
BSidesYXE 2024 - Adam McMath - Impact

BSides Saskatoon · 40:04 · 24 views · Published 2024-09
About this talk
Our keynote speaker Adam McMath talks about impact at the inaugural BSides Saskatoon on August 24, 2024.
Check Adam out at: https://www.linkedin.com/in/adammcmath/
BSides Saskatoon: https://bsidesyxe.ca
Our LinkedIn: https://www.linkedin.com/company/bsidesyxe/
Transcript [en]

Thank you all very much. Please find somebody with a green shirt and give them a hug. Putting on conferences like this is tough, it's hard, it's a lot of work, it's all volunteer, and they deserve our love and attention as well. You know, we were talking about the sponsors downstairs; some of this stuff doesn't happen without sponsors. Please go visit their booths, steal their swag. We got all sorts of good stuff downstairs, stickers and pens and all sorts of good stuff that we can take home to our kids too. Highly, highly recommend that. Who's local? Oh wow. Because I know we got some friendly faces from around elsewhere, but look at this room. This is phenomenal.

We've got an obvious hunger for security conversations. How many of you are in legit hardcore cyber security related job functions? About half. That's cool, that's cool. So there's an awful lot of people. Okay. Every time I put together one of these presentations I kind of have, usually, something that's ticking me off about the world, and earlier this year it was all about a few things. A whole lot of us in security are burned out. A whole lot of people that are trying to get into security are freaking out because they're trying to figure out how they can fit in; they don't understand how they can fit in.

Then we have a whole bunch of news, and the news is always really cool around DEF CON and Black Hat time too, of all the horrible things that are available to us in the world. Everybody keeps on getting popped. Ransomware isn't even a newsworthy thing anymore unless it's really big, because it's just a usual daily source of business. So that's why I came up with this little conversation here. Oh, here we go. Oh yeah, who am I? I put the alphabet soup behind there for some reason, I'm not really sure why. Making a mess since 1976. You can dox me, it's all good, whatever. If you like what I have to say, I'm the Director of Technology at X10 Technologies. If you don't like what I have to say, the opinions of the speaker are not necessarily representative of his employer.

In the news, earlier this year especially. I know Justin had one out earlier. Who's got one of these? Who's playing with these? You're more than welcome to come and play with mine. This is a Flipper Zero, for anybody who has not played with one. They can be a little challenging to get, but this is an interesting toy that has made some headlines and has made a whole lot of video. Has anybody seen videos of people doing naughty things with them? Yeah? What kind of things have you seen? Yeah. Oh yeah, opening up doors, that's a good one, I like that. You're playing right in, you're playing all my cards for me. What have you seen? Yeah. Yeah, there's some interesting things we can do with that, for sure.

Okay. People love scary stories. I tell the stories about the poltergeist in my house, because for whatever reason we just blame all the things that go weird in my house on a particular poltergeist named Brent, and my kids and I have all sorts of these things. If anybody wants to play with the NFC tags too, I've got a whole bunch. You can get them for like 40 for 10 bucks on Amazon, and you can put little codes and things on them, and they have little backings. Once you know what these are too, you'll start seeing them everywhere. Guard services use them: they'll stick them in certain places, and guards, when they do their rotations, have to use their phone and click on them to show that they're actually doing the rounds, not sleeping under the conference table. But we have little messages from our poltergeist named Brent in our house, and when we started showing my mother this (my mother is a lovely, lovely lady) she started kind of freaking. She doesn't really understand technology, she doesn't really understand what all of these things are. My kids showed her how to use NFC tools on her own phone, and she started communicating with the dead. When I started telling the stories about the weird things that this poltergeist does in my house that we blame on the poltergeist (the ice maker doesn't work for whatever reason, yeah, it was Brent; the lights flickering), telling this story around a campfire, and I was tired and kind of half asleep telling the story, and then realizing that all these people were freaking out. Some people love scary stories, but some people get really freaked out by them.

The idea of the Flipper Zero is the same thing. Oh, I opened a lock too, hold on. Half the stuff you see on YouTube about Flipper Zeros in particular is mostly garbage. Let's see if this works. It's going to be loud. So you can see a lock, yeah, and then I'm going to point my Flipper Zero at it. I don't know why I have Halloween or Christmas decorations out. Whatever. Okay, kind of cool, eh? I'm going to show you the dark side of this. Oh, there's my 16-year-old, you could just see her feet. She came in with the assist.

I've seen an awful lot of videos on the internet where someone is opening a car door, someone is doing something with a Flipper Zero. You know what, there's even more dangerous stuff out there than a Flipper Zero. Flipper Zero is a fantastic toy. It's like an Arduino for hackers. It's great stuff. How many of you have tap enabled on your credit card or your debit card? Okay. It would be breaking all sorts of federal laws, but there are risk equations that we make for ourselves that are more dangerous than anything we can really do with a Flipper Zero, and that's one of them: things like tap on a card. Oh, let me get to the next slide somehow.

All right, here is the crux of my angst from like April, May this year. I think it might even go back to Aristotle. I never did find a source for this quote. If anybody knows it, by all means feel free to Google it and correct me while I'm up here on stage. That's awesome, I like that. What we don't understand, we fear. What we fear, we hate. What we hate, we seek to destroy. This is a universal human thing, because all of you here are cyber security aware people, you are cyber security enthusiasts, you're hacker enthusiasts, you love the concepts of puzzles and things that we can noodle with and break and find new ways to do things that we shouldn't be able to do with things. We're a little different, but you know what? We scare the everloving crap out of normal people. We scare them. And well, what's the flip side of this? "Canada's stolen car crisis, Justin, allegedly made worse by Flipper Zero: here's why the device is now banned." Did the ban ever actually happen? I never followed through with that. I just know that there was an awful lot of politicians who were so scared of the little dolphin on my screen, the Tamagotchi for hackers, for those of us who are old enough to remember the Tamagotchi, that they wanted to ban it. They said, uh oh, this is a bad thing, cars are getting stolen and we got to ban the Flipper Zero. Really? When it's easier to get in through the window with a brick? Are we banning bricks? No, we're not banning bricks. And so what do we as the security community then do? "Canada Flipper Zero ban: once again politicians show you they know nothing about technology." Maybe, maybe not, whatever. But you know what really helps get people on our side? Let's mock them. Yeah.

So what are the stakes? This is where I started to get really concerned about the world. By the way, you don't have to agree with me either. That's the great thing about BSides, that we can throw a whole bunch of things out to the universe, and none of us are getting paid, so you are more than welcome to disagree with me, and that's fine too. But when I look at what the stakes can be here: does anybody know who this quote comes from? "And eventually I was caught. I was sent to prison for five years. Eight months was in solitary confinement because a federal prosecutor told the judge that if they allowed me to have access to the phone while in prison, that I could whistle into the phone and communicate with a modem at NORAD and actually launch an ICBM." Who said Kevin Mitnick? A few of you said Kevin Mitnick. Gold star, gold star, absolutely. So he wrote, love him, hate him, I don't care, the book Ghost in the Wires, which is an incredibly compelling read. If you haven't read it I highly recommend it. But it talks about this guy who was one of the original, I guess, high-profile hackers, who was hacking phone systems and doing funny things with phone systems, and the people that didn't understand what he was about, or what hacker culture is about, or what security culture is about, put him in solitary confinement for eight months. It's pretty gross stuff.

A little closer to home, and this one has been, I don't know if you can see it in the back because of the stage: a 19-year-old in Nova Scotia asks for a freedom of information request on something from his provincial government and discovered that if he incremented the number in the address bar he got another record. So he was like, oh, this is the stupidest portal ever. So he just wrote a little GET script and then he went to school, and it downloaded the entire copy of everything on the freedom of information portal for the province of Nova Scotia. What do we know this as? Yeah, insecure direct object reference, SQL injection, there's all sorts of ways we can talk about this, but at the end of the day this is a privacy breach. This is a poorly designed system that allowed somebody access to more things than it should have. How do we think the government of Nova Scotia responded? Well, charged over privacy breach. They black-vanned his little sister on her way home from school. They tossed the contents of his kitchen. They cut open mattresses. And this is the police services who are doing this stuff.

So what are the stakes? We got a whole lot of people who are scared of security people, who are scared of security researchers, who are scared of technologists, and this goes back to FUD. You know the acronym FUD? Let me hear it. Fear, uncertainty and doubt. Thank you. Supposedly FUD's dead, by the way. We haven't used FUD in a decade to sell cyber security, have we? Except we still kind of do. "The infrastructure team just won't listen to me." How are we talking to the infrastructure team? If you're running a vulnerability management program and we go, well, you got to patch all your vulnerabilities, we're going to get hacked, all our stuff's going to get owned and it's going to make us look stupid and we're going to be broken: that's fear. "When it finally blows up it's all on you. I've been telling you for six months you got to fix that web portal" that can then shove 4,000 documents to a Nova Scotia teenager: uncertainty. "Stupid company keeps on making the same stupid mistakes." Yeah, we all say that. I say that too, right? But what is that? That's doubt. Ourselves: do we feel like we are making an impact? Do we feel like we are able to take the knowledge we have about security items and give that to people and make a difference, and help us make a difference in people's lives and people's businesses? "Every day just gets worse." Said that right at the beginning. Why isn't ransomware in the news anymore unless it's something really big? It's because it's happening all the time. Speaking of time, I just want to take a look at the time. Oh, I have plenty of time. What other soundtracks we got? What else are we saying? What else are we hearing? All sorts of good things.

Technical risk. Okay, if we're talking about technical risk in organizations, if you've taken your CISSP, if you're studying for your CISSP, this will be on the exam. What are our elements? I'm looking for four things. Looking for four things that are technical elements of risk. When we say cyber security risk, what are we looking for? I would love to hear it. It's typically, what do we start with? An asset, right? And an asset might have a, yes, a vulnerability. You're playing my cards, I love it, thank you. What else might we have? A vulnerability needs to be what? Oh, a vulnerability needs to be exposed to whom or what? Yes. Wow, did you guys study? An asset plus a vulnerability plus an exposure plus a threat actor. I like that. What are we missing? Are we missing anything? It's another question I'd like to ask. If we have an asset with a vulnerability but there's no exposure, is there risk? If we have an asset, a vulnerability and exposure, but there's no threat actor? Right. The latest, there's a Windows related vulnerability that came out, shockingly, just after DEF CON, that is still not patchable, but we also don't understand that there's anything in the wild. Is this a risk? There's all sorts of things that we have to put in there. The big ones that I feel are always missing: why is this important? What's the context? We beat our heads against the wall all the time. Nothing keeps getting better, it keeps on getting worse. I can't get the infrastructure team to patch, I can't even get us all on the same version of Windows, etc., etc. But why is this important? What's the context? We miss this sometimes.

Moving into the concepts of enterprise risk, and I love this elevation. This language helps us with some of that context. The ISO 31000 definition of risk: if you heard Tim McCreight talking a couple weeks ago here, he would have told you all about the ISO 31000 definition of risk, and he is absolutely right. The effect of uncertainty on objectives. But uncertainty of what? Do we know what our businesses do? Do we know, when we're poking at things, even as a red teamer, what the importance or the objectives of the company that we're poking at are? It becomes a little more effective for us to start talking about that language. Anybody who's working with project managers? I love project managers. They get stuff done all the time, and they know risk: uncertainty measured by probability and impact. You put it in a nice little grid and you can map out your 5x5 or your 3x3, and you can say, oh my goodness, this is a big risk, or this is not a big risk. If you have a high probability risk but of low impact, how much do we care? How much should we care? Is that up to us to make that decision? Huh.

The friction point. How many of you are working with this? "If it ain't broke, don't touch it." Yes, all of us are working with this. Why? Because a whole lot of IT professionals have spent their entire careers just making stuff that doesn't fall down, and if we touch it, and it's highly complex, many, many bolt-ons, it might fall down, and God help us if we do that on a Friday afternoon at 4:30 p.m. Whoops. What's the cyber security answer to this? "Everything should be assumed to be broken at all times. We need to be touching everything constantly," right? So this becomes a really significant friction point between the security professionals and the IT professionals. When we're talking about things like The Cuckoo's Egg, anyone who's read the Clifford Stoll book, it's all about this. It's all about, you know, the security guy is the bad guy. My buddy Michael Santarcangelo says it all the time: they hear cyber and they hear spider, and they say kill it with fire.

So are we looking to make an impact, or should we be looking to make influence? Is there a difference? Probably. Something that, and this is where I start to, you know, I've been around for a long time. I've been doing cyber security for a very long time. This is the first job I've had now, I started three, four weeks ago, where cyber security isn't in my job title, and I'm working now as more of a business leader, which is really exciting and cool, because we're seeing this transition now of people who used to be IT people become cyber security people, people who used to be business leaders become CISOs, and now we're seeing people who are cyber security focused doing more inside businesses. This is really cool. Tim would be another one. He was the Chief Information Security Officer and Chief Security Officer of the City of Calgary, Government of Alberta, and a few other places too. But security people, we matter, and if we can figure out how to deliver influence, getting people to do what we want them to do because they want to do it too, rather than impact: get our stuff fixed, right? "I just did the Microsoft AD audit, here is your 3-inch binder of findings, fix this." I got one swear in, you had five, so that's my one, that's my one. I promise no F-bombs. Okay, maybe one.

So when I was the General Manager of Cyber Security at the Calgary Airport, the first thing I did was go to the accountants and ask them, how do we make money? And they were a little shocked, because the answer was, no one's ever asked us that from IT before. That's interesting. Okay. Then going through the, what are we actually worried about in this company? We came up with four things, and this was me and a couple other business leaders and a couple of IT leaders. We got together and asked this question: what are we worried about in this business that we run? Operational stability, financial strength, brand and reputation, asset value. What do we typically focus on? You know, if we call things IT assets, we're all about these horrible Windows hosts and these stupid users who keep on clicking things, whatever. But how about we change the language a little bit to say, okay, but what about the operational stability of the organization? If there is a risk that comes in, a technical risk that comes in, how could that affect our operational stability, our ability to get people in the building, paying for parking, paying for lunch and onto the plane, or just getting the planes in and out? Financial strength. Brand and reputation: if the big boards that we see all over the airports get popped and all of a sudden there's naughty pictures on those things, how does that affect our brand and reputation? What does that matter to the organization? And of course these things matter. Doesn't really sound like a cyber security function, though, I guess, but it helps us communicate the value of what we're doing.

Another one that I did a little more recently with an organization: customer satisfaction, key risk area number one. They have very, very expensive products and they want to know that their customers are satisfied and will come back and spend another 250 grand on their products as often as possible. Continuity of operations, cash flow, and asset value loss. Two different companies, two very different industries. This one is in transportation as well, but a very, very different side of the business. Interestingly enough, those IT assets ranked fourth on the company's goals and objectives. How do we get there? How do we do that?

Seek first to understand, then to be understood. I have a lot of quotes, apparently, and I added most of these in last night at about 9:30. Yeah, not that. Yeah, about 15 minutes ago. No. Oh, the PCI pizza. Really quick story. Seek first to understand, then to be understood. I'm going to try and fudge the names here. A lady named Amy came to me and said, Adam, I'm really concerned because I found a whole bunch of credit card numbers in our accounting database. I'm like, okay, that's bad. Any of you who have worked with the payment card industry, or credit cards in general, or sensitive data in general, know that credit card numbers and CVVs and names and postal codes sitting in clear text fields in an accounting database is probably a bad idea, right? She came to me, and so I asked her, Amy, did you tell the sales director about this? And she said, yeah, he said it's by design, it's for customer satisfaction. Crap, using our words against us. So I went to the CFO. I said, okay, did you go to your boss? She's like, yeah, no one's listening to me. So I went to the CFO and I said, okay, Dave, why is this? And he goes, it's for customer satisfaction. I'm like, explain to me what this is about. "I want to know that when our customers call, they can get an order immediately and we can get our products shipped out the door to them as quickly as possible." And I asked him, because he's an accounting professional, do you see any risk in this? And he goes, no, I do it all the time. My favorite pizza place, it's the same thing: I make a phone call, I say it's Dave, ship me my last order, and they just do it now. I don't have to get out my credit card, nothing. It's really convenient. So I said, dial them. And he did. So he stayed silent, because he's seen me work before too. So I said, hey, it's Dave at X company. You know how we had our pizza party last month? I would like to repeat that order today, please. And she said, awesome, is 11:30 okay? And I said yes please, and she says it's on its way. $700 worth of pizza later, we changed storing credit card information in the accounting database. So I did my best to understand what his issues were, then I asked him to be understood. At no point in this do we have to agree, either. That's okay. We'll get to a little bit of that in a few minutes.

This one, anybody who's got, I see Justin's eyes light up, he knows old school Nortel phone systems. So I was working for a company that was, okay, many years ago, back before the internet was a thing and I still had cartilage in my knees. We were changing out all of their public switched telephone network stuff, all their copper lines, into SIP trunks. And SIP trunks are, well, does anybody even use SIP trunks anymore? We just make our phone calls on Teams. We had a system on there that would block people from making long distance phone calls outside of Canada, and you had to punch in a special code, and it cost about 10,000 bucks a year, and we lost that when we got the SIP trunks. So I went to the CFO, same guy, Dave, and I go, dude, we got a problem here, because we're losing this functionality, and to add it in it's going to cost us a whole lot extra. And he said to me, okay, Adam, let's do the math on that. I'm like, great, making fun of my name, jerk. [Laughter] What was the last impact we had on this that made us put it in in the first place? That was about five years ago. And what did that end up costing us? About $2,000. So you're telling me we need a $10,000 control, Adam, on a $2,000 once-every-five-years problem? I'm like, oh, okay, we're probably good.

We have to learn too. I've asked this question a whole bunch of times. We want to be leaders in our industry. How much do we sometimes maybe suck at being led too, at listening, at understanding? Some techniques for collaboration. I touched on this a little bit before: recognizing the complexity built into years of innovation and digital transformation. All of the people we are working with in IT and business have all been the victims of all sorts of people saying, you have to be disruptors, you have to be innovators, and no, you can't have any operating budget to maintain that old thing, and God help you if you turn it off. So we show up in their environment and we ask them to turn something off. I get it. So what do we do about that? We have to be reasonable. This word, reasonable, and I've been talking about this word for a decade now because I found it in a whole bunch of Canadian laws, right? You go and look through the Canadian Charter of Rights and Freedoms, the Criminal Code of Canada, and you will find the word reasonable all over, because it's something that can change. We don't say in our Canadian laws you have to have AES-256 encryption on blah blah blah. No, no, we just say you have to have reasonable controls, because reasonable can change over time. Reasonable can change depending on the context of what we're trying to do. No, we don't need that extra $10,000 control for long distance charges, Adam, because it's not reasonable. That's also on your CISSP exam, by the way: should the cost of your control ever eclipse the cost of the value of the asset you're protecting?

Offer choice. Anyone who's done the ISACA CRISC course or any of the materials in that, I highly recommend it. If you've already done your CISSP and you're looking for something new to spend your company's education dollars on, ISACA CRISC is a phenomenal cert to go look at, a new way to look at approaching risk in technology controls. I was expecting this to be higher. So when we identify a risk in an organization, we look at four options that we can put in front of people. We're going to reduce risk through compensating controls: wow, you're looking at SSL 1.0 on this, we should probably increase that. That's adding compensating controls. We can eliminate risk: hey, can you please turn off the Junos Pulse device that hasn't been patched in 10 years? That would be really nice, right? That's eliminating risk. We can transfer risk: okay, can any of us get cyber insurance anymore? I'm not sure, like it's pretty hard to get cyber insurance now. Or we can accept risk. Wow, that's an interesting one. We can say, yeah, there's $2,000 worth of risk and the control option is going to be 10 grand. What is that going to take? Huh, we'll accept the risk, and hopefully we'll find it differently.

How do we deliver value? Communicating with clarity. Describe the problem. The first question, especially in incident response, I've spent so much of my career in incident response going into a room full of people who are panicking and they're like, Adam, everything's broken. Fantastic. What's the problem? Ah, I don't know. Right? Describe the problem. The problem is we could have people doing naughty things with PCI data inside our environment. Describe the value of the remediation. Do you recognize what a PCI breach would cost this company? When I did the math on a privacy breach at the Calgary Airport, it was about an $80,000 financial risk. When I did the math on a PCI breach at the Calgary Airport, it was like an 80 million risk. The value of the remediation: what needs to be done to fix it? Now, lots of interesting options that we could put on the table. Remember those four options: we can reduce risk, we can eliminate risk, we can transfer risk, or we can accept risk. When we give people those options and let them be part of that solution. For every problem, be prepared to help identify the solution. So many times in security we say, you know what, I just popped all your stuff, later, and then we drop the mic and we walk out of the room. Are we actually being willing to help identify the solutions? Your security professional should probably not be the person also implementing remediations; that's a bit of a conflict of interest. But we can help them define what the best options can look like. Oh, and when we go to that, you know, we get somebody saying "I accept risk". Or notice how I didn't say defer in any of those four options. You know what defer is? It's fancy accept. Notes. Lots, lots, lots, lots, lots of notes. As security professionals, I hope you have Google Keep, you have OneNote, you have a notebook, you have Excel, I don't care what. You should be making notes all the time and referencing notes all the time on the things that you're doing. That will give you success, give your company success, and also save your butt when somebody says, yeah, we did get popped.

Techniques for sanity. Follow the energy. Why do we put it in this order: people, processes and technology? Why is that the order? Alphabetical? Yeah. It's so often as technologists we want to play with things, we want to touch the keyboard, we want to get the new tool. The new tool will solve our problems, says the vendor. I'm not hacking on the vendors downstairs, they're cool. But we want the new tool, we want the new toy, but yet we never get to the point, we're always embattled with so much information, we never get to actually hone our processes to take care of the people, or even have the right people doing the right things. Focus on the people first. This is a thing that we're talking about more and more in security these days: people first security. Prioritize, and I talk about this a lot during incident response conversations too: what's important now? What's in your control? If the risk that you're addressing is not important now... and if you ever see anything from Dragos, they have, it's a three-step process: do now, do next, do never. I'm really challenged with the do never part, because when a lot of those IT people who are already burned out hear "do never", they actually cross it off their list and they will weaponize that against you later. Be careful with do never. Do now, do next, because we can't just drop a three-ring binder full of findings on someone's desk and say fix this. We have to help them prioritize. What's important now? What's in your control? If you're doing something, red teaming, if you're doing security research and you find something that cannot be solved by you, how much of that are you personally going to accept? What are you going to put at stake? Thomas Dang, an MLA, member of the Legislative Assembly in Alberta, was willing to put his career on the line for a vulnerability that he was reporting in a COVID-19 portal that contained the personal private information of millions of Albertans, and it cost him his seat. It cost him, I think, $60,000 in fines personally. He was willing to put himself on the line. We have to decide how much we're willing to put ourselves on the line. In a lot of cases I do my best to find the person in the organization who can actually make that decision about risk and what we want to do about it. Was it 7,500? Oh, he got off cheap. Yeah, well, I don't have 7,500 bucks in free credit right now either. Never mind, I got to get my expenses done.

I'm not a political guy. I don't like politics. Thank you, Steve. "My friends, love is better than anger. Hope is better than fear. Optimism is better than despair. So let us be loving, hopeful and optimistic, and we'll change the world." So Jack Layton passed away from cancer a few years back. I don't really know much about his political career, but this came up because the anniversary of his death was just last week, and I had decided I needed to put a bunch of quotes in here. So here's mine: my friends, we are cyber security. I don't care if you're red team, blue team, IT, business, you just snuck in for some free snacks. We are cyber security. When we act with partnership and purpose, we'll have our impact or influence, and we will change the world. Thoughts? Anger? Angst? Anyone want to wrestle? I kind of want to. Where did he go? I want to see if the mohawk would survive a wrestle. No, RenderMan is awesome. I encourage you to give RenderMan a hug, and don't touch his hair, it's not cool. I have hair envy. That's it for me. Any questions? Any thoughts? Any conversation spark any interest? What's up, Arnold? I like Arnold. He answered all my questions.

[Audience] I see a lot of your questions are encompassed in zero trust. Where do you see zero trust as an overall, I guess, something people should look at, learn and practice?

If you go down and talk to the Fortinet dudes, they will tell you that they've been saying this particular line item for quite a long time: identity is the new perimeter. They're kind of right, right? And the more I've been able to spend time in larger organizations, the more we have less control over our trust zones, right? We can set up trust zones and enclaves and all sorts of things like that, and so zero trust becomes very important. For those of you who are unfamiliar with zero trust, you're essentially re-authenticating your user at every access control point where we want to make access to something, whether it's high sensitivity, low sensitivity, data or systems, whatever. Identity is the new perimeter. As recently as three weeks ago I was working with a company and we successfully fought off a Russian actor who was making intrusion into their environment, because we were monitoring identity. So absolutely, zero trust is worthy of knowledge. The challenge is there is a journey to get to zero trust. I had a conversation with a government official who said, Adam, we need help setting up our first risk register, and then we want zero trust. I don't think that's going to happen. Like, there's stuff that has to happen on that journey, so well planned. I think that, yeah, we need to have our endpoints, we need to understand our endpoints, we need to understand our sensitive data, and moving a little bit beyond that, we definitely have to be paying more attention to our identities that are operating, accessing information, and how. That's awesome, thank you, Arnold. Any other questions? We got one. We got time for one in the back.

[Audience] Thank you so much for your presentation, Adam. We always talk about people are the weakest part in this equation. What about technology? We recently had a CrowdStrike thing and we are seeing a lot of technology issues. What is your thought on that?

Brilliant, brilliant question, thank you for that. The CrowdStrike thing was really cool in that it identified once again how a single technology in our environment can cease operations. Holy crap, right? That was a big holy crap moment. Not so bad for those of us in the West, because by the time we all woke up most of the problems had been solved and we just had to do a reboot of a couple. No. Continuity of operations. This is where I keep on preaching: cyber security should be this great bridge between business objectives and the technology that serves it. There is no job function anywhere in the world anymore, okay, maybe in certain places of the world, but in North America there is no job function anywhere in the world that does not rely on technology anymore. So continuity of operations means that we have to be prepared to operate the business even if our technology fails us. We can't always have, there may always be, like, what if Microsoft fails? If Microsoft 365 went away, not saying it would, what kind of impact would that have on us? So I encourage you, and I love tabletops for exactly this situation: identify those key risk areas in your business, ask hard questions like that. What if this technology were to go away? What would that do to our business? And then find a way to respond. And it leads to some very uncomfortable conversations. It leads to a whole lot of people saying, yeah, I don't actually care, and remember what I said about notes: lots and lots of notes. Back to you. Thank you all very much. Enjoy your time, come find me, have chats, come play with my Flipper Zero and my Proxmark. Oh, I'll give you NFC tags if you want. I can't throw. Thank you so much.
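The Nova Scotia portal story in the talk is, from the defender's side, a missing object-level authorization check plus an enumeration pattern that shows up in the access log. The following Python sketch is an added example, not code from the talk or from the portal; the document store, users, IP addresses and log lines are all constructed. It shows the record lookup with and without an ownership check, and a detector that flags a client walking record ids in sequence.

```python
"""Added example: object-level authorization and enumeration detection for a
record portal whose ids are sequential. All data below is constructed."""
import re
from collections import defaultdict

# Constructed document store: id -> (owner, contents). Sequential ids are
# exactly what made a portal like this walkable by changing the number.
DOCUMENTS = {
    1001: ("alice", "alice's FOI response"),
    1002: ("bob", "bob's FOI response"),
    1003: ("alice", "alice's second FOI response"),
}


class Forbidden(Exception):
    """Raised when a requester may not see a record (or it does not exist)."""


def get_document_insecure(doc_id: int, requester: str) -> str:
    """The flawed pattern: only the id from the URL is checked, so any
    logged-in user who changes the number gets someone else's record."""
    return DOCUMENTS[doc_id][1]


def get_document(doc_id: int, requester: str) -> str:
    """Hardened lookup: the record is returned only if it belongs to the
    requester. A missing id and a foreign id fail the same way, so the
    error does not reveal which ids exist."""
    record = DOCUMENTS.get(doc_id)
    if record is None or record[0] != requester:
        raise Forbidden(f"record {doc_id} is not available to {requester}")
    return record[1]


# Constructed access-log format:
#   "<iso-timestamp> <client-ip> GET /foi/record?id=<n> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) GET /foi/record\?id=(\d+) (\d{3})$")

# Constructed sample: one person opening their own two records (198.51.100.4)
# and one scripted client fetching eight consecutive ids (203.0.113.7).
SAMPLE_LOG = [
    "2024-08-24T10:00:01 198.51.100.4 GET /foi/record?id=1001 200",
    "2024-08-24T10:00:02 203.0.113.7 GET /foi/record?id=1000 200",
    "2024-08-24T10:00:03 203.0.113.7 GET /foi/record?id=1001 200",
    "2024-08-24T10:00:04 203.0.113.7 GET /foi/record?id=1002 200",
    "2024-08-24T10:00:05 198.51.100.4 GET /foi/record?id=1003 200",
    "2024-08-24T10:00:05 203.0.113.7 GET /foi/record?id=1003 200",
    "2024-08-24T10:00:06 203.0.113.7 GET /foi/record?id=1004 200",
    "2024-08-24T10:00:07 203.0.113.7 GET /foi/record?id=1005 200",
    "2024-08-24T10:00:08 203.0.113.7 GET /foi/record?id=1006 200",
    "2024-08-24T10:00:09 203.0.113.7 GET /foi/record?id=1007 200",
    "2024-08-24T10:00:11 198.51.100.4 GET /foi/record?id=1001 200",
]


def parse_log(lines):
    """Return (timestamp, ip, doc_id, status) tuples; other lines are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, ip, doc_id, status = m.groups()
            events.append((ts, ip, int(doc_id), int(status)))
    return events


def find_enumeration(lines, min_run=5):
    """Flag clients whose successive record requests form a +1 sequence of at
    least min_run ids. People following links do not do that; a GET loop does.
    Returns a list of (ip, first_id, last_id, request_count)."""
    ids_by_ip = defaultdict(list)
    for _ts, ip, doc_id, _status in sorted(parse_log(lines)):
        ids_by_ip[ip].append(doc_id)
    alerts = []
    for ip, ids in ids_by_ip.items():
        start = 0
        for i in range(1, len(ids) + 1):
            # A run ends when the next id is not exactly the previous id + 1.
            if i == len(ids) or ids[i] != ids[i - 1] + 1:
                run = ids[start:i]
                if len(run) >= min_run:
                    alerts.append((ip, run[0], run[-1], len(run)))
                start = i
    return alerts


if __name__ == "__main__":
    print(get_document(1001, "alice"))           # alice's own record
    print(get_document_insecure(1002, "alice"))  # bob's record leaks
    try:
        get_document(1002, "alice")
    except Forbidden as exc:
        print("blocked:", exc)
    for ip, first, last, count in find_enumeration(SAMPLE_LOG):
        print(f"enumeration from {ip}: ids {first}..{last} ({count} requests)")
```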