
You got candy up here? You got candy up here? Yes. Is this from home? It's Finnish. Wow, okay. Okay everyone, we're going to go ahead and get started. I would like to introduce Petri, and his talk is Fight Back: Raising Awareness in Infosec. There you go.

So, what's up? So let's talk about awareness. I know that you need to be kind of relaxed now after the happy hour, so let's try it. So, go: yay! [Applause] [Music] Oh, I like that. So let's keep the interaction going, so I will ask some questions in between and let's continue from there.

A few words about myself. So I'm from far, far away, from Helsinki; that's in northern Europe. I work in a company... oh, that doesn't look good, but anyway, I work in a company called Tieto, which in English is translated as knowledge, and in Finland we have a saying that knowledge increases pain, and the pain is now the infosec awareness.

Then why I chose the topic as Fight Back. So Fight Back, it's all about a skier dude called Pekka who got injured really badly when he was doing a skiing film. So he lost kind of everything: he couldn't speak, move, do anything, but he had two options. He had the possibility to give up or fight back, and he chose to fight back, and now he's walking, talking and planning to run a marathon in the near future. So if Pekka can fight back, there is no reason why you cannot do that. And now his mission is to increase the awareness in sports of protecting yourself, and mine is to increase the awareness in infosec.

So why do we need awareness? What is causing pain? So we are under constant research by the colourful team of anonymous boys and girls out there, and their evolution has changed: what used to be a single person is now a group, or, sorry, a single machine or a bot. And then what used to be fun is now gaining a profit, so if they don't get the bug bounties, or the "big bounties" as they are saying now, they will sell your data to the highest bidder. And their number one attitude is to solve problems, the problems which are causing us the pain.

Then, when we are building something, what should be in the blank here? What are people? Humans. Humans, correct. So humans are the weakest link. So why is that? So when they started developing something, they put in some code and then they deploy stuff to the internet, but what is missing from here, from this picture? QA, QA. What else? Testing. Oh, you are testing like this guy who is testing with this awesome banana. And the other thing is that there is just an open source or commercial product and you just hit next, next, next, next, next and it's deployed on the internet. And why are we doing that? Because your boss says that you need to be fast, the customer says you need to be fast, or you just want to be agile, trendy or whatever. But do you really know what the thing does, or does it collect personal data? It would also be really interesting to know, when you are deploying with your fancy agile process, have you thought about these kinds of infosec areas, like business case, vulnerabilities, logs, admin rights, configs, data privacy, risk management, business continuity or incident management? I would say no, because when I mention these areas to people, there is a really big question mark on their face: what the hell is this guy talking about, why are you asking this, this has never been requested before. And I think that has happened in 2015.

Now, why do we need to have the infosec areas in place? So let's look at a short video which gives us a bit more context to the area. [Music]
So, what do you think about the video? Yeah. But when you are talking about these things, you are cheering, right? So it feels like it's a really distant item out there: this could never happen to me. But I have kind of one more example. So here is lots of text; just bear with me, I'll summarize it in short. So Sony's internal network got hijacked and they got some demands that the data would be leaked outside if they aren't met. Of course Sony said no, and within a few days there were gigabytes of stuff out: kind of social security numbers, legal and financial data, internal passwords, and the worst part is that there was a possibility of identity theft for 6,800 employees and 40K externals.

So it's still kind of a really distant item out there. But what if we make it personal? What if it's your data which is out there, your identity which is stolen, your legal and financial information out there? So what do you think about that, does it make a difference? So whenever you are having this app or tool or service, and if you are responsible and your name is on there, make sure that you cover your behind and you know what you are responsible for, and this won't happen to you.

So this is my motivation, my goal, how to make things: whoever you are, whatever you do, in or outside IT, I want to make you look awesome at infosec. So how do you make someone awesome? So you need to be present, available, be positive always. If things are really bad, don't yell, don't make a scene, just help them to fix the things. If you are going to be kind of the typical infosec guy who's sitting in the ivory tower out there, they will replace you with someone else. And when you are talking about these things, for example to the non-security guys, they will get the message; there comes the kind of home run, the game changer, and then there is the perfect moment where you have sunk in your message, and what has happened? You have already raised the awareness to the next level.

Then, now, how are we going to make you look awesome? So how do we fight back against the researchers? So what I'm doing is that we have done kind of an assessment with an awareness twist. It means that when we go through the questions in the assessment, which we look at a bit later, we learn from that. And then you need to demand evidence. What is the simplest form of evidence that you are providing, that you are doing something? Candy, hooray! Documentation. So then you just mark: is it yes or no, is it acceptable or not. Then, just ask, when you're answering, be honest. So if you don't do what you have documented, that you do something differently, then it will backfire on you later on. And then just fix the gaps: all the no and partial answers, change them to yes.

Now let's see what the assessment means. So here are the earlier mentioned areas with the X number of questions, and the pass-through score comes from OK plus not applicable. Now what is wrong with this picture? What? [Applause] Correct, there is an awful lot of red. Why is that? Because what I have seen is that there are lots of cases where there is zero documentation or outdated documentation, and when the awareness is missing, we need to highlight the negative figure to give them the wake-up call.

Now let's go through a few kind of examples of questions. I'm not going to show the whole set that is created there, but we can talk about those offline if someone is interested. Here are as well a couple of answers to the questions which are not the best practices. So the first one, about risk: is there a procedure to discover new risks? If someone is answering "the service manager" to this question, don't use that. Has the target a documented log plan? The one clever answer was that "we don't enable logs". Is there a patching schedule which is agreed? And the answer was that "we patch on request". I asked what that means: when someone is asking? Then I asked when somebody has asked you, so it was last year. And then, are there kind of regular sources of information existing? And the answer was that "we collect user data but we don't inform the user about that".

Then what do we expect as a result, when, through the assessment, all the
questions have been answered and the gaps have been fixed? So here are once again the areas to go through. Let's start from the data privacy part. Any idea what this thing is? Hooray, correct. So for example this is mandatory in the PCI area: when you have the data flow in place, you will know what data you are protecting. Then you can identify the data types, the owner, the location, and the owner needs to classify and protect the data accordingly. Then you also know the source of the information, why it is processed, and is the end user informed that it is collected. Then, is it transferred somewhere, who has access to the data, and how are you handling the extracts? For example, can someone just go into the reporting UI and put SELECT * and get everything out from there? And then you also see how the data is managed through the life cycle: so what is the retention time, and how the data is deleted and corrected.

Then let's look at the business case. With the data flow you will have a justified business case, and you also know why, how, where and by whom the whole thing is developed and maintained, and with the data flow you also know who is the owner of the whole thing.

Let's check out the risks. So when you have the data flow in place, risks and threats are identified by the risk owner, who defines the controls, and if the data flow is changing, all the risks and threats need to be reviewed and they will be magically kept up to date as well.

Then let's look at the continuity. When you have the data flow in place, you can deliver what you promised and you have a way to deliver what you promise, and when the "can" and the "way" are corrupted, then you also know how you can continue with your promise.

Let's look at the configs. You can use the data flow for the configuration management: just replace the boxes with the servers. Then you know what servers you have, where, which configs they have and what kind of sources you use for those servers, and if you have some servers which are not belonging to the data flow, just investigate and get rid of them or add them to the data flow.

Let's look at the vulnerability management. When you have done the configs and now you're doing the vulnerability management, it's really easy to keep it up to date, because you know that the software will be up to date through patching and the scans are enabled in all the correct places, whatever you prefer to use for scans.

Logs: so I'm pretty sure that when you have the configs and vulnerability management in place, there will be logs enabled as well, and you are transferring, hopefully, the audit trails outside the servers. Why do you need to do that? So that the trace of what has been done by whom is visible; so if the researcher comes for a visit, even if they wipe the server logs, they are visible somewhere else.

Let's look at the admin rights. So the traceability will be ensured when you have individual accounts. Don't use shared accounts, because they cannot be tied to an individual, and be sure that you are not doing the Oprah effect, that nobody is not an admin.

Right, great. Now, so even if you have assessed everything you've got and you have identified and fixed the gaps, the researcher can and will come for a visit. You have to understand that nothing is watertight; you can only do the best possible, and you need to aim only for the best possible part. So maybe you cannot prevent the intrusion, but you can prevent the exit with the stolen data, and if for some reason the best possible was not enough, then you are prepared with the incident management process you have in place.

Now, how can you do all of these things? Just do a mini project, it's that simple. Just kick off, create the schedule, define a target date (defining the target date is really, really important), then there are lots and lots of actions with responsibility, and then follow up, follow up, follow up, follow up as many times as needed, and then close the assessment. Then, when you start doing the assessment, do it properly: aim it for a company-wide target, and when you are having these new projects for services, tools or apps, demand that these assessment questions are added as a deliverable to the project, so you will get out the correct evidence that they are doing what they're supposed to do. And with the actions that we have made, the awareness has been raised from minus 100 to close to plus 100; in this case it was 97%.

Now, do you still remember that there
was this nice Finnish saying that awareness increases pain? So are you agreeing with that? The more you know, the more pain you will get? Yes? You want candy? More noise! No? Who else? Sorry.

So let's now take a step back and see how we got to the 90-plus on the awareness. So this was the starting point: pain caused by the hackers who want to solve problems created by humans lacking awareness in infosec. Then we made the presentation kind of personal: what if it's your data that leaks? So do you want to be the next person explaining on the internet and everywhere on the news why it happened to you? But then we turned it around and saw how we make you look awesome at infosec. Then why are you awesome? Because the pain of the presentation, the awareness, has changed to knowledge. And once again, if this ski dude Pekka can fight back, there is no reason why you cannot do that. And now, as we have the mindset that security knowledge decreases pain, we can adopt the kind of researcher things that we saw earlier: the evolution, motivation and attitude. So our evolution is that we are eager to learn, the motivation is "you can come for a visit", but the attitude is that I am awesome at infosec, and with these steps, that makes the human the best protection method there is.

Take a kind of close look at this slide, so this is kind of summarizing everything. So there are always new people involved, or you need to train the existing people, so it's just a fight back: you need to repeat, sleep, repeat, and there are no excuses on this thing. Any questions or comments or concerns on this area?

[inaudible question] Yes, yes, this is kind of what I do for a living. Yes, so all the examples are coming from real life.
[inaudible question] Yes, sorry, what do you mean? So of course you need to get the management involved, and if you cannot have it, it's really difficult to motivate, let's say, the employees to do the right thing. But of course everybody's always saying that this is, yeah, this is really, really important, but nothing happens. So it's a kind of two-fold thing: you need to go to the management and say that this needs to happen, and I think that the easiest way to show that things are wrong is when actually something happens; then you can say "what did I tell you". Okay, more? Or is this self-evident to everybody? It's good, okay.

But while we are in Vegas, we need to have some fun as well, right? So the parties are ongoing as well, so it has the same kind of thing: you sleep, you repeat, you party, you sleep, you repeat, and there are no excuses on that. If you don't know yet or are not familiar with the parties that exist, go to the link and check; you will find a few of them, and then just go and have some fun. So thank you very much, see you at the Cy
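The assessment procedure the talk describes (mark each question yes, partial, no or not applicable; demand documentation as evidence; count the pass-through score per area as OK plus not-applicable over the total; then work every no and partial answer into an evidenced yes, following up until the list is empty) as an added, runnable example. This is constructed illustration code, not part of the talk and not the speaker's or Tieto's assessment tooling. The area names, question wording, sample answers and the evidence references are assumptions built from the examples the talk gives; the rule that an undocumented "yes" is scored as a gap is the talk's "demand evidence" point written into code.

```python
from dataclasses import dataclass, replace
from enum import Enum


class Answer(Enum):
    YES = "yes"
    PARTIAL = "partial"
    NO = "no"
    NA = "n/a"


@dataclass(frozen=True)
class Question:
    area: str
    text: str
    answer: Answer
    evidence: str = ""  # reference to the documentation backing the answer

    def status(self) -> str:
        """'ok' counts toward the pass-through score, 'n/a' is excluded,
        'gap' (the red cells) must be fixed before the assessment is closed."""
        if self.answer is Answer.NA:
            return "n/a"
        if self.answer is Answer.YES and self.evidence.strip():
            return "ok"
        # 'no', 'partial' and an undocumented 'yes' are all gaps:
        # without a document there is no evidence, only a claim.
        return "gap"


def score_by_area(questions):
    """Pass-through score per area in percent: (ok + n/a) / total."""
    counts = {}
    for q in questions:
        counts.setdefault(q.area, {"ok": 0, "n/a": 0, "gap": 0})[q.status()] += 1
    return {
        area: round(100.0 * (c["ok"] + c["n/a"]) / sum(c.values()), 1)
        for area, c in counts.items()
    }


def overall_score(questions):
    """Company-wide pass-through score across every question."""
    if not questions:
        return 0.0
    passing = sum(1 for q in questions if q.status() != "gap")
    return round(100.0 * passing / len(questions), 1)


def open_gaps(questions):
    """The action list: every question that is not yet an evidenced 'yes'."""
    return [q for q in questions if q.status() == "gap"]


def close_gap(question, evidence):
    """A gap is closed by producing the document, not by flipping the mark."""
    if not evidence.strip():
        raise ValueError("an answer without evidence is still a gap")
    return replace(question, answer=Answer.YES, evidence=evidence)


# Constructed sample assessment (not real assessment data). The answers echo
# the talk's examples: "the service manager", "we don't enable logs",
# "we patch on request", "we collect user data but don't tell the user".
SAMPLE = [
    Question("Risk management", "Is there a risk register with an owner?",
             Answer.YES, "risk-register-v3.xlsx (constructed reference)"),
    Question("Risk management", "Is there a procedure to discover new risks?",
             Answer.YES),  # answered 'the service manager': a person, not evidence
    Question("Logs", "Does the target have a documented log plan?",
             Answer.NO),  # 'we don't enable logs'
    Question("Logs", "Are audit trails shipped off the servers?",
             Answer.YES, "logging-standard.md section 4 (constructed reference)"),
    Question("Vulnerability management", "Is there an agreed patching schedule?",
             Answer.PARTIAL),  # 'we patch on request', last time a year ago
    Question("Vulnerability management", "Are vulnerability scans enabled?",
             Answer.YES, "scan-config.yaml (constructed reference)"),
    Question("Data privacy", "Is there a data flow diagram for the service?",
             Answer.YES, "data-flow.png (constructed reference)"),
    Question("Data privacy", "Is the end user informed what data is collected?",
             Answer.NO),  # 'we collect user data but do not inform the user'
    Question("Data privacy", "Is payment card data processed?", Answer.NA),
]


if __name__ == "__main__":
    for area, pct in score_by_area(SAMPLE).items():
        print(f"{area:25s} {pct:6.1f}%")
    print(f"overall: {overall_score(SAMPLE):.1f}%")
    for q in open_gaps(SAMPLE):
        print(f"GAP [{q.area}] {q.text} "
              f"({q.answer.value}, evidence: {q.evidence or 'none'})")
```

Running the file prints the per-area scores and the red list for the constructed sample (four gaps, 55.6% overall). The same functions are re-run after each follow-up round; an assessment is closed only when `open_gaps` returns an empty list, which is the state the talk describes as close to plus 100.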