IATC - Security Trek: The Next Generation

I am Ira Victor I am one of you I have been coming to bides since it actually was open to the public um when it went when it left someone's house and actually went as a public event I have been coming as Josh knows to I am the Cavalry since Josh started I am the Cavalry so I am literally one of you I have been going my my first defc con was Defcon 10 so I have been um immersed in information security for a long time it is an honor to be here and present to you and to answer I I didn't know about the Pres the the slides for this last presentation I sat through with as much

interest as all of you did and it is wonderful I'm going to credit to Josh and his people for putting me after the first presentation I don't know if it was planned but I'm going to answer a lot of those questions in that presentation uh and uh full disclosure I I do work in uh digital forensics and incident response I am part of my pro bono time is not just here for you as I am the Cavalry but I am an ambassador for the center for Internet Security controls and as this unfolds you'll find out more about that and what this what it has to do with our talk I'm also going to give you the precursors to look

for when vendors sell you what they what they tell you will answer your problems but what to look for to know that that's not what what you're buying you're you're buying something else so there's a tease for what's coming up here uh I'm this this is another crazy coincidence I did name this security trk the Next Generation uh I did not know that this past weekend was the Star Trek convention it actually ended the day before yesterday someone asked me if that was planned it wasn't but I went with it so start dat 32 3320 55 which was 25 years ago today and star dat and what we were doing as a information security Community was we

were trying to educate mainstream users about information security and digital privacy and most people I've been around long enough to know gave us blank stairs what the heck are you talking about I remember that and what we wanted to do at B sides defc con black hat RSA shukan what we wanted to do was protect against cyber criminals nation state spying financial fraud um so we had attacks how many of you remember I love you some really really bad Cyber attack and then we had the early ransomware one of them was called crypto Locker W to cry um and and there are many many more I actually go and look those up cuz cuz I was going to put codee red in there

there were so many old attacks back then uh that we were trying to educate the world about so I actually think we've made great progress I know we have a lot to do but Josh's announcement today was an example about the great progress that we've made that there's now going to be a publicity effort around awareness and information security even the fact Josh that you could have that conversation and not get blank stairs right that's a change from when we when I am the Cavalry was started right I think that's great so what I my my opinion is mission accomplished sort of sort of my thesis is what we've what we've helped uh train people outside of our

community is that the threat is no longer abstract people now realize that it is a real threat that's good that's that's a big Improvement but now the challenge is how do we persuade the mainstream users that their systems and their things that they're doing in their life need to be secured they're aware of it but they're not quite sure what what the heck do we do now um a lot of times I've been told uh when I'm doing public speaking or I'm having media appearances um said Ira you've just scared the heck out of me the the person interviewing me on TV Ira you've scared the heck out of me and what I want to say is okay well that's

good but now we need to take take that fear and make it something of action and that's what I I consider the the people in the in the 21st century that have been involved in the security Community that's everybody here in the room people watching on video um have probably been involved in information security to some extent uh in the 20th century that's our generation broadly speaking so the question is what do we teach the Next Generation what are we going to do to have security for the next generation and how do we harness this so couple of challenges um small organizations often cannot afford in-house it let alone information security and that could be that could I

want to broadly Define what's small you know less than than 500 employees it might be a division of a larger company with less than 500 employees and spare spare resources right like a law enforcement department might be part of a a large entity legally but you were in light rail weren't you sir I was looking at you in light rail so you you may be part of a larger government entity but your group is would be considered small on its own and what your budgets are I still count that as a smaller organization challenging to have in-house to afford good in-house it good in-house you know great that that your organization sir has a seeso a lot of them don't it's

just voic it on it I further I'm going to ruffle some feathers here but I actually believe that a cyber security degree may not really adequately prepare graduates to defend against Real World threats how many of you know someone that has a degree in information security um uh and says I can't get a job because they say I have no experience and I tell them well I have a degree and they go right you have no experience and so we've got a lot of people with degrees but they're not actually getting hired in their field of choice why you know how do we fix that because that's someone that has that awareness how do we harness that and fix

that and um I think that part of what it h what the one of the keys that's missing my thesis is one of the keys that's missing in this pillar is practical real world response and when I tell that to people that have a degree like well Ira can you Can you hire me on one of your projects so I can get some experience and and and I can't get any experience so when I apply I have no experience what what do I do I'll answer that question I will answer that question so my what I want to impress upon you is all of us all of us that have been in the information security

community in the 21st century we have I call it the for the first generation we have because we know this stuff we know how bad things can be we have an ethical obligation to equip the Next Generation with the tools and knowledge to complete the mission okay yeah great sounds great Ira lots of platitudes thanks a lot bye I'll see you later no I going to tell you how we do that tell you how I'm doing it and how all of you can be part of that so I I propose that we need a radical change in our attitudes to information security to complete the mission number one information security is not about products primarily it's

primarily about process just just before this talk I was you know my phone is going off that is so embarrassing I can't tell you how embarrassed I am I probably turning red Ashley um uh the the uh there a huge litigation that's happening right now between the airline industry and the tech companies over the massive outage that recently happened I just was reading it this morning swear to God one of the major airlines said we spent billion I'm I'm paraphrasing it's a long story we spent billions of dollars on product it's not our fault this is the problem the CEO says we spent billions of dollars on products Sur I'm sorry to keep pointing out

because it was so great in light rail we spent billions of dollars on some stuff we but it's not solving the problem that's exactly right because it's about process primarily not about product in order for us to empower the Next Generation we have to share our experiences all of us you're shaking your heads right we spent we're spending we spent A4 million dollar buying this widget this black box and we racked it up and it's got all the Blinky lights it must be doing something and we spent tens of thousands of dollars on something as a service for this and then our whole infrastructure craps out and we lose half a billion dollars it's a

particular Airline I'm I'm referencing and they go we how can this happen we we're going to go Sue everyone because we spent all this money so first in this and again I'm going to come back to you sir and like what is your first name sir my name's Andy I hope you don't mind me using it because it was so awesome your last question so one of the elements is we need to change our understanding have a better understanding and all of us in the community have a have a better understanding about what open source is practical Hands-On and what it is and what it can't do because Andy part of the answer your question is not is not

vendor lock in that's not the answer to the question about what do we do when we our change our needs change but we're locked into hard to something as a service and some blinky light box in our rack and then the next the all this the part of this is also a public education Challenge and now I understand why Josh and his team like my proposal today because that was in it before I saw the the last talk all right now here's the big to the big if there's if there's a few things you take from this talk today and nothing else this is one of them right here I this is from directly from my experience

being in the community what are the telltale signs that uh a decision is being made to substitute information security true information security for just buying product that it's not product it's process is you look for the companies that boast to the investor community that their crap is going to have a revenue hockey stick how how many you have heard of the revenue hockey stick okay look it up I did not make this up it's when the business's strategies are more gear to the investor Community than the users and the customers and what they want is they want to they want to convince people that buy our buy our Blinky lights buy our XYZ is a

service and your problems will be solved and what they're doing is they're signing up all these people so they can get this Revenue hockey stick where they start at the bottom where a few customers and then they ramp everything up there's a certain security company that had a big outage that was a big fan of the revenue hockey stick now this is all publicly available information the investor Community to their credit expose what they do they do not hide this so you look and say do I see the telltale signs do I see them say the revenue hockey stick that we've tripled our Revenue in the last X number of months that's the revenue hockey stick

they're focused on investors not on users not on security not on process on investors and I'll give you another Telltale sign call before you make a decision to buy the blinky light or someone's going to make the decision and you're in the team to blide the blinky light box and the service call up use a little social engineering skills call up and pretend to be a customer can you talk to a real person are they really knowledgeable about information security are they knowledgeable about process or are they just there to facilitate the hockey stick if they're just there to facilitate the hockey stick don't walk run or at least advise someone that if you were in the position to make a

decision you wouldn't walk you'd run um uh the the one of those times that I made those calls on behalf of a client I swear to God the person I talked to and I said well why don't you do it this way I got to someone knowledgeable they said well that would be too difficult for us it was something very simple about process yeah because too difficult because they're focused on the revenue hockey stick look for those signs walk away and boy the market works if if if all of if enough of us doesn't be all of us if enough of us in the information security Community push back against the vendors push back look

at my last bullet point when they have their meetings internally I've been in these meetings by the way when they have their meetings and you and someone talks about process about that being important for the for the company yeah but Ira we don't get the revenue hockey STI that way you're not thinking big enough and I was dismissed not psych not physically psychologically dismissed what I was saying Market pressure can change that when the revenue hockey stick doesn't hockey stick that's how we that's how that that change starts to happen so outsourced it I know some of you I I'm an outsourced digital forensics and incident response professional my brethren in Outsource it there probably some of you here watching

I'm sorry to say you guys and gals you're Focus too much on selling product when it comes to information security not process please be I am the Cavalry be the Cavalry that changes that because it's about more about information security and privacy is more about process than buying products secondly what goes for security awareness training is looking at Antiquated attacks it's generic and it's teaching people about attacks that don't even happen uh or haven't happened for a long time uh so that's another challenge that that we need to conquer and I have an answer to that um and again I'm going to come back to this bias against open source there's a among non-technical people there is this response that I see

that if it's open source that means that all my data is open like no that's not how it works but it's those of us in this community I'm seeing the shaking heads we have to be the Cavalry I am the Cavalry and stand up in the room says no in the room no that's not what open source is it's a misunderstanding that's not the part that's open it's not what we mean when we say open source that's not what we mean uh so I want to take a break here um uh I did title my talk uh security Trek the Next Generation and one of the things that I found interesting about being a Star Trek fan is that when when

you have a security issue that you need to explain to someone a lay person there's almost always a Star Trek episode that has the issue and I came up with two examples um one is crowd strike son of a gun in the skitso man that's in Star Trek the Next Generation Series 2 episode 6 season 2 Pardon Me episode six data there's incompat in essence summarizing a long plot incompatible code is loaded into Data that almost causes a catastrophe on the Enterprise sound familiar great way to explain it now just is a personal sidebar and I'm always I want to talk about the community but my name Ira is not a very common name the main the protagonist in

this episode is Dr Ira Graves it's so cool the um and I remember when this episode aired actually because the guy's name was Ira uh cdk Global now cdk global has kind of been washed out of the headlines because of the crowd strike but it actually had a bigger impact in many ways than crowd strike did over half of the consumer and and Commercial uh vehicle business is uh powered by or uses CD cdk Global's uh software this is a company by their own own website says that they do they're an expert in everything related to technology marketing CRM Salesforce automation promotion uh search engine optimization will'll run your whole it and we're experts at information

security in my opinion hogwash they were acquired by private equity and that private Equity company in in my observations of publicly available information were obsessed with the hockey stick and so they got hit by a really bad ransomware attack and because a lot of dealers had all their eggs in the cdk basket because cdk promised we'll take care of everything they went down hard as hard as as some of the airlines did they went down and it affected thousands and thousands of businesses across the country now there's an episode called Gambit part one and two also Star Trek the Next Generation season 7 episode four and five where Captain Bard is held Ransom and they go over a lot of the issues and

challenges for ransom what a I do this everyone yes it's kind of fun to do it but also this is how we have to explain to the lay person this is not something kind of we don't understand what to do relate it to people in in ways that they can understand um one other little fun cool thing I found that picture with beard and some other some other character um have a little fun today at bides look for a person who has hair like that I promise you there are people here at besides that has a haircut like that somewhere here all right so what did what did I do what have what have we

done and actually I'm going to you get ready to stand up because I'm here with someone to help me today so what what I did with a group of people about 17 years ago is we set up a Lions Club with one project Lions Clubs are uh over 100y old service organizations they're all across the country all across the world and they usually get involved each Club in multiple service causes in their Community we have one cause it's the computers for kids club what we do is we recruit volunteers to help run the club it's 100% volunteer we service kids in the community that have no computers at home and we educate them about open source

privacy and security everyone we have educated in the last 17 years 15,000 students and their parents about open- Source information security and privacy 15,000 100% volunteer we are people in our community that care about this and we I am the Cavalry Spirit we are the Cavalry we did it and we service K through 12 students we not we we require the students to take training for this and we require them to come with their parents so their parents learn about security and privacy and the children learn learn about security and privacy Ashley stand up Ashley is our president of our chapter thank you Ashley and she helped me she helped me so much today in in in

in logistics and things so she she's awesome but Ashley's an example of not only that we're helping kids we're bringing people and Ashley was not in the information security Community but she wanted to be so we bring in adults young adults but also people that are going through career changes that have the problem of I can't get hired to do security infos SEC because I have no experience we give them we the by going through as an adult going through our program the our members get real world experience in information security and privacy that then is directly applicable into the job market we um I am proud to say that our current vice president and

uh Jenna is her name she was working at Walmart driving a forklift when she joined our club she has left the employment of Walmart and now she works for a a high-tech company doing work in our field and one of the elements was what she did in our computers for kids club because it gave her experience so she could jump out of that forklift job um and we have a multi-step approach to training that covers hardware and software and doing it in Reno but we have because we're part of Alliance club we can scale this to anywhere any of you are in the world and I'll tell you about that in a moment but I also have a big announcement this

right here in this room all of you that are watching this this is the worldwide announcement of the first desktop operating system that is comping with the center for Internet Security controls for security and privacy free open-source software it is going to be launched at the end of this year and we partnered with the the our computers for kids club we partner with the center for Internet Security so that we're the test bed and for people that want to get involved in this there's an opportunity if you are already in information security to burnish your resume if you know people that want experience to get involved in this program to be part of this of the launch of this

desktop operating system free open source everyone unlike Windows and Mac where out of the box the in my opinion what Microsoft and Apple has done is is deployed Millions upon millions of promiscuous devices and put it in the hands of consumers and small businesses shame on them because those devices out of the box in my experience are engineered to be compromised and I'll give you just one example I don't have I don't have time here to go through a catalog of all the examples I'll just give you one when you pull those devices out of the box and you go to start them up to set them up not on an active directory domain but stand alone

they all run as local admin and no instructions like no like oh don't do this if you want to do this your hair is going to fall out if that's what you really want to do are you sure you really want to do this you know when you want to delete Microsoft software that's what they say your hair is going to fall out if you delete it but they don't say and and apple too is guilty of this they don't say hey our devices are promiscuous and going to be compromised a moments if you run them as local admin by the way that's one one of the CIS controls is do not run as local admin

but yet millions of these devices are deployed every day that are running in that state so um uh we this is a this is going to be an operating system that is designed for security and privacy out of the box and free open source and we are going we've been deploying our own sort of home brew for greater security and privacy for the computers for kids club and we're going to be transitioning by the end of the year to the CIS uh version um it's going to be available I'll give you the link in a moment for CIS you you don't need to be part of the liance club computers for kids club to get that um but you can work with us uh

to to burnish your resume or know if you know people that don't get involved in information security so we we view this and I'll tell you how you can get involved we view this as the handson experience on security process none of it has to do with a revenue hockey stick there's no XYZ as a service there's no oh buy our proprietary box and then it's arbitrarily end of life that of 36 months because the revenue hockey stick requires you to buy another one of the stupid boxes none of that we we this is about a culture of security and privacy process and that allows us that that will allow us to finish the mission we've

started um doing so well in getting people aware but now we need to finish that mission and it's up to all of us up to you to do it so let me give you some examples here and I'll give you some contact info I'm going to put that up so you can take there now I have Ashley right here our president so at the end of the talk you can come to see me you can come to see Ashley as the president of the chapter you can also email or send us a text we'll send you information here's what we will offer to anyone that is not um in does not live in Northern Nevada there are so many

elements of what we do that are about process that don't require doesn't require you to be in Northern Nevada where we live um we as a matter of fact we were doing uh remote meetings before any lions clubs in the world we've been doing hybrid meetings we do a meeting an organization meeting every week it's always been hybrid and we do not use zoom another second thing the second thing to walk away from this if nothing else this is the second one do not use zoom it is promiscuous by design it is promiscuous by Design there is free open-source uh um video conferencing jits and I have no connection to jitsy jit dosi jitsy meets it is free like

open source free what a concept you can actually download jitsy and locally host your own jitsy little server you can you can put on a little small form factor box and run your own jitsy server but there's also Cloud jitsy so we meet on jitsy once a week or have an organization meeting for one hour once a week and by joining our club which means attending the meetings and then whatever you want to do we have many things that need to be done many of them can be done remotely we've spent 17 years ironing Out The Kinks of how to give out 15,000 computers just with volunteers just a couple hints the computers are all

donated to us so there are millions of of insecure compromis promiscuous by Design comp uh desktop computer systems uh I'll stick to North America but it's the world and by Design they're obsoleted by the tech companies that are concerned about their revenue hockey stick not about security or privacy of their customer in my opinion we take though Those comp organizations have to pay to have them hauled away they find out about us wait you guys will come pick them up what are you going to charge me nothing well nothing like so no nothing what do you do with them you just dump them out you know go somewhere in a river and dump them out no no no we

refurbish them and we teach kids about privacy and security with open source wow can you pick up three pallets next week I kid you not I kid you not we get pallets of donated equipment and we take that equipment and refurbish it so it's free and we put our free open software on it and we teach the kids this is how we do it all with volunteers and there's obviously with any process like this there's lots of Little Steps we know all those little steps so if you want to get if you want to go in your community and read about what we do talk with us and do something on your own in your

community please do it there are millions of these crappy insecure systems that are being dumped in garbage dumps or sent overseas to third world countries where little kids go through the motherboards and get heavy metal through their skin we can divert those you can divert those and if you want to do some version of this please go do it you can download the the CIS Linux and go do it if you want to be fostered by people that have been doing this for 17 years come join us remotely and then if you say great I learned this stuff Ira now I want to do it in my community awesome well connect you up with the liance club there wherever you

are in the country there's a liance club nearby that's why we one of the reasons that we affiliate with Lions Club they have a structure so we can focus on what we do we don't have to create a whole structure legally we do that through the through Lions Club International we are recognized by Lions Club International for our Innovation we're one of the fastest growing Lions Clubs in in this part of the country because of the Innovation what we do so yes we'd love you to get involved that way but any way you want to do it we're we're we're we're free open source people not going to stop you from doing something on your

own whatever works for you but if to start my recommendation is start by participating with us for as much as little as you want and you can learn from that and then decide what you want to do um I also want it would be terrible if I didn't give you Center for Internet Security so the CIS security.org you will see information on their website by the end of the year about it's actually it's a version of Linux Mint and I'll tell everyone for everyone's benefit why we chose Linux Mint Linux Mint um is is a my phone is still ringing son of a god two people I thought I shut it off God and it's a

Spam call is that there's some like significance in that isn't there um we chose Linux Mint for the CI version of uh the CIS compliant version of Linux and technically it's what we call a benchmark so we took Linux Mint and then we added a different process for its configuration to make the CIS version of Linux so it's Linux Mint it's the cinnamon desktop and we chose that for a couple of reasons one is this is so awesome everyone for you take this is like the third like really important thing user many end users small organizations end users home end users other types of people that are end users when you when they get that automatic

update to Windows 11 like what the hell happened to my computer where's the start menu on the lower left right I'm all shaking heads right so the first thing we tell people is Linux Mint is more like Windows 10 by a mile than Windows 11 is they're all of the sudden listening I we've got their attention the parents are like really where's the start button we'll show you where the start button is so that we chose that also Linux Mint cinnamon has a really big user base so we didn't with both our group the computers for kids club and Center for Internet Security we didn't want um people to get used to a certain environment and then we had to switch

them because we've all known there have been dros of Linux that have kind of come in and then faded and we we one of the things we do in the computers for kids club is when if a student comes with have a lot of elementary school and middle school students we tell them you you can keep this computer through the end of your education and if it breaks bring it back we'll either fix it or we'll give you another one I got six palets out back we'll give you another one if it doesn't if it doesn't work so we want to keep them on the same environment through their life cycle and Linux Mint has a very large user base a

long history and great help menus too so we were very conscious in why we chose Linux but and another plus how many of you have struggled getting a printer to work in desktop Linux I have oh my god um Linux Mint works really well with older print in my experience with older printers and we don't Supply printers uh it's it's another whole space and then there's an ink issue so we tell people that you know find a printer and Linux mitt work works really well for newer or older printers and it actually a lot of times it configures faster than Windows which is like pretty freaking amazing my opinion um so um uh we this is this is a

lot of this is due to our you know our close collaboration with Center for Internet Security another big benefit of Center for Internet Security controls I'm going to put on my ambassador's cap uh Nevada was the third state to say that that the definition of reasonable security because that's the issue and the last speaker talked a lot about risk management and it's not there's no risk there's no nothing bad's going to happen or everything bad's going to happen that's not what risk is about right we all know that well the problem has been um when there's when there's uh litigation civil litigation that happens when is like with crowd strike the issue is was the airline negligent or was

crowd strike and Microsoft negligent that's what it's fundamentally going to come down to and then then the argument is well we Delta says we had reasonable Security in our systems and crowd strike and Microsoft to say well we had reasonable Security in our in our process and then a judge with zero information security training typically and a jury with zero information security training is going is going to arbitrate what what is reasonable security holy moly $500 million loss by Delta is going to be arbitrated by people that have no training and information security that's really bad so there's been a movement to Define what reasonable security is Nevada was the third state to say the

center for Internet Security controls defines what is reasonable security I wrote that law got that put in that's how I became the Ambassador actually they called me after that law was passed and created this ambassador program now about 12 states have some version of this um and there are no states that contradict it that's really important legally no state says no we don't we don't accept Center for Internet Security so all of you here that's so this is the fourth thing that's really important whether you get involved with us or not in some way I hope you do but if you don't understanding what reasonable security is what's the definition of reasonable security and it

is now in more and more jurisdictions the center for Internet Security controls which no surprise is more about process than buying products and works really well with open source so I encourage you to look at that there also is a guide if you go if you do a search um just a regular duck. go search not that other company that everybody heard of duck Dugo search and type in reasonable security guide Center for Internet Security there is a guide now so you can take that to management to justify process over product and there's a guide for that I'll get you a question just a moment so um I encourage you to do that and I'm going to I know I'm I'm

I'm we I'm near I'm rounding third here so here's the contact information for the for the computers for kids club um also if you liked this talk I'm happy that you did it's been an honor and thank you Josh for allowing me to speak today it's been an honor to be amongst my friends um and present to you today I am doing H after this talk was approved I was asked to give a talk at another conference it's a virtual conference I'm going to give a version of this talk if you know people that would like what I talk about they can go to pfic conference.com there's a virtual conference on info SEC and digital

forensics on August 21st there's no charge it is they've it's it's free like open source and you can sign up I am giving the noon eastern time talk it's a version of this you can have people have ask me can I just log in just to watch this talk you have Ira absolutely you can log in and you can share this with other people that way so I hope you didn't mind Josh me me plugging that um and so I've got just a few more minutes you had a question thank you so my name is Angelica and I'm it examiner for the state for the Department of financial institutions I'm also sock examiner when you're saying

process over the product I had many prod unions telling me like I'm like what's your due diligence process and they said they say all the things but then it's if they don't have sock to report first of all we don't really know how to read it second of all if they have exceptions what do we supposed to to do with that y first of all we send them security questionnaire it's so hard to get them into sending it back to us yes for we get the security question yes so sense full disclosure I I am the acting ceso for a credit union as a consultant okay I know this inside and out please have them I we had no push back from the

Auditors and The Regulators with the adoption of sener security and it's a cookbook mhm and the board bought it you know bought the idea and part of it was it's not about buying more blinky light boxes and X as a service it's it's about process and they could understand that okay okay and I I I I hope somebody here knows about the credit union that that went down in Northern California because I don't know anyone from that credit union and boy do they need they need this answer second thing that for kids club is it just for kids or also if I have the credit union members they're like they also sign up yes so great

question so we give the computers to the kids locally but EV adults can can and should join listen I've been doing it for 17 years I learn stuff by teaching by tackling new challenges I say can hey Ira can you help tackle that yeah I'll tackle that that makes me better I Advance my skill set and the the benefit is when I do that with a credit union I got to be really careful because it's regulated and I have to you know I can't go off too far off the reservation but with the computers for kids club I say hey you know I think I have a new way to do this we could do it this this and

this way can we try that and and then generally people say yeah let's give that a try because the it's not the risk of a of a you know Credit Union or a bank it's a computers for kids club so it's a really great way to get real world experience but to push yourself so yes adults in the credit union can join that will give them secur the great security training and awareness by being involved in the in the club great question thank you so much any other question do I have other questions time for one more question one more all right you know what that'll give time for the next speaker to set up

I'm going to be around for a little bit please come find me come to stand up again Ashley talk to Ashley and uh we'll we'll answer any of your questions one onone thank you again everyone thank you thank you