
so hello everyone my name is Henrik Spiel and I would like to welcome you on behalf of the whole team to BSides Mesh 2021 uh as we are all probably aware this is our first edition of BSides Mesh and with some good probability it will also be our last one but let's see how this one is going to AG uh as most of you are also aware BSides Mesh is the joint cooperation between the team around BSides Munich obviously from Munich and the team behind Elbsides in Hamburg and we created BSides Mesh as a yeah replacement for our actually in-person on-site events that we had to cancel for 2021 and I mean unless you unless you're some
kind of historian watching watching a recording 300 years down the road to research IT security culture of the early 21st century you well you you do know the context and to save everyone some time I'm going to skip over the obligatory Zoom fatigue jokes and dropping dropping out mics and so on and so forth but while we're at this point and talking about history let's stay there for a second it's linger um both our original conferences were actually founded by people who already organized or were in the personal closer area of of people organized uh different in-person meetups like we used to do back in the days for BSides Munich this was the MC Meetup and for Elbsides this was
security. HH um and if somebody can drop the links in the Slack channel perhaps somebody will take the opportunity and join in real life when this is back actually and we we schedule new meetups um yeah both of these meetups were actually founded by security enthusiasts or security professionals too who wanted to create a space for other security professionals people who care about security people want to get into industry or just learn more about security and the widest definition of the word right so spaces to share knowledge to learn to meet people and build relationships or share your weird war stories that nobody else is listening to in your circle of friends or family and sometimes also to to find
comfort and consolation in knowing that you're not the only one who has to deal with viruses APT crews product managers or Windows XP desktops that still are in your in your office network right um yeah at this point let's move on from the past to the to the to the present and let's talk about about talk about BSides Mesh and about our participants and how grateful we are to you guys I mean our participants that's obviously you in the audience um you make it uh you actually do make it an event that's more meaningful than just sitting at home working having video conferences talking to product managers as we talked about um we also have to thank our sponsors
obviously who make these kinds of event possible um to give back a little there please feel free to to join their Slack channels on the on the BSides Mesh Slack check out their websites and there are some good offerings there that also might help you in there in your day-to-day security work I can tell you that from firsthand experience with some of the products yeah further obviously I want to like I would like to thank on behalf of the whole team the people who did the trainings and the workshops for one the audience who made those a great experience these workshops took took place yesterday and we received pretty good feedback so far uh obviously
we also have to thank the trainers who offered their time and their knowledge and and shared their insights with an audience they probably have never met before in their life so you're great thank you for that you're making this real community event and last but not least uh I would like to thank our speakers you actually do make this a conference and this is this is great to have you back in earlier this year when we when we had a CFP we received a lot of good submissions basically without exception that was valuable content and as a paper committee or committee who selected the talks on the one hand that make our life made our lives hard and
the other made it easy it made hard for us to sort out all the good talks that wouldn't be presented to the audience but on the other hand we could be pretty confident that we could put together a mix of of good talks there that are meaningful to an audience like you um one of the core topics or one of the main topics that keep reoccurring in the CFP were obviously containers orchestration and and DevOps um pretty sure this also reflects on the state of the IT industry of the security industry and basically probably all the other industries that don't know yet that they are some kind of IT industry so having that in mind we are really
grateful to to have Thomas Fricke and his talk practical DevOps and Beyond as our keynote today um Thomas is from Berlin he is a well regarded expert on topics like Kubernetes security critical infrastructure security and as I learned from his talk as you will see he's also an expert on medieval defenses and fortresses um yeah without much further ado Thomas I know that you are going to provide more information about you and your company in your talk or your companies in your talk so I leave that to you as you're obviously the expert on yourself um for everyone else after the talk there will be a Q&A session and Q&A for BSides Mesh is not live it's not
call in basically but you join our Slack channel hopefully now you can you can join uh it's called Practical DevSecOps and Beyond just as the talk and you can ask questions there I don't know if if Thomas is going to join and having having a chat there with you but afterwards we will also discuss selected questions from the talk on the stream for the audience that has not joined the Slack and that's it from my side and without further ado as I said I'll leave the stream on the stage to Thomas Fricke thank you welcome everybody to the BSides Munich and Elbsides conference my name is Thomas Fricke I'm very happy to give the keynote here and the
keynote is about Practical DevSecOps and Beyond so my approach is hopefully I succeed to introduce you into newer security concepts which are more agile than the classic model and uh I hope that you enjoy the journey uh we have have here together now on the conference my background is Kubernetes security I've founded two companies uh Endocode which turns into a cloud company uh I'm the founder of Lil which is a cloud security company and I have several pro bono memberships in organizations dealing with security and critical infrastructure
and we start with the review so in the medieval times castle building started and this is a typical blueprint for all the castle which came after the period of the Crusades and this is Belvoir Castle in Israel here you see a photo from a drone and here you see a map of the castle and it's remarkable that it has all entities we already knew uh and we we still have in our current
infrastructure and the typical design is an architecture with several walls and one moat of separations so we have here one external moat with only few few bridges uh two walls towers for intrusion detection the bridges are the only possibilities to access and this concentric design is uh the more or less a blueprint for the castle design of the for the next centuries and question is was it kind of successful or is it just yeah an interesting building no was really successful it was sieged and it has surrendered after 18 months of siege so this means for a very long period it was quite a safe place and all the promises of security have kept and uh they made it
into um yeah a very well defined surrender if you look into our current models of network security zones we find more or less the same architecture again we have an internal zone the restricted high security zone here it's violet we have a high security zone in blue we have several zones around this um the green and the light green and and red zone so the red zone is a DMZ which is the only zone which has access to the outside world so the span and the internet and this means and and if you don't write it as a layer model but as a more or less yeah um centric or core based model you have core zones and several and like
an onion like model several zones around it which protect um the inner zone more and more this is a nearly omnipresent model it's um used in Germany from the BSI so the federal um agency for security in IT infrastructure it has been described by the British Columbia network security zones and it's more or less everywhere and for us this means our security landscape looks more like this so this is a picture of the naval Battle of Lepanto not in the Middle Ages but in new times or in the modern times it is uh from 1571 so this actually means this is more looking like the security landscape we find today everything is moving you don't have a solid ground and
you don't even know in which direction um you find an enemy or a friend and this actually means we have to adapt our landscape to uh this kind of model uh for security what do we have as alternatives uh at the beginning of the century uh Ioannidis and others invented this kind of a distributed firewall example for internets mainly and this means uh you put a virtual more or less virtual firewall before every server on your internet and this actually means you don't have a well defined uh architecture anymore uh but you have a more fluid uh way of thinking security and this is exactly what we need in cloud environments the latest example of this
are the service mesh so what are service mesh service meshes are microservices protected by a sidecar which is more or less like a personal guard to every microservice and the guard only knows where the microservice is allowed to talk to and where um it can be reached from so this means we have strict control you have more or less a private guard for every site for every microservice and this means uh we have more flexible and fluid situation the price for this is that you need a central infrastructure which means you need uh a server where you define define who is trusting whom so you have this kind of level security by all the buzzwords are
here you have defense in depth you have zero trust network which means you only trust your personal guard but nobody else and of course you trust the central authority instructing your personal guards this means you have full infrastructure you talk to and um you rely on on uh this infrastructure the personal guard in Kubernetes is called a sidecar normally implemented by Envoy you have central policies and uh you have privileged containers init containers and you have um certificate authority um which obviously needs higher security level than anything else and here you can protect not only the traffic between the Envoy entities but also the traffic to the outside and from the outside world so you have full
control by your private guard which is here implemented as an Envoy
sidecar and this is exactly what a service mesh means you have zero trust to network but you trust the certificate authority you have a very central policy implemented by local guards you have more or less certificates everywhere and by the way the infrastructure is a first class attack target and um the implementation obviously is quite new so we have seen flawed implementations which is uh Istio default installation and and uh we must not use this default installation anymore and definitely we should use a CNI container network interface based version in Kubernetes which avoids the sidecar but has also implemented a more strict central policy these have all been technical topics so firewall service mesh access rules these are technical
things but there is more than a technical way of dealing with security you also need processes and in an agile environment you definitely need an agile process and an agile version of a security process which is also adapting DevOps is called a DevSecOps process let's look into this picture those you might have seen all these um yeah representations of these infinity symbol in DevOps which is more or less showing that the processes all together have a feedback loop and they are um the results of the next step is fed back into the step before what about DevOps so DevOps uh and DevSecOps are very similar DevSecOps is a process where you have
introduced security into every single step of DevOps process so this means it starts um you have everything from the coding until to the monitoring covered under a secure umbrella this means you add uh security to the coding uh you sign the code you pentest the results you digitally sign everything more or less you transfer it in a secure way uh you have audits which must be there in a special manner and you have everything together in a um yeah more secure way you can imagine there's a lot of effort I can tell you because I'm working in these kind of projects um and you have a reference design the reference design is from the
Cloud Native Computing Foundation which is yeah more or less a spring of of the Linux Foundation and uh they have written this documents together with uh the um Department of Defense so this is a standard process in military security in the US now if it comes into agile agile processes and uh if you want to have secure DevOps processes so this is what DevSecOps in my definition means and you have to be aware that this is actually something which is based in military are not big friends of the military but the process is more or less neutral and you can apply every part of the process in your secure environment without without being a
military what does it mean to implement a deployment pipeline in SE devops environments now you have uh the normal stages these are the colored ones and uh Additionally the red ones for quality and Security checks but you also have checks not only in development but also in production so after a commit you build a push staging test and in parallel you can do code quality checks security scans and report them and everything is fine you sign the images we are talking about signed Docker images or signed oci images here and push them to production in parallel in uh environments where you already have deployed something you can pentest them pentesters hate it because it's actually
security scanning but I say pentest because it's an automatic pentest and do the reports uh also to the production monitoring systems and then if something goes wrong you do an alert here and this means you have a full-fledged pipeline which actually is suited to secure environment and this means what you have done here is you have really added security in every single step this is a very simple example because obviously you can do more you can do integration tests you can um do more stages you can even do load tests in these pipelines but then you have a very complex beast and then you have uh the need because you need to automate everything to provide even
infrastructure for these kind of tests so here now we have a usable definition of DevSecOps it's a set of processes and rules and these processes and rules are implemented in a deployment pipeline agility means in an agile context every skill you need in your project must be present this also means security must be available not on a daily basis but uh if you need security advice it must be available in your process a big step forward in terms of reproducibility and security is if you can automate everything best approach we have at the moment is GitOps so before you deploy something somewhere this can be code this can be uh configuration of your application this can also be your
entire network uh configuration it must go through a Git repository must be approved in the process like um pull request or something like that in your local or in a public Git repository so you have now documented everything you have a base for everything and this means uh you can reproduce everything and even if somebody asks you what was a state last Monday evening at 8:00 you must be able to reproduce it in a way that you can say okay at this time we had this configuration and this is what our problem was at that time the CNCF uh Department of Defense template is a good base to start but uh without the military um
touch I think we can use it I don't like the military personally but effectively uh it's the best you can have at the moment it's for free and it is more or less um yeah it is quality assured by the American government sources might be a good position where you have actually a document which can help you on the journey to DevSecOps and it's the same with audits you can fully automate the audits and from on the on the left side you have developers contributing code then you have Kubernetes clusters and you have logging systems where you can which you can query and on the right side you have an auditor and with this kind of
architecture and this audit pipeline uh the developers and the Auditors are completely separated the developers only know that uh the code and the operations are audited but they don't see what the auditor wants to see on the auditor is only must only be able to query the databases uh the query or query language or elastic search and this way you get all the information or the auditor gets all the information he or she needs and this actually means the auditor can trust the environment if this is also um pushed through full gitops pipeline you know that nothing else but the code you have checked into um the git repository is run in your environment this is an example how you
can build secure and auditable environments with microservices and Kubernetes which are actually nearly fully automated and the auditor's task is only to look if he or she sees events which are not trustable and therefore you can more or less go into mode more or less replace the auditor by a permanent audit and and do an alerting on events like logins from people who should not be logged in at that time to that container in an agile DevOps environment self-provisioning of resources is part of the philosophy and therefore Kubernetes assumes that it can request storage or even network devices so this means Kubernetes wants to send through its container storage interface a request to the data center
control zone give me some storage effectively normally Kubernetes cluster don't run in the highest security zones so the data center control zone would be accessed through a cluster which is not in the highest control zone which means a violation of the standard security policies we have to deal with it and then mitigate these requests from Kubernetes to the data center control zone this means we have to check every request we have to inspect um the concrete implementation of the container storage interface until we can allow it maybe in a really high secure zone this is not even possible what then happens if uh we allow this Kubernetes requests storage and the data center control zone so the whatever
um storage provider here provision some storage in a not so secure zone and then TS through this container storage interface we can use this storage and Kubernetes is simply starting to use this storage and create persistent volumes on that this is actually one of these conflicts we have to mitigate uh which is a little bit um making security people nervous but uh by inspecting all the code in the container storage interface you can solve this conflict this is not nice it would be nicer if you had the standard procedure that the data center control zone is watching Kubernetes and looking oh it wants a new persistent volume I give it a persistent volume to so to reverse this control here this
would be more compliant with these uh classic security models we have in the data center anything else can stay the same in the clouds for the container network interface this is the case so then you can simply watch uh the Kubernetes services do you want another service exposed to the internet and if uh the um data center control zone looks into this and sees okay we want a new service then it creates a new load balancing rule and a new route or um an Ingress to this service which makes totally sense but then the control effectively is in the classic control zone and Kubernetes is just visited and observed for this kind of
events so these are the structured approaches but what happens if your environment is so big that you cannot control every interaction between virtual machines the network the storage and everything so Netflix a few years ago had the same problem and they invented the approach of the chaos engineering and here you see the friendly monkeys as the small monkeys are killing simply virtual machines the midsize monkeys are killing racks and the big Chaos Kong is even killing an entire higher data center never say chaos engineering to fex or to banks um because they hate chaos so call it resilience engineering effectively it's an um approach where you experiment in your production environment you are killing some of the entities this may be
a network R this may be a virtual machine this may be an entire region and look how your um infrastructure or your your services deal with this outages and in a good situation your customers don't even notice that you had an outage but you have to learn it so it means you are starting from small virtual machine killing to a rack killing to the bigger ones so you um grow the blast radius until you are sure that you can even handle the strangest situation and the biggest outages which are expectable for your infrastructure and your service continues even if single machines or single hardware or single software settings um are failing the application of chaos engineering to
active parts of your application is obvious so Netflix did it with virtual machines with servers with racks with entire data centers but you also can apply it to security related uh entities like policies or rules who and when uh you grant access to a certain let's say a bucket or any entity on your cluster um our environments are sometimes so big you cannot simply decide if this access is necessary or not and the good approach is to have least privileges so normally you can do a lot of things to create access to a bucket if you simply say only um the necessary um access is granted but what is necessary so effectively uh in a
complex environment you uh can also here do experiment this means you look if certain policy looks fishy and then you deny the access based on the rules of chaos engineering this means you test if your application is affected by a rule which does not seem to be necessary and if it's necessary you uh can think about it if you have to fix it or is it if it is a good idea to give this access to let's say a bucket um this is one of the things um which has turned into security chaos engineering and here's um I've linked two papers from Kennedy and Muhammad isan so these are the guys are founded a company Vil is her name and this is
actually an approach we follow to try to make chaos engineering for security accessible by everybody in the Amazon cloud I hope you enjoyed your the journey and forgive me the shameless advertising at the end if you have more questions please ask them now or if you have questions later send me an email or contact me on Twitter on LinkedIn thank you very much for your attention and I hope you enjoy this the conference hello everyone and welcome back to the Q&A part for Practical DevSecOps and Beyond uh let's start with thanking Thomas for his great keynote and all the information he provided there um in the sele we already had a few questions and
if you have more questions there's still a little bit of time left to ask them and also if we don't get to to answer the questions in this Q&A Thomas will be around I hope for some time and he can he can then provide answers in written form or provide links and let's see where it goes so one of the first questions we had was uh for for people who are around in security for a long time old school security people um a lot of the terminology on DevOps is is not necessarily familiar uh is there a way to map the new terms to to known and existing concepts is there any reference that that Thomas you can
share unfortunately we don't have a full reference so it's more or less you do everything virtual now you can create virtual networks virtual firewalls and this means you rely a lot on automated infrastructure and this means that the automated infrastructure also must be maintained and will be a first class Target for an attack and this is something we have we have to have in mind that you yeah so even if you see this concept of distributed firewall it's just the idea to to continue the the the idea of a firewall into this more fluid environments and yeah we will have to learn um to picture these new entities this new Concepts okay thank you um hope this gives the other people who
have the question also an answer uh Thomas also shared a link to the template to the this military example to the loop uh he shared the link in the in the chat so if you're interested in this check it out um another question we got was whether security activities should be divided into small activities so that they fit the agile approaches a lot of companies have adopted or does it make sense to have complete security sprints dedicated ones or um if I can add to the question does it even make sense to think in an agile way for security um actually this is a good question if you see in the agile concept this simply says every skill which is
needed in the project must be present in the project so there is no development first and then security later in the agile mindset what we've seen in reality is that the security guys uh are more or less um if they are too late in the project they are simply saying no to everything so um it's a good idea from a development perspective to have them on board very early from a project perspective they give insights you can discuss concepts with them and you learn what's missing if it is too late in the project then it might be that you have something done which violates their security concept and then it's major effort to heal it if it's there from the
very beginning you can start it agile itself uh is not a sloppy process like somebody needs or everybody everything is self-organized and just to note agile if you do it right is a very very strict process where you are self-organizing the team and this means you are creating a lot of discipline on your own so it's not something like oh we can do everything now and then we call it agile no this is a wrong understanding of agile okay thank you I hope that answers the question for a lot of people um yeah another question question we got was about automated security and compliance checks they are part of the pipelines or other automated processes and they
generate security findings um the the question is how do these what's the best way to get those fixed um creating a security dashboard and just hope for the best or automatically generate issues in the ticketing system for the for the teams that own these processes or the the offending components and do an automatic assignment declared a blocker or what would you recommend what what works from your experience yeah normally a security problem in the production system is always a blocker and should be addressed immediately so the entire team has to work in a way to remove it sometimes you cannot remove it because it's an external library then this means you have to apply mitigations on that change
the library update things test it again and this if this is much much easier if everything is automated so if you have an old library uh let's say a Tomcat 20 minor versions behind is probably a different version than you have it today and then it takes in a real project it took took six months to update from a two-year-old Tomcat to the latest version so plan this and use this pipelines from the very beginning as support for your security they are not in the way everything which is automated can be used quite fast does this new library work with my old code this is a question if you have to do it manually takes days
and weeks if you have everything automated then it's whatever how fast it compiles and tests so maybe only a few minutes but automation is a key uh factor to success in this kind of security yeah I see a lot of risk acceptance tickets popping up in this way but I mean that's the reality most people encounter in their companies right and talking about people attending this talk and then going back to their companies and having this whole Loop in mind from from end to end can you give any recommendation where to actually start where easy wins or quick wins where you can you where can you make the most impact with the reasonable amount of
efforts along with your day-to-day tasks when you're working in a security team yeah it's definitely easier to work in new projects uh where you can introduce it from the very beginning because removing legacy is always painful and um it's questionable if it really makes um sense um we see Windows 95 systems controlling traffic in all over Europe so and they they are isolated so just don't try to uh rewrite old code start with new opportunities and then do everything right in the beginning if you know that your project will have a time when it must scale then you have to automate anyway and if it does not scale you can apply smaller changes you do not need to apply
everything so for example if you run your code only in your own data center um probably you would not start resigning your code but if you have to spread your code to a thousand customers and they rely on this and it's security critical then uh signing code or signing images is definitely um something which helps you a lot in rolling out and deploying your containers thank you another question we got is about when to perform risk assessment or when to when to discuss risks is it does it make more sense to to discuss this in a during a requirements analysis phase a security requirements analysis phase non-functional requirements analysis whatever you name it or do you want to
do you prefer to do threat modeling during architecture design phase um I think if you starting in the world of containers there must be an awareness in the very very beginning because normally um what I've seen so far developers have 100 times more code on their hard disk than 10 years ago and they cannot uh get stay up to date with all the security flaws so they there must be a basic introduction the architecture must be um fixed in the very beginning but then there should be an ongoing process and at uh latest if you are going very close to live then then you should review it and ask somebody who has already done
this and uh this is something I would advise in in every project okay so another question that adds on to what was already asked I think is as a security professional no matter if I'm very old school or not how in the this light of containers orchestration Kubernetes how much of a developer or Kubernetes admin do I have to become myself how much do I need to know there yeah if if you um so Kubernetes has everything inside to create very secure applications unfortunately um it's not turned on by default if you would turn on Kubernetes security by default all the examples even the simple nginx example uh which has been taught by me and others in in classrooms
doesn't work anymore so having a secure baseline in Kubernetes I think it's a big help otherwise you have to care about every detail of Kubernetes on your own and uh what I noticed this is not something what not even um the cloud providers do really well so not even Google is providing out of the box a secure GKE cluster and they more or less uh have invented most parts of it so you should be aware that your standard default setup probably is not secure and you should spend time on understanding it and securing it it's not as hard as it sounds but it is development security and system engineering because touching this uh area means you need to
understand the Linux system a little bit a little bit better the standard uh administrator and this is uh this is the challenge and this makes some effort in uh in projects

so as the last question um do you have any resources that you can for example share sharing this slack for people to get started to read up on this

uh I have um placed my trainings notebooks on GitHub if you look um on on GitHub but I'm um so I'm it's on an open license and if you can live with it and do it on your own you can't step through it and otherwise you need to ask me and then we make a very
intense kind of workshop on that um or any other guy who or girl which is able to tell notebooks means but in the in the beginning I would not start with the naive Cloud native assumption that uh everything can secure out of the box

yeah okay so I mean if you can drop this link in the slide that will be probably amazing help for everyone and hopefully your contact details but they are also in the slides you shared there okay great that was all the questions we had and we will have a short break and then we'll be back with the next talk

thank you to the organizers and thank you for listening

yeah thank you for the
keynote was really good

thanks

yeah
okay hello everyone we're back and with our next talk it's on the topic of vulnerable as a service and it will be delivered by Dr Morton Swimmer of Trend Micro forward-looking threat research team also Morton will provide more details on himself and so that's why I'll keep myself short here thank you and enjoy the talk

good afternoon everybody I'm happy to be here at BSides MESH 21 um presenting to you on our research the research that my team did called vulnerable as a service uh and which was done by Joey Costoya Roel Reyes myself and Fyodor Yarochkin so who is this team so we are um our team my team is a member of the
FTR research team within Trend Micro research and our goal is to uh research any social issues that are changing um the landscape the threat landscape or technology issues or just general change in the uh e- crime landscape my team in particular does uh Research into uh well into how to work with data more effectively and so we're basically a little data processing slash devops team so for that reason when we saw a couple years ago that there were all these Cloud breaches that were being reported we wanted to know more about these things but just to back up a little bit here in the security community we tend to talk about the cloud as somebody
else's computer now it's really really much more than that and I hope that's become clear over the last couple of years and so we don't say just glibly oh it's somebody else's server it's really this huge selection of services that all these providers um offer to us in in in being able to piece together our applications effectively in the cloud and it seems like every day there's more and more services that we have to work with or we can work with if we so choose but from our point of view we we view um the cloud more as an iceberg we only really see the top but what we what we don't see is really what's happening
way on the bottom we don't really we kind of have a vague idea that it must be comprised of computers and networks and firewalls and ACL rules in the routers and all that sort of good stuff um but in in fact we have no control and no insight into these things a layer up from that is a layer that we do deal with on a more regular basis we don't deploy the the database server ourselves we don't deploy the um the ppcs ourselves on the operating systems but but at least we have some way of controlling these through an infrastructure as code approach what we do have a lot of control over is the top layer so the
application and the business logic and um what sort of data we we're storing so we are interested in particular um in right from the start and this leaky buckets problem and I should really caveat in saying that we started this research way back in 200 8 um and uh decided to audit a certain period of time and then evaluate the data later so within a one per one month period we looked at a lot of the data that I'll be talking about we saw a lot of reports from US military to um you know to insurances and other things uh leaking data and we were particularly intrigued by one case that we saw which uh happened at the LA
Times it was it was just an interesting case to um to look at in more detail this was from the homicide. times.com site not the main site but a little side site and what we saw um what what seemed to be happening there is that the the viewers or the readers of that page would go to the page and and their browser would start crypto mining and of course the question was well how could that possibly happen and this was by the way initially reported by uh Troy Mursch of Bad Packets um so if you look at that page you will um and and and look at the headers you'll see that the data is
being um is being served through something called something in the domain of cloudfront.net now cloudfront.net we know is an AWS CDN service so content um delivery Network and uh and that's a good indication that well first of all the application is probably hosted in Amazon but second of all it's um it might be hosted by an S3 site an S3 bucket but the question is which bucket is it it doesn't tell us anything about it um however um it turns out that programmers um like to use bucket names that are related to the domain so let's say we take example.com www.example.com there are a couple of basic permutations that are that are that we know are used and uh if we just
go through those and there's usually not that many we can ask Amazon does this bucket exist and then one will come out or usually one will come out at the end and that will be the bucket name how does that look like in practice well let's take the Elbsides um website that we run for this conference um if you look at the domain name you um you can and you check on Amazon you can see that actually exactly the same domain name is the bucket name in in AWS how do we know that we run a command line tool aws s3api and then we just get the the ACLs the bucket ACLs and um with that bucket ACL we can
see that the access was denied to it and that's kind of what we want to see but it does tell us though that that site exists that bucket actually exists it just means we can't access it which is kind of what we want to see what we don't want to see is is this when we ask for the ACLs it tells us that all Global users have full control over that bucket we do not want to see that uh but we do see that more uh more often than we really should and we we dug a little bit deeper into that what we did was we looked at various data sources that we have available to ourselves so Shodan and uh
some internal tables and data collections that that my team runs and we found about 5.6 uh references to buckets um we then uh figured out that about 4.4 were actually accessible so I don't know maybe the other ones had been briefly accessible and were no longer um 79 of those are directly readable so it's not a huge number but more than I would have hoped for now readable just means that uh you have full access to the to read anything in that bucket which may not be what you actually want um depends on whether you use that bucket for anything else any confidential information um however more alarming was that 40 of these buckets were writable at
least the ACLs told us that um what we can't do of course as Trend Micro is actually try it out you know write into that bucket that would have been not just illegal but also just ethically wrong but it turns out we didn't have to do that because threat researchers had already done this for us um a guy called um Robbie Wiggins um had already been in in that time period been looking through all of the buckets uh that he could find and would write in this pc. txt file and he wasn't the only one who was doing that so that way we know we knew that the these buckets were being written into um people could write them so that
confirmed what the ACLs told us and we found many buckets where obviously this is this had been done before so in this case that I'm going to show you um the uh both um Robbie W Wiggins file was posted in there as well as another one called Bug disclosure. txt and uh both these had like a little bit of a friendly warning I don't know whether I condone in fact I do not condone this sort of action but um but it turns out that this is done and they didn't I don't know do they get in trouble no idea so what we think went down in the LA Times was that at some point this txt file
these two txt files were dropped on um on the LA Times so either 2017 or 2018 you know uh those were the two times but this was ignored by the LA Times um operation staff um now if they had used bucket logging which you can use um they would they should have seen this but they didn't so an attacker eventually found um found that this page was open to was was writable and changed a JavaScript file to contain a Monero miner that would communicate its results to coinhive and I assume that this is not what the LA Times had wanted um to happen we were also interested in computer vulnerabilities though uh just you know I mean not just on the basis of
manipulating data but also manipulating processes um you guys all know about containers in the meantime I don't have to explain that uh containers are not the things that the ships here in Hamburg are transporting they are in fact um a combination of Linux cgroups and kernel namespaces that allow a a certain degree of process isolation um most commonly we see uh Docker containers uh sorry Docker servers as well as kubernetes servers or Mesos servers that host these containers and uh we're going to look just very briefly at Docker containers uh sorry Docker servers that we found um and in that audit period that I was talking about we saw about 4K 4,000 um uh uh
Docker servers that were exposed um at least according to Shodan and other data sources 45 of those were actually verifiably exposed so we could actually communicate with them and say hi you know are you actually a server and in many cases when they answer back they told they they gave us their process list and we and and we saw things like XMRig um so crypto miners um we also saw containers that were not named obviously but did contain the uh an actual crypto miner and what they would do is they would take a more generic image like the auntu W get image what they would do is they would install that image they would then issue a
series of commands these command or actually a command this command would would uh the initial command would load then another command which would load yet another command most of it pulling its data from Pastebin and I guess one could call this like criminal devops perhaps but it's um maybe not the most robust way of deploying your software but hey if it works for them I guess they're happy I'm not they are uh and in some cases we saw interesting messages in there saying that they're actually benign and don't don't destroys now I would a word of warning in our informed opinion these crypto miner installations are the last part of a longer compromise and so once
they've got all the data and compromise whatever they want to the maybe the the accounts that they're interested in or whatever they'll install a crypto miner so do not trust these messages you really need to go back and check your entire system and see and especially your logs and see whether any data has been lost we know that kubernetes also can host containers but Kubernetes also has its own problems um as we found um in it has a it has like two ports that the kubelets communicate with um one port the um 10250 Port we saw 1 1.800 or sorry 1800 exposed um instances of this on the on the web and in many cases if
we look into if we just add it ask it for the Pod list we can see uh evidence of crypto miners being installed there or other very dubious things and and I should always I should mention in all these cases yes it's easy to find the crypto miners it's a lot harder to find actual compromise processes which also might have been there so you know and we were not legally in the position to go and take a look at a take look inside the running code because well that again would be illegal Kubernetes also uses a um a configuration management system called etcd which is also used by other systems but Kubernetes is a big user of it and there
we we saw um 2400 exposed sites using it and what's interesting about etcd is that it contains a lot of interesting information about the running um systems including also certificates not so good so what I would like to encourage you to do as Security Experts is to try to think cloud native we have to move not I mean not just companies who are writing Cloud uh Cloud applications also us need to move from this on premise thinking in terms of you know here's a server and here's a network to how the cloud infrastructure all fits together um and and and look for um and look for the novel ways that attackers are attacking us um and I
think we have an opportunity here because uh because if in a in a more mature company you'll be using infrastructure as code which in my mind leads automatically to security by Design and yes a diagram like this can look a little bit intimidating but you can with a little bit of work go around go around and say yes we need extra security here or this is fine um and there are tools for this um there are various tools that for instance we offer but other people too to you know protect various aspects of the various running devices from lambdas to ec2 instances to whatever you you're running and we also have tools that will analyze your
infrastructure as code files and deployments um to make sure that they are in compliance or not so I don't feel that um that cloud Dev Dev secops is is living up to its potential yet there is a lot of things that could be done which are not but um I think we can I think it has enabled a proper security by Design and we should embrace that and we should leave our on-premise thinking behind us and I really do feel that this is going to be a major um change in in how we secure systems and with that oh that was very stupid of me

okay you're on okay thank you Morton for sharing these insights that was great
information there um the first question we already have is whether the slides will be available yeah and I'm sorry that um about it but I don't actually have slides for this as such you notice that this was really just a video presentation however the full paper is linked to the channel so if you go to the channel look at the top you'll see that the paper is is linked there um one of the pretty casual note you make in the talk is on on the crypto Miners and ransomware it's that you mention that people should be aware that these are not actually the beginning or the main part of an attack but they at the end of
a of a campaign and if you if you find them you probably have have more concerns than just the ransomware could you elaborate on that a little

yes I mean what what we've um what we believe that we see when we look through a lot of these uh these installations from the outside is evidence that they've already been doing some other tampering or you know credential harvesting you know especially when you see things like um especially when you see some something like you know exposed etcd services you know if you can pull that data out you're going to do all that and use that to compromise the systems in a more meaningful way and then you know if you
still haven't been caught out then you'll just you know create a c install a crypto Miner that profits you because why not you know if nobody is is off nobody's looking at that system then obviously you might as well just make money until they do finally figure out that it's been compromised and there's also been a question whether you can explain some of the details of the coin Hive exploit the the the Bitcoin Hive exploit oh the coin Hive exploit you mention on the talk I wouldn't I okay I wouldn't really call that an exploit as such but in the case of the LA Times which is I think what was being asked is um they
man manipulated that JavaScript uh and because they could write their own JavaScript into the um you know that static website um what would happen is you you'd load that site the JavaScript of course would run because it's a part of the um the installation and then the browser itself would start mining crypto then um that crypto any if any any any crypto currency that was being mined in that process would then be benefited to the attacker on coinhive they they just use coinhive itself not as an attack but just as a way of monetizing it okay we're also running pretty short of time so next thing to make us hopefully give us hopefully a positive
outlook into the future um your repl your research took place in 2018 and has the world changed since then can we hope for better place

yeah I mean we occasionally re-monitor um the stuff that we um you know that we looked at back then and yes things have gotten better I see far fewer um Kubernetes installations or etcd installations that are being exposed um they are over being attacked we're also running at the moment we're running an etcd honeypot and maybe in a couple months we'll have some results from that because I think these things are now getting attacked a lot more as well so on one hand yes fewer exposures on the other hand more
attacks

and we have one last question that I think is really interesting um and it's about you mentioning the infrastructure as code were to lead security by Design mhm and what is the best way for an existing organization to switch to to infrastructure as a service infrastructure in the cloud or infrastructure as code

um I will probably mirror what Thomas said before and you basically want to start a Scrat from scratch um because it's not just a matter of porting you know this server that used to be here and put it onto the cloud over here what you really need to do is think cloud native about it and and and think about okay how is a cloud
native installation going to work because you will not see the benefits of cloud and you will also get the security wrong if you still think of you know a server being something on premise and I can store my credentials on it because it's mine and I control it no in the cloud you have to think completely differently about credentials and uh you know and security plumbing and all that sort of thing so I unfortunately I would say you really kind of have to re-engineer the your your application sorry about that so we're ending on a sad note yes okay I think we're running out of time time here and in just a minute we will be back with the next
talk please stay with us and thank you Morton thank you questions and I'll be back tomorrow because I'm also a part of the organization team so of Interest yes that's true byebye thanks everybody okay goodbye all right so

okay hello everyone and our next talk will be demystifying the state of kubernetes cluster security the cloud native way and our speakers will will be Vasant Chinnipilli uh he's a security architect and pentester and a man of many hats in his organization and he is accompanied by Pralhad Chaskar who is a principal security consultant and they are going yeah to talk about the state of kubernetes security and a tool they developed the called Kubestriker um for this talk there will also be Q&A it's you can ask questions in the demystifying the state of kubernetes cluster security Channel and we can then discuss them after the after that with the speakers and the speakers can even
after the Q&A session that's on the stream uh get back to you share links and so on so feel free to ask questions stay for Q&A to get them answered and enjoy the talk

hello welcome fellow cyber security enthusiasts thank you for joining the session today and of course we will be talking about securing Kubernetes and specifically about the tool named Kubestriker that I have been developing over the last few months taking a look at the other talks that are going on here certainly other Security Professionals are showcasing their tools and talking about securing kubernetes or securing certain aspects of Kubernetes but what I want to talk about is really more securing a bigger picture of kubernetes
by looking look at different ways of securing numerous moving pieces inside the cluster and building a secured kubernetes ecosystem let me start by introducing myself my name is Vasant Chinnipilli like many of you I'm sure I'm a security fanatic and my experience spans across various domains of information security including cloud cloud native security architecture and penetration testing I'm also passionate about security Automation and devops I'm currently working for a fintech named mx51 where I play the role of a security architect a penetration tester a compliance specialist a DevOps practitioner and a security engineer as you can tell I wear multiple hats which certainly keeps me on my toes now let me introduce my co-presenter

hello I'm Pralhad
Chaskar I'm the principal security consultant in HPI Dubai my day-to-day job revolves around pen testing of cloud and kubernetes infrastructure today I will be demonstrating the different attacks on the kubernetes infrastructure now that the intros are done let's dive into more fascinating stuff the world of kubernetes in the age of containers kubernetes has become a popular open source platform for containerized workflows and a key building block for modern technology infrastructure getting started with kubernetes is easy it takes a matter of minutes to set up a new cluster and run applications however the real concern or challenge is what follows this the pivotal question of how to make sure your cluster is secure for any organization security should be
primary concern and not an afterthought because as we know all too well especially in the current covid environment prevention is always better than cure in fact let me tell you what exactly happens in the real world when kubernetes clusters aren't secured properly in mid 2019 second largest auto finance company in the United States was hacked and huge amounts of credit card data Social Security numbers and bank account numbers of more than 100 million customers was leaked to recall who this was it was Capital One world's famous automaker was one of the earlier victims of cryptojacking when a kubernetes cluster was compromised due to an administrative console not being password protected can you guess who this was it was Tesla there are many
other incidents like Microsoft's Kubeflow breach and Docker Hub incident last year where attackers managed to plant malicious images now let's quickly look into some scenarios why why kubernetes has become a prime target for hackers and how hackers chain different attacks on the kubernetes ecosystem in the real world this is our Target web application which has a command execution vulnerability we will be exploiting this web application try to get access to the underlying server for this we will be starting the listener on the attacker machine go back to the application enter this string which will connect to the attacker machine Let's execute as you can see we got a connect back from the web application
let's check the privilege of the user let's check are we in the containerized environment or running on a physical server this can be done by using amicontained utility from the output you can see we are running on the kubernetes infrastructure let's verify some environment variables it confirms more now let's download the kubectl binary kubectl binary can be used to run the commands against the cluster for any pod which is running in the cluster has a service account automounted in the default setup and the service account has a role attached to it let's verify which role is attached to our service account in this pod kubectl auth can-i list this command will show the
different privileges which are attached to the service account as you can see from the output like we can create list update watch delete pods also there is one more privilege called pod exec using this privilege attacker can jump from one pod to another pods there's a one more way to verify the same kubectl auth can-i create pods the answer is yes let's see can we create the secrets kubectl auth can-i create secret no so as you can see we have compromised the Pod from the vulnerable web application let's leverage this feature where the service account can create the pod in the cluster we will be creating the crypto mining pod in the cluster let's look at
the yaml of it this is the yaml for the miner pod we are pulling out the image KS minor which is a Monero pod all the coins mined using the infrastructure will be uploaded to particular website using these part credentials as you can see we have put down the limits on the memory and CPU just to remain stealthy otherwise the miner pod will consume the entire memory of the infrastructure let's copy this go to the attacker access paste as you can see miner pod is created let's verify it is running or not kubectl get po hyphen o wide yes you can see the miner pod is running on the worker
node so till now we have seen we exploited the web application and compromise underlying pod we also started the crypto mining pod in the cluster let's see can we compromise a master and worker node let's leverage the Privileges which we recently grabbed it for this we will be using yaml definition file which has a privilege pod in it let's see the contents of the yaml file as you can see the first content in this file is for starting the pod on the worker node and the second definition is starting the pod on the master node the only distribution factors between two file is the node name equal to master states that this SP should start on the
master node if you don't Define this parameter it automatically lands on the worker node here we will be using different attributes in the yaml file for example hostPath using this you can mount the file system of the base operating system in your pod and then you can browse it then we also seeing that run as a user zero which means that start this pod as a root user and this is a volume mount which you have created pre pod and the same is there in pod which will be running in the master let's copy this I also let's copy this I also have the dedicated slide discussing each attribute and the impact mapping let's go back to the attacker
console paste it as you can see the two pods are created now let's verify the placement of the privilege
pods as you can see one of the pods is created on the master and one on the worker node let's exec into the pod which is created on the master node let's see the host name we are on the master let's try to grab some of the files on the
host this is the shadow file of the host you can crack the passwords in this file and then connect to the different nodes in the cluster let's look at another interesting scenario where an attacker after getting access to the cluster targets a crown jewel the build server which has privileged access to the code base container storage repository and whole infrastructure and how they can take the attacks to a different level let us assume that the attacker has gained access to the underlying pod using a web app vulnerable he has seen before and then the attacker will quickly download the kubectl and then explore the pods that are running on the cluster then he comes across a container
which is like a Jenkins which is a build server and checks if we can access that Jenkins server and there we go we got access to the Jenkins build server and we are running inside the cluster now let's try to grab the public IP address of the machine to access the UI of the Jenkins yes we could access the Jenkins server however it is like password protected but uh being an attacker I just don't want to leave it there but try to explore more and manipulate the configuration files to bypass the security mechanisms I have made some changes to the Jenkins configuration files and then I would like to restart the Jenkins to reflect the changes or
just delete the pod so that it will bring up a new Jenkins pod right I'll go ahead and just delete the existing pod
and it should bring up a new Jenkins pod and now let's see if we can access the Jenkins console again there we go we were able to bypass uh the authentication mechanism and now let's create a new job basically to grab some secrets in the environment variables and I will just create a small build step which will run a quick bash command I have like a set of commands which I will put into like the build stage and I will save and run the build now there you go you now have access to all the environment variables the secrets and it says uh the Jenkins server is running with the root privileges the ID root and it also says like stealing
AWS credentials now you have access to the whole infrastructure AWS and if you happen to gain access to like um the SSH credentials to the GitHub at the Docker Hub you can create some malicious Docker images and you can push them to the Docker Hub using the Jenkins build server or uh you can also make uh some changes to the code base or you can just uh access the repositories inside the code base well there is another interesting way of bypassing the security controls to avoid detection after gaining access to the cluster by just creating a replica or duplicating the API server I have learned this technique from recent presentation of
Brad Geesaman a well-known security geek well after gaining access to the cluster the attacker will quickly grab the configuration file of the kube API server and now let's create a duplicate pod with the similar configuration file with some modifications or some configuration changes in favor of the attacker such as like opening insecure port or permitting Anonymous access or etcd access well now now let's uh deploy this pod we have the duplicate API server up and running and let's grab the IP address of the API server well that's the IP address of uh the duplicate API server and now let's curl to the insecure Port that we have Exposed on Port 443 and then try to
access certain resources such as like the pods and secrets on the insecure port there we go and that's why it is called a game over if you're planning on using kubernetes in production one of the key things to consider from a security perspective is the threat model the application of the attack methodology on kubernetes is something that everyone who uses kubernetes need to understand while kubernetes has many advantages it also brings new security challenges and risks and has threats in various forms such as external and internal attackers and vulnerable container runtime as seen now and in addition to that it has become a prime target for hackers because of the numerous moving pieces that needs to be secured inside the
cluster now that we have understood the dangers facing our industry and given the knowledge Gap among teams and a lack of solid security measures to protect kubernetes you might be wondering how in the world are we going to secure these many moving pieces and stop all these attacks I had the same exact thought and that's what led me to build Kubestriker in simple terms the objective of Kubestriker is to secure the cloud native in the most efficient and user friendly way the Cornerstone of security is visibility you can't secure what you can't see therefore Kubestriker adopts this philosophy and aims to enhance the visibility by acting as a security auditing tool for kubernetes it is
platform agnostic tool and compatible with various platforms such as self-hosted Kubernetes Amazon EKS Azure AKS and Google GKE it is specially designed to tackle Kubernetes cluster security issues due to misconfigurations and will help strengthen the overall IT infrastructure of your organization now let me show you exactly how the magic happens let's look at different scenarios and how Kubestriker can help you in the first scenario let's scan a cluster hosted in the Google Cloud you can install Kubestriker using Python or pip in just a matter of seconds in addition to that you can spin up the Kubestriker with just one command and it can run anywhere regardless of the operating system as long as you have a
container runtime installed there you go and Kubestriker accepts three forms of input you can either pass a URL or an IP address of the remote target or you can choose the remote target if you have it configured in your local kubeconfig file or you can provide a range of IP addresses which could be like a combination of your master node and the worker nodes in this scenario let's choose URL or IP and pass the IP address of the Google Cloud endpoint Kubestriker starts with a reconnaissance phase scan where it checks for a host of ports and various services such as like secure service insecure service read-write read-only ports and a host of
ports and once the services are identified it lists all the different services that are identified during the reconnaissance phase for example in this scenario it says it has identified server secure endpoint identified and Kubestriker can perform both authenticated and unauthenticated scans of self-managed and cloud provider managed Kubernetes infrastructure we may relate them to a black box and a white box testing let's perform an authenticated scan in order to pass the token we can grab the token using the following commands for different cloud providers this scenario let's grab a token for the Google Cloud cluster now I have the token and I'm punching
it there you go it says authentication success and now we can perform all checks for the first scenario and it will gear up by scanning for a wide range of IAM misconfiguration in the cluster such as like read-only roles admin roles secrets roles privileged roles and once they are identified it will move on to detecting a variety of misconfigured containers and then initiate scans on misconfigured pod security policies and network policies not only that it can assess the excessive privileges of the subjects in the cluster but can also run commands on the containers and streams back the output the second scenario let's scan a cluster hosted on Amazon Web Services EKS let me spin up my Kubestriker
container it's up and running and for this scenario let me choose the second option kubeconfig file and this is the cluster that I'm going to scan and this is a cluster that is available on EKS once I choose the cluster it will initiate its enumeration or reconnaissance phase and it will check for various or range of host or services that are open on this cluster and once the enumeration stage is completed it will provide me the version of the Kubernetes that is running on this cluster and also the services that are identified on this cluster and let me again perform authenticated scan and because this is an EKS cluster let me use this command and
grab the token from the remote host well now that I have the token let me copy this token and punch it in my Kubestriker there you go it says authentication successful and once we start performing all checks it will gear up for scanning wide range of IAM misconfigurations and once the IAM configurations is done it will move on to scanning for various misconfigured containers and then on to like scanning for misconfigured pod security policies and finally scanning for uh network policies after that you can simply click on exit and it will generate a report and we'll be looking at the report in the next few minutes what we have showed you so far are the capabilities of its first
version which was released just a few months ago since its launch it has received a great response and it has been viewed and used more than 10,000 occasions people have actually started using it to scan their infrastructures and I have been asked to develop with more features this gave me the guidance and the encouragement that I needed to build the next version with more advanced capabilities and an easy-to-use interface you are about to receive an exclusive pre-release screening of the latest version of Kubestriker can I have a drum roll please release here is the new and the very improved version of Kubestriker the new release has a front end and now provides security for containers
running inside the cluster by continuously discovering tracking scanning and reporting them using an open-source scanner it also incorporates the ability to see some critical resources in Kubernetes infrastructure and the ways in which it could be compromised you can also see visualized attack paths of how hackers can advance their attacks by chaining different misconfigured components in the Kubernetes cluster this feature is currently in the beta version and will be further improved as a threat analysis and visualization tool the new version of Kubestriker can be installed anywhere such as your workstation or an Amazon EC2 instance or Azure virtual machine or indeed any machine which can access the target Kubernetes clusters that you want to scan and secure the new web app
environment can be installed using either Kubernetes manifestation files or Helm charts or even using Docker Compose now let's uh launch this Kubernetes manifestation files using this one single
command there you go it created like the frontend service backend service database service and also all the deployments like frontend backend and DB now in order to access the UI you need to fetch the load balancer or the external IP of the frontend service this is the external IP as shown on the screen and let's try to access this URL using the browser for the very first time it may take a few minutes approximately like 1 to two minutes for the load balancer to be effective because it takes some time to register with the underlying instances and to become healthy now looks like it has uh started loading and there you go this is like
the new and the improved version of the Kubestriker with a decent UI we'll give you all the information about the total number of clusters or the containers that are running inside uh all your clusters it will show us information about the roles misconfigured containers etc now let's look at a scenario by adding a cluster and it accepts Amazon Azure AKS Google Cloud cluster and also you can add generic clusters such as like OpenShift or IBM or even like an on-prem one so you can add a cluster by giving like the cluster name that needs to be scanned and you need to provide an IAM role which will have the privileges to reach
out and scan your target cluster and the region where your cluster is located in case if it is an Amazon click on create and usually the scan takes anywhere close to 9 to 10 seconds at this stage and once the scan is ready towards the right side of your screen the total number will increase to one and within the next 1 to two seconds it will come up with all the relevant information of the scan there you go it says like it has scanned total 149 roles out of which 113 are misconfigured like total 10 containers have been scanned out of which seven are misconfigured pretty much like pod security policies and the network
policies and the nodes where the cluster is running and let's click on this cluster and let's deep dive into the demo of the reporting part well it gives you like the version of the Kubernetes that is running inside the cluster and the version of Docker that is running on the worker nodes and also like the same information like misconfigured roles containers pod security policies uh nodes and scans etc now all the information whatever we have seen using the CLI it's displayed in a very appropriate way using like GUI under the misconfigured roles it says like admin roles read admin roles destructive roles secret roles and all kinds of privileged roles and it also clearly says this user web app in the
namespace default has verbs star which means actions and all resources star which means this particular user can access all the resources across the cluster this is the reason why this is considered as admin role and pretty much like a read admin role the destructive role where the users have got delete privileges on the resources this one says delete on secrets and this has like delete on the secrets pretty much and the secrets role conveys that a particular user can get list and watch the secrets in different namespaces and the PSP roles and the privileged roles now if you look at the misconfigured containers it says the containers which are like actually privileged containers
and the containers where certain critical parameters are missing and it would also tell you the reason why a container is called as a privileged container if you click on one of the containers it will tell you the reason why it is called as a privileged container it will show you the flags for this one it says like the host network is set as true and here it says like host PID has been set as true and these are the this is the reason why it has been flagged as the privilege role then it will list all the containers where the liveness probe is missing readiness probe is missing memory limits and CPU limits are missing the priority
class name has not been set and where the secrets and the service accounts have been mounted and then the misconfigured policies it will tell you why a particular pod security policy is called as uh misconfigured because if you look at this one it has like all the flags just privileged as true and is running as any user and allow privilege escalation is set to true and it is letting to run or to deploy anything with all the capabilities are like few other examples if you look at uh other pod security policies and then the misconfigured network policies and then it will list the nodes that you have running inside the cluster it will give you like the
operating system architecture and then now let's create another couple of clusters pretty quickly I have like two more test clusters which are running in Amazon EKS let me quickly add those two clusters here the name of the cluster is vant Dev cluster and I will provide the IAM role and also the region where the cluster is up and running it's created and in the next 8 to 10 seconds you should have the reports let me add one more
cluster now we have like three clusters added into the UI and once in the next 4 to 5 seconds it should have all the updated results once we click on the dashboard now it will show us the complete total aggregated results like total 443 roles scanned versus the number of misconfigured resources identified and also on the screen you can see like three different clusters like black hat Isa demo and buson sandbox cluster and Buon demo cluster etc it's pretty easy and very straightforward to use and it would take just a couple of minutes or even less than couple of minutes for you to have the latest Kubestriker up and running the journey of Kubestriker has just
begun I hope to develop the tool further by extending its scanning capabilities to include scanning of container registries for vulnerabilities in images stored on various registries as well as scanning of container images as a part of the CI/CD pipelines I also plan to incorporate ready to use integration with notification channels and ticketing tools and include a functionality for continuous scanning monitoring and alerting of any security anomalies that occur inside the Kubernetes cluster it's a kind of like runtime protection so watch this space and be sure to regularly check out the GitHub page for latest updates we also have a website which provides you a road map and narrates the journey of Kubestriker to date it also
gives you a detailed explanation of its capabilities procedures guidelines and some handy how-to videos to make your life easier please check out the website as well and share your feedback the first version of Kubestriker is available on GitHub and the second improved version of Kubestriker will be available on GitHub later today the link is shown on the slides please give it a test drive yourself and share your thoughts any feedback or suggestions for improvements are always welcome needless to say innovation needs collaboration while the Kubestriker community of adopters and contributors is steadily growing I hope to continue the expansion of its use by collaborating with more users and get more contributors on board if you are
Keen to get to know more about the project or if you're interested to get involved in contributing to this open source please get in touch with me through any of these channels to sum up I want to leave you all with this if you patch 99 vulnerabilities out of 100 you're not called 99% secured but you're still 100% vulnerable because an attacker needs only one weak link to bring the whole system down well that concludes my presentation I'm happy to take any questions if you
have thank you very much for your talk and the insights you shared thank you for providing the tool uh one of the first questions where do I find the tool and can you share the link in the Slack channel sure the tool um has been hosted on GitHub and the links will be shared in the Slack channel and also there is like an exclusive documentation for the tool uh if you could browse to the website kubestriker.com which includes like installation and different use cases of the tool and how to set up both the command line interface and also the web application version okay cool thank you uh one question we also have is whether
Kubestriker operates on the deployed software or does it operate on the infrastructure as code part at this stage uh it will purely scan the running cluster any cluster that is deployed will be scanned by Kubestriker but going forward we have the plans of scanning the Kubernetes YAML manifestation files and also the Helm charts that is on the road map okay cool uh talking about the road map um you said that you ask for contributors can you can you share what you're actually looking for what what skills do you require for example what languages should should someone who wants to provide uh code or share code contribute code what should they know what should they be aware of
well uh needless to say like innovation uh needs collaboration so that's one of the prime reason why I am looking for different contributors and the tool has been built using Python for the backend and the Angular as a front end so I'm looking people like with more ideas or different use cases that they are expecting out of the tools so that I can keep adding different uh more modules to the tools in the next coming months and anyone like who is keen to develop new features they can just simply create a request test it in their local machine if everything works well they can merge it with the master branch they also look for people who contribute documentation
and or examples or are you good on that yeah absolutely yes yeah okay so don't you don't have to be a coder to to contribute there right no no that's absolutely fine yeah that's right okay also regarding the content that Kubestriker implements um do you take into account the CIS Kubernetes benchmarks or did you come up with your let's say own custom custom benchmarks uh these are like my own custom benchmarks based on like different assessments that I have performed for different clients we keep testing like numerous clients every week or every month there are like different scenarios we came up for EKS or on-prem Kubernetes clusters or it could be like uh Kubernetes hosted on AKS these are like
purely based on like the real-time experience okay so there's an opportunity for people who want to contribute right yeah that's right yeah okay um okay uh you also during your talk talked about security by design and you briefly mentioned threat modeling this goes to a very different direction right um when you when you have this quite large Kubernetes deployments with very dynamic microservice landscapes do you feel that the current threat modeling approaches do fit these new infrastructure models do you do you think you can get generate value there or do we need something else well uh needless to say like Kubernetes is like one of the booming technologies in the current world and it is like very hot in the DevOps space at
the same time it will bring like so many risks to the organizations uh like when it comes to like threat modeling like pretty much the existing or traditional techniques may not apply for Kubernetes because Kubernetes being a relatively new technology and there are like numerous moving pieces that needs to be secured inside the cluster however there are like three or some few general areas that the administrators need to secure their clusters it could be like securing from external attacks uh such as like attacks coming from the outside the organization where they need to secure like host of ports like API secure and insecure ports kubelet ports or uh having appropriate authentication and authorization and at the same time
they should be looking at misconfiguration issues like I said issues arising from unsecured configuration of the numerous moving pieces it could be like the pod security policies or the network policies or the limit ranges or the access control mechanisms and the admission controller and finally they should be looking into like securing the vulnerable applications as well like issues arising from vulnerabilities in softwares or applications such as like vulnerable libraries or vulnerable Docker container images or it could be vulnerable host or it could be like vulnerable applications on the court these are like the most important pillars that one should look after when it comes to securing the clusters do you have any references on
this that you can share a link to for example yeah absolutely I can post them in the Slack channel yeah that was amazing would be amazing um waiting for other questions but I have some so I always like to like to ask speakers what is there as key takeaway or or as an easy takeaway for people who now do attend the conference like what questions should I as a security person in my company go and ask my my dev teams when they build applications for for Kubernetes when I want to figure out if they're doing doing the right thing on what questions would I ask our admins who who own the Kubernetes cluster what
what would I want to look out for right so here let us segregate the duties between two teams one could be like the devs who actually build the applications and the DevOps who actually build the infrastructure when it comes to the devs we should be looking after or we should be asking them whether they are writing like the secure code or using like the secure libraries or are there any vulnerabilities in the libraries that they are using they should be scanning for that stuff and when it comes to like the DevOps who actually manage the infrastructure they should be looking after right from building the Docker container images ensuring like they are using like secured Docker images and
like we discussed before they need to make sure they are securing like the host of ports that are exposed on the Kubernetes cluster and looking after the Kubernetes um role-based access controls and they need to secure like the etcd with the TLS firewall and the encryption and they should be like segregating the network between the master and the worker nodes and most importantly they need to turn on the Kubernetes audit logging which is not enabled by default it would be like the EKS or AKS or GKE it is not enabled by default they need to make sure they are like turning on the Kubernetes audit logging and they need to constantly monitor the traffic to limit
any communications I have the feeling that could be a talk in itself or for a day Kubernetes auditing and logging is all together a different animal yeah okay um with Kubestriker do you have any real-world success story that you can share did you use it in production somewhere I mean it already looks very polished so I assume um is there any story you can share where it helped you yeah absolutely like I said uh every time we go to or we perform new different assessments on new clients this is the first thing that I always do I can run the Kubestriker into two various formats as an unauthenticated scan which is like performing a black box scan
as an attacker and really helps me to identify any unsecured ports or any open ports to the world and the different stages like performing an authenticated scan as like a white box testing and definitely help me in many scenarios to identify different types of loopholes and different misconfigurations of the various numerous moving pieces okay that's cool and the Kubestriker can be integrated with the CI/CD uh the CD pipelines as well it can flow very freely with any of the CI/CD tools so you can identify the bugs even before they become bugs in the production environment that's amazing I assume you have documentation on this or examples can also put into the chat yeah yeah okay we have one last
question and uh this oh that's why we're wide ranging um what are the most common security issues that you usually find in clusters uh to begin with again the same stuff like looking after uh various secured ports and most importantly like the secure the Kubernetes API server is left exposed to the public as a part of the deployments because it is required but hackers are always like in constant search for this Kubernetes API secure server if there is no proper authentication or engineers probably like me they might enable some anonymous access or leave like um insecure port uh just for testing and then they forget to again secure those stuff so these are things which we usually find out when it
comes to assessments okay you're running out of time so thank you very much for Kubestriker for the talk and the examples you provided uh that was amazing that was very good content thank you and to everyone else listening uh you're welcome um to everyone else listening two guys will be still around in the chat so if you have any further questions or comments um you can still ask them and for everyone else uh we will have a short break until 3 o'clock and we will continue with the next talk thank you and get something cold to drink it's probably hot outside
hi everyone I hope you're enjoying the conference so far uh we continue with our program and our next speaker is radam who's part of Cisco security research and is joining us from India welcome Trinity thank you yeah we're glad to have you here um is talk will be around obfuscation techniques in uh document based malware and uh we see some uh some of the common techniques uh recent examples and uh maybe also learn strategies on how to uh analyze and and crack those techniques um before we get started uh there will be a Q&A session right after the talk um so anyone feel free to ask question in the dedicated Channel and uh yeah with
that being said uh let's just jump in good morning everyone thank you for joining my talk I'm Shi radam security researcher at Cisco apart from work I conduct workshops on malware analysis at universities and colleges across India I'm G certified malware analyst I watch a lot of animes and I'm a huge fan of One Piece anime this is my Twitter handle we can get connected there in this talk I'll be speaking about some of the obfuscation techniques used by an attacker in document emails are one of the most popular ways for any malware to enter into one's systems usually a user gets an email with an attached document the user then downloads this attachment when the
document is open the user gets infected now how does this document infects this happens using macros a macro is a piece of code used to automate a task every document malware has these macros embedded inside them now how do these macros run automatically this happens using some inbuilt functions these functions will get triggered whenever a document is opened or closed attacker abuses these functions by placing some malicious code inside them for example attacker uses any one of the open functions here and when the document is open it gets triggered and the macros will run automatically sometimes attacker might use AutoClose function an interesting aspect to these close functions is that they might go
undetected sometimes because some automated sandboxes may not close the documents and these functions will not get triggered in the first place and hence the samples may not be marked as malicious most of the documents that are coming via email attachments are downloaders now we call these documents downloaders because they download additional piece of malware into victim system when you look at the high level every downloader has one or more URLs embedded inside them from where they download the malicious executable file macros are used to carry out this job almost all the malware nowadays comes with one or more obfuscation techniques broadly we will see the obfuscations at two levels one is at the macro and the
other one is at the script that is obtained by the macro this is usually a PowerShell script or JavaScript point to be noted that the second layer script may or may not be present this totally depends upon the malware author using oletools we can extract the macro code from the documents since the macros that we get is mostly VBScript we can run them in the Windows that is outside the document environment without opening the document but sometimes there are some dependencies in the code where the macro uses metadata or the properties or attributes of the document to form a PowerShell script that is the second layer script unless we get these dependencies running the macro code
outside the document will be meaningless we'll see some of the examples now this is a sample of a macro code without any obfuscation this was the case way back in 2012 or 13 everything is straightforward here AutoOpen function triggers when the document is open a URL is embedded in the plain sight the request is being sent to the URL to download the executable file the downloaded file is being executed using the object of a WScript.Shell one thing to be noted here is that there is no PowerShell script present here let us see some of the generic techniques that are being used by the attackers to obfuscate the content in this case the final PowerShell
script is being created using arrays the various components of the code are stored in different array indices in the end the required array indices are called and the script is formed on the fly this is executed using the Shell command at the end similar to the previous case instead of an array attacker uses ASCII value to create a script for instance car of AP gives us the letter V car of1 gives us o and so on after concatenation of all these characters a script is formed this is another technique where the content is already encoded using an XOR function with a key the attacker uses XOR decoder for decryption this method is used in exor
transom to drop an executable file here instead of an XOR function attacker might use different encoding functions the examples we have seen till now have uh used some generic techniques these do not have any uh dependencies on the document objects when there is a dependency the macro code cannot be run outside the document environment let us see some of the examples of these kind of samples this is how majority of the doc malwares looks like when they open to see the macros we can go to the VB debugger in the application generally we see some Word objects forms modules and references in the project section in this case the document open is present while it is
calling another function which is present in the form section here form sections also has some macros embedded inside them let's see those macros now the macros here are slightly obfuscated going through each line does not make sense here every variable is randomly named and most of the variables are not even used anywhere in the code after breaking my head for few hours this is what I got most of the macro code is unnecessary the attacker has embedded 18 lines of unnecessary code in between the actual code we could have seen uh you would have seen similar type of techniques many times where attacker keeps huge commented content in between the lines of code so that the actual script is not
visible to the researcher while analyzing it there is a lot of obfuscated content present even after cleaning the I have picked some of the interesting techniques that many malware uses these days here in the first line the show window is set to zero this makes the window hidden you will not see any window pop up on the screen because of this before looking into the other lines of code here let us see some of the user forms present in the document here this is the user form and they have some objects present inside the user form the caption of this object is page one and S when the first object is dragged aside there is another object present
beneath like this eight other objects are present now look at the code the code grabs the objects caption present the form that is first one uh we take the caption here it might be page one or t the second line here goes to this another object and grabs the content present inside the object in this case it will be p with the letter P we can form a word called process or PowerShell etc using these techniques a script may be formed at the end let's look at the another technique in the same sample well the document is open we did not see anything suspicious here the attacker is hiding some content in the plain sight
this is not visible to us because the color of the text is white when the font was changed to red some text was visible the font size was very small in order to make it more difficult to read the obfuscated content present in the page can be easily decoded this can be decoded using a simple find and replace function a string is present in between every character of a PowerShell script in this case equal to Y3 n o s is a string that is used as a separator when this was done a PowerShell script was obtained however the obfuscation did not end there there is a base64 encoded content present in
the after decoding the base64 content we'll get a PowerShell script here even this script has multiple obfuscation techniques one such obfuscation technique in the PowerShell script is uh the actual string is here the actual string is System.IO.Directory this is split into multiple substrings and is placed in the different order this is the different order like they have placed in different order here the correct order is called and the actual string is generated on fly so here when you see 5 2 0 3 these are the correct order of the substrings that are being called and the final string that is obtained is System.IO.Directory there is similar technique from
the another sample user form did not have any text on it but the user form has some macro code embedded inside it we can see the code by double clicking on the user form here uh in one of the obfuscation technique the attacker has placed a path that he's going to use uh in the title of the document the path is being grabbed by the inil function here in the macro so like this the attacker might choose to place some encoded content in the document properties so here author title subject these are all the document properties attacker might keep some encoded content inside that this is the dependency in the macro that I was talking
about by looking at the extension we can deduce that it is an HTA file now the attacker has attacker places some content inside this HTA the content that is being placed inside the HTA is divided into some four functions in the end all the functions are called and the returned values are concatenated now observe the content here carefully it is uh it is HTML HTML content and the JavaScript content now this is formed as a file and placed in the path that we have seen before and the HTA file can will be run in the victim system by using w shell what we have seen till now is that the malicious document creates an HTA file
in victim system and runs it by creating an HTA file we have seen some obfuscation techniques a variation of the sample where the path is present in the user forms but not in the title this is the button object present in the user form the caption of the button button object is called is called in the macro code till now we have seen only PowerShell scripts that are created from the macros these days many malware are coming with macros that are creating a JavaScript file or an HTA file which contains the JavaScript in the HTA file the HTML body contains two Base64 encoded content separated by a separator an interesting JavaScript function is present in the HTA it is
difficult to say what this function does if one does not know how the Base64 encoding is done till now we have seen an inbuilt function to decode Base64 encoded content the attacker has placed a Base64 decoder code inside the document malware a variant of this code is present in one of the question and answer forums my guess is that the attacker has copied the function and made some changes to it the content that is obtained from the Base64 decoder function is in the reverse order when this is reversed a JS code JavaScript code is obtained this is a generic JavaScript code where the URL is present and the malicious executable file gets
downloaded using that URL and it will be executed in the victim system sometimes instead of placing a URL to uh download a file attacker might embed an executable file itself in the document whatever we have seen till now can be decoded using a debugger whatever the obfuscation technique it might be in the end the code has to deobfuscate itself at certain point debug debugger comes in handy to mark that point observe what is going on in the macro this brings us to the last technique today obfuscation Excel files all the methods we have seen till now can also be used in Excel on Excel documents however in this particular example attacker did not attacker used
XLM macros or we can call it as Excel 4.0 this is a 30-year-old feature that is being abused as we can see here there are no macros present in the macro section so where is the malicious script present in this case to find that out we have to look into the Excel sheets present in the document document may contain one or more sheets and sometimes these sheets will be password protected due to this we cannot modify the contents of of the sheet in order to remove the protection I have unzipped the file uh went to the macro sheets folder after opening one of the sheets in the notepad we can find the sheet protect protection tag uh with
a password here we can see that password is e removing the protection tag sheet protection tag from the file will remove the protection on the sheet after removing the tag we can zip it back to an Excel file now let us go back to the unprotected sheet and see what is present there different obfuscation techniques might also be used here but the common ones are turning the color color of the text to white so that we cannot see what is there in it and the content will be scattered in different cells as you can see here only one content is present here and the other contents are there in different cells at different places after cleaning up these are the
cells that contain the formulas and some content these formulas will run in a particular order and download the malicious file here as we can see we have URLDownloadToFileA this will download an executable file and A1 here will represents this URL and A3 here will represents this path in this path the executable uh file will be downloaded and the downloaded executable file will be can be run using this vxc this is an example of macro 4.0 whatever obfuscation techniques we have seen till now can also be applied to XLM macros to make it more harder to detect just to sum up in this session today we have explored various obfuscation techniques in uh document malware this is
not a comprehensive list and there will there will definitely be more techniques to come up but identifying the existing ones helps us be better prepared for what is to come thank you for watching my talk I hope this is helpful hey we are back with SC for some Q&A uh thanks again for the for the talk um someone in Slack asked uh what is the difference between a downloader and a dropper um downloader actually requires a network access uh it will download um a malicious executable file from the command and control server or any other malicious website but uh dropper has that embedded uh it has uh executable file embedded inside it so it doesn't it
does not require any network access to download a file it already has an exe file or a dll or any executable file in it so whenever a document opens uh that uh executable file will run inside the system so downloader should uh download the that exe file or executable file from the internet got um can you maybe recommend any tools uh so you showed uh multiple obfuscation techniques um any tools that you use on a daily basis that assist you in the the deobfuscation um process like either statically or or dynamically and maybe also in the obfuscation process if you want to test uh detections I think you showed CyberChef as as one example and I saw
there was also a fan in the Slack channel but maybe have some additional recommendations um CyberChef has like a lot of tools in it uh I only showed uh while decoding a Base64 I assume but it has like uh lot of built-in tools I like I use this CyberChef and other than that uh not for deobfuscation but uh when you're analyzing and document malware we can use oletools to decode the malware so to see what is the macros inside it and after that uh we have to see what are the evasion step present and based on that we have to change a little bit okay maybe you can also share that a
link to that tool in the the Slack channel later then we can can check it out uh there was another question what is the best tool to analyze macro 4.0 XA um as I told you like uh oletools has a plugin so you can use that plugin uh to see if it has a bound sheet in it I did not discuss about the bound sheet and all in the talk but uh it has a plugin to see if it is a macro 4.0 or not so basically I did not use any of the tools in my talk so uh I like to see what is what is the exact obfuscation present inside it so in order to do that
tools doesn't help for that so I have to use the debugger here so to see what is the exact obfuscation present inside it but to answer the question oletools might help all right thank you uh from your experience um how how long does it generally take for an obfuscation technique to to become so known or widely spread that attackers need to come up with um new ways um or maybe in other words like how often do you see novel techniques versus like slight iterations maybe of of existing techniques um I'm not sure exactly about the time how long it does take but so when you see uh a malware called Emotet it's not there now it has been taken down but
uh uh like it has followed a particular pattern so whenever you see uh the when you decode Emotet uh it has a particular pattern and it has a particular uh pattern in the obfuscation in the PowerShell so I'm not sure about the time but maybe uh if it become too popular maybe uh then uh the attacker will uh go ahead and change the what the obfuscation present inside it okay we lost your audio for for a moment um sorry yeah okay no now it's back okay fine um so another question came in um some VBA macro docs are encrypted how do you uh bypass that um I guess how how do you get the key or how do you bypass the
obfuscation uh uh here the thing is we did not bypass the obfuscation we saw what is the uh so what I showed you was like what are the obfuscations that are present inside the document and how to decode them we are not bypassing it so uh we are seeing what is the obfuscation technique and what can we do uh like to in order to decode that malware so somebody has mentioned a tool here uh I did not use it but I like to uh decode it manually so I use sa to decode it or command line tools like that yeah okay and then maybe maybe the last question um given the improvements in obfuscations that you that you see
like what's you your view on the improvements on the defense side like uh detecting um and defending against uh document based malware maybe beyond like traditional signature based approaches um yeah um so one thing is like uh so if we put this document in an uh sandbox uh uh automated sandbox so we can see all the IOCs present inside it but uh we have to write the signatures for these obfuscation techniques too right so uh like day by day like every day we see new obfuscation techniques so we have to write those different uh signatures for those obfuscations so that we can detect it um I can share uh uh like I recently came across an article
uh few days back so there was an um malware which was delivered using a PPT so it wasn't Word document it wasn't an Excel document it was a PPT so that PPT so when you hold the mouse over the PPT your macros will execute behind the scenes so it does not have um auto functions or that so when you hold the um the cursor on the PPT so your macro functions will uh run so this way we have to write these signatures what are the techniques that they are using and based on that we have to write the signatures here and are there any behavior based um uh detections like that you uh basically not look for a specific signature but
more like the behavior of uh sure like starting a shell or downloading something yeah um like uh we can see if it is a downloader uh it will be downloading an exe file right so uh that is a behavior signature and some some droppers might have an embedded file inside it so whenever it pches that uh um uh embedded file and uh it it has to execute that embedded file right so executing that embedded file is also so if you see that we can uh mark it as malicious and yeah like that there are many behavior techniques but these are like one or two that I mention okay uh thank you very much um I
think that's all the questions we have for now um so uh we'll be back with our next speaker in a few moments um and stay tuned until then sure thank you we are back with uh our next presenter uh Joey Costoya from the forward-looking threat research team from uh Trend Micro welcome Joey um hi hello um so thank you everyone for joining this session so I'm Joey Costoya I am standing in on behalf of Veno Shalini um the main speaker for this talk um though he's not available on video right now but he'll be in he'll be present in the Slack channel um to answer your questions so uh this talk
will discuss about access control devices that are utilizing edge computing techniques as well as an examination of these devices for security weaknesses brought about by the use of edge computing paradigm so with that um that's David thanks um yeah I think you uh you said it all uh just a quick reminder for the audience uh if you have any questions um as always uh find the dedicated Slack channel for this talk and post your questions there and uh then we will have a Q&A after the after the talk all right with that being said let's get started hello everyone my name is vino chalini from the forward-looking threat research team in Trend Micro and today I'm going to talk to you about edge
computing the fragile art of implementing it properly and how can we exploit it to walk through access control system so let's jump right to the chase edge computing is a new uh computing architecture that compared to let's say the classical case of IoT and cloud where you have a swarm of IoT devices you know dumb devices sensors that all communicates through a cloud service or a remote server edge computing brings the computational power back to the device on the edge of the network so back to your premises whereas um uh you'd have so sensors that are capable of processing data on the same device or servers nearby the device on the premise of the network itself and of course the
fact of having actuation processing and acquisition all at the in the same place brings multiple advantages uh you have uh to rely less on network communications to remote servers because the processing happens on site so you have increased resiliency less need for network bandwidth you have a lower latency because uh exchange of messages happens uh between nearby nodes and in general for uh those applications where sensitive data needs to be handled there's the other advantage that you don't need to ship that sensitive data off to a remote location for example uh that's the reason why it has been used on multiple business verticals such as agriculture and transportation systems for smart farming so where you are in a remote field for
example and you need to do real time data collections and monitoring of machinery uh for factory automations and industrial control system where response time is of essence think of smart manufacturing cameras that needs to identify and discard defective pieces on the production line for cameras and surveillance where you have sensitive information in fact such as uh you know people's faces and elevators and building automation so one thing that um people tend to neglect a little is the fact that you have with edge computing three new architectural assumptions in particular uh you have an implicit trust on your device compared to a call it dumb IoT device uh edge devices have to be trusted because they
are the one in charge of acquiring processing and taking decisions on what to do uh with their task there's a higher need for data synchronization and data consistency because again you don't have anymore a centralized location that does the processing but the processing is done by individual nodes that needs to be up to date with one another with the latest information and the actuation as we said it's done on premises by the device itself without necessarily supervision so with this in mind we asked ourselves the questions what happens if these assumptions are in fact neglected what happens if the manufacturer ship edge devices where um these assumptions are not taken too much into considerations what what happens if
the customers are not aware and so we decided to investigate the problem by looking at a class of edge devices such as access control cameras uh bear in mind the kind of exploits and attacks that we found are not uh we decided not to expose uh flaws that are specific to access control cameras as much as flaws that are specific to the fact that these are edge-based cameras in particular we chose the access control cameras because well first of all they are easy to acquire compared to a smart factory production line or um an agricultural machinery but despite being easier to acquire they embody one of the most critical uh function in a company infrastructure which is user
authentication these are the cameras that literally keep people outside of your office unauthorized people outside of your office and despite all of that they also implement some functions that are very affined to other fields such as uh again image acquisition and processing actuation and so on so with this in mind of all the four cameras we took cameras from four different manufacturers who are anything but a niche market the ZKTeco ZKTeco it's a big Chinese vendor uh that grossed more than $3.58 million us on fingerprint alone in 2015 for example this is a camera that it's Android based and uh it doesn't need need doesn't need a remote server if just for coordination and and monitoring but it's
fully autonomous in everything that it's user authentication and management Hikvision uh Europeans might be aware because it's a brand that's fairly big in Europe and the niia area and it's actually one of the biggest manufacturer in the world uh this camera in particular the model we chose it runs uh doesn't run Android it runs a custom uh customized Linux distribution Telpo TPS 980 this is another Android based camera from Telpo which is the manufacturer that's that partnered with Alibaba to provide Alibaba with facial recognition technologies on all the point of services so it's not a small vendor and finally Megvii Koala where Megvii it's one of the big three into the facial recognition algorithm and the supplier
of for example the Hangzhou City Brain project where Hangzhou is a smart city in China um the those last two cameras can in fact run both autonomously or with a cloud service with an optional cloud service so we looked at these cameras we analyzed them from a point of view of the physical security of the software security to see if the patches were up to date um on the communication security which is the most critical aspect and we identified some attacks that we decided to group around those three architectural assumption exactly to point out what happens if you neglect those three aspects and in particular let's look at the first one implicit device trust so we said these devices are
supposed to act in full autonomy so you as the customer when you install them especially an access control camera you trust it to identify the right people to make the facial recognition right to deal with the user management without the need of an external service and goes the same for example for a smart manufacturing camera where you trust the camera to identify and discard defective pieces without necessarily supervision which begs the question what happens if the device is owned or what happens if somebody impersonates the device and here are some nice case so this is an example for the ZKTeco uh we tried to see what what what communication was like when creating a new user or we're
doing user management in general and the first thing we noticed is that ZKTeco for example has HTTPS disabled by default which means that any malicious actor sitting on the same network you know in case you have a disgruntled employee or you have a customer that sits on the guest network that you haven't secured or isolated from the others uh by just running a tcpdump or a Wireshark can actually see the traffic over here now what's interesting about this traffic this is a request that the camera performs to the remote server when it creates a new user whereas the server on the other side merely acknowledges the new user and propagates the information to the other cameras
what you see here in the third line is that we have not only the communication is unencrypted but we have a session token that it's actually reusable all of this means that if I'm sitting on network and I uh capture this traffic I am now able to forge a new request create a new user with whatever picture I decide to send and authenticates whomever I want to enter the premises not only that but uh with the same principle reusing the same token I can actually perform a call and give additional privileges to an existing user or maybe one that I just created so that he can act as an administrator on the whole infrastructure talking about device
synchronization so it's sort of a in topic even we're talking about network communication but as you noticed uh edge devices need to be kept into strict synchronization in the case there when you create a new user the user information needs to propagate to the other cameras in the building so that they can authenticate it the same way and you know that doesn't just goes for cameras but in general edge devices need the synchronization which means that you need an additional set of APIs from an external server to for the device to sort of communicate with one another and that again begs the question what happens if these API endpoints are not authenticated or what happens if the
connection is not encrypted you see where I'm going there so for example for the user picture the ZKTeco together with some other models actually um we managed to find an API endpoint where one could fetch user pictures and again the API endpoint it's neither authenticated nor checked nor is it rate limited which means that anybody really knowing that URL or grabbing the URL from the network traffic which is unencrypted as we showed is just able to enumerate all of the user pictures in your company through a simple brute force but let's say that you're really lazy and you just you don't even want to do that turns out that Hikvision for example uh synchronizes periodically all the
devices by sending them through device polling the full database updated database of users comprising user data user pictures and so on well then that means basically since this communication is not encrypted either that all you need to do really is sitting on the same network as the device and wait until the full database gets to you uh ready to be exfiltrated another interesting thing we found for the Telpo device the Telpo device can connect to a cloud service for administrative purposes to connect to that you need of course a an admin password which is not known by anyone and that would be secure enough however it seems that there is an authenticated API call that you can call
to retrieve an access token to the interface what is the information that that API call requires it only requires the serial number of one of the devices that sits in your infrastructure where do you find that serial number on the back of any device really so if the device has been badly deployed or if you can physically access the device and just look on the back you got your serial number you can perform your API call and uh you get administrative access you can of course you know with the same principle do server impersonation uh so with a simple ARP poisoning you can pass yourself as the server and then all the cameras will basically send you their logs their user
pictures their updated user database and of course this also means that you can impede or delay auditing because you know there is no chance to do anomaly detection if you don't receive the logs from the cameras finally for the third aspect as I mentioned you have an unsupervised actuator in the device proximity in the case of a smart manufacturing camera the camera discards the pieces in the case of access control the cameras open and close the door so in the simplest case you can wonder what happens if I can physically access the camera and just grab the wires and short and short the wires well you can open the door in that case but it's more interesting uh for
the cases there something more interesting in the case of the Megvii Koala the Megvii Koala has this three-tiered architecture where uh you basically have the camera that acquires the picture you have an edge server that sits on your network that performs the authentication and if it authenticates the picture it sends a command to uh a network relay who's responsible for opening the door now why attacking the camera if all you can do is craft a netcat command to the network relay who is not authenticated nor encrypted as well and just physically open the door without even looking at the camera so some concluding remarks um this is a table that resumes more or less all the
vulnerabilities that we found and all the aspects of the cameras you see that all the cameras have exposed USB ports which means that you can also do application sideloads and this is something that in edge device should be protected um you can perform man-in-the-middle attacks in most cases where um where in the case of Hikvision for example it's a little harder because it's using a binary protocol that needs to be reversed but however is not encrypted and yes most of the time user forgery and user administration can be faked via simple requests so it's a kind of a dire situation that seems to depend from the fact that every time we change a media
and we move to a new technology what were the best practices that we acquired on the old one such as use your HTTPS authentication pretty much seems to disappear so we've seen this example you know we move from web to mobile web and all of a sudden HTTP has disappeared to mobile apps to HTTP REST APIs uh to IoT that suffer the same problem and now with edge since that every time we change the media all the best practices that get acquired don't seem to apply anymore there's also another aspect which is that edge sort of instills a false sense of security due to the fact that you have devices that resembles d by those are just simple cameras but in
fact they are not they actually pack computational power and additional task inside so users needs to be aware both the users that acquire these devices and the vendors that sell them that this is by no means just a fancy new IoT device but it's actually something more with uh more dangers lying behind and more precautions to be taken and finally in terms of mitigations so again around these three aspects of the device for the device trust of course we need secure network connection that needs to be implemented either by the vendor and enabled by the user uh even better network isolations for those devices uh you know hardening hardening hardening make sure that they are patched up again from both vendors
and customers and constant auditing device synchronization well that goes without saying almost feels um we need API authentication that needs to be implemented we need things like certificate pinning to make sure that uh malicious actors cannot impersonate the device and additional Network isolation of course and for the actuators you know there needs to be careful deployment cables needs to be properly installed and extra auditing of course so this concludes my presentation I hope you enjoyed it um sorry would probably go better with live demos but alas times are what they are and if you want to read the full paper that is the link thanks we are back with Joey for some Q&A uh thanks again uh for your or the
talk and research um I was wondering with all the issues that you found um what were the vendor reactions uh when you reported it and maybe more generally what is the um the update or patch policy of those vendors is that more like an afterthought on those edge devices or um what have you seen there um so in one in one case um one vendor actually um have an update on the software um so like before for example when when there um it was mentioned in the presentation that they only have um plain HTTP protocol support and now they support now like HTTPS support and also um yeah um and also the newer versions of the of the hardware um we can no
longer replicate the attacks that we did before okay and have you maybe also looked into the update mechanism itself um like how those devices update themselves if they do proper Integrity checks and verification um so for the updat like one of the one of the devices um they don't um as far as I know as far as as we can see there's no like auto update thing that's going on so in in their case um um um they need to field a service technician um to service the devices and do the upgrades themselves um so it's kind of like um So when you buy devices there's sort of a contract support contract also associated with it so that they could do
the upgrades um the got the vendors or the the service contractor can do the updates got it um maybe more of an open-ended question um like as was mentioned in the in the talk like why do you think we are always doing the same mistakes over and over again like do you think it's mostly like time to market like those cameras need to be produced faster than from the competition or is it maybe that there's just very little consequences if you have those issues or maybe developer training awareness something like that um well if you if you if you look at it um feature-wise um it actually offers some benefits so for example the facial recognition devices
everything is comp every every all the computation is done on the device so that means the response time for the recognition is very fast because everything is done on a device there's no connection to the internet so um there is an advantage using th those kinds of um architecture but then yeah it mistakes from the old mistakes from the past gets repeated again and again so yeah all right thank you um we're running a bit late so I think that's uh all the questions we can take for now um I think you and ventu will also stay a little bit in the Slack channel in case there are followup questions um so thanks again for your presentation and
your time and we'll be back with the next speaker in just a bit okay thank you
we're back with our next talk uh let me introduce you to our next speaker Tim Panton who's CTO of pip gmbh welcome Tim welcome and thank you very much for inviting me along it's great glad to have you um in your talk we will hear about your experiments and experience uh designing and building a KVM using off the shelf hardware like a Raspberry Pi um and last but not least do all this in a hopefully secure manner um as always if you have questions uh there's also a Slack channel for this talk um so you can post questions and we'll get back to them uh after the talk um that said uh yeah we are looking
forward to hearing about your KVM design process uh let's get started thank you hi so this talk is about how to build a better and more secure KVM with off-the-shelf commodity Hardware it's so also really for me it's an experiment in security by design of taking security seriously throughout the design process and trying to make sure that it's being considered at every point I'm Tim Panton I'm the CTO p.p gmbh about 20 years ago I ran a Internet Security scanning service more recently I've been running uh voice of service and then about four years ago I started building a a stack for an iot stack for cameras the goal of this activity is to give remote access
to server assets think about the trolley that you had and you wheeled around the data center in the in the old days you would wheel it around and plug it into like the server you wanted to to to rebuild or whatever so I want to do something like that but on the internet I want to plug Hardware into the H HDMI and the USB and get access to it but remotely so kind of use case for that might be a firewall Appliance so where you want to manage it but you don't want to manage it through itself CU then it's so easy to get yourself cut off and the other thing is that increasingly cheap
low power ARM servers which are quite capable of running web services and things like that they don't have lights out management built in and then the final requirement goal here is is to make sure the thing is is easy to use so like all good security talks we need to talk about what the threat model is so what are we protecting what are we assuming and who are we protecting it from so we want to protect the service so like we've got a server there or a firewall or whatever and we don't want to provide new attack vectors that give more ways of attacking that existing device we want to protect any authentication tokens that are involved
in creating that both the ones that are in the Ser for the server but also for the device itself and we want to make sure that the data in Flight is not vulnerable to interception I mean we could talk about what the losses are here potential losses are here but I think these cover the the data I want to assume that we've got lazy but not evil users so we're assuming that all of the users who are actually using the service legitimately are not out to misuse it I want to assume however also that though that the infrastructure is untrusted so anything once you once you leave the cage in the data center is untrusted up
to the point where you reach the user's browser I want to assume kind of semi-secure location which means that say a data center rack with CCTV and proper access control or conversely maybe you know the the security room in an office building or a person's flat you know the cupboard with the router in it so that means that the main threat is external it's got a over the network and there are two categories for that as far as I'm concerned one of which is automated scans I mean they are inevitable every IP address is going to going to get scanned and active targeting by motivated individuals now that used to be something you could
pretty much ignore but it's not true anymore like motivated individuals are actually relatively cheap like a thousand bucks will buy you quite a lot of motivation unfortunately so we want to minimize the threat and we're taking three intersecting strategies on this the first one is to block known attack vectors and that means that you have to have a look at what it is that adjacent projects have been vulnerable to and classically for cameras that's I mean I should have it on here actually but that that's default passwords guessable passwords but then you have things like buffer overrun and type trickery and input validation as being kind of major attack vectors so the next step is to
minimize the attack surface and so that's a matter of from my point of view that's a matter of simplifying interfaces reducing optionality so if there are two ways to do a thing and only one of them is actually really used get rid of the other one and that's the kind of OpenBSD approach and also minimize secret data storage so if you don't store a secret you can't lose it and then the final thing is how do you deal with kind of unknown attacks unknown vulnerabilities well the only thing you can really do is to leverage standards so well thought through standards and also to use best practice in terms of code and tooling and techniques so I've
talked a lot about theory but let's just like have a quick look at what it actually looks like what you see here is a Safari on a Mac M1 Mac list that was listing the foreign Keys it knew about and now it's connecting to one the one device it knows about which is actually an Ubuntu x86 um running 1024 by 768 and in between we have a Raspberry Pi that is doing the the bridging between the two and as you can see it's reasonably performant if you watch the xeyes they move reasonably smoothly the typing is is perfectly usable screen update is quite sharp and you're doing that and that's happening at about a megabit and
a half which is pretty good I think so you can see now the the mouse cursor moving around reasonably uh crisp popup the colors are a little bit out but I think that's a price worth paying for for the bandwidth compression we're getting oh yeah I'm just going to show you here that this is Safari technology preview because we're using one feature that's in the preview only but we don't have to we just happen to have uh happen to be testing that feature and so there you go this is a reasonably sharp usable KVM in a browser so I should actually at this point give credit to a couple of projects that helped me get started on
this this TinyPilot and PiKVM they both use very similar hardware solution to to what I'm doing but the software is completely different they stream JPEGs over HTTP and then wrap that in the VPN so we don't actually share any code with either project but they were an inspiration so what I instead did was to leverage the IoT stack that I've been doing for pipe for doing video cameras and baby monitors and stuff like that so what does that look like this is what it looks like we've got Pi in the middle server on one side and browser on the other with joined up by the public internet so one of the nice things about
this design is it has what you could loosely call an air gap I mean I know it isn't really an air gap but between the server and the the Raspberry Pi you're just using USB there's no inter there's no IP connectivity between the two all right it isn't really an air gap but the way it works for the video is that we just have a cheap capture card $14 or so cheap dumb predictable V4L2 compliant so Linux just thinks it's a 1080p camera it comes in over USB although there are CSI variants that you can use instead which come in on the camera interface and the Pi has a hardware H.264 encoder which supports
1080p at 30 frames a second and that means that we can get the bit rate down to about a tenth of what we would with JPEG so 2 megabits versus about 20 megabits a second which is a huge win I think so the other aspect of the air gap is the data going the other way so we've talked about the video now we look at the mouse and keyboard going the other way again it's really not an air gap it's USB-C so bizarrely the or handily the Raspberry Pi supports on the USB-C port supports gadget mode which is kind of hangover from some of the Android stuff but it's in the Linux kernel so it's a kind of nice feature and what
that lets you do is to have that emulate uh human interface device so a mouse or a keyboard or or a wheel or whatever and and you just do a bit of kernel config and then what happens is that you get these devices turn up in the dev tree and if you just write bytes to them the correct bytes to them then they emulate a keyboard or a mouse and then over USB to the other end of the USB connection and the great thing is the server can't tell that this isn't keyboard or a mouse and and a mouse and monitor so the server configuration is exactly what it was before with the exception that it's
worth setting the um HDMI resolution to what you want to capture at so the next piece of this puzzle is how do you get from the Pi out to the browser and we've chosen to use WebRTC for this and the reason for that is really mostly that you shouldn't write your own cryptography or protocols so we decided not to but there are some other kind of benefits of specifically of using WebRTC it's available in all the browsers and it means that you don't need to install a client like there's no client install needed for this which not only is it easier to use but it also means that the user has not introduced a new
set of risks by adding a you know Zoom client or whatever WebRTC is a reasonably well studied protocol I mean it's it's had some bugs found it's had some fixes made but it's still it's actively being studied which is better than using something that's dormant and full of bugs it gives you an end-to-end encrypted channel using self-signed X.509 at each end which you can then use for auth which is kind of handy and it was actually built for low latency high quality video video calls but it's also been used a lot for screen shares which means that the infrastructure is geared up for something very similar to the use case that we're using it for here and
the other sort of side thing pandemic has meant that WebRTC traffic is actually very much expected on networks and network operators are expecting quite large bulks of of WebRTC traffic so WebRTC has got a bunch of nice security properties which are somewhat to do with the timing of its inception when the standard was being built was just post the Snowden revelations which means that there's a a healthy degree of paranoia going on in in in WebRTC and in the protocol design so for example no open ports until messages till there's been a message exchange so there's not it's pretty much invulnerable to scanning there's the open port is random so like you don't know what port it's going to
be open so again it's kind of very much defensed against scanning and it works behind NAT so there's not even an IP address that sits there to to be pinged open once the port is open it's protected by one-time password so you won't get a response if you don't have that one-time password the selected port is verified with the DTLS handshake so even once you've kind of done the one-time password exchange and found a path which I'll talk a little bit more about in a bit you can verify that path and there's a DTLS extension that uses key material to derive a media session key that's used for encrypting the media session and that gives you perfect
forward secrecy as well because it's a new key each time and there's also a layer in which the the DTLS also wraps SCTP so you have SCTP which can be used for non-media data and we're using it for the keyboard and mouse so that's what this looks like so the big there's a big yellow blob in the middle there which I tagged as the pipe WebRTC agent I should talk a little bit about that the WebRTC agent is a clean room implementation for small Linux devices of WebRTC and it happens to be in Java and there are kind of quite good reasons for that the strong typing in Java means that there's a bunch of vulnerabilities
that just get caught by the virtual machine and don't make it up into the up the stack it's uh pretty well protected against buffer overflows on on on the input and stack smashing and that kind of stuff like a lot of the vulnerabilities that present in C and C++ aren't applicable to Java there's a reasonably mature ecosystem for tools and stuff like that which always helps in producing higher quality code and it's reasonably performant on small machines because of its ancestry which is which is great so beyond that that's kind of generic thing what we've specifically done in the Java code is we've had some rules about what we won't do in and will do in order to try and
raise the defense in depth so we don't do reflection right now there's a concept in Java of reflection where you can inspect a class and work out what it is and set members even if you don't have ownership of it and this kind of stuff and conversely you can spontaneously create objects based on input and we don't do any of that we we we don't think think it's a safe mechanism the input parser for example does string compares rather than regexes so we have a specific list of services that that that can be matched against that are named by strings and the incoming service has to exactly match that string this it's not a regex we
only do we only exchange packets with known peers so if you're not a known peer you don't get packets from us we only open media sessions with a known peer who's permitted to have media sessions there's like a hierarchy of permissioning going on here and to be a permitted peer you must have your public key in our local key store so it must you must have got it there somehow and then the final thing is that well penultimate thing is that we act as a proxy so we don't link to outside native binaries we don't use JNI we only use sockets to connect to outside services well and the file system so we have a
clean abstraction layer there that that prevents us from being um vulnerable to inside attacks like that and the final thing is we use GitHub alerts for upstream CVEs so to see if we have any of the libraries that we've used have had recent CVEs issued or recent security updates we'll get notified by GitHub so we don't keep have to keep checking ourselves which is really useful so I talked a little bit about the auth we use self-signed certificates but we use proximity verification so we decentralize the auth or push the the auth holding out to each each edge is responsible for its own authentication so the X.509 are created stored and checked locally on device and they're exchanged using the
DTLS handshake so that that's how we get a public key from one device to another is through the DTLS handshake we validate those with a nonce so we use a QR code which to prove the proximity so in the case of of this we we show a QR code on the screen of the Pi and you scan it on a laptop or an iPhone or an iPad and that proves that you're physically proximate at the time when that specific one-off QR code was shown that token is shown uh and then subsequently you can do the same sort of transaction to lend that access to other devices like another laptop or a desktop or whatever so I want to to spend a moment
through thinking about proximity as proof of ownership so basically what we're doing here is we're saying that the thing itself the Pi in this case is a token like you often see tokens generated by things like Kerberos like theoretical objects but this is in this case we're using the possession of the IoT device the physical proximity as a token of ownership you know so essentially the owner is the first person to plug it in and switch it on and that's a pretty good proxy it's a pretty good measure of ownership so then the question is how does the device know that it's you establishing ownership and then that's where we use the proximity we offer a localized one time
cryptographic handshake that is validated by this QR code so you scan a QR code to prove that you've got a line of sight sounds a bit complicated but actually it's really not that it's really not complicated so this is my iPad I'm going to turn on the camera in a second and it this is my iPad so we switch the camera on and you can see this is the Raspberry Pi and and just so as you know you've got the HDMI coming out they've got ether and then we've got HDMI going to the server so there's a this is USB HDMI scan capture device and then you got USB-C that goes off to the keyboard
interface on the and mouse interface on the server and as you can see it's already showing this QR code which is the validation token for for this proximity exchange and what what I'll do now is to tap on the QR code scan that the Safari has found and it will take me into Safari I now do a WebRTC cryptographic exchange send the tokens over and now send the keys over and now I'm dropped into a session with the HDMI of that device so that was actually pretty easy I I know like some of you will be familiar with WebRTC and you say well what about the signaling where did we where did that work and
yeah okay I it's true we we do need a cloud service for connection establishment so the two ends have to find each other somehow so we don't trust that with private data or keys so we create this thing called an RDV server which is basically just a web server on a known public IP and both ends connect outwards to it over WebSockets and then they exchange setup messages to set up a WebRTC peer-to-peer connection the one of the tricks that we're using here is that we're using the hash of of the public key of the device as its address which means that we're immune to iteration attacks because it's a huge key space
and it means that a device can ignore a setup message that's come from something that isn't one of its permitted peers and although we can't validate that on the the initial setup as when it gets to the DTLS stage of the handshake we can validate that the far end really does have the private key that matches that public key and that allows us to ensure that the RDV server hasn't introduced a monster in the middle so how do we get through NAT well ICE is a WebRTC feature it uses a bunch of tricks and I'm just going to kind of very briefly outline them so STUN which allows the each end to learn a public IP address TURN the
TURN service acts as a packet reflector if you can't find a direct path between two ends to between the two peers and and the setup messages contain all of the discovered public IPs private IPs and IPv6 addresses and the ICE service process tries all the combinations of those IP addresses in turn and and the TURN address to find a path that works but as I said earlier this ICE exchange this whole ICE exchange is secured by one-time password so you you can't it's harder to break into it from as a third party you have to be privy to the exchange in order to be able to do it the metadata so the downside of all this is
we're collecting metadata particularly the IP addresses so this the RDV web server knows the IP addresses and it knows the time times of uses usage the STUN server knows IP addresses it knows usage time and it knows duration the TURN server knows the IP and usage time the RDV server knows IPs public keys of both ends and some timing information the KVM knows all of that and keystrokes and video the KVM is the kind of thing you've really got to got to watch so there's a bunch of things that we haven't done that we do need to do in in the longer term one of which is adversarial testing we need to to to test this get somebody to like really
poke it pen test it effectively we need some fuzzing done on it and we need third party code reviews we haven't done those things there are however some known flaws that we know about that kind of that are we're going to have to live with because they're difficult to fix uh principal one is that the Raspberry Pi has no secure boot which means that a passer-by could swap SD cards in seconds and change the change the config uh the best mitigation is basically 3D print a case for it which keeps the SD card inside I haven't done that the other option is just to hot glue the SD card in which I think I probably would do in
a in a deployment it's a bad sign if hot glue is your solution to to your security problem but whatever specifically one of the vulnerabilities that that introduces is the gadget mode supports USB Ethernet emulation so in principle if you hacked a Raspberry Pi by swapping the SD card or some other way then it could monster in the middle traffic by introducing a new route from to the server by pretending to be an Ethernet device this kind of is a risk but it's not a much bigger risk than the fact that if you'd hack the Pi you could use the USB keyboard to change the routing tables and direct it off through a proxy device that was capturing all
the traffic so it's sort of it's bad but there's an equally bad thing already which doesn't make you that much more comfortable but it's not disastrous and that leads on to the other thing is that like the Pi is a perfect place to install a keylogger I come I actually think that part of this stuff would actually just make a perfect keylogger the Zero for example can do the same thing and that makes a really nice little keylogger to put into that and the final thing is that you have to trust the website that loads the page so where you know when when you saw that page loaded that was doing the emulation
that has to trust the website so I think the overall lesson is that you could see that we've thought about security at every level of the process the protocol the code the user interface the user experience the hardware but it isn't incompatible with usability you can make a usable service if you include thinking about security early enough in the process and keep it in mind all the way through to do that you kind of have to expose your design and developer teams to security thinking and you have to expose your security team to design and product thinking and the standard technique was just to kind of apply compliance rules it's not enough cuz what you end up with is something
that's neither secure nor usable I want to thank thank you very much for listening I really do appreciate it I know we've all seen an awful lot of video in the last year so if you made it this far out I really tip of the hat I really do appreciate it if you got questions comments whatever to at pi.pe or Steely glint on Twitter I'm very happy to answer questions there and I should say that most of this code is licensable for using things like security cameras baby monitors or wherever else seems appropriate and and and useful yeah really happy to to take questions thank you very much and we're back with uh Tim for our
Q&A and uh we had a couple of questions in in Slack and uh the first one was if the uh Pi Zero W could also be used instead of the Raspberry Pi 4 um if they both share the gadget mode yeah uh technically you could and you I think if you were doing this for a home use then it would make sense to do that in data center um you'd end up needing to use Wi-Fi um on the because you you don't have the ethernet connector the Pi 4 has got a an Ethernet connector so that's a in a data center that's a big win on the security front I think okay and talking about the ethernet I think in your uh your
abstract you also mentioned uh potential use for uh red teamers so I guess uh we could also think about have have you thought about that more or would you I think the network part you would then use like a cellular adapter um I haven't really thought too much about it I mean I think there's the the kind of one end of it is it's it's a really easy keylogger like you know the keylogger code is just a bit of kernel config and you're done um which was kind of interesting so you could sort of intersect uh keystrokes that way and then um you know if you if you use the gadget mode ethernet to spring up up
another ethernet on the server and then you could probably force it to route certain packets to you rather than out to the the big wide world um I it's not I'm not a red teamer so I haven't actually kind of really thought that through but it feels like there's some fun stuff to do there and then like WebRTC is quite a nice protocol for exfil I think from that point of view and that it kind of drills its way out and everyone's using WebRTC for everything so should be fairly invisible okay and uh another question was uh why would you implement um the agent in in Java when it's 2021 and not not in Rust
yeah I um the real reason is I started this four and a half years ago uh when I think that was a it was a simpler choice it turns out it's actually still not a bad decision because one of the nice things about the Java VM being so old is that it it maps a lot of things to hardware so for example the AES encryption which is what uh WebRTC does maps straight into an ARM single ARM instruction so you know some of the more kind of uh be closer to the metal languages wouldn't wouldn't get you any better performance okay and uh I'm not sure if you said it in the video like the uh the
device you showed is that at the moment just a proof of concept um for you or would it later be available to purchase or would you would we be able to build it ourselves using your software stack is there anything planned uh I don't know I I what I would really like to do would be to persuade some of the people who are already kind of in this Hardware business to to take on our software I'm I'm not a not a hardware like vendor and I've no no knowledge of how to do that sort of business so I'm much Keener on on doing that as a um as a collaboration with somebody who's got Hardware got
it and uh maybe more like a detail question um you talked about how you uh solved the um NAT traversal uh for the establishing the the connection um I was wondering did you run into any challenge um like of the time for finding uh fitting candidates like collection of addresses and initiating the connectivity checks um is that something that can be done in in parallel or you basically need both ends doing that and then um you find like see if there a direct path so the standard is that both ends do it simultaneously and there's a sort of coordination there's some rules that they that helps them coordinate the the sequence of that uh um and actually
that helps you get through certain NAT configurations where if both ends are trying at the same time the kind of pinhole opens you can get through it so it's there's a big advantage to doing that but there's some discussion in the standards world for whether you can like I don't know what's the word right word maybe pickle a configuration say well this this is this is how I'm always going to use it um but then the downside is that then you don't have a random port what's nice about doing ICE the way you have it is that you don't know in advance what the port what port's going to be open so you can't scan for
it right right um you talked about uh the different design decisions you took at every every step um have you also uh or are you also doing anything special in regards to updating the device itself um because I I would assume that those those kind of devices are often um like forgotten or rarely updated um is there any auto update in place um or how is that would that be managed uh it's a good question um I think um I we do have a it's not a kind of fully fledged feature yet but we do have the ability to update the code itself so the the actual uh our agent and the surrounding code we've got a mechanism for updating
it the channel itself so kind of only people who can access it can update it so we have that mechanism and and it's also possible to to use that path to generate a local shell script a local shell connection so you could then use that local shell to spin up um an update you kind of Raspberry Pi update but I mean basically your this is commodity Hardware that doesn't have kind of um cloud-based update facility if you were building a product you would take you know one of the proper um things that would allow you to manage a large Fleet of of devices and push updates out to them in a in a more centralized way I
think that's one of the places where you it's kind of hard to beat the cloud all right um I think uh that was all the questions we had for now um I think you will just stay uh maybe for a little bit in this Slack channel in case there's more things coming up I also saw that some people were sharing interesting uh additional resources there um and yeah thanks again for uh taking time and doing the Q&A and your talk um next up we have a short break um so yeah feel free to keep the conversation going in in Slack and also check out our uh sponsor channels um for some good or maybe you're interested in um career
opportunities uh at those companies that are supporting the community and this event and um yeah after the break we'll be back with some more bid munity content uh so stay tuned and see you soon
so SOS as mentioning I'm here with Gustaf hello Gustaf hello servos so Gustaf you have been leading the software security journey at one of the biggest furniture companies which is Ikea Ikea yes um just a solid background in cyber security so you probably knew where you truly want to go um and I'm quite excited to learn how you um implemented these communities of practice even if there is the philosophical discussion whether Star Wars or Star Trek but we're not going to get into this so I think we we just start with the recording and we have the Q&A afterwards so please join the Slack channel if you have any questions and we'll see you later after
the talk yeah perfect ask me loads of questions and if I don't have time to answer them on the live stream um I'll try to take time and answer them on Slack as well so yeah please enjoy hello everyone my name is Gusta lunc I work for Ikea and I'm here to talk about our Cyber Jedi Academy um I live in in Sweden I've been working with a few different positions in security but the 3 years ago I joined Ikea to start working with software security a bit more in this context um for 2 years I've been leading the software security program at Ikea and I'm here to talk about what are the learnings we've had
in our security community that the Cyber Jedi Academy is and what I think that we all you know how we must think and work with security in in specifically DevOps today so let's jump in some slides and and uh let's get cracking shall we okay so software security rise of the Cyber Jedi a security community of practice and some nice Ikea products as well uh so some Ikea advertisements in this of course uh that's me I work within cyber security at Ingka Ingka is a part of Ikea this means that we sell furniture but we do not produce furniture that is a different part of Ikea so our security that we do is mainly focused on all our warehouses all
our co-workers we are 170,000 employees whereas approximately 5 6,000 people work with our digital solutions so we're quite a fairly big digital department as well I run software security that is one out of five legs within cyber security and the talk here it's I I give it but I have a whole team within software security so everyone back home uh big thanks to you as well this is not uh and has never been a one-man show so the biggest revolution since Ikea was founded and this is not the pandemic we're in uh this is actually about the mobile phones already in 2017 four years ago it was estimated that 5 billion people had mobile phones and this has
massively changed the way that we interact and how our customers shop not only at Ikea but at all retail retailers across the globe and it's also it's been like our data shows us very clearly that in China the phones are super important for what they're going to buy even when it comes to furniture whereas in Germany many of you guys are think the stores are still the most important thing and I hope that you are an Ikea customer and if you've been so maybe you've seen that the store experience is usually better than the online one but we're changing that and I think that we've come quite quite a far away I'm going to talk about
how we've tried to work work through the security in this context so 3 years ago we set out with a new AA retail direction that we are creating a new Ikea in three years bringing digital to the core of everything we do so it changed almost everything when it comes to digital and this transformation we focus on DevOps and I think that many people know what what DevOps is but just to clarify when we say DevOps we mean the culture and and not that we run a lot of pipelines of course we run a lot of CI/CD pipelines but the context that our digital platform teams and digital product teams are working is mainly DevOps and this means one thing that you
build it you run it you operate it and yes you guessed it you must secure it so where would we go and and because this massively changed we've been working with security at Ikea for a long time would have you know a 24x7 SOC monitoring for over 10 years we have a strong perimeter but what does what does you know DevOps and and us you know in in this we're also going to the cloud quite aggressively well we look that how do we measure DevOps and what do our engineering communities speak about so our engineering managers as well they started and and are still measuring the teams on many of the performance metrics which comes from Accelerate State of
DevOps and if you're working with if you work with in security and and you work with specifically software security like I do I recommend you reading this and maybe like if you don't have time don't you don't have to read the book read the the survey State of DevOps read the book as well but State of DevOps is is is an awesome survey of DevOps transformations across companies and and um we stole this quote here uh information security should be integrated into the entire software delivery life yeah that makes sense what we see is a shift to give the developers the means to build security in and and this means okay we really want to build security in
from the start and these are the metrics that they look at and so it's different from the ones that we have in security but we see one availability and and many people with in security works within CIA and if we can do these things right I'm sure that we can do security right as well and in in this I just want to highlight one specific thing from from the State of DevOps as well they said the best strategies for scaling DevOps in organization focus on structural solutions that build community and this this picture here that I stole um from from DORA and State of DevOps it's shows a clear thing like the communities of practice line in the elite performing
teams you have communities of practice and traditional things such as a center of excellence is not as common so we thought very much about this when we started building out this community but first how are we going to do cyber security with DevOps well for us if you are a team that you build it and you run it and you operate it you architect the solution you are also the most and the only well equipped team to solve security issues within your team and as such the security work should be centered on that team and that the security engineers that we have and that I also am we must focus on empowering the product teams and make
them better in how they deal with security and together with the Cyber Jedi that I'll go into in just a minute that's how we try to drive security so we started our security Champions program a little bit over a year ago but but and this slide is is almost two years old when we set up that we wanted to start to do this and that was to build a security Champions program and I think we've all heard about the security Champions but we wanted to make security scalable we wanted to increase transparency offering we wanted to raise awareness and Empower developers to address security well security Champions program but but the talk is about cyber Jedi
well we had the opportunity of course to pick any topic we like and we had a long discussion whether or not to go with Star Trek or Star Wars easy so easy choice if you ask me so we went with Star Wars help me Cyber Jedi you are my only hope quote Leia uh I think that this just tells us really well how we can the only way for us to scale out security in the organization that we need the Cyber Jedi to help us in this and the Cyber Jedi are critical to our success within cyber security and to make it a bit more fun and make the Star Wars theme more obvious we also you know wrote some of
these things R of the digital product breach I think you recognize that but yeah let's go into what did we do and where did we start well in March 2020 we had a pilot program with seven engineers and we had a few modules like the SSDLC secure software development life cycle secure coding and web security and then we changed feedback on the program and this is super important and I'll get back to why changing on feedback is so important but these modules became too big uh so we had to change so in September 2020 we made a bigger rollout where we also launched our self-led learning and the self-led learning
utilizes our IKEA e-learning platform and this is something that we do in collaboration with Learning and Development at IKEA and Learning and Development is an organization that is tasked with upskilling all of our people in the company and then they work with Pluralsight and um Coursera and these type of learning platforms and that's also how we've actually bundled up together with them to run some of our Secure Code Warrior platforms as well on the left hand side of the screen you see a picture of our e-learning online learning and you see the curriculum on the first level the way of the Cyber Jedi and this is an introduction video there's reflection
forms and more things in their online platform can be such as links to um documents or articles we want them to read um videos I said it can be service it can be assignments and these are on the online learning platform to enable the Cyber Jedi to do it at their own pace and this is really important because some weeks you maybe have releases some weeks you have focus in your product teams but with the online learning they can do it when they have their own time and the assignments we give them is to do things in the context of their own team and this is really important together with the self-led
learning we had four different levels and in the first level The Saga Begins you learn some basics you learn what is the SSDLC what is privacy data and some basics this takes usually one month and at the Padawan level 3 to 4 months you apply learnings within your teams and this can be one of the Padawan level assignments we have is SAST scanning like code scanning and to apply that in your team in the Knight level which is a more advanced level you optimize and lead your teams through various security activities so at the Padawan level we ask them for example to start selecting SAST and they can pick either things that
we offer centrally or open source as well um just the important thing is that they scan and improve on findings from the different types of scanning that we do and at the Knight level we haven't optimized this stting integrating in their flows of the teams in the processes of the teams and at the later stage of the Knight level we also have the Cyber Jedi do threat modeling and this is really awesome because if we have software engineers within their own teams doing threat modeling like that that gives so much benefits to the teams because the whole team understands the application better when they threat model together and we can have a separate talk on how we do
threat modeling that's for another uh another time but we believe that empowering the product teams to do threat modeling themselves and at the Master level we only have a few there we want them to lead and inspire other teams uh and they take part in PoCs they help us with a lot of feedback to really improve how we do cyber security in the company today the open sessions um every week we have an hour which is an open session and here all Cyber Jedi are invited just to come ask questions get help or hang out and work on Cyber Jedi stuff some of the Jedi use this hour this meeting maybe not to be active in
the meeting but to have blocked time to work on their assignments and we also have occasional topics and nowadays we almost always have a topic which can be something that's um relevant or something that we want them to think extra hard on or work with such as third party dependencies and the update hygiene when it comes to third party dependencies and such a thing was when dependency confusion arose which was a vulnerability in package managers through which security researchers hacked a lot of big organizations such as Apple and Shopify and Microsoft we talked about this on Cyber Academy and what we need to do to protect us from
this so having this every week enables us to discuss topics that are happening right now and that are relevant for them to keep track on so that's you know what we did we have the uh the online learning we have the open sessions we have the different levels but like what has this amounted to we've been running this for a year now and yeah what have we learned well at the start we were the learning Learners of how to adopt the SSDLC and that made some naive but you know truth is that I think that many SSDLCs across the world look fairly similar like an SSDLC you have code scanning
dependency analysis pen testing you have hardening uh some have DAST some don't have DAST some have as but it was quite theoretical we didn't support our Jedi and our developers in easily understanding what the SSDLC is about so with feedback from the developers we could change the SSDLC and the communication around the SSDLC quite a lot we also learned that initially getting time commitment was hard from product owners and engineering managers they did not want to give out time without realizing what this was we also like at the first one part we also understood that the feedback from the Jedi was super important not only to how we needed to do the SSDLC but
feedback in general when it comes to security when it comes to compliance IT controls they say things we don't want to but that we need to hear and that's really good and also a really important learning is that you must spend the Cyber Jedi's time wisely all activities that you do they must make sense and make the product better and I'll elaborate on that in just a minute because what went really well and not only what we learned is that we created a helpful community and this is something that I'm really proud of and looking at the State of DevOps where I talked about the
high and elite performing DevOps teams they have communities of practice for things and this community that we've created here is really helpful so the community consists of mainly a big Slack thread uh or a Slack channel Confluence space our meetings and in the Slack channels we have Cyber Jedi asking questions such as I have this finding where I have this type of data or I have this problem with authenticating or you know whatever we have other Cyber Jedis helping them and not specifically perhaps a security engineer and this is really good because if we have product teams and engineers helping other engineers with challenges they've had they have a solution that
works not only in theory but in practice and that's really good the learning goes both ways and this is something that's good as well in the community because we learn as much from the Jedi as they learn from us within security and that's really good because now we have you know our assurance teams and our cloudsec teams and our pentesters they also engage with the Cyber Jedis and that's really good and the third point here is that supporting the Jedi has gone well because now we have all these different security teams helping the Jedis and that makes them feel special and that makes them engaged because with
high engagement and that they feel special they also feel like they are a part of why we're doing this and they can be a part of how we're going to do security tomorrow at IKEA and this also brings me to like believing in the mission the why and I haven't talked so much about IKEA because I think this community and all these things is important but the why we're doing this is really important and this is something that we come across on IKEA has a vision that we want to create a better everyday life for the many people we want to show that it is good business to do good business and for us
to reach these goals that a lot of people in the company really believes in we must have secure software we must have high quality software and we cannot reach this unless we build security and privacy from the start so this message has has come across and people believe in what they're doing and and the last point the the the teams with a cyber Jedi is more successful in their security activities and that leads me to the to the drawbacks because there are like I I know it may sound like gold and green forests as as we say in Sweden but there are some some drawbacks we feel that the Cyber Jedi or the teams that have cyber Jedi are
successful in their security security activities but connecting to the big transformation that we done as a company we have no good Baseline of our product teams to measure from so we don't really know the impact that they're actually having so that makes it hard to measure the positive impact but we know that there is an impact because we see a lot of and not not us but engineering managers asking for us to train more Jedi a drawback with this as well now that the the academy has picked up pace and and we see a lot of you know a lot of benefits from that there's a lot of expectations on the Jedi that as soon as
someone okay here's the Jedi in the team security engineers and all of people they look to the Jedi for the answers and and this is this is a bit dangerous it also comes with a high cost of of running this of course but not not it is a lowcost connect if you if you ask me in terms of what we get out of it but it is time consuming we need to create Learning Materials need to create um documents you need to spend time with them you need to make them feel special and that takes time and energy and and the last one here is is that there are a possibility as well that we're having software Engineers
working in in potential activities that does not reduce risk and this is something that's that's really critical for them because they need to provide value otherwise it's a waste of time and and and uh yeah this is something that that we thought a lot thought about so what should what should you do and and why why why am I so passionate about this and and and well some tips for your own cyber Jedi Academy is that first do a minimal valuable product program to test this out and you don't have to be a big Organization for this do an MVP program in the context of your company or of your community or wherever you are
because I generally believe that the context that we are doing security that's all what it is about because if it wasn't about the context we could always just go to OWASP and use their checklist and use all of the things that's written there because I mean hands down they're amazing right but do an MVP program and make sure that you improve on feedback don't be too uh don't have too much pride because I think that it's impossible for a central security team to sit in an ivory tower and say this is how things must work this is how you must do security I think that improving on feedback and having them see that they can actually
impact how security is functioning at this company they're much more likely to engage with you and make sure that you spend the developers' time wisely because if they feel that they are learning something that is useful that is really good and that they're having assignments that improve security or the knowledge or the process of their teams all the teams all the product owners the engineering managers are going to say hey this is awesome we are a better team now than before we had a Cyber Jedi and if you spend that time wisely you know that's awesome and the last point learning by doing that's one of the key things and that's connected right that
if you do a thing that helps your product or teaches you something and you do it and learn by doing that is the best way to learn anything if you ask me and what is our subject Academy and what are our plans for the future well first we're going to make more paths for other roles than software engineers and DevOps engineers because even though we produce a lot of software we also buy a lot of software we integrate a lot of software so we need to have paths for platform engineering system engineers and we're even being asked to do paths for roles such as product owners and um scrum
masters to enable them to do security better we also need to do uh or higher our frequency of onboarding and this is something that we're working on right now to have anyone be able to join at any time and they are able to do so for now but what we've seen is that if we run it as cohorts meaning that we start with a set of people with a set pace semi set pace and a schedule they're more likely to engage and do the things that they have to do we also need to make the different levels clearer and that is mainly due to two things one
is that the Cyber Jedis themselves can distinguish themselves that they are on a different level and that the security engineers and the people around the business they understand okay that this Jedi is on the Padawan or the Knight level then they should know XYZ but if we have the levels clearer that also solves the next to last uh point here that if we have a clear communication to managers on the commitment and personal development for the different levels that helps the Cyber Jedi to get time and commitment to spend on this because if you're supposed to get to the Jedi Master level and earn that
degree you need to spend time and effort and that should be reflected on things such as personal development goals within the managers and this is something that we haven't figured out as good as we should but we're trying to and of course the goal like the end goal of all of this is that we hope that we can have one Jedi in each team because now we've successfully integrated security from the inside of their product team and that is the best way you know connecting back to the statement of the team-centric security if we have security trained people in each product team then we come a super long way and that's
something that I that I really really believe in because if they work with security within their team they work with you know they work with building up a security knowledge Capital within their teams and a security knowledge about their product where they can you know how do we how do things really work and I think that if you if you ask developers and and think about do they know every piece of their application and and in smaller apps yes but in big Enterprises they they generally don't and and and having cyber Jedi work with security from within their product teams that is really really good and and one of the benefits of that as well is that that enables the
security engineers to focus on some of the more complex things widespread problems that could be what do you say uh cross domain or cross team functional issues or security issues that they need to focus on yeah uh I can go on for hours about this uh reach out if you have questions uh I'm here to discuss more on the event and uh I think this is uh a really cool thing that's you know doing really well for us uh I'd like to thank you for listening and I'd really like to make a big shout out to my team back home at IKEA with the Jennifer funas you're all doing an awesome job to
to making this happen and yeah thanks for stopping
by so thank you for the good talk Gusta it was a pleasure so let's uh see if we have some questions apart from Star Trek versus Star Wars memes um that was a hard battle actually yeah do you think somebody won Star Trek or Mr Spock the Jedi well we went with the Jedi team and I'll leave it at that okay yeah let's leave it at the Jedi um P asked for example will the slides be made available um I think we can do that yeah that's no problem after the talk um and he also asked um that using the self-paced learning is a great idea uh what to do if it's not available
in your organization for example and so what is the critical part for the mission I I think that the the learning management system is is just one thing that makes this a little bit easier for us to track and and have the people request access to the Jedi Academy but you could as well do it as manually it's it's just about how big how big of a scale is that you're going to do this roll out and how how many Jedi or security Champions that you are going to have I think that you can do it without it it's just an easy way for us to where we can keep all the learning content but
the learning content in itself is actually spread out across several uh several factors such as we have links to videos on YouTube we have links to our own Confluence documents our own GitHub repos so it's really what you make of it and we also have a lot of own videos and just a short tip on that is that do not overdo it anyone with a webcam and a reasonable microphone can make a video make it short and concise and something that's really interesting in the context that you are working in and a problem that you are facing and start posting those videos in your community and it's going to be great
MH and did you use um a specific learning management system yeah I think ours is named Cornerstone or something but don't quote me on that I think that's very so basically it's actually a shitty learning management system if you ask me I guess most of them are quite old so and bigger corporations more than smaller ones so you will find something but important as I understand it is that you have YouTube videos that are not too long and then you split up the content so they can consume it bit by bit I think that it has to be on their own time uh when they have time to watch it and when they have time to spend on it
so I think yeah um and E had a question again coming back to the Jedi dark side what do you do if the project drifts onto the dark side if the time or budget runs out so they can implement the best practices I think that this question is on point because I think that this is something that being a security professional you need to balance this question every day and you will always run in teams where you come possibly with a mitigation or come with a vulnerability or whatever you talk the team about that they are but we cannot fix this we are going live tomorrow or we are going live in 10
minutes are we secure and that is all about managing their expectation and I think that the teams work what they are measured on which is a bit why I talked about the State of DevOps and the DORA metrics as we refer to them here and that if they are measured on that we need to put other measurements in place as well so that we can visualize and measure the teams on how they are uh you know how they're doing and we are not perfect in this uh far from it we're actually trying to build out some new stuff with this but it can start with Jira like if you're using
Jira at your company or whatever ticket system or how you now work start using labeling and visualize those things that's where we started with our visualization because we can see then that teams are actually create it's good that the tickets go up because then we know that they are creating Jira tickets and then we want the trend of course to go down as well so visualize and measure because then teams will start working on it MH okay I think that that's a good answer and um P had another question regarding the language content so as an international corporation do you only deliver the trainings in English or also in local
languages uh yeah the training is only in English for now we are actually engaging more um we actually had quite a lot of people joining in China to the academy last week which are our first enrollments in China and we have a small security department in China as well and we've welcomed them in with open arms to say that if you need to create something special for China we're super happy to include it in our things and this is something that we try to be very open with that you being a Jedi or you being in security community overall at IKEA we really want you to engage in the academy it's not
something that just my team works with if we can engage more and create a better living community the better so uh I think that question is really really good it's only in English right now but I would be up for having it in local languages because looking at China for example very specific regulations in China same in Russia and other countries as well so I think that's yeah okay then you need to develop the local language okay um in the chat I don't see any other question at the moment so uh I have one written down for me um you mentioned the OWASP project uh in one sentence so they also have this probably
know it the security pins project which uh um are you familiar with that which project did you say the OWASP pins security pins so you basically give the developers like a physical token if they complete the training and then they can pin it to their t-shirt or to their office so they have something physical where they can go around and say hey I did this or I did this and so I was wondering do you have something where you get maybe a light sword or blaster cannon or I think that's an excellent question we had all of those plans uh but then the pandemic hit so we've actually only run our um our Jedi
Academy during the pandemic so it hasn't been any any any reason for us to have anything physical but I think those things are really good because if you have such a thing and and we try to highlight when people are completing stages in um in the academy by sending email to the managers and congratulating them with the personal email saying huge congratulations you've done this it's a big undertaking and if we could actually add some physical things to that I think that would be would be a really nice touch as well yeah at least I would like really like that or feel that encourages me to to be even more keen on learning I mean you have a cool t-shirt on you
right now I guess that's one of you yeah yeah that's also what you get for devoting free time to a cool conference yeah exactly um so one last question do you prefer um we always have this quarrel between Elbsides and BSides do you prefer the mountains or the sea uh I live next to the sea so I'm gonna say the sea okay so then I have to kick you out um and um let's switch over to the next talk with Christina dear thank you K thank you very much guys have a great day
so servos back again hello I'm here with Christina hi hi everyone Christina so probably most of us know Christina already but for those that don't know um Christina has been strengthening the human element in cyber security for large and medium companies um she has a strong background in psychology which is a really good foundation for trainings and improving the human firewall in quotes um and recently I stumbled over one project it's called the OSINT Curious project where you're also part of the board a member of the board uh which is quite interesting um maybe you have a word what are you doing in this project with OSINT Curious practically it's a team it's an
international team of uh OSINT experts they're experts in open source intelligence uh okay expert is also a heavy word but each of us has their niche when it comes to open source and they add a lot we add a lot of value we try at least and our goal is to identify new techniques to spread the message around open source intelligence techniques and to also share news in the industry be a good resource for people yeah and you're basically also providing YouTube videos where you show or go through these examples that's exactly or interviews with other experts in the field okay specialist is a better word cool um yeah so um but today you
will talk about how to strengthen um the human perimeter within the company right and the cyber security culture and basically what security teams can do within their organizations to help push the message of cyber security habits within their companies and what is holding them back potentially okay then let's find out shall we yes hello everyone and welcome I'm very happy to be here again at another German BSides event and this time talking about the behavioral science influencing your cyber security culture but before we delve into the science let's start with the story the story was described in the book How to Win Friends and Influence People by Dale Carnegie it is the story of Mr Johnston a
security and safety manager who was working for a big manufacturing company of the time so one of his responsibilities was to check out the employees and make sure that they are wearing their safety helmets however the employees didn't want to and they weren't really wearing them his strategy was to walk down the manufacturing floor every so often see who is not wearing their helmet go to them tell them to wear the helmet point out the regulation cite the policy and basically not leave until they put their helmets back on and then go to someone else he would do that two or three times per day but of course once he was leaving the floor the
manufacturing floor the employees were just taking their helmets back off and Mr Johnston knew that he knew that and he kind of hated that and it was a main reason of frustration in his working life he would go back to his office and as you can imagine he would think why are they just not wearing the helmet I didn't ask them to solve advanced algebra I didn't ask them to build a spaceship all I asked them to do is to wear the safety helmet and they just won't do it what is wrong with them and the months were passing by his frustration was growing but at some point his way of thinking started to
change he thought okay they are just not doing it what can I do different how can I approach them differently and as he was building his thought but he eventually he decided to go back at the manufacturing floor and talk with them and ask them why they are not wearing the helmets and what is wrong with the whole process are they uncomfortable are they too tight are they too hard on the head do they sweat too much what's wrong and he would get feedback that was actually very valuable later on and that he would apply but in addition to asking why they are not wearing the helmets and what he can do to improve this process
for them he also started discussing with them and educating them a little bit on the whole topic of uh safety helmets and basically telling them that the reason these policies are there is for their own safety and it is for their own security and it is so that they can stay healthy and avoid trouble once they hit their door if an accident happens they need to stay alive and they need to stay well and uh with the conversation and the relationship building that happened through it employees started seeing the topic a little bit differently they started connecting with Mr Johnston they started understanding Comfort the helmets became more comfortable they started wearing them more often but in
addition with increased compliance because they did start complying a lot more with the safety measures the resentment towards anything that was related to security also decreased significantly and this way eventually Mr Johnston and the employees started collaborating a little better on the whole security issue in fact a lot better and we have a lot to learn from this story but before we do so let me introduce myself and tell you who am I to talk about these things my name is Christina Lekati I am a psychologist and a social engineer I am a trainer and consultant for cyber SCA on the human element of security most of the time I deliver social engineering and security awareness trainings to all
levels of employees as well as security teams or I conduct corporate or high value target vulnerability assessments based on open source intelligence as of this year I'm also very happy to announce that I'm a board member of the OSINT Curious project which is always a lot of fun and I'm really thankful for now let's start a little bit with the whole topic of cyber security and why humans play such a big role in it especially in recent years so yes cyber security used to be by definition a very technical discipline it was all about securing the integrity of devices networks and data from unauthorized access or damage but as threat actors started evolving as
we all know by now they started targeting humans and cyber security started um including an element of information security or a big element of information security now information security involves the protection of sensitive data and information from unauthorized access this means in any form in print in electronic format but also in the spoken word so if employees go about and discuss um sensitive matters or confidential information this is again a matter of information security and they should know not to do it basically cyber security today is not only a technical challenge but it is also a behavioral one and why that's because as long as managers and employees can provide access to systems and high value
information they also become targets and they may intentionally insider threats or unintentionally cause security incidents or breaches basically cyber security today is a shared responsibility and it depends on all employees of an organization too don't take my word for it again but take a look at the Data Breach Investigations Report and this one is the one from Verizon so Verizon measured the regularity of cyber incidents and breaches of last year as of every year but last year they found out once again that in 22% of breaches the tactics that were utilized involved social attacks which means attacks to humans the human perimeter that we were talking about and not only
22% involved social attacks, but 30% of the breaches that happened last year involved internal actors. This includes either social engineering attacks or internal actors that acted willfully, which means they were insider threats. But in any case a good percentage involves employees, and it will keep involving employees, because right now it is one of the weakest points that we need to work better with and develop. What we talk a lot about is security culture, and I'm sure you have heard the term as well. But what is security culture after all? By definition it is the ideas, customs and social behavior of a particular people or society, in our case the employees of an organization, that allow them to be free
from danger or threats and in effect protect their organization as well. In other words, it is the way things are done around here. You enter an environment and you can pretty quickly tell how things are done around there, and let's be honest between us, you start following the norms of your environment. We all do that. So it plays a huge role and it is very, very, very significant. However, as good as it is, it comes with a challenge, with a few challenges. Yes, security culture enables and strengthens the human perimeter against cyber threats, and it does enable business operations, it does keep the organization more secure, but on the other hand your organization is like
this big black circle that you see on your screens, and you and your security team are only a small part of it. You are the small dot in this bigger circle, in this bigger interaction of departments. So suddenly we have one department, our security department, having to influence all the other departments and the way they interrelate with one another, and it is a big task. However, it is doable as long as you adjust a few elements in the approach, like Mr Johnston did, and it is necessary. What are the challenges? One of the main challenges is the employees' competing priorities. We will talk about it a little bit later in more detail, but basically it means: what
are the norms of the organization in terms of priorities? Is it security or is it productivity, for example? What would come first if somebody had to choose between the two? Second, it's, I'm sorry to say, the inappropriate security awareness trainings that create desensitization, that create the mentality of "it will never happen to us, this is not relevant, it's not going to happen here", this type of mentality, or overwhelm so much that they simply create security fatigue. This usually happens when information security awareness trainings are very generic. They feel like they do not apply to the realities and the lives and the corporate culture of that specific organization, and therefore people just
look at a series of (some of them are random, some relevant) videos about security dos and don'ts, and in the end they just decide to dismiss it all because it doesn't feel like it relates to them, or they just get too tired, or they get the third bullet point, the mentality of inevitability. They come in contact with so many different threats that they think it's inevitable: I cannot do anything about it even if I try and put all this effort into learning how to apply best practices, and there are just so many things that can happen that I just play a very small role in it, and I better look at
how I can do my work faster and better than I start bothering with security at all. And of course last is the whole factor around COVID-19, this pandemic that influenced the cyber security culture and mainly the whole organizational culture, because you simply just cannot do too much if you do not come in contact with people anymore, if you do not see them, if you do not talk to them, and you have to stay stuck with Zoom meetings. But we really hope that the situation will change soon and we will be able to again have organizations that intentionally are able to build their cultures in a better and more effective way. Now, we have the challenges, but we also
have some support from behavioral science in terms of how to change the behaviors of people, and here comes the theory of planned behavior, that basically says that the behavioral decision making is based on how beneficial a certain action would be to me. So really we all think: okay, if I do this, what's my benefit? What am I getting out of it? If I put the effort, what do I win out of putting this effort? So if we think that something is positive and beneficial to us, we are more likely to do it, and even more so if we think that our significant others, and especially our peer group, our co-workers, our teams and
leaders, are also in favor of us performing this behavior: they will support it, they will like it, and it will be viewed in a positive way. So as long as we have these two factors together, our intention to do something, or in other words our motivation, will also be higher, and the likelihood of performing this behavior will increase as well. So, very well, theory of planned behavior, but there is another factor: the person needs to feel capable of performing this behavior, the rule of self-efficacy. Okay, I want to do it, I want to be viewed in a positive light by others by doing it, but can I? Or is it too complicated? Am I able to perform
this action and follow the steps, or not really? Is it too complicated, too hard, too many obstacles, I don't know, too little training? So other behavioral models agree, for example Fogg's very well-known behavior model, which