
Oh hey, we're live. Good morning, BSides Delaware, good morning. We're doing this again. Welcome to our 12th year, and welcome to our second virtual year, pandemic season 2. I didn't like season one either. Hopefully this is the last virtual season. You know, like, we're gonna be canceling this show after this year, okay. The virtual aspect is going to go away, and please Lord, however you see them, we're going to be back in person next year, and boy, is it going to be a reunion time. But for this year we're virtual, we're on Discord, we're doing both days, Friday and Saturday. We have plenty of speakers, which was wonderful. We have some wonderful sponsors: we have Secure, which is a federated trust company based on blockchain and DAML; we have Syndicus Nikon, which is a teaching academy and a training academy, they're lovely, lovely people, John Shandra runs Syndicus Nikon, I think he's got a few of his people here; and we've got Gigamon, who is a perpetual sponsor of Pros V Joes, they are just awesome, awesome people. They literally hounded me: "We want to sponsor." Like, okay, okay, I'll let you sponsor. We have amazing speakers, we have lovely places to talk and chill this year. Let's relax, let's hang out, let's have a good time, let's talk, let's reunite next year. We drink, I mean see each other.

Jason? That's me, yeah. I mean, I'm excited to be back again this year, excited to see what our speakers have to say, and I mean everything you said is true. I hope this is the last year we do virtual. I really want to see people and give hugs and, you know, be able to run around like a madman again next year when we organize this.

Jason, clothes on this time, okay? Just running around. Oh well, yeah, I'll stay seated. Yes, remember, this is the last BSides Delaware that pants are optional. The hell you say. We might do hybrid next year; we haven't thought about that yet. I wouldn't mind that. I love the fact that, Rando, you were, I was like, pants are optional this year, and like I know that everybody on the stream looked down to double check. But if you want input into whether we are virtual, in person, or hybrid next year, please go to the announcements channel and do the reg check-in for CPEs or to enter the raffle. Oh, it's Gigamon's doing the raffle, right? Well, we are also doing a raffle. Oh, tell me about this raffle. I just did: if you go to the announcements channel and fill out the reg check-in form, we will be raffling off some Amazon gift cards. Oh, that's nice feedback, and it's also a way that you can verify your attendance if you need to for CPEs or college credit. So if you have CISSP, college credit, anything like that, you need continuing education credits, go to the channel, the reg channel, check in, and you can get, the announcements channel, sorry, the announcements channel, and you can get those CPEs, you can get those continuing education credits for any reason whatsoever, and you also get entered into a... Is it automatic entrance or do I have to do anything special when I get there? You can enter it once per day and we will randomize who wins afterward. It's based on one gift card will be awarded for every 40 people that submit an entry. And is it a pinned message in announcements so that I can check on a pinned message in the announcements? So you can find it easily. See, this is the information I need. Okay, is there any other things I should know about the structure of Discord or anywhere I should go, anything like that? You should check out all the channels and you should socialize with people in the lobby chats. If you want to ask questions of the speaker, go to the Q&A chats. And we're just about ready to start our first speaker. I want to welcome Dr. Nikki Robinson. She will be presenting Human Perception: The Missing Security Control. I know a lot of us think about the technical side of things and we might need to think about the human side a little bit more, and I'm excited to hear her tell us all about it. That sounds awesome. Ladies and gentlemen, children of all ages, the second and hopefully final virtual BSides Delaware begins now. Rando, it's all yours.

Hi. Now everybody on chat and everybody in Discord is going to see a little bit how the sausage is made while we get our speaker set up. So, Dr. Robinson, if you could start sharing for me. Yep, one second here. And if you're not presenting, get out of track one. Let's see, this watch stream. Hey, there you are. And Dr. Robinson, where are you from? I am from Maryland, so not too far away from Delaware. Very good. And what made you want to present at, this is me killing time. Oh, good. What made you want to present here at BSides? So I'm a big fan of BSides in general. I think it's a great conference. I know I've seen lots of great presentations at BSides conferences, and really any chance I can talk about human factors, perception, and combining with cybersecurity, I'm like all over. But yeah, I was excited to come to BSides Delaware for sure. Outstanding. Well, we're all really excited to have you, and I'm almost done riffing and killing time and you will be able to present. She's our very first speaker and I just woke up. So everybody, again, welcome to BSides Delaware 2021, and I give you Dr. Nikki Robinson.

Awesome, thank you so much. Well, thank you to BSides Delaware for having me, and first speaker of the day, so thank you for having me. I'm excited to talk about this; as I mentioned, literally anytime I can talk about this I'm excited. So today I'm going to be presenting on Human Perception: The Missing Security Control. I am a security architect
by day, an adjunct professor by night, as well as several other things. I also co-host the Resilient Cyber podcast, so, you know, just a couple little things I like to do.

All right, so what we're going to talk about today. I'm going to cover quite a few topics since I have the time. We're going to start with talking about security controls. I'm sure you guys are all aware of what they are, but I'm going to sort of give us a baseline here of what I'm adding context to, and then I want to talk about some of the different IT and security roles specifically related to security controls; what is perception, and I'm going to talk a little bit about perception and cognition; senses and cybersecurity; how does perception change over time, i.e. how does our risk change over time; and then I wanted to provide some case examples, some ways that this may manifest itself within different organizations or within different teams; and then hopefully some final takeaways, some really practical stuff that you guys can use and take back to your organizations, your teams, things to think about and digest and see where it goes.

Okay, as I mentioned, security architect by day primarily. So at IBM I'm part of the CISO Security Innovation and Remediation team, so I do a lot of remediation activities as well as, on the innovation side, you know, trying to solve those big complex problems within a large organization. I'm also an adjunct professor at Capitol Technology University; that is the school that I received my DSc in cybersecurity, and I'm currently wrapping up a PhD in human factors, so, shock, that's why I'm sort of talking about this topic today. You know, the last year and a half of research has really changed the way I feel about cybersecurity. So I have a background in IT ops, so I was an administrator. I managed virtual environments, I did AD, Citrix, I mean VMware, you name it, and then transitioned into security about, probably about four years ago now. I got really interested in vulnerability chaining, vulnerability scoring, how are vulnerabilities scored, how do we understand what vulnerabilities are, and so when I was studying that for the DSc I saw this PhD in human factors and I was like, oh, this is really interesting. I want to see how I can, if I can understand psychology better, if I can understand humans better, can I improve cybersecurity, our security posture, and reduce our risk in an environment, and that's really what ultimately led me here.

So quick disclaimer: all thoughts, feelings, views expressed in the presentation are my own; they do not reflect any of my employers. And another quick disclaimer: I'm not a licensed therapist or psychologist. I love research. I have a lot of friends that are cognitive psychologists that I've spoken to about research, and there's a sort of a small group of us out there that are really studying the implications of cognitive psychology and understanding how it really affects the security posture of a network.

All right, so hopping right in: security controls. So anyone that's, you know, been in security for any length of time, and even from the IT side, you know, this is really where I
was introduced to security controls, was actually as an administrator. So these are anything like applying a group policy, fixing a registry key on an OS baseline template, all kinds of different settings, password length and strength or complexity requirements, how do I handle users versus service accounts, how do I manage my OUs, all of that kind of stuff. Now I'm getting really far into AD, but there are a number of different types of security controls. They're not just, you know, GPOs or settings on a network device; we're actually talking about procedural, technical, compliance. There's also physical security controls. So security controls are really this broad sort of a field, and when I was looking at what security controls do we manage, do we implement, do we look at, I just started to see this like missing sort of piece, right? It's like, okay, so let's say I'm able to implement these security controls and I'm monitoring them and I'm doing all these other things, but what am I missing? Because we all know, like, cybersecurity attacks are continuing and they're just increasing in complexity, and the way that we sort of handle security, right, like we're still having all these cyber attacks happening. Phishing attacks are still outrageous and happening all the time. So what are we missing? If I'm applying these security controls properly, how am I still missing, you know, something that's allowing a phishing attack to take place? So anyway, this is where this sort of started, this idea of like, what are we missing that we can't sort of properly put these security controls in place to really mitigate risk?

So that sort of got me thinking, well, when I was on the IT side of the house I didn't really see and perceive security controls the same way that I do now that I'm a security practitioner. You know, from the IT operations side, I'm really implementing those controls. I may have some leverage over what controls are selected, but not always. You know, on the IT side I may have been told, hey, implement these security controls, and I may be able to push back and say, you know what, that one's not going to work, or maybe not, but ultimately I'm going to have to figure out how to either implement this control or figure out how to provide mitigating controls that will resolve that vulnerability or that issue. And I may be evaluating specifically for functionality. So from the IT side, I don't want to affect my user negatively; I want to make sure that they have all of their systems available and functional, and so my objectives and goals are going to be a little bit different than the security side of the house. You know, security, we're concerned with risk. I want to make sure that the system is secure, and of course I want to work with the business, I want to make sure that what I'm telling IT aligns with the business and the strategy, but ultimately my main primary objective is to secure the network, to secure the organization. So I'm going to select those controls based on whatever requirements I may have; if I'm a federal organization versus a private sector organization, that may be different, and then ultimately monitoring for any inconsistencies. So my favorite example is, I've applied a GPO for a setting. Well, what happens if I move, maybe I have, you know, 100 computers in that OU, what if I move them from there to a different OU and I didn't take the GPOs with me to the new OU, or maybe I didn't take all of them? It's possible that some of those settings would then end up being missing from those systems. So me, as security, it's my job to make sure that, you know, those settings are being applied consistently and as I expect them to.

So perception. When I started looking into sort of seeing the same problems that I
see over and over again in security, and studying the idea of human factors. So human factors is really this blend of engineering, design, and psychology, really ultimately trying to make tools the best way that we can for humans to use them. And so that got me thinking, well, hold on a second, if I start to blend some of those psychological concepts, or really the terminology that we're using in psychology, if I start applying that in cybersecurity, can I start to address some of those gaps that I'm seeing?

So perception: this is how we interpret a situation, and we're going to talk about some specific cases here because I think it's important to actually highlight how this works in the real world. But perception is how do I understand a situation, how do I understand the world around me. This is sensory based, versus cognition. Cognition is really how do we make decisions, and there may be some perception or some bias there based on our past experiences, but we are making decisions based on our understanding of a situation. I like to equate this to, when I talk about cognition, I talk a lot about chess. Perception is more, you know, I've interacted with an individual before; if I've had a negative interaction, how does that affect my perception of that individual? And it could solely be based on that one situation, that one interaction I had. But maybe that person was having a bad day, maybe they had a doughnut for breakfast and their doughnut dropped on the ground, like, oh, that's frustrating, and so maybe I had a bad interaction with them because maybe they were frustrated that morning, not because they're a bad person. But my perception may change of that individual based on that interaction.

So for perception, it's handled in a couple of different ways, the way that we perceive and handle decision making using perception: bottom-up processing versus top-down processing. So for example, if I stub my toe, immediately I have pain that shoots through my toe, potentially up through my leg, and I'm like, oh my gosh, ow, ow, that was my toe. You know, for me that changes my perception of a situation. It's like, oh wow, that was immediate and that hurt a lot, and it's a sensory thing; that was a pain sort of reaction. Versus if I'm sitting on the beach and my hands go in the sand and I can feel the sand, and my perception of the beach and where I'm at changes based on what I feel and even what I see and what I smell. You know, if you're at the ocean and you're smelling the ocean, you have memories that are based on those sensory sort of inputs that we have.

So to dig a little bit deeper into perception versus cognition, this is where I was starting to talk about chess. If I'm talking about cognition, I'm talking about how do I make decisions. If I'm playing chess and I'm playing a two-minute chess match versus an hour-long chess match, I'm going to be playing that quite differently. Two minutes is not a lot of time; that's one minute per player, that's one minute for me to process an entire chess game. So I'm going to be really playing that game based on my past experience with chess and the fastest thinking that I can do to make sure that I'm making those decisions to try to win the game. You know, if I'm playing a two-minute chess match I may be okay with losing my queen very early on, because it's like, hey, I got to keep moving, I can't focus too much on the implications of losing that queen, I need to figure out how do I handle that and overcome. Versus an hour-long chess match, I'm going to have time to really think about 30 moves ahead: if I move here, what will my opponent do; if I move here, what will my
opponent do; if I move here, how many different ways could my opponent react to me moving that piece? So you're really thinking in multiple different ways and really deeply considering what implications moving a piece might have.

So visual perception: there's a lot of really great research out there, and of course, unfortunately, I'm not going to have time to talk a lot about it, but I highly suggest, if you're interested in this topic and how it might relate to your cybersecurity teams, just on Google Scholar look up visual perception, because primarily, recently, they're talking about it as being one of the primary ways that we make decisions: how we see something. So if I see someone (I think I'm getting some echo, okay), so if I see someone and I see their body language, that may change the way that I handle a decision or the way that I sort of interact with someone. So the way that we visually see something may change the way that we handle decisions.

And quickly I want to touch on metacognition. This is one of the most interesting things I think I found when I was studying cognition and perception. This is the way that, after we make a decision, we really think about how we made that decision. So if I'm making a risk-based decision, how did I come to that decision? Was it the right decision, was it the wrong decision, and if it was, how could I change that the next time to make sure that I make a more appropriate decision? So I love the term "meta" because we use it in lots of different ways, metadata and all that, but for metacognition you're really taking that step from, okay, I've made a decision, to evaluating how that decision was made. And I think especially in cybersecurity this is a really important concept, because our jobs are really making decisions constantly: is this alert malicious or not, is this network traffic malicious or not. So there's a lot of the ability to make decisions and make them quickly, but then we have to really go back and say, how did we make that decision? How did I determine that that was a malicious file versus non-malicious? How did I determine that that website should be blocked versus maybe not?

So a couple examples here. I wanted to mention the fear-based response based on experience, which is more perception based. So let's say, for example, I responded to an incident. There was a security incident that happened, and I just know if I don't do something I'm going to get in a lot of trouble, or I might be held accountable for it. I'm scared of making the wrong decision, so ultimately I'm going to quickly move, I'm going to communicate probably really effectively, try to tell whoever I can tell ahead of time so that way it doesn't get, you know, out of hand quickly. Or, if I'm too scared to tell somebody about something, that's when issues really arise, right? It's like, if I see alerts coming in but I'm really scared to tell my management about it because maybe in the past I've had an experience where they got really upset with me. What happens if a SOC analyst who's nervous about telling their management about an incident, what happens if that incident goes unnoticed or undisclosed for an hour versus two hours versus three hours? You know, what happens, how does our risk sort of go up at that point? So I think it's really important, especially when we're talking about perception, to talk about how fear-based responses could impact the overall security of our environment, and across different teams, right? Not just a SOC analyst talking to a manager, but maybe even a manager talking to executive management. Maybe there's concern there that if an incident is happening there may be repercussions, and not addressing the situation or maybe not taking it up with the highest executives, you know, maybe that could end up being a much bigger incident than it would have been if it was addressed immediately.

So senses and cybersecurity. When I was putting this presentation together, this concept really hit me: how do we use our senses to either make decisions, to understand a situation, to manage and monitor alerts, to configure our security tools? How do we, especially visually, and with the tools that we have, how do we interact during a security incident? What tools do we have available
to us and how do we see them? I'm really big on, you know, having security tools; we have to have them, right? We need them. They help give us great information that we can then make objective decisions on. However, if we have too many security tools, it's very possible that, if I've got 10 security tools that I, one analyst, need to manage, it's very difficult for me to make sure that I'm using all of those tools to the best of their ability, so that I can configure those tools properly. Because when you have 10 tools to manage, potentially upgrades, patching at the OS level, the application level, and maybe a device as well, you have to consider all of that time: updates to the software, there may be new things that have to be configured. It's possible that over time that tool wasn't configured properly initially and so it's not working well now, you know, maybe a year later or two years later. So am I using the tools that I have properly? Am I able to visually see those tools and get effective information, helpful information?

Which is where I want to talk about cognitive limitations. If I'm focused on, like my number two bullet here, if I'm focused on the data that I'm seeing in these tools, if I'm focused on all of the information that's coming out from all the products, the patches, the security controls, the frameworks, the guidance, the policies, and what I'm being told by peers, colleagues, management, executives, strategic business direction, I think you can kind of see where I'm going. But this is where we start talking about burnout, cognitive limitations: how much can I as an individual really handle in cybersecurity? You know, we have so many different things that we have to not only manage from a technical perspective, but we have to manage relationships with IT operations, with developers, with maybe product and product managers; maybe from the SOC perspective, maybe I have to deal with customers or third-party vendors. So there are a lot of things that I as a security professional need to manage, and there's only so much that we can sort of handle and bring into it, and so we start to get this sort of sensory overload, way too much information. So I think there's this interesting conversation that has to happen on how much information are you digesting and ingesting from security tools, from products, from patching, from a remediation standpoint. How much can we handle and really digest and then use that to make really good, clear, risk-based decisions?

And for the third item here that I wanted to talk about: can we interpret risk based on how security analysts perceive a situation? So if I, as a SOC analyst, with my years of experience and the ability to sort of pinpoint where an alert might be noise and where an alert might be malicious or anomalous, that's based on my previous experiences and based on my education, based on my awareness of the system, then we can make risk-based decisions, and we use all of the tools that are at our disposal, including my perception of the situation. If I'm monitoring a network and I see something that doesn't look right to me, whether or not I can pinpoint it right away, whether it's an alert, a strange IP, something like that, but if I can start to pinpoint that, I'm using my perception, my experience, to help make risk-based decisions. But we don't talk about it in that context necessarily. You know, I think there's real power in using the right terminology and then, on top of that, using the right definitions for those terms. So for example, vulnerability management, which is probably my favorite topic besides human factors. But when we're talking about vulnerability management, if I asked individual one and individual two what their definitions of vulnerability management were, I would probably get two different answers. Some people see it as really a patch management sort of activity, some people see it more from the remediation standpoint, some people see it as a continuous monitoring sort of exercise. So our perception of the terminology that we use can really impact the way that we think about security of a system. So I think there is real power in using terms like perception, the way that we sense things, the way that we use our intuition based on experience, to help us manage risk. And then ultimately, how does our perception affect how we use those security tools, how we interact with other teams, whether that's IT operations or developers, and then ultimately how do
we respond to incidents based on that perception? So I'm going to talk about some cases, but I really wanted to sort of highlight this, because this is really the reason why I think that sometimes, like, I continue to see the same types of attacks over and over again. You know, attackers think about things in a very different way than us as network defenders do, and I think if we can start to integrate some of those psychological concepts and terms into our everyday security vocabulary, it may help us say, like, oh, you know, I didn't think about how my perception of a tool might have affected that security or risk-based decision, but now I'm thinking, oh, I perceive this tool differently based on my personal experience; how does my coworker perceive this tool? And have a discussion about that: hey, what is your perception of this tool, how do you feel about this tool, do you think that it's useful based on your experience and your perception? Because sometimes, I know I can have the wrong perception of something based on my experience, and so really communicating, collaborating, talking with other people about how they feel about something or what they've experienced can help change my perception of something too. So that's sort of where we're going to talk about some of the actionable takeaways, but really just sort of having that idea of, okay, I need to think about how this situation, how this tool, how my interaction with this tool has changed the way that I feel about this.

Okay, so perception over time. This is what I think is also another really important conversation to have. I know I can just speak on my own experience; my perception has really changed over time, especially for risk-based decisions. When I was in IT operations and I started studying vulnerability scoring, how low and medium vulnerabilities could be exploited, that really changed my entire perception and my perspective about what security meant to me as a system owner. So over time, you know, being a system admin on day one, I didn't have any biases, I didn't have any fear or concern; it was just, hey, I'm here to learn and I'm here to manage an environment. Versus maybe my second week on the job, where I've met a number of team members, I've probably gone through initial training and learned more about the organization, meeting even other teams that I might be working with. So first impressions are really important, so the way that I've had first interactions with people, that could change my perception almost immediately of how I feel like I might interact with people. Versus six months down the road, I've probably been working on some projects, working with other teams, really getting a better understanding of the infrastructure and the technology at play, what does the tech stack look like. I think one
of my prior colleagues, it was because I was feeling like I was a little lost, especially in the first six months. I was like, oh my gosh, I feel like I'm still learning so much, and he said to me, he was like, listen, it takes six months to a year to really learn a network; it can really take a long time, especially in a really highly complex environment. So he was like, don't worry about it, it's going to take some time, it's fine. So anyway, by six months you're starting to really get a better understanding, technically, of what's going on across the organization. Then let's say four years down the road, bias starts to come in. Maybe you've had bad interactions with other co-workers, maybe you've had frustrating projects or projects that failed for whatever reason. You know, that affects the perception, the way that you perceive the environment, maybe the way you perceive co-workers, maybe the way you perceive tools and vendor relationships. So biases really start to, especially as someone who continues to grow within an environment, biases really start to come in based on those experiences. And then 10 years. I asked the question, like, what might be the issue here? But after 10 years, especially within one organization or working in sort of one environment, you really would have a lot of bias based on past experience, and that's totally acceptable, right? You know, if we experienced a bad relationship with someone over 10 years, my perception is that that's not going to change; that relationship is probably not going to change. But so after, you know, a certain amount of time, it's different for everyone, but perception is going to change. There may be negative perception when it comes to people, processes, or tools, as well as positive perception for people, process, tools. But what does that mean to my risk? So if my perception at the beginning of, you know, a project or working with a team is positive but it's really negative at the end of the project, how does that affect my risk? Does it? I mean, maybe it doesn't, but it's very possible that by the end, if you have a negative interaction with someone, or maybe the project just didn't go as planned, maybe deadlines were missed, the project got pushed back, maybe the technology just ultimately wasn't going to work for the project or for the goals, but that can really potentially increase risk.

I'll give a really specific example. So let's say you're evaluating a tool, and it goes from, you know, you have it in test and it works okay, and then whoever decides, yep, put it into production. Well, you've got a test system now that maybe ended up in production. I know this is probably, like, wildly hypothetical, right? So you've got an environment now that's probably called something-test that's now in production. Was it meant to go into production? What is the risk of putting that test item into production? Were all the security controls in place from the beginning, or did someone try to add them at the end, and were there maybe issues with that? So how does the perception of that tool over time change based on, you know, maybe it moved from test to prod, maybe you started having executives or management or VIPs start to use this product, but you can't necessarily guarantee that it's secure based on sort of the inevitable push from test to prod? So it's just sort of something to consider if you think about how perception changes over time and how our interactions with technology change over time; it could potentially affect the risk of the organization.

All right, so round one. I wanted to break down three different cases, mostly because, like I said, these are totally hypothetical, right? I'm sure these have never happened to anyone,
uh but I think it's important to talk about how perception might actually uh in the real world practically affect either relationships or overall risk so let's say there's an itops group they're working on upgrading uh OS levels let's just say Windows 10 to Windows 11 something like that or Windows 7 to Windows 10 probably years ago um so maybe the security team because of maybe EOL maybe there's vulnerabilities and risk they are are pushing for you know a specific timeline because it's like hey there's critical vulnerabilities this is end of life we've got to get this out the door it it's got to go um but then tension builds between teams because maybe the it operations team maybe
they're getting different direction from it management versus what they're getting from the security team so they're sort of maybe caught in the middle trying to figure out how do we balance functionality for a user for versus security and making sure that we are you know upgrading those systems as as quickly as possible but without AFF affecting functionality for you know my users um both teams go to the management there's contention there's issues so uh not just how do we solve this but how does this affect risk so if I'm thinking about risk here it's possible that these systems may not get upgraded because you know their it operations or not get updated you know as quickly as maybe security would like
because uh you know there's a functionality issue there's a concern over customer maybe there's concern over Revenue even that hey if if I don't you know if I don't fix this fast enough or if I uh fix this too quickly I might affect the actual revenue for the business if I affect our customers so uh there's a lot of concern there and a lot of um you know perception uh that's going to change after this interaction this is one upgrade for an operating system this isn't an application or Hardware upgrades or anything like that and if the timeline gets pushed the risk increases if the teams have trouble working together or you know they have a
bad interaction when they're where they're sort of uh talking about these things it operations may be very hesitant to work with security in the future um you know if they're concerned that you know oh my gosh if I do this upgrade it's going to break everything or you know I can't uh I can't affect my users and my customers because that's my number one goal and objective um so I think as far as solving this is It's really uh you know we talk a lot about shift left and improving security sort of I think from the beginning from the onset and that's certainly a great goal and I think what we're a lot of people
are moving towards but I think it's almost a a little bit deeper than that as far as communication goes I think uh security you know it's it's there to enable the business and it's there to uh you know sort of work with people and I think in the past there's been this sort of negative perception of you know security is just here to bang on my door and make me Implement these 300 controls and not give me any information but uh there are a lot of uh you know security Engineers isos uh that want to really help enable the business and improve security without affecting functionality and and meeting that business strategy so I think that you know it maybe in this
particular situation there was a negative negative perception of how security might affect the functionality for the users but you know maybe it's just perception maybe that's not actually what they were intending to do uh but intention doesn't always meet perception all right round two so uh security versus executive management again totally hypothetical I'm sure this has never happened so uh security is working on a critical vulnerability they have expressed urgency to the CIO uh you know making sure that this gets done very quickly and and immediately um um but you know the CIO you know thinking about the business thinking about customers and users hey I can't do this during production hours this is not going to
happen we need to we need to figure out like a better way to do this and and I'm not going to um affect this and let's say that they're at the end of a quarter and they say you know what I'm at the end of a quarter I I can't do this right now because this is going to affect sales or productivity whatever it might be um and you know what I don't have enough information so uh we're just we're not going to do this right now if this is a critical not just critical but exploitable vulnerability uh what what would have maybe been a like a better way for security to address this to management
maybe instead of saying there's a critical vulnerability we have to do this right now what could be a better way to do this would be laying out a plan you know because that perception then is you know executive management that CIO may be like you know what I don't I don't trust them they're just telling me to do this and they don't understand what you know what we've got going on here so maybe from the security side of the house I could have gone to the CIO and said this is a highly exploitable vulnerability you know we know these AP groups are using this actively right now in campaigns against businesses just like us and if
the system if we get affected by this if we are um you know hit by by this AP group uh we will lose x amount of dollars we will lose this much you know downtime and the time for the downtime during production hours to get this resolved versus the possible impact for company reputation uh loss Revenue all those things that might be a better way to show uh the understanding of the business to show the um that security understands the needs while also expressing that you know what this is a this is a serious impact to our entire organization not just you know yes we have thousands of vulnerabilities but this one in particular could ruin our
business uh so it sort of you know changes the way the conversation happens um and it also improves probably the perception of how management feels about security uh overall you know it's like oh hey they were thinking about all this stuff they gave me all this great information and now I can make a better risk based decision based on this instead of sort of maybe having you know a negative perception or maybe there was a negative interaction in the past that affected their perception and they were just like you know what I'm not going to put up with this so it is possible that perception of the security team or of the information given to them was
negative whether you know appropriate or not uh but that perception might change that conversation and so uh if there is already a negative perception in place for uh security controls or vulnerabilities or whatever it might be that need to be resolved it's it starts with changing that perception and not saying you know not doing the same thing over and over again and saying like why why don't they listen to me but changing that conversation might change that perception might help reduce risk all right round three uh so here I wanted to talk about just a little bit different angle uh third party uh vendor uh versus not vers well yeah versus the security engineer so a security
engineer they need more information from this third party vendor hey I need to understand your product better I need to understand what's going on and uh you know this third party is like uh yeah but here's my documentation everything's fine I I have this all documented um you know it's it it's it's here this is all that you need so that that may change the perception that the security engineer has of that V if they feel like they're not getting enough information enough documentation or that they sort of what they need is not being heard that may change the perception of how the security engineer works with that tool or works with that vendor uh and they may not use that
anymore so there's this sort of possibility that you know with a negative interaction like this this may change the perception of how they use these products uh which again may also affect the security although potentially in a positive way if I have a negative perception of of a vendor um and I may not use their product anymore you know that whether good or bad um that's sort of my perception right so even a year from then if that third party vendor or vendor comes back and says hey we'd like for you to try our product my I may already have a pretty cemented perception of how I feel about that company or organization even if let's
say uh they have new products or they've improved their security of their products and they can provide more information I may still have that perception that sort of negative interaction that I'm like you know what I'm just not going to use them because I just I didn't get a good feeling the first time now that could be like I said it could actually potentially be a good thing it might help improve security of that environment if you don't sort of trust that organization or you're not quite sure if you should or not then maybe that's probably a good way to go however um it is possible that you know a specific tool or a specific uh a a a
third party application something like that it is possible that it might be necessary for a business functionality or something like that so it is possible that it may have to be integrated at some point just depending on what's available on the market I mean fortunately there are a lot of vendors out there um but if you know if the business is looking for something in particular they may say you know what we're going to go ahead with this product anyway even if we're not getting the information we want because we have to because it's a business need so um that may change the the way the security engineer feels about that product or that company or you know whatever it
might be um but it may still be a sort of a necessary Tool uh that has to be used in the organization but the point is that the perception of the security engineer is probably going to change and even if that's going to change towards management if they say well you know what we have to use this tool anyway so you know just sort of deal deal with it we have to deal with it uh the security engineer might might change the way that they feel about management too it's like they don't understand what I'm you know trying to express or trying to explain uh which can change the way that they maybe interact with Management in the
future you know maybe they're not going to tell them in the future like well they didn't listen to me the first time I'm not going to tell them the the second or third time you know when this happens which again if there are unremediated vulnerabilities or you know uh other issues with the product and the security engineer doesn't feel comfortable going to management and saying anything again because they feel like maybe they're not being heard that would uh severely increase risk across the environment if if they are not actually expressing that to management so actionable takeaways I know I covered a lot uh but hopefully um hopefully I sort of brought the story together the biggest things here I would
say really understanding the concepts of perception and and cognition so how we make decisions and then like how do I make decisions how do I make risk-based decisions in my organization and how does perception affect those risk-based decisions how does my interaction with other teams affect how I associate risk with software with products how do I use my security tools how do I perceive my security tools uh and how it's really affecting the overall security strategy so not just how does it affect Security today but just like I was talking about perception over time how has maybe a negative perception between teams or negative interactions between teams affected the security strategy over time uh so considering not just today how it
might be impactful but in five years how will perception change or how could I change the perception of maybe the security team or tools or products um to make sure that I am improving uh Security in the future as as you know an organization grows um how does psychology fit into RMF so I love the risk management framework I think it's a fantastic place for organizations to really start to build sort of a risk management strategy right but I'm curious if there would maybe be maybe there is something missing there that we're not talking about the actual interactions with teams you know uh it's very laid out very well who sort of own owns and and manages each step in the
RMF process but what if there was sort of an interaction component or perception component in RMF that helps to identify where you know psychology and behaviors you know behavioral analysis or behaviors of people affect the way that we Implement and manage RMF like in an organization uh and do you have people trained in human factors on your security teams uh if not why not uh there are a lot of great cognitive psychologists that I'm aware of that are are sort of moving into security uh whether that's through teaching or or into industry and uh it's very very helpful I think it's really helpful because it helps to look at security in a different way um if we
keep trying to solve problems in the same ways it's just uh I can't remember who said it but it's like that that leads to Madness just continuing to to sort of try to solve problems the same way and then it's we're not getting anywhere so um so think about how human factors um in engineering think about how psychology might affect uh your organization maybe maybe it'll be helpful to understand those terms and that terminology uh wrap wrapping up so just final sort of thoughts here uh you know we as humans are the ones that are using these products we're using the technology we're using the software and we're working with it development product strategy marketing all of that
stuff we're working with them so how are we using this uh as humans um how does perception again affect the overall security strategy uh humans and intera humans and our interactions with other humans can really play a major part into how we Implement Monitor and manage security controls um and consider what security controls might be in your environment that are not just technical what what's security controls are people focused or people Centric uh and then just sort of evaluate you know taking stock in and I try to do this too if I interact with someone how did they potentially perceive that situation did they have a positive perception um did we have a positive interaction will that
positively impact the security posture of my organization uh so sort of um taking that back and thinking about how perception and even you know for me what what biases do I have have that are impacting me implementing security um so that's going to wrap up my presentation uh hope I hope it was helpful and I hope that I gave some actionable items uh for you guys to take uh take back I think I'll be hanging out in Discord for a while uh there's my LinkedIn if you'd like to connect with me on LinkedIn uh and I I just wanted to say a final big thank you to uh besides Delaware for for having me today um and
there's a ton of great talks I know on excited about them but I'll go ahead and stop sharing and turn it back over all right great thank you Nikki so much and uh we are going to take about a 10 or 11 minute break and come back with my container application has 100 vulnerabilities now what do I do uh so everybody stay tuned slight
intermission
There are two people in the post-Q&A.
hello everyone I'm RNA visha and I'm a developer Advocate at IBM and the title for my talk today is my container application has under vulnerabilities now what in this talk we'll understand what what are containers what is application modernization and and uh jump into what is uh container security and how to ensure container Security in a Docker applications so as part of Enterprises it digital transformation applications have expanded from traditional bare metal servers to VMS and now to Containers this is driving containerized app deployment and development with that enterprises are faced with key challenge how do you ensure that the uh containerized applications are secure containers are Standalone lightweight portable and they provide accelerated time to Market and infrastructure
efficiency they have Brad appeal because they allow users to easily package an application and its dependencies into a single image which can be promoted from development to test and to production without change containers make it easy to ensure consistency across environments and multiple deployment targets like physical servers to VMS to public or private clouds and this help helps teams more easily develop and manage the applications that deliver the business value and because of this application modernization and migration to cloud is significantly increasing the container option and in the next two years 89% of increase in container usage is expected and despite the high adoption rate uh container security continues to be a concern to ID
professionals 50% of ID professionals cited security as primary issue with their container strategy so what is cloud native so Cloud native applications are a combination of automated devops containers and microservices Cloud native applications are built using multiple independent microservices that are deployed in Cloud environments this avoids the mon monolith scenario of maybe Tangled code scope creep and over collaboration that ultimately releases impacts the relation schedules and using an automated devops and continuous delivery model software development uh teams can quickly and iteratively add new features to an application so if you look at the diagram um it it pretty much explains how uh Cloud native works and as a result we get a lightweight modular and
highly automated approach container security so devops isn't just about development and operation teams if you want to take full advantage of agility and responsiveness of a devops approach IID security also plays an integrated role in the entire cycle and with this approach there is a way for us to integrate devops and security for best Dev secops practices by by putting a certain controls in place right starting with secure by Design culture and practice this is a absc program that starts with the people culture that lead to secure and best uh coding practices shift left design and development what this simply means is instead of thinking of security as an afterthought once the application is created maybe then I'll
write a firewall and Patch something instead of thinking of it like that we have to shift left and incorporate Security in every cycle of development enable core security controls uh which will Implement core controls across data identity Network and points and containers and continuous validation and offensive testing U we'll have to make sure that the applications are continuously tested and then finally cicd delivery automation um you could use something like a rad anible to establish a robust Dev secops tool chain while helping while helping automate deployment and development of security controls which are embedded into the uh deployment of new workloads so there are multiple reasons why security can be challenging for container environment and the following
considerations are critical for securing uh container environment speed of container uh deployment can be a double EDG Squad right the benefit of container technology is that they accelerate application development deployment processes making security updates upgrades and vulnerability patching fast and easy yet the speed of De deployment can be a challenge too often there is not enough time for quality assurance or security testing which means that companies need to go through manual processes of consistently checking that the latest versions of containers are the ones that are being used that all the code is patched and fully up to date um and microservices adds complexity the fact that containers typically requires applications to be broken into smaller microservices
resulting in increased data traffic and complex access controls and more rules you have a lot lots and lots of servic often too many ports so that means there are more doors to secure plus each door has less information about what's going on so it's harder to identify someone's the bad guy and then use of public container repositories the traditional software development process build test deploy quickly becomes Irrelevant in the age of containers in fact developers often grab ready to use uncan images from public repositories and throw them into the cloud uh and by the time someone notices that the containers are there they've done their job and are gone so the life cycle might be over by
the time security team can actually go in um lack of isolation one of the nice things about virtual machines is that if an attacker takes over your VM the damage he can do is limited to that particular VM uh this is not so with the containers an attacker who compromises one container could potentially gain access to the others that are running on the same post and the LA and the lack of strict isolation between containers is another uh inherent container security challenge lack of visibility right the portability makes containers more susceptible to In Motion compromises many security profession professionals don't have the right tools to monitor transient container and microservices as they appear and disappear additionally
most of the recent attacks started from within the data center and more laterally due to the lack of visibility and control for East West traffic hackers exploit this oversight not addressing this traffic flows leaves the organizations vulnerable to potential security threats Cloud native environments Cloud n Technologies such as container serus and other microservices based Technologies present Real challenges to security teams especially when coupled with fast-paced devops processes Cloud native environments require new approach to security and lack of skills and expertise can create that challenges so whether using whether you're using containers to build your application from ground up or putting your existing monolith apps to a containerized environment you need to realize that container environments
introduce you to a unique set of security risks that you should be ready to address from day one as you begin to pull your uh base images to build your containers until they're deployed and running in production environments and there are five major container risk areas starting with images right containers are built using either a parent or a base image images are useful for building containers because you can reuse the various components of image instead of building a container image from scratch however like any other piece of code images or dependencies could contain vulnerabilities registry for developers the quickest and easiest way to incorporate standard open-source components into an application is to pull the appropriate container images
from a public repository um when you do this you are by necessity trusting that the registry to uh maintain the least at the basic level of security regarding the contents of image orchestration the orchestration layer of container security focuses on the environment responsible for the day to-day operation of containers there are multiple moving Parts in orchestrators such as coas this makes it more challenging to secure not only because of the number of components involved but the way in which those components interact right some Communicator via API some others via host file system all potential points of entry into to the orchestration environment must be addressed and then comes containers uh besides the entities such as apps and
images they hold containers themselves are often considered vulnerable to security risks through container run times that manage the containers a vulnerable runtime can expose all the containers it runs and also the host OS to potential security risks and finally the host OS itself the OS that host container environment is perhaps the most important layer of the stack because an attack uh this is an attack that compromises the host could provide Intruders with access to everything else in the stack um container security risks are majorly uh categorized as compromise of a container image or compromise of container as a whole and then uh the other type is if someone's misusing a container attack or containers that the
host Os or other host among others uh so if you look at the threat vectors that the container environment introduces us to starting from images right you have image vulnerabilities configuration defects embedded malware embedded clear teex secrets and the use of untrusted images right uh when you're reporting your applications to a cloud strategy these these are certain things that you must address as far as container images are concerned then comes registry you might come across insecure connections to Registries stale images in the registry insufficient authentication and authorization restrictions to the registry orchestration unbounded administrative act access unauthorized access poly separated inter container uh Network traffic mixing of workload sensitivity levels and orchestrator no trust right
these are certain thre vectors that orchestration layer uh presents us with then comes container itself the vulnerability within the runtime software unbounded network access from containers insecure container runtime configurations application vulnerabilities And Rog containers right and finally comes the host where this is the largest iack surface it has um starting from Shar Kel Hosto components vulnerabilities improper user access rights and host file file system tampering these are some of the things that could happen um with host right so container envirment introduces us with uh whole different types of thread vectors so our container I mean our container services should cover all the risk areas right it should address major risk areas that we've discussed about
starting with images application images are among key vulnerable areas for security risks in container environment these images can be outdated once insecure versions of software applications carrying bugs those containing hidden malware and those are those which are Loosely configured moreover these images often carry along authentication keys or certificates to address this risk we will have to design value dat and then detect the configuration defects and Define the policies to block the instantiation of unsecure images and then comes registry so when we are accessing from a poly configured registry the access should happen through an encrypted and authent authenticated connections also the registry should undergo continuous monitoring to ensure all stale images that offer scope to vulnerabilities are
cleared so we should ensure that the audit processes uh implementation of secure connections and then develop policies for Effective authentication then comes securing the orchestration uh it recommends tight Access Control to Cluster wide administrative accounts through effective authentication methods something like a multifactor authentication just about uh password authentication segmenting the containers by purpose sensitivity thread posture uh provides higher defenses defense in depth and overall container orchestration platforms should be configured to features that make them facilitate a secure environment for all apps that they run therefore it is recommended to implement rbac uh policies for uh proper API controls design and implementation of workload security zones right securing the container so the most common security issue with containers occurs
when container run times that manage themselves contain vulnerabilities a vulnerable runtime can expose all containers it runs and also gives the host to to uh potential security risks given the flexibility that containers enjoy through Dynamic IPs over the network there is a need to identify Network anomalies in such an environment and apply relevant filtering tools to address any possible vulnerabilities we should ensure the vulnerability management Monitor and help control unbounded network access detect and fix the insecure container runtime configurations and finally the host OS host OS is a key to successful container environment given the fact that it lies at the lowest level of container architecture uh it it is the more critical Target to security threats a
compromise of Hosto can lead to the compromise of all containers that are running on it host should undergo continuous scans for abilities and any required updates should be immediately applied so this is not just uh the level of container runtime it should also be done to the lower level components such as canel uh which is which are key to secure container operation proper configuration is also important to security of host OS it should be run as immutable infrastructure with no data and application Level dependencies this make host is highly reliable and effective in functioning so these are some of the security controls uh to address the container risks that we've discussed about so here are some of the best
practices right when we are writing our code what these are some of the practices that we could follow right starting with wh listing the dependencies so it's a tradeoff between convenience and security right so solution is that let the developers be Developers create a dedicated team to Whit list approved set of goal and base images for developers and if you if you this is a typical example that you're seeing on the screen um remove the blo that's found in your typical VM instance right you need to Whit list the dependencies that you need for your process and then you remove the system libraries or tools that hacker hackers sometimes love right and we have to use
managed Security Services uh ship the security consistently across the enir so don't use the root user in the container right so it it prevents Hackers from doing anything that requires root with your container right it all if you if you don't use the root user in the container it also prevents hackers to from using aptg to install additional tools that they might need to exploit further on in your continue base so this is a typical example just put user X in your Docker file and after running any commands that uh requires root and then limit the container resources so when you are when you're are running a container or a pod on orchestration platform you can write a
machine config and limit the container resources, limit the resources by memory and CPU, right? When you're putting a certain limit, it prevents DoS attacks. So one way to prevent a DoS attack is to place memory and CPU limits on the container. And these are some of the security options that a Kubernetes environment offers: use a non-root user and give only a read-only file system. If you're writing a pod, or if you're creating a container for a certain image, you can enable read-only access to the file system when you're writing the security context. And finally, disallow privilege escalation, right? So in the specs that you're writing for instantiating a container image as a pod on an orchestration platform, all you can do is write a security context: run as a non-root user, enable read-only access, and disallow privilege escalation. So here are some of the other best practices when it comes to using Kubernetes as the orchestration engine. You can use IAM to configure role-based access policies; you can manage the access to the Kubernetes resources. You can use RBAC to define pod security policies; with pod security policies, what I mean is you can configure policies to authorize who can create and update pods in the Kubernetes service. Then comes encrypting the data in Kubernetes. In version one point something, in certain
versions of Kubernetes, the data in etcd is stored on the local disk of the master node, hence it would require us to encrypt the data that's being stored, right? So we'll have to make sure that the data is encrypted. And then enable TLS on your Ingress so that you can encrypt the data that is going into your apps, and then implement network policies using Calico. And you can protect the app config with Kubernetes Secrets: instead of writing your application configurations directly in your code, hard-coded, you can write a Secret for Kubernetes or any orchestration platform through which you can protect your app config. And finally, Istio. Istio is a service mesh that provides a uniform way to connect, manage and secure your microservices. So what you can do is use Istio to establish mutual TLS among the microservices that are running in your environment. Securing container workloads: this is how enterprises most of the time work. You have a typical pipeline which mostly consists of build, dev, test, AppScan, pre-prod, etc. This is the kind of DevOps pipeline that enterprises are using. Every time a new change is made, instead of actually performing each of these steps manually, we can automate it by setting up a delivery pipeline. So in a delivery
pipeline, a build stage is where you're fetching the code changes from the source repository and building the code. Once the build stage has passed, it automatically starts a dev stage. The dev stage again has certain jobs where you're trying to deploy the application and also perform some functional tests. Once the development stage is done, the test stage is automatically triggered; once the test stage is done, AppScan, dynamic, prod. So these are some of the things that typically happen, right? Some of the benefits that it offers: delivery pipelines are very easy to set up and they enable continuous integration, continuous integration testing, continuous deployment in your application. And one more advantage: you can deliver your application into multiple cloud platforms or multiple deployment targets, anything. So this is where we have to understand: when transferring data among network systems, trust is a central concern. In particular, when communicating over an untrusted medium such as the Internet, it is critical to ensure the integrity and the publisher of all data a system operates on. You use Docker Engine to push and pull images to a public or private registry. So content trust is a concept which gives you the ability to verify both the integrity and the publisher of all the data that is received from a
registry over any channel. Docker Content Trust provides the ability to use digital signatures for data that is sent to and received from remote Docker registries. These signatures allow client-side or runtime verification of the integrity and the publisher of specific image tags. Through DCT, image publishers can sign their images and image consumers can ensure that the images that they pull are signed. Publishers could be individuals or organizations or automated software supply chains signing the content as part of their release process. So when a publisher who is using Docker Content Trust pushes an image to a remote registry, Docker Engine locally signs the image with the publisher's private key, and when the user pulls this image, Docker Engine uses the publisher's public key to verify that the image is exactly what the publisher created. So it ensures that the image wasn't tampered with and that it is up to date. Docker Content Trust provides strong cryptographic guarantees over what the code is and what versions of software are running in your infrastructure. It integrates The Update Framework into Docker using Notary; Notary is an open-source tool that provides trust over any content. So here are some of the use cases that it provides, starting with image forgery, right? So let's say a publisher has published his image; a certain private key is associated with the image, and if
a hacker is trying to tamper with this Docker image, since the key is tagged, once the hacker has tampered with the image, when the user is trying to pull the image he will check for the digital signature which is available on the image, and since the image has been tampered with, anybody who's trying to pull the image will not get a validation on the digital signature which the image has. So there is no way to forge the image; if Docker Content Trust is in place, image forgery can be detected. Replay attacks: a replay attack occurs when a cybercriminal tries to eavesdrop on a secure network communication, intercepts it, and then fraudulently delays or resends it to misdirect the receiver into doing what the hacker wants. The added danger of replay attacks is that the hacker doesn't even need advanced skill to decrypt a message after capturing it from the network; the attack could be successful simply by resending the whole thing, right? The way DCT avoids this is, like I said, every image has a tagging key, and if someone is trying to perform a replay attack on it, once a user is trying to pull
this particular image, you'll see that the digital signature is expired over the Docker image. So if a hacker tries to delay it or tries to resend it after a certain time, after eavesdropping on a certain network, by looking at the expired digital signature over the Docker image, the user who's trying to pull the image knows that it's no longer valid. And then finally, compromised keys. In the case of compromised keys, the hacker simply tries to replace the keys with something else. In this case, if a publisher is publishing an image with a private key and let's say the hacker is trying to tag it with a compromised key, what happens is when the user is trying to pull it with a public key, the mismatch is easily recognized, and the fact that the keys are compromised is easily noticed. So that's Docker Content Trust, one of the practices that can be followed when you're using Docker applications. And then comes vulnerability scanning, right? So we face attack vectors like OS vulnerabilities, which could be vulnerable core versions or patch libraries, and then application weaknesses, something like XSS, buffer overflows or SQL injection. So with containerization, every layer in the container is just one link in the chain; the containers that you produce can be used as a base for another
container, and so on, with each link in the chain susceptible to the attack vectors and threats. So that's when we use vulnerability scanning. When containers are loaded into the container registry service, or any registry service, they should automatically be scanned for vulnerabilities, and once this vulnerability scanning is done it will generate something called an assessment report. This assessment report consists of the CVEs, the Common Vulnerabilities and Exposures, that are identified for the image, right? So whether it's exempt, the CVE ID, the security notice information and the summary of the vulnerability that has been detected. So this is a typical process that happens, and these are some of the issues that will be captured by using VA scanning. So this is how it actually looks. If you see, once the image is scanned with vulnerability scanners, something like OpenSCAP, the vulnerability IDs, CVEs, are captured, and once the CVE is captured you also have to understand which package has been affected. Once you identify which package is affected, typical VA scanners usually advise us on how to resolve it. So it's not limited to CVEs; VA scanners usually identify configuration issues too. Using these configuration issues you can identify and accordingly address it, write a patch for it. And then comes Docker image signing,
right? So in the same pipeline that you're setting up, one way to do it is to automate the entire process using toolchains. For an application you can write two separate toolchains, one which focuses mostly on image signing. So if you see, this is an example of what it could look like: there are two stages that are set up. The Docker Content Trust stage starts by DCT, where it will create the DCT keys, right? Once the DCT keys are created, this stage also allocates the keys and provisions them to be the delegation keys that are used to sign the Docker images in the future. And the second stage that you're seeing here is to set up ikas runtime enforcement in the deployment cluster. So what this stage does is create an image enforcement policy that is applied on the Kubernetes cluster, and the stage also specifies that an image can't be deployed until the signatures are found and validated. So you can control where images are deployed from, enforce VA policies, Vulnerability Advisor policies, and then ensure content trust is properly applied on the images. If the image does not meet your policy requirements, the pod is not deployed to your cluster, or updated or maintained or anything. So the CISC container image enforcement policy retrieves the information about image trust and vulnerabilities from the registry; you
can choose to block or allow the deployment of images that are stored in other registries. So these are some of the steps: instead of having your pipeline mostly focusing on building and containerizing and deploying, these are some of the stages that could ensure the security policies are in place. You have build, containerize, validate and deploy stages in your DevOps toolchains. Writing unit tests in the build phase would make it easy for us to test that the application code is properly being built, and in the containerize phase you also build signed Docker images instead of building just Docker images, so that you ensure that the images are tagged and signed for us to validate before instantiating them. And the next stage is the validate stage; this is where you're checking vulnerabilities. The check vulnerability stage is a stage where you're checking whether the image has any CVEs or configuration issues. If they are not there, if the stage passes, move on to the next job where you sign the image for validation. Once this is done, you go to a deploy phase where you do a pre-check of signatures, and once the signatures are confirmed you instantiate the container image, which would mean that you're instantiating a pod on your orchestrator. And apart from this, your toolchain must contain vulnerability advisor software, Docker image signing,
source control, issue tracking, online editing and then finally deployment, or the Kubernetes service or orchestration service that you're using. So if you look at the stage where we're talking about vulnerability scanning, it is a simple assessment that should give an overall status of the image based on the vulnerabilities or any configuration issues that are present in the image. If nothing is present, that's when you approve the image and instantiate it. So if the image has indeed been found with vulnerability or configuration issues, just make sure that your toolchain will exempt it out and accordingly stop the instantiation of the container as a pod. So that's my talk, thank you.
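The pod hardening settings the talk walks through (non-root user, read-only root filesystem, privilege escalation disallowed, CPU and memory limits) written up as a pre-deployment check, the kind of gate the validate stage described above could run before a pod is instantiated. This is an added example, not code from the talk or from any vendor's toolchain; the two manifests in it are constructed for the example.

```python
"""Pre-deployment check for the pod hardening settings discussed in the talk.

Added example (not code from the talk or from any vendor's product). It takes a
Kubernetes pod manifest already parsed into Python dicts, as a YAML loader
would return it, and reports which of these settings are missing:
  - run as a non-root user
  - read-only root filesystem
  - privilege escalation disallowed
  - CPU and memory limits on every container (the DoS guard)
The two manifests at the bottom are constructed for this example.
"""
from typing import Any, Dict, List, Optional


def _security_setting(container: Dict[str, Any], pod_ctx: Dict[str, Any], key: str) -> Any:
    """A container-level securityContext value overrides the pod-level one."""
    container_ctx = container.get("securityContext") or {}
    if key in container_ctx:
        return container_ctx[key]
    return pod_ctx.get(key)


def _explicit_uid(value: Any) -> Optional[int]:
    """Return runAsUser as an int, or None if it is unset (bool is excluded)."""
    if isinstance(value, int) and not isinstance(value, bool):
        return value
    return None


def check_pod(manifest: Dict[str, Any]) -> List[str]:
    """Return the list of policy violations; an empty list means the pod passes."""
    spec = manifest.get("spec") or {}
    pod_ctx = spec.get("securityContext") or {}
    # initContainers run under the same rules, so they are checked too.
    containers = list(spec.get("containers") or []) + list(spec.get("initContainers") or [])
    if not containers:
        return ["pod defines no containers"]

    violations: List[str] = []
    for container in containers:
        name = container.get("name", "<unnamed>")
        ctx = container.get("securityContext") or {}

        # 1. Non-root: reject an explicit uid 0; otherwise require either
        #    runAsNonRoot: true or an explicit non-zero runAsUser (pod or container level).
        run_as_non_root = _security_setting(container, pod_ctx, "runAsNonRoot")
        uid = _explicit_uid(_security_setting(container, pod_ctx, "runAsUser"))
        if uid == 0 or (run_as_non_root is not True and uid is None):
            violations.append(f"{name}: may run as root (set runAsNonRoot: true or a non-zero runAsUser)")

        # 2. readOnlyRootFilesystem exists only at container level.
        if ctx.get("readOnlyRootFilesystem") is not True:
            violations.append(f"{name}: root filesystem is writable (set readOnlyRootFilesystem: true)")

        # 3. Privilege escalation must be disallowed explicitly; a privileged
        #    container always permits it, so that is flagged as well.
        if ctx.get("privileged") is True or ctx.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: privilege escalation not disallowed (set allowPrivilegeEscalation: false)")

        # 4. Resource limits: without them one container can starve the node.
        limits = (container.get("resources") or {}).get("limits") or {}
        for resource in ("cpu", "memory"):
            if resource not in limits:
                violations.append(f"{name}: no {resource} limit")
    return violations


# Constructed manifests: the first is what a developer typically writes by
# default, the second applies every setting the talk lists.
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "app-weak"},
    "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]},
}

HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "app-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [
            {
                "name": "app",
                "image": "example/app:1.0",
                "securityContext": {
                    "readOnlyRootFilesystem": True,
                    "allowPrivilegeEscalation": False,
                },
                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            }
        ],
    },
}


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        problems = check_pod(pod)
        print(f"{pod['metadata']['name']}: {'BLOCK' if problems else 'ALLOW'}")
        for problem in problems:
            print("  -", problem)
```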
All right, welcome back to BSides Delaware 2021. I'm your MC for today; my name is Rando. Thank you guys for all hanging out, or as I like to say, guys, gals and all of my non-binary pals. This is our 12th year, second virtual, but very much looking forward to seeing all of your smiling faces next year. We have our next talk; our speakers are here, and it is "Security Engineering does not equal Admin, Analyst, Responder." Take it away, gentlemen. Awesome, thanks very much. Hey, great to be here, and I really appreciate you guys listening to our talk. So I have the awesome privilege of working with Lou, infiltrate, and we are going to talk about how security engineering is its own unique skill set; it has overlap, but it is not exact to all these things. So your standard disclaimer, forward-looking statement, legal liability, etc. goes here. But hey, who am I? I'm Craig Bowser. I've been doing security for over 20 years in various DoD and civilian contractors and agencies and such. I have some letters after my name that mean something to HR folks, and I go by reswab 10 on my Twitter account, and I blog very occasionally; it's been too long, so I'll try and get that updated. But that's me. Hi, I'm L Goon. I've been a security
engineer for several years now. I started in information technology in the defense contracting industry, did a lot of things such as system administration, software development, and still ended up in cyber security and security engineering. I have a couple of certs as well. My Twitter handle is infiltrate and my email is lon 7@gmail.com because I'm too lazy to do a website or a blog. So that's me in a nutshell, and again, we're glad to talk to you guys about security engineering today. So this is what we're going to cover: we're going to talk about, hey, what is security engineering, what are some of the roles that go with it, we're going to introduce yet another framework, because we know you guys love frameworks, and I mean, who doesn't love frameworks, right? I tell you what, I have frameworks all over the place, and yeah, posters full of frameworks, yes, notebooks, yes. So we'll talk a little bit about what the job market is for security engineers, how to become educated and the certifications that go with that, and then we'll look forward a little bit at what are some of the current challenges and the future challenges that security engineers are facing. But first, Lou, give us a definition of what security engineering is about. You know,
it's been something where we look at everybody's definition of security engineering and we see something that's common, so this is really more common to what we believe security engineering is, and that is: security engineering is the process of designing and incorporating security controls into an information system and making that a part of the system's integral capabilities, right? And then you want to say, well, what does a security engineer do? The security engineer is an experienced professional, and we'll elaborate on that a little bit later in the talk, that designs and implements strategies and systems to protect infrastructure from cyber attacks, threats and vulnerabilities. That is the overall definition of security engineering and engineer that we would like to expound on for today. Exactly, but really, where did this come from? Remember years ago, security was sort of like its own thing, or wasn't even a thing; we were relegated to the bottom floor, in the closet down in the lower level of the corporate building, right? Right, yeah, with everything else, but security was not its own thing. So where did we come from? Back in the 90s, with, what was the CPU, what did you have back then, Lou? I had a Gateway, I think it
was a 35 megahertz SX Intel processor, SX 86 processor. Yes, you were flying. Did you have that little turbo button? No, that was the DX model; the SX didn't have the turbo model. Okay, right, so that little turbo button, I'm not sure if it actually, maybe it did do something, but it made you feel good to push the button, think you're processing faster. But really, what were we facing back then? We had infrastructure like firewalls; proxies were around, remember, network web proxies were coming in; IDS was introduced; antivirus was around, because even back then we had viruses; they didn't move on their own, at least not a lot. So what else were we facing? We were facing corporate snooping, BBS kind of snooping and attacks and passing of things, but our IT infrastructure was very basic: websites, email, online servicing, AOL, anybody? I actually didn't have AOL; I hated it, I hated it even then. What do we call it? So yeah, but, huh? No, go ahead. Yeah, I was just remarking that, yeah, so I remember
what was security engineering back then? Again, it wasn't on its own, but I remember I was in the Air Force at that time; I was part of a team called Scope Network, and our job was to go to Air Force bases and help optimize and troubleshoot their networks. So we would show up at a base and spend two weeks basically doing whatever the Comm Squadron, the communications squadron, needed. Some places it was, hey, we have this new router, it's our point-of-presence router, it's our border router, and we just don't have, we need some help because we just don't have the time. Funny thing is, back then they didn't have enough people, enough time to do everything they wanted; guess what hasn't changed in 20 years? You still don't have enough people, enough time to do everything you want. So we would go and help them do that. Sometimes it was rebuilding their domain structure in NT4; now I don't know how many of you remember NT4, that was a thing, and there still was the concept of domains, and sometimes we would completely redo their domains. All of these things required
engineering to figure out, well, how is this going to affect the network? How do we plan to ensure that it not only has minimal negative impact, but that on Monday morning, or the next morning, when these changes were implemented, the entire base was able to come up and be not only functional and operational but actually more efficient, because we've done something to improve the efficiency of the network overall. And so the concept of security engineering wasn't necessarily written out; it was just, hey, go fix this, but really that's what we're doing, because we're not only making the network, we're working together with the operations to secure and make the network efficient. To add to that, yeah, as you can see here in our slide, the threat profile continues to grow over the decades, and as you can see, not only the threat profile but the technology and the networking technology, these things grow over time and our profiles become more complex, as we are in today. So the reason why I really like that, the fact that we started basically here at the 3600 baud level, we're now to multicore levels and artificial intelligence and data breaches and things like that; that whole threat landscape has increased over the decades here, and it's just a short span, this is
like 30 years, right? And here we are, full online services, full cloud, mobile integration and things like that. Those things, I think we will see that over time, made the information technology and the cyber security industry grow and expand, to come to terms to where we have all these roles under the cyber security umbrella, and so on and so forth. But what has really emerged recently has been the security industry, the security engineering industry, at this point. Yeah, and as Lou said, security engineering has just gotten more complex as we have continued to add all of these things while still taking into account the old stuff that's still around. Slammer is still around, right? You go listen on the superport, on the wild internet, and you'll still see the Slammer worm trying to infiltrate you. Scary; it's been 15 plus years, but things never die. So, Craig, let's talk about the security engineering roles here. Yeah, so how, where do you go to get into this? How do you start? Where did we all start? I talked a little bit about where I started: I started as a system admin, I started as a network admin doing
optimization, troubleshooting and understanding the roles. But the beginning into this is a number of different ways, whether you start from networking, whether you start as a server admin, whether you start in IT support; all of these provide some of that foundation. I mean, the whole point of this slide, I think, that we really want you to take away, this is from CyberSeek by the way, the whole point of this slide is that cyber security engineering, security engineering, is not a beginner role. This is not an entry-level position, because you need to understand so many foundational aspects of your environment, of a network environment, to really do that well. So you start from your feeder roles and you move into sort of entry-level, junior roles of doing cyber security analyst and incident response, and maybe focusing on vulnerability management, and then as you move into more of a mid-level, journeyman role, maybe an eyes-on-glass incident responder, analyst, maybe a consultant, maybe doing pen testing, vulnerability exploration or research, right? All these skills build on each other to allow you to be a cyber security engineer overall. And don't mind these numbers; we'll talk more in depth about
jobs and salaries later on in the presentation. But understand, hey, the engineer is not something where you just walk off the street and say, yeah, I'm going to be a cyber security engineer, because there are so many things that build on that. So what does that look like? Well, first, some of the roles that go into it: the concept of an ISSO/ISSE, information security officer, where you understand regulations, compliance, you understand how to write and read and apply policies and monitor your environment for adherence to those policies. And then you move over to the concept of an architect, a security architect, and what this role entails is the actual design of network configurations, of security, of applications, designing applications, utilizing applications, configuring applications securely; policy, absolutely, understanding and being able to take a policy and figure out how that actually applies in your environment falls in this role. These architects, they're thinking one to five years out; they're thinking, hey, what is this new tool, what is this new technology, how does that work in my environment and how do I make sure it works securely. And then from there there's the security analyst part, where these guys are eyes on
glass; we're familiar with this role. They understand and they monitor the state of the security posture of your environment, and they're analyzing and reacting to deviations from that secure state and investigating incidents. And by the way, obviously this is a very high-level slide; you can go way down in the weeds on each of these roles. But where I'm talking about here, as it deviates from security, is the network and server admin roles: that is where these guys are responsible for ensuring our environments operate; they ensure that traffic and users and tools are working, available, that there's uptime, that things are efficient, that everything's accessible. And so what we have is that security engineer that overlaps all of these. Sometimes, and those of you who are in smaller organizations, you wear many of these hats all at the same time, or you're switching in and out as you're going throughout your day. But in general, you're looking at the engineer: he's implementing the architect's plans, he's partnering with the engineers and the admins, you're ensuring your analysts can do their job, and you're enabling the ISSO to work with compliance. So what you're saying, Craig, is the security engineer is the great compromising role: we work with everybody, we work a lot with everything from the C-level down to the
analyst and even the user. Absolutely, we cross all those planes, and we'll talk about that a little bit here, where we have the hard skills and the soft skills. So working with all of those people, all of those users, hey, in the hard skills, what do we need to be able to do, what are our hands-on-keyboard tasks? So for the infosec part, you need to understand security policies, best practices, understand and comprehend vulnerabilities and exploits that leverage those vulnerabilities, how tools, both attack tools and defense tools, work, and how to detect and protect your network, how to detect the bad things, how to detect the attack tools, how to find the vulnerabilities on your network and how to prevent attacks, or at the very least, what's mandatory? What do they say: if you can't prevent, you must detect; you have to do one or the other, ideally both. Then you have to understand, from an operating point of view, the server administrator roles: understanding how authentication and authorization work in your environment, along with just the configurations. That's such a small sample of all the things that go into it, whether it's databases or web servers or applications or operating
systems, or, well, I'll talk about cloud separately, but that's just an example. Of anything, you've got to understand authentication and authorization, because that's such a huge part of security. But then, tied to that, scripting and programming: these are skills that are absolutely required in today's environment, because where it's not provided necessarily by a tool, you may have to actually grab your scripting skills and go do something. And then you talk about network architecture; talk about absolutely needing to understand this skill, because you're dealing all the time with protocols, you're dealing with their tools of the network and the communication. What do we see? Many exploits take advantage of weaknesses in these tools, in protocols or in how things communicate, and so understanding why DNS flood attacks, why they and how they work, enables you to then architect, or at least engineer, your network: understand what the architect is doing to protect your network so you can engineer an implementation to protect your network from those things. And finally, recently, recently being like what, 10 years, but recently we have all the cloud stuff that we now have to understand, because even though the
concepts are similar, they may work slightly differently; some of that is abstracted away from us, where we may not see the bits and bytes that flow underneath the virtualization that we are inside, but we still have to understand what that layer is and how they work together to provide us the containers, how serverless works and why it works, so we can then protect it. But hard skills are only one side of the coin, and soft skills are as much required as anything, if not equal. And so when you're an engineer you're doing a lot of writing, because you're reporting on what you're doing, you're reporting on how things work, you're reporting on what should be done, and so documenting what you've done: memos to co-workers, memos to management, detailing where you should go, recommendations therein; taking notes, because you're going to be in meetings a lot, because you're going to get called: hey, we've got a new project coming out, we need you to be in this meeting, we need you to figure out what to do. So you're going to be taking notes a lot of times about what's going on, so that's an important skill to have. Project management, time management, absolutely, because your projects are not going to
be sort of, hey, install this operating system, install this application; your projects are going to be multi-week, multi-month tasks and goals, where you're going to have to know how to manage different tasks and the timelines and dependencies and manage your time for each. Not maybe just your time but, moving into people, you're going to have to understand how to manage teams or work within teams to get your tasks done when there are dependencies on other people, so being diplomatic in that sense is super critical. Hey, performance under pressure: you will be responsible for multi-million dollar projects maybe, or multi-thousand projects, but definitely you're going to be responsible for projects where your company, your organization is like, hey, if this doesn't get done we're sunk, right? So you have to be able to perform under that pressure, under people micromanaging you, or being, similarly, under a microscope. And you've got to work with all sorts of people, so that means you can't just say, well, I don't want to work with this person because I don't like them, I don't like their clothes, I don't like the fact that
they're a Giants fan. I don't like the fact that they're a Dallas fan; actually, if you're a Dallas fan, I don't work with you. But whatever it is, you've got to be inclusive of everybody, right, that's part of that skill. So business skills: hey, when you're doing the project, understanding what the cost is, understanding how to estimate that cost, project that cost, ROI, and knowing when you're going to get a return on investment. You may have to work with sales; if you're a sales engineer, that's absolutely part of security engineering. The role I'm in now, I'm required to get on pre-sales and discuss with customers how they may implement, or how this tool would help them or this service would help them, and so that's a skill that's important and critical to develop. Ultimately you have to be a problem solver. You're going to get called in on meetings, or called unexpectedly: hey, such and such broke, why? And that's all you're going to have, and so you need to be able to think about what services and protocols and configurations should be there to kind of logically trace back why something broke, and so that's going to be a very key skill. So Lou, thinking about how you got to where you
are in your security engineer career here right where some of these things really stood out to you that you really said oh yeah that that was something I had to develop well definitely the hard skills um uh were were were key to my my beginning in Information Technology but I want to touch on something a little bit more recent with that in the soft skills category was that uh and and and we look at this this from like you said a project management perspective and things like that but you know as over time these these industries develop right so we were dealing with project managers and budget and things like that from working with that but now we have
Team project things and and and methodologies such as waterfall and agile and things like that that we now are a part of at the table so learning that that transition over the time was really integral to to to my soft skills uh setup as well I mean I like you I'm not a big fan of documentation but you know the most of my time I was I was actually writing administrative documents and Disaster Recovery documents and and documenting technical procedures or incident handling procedures over over the over o over the course of any any of my job sets right so those key things learning how to make sure that we write we're good at technical writing we're good at at
making sure that we understand uh uh a processes and things like that to recover or to to implement or to make sure like you said if we get hit by a bus or something uh somebody else can take that documentation and run with their project so those are the ma some of the the constant levels uh soft skills that I I had to uh to really hone in on over time and and over time they got really easier uh with that as far as the hard skill set man I started off with application development I started off with Hardware integration especially with videos and stuff and I did all the majority part of my system
administration and then as we started get attacks and and and and incidents and stuff like that that really kind of kickstarted you know understanding like you said about operating systems understanding about uh applications and things like that and and some of the network typology that you mentioned you you really get an appreciation for that when you now have to go in there and figure out how to to integrate an IDs into a system or to a network or into a corporation so that hard skill sets of of of getting that experience initially in in your field uh really pays off when you you transition into a security engineering Road uh absolutely so um so how do you know what are some
ways that we get there right how do we get to this point and there as you know as I implied with the Cyber seek uh there that's one option that's one path but you know really where you know where can we you know how what's the path what are some of the other paths some of the other ways to to uh move into this field or if you're in this field continue to advance in it so let's just be honest bottom line you know first thing is that there's there's schools right you can go to uh colleges you can go to uh um Tech schools uh if you're in the military a lot of military has really really been
focused on providing training for their troops uh in it and in high-tech uh uh skill sets and career Fields And so there's a number of different uh schools that have security engineering degrees and so that gives you a great leg up in the industry uh both bachelors and Masters Masters obviously is something you want to pursue if you are already in the field and want to improve your you know your uh your skill sets and your capabilities there there's training companies sanss is a one that obviously comes to mind quickly but there's uh Udi there's LinkedIn learning there's boot camps as well that uh operate in a similar fashion to say you know cisp boot camps but for longer times uh we
and by the way we have a bunch of links at the end of this slide presentation which we'll share out uh that H you know that you can then do further uh research on your own uh there's uh other formal training could be vendor specific and this is not something to uh uh to to kind of blow off you say well if it's vendor specific then am I only qualified uh for that vendor no I would say that you're not be why because uh the Concepts that they teach are going to apply no matter what so if you're talking about you know building a DMZ with Cisco products you can still build a DMZ with Palo Alto or
Juniper or some other tool but it's just obviously knowing what you know the difference in the commands and the process the concept of what a DMZ is and why it's important applies no matter what tool that you are using to do that so uh formal training is great because it increases your knowledge in general for the field as well as uh increases your skill set for something uh specific for maybe the J current job you're on and the current job you're trying to go for and then finally you can uh you can just be self-taught as well and that's uh that's important uh and there's number of ways you can teach yourself to either get as you're getting into the
field or once you're in the field improve your skill sets uh then I want to bring up just the uh National Initiative for cyber security cage and studies website uh which is by the way a horrible name because it's way too completing know but nevertheless um sorry um nevertheless uh you know they have I think the best way is to to really call it out is they have a specific um uh key uh uh key measurements or key skill sets that they break out different uh uh different different job details so for instance what's pictured here is a cyber defense infrastructure support specialist and they break this down and they say hey you should have these
abilities and this knowledge and this skills and these are all the the the different things and they break it's a great way to say hey what do I need to know for this type of job now they don't necessarily have a security engineer but you definitely can kind of as you look through it you look through these at least these three security architects information system security developer you see that the skills and the abilities and the knowledge in these really help you um you know with um really help you with uh uh you know doing actually security engineering and then finally once you start uh well finally with this as far as prepping and moving into the career
uh there if you once you're in the career you know you're looking for some of that you know those certification those letters after your name that HR department's like uh so you know there's a number of of actual searchs that really actually apply to engineering and so you could have you know from the cisp once you get that you can get the specialty of engineering uh the siza the C uh siza plus from CompTIA uh is definitely apply applicable if you have the uh opportunity to take Sans training there's the gced or the gdsa a great uh great classes and and great uh certifications for engineering because they look at security from the Enterprise Point of View and uh you know
and then you also can work through those vendor shts I have some examples from Cisco here so all of that brings us to what we want to talk about our new framework right the one that we you know that we're presenting so so Security in general likes to talk about the CIA Triad confidentiality integrity and availab ability but we're saying hey if you're an engineer your your framework should be slightly broader than that Lou you want to uh dive into this so yeah uh we we we were talking about this as we developed the the presentation of what what are some of the areas where we can can can uh look at things from a
security engineer perspective from from other perspectives as as we Define this roll out right so we we we saw that there are are at least three good areas that we should look at uring our jobs or doing your job or or or working on a project or or working on on a service or something like that and that those key areas are RI into security which we will talk about as a as as both the concept and the the indicators the performance indicators beyond that operations things that that we do when we're trying to put a tool or service into or production and the business side of things how do we work with uh our our sea levels our
directors all the way down to the the the business people or or or the uh the the vendors that we're dealing with uh for set service or product so it it kind of comes out to be the SOB like the CIA Triad you know so uh we thought that will be kind of catchy and and and we want to introduce this into this talk so that we can get feedback on this you know do you think this is a good way for us forward you know should we look at formalizing this into some kind of uh framework uh that's that's well known and can be used in curriculums and and applications going forward so let's talk
about the security aspect of first so you go on to the next slide there Mr Mr uh yeah I know it's a little a little bit of a a network delay there all right so our first first uh part of the framework is security and again if we're putting in a service or a platform or we're doing something uh that involves a security engineering project even if we're not may not be the lead on it the first thing is is that what is the function provided from a from a secuity perspective or from a business perspective is It Something That We're protecting the environment with this is something that is we're monitoring and logging information with for or
incidents or or or or threadings or or reports or something like that or is it something that we need to uh uh report on metrics things things like number of of attacks or something like that right so that's the function that we think of when we talk about the security uh is this product or service compliant and does it adhere to the security standards of course you know there are a lot of security standards out there especially uh um uh International right so uh some of our vendors that we have even the cloud services do comply with um uh these standards and some of these may even uh uh claim to comply with compliance standards such as NIS
853 um is this a technology or service that we're looking and and finally and we'll talk about this in the other Tri as well what are the performance indicators that we need to be aware of for this product is it something that's going to elevate our situational awareness in in in certain areas of our our our company or Corporation is it something that can mitigate threats is it something that can make our life or work easier uh so on and so forth so there are a lot of um what we would call key kpis uh that we're going to look at in in in certain areas as the framework develops so that is uh mostly the security framework and
again still a work in progress so you know if if you think there's something we can add here in that area feel free to to contact us on it as we look at operations we look at the day-today uh resources needed to effectively administer or uh work the tool a service right so again if we're if we're moving to AWS or something like that who's in charge of the administration part of this this uh project what teams are involved is it networking teams is it is it uh the security engineering security operations team is it is it some other teams uh or business teams that are trying to put their applications into the into the uh a AWS infrastructure
there so we we always need to know uh what what uh teams and organizations are involved and also will be impacted if something goes down or if a service is uh interrupted or something like that that impact of the organization is is a key critical you know are we putting in something that will affect our our business operations are we putting in something that can affect financial reporting or something like that and finally um again you know is this something where we need to track the the amount of hours needed to to uh to to operate this tool or or the resources needed to to operate this tool or is this something that we can put in the
cloud and let it run automatically and check it you know once a week or something like that so so um the impact of the organization is is kind of critical to operations because you always want to think about that when you're uh putting in a service or or or platform next finally we have the business side of things and in the business side of things we we definitely want to understand who are our stakeholders is it the is it the vice presidents is the directors the program managers is the people who signed the the ultimate check they they are now and as as we seen in our experience are now coming to the table and allowing the
security engineering and cisos to sit in and have be a part of these technical conversations as or or or or operational conversations if you will uh now so we're not necessarily relying on all the sea level to sit up there in the in the high table and and talk and then just kind of uh uh trickle down information to us but we are looking at at at those things from a stakeholder perspective this stakeholders are very important identifying them and working with them as as you begin this project or service and then of course of all things cost is this going to be a capital cost is this going to be in budget cost is this going
to be a special uh situational cost is it going to be something where we're going to have to worry about getting insurance for as as you know ransomware uh these days are are causing all kinds of insurance headaches in in the uh in our industry uh but as we as we uh look at ways to mitigate some of these threats the costs are a very important thing and it's something that you can understand as a security engineer and also these days something that you will be at the table with uh when you're looking at vendors and then and that's why we talk about vendor maturity vendor maturity is is something where if we're looking at the
cisos the Amazons and and the Dells and all that stuff uh or we're looking at the networking Services of of Cloud providers and things like that we want to know how mature they are you know and that may help us in our decision if they are a five-star partner a Go Star partner uh that may help us uh in our decisions to to implement certain tools and capabilities again we look at these things and we can relate to our stakeholders uh our Returns on investments and our meantime to detect resolve and contain as a key performance indicator uh that we can report uh hopefully over the shortterm and the long term at the life of the project as
well and then we also want to look at the operating expense as we mentioned before you know is this costing us extra resources to operate this tools or is this something we can absorb into the general uh operating expense uh going forward such as data center cost or or service cost Cloud uh cost in Amazon so those are the three major areas that we think when we think of of the the this security engineering Triad we kind of look at um my example even though not complete uh does uh represent a a typical security engineering project to where if if your networking team says hey we're moving from one gigabit to 10 gigabit or 100 gigabit networks how is
it going to affect you guys um uh uh security stat and so um and again this slide is incomplete and I do apologize but I will talk to it uh so at first and foremost we look at the impact across those three Tri uh Triad areas and then we look at the key performance indicators right so it it from a security perspective uh moving if we have Legacy tools that are are rated at a gigabyte and cannot process uh uh Network traffic more than a gigabyte then we're going to obviously have to upgrade those tools and or figure out if there are new tools or something like that that can we can add into the
security stack to do that the operations side of the Triad will probably affect more of the of the security operations team in this instance because we we will have to make sure that uh all of their uh tools and resources are able to also handle the additional uh traffic that that we're we're looking at uh going up to right so in the case of the Sim you know if we have a a Sim in place uh the extra Network traffic will generate more logs will generate more more uh resources and things more data for us to look at over the Long Haul into our tools so that may provide impact uh our our operations team and overwhelm them
to a certain point uh of of maybe impacting the tool in a reverse in an adverse manner uh all in all the the the thing uh for the business Triad is is excuse me the business side of the of the Triad is that is this an out of cycle cost or is this something we can put into our um our our annual budget cost right you know what is that going to be if we're going to had to go from a generation one paloalto to generation five Palo because it's rated at 100 gbits per second now are we going to have to uh put in something maybe like a packet broker to help us manage traffic to the security
stack so as you can see there there's here's a a nice example even though not complete of how we can utilize the security uh engineering Triad and as for a project that uh that will impact the uh the corporation at large so again I I do apologize that this slide is not complete but uh hopefully future did a great job talking through it and I think I I think everyone understands it's a great example of how this security Tri the the Triad we're talking about really applies to your environment to what your projects are you know the it's like what is the ROI at the end of this right are we making sure that from a security
engineering point of view we've increased Roi we always hear about security being a cost sync yet this is where we have to understand that we uh in in communicating what we've done and how the end result is that we've actually uh increased the ROI uh we have reduced uh maybe we red the increase the I'm sorry maybe we've increased the ROI by reducing our liability uh what are these a lot of these breaches that happen today what's one of the things they want to know did we have was security configured properly and the more that we can show as security Engineers that is configured properly and things are working and we've uh engineered for um observability and coverage the more
we can reduce liability in that sense and so that's a really solid example of of of that so moving through uh moving on you know we have what is the need for security Engineers going forward we just gave it's very very high it's really high high right uh you know some quotes from some articles that you know we recently read it's like hey it's one of the three key think highers to make now and right we all know security right there's number of different stats on how many jobs opening in security overall but Engineers are part of that and sometimes we focus on hey we need more analysts we need more pentesters we need need more incident responders but if you
don't also complement those hires with Engineers you're going to be uh in trouble because who's going to make sure that those other uh capabilities those other skill sets can do their job as well as the engineers uh this the executive order uh which I know is more you know American government United States government but I but it I think the trickle down effect of this executive order is going to be felt for years and you know because it directs the government uh to go Implement zero trust Implement MFA Implement uh war and advanced logging and retention and pcap collection and a number of other things and Ron guler was right he you know he called out he said
hey this executive order you can't just hire analysts you got to hire security Engineers because someone's got to figure out how to implement zero trust and it's not going to be the guy that's doing eyes on keyboard he he needs to have eyes on keyboard and this other these other tasks are huge and require the kind of network and security engineering uh that uh go into this working with the admins working with network operators working with management working with compliance offers security Engineers will be needed to do these things and Lou you took a look at uh you know some of the jobs out there right um uh going on yeah there there were a c there were several sites
out there that we looked at but we wanted to pull uh just something locally here and and and these two sites dce and ID had the the the metrics no problem I had the metrics for for the regional area here and we also want to give a shout out to Delaware where bsize Delaware is uh they have 40 at the time of this writing uh which was last week they had 42 cybercity engineering jobs available so if you're living in Metro delw Delaware area you're a cyber security engineer there might be something out there for you the Metro Delaware area but on the other hand people of Delaware might have some issue with that right yeah uh but shout out to my metro
delare area and I'm I'm here to but yeah as you can see in the in the region over 11,000 jobs fromed and over 7,000 jobs from Dice uh you can see a a average salary for a an engineering uh cyber security engineer is about $134,000 the low end was about 108 as of 2000 uh as of this year and then the highend was around 155 so not saying it's lucrative but you know hey you're not at the executive tax level yet so pretty good stuff I believe and and maybe with the High Cost of Living around here the this little this little salary could help but yeah uh definitely a lot of opportunities here uh do check your your sites you know
there we we pick Dyson and D because of the mattress po directly from the website but there are a lot of other jobs out there right and you know when you talk about you know Co and and the lockdown and no matter you know where you stand on the issue and far as your personal uh viewpoints the the real realization is that it has changed how we work and because it's changed how we work it's changed the some of the challenges that we have to deal with in cyber security and and then specifically to this talk engineering right there's been an you know working from home increase in fishing scams uh teleconferencing you have you know data
breaches you have zoom bombing right things that we didn't necessarily have to deal with when everyone was in the office uh uh counteracting you know the spread of misinformation about your company right how all right we're not just we're not talking about controversial topics that are in the news they're talking about hey did you hear that such and such company had a breach and it that's not true it goes you know that can spread very quickly uh and where you if you're in the office that kind of information might not be spread as as fast uh because you have more control over what happens within your company so uh so all of these things absolutely impact
um you know the the the security of where we are now but what's coming down the pipe right I already talk about the executive order but you think about um all of the things that are even in general whether it's in the government uh in the US government or commercial or or International zero trust is a thing that's going to happen that's moving forward no matter where you are we see an increase in automation that is without a doubt coming down that is uh coming down the pipe and increasing sore xdr uh whatever tools you want to call it we are trying to use automation to offset the skill set and the lack of people we're uh as well as
making our current people more efficient right Mo move that all of that basic stuff the stuff the day-today ordinary routine task automate that stuff we don't need uh we don't need to do that if if it's mind-numbing uh alert fatigue is real I mean you think I I think you have a a new theme for a new t-shirt automate that [ __ ] I think you do I'm probably sure that's already been done if doesn't have that somebody else already does so um but right you know um but those are you know you think about as we increase with you know natural disasters and pandemics how do we make sure that we have um you know going
forward how do we make sure that that we have continuous operations resiliency y resiliency right for whether you know first really came about I remember the stories coming out of a hurricane Katrina and you know some of the both the successes and failures of that of out of even 911 successes and failures of resiliency planning right what happens if your headquarters goes down how fast can you uh you know re reconstitute or even resume business so that's you know going forward we you know engineering security engineering is going to be critical as we have new tools new capabilities new threats uh coming down the pipe Quantum Computing uh Lou I don't even understand Quantum Computing I can barely spell
it um but yet that's we're going to have to engineer that into our environments you know next year 10 years I don't know so yeah Quantum Computing is going to is going to be something where the computational uh Power will go exponentially up to the next level allowing those people to F the F the biggest application of that is is uh reverse ciphering right so that's the biggest application of that but there are also other applications in terms of of of biometric Computing and things like that but yeah again learning what's coming down the the the the pipe as you will is going to be key to another area of security engineering you always got
to be not only in in the CES of of the USS Enterprise but you got to be on bridge looking you know down the the the black holes that are coming your way so yeah security engineering aspects the Next Generation stuff I mean we didn't even talk about some of these things in depth because of time but uh it is important that the the security Engineers have education have understanding have experience and and now there are are Avenues out there where you can go to school for security engineering can go and participate in trainings for security engineering specifically just for that Y and and and learn those things going forward so yeah so with that that's our talk uh we would
love feedback on the framework on uh you know what we missed uh or what what we included so this is our contact information feel free to hit us up on any of those uh I am not on all the social so uh but I am on those uh email and Twitter uh so infiltrate may be more social than I am but uh that that's where we can be reached so any questions in the last minute or so that we have before they kick us out I we've been monitoring chat Q&A so is it Lobby oh oh yeah track and qua I like that the qua yeah oh okay they do love our acronym hey that's
great that's great that's great yes um there was a there was a uh uh a a link to another certification certified associate capm provided BYOB that's uh project management so I mean that you know that definitely can help uh you know because again that's a great skill set to have uh you know you know something I need to look into as I I manage more and more projects so yeah and then uh I think hash Metro Delaware is going to be here at this conference y'all so you heard it from us first there you go all right so I think that's time uh it was great talking with you um and uh look uh glad we could uh share this time
with you hope you guys got some good stuff out of it so yes yes me too me too great uh back to our uh UST command controller all right let me figure out how to get out [Music]
Hello BSides Delaware, my name is Kenneth Geers, coming to you almost live from Brazil. I work for a company called Very Good Security, and I am very thankful and happy to be talking to you today. This talk is about cryptocurrency, specifically about its strategic potential to change the world politically, socially and financially, and in particular I want to ask a question that may be a key indicator in the future: can cryptocurrency be a real currency, and might it even replace the US dollar as the world's reserve currency? You've probably seen a chart like this. It displays that in 2010 somebody could buy a pizza for 10,000 Bitcoin, which actually happened, and today that same Bitcoin is worth $500 million. I feel like I could buy the Tyrell Corporation with that kind of ROI. So clearly some people are going to get very rich on Bitcoin, and some people like you may choose to invest, so one of the things I want to leave you with is: what are some of the general security considerations to think about if you're going to invest in this technology?

Here we have some things in the news, just from Google News today. We have celebrity power, a couple of quarterbacks, Tom Brady and Aaron Rodgers, pushing cryptocurrency. We have some political power, Rand Paul and El Salvador weighing in on the potential and even maybe setting some of the mechanisms in place for cryptocurrency to be recognized by governments, to become what's called legal tender; we'll get to that shortly. And community power: this Shiba Inu coin, which is currently number nine in value on the list of cryptocurrencies, shows that a group of people who just might agree on or like a certain concept can actually put faith in a certain cryptocurrency for their own community, which is quite instructive. And then finally, Squid Game: do we wind up with a situation in which we have a few winners and very many losers?

When we think about what is valuable and what's not, let's go back to World War II and think about a time of crisis: where do people go and what do people do? It turns out that sometimes, when civilization is seen to be quite fragile, as in a time of crisis, assets get hoarded and stolen and moved really quickly. So when Germany was invading the other countries in Europe, England and France got all of their gold together and shipped it either to the United States or to Africa in daring, adventurous operations that are Hollywood level. So what makes something valuable is not always easy to understand. Some things historically, like shells and salt, were bartered for goods and services; they had a value because they involved a proof of work, they were found and extracted through manual labor. Gold is really interesting: if you take the whole periodic table and start taking away the things that are poisonous, radioactive, corrosive, too rare, that sort of thing, pretty much you wind up with gold and a few other things like silver, but not many. So there's a reason why gold is so valuable and why governments hoard it and keep it as a store of value over time.

Well, thank goodness that we're not always at war. After the war, the Allied powers got together in New Hampshire, at a place called Bretton Woods, and came up with a plan for the post-war world economy. Now, the United States was the world's biggest military power and also had the largest gold reserves in the world, so they came up with a plan where the dollar would be backed by gold, pegged to the price of gold, and other countries' currencies would be pegged to the US dollar. So it was a system of dependencies, I'm sure you're all familiar with that, that's reliable. In any case, after the war the United States dollar was crowned the world's reserve currency. So if you were in another country you had your currency, but you also had the US dollar, which you could trust as an anchor, as hard currency, something you could rely on; it was called a safe haven currency in case you had economic trouble yourself. Your faith was in Uncle Sam, or in the United States, to provide an anchor for your economy.

At this point you might be saying, well, why the heck do we need money anyway? So let me just spend a couple of minutes on this topic. Money is considered to be a human construct based on economic consensus and social convention. It's something that is used to exchange for other things like goods, services and taxes. Over time there became a standardization in the size, the shape and the weight of currency so that it could be seen to be real, and there's a concept of legal tender in which businesses are required to accept your money. So you may not know this, but in a coffee shop, before they make your coffee they don't have to accept your money; after they make your coffee they do. Maybe not in Texas, you've got your own rules down there. In any case, in China we have seen metal coins as old as 3,000 years and paper money as old as 1,000 years. Good money, as you can imagine, you need to be able to rely on, so it's scarce, authentic, durable, portable and stable. Now, digital currencies, if they are to succeed, need to have some or all of these same traits that have become part and parcel of what good money is. I'm sure this is coming in the future, because if you think about it, most transactions in the world, even in US dollars, are simply digital transactions. More often than not you don't spend dollars anymore; you go in and you have a card and they hand you your coffee, and the two balances on two ledgers change, one goes up and one goes down, which we'll get to in a second.

So money, as you probably know, equals power. The United States has the largest gold reserves, other countries put their trust in the United States and so they invest in dollars, and thus more than half of the world's reserve currency is in US dollars. This gives the US incredible political benefit as well. The world benefits from stability, relatively low inflation and devaluation of the dollar, a managed supply of dollars, liquidity; the dollar gives them access to markets and trust that they might not otherwise have. But the United States has some special privileges, being the world's banker, really. So the United States can monetize its debt to an extent that other countries can't, because we can print money and other countries can't, so we can run greater balance of payments deficits and pursue policy objectives that other countries can't. This has been called, quote, the exorbitant privilege, unquote, and some countries have been unhappy with the United States having such built-in advantages, but this is the way it's been since World War II. One of the ways you can understand this is via the US military. During the Cold War and beyond, the United States has provided a security umbrella to the world that we can afford: we have the most assets, so we have the biggest military budget. Of course, in the past few weeks you may have been seeing in the news that this may be changing relative to the rise of China's military, but that is something for the future perhaps.

Speaking since World War II, even then other nations wanted to change this; France in particular was not happy with it. The United States also couldn't sustain this forever, with things like the Vietnam War and the New Deal. By 1971 it was clear that the United States needed to make some changes, so the United States ended the convertibility of the US dollar to gold. We sort of broke the deal; we let the US dollar float, and it became a fiat currency no longer backed by gold. So this idea that was developed at Bretton Woods, that the dollar would be pegged to gold and other countries would be pegged to the US dollar and thus by extension pegged to gold, no longer held. That's why some big-shot financial firms like Goldman Sachs in the past few years have warned that the United States may lose its coveted world reserve currency status, and that's what we're talking about today.

Now let's talk about the three essential elements of money that cryptocurrency coders are going to have to strive for and investors are going to have to look for. The first is medium of exchange. This refers to something that is an intermediary token of a certain value that can be traded for goods, services and taxes, and it's beyond barter. You may have oranges and I may have apples, and we get by trading those for a while, but eventually we want an intermediary token that represents a certain number of apples or oranges. Sometimes this can be hard to predict; as we said, money is a societal and economic convention, a construct. I've been living the past couple of years in East Africa, and there was a story there that really is fascinating: people began to trade cell phone minutes as currency. Go into the shop and say, hey, I want this, I'm going to give you this many cell phone minutes, and that became easier to use sometimes than cash. This was so wildly popular over the years that it turned into a major multinational corporation called M-Pesa. So societal adoption is key, and it goes back to some of those things we all learned in information security school: usability, functionality and security. Does it have a balance of those elements that users can believe in and leverage for their needs?

The second element is unit of account. This is a stable measure: costs, prices, profits, performance, all of these things we want to measure in units we can understand. So the value of the stable measure is not only for goods and services but, as we get more sophisticated in terms of economics, assets and liabilities. Double-entry bookkeeping is key to understanding modern finance and also cryptocurrency: there's a credit side and a debit side that need to stay in balance, and double-entry bookkeeping was seen to be a powerful enough technology that it literally helped Europe to emerge from the Dark Ages and forms part of the heart of capitalism today. So a ledger is key to understanding both traditional finance and cryptocurrency: a record of economic activity and financial relationships that everybody can see. This is key to blockchain. It's older than writing for communication; the very first writing we have seen, on bones in Africa, was related to counting and looked to be long-distance counting relationships. A good ledger is immutable, timestamped, shows ownership and is accurate. Modern payment systems typically are about amending ledgers, so again, when you go in for your morning coffee, your ledger sinks and the coffee shop's rises. Some of this relates to the differences between cryptocurrencies like Bitcoin and Ethereum: Bitcoin is more transaction based and Ethereum more balance or ledger based.

The third and final essential element of money is store of value. Good money should be a durable asset that has stable demand over time and saved purchasing power; this counters the risk of inflation or devaluation. The United States dollar has achieved remarkable results in this category, and that's why it's the world's reserve currency. Store of value is a lot about risk management. So many countries believe in the US dollar that they have officially adopted it as their currency, or officially alongside their own, including Cambodia, Ecuador, Lebanon, Somalia, Zimbabwe and others. But this third and final element of money may be hard for cryptocurrency to achieve due to the volatility that we have seen in its value. The lack of central management of cryptocurrency is precisely what people like about it, but it also may make it difficult for cryptocurrency to achieve the status of good money and of reserve currency level money.

Let's return to gold a little bit and compare how countries are trying to manage their economies relative to the dollar as well as other things, and see where cryptocurrency might fit in. Russia today has an antagonistic relationship with the United States, and that makes it a good case study for us. Putin would like to de-dollarize the economy and lower Russia's vulnerability to US sanctions. Currently it's the biggest state buyer of gold, and in January of this year gold surpassed the dollar in Russia in terms of its holdings: 23% of its reserves are in gold and 22% in dollars. Russia's cryptocurrency policy, though, should also be seen from the standpoint of politics. I think authoritarian governments are going to have their own concerns relative to cryptocurrency, because it's a lot about giving power and freedom and independence to civilians and citizens, and dictatorships aren't typically about that. Telecommunications are used to make money but also to surveil, and giving up both of those things is not something a dictator is going to do easily. Little things too, like Navalny had a lot of Bitcoin donations after his arrest; these kinds of things may upset a government, as in some autocratic countries. Russia has to some degree banned cryptocurrency, prevented Russian politicians from owning cryptocurrency, stifled mining, even while exploring whether it can adopt these things from a centralized standpoint, but again that's sort of at odds with what people like about crypto. Some of the allegations on the criminal side are that contract killers could accept sort of anonymous cryptocurrency deals; revolutionaries, like on January 6th, were said to have received Bitcoin donations from abroad; and the question of whether terrorists could use Bitcoin for operations anonymously. All of these things are going to concern law enforcement and counterintelligence, and it's just one thing that cryptocurrency investors need to keep in mind. Governments like power; they have something called the monopoly on the use of force within their territory, whether it's a state or a province or a country, and they're not going to give that up lightly. I worked for NCIS for a dozen years, law enforcement, and when you look at the world from a law enforcement lens you think, well, I have to enforce laws within this jurisdiction, and it's just important for me to be able to do my job. So there's always a tension between citizen and state. In Russia, some of the things that make internet users wary have been Russian domain names and Cyrillic in URLs; a lot of young people haven't wanted that because they think it's going to be a digital USSR. In the same way, a Russian state cryptocurrency may not be what Russians want, but we'll see. These case studies are really interesting to watch to see how politics and economics, which are intimately tied of course, play out in different parts of the world.

So, cryptocurrency. Let's talk about it historically: 1974 we had Ethernet and TCP/IP, 1990 HTTP, 1996 SSL/TLS, 2009 Bitcoin. These are all programmable transactions that are building on each other, and as any good scientist you've heard says, I stand on the shoulders of giants. It's important to put things in perspective and understand that we're taking one step after another toward the future. The challenge with cryptocurrency is how to verifiably move value across a decentralized network, and there are certain engineering challenges that need to be overcome. We'd like to do it person-to-person with no trusted intermediary; is this possible? We want to do it with no double spending. We want to lower what's called in economics the cost of trust, so that you and I can trust each other on the web; these are called the economics of verification. Some past cryptocurrencies have failed because one or another of these pieces was missing, but with Bitcoin and blockchain we may have a consensus protocol with good cryptography, proof of work, a native currency and a reliable network of nodes, which came about in 2008 via Satoshi Nakamoto in his paper Bitcoin: A P2P Electronic Cash System. Did we achieve this stuff? Some of the things that were foundational, or that Satoshi built on: asymmetric cryptography, hash functions for integrity and tamper resistance, digital signatures for consent, timestamps for the blocks, and a distributed consensus algorithm that one can believe in. In theory these things could secure the entire internet with verifiable and immutable transactions, and some promoters of Bitcoin have said that this even solves age-old conundrums like the Byzantine generals problem, in which you have different units that just before an attack really can't communicate with each other, because they want the element of surprise, but they have to trust each other. It's been an age-old problem, but if Bitcoin and blockchain can even solve the Byzantine generals problem, well, maybe we're there. The cool thing about Bitcoin and blockchain is that we could move anything; it's a human network, almost, where you can move not only money but assets across the internet. After 2008, now we've got well over a thousand cryptocurrencies and initial coin offerings, so the technology appears to be there for a lot of what we want.

You can see the picture of Shanghai here, and China now is largely cashless, as are other advanced economies. In 2019 over 80% of payments were via Tencent's WeChat Pay or Alibaba's Alipay. They're buying much less gold than Russia and so seem to be pushing more toward cryptocurrency and blockchain; President Xi has called for investment and development in these technologies, and soon, in 2022 at the Beijing Winter Olympics, there will be a digital yuan test. But still, we're talking about an autocracy that likes to maintain control over China, so there have been cryptocurrency curbs and a stifling of mining to some degree, although most Bitcoin is actually mined in China. So these countervailing winds are present in certain places prominently. But if China could develop a cryptocurrency that other countries would use, that would perhaps chip away at the United States' advantage in terms of a reserve currency, and then maybe other parts of the world would see China's cryptocurrency as something more attractive than the US dollar to hold for a time of crisis or as a safe haven.

A word on blockchain. Cryptocurrency needs rails to ride on; crypto is the digital asset, but it's stored in a decentralized online ledger that also has solid cryptography. It's a transaction ledger that's public, distributed and secure, based on a consensus communications protocol. Block validation for Bitcoin manages the creation of coins and verifies the transfer of coin ownership; also invented by Satoshi, it has technical input and output that are important to know a little bit about: stuff like a previous transaction ID, index, signature, unique output, public key, Bitcoin address, values that can be verified, etc., lock time. It's an auditable database, a list of records or blocks tied together with math and crypto timestamps, append only, that are tamper resistant, the kind of thing where it's a house of cards failure: you can't really break it, otherwise the whole thing breaks. And of course the proof is in the pudding, but over time enough people attacking it sort of yields faith in the technology.

Mining. This is one of the really cool aspects that gives sort of a democratic feel to cryptocurrency. Like gold, there may be a limited number or a limited time, 2140, or a certain number of coins that are possible to get, and of course this will increase the attractiveness of owning one of these coins like Bitcoin. With mining you can verify when you add a block to the ledger; it's math that's hard to solve but easy to verify, so that's kind of cool. The first person to supply the hash value can get the credit, but then other people can see what happened and recognize that there is a new coin, there is a new hash, etc. Some of the political issues that go with this, though: for example electricity, compute power, the hash rate, carbon footprint; these all cost time and money and effort, and you've seen some of the big operations in Iceland and China and elsewhere that yield Bitcoin, such that you might need to participate in a mining pool now to have an effective hope of mining Bitcoin. This has led to crimes such as cryptojacking and CI/CD abuse, stuff like one of mine versus Monero, not only at the criminal individual level but with political ramifications at the national level. Venezuela has thought to use Bitcoin to counter hyperinflation, but if your country hasn't had good economics prior... the best case right now to look at is El Salvador: can the power of volcanoes be used to mine Bitcoin, can Bitcoin be used to stabilize an economy or to make it independent from world strictures? Those are open questions, really. But if you look at North Korea, they're using Bitcoin, as well as other types of digital operation including cybercrime, to skirt economic sanctions, and so you can be sure that other Asian states are going to have a say. Specifically, the European Union might be a good place to watch the development of policy. Why? Because it involves sort of a consensus protocol among dozens of countries to determine what we should and shouldn't be doing in economics and politics.

The benefits of cryptocurrency start at the user level. At the individual level it gives me some freedom, some level of ownership with confidentiality, with lower cost, P2P; it can be transnational; there might be an ROI in terms of investment; I might find credit, a line of credit; I might be able to trade assets, baseball cards or something. The societal impact is clear: there's financial inclusion, not only for an individual but for a small country like El Salvador; there's a dissemination of power from the state to the individual, which again, in my opinion, may slow the whole thing down. Rich investors are also very attracted by the market cap and the spreads, as well as introducing some level of risk management into their portfolio; they can see the returns, but they might be manageable if they keep it low and keep it safe. I'm concerned, though, that only the really security conscious, or those who can afford to buy the security, may be better off in this space, and we'll get to that soon, but the risk of losing your Bitcoin is also quite real.

Let's talk a little bit about political potential at the strategic level. I spend a lot of time in Estonia; I'm very fond of the digital nation, and e-government, digital democracy, supporting the rule of law, transparency via digital IDs, online voting, these are things that Estonia is leading in, and I even think that they're doing a good job exporting to the world ideas for promoting human rights, anti-corruption, data reporting from anywhere, from little people interconnected by the internet. All of these things, which are part and parcel of blockchain, which is intimately tied to Bitcoin, are really worth thinking about as we invest in and believe in these technologies. Central banks, via monetary policy, specifically want financial stability, and they will monitor cryptocurrency use and growth, and to some degree we're going to have to follow their guidelines to see if it's a good investment as part of our portfolio that we can grow. Cryptocurrency is mostly legal in the West, but all laws related to terrorism, money laundering, tax payment, consumer protection and investor protection have to be followed. So these are things that, as we look at the marketplace and think about investing, are important, because again I think that Bitcoin and blockchain, as well as cryptocurrency in general, have huge strategic potential for the planet, but you have to watch how the marketplace and how governments and organizations respond. Like in the US today it's okay to accept cryptocurrency payments, but taxes have to be in US dollars. But we've already seen things in the NFL over the past week, for example Tom Brady paying with Bitcoin for football, so things are going to change, especially as celebrity power and political power get involved. It'll be fun to watch.

Let's move on to some security issues that need to be thought about. If one were to make a significant investment in cryptocurrency, there's a lot to think about. For an owner there is a learning curve; there's a quick evolution in the technology that you'll have to keep up with; and then there's the general risk to your wealth or your savings always to keep in mind. At the regulation, national level, expect changes in insurance, standards, custodianship. At the infrastructure level you have to think about the supply chain you're dependent on: hacked exchanges, for example; software updates that may be opaque to your understanding; governments may become uncomfortable with the computation and electricity costs of mining, where it's done, maybe human rights issues associated with that. Are you comfortable with market manipulation by nations or large holders whom you do not know by name? There's a presumption of internet access, so to some degree it seems like you're hostage to politics, and you may say, well, it's always been that way, and that's true. But if you think about the number of people who've lost access to their Bitcoin, access to your hardware and access to your passwords is really key. And then to say something is dependent on cyber security, again there's a myriad of problems to deal with, from hacking and malware, phishing, extortion, cryptojacking at your company. As the legitimate use of cryptocurrency rises, it's pretty simple math: you can expect that crime is likely to fall. The percentage of high-risk exchanges is currently falling; there have been over the past year a number of executives arrested; and law enforcement is keenly focused on this know-your-client problem, which entails some challenges philosophically for cryptocurrency. At the same time, if law enforcement feels that it can see KYC a little bit better, then maybe your investments are safer indeed.

Now let's talk about some security things that you can do proactively to prepare for protecting your investment. In general, three elements to think about are physical security, cyber security and human security. Your private keys are your digital identity in the cryptocurrency market; they allow you to trade cryptocurrency online, and if your private key is stolen a thief can commit cryptocurrency fraud. With your wallet there are a few different kinds: a cold wallet or hardware wallet has no internet connection per se and is a good way to go; a paper wallet, don't forget to laminate it so it doesn't get destroyed by moisture. If you have multiple wallets, which, diversification is always nice, you've got multiple issues to think about for each. Don't forget to print and save your backup words so that you don't lose access. PKI and digital signatures are important to get your mind around: a key pair stems from a random number, and many hacked wallets in the past really have had no good random number generation, and so they didn't provide the level of security that one would want. In general, cyber security hygiene and device security involve antivirus, patching, firewalls, network security, VPN, no public Wi-Fi. At the human level, passwords are important, some that are hard to forget but easy to remember, as a challenge; make them unique; use multi-factor authentication; and always be aware of social engineering, especially if you're rich: phishing, adware, email attachments, links, all of these things. I worked for two and a half years a little while ago as a data scientist at a cyber security firm, and boy, we really saw the avalanche of adware during that period, and much of it I think was initial recon for more serious types of attacks.

So what's the verdict? I think in the near term cryptocurrency is not about to replace the US dollar as reserve currency, but over the horizon anything is possible, and in this day and age, with modern communications and the internet, change happens faster than ever. Cryptocurrency clearly has unbelievable potential for both financial and political changes; it will be a catalyst and a challenge to the current system, but it's going to have to overcome some performance issues: scalability, efficiency, trust, speed. It's going to have to be interoperable with legacy systems; Visa currently is pretty much real time, and by comparison Bitcoin is really slow. There's the sustainability issue at the political level: what about blood coins, like blood diamonds? Maybe people won't care, maybe they will. Digital things have so much more potential because of the ability to scale and the speed, so things might be hard to predict. Today the security risks are still fairly high and the payment system is slow, but with credit cards it took about 15 to 20 years for laws to catch up with the issuance of credit cards. Things are hard to predict; remember the cell phone minutes in Kenya. So four big areas to watch are code, the marketplace or people using the code, laws, and then norms; ask your friends and see what you think. The central banks seek financial stability; they seek to protect the investing public. And then financial firms: watch what they do. This is their business; they're not so dumb, it's their job, and as they adopt and adapt you can feel more certain about buying in, and trust will grow around the world.

Okay, some parting advice. Bear in mind my disclaimer: I'm an information security analyst, I'm not a financial expert, and so these are things I found on the web that can help an investor to think. Three key elements of investment: consistency, emotional control and tax planning. These are just things that you've got to think about, you know, death and taxes. If you invest in cryptocurrency, have a plan. Is your plan primarily wealth preservation or wealth creation? Those are two big questions to ask yourself, and that goes to
Roi uh and when you think about a return on investment timing the market as I see uh the experts say historically has been considered to be mostly luck very hard uh to predict the future so be careful an example plan is to Define what you mean by value what you mean by opportunity set goals calculate risk invest in security then make a small purchase right that's a small part of your portfolio uh Monitor and evaluate it and start over right always think soberly about these things uh so you don't wind up uh on the block with no uh portfolio at all there's no doubt there's a lot of money to be made in fintech there will
be a lot of money to be made in cryptocurrency but you know as we've seen uh there have been quite a few losers um there's space to earn money uh but uh you should assume that buying into cryptocurrency is a high-risk investment make it a small fraction of your net worth or your investment inputs and you can think of CC if you want to be more machian as a binary investment uh decentralized Global cryptocurrency is going to work or it's not right and that means that the value let's say of bit Bitcoin uh could be the most valuable asset in human history or it could drop to zero right and so sometimes when you buy into stocks they always say you know
this could drop to zero be aware about that um in life they say it's unwar unwise to be a minimalist or a maximalist uh so you can think about that as as well you know occupying some Middle Ground um and then you know when we see you know Tom Brady and Elon Musk uh promoting Bitcoin uh you think about you know what would be a significant investment to them they can afford uh to lose their Bitcoin can you or I uh and that's that's a whole other question right so besides Delaware many thanks for the opportunity to speak to you today my name is Kenneth gears I work for very good security and I'm happy to
entertain any questions or Communications you have on this topic thanks a lot and take
[Music] care [Music]
Hey, good afternoon, welcome to BSides. My name is Ken Netzorg, here to introduce an inline traffic analysis appliance for use in Azure, and if your platform allows for it, if you can do managed routing, you could look to do this in your own platform as well. There are a few magical, there are a few options in Azure, but other than that you should be able to run this potentially in others. So we'll step through this, and your mileage may vary as you get through it, but we'll see how we go.

So why are we here? I spent some time trying to figure out how to run a tap inside of the cloud. Azure doesn't allow for tapping, so I needed to find a way to get in the middle of network traffic in order to evaluate what was going on and whether it was legitimate. In doing the evaluation I found that there were multiple vendor appliances, but unfortunately those all came with a high cost. So in poking around I found out we do have the tools, and so here's an introduction, since I had to piece different pieces together to make it all work. So I'll blow through it, but first off, who am I and why am I here talking to you? I've got 25 years of experience throughout the information technology industry and I like to solve problems, specifically IT related, so we'll keep it to a minimum on the other aspects of it. I'm currently a Director of Technology at Decisive Edge here in Delaware, and I do have some certifications to my name.

So an overview of what we plan to tackle today: I'll run through the architecture, we'll look at the Azure objects that get implemented in order to make this work, some of the OS modifications, then following that we'll look at monitoring traffic, what the options are, both from Suricata, Zeek, which was formerly known as Bro, and just straight tcpdump, then some high availability options with the following enhancements, hardening and future options for the configuration, finishing off with some conclusions and questions. I will be monitoring the chat channel as we go along, so if there's questions feel free to drop those in, and if we run out of time, hopefully not since we've got 30 minutes to go through this, we'll bounce into the Q&A channel afterward for any future chitchat.

First, the architecture. What I will introduce today is going to be a simplistic virtual machine with three network interface cards: one in the secure environment, basically your internal; one on the public side attached to a public IP address for the outbound; and then a management IP on that side. So we would have a network traffic pattern looking like this, to the outside world from the inside world. The advanced architecture I will poke at briefly is going to add some different layers to the basic, with multiple virtual machines managed through an inbound load balancer, going through a network address translation gateway on the outbound side. That will give you some fault tolerance and load balancing capabilities.

So let's get busy and build this. First off, I designed this with one virtual network split into three subnets for the appliances I mentioned, one for the secure, management and public IPs, and then a client IP used to get to the device in order to manage the operating system initially, as well as generate some traffic so we could see it. So the compute object: I chose a Standard B2s. One of the critical pieces to look at is what is the size machine you need, minimum if that's what you're looking for, that actually has the ability to attach three NICs to it. So in the Microsoft world that would be the Standard B2s; there's some A's as well that allow it, slightly more expensive, and then you can jump into the D series on up if you need more NICs, if you need more capacity for compute. You can rework those as well, but again, the NIC capacity is definitely what you're looking for.

Second, when you go to create the Azure virtual machine, make sure you set the NIC into the outbound subnet first. That definitely helps with some of the routing complexities that'll come later, where you don't have to then override what that is going to look like. So in your initial, if you use the wizard, you're going to add one NIC as you go along; then once the machine is up you can add two additional. If you are savvy with scripting you can do that all at once. I went through the wizard and just worked these two in, so that provided a network map that looked similar to what you see there on the right-hand side, where I put eth1, the second ethernet, in the secure subnet and the third NIC in the management subnet, and then of course the network security groups that get attached to those depending on how you've proceeded; we'll address that shortly.

So with Azure they have the concept of IP forwarding that does need to be turned on at the portal level. So on the outbound NIC I went back in and enabled the IP forwarding. Some other platforms may or may not require this; it is an Azure thing, and I found that it seemed to only be effective on the outbound side. The inbound or management subnets do not need forwarding turned on. So in theory, after you have done all of that from a platform perspective and you've fired up your virtual machine, you should be able to, from your client, log into the operating system. So from here I launched an SSH connection from the client subnet and went to the manage... or sorry, to the outbound NIC; that was my first hit. Again, because of the routing complexities, if you didn't deal with asynchronous routing, going to the outbound eth0, the first one there, just to at least get logged in. At that point, from there you can make the next modifications that we come to.

So we need to tell the kernel it's now becoming a router. By default the kernel has routing turned off, so there are a couple of different options to go about that. We can set it dynamically, though it's not persistent, by using the sysctl command shown there, and if we want to make that persistent so it survives restart, we could actually put that into a file in the sysctl directory, as shown there on the screen. This will then set the kernel to allow routing, or sorry, allow forwarding, upon restarts. Or you can just do both: if you want to make it real time, you can set it initially and also set it in the file, so it does survive reboots and you do have it to play with immediately.

So once the forwarding is enabled, we go ahead and handle the routing. This is the piece that will allow us now to actually get to our management interface as well as our inbound traffic on the private subnet. So for this I just used the 2011 and 202 IDs within the routing file, attached those to the eth1 and eth2 labels, so it helped keep things a little more straight from the naming perspective. So now we've defined a route table, and then we go through for each interface. Being on the Azure platform, Azure will, based on the design, manage your eth0, your first NIC, for you, so that will define the routing; it'll set up all the DHCP information. So we need to now go in and manage eth1 and eth2. So the settings for each of these, as you can see on the screen there, are setting up the route and rules. So the default route within the Azure network uses the first IP address of that subnet, so in this particular case the 16.1 and the 20.1, if you refer back to the original diagram. After that, the rules, as far as if you see a packet come in from, or so either from or to, your interface IP address, having those set properly will define those in the table, so that way the routing rules know that when it sees traffic coming into that interface, it knows that it should respond back on that interface. And that's what will prove for the magic as we get into eth2, which in this case is our management interface; we can then connect to that one once we have restarted. So the reboot at this point definitely helps clear things up: enable the routing, enable the forwarding, make sure everything is there, and we can validate that through a quick SSH into the management IP. So we switched over; as you can see here we're attaching to the 20.4 IP address, and we have a shell at that point.

So in summary, as we've worked through this, we have built a network that was split into three subnets; I added the fourth to give me a client machine to both connect to and test with, though it's not explicitly required in this case. We added the virtual machine, we had one NIC in each of the three subnets, and we've made updates to allow us to SSH into the actual management NIC. So with that in place we should now be able to do what it is we need to do: we should be able to forward the traffic outbound.

So from an iptables perspective, this gives us the ability to NAT the traffic, so do a network address translation from the inbound to the outbound. iptables is a little bit varied based on your firewall distribution. I have chosen to use Debian for this particular example; you could also be using Red Hat or Ubuntu. So installing iptables, depending on the platform it could be iptables-persistent or iptables-services, to make sure that when you restart, iptables truly does start back up again for you. And then where iptables stores its files, depending on your flavor, you'll want to make sure you know where that is to be able to edit that. So in our case we edited the rules version 4, the rules.v4, and that gave us the ability to add the nat chain, since iptables is broken up into different chains. So here, in the network address translation chain, we added a POSTROUTING rule that says on the outbound ethernet zero we're going to do a source network address translation, and that is going to be to the ethernet address that's on your outbound interface, so in this particular case it is 30.4. We also added a filter chain that basically said hey, anything coming into iptables we are going to accept, so we add the FORWARD option on our inbound eth1 and tell it we're going to accept it. So for many, you may cringe, as we are accepting everything; we are not applying any firewall rules in this particular case. So the benefit is, being in a cloud, we can apply the network security groups or ACLs, depending on your platform, around that network interface, not being on the host. So instead of managing it at the iptables level we'll use the NSGs or ACLs to manage the traffic at the platform level, one less spot to manage it and manipulate it when you need to add a new port for outbound.

So once the IP forwarding and routing have been put into place, we need to modify the platform in order to generate and send traffic directly to our interface. So in this particular case for Azure we did an IP routing rule: their default route is the 0.0.0.0/0, and then we would specify the next hop as the IP address of the appliance we just created, so that would be the inbound secure NIC; in this particular case we had it at the 16.4 address. We can then assign that to any subnet we need to; in this particular case we were going to assign it to our client subnet that we created as well early on, and that then allows that client, when it sends any traffic outbound, especially to the internet, it will be sent through our server here that we just created.

So what can we do now that we've got traffic being sent to our appliance? What is it initially we can take advantage of? So running a tcpdump is the first way to really validate that your configuration is working. We can run the tcpdump on interface any; that definitely helps make sure that you both get the inbound and the outbound traffic, so both the eth0 and eth1 traffic, so it's going both in and out. In this particular screenshot, don't forget that if you are doing this from the client that you're also managing from, you might want to exclude port 22, otherwise you're going to get a nice reverb on that one with lots of traffic back and forth. So you will see that in the screenshot, but generally if you're going to test that on a different client that's not also SSHed in, you can limit that to simply the traffic.

So that's tcpdump. Suricata actually has a specific section within their documentation that shows how to configure an inline Suricata network, so it's actually pretty simple, by adding a single line to your iptables that we have already worked on, and that is just sending it to the NFQ that you can see there, that is configured and set up within Suricata. So everything else pretty much remains the same: follow the documentation within Suricata, and then from there add the simple line to your iptables, restart iptables, and away you go, you now have a full inline working Suricata system.

Zeek is another fabulous tool that's out there. I do have some experience running this minimally inline to monitor traffic from point A to point B, but this being an overall cluster diagram that you see there on the screen, showing the difference between the taps, the front ends, the workers and the managers, for this particular case this integration and configuration would basically be the tap, the front end and the worker all combined. So you would need to modify your configuration to send the traffic off to the manager machine; once it's done, however, it should work to monitor the traffic ongoing. PF_RING would probably also be suggested in order to make sure you can get the throughput and volume. In simplistic testing I have not found that the need for PF_RING is there, but if you take it to higher scale, PF_RING definitely would be worth looking into. And so you can see the links to the Zeek pages on where it discusses the cluster setup. So those are the basic pieces in order to get to network traffic monitoring, either with Suricata or with Zeek.

And so that to date, however, leaves us a little suspect. We need, in order to make this more high performance, should we be putting any bigger loads behind it, to make sure that we put in a load balancer, to make sure that we have redundancy and/or scale. So if we need to add more systems to our design, or if we need to increase our capacity, or actually do maintenance, do restarts: should we only have a single machine, any time we restarted that machine we would be cutting off traffic to the outbound world. So Azure allows us to do an inbound load balancer. You can use a basic, what they call a SKU, or a standard SKU would give you a little more sizing with that one; plus, for a standard SKU, if you are going to be traversing different virtual networks, that would definitely come in handy. There are some limitations with a basic load balancer. Keep in mind with an inbound load balancer there are some challenges that come along with this one: it does use a polling heartbeat that's either set to TCP or HTTP to know if that appliance is healthy and allowed to basically be routed to from a traffic perspective, so something will need to be on the service listening on your appliance that would respond to that one. The additional piece with an inbound load balancer is you would need to specify each port that is going to be allowed through that load balancer, so 80, 443, DNS traffic, NTP depending on where you're getting your timing from, SMTP, different options there to go along with that. So keep that in mind as you are building routes out through that, that you capture those different ports. There's no need to swap the ports: if you're sending it from 80 you can map it straight on to your inline appliance at 80. We did not make any restrictions, as you recall, on the firewall, so it should be listening across all ports; we just left it at the interface level and then overlaid the network security groups. There are some hiccups and challenges that you might face with that one. The last time I worked on that one, simply putting a network security group in the path on the secure network did basically break the communication between the load balancer and the network interface, so there's some work to be done with that piece of it, and the standard SKU, though, might change that one a little bit.

Another piece that has recently come up that Microsoft has introduced is an inbound Gateway Load Balancer. So this one is a little more broad; keep in mind, though, it is in preview, so in order to set that one up you would need to opt into the preview for it. The other option is just keep an eye on it, know it's out there. The goal with this one, one of the things that made it intriguing, is that you can chain different appliances together, and you can, as they say in the documentation, integrate virtual appliances transparently into the network path. So where in the past, when Microsoft dove into the network taps, they tied you specifically to a third-party vendor, in this particular case it seems as though they are going to allow you to use a custom appliance, i.e. what we just built, as the back end, and you can, as the documentation states, easily add or remove appliances as well as scaling. So keep that in mind, keep an eye on that one; it might be of value in the future and provide a little bit more benefit than a standard simple inbound gateway or an inbound load balancer.

So that handles the inbound, and allowing for scaling on the inbound side. From an outbound side, Microsoft has said their preferred, or at least I guess their best, as they state, is the network address translation, the NAT Gateway. However, I'm still scratching my head: the pricing and SLA states that their data path is at least 99.9% available. So just for you guys watching there at home, I did put that down in the bottom right-hand corner, kind of small, but that means you've got 10 minutes of outage time a week. If that's okay with you, I guess 99.9 is your friend. So I don't know, I'm not quite sure how this can be their best solution with three nines; we'll see where that one goes. But those are the other options in the box there for what is allowed, or what I guess options are, for outbound IP addresses, considering this is the best. It works. The other option, for those familiar with the Azure environment, would be to use another load balancer behind another IP address, so that actually acts as a reverse proxy, basically, on the outbound side. So those are kind of the two major tools you could use on the outbound side, but the NAT Gateway, hopefully they improve their SLAs.

So here we are: next steps and considerations. We've discussed so far setting up the virtual machine, we've discussed what we can do to monitor the traffic, how to make this slightly more high performant than just the basic appliance, and what other things might be gotchas with this process. So as I mentioned earlier we have network security groups; through those, by default, just some of the basic ideas would be, on the public, putting a network security group on the public subnet and only allow outbound, so basically block everything inbound. There should be no need for one NIC to communicate with another or any traffic to be inbound, so you can pretty much deny everything inbound. Keep in mind it is stateful, so any traffic going back out would be allowed back in, but you wouldn't need to accept any inbound unsolicited traffic. The secure channel, on the secure NIC, definitely would be ideal to put a network security group there; keep in mind it might take a little bit of trial and error to get that network security group up and going, even though the load balancer would be allowed through there by default. And then you have the third NIC, which would be the management NIC; definitely with that one, limit your connections into that subnet from anything you trust, and SSH, block everything else at that point. So that should take care of your security from a platform perspective and network traffic.

Then of course you have SSH. This one in theory should be listening on eth2. One of the challenges I found is with the load balancer: if it needs a heartbeat, the question is going to be what is actually running on that appliance to respond to a heartbeat. So SSH, for better or worse, you can run it on a separate port, might be one option for a heartbeat to answer. Suggestions, if anyone else has anything else, I definitely might be interested in seeing what there is, but adding more services only increases the footprint and complexity and risk at that point, so keep that one in mind. The other issue is, if you don't install 22, SSH, on the inbound, which might be ideal, should you ever have to send SSH through the device you don't want the SSH daemon on this particular appliance listening and responding; you want that SSH traffic routed through the appliance, not responded to. So you might need to update the SSH daemon; keep that one in mind as you're progressing through your installation.

nftables: for those familiar with the Linux world, we are turning a corner. iptables is on its way out, nftables is coming around. It's a little more complex to set up; I have not yet had the pleasure or pain of dealing with converting this installation into an nftables format, so unfortunately I don't have anything to give you at the moment from a configuration perspective. Maybe in time I'll get that out there.

So wrapping this up, hopefully this has been helpful. We've shown that you can build your own appliance using some cost-effective resources. At the end of the day it's the cost of the virtual machine in the Azure world; throw a reservation on it and you probably have something that you can use for about 40 bucks a month, far better than just about anything you're going to find out there that's commercially viable at hundreds, easily, per month. The appliance can be outfitted with your own product that you choose, so again choosing open source, Suricata or Zeek; you could even tie that into a Security Onion, feed that stuff into RITA or your other, AC-Hunter, to monitor your traffic. And then using different cloud services you should be able to increase the availability and throughput, so you're not relying on just that one device serving that up. Hopefully that's been helpful. If there's any questions or comments, definitely monitor the Q&A channel. So with that, if you need to contact me, I wish you luck on your hunting and getting it up and running. I am zorg the blue on the Discord channel, and I will try and post something out there on the GitHub that I've got. I don't have these slides up there yet, but I'll work on putting something together before too long. But hopefully that's been helpful, and I appreciate everybody's time. Enjoy the rest of the day.

Thank you, Ken, we really appreciate it. Everybody watching on stream, we'll be back in just a few minutes. Enjoy this intermission, coffee break, go hide your dead bodies, whatever you want to do. Thanks again, Ken.
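The host-side pieces Ken walks through in the talk (kernel forwarding, a policy-routing table per secondary NIC so replies leave on the interface they arrived on, the SNAT and FORWARD rules in rules.v4, and the single NFQUEUE line that hands forwarded packets to an inline Suricata) are collected below into one shell script. This is an added example, not Ken's own scripts or slides. The interface roles and the .4/.1 host numbering follow the talk; the 10.0.x.0/24 prefixes, the route table numbers 201 and 202, the file names under /etc/sysctl.d and the NFQUEUE queue number are assumptions. With no arguments it only renders the configuration so it can be reviewed (and tested) on any machine; `--apply` installs it and needs root on the appliance.

```shell
#!/bin/sh
# Added example: render (or, with --apply, install) the configuration for the
# three-NIC inline appliance described in the talk. Not the speaker's own code.
# Assumed layout (addresses are constructed; only the .4/.1 numbering is from the talk):
#   eth0  public/outbound   10.0.30.4/24   (Azure manages its routing)
#   eth1  secure/inbound    10.0.16.4/24   gateway 10.0.16.1   table 201
#   eth2  management        10.0.20.4/24   gateway 10.0.20.1   table 202
set -eu

OUT_IF=eth0;  OUT_IP=10.0.30.4
IN_IF=eth1;   IN_IP=10.0.16.4;   IN_GW=10.0.16.1;   IN_TABLE=201
MGMT_IF=eth2; MGMT_IP=10.0.20.4; MGMT_GW=10.0.20.1; MGMT_TABLE=202

# Persistent forwarding switch for /etc/sysctl.d (the live switch is sysctl -w below).
forwarding_conf() {
  printf '%s\n' 'net.ipv4.ip_forward = 1'
}

# Named route tables for /etc/iproute2/rt_tables: "<id> <name>" per line.
rt_tables_entries() {
  printf '%s %s\n' "$IN_TABLE" "$IN_IF"
  printf '%s %s\n' "$MGMT_TABLE" "$MGMT_IF"
}

# Policy routing for one secondary NIC: its own default route in a dedicated table,
# plus rules so packets from or to that NIC's address use that table. This is what
# keeps SSH to the management IP from being answered out of eth0 (asymmetric routing).
policy_routes() {
  ifname=$1; ip=$2; gw=$3; table=$4
  printf '%s\n' "ip route add default via $gw dev $ifname table $table"
  printf '%s\n' "ip rule add from $ip/32 table $table"
  printf '%s\n' "ip rule add to $ip/32 table $table"
}

# iptables-persistent rules.v4: SNAT everything leaving the outbound NIC to its address,
# and in the filter table either accept all forwarded traffic from the secure NIC
# (host filtering is deliberately left to the Azure NSGs, as in the talk) or, for inline
# Suricata, queue forwarded packets to userspace so Suricata issues the verdict.
rules_v4() {
  with_suricata=${1:-no}
  printf '%s\n' '*nat'
  printf '%s\n' "-A POSTROUTING -o $OUT_IF -j SNAT --to-source $OUT_IP"
  printf '%s\n' 'COMMIT'
  printf '%s\n' '*filter'
  if [ "$with_suricata" = yes ]; then
    printf '%s\n' '-A FORWARD -j NFQUEUE --queue-num 0'
  else
    printf '%s\n' "-A FORWARD -i $IN_IF -j ACCEPT"
  fi
  printf '%s\n' 'COMMIT'
}

# Print every artifact with the file it belongs in; needs no privileges.
render() {
  echo '# /etc/sysctl.d/99-forward.conf'; forwarding_conf
  echo '# append to /etc/iproute2/rt_tables'; rt_tables_entries
  echo '# policy routing (run once per boot, e.g. from a networkd/ifupdown hook)'
  policy_routes "$IN_IF" "$IN_IP" "$IN_GW" "$IN_TABLE"
  policy_routes "$MGMT_IF" "$MGMT_IP" "$MGMT_GW" "$MGMT_TABLE"
  echo '# /etc/iptables/rules.v4'; rules_v4 "${1:-no}"
}

# Install the same artifacts on the appliance (root required).
apply() {
  sysctl -w net.ipv4.ip_forward=1
  forwarding_conf > /etc/sysctl.d/99-forward.conf
  rt_tables_entries >> /etc/iproute2/rt_tables
  policy_routes "$IN_IF" "$IN_IP" "$IN_GW" "$IN_TABLE" | sh -e
  policy_routes "$MGMT_IF" "$MGMT_IP" "$MGMT_GW" "$MGMT_TABLE" | sh -e
  rules_v4 "${1:-no}" > /etc/iptables/rules.v4
  iptables-restore < /etc/iptables/rules.v4
}

case "${1:-}" in
  --apply) apply "${2:-no}" ;;   # ./appliance.sh --apply yes   (yes = Suricata NFQUEUE)
  *)       render "${1:-no}" ;;  # ./appliance.sh [yes]
esac
```

Usage: `sh appliance.sh` prints the plain NAT-and-forward configuration, `sh appliance.sh yes` prints the Suricata variant, and `sudo sh appliance.sh --apply yes` installs it. SNAT to a fixed address is used rather than MASQUERADE because the outbound NIC's private IP is static in this design; if Azure ever reassigns it, MASQUERADE would be the safer choice.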
Hey, Rob.
Okay, sorry, am I live? Okay, I'm talking to you all. Wonderful. Right, homomorphic encryption. Okay, there's an example right there for you, in a sense. You are perfectly free to take a picture of the QR code there on the screen, get all the information that you need about me, bearing in mind that I did get my start in security in malware research, and that means that I know every possible way to get somebody to install bad stuff on their computer. Now I get another example, if you will, of homomorphic encryption. This really isn't an example; this is just weak encryption, of course. And you know, ROT13 is the way that we hide, semi-hide, things that we're talking about, and it's really just a weak form of encryption, so it's not really homomorphic encryption, because what we want to do with homomorphic encryption is to actually encrypt the data and still be able to use it for some purpose without decrypting it. It's not just easy decryption; it's use it while it's still encrypted.

Now, a lot of people think that this is a really fantastic idea, and yes, I mean there are some good things about it, but some people are going overboard. This was a news article that I came across recently, and they're calling it the Holy Grail of encryption. Yeah, it's got some good uses, but it's also got some limitations, which we will talk about as we go through here.

First of all, homomorphic encryption is not a new thing. We have in fact been using forms of homomorphic encryption for some time. For example, how do we store passwords? We hash them. Hashing is one-way encryption; there is no way to decrypt the password. Of course, what we do is, when somebody submits a password, we hash the submitted password and check it against the hash that we've stored, so we're not storing the passwords in an unencrypted form. They are encrypted, they can't be recovered, but we can still use them; we still have a use for that. So there it is, there's one example of homomorphic encryption, and we're using it all the time.

Now a few, I don't want to push these, these are kind of bad or limited examples, but doing an exact search, which is basically an exact comparison, is what we've done already with the password hashing. But looking at the electronic code book mode of block cipher: it is of course the weakest mode for block ciphers, and that is because if you have the same data you get the same ciphertext, and so for example, if you're doing simple graphics and that sort of thing, you can encrypt it using ECB mode and yet you can still get a rough idea of what the image is about. So this is just a weak form of cipher, but again, if we want to do exact searches or exact comparisons, and the block size is the same as our record size, we can use homomorphic encryption.

Sorting as well: the Caesar cipher, the ROT example up at the beginning there, or basically any encryption that uses mod functions, you can do sorting functions on a limited basis, and we'll talk a little bit later here about homomorphic encryption and fully homomorphic encryption. Many types of homomorphic encryption give you a rough result, possibly a workable result, but not necessarily an absolutely accurate result, so we can get a rough sort out of a Caesar cipher or a mod function in encryption there.

COVID-19 contact tracing, this was interesting. The DP-3T protocol just uses a random data beacon, and that actually contains no personally identifiable information, and that is why they can use this for contact tracing and still protect privacy. But that's only if you're doing the simplest form of contact tracing; as soon as you start adding location data, time data, to the random data that the beacon comprises, that starts to present a problem for privacy as well. So again, different things here: the data beacon for contact tracing is a random number, it has no meaning. In a sense it's kind of perfect encryption, because there is no original data there except for the random data, but again, this is not a really great example of what we want to use homomorphic encryption for. And of course there's our QR codes for vaccine confirmation, that you can prove that you have been vaccinated and you can do travel, you can get into restaurants, you can get into shows, stuff like that. And so you can take this QR code and present it and get into a restaurant, get into a gym, get into a movie theater, whatever it may be, try to travel on an airplane, and if you do use this QR code and try to do those things, you deserve everything that happens to you.

So a better example here: voting in elections has been much in issue, both in your country and in mine. I am of course from Canada and therefore an untrusted alien, but we've had recently a federal election, we had a couple of elections provincially up here, that have addressed issues of could we have online balloting, could we have machine voting, various. And I've been looking at voting systems for many, many years, and the various proposals that have been given have been pretty much universally terrible. I think one of the worst that I encountered recently was somebody who suggested that we use blockchain for online voting, and I just, you know, for crying out loud, where is your head at? But Rivest, and this is the Rivest of the Ron Rivest that is the R in RSA, he proposed this ThreeBallot voting system, and there's some information you can get on it. And by the way, I've fired into the track one chat and Q&A area some details and all the URLs that I'm using in these slides, so you don't have to
madly try to copy that down um but the three ballot voting system is is really really interesting this is the first one that I've seen that that really impresses me as something that is possible uh Microsoft has um uh is bringing out something or presenting proposing something called election guard and I from what they have said about it I believe that it is in fact uh based on on the revest uh three ballot voting system now um the first thing about uh balloting is that um we want to be anonymous uh we want people to be able to uh vote and vote privately confidentially nobody should know um what they're voting for um now I I can't you know go to if you're
interested in three ballot voting system go to the you know do some research on it because what I am going to uh say here about it is uh overly simp simplified to to the point of of being problematic but in any case uh the uh three Val voting system think for yourself of of a ballot regular ballot in three parts the first part being the names of the people that you're going to vote for uh the last part being the the check boxes where you're going to put your X but the middle part of the ballot being a uh set of um fairly random lines connecting the names to the different boxes now that ballot is in three parts and if
you detach any of those parts any of those parts uh you know first last or the one in the middle then you do not know from the two remaining pieces what you know who this person voted for now that's that's as I say that's overly simplified because the revest system does this but it does it mathematically and uh it's very interesting this can be implemented either on paper or digitally and the voter keeps one of the parts of the ballot there's three parts to the ballot the the voter keeps one one part and therefore that protects their anonymity now uh because it's not the oversimplified example that I just gave the mathematical relation means that they can in fact
count the votes even though it is in a sense encrypted it is anonymous um and the three balot voting system also provides us with a number of things that we have not had before um you have non-repudiation of voting the the voter having voted uh the uh voting authorities although they do not know the