
Good morning, everybody. Let me just say thanks very much to Warren and the BSides Belfast crew for having me here today to give your opening keynote. It is an honor to be giving a keynote, because the pressure is on you to sort of set the tone for the day, so I will apologize straight away to Warren and the rest of the crew for how it's going to end up. So, what I want to talk to you about: giving a keynote is kind of strange. When you give talks at conferences, and especially at a tech conference that's very focused like BSides, you can talk about technology or hacking or some fantastic
red teaming or whatever, as you do. But giving a keynote is kind of setting the tone for stuff. So, as you can see, I'm still very young-ish, but I have been in cyber security since cyber was a dirty word. I started my career back in the 1980s, and I've titled this Back to the Future because I want to talk about some of the stuff that we look at. When I was trying to figure out what we're going to talk about today, well, Halloween was a theme: I could just talk about scary zero days and all that sort of stuff, and I said no. Then there's Brexit; I think, you know, especially today, today was meant to be the day, but
obviously that's something I'm sure we're all sick of hearing about. And it's Cyber Security Month, so tomorrow we can all go back to not being aware of security any more. Brilliant. But there are key things. Actually, what really struck me when I started looking at this sort of stuff is: happy fiftieth birthday to the Internet. Fifty years ago, two days ago, on the 29th of October 1969, the first message was sent over the ARPANET. That's what the internet looked like 50 years ago: four points on it. This is probably a more realistic picture of what it looks like today; we're all connected in many, many different ways. With that connectivity and that dependency we now have on the
internet, there are many more risks that we have to look at. If you look at the World Economic Forum's Global Risks report, which they issue each year after their meetings in Davos in Switzerland, you will see that cyber security is number three in the top risks in terms of likelihood against the global economy. So right there, behind extreme weather events and natural disasters, cyber attacks are in the top three risks to the world economy at the moment. And the impact, on the right there: number six is cyber attacks. If a global cyber attack were to hit the world economy, the impact would be the sixth most severe that could happen to our economy. So that
kind of sends a message to us all that these computers we play around with and hack actually do play a significant role in our daily lives. How we do things is changing, from business to everything else, to communications, to warfare; it's all changing, and how we do it. We're all very aware our own economies and our democracies have been under attack through cyber security: the Cambridge Analytica scandal with regards to Facebook and how people's votes were influenced during Brexit and also during the US elections, and now with the UK elections coming up in December you can be guaranteed there's going to be more influence in there as well. So, you know, this is some serious
stuff. But when we talk about cyber attacks, and I know there's going to be lots of talks today, very interesting talks, very technical talks about very complicated attacks, if you actually look in the real world at all the different attacks that we've had, a great source to look at is the Verizon Data Breach Investigations Report. For people who are familiar with the Verizon DBIR, or those of you who aren't, I would strongly encourage you to go to Verizon's website and download their report. They take data from many different sources: from their own customers about cyber attacks they've had, but also from the likes of Europol, the FBI, the US Secret Service, the
Australian Federal Police, Symantec, McAfee, all the big security companies and CERTs around the world. They take that data, they analyze it, and they produce this report in nice, easy ways that you can digest to figure out what goes on. So you can see the majority of attacks happen from outsiders, and the majority of attacks are financially motivated, which means criminals are now getting more and more involved in cybercrime. It's no longer hackers playing around the internet taking down websites, defacing websites; we all know that, but this is evidence to show that things are changing. And if you look at all that data and you try and extrapolate that and look into the future, we go, well, what are the future
attacks going to be like, what's going to happen in the future? And I just have to say it's going to be more of the same. As I said, I started off working in IT security in the 1980s, and computer viruses were the biggest risk we had then. Computer viruses are still the biggest risk we have; they're just called ransomware now because it sounds different. It's more of the same. And if you take Europol's Internet Organised Crime Threat Assessment, again another very good report for you to download and read and see what trends are happening in cyber security, here's one of the key things: the major threats we face today, such as ransomware or
business email compromise, have been around for years. My dad is 83; he does not understand what I do. He keeps asking me, "Brian, what does your job do?" So I actually sat down, I think about a month ago, and said, look, we try to make people's computers more secure. I said people get these letters, you know, from a Nigerian prince, asking can they put twenty million dollars into your bank account and then you keep 10% and ship it on, or they send an email saying, you know, you need to pay this invoice really, really quickly, and it turns out that it's a criminal trying to fool the company into paying the
invoice. He goes, "Really?" and I said yeah. I actually thought I had him, and he goes, "When I worked in the 1970s, we got those things on the telex and the fax machines." So criminals are going to use the same techniques they have used all along, because they work; they're just going to transfer them into the cyber world. The biggest threats we face, and the biggest risk to all of our businesses, are the common, run-of-the-mill cyber security attacks. Criminals will continue refining attacks that have been known to work, and the last one there, if you can read it: the unsophisticated frauds that leverage social engineering for great monetary gain.
So criminals are not going to be using zero days, they're not going to be using the latest hacks; they're going to use email and the phone to break into a lot of companies. And if you look at the data from Verizon and the IOCTA, and even from the CERT that I run, where we get about 30,000 incidents per year, the majority of the incidents all come down to this: it's poor passwords, it's missing patches, vulnerabilities in old, outdated web platforms (ColdFusion, WordPress not being updated, etc.), out-of-date antivirus software, and lack of monitoring. The Verizon Data Breach report will say that on average most companies will not detect a breach until months after the breach has happened.
So that's like having a burglar alarm on your house that only goes off six weeks after the burglar has been in and triggered it, you know. So those are the root causes. Well, there is a very famous saying: insanity is doing the same thing over and over again and expecting different results. And we are developing new technologies; we have, you know, the Internet of Things, industrial control systems, we're all trying to bring everything online, but we're repeating the same mistakes we made over and over again, and we don't learn. This is Martin Rösler; he's a senior director of research at Trend Micro, and I remember a few years ago in
Brownsville at a conference, we were chatting away about this, and Martin said this to me, and it still holds since: we don't learn in cyber security. When a breach happens, this is the reaction most of us have: "I can't believe it, they got hacked! My God, they're so bad, their security sucks, how could they get hacked?" Now, hands up here anybody who has to patch 10,000 computers every month. Hands up here who has to patch one computer every month. Whose job is easier? Yeah. So it's all very well and good to say yes, you should be patching stuff, but when you have to patch 10,000 computers with dependencies it takes a lot of time. I'm not trying to let people off the
hook that lightly, but we do have to get away from this victim blaming. People who are hacked are victims. If I walk out of here and I get mugged out in the streets, I should not be blamed for being mugged; the criminal who mugged me should be the one who's blamed. Companies that get hacked should not be blamed for being hacked; they are victims of a crime, and the criminals who commit the crime should be. Now, yes, we can say, "Brian, you walked out in the street with your wallet hanging out of your back pocket, your iPhone in your hand, and you weren't paying any attention, no wonder you got mugged," but still, I'm a victim, and the company is a victim.
We should stop the victim blaming and get away from it, because what happens is this is how we learn in cyber security: we become too afraid. This is how we teach people to develop and make things secure: it's by books, it's by courses. You didn't learn to ride your bicycle by reading a book; you learn to ride your bicycle by falling off it and saying, "I'm not doing that silly thing again." That's how we need to learn, and we need to get those lessons back in again, because we are too dependent. Everything we rely on needs to be made more secure. This is our future; we are going to be looking at all these things, and if we keep making the same mistakes we're going to
have a very insecure future ahead. Our economy is going to be insecure, our society is going to be insecure, our democracy is going to be insecure. So we need to take responsibility and learn and improve things ourselves. So that got me thinking: well, how can we, and where can we learn from? So, interestingly enough, October. I'm so glad you guys had BSides Belfast in October, because this would have been so much harder if it wasn't. Well, in October 100 years ago KLM was founded; KLM is celebrating 100 years. So, well done KLM. That let me think about the airline industry 100 years ago. If you look at the aviation fatalities over the past 100 years, you can see in the 1920s not so
many air fatalities; do you know why? That's because there weren't so many airplanes. And there's a nice spike there in the 1940s; I don't know what happened around there to cause lots of people to die in airplanes. But on a more serious note, if you take the past 50 years from the 1970s, fatal aviation accidents per million commercial flights were six per million. That's not to say that six people per million flights died; that's the rate of fatal aviation accidents. Right down to 2017, you can see how low down there it is. Now last year, okay, it spiked again because of Boeing and the 737 MAX, but
overall it's a very downward slope. We need to get that into cyber security; we're probably up around the 1970s right now. We need to start learning and improving how we do that, because when you look at it, everything that we have is insecure. The internet was never designed to be secure. The software we have is not secure out of the box; I don't care what software it is, Windows, Macintosh, Linux, they're all insecure. The hardware we rely on is insecure; look at all the vulnerabilities that we found in Intel chips now. So you can harden your operating systems as much as you want, but the chips they rely on are just as
insecure as well. So everything in airplanes has to be specced: you can't go on to eBay and buy a jet engine for your plane and bolt it on your airplane. You have to buy from specific manufacturers to very specific criteria to allow that to be set up in your airplane. Everything has to be maintained properly as well. That's one thing that we kind of fall flat on in a lot of places in IT: we don't do good patch management or change control or looking after our systems. Airliners have to be maintained on a regular basis to exact specifications as well. And testing, testing, testing: testing your application
is not running a pen test once it's gone live, or launching a bug bounty program once it's gone live. You need to have security built in right from the very, very beginning to ensure security all along the way. That, by the way, is them giving the airplane water ingestion testing, to see how it will withstand water going into the engines, etc. It's a cool picture. But there are also international agreements: you hijack an airplane, it's an international crime, you're going to be done for it. We don't have the same level of international agreements for law enforcement or international cooperation against cybercrime. If I commit a crime here in Belfast against
a website in Russia and use that Russian website to hack a website in the US, that's three jurisdictions that have to get involved, and many of them, you know, that's going to take a long time. We need better international agreements to sort that out. We need better training: you can't just jump into an airplane and fly it. You have to go through specific training that's very strict and very rigorous, and you have to qualify at the end. And once you do qualify, you still have to follow rigorous procedures: every flight has to go through a pre-flight check, the same one all the time, to make sure it will work. We don't do that in IT. We launch
systems on the internet and we keep saying it'll work, don't worry, we'll fix that problem in the next release. Yeah, you can't fix your problem in the next release when you're thousands of feet in the air. And the passengers are taught how to survive. When doing research for this I actually discovered, when I was asking myself, if I'm flying to Germany, why do they have a life vest underneath the chair, because I'm going to crash land on the ground? And I was told life vests aren't there to save your life; actually, they're to find the bodies easier. So that's a cheerful one for you on Halloween. And we have air traffic control, because it's international
cooperation; people work together to make flights safer, etc. And then there are regular checks, regular updates, to make sure the thing works. Every time a plane lands it is checked to make sure that it's going to be safe. And then security: we make sure anything we put on it is really secure. I know we all hate these scanners, but they do serve a purpose; the amount of hijacks, etc., has fallen dramatically from the 1970s and 1980s. And then when things do go wrong, you have air accident investigators come in, and they will investigate the accident and they will publish their findings, warts and all. We
don't do that in cyber security. A company gets hacked, we don't know. The one that always strikes me, and I remember the Equifax hack, is if you read the report you will see that they said, yes, we had our vulnerability scanner scan the system, but it never detected that the patch was missing. I would love to know either (a) what that vulnerability management software was, because maybe one of my customers is using that, or (b) was it an error on behalf of somebody who was using that tool. But we don't have that data, so therefore we're not learning, therefore somebody else is going to have the same problem down the road and they're going to become a victim as
well. So we need to move away from the old way; we need to move to something new. First of all, I think we need to stop the FUD, and forever. The FUD is the fear, uncertainty and doubt. We love it; we love being the scary man in the corner, or the scary person in the corner, going, "ooh, booga-booga-booga, cyber security, if you don't patch, your systems are going to be hacked." I say to my team, every time you discover a vulnerability or a security issue with a client, ask yourself the question: so what? So they've got that on the website. So what? What does it really mean? And keep asking that
question to figure out what the impact is, because you can't go running to everybody going "the sky is falling, the sky is falling." We need to get away from it. We need politicians, I mean we need vendors, to stop putting lies on the side of buses, yeah. We need to stop focusing on the APTs and the zero days; we need to make sure that we focus on the stuff that really is going to cause somebody to get hacked. It's not an APT or a zero day; it's going to be poor passwords. So spend time on that and on multi-factor authentication instead of trying to worry about the latest zero day. But with all that said, one
thing I don't want to kill here is the passion that we all have for the jobs that we do. There's great energy in this room, and even last night, speaking to people from the tireless team, even when they're on their downtime we're all talking about cyber security and how to make it better. So we have a passion; that passion has brought you here today to give up a day of your own time or take time off work or whatever to be here. That is passion that we need, and we need to nurture it and keep it going, but we need to direct that passion much better. While the Internet is 50 years old, in cyber security we're probably still
in our late teens, and we're still that stroppy teenager, and we need to grow out of being a stroppy teenager. Because one thing we need to look at as well is: what is a cyber security professional? If I want to get a plumber, I have to get somebody who's licensed. If I want to get an electrician, I have to get somebody who's licensed. If I get my dad to wire my house, I'm breaking the law; well, at least in the Republic of Ireland I'm breaking the law. I can't sell my house if it's not certified, and to get it certified I need a qualified plumber or engineer. In IT, anybody can just go up and say, yeah, I'm a pro, I'm an
expert, you know. So we need to professionalize the industry. For those of you who don't know, this is Javvad Malik, and he has a very famous video about the CISSP and such. Now, I'm not advocating everybody join ISC2; what I'm saying, though, is we need to professionalize our industry. We need to have accountability, so that if you or me or anybody else screws up, we are held accountable, because of the amount of times we've come across shoddy work where people have gone in and sold a pen test to a customer but it's actually been a Nessus scan, or they've given advice to a customer on something and they don't
have the credentials to back it up. "Just because I'm an expert, trust me." We can't; we have to go beyond that now. And we're going to have to embrace compliance. I know we hate the words compliance and regulations and stuff, but it's happening. We already have GDPR, and that has seen significant improvements in cyber security. We've seen in BH Consulting a huge drive in people trying to improve their security, because before GDPR it was "oh yeah, we take data protection seriously, don't worry about it, we're secure." Now, with GDPR, they're going, "can you make sure we're secure, can you give us assurance that we are?" The Network and Information Security
Directive from the EU, which came into effect last year as well, focuses on critical network infrastructure, which includes banks, telcos, etc. That's improving security, and if you work in those industries you have to work against that directive as well. The EU Cybersecurity Act came into effect this summer; that is going to start improving security. You can see these regulations coming in. One of the key things, which I'm interested to see how it's going to work, is that the Cybersecurity Act has a certification scheme in it. Today, if I want to sell an IP-based CCTV camera to you, I just have to go to China and get somebody to make the device. I have to make sure the electrical components
and the physical components of that device meet certain safety standards, so that when you plug it in it doesn't blow up or go on fire. For the software put on it, though, there are no standards on that. That is changing with the Cybersecurity Act: you will have to certify software to be secure to be able to sell it. That is going to be a big game-changer in our industry, because it's going to force vendors to take responsibility for security. The third thing that's going to be a big driver is insurance. I've already seen one insurance company say we will reduce your premium if you're using any of the following products. So the insurance companies are going to be getting data; they've spent
centuries analyzing risk; they're going to bring that discipline to cyber security, and we're going to see a huge change. That's what we need, and we need to embrace that as well. And the business people are demanding better security now. Fifteen years ago, when I started BH Consulting, I was talking to IT people; now we're talking to the boards. They're the ones who bring us in; they're the ones who care about cyber security. So we still need to have that passion; we still need to fight today for a better tomorrow, because with this dependency on cyber security and this dependency on the internet, there are a lot of other people starting to get interested in this field, not just us, and they're not
geeks. These are people with political motivations, business motivations, and they have certain things they want to get done. So we don't and shouldn't stand alone. We need to work together; we need to work outside our industry and outside our community, with other industries, to fix a lot of the problems as well. We need to make sure we embrace the business side of things and talk to business to see what they need to get done. We need to ensure we continue hacking stuff to find where the weaknesses are, so we can improve the systems that we rely on. We have a very vital role in making sure the stuff a lot of people rely on, be
that autonomous cars, be that medical equipment in a hospital, be that the nuclear plant that is giving us power, that those systems are secure. We have a responsibility to make sure that keeps happening. At the same time, we need to make sure that technology is not abused, so mass surveillance: we need to keep ourselves focused on that and avoid that happening. Likewise encryption backdoors: we need to educate people why encryption backdoors don't work. We can't have this one side of the argument going "but somebody think of the children, we need to have backdoors in encryption so we can catch the bad guys," and on our side going "you can't break encryption, don't
restrict this." We need to meet in the middle, because we need to educate people on that side of why you can't backdoor encryption; that's mathematically impossible. It's like saying, well, crime happens at nighttime, so therefore let's stop the sun going down. And we need, as I said, software vendors to take greater responsibility. Many people here have an Apple Mac laptop or a Windows laptop; how many of you own the operating system on those devices? No, you don't; you are leasing, you are licensing the operating system. You don't own it, and that's a nice legal trick by the vendors to get rid of any liability they have on selling you a product: because you don't own it, they don't have to fix the
problems in it. So we need to force the vendors to take better responsibility for securing the systems and devices they sell us. These things take time; we won't be fixing these things tonight, because, well, the after-party is going to happen, or tomorrow night even. It's going to take a while, but we need to work together and we need to embrace each other and all the different backgrounds people have, so that we can make the world a better and more secure place for everybody else as well. It is our future; it is what we need, and it's what we need especially for people my age. We need to make sure that the mess we've created
on the Internet, because we didn't create a secure internet, and we didn't do too well with the climate either. So listen, guys, you know, please, we need to work together better so that we can fix everything as well. So with that, thank you very much.