
BSides Edmonton 2022 Cyber Security Conference

BSides Edmonton · 2022 · 9:35:01 · 23 views · Published 2022-12
Category: Community
About this talk
Organized by the (ISC)² Alberta Chapter, BSides Edmonton 2022 is an annual cyber security conference in the City of Edmonton. It is a two-day, high-calibre conference focused on all aspects of cyber security, and attendees receive 16 CPE points for attending. Security BSides is a community-driven cyber security conference run by members of the cybersecurity community. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations about the next big thing are happening. BSides events combine security expertise from a variety of platforms in search of the "next big thing" in information security. BSides is an open platform that gives security experts and industry professionals the opportunity to share ideas and insights, and to develop long-standing relationships with others in the community. It is a rare opportunity to directly connect and create trusted relationships with key members of the Edmonton community.
Transcript [en]

...other events is going to be hosted by SentinelOne. It's a Threat Ops challenge, so it's just using their tool to kind of find threats in an environment. And that is it, so I'll wrap things up and hand it back to Thomas.

You mentioned something about asking you to get a Wi-Fi password. I'm pretty sure there's lots of people here who already have the Wi-Fi password or have a means to get the Wi-Fi password, if you know what I mean. All right, so just... I don't know where he went. Where did Robert go? He was sitting right there. We're going to introduce our keynote speaker.

Robert Martin is the Chief Information Security Officer of Alberta Health Services, and as the CSO, Robert is responsible for all aspects of the information and cyber security program for AHS, the largest healthcare delivery organization in Canada. AHS provides health care to the entire province of Alberta and is fueled by over 120,000 staff, physicians and volunteers. He is the co-chair of the AHS Enterprise Risk Management Executive Committee and leads the security operations, policy, governance, compliance, architecture, awareness, service manage... is there anything you don't do? ...service management teams, with a focus on identifying and managing risk. Previously, Robert was a trusted advisor and consultant in information security and risk management for large public and private sector clients in retail, healthcare, energy and government. So with his talk entitled "Trust, Stupidity and You", please welcome to the BSides stage Robert Martin. [Applause]

I've got to figure out how to put the microphone in the thing. Okay. Good morning everyone. Thank you, Thomas. Before I get too carried away, I would just want to say that I'd really like to say thanks to Harvinder and Thomas and the entire organizing group for this. Thomas and I were talking about the wonderful tight community we have in Edmonton here, and you really see this when everybody's coming together and shaking hands and hugging each other, and I know many, many of you, and I have a very supportive crowd in the front couple rows, right? No heckling from the team. But anyway, thank you very much to the organizing committee. It's very nice to be back here. I'm wondering if I'm getting a bit too much of an echo. Is that bad or good? Okay, just tell me if it gets worse.

I think we have the hardest job in the world. I think we have, probably at this point in time, the most important job in the world, and I don't think that it just has to be the people that are doing the security operations center or the red team. If you're working on a privacy impact assessment or a threat and risk assessment, you're doing security awareness, you're doing any of those things that Thomas said that I have under my team, or some of the things that we don't have under my team, it's really important to understand how much impact we have on the world. If we don't do our job, or if we do our job poorly, there's massive impacts. And I want to relate the massive impacts, and the reason that I wanted to talk about trust, because I think trust is the most important commodity that we can deal with as security professionals. If we do things to lose trust or to erode trust, then all of the things that we've been trying to do as a society for the last 25 years to empower people to operate digitally just go away.

So like Thomas said, the themes I'm going to talk about are trust, stupidity and you, and I don't want you to form a sentence out of that. "I don't trust that you're stupid," there's nothing like that. But really what I want to do is give you some reflections on my career over the last 25 or so years and look at some of the things that I see as we've evolved from an information and cyber security perspective, and really have that focus on the trust.

So back 26 years ago, 1996, a good friend of mine who was still in engineering at the University of Alberta was in the ENG 400 class. I had graduated three years before him, and he said, you remember that class that you go to, it's everybody that's going to get out of engineering, and back in those days at least it was a bunch of old white men giving you speeches about the importance of professional accountability and trust and dealing with the public. And the dean of the school at the time, Fred Otto, stood in front of the classroom my friend was in and said, if you're working with computers, whatever working with computers means in 1996, you'll never be a professional engineer in the province of Alberta. And half the electrical engineering students stood up and walked away, and all of the computer engineering class stood up and walked away.

When my friend told me this later that evening, I was insulted. I was three years from university, I was one year from getting my professional engineering designation, and of course my stuff is important, and you know, why would he say something like that? This guy obviously doesn't understand. But when I went through the process of thinking about the difference in the opinion between somebody like Dr. Otto and what he perceived us doing with computers, there wasn't that connection there, there wasn't that impact.

Let's give a traditional engineering example. You build a bridge. Rush hour traffic, there's 50 cars on there. Let's pretend that it's two people per car, even though we know in Edmonton it's only going to be one person per car, but it's 100 people on this bridge. The bridge collapses, falls into the river, a bunch of people die. Absolutely tragic situation. There's a huge impact to the people, to the families that are impacted. The city's disrupted because there's no bridge. The city has to spend a couple hundred million dollars to build a new bridge; it's going to take many, many years. And somebody like Fred Otto would look at this and go, that is why you have engineers, because if you screw up, that's the kind of impact that you have. So park that for a second.

A couple years later there was a big push by CIPS. Some of us would remember CIPS, the Canadian Information Processing Society brand. Maybe anybody? Oh, there we go, at least two, three people know CIPS. Back up until probably 2005, CIPS was the thing when it comes to IT across Canada. There were a couple thousand members in the CIPS Edmonton chapter alone, and they did a lot of work to get an information security professional designation, where they were trying to have the same argument that the engineers or the accountants would have with regards to public impact: you make a mistake, you do something wrong from an IT perspective, and there's big consequences. A good friend of mine was leading the initiative in Alberta, and he asked me to sign up and get that designation, but I was still struggling to figure out how I was going to be a professional engineer, and I didn't want to go down the path of this other designation, because again I couldn't understand the issue of impact. Was the thing that I was doing actually going to have the same impact? So with those two as sort of background information, fast forward to 2017.

Fast forward to the Russian invasion, cyber invasion and attack on Ukraine. If you haven't read the book Sandworm by Andy Greenberg, I highly suggest that you buy that and read it. I highly suggest that you give that book to people that you're trying to communicate with about cyber security issues. If you know anybody like that, that writes for Wired or the Atlantic or whatever, they can take these complex things and put them in a context that makes it interesting and readable. So I took this book, I read it last fall, and then bought a dozen copies and gave it to executives in our firm and peers, and asked them to read this to understand the impact that happens if we don't do our job correctly.

So come full circle from 1996 to 2017, and I think it's obvious now that the things that we do have great impact on the organization, have a great impact on society. I think it's important to understand that if we don't do our jobs, or if we don't do our jobs well, we're going to get into a situation where we're going to be impacting people, potentially like the bridge example, right? Maybe the bridge doesn't collapse if we don't do our job, but maybe multiple people lose their personal information. Maybe an organization has a major breach and loss of shareholder value. I know it's not exactly cyber security, but what happened two weeks ago with Twitter and the new verified blue check mark process and Eli Lilly, right? Somebody creates an account, they're verified as Eli Lilly, they post a tweet to say that insulin is now free, and Eli Lilly's stock price tanked, right? And it's not a hard stretch from what we do from a compliance perspective, from a controls perspective, to something like that, and understanding that, you know, the mistakes that we make could have that same sort of consequence.

There's a lot of other issues, of course. Breaches are something that come to mind. A few of us were involved in a breach about nine years ago where we didn't actually know for sure if the people's information was compromised, but we took, in due caution, we alerted 11,500 people of the issue. In today's standards, 11,000 people is nothing, right? From a breach perspective, there's always in the hundreds of thousands of people that are now compromised. But I think it's really important for us to understand that 11,000 people received a letter, and 11,000 people went, what does this mean to me? Right? Even if it wasn't a mistake that we made, even if we didn't know for sure that there was that breach, we took that initiative to make sure that people understood that, and in effect, trying to do the right thing, we still caused those people grief. So what happens now if it's a hundred thousand people? What happens if it's everybody in the province of Alberta? What happens if it's like what happened in Newfoundland just over a year ago? And, well, I mean, officially we still don't know what happened with their health system in Newfoundland, but the rumored price tag for the recovery from their outage in the health system in Newfoundland is around 40 million dollars, right? So if we don't do our job correctly, not only are we potentially breaching people's health information, but we're actually causing a great deal of cost and impact to the organizations that we're working for.

So I guess the point really is, if you want to be able to communicate what you do, if you want to be able to understand the impact that you have, I think it's important for us to be able to communicate the potential impact. I'm going to get back to this in a little bit when we start talking about some of the quote-unquote stupid things that have happened over the years in my career, and I want to make sure that people understand that I'm not pointing fingers at anybody in this crowd. I'm actually pointing fingers towards me when I talk about being stupid. But in the last 25 years we've decided to move towards online services, we decided to move towards digital personas and digital activities, and the underpinning of all that is the trust that builds from security. So please don't lose sight of that. That's a little bit about trust; we're going to come back to that in a few minutes.

I want to talk about stupidity now. And there's a lot of people here from a security perspective. I would imagine that some of us are thinking that stupidity, and the first thing they think of, starts with the U: users, right? I mean, how many times have you said in your career, at least I've said in my career, that my job would be a whole lot easier if I didn't have to deal with users, right? You can say there's a bunch of problems with users. Users click the link, right? While the user, maybe there's a problem with a system or a problem with regards to a lack of knowledge, and the individual does something that we would think is stupid.

There's a great cartoon, you've probably seen it. It's the boxing ring and the microphone's hanging down from the ceiling, and in the middle of the boxing ring is the referee, and he's holding the microphone in his hand. He says, in this corner we have multi-factor authentication and encryption and firewalls and anti-malware software, and in this corner we have Dave. Our Dave. And if your name is Dave, I apologize, I'm not picking on Daves. I'm not picking on anybody, because really Dave is just the average user, right? Dave clicks on the link in his personal email and it encrypts his work computer, that then encrypts the file share and causes a bunch of grief on a system. You know, maybe Dave didn't understand what Dave was doing. Maybe Dave's just trying to get his job done and builds a server, sticks it under his desk, and doesn't understand that he needs to patch that system. Maybe Dave is responsible for some workflow and is thwarted by security or thwarted by IT and says, you know what, I'm just going to go sign up for 100 bucks a month on my credit card and buy some cloud-based service online, because I just need to get my job done. And we can shake our heads and roll our eyes and we can say, you know, how many times do we have to tell Dave that you can't just do this? You've got to not click the link, you've got to not have the server under your desk at work, you can't just go off and buy some cloud service. The problem with it is that they're just trying to do their job. Like, what's Dave's job? Maybe Dave pays vendors, cuts checks for vendors. Maybe Dave runs a dispatch team to deliver, you know, gravel to your house. Maybe Dave is in customer service. Dave is not in information and cyber security. We are. It's our job to do those things. It's his job to go do whatever it is his job is. And I think it's really important to understand that people are going to do quote-unquote stupid things, because people make mistakes, because we all make mistakes.

So I don't want to pick on users anymore. I want to talk about the things that we do that are stupid, and to the point I made earlier, I'm going to talk about some of the things from my career that make me kind of shake my head, and I want us to think about them so that we can learn from that and maybe change the way we do things going forward.

So the first thing is around the perimeter. So for those of you that have known me for a lot of years, I taught many courses, 40 courses in about a five-year period, largely focused on information and cyber security principles. There's probably a couple of my former clients in this room as well, where I had a lot of time back in the early 2000s trying to get people to understand how they could use the internet for their business. And I had this diagram, this Visio diagram, with this wonderful little brick wall in isometric form, and you know, that was the firewall, and I had a little dotted line that I would draw through the firewall, and on the left hand side of the diagram there'd be this like Ethernet network and a couple computers, and I'd write "trusted", and on the right hand side of this dotted line in the firewall there'd be a big bulbous cloud to represent the internet, and I would say "untrusted". And in 1998 when I first did a diagram like that, or even 2003 or '04 when I'm teaching those courses, I think it's okay to be talking about a trusted and untrusted network. But if you really think back on that, think of the damage that that does: thinking about the fact that we can actually build an entire network that we trust, right? That means there's no computers on your network that you don't manage, there's no computers that have been compromised on your network, there's no insiders that are doing something against you on your network. And so it's problematic to think that we actually would have ever created a trusted network. But as a consultant, as an instructor, even as a manager, I was trying to communicate a very complex and complicated topic, and I was trying to get a way for people to understand that it's important to have this firewall. But the problem is that over the years, when you sell that story, people then go, oh, Robert's here, he's going to put in a firewall to secure us. We all know, especially now, that there is no such thing as a firewall that's going to secure us. It is one of those things that we need, but it is absolutely not the only thing that we need. And I think the insidious thing here, the thing that's really been problematic over the years, is that it took a long time for people to understand that we're going to need to buy more controls. The first time I went forward and said, well, now we need to go do this, people said, well, you told me I needed a firewall, I thought that was going to be all I needed to do, right? So we dumbed down the conversation. We got it to the point where we could communicate a very complex and complicated topic into a single icon in an isometric form on a Visio diagram, and people thought that was quote-unquote all you have to do. It took a long time to get over that, and it was really not until John Kindervag from Forrester came out with the whole concept of zero trust when people now have to understand that it's not that you have a single device or single control that's going to take care of this for you. You actually have to understand that there's nothing on there that you should implicitly trust. So that's the first thing from my career that I think should cause us to reflect back on some of the decisions that we've made in the past.

The second one I want to go into is the Dave cartoon again, right? He listed all these controls, the referee did, talked about encryption and multi-factor authentication and anti-malware. He basically talked about defense in depth. And I think defense in depth is something that we should not talk about anymore. It was one of those concepts where there were some of us that were looking at every layer of the OSI protocol stack and thinking we needed a control at each one of those points. We needed to have a control at every single intersection point on our architecture diagrams. And what's the purpose of those controls? The purpose is that we need to understand how to protect things. My second day at one job, I had a physician come up to me, and he pointed his finger in my chest and said, the problem is, if you do your job, I can't do my job. And I think, maybe somewhat to my credit, I replied very quickly. I said, no, if I do my job correctly, you don't know I exist. And I think that's what we need to do. We need to not say that defense in depth is what we need to do, and not need to say here's all the controls that we need to have, I need to have an overload of controls and have a different firewall on the outside than on the inside, and a different malware on our servers than on our desktops, because that just causes burden. That just causes people to slow down their work. It just causes people to bypass us and go around. And I'm not saying that we need to get rid of controls, although that might very well be the case. I think we need to be smarter about the controls that we have. And I think defense in depth is one of those things where, 15, 20 years ago, when we were coming into this industry and trying to figure out how to communicate this, we tried to find a topic that made sense to people: well, we need to have coverage of the controls. And I think we need to be much more judicious in our control selection now, and much more focused on the actual implementation of controls that will do what we need to do.

The last example that I'll give is around a situation about the same time as the dean of engineering made that comment, and I was working for a consulting firm. We were trying to build... I was trying to b