
That's okay, I guess we can go. If there's no mic, there's no mic, that's fine. Sorry for the delay on the start. This is my fifth or sixth BSides, I've lost count. BSides Calgary: I was at the very first one, I'm one of the guys that signed the papers to make this happen, and I'm looking around the room and, believe it or not, I actually don't recognize a lot of people. So that tells me BSides was a success; there's a whole bunch of people that went "oh wow, cyber security is important, we should do this." So thank you very much for coming.

Now, why is it Hacking 101? We had this pandemic thing a couple years back, remember? James called me and says, "So we're gonna do a conference anyway." What? Okay, sure. Nothing's cancelled, BSides is going on, that's great. And we prided ourselves on having a CTF. We'd had a few people in the very first couple CTFs come and say, "I don't even know what to do, how to do this," and, you know, I'm always trying to help people out, it's like, let me show you how. And it's like, more people in the crowd, it's like, we just need to teach a class on the basics of hacking, what do you got to do? And it didn't really go that well, because there's no room.

Back on the presentations from a few years back with COVID, we actually had people connecting in and they were on the conference; I'd be like, "in your other screen, try this," and that's kind of where it came from. And then we decided, okay, now that we're back in person, let's do this. And it didn't really go as well, one because, as usual, we're always behind on getting all the other stuff set up, but two, it's like, well, I see people here with laptops now, but back then they were sitting there in chairs and they had no way to participate. Like, oh great. So it was kind of like freestyle in a lecture, talking about what we can
do with the CTF. So that's kind of where this started, and I think, well, this year we could try and do a smidgen better. Then I find out, like, as I walk in, "So did you send us the slides?" We're supposed to send slides? My slides aren't even done, I'm supposed to send them somewhere? Are you kidding me? Like, come on, right.

So we do the obligatory "about me" kind of thing. When I say self-proclaimed grumpy security guy, I literally made that term up, and if you look on the internet you'll find a podcast, me and another grumpy security guy talk about security. If you feel that you belong in that club (and Michelle, you do), come by, get a sticker, throw it on your laptop. But it's self-proclaimed grumpy security professional, any gender. Huh? I know, but you're definitely a professional and an expert in the field and one of the OGs, right, like one of the people that's been here a long time.

So when you start looking down and say, oh yeah, there's a lot of stuff, but I wanted to call out a bunch of people that have been with us a long way, the ones that aren't here; like the guy sitting down talking to me, I wish I had a little more time with him, but Henry was one of our grinder guys that just got stuff done. Steve Porter's been a sponsor of this thing from day one. Bow Valley's been great. Zingi is down there right now watching the farm and hoping things don't blow up before we get back, and adding more CPUs to the scoreboard. So yeah. And if you want to reach out to me, you can find me on LinkedIn; don't bother sending me an email there, as many will profess I never answer that, but doug.lea at Gmail, I'm pretty easy to find, and I will talk to anybody about security until you start holding up the calendar saying it's time for you to stop talking. This is pretty much all I do, because plan A of being a rock star didn't quite work out. Doesn't stop me from buying guitars, doesn't stop me from occasionally putting some music out. But yeah.

So where are we going with this this year? If you pull out a book on hacking, they're going to tell you about "scan your systems and look for a vulnerable service and then run this Metasploit payload," and it's like, that's awesome when it works, but the calendar flips and that hardly ever works anymore out of the box. Okay. So I put this up here: identity is the new perimeter. Meaning now, when we're attacking, the real thing is about trying to get inside the organization or inside that person's laptop. It's not going to happen by you shooting packets at it; I'm sorry, that doesn't work.
So we go back here: intelligence over technology was the theme, the rough approximation of a theme that I started with, and this is really what it is. The whole point with intelligence around an attack is you need to understand who you're going up against. So on the CTF, for example, there's a bunch of profiling questions about the people that work at this company. So if you are playing (and it costs nothing to play; the scoreboard is a little slow right now, so please be patient, we'll try and fix that), when you go on there it's going to ask you things like, what's the domain of the company? Sounds pretty basic, but why would you need to know that? Because lots of companies have similar names. When you're doing hacking, and this is possibly learned from experience, I may or may not have information later on this, make sure you know what you're shooting at. Okay.

A lot of people just think it's cool to light up a scanner and scan the internet. Okay, technically that's illegal. Are the police going to come knocking at your door? No. But if you found something and you started digging in and you got yourself somewhere and you decide to tell the company that this is what I found, you may get a visit, you may get a lawyer involved, like, there could be a problem. So definitely when you're hacking you need to make sure that you understand your targets and the range of limitations. Because even a lot of us have done this as professional consultants, and so you have to take out errors and omissions insurance to say, if I'm doing my job that you hired me for but I screw it up and it's really bad, you can talk to this insurance company and they'll give you some money. I know I'm not getting another job, but at least I get to keep my house; that's kind of how that angle works.

But errors and omissions is important because nowadays everything around us is controlled digitally: the heat in this room, or the lack of cooling, the lights, all of those things, the elevators to get you up and down. We're really trusting that the people in control of that are the people we think they are. And nowadays, when it's IP addresses and software and things like that, it's not necessarily who you think it is. So that's: identity isn't just people. It's also, is that the right SVC service running on that machine, or is that one that the bad guy dropped in that just happens to have the same name as the legit Microsoft one, and the malware whitelist goes, "yeah, okay, off you go," and it does the thing. Like, those are things. So the identity of the program that's running, the identity of the person running the program, the identity of the machine: all of those are measurable electronically, and depending on your security controls that may or may not be part of the equation. So your job as the hacker is to figure out how to get that identity somehow. Right? So that's kind of where we're going here. What happens... oh, how about that.

So what's our very first identity situation? It's typically, what, username and password, right? Who doesn't have a password? How many have the password of "password"? You laugh, but that's still the number one password in the world. So you need to be cognizant of
where you're leaving your credentials around, and I signed up for Have I Been Pwned, but I put this thing here about the internet never forgetting because it actually did get popped. Some online chess... I had this great idea, I was going to start playing chess again, about 10 years ago, and I think I logged in once and went, this is hard, I don't think I'm going to bother. Apparently they got owned last month, chess.com or something. But anyway, so Troy Hunt's stuff, he actually tells you what's been exposed. But if we look here, my email address is gone, it's now out there in the public. Now it's not exactly like it's a secret, it's on my blog, I talk, like you can find me pretty easily. But the username that I used: remember I went back to identity. Sometimes when we log into a computer we're using not Joe Smith, we're using, you know, jsmith, or it's jsmith4567 depending on how many guys named Smith worked there before. Okay. But I worked at one place where your username was a seven-character random string like X4723; that was your X number or Y number or whatever, I forget the exact thing. I thought, that's super clever. Why is that? Why is it important to obscure your actual username? I'm supposed to have some... there's supposed to be giveaways for good questions or something, I don't know. Did they tell you that? They told me that. Okay, let's see. Well, that's the thing, for sure, that's one. So we've got the online names, right? So a lot of people will use an online handle, but then they start to use that everywhere. "It's half of the brute force combination." Yeah. So how does a brute force attack work, right? Yeah, and that's kind of lucky with spraying stuff, but yes, for sure: I have a username, I try a password. If I don't want to lock these people out I might try something called password spraying, where I have a hundred usernames and, I don't know, it's Calgary, why don't I try "GoFlamesGo"? You never know, there might be a hockey fan in there somewhere. That's really hopeful, but, you know, it's possible. But I've got to start; I've got half of the equation. If all that I'm using is my username and my password, suddenly this is a thing now, right?

There it also said username. So remember what I said, I tend to be using my name all over the place. Well, what if it's an obscure handle that I think is all kinds of secret, like, you know, Alpha47 or something? Believe me, I'm no alpha, but, you know, let's pretend. Everybody that makes up a name like that, you really got to worry. But anyway, so they say I'm the alpha whatever and they put that number in there, but it's good because nobody knows my email address so they couldn't phish me. Well, now they can, because now they can put the two of them together. And my talk tomorrow, where I do have slides, which I didn't send to you guys (maybe that'll happen, maybe it won't), what I studied as part of my research this past year is how I can take little pieces of my data and reconstitute or re-identify somebody who's supposedly anonymous. And it's not as hard as one would think, which was kind of the basis for the thesis.

All right, now where would I find such things? Well, like everything else, there's a service for that. So I forget which one this one is, maybe it's reasonable on there. Anyway, you can go on the internet and look for naming conventions of an email organization, and because Bow Valley is sponsoring I thought... I didn't ask permission for this, because, you know, I'm a forgiveness-begging kind of guy. I'm sure they won't mind, but I literally
just put their domain in there. So this is public information. I signed up, I get 25 queries for free every month, and all they want is my email address. Well, I can make me a new email address in about eight seconds, so I think I have unlimited queries with this service now, I just need to keep signing in as somebody new. But I can run this, and now all of a sudden I've got the naming convention for this user, and it's kind enough to give me their first name and last name. Well, sometimes that's a hard thing, but why would I want to know their first name and last name? Yeah, I go look them up on social media. Now I find out, oh, they're into dogs. Well, suddenly so am I, right? Why would I want to do that? Because I want to invite them to join my club, or I wanted to do, you know... so this whole social engineering, you need to take advantage of the trust components, and again my whole goal is to get something about their identity known to me so that I can go in and do stuff as them. That's the perimeter I'm trying to break. So the social engineering is a valid thing.

But okay, so let's pretend I'm not quite that creepy and I just want to know what email addresses work, right? So right there you're looking at a naming convention, and on the CTF we actually have some questions around, what's the email address for this person? It's not on the internet. Well, how would you do that? You just guess. Who knew? So you can guess stuff. We're in Canada; you can literally Google what are the top surnames in Canada. Guess what, they also have a first name site, imagine that. And if my email address was... oh, there's even pseudocode for this: glue the things together, for each first name in my list, append all of the last names, and try and send an email. Did that work? Did it not? Yeah, like, that's the thing. So there's different stuff that's going to come down there: send a test message.

Now, if you're real lucky, and I don't think you are this year, but I didn't check this, maybe this will work, I don't know. On the mail servers of old they used to be kind enough, and I'm seeing somebody over there say, yeah, I think I built a couple like that, they would say "that recipient isn't here, thanks." So if you don't tell me that, what does that tell me? Yeah, they're there and that's their address. It may not be perfect, but, you know, they could have just started and they're still waiting to get their email working, because, you know, those guys... no. Under normal circumstances, like, it's a hint.

Now the weirdest part is we sort of fixed that on a normal default Exchange service. Like, when I was pentesting 10 years ago this was almost a gimme, and I threw out a shout-out there to one of my favorite SMTP enumerators of all time. I never know how to say it, "patator", so p-a-t-a-t-o-r. You can also enumerate HTTP and a few other things, but it just sort of worked for me with the SMTP enumeration, because I
you know, let's take all night, I'm gonna just set this and I come back in the morning and I got three email addresses out of it. I made 10,000 inquiries, politely, and I got three valid emails out of that. Like, how good is that? Cost me nothing, and the mail server was just cooperating. And so we got smart and we locked all that stuff down. That's great. Then we decided to move to this thing called the cloud. Guess what Microsoft does by default when you ask it? Certain tools, go look up nyxgeek or o365recon: this same thing we fixed a long time ago is totally doable in Azure right now, or at least it was last week when I played with it. And you know why it's there? Because Microsoft doesn't consider the exposure of your email address as a security risk. That's one opinion; it's not what I personally share.

And one of the reasons that I'd like to do this is we need to make sure that when we're going at something, modern hacking, a lot of the tools, especially now where we've got machine intelligence or machine learning, pattern matching, pick a name, somebody's probably already trademarked it, but the things that are watching all the big data going "that's weird," it's definitely come to visit us. So if you think you're just going to hit it with full speed and off you go, it's like, no, you're going to have to spread it around. And we responded to one recently; I thought, oh, that's pretty clever. Every single request they kept using the same IP, but they changed the computer they were coming from, because that was part of the connection string, and the user agent, and they were inventing strings that could never exist in real life. You know, like, an Apple really never runs an Android user agent; I'm pretty sure you'll win on that one. But Microsoft's going, "yep, all good, here you go, you're not hitting the threshold." If it had been hitting it hard with the same connection all the time, the machine would have went, "hey, I counted to 1100 and that's a problem, because 1099 and you're out of here," right? So they vary these things. But as we get to scale on the service side, we can do the same on our side. So there's APIs to build up equipment on Azure, on Amazon, on Google, and how many people here are using something like Ansible or Terraform or something like that? Yeah. So I've got playbooks to build hacking platforms, and as soon as that one gets busted I spin up another one.

Now this is where we flip the thing around. Does anybody ever set up an AWS account? Is this not like the most unfriendly user experience ever? So once you're set up you're good, but until you cross that threshold... so if they bust me on this AWS thing, am I likely to say, forget it, I'm going to DigitalOcean? No, it's just going to spin up another one, but it's still going to be coming from AWS, I'm probably going to be coming from the same region. So from a blue team perspective you're going to need to look for anybody new talking to me from AWS that I never heard from last week. Yeah, but like a lot, like in a weird way, and so you got to find some of those other threads to try and tag onto it. But in the CTF we actually
have a couple challenges where you're going to have to go into data that we collected on a real live implant. Now, it's safe: even if you found the real thing, it's not actually going to do anything, because I never know the skill level at a CTF, and the last thing I wanted is to put real-life dangerous malware out there, like, "see how far you get." No, that's not a responsible thing to do. Okay. And so, you know, we kind of went, all right, what can we do to kind of fix that? So this command and control channel will definitely respond like a command and control channel, but it's not going to steal anything. The good news is you're now looking for who got infected. So this is part of that intelligence where you have to understand the targets, but you also... hopefully most people here are blue rather than red? Mostly blue. Both? Purple? Oh, you want a job? Oh, go talk to Steve Porter, he's the right guy, and there's some guys over at the X10 booth, they're also looking. So yeah. But yeah, so purples, obviously you do some red, some blue. Blue, most of us are blue. So again, applying the intelligence approach to what your adversary could be up to is a big deal, right? And, yeah, and my name was on there and it came anyway, I don't get it, who knows why. I... Maynard's on the other, like, I'd be overwatching Maynard, it's just me. Yeah, see you; he'll be recorded and he will have had slides, he's an SE, he's got time for stuff like that, has lots of plane flights. Okay.

But scripting and automating absolutely is how attackers are coming at you, from an intelligence perspective, where they're doing that from and the types of things that they're doing are the repeatable. So I didn't put it up here because I think it's now just like in our culture: the David Bianco pyramid of pain. Has everybody seen that? Okay, anybody not? It's okay, one person, okay, one, good, everybody. So to explain the pyramid, and if I had a whiteboard... actually we don't have... pretend there's a virtual pyramid here. Oh, we do? Oh yeah, let's check that first; that would be like the best hack. It's scented, non-toxic watercolor, but it doesn't say good for whiteboard, so I don't know, I would have done that. So, pyramid of pain, right? So down here you've got IP addresses and hashes and stuff like that, and what do we call that? We call that threat intelligence. How hard is it to change your IP address on Azure or AWS? I can script even creating the new machine: "hey, you've been running for 12 minutes, time for you to take a rest." Like, yeah, it's like a nothing. But what do we do? "Oh, here's 177,000 more IP addresses, let me just get those into the firewall block," and right away, right, and your firewall's just crushed with all this stuff that's never ever going to call, and if it does, it's actually a real person and you want to let them in, because last week it was a bad guy, but that's the nature of the cloud, you never know who's got that IP. So it's like, who's got that IP, but what's coming over that IP is way more interesting. And why is that? Because it's a pain in the ass to rewrite your scripts to do this new thing. Like, if nothing else, I should just look for those guys who were coming at
us with the random computer and the, um, whatever computer, and the user agent, as they're connecting into Azure. It's like, if I'd had more machine learning time in shops I would have done something like, just tell me the IPs of people that are connecting from things that don't exist; those are bad guys. Why is that? Because they got a script with two random "go to Google" lists: user agents, 200; common computer platforms, 18; have fun. But a lot of that stuff won't exist, you know. Or if it's not one of these two or three or seven valid combinations, highly suspicious. And if the same IP keeps coming at you from different stuff, it's absolutely possible, because lots of organizations gate all their users behind a single machine or single IP, so that's not a good count on its own. But the fact that they're coming at you with an iPad that's running an Android browser is a dead giveaway that this is not the droid you're looking for, right? Like, that is... but it's also the other way around: this is probably an adversary, because he has to go rewrite a script. I've now moved into that middle ground of, he's going to have to change his infrastructure, that's more costly. So that's part of the change, is that we can use our intelligence about how these things work to defend against them; as radical as that sounds, it actually works.

Now, if I had more machine learning shops that would be a thing, but I promised my wife I'd at least take a little bit of time off, so I probably won't start that till January. We're good? Headshake. Okay, maybe spring. But yeah, I think that's the future of where we got to get to as professionals, is learning how to use these high volumes of data and write our own made-up "just show me everybody that is using something that doesn't exist." It's a threat hunting hypothesis, but we're hunting in the data. You like that? I'm going to trademark that. Or it's like, it's time to shut up now; I'm good with either one. I got... yeah, like, we're on the same page, right? Like, yeah, exactly, and you'll notice we're similar vintage but Michelle's aging much better than me.
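The "connecting from things that don't exist" hunt described above, written out as an added example that is not part of the talk and not any vendor's product logic. It reads constructed sign-in records of the form source IP, device OS as reported by the client, user agent; infers which platform the user agent claims to be; flags the rows where the two contradict; and then counts, per IP, how many contradictions and how many distinct OS/UA combinations appeared. The record layout, the field names and every sample value are assumptions made for this example. The distinct-combination count is reported only as a supporting signal because, as the talk notes, a NAT gateway puts many real devices behind one IP; the contradiction count is the strong signal.

```python
import re
from collections import defaultdict

# Constructed sample sign-in records (made-up values, not real telemetry), one per line:
# source_ip,reported_device_os,user_agent
SAMPLE_SIGNINS = """\
203.0.113.10,iOS,Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1
203.0.113.10,iOS,Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/115.0 Mobile Safari/537.36
203.0.113.10,Windows,Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) AppleWebKit/605.1.15 Version/16.4 Safari/605.1.15
203.0.113.10,Android,Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/115.0 Safari/537.36
198.51.100.7,Windows,Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/115.0 Safari/537.36
198.51.100.7,Windows,Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/115.0 Safari/537.36 Edg/115.0
192.0.2.5,macOS,Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) AppleWebKit/605.1.15 Version/16.4 Safari/605.1.15
"""

# Ordered so that the more specific marker wins: Android UAs also say "Linux",
# and iPhone UAs also say "like Mac OS X". The platform names are our own labels.
_UA_MARKERS = [
    ("iOS", re.compile(r"iPhone|iPad|iPod")),
    ("Android", re.compile(r"Android")),
    ("Windows", re.compile(r"Windows NT")),
    ("macOS", re.compile(r"Macintosh")),
    ("Linux", re.compile(r"Linux")),
]


def ua_platform(user_agent):
    """Platform the user agent string claims to be; 'unknown' if no marker matches."""
    for name, pattern in _UA_MARKERS:
        if pattern.search(user_agent):
            return name
    return "unknown"


def is_impossible(device_os, user_agent):
    """True when the reported device OS and the UA's claimed platform contradict each other.
    An unrecognised UA is not treated as a contradiction (no evidence either way)."""
    claimed = ua_platform(user_agent)
    return claimed != "unknown" and claimed != device_os


def parse_signins(text):
    """Split the constructed CSV-like records into (ip, device_os, user_agent) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, os_name, ua = line.split(",", 2)  # the UA itself may contain no commas here
        records.append((ip, os_name, ua))
    return records


def find_impossible(records):
    """Every sign-in whose device OS and user agent cannot both be true."""
    return [r for r in records if is_impossible(r[1], r[2])]


def score_ips(records):
    """Per source IP: number of contradictory sign-ins and number of distinct (OS, UA) combos."""
    impossible = defaultdict(int)
    combos = defaultdict(set)
    for ip, os_name, ua in records:
        combos[ip].add((os_name, ua))
        if is_impossible(os_name, ua):
            impossible[ip] += 1
    return {ip: {"impossible": impossible[ip], "combos": len(combos[ip])} for ip in combos}


def suspicious_ips(records):
    """IPs with at least one contradictory sign-in, most contradictions first."""
    scores = score_ips(records)
    hits = [ip for ip, s in scores.items() if s["impossible"] > 0]
    return sorted(hits, key=lambda ip: -scores[ip]["impossible"])


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    for ip, s in score_ips(recs).items():
        print(f"{ip}: {s['impossible']} contradictory sign-ins, {s['combos']} distinct OS/UA combos")
    print("suspicious:", suspicious_ips(recs))
```

On the sample, 203.0.113.10 presents four different OS/UA pairs and three of them are self-contradictory, so it is the only IP reported; 198.51.100.7 presents two different but consistent Windows browsers and is left alone. Real sign-in telemetry carries more fields (client application, token type, and so on) that can be added to the same contradiction check.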
Oh, we could go somewhere... no, I'm good, I'm good, I'm good. All right, but so, back to the original slide. Have you noticed we go way off-road a lot in my talks? Why is there no agenda? Like, why try, right? Okay, so we go down there. So, thanks, that's the thing: thank you, Microsoft, I got an out of office. What's an out of office? It's like, that's like the golden ticket, well, not really the golden ticket, but almost as good, because now you told me how long you're gone for. You may have even dropped a hint, like "I'm out of the country." Well, that's a great way to social engineer the help desk: "oh my God, you got to help me because..." and guess what they're gonna do? They're gonna help, right? So it's like, great. So that's gold. A couple of flags looking for out of office. They go, well, who would do that? A little company called HBGary; internet lore, you can go look this up, but apparently that was part of how they got in, was somebody got an out of office from somebody way up high in the, you know, in the plumbing. And anybody that doesn't know who HBGary is: you've heard of the NSA and the CIA, they buy stuff from them. So kind of a big deal when a heavy-duty security firm loses the identity of a key user and they were able to use that to get in, get some source code, and the guy got fired a couple weeks later and all the rest. But anyway, so that's awesome when you get an out of office. And then of course when there's nobody there, or a properly configured mail server, nothing happens, so I don't know, maybe they're there, maybe they're not.

But other places you can go find identities: web apps. "Would you like to reset your password?" Why, yes, I would. "I'm sorry, we don't have that user." Why, we do. And now, because it happens so often, people have been using it for enumeration, what do we do to our users? "Hey, somebody just tried to reset your password, but if that wasn't you, just ignore this." So we don't even see that anymore; we don't even know that anybody's trying to break in. And Okta was really bad for that recently, where you could enumerate anybody you wanted on there, like pick a random email address from the... it was surprising how many people. Anybody that's using these federated services like Okta and Office 365 or Azure and all the rest, depending on how they configured it, that federation might be extra helpful, and you could be trying to break into somebody's account in a corporation but they're authenticated by Okta. I'm beating on Okta all day long finding out my users over here, and these guys are none the wiser, because Okta by default doesn't even send that over. It's like, you know, "87,000 people inquired about your employees yesterday, just saying, that's kind of unusual for you guys." They don't do that. They might now that we talked about it; more, it'll be for fee, of course.
But go do all these hunting things, like, you know what, for 5,000 bucks a year, for sure, I'll have that. Like, there are... I rag on the cloud guys in some cases, but in other cases, if you gave us some capabilities that only you guys could do because you're massive, I would totally buy that if it wasn't stupidly expensive. So there are places where we can sort of influence that, and look for SaaS providers that may offer a service like those kinds of things. Okay. So yeah, and just to be that guy, because I've done lots of blue team work: in the OWASP Testing Guide they say don't be so nice about whether that user has an account on there or not.

And so what I've been talking about all the time is data analytics for defenders is really where we want to get to as an industry, because our adversaries are already using that. They already have APIs to see who's got a new job change on LinkedIn and all that kind of stuff, and LinkedIn's more than happy to sell you that visibility, again pretty cheap; like, a lot of these services are under a hundred bucks a month. If I can break into a company and steal a couple of wire transfers a year for half a million apiece, spending a thousand bucks on API keys a year seems like a cost of doing business to me, if I was an adversary. I don't look good in orange, but I think about what orange people think about as well. Okay.

So I put that up there: blocking IPs, you heard my rant on this. What infrastructure we are... hey, we did most of this. So the only thing I'm going to leave you with here is: collect and hope is not a strategy. I'm thinking of trademarking that, but I will append that for people in this room. So "collect and hope is not a strategy" is your normal compliance approach to log monitoring. Let me send everything into the SIEM. Well, your SIEM vendor really likes that, because they'll be by next week with a new order of disk and seven more nodes and a new license count, and they're just printing money, and you're piling up this stuff. And, oh, somebody that wrote this standard says we need to retain this for a year. Wow, how many firewall events do you pull in a day? And then you multiply that by bits on a disk and you go, okay, so I need a room about twice this size for just all my firewall logs of people scanning me from the internet and getting denied, because it says in my standard I need to log all denies and permits because of PCI compliance, stuff like that. Okay. Regulations have a way of shaping what we collect, and we don't... our job is to sometimes go,
I don't think we want to do that, and let's make a business case for: we seriously don't record who is not shooting... again, blocked on the perimeter. We keep it for a week, because if I'm in the middle of an investigation I want to know who was coming at me, but after that I don't care who was shooting at me last week, because apparently they never got in, or, right, I'll be working on a different problem right now: gold, they're on that endpoint. Okay. So not every piece of data has the same lifetime. If you're in the middle of an investigation, that stuff may need to hang around for five years. Do you have a safe way to store that? "No, it aged out on our SIEM last year." Exactly the words the lawyer wants to hear. True story. Okay, don't be... you know, you're going to have to pull that off, you're going to have to store it somewhere. So go back to your compliance people and go, this policy sucks. Now, to be kind, the only thing worse than reading a policy is having to write one. None of you are policy writers, really? Oh, you are? Go, yeah, truth, brother, truth. Yes, they're hard because you got to cover all situations with such vagueness, and then you've got people that are going to argue, well, that doesn't really apply to me because I wear purple socks to work. Okay. But cynicism aside, understanding, making sure that policy works for your defense strategy is super important, and the only way you're going to know that is read some policies and understand them. Sometimes you'll find one that says you're actually at this level, you should be paid differently; it's like, might be something for you. Anyway, collect and hope is not a strategy.

But remember what I said about, I'll take all the firewall logs for seven days? Yeah, for sure. And there was this little company, they bought another little company, because the option was renew their Splunk license or buy the company, and they bought the company. But I was talking with Jay just before, and he goes, "yeah, that joke's getting old." Like, yeah, I know, but I love telling it. You guys should [inaudible]. But big data lakes, it's definitely a place, because I don't necessarily know in the middle of an intrusion how far back it went, where some of that data analytics... When's the best time to collect the data? When the event is happening. Reconstituting it afterwards: really time-consuming and expensive, so you don't want to go there. Collect it now. If you find out a week later you're never going to use it, keep it moving out the other end. Think of it more like a managed lake, okay: stuff coming in fills the pool; not used, goes out the other end. If it turns out to be useful, maybe you start pulling it out of the lake regularly and that becomes a SIEM engine rule. Okay. So SIEMs are for structured data; lakes are for anything, no structure yet. And so a product like Splunk or Elastic, where they do the indexing and just let you search for anything, great, but expensive to store forever. So you want to balance that out: where you need it, where you need to search quickly, where you need to have correlation rules; rules searching backwards is super expensive. Go talk to the guys at Cadar on how they're doing stuff as it comes in and starting to piece together the puzzle. So some of these
user behavior analytics models work in that way, so it's important to want to look at both things. If you don't know anything about machine learning, seriously, get at least familiar with how this works. And then this is really just like dumb things to do with data: filter. When you're searching in this big lake, have a smart filter as the first thing. Now, "select * from universe order by neutron": how to crush a database in one command, right? But the minute that I say "select * where hydrogen composition is X," and I've already classified them as type ones, "select * where type = 1": any time you can feed it a number or an index of some type, it's going to speed that search up. And why do you care about that? Because half the time you're digging down blind alleys, you got the wrong thing, right? So, you know, that's kind of an issue. All right. And then, so write good filters, and then add more filters, and once you find something that isn't applicable, exclude that, run the search again, and you're trying to get to that Goldilocks zone: not too hot, not too cold, just the right amount of data.

And field sets. I preach this every day at work: field sets matter. When you open up a QRadar or ArcSight or Splunk SIEM engine, they have a set of fields that are there. Those fields are equally useless for all kinds of data; whatever data you put into it, it's equally un-useful. So job done, everybody's treated badly from day one, how do you like it so far? But they give you an option to go in there and change the field set. So if I'm looking at an email trail, I want to know who sent it, so that's one field; who was it to, that's another interesting field; what was the subject; did it have any attachments or not, great; and maybe if you're lucky you got something like a high-end product where it says, are they a known bad, like did they fail SPF, or things like that, like your general opinion of this sender so far. And then you can start to grind through. But that field set needs to be saved for email search. When I need to go through the firewall thing, guess what, in that firewall log there's no such thing as a sender, it's called a source IP. So you need to tailor the field set. But I honestly don't care how big the email is most of the time; but if I'm looking at a data flow between two things, is that like a regular little chunk of bytes every 15 minutes? You're sending 128 bytes to that IP on Azure, and about once an hour I see about two megs come back and I see about five megs go the other way. Let's see: 15 minutes, 128, 128, 128, 128. That guy's probably got something, and our EDR doesn't know what it is yet, because guess what, they just wrote it, it's brand new, they're the only ones using it. But even inside patterns, in order to make that kind of assumption my data analysis would need to include queries where byte volume is less than or greater than, and stuff like that. Well, the only way that's going to work is if you're actually collecting that in the log and then making it a field that you can search by. These are not things that come out of the box; the tool is there to build it, you can build all of that. Go talk to, like, the QRadar...
I was razing the guy last night at the party right it's like because I got a really good IBM joke you may be able to buy better but you can't pay more and he said sales so he didn't actually think that was a bad thing but you know but to be fair to IBM they build great stuff sometimes a little lagging but you can trust it okay and I've used arite I've used pretty much all the big players and they're all pretty good and they will allow you to build these things out but you need to go in and do the work so when they drop the Sim on your desk and say off you go it's like
okay see in a year no no I need 12 use cases by next week okay but they're not going to be useful you didn't clarify that part so we're good I meant my annual obje Sime in 12 use cases all of them sucky but that wasn't part of the all right but look here again stats so we're using so this Sim is available if you go play the CTF there's some questions and it's like oh what did they add because these are always adding new Step there's a stat so it's a little hard to see in here but again one of those sort of analytics things like who's talking a lot that's different abnormal and where they you
know, so you need to understand your environment to figure out what's weird and what's normal out of that. But that's kind of it. And then, yeah, so this was an idea I had on how to build a classifier; we won't go into it, but if you really want to dig into that, tomorrow. So I'm probably well past my time, but that's kind of what I was trying to get across: go play the CTF, at all, not this one, others. You're going to need to do this, but in your day jobs you need to think about how the hacking's done so that you can defend differently. And if you've never done any hacking, please, please, please start. There's lots of free or low-cost ways to get into this. How many people in here have run an nmap scripted scan? I see a lot of hands that didn't go up, and that's not a shame thing, okay, but you go to the scripts and you go, oh my God, they're all... they keep adding new ones. It's so useful. If you've never even had the chance to do that because it's forbidden by your organization, then a place like this is a great way to come try something, right? We purposely stage questions where you've got to go find something on a weird port and then figure out what the heck it is. Well, there's a way for you to do that; it's actually not that hard once you understand, but if you've never done it before it's completely foreign.

But then when some security engineer comes in, "we're just going to move that web service to port 8995 and we're going to put basic authentication on the front, that should keep us safe": that's fine if it's a camera on the cafeteria; if you're a bank, that's probably not the right approach, okay. Why would basic authentication suck? Because the only person getting the logs is the web server, and they're ugly, and they're not recorded anywhere, and there's no lockout, and there's no complexity, and there's no limit to how long you could try. SSH is another one. How many people have implemented lockout on your SSH daemon? You got that to work? God bless you. I've given up trying; I just let her go, and if I really care about it I take off passwords and I put on keys. Why is that? Because keys are harder to steal and guess than passwords; like, you can't guess a key. If it really matters, identity is the new perimeter, remember: I'm protecting this identity that matters a lot with something that you're not going to find on Google or Have I Been Pwned. So those are mechanisms that we can use, and we need to start thinking about the identity of the process running on this computer, the identity of that machine that says it's our web server, the identity of that person that says they're the president of the company, because that's how they're going to get in, and we're going to find them snooping around the edges using data analytics. And I finally know how this talk was supposed to end.
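The "128 bytes every 15 minutes" hunt and the filter-then-exclude-then-search-again loop described in the talk, as an added example that is not part of the talk or of any SIEM product mentioned in it. The flow records, IP addresses, field names (`bytes_out`, `bytes_in`, `dport`) and the thresholds are all assumptions constructed for this example; a real run would read the same fields out of firewall or NetFlow logs, which is exactly why those fields have to be collected and indexed in the first place.

```python
"""
Beacon hunting over constructed flow records: cheap filter first, group by
talker, then flag regular intervals with a constant request size.

Added example. The records below are constructed, the IPs are made up, and the
field names and thresholds are assumptions rather than any product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def make_flows():
    """Constructed flow records: one beacon, some browsing noise, one known-good job."""
    base = datetime(2024, 5, 1, 8, 0, 0)
    flows = []
    # Hypothetical implant: 128 bytes out every 15 minutes, ~2 MB back once an hour.
    for i in range(16):
        flows.append({"ts": base + timedelta(minutes=15 * i),
                      "src": "10.0.0.5", "dst": "20.1.2.3", "dport": 443,
                      "bytes_out": 128,
                      "bytes_in": 2_000_000 if i % 4 == 0 else 0})
    # Ordinary browsing to another host in the same cloud range: irregular timing and sizes.
    noise = [(0, 300, 52000), (3, 180, 310000), (11, 460, 88000), (27, 220, 4100),
             (44, 90, 125000), (61, 350, 9900), (140, 410, 77000), (199, 130, 150000)]
    for minute, out, inn in noise:
        flows.append({"ts": base + timedelta(minutes=minute),
                      "src": "10.0.0.5", "dst": "20.1.2.9", "dport": 443,
                      "bytes_out": out, "bytes_in": inn})
    # Known-good: a time sync to an internal server, also every 15 minutes (a false positive waiting to happen).
    for i in range(16):
        flows.append({"ts": base + timedelta(minutes=15 * i),
                      "src": "10.0.0.5", "dst": "10.0.0.1", "dport": 123,
                      "bytes_out": 48, "bytes_in": 48})
    return flows


def filter_flows(flows, exclude_dst=frozenset(), max_bytes_out=512):
    """The smart filter that runs first: drop excluded destinations and anything too big to be a heartbeat."""
    return [f for f in flows
            if f["dst"] not in exclude_dst and f["bytes_out"] <= max_bytes_out]


def find_beacons(flows, min_count=4, max_jitter=0.1):
    """Group by (src, dst, dport) and flag talkers whose inter-arrival gaps are regular
    (coefficient of variation <= max_jitter) and whose request size never changes."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f)
    hits = []
    for (src, dst, dport), fs in groups.items():
        if len(fs) < min_count:
            continue
        fs.sort(key=lambda f: f["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(fs, fs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        sizes = {f["bytes_out"] for f in fs}
        if pstdev(gaps) / avg <= max_jitter and len(sizes) == 1:
            hits.append({"src": src, "dst": dst, "dport": dport, "count": len(fs),
                         "interval_s": avg, "bytes_out": sizes.pop(),
                         "bytes_in_total": sum(f["bytes_in"] for f in fs)})
    return hits


def hunt(flows, exclude_dst=frozenset({"10.0.0.1"})):
    """The loop from the talk: filter, search, exclude what turned out benign, search again.
    The default exclusion is the constructed internal time server found on the first pass."""
    return find_beacons(filter_flows(flows, exclude_dst))


if __name__ == "__main__":
    for hit in hunt(make_flows()):
        print(hit)
```

The first pass without any exclusion returns two candidates, the implant and the internal time sync; excluding the time server's address and running again leaves the one that matters, with its interval, constant request size and the hourly inbound volume already in the result, which is the point of having byte counts as searchable fields rather than buried in a log line.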
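The four gaps the talk lists for "just put basic authentication on the front" (no lockout, no attempt limit, no complexity, and logs that only the web server sees) side by side with a front door that closes the first two and emits field-searchable audit events. This is an added example, not code from the talk; the credential store, usernames, secrets, source addresses and thresholds are all constructed assumptions.

```python
"""
Bare basic-auth check versus the same check behind per-source failure counting,
a lockout window, and structured audit events a SIEM can search by field.

Added example. Users, secrets, addresses and thresholds are made up.
"""
import hashlib
import hmac
import json
import time
from collections import defaultdict

# Constructed credential store: username -> salted SHA-256 hex digest (illustration only).
_SALT = b"example-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def bare_basic_auth(user, password):
    """What a bare basic-auth front gives you: a constant-time credential check and nothing else.
    No counter, no lockout, no record of who tried what from where."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(USERS.get(user, ""), digest)


class LockoutGate:
    """Same credential check, plus the pieces the talk says are missing."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900, clock=time.time):
        self.max_failures = max_failures   # failures inside the window before locking the source
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock                 # injectable for testing
        self.failures = defaultdict(list)  # source -> timestamps of recent failures
        self.locked_until = {}             # source -> time the lockout expires
        self.audit = []                    # one dict per decision; see audit_jsonl()

    def _log(self, **fields):
        self.audit.append(fields)

    def audit_jsonl(self):
        """Audit trail as JSON lines: ts, src, user, result are the fields a SIEM would index."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit)

    def authenticate(self, src, user, password):
        now = self.clock()
        if self.locked_until.get(src, 0) > now:
            # Even a correct password is refused while the source is locked out.
            self._log(ts=now, src=src, user=user, result="locked_out")
            return False
        if bare_basic_auth(user, password):
            self.failures.pop(src, None)
            self._log(ts=now, src=src, user=user, result="success")
            return True
        recent = [t for t in self.failures[src] if now - t <= self.window_s] + [now]
        self.failures[src] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[src] = now + self.lockout_s
            self._log(ts=now, src=src, user=user, result="lockout", failures=len(recent))
        else:
            self._log(ts=now, src=src, user=user, result="failure", failures=len(recent))
        return False


if __name__ == "__main__":
    gate = LockoutGate(max_failures=3)
    for guess in ("password", "letmein", "admin", "correct horse"):
        print(guess, "->", gate.authenticate("198.51.100.7", "alice", guess))
    print(gate.audit_jsonl())
```

Two practical notes: the lockout key has to be the real client address, so behind a reverse proxy the source must come from a trusted forwarded-for header rather than the socket peer, and the audit lines only help if they are shipped off the web server to the SIEM, since a log that stays on the box is exactly the "only the web server gets the logs" problem the talk describes.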