
Proving Ground — Wednesday

BSides Las Vegas · 2023 · 2:17:27 · 284 views · Published 2023-08
Tags: Style: Talk

About this talk
BSides Las Vegas 2023 - Proving Ground - Day Two
00:18:30 - The Birds, the Bees, and the CVEs: Understanding the Novel Vulnerabilities in Critical Infrastructure
00:49:00 - The Brazilian DeepWeb. How Brazilian fraud groups work on Telegram and WhatsApp
01:23:00 - Shining a light into the security blackhole of IoT and OT
01:54:35 - Building a Culture of Cybersecurity: A Case Study Approach to Enhancing Risk Management
Transcript [en]


Okay, this is great. Hello? It should work. Is it very low? If I... no. And that's very much... how do we make this work? Hello, hello. Oh, come on in. Good morning, Sam Humphries. All right, everyone good? Let's press the button at the back. Are we good? Are we live? We're streaming, we're on the internet. All right, good morning, BSides Las Vegas. Hang on, I got a script. So good morning slash afternoon, and welcome to BSides Las Vegas Proving Ground. Underground? We're Proving Ground this morning, I feel, with something. Okay, welcome. You want to come and grab a seat? We are live on the internet. Please keep your clothes on, please really do that, it's early and

I've only just eaten. Okay, so we're opening proceedings today with a man who is a pun... not actually a pun... that's a pun. Yeah, I was going to make up a fun fact about Ian Deason, but he's... you are very fun. You're having a little bit to the mind, just a little bit. Then, cool, cool. So your talk is, well, it's on the screen, but for those of you who'd like me to read it: The Birds, the Bees and the CVEs. So a quick couple of things: got to thank the sponsors, because they're amazing. Diamond sponsor Adobe; Gold sponsors Prisma Cloud, Semgrep, BlueCat, PlexTrac, Toyota, ConductorOne. I was only supposed to say three of these, but thank you to all

of them. It's their support, along with the other donors and volunteers, that makes this event possible. Please turn your phones off, it's just kind of polite. And we're not Underground, so I think you can take photos. You're right with photos, but please just don't take photos of random people without asking them. And are you good to go, my friend? Excellent, over to you. All right, thank you so much for that fantastic introduction. So again, the title of my talk is The Birds, the Bees and the CVEs, or Understanding Critical Vulnerabilities to Critical Infrastructure. My name is Ian Deason. I'm with the United States Cybersecurity and Infrastructure Security Agency,

specifically. Why this is The Birds, the Bees and the CVEs is because when a security researcher and a product security team love or hate each other that much, that is how a CVE is born. You may be noticing throughout my presentation there are many, many stork images, where [inaudible]

[inaudible] the government discloses vulnerabilities. Just quick, raise a hand... yep.

You see? Yeah, so that's actually another way. So, and if you... can be able to get a lovely sticker package. Thank you so much, that was you, thank you, Merry Christmas. So one thing that's important on why we're trying to... so my take as well is one of the reasons why we want to make sure that [inaudible] today. So Josh Corman talked about Presidential Policy Directive 21 a little bit. These are some of the authorities that we have to be able to work with in critical infrastructure and federal government, on how we're able to manage the risk and strengthen the resilience of the nation's infrastructure. We're able to reduce vulnerabilities and

be able to hasten response. So I'm going to talk a little bit specifically within the context of vulnerability disclosure, on how we're able to hasten that response. So there's different ISO standards. So this is a very... a bird's-eye view, if you will, of some of how we are able to conduct our processes. There's ISO standards behind this; the CERT Coordination Center has written a fantastic guide, but this is a very quick and dirty for those folks that might not have heard this before. So the first phase is where there's going to be the vulnerability that's discovered, whether it's by accident, whether it's through research. Either way, that information is there,

there's some sort of weakness to that particular software or hardware that's documented and is shared. So that would be where we'd go into the coordinated disclosure phase, and at that point there's a validation of that vulnerability. Whether one researcher finds it in an isolated environment, it needs to go to that product security team to make sure that yes, they are seeing what is true, yes, this is truly a vulnerability. One of the things behind that coordination as well is a lot of times it's not a handshake. A lot of times people are reaching out with a hand, and they're getting

threatened with a lawsuit. So this is a little bit of reality. Some of what CISA does in our mission is we are able to be a third-party vulnerability disclosure entity. What that means is if people need help, we are able to assist. And one thing as well, specifically within this phase, is the timeline can vary drastically, where some of the cases I've specifically supported have had timelines of about a year to two years, where some were within 30 days. So ultimately, once there's some sort of agreement between the two entities or three entities, there's going to be some sort of patch or mitigation phase. So a patch, depending on the system... so if

we're talking critical infrastructure control systems, that patch cycle is going to take a little bit longer, because they're not going to be having them on a rolling basis. Some patch cycles are happening quarterly. Sometimes you need to be able to bring staff on site. Some of these systems are underwater, some of them are in outer space, so you have to be able to do a little bit more coordination, you have to prepare a little bit better. Also, when it comes to the mitigation phase, not all patches will be a mitigation. Some mitigations are: destroy the device, buy a new one, the firmware is broken. So there's other things people need to understand, and

then finally, for the last phase, this is where we become instrumental, is where we're using our megaphone and we're able to get the word out. We are able to get the word out to people that might not have access to a threat intel platform. We're able to get that information out to people that need to understand the risk of what their products are, so they can be able to make those decisions on how to best safeguard their communities, how to best safeguard their enterprise, whatever type of operation they're trying to have. We're there to be able to support them. One of my takes when it comes to

the whole idea of coordinated vulnerability disclosure: there's a sense where there is coordination involved, yes, with all of them, but not all of them are organized. So we try to make sure that we're bringing that reasonableness and that organization that it needs. So that's a little bit higher level on the process, but why does this become so difficult? So that was a pretty easy... well, it wasn't really a flow chart, but why does this become so difficult, and why does this become so critical? Where I want you to kind of think of criticality not necessarily as whether something can be remotely exploited, whether it's a CVSS score of a 10, but think of

criticality as critical thinking. How much time do you need to think about these problems? How much creative thinking do you need to be able to do when you're tackling some of these problems? Because one of the things I'm going to be doing is there are five different examples that I'm going to be sharing with you, and in each example I'm going to tell you the fact that you can't really have a set playbook for everything. You need to be able to be creative, and you have to be able to think on the fly. All right, so I'm going to have a quick example of: what if there is a

vulnerability that gets shared with you and it's literally everywhere? So this was an advisory that we released about a year and a half ago. When we first received this report, the idea behind it was this was going to affect billions of different devices. So this is going to be affecting different real-time operating systems, or RTOSes, which are used in cyber-physical systems. Some of these products you can see right here, or can't really see, but some of the products were products made and maintained by Amazon, which is one of the largest companies on the planet, where others were smaller projects managed by one to two people. And this becomes very difficult, because

if you're thinking of a specific vulnerability that affects a memory allocation function and this number of operating systems, are we going to be targeting that operating system during the mitigation and patching phase? You have to be targeting where those actual products are placed; you have to be able to work downstream. So when we started our coordination, we contacted the vendors of these different technologies. Not all of them were based in the United States, they're all across the world, and it became really clear that there was a lack of supply chain visibility that really came behind this. Because what happens is, if you have this small RTOS that is put into a smaller component,

which then gets integrated into a larger product, which then gets sold to a system integrator that, you know, will create an HVAC unit or something that gets integrated into a submarine that gets sold, and then there's a maintenance contract that's put on top of that. So there's layers and lawyers and layers of obfuscation where you're trying to understand and enumerate what the problem is behind one vulnerability. It becomes near impossible, where not all these things are going to be IP-based. You can't search on Shodan for some of these things, because a littoral ship isn't necessarily going to be able to show this. There is market data

that you can purchase, but unfortunately it tends to be really expensive, and if you're trying to just simply understand what that impact of the vulnerability is, it can take lots of time, effort and a lot of thinking. This specific case actually took us over a year from the moment that we received the case to the moment that it went public. And one of the things behind it, where people start to get a little bit... is when it's starting to affect OT, IoT, industrial, medical and enterprise networks. When it is so many different devices, it gets very difficult to understand what it works with. Specifically, I'll say that we are

working with initiatives within SBOM and another initiative called VEX to kind of help with some of these issues. So I'm not going to get into that within this talk, but there are very smart individuals we have at our organization that can speak to that. The second one I'm going to bring up is: what if a vulnerability specifically gets attention? So in this case, this is another advisory we wrote for a product called the MiCODUS MV720, which is a GPS tracker. So this particular GPS tracker is an aftermarket automotive part that you're able to put into your car, and you can track some fuel, you can track where the car is. It gets

integrated within the greater vehicle itself. When we first received this case, didn't see... it was bad, but the use case behind it, there wasn't the proof of concept available at a specific car, so it wasn't going to be at the level of other particular car hacks that we've seen, where they're able to physically stop a car driving on the road. However, this got a little bit more spun up when the Associated Press picked it up. So what this means, for those folks that have not seen this before: the Associated Press acts as a larger seed, where smaller news outlets can take the information

behind it. What specifically happened with this one, and you might be able to see the title, "Researchers: Chinese-made GPS trackers are highly vulnerable." That's not going to be telling the whole story behind, you know, what is actually capable with this vulnerability. They're seeing the fact that there is another country that is able to try to hack into GPS systems. One of the things I've specifically learned with this case is the fact that, many times, security research companies, and this isn't for any of them or for all of them, but they're able to hire PR firms to do media pushes, and this is where there's this context

behind where a vulnerability tends to get more attention if it's able to get more clicks. So that's just an interesting way to take where the fantastic research is being done, but sometimes that message becomes a little bit different. And specifically with this one, I did receive lots of different questions from private industry and other parts of government, to say how many cars can be hacked right now, which I was not able to answer. All right, here's another one, which we heard a little bit yesterday: what if there's a vulnerability within medical devices? So this can be touchy for some people.

So this was a medical advisory. I don't know how many people have heard of the Hamilton T1. Some people know what this is, because this is a ventilator. Another thing I want to show is the fact the date is February 16, 2021, which was right in the middle of the pandemic. So again, this is a vulnerability that, if you look at the CVSS, you know, take it or leave it, however, a very, very low, not a very critical vulnerability. But the fact that this was a vulnerability affecting ventilators during the pandemic, where there's supply chain shortages and it's a literal physical-harm type of element behind it, people are a little bit more

cautious of these types of vulnerabilities. So this was something we did get a little bit more questions on, just based off of the type of technology and how it was affected. One of the things that we have to be able to help with these types of vulnerabilities is we do have a memorandum of understanding in place with our partners at the Food and Drug Administration, also within the U.S. federal government, where we are able to share our vulnerabilities, before they're public, with the people that know how to fix them. So what that means is they have different capabilities, whether it's cardiologists, whether it's other people that can test these medical devices, which are meant to

treat or diagnose diseases or injuries. They're able to go in and give that proper patient safety impact that we can't do, because I don't have a medical background; I'm not the best person to make that assessment. All right, another vulnerability that we have is: what if it's affecting an open standard? So this was... I had to look up this vulnerability before I took this case. So the Object Management Group has something called the Distributed Data Systems, so this is a middleware component that's going to be used to handle the reliability of control systems over wide distances. So it's a

very... it's just kind of a way to link different architectures. So it's a little bit different, because there's already this idea of different locations, and this is an open standard. How do you fix something when you're not telling one manufacturer, you're not telling one software developer, "here's the bug, how do you fix it"? You have to talk to a consortium, and people have been working on the standard for years to build other technologies. So we did what we did; we ended up writing an advisory behind it. But one of the secondary impacts behind this was not only did it affect multiple technologies, but the fact that

if you did a very quick online search, you could see that there's very, very highly critical pieces of critical infrastructure, whether it is a large dam that's up in the United States, or the fact that the International Space Station happens to be using this type of technology. So this is going back to this idea of: even if this is a very niche technology only a few people understand, the fact that it's used in very highly critical systems is going to give this a little bit more attention. And so, as though my last example, so I've given different examples of the news, we've given different examples, but what if it all happens at once, with

exploitation? So yeah, we have that one, we have Log4Shell that happened, which for many, many instances, not only is it critical on the fact that it was mass exploitation affecting all realms of enterprise as well as critical infrastructure, this also happened during the holiday season, where many people happen to have time off. This is also during the surge of the Omicron variant of COVID, which also hindered teams. This was also used in open source, which just also made it difficult. But I will say, after working with several different teams on the response effort, it was a fantastic job, and there's certainly a lot of lessons learned.

So we've learned a little bit now. So vulnerabilities can really be anywhere; they can affect up to billions of devices, so one CVE could be up to, like, billions. The media can give attention to things that might normally not have gotten that same attention. The public can be very sensitive to medical devices, or things that they understand, such as cars, vehicles, things that they know, tangible items, you know how to express harm. Standards can really, really increase the amount of complexity when it comes to response, and it all can happen at once. So what are some things that we can do to help? So I'm going to talk about three

different strategies here, and some of these things were discussed yesterday, where you can add a vulnerability disclosure policy, you can either become a CVE Numbering Authority, or you can have kind of tailor-made vulnerability response processes. So if you do make products, so if you are making code that's being sold, one of the things that we highly recommend is that you become a CVE Numbering Authority. So what that's going to do is that's going to allow you to assign your own CVE IDs. It's going to also allow you to tailor what your language is, so that way, when you're

trying to own that vulnerability information, own the rhetoric behind it, this is the first step. They do have a few different barriers of entry: making sure that you have a public... that you're showing your publicly facing vulnerability information, which already is something we're already wanting people to do, and it also is showing the fact that you have, a bonus, a vulnerability disclosure policy allowing good-faith researchers to reach out to provide these services to the company, because oftentimes, if it's not explicitly known, organizations and researchers reach out to us to serve as that intermediary. CISA is able to help with

that. Julia's in the audience as well, so she can also assist you if you have more questions on that. But also something that I had highlighted earlier: if you do have a business, have a vulnerability disclosure policy, because that's going to be one of those things to allow good-faith researchers to allow this work to be done. If you do have those website misconfigurations, it's going to be more helpful to have people reaching out under... with... people are going to be more willing to work with you if they know that they

have that there, rather than, you know, the byproduct, where there's some sort of exploitation that can happen. That is something also we can help you with at CISA. And also, if you do have vulnerability response within your vulnerability management program, have different plans: whether you're receiving a pre-disclosure vulnerability, whether you're receiving a zero-day, whether something is exploited, have different plans and playbooks for each. So one of the things behind it is: think about driving what the consequence-based analysis is. So if you do have those cyber-physical systems, if you do have medical within your networks, think

about what those worst-case scenarios could be. Think about how, if there was the adversary that did breach your network, what are those different things you could do? Brainstorm those types of ideas, write them down, and then think about them and be able to make risk-based decisions when that happens. But ultimately, one of the things I want people to understand is the fact that not every vulnerability is the same, and you should be prepared, because there's a huge data management problem behind vulnerabilities. And we at CISA do have the Known Exploited Vulnerabilities catalog to help with kind of that data

management problem. But there is understanding the depth and breadth of different systems, and as there is an interoperability of cyber and physical systems, just have a very good idea of how things can be affecting other processes. But again, as I mentioned earlier, this seems daunting; we can help. Yes, those are two storks, give me a high five. There's an email there if you want to reach out; we're definitely able to reach out, or feel free to reach out afterwards. Also, for those of you in the audience, we are actively hiring, so this is just a pitch. Folks, you can take a picture if you're...

We have specific job announcements for Black Hat, DEF CON and BSides, so feel free to check that out. But yeah, that is all I have. Thank you, everyone, thank you to the Proving Grounds, thank you to my mentor Mainframe, thank you to the organization for bringing me out here, and hopefully everyone was able to take something back with them, bring them to your organization. But thank you again. [Applause] Well, thank y'all. Hello, that was amazing, really good, and excellent keeping to time as well. So now that it's up to me... but I think you can come back at some point, because that was awesome. [Applause] All right, we don't have time for

questions, so unfortunately I need to get the new speaker on, but will you be hiding somewhere? Yeah, I'll be outside if people have more... or not more, I have more stickers, if you like stickers. But if you have questions about anything, I'll be outside just for the next while. Amazing, thank you. Yeah, of course, thank you, thank you, friend, thank you for... thank you.


[inaudible] from Las Vegas. All right, good morning slash afternoon, I know it's morning. Welcome to BSides Vegas. This is still Proving Ground; if you were here from before you'll know that, and if you're new to the room, welcome. So second up on the track today we have Thiago Bordini, who is going to be... there's this big title on the screen, Brazilian Deep Web. I'm very excited for this; that's something I know nothing about, so it's gonna be great. Before you get going, quick thing, we need to thank sponsors, because sponsors bring the money. So we'd like to thank our sponsors, especially our Diamond sponsor Adobe and

our Gold sponsors, choose three. I'll do all of them because I like sponsors: Prisma Cloud, Semgrep, BlueCat, PlexTrac, Toyota, ConductorOne. It's their support, along with our other sponsors, donors and volunteers, that makes this possible. Thiago, my friend, the floor is yours, over to you. Thank you so much. I'm a first-time presenter at BSides, the first time presenting in English; my natural language is Portuguese, because... and many words lost during the presentation. But I talk about then how Brazilian guys use OPSEC for a bit escaping the IP address or tracking for cyber investigators, okay? But my first name is Thiago Bordini. Today I'm head of cyber threat intelligence

in a Brazilian company; the name is Axur. And today I'm one of the guys who organizes Security BSides in São Paulo; I invite all to participate in the next year. I'm speaking in many events in Brazil and other countries, and a professor for postgraduate courses in Brazil. But I talk here because the cybercrime is not about me: what challenged the cybercrime in recent years, and I believe in the next years, okay? The first problem is relating to law enforcement tracking the cybercriminals, because one guy is in Brazil, another guy is in Russia, another guy creating the provider in USA, in the crime, unique for... the problem. Cybercrime today uses the emerging

technologies. In Brazil the most common: guys use AI to create a deepfake to bypass selfie recognition, bypass onboarding bank accounts and bypass 2FA authentication. And 5G networking is another big problem; it's different, because the traditional investigators, the law enforcement, need to learn again, because one guy does not work at the same time... in the cyberspace the cybercriminal works differently, okay? And after the COVID pandemic, I talk in the... all crime working in the home office, I mean, same day all peoples. And another problem, because basically in Brazil the law enforcement agents not having people's technology; it's a big problem. I think, talking one

guy, I mean cyber investigation, disability investigating to nothing, and do not identify the ISP related to the IP address, for example. Hey, what? The law enforcement do not identify one IP address? It's very easy, but then one problem in Brazil. And then another problem: establishing the public sector and private sector join for cooperating and share information relating to this cybercrime, because today it's very necessary. The current scenarios involve the data breach attacks, involve attacking focusing on the financial transactions, and today the attackers, threat actors, know the business and the application. For me, it's very important information, because this knowledge is creating most sophisticated attacks, because not using just technology: the threat actor knows the business, you

know the process, you know our role involved in the financial transaction, that is creating the many things ideal for creating many types of fraud scams. And in Brazil it's very abusive uses of social engineering techniques; in Brazil the guys is very good. For example, one Brazilian malware is most common 200 megabytes, like a service pack, for analyze. And that, but this social engineering involved in the all process is very complex: involves a fake number, involves a fake SMS, fake WhatsApp, a fake website for creating the... [inaudible] The current, then, Brazilian is most common creating the guys creating the malware focused in the

ERP, CRM and other applications like SAP, Salesforce, anything; not like malware created for Windows or Linux or macOS, just malware created for attacking the application. It's a very important information. But what about the TTPs of attacks? Many people think that threat actors work only in the deep web, but in Brazil it's very, very different, because the most common threat actor focus in the cybercrime and throughout the scams talking about, just subjecting in the WhatsApp, Telegram, TikTok, the most common Instagram, and all social medias. For example, my company collected today more or less 3 million WhatsApp messages per day, only cyber fraud groups. It's a very, very volumetric data, and

just samples. The first, sorry, because the print screen is right in the Portuguese, but the first print... for the screenshot, he liked the fraud that focus on the Coca-Cola. If the people send the message, the German peoples, the Coca-Cola saying that the guy won a refrigerator, whoa, what the hell. And that's something, example, is many common in Brazil: the guy got the WhatsApp picture, create a second number in... and send to many contacts: "Hey, mother, I changed my number, it's my new phone number. How are you? I locked my account to banking, I need to pay one bill online, I need... my friend, is possible you create a financial transaction for me?"

"It's, thank you, 100 reais." And many peoples just trusting the message, do not check if the real number is correct, or "hey, my daddy, did you change your phone?" or nothing. I talked for my students, and the many peoples lost the smartphone... is a phone, because, hey, the column...

Okay, interesting, very good. And the other problem, oh sorry, there's lots of water to me. WhatsApp is... sub requirement is talk about the cybercrime in many WhatsApp groups, it's very common. WhatsApp groups is very common, you buy or sell anything: credentials, fake documents, fake abuse scams for bypass 2FA authentication. In Brazil is common using the "orange" account banking, like a fake account banking, used for money laundry. And one guy creating a bank account just for money laundry, it's a big problem in Brazil, because our peoples create is a business: one guy buy, for example, one people in dollars, two hundred dollars, for people creating in the 10 banks as

same account, but this account is just used for money laundering. And it's reinforced then partnership between the private sector and the public sector for share information. And the second slides, for example, year by the driver license, fake driver license, and faking and financial transaction bill, [inaudible] fake credit cards and anything, drugs and guns, anything, people's credit cards, the basic information. So not interested all day I see many messages. So, like as, and what protection does the guy use? I think is in the OPSEC: are VPN, proxies, cloud computer, nothing? The first experiment: I have three questions for response. The first question: if the OPSEC is different between the WhatsApp guy,

Telegram guy or Discord guy? Is I have an OPSEC difference between the platform, or the same? It's the first question. Second question: the threat actor typing: if the threat actor focus on the malware development, have what type of OPSEC? Then a guy creating just create an efficient scam, what the OPSEC the guy? It's the second question. And how many threat actors use the OPSEC, and what most common OPSEC used for all guys? Start my research focused in Brazilian groups and the strategies involved the web link

a Tracker okay a starting conversation just guy just guy selling fake money okay if you buy 100 you receive 1000 in the paper money uh I talked to this guy hey I need to buy your money but your money is dressed or not because I buying they are not our guys not trust me I'm I think money I buy I send it to guy one link after guide just clicking the link I collect the all information the guy for example IP address uh shell location IP um user agency operation system anything for my surprise it's just guy not using VPN not using proxy or relay hosting anything oh God this is very good uh it's possible identified

the operating system, browser, anything. Just GeoIP, related only to the IP address, okay, not GPS. Okay, in Brazil we have a financial transaction, the name is Pix, like an instant financial transaction. I believe in the USA you have the same technology but with another name. With Pix it's possible to send money to people using their cell phone number, email address, CPF (CPF is like a social security number), and then you have two random keys. My first thought: hey, could the guy not use OPSEC? It's possible this guy used this same phone number for creating a bank account. Okay, I tested, and to my surprise the guy created this

bank account with the phone number, and it exposed: this is the bank here, the name of the guy here, the social number. Okay, for Brazilian compliance, Brazil has the LGPD, like a GDPR; obviously it hides the three first numbers and the two last numbers of the social number, but if you have the six middle numbers it's possible to identify the guy in many data breaches. Okay, I got this number, checked data breaches, and all the data is here: this guy's address, full name, date of birth, phone model, phones, emails, employers, anything, social media. It's good. That's not the case, I think, in the second threat actor: just a threat actor selling a scam for removing the two-factor authentication in

the banks in Brazil. For example, in many cases, if you are installing it on the cell phone, the guy removes your second-factor authentication and enables two-factor activation on another device, to access the bank account and then move all the transactions. The same social engineering: "hey, just working, I have a big database containing social numbers (CPF) and passwords; 50/50 business, I send my database, if you remove the two-factor authentication, all the money obtained from the scam is split between me and you." "Okay, okay, oh, I sent you my database." Okay, another fake database with an IP tracker. To my surprise, again, the IP address

and provider, user agent, and the phone number, phone model. In the last one: is this IP a VPN, a proxy? What do they do? Nothing; it's a clear address. Okay, I think: oh, guys are losers, or know this. Okay, I simplified my research: just create a fake database, a fake credential database, and another database with credit card numbers, and distributed two links in many groups: "hey, just a free credential database for use", and then "free database for credit cards". Okay, and to my surprise again, many guys clicked the link, and I collected all the information:

the IP addresses. Collecting, many persons did not have any OPSEC involved, just a clear IP. Then five persons using VPN and three persons using hosting: the guy using a cloud computing instance, Amazon, Google Cloud, anything, to access Telegram or WhatsApp Web. Okay, but then zero guys using proxies or Tor. Okay, good for the investigators, but I think, is this just the Brazilian scenario, or is another crowd the same or different? Okay, I sent the same link to groups involved in Latin America, not including the Brazilian groups, in WhatsApp, Telegram and Discord. The results were more or less similar, with a small difference, because the Latin guys, 68 percent not using anything, just a clear

IP; the guys using VPN increasing to 31 percent. Important information, because then I think: Brazilian threat actors do not use OPSEC, because they have nothing to worry about, or it's just common, or they are not using it because they do not know the OPSEC methods. Okay, I think, many links. I'll show two interesting cases. This guy clicked the link, but if you check the GeoIP of the IP address, GeoIP points to Paris, but this guy permitted not just collecting the IP address but collecting the GPS coordinates. It's good again, but if you check the GPS coordinates, they point to Curitiba, where the guy lives, staying in

Curitiba or Paris? If I check the IP address, the IP address belongs to a VPN provider. In this case it's possible the guy used a VPN to access the link: the VPN node in Paris, but the real location of the guy is Curitiba. Okay, and then the other case: this guy permitted me to collect not just the GPS coordinates but a selfie. For law enforcement this is very good: you have the IP address, you have a geolocation, you have the phone model, you have the selfie of the guy, that's it. The next day morning: "hello". It's not a unique guy;

I have more or less fifteen guys that permitted collecting the GPS and the selfie; I have many selfies of Brazilian threat actors. But the points of the research: in two hours I collected 215 unique IPs, seven using VPN, 80 using cloud hosting like VPS, zero using proxies or Tor. And I did not identify a principal difference in OPSEC between the threat actors, the malware developer, the phishing developer; all the guys are using the same method, the same OPSEC method. And the scenario repeats between the platforms: the guy using the same OPSEC method in WhatsApp, Telegram and Discord. Okay, and last, the most concentrated IP addresses

collected are concentrated in the highest economic concentration in Brazil: São Paulo, Rio de Janeiro, Portola; it's the states concentrating the economy in Brazil. Okay, but the recommendations for our threat intelligence profession: because if the guy fails in OPSEC, the cyber threat intelligence analyst can fail with the same problem working in the opposite direction. Always validate all aspects involved in the OPSEC: if you have DNS leaking, if you're using VPN, if your VPN does not leak the real IP, or is leaking the real user agent, because then the other guy is not a kid today; the threat actors in Brazil are crime organizations, the financial

they use the money obtained from the frauds to move drugs, guns, people trafficking and many other problems. I don't have a gun in my house, but the guy has a gun; if the guy gets my real IP address, it creates a real threat for my person. OPSEC is very important for our CTI professionals. The second lesson: one small flaw can compromise in many cases an entire investigation, because if you lose one opportunity, the opportunity is lost and they return to the first step again, an infinite loop. In all cases I need to validate our OPSEC. For law enforcement it's good, because then

if law enforcement applies the same techniques, it's possible to obtain good results, because the threat actors are not using, or not appropriately, the means to hide their tracks or traces in cyberspace. In many cases the threat actors have the same fails, the same problems: for example, the guy uses VPN but permitted the selfie and permitted collecting the GPS coordinates: hey, you do not use OPSEC correctly. Okay, and in Brazil we have many problems collecting: for example, if you need to find one guy, the police send the IP address to the telco, and the telco in many cases returns the data related to the IP address in more or less six months.

The next month the guy is lost in another country, another part of Europe. Then I think the same strategy could work for mapping cyber predators, because the cyber predators (I tried another experiment with predators) are not using, in many cases, OPSEC, and they permitted collecting the GPS, collecting the selfie. It's good, because that's a big problem in our world. Okay, to finish: most threat actors are not concerned about OPSEC in the Brazilian scenario, in punishment for example: if the guy goes to jail, this guy is staying in the jail for one or three months, it's not a problem, because then he uses three months for

creating a new fraud scheme, creating a new technique, anything; it's just a research period. Okay, if it's your first time in jail, you don't need any time; you just go to the police, sign the document, okay, you're free. Okay, prison is very mental. That's it, you guys, thanks for the opportunity. [Applause]

That was amazing, first person texting in English, oh wow, just so good, so good. And opportunities to be cyber criminals in Brazil apparently are available; don't do that though, that's illegal. That's for you, thank you very much, thank you so much. Will you be around if people have got questions? Yeah, yeah. Cool, cool, so if you, yeah, we

can grab the next speaker. Who's my next speaker?

We are live on the internet, live from Las Vegas. All right, go quick, Sam. Right, good morning, afternoon, welcome to BSides Las Vegas, track name which is Proving Ground. Right now this talk, it's on my phone, hang on a second, it is Shining a Light into the Security Black Hole of IoT and OT. This is Huxley; he's with a big round of applause. Real quick I gotta thank the sponsors because they give us money, right? All right, quick thanks for sponsors: Diamond sponsor Adobe; Gold sponsors Choose Three, Prisma Cloud, Seven, Grab, BlueCat, Brexit, Toyota, Conductor One. It's their support that helps it all happen. Thank

you. If you're a sponsor, a donor or a volunteer, you're amazing. Huxley, it's over to you, my friend, let's go.

Great, thank you very much. All right, so hi everybody, my name is Huxley Barbie. I'm the only Huxley Barbie you're ever going to meet, and I am the lead organizer for BSides New York City. Really happy to be here with the mothership in BSides Las Vegas, really excited about that. And I'm also the security evangelist at runZero, but more relevant to this talk, I've had a long career as a security consultant, and most of my clients had just IT environments, but more than a few have had OT environments as

well. And specifically, I have had customers in manufacturing, transportation and higher education, all of which often have OT environments. So these environments include a lot of factory devices, bus or rail station equipment, campus facilities, and so on and so forth. So much of what we're going to discuss here today falls under the category of Critical Infrastructure and Key Resources in the United States. By the end of this talk I hope that you will want to know more about OT than you did before, you have a few pointers on where to go to do your own security research on critical infrastructure, you have an understanding of the challenges of scanning OT networks when you're trying to satisfy CIS Control number one,

and have a few ideas on how to overcome these challenges. Also, I'm giving out cash as part of this, very exciting. All right, so when we think of compute we often think about laptops, servers and databases, and this is what we would call IT devices, but this only represents a small percentage of the devices, the chips, that are manufactured. I saw this one statistic that says 90% of chips that are manufactured go into embedded devices, IoT and OT devices, so it's a much larger landscape outside of IT. Some of these embedded devices are IoT devices, which have a huge variety, right? We often like to joke that these days even a coffee mug is on

the internet, right? So that would be an IoT device, but it also includes random little stuff like printers, IP cameras, home automation like your Nest and whatever, as well as even power supplies. Some of these embedded devices are known as OT devices, operational technology devices, which operate our factories, our water treatment facilities, recycling plants, oil refineries, gas pipelines, all sorts of areas that are called CIKR, Critical Infrastructure and Key Resources. Now, two points of clarification here. In this talk I'm using the term OT; you can think of it as synonymous with ICS, industrial control systems. The second point of clarification is you'll notice there on the lower right I have a medical device. Oftentimes people call this IoMT,

Internet of Medical Things, but with the role that IoMT plays and its usage pattern, it actually fits under the OT category a lot better. All right, so obviously in this talk I'm focusing on OT and some on IoT. Most of us are not familiar with OT, so I'm going to go over that first, and then I will talk about how really it's not that challenging to go on the offensive against OT environments. I'll briefly touch on what other people do for defensive scanning, and then I will talk about the novel idea in this presentation, which is active scanning in OT environments, and then finally we'll take a look at what this

means for the IoT side. So even though many of our OT environments are considered critical infrastructure, they are shockingly unprotected. But what do I mean by an OT device? So let's take a look at that first. There's actually a huge variety in OT environments. It's not like IT, where most folks have a stock PC or a Mac with, you know, modular components; rather there are a lot of devices that are specially designed for a specific purpose: can only be used in an electrical plant, can only be used in this factory, and so on and so forth. I'm going to walk through an example with you to show you what I mean by OT, but just

keep in mind there's a lot of variety in OT environments. Okay, so what we have here is a water treatment tank. The contaminated water comes up from the lower left and it goes into the tank and then comes out the right pipe over there. What you see here are two different sensors that are attached to the right side of the tank. So when the water is below the lower one, the right valve closes, the left pump pumps, and so the dirty water comes in, and then when the water reaches higher than the higher sensor, the left pump stops and then the right valve opens up and it drains out,

drains out the cleaned water, after, like, an hour of just sitting there for the treatment. The pumps and the valves are called actuators, although out in the field you might find these to be integrated, so an integrated actuator and sensor; again, there's a lot of variety in OT environments. The brains of this operation is known as a PLC, a programmable logic controller, and again, lots of variety in OT environments: in an electrical plant you might have an IED instead, which stands for intelligent electrical device. There's an HMI, a human management interface; this is the panel that a technician would use to adjust the behavior of that PLC.

Think of the HMI not as a computer but more like a keypad of sorts, like a thermostat in your house; that's really an HMI. It's meant for that level of technician to operate it; it's definitely very locked down. PLCs are programmed with an engineer's workstation; this actually is a PC, although what you often find is they will be running things like Windows XP, old operating systems. Apparently, I was talking to somebody where he found like a Windows 3.1 on a particular engineer station. So this is one system, okay, and at a site you might find multiple of these systems all coordinating with each other through what is known as a DCS,

distributed control system. On the other hand, you might also have a deployment where these OT systems are spread out over a large geographic region, and that is organized into what is known as a SCADA, supervisory control and data access. With SCADAs you might actually have an RTU, which allows you to relay between PLCs back to some sort of centralized control center at the headquarters, right? So this is a quick tour of how a small part of an OT environment might look. So now let's take a look at what it means to secure OT environments and how that's different from securing IT environments. In IT we are concerned with the movement of data, but in OT you're

concerned with the movement of widgets and gears and cogs and things like that, moving of stuff, machinery. IT vendors will release products with planned obsolescence, right? So all of you have phones and laptops which are probably no more than three to five years old; on the OT side these devices just sit there pretty much forever in internet time. Yep. All right, here's the first question where I'm giving away money: what is commonly thought of as the triad of major concerns for any security program? There you go, that's yours. All right, so conventional wisdom in our industry says that these are the pillars of concern, and now arguably on the IT side confidentiality

tends to rise to the fore, right? Most companies, like an e-commerce site, they don't get sued if their e-commerce site goes down, they just lose a little bit of money, but if they lose PII then of course, you know, they're going to be investigated, they're going to be sued, there's reputation loss, and so on and so forth. On the OT side, though, availability is absolutely paramount; they will do everything and anything to avoid an outage. Right, now let's talk about why this is important. For a commercial organization, loss of availability means loss of revenue, right? Your cars are not being built in your factory, the gas

is not flowing, and so on and so forth. But also, for many of these critical infrastructure and key resources, they're regulated by the government, right? So for example Colonial Pipeline was fined a million dollars by FISMA because of an outage, right? So when they are not able to deliver that availability they can be fined by the government. If it's not a commercial organization but a governmental or quasi-governmental organization, what you have is a politician that doesn't want the bad press of that particular municipal service going down, and so on so forth. So, you know, for one of these reasons, availability is

far more important within that CIA triad. Nearly all IT devices run on one of these operating systems, and they're all time-sharing operating systems, but on the OT side there's far more variety of operating systems that are often real-time operating systems instead, which, you know, has real implications or ramifications for what happens when you contact it over the network and what it might do. OT devices are programmed in languages that I had never heard of before I started digging into this, right? Ladder diagram, I have to read this out, function block diagram, sequential function chart, and so on so forth. OT devices are almost never updated or patched, so this goes back to what I was

saying earlier: availability is the most important thing for these organizations; they will do everything and anything to avoid an outage, so they don't want to shut down for patching. They also want to avoid any potential extended downtime due to a bad upgrade or a bad update. Now you might laugh here that I'm saying IT is secure by design, but relative to the OT side, yes, it is secure by design. On the OT side, though, there's pretty much nothing, right? The moment you have access to a PLC you will have access to actuators and sensors and be able to modify its behavior, right? Many of these OT devices do not require authentication; many of

them are talking plain text over the network, there's no encryption, and so on and so forth. And frequently there is no governance in these organizations to remediate default users, default passwords, as well as default settings. Basically, once you get access you own everything. IT devices these days tend to have a lot of endpoint protection, or they're being scanned by vuln scanners, and even the network itself has some sort of network-level protection. In OT, some of the industries have started introducing controls and making great improvements, but in many industries there just still are no security controls at all. Traditionally, IT devices have had some connection to the internet, but

oftentimes OT environments were air-gapped. They were air-gapped, which explains a lot of what I've said so far, right? Security through isolation, right, not security through obscurity but security through isolation. So oftentimes people thought it was okay for OT devices to not have so much protection, because in order for you to compromise the IoT device you kind of have to walk up to it to do something to it. Now, traditionally OT networks had their own protocols, but, so this is the kicker here, starting around 2005, in order to be more operationally efficient, a lot of these organizations started connecting their OT networks to the internet so they could do remote management and things like that. So think

about it this way: if I have a valve on a pipeline out in the middle of Wyoming that needs to be adjusted, it's so much easier if I could just do that over the network as opposed to flying somebody out there in order to just turn the valve, right? So for operational efficiency this started happening, but up to 2005 security through isolation was the thing, and so that sort of curtain of air-gappedness sort of came down, and then that sort of exposed all these other problems that I mentioned so far. All right, here's the next question: what is the name of this model shown in

this picture? Yes, that's it, somebody pass that. Okay, so this is the Purdue model. It shows an ideal model of an OT network, or what it should look like, where there's different levels of risk and controls that are stratified for the sake of security, and you'll see here sensors and actuators are down at the bottom, field devices as they're called, right, and layer one you got the PLC, layer two and three you have the HMI, and so on and so forth. Now what's supposed to happen here is between each layer there's supposed to be some sort of security control that adjudicates communication between those layers. The other thing that's supposed to happen is

you should only be communicating with your adjacent layer; you should not be going from one to three or one to four, you can only go from one to zero or one to two, right? The other thing that you want to note here is the higher layers are very IT-ish and the further down you go the more OT it gets, okay? The other thing to note is the lower you go, the fewer security protections you have; you're going to find more security protection at the top. So what this means is, if you're going to make your way and infiltrate into the top, it gets easier and easier for you to get down to the

bottom, right? So once you're in layer five it's pretty much a foregone conclusion; it's just a matter of time before the adversary can get down to layer zero. So, sounds easy, right? Well, what if I told you it's actually a lot easier than that, right? So in this scenario I said you get into layer five, you work your way down to layer one and zero, right? But what if you could skip through all those layers and just go right to layer one over the internet? Wouldn't that be easier? Right, yeah, the answer is yes, it is easier. So remember what I said; actually, I don't know if I mentioned this, but no organization actually truly implements Purdue. That is

an ideal model that most organizations do not live up to, and so we have an example here of what is supposed to be layer 1 in Purdue, a PLC that is directly connected to the internet, so you can skip five through two and just go right to layer one. So now you might be thinking, well, Huxley, okay, fine, it's on the internet, but how do I log into this device, right, into the web interface on that device? Well, you know what you might want to do, aside from using Shodan of course, is you could just go on Google to find this PLC, as I mentioned. But if you want to log into it, what would you do? Well, would you

just go on the internet as well and go and find the usernames and passwords? Remember what I mentioned before: most organizations don't have the security governance to remediate default users, default passwords and default settings, which means what you're going to find on GitHub is probably going to work at least some of the time. Okay, it's all there. Here's another organization, SCADA StrangeLove; they're an independent group of security researchers; they also publish this type of information. So it's all there and you don't have to try very hard to find them. Now what if you have a situation where that particular device has been remediated such that it doesn't have default passwords, right? So maybe this organization did a little bit of

governance on these things and you can't just go find the default password and log in. Well, remember how I said earlier that OT devices are almost never updated or patched? So what you would do then in this case, if you can't just log in with a default password, is head over to CISA's website and find a vulnerability to exploit, right? They've basically given you a program roadmap of things that you can try out, because most of the devices are not patched; more than likely some of these vulnerabilities are going to work even if that device was deployed 20 or 30 years ago. And so now you might be thinking, okay, I see that, you know, I can probably have

some success with default usernames and passwords; if not, I have a vulnerability that I can probably exploit. But you might be thinking, okay, OT devices are so different from IT, do I need different tooling to exploit these vulnerabilities? Well, the answer is no, because with current tooling there are modules that you can use to go ahead and exploit those vulnerabilities. I hope that I have impressed upon you that there's a real problem here with our critical infrastructure and key resources. Some of you might be thinking, you know, I'm going to go back and take a look at my plan for going off the grid, because who knows, right? But the fact of the matter is any

organization with an OT environment should have a hard look at it. And I was being a little cynical earlier by saying, oh, the only reason that people care about availability is because they're going to lose money or they're going to be fined or it's going to be bad press, but that in no way discounts the importance of availability with OT devices, because many of our lives depend on water and electricity; we depend on electricity here in the city for sure, pharmaceuticals, and so on and so forth. So this is really important, that all of our organizations that have OT environments take a look at this, because our lives

depend on it. And arguably one of the first things you would do if you're protecting an OT environment is to figure out what you have, right? Many organizations in the past have tried using scanners like Nessus or Nmap to figure out what they have, which unfortunately generally resulted in major financial loss or major outages. These tend to not be published, for obvious reasons, but I'm sure you, speaking with your friends or others, might have heard about such things. For this reason security teams tend to use a passive network monitor, sniffing for traffic with a tap or a SPAN port, to figure out what's on the network, which is fine as long as you can access

enough choke points on the network. But let's take a look at this more closely, right? Suppose here you have a SCADA system that is spread across multiple sites, and all the communication at these various branches is backhauled to the headquarters. Well, in this case, you know, you will have access to most of the core distribution switches at the headquarters, and so therefore you can see all the traffic for the devices that communicate inter-site, right? But now consider this scenario, right, where the site-to-site communication is not backhauled through a central location but instead they can have peer-to-peer communication among these sites. Well, this is operationally efficient, right? And for these sites to be able to talk

to each other, they can be more operationally efficient, so obviously organizations are going to do this, but it makes it much, much harder for you to get enough choke points to figure out what are all the things that are talking on the network, and if you have hundreds of sites I guarantee you that it's impossible for you to get some sort of comprehensive asset inventory. So by sticking with a passive network monitor solution instead of active scanning, security teams are inviting these issues, right? Not only do they get an inventory that has gaps, but it's complicated to deploy. If you ever tried setting up SPAN ports at scale, I'm sure you know what I'm talking about,

and in order for you to collect all that network traffic you need to have these big, beefy hardware appliances, right? So just deployment-wise it's complicated, and you get poor performance unless you spend the money. And what do you get for all that? You get an inventory that has poor fingerprinting and has a lot of gaps in it; it's not getting all the devices, and the fingerprinting tends to be poor simply because the only thing that you have for fingerprinting is what's going over the wire, and so if a particular device is not very chatty, it's not giving itself up, then the fingerprinting tends to be vague or even incorrect.
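An added example, not from the talk, that makes the choke-point argument concrete: the same inter-site conversations are routed over a backhauled star and over a peer-to-peer mesh, and a passive inventory built from a single tap at HQ is compared in each case. Site names, links, hosts and protocols are constructed for the example.

```python
"""
Constructed comparison of passive-monitor coverage in a backhauled SCADA
WAN versus a peer-to-peer one. A passive monitor only learns about a
device when one of its conversations crosses a tapped site, and all it
learns is what that conversation carried.
"""
from collections import deque


def shortest_path(links, src, dst):
    """BFS over an undirected link list; returns the list of sites on the
    shortest path from src to dst, or [] if they are not connected."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in adj.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return []
    path, cur = [], dst
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return path[::-1]


def passive_inventory(links, flows, taps):
    """Build the inventory a passive monitor at `taps` would see.
    A flow is (src_site, src_host, dst_site, dst_host, protocol).
    Returns ({(site, host): {protocols seen}}, [flows never observed])."""
    seen, missed = {}, []
    for ssite, shost, dsite, dhost, proto in flows:
        path = shortest_path(links, ssite, dsite)
        if any(site in taps for site in path):
            for device in ((ssite, shost), (dsite, dhost)):
                seen.setdefault(device, set()).add(proto)
        else:
            missed.append((ssite, shost, dsite, dhost, proto))
    return seen, missed


def coverage(links, flows, taps):
    """Fraction of distinct devices appearing in `flows` that the taps observe."""
    devices = {(s, h) for s, h, _, _, _ in flows} | {(d, dh) for _, _, d, dh, _ in flows}
    seen, _ = passive_inventory(links, flows, taps)
    return len(seen) / len(devices)


# Constructed topologies: every branch links to HQ; the mesh adds direct branch links.
BACKHAUL = [("HQ", "A"), ("HQ", "B"), ("HQ", "C")]
PEER_TO_PEER = BACKHAUL + [("A", "B"), ("B", "C"), ("A", "C")]

# Constructed inter-site conversations (RTUs reporting to HQ, plus branch-to-branch control traffic).
FLOWS = [
    ("A", "rtu-a", "HQ", "historian", "modbus"),
    ("B", "rtu-b", "HQ", "historian", "modbus"),
    ("A", "plc-a1", "B", "hmi-b", "s7comm"),
    ("B", "plc-b2", "C", "hmi-c", "dnp3"),
    ("C", "plc-c1", "A", "hmi-a", "modbus"),
]

if __name__ == "__main__":
    for name, links in (("backhaul", BACKHAUL), ("peer-to-peer", PEER_TO_PEER)):
        seen, missed = passive_inventory(links, FLOWS, {"HQ"})
        print(f"{name}: {len(seen)} devices seen, {len(missed)} flows invisible, "
              f"coverage {coverage(links, FLOWS, {'HQ'}):.0%}")
```

With the tap at HQ, the star topology yields a complete inventory while the mesh leaves every branch-to-branch conversation unseen; taps at every site are needed to close the gap.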

so let's dig into the reasons why actress going scanning has failed in the past like so why why is it that there were all these outages when people try to actively scan the network and based on this sort of look in at that we will come up with the five principles of active scanning in OT and here is the next question packet 20 53 what do we call that like what does it has a name that's named after a holiday the interesting thing about 2053 is that the fin bit is on the push bit is on the um no he raises his hand all right there you go you got it um

all right so scanners like uh nmap and nessus they intentionally use non-standard packets or unexpected payloads for fingerprinting purposes right so they'll jostle that device so to speak to see what the response is and based on that response of like aha like you're that thing right um this this Christmas packet here is a non-standard package right it's not something you would normally see and depending on the network stack of that device it might handle it it might not handle it what is often the case with OT devices is they will not handle it and they won't crash or they will reboot or they will freeze up right causing that that outage now the same is true when you move up above the

network stack you're looking at the application itself like application payloads also have this issue where uh they will freeze up or crash and so on and so forth the thing is programming in it has has benefited from Decades of innovation in terms of like release engineering sdlc you know quality assurances and things like this um but you don't have that in an OT with OT they the quality assurance is like oh this thing properly responds to somebody pushing a button or flipping a switch not oh we can handle arbitrary Network traffic that is completely unexpected right also like input checking I think is not a thing in OG like it's like an I.T thing but like I.T applications yes OT I I

really don't think they do any of that. All right, number two here is vulnerability scanners will send security probes to detect vulnerabilities, and by its very nature this is unexpected traffic for an OT device. So for the same reason as the previous slide, OT devices will oftentimes behave very erratically when they see a security probe. All right, let's talk about heavy traffic. So legacy vulnerability and network scanners, they can potentially send lots and lots of traffic on the network to a particular endpoint. Some OT equipment cannot handle that much scan traffic all at once, and so when they do, and it's partly due to the fact that they're real-time operating systems, when they receive

that much traffic they will get slowdowns or they'll freeze up and things like this. But there's also the issue of the network itself, right? A lot of these network devices are not going to be able to handle some heavy scan traffic as well. So in this example here we have mission control in the middle, you have that pipeline, and then there's like the pump over there. So that pipeline is not in an urban environment, it's actually in a remote location where they can't get FiOS, they can't get DSL, all they can do is get a modem, right? And then that pump, you can't even get a phone line out there, and so what they'll do is they'll

use radio or satellite to go back to the pipeline and then piggyback over the modem in order to get back to mission control. This is not the type of network that can handle a lot of heavy scan traffic, right? And so what you want to do is you want to be able to tune your scanner in two ways, right? First is by being able to dial down the total number of packets they're going to send out there, but the other one is to be able to distribute that traffic smartly so that you are sending the least amount of traffic you need to each endpoint without having an extended scan time. So fast overall scan time, but the least amount

of traffic on each individual device. And number four here, this one is extremely important: there are some devices that will crash even if you send standards-compliant traffic. They're just poorly built, poorly written and things like this. So in this case what you have to do is do something called incremental fingerprinting. So what you do is you first send a super benign query to that device and you sort of understand the shape of it, you know, just high level, like what this thing is, and then based on what you've learned, what you've fingerprinted so far about that device, then you go down this code path or that code path for the next query that you

send to it. And so successively, through these iterative queries, where you're being very careful about what you're sending and not sending, you could ultimately get to a point where you actually have this device fingerprinted pretty well, but also avoiding any sort of situation where you have sent a particular query that might have crashed it, right? And then the last principle here is right at the bottom: don't be stupid, go slow, start small, and then expand out. All right, move on to IoT here. Oh, really? Okay, we're gonna skip right over IoT, sorry about that. Yeah, no worries, no worries. I'll be out there if you have any questions, please connect with me, find me.

All right, all right, thank you very much. [Applause]
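Principles three and four from the scanning talk above (pace the traffic per endpoint without stretching the overall scan, and pick each next query from what the previous benign one revealed), as an added simulation that is not the speaker's code or tooling: the probe names, the probe tree and the three lab devices are constructed for the example, and the device model simply raises when it is sent a query it cannot handle.

```python
from collections import deque

# Constructed probe tree (illustration, not the speaker's tooling): the root is
# the most benign query and each later probe is chosen from the previous answer,
# so a device is only asked questions its own protocol family should answer.
PROBE_TREE = {
    "tcp_connect_502": {"open": "modbus_report_slave_id", "closed": "tcp_connect_102"},
    "tcp_connect_102": {"open": "s7_read_szl_id", "closed": None},
    "modbus_report_slave_id": {},  # leaf: the answer itself is the fingerprint
    "s7_read_szl_id": {},
}

# Constructed lab devices: ports answering a plain TCP connect, the reply to a
# protocol-native identification request, and probes that would topple the stack.
DEVICES = {
    "10.0.0.10": {"open": {502}, "id": "Modicon M340", "crash_on": {"s7_read_szl_id"}},
    "10.0.0.11": {"open": {102}, "id": "S7-300", "crash_on": {"modbus_report_slave_id"}},
    "10.0.0.12": {"open": set(), "id": "fragile RTU", "crash_on": {"modbus_report_slave_id"}},
}

def simulated_response(device, probe):
    """Model the device's network stack: an unexpected query takes it down."""
    if probe in device["crash_on"]:
        raise RuntimeError(f"{device['id']} crashed on {probe}")
    if probe.startswith("tcp_connect_"):
        return "open" if int(probe.rsplit("_", 1)[1]) in device["open"] else "closed"
    return device["id"]

def next_probe(probe, answer):
    branches = PROBE_TREE[probe]
    return branches.get(answer) if branches else None

def scan(devices, per_host_gap=2.0, tx_interval=0.1):
    """Interleave probes across hosts: packets leave tx_interval apart, but no
    host is asked twice within per_host_gap seconds; while one host rests the
    others are served. Returns ({host: fingerprint}, timeline, finish_time)."""
    state = {h: "tcp_connect_502" for h in devices}  # everyone starts at the root
    last = {h: float("-inf") for h in devices}
    results, timeline, clock = {}, [], 0.0
    queue = deque(devices)
    while queue:
        host = queue.popleft()
        probe = state[host]
        clock = max(clock + tx_interval, last[host] + per_host_gap)
        answer = simulated_response(devices[host], probe)
        timeline.append((round(clock, 3), host, probe, answer))
        last[host] = clock
        following = next_probe(probe, answer)
        if following is None:
            results[host] = "unknown" if probe.startswith("tcp_connect_") else answer
        else:
            state[host] = following
            queue.append(host)
    return results, timeline, clock

def min_host_spacing(timeline):
    """Smallest interval between two probes to the same host (the pacing check)."""
    seen, gaps = {}, []
    for t, host, _probe, _answer in timeline:
        if host in seen:
            gaps.append(t - seen[host])
        seen[host] = t
    return min(gaps)
```

With the three lab devices the whole scan finishes at 4.2 s while no host sees two probes less than 2 s apart, and neither device is ever sent the query that would crash it.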

Hydrated, everyone sat down, fantastic. Are we live streaming? We are live streaming, live from New York. Not really, I should say London. All right, cool. Good morning slash afternoon, it's now afternoon. I'm Sam Humphries, I am the only thing that stands between you and this man. Right, this talk is... talk title, it's not called that, it is Building a Culture of Cybersecurity: A Case Study Approach to Enhancing Risk Management. I'm looking forward to this. Quick things, real quick: thank you to our sponsors, Diamond sponsor Adobe, Gold sponsors Prisma Cloud, seven grab, BlueCat, PlexTrac, Toyota and ConductorOne. All of you are volunteering and donating and participating. Lewis, human, human, excellent.

The floor is now yours for the next 25 minutes, big round of applause please. [Applause] Thank you everyone, I'm super excited to be here today to talk about one of the things that I love in this world, which is cyber risk management. I'm excited to see so many people turn out who are interested in this topic with me. A little bit about myself: I'm a submarine fast attack Navy veteran, I was a Radioman there for over 10 years, one of the highlights of my career. After that I navigated through several three-letter government organizations, landed in commercial cybersecurity. Through that entire time I picked up a couple of famous certs, CISSP, PMP, a handful of others that are kind of entry

requirements, Security+, Network+, all those things. One of the things that I developed along the way is that I am a cyber nerd, but I'm also people-curious. I always find it very interesting to see how people approach technology, both those who are interested in it and those who maybe feel like it's beyond them a little bit but they're still interested in it. Today what we're going to talk about is the perception gap, the perception gap between us. First of all, let me ask: how many cybersecurity practitioners do we have in the room? Show of hands. Wonderful, wonderful, thank you. How many HR professionals do we have in the room? All right, I might... oh, did I see one?

We have a tape up here, she can't cross right there, there's lasers. What about marketing professionals, any marketing professionals in the room? We got one right up here, it's doing fabulous. All right, there's a tape right there with lasers. All right, what we're going to do is we're going to approach this and we're going to think about this and the concept of what makes us as cyber professionals so pessimistic about users, their actions, the systems, right? I walk into the grocery store, I see credit card machines, I'm thinking PCI audit, you know, has the cashier been briefed? You know, but the people around me are just shopping and grabbing groceries. What creates this opposing optimistic perspective about technology

compared to cyber practitioners' pessimistic view? Is it because of our skill set, our training, or our focus is, when you've seen the things and you know the things, all you see are the things that can exploit it? And on the other hand, what makes others so optimistic? Is it ignorance is bliss, or is it that they see things differently? Maybe there's a middle road, maybe there's a table of commonality that we can find. Let's dig through some things and see what we can see. The two groups we're going to talk about today are HR and marketing. Now how do you know I'm not in marketing? How do you know? Because this is what I envision marketing... this is what

this is what I envision marketing people look like: they're all super excited at the computer and they'll point at the screen and they're just really, really... and they're wearing a Microsoft shirt and they're still happy. It's... that's how you know. But let's take a look, you know, so the HR department, what do we typically see in the HR department, what kind of things are they dealing with every day? PDFs, yeah, PDFs. PDFs only from known entities? Yeah, no, no. They're looking at job resumes, both solicited and unsolicited. They may be looking at legal agreements, sometimes solicited, sometimes unsolicited. They're doing all the things that make us cyber practitioners scream, oh my God,

but they're like, well, I have to, it's my job, like, well, am I not supposed to open PDFs? What else, what's some of the low-hanging fruit? Word documents, email, people's information, HR systems, people in general, yes. One of the reasons I got into cyber is because I didn't have to deal with people. One of the HR systems, you know, typically that's 2FA at best, we're talking login and password, not a lot of depth, and those that are getting better... that's not a criticism against HR technology, it's just the nature of IT systems today: SaaS-based, where they're logging into an HR management system and they're handling extremely sensitive information on a laptop or an endpoint device that might not be completely

controlled. If I hear someone say Okta controls it, let's sidebar that one. But the point here is that the HR department is doing great things; they're also doing very dangerous things. But do they see it that way? If I go and I talk to the HR department and I say, what things are you doing that are dangerous, they're probably going to list people: we deal with sensitive information on people, and they'd be right. They probably would not list opening a PDF as one of the most dangerous things they're doing today. I might differ. Let's do a risk level check: high, medium, low, how would you rate HR in the organization? High, how many high? Okay, it's about half the room. How many

medium? Okay, that's the other third. How many low? Zero lows. I generally agree with that. So we understood that HR deals with sensitive data: they've got financial information, payroll information on everyone, they've got confidential records, all the things that we understand HR has. They deal with it like breathing. They have legal compliance requirements; it's not just about your personal information, they also have to comply with state, federal and then international, if the organization expands, requirements on how they move, handle and view data and who can be around them when they view that information. Again, they're probably not going to list opening a PDF as the worst thing they're going to do today. This is where culture comes in:

can we work with the HR department and identify what sensitive data is and help them see some of the threats that are involved with the ways they're accessing that information, at no fault of their own, just the nature of technology? Is there a table for that discussion where you're at today, and what are those questions being asked? Now that we understand the current risk level, we identify HR as a high-to-medium risk in the organization based on our unofficial polling here. So let's turn our eyes to the marketing department. I know, lasers, lasers. Marketing: how many marketers go to conferences and they have to meet with people? That's sort of why they're there, right? I mean,

this is... we bring marketers in, they join the cyber team, we've got great marketers out in the middle ground today doing excellent work. They might not traditionally be cyber experts but they're familiar with the product lines, or they're cyber experts turned marketer, they went the other way. Occasionally extroverts happen in our world, it does occasionally occur, and so meetups are going to happen. In this instance a marketer was contacted to meet up for lunch by supposedly a foreign CEO of a startup. Let's do a risk level check: high, medium, low. How many for high? Okay, about five percent of the room. How many medium? Okay, about most of the room. And how many low? Okay, got one, two.

So this is sitting in the medium range for risk. What happens next? Oh, I'll send you an email, let's meet up for lunch. Emails happen every day by the millions and the billions, and if you're in my inbox, by the thousands. It's a lot, right, either marketing or otherwise. So they get an email. How many times has someone here, show of hands, got an email with an attachment that just looks very innocuous but it turns out to basically be the images in the signature, right? Yeah. I've worked with organizations who actually require that you not put an image in your signature, because that happens and because it can trick people into opening it.

I endorse that approach. The body contains a base64 blob; the person, maybe not knowing, thinks it's their image, tries to open it. What happens next? Bad things. It's called a bad day. Some of the possibilities: this is just the normal imperfect interoperability between Gmail and Outlook, sometimes Yahoo and Gmail, these more text-based email agents sending things that don't translate the image and so it attaches it. So far we're within the realm of normal for a marketing person. Culture comes in by the marketing person saying, this seems weird, but we're not there yet. Next up, the person says, hey, I'm down here in the lobby, gonna meet up. Well, wait a minute, now they're trying to

move outside of it. Well, I'm outside now. What does this sound like to the cyber folks in the room? They're being lured out, what I call getting off campus, getting lured off campus, outside of the comfort zone, to again get that information from you, little bit by little bit by little bit. Let's do a quick risk level check: how many people now are at high? Okay, about a quarter of the room. How many people are still at medium? Okay. How many people are low? So everybody shifted up a level by and large, because now in our cyber brains all the hairs on our back are just tingling, all of this sounds odd to us.

To our resident marketing expert in the room, your risk level: is this high, medium or low, or is this pretty standard fare? I mean, it happens, right? It's awesome, that's right. So so far, to our marketing person this happens all the time. Her objective is to meet and greet, produce information, share information, so from her perspective the risk is very, very low to medium, a little stranger danger, but that has more to do with meeting a stranger than any technical implications. Well, that's culture versus phishing. Have we aligned with the marketing department to understand what things could go wrong, to share with them the things that we see, and did we work with them to understand their perspective

of why this is every day for them? There's no way to not do things this way, the same as our HR reps; there's no way for them not to do things that way. So what's left? Our culture, a culture of saying, I know this seems weird but there might be a more secure way of doing it, and I'm going to reach out to the cyber nerds and see if this triggers them in any way, just to do a pulse check. What do we need for that conversation to occur? Alignment, a table that they feel good and open to come and discuss these things that they have questions about. If the culture is not built around one

where we as the cyber folks are so pessimistic that we put up walls: users are dumb, they don't know anything, they don't understand technology, how can they possibly be trusted? If we put up those kinds of cultural walls, that's not inviting to the folks who may have simple questions. That's where culture versus phishing comes in: how do we encourage the marketing folks to only use official channels for communication, to track accountability of these conversations? How do we teach them how to verify profiles? I understand your remit is to go and meet with folks and to transfer information between the two of you; how can we be conduits for a paved pathway of safety for those conversations?

And it starts with culture. Now I fooled all of you: we've been assessing risk this entire time. Did we ever define risk levels? No. What did I give you? High, medium and low. Did we, the cyber folks, define what high means? Did we ever define what low means? Now I, with a certain level of confidence, know that when I'm speaking with cyber professionals and I say high, medium and low, we all see red, yellow, green. Do the non-cyber folks know what that means? Do they define it in the same way we do, and how can we correct or assure that that interpretation is equal? Engineering departments have the same challenge with cyber departments: what's high for them

is not necessarily high for us. What's low for them, we're the house is on fire, right? We can't call enough fire engines to some of the lows I've seen engineering departments deal with; they're like, oh no, that's not a big problem, I'm over here freaking out. So what do we do now? We can mitigate some of the HR risk: strict access controls, private VLANs, training, having that discussion, inviting them to the table. Exclusionary discussions, exclude; open that door, create cyber champions in the HR department. How do we mitigate it in marketing? Same thing: identify and verify, show them how to assess the risk from a cyber perspective, and then we the cyber people understand that for a marketing person they have to

enter these dangerous situations, technically speaking. How can they do these dangerous things safely? But to do that our culture has to be inviting and open up the table of discussion. Where do we go from here? Let's revisit that perception gap: we've got the cyber SMEs, pessimistic, the world, me going into a grocery store, risk, risk, aisle nine, risk; everyone else just shopping for groceries. And how do we get the folks who, oh, every day is picking flowers day, and get them to see, like, maybe there's some snakes in that grass that they're not aware of, and help them align their measurement of risk with our measurement of risk, high, medium and low, but also maybe teach us

something about what they have to deal with day to day. Cultivating a culture of cybersecurity risk awareness should extend beyond the technical teams; it's about empowering everyone with the knowledge and skills to protect themselves and the organization. It might not be our fault if something happens, but it is our problem, and it's also our duty to empower everyone in the organization to appreciate how cyber risk can both empower and also hurt us if not handled properly. Hopefully you can all go back with this message to your cultures and see how you're inviting those folks to the table. I'd love to open up to any questions.

[Applause]

Thank you, that was great, really, really good. Does anyone have a question? We've got pretty much time for one, or none, also fine. She made me speed around, she was like two minutes away. No, it's great. Got a marketing... how do you define the risk levels to bridge the gap? Well, how do I... so I heard two questions: one, how do I define the risk level, and how do I bridge the gap? So I define risk levels specifically based on the organization, because what I consider high they might not consider high. So step one is understanding the organization: what's important to them, what do they think is at risk, what can

impact their ability to make money? At the end of the day every business is there for that reason. We need to identify the crown jewels, or the things that might impact their ability to make money. Two, how do I bridge the gap? Identify who the key relationships are that might help or hinder the mitigation of risk, and that's through relationship management, you know, you catch more bees with honey than you do vinegar. If we run around like the fear police, that might instigate short-term gains but it doesn't create a positive culture around cyber. We don't need to be the no police, and we don't need to be, you know, we don't even know, no, no, no, no, no, right?

That's not us, we're there to empower. It's a great question, awesome, thank you. Great question indeed, right, everyone please make a round of applause. Alrighty,

well, bye from me now as well. So I think it's lunchtime or bedtime or whatever you do at this time of day normally. Just for yourselves, be safe out there.