
So we've got a wonderful panel. I will let you all introduce yourselves, but we've got Niall, Andrea, Holly and Sam. Would you like to introduce yourselves and tell us who you are? I'm Sam Humphries. I am a former travel agent, that's true. Committee with you lovely people, and I've also been at Infosec this week, so speaking is now hard because I'm very tired, so please lower your expectations. Thank you. Can everyone hear at the back? Has anyone... move forward? We've got a bit of an issue with the mic, so we want to record this, so if someone moves forward, if you're at the back, there's definitely loads of space down the front.

Yeah, let's get cosy, let's get closer. Yeah. The only fans.

So introduce yourself again, Sam. I'm Sam Humphries and I am a millionaire. That's not what I said last time, but for BSides I'm on the committee for most BSides, all of them, that's not true, all the northern ones, but I don't live in the North, so that's weird. And I was at Infosec this week so I've run out of words mostly, so yeah, lower your expectations just a bit. Two people down the front laughed before. Hi, my name is Holly Grace Williams. I break into computers for a living and I've brought some of my best words today. Good, thank you. Andrea Cullen, one of the co-founders of CAPSLOCK. I've had a really peopley week, and I'm autistic and I was super worried about saying something inappropriate, so thanks to the previous speaker, that's just sales, anything else is going to be good. I'm a relative local to the area, so I know some of you from work and studies and other things, and an attendee of DC151. I run the sport user group in Yorkshire and I'm here with SpecterOps. Hey. So we're going to go worst [ __ ] up first, so there's gonna be swearing, sorry for the children.
So Niall, go on then, tell me your worst. Yeah, sure. So I actually really like this question. This is something I used to ask people in interviews, and I'll probably ask some other people in the room in interviews, because it's generally hilarious and it's usually a bit of a growth story, and it works, I think, as well. So my start in the infosec industry, 13 or 14 years ago, was in the vendor space, in a network security vendor. One day, real early hours of the morning, I had a phone call, which is unusual. It took a few attempts to wake me from my slumber. When I got on the call it was someone really senior in the business, one of the execs, a sales director I think. "No, we've got a problem." And I'm receiving a call and I'm thinking, if anyone's had to deal with customers or clients, sometimes you get problems that aren't really a big deal. Someone in Australia was having an issue, I believe, and I said, you know, is it really that big a problem? And he's like, "No, no, yes. I've had a call from a main distributor for the APAC region, and as people are coming online their systems are down. No internet access. It's failed closed." There's nothing to it, this is very catastrophic.

So out of bed, throw on the laptop, VPN, plug in, coffee, get in there. Got into the weeds of what it was. Basically a deploy that had gone out the previous working day in the UK, put in place by yours truly, had delivered a bunk signature update to the entire fleet worldwide, and just by the nature of time zones and the way these things worked, the unlucky folks in APAC, as the sun came up, their systems went down. So I was drafted in to own up to it, work out what went wrong and scrabble to fix this. We didn't really have a way of recovering at the time, so we invented it on the fly. That is the start of a story that many people have similar ones of, and the reason I like these in interviews and other things is when these things happen to you it's always a case of, you know, what did you learn and what did you do about it. I'm a real fan of the whole mantra that there's no such thing as human error. There's a book about it, Sidney Dekker I think wrote it, around safety and flights and things like that, and it's a great opportunity when these things happen in your orgs to have a talk about root causes: why these things happen, why a single human error can lead to certain catastrophic outcomes. And this is something we get out of incident response, for those of us involved in that kind of thing: going into postmortems, understanding why things happen in IT ops, understanding how we get to these places, and putting protections in against something happening again. Yeah, never waste a good crisis, that's the bottom line.

Andrea, would you like to tell me a war story? Yeah, why not, eh. I'm not gonna own this one but I'll just kind of talk you around what happened, so it happened to somebody else. It's like going into the chemist
and saying I want to get something that's not for me. So I'm just gonna talk you through what happened. I used to work in this organisation that used to provide a managed service, and this managed service was so secure that they had it on the third or fourth floor. You couldn't take a pen in there, you couldn't take anything into the room, all the curtains were down because they were scared a drone was going to fly past the window, sort of thing. Couldn't smell as well, because there's nothing to be seen. So it was really nailed down, but at the end of every month there was a report sent to the managed service division to tell them exactly what happened and all the outcomes of this service, and what happened was it was in a spreadsheet, as these things always are, and this spreadsheet was emailed round to the wrong people with hidden fields in it, and basically it had all the data of everything that nobody needed to see. Emailed to pretty much everybody, which was bad enough, because that's a little bit of a learner, wasn't it. It was a real crisis and people were called in from everywhere, but on the back of this they thought it was a really good idea, and I think this is the biggest learning point for me, they thought it was a really good idea to email everybody after this and say to them, "Please don't open that email, it contains really confidential information you shouldn't read, please make sure you delete it." So I think it went from being opened by nearly two people to the whole of the business. Wow. That is, yes, "don't look at this".

Holly, I'm not going to ask you for a war story because I know you are military. If you want to tell us a war story you can. Go ahead with your question, then we can decide which one's better. What's your worst [ __ ] up? Oh man. So I think I can answer
both of these questions in the same story, actually. So let's head to a summer holiday that got out of hand, and I was on the rooftop of a building trying to get a system called a VSAT to work. If you've never come across VSAT, if you've seen Starlink, it's like that, right, very small aperture terminal, it's a satellite communication system, and I couldn't get it to work. And the problem is I was third line support, so I was the person that people call when stuff isn't working, and I couldn't get it to work at all. Spent a huge amount of time doing the layer eight thing, like, am I doing something stupid, are all the cables working, is the whole stack working, I've got absolutely nothing out of it. And I went through the methodology line by line and I eventually ended up with the civilian support network on the phone, trying to explain to them that the satellite communication system is not working, and they did the exact same thing. Anyone who's run an ISP before, right, you know what it's like, it's just "have you tried turning the router off and on again" and all of that. And I'm on a rooftop right now, I don't really want to be here, but let's play this game. And I went through absolutely everything and it turns out, would you believe it or not, that the problem was my compass pointed south. That was the problem. So I'm supposed to be pointing in the direction of where the satellite is to get the link, and my compass was broken. It genuinely was broken in such a way that it literally pointed south, as in it wasn't north, it was south. I was facing just the wrong direction. So I think the lesson from that is: test your kit. And I think it's sometimes a bit silly when we have conferences like this where people stand at the front and they talk about patch management and strong passwords and multi-factor authentication, things I think most people in the room, professionals within cyber security, know all of that stuff. I think one of the things that often goes wrong is things get implemented and you don't check that it's actually working until you're on a rooftop on a summer holiday that's gone a bit far, right.

So do you want to tell me your worst [ __ ] up? It was my first wedding there. I can tell stories. I used to work at McAfee, I'm really sorry, anyone who's... I had that, that's why, that's still a lot to apologise for. And on the 21st of April 2010 at 14:32 we released an update that broke every single XP machine that we talked to. We did it in a species, and I got the first
message from support from someone over here in the room. He sent me a message saying, "Has that DAT gone out?" and I was like, no, they don't go out till three. Somebody pressed the button early, and it was like, what, dominoes happened. The first call, I'm like okay, trying to troubleshoot, is it this, can we do that, don't find out, and then we got a bank come in and say that 10,000 machines just fell over, and I was like being hit by a truck, because my incident response brain is like, look, on reflex, in the most horribly accurate way, we were going to be in the office for a very, very long time, and McAfee tried to play it down as the last few percentage of machines. It was lols. Automatic updates are really good because they're really fast, until there's something in it that deletes a key system file from pretty much every endpoint that you talk to. And there was a lot of shouting. There were some great moments. So we went to Infosec, and Samantha could, I think, have paid some homeless people to stand outside in hoodies that said "5958: you're only supposed to blow the bloody virus up". All right, fair. And then over a weekend we came up with a way to do this, because it was sneaking up into that problem. Did anyone actually experience this, by the way? I can't run very fast. It wasn't me anyway, but we came up with a wake-on-LAN solution so that it finally wasn't walking around every single machine, and the symptom you got when you got 5958 was the machines were going into a reboot loop. So engineering got on the problem, like, right, we've got this. There's a little gotcha though: if you leave the disc in the drive you'll find all the machines going into a reboot loop, and at that point I think I lost my mind, with a fix that actually just created the same problem, and I hadn't slept for about seven days. So yeah, that was, that's up there I think with all stories.

How long did it take to fix it? Some customers just got on and just did the, did the stake in that, trying to get the DATs off the update servers. I was dealing with a lot of Americans, sorry, any Americans in the room, but it didn't help, so they wouldn't believe me that maybe getting the update off the update server would be a really good idea. So it was a long time. When it came, we were good... more than that, I think it just never stopped, it felt like. And then we had a party for it the next year and everyone, yeah. So that was as catastrophic as it got. Okay.
So if you had a silver bullet to make businesses or people more secure, and this is a question for everybody, we know we love silver bullets, what would your silver bullet be? Well, yes, so I'm going to be the guy who gives the standard answer. Hopefully someone else will engage a little bit more directly. Just to drill down on why I say that: cyber security, infosec in general, is like a complex... I'm not gonna attempt to define complex because there's some very smart people with PhDs like John Atkinson in the room, but essentially lots of moving parts that you can't decompose easily to understand the whole by looking at any one particular part of it, and that's part of the philosophy around why SpecterOps talk about attack paths, and like Jared, like Chief, I've just talked about this a lot. At the same time, from The Black Swan, he has cited cyber security as a complex problem. So I don't really think there is a silver bullet, for that reason. The problems are complex. We hope we've got a tool that helps simplify some of it, but this stuff's going to keep us all... they look, well.

Then Andrea, what's your silver bullet? Yeah, I wish I had something that smart off, and if you say at this point where I'm out for both of those things... I think for me, having worked in loads of different sectors, most sectors start with a compliance approach, in that that's where the heading is, that's the essential bit, that's
the bit that's kind of slapping you around the face, and then they look at risks, so risk gets tied into compliance. I think my silver bullet, and I'm not even sure this is a bullet or even silver, but here we go, is, you can tell the aspect that it started, it's been a long week, is to put risk first ahead of compliance rather than the other way around, and to consider the big picture of risk, of which compliance is a part. So okay, let's do it.

What about you, Holly? I think kind of optimising towards leaving people with something that they can take away and actually implement, rather than "oh man, this is a hard problem". What Lisa's talk was about in the blue room, for anyone who saw that, is tabletop exercises. So sitting down and walking through something like a breach response, and the reason I picked that in particular is I think a lot of people are already familiar with pen testing and vulnerability analysis and a lot of the stuff that I usually talk about, but my experience at organisations is very few organisations do those tabletops, and the first time you do one they go horrendously, but in a really good way, where the company actually gets right in the face of "oh, we aren't bad at this because it's hard, isn't it". You know, like finding a missing patch can be as easy as running a vulnerability scan, finding systems getting compromised as easy as a pen test, and then you feel like, oh, at some point we'll install that patch and that problem's solved, versus the actual complexity that comes from dealing with a breach, especially when the one on the other side of that negotiation is not necessarily on your side. I think that's a good thing. So if anyone wants something they can take away in terms of what is your organisation's solvable, and you haven't been doing tabletop incident response scenario testing, that is why.
But I think we as an industry need to stop the whole "oh, the user", "the problem exists between keyboard and chair", right, or desk. It's not helping. We should be able to put our arms around the users, and not this... it almost feels lazy that we're like, oh yeah, stupid users, they cause all the problems. Going in with that attitude, it shifts the blame away from us, from our crappy bits that we get, and it's our job to secure people. They don't have to know security, they shouldn't have to do security, they can go and be experts in whatever it is they do, and we're there to protect them as much as the systems that we look after. So I'd get rid of moaning about the users, because they're not stupid, they're better at a load of stuff than us, but they do click stuff, and if that's the only line of defence... sorry about you, love it.

So one final question for you all. We want to talk about community. BSides is a community, and everybody here, thank you so much for supporting us. What would you like to see less of, or more of? What was it? So I guess community, you know, business community, that's, you know, the very online kind of Twitter community is another. I think for that aspect, like all the kind of online
stuff, I think it's important that we recognise that the people who are really active on Twitter and really online, and even the people who come to conferences, are actually a pretty small subset and kind of microcosm of practitioners in the industry at large. So I think it's worth being cognisant of that. I mean, in terms of that space particularly, I think my advice would be that we could be nicer in that arena just generally, well, be civil. But to broaden that point out, I suppose, if you look at the UK for example, most employment, most turnover, is actually in small and medium businesses, so they're completely not engaged with what we're talking about here. They're not engaged with Twitter dramas, they're not really in the same place. And, not to seem like a hypocrite, at SpecterOps we work at some of the higher end of the industry, like advanced attackers, the adversaries, characterising that and defending against that, but I think what's really helpful is for organisations who do work in that space to think about how we can make that trickle down more broadly in the community, in the industry. So, to make quite a concrete point on what that would look like, to be more specific: open sourcing software solutions, writing blog posts, sharing research, things like that, offering training courses, webinars. These are all things that some of the big techs do. It's certainly an important part of our philosophy at SpecterOps. Our CEO wrote something called "Transparency", which kind of detailed some of this approach. You can check out the GitHub for some of the open source projects, and I think there's notable people who are doing that, like I said, some of the big techs, a bunch of cool stuff, like Slack, Microsoft. Yeah, just making that more accessible.

Yeah, I think it is all about community. I think community and diversity, probably. I mean, I'm never pleased to be a woman in an environment like this because the toilet queue is finished round the block with them. So I think diversity, definitely more diversity, more community. I love BSides, I know we're a big fan, and I think that kind of community spirit wins through. I think it is about joining as a community. Yes, myself, probably the obvious one, no drama. I'm not great with it. We all do made-up jobs, let's be honest, we're not generally making anything or anything like that, but I think it is that let's just crack on and get on with our jobs, that can be, and actually embrace the community and give everybody a hand up,
you know. So more of that, and here what I'm going to do is it's going to help us support and help you progress, talking about that from your friends.

What about you, Holly? Well, what I'd like to see more of is: please submit to CFPs. I've been on the CFP review board for a few conferences now, and very often the number of submissions, and how few there are, would surprise you, and also it can be the case that there's many submissions that are all around the same kind of topic because something is in the news or something is the current question, so there could be several talks. If you've ever submitted and had not been selected, someone else has been selected on a similar topic, that could be why. That conference might have had five people all want to hit the same topic and then not had that many other submissions. So yeah, if you've enjoyed BSides and if you have something that you think is cool, there's probably other people who would agree with you, so I'd love to see an increase in the number of CFP submissions.

I'm gonna build on that a little bit. I'd like to see more CFP submissions that aren't just the code and the old days and it's my talk. They're all really good, like I love seeing those events, but there's a lot of other skills beyond coding that could be shared, and you might think, well surely everyone knows this, but I guarantee you, every talk I've been to I've always taken something away, even if it's something that I know really, really well. To get a different perspective is helpful. So it might be a soft skill thing, it might just be some sort of comparison you're drawing between something you do in your life and cyber security that may help you in your cyber security world, but if you've got an idea I'd bounce it off someone from BSides that's already involved in that. Please, please, all of those, and we like having loads of different thoughts. I also agree with it: no drama, please. And the last thing, I think, is just being kind, not just to each other but to yourself, because I think we work in really stressful environments and we're always thinking "oh yeah, do I know enough", imposter syndrome's kicking in. All they do is amazing, it really is. We help the world innovate, we help the world be better, and we're never going to be great all the time. There's always going to be stuff to do, which is important, but just look at yourself sometimes and be really proud of what you do, whether it's like, I just go pick up your bad selves.
So do we have time for questions?

Sure, but make them really spicy and nothing to do with what we just said. We've got no prizes. Yeah. Oh yeah, yeah. So you talked about engaging better with users, and I think one of the great approaches is "yes, and". Do you have examples where they have responded with "yes, and" to any inquiry they've had or thing in development in the business?

That's a tough one. Who wants to go? Yeah, I think if anything good came of the pandemic, and a lot of bad came of it, the visibility of security I think shot up in a lot of organisations, and it wasn't just like "no, you can't do that", "no", like turning that off, blocking that, "stop it, you idiot, you've got to use this instead". I think there's been a lot more "yes, and", and understanding business cases and use cases and actually working together with different groups within organisations to be able to find solutions. It might not be what they think they need, but it'll get them to where they need to go. And I've seen a lot of shifts on that, which is a benefit of having a pandemic, but I don't want another one. Thanks, that was way better than United States. Any more questions? No? Right, thank you very much.