Not a challenging problem. If you're looking at learning artificial intelligence, if you're a pentester or someone on the blue team and you're just looking for an interesting AI project to get you started, data mapping for PII is pretty easy: show it a bunch of things like utility bills, show it a bunch of things like birth certificates, and it'll very quickly become very good at

detecting that data, and it'll find it all over the place, in places that you wish it wasn't. And then one more point on handling data before I close out this presentation, because I've got one minute left: handling data in general is bad. I keep coming across organisations that use Microsoft Excel for things that they shouldn't. This is a risk register in Microsoft Excel. Who here comes across people at work using Microsoft Excel for things that they shouldn't? Microsoft Excel is the second best tool for every job, right? Close. Phishing: I won't dwell on phishing. If you can't read this from the back, this is a phishing email, it's one of those 419

scams: "I'm a Nigerian prince, pay me $100 and I'll send you $10 million". But it was a physical fax, so phishing's changed. This is an unclaimed permanent life insurance policy for 10,950,000, a big number, $10 million: give us some money and we'll give you some money. It's one of those physical faxes, so phishing's changed revolutionarily. All right, and I'll close that now: phishing has changed because now it's emails, not faxes. But so what's the point of all this? Should we all just give up? No, of course not. This is supposed to be a satirical, comedic presentation to get you all a little bit fired up about some

interesting areas of cyber security, but the truth is we are making progress, and I don't just mean phishing has gone from a fax to an email. But the truth is it is a hard problem, and when we look through all of these things we're learning as an industry, we are developing as an industry. It's just sometimes things don't look like they're making progress, and sometimes things take longer than you want them to, and you will hear people saying "what's the point of that? AI will just take over", but we need to kind of, you know, stand fast and do our best here. So, final thing and then I'll shut up: I mentioned at

the beginning this idea of security theatre, and one of the things I see a lot of organisations doing is implementing controls because they've been told to implement a control or because the control is available, things like password complexity. And any time you either implement a control or you're looking through your systems and kind of auditing what you have in place, think through the process: what is the goal of this control? Have the goals been clearly communicated to the end user? And how will we test this control to ensure that it is effective? Because there's a huge amount of stuff out there, like password complexity, that doesn't do a huge amount. There are other

controls, of course. I'm not going to go into all of the technical detail of those, but banned password lists are probably better than making me use Password1 rather than password. So yeah, as you work through these, in every aspect think: what is the goal of the control, and is it actually achieving that goal? And I'll shut up. Thank you. [Music]
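The closing point about password complexity versus banned password lists, as an added example that is not from the talk or from Akimbo Core: a classic complexity rule next to a banned-list check that normalises the candidate first, which is what lets the banned list reject "Password1" while the complexity rule accepts it. The banned list, the leet-substitution table and the candidate passwords are constructed for illustration.

```python
# Added example (not from the talk): complexity rule vs. banned-password list.
# The banned list below is a constructed sample; a real deployment would load a
# large breach-derived list rather than embed a handful of words.
import re

BANNED = {"password", "letmein", "qwerty", "welcome", "summer", "companyname"}

# Common "leet" decorations people apply to a dictionary word to satisfy
# complexity rules; undone during normalisation (constructed table).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def complexity_ok(pw: str) -> bool:
    """Classic complexity rule: at least 8 chars with upper, lower and digit."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def normalise(pw: str) -> str:
    """Reduce a password to the word a human most likely started from:
    lower-case, strip leading/trailing digits and symbols, undo leet swaps."""
    base = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # drop trailing "1", "123!", "2024"
    base = re.sub(r"^[\d\W_]+", "", base)   # drop leading symbols too
    return base.translate(LEET)


def banned_ok(pw: str, banned=BANNED, min_len: int = 12) -> bool:
    """Banned-list rule: long enough and not a decorated form of a banned word."""
    return len(pw) >= min_len and normalise(pw) not in banned


def evaluate(pw: str) -> dict:
    """Compare what each control decides for one candidate password."""
    return {"complexity": complexity_ok(pw), "banned_list": banned_ok(pw)}


if __name__ == "__main__":
    # Constructed candidates: the first two satisfy complexity yet are trivially
    # guessable; the passphrase fails complexity yet passes the banned list.
    for candidate in ("Password1", "P@ssw0rd123!", "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate(candidate)}")
```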