
Working With Risk by Chris Ratcliff

BSides Leeds · 2018 · 47:59 · 91 views · Published 2018-01
About this talk
Abstract: Risk is an ever-present part of life in security, but it can be built up, feared, downplayed or ignored based on personal biases, goals or gut feelings. I'll be looking at risk, how it can be better understood by everyone involved, and whether it's handled better by red teams or blue....
Speaker Bio: Chris is an IT security professional who has presented previously on the issues of connected cars and written about security for cyber.uk.
Transcript (en)

Hello, my name is Chris Ratcliff. I work in IT, and I've been working in security now for the best part of a decade; it feels like a lot longer. Risk is something that I basically work with every single day, and what I've found quite interesting is that you work with risk, but then it bleeds into your everyday life, which is why I've got the title "Working With Risk", but actually it's how I stopped worrying and just started connecting things to the internet.

So we're going to start with a little audience participation; it's just what you need first thing in the morning. Who here would connect... sorry, I'm bound by the microphone, so I can't walk too far this way. Who here would connect their phone to the internet? Who's not putting their hands up? Who's very, very paranoid? Alright, okay, most of you, however you fancy. Who here would connect a cheap Chinese CCTV system with two-year-old firmware to the internet? Very good point. What about a barbecue? Feel the collective "barbecues? Internet? Why?" That's exactly the point. This is genuinely a Wi-Fi barbecue. If you think, in the garden you've got a lump of meat on it for six or eight hours, and you come up with a lovely, tasty feast at the end of it, hopefully. If you're doing this with charcoal on a normal barbecue, you're out there every few hours; you're there holding and prodding and poking, and when the weather's like this you really don't want to be. So they've put Wi-Fi into this, so I can sit inside, or be in bed, nice and dry, and I can check it's done, I can adjust it, all of this good stuff, from wherever I want to be. In fact, with this one they've even got a cloud back-end, and as it says, "welcome to the future of barbecue". Now, you're making a point: why? What's the point? This is the thing: this is my use case. The fact that other people have different views I kind of don't care about, because this is what I want.

But then we get to Goldblum's law, where people just connect stuff up because they can. How many times have we looked at products and gone, "They've got a thing, they've plugged it in... why? Why did somebody think that was a good idea? Why are you putting Wi-Fi and then a web server into a washing machine or a coffee machine?" Just because you can doesn't mean that you should. It's like the compass that you used to get on children's shoes when I was young; like, what's the point of a compass on the sole of your shoe? But it was, you know, "we can do this", so they did.

But one of the big problems with risk is that it's rarely a unilateral decision, and it's rarely straightforward either. I mean, if there's no downside, something is not a risk; if there's no downside, you just do it. So as soon as we as security people start going "why would you want to do that?", it starts becoming "them and us"; you start putting that kind of roadblock between you and the people that you're actually trying to convince to do something or not do something.

And I think that's a very big, and sometimes sort of, misconception with people outside the industry: that the role of security is to stop things happening. I very much look at it the other way around. I look at security's job as being to allow things to happen. It's easy to not do anything: you just turn it off, you just unplug it, you just never store data, you don't collect it. But if you want something to happen, how can you do it? Anyone who's ever been through an airport: this doesn't look like an environment where things are being permissioned, but this is the point. For people who go through an airport security area, the primary focus is not to turn people away. The primary function is to say: you've got a boarding pass, you're allowed to be airside, you're not contravening regulations, you're not carrying anything too ridiculous, through you go. And if you don't meet those rules, then you get blocked. Think of it as a big human firewall, but a lot more obnoxious.

So who here has seen this thing before? Yeah. Who thinks they are pointless and stupid and objects of ridicule? Who here thinks they're actually quite useful? Exactly. The internet has an opinion, which is basically this, but what that fails to understand is that there are multiple use cases. Password managers: a lot of us use password managers, fantastic, and they work on every device and they automatically log you in and they can cycle your passwords, all this great stuff. If that works for you, great; if it doesn't, maybe something like this is it: write down your passwords and keep them, along with the little bit of advice on how to use it. This works for people that password managers might not. People go "but it's not as good", but we're not talking about one best solution or nothing. This exists alongside; this is an option. So this is one option, a password manager is another option, no password management whatsoever is the third option, and to be honest, between this and nothing, I'd kind of take this.

But the important thing as well is that the two are not better or worse than each other; they're different. Because something like this can't be scraped over the internet, you can't have it harvested, but you've got to be more aware of your physical security, maybe not write things down quite as clearly as people might want to. You could take it, but it's different. This almost works as an analogy for people: if people are forced to have something they don't want, that doesn't work, they won't use it. Give them something that works for them; you're just merging things up.

Now, the problem with risk is that it's very, very difficult to specifically quantify. You can look at it as a general guide. I kind of start working from here: so if something were to happen, how severe is it going to be, how likely is it going to be? The more likely it is and the more severe it is, we should probably do something about it. So this might be sticking all of your stuff in an AWS bucket, thinking it's probably okay because Amazon know what they do, right? But then down here you've got an encrypted password database, so something that's full of user logins, but they're all encrypted and salted and hashed and all that good stuff, and you've protected it deep within a business, so it's not very likely, and if you do lose it, if it's gobbledygook, it kind of doesn't matter.

It's worth noting, particularly in about the last five years or so (so I gave Kara the laser pointer), likelihood is really tied to one thing for me, and that's automation. AWS buckets are a great example, because people can scan them en masse, they are scanning them en masse, and they will look for anything they can retrieve out of them, and it's very easy for somebody to do it and just leave it running. The more people scan, the more likely it is that something's going to find something. It always goes back to the example that we had a moment ago with the password manager, with the password book: take that out of the online world and suddenly, instead of everyone on the planet potentially being able to access it, you're down to five, ten maybe. This is obviously subjective.

One of the big steps once you've got a use case is to fully understand it, because what might be severe to you is actually not very severe to somebody else. So you need to discuss, you need to communicate, you need to understand, so you both have a full picture of what's actually going on. You can do this through face-to-face discussions, through tabletop exercises, and it's very important that you both understand it in the same language as well. Because with that example I gave moments ago, where I said the password database gets stolen, some people will hear that and go "oh God, all the passwords, it's going to get me in the news, it's going to be terrible, we're going to get some penalties or something". You go "well, yes, but it's encrypted, so don't worry, it's actually not as bad as you think". But we both need to understand that it's actually the same level of severity.

One thing for anybody who ever discusses risk, be it at work, be it with relatives, be it with friends or whatever: please, please don't use the word "just". "Just" comes in really two forms. One is "can you just", which is usually sort of "can you just hack this password", "can you just break into this database". "Just" really demeans what they think you're actually able to do, and the skill. The other is "I'll just". Unless you are literally logging on to a box, clicking a button and logging off, to say "I'll just stand up that infrastructure", "I'll just reboot all those servers", "I'll just log on on a Sunday and patch it all, it'll be fine"... Let me give an example. If you say "how to defuse a bomb: one, find a bomb; two, just defuse the bomb; three, receive medals", that completely undermines how dangerous, how difficult that job is. Unless you're going for some sort of mass hyperbole, best avoid it, because it doesn't teach me anything about what it takes, and it doesn't imbue that person with the appropriate amount of respect. Notice, if you're old like me as well, you might say "how do you Snapchat?" The answer, of course, is that you just use Snapchat. I've put my number in, I don't... I don't get it. So, doesn't matter.

Barbecue. I've said that I want it. We go, okay, what's the downside, what's the attack surface? Functional misuse is always my favourite. If you ever see a story in the news about IoT, what I call functional misuse is always the first thing they go to, which is: if you use it as it is intended to be used, what can you do? There was a news story where it said smart thermostats, you could hack them, and people could adjust your heating; this could cost people tens of pounds a year. You know, you're really not thinking outside the box. So with this, what can you do? Change the temperature, you can use up my fuel, turn it off, overcook my meat, basically spoil my day. But if it runs out of fuel it will turn itself off. It's very hard to make it combust or do anything too dangerous, because they thought of that: people tend to drink beer while they're using it, so you need to have the safety guards in there.

But let's take it a step further. What could you do with the actual hardware? Infrastructure misuse: get access to the underlying OS. Remember, this communicates with the cloud services, and there's an API in there; maybe there are calls that aren't documented, maybe there are authorization issues between the cloud and the barbecue. Here's a sentence I never thought I'd hear in a talk: using the barbecue to attack other LAN devices. If anybody can buy one of these, take it to bits, see what it can do and submit a talk to DEF CON, like "my food is tasty but my data is gone", that would be fantastic. So are we happy, or am I happy, with these downsides against the upside of having my new shiny toy that I want to play with? And we get on to a thing called risk appetite.

Now, let's have a... sorry: I give you a hundred thousand pounds and say "right, take it away, give it back to me in a week; if you do that, I will give you five thousand pounds". Hopefully all of you will go "that doesn't sound right", but stick with it. Your choices are: one, you stick all the money under your bed in a shoebox and hope nobody steals it. You spend zero money, but if it gets stolen you're on the hook for a hundred grand. Not great. Option two: you spend a thousand pounds securing it, buy a safe, maybe screw it into the wall, screw it into the floor, set it in concrete, whatever takes your fancy. You think, okay, I'm going to spend a thousand pounds, I get five thousand pounds, so four grand; there's a chance that it might get stolen, but there's less chance than if I just leave it on the kitchen work surface. Or you go, you know what, I'm really quite risk-averse, so what I'm going to do is take that hundred thousand pounds, put it in the safe, I'll get a security guard, and I'll get two security guards and then they can watch each other, and a CCTV system, and in fact we'll have it in a secure location as well, so it's going to be absolutely there; I'll be really confident that when it's the end of the week the hundred thousand pounds are still there. Except that will cost you ten thousand pounds. Ten thousand pounds out, five thousand pounds in: you're not going to do it.

And this is risk appetite: how much risk are you willing to take before it's either too much, or actually not enough? And saying to security people "that's not enough risk" sounds quite counterintuitive, but the more you protect something, you get the law of diminishing returns, and it becomes increasingly expensive to get a very, very small increase in protection. So this is quite an easy example, because as soon as you put numbers around something you go A minus B equals C, yep, tick or cross. Think about it, though: you've got a hundred thousand pounds in your house. Who knows there's a hundred thousand pounds in your house? Maybe the person lending it is a little bit dubious, maybe their friends are a bit dubious and they know where you live, maybe it's a criminal scheme and you don't want your name getting in the newspaper as somebody who aids and abets criminals. So we've now gone from a simple maths equation to starting to deal with reputation, we're now starting to deal with anxiety, we're now starting to deal with all those things which are intangible, but they're quite primal, because, like [inaudible], we're kind of programmed to deal with risk. We do risky things: we drink, we cross the road and we undercook food, but we have to have some sense of: is it going to kill us, is it going to keep me up at night, or actually, am I okay with it? And this gets really difficult if you're trying to quantify this with somebody, because we get emotional, and emotional responses in the brain can easily overpower the higher functions, the logic functions. Again, [inaudible] bleeding nicely into mine; it's great having them as a warm-up.

So if you ever deal with risk, and you deal with fear, and you deal with things that are ephemeral, that it's difficult to attach a pound amount to, you're going to very, very quickly get into the emotional argument. I'd love to say there's an easy way of dealing with it. If you find a way of quantifying that, you will make an absolute fortune, because God knows, all of those data breaches where three million accounts here and God knows what else over there get breached, and the fine is trivial; if we could put a dollar amount against that, I would be very happy indeed.

So, risk appetite. Risk appetite is kind of an interesting one, because as soon as you say "okay, well, we want zero breaches", is that actually feasible? Let me give you an example. Who here would consider themselves a red teamer? One, maybe; the ones that just sort of keep their head down and say no. Who is more on the defensive side, the SOC side of things? A few more. So for the red team in particular, risk is a great thing to play with, because risk isn't zero-sum; it's not one person has it and therefore the other person doesn't; it can be very, very asymmetric. Let me give an example: phishing attacks. If you're trying to get somebody to click a link, you want to launch a phishing attack. From a red team point of view it's low risk: who really investigates phishing attacks, particularly at scale? There are too many. Yeah, it might get caught, might get dropped, but that's kind of the end of it. But it is high scale, it's easy to automate; we're back to the likelihood scale. And if you're throwing out ten thousand emails, a hundred thousand emails, what you're trying to do is second-guess the user. So what can I do, whether it's one person, whether it's a thousand people: what can I put in that somebody will click on? You can use fake news, optimism, you can use financial, sexual, whatever you think people will respond to in that situation. Target success rate: about one percent, a quarter of a percent to about one percent. Doesn't sound like a lot, but if you send an organization a thousand emails and ten people click on it, that's ten opportunities to get something into their network. From the defensive point of view, however, it's quite different, because this is actually quite a cheap attack, quite low risk; if you're on the defensive side, it's high risk, because you don't know if any of those get through, and if they get clicked on, what it's going to deploy. And it's high scale: in fact, if you're a big organization, you're not dealing with one opponent, you're dealing with several opponents who are all trying to do the same thing. And this is where it gets particularly tricky, because, as I'm saying, one of the things with risk is it's about understanding, it's about discussing and having a mutual understanding and awareness of what's involved, essentially. But on that end of things, so in the case of the red team column, it's "okay, I get an email, what would make me click on the link?" For the blue team, they're trying to second-guess what an attacker would do to second-guess what a user would do. So it's becoming increasingly difficult to go "okay, well, if I was going to write a phishing attack, but I knew that it was being sent to our users, then I know that this sort of thing might work", and you just spiral into a huge number of possibles. But what's your target? How much does it cost to get to a state where you absolutely have zero phishing emails being clicked on? A huge amount. But that's always going to be the challenge.

So we then start saying: okay, we know the positives of the use case and the negatives of a use case, what can we do? What can we do to try and make things a bit better? So essentially, what it boils down to is mitigation.

Some obvious things. So in the case of this particular barbecue, you can look at it: okay, so trusted vendor, so this isn't shipped in from who knows where, written by who knows what. Regular firmware updates. You unplug it; don't keep it plugged in all the time, probably, so your time to potentially attack it is limited. It uses WPA2 for the Wi-Fi connections, which is pretty good. What you might say as well is: actually, do you want to reach it from outside the house, or do you just want to be able to be in the living room with it outside? So stop it reaching the internet, or maybe a dedicated VLAN, so it can only get out to the internet; it can't see or attack all of your stuff. You probably look at these going "yeah, it sounds pretty obvious". The difficulty here is [inaudible]; it's pretty straightforward. But what is intuitive for us in this room and in this community, these are the sort of things that we think about quite a lot, because this is how we make something possible: if we do all of this, we're happy for this to go ahead. We're trying to make sure that security is used here to allow something to happen and not be a reason to stop it, because, frankly, how many times have people seen "you can't use a password manager because of security", "you can't do this because of security", "well, why can't I do that?" "Because of security", and you're like, that doesn't tell me anything, that doesn't give me a reason to do better; what you're telling me frankly just sounds like an excuse.

And bear in mind as well: imagine this is our Chinese CCTV system. What mitigations would you do then? You know, you've got fixed passwords, you've got who knows what support, who knows what firmware updates. Actually, you know what, I'm going to have it at home, or in the office; maybe we'll put it on a separate test network, maybe we'll put it on a separate ISP connection. You know what, maybe we cannot mitigate this to a point where we're happy. We just go, you know what, let's just get rid of it, it's not worth it.

If you guys and girls are anything like me, and they probably are, I love plugging stuff into the internet. If something can be plugged into the internet and I bought it, it has that capability, I will plug it in to see what it does, even when it's useless. I've done it with tellies and DVD recorders and stuff, and most times it is just completely rubbish, but I do it because it's there. But in my head I can get to a point where I'm happy that it's not going to compromise anything. But humans as a species are really bad at quantifying risk. We kind of do it intuitively, because we don't get eaten by a lion or fall out of a tree or something, but we're actually quite bad at being able to go "yes, this is higher than this, and that's very small, this is very large", particularly because we do things repeatedly and we become comfortable with risk. So there's me plugging stuff in: the more stuff I plug into the internet at home, I still haven't been hacked, so I must be doing something right, and I keep plugging it in. And if something happens, I'll be like "well, that didn't happen all the times before, how can it be my fault?", because the risk each time is different, but I get so used to it. Crossing the road is quite a dangerous thing to do, but you do it all the time and you get used to it, so you don't think of it necessarily as a risky activity.

So let me give an example, so that you know how bad we are at quantifying risk as humans. Here's twenty coins, and I'm going to say to you these are all perfectly random, so no trickery, there's no hidden thing here; twenty coins, all perfectly random. If you stake one pound and you flip all of them and they all land on heads, you'll win fifty thousand pounds. Okay, who would do that? Yeah, bit of fun. The odds of you doing that are roughly about one in a million, a little bit over. So in order to guarantee that you win fifty thousand pounds, you must be prepared to spend a million pounds to do it. But some of you will be going "aha, but each time you do it is a discrete event, and one event doesn't have an effect on the other, so you could win on the first go, you could win on the millionth go". Okay, so on average, let's say you'll probably win at about halfway, so now you're down to spending half a million pounds to win fifty thousand. But it doesn't feel that ridiculous, because you'll do it, and you won't miss a couple of quid out of your pocket, and you'll go on your way and you'll probably forget about it.

But here's the big challenge with an activity like this. If you say, okay, for me the use case is trivial, it doesn't make a difference in my life, I won't be worrying about it afterwards; unless I win, then I'll remember it for a long time. But what about other use cases? What about other people, how would they respond to it? So this is a graph from the World Bank which shows the population who live in extreme poverty. You can see, particularly here, sort of central Africa: this is the proportion of the population who live on one dollar ninety a day or less. So suddenly you're thinking, oh, I'm not just gambling pocket change here; suddenly a couple of goes at this and that's somebody's life for a day. You know, how would they respond to this? So it can be very, very easy to always look at things from your own experience and bring with it all your own preconceptions and all your own experience and how comfortable you are, particularly with risk, and particularly whether you're a risky person or a conservative person or whatever. The trick, really, more than anything, when it comes to dealing with other people and dealing with risk, is to be able to look at it from their point of view: what's pushing their buttons, why do they want to do it, how can we make it happen?

With that, do we have any questions?

[Audience question, mostly inaudible]

Yes, that's a fantastic question. So for those of you who didn't hear, basically the question was: how can you take risk and how can you make it palatable, how can you make it possibly attractive to the business? With great difficulty. I think it depends on a couple of things. First of all, it depends on the people. So if you take a business thing, for example, you might say there'll be somebody who goes "we want to do this, it'll make us a million pounds". "Well, yes, but..." "You're not doing... yes, but it'll make us a million pounds." "Yeah, but..." And you just end up in that conversation, and you end up being overrun by it. And then there are other people who will be like, they don't do anything, they don't want to be the person who agreed to the thing that had a negative impact. So I think it's a couple of things. First of all, it's actually down to communication; it's about working with people, being able to pick out those people. I think what you said about going to different people in different situations is good, but I think you also need to take an approach where you say, okay, well, who's the authority on this? So if you're in an organization and you want to quantify database risk, who's the person that you can go to, and others can say "this person's reviewed it, they're the expert, and they think that this is good, this could be better and this is problematic"? When you're faced with something like that, the idea that, you know, people don't speak up against authority because they don't want to look silly. Similarly, I think you can always take the opposite, where somebody's too confident, or in your opinion too confident. You never, ever want to be the person who cried wolf, because if you've always got your tinfoil hat on and you're always there going "oh, I don't know, oh, it's a bit risky", people will respond to that, and you'll always be seen as the negative one who always tries to stop everything. So it's finding what people respond to, being balanced, and if you think they're going too far one way or the other, just sort of matching them and tempering them.

Ultimately, though, one of the big problems with risk is that you can't fix it, and you can't ever get to a point where you say... So I've said this in the past to people: you can do it, but you will likely be fired if you do. That tends to turn their opinion fairly quickly. But that's a very rare situation to be in, where something is that bad that you're just saying to everybody who'll listen "don't do this, because it is stupid". If we go back to the [inaudible]: "you won't do this", "why?", "because I think it's [inaudible]". Well, okay, look: I've advised you, and I've gone through the pros, we've gone through the cons, [inaudible], but look, if you want to do it, I can't stop you; let the record show. But, you know, ultimately, if somebody's willing to accept a risk, and if there is a mechanism in place to accept that risk, and it can be independently reviewed as well, I think, so you can say "okay, well, you think this, I think this, this group of people say yes, say no, everyone goes okay, that's the decision". And sometimes you will get a situation like [inaudible], where they go "why would we spend all this money on security?" and then they get hacked. But it's always really easy to look at that in retrospect. Doing it there and then, you have to make the best decision with the data that you've got. You know, if you're on the servers and you thought it was going to be okay, you just have to review that potential severity.

[Audience question, partly inaudible: ...there's actually a very small chance of you dying, a very large chance of a very small impact, so actually you've got two places where it's opposite, but then you have to present, like, the progress, and that's it...]

And again, it comes down to communication, because, particularly dealing with data, you can say "if somebody was to steal this bit of data, what's the impact?" and you go "well, if they got that, then they'd also have to get that, and also have to get that, and also have to know that that happens, and they'd also have knowledge of this". So it all comes down to how you communicate it, where you say it's not very likely. So in your scenario you can say: well, you're right, it's likely that you'll get a small injury, it's unlikely that you'll get a large injury, but if you do, it could be bad. You can't round that down to a number, unfortunately; if you could, all of this [inaudible]. But so you say, okay, well, how do you communicate it, and how do you communicate it where not only do you make those what-ifs and the maybes, but also you don't put too much weight on what you think the outcome is? Because I've done it myself, right: I think this is a bad idea, and you read the document and there's that much about why it's bad, and there's a paragraph, the sentence at the bottom, which is "or it could be quite a good thing", and you think, actually, I'm not being balanced here. So this is a blunt instrument, and I think sometimes picking a better way to communicate it, for specific examples or for increasingly complex examples, is a real skill. And yeah, it's a communication challenge.

[Audience comment, partly inaudible: ...as soon as you lose it, reputation...]

And I think it also depends, going back to the original question, on who you're dealing with and how they respond. You know, this is kind of the Donald Trump level of risk analysis, but, you know, you're right, it can be a line, it can be a series of use cases, or, you know, whatever works for people. Some people are very driven, but I think it's also worth looking at it the other way around, where if you're a developer and you've made mistakes, you become increasingly risk-averse, because you don't want to make those mistakes you've made in the past. So you can end up in a situation, I think, where you get young people who are like "well, why can't we do this now, why can't we do it on a production system?" and the older people who are going "oh no, that's very... that could cause an outage", and actually what you want is both of them, sort of. But you need to be quite introspective, I think, and I think it's easy to say "I'm right, you must be wrong" (sorry, pointing at you, I'm just making an observation), when in fact you can actually go "actually, I'm part of the problem as well". So the more you think about risk holistically, I think the more you can be open to how situations can change.

[Audience question, inaudible, about the graph]

Yeah, I do. There is another version of this graph which is a similar concept, but it's for productivity management, which is basically: importance is one axis and how urgent it is is the other axis. And what they say is the top right corner you should deal with right now, because it's important, it's urgent. Stuff that sits in the other boxes, maybe do it, maybe you delegate it, but, you know, keep it sort of in the back of your mind. Stuff that's in the green box, just don't bother, because it's not urgent, it's not important, why would you think about it? And I think, you know, what I'm saying is that sometimes with risk you say "no worries, fine, it's low risk; we just don't have the time, the people or the money, we can't fix all of this, because what's it going to give us? We're on that bit of the graph". So yeah, I think finding a way of at least categorizing stuff in some way into these sort of different boxes can really help you prioritize, and, you know, give people a sense of purpose as well.

Right, we're getting into handover time, so any more questions? [inaudible] Nothing like a tub of Ferrero Rocher. Right, well, thank you all very much. [Applause]