
So for anyone here, is this the first time you've been to BSides Ottawa? Oh well, that's crazy. We've been doing this a long, long time, just in the other end of town. So just so you know, this is our first time in this location. We've been running the event for 10 years plus, 14. There's an old-timer that remembers, has been involved in, okay, well, I fit in that category too. So with being in a new location, things might not go 100% as smooth as they have in the past. In other locations we've been able to hide some of those things before, so bear with us here. Hopefully everything will go smooth, but we had some technical issues with our projectors, we had this, that, the other thing happen, so there could be things that, well, shouldn't be that way or could be better, and we appreciate that feedback. Send that through the contact email, good, bad, anything, we'd like to hear it. Feedback would be appreciated.

So thank you all for coming. This is basically the biggest BSides in Canada, and for all those of you that are new, BSides is a worldwide organization that's been around for a long time. It's community driven. We don't get paid for this, we're not making a profit out of this. All the money that we make goes back into it, and let me tell you, these places aren't cheap. So on that note we have a lot of sponsors that have paid good money to have your attention. Please get out and say hello, take their sales pitch, whatever it is, to make them want to come back so that we can keep doing this, so we keep providing these great things for us to do, build a security community. This is by the community, for the community.

And on that, we have a lot of things going on here today. This event, we have more things on than we've ever had on. Our CTF has been with us forever. Embedded systems village, blue team village, policy village, escape room. Right down in the corner is our lockpick village, please don't forget them, they're kind of out of the way, it feels like. So make sure you go there and say hello and try to pick a lock, all that kind of stuff. It's important that all of our events get some attention. Obviously we're going to have lots of great talks going on today. We had great success with our call for papers. We can't pick everyone; we try to go through and try to keep the topics relevant and pick things that people might like. It's hard to know, right? But you should get lots of education out of this today, I would hope. We have lots of giveaways; you have to be here to get them. Anybody that's been here before knows that usually we have some stuff given away at each event, or each village gives away from the stage, but we call your name, you're here, you get it, so be here. And finally, I just want to say, with everybody being new, that we do have a code of conduct. Really, just be kind, be accepting. We're all here to learn, we're all here to network, we're all here to enjoy ourselves, let's try to keep it that way.

From a logistics perspective now, and this goes back to my original comment about the logistics: for parking, underground parking is free. The QR code inside the building is free; apparently the QR code outside the building isn't, and unfortunately, if you've done that, we can't help you get your money back because it's not controlled by the people who own this event area. Apologies, this is one of those things that we didn't know about when we were signing all this up; had we, we would have made it clear right away. So if you've done that I apologize, but free downstairs for sure, down in the underground, and free inside downstairs. Easy. So for food, there's lunch today; the food is going to be out in the vendor area. Again, just try to get over there and speak to everybody.

Okay, so let's get going with the day. First up, we have Matt Davis as our speaker. Matt is a visionary thought leader and innovator with expertise in business strategy, digital transformation and cyber security. A dynamic keynote speaker and panelist, he shares insight on merging technology, sustainability and building innovation for stakeholders. Recognized with accolades like the Top 50 Government Innovators award and CISO Hall of Fame runner-up, Matt is committed to shaping the future while serving on boards and volunteering as a CPA, CMA. His extensive education includes programs at the Wharton School of Business and the Rotman School of Management. Please welcome to the stage Matt Davis. [Applause]

Good morning everyone. I'm thrilled to be here today. This is the first time for me speaking publicly since leaving my last role, so I had to work with the BSides team to make sure it was okay. They understood that I'm no longer at Shared Services Canada and they still
wanted me to speak, so I'll take that as a good sign. I want to talk to you today about a couple of things. If I look back, in 2020 I decided to embark on a new adventure, and I see some friendly faces from my former life. I decided to take on a new role. I got asked what I thought about the public sector; I'm like, never really thought about it, but I had a great opportunity to step into a deputy role. I had that role for about four months, and then interim CTO for about three months, and then became the CTO. And four years later I have a chance to look back: four ministers, three presidents, a complete shift from remote work to hybrid work, moving from a cloud-first model to a cloud-smart model. Just, if I think about four years ago, I spent a little bit of time talking about AI; nobody was talking about AI, and suddenly ChatGPT hit the world and everybody was talking about AI. People that didn't know anything about AI were coming up and saying, hey, we've seen this new thing, ChatGPT, it's been amazing, and what they're starting to use it for. So it's been an incredible journey.

I want to start off today by thanking the BSides team, all of the team, our sponsors, and all of you for showing up. These events aren't possible without folks like you sitting in the room, and they're not possible without people putting a lot of effort in behind the scenes in order for this to happen. With that said, I'm going to spend a little bit of time talking about some things. I often got asked what it was like to spend time in the public sector, having spent my entire career in the private sector. It really was a significant adjustment. There's a couple of things that stuck out for me. Every single public servant that I met cared about what they did. Think about that, every single one. They had an ability to tie what they were doing back to how it helped their department, helped Canada, or helped the citizens of Canada, and they took that perspective. It caught me a little off guard, because many organizations spend time trying to figure out how do I instill a culture across an organization. I'm thinking, okay, my small Shared Services is 10,000 people, approximately, not quite, getting close to it, but every person I met through that four years on that journey cared about what they're doing, and many organizations try very hard to instill that tone from the top and have it permeate throughout the organization.

The second thing I'd like to say is it was incredible for me to think about the change that we're going through and how important talent is. My team will hear me talk about talent. We're going to spend a little bit of time talking about technology; technology is not the most important thing, talent is. You can't do anything without having the people in the room to be able to help you move that technology forward. It's fundamental. Investing in people is important, and I said this repeatedly to my team: we need to make sure we're putting the right people in the right place and giving them the right tooling and the right skills to be able to do the job. We set up this whole digital skilling program and started out focused on cloud. It expanded to include AI, it expanded to include cyber security, it expanded to include RPA technology. All of those things were important, but we needed to give people the opportunity to take those skills and develop. I often remember back to one of the challenges on the cyber security front when it first started. Really early on in cyber security, look back 15 years, it wasn't anywhere near the conversation that it is now. People were saying, well, if you train the people, they're going to leave. I'm like, what? It just caught me completely off guard. What if you don't train them and they stay? Think about that, think about what's worse. I think you're much better off to train the people and have them develop their skills, and then maybe, here's a concept, maybe treat them right so they don't want to leave anyway. This is my way of looking at it.

One of the other things that was a challenge when I was in the public sector is every day there's a priority; there's literally hundreds of priorities, there's something that's burning, something that pops up. I had to take my team, and I used the time to try and explain difficult things to people that don't truly understand technology in terms that they can understand, and so I'm going to use an example that I used to explain. We used to manage our environment through KPIs, key performance indicators. It's great, anybody heard the term? They're excellent, they're very good in an operational area, but when you're the CTO we don't have a lot of operations; we shouldn't. We have some, but we shouldn't be measuring KPIs. We had over 50 KPIs, so the challenge my team had is which ones are important, how do I figure that out. So we implemented an OKR program, and this is the first time, the one I think the tech sector really understands, OKRs. I brought an OKR program into our environment and said, okay, we're going to do something a little different. We're going to have one no-fail objective. Each team has one no-fail, just one. So think about the idea, and the example I used to explain that: anybody here follow Formula 1? I didn't follow it as closely as I do now. Cars go around the track, and think about all the gauges they see, those are like KPIs: gas gauge, tire pressure, oil pressure, wind, all of that stuff getting tracked, right, all that data being fed in. At the end of the day, we were finishing last. Like, but our gauges are good, we're all good, right? We're not. We want to be on a podium. So the idea was take the OKR, put one no-fail objective in front of everybody and have everybody focus on making sure the entire team is going up doing one thing, one thing that was going to make a difference for our branch, one thing that's going to make a difference for the department, one thing that's going to make a difference for the Government of Canada. Think about things that you do that are going to have that impact. It also takes the eye off of the day-to-day fires that occur in every environment. By having this one no-fail objective, my team immediately felt, okay, now I have something that I can focus on, I can direct my resources to having an impact.

Your ability to communicate is incredibly critical. I spent the better part of four years learning a second language, which is great, so I finished, I got my, I guess, BBB, which is currently pretty good. But the language I'm talking about today is: everybody in this room probably has a very strong technical background, and you have to talk to people sometimes that don't understand technical terms, and you have to be able to communicate in the language that they understand so they care. The best example I have, and I'm not making this up: I was trying to explain zero trust cyber security to so many, and I keep going through it, it's like, well, here, you know, I don't trust my device, trying to explain why this is important in a world where the perimeter-based approach isn't directly, it's still relevant but not as relevant. They paused for a second and said, I'm sorry, I'm not understanding. Why would you have a zero trust approach to cyber security and not a complete trust approach to cyber security? Like, why wouldn't we want to have cyber security that I had complete trust was working? And it was because I spent so much time trying to explain what zero trust was, but they flipped it completely, saying I don't want zero trust, I want to have 100% trust in my environment. It caught me completely off guard, because it just means they didn't truly understand. Everybody who lives in the cyber world understands zero trust, but to somebody that never spends time in that world, they didn't understand where that concept came from. So it took some time to go back and figure out how best to communicate to individuals that may not have the same background that you have.

The last point I'm going to make on my experience is embracing change. You need to create an environment where people feel comfortable to embrace change. A lot of the time, the challenges that I faced were because people were afraid of making mistakes. In some cases somebody says, well, if I make a mistake it's a career-limiting move for me. I'm like, no, no, it can't be like you can't make a mistake. And the example I'm using is, we're talking about AI and AI use cases a little bit later, but like, how do we know that this use case is going to work? I don't know, you're the AI experts. Try it and see what happens. What if it doesn't work? I'm like, well, if it doesn't work then we'll go find another one, like that's the whole point. Okay, but then everybody will know that we weren't successful. Like, that's not the point. The point is to try it, and so try it and see what happens, but do so in an educated manner. I'm not saying just randomly decide, okay, let's try this, go, but make meaningful decisions. And then I had the team go back, they took a look at it and said, okay, here's the ones we think are going to have the best impact, here's the ones where we have great data that can help the ML work. Like, you have to have some foundational reason for making a decision and paring down, because every organization is going to come up with hundreds of different use cases for things. It's important to figure out how best to use a particular use case, and if it works, great, and if it doesn't work, that's great too, at least you learn from it. But it's more important to have the team feel that they could make a mistake and that's not going to affect them, it's not going to affect their career, because they tried something and it didn't work.

Okay, that's what I wanted to summarize for you on my brief foray in the four years that I spent in Shared Services. I would be remiss if I didn't say I'm incredibly grateful for the opportunity. I had so many people help me, help me from day one, help me all the way through, so many folks from industry that helped me along that journey. I'm very grateful for the experience. I learned a
lot. There we go. So there's a quick summary of my recent experiences. I've got a simple, so incidentally this is the first time I've done my own slides in a long time, so hopefully they'll work. I want to spend a little bit of time on AI, and the reason I want to spend time on AI is because I think this is a huge trend that's happening. Every organization is trying to figure it out. As I said, four years ago everybody heard about it, but then it came out and now we're seeing what I would say is the next generation of AI, and the reason being AI was helping to solve problems. Gen AI, the challenge there is there's so many different uses of gen AI and people are just starting to figure out where do I put this, what do I put into my LLM, how do I load them, and what use cases are we going to find from it. So the great news is people are thinking about it, they're thinking about how they can leverage the technology, and if you think about where we've come from four years ago, going back to the example of use cases, now I see people coming up and thinking, can we use AI for that? Like, it's the question now. AI agents is kind of like the new piece. It's the idea that you can start with something like Siri, where you go and say, you know, those are virtual assistants, right; this is going that next step further, where you're going to start to see applications, AI agents, and they're going to form how the workflows are going to function in the future. The challenge is how do you put all those things together. And then I start to think, because my head is wired that way, when I think about cyber security all I think about, and I'll talk about this later, is what's the attack surface, how are we going to protect against that with AI agents, and the hard part of explainability: how do I know how they're making the decision, how do I figure that out? And then it brings in the whole governance and the ethical use of AI and the whole aspect of having all that stuff in place. I think the challenge is that's going to take some work. Organizations are going to continue to invest in AI; you're already seeing it becoming embedded in products. You're seeing things that organizations are starting to take a look at. I just think about, I'm not talking about certain companies, that are using AI and sensors to figure out how they navigate vehicles on roads, or taxis and things like that. So think about the impact of that. They're collecting so much data, they're analyzing it, they're making decisions, and that's the big difference, because if I think about where we've come from, that's a huge difference from the way that we used to operate. We used to think, okay, I can put a prompt in, I can get an answer, but now think about the thinking portion. I think that's the part. Prompt engineering: I told people when they started using gen AI, everybody go take a prompt engineering course. Just like the language I was talking about on communication, you need to be able to ask the right questions to get the right answers, and there's an art to it. I'm still not very good at it, I still try; some of these images were generated by me trying to put prompts in to create that image, and that's the reality of it. There's work to be done there, but it's a skill and it's going to be important.

Okay, I spent a lot of time in the last four years talking about the importance of the network, and I talked about the importance of the network because cloud was a big thing. I'm thinking, okay, well, cloud's great, but it's not actually in the cloud; it's somebody else's data center and you have to get to it. And it's ironic, some people think like I don't understand cloud technology, and what do you really boil it down to? That's really what it is. But the important part is you have to be able to get to it. So I said, well, think, if that's a data center, think about the access and getting back and forth from that data center. It is incredibly important, and it's important because users want the experience. They don't want to be waiting, they don't want to have their app in their hand and be looking at it, okay, I'd like to put something in, I'm waiting, and realize, okay, where's it going? Well, it's going from Vancouver into Ontario and back. Like, no, no, that's not what they're looking for. It's also why we have to think about edge computing, and think about the combination of 5G, 6G, edge computing; they're all driving the same thing. And if you think about the advent of more AI, you start to think, okay, all of that is being done nearer to the user to make sure the experience is better. So you have to have a network that's capable of doing that; you need a reliable network, you need a fast network, and you need to have the data being processed near to where the user is going to use it, which is what you're going to start to see more and more. It was ironic, it came from an organization that had over 700 data centers, and I still have trouble saying that, and the idea was we wanted to reduce that. I think we're down to 200 something, but it's incredible to think of how many data centers are out there. I'm going to spend a little bit of time talking about sustainability a little bit later, but the premise being is that you still may need those data centers near to where the users are accessing their applications. Let's see, okay, last comment is going to be, that's the whole premise of edge AI, if you haven't heard that term before, is the fact that everything is moving closer to the edge.

Okay, quantum computing. Think about quantum computing. I attended my first quantum events probably about two years ago, two and a half years ago, but that wasn't my first experience with quantum. My first experience with quantum was me sitting in a room with an organization that's focused on quantum computing. You want to be embarrassed: they went around the room, I'm Doctor, I'm Doctor, I'm Doctor, I'm Doctor, I think there was my fifth one, I'm Doctor, and then it was like, I'm Matt. There are some very, very smart people working on quantum computing. It was a pretty humbling experience, but what I took away from it was they were at the forefront of figuring out, you know, quantum computing is really going to help us solve some very complex problems. They're just starting, though, and I think that's the part if I look back two and a half years ago. And then for me in the cyber world, I think a little bit about, okay, what does that mean for us when it comes to quantum safe, and how do we think about all of the encryption that's been done. Thank God NIST dug into this, but 2015, 16, I can't remember the exact time frame, they took a look at something like 82 different algorithms from 25 different countries. The good news is we now have choice, because my understanding is there's three, maybe four by the end of the year, like FIPS 203, 204, 205. We are starting on that journey to have quantum safe encryption, but the number of organizations I talked to, I said, well, have you started on the journey? Anybody here, show of hands, people here with work done? Okay, I'm just curious, so I saw one hand. Maybe you're just, okay, so there's the guy you want to talk to. I'm serious though. If you think about the idea of getting ready for quantum and the impact it's going to have, I don't even know if organizations understand where they're using it. So then you start to think about, just like in cyber, I need to know where my assets are. In this case it's like, okay, I need to know where my assets are, but then I need to know what level of encryption they're using, I need to know whether it's going to be quantum safe, and I feel like we are literally just starting on that journey. Some organizations decided, you know what, the first step is let's just start doing an inventory, let's just see what type of encryption we have, and let's just start to see where our most critical assets are and what the encryption is being used for. That could be a great starting point. But my whole point about this is we're about to embark on that. We have choices now, there are ways in order to start preparing for it, but I think it starts with organizations starting to think about, let's do a current state, let's understand where we are, let's understand what our inventory is, and then let's start to build a road map, because at some point you're going to need to use that road map. Oh yeah, the last comment: start; it's a little late to wait to figure this out.

Okay, cyber security. So I wanted to
spend a little bit of time on this. How many folks here have seen the National Cyber Threat Assessment 2025-2026? Okay, so for me it was regular reading. Not surprising, I worked very closely with the folks. They do a very good job, and I think it's really important to continue to read what comes out in the cyber space. In this case it's even more important, because this is a perspective from the Cyber Centre. They talk a little bit about the nation state actors, no surprise there; nothing's fundamentally changed. They continue to talk about how the nation states are continuing to create havoc in the cyber space. I think for me the new piece in there was on India this time. It also provides some insight on the cyber threats, not surprising to anybody in this room: ransomware is still a problem, phishing attacks are still real, frauds and scams are still real. So they continue to reinforce stuff that probably everybody in this room, if they're in the cyber space, has had to deal with at some point. They talk about the trends, and talk a little bit about AI and the fact that AI is creating more challenges, and I'll spend a little bit more time on the cyber and AI piece a little bit later. But cyber and AI: absolutely AI is going to help us; it's also going to create challenges for us, because it's not exclusive to the people that are on the side of protecting against cyber crime. Some of the folks that are committing it are also leveraging AI. Vendor concentration is a problem, and they talk a little bit about that. If you think about the concentration, think about the impact: there was a company this past year, and the impact of somebody applying a patch and it suddenly took down millions and millions of systems around the world, and it was all because of a patch. It wasn't directly related to them, but it was their patch. And so if you think about the impact of that, just how many organizations have concentrated suppliers; they lean heavily on some of the very large suppliers, for not only their application stack but also their security stack. So that's important, understanding that connectedness is important, and supply chain attacks are going to continue to occur, and the attack surface is going to continue to grow. Okay, that's what I wanted to cover there.

The zero trust journey. I was very fortunate when I first started looking at zero trust, I had John Kindervag in my office. Not everybody gets to do that, but for me it was incredibly helpful to get his perspective, and I'll never forget what he said: just start. Every year I go to cyber forums and sit in cyber roundtables; not one CISO I've ever talked to said they were done. When we finished that last year, nobody says that. Everybody is still somewhere on that journey, and I think the important part is we're going to continue to be on that journey, because everything continues to change. I talk a lot about the attack surface; my team will hear me, it's like, do we know what our attack surface is, do we know how it's changing? I think it's critical, when you're on a zero trust journey, that you understand what your attack surface is. And if I think about the organizations, going back to my comment on the quantum piece, I could say the same thing on the attack surface. There's the part that people know about because they're aware of it, but it's the unknown portion that people may not know about, and so that's the part that I keep talking about. Do you truly know what your attack surface is? Do you know how it's changing? Do you know, if there's a change in your environment, what that impact is going to be on your potential attack surface? Furthermore, do you understand the controls that you have in place? Like, how are you made aware that there's a change in the attack surface? I'm a firm believer in running breach and attack simulation software regularly on your environment. Why? Because it shows control effectiveness. It'll let you know, once you understand with all the security stack that you have in place, what stuff is helping you, what stuff is letting you know that, hey, if this breach occurred to us we would know what to do about it. It's an incredible mark.

One of the hardest challenges, one of the greatest challenges I've had, is trying to explain to people, and again going back to my comment about not everybody understands cyber. I think about having to report to boards, sitting on boards, and having to talk to folks about educating boards around what it means about cyber. Everybody wants to know, are they safe, are we protected? So risk quantification on the cyber front is incredibly challenging. You see some of the scores that come out, but even putting a score in front of somebody that doesn't understand: well, am I good? I got a 740. Okay, I might be good, I don't know if it's good. But the moment something happens, it's like, well, I thought we had a good score. Well, we did have a good score, but it still doesn't mean, here's the thing, the threat actors don't read the reporting. So you get a good report and it says, okay, I'm protected, look at it, I compare better than my peers in my industry, great. A threat actor can still launch an attack against you and you could still have a problem, and that's the hard part to explain to people, because they're not reading this going, well, that whole comment about, well, if you have better locks and better guards around your house, chances are they're going to move to the neighbor's. Well, there's probably a good chance that's going to happen, but it's not guaranteed that they're going to effectively move. And all it takes is one person. You think about the social engineering aspect: all it takes is one person to click, right, or somebody that downloads something, or something to that effect, and suddenly, okay, everything that you had in that score might go out the window. I think you need to have all of those pieces in terms of when you're trying to quantify risk. I think about vulnerabilities; again, nobody's finished, vulnerabilities continue to occur, and there's nobody that has anywhere near the resources to be able to address all the vulnerabilities. I think that's a really hard part for people to get a handle on. Every time they're prioritizing, it's a continuous prioritization effort: these are the ones to pay attention to now, but that doesn't mean the others aren't there. Most people, if they're able to get to critical and high, phenomenal; not every organization is able to do that. But reading, going back to the report, some of the vulnerabilities that exist have existed for years and are only being exploited now.

The last thing I wanted to talk a little bit about on cyber is the value of tabletops. If you haven't done a tabletop exercise, and I did this recently, show of hands, like how many people have done one? It's still not 100% of people in the room. So I don't know if your organization, if you're part of an organization doing tabletops, incredible, because most organizations already have an incident response plan but they don't know how it works, and I don't think you truly know how it works until you get into the exercise of a tabletop. I've had an opportunity to participate, be part of a tabletop, see the output from a tabletop, and sit on a board that did a tabletop exercise. It is incredible. There's not a single time I've done a tabletop exercise that I haven't walked away with something, and I know that we are very fortunate, we have the opportunity, there's so much material out there to help people with tabletops, but spending the time, it's getting people to commit to sitting in a room for 2 hours, 3 hours, 4 hours in order to do it, and then take the learnings from that and apply it.

Okay, I did want to spend a little bit of time, okay, well, I'll speed this up a bit. Securing data is going to be a challenge on the AI front. We talked about the importance of everybody starting to leverage it on the cyber front. If I think about cyber and AI, the good news is there is a large company that just came out with the first zero-day discovery using an LLM; I think it was a couple of weeks ago. So this to me was great news, that we are starting to leverage AI technology to help find zero days before the threat actors come. That's a huge game changer in my mind. So we're at the forefront; that's the first time I've seen something like that published, but it's incredible that we're able to do that, and I think that's kind of like the battle that's going on. We need to be leveraging technology to help protect, at the same time all the threat actors are trying to figure out ways to launch attacks against us. The other thing I was just going to briefly touch on is AI. I like the idea that AI agents are going to be there; the agents work 24/7 and 365, they just work, right? But I think one of the challenges for folks in the cyber space is going to be how do we take everything that we've got in our security stack and put it all together to protect us, and I think we're at the forefront of seeing how AI agents are going to be able to do that. This isn't SOAR. I remember when SOAR came out, I remember I was thrilled with the idea of leveraging security orchestration and response technology. It took repetitive tasks and made them automated, so it freed up time for your SOC analysts. That was great for that, but AI agents are going to be even more, because they're going to have that thinking component, and it's really going to boil down to how do you put these things together so that it actually creates a workflow that helps you and then frees up the time for your analysts to work on other things. It's not without challenges, though. The idea of hallucinations scares me. So I think about the AI front and the fact that there could be hallucinations, I'm like, you can't have your analyst then questioning what the AI came up with. So it goes back to the comment about explainability. We're going to have an interesting challenge on our front: we're going to lean in on the technology, see how we can leverage it, but we're also going to have to make sure that we feel really comfortable that we're going to let this AI agent do the work, and I think that's the challenge we're going to face in the next 3 to 5 years, in terms of how do we leverage AI but do so with the explainability and the comfort that we feel good with the decision. My comment is they can't run unchecked; you're going to need human oversight on this stuff. Okay, I wanted to spend a, I spent a lot
of the last couple years spending time on sustainability why because I think this is a this is a critical component for us um the reason being is that every organization has a chance to make a difference and I spent I spent time I've attended a couple of different courses in terms of Ed better educating myself it was a gap in my own knowledge and so I took a couple of courses in order to get a better understanding of what I can do as a CTO to lean in on sustainability um my takeaways are simple find something in your organization people feel good to be part of an organization that cares about the environment but more importantly it can
help Drive innovation in the organization it could have an impact on the culture I've seen some organizations that are leaning really heavily in to their sustainability efforts the whole ESG front is incredibly important and I would I'd be remiss if I didn't talk about it because if I think about the I saw a Forbes article that said you know AI is pushing us towards an energy crisis it's true think about the amount of energy needed to generate you know an AI response we are going to need energy and we need we're going to need more renewable energy you saw announcements about companies leaning in and opening up 3 Mile Island again or you know taking a look at small module reactors
that's because we're going to need energy to drive this technology moving forward and the better that we you know we need clean energy in order to be able to do so um pretty much over time so I'm just going to close with a couple
comments we have exciting times ahe I I can't tell you every day I went into the office there's something new from a tech but it's more more important taking that technology to solve a problem it is incredibly valuable getting the team motivated around having the talent around investing in the skills those are all things that are incredibly important my advice to everybody in this room is think about what you can do to make a difference think about how you can contribute that was the thing I challenged my entire Team every person that shows up to work every day to make a difference what are you going to do to make a difference to make our
environment better to make our Our Lives better to make the solutions that we're providing to our citizens better it you need to find something they need to be motivated in order to be able to do but I made it simple just make a difference so with that I'll say thank you and think about how you can make a
difference okay so I guess I finished in enough time I could take a couple questions or was perfectly clear which I'm hoping was the case well by the way if you like this make sure you mention it on the bside
site we're good
Oh, show results in the next three to five years that you see that we left behind? Wow, I have to pick one. If I think about it, it's probably... I would say it's the digital skilling program we put in place, and the reason being, as you heard me mention, it creates a lasting impact; you invest in people. So we did two things. We really ramped up the hiring program for students, and the reason being is because I wanted to bring a lot of young and early-career folks in to renew the environment. They have an incredible way of looking at things, and I used to meet regularly with the students to hear what their thoughts are. The good news is they don't have filters; I don't know how to say it, they were very candid and open. So when you ask them what's wrong, I still remember this one student say, well, it took me 12 days to get my laptop. Okay, and then I could see the team, like, you know, he's the CTO, right? I said, great, that's great. Well, it's not great, but I'm glad you're telling me. My hope is that by the time we do this the next time I don't have to hear this comment. But their candour was refreshing to have in the environment, and it's great to hear what are you learning at school these days, what can you bring from your environment. So that was one, and the skilling program, just investing in all of the skills. I think the lasting impact is the impact on the people that are on the line, because the skills that they have, that they're able to gain access to, are going to help the government, quite candidly, for a long time.

Okay, Chris, thank you for your great talk. So the question I have is, how would you differentiate, for a company, if they want to use AI, are they just following the trend and the hype, or do they really need it and they're going to solve the problem with it?

It's a good question. Let me think about it. So there is definitely hype. I think there wasn't hype before ChatGPT, though; AI has been there for a long time, and the folks on my AI team, they will tell you AI isn't new. It's just suddenly, like two and a half years ago, everybody woke up to AI. For the organization you're in, and I don't know your specific situation, I think they should start and see where it would be possible, what are areas that they could leverage it. You think about just a simple LLM, putting in stuff that you have to repeatedly answer, the same questions over and over again, like trying to put that knowledge together. That's what I asked my team: go and ask what are some of the problem areas and can AI or GenAI help solve the problem and make it better. That was really the premise for them, and then they came up with, like, well over 100 use cases. Then it started to be, let's look through these and think, well, are these ones real problems, and if AI is able to help us solve the problem, what's the difference going to be? So it goes back to you need to figure out what the value of the AI use case is, and I get it, because not every organization has the skills. But the way I viewed it is, I started spending time on AI and said just try the AI on your phone, just pick one, try it, start asking questions. And the example I used to somebody is, I did it: there's a company that had a search engine, because I'm not using company names, right, I got a company that had a search engine, and then I went and did the same thing with a GenAI, and here's the difference. The company with search came back with 17 pages. The question was simple: find me the best Italian restaurants around 99 Meda, where my office was. 17 pages versus one list of eight with links that took like, I don't know, 10 seconds to scroll through. I said that's the difference. So if they're using search at all, like, I'm thinking you're already starting to see why companies that focused on search are now trying to add AI. Okay.

Thank you so much for your insight, and as a cyber security and AI researcher I really enjoyed that you mentioned explainable AI. I'm from the UK. I enjoyed that you mentioned retaining people and encouraging them. The question is, what's your opinion in terms of the problem you currently have, you have probably here as well, in terms of teamwork, in terms of the soft skills? In cyber security the majority of the people focus on the tools and techniques rather than the soft skills. What's your opinion?

I'm not sure I fully got that question. I'm going to try and paraphrase: were you looking for the softer skills of AI and collaboration within the team?

Okay, so for the benefit of the folks, this is more about the team working together. You have folks that are working on the AI and you have other folks on the cyber team, so to me that doesn't sound completely like teamwork. So the example I often use with my team when I explain it, so I don't know if anybody here does Dragon Boat races, but it's a big thing. I use this as an example. I said I can't have somebody beating the drum at the front, which would be your CISO, and the people in the boat: some people showing up standing on the dock, some people showing up with anchors, some people showing up with paddles in the water but not using them, and other people in the boat have them. They all have to be on the same team; it's a team sport. So I'd be trying to figure out ways to get collaboration within the team, and I'd be trying to put exercises in place to get them to communicate. So if somebody was doing something in AI, in order for it to be successful they'd have to explain it to everybody else on the team and then have the whole team vote as to whether or not this is something for... like, you have to create a forcing function in order for that team to work together. Sometimes it's very challenging because there's some strong personalities sometimes in the room, and sometimes, quite candidly, you might have to remove some personalities in the room in order to have teams work in smaller groups and get consensus around certain pieces. You've got to find ways to get the win. That's the way I always said: think about, okay, you collectively have an objective, you have to come out of the room in agreement, and if they're put into a box like that, it's amazing the number of times that they will come out, because they'll realize otherwise they stay in the room. I don't know if that helps or not, but that's some of the things.

You mentioned that you're going to be able to use AI to find zero days before attackers do. Knowing that attackers are going to have access to this power as well, how confident are you that you're going to be able to stay ahead of them still, and how might prompt engineering play a role in that?

Okay, so I'll take two questions. Prompt engineering, I think, for me is just being able to ask the right questions, and so teaching the team, once you have an LLM, how to get the best out of it; so that's the skill there. The threat: I'm never going to be comfortable. I'll be honest with you, I'm just going to make the assumption that threat actors are going to be finding unique ways in order to launch different attacks. I guess the way I viewed it is back to some of the things I talked about: zero trust. If you truly embark on the zero trust journey, you keep looking at those areas that you need to improve upon. The idea being is I have to have identity secured, I have to have multi-factor in place, I have to have all sorts of... whether it's network segmentation, I have to be testing my controls, like I talked about with breach and attack. But I will never feel comfortable; it's just who I am, and I don't know anybody who sits in that role and says, yeah, I'm going to go sleep well at night, because you just don't know what the next attack is going to look like. But I do think investing in it and understanding what that technology can do and how it can improve your defenses is going to be important, because going back to my comment about AI agents, 24/7, 365: I have some really good people who worked for me in the past; not one of them worked 24/7, 365. At some point everybody goes home to their family.

Okay, all right. Again, thank you everyone for your time today. Have a great day; enjoy the rest of the event.
Good morning, BSides! How's everyone doing? [Applause] So, where are the folks... First of all, right off the bat, I want to thank the amazing organizers at BSides Ottawa for allowing me and giving me the honour to attend today. It is a privilege and an honour, being a second-generation Canadian, to be on the land. I want to honour the people of the land, the Anishinaabe Algonquin Nation, and honour all First Nations, Inuit nations and Métis and their valuable past and present contributions. It is without them... that we are here. And so today we're going to have some fun and we're going to go on a little bit of a journey together.

So with a show of hands, how many people here immigrated to Canada? Show of hands, quite a bit. How many people here are from Latin America? What part of Latin America? Colombia. I love Colombia; I stayed in Bogotá. Best coffee in the world, by the way. How many people here are from Europe? Nice, what part of Europe? Germany, nice. And the Middle East, folks from the Middle East? Where? Palestine. Where else, anyone else? Yes, nice. Asia, well, Southeast Asia, my Indian crew, yeah. What part of India? Pakistan. Heck, what's wrong with Pakistan? Australia, whoa, down under, nice. It's beautiful to see the folks that we have from different parts of the world, and what's interesting is on October the 8th, 1971... that's fine, here we go. On October the 8th, 1971, on this land a gentleman by the name of Pierre Elliott Trudeau, the father of our current prime minister, adopted a multicultural policy which forged the way of immigration and established the Multiculturalism Act. Now this policy led the way for immigrants who came to Canada, and this was in the 80s, when my parents went from India to Pakistan, got on a plane and landed at Lester B. Pearson International Airport, and they moved to a very interesting area in Canada called Scarborough. Anyone here from Scarborough? Yeah, oh wow. What part of Scarborough? Brimley? Malvern? It's a great area. I grew up at Cal and Lawrence, and what's interesting about Scarborough is the multiculturalism, right, the amount of folks that entered Canada. And so when I was a young boy I grew up with folks from all parts of the world. I grew up with folks from China, Africa... oh, by the way, how many people from Africa here? Nigeria in the house, nice. And I grew up with various cultures, various languages, various religions at a very young age, and it taught me a lot.

And there's an interesting story that I wanted to share with you that I've never really shared before, but I thought, I'm in Ottawa, what better place to share it. It was when I was about 10 years old, everyone, I for the first time felt racism. And I was born here; I was born in Scarborough General Hospital. And I would be running home and people would use a certain derogatory term. My Pakistani friend here probably knows where I'm going with this, and the term was "Paki", P-A-K-I. And so I would run home with kids throwing rocks at me, and as time went on I would fight back, but a whole bunch of other people would join me: folks from Africa, Sri Lanka, Punjab, Australia, like just random people would be running with me because they were all being called Paki. And so one day I came home crying, I think I was like 12 years old or 11 years old, and my mom said to me, she said, "Beta," which means son, "do you know what Paki means?" And I said, what, what does it mean? "Clean." She's like, they're calling you clean. And it had a little bit of a mind shift in my head, and I was like, wait a minute, they're calling me clean; that's a good thing.

And so time went on, and we were talking about Scarborough here. I'm going to take a step back in history. There was a family by the name of David and Mary Thompson who came from Scotland in 1799, on May 21st, to Canada, and they moved to an interesting area called Scarborough and they settled there along with their 11 children. It's actually located at McCowan and Lawrence, or Brimley and Lawrence; it's actually Thompson Park. Have you ever been to Thompson Park? Yeah. And I went to a high school there called David and Mary Thompson. And I tell you this story because everyone has come from somewhere to this beautiful country we call Canada. And for those that grew up in Canada, and as I said I'm a second-generation Canadian, Canada was a different place before than it is now. People would open the door and say thank you, people were polite, they would not throw garbage on the streets, people were respectful. Something changed along the way. Now, some say it's immigration, some say it's our values. I mean, for me, I think the biggest pride is every morning listening to the national anthem, and it's funny, the other day I met a person who sits on the federal side of the government and I said I think it should be a law where they play the national anthem every morning at 9:00 a.m. across Canada on loudspeaker and everyone has to stop to show the pride. But along the way we lost something. Now Mr. Trudeau, the honourable Trudeau, and I know I'm in Ottawa so I've got to be a little bit careful that I don't go down a rabbit hole here, but he brought in the same immigration policy, and so we saw thousands and thousands and thousands of folks enter Canada.

And the conversation is about how to navigate your career in cyber security, and one of the most challenging things that I face when I speak to people in cyber security, and I teach at schools and I do a lot of talks and mentoring, one of the biggest challenges that I face when people talk to me about the challenges and struggles that they face is experience, right? That's one. What else is there? What other challenges do we face? Race, gender, language, culture, a whole bunch of challenges that my mother and father faced as well, but they persevered.

And so we're going to start off with the first lesson of today, and it's called confidence. Now along the journey today I'm going to give some advice. You can take it, you cannot take it, but I'll tell you this much: the advice that I'm going to give you has been tried, tested and proven over the years. I've given this advice and I've seen it come to fruition. At a very young age in my entrepreneurial world I came across a lot of people that would enter Canada that were doctors, lawyers, engineers, etc., etc., and they went down two different paths. There was one path where they didn't go back to school, they didn't do the things that they needed to do to be a doctor in this country, and then there were other folks that did, and they sacrificed their time and became doctors.

So the first, biggest challenge that I see with folks is language, the language of English. And how many people here, with a show of hands, is English your first language? How many people here, English is your first language? Now, to build confidence you need a strong command of the English language, and if you don't possess that it's very difficult to have a conversation with anyone, whether it's a job interview or it's just having a conversation. Now it's funny, the other day I was speaking to someone who was from India and I asked them, explain governance, risk and compliance to me, and they explained it in English and it was a little bit difficult, and then I said explain it to me in Hindi, I understand Hindi, and it was amazing. And so the lesson you take from that is, yes, in your own personal mother tongue you possess this power of communication, but when it comes to translating it into English it becomes very difficult. So what's the advice? So the first advice that I would give on building confidence is enhance your English. Really, you're in Canada; you have to be able to communicate in English efficiently and effectively. So how can you do that? What's a quick solution? So I'm going to give you the quick solution. It requires you to walk into a library, take a book, any book that you want, and every day for five minutes read out loud, and I promise you after 30 days... and record yourself: record yourself on day one, and then record yourself on day 30, 60 and 90, and what you will notice is a dramatic difference in how you speak. So number one is language.

Number two, culture. Now one of the other things that happens with people that come to Canada is we end up hanging out with our own. The zebras hang out with the zebras, the giraffes hang out with the giraffes, the elephants hang out with the elephants,
and it's okay, it is really okay to hang out with your own, but you have to learn about other cultures. If you look around right now there are people here from all over the world. How much have you learned about folks, for example, from Africa, about folks from Pakistan, or from Pakistan to Palestine, or from Palestine to Australia, the Australian guys, right? But how much have you learned? And so I go back to my story growing up in Scarborough, and for those that know, it's very unique because every street has a different culture, different food, different language. And then it gets really micro, where you have, for example, a street of Indian food, it has different areas of India, because biryani in India has different cuisines all around India. So culture is very important.

Now taking another look, food. Food is one of the easiest things to talk about and learn. Anyone here from Somalia? Somalia, nice. North or south? Nice. How do I know that? Well, first of all, they have some of the best rice and chicken in the world, and that hot sauce, that green hot sauce, amazing, and they have it with banana, believe it or not, and it's amazing. Isn't it delicious? Delicious, it really is. But when is the last time you walked into a Somalian restaurant and ate Somalian food? And this all leads to something called social engineering. If you're able to walk into an interview and within a few seconds, that gentleman there is the one that's interviewing me, to say, hey, what part of Somalia are you from, and he goes, from the north, and you're able to talk about that for a few seconds, what kind of impact do you think that has? It's huge. But the problem is we stay in our little box.

And because I'm Indian, I'm going to pick on the Indian folks today, because it's the only one that I won't get in trouble with. And so I have a problem with the Indian folks here, not all of them, some of them, and that is: you come to this country, you got on that plane, right, you left your family, you left your friends and you said, I'm going to come to Canada. But why? Why did you want to come to Canada? Anyone here from India? Actually, I think we had a couple of folks. Why did you come to Canada, person from India here? Actually, just ask Pakistan since you're in the front: why did you come to Canada? Better opportunity, safer place, be able to speak freely, quote unquote, really? Now that's a... I would hold, you don't want me to go down... So I have a question for you: how's the food here? What's better, the food back home or the food over here? Really? Interesting, that's the first time someone has said that to me. And the reason why I say that is the food in your country is completely different than the food here, the environment, healthcare. Healthcare used to be amazing; now it takes 20 hours to get a doctor, you have to stand in line. So people came to Canada for an opportunity, but what they did is they didn't take advantage of that opportunity. And what did we do? We got on that plane, cried, said goodbye to our family, and we said I'm going to find a new... I'm going to make something, I'm going to come to the land of opportunity. You arrive, you're motivated, you're driven, you're passionate, and then something happened along the way.

Now, question: how many people here are looking for a job, just with a show of hands? I know it's a... yeah. How many people here work in cyber security or have studied cyber security but are working another job? How many people here are in junior roles in cyber security? And how many people here are in senior roles in cyber security? Wow. The senior folks need to hire the junior folks; that's what needs to happen. We can solve everything in five minutes. Now for those that decided to put their hand up and didn't decide to put their hand up, this is for you, and for those that are in the senior roles, this is for you as well. We need to really encourage the folks that are here and motivate them. And for the folks that have come to Canada, this is a message to you: now disable Instagram, disable Facebook, disable Snapchat, disable TikTok, and spend time on yourself. You came to this country not to watch Indian movies, I'm telling you, like, straight up. You came to this country to learn, to become better, to become great. Don't lose that opportunity. The worst thing is to go back home and people ask you what did you do, what did you learn, and you have zero to show for it. It's the worst thing. But you're in a country where there's so many opportunities; you have to grab the bull by the horns.

So going back to confidence, the only way to build confidence right away is, number one, increase the strength of your language and the ability to communicate; get a book, do that. Number two, culture. I encourage you all today to go to someone from another country, just look around and go up to them and say, hi, how are you, my name is so-and-so, I'm from Pakistan, where are you from, and build a relationship. Number three, go check out that Somalian restaurant in Ottawa. Is there a Somalian restaurant in Ottawa? There are a couple. Ask that gentleman there for a really good review on a Somalian restaurant. But go out and eat other foods, other cuisines, and what that will allow you to do is build the ability to socially engineer with folks. Now we're in cyber security and we talk about social engineering, but one of the things we miss out about social engineering is ourselves, the ability to speak to someone. And I'm not tooting my own horn, but I have the ability to speak to anyone, anytime, any place. I actually love it. Yesterday we were at Walmart, and even the folks that work at Walmart, I was able to pick out, I was saying hello to them in their language, I was making jokes with them in their language, and they're looking at me going, what's going on here? And what that does is instant. And we were trying to find this Santa Claus inflatable balloon, and we went to three different Walmarts, and it's out there in the side, in the escape room, and we couldn't find it, but finally at the third Walmart that we went to, because we built a little bit of a connection, she went in the back and found it and brought it out to us. Why? Because it was a little bit of, you know, that thing. That's important.

Now actually I'm going to pause here for a second. Any questions about confidence? Pretty self-explanatory, right? Okay, we'll move on to branding. Now, branding: what does branding mean?
so I have been I I think I was born with one specific talent and has the ability to Market things uh and I think I do a really good job of it uh I have a great team uh that we've been able to work together and build a really cool brand called cyberx but I'm not here to talk about cyber I'm here to talk about you and so with the show of hand how many people here have their own personal websites 1 2 3 4 5 6 7 8 9 so you're in the technology space how difficult is it to create your own websites now why would you do that why would you create your own
website because it displays who you are in the age of Technology imagine for a moment went out bought a domain with your name in it.com and put your resume on there a really nice goodlooking one and by the way I'm just going to Sidetrack on resumes let's stop using 1960 resumes right there's so many really cool resumes out there I encourage you to go online and type up cool resumes fun resumés captivating resumes you're going to come across really really nice resumes please do that that's another side lesson but website building a website a building confidence right because you're like who I was able to put something together and if you don't know how to build a website
and you don't have the technology skills nowadays you can jump online learn it nowadays there's templates out there you can build it but you should have your information there your past jobs your you know favorite food uh things that you're doing basically a place where you can display yourself websites so I encourage you again please over this weekend now here's the thing there's only about maybe 10 people here that are actually going to do this and unfortunately the rest of the folks are not and I'm not trying to be negative I'm just trying to be realistic why are the 1015 here going to do it because they're like yeah wait a minute I should be doing something and
the other folks are going to look at it and go it's too much work let me just go back to Instagram and so that's why I said disable all those things because what I do want you to do one of the things is take the look at your past uh how much time you spent right can do that on your phone nowadays and try to decrease that time I disabled all my social media except for l about 3 years ago and it was the greatest feeling ever you feel liberated you feel free and you have so much more time and the first thing that I did is I wrote a book Because I had so much time to do all
these really cool things so number one quit please number two how many people here have led in a lot of people how many people here have used their LinkedIn in the last week now LinkedIn is a very powerful tool in helping you navigate a career inside your Superior why anyway why is powerful to yes connection what this is how she found out about this event is through Linkedin connections I'll tell you this much I have made a lot of connections on LinkedIn I mean I'm here because of LinkedIn LinkedIn is such an easy tool and again that's why I say disable all the other social media and spend your energy on LinkedIn there's so many cool
things you can do you can join groups you can learn from people you can message people you can just so much it is a social Community to help build your career because guess what people do when you go for a job interview they Google you right when they Google you the first couple of things that they should see is number one your website number two your linked profile you don't want to find in your Instagram with all the pictures of food you posted which is great but remember you can take those pictures of really cool food that you created and put it on your website so it builds a little bit of a personality so number two is
website, number three is these sort of events, networking. And a lot of times people shy away from events like this, or when they come they don't take advantage. And so ask yourself this question: how many people today, since you've been here for the last two hours, in the last break, did you go up to someone random that you never met, or did you just connect with the same people you've seen before, or did you just mind your business and walk around and not speak to people? And if you did that, you're missing a huge opportunity, because I'm looking around at this room here, and right in the front for example we have senior leaders from... where? Government? Private? Ooh, private, the dark side, nice. But before you were government, yeah, you look very government, and then you went to the private side. But there are folks all around, and all you have to do is introduce yourself. Now the problem is, well, wait Maddie, I'm shy. And the reason why you're shy is because you have not built the confidence to have that conversation like this, and you can't do that if you haven't learned a little bit about different cultures. You have not learned a little bit about the food, the language, the religion, geography, just simple things: the capital. Someone says to you, hey, I'm from India. What is the capital of India? You should know it. There are so many Indians here, for those that are non-Indian, to meet someone that's Indian. And so the only way to spark the conversation a lot of times is, well, how do I start off, what do I say? And that comes down to social engineering, and the only way you're going to build that confidence, as I said before, is to go back to square one.

So now we've talked about confidence, we've talked about branding and how to stand out, and now we're going to talk about probably the most challenging problem that folks face in navigating their career in cyber security, and that's experience, right? So what do we do? We just, okay, I don't have experience. How many resumes have you
sent and not received an answer? How many interviews have you gone into and you just didn't get the call back? And in the back of your head, do you sometimes think maybe it was my experience? Yeah, for you, experience. And for many people this is the number one challenge. I speak to you... I teach, for example, at Sen College and I go through probably about 50, 60 kids. We also put on cyber security events in Toronto and I come across thousands and thousands of folks messaging me on LinkedIn and saying, Maddie, we need experience, how do we get experience? And so for the last several years I've been giving this particular advice on how to build experience. So for the senior folks, hopefully you're going to be like, yeah, you know what, I get that, that's what I should be talking about. For the folks that can't find a job, for the folks that are working in another world and they want to be working in cyber security, this is how you build experience. And it's very easy, but it requires you to spend time on yourself.

And so number one is self-learning. Now you're like, what does that mean? If you go on YouTube and you type in SANS certification or penetration testing or blue teaming or anything, there are thousands and thousands and thousands of hours of content. When is the last time you actually listened to them all? Now remember, when you learn something and you hear it for the first time, you only retain about 10% of that information, and sometimes it becomes daunting because you're like, uh, I only got 10% of this, how do you get to 100? And here's a simple formula; it's actually, once I say it, you're going to be like, that makes total sense. So number one, you learn something, right? So you're learning about penetration testing, you're like, you know, I don't know too much about it. Then we learn about it: you go on, you learn beginners... let's just say beginners, you go to beginners. The way for you to go from 10% to
20% is now to learn more about this. Really go to the library, go online, find other resources, highlight words that you didn't understand, ask people and learn more. Now it's 20, 25, 30% potentially. Then what do you do? Teach it to someone. Teach it to anyone: teach it to a friend, teach it to family. Once you teach something you get to that 50, 60%. And then what do you do? Teach it to a 5-year-old. And so it's interesting, there was a story that someone told me some time ago and that was about archery. And, you know, if you want to learn about archery you're going to go learn about it online, then you're going to go take lessons, you're going to learn about it, and then you're going to get better and you're going to practice, practice, practice, spend time. And then eventually you're going to get to a certain point where you want to master it. And so what they do in this particular archery course is you've got to go and teach 8-year-olds how to do it, and imagine you have to now get very technical, you have to get very involved to explain it. So you start mastering something. So lesson number one of building experience is self-learning.

Now imagine for a moment you walked into an interview and you said, look, I didn't take the $20,000 SANS training, just straight up, I didn't take it, because, you know, you don't have it. You don't have Certified Ethical Hacking, you haven't, you know, gone to any of these certifications out there. You don't have it because A, you don't have the money, or B, you've taken certain certifications and unfortunately they're not there, I guess, I mean, that's the right word to say, but they just don't have that oomph that you need, because everyone's taking it and it's six weeks. So imagine though you walked into an interview and you said, look, I'm going to be very blunt with you, I have not taken the SANS certification training, however I learned it myself, you can ask me any question and I know it, and I hope after I get this job that I'll have enough money to go out and get that certification. Imagine for a moment doing that, but it takes confidence as well. And I know people that have done that and have gotten a job just doing that. So self-learning: there's so much information out there on YouTube, there's so much information online, there's so much information on LinkedIn where you can start taking courses and building and learning, and then continue, keep going, keep going, keep going.

Number two is competitions, right? There's a capture the flag around the corner here. There are capture the flags and hackathons that happen all the time. How many folks here have been involved in a bug
bounty? How many folks here that are new to cyber have a TryHackMe account? What do you rank at? When's the last time you used it? And so imagine walking into an interview with no experience and saying my TryHackMe score, or ranking, is 5,000. That's a big number, that's a very, very big number, but why can't you get into the top 50? Now a person sitting on the other side is going to go, holy beep, this person doesn't have the experience but they're able to, um, you know, show that. Okay, so I'm going to get down, I've got about five minutes left, yeah, we're going to end this off very, very quickly here. So no excuses, that's it.

All right, square one, we're going to speed through this now. What's the most powerful word in the English dictionary? Anyone know what it is? Why. Why is the most powerful word in the English dictionary. My son, he's five years old, all he does is ask me why: why is the sky blue, why is this, why is that. What happens along the way as you get older is we stop asking why. I want you all to ask yourself why: why did you come to Canada, why are you in cyber security, why are you not doing... why are you not getting that job? Face the truth, face your truth. Number two is creativity. Remember when we were kids, when you were in kindergarten or grade one, and I've got a grade one, I've got a junior kindergarten kid right now, and what he does when he comes home, and I ask him what did you do today, he's like, I made a sandcastle. When's the last time you drew on a piece of paper with crayons a house, a picket fence and a sun? Why is that important? Because it takes you back to the ability of creativity. You need... one of the things that we are missing is creativity. We come here, we start working, we get involved with so many things and we miss out on creativity. Last thing is love. You've got to have love for what you do. If you don't have love for what you're doing, don't do it, get out, go home, get into something else, because if you don't love what you're doing, what's the point? I wake up every morning loving what I do. And the end lesson here is resiliency. You're tested with three things in this world: health, wealth and family. Everyone, every single person here has been tested with all these three things, and they're happening all the time. Sometimes it's the money problem, health problem, family; they're always taking you down. But then guess what? You go home at night, you put your head on the pillow, you wake up in the morning, and you wake up.

So I'm going to end off with one of my heroes, Rocky Balboa, Sylvester Stallone, and in Rocky V he says a very powerful thing to his son, and he goes, look, in this life you're going to get beat down left, right and center; it's about you getting up. So I encourage you all, as I end off here, to get up, to build that resiliency, to find that purpose of why. I want to thank you all for the time you spent with me today. I want to thank the volunteers at BSides, all the folks in the yellow shirts. I encourage the senior leaders, please go out to them, say hello, find out what they're doing, they're all looking for a job. I want to again thank the organizers of BSides, all the sponsors, partners, and you all for listening to me for these last 45 minutes. Thank you.
I'll take that. We've got a couple of minutes, five minutes. All right, I'll take some interesting questions only, please. There we've got one, we've got one right here.

Yes, simple word: equivalency. I'm an expatriate; I came to Canada 50 years ago. My education ended in '64 at a college of advanced technology in the UK and I can't get hold of my original diploma. Nowadays the Government of Canada requires access to your original diploma. How do you compensate for equivalency?

Well, you've got an administrative problem there, seems like, and I mean I'm not an administrative person that deals with... I mean, I hate red tape. Part of me is allergic to coming to Ottawa because of exactly that. Um, you know, what's the answer to that? I mean, just thinking out loud, what I would do in your situation is A, go to London, get some good fish and chips and a jacket potato, and figure it out from there. That's the only thing you really can do. Doing things from here is very difficult, so unfortunately that's what you're going to have to do. Now if you're asking about, well, you know, equivalents, I mean you've got to tell that story wherever you are, in an interview or job resume. People are understanding to this stuff. If you're able to show a little bit of proof that you've done that, it'll go a long way, but if they're like, no, we need that piece of paper, well, I'm sorry to say you're a little out of luck. The only way is an Air Canada flight, 7:30 p.m., to Heathrow airport. It's the only way to figure that out, sorry to say it. Hopefully that's a good one. Yes sir.

Yeah, so again it's not really an interesting question, it's just something that, you know, I've done throughout my career when I'm hiring people and putting teams together, and I think a lot of people miss this, and I didn't really see it in your presentation. But when people are thinking about, talking about experience, so let's say they just started in cyber security, they should really think about those experiences that are outside the box that will help them,
specifically things like how do I do risk management. Well, I've been doing risk management all my life, and even if you're not in cyber security you're doing risk management all the time. And, you know, diverse communities have different ways or different views on risk management. So, you know, having never experienced racism, you know, when I walk down the street... you were talking about going home and people picking on you, so your threat management, your risk management is different than mine. And people who are new to cyber security might not have that technical background, you might not have those years and years and years of experience in the cyber security industry, but they have experiences. So think outside the box when you're going forward with what your experiences are, so you can bring that and highlight it: my diversity brings something to your team that you don't have or you might not have.

So here's another one, this is a bonus lesson, and I'll be very quick with this, and thank you for that question. One of the ways to build experience, and I've seen people do this all the time, is first of all build your brand: have a website, have all that information that I talked about, have that confidence, all of that stuff, and then go door to door to businesses. Imagine for a moment you're studying cyber security, threat intelligence, at the University of Toronto, and you can't find a job and you have zero experience, and you go to a bunch of small mom and pop businesses and you walk in and say, hi, my name is John Doe, I'm currently studying threat intelligence at the University of Toronto, and what I would like to offer you for free is a vulnerability assessment. And obviously you're not going to use those words, because they're going to be like, what language are you speaking, but you're going to say, I would like to help you with your cyber security defence, it's absolutely free, here's a letter from my teacher that says I'm allowed to do this, I would like to help you. If you go to 10 businesses, guess how many will say yes, help me for free? The average is about four. Then what happens? Four people you help, three things happen from there. Number one, they hire you now, or they say, hey, can you do this for us, can you add this for us, and now you suddenly get into this conversation where you're now consulting and helping. Number two is they'll refer you to someone else. And number three, worst case scenario, they'll say goodbye, I don't want to speak to you again. But guess what? You get to add that to your resume, you get to add that to your LinkedIn, and after a month you have 20 companies that you've helped build their cyber resiliency. That's an easy way to build experience that costs absolutely nothing other than your time. One more, yes sir.

Okay, thanks, it's more a comment. Thank you very much for the talk. It definitely triggered something in me, though, because in the very beginning you were talking about cultural differences, and I would like to suggest that if someone is looking for career progression you need to deal with other cultures. As a unilingual white older guy, I still have to take language courses and writing courses to talk to the executive culture, etc., etc. That's my single comment: it doesn't stop at any point.

Love it, great way to end this off: keep learning, keep building, and that's the moral of your story. Yeah, again thank you very much everyone, make sure you check out cyber security at gab, and have yourself a wonderful two days. Thank
you.

This is happening today: we have tools in various sectors of cyber security where AI is just helping you do all those things that would have been impossible a few years ago. So as we sprint into this future with AI, I just want to keep one thing in mind, and that's very crucial: even though it is being perceived like AI can do everything, AI is still not a magic wand. AI cannot alone do or achieve everything that we think it can, not at least at this stage that we've got. Well, there have been talks about AI replacing humans and AI doing different things and human job loss, etc., etc. At least when in November 2022 ChatGPT became commercialized, things started, you know, boiling down; every conference that I went to I kept hearing about this talk: hey, is AI going to take our jobs, are we going to have job losses? I don't think so. You are all professionals, you have been in the field, AI has been here for a couple of years now. I don't think that we are seeing rapid job losses because of AI. I think what's happening is more towards that perfect blend where AI and humans are working together, as it should be.

So as I said, we're going to start a little bit by looking at the good side of AI. What have we got today? In your day-to-day, in your cyber professional experience, you probably would have been using something related to AI, an AI tool for threat intelligence, for malware, for something related to incident response; if not, you should look into them. They're really, really good. At a rapid speed they can, I would say, look into your large amount of data, they can look into all of those emails coming in and out, they can look into all those, you know, issues popping up, events popping up, and you don't even need to look at them because it's taking care of itself. AI today has the capability to solve a problem even before an analyst can get to it. It is not only just looking at it, it is also analyzing it, detecting the pattern, figuring out what the steps could be; it is also sometimes filling out documentation, providing results, even updating those playbooks for you. So today in this environment we've got tools, AI-related tools, which are taking care of all of that, which would have been something we would never have thought about until AI became commercialized to this level. So there's definitely so, so much good about it. Just if we look into one of those examples in the financial sector, the banking industry, I'm not going to name any examples here, so I will just focus on one of those financial sector examples, where AI today can even identify if there have been any issues with your credit card transaction: it will quickly identify, it will quickly block, it will inform an analyst about that, who would reach out to you, and this in return would save you so much back and forth. Human intervention is barely needed; AI alone can do all of these repetitive tasks itself without humans needing to be involved at this
level. Looking into a few more goods here. So, you know, if I take a moment to think back where we are, just like we were talking, from the days of the antiviruses, the days of the firewalls, the days of IT security in the back chair, to where we are today with AI-driven security programs analyzing the network traffic, the log monitoring, the emails, the threat detection, the incident response, all in all good, we all have come a long way. We are seeing the good, we are reaping the benefit, going from one place to another without even, you know, feeling the pain of this way. We have the threat response with AI, different systems which are risk based: it's assessing the risk level, mapping all those and then doing a complete check. We have network block monitoring, etc., etc., so on and so forth. I think I covered a lot about those goods, and they boil down to giving you, or helping you: the helping hand, that friend that never sleeps and is always working 24/7, something that was also described this morning during the keynote, that having that friend that never sleeps, working 24/7, 365 days, is something we couldn't dream of, and it is a reality today. But you're all here, sorry, you're all here to not talk about the good, or just about the good, today; you're all here to also know about the AI
security and the balance of things. So I'm going to quickly go a little bit onto the other side. So as you see I have an example, and this is very close to me because this happened to me several times, and I have put my thoughts about it on my social media too. So what has happened is, I was definitely trying to write a paper and I was trying to submit it, and this is one of the commercially available AI checkers; you can try this example yourself, and I would love to know if you have already done so and what are your thoughts. I had written a draft down, and of course my best friend ChatGPT helped me to get there, and after I finished that, what I've done is I've copy-pasted it, because I wanted to know what the result is going to be from the AI checker. This is a non-paid version, generally available. The result you see is 30% on the screen, and you'll probably be asking me why are you even bringing this up, that's still normal to you. Guys, are you surprised? What is showing 30% was completely written by my best friend ChatGPT. Why do I have this as an example? Because a few moments ago, when I actually spent a couple of hours writing everything down on my own and I put that into the AI checker, it had a 90% match. Why that happened I have no idea; I don't think I would ever know. I tried spreading the word in my community, I tried asking a few questions to different people, and everybody came back with a similar answer if not the same: they're all facing the same problem, they have seen this as an example, and they don't know the answers themselves.

AI today in its current form is doing so much work for us, but it's still like one of those aloof friends: when you ask it something, why has it happened, it would probably say it doesn't know. How would you figure out why you got to a result? And I'm specifically talking about the generally available, the commercialized AI, the out-of-the-box AI. Most of us in our day-to-day might not have our own access to our own or company-owned LLMs with clear clarifications out there on how to know how it got to these answers. Most of us, with those checkers and those AI models that are out there, would never know how it got to that answer. And this is just the tip of the iceberg; this is the tip of the examples that are going to follow, and I only use that as an opening, a segue to the next point. Just like what was discussed this morning in the keynote session, there are some parts of AI that we would
possibly need to think about, and think hard. Hallucination was discussed, and one of the problems, because hallucinations can lead to not just, uh, issues, it can lead to catastrophic failures, and sometimes the answer we get from AI is not just, you know, arrogantly wrong, it is dangerously wrong. And hallucinations could lead to reputational damage, could lead to all sorts of problems, and lose that customer trust. I don't want to go into the details of AI hallucination, because you've probably heard enough sessions which talk about what AI hallucination is, but it is a thing today. In case you have faced it, I would really love to know, during the discussions, during the question period, what are your thoughts about it.

Next point I would say is interpretability. I'll come to that with an example. Let's say, I think a lot, many of you, are driving electric vehicles, EVs, in a few years if not already. AI is within that vehicle; you are just giving instructions and it's taking you wherever you wanted, and suddenly it took a wrong turn and you just asked why it did so, and the answer is it doesn't want to tell you, it doesn't know, or it doesn't want to tell you. You would be very, very irritated by the answer. That is the simplest form of example. Going back to my AI checker example, that is also another form of AI interpretability. The AI that we've got today has this issue. There are so many publicly available AI tools, including, you know, as I keep referring to, my best friend ChatGPT. So many times I'm putting in a question, asking, and the answer is not right. Especially, I mean, I would say in a recent example, my husband, he is in cyber and he loves using AI because he's also in product; he was taking examples or asking ChatGPT to write different code or help him with the code himself, but soon enough he realized that the code that's coming out might not all be nested together. So whenever a question goes in, the answer is just directly for that question; it has no, I would say, recollection of different ways of putting it all together, looking at the holistic view. It's just fitting out the answer for the question it has in hand today. You might have a different experience in different AI or LLM chatbots or other models that you have used today, but I'm still going to focus on the generally available AIs and the experience with that.

AI bias is a thing, and you can see one of the easiest examples with the resume collectors. There have been a few examples out in the industry already where the resume sorting tool with AI capabilities has been diagnosed, I would say, with AI bias. It is out there, it's happening, and it's still not been cured in a way, or not at its best form; it's still there and it definitely needs a lot more, I would say, refreshments and work to be done to kind of get it to a better state. And last, but my most favourite topic, I would go back to the initial example that I've given about the AI chatbot within the startup where it started viewing the personal data, a topic very close to my heart about legal and regulatory discrepancies or issues that are happening. A chatbot, I can only recall one of the examples today, where a chatbot gave a wrong suggestion to a customer that cost an airline company quite a big fine, because that was reported to be the wrong answer. That's one of the examples, but there have been instances where an AI chatbot started spewing personal information of customers that led to fines or other issues. On that note I would also like to say, inputting your own personal information into a gen AI chatbot is also highly not encouraged, so be mindful of that. We talked a lot about the good, the bad, the issues that are happening. In the end I would want to focus on how exactly can you solve this, because this has been going on, there are issues, there
are problems, but in the end AI still has a lot to offer. So as a company, where should you start? This has been the biggest question, and as I said initially, I have some answers, if not all; I don't have all the answers, I'm open to learning more and open to a discussion. My general understanding, in general, that I have been adopting in my own company, started by starting to ask the right questions. VDD, or vendor due diligence: this is an example in case you're buying an AI tool or adopting an AI tool into your environment. Where do you get started? It's like while you're doing a vendor due diligence or a supplier evaluation, a very common practice, you should always ask about their practices with AI. You can ask, like, what type of data is going to be shared between you and them, how are they going to protect that data, where is that data going to be stored, and who is it going to be shared with? Is personal or sensitive data going to be involved? You should also ask about their incident practices, their breach practices: how exactly, if something happens on their side, are they going to inform you about it, and what can you do about it? These are like the very few basic questions that you can get started with. It goes on and on: it can go about BCPs, it can go about DR, it can go about, you know, general legal or financial implications, so on and so forth. But in case you're one of those organizations where you are implementing an AI, an out-of-the-box, generally available AI, into your environment, you should definitely start by vendor due diligence, start by the general questions, start by asking the security practices of your vendor and going to the privacy practices of your vendor. Sometimes quality is also a good place to start: you want to know about their quality assurance practices, how that AI is built, what are the practices, how are they testing. One of these questions actually came to me as, what is going to happen because of the nature of AI and how things are changing rapidly? And the answer there is, as we talked about interpretability, there is no set form. How is my team going to test those AI and their output? There is no right or wrong way to say here; you just have to have your own questions, in a way that delivers the exact requirements where you started with, and kind of go from there. That could be a very initial view question to get started.

Now on the second scenario, in case you are adopting AI or you are building AI into your environment, or you're putting AI, or, I don't know, making AI, which is one of those use cases, building your own LLM,
even though if you stick to the basic first requirement where you're implementing AI from a third party, these examples, or these few controls, technical security controls, are still very, very much applicable. I would say start by encryption. Everything that you see, you're probably thinking this is very basic, but that's what matters: going back to the basic security controls. Encryption has been a tried and tested thing forever, no matter which one you do and how you do it. From encryption you can go about access controls, you can talk about DR and BCPs, and you can talk about security audits. So going back to encryption: you want to know what are the encryption practices you're establishing; if you already have one, make sure you have that for your AI. You want to look into those security audits and checks and keep on doing them periodically, making sure they're happening in the right way and making sure you're getting those results and reports in a periodic manner, and of course taking them higher up. Those are basic things you're already doing, and you need to continue doing that with your AI tool in practice. Access control: I don't need to go into details, it's so very important, it needs to be there. MFA, basic requirements, making sure zero trust, whatever your practices are, you have to kind of stick to that, and it may be expanded to a larger level, to a greater level, while using AI.

Privacy practice is another one of those things. Data minimization, as I say: you should not collect more than you need, because the more you collect, the more you are in the process of getting lost. Data privacy has been one of the biggest concerns with AI, so privacy practice along with your security should be at the forefront of your implementation, making sure you're doing those PIAs, making sure you're only collecting what you need and constantly monitoring the risk of the data that you're collecting or storing. That is going to be one of those checks that you implement; if you do not have that already you should look into it. Data classification and retention: I talk about them in parallel because it all comes down to the data life cycle. What are you collecting, whatever you're collecting how are you tagging it, and what does it look like in the end for it, where is it going? I have many customers asking me, why are you collecting my data? My answer is very simple: I want to give you better results, but if you're uncomfortable I am okay with not collecting your data. Whatever the customer's direction is, we kind of go from there. But I truly believe sometimes, to get that finessed result, like you yourself are putting information into ChatGPT and that is refining your results better and better and better as long as it's within your environment, the same way, if I'm getting that information to give my customer better results, that is the sole purpose of collecting the data. However, data minimization should still be your forefront: making sure you're not collecting more than you need to give that best result, making sure you're classifying your data as sensitive, critical, whatever you have going on as a labeling mechanism, making sure you have a strict retention period according to your industry for that data and you're definitely, definitely following that. And your security audit checks or privacy audit checks are a very, very great point on that, to make sure that you're deleting that customer information, so
next time you go in front of a customer, or sit with a customer, it doesn't become a finding or a critical issue for you.

And then last but not the least, my most, most favourite and most complicated topic: awareness training. I don't know how much I can stress upon that. Sorry, going to go to the next slide. Training, when it comes to adoption, when it comes to, generally I would say, upskilling, when it comes to making sure that the people who are using your AI today or actually going to work with the AI tool are up to speed. I've been in several conversations where people who are building that AI today do not have the necessary knowledge about AI product building; they are mostly product developers and they've never been trained. So I cannot, cannot stress enough how important it is to build that awareness, to upskill your people. It starts from whether you're building your own AI or adopting a generally available AI model or tool: you need to spend time upskilling your people, you need to spend time sending out those awareness campaigns so they understand the security and privacy of working with AI, or alongside AI. It's extremely important. Sometimes it's a cultural thing, so I highly encourage you to talk to your senior executives so the culture can come from the top. But without the proper training, without the proper upskilling, without the proper awareness, and I see that as two parts of it, upskilling and awareness, there is no other way. We don't know everything, I don't know everything, but with continuous improvement, with continuous learning, with awareness, with upskilling, I can get there, every developer can get there, to help build that security and privacy within your AI tool. So again, coming back to awareness and training, it's very, very important to get there.

Last but not the least, transparency, and this is a bigger topic so I'm just going to touch on it and leave it at there. Building an ethical AI is so very important, especially if you're making one. AI, the way I see it today, it's like when you as a student, or when you as an individual, were starting out in a new career. When you started out in the cyber security career, for an example, you didn't know everything, you were brand new, you didn't know which way to go, what to do. You had someone, a guide, a mentor, a peer, who helped you get to a direction, who helped you understand what's good from the bad, who helped you to get that ethical consideration so you could become more effective. AI, generally available AI today, is at the same stage, so whenever you're building that AI or working with that AI, training that AI is
very very important to have that ethical consideration as well to build into that ethics human oversight is the last topic going to cover here today because without that I think we are going nowhere just like I said there has been many talks since 20122 November until I think uh it's going to go on that humans are going to be replaced it's all going to be AI I truly don't believe that I think humans are the key to getting us successful humans are the key to getting AI successful become AI becoming more efficient and effective just like I use example AI at this stage need human guidance human interference I don't know how many of you are facing the same uh issue that I
am facing today but one of my biggest challenges today is building this you know building this uh parity between where AI stops and human intervention or human oversight begin yes of course my company wanted to have that latest and greatest automation technology and we have that but that does not mean I can simply not have an analyst without an analyst it's it's it's getting very difficult to have that so I spoke with my management I got that human oversight today we are trying to create that balance that yes AI would be directly responsible for doing all the automation activities where the human analyst would be focus on overseeing strategic thinking critical thinking looking at the bigger holistic picture that AI
today lacks on that example the only thing I can think of is AI is so great at doing repetitive tasks even before you get to them it could be finished and done for you but when it comes to looking at the business looking at the department looking at the function looking at the geopolitical and other risks AI is lacking that holistic View today it is good and doing the Redundant the repetitive task but when it comes to the wholesome experience you need that human oversight it's so very crucial to have that understanding and work from that understanding for example let's say that AI who helped block that Transaction what happens is that transaction is due to a merger that the
AI did not even got trained on only a human would know that this has happened for this new company on a different country and because of that that transaction was happening so human oversight is very very crucial balancing that human oversight and making sure that they're both working together would be the next best step for health care just as an example uh it could very well be AI taking care of all those heavy lifting that analyzing images and so on and so forth a doctor could be the one giving the actual diagnosis and doing the patient care and taking care of the bedside manner in cooking example you are the one taking care of the last play while
your um I don't know your mixer grinder is the one taking care of the heavy lifting not the most perfect example but it is kind of the way seeing it with the AI doing all the heavy lifting the Redundant the you know repetitive task for you and human oversight becoming that key crucial element to bind it all together in conclusion the takeaway is simple we live in a very nuanced and chaotic world where AI alone is not perfect and neither is it most secure so as human uh the responsibility lies with us where we want to go how we want to use this greatest and latest thing that we have in our hand we need to give it guidance
we need to keep it secure we talked about different security measures we talked about the guidance that only humans can provide and it is going to be so very crucial for the next steps I would say as we move forward let's remember that die alone is not enough and neither are human the perfect balance the perfect parity only happens when both of these two ends work together and that way we only can look at the best of technology and best of human insight and go towards the good future um I have my details shared I would end it over there I think I have a few minutes if there's any other questions on this but thank you so much
for joining.

So, working in some AI-related projects myself, one of the big questions that always comes up is the training data and what you are actually training the AI on. We know that there have been a lot of questions with respect to copyright and the issues around some of the big-company LLMs that have gone out and just scraped the entire internet for their data sets. In the security framework, where do you think we're going to get the data sets to train these AIs on, given how people don't want to share security breaches and things like that? Where do you see that going?

That's a really great question, because I face that today myself. I have customers who are very protective about their data, but they want the latest and the greatest. So I might sound a bit extremist in this way, but my message has always been very straightforward on that: you want the latest and the greatest, you have to kind of come to a middle ground. We alone, with, I would say, the QA data, the fake data alone, cannot provide you the latest and the greatest. In order for me to understand how to serve you better, you have to come to an agreement. We can start by data minimization, as I said; whatever they agree to, we can just stick to that. But without having anything shared, it is becoming very hard to provide them what they need. So our customers, even though they are in sort of a very regulated industry, have been very open to this kind of discussion, and they have understood. They do have very strict regulation about how long we can store some information and how we can process it, but I've seen some changes in willingness to share some information.

Thank you very much. My name is Anthony. I like the concluding part of your presentation, when you talked about balancing AI, when you do automation, with humans; that just reminds me of fact checking, for here. But my question is the ethical use of this AI, just following up on the previous question about intellectual property and privacy. One of the things I've seen is, looking at the example you gave, when you put your work into these tools, how do we really tread the line, especially when we are trying to stay ethical using AI?

I would say this is a very, very broad arena. First of all, there are definitely some guidelines or some frameworks that are already generally available that you can look at to understand the ethical practices, in case you're building AI or you are adopting AI. You can take a look at what these guidelines are stating as an ethical practice. But for the general day to day, it becomes a very, you know, gray box, the way I see it. I would definitely go back to one of my examples, where we are building something related to AI, and it comes down to the very basic checks. So I would say we start by understanding what exactly we need to provide as a result and how to get there. It doesn't always have to be perfect, but it needs to have the basic requirements fulfilled. Ethics can mean different things to different people, but down the line, the bottom line, it's all about making sure that what is your requirement and what is your tool providing, if that matches and you have parity. For other guidance, I generally tend to look at all these, I would say, regulations and laws that are coming in, and that provides me with an understanding of what are the good practices, what are the acceptable practices at this standard. And sometimes, I would say, I'm not perfect, we are not perfect, AI is still evolving, the regulations are evolving. We learn from making mistakes; we constantly do our internal audits, we constantly do our checks to make sure that things are at parity, things are working. If something sticks out, then we go ahead and fix that.

One more question, last question. All right, next.

Thanks for the wonderful talk. I want to go back to actually the first question and drill down on that a little bit, and I would love to hear your thoughts on basically the attack surface here. You almost mentioned model poisoning, and that's clearly the central threat when it comes to AI. But the problem is, and I would push back a little bit on some suggestions, you say okay, well, we need data minimization; I mean, that's the exact opposite of how these large models work, right? You need millions of parameters; you don't get the opportunity to have data minimization. And so I'm just wondering, given the threat space of model poisoning, any insight there?

Absolutely, and that's a great, great question. The challenge of balancing security and privacy with AI is something I have faced myself. Again, to answer this question, I would go back to some of the basic requirements of data privacy, the way I see it, and also combine one of the questions that was asked before, the ethics. So of course you need data points, you need information to build your AI, to train your AI, to go from there. Whoever you are getting that data from, make sure you get their permission. So one of the core processes, or one of the core examples or controls, of GDPR is to seek permission and only to process that data when you have it. So for our customers, we start by asking them questions and making them understand: hey, if you don't give this, you're not going to get this; are you okay with that? Helping them understand where they stand with or without their data. Minimization is the basic requirement, absolutely, but it should all start with getting their consent. Consent is the key. Even for generally available personal information, not just your customers' information, you should start by getting their consent. If they're not comfortable, you cannot have that, but you should always challenge back and make them understand that if they don't give it to you, what are they going to lose out on. That has helped us to get a lot, many customers in line, to get a lot, many customers to agree with us, because everybody wants the latest and the greatest. Nobody is just going to say no, no, it's okay; yes, there would be people, but most people would agree to it when you reason with them. But without consent, that's where minimization comes in, the practice. Without consent, without helping them understand what you're taking from them and what's going to happen to it, that's where all the violations and fines come on you. So make sure you get that consent. That would be my answer. Thank
to think about how the places that we go to every day, the things that are possible for us every day, would not have been possible had it not been for those who came before us. We also sometimes forget to think about how, deep down, the human spirit knows that lives are interconnected. It's that interconnection that I want to talk about today, with the help of a story about a man named Eddie from the book, good luck, and it begins at the end, with Eddie dying in the sun. It might seem strange to start a story with the ending of someone dying, but all endings are also beginnings; we just don't know it at the time. A little deep for after lunch, hope that's okay. I'm going to read from the book, just a few paragraphs.

"The last hour of Eddie's life was spent, like most of the others, at Ruby Pier, an amusement park by a great gray ocean. The park had the usual attractions: a boardwalk, a Ferris wheel, roller coasters, bumper cars, a taffy stand, and an arcade where you could shoot streams of water into a clown's mouth. It also had a big new ride called Freddy's Free Fall, and this would be where Eddie would be killed, in an accident that would make newspapers around the state. At the time of his death, Eddie was a squat, white-haired old man with a short neck, a barrel chest, thick forearms, and a faded Army tattoo on his right shoulder. His legs were thin and veiny, and his left hand, wounded in the war, was ruined by arthritis; he used a cane to get around. His face was broad and craggy from the sun, with salty whiskers and a lower jaw that protruded slightly, making him look prouder than he felt. He kept a cigarette behind his left ear and a ring of keys hooked to his belt. He wore rubber-soled shoes and he wore an old linen cap. His pale brown uniform suggested a working man, and a working man he was.

Eddie's job was maintaining the rides, which really meant keeping them safe. Every afternoon he walked the park, checking on each attraction, from the Tilted World to the Pipeline Plunge. He looked for broken boards, loose belts, worn-out steel. Sometimes he would stop, his eyes glazing over, and people walking by thought that something was perhaps wrong with him. But he was listening, that's all. After all those years he could hear trouble, he said, in the spits and sputters and thrumming of the equipment."

It goes on to describe more about Eddie, to help you understand him a little bit, and how he died thinking that he really should have done more with his life, but perhaps, you know, he couldn't and he was held back. But I'm going to skip to a passage where he sacrifices his own life to save a little girl.

"In those final moments, Eddie seemed to hear the whole world: distant screaming, waves, music, a rush of wind, a low, loud, ugly sound that he realized was his own voice blasting through his chest. The little girl raised her arms, and Eddie lunged. His bad leg buckled. He half flew, half stumbled toward her, landing on the metal platform, which ripped through his shirt and split open his skin just beneath the patch that read Eddie and Maintenance. He felt two hands, two small hands, a stunning impact, a blinding flash of light, and then nothing."

The book goes on to describe how Eddie wakes up in a place that looks like the amusement park at Ruby Pier, but it isn't; it's actually heaven. And then he goes on to learn that in heaven you meet five people, and these five people were each in his life for a reason, and how he might not have known the reason at the time, but heaven is about understanding that reason, and understanding your own life through the stories of those people who have an alternative view to your own. So the book shows two points of view for each event that happens, from two angles.

So why am I telling you this? Is it because I think that cyber security is like heaven? Maybe for some of you it is; for some of you it's not, depending on who you are and what you're working through. The reason that I'm telling you this is because in my years of leading digital transformation in organizations, I started to think about the patterns that emerge. And if you're in cyber security, I understand that you like patterns, and you like flips, and you like to find those things. And so I started to think about the kinds of people that I seem to meet when trying to effect cyber security transformation or digital transformation, and sometimes you sort of see the same faces, or the same sorts of characters, or the same types of people, or the same personas. So if you're familiar with design work, you might use personas to capture sort of the category or type of person you might be working with, so that you can design in a more human-centered or user-centered kind of way. So I started to think, well, what are some of these personas that we encounter often? And in doing a little bit of research, I'm actually wondering what you think as well about these personas, and whether or not there are other personas you might add to the mix. By thinking about some of these personas, you can start to understand how to inform your own actions, right? You start to understand someone's needs, or what they're thinking about, or how they can affect a digital or cyber transformation; then you can think about how to inform your own actions to make yourself more successful. What more would we understand about everyone beside us? Even if you look at the person sitting beside you: what had to happen to them in order for them to be here today? What are the things that they're thinking about? What are some of those needs?

So what I'm going to do is I'm going to start us off with the first one, but I'd love to know as well whether or not you agree. Ta-da: the under-resourced IT leader. Okay, maybe some of you are this under-resourced IT leader, or you've worked with this person. Can I see a show of hands if this resonates? Is this a persona that you've encountered? Here we go. And if you think about Matt's keynote earlier this morning as well, it talked about how things are changing all the time; there's so much to keep up with, and almost by nature you're going to be under-resourced if you're an IT leader in an organization that is going through a transformation of some kind. And so if you are coming in as external cyber security support, if you're selling a product or a service for them, what you might do is come in, as you're asked, and perhaps do some assessment of where they're at, provide some advice and some recommendations, see where that lands, and then keep going. If you're part of an internal cyber team, that might look a little bit different. But for them, you're one of many, many different concerns, many priorities that they might be trying to balance: lots of things going on in terms of the business priorities, where they're trying to get the organization to, everything that's happened in the past and everything that's forward. And if you can understand those things better as a cyber security expert, with that perspective that you've got, then it makes it easier for you to speak to them in their own terms and to understand how to help them by connecting the dots, perhaps, within their world. And so that would be one example of how you might look at how to work with someone who is an under-resourced IT leader, for instance.

Okay, but having those two different perspectives come in, it's funny, there's one story in the book, one of the people that Eddie meets in the book, where he's like a little boy running across the street after a ball, and he continues running after the ball and everything's just fine, but there's a car that has kind of stopped, and that is almost him. And then that man has a very different story with respect to how that impact of him running across the street after a ball plays out. So sometimes it's very different: you might keep going, chasing the ball you've got, but someone else might be quite impacted by what you've done and what you've said.

All right, any guesses, any suggestions or guesses, for another kind of persona that you might meet in cyber security? Someone who's an executive? All right, a skeptical executive. Anyone met one of those? And yeah, it's a lot of fun, right? I've got two hands over here. So the skeptical executive: there is one in every transformation I've seen, every digital or cyber transformation; there's generally one. And it makes sense, because they're going from a place where cyber security was one thing, and maybe they viewed it one way, but transformation by nature means that it's going to go a different way, or something's going to have to change, or they're going to have to think about things a little bit differently. So that makes sense, but it's really important to meet them where they are, meet them based on what they understand about cyber security, because often what they are telling you, or what you are learning from them, is indicative of the cyber security culture at that organization. And so what is cyber security culture? What I'm thinking of is whether or not, in an ideal world, everyone feels like cyber security is their job; they know what to do and what not to do, and they generally do the right thing because they're set up for success, right? So if you have an executive or a leader who is setting the tone for that cyber security culture, it's important not to skip over them, even though you might want to, and I have wanted to, I will admit it, laugh very loud. Because what happens is that they start to impact the psychological safety of that organization when it comes to cyber, and I think Matt talked a little bit about that this morning as well. And what does that look like? Well, that looks like when people don't feel safe or secure going to senior executives or senior leadership with ideas about cyber security, or with their mistakes, or mistakes that are happening in the organization. It's a problem with accountability, right? So if you don't feel psychologically safe because you don't have that culture, and it only takes one person or one leader to continue to sort of pull things down, unfortunately it's not something that you can ignore, but you can work with them to leverage what they have and figure out how to manage it. All right.

Okay, so it's not all that. Okay, you also meet people who are inspired keeners, right? People who are inspired by what you're doing or what you're saying, or inspired by someone in an organization, or perhaps by a mentor. I'm not going to spend a lot of time on this persona, but I will say that I've attended a lot of cyber security events over the past year, and most of the people I talk to can trace their interest in cyber security to one person who has inspired them. And you might not know you're that person who's inspired them, but you may have. It's just like not knowing whose life you impacted or why they were in your life; it's something that you've done to create impact and to kind of spread things out. So be conscious of that. Look for a mentor if you don't have one, or become a mentor, right?

Number four: recently breached. I call it the recently breached intentionally, because it sounds kind of like recently bereaved, right? Because generally, if you've been breached, or if you've been infected by a cyber security incident, you've lost something, right? Whether you are part of an internal team that's working through an incident, you may feel like you have lost something: you've lost your sense of security, or you've lost your confidence in what it is that you're doing. If you are a victim, if you are someone who has lost money or lost your data in some way, you've also lost something. So it's an appropriate title in a lot of ways, and I came across a lot of interesting studies on the psychological impacts of cyber threat and what that looks like. But it's also a good thing in a way. If you are part of a digital transformation or cyber transformation, it's something that you can leverage. You want to look for those people, because those are the people who can help to accelerate what it is that you're doing. So they've not only lost something, they've gained something, or you've gained something, or the organization has gained something: they've gained an opportunity. They've really gained the opportunity to accelerate and to move forward based on what they've learned. They understand that there's an opportunity to update playbooks, to improve processes, to ensure that this doesn't happen again, or that it doesn't happen to someone else that they know. That's the opportunity, and that's what they've gained. My favorite part of what's gained is thinking through: so what are the requirements for the new world and the new system that you're building, so that you can avoid having this happen?

Okay, and the last one that we have is the vulnerable. I'm going to spend a little bit more time talking about this one; this is where the social impact piece of what I'm talking about today comes into play. Generally, do these categories feel like they kind of resonate? Can I have like a hand? Excellent, thanks so much, and I'd love to hear more and build this into something that leverages the community as well. What do I mean by vulnerable? Certain populations are more vulnerable to cyber security incidents and have the most trouble recovering from them, including those who may not have the technical expertise to defend themselves, which is intuitive, or those in socioeconomic situations that limit their ability to access the care systems. Through the work that I've done over the past few years, I can speak to these things a little bit. First of all, older adults, seniors, are disproportionately affected by phishing emails, for instance, where they may not recognize fraudulent activity. The statistics are pretty significant: in 2022, adults over the age of 60 in the US lost about a billion dollars to scams and fraud, which is an increase of over 7% from the year previous to that. And here we're talking about people who are, for the most part, living on a fixed income, right? What happens to them? They might be in a difficult housing situation as well, which is something I know a little bit about. And if you think about it also, if they lose their housing situation, what is it that they have? For many of them, they don't have a lot of options. There are 48,000, or more than 48,000, people on the waiting list for long-term care in Ontario today. Okay, so there's one part of the vulnerable population piece of that.

I'll also pull out, sort of on a mental health kind of basis, which is also a growing population, people, participants in a study that I read, who really have a hard time with the poverty that can sometimes come with mental health challenges such as anxiety and depression. We heard that poverty exacerbates those challenges, and it's a vicious cycle, and a lot of these people in these vulnerable populations end up in a vicious cycle as well. So if you add in sort of the mental challenges that you might have, and the inability to perhaps plan on a long-term basis, and then add in a cyber incident that affects their data and affects sort of the footprint of who they are in the world and their ability to access resources, that's a very difficult situation.

And then in healthcare: cyber security incidents in healthcare lead to disruptions ranging from delays in medical treatments to errors in diagnosis, from providers of healthcare not being able to access data or records in that time of the wave, for example. For those of you who aren't as familiar with the healthcare space, there should be a direct link between ransomware and patient harm. So there are lots of examples, like Universal Health Services in 2020, which shut down their hospitals, delaying surgeries, diagnostic tests and other critical services. So I wanted to make that point around vulnerable populations. And so these are the who, around some of the vulnerable populations, each one of them a population. If you look at seniors alone, for example, over the next 20 years the senior population is expected to grow, so you have an issue that is a growing issue, irrespective of the number of people that are simply in the world, right? If you look at the statistics there, by 2068 seniors are projected to be one in every four in the population, and the world over, the number of people aged 80 years or older is expected to triple between 2020 and 2050. So you have populations that are vulnerable, you have a significant amount of growth in those populations, and then you have the fact that the industry that is currently regarded as the biggest target for cyber crime is the one that impacts these populations, right? I don't have perfect data in terms of who's being targeted and who's not being targeted, but there is data in terms of the cost of those breaches. And I have to say, most of the data that's out there, and the reason I'm saying this, most of the data that is out there is targeting organizations and corporations who have the resources to help and to build the infrastructure that is needed. In healthcare, particularly in Canada, we do not have those resources. We're dealing with legacy systems, where this is a problem, right? Legacy systems and underfunding in many of these areas. So what we have, in my very cheerful talk, sorry, is that we have the most vulnerable people in an industry that is most targeted and that is the least able to defend itself. Okay, just think about that picture: the people who are most vulnerable are the most targeted and the least able to defend themselves in Canada.

So, thinking about that, here comes the what if. What if, what if we flip that upside down? Instead of having them as the least defendable, what if we made them the most? What if we protected these people the most? What if we protected these systems and these populations in these industries the most? When you think about the Titanic, back when women and children were regarded as vulnerable (today children are official sponsors, I know), they were told to go first; they got to go on the boats first, right? Take them to safety, right? That's what we did. What if we did that with this, this time, here? I'm not going to tell you how to solve that challenge, but I do want to leave that with you, because you, the movers and shakers and the doers and the thought leaders, you are in a position to impact the space and the people that are there, and you're doing it already. So with that, I'm going to leave you with that, and I just wanted to say as well that I'm going to read a little bit more from the book, because it is actually a hopeful message that it delivers.

"Have you seen people from your team, Eddie? Eddie emerged in brilliant light above an almost unimaginable scene. There was a pier filled with thousands of people, men and women, fathers and mothers and children, so many children, children from past and present, children who had not, side by side, hand in hand, in caps and short pants, filling the boardwalk, on the rides, on wooden platforms, sitting on each other's shoulders, sitting in each other's laps. They were there, or would be there, because of the simple, mundane things that Eddie had done in his life: the accidents he had prevented, the rides he tested, the unnoticed turns he had affected every day."

There are many more than five people in cyber security that you will encounter in your work, and that you have all been, whether you know them or not, and that you have, I have no doubt. So just picture how many more there might be for you. Thank
[Applause] [Music] [Applause] I'll just mention one more thing. I don't know if there'll be any questions, but I do want to dedicate this talk to my good friend Su. He was that first persona, my under-resourced IT leader who had accountability for cybersecurity in an organization I worked at. He passed away in early 2022 and is now in heaven, probably meeting all the people whose lives... [Applause] [Music]
Thank you. Having worked with you, I'm a little biased.

All the same, on that persona, you do have certain flavors. Is there one particular flavor, one particular approach you use for the jaded persona, the long-jaded one?

I think that bears a little bit of user research on that one. I think that you have to listen. I think you have to start by listening, understanding kind of where they're at. Same with the skeptical executive. With the skeptical executive, I think you have to align on whatever your mission or purpose is. If you can align to the mission, everything falls into place and gets much easier, if you can make that communication really strong and help them understand you're working through the same things.

Thank you for the manner in which you... I've been thinking about this for about 15 years. There are three that I would like to add, with the understanding that quantification and evaluation need to be social and technical. Then you also need counsel for those that have been impacted; we can say cybersecurity grief. You also need someone to manage, to assess the value, the quantification of the cost in the organization, so you need a cost engineer to do that quantification, and cost can identify to management what the impact on the organization is. The third one is actually a non-person: it's your artificial agent, artificial AI, could be RBA. You need that non-entity to do the very, very discrete analysis of security. So at least those three.

Wow, I really like that. We should talk after so we can compare notes and then put that together. I love the idea of building that out and understanding how they all interact with each other as well.

Thanks. Any... So we're good. Thank you so much, everyone.
[Applause] All right, my name is Abigail. Thanks for coming to my TED talk. I'm going to be talking about information warfare, so just a little bit of light hybrid warfare to kick off the afternoon. As you said, you'll notice from my little description there that I am not an OSINT professional, and I am not a cyber professional, and I am not a disinfo expert. So what am I doing here? Well, I am a privacy professional, and this topic became very relevant and very important to me back in, I would say, 2016, 2017, when I was living in the UK helping a lot of businesses like yours struggle to implement the sweeping data protection legislation that was taking hold across the EU, which is called the General Data Protection Regulation. People were really fussed and excited, particularly about their cookies and direct marketing, which was not new with GDPR but was amped up in terms of the potential for fines and disruption. And so when the Cambridge Analytica scandal broke, which some of you might remember, with political micro-targeting to influence the outcome of the Brexit referendum as well as the US election, suddenly it became very real that the work I was doing, even though I always valued privacy as a fundamental right and it was important to me, it was a reminder to me just how important the work I was doing was, beyond compliance, beyond my clients getting into trouble and having to put up pesky little pop-ups or clean their websites of unnecessary trackers. There was a real reason behind it: our very democracy, our very fundamental rights, can be impacted by the kinds of things that we put into our websites and the kinds of things we do with people's data. So I started to get very, very deep, as I do, into understanding how disinformation works, how it spreads, and it's kind of been a side project for me. It helps that I'm also a real news junkie and a politics junkie, so that doesn't hurt at all.
So what I'm talking to you about today, I'm going to try and keep it very concrete. You'll hear later that information warfare is a much bigger topic. There's a huge cyber dimension to it, and I know I'm at a cyber conference, but guess what, I'm not going to talk a lot about the cyber piece. We could do two full days just on that. I really want to focus on what we also talk about in cyber and privacy, which is the weakest link: us, right? So when I talk about disinformation and being able to recognize an op, being able to recognize a campaign and being resilient against it, it begins with us, the human element. No matter how much you try to reinforce with laws and other sorts of infrastructure, at the end of the day we are the weakest link, and I want us to become the strong ones. And I'm very confident, with you as a room full of cyber professionals, that you already have so many of those skills, the critical thinking and the ability to do some of the things I'll talk about today.

Just a content warning. It's called "The Truth by Cats and Dogs" because I am starting off with a concrete example of an information op that went ridiculously viral and was extremely harmful. It involved a lot of old racist tropes and stereotypes, and we're still feeling the shocks and the effects of it today, to the point where people are leaving a small community they called home, that had welcomed them, because they don't feel safe. So it can be a bit triggering. I will be talking about it, but my focus is on how the information spread; I'm not going to zero in on the content. But even so, I appreciate that this is very fresh and very recent, so maybe just prepare yourself for that, or put on some noise-cancelling headphones for the next 10 minutes if you find it all right.

So one of the challenges when we don't believe our eyes, when we
don't believe what we read, or when we've been duped a few too many times, or if we believe lies because we want to, because they're convincing, is that we sort of lose truth and we can be manipulated, we can be controlled. If we don't have facts, if we get into a post-truth world where facts don't really matter, then we don't have truth, and then we don't have trust. And we all know, as cyber and privacy professionals, how important trust is. Trust in our institutions, in our fellow citizens, in the people who live with us, who visit with us, is critical for our society to work properly, and it's critical for us to make really fundamentally important decisions in our lives, like what we're doing for our healthcare, or who we're going to vote for in an election, or whether we'll take action at all.

So that was a quote there from Maria Ressa. She's the editor of the Philippines news outlet Rappler and was trying to give early warnings to people in Europe and the US and Canada about what she was witnessing in terms of the disinformation and manipulation that was happening on social media for her and the Philippines. She tried to warn us that this is an early warning of what could happen to us; democracies can crumble very quickly, so please be warned. We didn't listen to her warnings, but we did invite her to the International Grand Committee that Canada hosted with something like 11 or so other countries to talk about what do we do about this problem.

All right, so today I'm going to talk about the anatomy of a disinfo op. We'll go through that one, and it's pretty fresh, so hopefully I won't speak too long on it. Then we'll talk about how we situate that in a much bigger information warfare campaign. I'm focusing on a particular country that does this, but I want to just underscore for you that this isn't just about foreign actors who want to do harm to us. That is absolutely the case, and there are many different ones, but what you'll see from my next example is that we have domestic actors who use the exact same tactics to manipulate us and cause harm. So it's about the tactics: we need to be aware of them and recognize them regardless of where they're coming from. Then I'll talk about how we use OSINT, open-source intelligence, to unmask a super-spreader; in this case I'm using a specific case study. And then finally I'll run through how we take what we've learned, how we can use some of our critical thinking skills, and then if you do want to go further, which I would love it if you did, we can talk about some of the resources that are out there to help you really hone your OSINT skills.

All right, so: "They're eating the dogs, they're eating the cats." Anyone not know what this was about? You're going to be too embarrassed to put up your hand. So in the middle of the presidential debate between President-elect Trump and then-candidate Harris, out of the blue he started saying they're eating the dogs, they're eating the cats, they're eating the pets of the people who own them,
or something along those lines. And the question is, well, how did this hoax, which was revealed to be a hoax, end up coming out of the mouth of a presidential candidate on a debate stage? I'll walk you through it, and I will walk while I do it because I can't see my screen very well.

So it started with a rumor, as things do, what we like to call triple hearsay, up on the right-hand side here. Those of you of my vintage at least might recognize this from Ferris Bueller's Day Off. It's that quote where she says, "my best friend's brother's sister's, blah blah blah blah blah, saw Ferris pass out at 31 Flavors." Basically she doesn't know what she's talking about; she's just heard, five or six times removed, what may have happened, but she's presenting it as fact. Well, that's funny, but the post in a private Facebook group that led to eventual threats and other violence in a small community, and that rang around the world, was not very funny. So it was very similar. And just so you know, I have a lot of slides with a lot of text. These are going up on my LinkedIn. They have alt text for those of you who have trouble with your vision, and hyperlinks, so don't worry about taking pictures or whatever; you'll be able to get that from my LinkedIn in a few days.

All right, so it was a pretty low-credibility post. She heard it from a neighbor whose daughter, who this and that: triple hearsay, zero credibility in that post. And it was a post to a Facebook neighborhood group warning them about people eating cats and dogs, specific people, right? So new people, a relatively new community of migrants. Now, there had been rumors circulating here and there, and it's an old trope going back to the days of the Chinese Exclusion Act in the US, and we had probably similar stuff here, of foreigners eating dogs and cats and eating our pets. So this is not a new thing, to ascribe these kinds of stereotypes. This sort of stuff was circulating, and there had been a few tensions and issues in the community, but also there were a lot of positive things that were going on. The Haitian migrants, who had been invited, specifically invited, legally, to come and work in the community and rejuvenate the community, had done so and were appreciated for that by much of the community. But even so, this Facebook group had 8,000 members in it, and it spread through there. But then what happened was it was quickly picked up by someone who had 2,000 followers, and then it got picked up by a super-spreader, and then we'll see a lot of other super-spreaders and how it spreads.

But as a starting point, the first reaction if you're someone reading this is there's so much that makes it not credible, or there's so much there for you to say, I'd like to know a little bit more. Like, you said you heard something from the park rangers, but I haven't seen anything from the rangers talking about stuff happening in the park. And meanwhile, officials were very quick to debunk this and say nothing was going on. So it's not like this was just lingering in the air and everyone was wondering, did it happen, didn't it happen, it hasn't been confirmed. That doesn't matter; it spread. And part of the reason why, and I talked about racism and xenophobia and that obviously is a really big part of it, that is a subset of something else that we all have in ourselves, which is confirmation bias, right? Confirmation bias is when you see something that confirms something you already believe, and so you believe that new thing to be true, sometimes even when it's not rational to believe it. So with stereotypes or racism, or you don't like your neighbor for whatever reason, you're going to be quicker to believe bad things about them because you already don't like them. That's what we saw here.

And then people started to share it, and they shared it because they had various agendas. But let's look at who shared it and how. All right, so in less than a week, it was intended for a few thousand people but it reached millions, even though it had been debunked multiple times. And I'm going to walk over here now to be fair to everybody else. We saw a right-wing influencer, this guy, End Wokeness. He decided to share the post alongside a photo that was not from Springfield, Ohio; it was from Columbus, Ohio. This man is not Haitian, and this is not a goose that he
killed; it was roadkill. Doesn't matter. He's put the pictures together and then he posts it and basically says, you know, this is to confirm what was already in that person's post. So now we're starting to layer on other information and trying to give it some credibility, and look how he's attached it to the question around immigration and economic woes and so on. So he says, "Springfield is a small town in Ohio. Four years ago it had 60k residents. Under Harris and Biden, 20,000 Haitian migrants were shipped" (which they were not; they were invited and they came, but "were shipped") "to the town. Now ducks and pets are disappearing." So the other piece we need to think about is that's really trying to resonate and get you emotionally, right? It's getting to your lizard brain: I live in a lovely little community and I'm worried about migrants. The people most worried about immigration often tend to be people furthest away from the border. So in the Cambridge Analytica case, when the investigative journalist Carole Cadwalladr went to Wales to find out why did you vote overwhelmingly one way, one of the reasons was this xenophobia and fear of migrants. And so she said, well, how many do you have in the town? One lady: there's a Polish cleaning lady who's here. They didn't have that; it was the fear, an irrational fear that wasn't countered with any kind of life experience to contradict it.

So there's more, but you can see what's happening here. By this time, and I wish I had better skills and could have made a really cool timeline that's interactive, but I didn't, so you'll have to imagine it, by this time we're getting all kinds of people weighing in, and they don't care about the truth. What they care about is the value of people believing or wanting to spread this, right? So now we have Ian Miles Cheong. He is with RT, so Russia Today, which is a pro-Russian propaganda outlet, but in the Malaysia one, and he decided to spread this. This was a video of a woman who, again in a different town, I think in this case Canton, Ohio, was arrested and accused of stomping on the head of someone's cat and eating it. And then he says, you know, this woman was arrested for eating someone's pet cat in Ohio, hint hint, same state. How does something like this happen? If you follow the thread, the conversation further, you'll see eventually he attributes it to Haitians. And that got, he had a million followers, he got 5.8 million views, and by the way earned a lot of money on that, because hate spreads fast and you get clicks and you get a lot of revenue. So he had various motivations for that.

And then we have JD Vance, who was told, even before he started resharing this, so vice-presidential candidate, now Vice President-elect, JD Vance knowingly spread what he said was false, and when he was challenged on it said, "If I have to create stories so that the American media actually pays attention to the suffering of the American people, then that's what I'm going to do, Dana, because you guys are completely letting Kamala Harris coast." So he's admitting he has to make up lies to make you think. I mean, do I need to say more about that? It's just ridiculous. But of course, it didn't take long for that to get into this guy's head, and then he raised it during the debates, and then all kinds of memes started coming out. And then people who were trying to make fun of Trump, or purporting to make fun of Trump, putting videos and music and everything, and they were funny to watch, but they were horrible too, because they downplayed the impact to the community, who were seriously suffering from it. And also people like JD Vance were taking that and saying, see, everyone agrees with us, they're praising what we're doing. And so it got twisted and spun
around. People kept coming up with new evidence, you know, to debunk the debunking. Like, oh, you debunked this, but actually the mainstream media is not going to tell you what we know, and you're smart enough to do your own research, and you're smart enough to trust the real people who are going to tell you the truth. So we saw a lot of this kind of stuff, and then again the protector image comes up again with these AI-generated posts of Trump and so forth. This could have happened with any political candidate. It could have been flipped; it could have been liberals, it could have been leftists, whatever. My point is to show you the structure and what happened here and how it spread. Super-spreaders like Elon Musk really amplified this as well.

And just so you know, I've got a link here in the next slide, but just before this, a very similar sequence of events in terms of how the information traveled and how rumors turned into reality and stoked what I'll call Brownshirts, basically white supremacists who wanted to commit violence in various places, happened in the UK in Southport after that tragic stabbing incident. So again, a very similar pattern. So the rumor is part of a narrative that Russia and certain US politicians were using at the time and were very eager to exploit. And the reason is, if you can exploit divisions, especially tapping on a nerve that is already raw, right? People are concerned about their economic situation all around the world. We tend to blame people from outside for things that are wrong; it's easier than blaming our politicians, against whom we feel powerless. So this whole sort of economic angst, anti-immigrant sentiment, is very, very easy. We see it all the time, you see it all around the world, it's been used in many countries, and it was certainly used here. But in addition to that, they started to weave in this sort of election fraud narrative as well, which was very, very strong.

So, not surprisingly, we had a pro-Trump influencer who said that he was paid to share a video of Haitian migrants who were saying that they were voting illegally for Harris at six or seven different polling stations, right? So again, that one went viral. It didn't matter, it really didn't matter, that it had been debunked, that there was no evidence, because people sometimes believe what they want to believe. So that's the other piece too: when we talk about disinformation, we're often thinking about how do people not get duped, but sometimes people want a narrative, and that's the dangerous situation we find ourselves in, which is this post-truth era. We need to bring ourselves back from the edge, especially because one of the potential unintended consequences of a talk like mine, and what I'm doing today, is that now you're going to be critical of the things you see, but then you could tip over a little further into the "I don't believe anything" kind of mentality. I'm trusting that, since you're all cybersecurity pros and you know that there is no such thing as zero risk, there are cyber risks but you know how to protect against them, that you know you can never have 100%, but that doesn't mean you go to 0% and give up on cyber. So same thing with shoring up your defenses against disinformation.

So anyway, it's an ongoing theme in US elections, it's happened in other places, and I've got a few articles here as well showing, you know, in 2022 there were a lot of divisive narratives that were hyper-targeted to Black voters in the US to try to deter them from voting altogether, in that particular case. So a lot of zero-sum messaging, like, oh, you got all this Stop Asian Hate legislation, but what about an anti-lynching law? Well, there actually had been a law like that, but it didn't matter, right? The narratives just spread and spread, and you just pick at that wound, which is a real wound, right? It's something that's there,
but it gets exploited. And then this is a fantastic article here by Evan Dyer that sort of ties it all together really nicely, so I would suggest that you read that, and also do try to take a look at the Southport examples as well; you'll see the pattern repeated.

Now I'm coming over here because I feel like I've neglected the others. Now, there are ways to use your analytical skills to try to understand how information is traveling. This is one; it's not the only one. But if you want to get a sense of, especially with social media, things can move just really, really fast. So this is a decision tree from WeVerify. It's one of the many free open-source tools, and there's a whole narrative that goes with it that explains this in more detail. But in a nutshell, you try to get back to the root: where did the message start? Is there a network involved? Are there suspicious timestamps? Like, is this just moving too quickly that it couldn't possibly be organic? Is too much information being generated supposedly by the same person, suggesting maybe multiple people are behind that persona turning out content? Is there coordinated behavior, so a lot of @-tags between them? So there are great tools you can use that analyze the data flows and visualize them, and if you have them, great. But even if you don't, as a layperson just kind of looking at this, it's like, oh yeah, it's all the usual suspects, right? So he's @-tagging cat.com, then that one tags this guy and that guy, and then Elon weighs in, and now, plus, he's got the algorithm and he can put his finger on the scale, and it just goes on and on.

So you need to assess the intent as well. Like, what are they trying to do here? Is this just information for the sake of information? Is this just monetization? No, it's to elicit an emotional response and get me to be irrational. So I need to calm myself down for a second, do a bit of distress tolerance, maybe some SEAL breathing, box breathing or something, and ask myself, you know, what's this all about? Step away for a second and think it through. You can detect clusters and so on. So these are old tricks that go back over a hundred years. You can go back: the whole trope of the global Jewish banking conspiracy goes back to a forgery that was done on paper during the tsarist times, in 1905, '16 or '17, when they were trying to counter the Bolsheviks and all this other stuff. So I mean, things can really last and they can really spread.

So basically it follows this pattern, and this is what I'm asking you to look for in the case of a single information op. Okay, so I'm talking about just one, not a whole campaign. So, one, it's trying to exploit a weakness, so you need to know what are my weaknesses. Well, that sounds familiar, because as cybersecurity professionals you do this all the time, right? Vulnerability scans, threat modeling, etc. So you're pretty good at that. So can you do that in terms of yourself as an individual and us as a society? Is there a source of tension that could be an opportunity for someone to exploit? I mean, brothers and sisters do this to each other all the time too, in the family, right? You just know how to get under people's skin. So are there pre-existing stereotypes, old tropes, etc.? And then the next thing is, we fan the flames, right? So we didn't start the fire, but we can definitely get it going. So you plant or exploit a rumor, then you amplify the message, you add new content: oh, there was a police report; oh yes, this woman said that; there's a voice recording, it's been leaked, but the mainstream media won't play it. It just goes on and on, right?

Launder and amplify. So once you start getting people who have some kind of credibility, because they have a lot of following, because they're a politician, because they're a person who has some kind of status that you would believe would be honest or have some credibility, or something that looks like a legitimate newspaper but isn't. It could be cybersquatting, you know, you're squatting on someone else's name and it's a doppelgänger, or it could be a legitimate paper, even a legitimate paper. So papers of record, every once in a while, run articles and it just feels like a transcription. As you know, there are all these anonymous sources, they're very, very vague on what level they have, and so on and so forth. So this can happen even with legitimate sources. That's laundering and amplifying. And then embellishing. So I talked about a firehose of lies: just add as much on there, just throwing confusion, just to reinforce the narrative or to reinforce the chaos, right? So maybe you don't care about them believing the thing; the point is to get people fighting and just frustrated. And then finally, repeat, repeat, repeat, repeat. Just be relentless. The more you say something, the more likely it is to be believed true. The first person to get the message to you is the person you're most likely to believe, right? So
all of these things are ways that you can spread disinformation. So how do you spot it? Well, you need to pause and take a break for a second, right, and ask yourself, before I share this: is this trying to play on my emotions? Does it feel off? Is it too perfect? Like, does this feel like a smoking gun, it's exactly what I want? Because sometimes that can happen to you, and there have been operations like this where something looked so perfect that it actually undermined the credibility of someone's opponent. So there was this famous police officer in New York who was trying to crack down on the Red Scare, and this forgery that was created looked so perfect, like it had come from the Soviet Union, it was from Moscow, and people had pointed out, you know, there's some weird stuff in here. He said no, no, no, it definitely happened. When it was finally revealed to be a forgery and it was admitted that it was a forgery, he was completely humiliated, and everything I think he'd built up, his credibility as the sort of guy to defeat the Red Scare, was completely blown out. They took him out that way. That's in Active Measures, if you ever read the book.

All right. Is it a credible source? Is it an authentic image or text? You can do a really easy reverse image search, and that's where a lot of people found, okay, that's from Canton, Ohio, or that's from Columbus, Ohio. We see this a lot with war photos; be really careful about that. A lot of photos from Syria were being passed off as photos from Gaza, right? So you get this kind of thing, and it matters, especially if something hasn't happened, because things are happening. And so the double whammy there is that then the people who don't want to believe that atrocities are happening, or that bad things are happening, say, but see, there was a fake photo there, that was Syria. And then the people who do want to believe, well, they get all worked up even more, but that wasn't the incident, and now they're losing credibility as well. Does it feel coordinated? Is this a super-spreader? Is this one of the usual suspects? And then finally, if you can, report it, right? Take a screen grab; there are usually tools for that.

So that's just one op. But if you stop there, and you're doing all those things that I said, which are valuable, you're really still just playing whack-a-mole, because these are usually coordinated as part of something bigger. So now you're going to say, oh my gosh, Russia, Russia, Russia. I'm using Russia as an example
because, like I said, there are many state actors who do this, and there are domestic actors as well. The reason I'm using Russia is, one, it's very well studied. I've got at least two really good books right here, which I do encourage you to look at. Two, Russia's also been incredibly active in the past few years, especially against NATO countries. And then three, its impact with Canadians. So I've given you American examples, but even some of that anti-Asian sentiment trickled over the border to us with those same tropes recently. But also, we've been not only targets of campaigns, we've been perpetrators, right? So when we talk about increasing our CanCon, like our Canadian content, in international trade with our allies, conning them is not really the way to do it, but we've been doing that. We did that with Cambridge, and we've done it recently as well.

So there's this fantastic book, a really detailed study into Russian information warfare. I don't have time to go into a lot of detail. What I do want to just highlight, a few things, is that first of all, information warfare is part of a bigger hybrid warfare sort of state of being that is on a continuum. What that does is it blurs the lines between peacetime and war. Dr. Lilly, who put together this study, studied Russia's own doctrine, its own materials, its own policies, and also studied a number of secondary sources, a really, really detailed analysis, to try to understand sort of what this means for Russia. And really, we're at a point where 90% of warfare for Russia is information warfare and 10% is combat or other, right? So if you think about it, if you remember Cambridge Analytica, and I apologize if I'm throwing too many things out at you, but you have Yevgeny Prigozhin, who had the private military company Wagner that's been active all across Africa and all these other places, and eventually died. He also ran the Internet Research Agency, which was under Cambridge Analytica: the bots and the trolls, fake accounts and all of that stuff that we saw back then. So those things are really intertwined.

What the idea is, is that it's really about a battle for the minds and mass consciousness of your target. So in the target country, it's not just the politicians and the military but also the citizens, right? What you want to do is you want to wear people down, you want them to lose faith in democracy, you want them to not be a problem for you when it comes to things you want to do. And that's a point I really want to reiterate here, because the examples that I'm going to be giving, the example that I gave here, they favor one side, right? So in this case, it looked to be in Trump's favor, and there's documentation in an affidavit from an indictment that was unsealed that shows that they had decided that, as between the different parties, we're going to have more luck here. But it's not about any kind of ideological commitment. This is different from the Soviet Union, where there was an actual ideological basis. This is really about what are our interests as a state and how do we use what's available to us to cause chaos and make things work for us.

So what it does is it blends psychological and technological means, and the real key against your adversary is to ensure information superiority. That doesn't mean you have better data, I wish it did as a data professional, but no, what it means is that you have a better command of information warfare. And I'm just going to tell you, you'll see from some examples, we are really outgunned. So it is an issue that we have to take very seriously, very quickly. Again, it's an incredibly detailed study. She looks at something like six confirmed cases, and she's come up with this framework that she calls CHAOS. So she's found this common set of factors, a common set of things that happen for every information warfare campaign that Russia runs.

Cyber: so there's a cyber attack on political infrastructure. Political infrastructure is quite detailed and includes a lot of things. For our purposes today, we're talking about the information space; that's the part that's most interesting to us today, but it goes way deeper than that. So if you think about cyber, what she found was typically these were confidentiality and availability attacks. Many of you probably had some sleepless nights over some of these things. I won't be talking a lot about those today, but again, there are entire books on this really fascinating area. I would argue, if you were to look at even more recent ones, we'd see more integrity attacks, where you mingle real information that you've gotten from a breach, right, and then you throw in some fake stuff, so you're kind of laundering it, and I would call that an integrity attack. Hyper-targeting is the one we're going to focus on today, and that's the disinformation and strategic messaging. And then there are other things, like if there are demonstrations, whether you create fake demonstrations, and then you have assassinations, assassination attempts, things like that. Again, we're focusing on the H today. So we've talked about 2016, because Cambridge Analytica really showed us, wow, you can do a lot of stuff.
with this technology that was meant to be fun and social um and and you can hijack our advertising uh ecosystem and and really turn it against us so we we' talked a lot about chat boogs and deep fages and you know um trolls and all these kinds of things but what we have to remember is ultimately it's the same pattern that I showed you earlier right it's a very very human thing which seems to be the theme today actually with a lot of the presentations today is that human peace and so that's why it's we need to understand that we'll only be influenced no matter how great the technology is if it doesn't resonate with us it's not going to
work. All right, so there have been a lot of studies. I won't spend a lot of time on this slide, but when you look at it afterwards you'll see it's quite extensive when we think about the Russian disinformation ecosystem, so you can have a look at those. Cambridge Analytica seems like such an easy one, you know, the heyday; it was all very easy to spot compared to what we have now, because back then we had the psychometric profiling and segmentation and then targeted disinformation using the advertising ecosystem, right, so adtech, to hyper-target different messages to different people. Often those messages were to deter people from voting, or confuse them, or elicit certain responses, and they were amplified by bots, who made the message spread really, really fast, giving a fake sense of following and creating a kind of ambience, right, it's just all around; and trolls, so those would be fake accounts, and often these accounts were run outside of the country; they were movans who were just coming up with a bunch of stuff, people outside the country. And there was an important Canadian component to it. This is when I was getting interested in this whole area: it was privacy commissioners who played a very big role in unravelling what was happening here, the UK Information Commissioner's Office and then the BC and the federal commissioners for Canada as well, cracking down, partly because one of the nexuses in here was AggregateIQ, a tiny digital agency that was building the software for a number of these campaigns. So we had a Canadian component, and part of the reason was that offshoring made it easier for them to get away with the election funding issue, so there was like a money laundering element to it, and also taking it out of the jurisdiction, making it harder, and so on and so forth.

So when it comes to the information campaigns, you may remember when Russia's full-scale invasion of Ukraine happened, there were a number of countries that banned Russia Today, RT, which is a state news network that's meant to push Russian propaganda. There's a woman who's been doing this since 2014; it's called the Russian Media Monitor. She takes clips of actual conversations on Russian state TV, which are a pretty good reflection of what is an approved message, like the things they're talking about are the things they're allowed to talk about, but it's supposed to feel kind of like dialogue and discussion. So she takes these snippets and translates them for us, but then she also gives us the context and explains. So in the one on the left you'll see Margarita Simonyan, who's in charge of RT, said, and if you watch the video you'll see it, "they close the door, we come through a window; they close the window, we come through the floorboards; we have so many different ways, we have so many operations," basically admitting that there were a number of things underway. I showed you the one on the right because it's an example of a reaction to the cabinet picks that are being proposed, and Tulsi Gabbard is the one they're calling a friend of Russia, which a lot of people suspected.

So, Operation Doppelganger brings us to today. Oh my gosh, five minutes left, okay. So that brings us to today. You may have heard there were Canadian influencers behind this operation, and instead of using bots and trolls they could use influencers with a really large following to spread disinformation and spread talking points that are valuable to them, and they would do that. So we have a number of Canadian figures that were involved there. We've also seen from that affidavit, and the exhibits that were dropped with it, a number of doppelganger news sites, so doppelganger news sites disguised to look like real news sites; sometimes they include genuine news, but there's a lot of other stuff that slips in, and a number of them reference Canadian stuff too. So my point being that we're also a target in some of these things. Storm 156 is the successor to the IRA, the Internet Research Agency; they've been extremely active, and again it's the same narratives that you're hearing over and over again. So like I said, it's a different take on CanCon. There are some examples of specific vulnerabilities that have been targeted in Russian information warfare against Canada which you can look at later, because I'm running out of time.

So how can you use open source information to detect all of this? I'll give you the example of something called the NAFO dogs, so North Atlantic Fellas Organization; some of you might even be some, I don't know. These are basically self-appointed online positive trolls; these are people who decided, when the full-scale invasion broke out, that they were going to fight the information war online, on Twitter, Reddit and all other places. They quickly noticed this one particular very active, sort of information super-spreader who went by the name of dumb je, and basically they put their thinking caps on, they got together, and they looked for a number of hints to see: she seems to be talking to all these people who are pro-Kremlin influencers, she's saying a lot of these talking points, her accent comes and goes, she doesn't seem real. They started digging and did a whole host of things; it's really cool, actually. They looked at her real name, because her real name was used by some trolls who were trolling her; they did image matching; they found a video of her when she had a tropical fish shop; and they were able to use some of the decor from the background of her house from an interview and a reflection off of her glasses in a different one, all kinds of really cool stuff, which I encourage you to read about because I clearly don't have the time.

So there are a number of methods. You want to watch for things like bots and trolls that amplify; doppelgangers, that I just talked about; fake or distorted media, which can include real photos that are misattributed or fake photos that are AI-generated or doctored. You also want to watch out for super-spreaders; you'll know that, right, there are certain ones, you see their names come up over and over and over again. First they were pro-Syria, and they said they were all pro-Assad, and then they were COVID deniers, and then when the full-scale invasion happened suddenly they were talking about Ukrainian Nazis and Canada and the US should stop supporting, etc. It's literally like they're just following along, and they don't have any obvious background as to why they would follow exactly what is programmed. Whataboutism is another one, and people use this not only in information warfare, you might even have it with your friends, and it's really irritating, where they try to create a false equivalency; it's just a way of distracting. Firehose of lies as well: just pound people with so many different things, even if they contradict each other, that they're so worn down they can't fight. And then of course the usual profiling and so on.

So the way we address the weakest link, ourselves, is we need to identify, not just for an individual op, what our weaknesses are. So let's start threat modelling ourselves, right, as digital citizens and as people in a democracy: what are the things that could be exploited, for me personally or for us as a society? We have our tensions here. And then the second thing is anticipate: who, how would someone use that against us? How might someone say something? We have an election coming up; that's a vulnerable situation we need to think about. Then you can start thinking about pre-emptively or proactively shoring up your defences, right, the same way that, you know, now people will guess passwords so you have multi-factor authentication; so how can we take a multi-factor approach right now to disinformation? And then analyze the stuff that you do see, so analyzing individual ops, and then warning others. So, tons of resources out there, lots of fun stuff, interactive tools, games, everything; this is just scratching the surface, and you'll find it on my LinkedIn. These are my socials. I finally deleted the hellscape; you'll notice there's no Twitter there, I'm not there anymore, but I'm in all these other places, so feel free to find me. Thank you, sorry, no time for questions. [Applause]
Hello, okay. I guess the hardest question I have, and I think probably what other people have, is: algorithmic transparency on social media platforms, is that a good thing, is it a bad thing, whether it's controlled or not, what's your opinion on that?

Yeah, so I'm really happy you asked that question. You're right, the devil's in the algorithm, but the algorithm is only doing the devil's work because the devil wants to do that work, right. So there are two things. Algorithmic transparency helps us to identify how something is being done, so I'm very much in favour of it. What I like even better is if I can avoid having the algorithm altogether, and so Spoutible and Bluesky don't have an algorithm now; you can choose who you want to follow, the things you're interested in, and you have a lot more control. I think really we should be served up the things we'd like to see, although there is a risk of creating an echo chamber for yourself. Yeah, I'm a huge fan. In my day job, this is more of a hobby, but in my day job I spend a lot of time solely on that issue. So absolutely, and I would add to that algorithmic fairness, right, and that is what the EU is doing right now with the Digital Services Act, and that's what they're all in trouble for, right, but who knows, maybe they'll... All right, is there another question?

Thank you very much. I especially found interesting your discussion of everybody's fear of the other, the other being a general term, I think, in schools at this point. The other question I had was: are you familiar with the website... it's open source...

One of the resources for sure, Bellingcat. Though I do want to say, there just wasn't enough time to put everything in; this is how insidious this stuff gets. So poor Eliot Higgins, he's in the bad books with Russia because of the MH17 stuff, right, because that's when Bellingcat really got its start: they were trying to understand what happened to Malaysian flight MH17. So what was happening recently was he was having to swat down very quickly these fake Bellingcat posts saying there was disinformation, or trying to show something that was actually used to promote disinformation, so he was like, "I was not involved in this, this is not me." So they were actually impersonating the fact checkers, and that's not the only example; there were other ones as well. One of the websites taken down was called Stop With Fakes or something like that. It's really quite insidious, so we do have our work cut out for us. But yeah, absolutely, they have free courses, and again, if you get the presentation you'll find some links to various free courses. So theirs is a little bit expensive, but there are other free things you can do too. Okay.
This presentation is going to be a bit different from what you're used to seeing. It's a concept that's been in my mind for a few years now, and I had the chance to, I had fun when I was presenting it, and I hope I'm going to enjoy this one a lot better. What I'm going to do is, I've got one of the staff members, he has a little bag and there's a whole ton of stories in there, like little tiles of stories, and as you'll see when I present myself, I'm a pentester by trade. What I did is I picked a whole bunch of different stories that are funny, interesting things that you run into in the industry when you do this type of stuff, and when you've done two, three hundred engagements you tend to have cool experiences. So hopefully there are going to be some learnings to do with those stories and we can talk about it. One thing that I want: if anybody wants to, raise your hand at any point, you can ask questions, you can give little anecdotes, just don't take, you know, 30 minutes of my presentation to tell me a story. That'd be awesome. And I call it Random Access Memories. Random Access Memories, right; I had somebody come to me and go, "oh yeah, I'm really interested in forensics," and it's like, no, we're not going to be looking at RAM, unfortunately, so if that's what you wanted to see, sorry.

So who am I? That's embarrassing, that one. My background is penetration testing, like I said; I've got seven to ten years of doing only pentesting. Now I'm director of information security, and I work with some of the agencies and had security over there, but I still really like pentesting, so I still dabble in penetration testing. I worked in a ton of highly regulated industries, so you'll see a lot of the stories are around compliance and regulation and things like that, and how you can run into kind of weird little snags with it. It's not as relevant here because we're not in Atlantic Canada: we have the Atlantic Cyber Security Collective, which really is a collective, it's not even a nonprofit, it's just a whole bunch of groups in a Discord server, which I actually had to close. So we're mostly a Discord server; we've done some unconferences and things like that, and we just have a whole lot of fun. I believe a lot in community. One thing I'm really excited about is the policy village over there; it's all about public policy, all about government work. Somebody is going to be covering the community cyber security strategy document that's going to be coming out soon, so if anybody's interested in that kind of world you can come and see. And yeah, disclaimer: this presentation, all the stuff that I've seen, has no reflection on my current employer, my former employers, or anything like that; all the opinions and analysis in there are my own. Also, I've changed names and company names and stuff, because I don't want to throw anybody under the bus. I don't want to say that this company, this executive swore at me for three days because I got full access within six hours. They were pissed, though. Anything that is public I'll talk about. It's a bit less sensitive here, because I've done work in the Ottawa region, but when I'm talking in Atlantic Canada people kind of see themselves when they know who I'm talking about, so I've got to be very, very careful.

So how does this work? You pick a card, you listen to a story, and
you pick another card; it's as simple as that. We can get going. What I did at the last conference: I went to see a concert at some point with my son, I think it was Hackfest in Quebec City, and they had this crazy metal band, retro stuff, and they were playing some old, really cool 8-bit video games in the background. I thought, that's really nice, so I put up a video and I was showing old video games on here, and I noticed that nobody was listening to me; they were just watching that. At some point I was watching it too, like, "oh, I played that game," and I wanted to watch it, so I took that away, sorry.

So let's talk about some stories. I see some people in here that I know have experience with pentesting, so one of the things I like to do is take this concept and then bring people up on the stage with me and tell their stories, or create a podcast or a blog post and interview people and ask them for really cool stories. I think there's an audience for that. If you look at the books Tribe of Hackers, if anybody's ever heard of them, which is just the same questions asked to a whole bunch of cyber security professionals, some people in this audience may have been in those books. I find that really interesting; I kind of like this concept. So I'm going to ask you to pick one story, just pick one out of those, and there's going to be a title. Hopefully I remember them, because I just made up titles and sometimes I listen to it and it takes me a few seconds to remember what that story actually is.

Lobby level takeover. Lobby level takeover, okay. Anybody remember the Rapid7 Under the Hoodie videos? Anybody here seen them? They took hackers in hoodies in a dark room, telling stories, and I remember this one story where this person was saying he was in the lobby waiting for his contact to come in on a pentest and saw that there was an RJ45 jack, and hooked up to the RJ45 jack and actually started the pentest, because it was supposed to start at 9:00 a.m. that morning. And one day I had a big one: I was supposed to start a pentest at 9:00 in the morning, they forgot that I was going to be there, so they left me in the lobby for like three hours. And I remembered this video and I thought, there's no way, there's no way. So I looked around, I found an RJ45 jack, plugged into it, and noticed I had access to the whole corporate network. First thing as a pentester when you do that, you spin up Responder, right; they'll tell you, hey, you've got to do all these things and you've got to run some... no, no, Active Directory, Responder; if you know, you know, if you don't, ask me how. Within, I would say, about 45 minutes I had cracked a few local admin hashes; the pentest hadn't started yet officially. Cracked the password, gained access, long story short, they left me there until noon, and by noon I had full domain access on their network, on a pentest that was supposed to be five days that I hadn't even officially started yet. I'm going to state the obvious, and the lesson to learn is: just don't activate your RJ45 ports in your lobby. And better than that, I've been in places where I go into a conference room and the jack in the conference room has full access to the domain; you can do all this from there. So what do you do? Well, what's the threat here? You've got to get in, but you can easily pretend that you're a company that wants to know more about theirs, and you bring your technical guy: "is it okay if he plugs into the network and does a bit of work? There's an emergency at work," something like that, and you just go and you can basically own the company by not even gaining access to the sensitive area. So I guess that's the moral of the story.
Zooming out. Zooming out, zooming out, okay. Let's go back to the pandemic; I think everybody remembers the pandemic, right. In my consulting role I was doing a lot of work with a provincial government, and one of the first things they asked us when the pandemic hit and everybody was starting to work from home, which today is the normal world, but if you go back five, six years this was not normal, to have a whole bunch of people working from home. One of the things this provincial government was asking about was: what kind of tools should we be using, how safe is Teams, how safe are all these tools, and they really wanted to use Zoom because it's useful, right. And if a lot of you also remember, Zoom had a lot of major issues, major findings, right before the pandemic, around the same time. Now what's interesting is that their response was really good; they fixed all of it the right way. And one thing we quickly realized was that everything they were susceptible to, that they got a lot of crap in the press for, it happened on Teams, it happened on WebEx, it happened everywhere; you know, UNC paths that you can go and, again, use Responder, it worked on every single one of them. For some reason the press really wanted to throw Zoom under the bus, and all the headlines were about Zoom; then you'd read later, it's like, oh, it also affects WebEx and all these things, right. So at the end, this provincial government, to find tools, they really, really wanted to use Zoom, and we had to have a conversation with them going, like: it's probably the right tool for it, it probably makes sense, we love the way they're reacting, we love the way they're proactive, on their blog posts they're saying all the stuff they're doing, all the stuff they're putting in play, they're spending a lot of money, but we can't recommend it, because there's a reputational risk if ever anything happens, and we know the public is going to go, "did you go with this one tool that everybody knows is evil?" right. It doesn't matter if it's the best one; sometimes a reputational hit is almost as risky as actually getting popped and getting owned through an app. So it was a very strange conversation; it was a huge learning moment for me. Inside of the company I worked for we had a lot of discussion; we seriously said this is the best tool but you can't use it, and it was pretty interesting. Does anybody agree with that? Did we do the right thing, did we do the wrong thing? I don't know, anybody got a note on that or anything?

What if you stick to... if you talk...
Yes, you know, your reputation is the most important thing, so they could have done everything well, but people always remember that one negative thing, so just by default being associated might drag you down.

No, I agree, I think we did it right.
Yes, yes, but if something happened, numbers don't... facts don't matter, numbers don't matter.

No.
That's what they use us for; that was our job, to do that type of stuff, and we had the numbers, we presented the numbers to ourselves, right, and then we decided, like, that's not the tool to go with, because, if you remember, Zoom was being destroyed in the media for a few months. Very hard to make that recommendation.
Next story. Also, if you want to provide feedback for this afterwards, my email is going to be there; let me know if this is interesting or not. Wi-Fi... just, can you use the white button? Oh yeah, yeah. So, Wi-Fi pentester favourite. This was an engagement where they wanted me to test their corporate Wi-Fi, and they said, you know, guest Wi-Fi is in scope, you can touch it, but it's completely segmented, you're not going to be able to do anything on there. As a pentester, when you hear that you're like, really? Yeah. So, you know, spin up evil APs, look at all the ways to set up attack vectors and all that stuff; spend half a day just looking at that stuff, spin up a couple of evil APs, hope that someone's going to connect to them and drop their passwords, whatnot. But in the meantime, hey, let's just check this Wi-Fi network. So on a Wi-Fi network you can just send a packet that de-authenticates somebody, and they re-authenticate; when they do, you can intercept their hash, depending on which protection mechanism they're using, and then you can go and try to crack the hash. They thought they had a very strong Wi-Fi password, but it was like "one29 38". The guy was so happy that I did that in front of him, like, boom, you know, cracked it in two seconds. It's a very common password. So I got connected right away and started scanning across VLANs and sniffing the network and everything else, and the next thing I noticed is, yeah, no, it's not segmented; I have access to the full corporate infrastructure. I think in this case I found an admin password on a file share somewhere. Yeah, I mean, pentesters, right, it sounds like we're writing our own exploits and ones and zeros are flying in our faces and we're doing this thing; it's like, how many pentesters find passwords in scripts in your GPOs? Raise your hand, right. It's just, like, all the time. A good cyber security personality, if you know him, I like this personality, and he says worrying about zero-days is like worrying about ninjas. I think it's fair; why would I burn one? First of all, I'm not China or Russia, but I wouldn't burn one if somebody has a password.txt file on the desktop, which I
hope... a long story. Like I said, I worked in a heavily regulated industry, a couple of them, and in one of them I was a consultant doing work for external parties, but my company at the time... I don't even know if it's on my resume, but this company hired me. Well, I asked: does this network have connections to a whole bunch of clients? It's like a SolarWinds type situation where, well, even worse than that, clients would send hardware in and then they would have their connections, and everything's interconnected, and I go, well, that's a huge risk, isn't it? So let's go in; can I go to the head office and spend five days just poking around? It was on the second or third day: there was EternalBlue, right, just a stupid bug, WannaCry, is it... anybody know EternalBlue, MS17-something, anyway, just a stupid bug, wormable, very, very easy to exploit. And I found it, and when I accessed it something really weird happened: there was somebody that had dropped a payload or a loader in there that basically redirected me to the domain controller and gave me full system admin access to the controller. So as I'm looking harder I noticed that, hey, this is a threat actor that is in the network right now, that's already been in here and has put in this C2 infrastructure to be able to give commands and do all kinds of stuff. My pentest turned into an incident response really quickly. I went to see my boss, which was the CTO. He came to my desk and... can I swear? Okay. He comes to my desk, goes like this and goes, "Julian, are you trying to make my life hard right now?" And I look at him and say, I know, right, like what a... "No, no, I'm serious." You look at him and you're like, hey, you have a threat actor in your network that could pivot into all of your clients' information centres, and it's not my fault, like, I found it, you should be thanking me. It was on a VLAN owned by a company that wasn't us, another company that was in the network; you couldn't find it. It took us 14 hours to find the physical server where the VM was sitting, and at the end the IT guy was just ripping tables up and I was pinging. It's stupid, but if you don't have everything documented you're screwed, you're completely screwed. When I saw my C-level I said, dude, you've got to bring legal in. He goes, "I got this, I got this." It's like, no, you don't understand, if they've pivoted from your network to your clients' networks, these multinational companies that are worth billions of dollars, this could be the end of this company. He was like, "no, no, I got this, I got this." Next day I said, did you send the email? "Yeah, I just wrote something, I sent it out, they're all my buddies." Two months later I was gone. Two months later I was gone; that's not the environment I want to work in. And they didn't get popped; somehow the threat actor lost connection or didn't know it was there, I don't know. I tried to... we had an incident response retainer; it took me three days to track down the guy that had the code to get the incident responders so they could come in, and they never really did anything. That was... you see everything up there. Do I have to tell the moral of this story?

Made it up? Never heard of her. Never heard of her. I'll be honest, I may have GPT'd a little bit with these titles, but they're funny. So, we were engaged to do a point-of-sale pentest for a national retailer, and did work at the R&D office, looked at
all the kiosks, trying to escape the kiosk and all that stuff, and we just got access to everything. It was a big company that built it, but if anybody's ever tried to get out of kiosk mode, it's 100% successful, like there's no kiosk mode that can stop you. But when we went to the stores, this is where things got very interesting, because of course I wanted to scan the environment, and the scope, as far as rules of engagement: what else is listening, is the POS off, all the other systems that are there, you know, your PowerPoint presentation to show how cool of a store you are and all that stuff. So I started doing a ping sweep, and I counted like six or seven devices in the store, and I started the ping sweep on a /24 and I got 192 responses, and there's seven devices. Like, where is everything? Is there a data centre in the back? What's happening? Digging and digging and asking questions, I finally realized that all the stores from St. John's to Victoria were on the same subnet. Why? Right? What? I made a joke of the PowerPoint presentation, but apparently one day there was one store where it got corrupted and the head office was closed because they were off and everything else, and somebody had the right idea, like, oh well, you can grab it from the other stores' PowerPoint place, we just share the share and you just go and grab it and pull it down here. So if you went into a store and connected to their network, which of course the RJ45 ports were all live, my lobby stories, you could gain access to every single system across all stores, in all the malls. I think we counted 20-something stores or something like that. Fully segmented POS on its own, wild. I wonder how many people in the crowd... like, there's people that have seen this and there's people that go, like, I've always worked with the same company, they always do the right things, "you're full of crap, that is impossible," and I've just opened those people's eyes. Especially younger, like students, they go, like, yeah, you're not supposed to do that, this is how the book tells us; like, dude, just go out there and look, it's bad.

This one says access granted, patience. Access granted, patience, yeah. So my CEO that swore at me: this is something I never thought I would run into, and it was a fairly big company, a big building in a big city, and they paid a lot of money to get us there. When you walk into a place and they go, like, you know what, you may find stuff, because we do the best, we spent a lot of money, we do what we can, but we're pretty sure... there may be some holes around, right, and you start pentesting, or red teaming or whatever else, and like, you guys are really good. You know the places that are not good as well, like, yeah, we've been doing this for a long time, we've got this, this is the most secure network, I'm sorry I'm wasting your time, but our clients are asking for this, you're not going to find anything. Boom: domain admin access the first day. The CEO or CSO, whoever he was, comes to my desk and goes, how's it going? I say, hey, you're pretty good, and I told him what had happened, and I had full access; I also cracked his password, which was ridiculous, like swear words and everything, and I quickly understood why, because as soon as I told him that he went off, went off, like just started losing it, basically. And so how do you negotiate that, right, as a pentester? I'm proud of myself, hey man, I did my job, like this is pretty cool, you know, I popped everything, and that rush you get when you finally log in and you know you have access to everything, you've got rule of the land; it feels good. But at the same time this was a quick reminder for me that there are consequences for this guy; this is his job, he goes to the board and tells them that they're the most secure company in the world, and it would have been very different, I guess, if it had been on the sixth or seventh or eighth day, but this was the first day. He was seriously mad at me. I wasn't scared for my life or anything, but maybe, maybe. And again, I learned from that lesson and I think
everybody can learn from that lesson in the sense of the soft skills are important for me it was like hey you're you're another technique right you're going to enjoy this like let's let's get into the details and and he didn't enjoy it at all he didn't not love um so I quickly learned to deliver that message in a much smoother way and in a much more professional manner I probably didn't deliver it in the best professional manner but that's who I am but now I do try to see how much time we have cost costly creds costly creds um I always laugh for these stories and I I got to find that's one thing I got
to tune is my reaction to hearing the title is going to be different every time and you're not like this the fun um big company again um doing a lot of um sensitive hydr culture um I think it was the past like October 17th um I forget the year um anyways this company had installed part of the regulatory requirement is need to have cameras everywhere and this was a huge company that actually buil their own power station to power a lot of their their go off operation and um they they had engaged this company to come in and and put in I think it was something between like 200 and 300 cameras webcams to look at the environment to
make sure that everything was fine and all of that stuff so I I walked into that environment first of all of course the cameras are on the same network you can access them they should be segmented you DVR is the only or NVR is the only thing we should talk to it um but I quickly saw that uh the first camera that I hit um I think it was literally a n and Min or like admin HIC Vision or whatever you know but um second camera have admin third camera and then I go like did they just install all cameras in the environment and not change defa creds and quickly realize that that's what had
happened and it was on the full Network anybody could access them so um when I when I when I told him this um it was when this started the engagement at the end of the engagement you realized that the company they called the company and they said well changing the Pres is not in the contract so um okay can we automate the CH no you can't there's no you got to go one one it's like okay well you're going to have to come here and fix this and they said like no it's not the contract so they okay how much is it going to cost us and it was like a lot of money and costing prits right they had to
literally pay a company to go in and change all the admin passwords that should have been done in the first place that is a great lesson that is something that on my list of stuff that I need in the contract with any company that I work with with the legal team with the the acquisition team and everything else is let's look at every option let's threat model this acquisition just like it was a pentest what could go wrong right first thing on that list is crits right and now with secure by Design secure by default people should not even have default passwords it should even be install it and reset it I have a feeling this
company would have put admin as a password on on the first run anyway anyway but 1 2 3 4 5 but anybody else run into that where like something so obvious that should be in the contract and should be assumed that it's going to do that it wasn't I see Shake a head man
like the CV jackpot one of the things that I do for the uh Atlantic cyber security Collective is there's a lot of students coming we have some really good courses in in New Brunswick and new Scotia to to train service security folks and and one of the person that help